Anonymous Bitcoin

Privacy is a fundamental human right. Fungibility is an essential property of good money. Anonymity is just another word for that.

CoinPedia Art

As of February 2018, the path to anonymous Bitcoin is finally clear. While strong anonymity in itself was already achievable, no strategies could achieve it in a convenient and economical way. During 2017, new research and techniques were invented that pave the path to both convenient and cheap anonymity. Furthermore, it is just a matter of time that we get to the point, where anonymous transactions will be more economical, than transparent ones.

2019 Update

Two Dimensions Of Anonymity

  • Network Analysis
  • Blockchain Analysis

Network Analysis

Private Transaction Broadcasting

Flagship Project: Dandelion

Private Transaction Retrieval

It seems like the only way to avoid address linking is to run your own full node. Your node downloads all the transactions ever happened on the Bitcoin network, then calculates balances locally. Since you ask for all the transactions, nobody knows, which ones you are interested in.

However, running a full node is anything, but convenient. You must wait a few days or weeks in order to synchronize the blockchain and start using your wallet. So why not start syncing from the creation of your wallet, then? And the idea of full-SPV wallet was born. Projects implementing this are: Jonas Schnelli’s Bitcoin Core PR, Stratis: Breeze Wallet and my HiddenWallet. However, this is still far from convenient, let alone mobile friendly. If you do not turn this wallet on for a week, then you must download 1008 blocks, which is 1–4 GB of data, before you can start using it.

It is worth pointing out that there was another bandwagon, invented in 2012: BIP37: Bloom filtering SPV wallets. These were designed to provide privacy for light wallets, although it turned out to be a privacy nightmare.

In June of 2017, Lightning Labs researchers came to rescue: BIP Proposal: Compact Client Side Filtering for Light Clients. Furthermore, they provide an implementation, called Neutrino. I know, there is a lot of nonsense terminology here, however, let me demystify it to you. Additionally, every full node maintains a small index table, which they serve to light clients. After light clients acquired it, they can now figure out which blocks they have transactions in. Finally, they ask for the few blocks they care about from full nodes and go on with their life.
Today I am working on implementing this approach into HiddenWallet.

Flagship Projects: Client-Side Filtering, Neutrino, HiddenWallet

Blockchain Analysis

Such technique was briefly described by Maxwell in the same thread, called Chaumian CoinJoin. In 2014, another, similar technique was proposed under the name of CoinShuffle, which went through an iteration in 2015: CoinShuffle++. These techniques are round based. That means if you have 8 bitcoins and the denomination of a CoinJoin round is 1 bitcoin, then you must participate in 8 rounds. Thus, you are paying transaction fees 8 times. What if you have 0.9 bitcoin? You are not lucky. It gets worse. If the blockchain observer starts looking at transaction chains, then it can deanonymize the CoinJoin users, therefore we need to have a dedicated wallet with a privacy conscious coin control in place.

To tackle all these edge cases, in 2017, I designed and implemented ZeroLink, where I worked out Maxwell’s Chaumian CoinJoin idea as well.

Flagship Projects: CoinJoin, CoinShuffle, ZeroLink

However, let us not get lost in the details, and rather recognize, dealing with all this complexity would be unnecessary, if we would not have to care about the transaction amounts. Transaction amounts are the root of all evil in privacy technologies.

Here comes Confidential Transactions! CT solves exactly this. It replaces the output values with Pedersen commitments. The problem is, these commitments are huge and the larger your transaction is the more you have to pay for it. For this reason, CT was unlikely to ever to be seen in Bitcoin and even if it would have got into it, some kind of hybrid half CT, half CoinShuffle/ZeroLink model would have needed to be done in order to keep the fees in bay.

Then something happened. In November, 2017 Bulletproofs was introduced, which is an improvement on Confidential Transactions. It makes the commitment sizes smaller. Instead of huge, now they are only large. More importantly, if you want to have many CT outputs in a transaction, then your transaction size does not grow linearly with the number of outputs, which is great for CoinJoin, where the number of outputs can reach high numbers. Numbers, where the cost of CT becomes insignificant. Participating in this CoinJoin would result in similar transaction fees, as the user would send a normal transaction!

As a takeaway Confidential Transactions can be easily added to CoinShuffle and ZeroLink. It does not only simplify these systems, moreover it dissolves many restrictions they have on their users. A CT compatible CoinShuffle is called ValueShuffle.

Flagship Projects: Confidential Transactions, Bulletproofs, ValueShuffle

It gets better! There is another technology coming to Bitcoin called Schnorr Signatures.
Today when a CoinJoin transaction has 100 inputs, then it must hold 100 signatures as well. With Schnorr, we can do it with only one signature. This will make CoinJoin transactions about 30–40% cheaper than normal transactions.

Flagship Project: Schnorr Signatures


Meta Update

Anyway, consider feeding us with a pizza. Or better: with a protein shake, I am on a diet now.