New Bitcoin Anonymity technique: The Clusterfuck Wallet
This is either the craziest idea I ever had or the most brilliant one
I remember reading a while ago Mircea Popescu’s ridiculous article, where he states something like Bitcoin is perfectly anonymous. His reasoning went like this: Blockchain analysis cannot make any reasonable conclusion, because a Bitcoin transaction can be interpreted in many different ways. I cannot dig up that article (if you can, please link it), but what if I tell you he was actually right? Or it would be more correct to say: with a little effort we actually can make him to be kind of right.
Just when I thought I’ve finally figured out how to do an optimal on-chain privacy on Bitcoin with ZeroLink and I have nothing else to do, but to build this technique and only redesign it if/when the Confidential Transactions technique gets into Bitcoin, waxwing (Adam Gibson) just gave a new talk and put everything into a whole new perspective.
We, stupid developers and researchers went to a direction where we can quantify things, we can work with mathematical models, instead of embracing chaos, like Mircea did. This article is an attempt that tries to model and quantify the chaotic path, which, we, developers and researchers were too scared to go down.
While this technique is likely more fragile, than ZeroLink’s Chaumian CoinJoin, assuming sufficient wallet liquidity it’s way more user friendly. In fact it’s possible to combine the two by making ZeroLink’s post-mix wallet also a Clusterfuck Wallet. (Lack of better word.)
To understand, let’s take a look at the direction the evolution of CoinJoin took.
CoinJoin was first detailed in 2013 by Gregory Maxwell on BitcoinTalk. When multiple participants add inputs and outputs to a common transaction, it obfuscates the transaction graph.
SharedCoin was a method, used by Blockchain.info. It was both great and terrible service.
It is a great concept, because it further hardens the job of blockchain analysis companies, however simple amount analysis (CoinJoin Sudoku) can tell a lot about who sent money where.
CoinJoin With Common Denomination
A stronger variant is, if the non-change outputs have the same value, no one can tell which input intended to fund which of these non-change outputs.
This is great, because it’s mathematically impossible to tell who sends to who. Of course only if the observer only looks at a single transaction, not transaction chains and it does not have any clues, exposed by network analysis, but that’s outside the scope of this article.
This technique is used by JoinMarket, CoinShuffle and ZeroLink’s Chaumian CoinJoin.
It looks like we have a consensus on this is the right way to go and Blockchain.info’s SharedCoin sucks, because it can be trivially linked.
But, no! What if I tell you Blockchain.info was actually pretty close to providing an unreliably anonymous Bitcoin, only with just a few small tweeks? Of course, I’m completely dismissing the fact that Blockchain.info actually knows exactly who sends who, due to their wallet architecture.
In order to understand what I’m going to show you, let’s take a step back and look at a simple transaction.
Although Adam is white, he’s a pretty good rapper. He uses his rapping skills to explain us how such simple transaction can be interpreted in many different ways. It’s a silly transaction, because it doesn’t have change, nor fees, but no need to complicate it for now.
Normal Blockchain analysis would assume it’s a simple CoinJoin transaction, where Alice pays 1btc to Bob and Carol pays 3btc to David. Here’s the catch: if a wallet only implements Blockchain.info’s SharedCoin, the simplest version of CoinJoin, then that’s assumption is 99% correct. Let’s take a look at the other interpretations, what a “clusterfuck wallet” might implement:
SharedCoin To Yourself
Alice can pay 1btc to herself and Bob can pay 3btc to himself.
Alice creates this transaction all input is hers and all output is hers.
A practical application would be: the wallet software from time to time randomly asks its users to make such transactions.
Payee Joins The Transaction
Alice pays Bob 1btc and Bob pays Bob 1btc.
Alice pays Bob 1btc. And Alice pays Bob 3btc.
These two techniques require for both party to use the same wallet and in this case they can create such Blockchain analysis misleading transactions.
Pay To Many
Alice pays Bob 1btc and Alice pays Carol 3btc.
This technique requires Alice to want to make a transaction in the same time to many different recipient, like paying her employees.
How To Apply It?
First, a clusterfuck wallet needs to implement a SharedCoin type CoinJoin. Such transactions would be the basic transactions going to another wallet, that’s not also a clusterfuck wallet. Of course for this to work, the wallet also needs huge initial liquidity (meaning: users).
However the wallet also must enable normal Bitcoin transaction, but try to disincentivize them. This makes Blockchain analysis companies to not to come to a conclusion that, because this transaction was normal, it cannot come from a clusterfuck wallet.
The wallet must also implement the rest of the interpretations, listed above.
The End Result: Chaos
Now Blockchain analysis cannot conclude who pays who. In fact, not even the number of participants. Maybe Alice is paying to herself, it’s just a fake CoinJoin. The conclusions to make are unreliable.
The Challenge: Organic Patterns Emerge
In such a system organic transaction patterns might emerge, that Blockchain analysis can use. The biggest challenge of the wallet developers is to try to bring the likelihoods of all the transaction interpretations as close to each other as possible.
Clusterfuck wallet refers to the notion, that all this wallet does is: it fucks up the clustering algorytms of Blockchain analysis companies.