Let’s start with some basic definitions. Ensuring privacy is a very broad subject, so it makes sense to single out, from the get-go, two fundamental terms that make up the concept of privacy: anonymity and untraceability. The former denotes the impossibility of identifying a particular user online. The latter implies the infeasibility of attributing certain activity on the Internet to specific users.
Privacy with Bitcoin
Although anonymity is part of Bitcoin’s architecture, in practice it can be easily compromised. The untraceability feature isn’t immaculately implemented either: transaction analysis can reveal connections between some transactions and certain anonymous wallets - hence specific users - as long as the anonymity of at least one address has been violated.
A commonplace Bitcoin wallet can only ensure a minimal level of privacy. The user uses a new address for each incoming payment. In this case, it’s more difficult for a person who analyses the transaction graph to derive unobvious facts about cryptocurrency users and their coin flows. Nonetheless, this type of privacy is easy to circumvent. When routinely using Bitcoin, you trust your counterparties with your privacy. The party receiving a payment will know the details of the coins’ origin, whereas the sender will be able to monitor where the coins go next.
In addition to that, transactions are typically accompanied by disclosure of various metadata that can also be accessed by third parties. These include the category of the deal (services, goods), the type of wallet being used, user location, etc.
Let’s see which details about a transaction should be concealed to ensure the maximum degree of privacy. First and foremost, it’s the data about the origin of the coins. This information, in turn, relates to fungibility, a property that’s extremely important for any financial resources and valuables. Of course, this property is delivered at the level of the Bitcoin protocol (that is, all coins are identical and undergo the same type of processing), but fungibility is easy to compromise in practice. For instance, some merchants may analyse the history of the funds they are receiving and decline the payments if they don’t like it.
Besides, hiding the amount being transferred, as well as the sender’s and recipient’s addresses in the body of a transaction, is very important. Obfuscating users’ IP addresses is also a critical component of privacy – it can be achieved via such protocols as Freenet, TOR, and I2P. But what mechanisms and tools can help conceal the history, amounts, and addresses? Let’s try to figure it out.
The CoinJoin method
CoinJoin is probably the simplest method to scramble the transaction graph. It boils down to combining different Bitcoin payments into a single transaction in order to obscure the origin of the funds being submitted. In other words, it presupposes that multiple users form a group that creates one common transaction spanning several concurrent payments rather than these users initiating separate transactions.
There are numerous variants of this method that have emerged to enhance certain privacy characteristics of payments. Now, we will elaborate on how exactly the original CoinJoin technique works and then scrutinise a few of the most interesting modifications.
CoinJoin: how it works
Imagine there is a group of three users, each of whom wants to pay for goods at a certain online store. They create one transaction consisting of three inputs (one from each user), three outputs (one for each online store), and three more outputs, where each user takes their change. Then, all the outputs are shuffled randomly. Each participant double-checks the resulting transaction and signs their own input. If all goes well, the transaction is deemed valid, proceeds to the network and gets confirmed.
Regular transactions vs. CoinJoin
CoinJoin boasts a much higher degree of obfuscation, making it more difficult to analyse the transactions. In real-world scenarios, wallets using CoinJoin form large groups of users, so transactions can have dozens of inputs and outputs or even more. A coin that has passed through a chain of such transactions can have thousands of possible origins, and it’s problematic to find the genuine one among all the variants.
Let’s now have a look at a CoinJoin modification referred to as Chaumian CoinJoin. The peculiarity of this modification is that it engages a central operator (server) and uses blind signatures. The operator’s objective is to mix the inputs and outputs and then form the final transaction. Meanwhile, the operator cannot steal coins or violate the confidentiality of the mixing process due to the blind signature.
Speaking of which, a blind signature allows the user to blind data before it reaches the server. The operator signs this data without being able to see its actual contents. The signed data then goes back to the user, who unblinds it, and the result looks like a regular electronic signature.
With this scheme, neither the users nor the operator can de-anonymise coins in output addresses. Creating a transaction typically doesn’t take more than a minute. User interaction should take place via anonymous communication channels, such as TOR, I2P or Bitmessage.
Obviously, there can be unscrupulous participants who may try to undermine the process of creating the common transaction. There are quite a few user behaviour scenarios, including scam-related ones. Appropriate protection mechanisms have been devised to thwart the worst-case scenarios and ensure that regular users can form the final transaction smoothly. These techniques leverage time-outs, tracking of unspent outputs and the like.
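To make the blind-signature round concrete, here is an added toy simulation in Python; it is not code from any CoinJoin implementation. It assumes textbook RSA with tiny primes and no padding, a constructed coordinator that signs exactly one blinded output per registered input, and constructed address strings, and it shows that the coordinator can later verify the unblinded signature without being able to link it to the input registration it signed for.

```python
import hashlib
import math
import secrets

# Toy coordinator key: textbook RSA with tiny primes (assumption, illustration only;
# a real Chaumian CoinJoin coordinator uses full-size keys with proper padding).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encode(address):
    """Map an output address to an integer below N (toy stand-in for hashing/padding)."""
    return int.from_bytes(hashlib.sha256(address.encode()).digest(), "big") % N

def blind(m, r=None):
    """User side: hide m behind a random factor r (coprime to N) before sending it."""
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (m * pow(r, E, N)) % N, r

def unblind(blinded_sig, r):
    """User side: strip r to obtain an ordinary RSA signature on the original m."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(m, sig):
    return pow(sig, E, N) == m

class Coordinator:
    """Signs one blinded output per registered input; never sees the output it signs."""
    def __init__(self):
        self.signed_inputs, self.accepted_outputs = set(), {}
    def sign_for_input(self, utxo, blinded):
        if utxo in self.signed_inputs:  # one input may not claim several outputs
            return None
        self.signed_inputs.add(utxo)
        return pow(blinded, D, N)
    def accept_output(self, m, sig):
        """Arrives over an anonymous channel; only the unlinkable signature is checked."""
        if not verify(m, sig) or m in self.accepted_outputs:
            return False
        self.accepted_outputs[m] = sig
        return True

def mixing_round(coordinator, utxo, address, r=None):
    """One participant's round: register input, get blind signature, register output."""
    m = encode(address)
    blinded, r = blind(m, r)
    blinded_sig = coordinator.sign_for_input(utxo, blinded)
    return blinded_sig is not None and coordinator.accept_output(m, unblind(blinded_sig, r))
```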
The CoinShuffle technique
The CoinShuffle modification to the CoinJoin protocol was introduced in 2014. Its main benefit is that it doesn’t engage a central mixing server. Users communicate with each other to create a common transaction on their own. Meanwhile, they cannot violate the confidentiality of mixing output addresses. One more thing on the plus side of this method is that users don’t have to use any additional traffic anonymisation networks, because the use of the same P2P protocol for interaction between participants meets all the necessary OPSEC criteria.
This method employs encryption using a pair of keys (public and private). A message is encrypted with a public key and can only be decrypted by the owner of the corresponding private key. Participants use a protocol called DiceMix to communicate. Abuse prevention mechanisms are in place, too.
CoinShuffle case study
Let’s imagine there’s a small group of users: sly Alice, wise Bob, bearded Charlie, and orange Dave. Each has one unspent coin on the Bitcoin blockchain at addresses A, B, C, and D, respectively. Each one wants to spend their coin while obfuscating its origin. To this end, every participant picks the destination address (call them A’, B’, C’ and D’) to which the coin at A, B, C or D, respectively, should be sent, without disclosing it to the others. Then, each user generates a new key pair for encryption and the participants exchange their public keys; each new public key is signed with the private key corresponding to the address holding the unspent coin. All subsequent messages from the participants are signed in the same way. This is the first stage.
Next, the users line up in a random order. Let Alice be first in our example because she’s sly, Bob second because he’s wise, and so on. Now, Alice takes A’ and encrypts it to Dave, using Dave’s public key. Then she encrypts the resulting ciphertext again, this time to Charlie, and encrypts that ciphertext once more, to Bob. Bob uses his private key to decrypt the message he has received. He then takes B’, encrypts it to Dave and then to Charlie, and adds the result to the list. The list is shuffled and handed over to Charlie. Charlie, in turn, decrypts the elements of the list with his private key, adds C’ (encrypted to Dave) to the list and shuffles all the elements randomly. This list is then handed over to Dave, who decrypts it, obtains the addresses the coins should be sent to, adds address D’, shuffles it all and forms the common transaction from these addresses, the known inputs, and the amounts.
Dave distributes the transaction draft to the other group members. Each one thoroughly checks whether the transaction outputs contain the right address and whether the amounts match. If everything is correct, the participant signs the transaction, thus confirming ownership of their input coins. The users then exchange signatures, and if the transaction is signed by everyone it can move on to the network for validation.
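The case study above as an added Python simulation, not code from the CoinShuffle authors; it also covers the verify-then-sign step that plain CoinJoin (see "CoinJoin: how it works") shares. It assumes textbook RSA with small primes as a stand-in for the participants' encryption keys, constructed addresses A', B', C', D' as small integers, one coin per input, and leaves out the per-message signatures described in the first stage.

```python
import random

def rsa_keypair(p, q, e=17):
    """Textbook RSA from two small primes: toy stand-in for each participant's encryption key."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(priv, c):
    return pow(c, priv[1], priv[0])

# Constructed participants in queue order. Moduli shrink along the queue (6557 > 4757 > 3233)
# so that a ciphertext produced under a later party's key always fits under an earlier one.
QUEUE = ["Alice", "Bob", "Charlie", "Dave"]
KEYS = {"Bob": rsa_keypair(83, 79), "Charlie": rsa_keypair(71, 67), "Dave": rsa_keypair(61, 53)}
# Fresh destination addresses A', B', C', D' as integers below Dave's modulus 3233.
DEST = {"Alice": 1001, "Bob": 2002, "Charlie": 1234, "Dave": 3131}
INPUTS = {"Alice": ("A", 1), "Bob": ("B", 1), "Charlie": ("C", 1), "Dave": ("D", 1)}

def onion(name):
    """Encrypt name's address to Dave first, then to each party between name and Dave."""
    msg = DEST[name]
    for holder in reversed(QUEUE[QUEUE.index(name) + 1:]):  # for Alice: Dave, Charlie, Bob
        msg = encrypt(KEYS[holder][0], msg)
    return msg

def shuffle_round(rng=random):
    """Walk the queue: each party peels one layer off every entry, adds its own, shuffles."""
    entries = [onion(QUEUE[0])]
    for name in QUEUE[1:]:
        entries = [decrypt(KEYS[name][1], c) for c in entries]
        entries.append(onion(name))
        rng.shuffle(entries)
    return entries  # Dave now holds A', B', C', D' in random order, with no owner labels

def build_transaction(output_addresses):
    """Dave's draft: the known inputs plus one output per shuffled address."""
    return {"inputs": sorted(INPUTS.values()), "outputs": [(a, 1) for a in sorted(output_addresses)]}

def willing_to_sign(name, tx):
    """Each participant signs only if the draft pays their own address the expected amount."""
    return (DEST[name], 1) in tx["outputs"]

def signatures(tx):
    """Collect signatures; the transaction is only broadcast if every input owner signs."""
    return {name: willing_to_sign(name, tx) for name in QUEUE}
```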
The Confidential Transactions (CT) method is quite special because it completely conceals the actual input and output amounts from third parties. At the same time, it enables everyone to ascertain that the sum of all outputs doesn’t exceed the sum of all inputs, which is enough for a transaction to be validated. This is possible due to the use of zero-knowledge proofs, that is, cryptographic proof that someone knows a certain secret without disclosing it.
A scheme called ‘Pedersen commitment’ is used to prove that the sum of outputs doesn’t exceed the sum of inputs. It is based on operations in a group of points on an elliptic curve. To prevent uncontrolled coin emission, the scheme also requires proof that the amounts in transaction outputs are permissible: a technique called Range Proofs makes sure the amounts used are non-negative and stay within a fixed range, so that sums cannot wrap around.
Ring Confidential Transactions
Let’s scrutinise another method called Ring Confidential Transactions. It employs so-called ring signatures to obscure the origin of coins. Here’s how it works. In a transaction input, the sender refers to several UTXOs (unspent transaction outputs) rather than a single one. Then, they use a ring signature to prove ownership of the coins in one of those outputs without disclosing which one it is. This mechanism makes it impossible to trace the origin of the coins unambiguously.
This use of ring signatures was first introduced in the CryptoNote protocol, which underlies a number of cryptocurrencies. Ring Confidential Transactions also combines ring signatures with the CTs we have already touched upon. It allows for creating transactions with multiple inputs and outputs, where the origin of every input cannot be clearly traced, the transfer amounts are obfuscated, and creating a transaction doesn’t require any interaction with other users.
Let’s have a look at Stealth Addresses and their benefits. Basically, this is a method that conceals the destination address of a transaction. This concept was first described by Peter Todd. It leverages public keys as user identifiers, which means you need to disclose your public key to receive payments. Then, the sender uses their key pair and your public key to generate a new one-off public key, which will be indicated in the transaction as the destination address. In other words, no one but the sender and the recipient knows the destination address. It is impossible for a third-party observer to establish ties between the user ID and destination address in a transaction output, which adds an extra layer of privacy to the use of cryptocurrency.
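An added Python illustration of two pieces described above: the Pedersen commitment balance check from the Confidential Transactions section and the one-off key derivation behind Stealth Addresses. It is not code from any wallet or from the cited authors; it assumes secp256k1 arithmetic in pure Python, a second generator H derived from a known scalar (unsafe for real use, as noted in the code), and constructed keys, amounts and blinding factors.

```python
import hashlib
from functools import reduce

# secp256k1 constants (public); all the code around them is an added toy illustration.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add, scalar reduced modulo the group order
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_scalar(pt):
    return int.from_bytes(hashlib.sha256(b"%064x%064x" % pt).digest(), "big") % N
# Confidential Transactions: Pedersen commitment C = value*H + blind*G. Real CT hashes to the
# curve so nobody knows log_G(H); deriving H from a known scalar (assumption, for brevity)
# would let a prover forge balanced commitments in production.
H = ec_mul(hash_scalar(G), G)

def commit(value, blind):
    return ec_add(ec_mul(value, H), ec_mul(blind, G))
def balances(in_commits, out_commits):
    """Verifier checks sum(inputs) == sum(outputs) on commitments alone, learning no amounts."""
    return reduce(ec_add, in_commits, None) == reduce(ec_add, out_commits, None)

# Stealth addresses: the sender turns the recipient's long-term public key into a one-off key.
def stealth_send(recipient_pub, ephemeral_priv):
    R = ec_mul(ephemeral_priv, G)  # sender's one-off public key, published with the transaction
    shared = hash_scalar(ec_mul(ephemeral_priv, recipient_pub))
    return R, ec_add(ec_mul(shared, G), recipient_pub)  # one-off destination key seen on-chain

def stealth_receive(recipient_priv, R):
    shared = hash_scalar(ec_mul(recipient_priv, R))  # same secret, computed from the other side
    return (shared + recipient_priv) % N  # private key that spends the one-off output
```

The balance check alone accepts an output committing to -1 next to one committing to 81 against inputs of 50 and 30, which is exactly the hole the Range Proofs described above close.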
John Mason, founder, TheBestVPN.com
Image Credit: Geralt / Pixabay