Bitcoin Anonymity

Mixing
• So far, we've seen that different addresses might be linked together by
transaction graph analysis and that they might also be linkable to a real-
world identity. We've also seen that a transaction or address could get linked
to an IP address based on the peer-to-peer network.
• There are several mechanisms that can make transaction graph analysis less
effective. One such technique is mixing.
• It is very simple: if you want anonymity, use an intermediary.
• This principle is not specific to Bitcoin and is useful in many situations where
anonymity is a goal.
Mixing…
Mixing can improve anonymity in many contexts
by using an intermediary to route your
communications (or money).
• Put the coin into some intermediary, some
service.
• After the deposit, the service forgets the sender and
treats all the bitcoins it holds as
indistinguishable from one another.
• At the end, it might combine them into a
single transaction or merge them in different
ways.
• When the user comes back to withdraw their
bitcoins, they won't be tied to the coins they
put in.
• They will get their coins from some other
randomly picked deposit that the intermediary
received.
Mixing…
Benefits
• Suppose that somebody is looking at the public information in the
blockchain.
• They don't see the operations performed inside the intermediary.
• So they won't be able to link the input addresses to the ultimate
output addresses belonging to the same user. This is the
intuition behind intermediaries.
Online wallets as mixes
• Online wallets seem to be suitable as intermediaries.
• Online wallets are services where you can store your bitcoins online and
withdraw them at some later date. Typically the coins that you withdraw won’t
be the same as the coins you deposited.
• There are several important limits to using online wallets for mixing.
• Most online wallets don’t actually promise to mix users’ funds
• Even if they do mix funds, they will almost certainly maintain records internally that will
allow them to link your deposit to your withdrawal
• In addition to keeping logs internally, reputable and regulated services will also require
and record your identity
• Therefore the anonymity provided by online wallets is similar to that provided
by the traditional banking system.
Dedicated mixing services
• In contrast to online wallets, dedicated mixes promise not to keep records, nor
do they require your identity. You don’t even need a username or other
pseudonym to interact with the mix.
• You send your bitcoins to an address provided by the mix, and you tell the mix
a destination address to send bitcoins to. Hopefully the mix will soon send you
(other) bitcoins at the address you specified.
• It’s essentially a swap.
• While it’s good that dedicated mixes promise not to keep records, you still have
to trust them to keep that promise.
Use a series of mixes
• We begin with a user who has a coin or
input address that we assume the
adversary has managed to link to them.
• The user sends the coin through various
mixes, each time providing a freshly
generated output address to the mix.
• Provided that at least one of these mixes
destroys its records of the input to output
address mapping, and there are no side-
channel leaks of information, an adversary
won’t be able to link the user’s original coin
to their final one.
Dedicated Mixing services
Mix fees
• Why do mixes provide their service?
Typically, it's because they're a business and so they want to be paid. It turns
out that essentially the only way for these mixers to get paid is to take a cut of the
transaction that the user is sending to the mix.

Drawback
• This is problematic: if a mix takes a standard percentage, an adversary might be
able to use the amounts to link the input transaction and the outgoing
transaction.
Solution
• So some current mixes try to randomize the transaction fee; they might say, "we take
a random cut between 1% and 3%". However, this is not a good idea either: if
you put a coin through a chain of mixes, the value of the chunk is going to
dwindle in a predictable way, and this is an important side channel for the
adversary.
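As an added illustration (not from the slides), the following Python simulation compares the fee designs just discussed by the amount-based anonymity set each one leaves: user-chosen amounts with a fixed percentage fee, standard chunks with a random 1%-3% cut at each mix of a chain, and standard chunks with a fixed fee. The chunk size, input amounts, user count, hop count and seed are constructed sample values.

```python
import random
from collections import Counter

CHUNK = 100_000_000          # constructed standard chunk size: 1 BTC in satoshis


def run_chain(amount, fee_rates):
    """Send one amount through a chain of mixes; each mix keeps its cut
    (fee rate as a fraction of what arrives at that mix)."""
    for rate in fee_rates:
        amount -= int(amount * rate)
    return amount


def anonymity_sets(outputs):
    """For each output amount, how many outputs carry exactly the same amount.
    An observer who matches amounts cannot tell the members of one group apart,
    so larger groups mean better anonymity; a group of 1 is fully linkable."""
    counts = Counter(outputs)
    return [counts[a] for a in outputs]


def user_chosen_amounts_fixed_fee(rate=0.02):
    """Drawback case: each user picks their own amount and the mix takes a
    fixed 2%. Every output is input * 0.98, so every user stands alone."""
    inputs = [123_456_789, 50_000_000, 250_000_000, 80_000_000]   # constructed
    return [run_chain(a, [rate]) for a in inputs]


def chunks_random_fee(n_users=50, hops=3, low=0.01, high=0.03, seed=7):
    """Randomized-fee case: everyone sends a standard chunk, but each mix in
    the chain takes a random 1-3% cut. Amounts dwindle around CHUNK * 0.98**hops
    and almost every user ends up with a unique amount."""
    rng = random.Random(seed)
    return [run_chain(CHUNK, [rng.uniform(low, high) for _ in range(hops)])
            for _ in range(n_users)]


def chunks_fixed_fee(n_users=50, hops=3, rate=0.02):
    """Standard chunk plus a fixed fee: every user leaves each hop with the
    same amount, so the amount reveals nothing about who is who."""
    return [run_chain(CHUNK, [rate] * hops) for _ in range(n_users)]


def summary():
    """Smallest anonymity set per design (1 means fully linkable by amount)."""
    return {
        "user_chosen_fixed_fee": min(anonymity_sets(user_chosen_amounts_fixed_fee())),
        "chunks_random_fee": min(anonymity_sets(chunks_random_fee())),
        "chunks_fixed_fee": min(anonymity_sets(chunks_fixed_fee())),
    }


if __name__ == "__main__":
    print(summary())
```

The metric deliberately counts only exact amount matches; a real observer would also use timing and the transaction graph, so these numbers are an upper bound on what the fee design alone gives you.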
Conclusion
• All those principles are really important to preserve a good level of anonymity.
The sad news is that none of the current mixes follow these principles. Each
mix operates completely independently and with a distinct web interface.
The user interacts with a single mix at a time and manually, choosing the
amount instead of a standard chunk size.
• So the current situation doesn't provide a good level of anonymity. But
changing to a slightly different model based on the principles above would
increase anonymity a lot.
• Of course there would still be the problem of trust between the user
and the mixes. However, mixes do a lot of things to improve their
trustworthiness, for example staying online for a long time and not
stealing users' money. In addition, if the money goes through many
mixes, a single mix cannot know which user the money is coming
from. So, if it wants to steal, it will only be able to steal
randomly and not from a particular user.
• Finally, one proposal to increase mixes' trustworthiness could be to
use a cryptographic mechanism where the mix issues a sort of
promissory statement to the user: once it receives a chunk at a
particular address, it will send a chunk back to some other address
that the user provides. If the mix fails to keep this promise, the
idea is that the user can publicize this warranty, and everybody will
know that a particular mix has cheated.
Decentralized Mixing
• Decentralized mixing is the idea of getting rid of mixing services and replacing
them with a peer-to-peer protocol by which a group of users can mix their
coins.
• There's a variety of reasons for decentralized mixing:
• No bootstrapping problem: in a decentralized system you find a community of peers who
all want to do mixing, and it is possible to mix without any central coordination or service
that collects your funds.
• No thefts: nobody is explicitly sending bitcoins to another user.
• It could also provide better anonymity.
• It's more philosophically in line with Bitcoin: it makes it possible to get rid of the need
for a centralized service, and a lot of Bitcoin users find that appealing.
Coinjoin model
• The main proposal for decentralized mixing
is called Coinjoin.
• In this protocol, different users jointly
create a single Bitcoin transaction that
combines all of their inputs.
• The key technical principle that enables
Coinjoin to work is this
• when a transaction has multiple inputs coming
from different addresses, the signatures
corresponding to each input are separate from
and independent of each other.
• So these different addresses could be
controlled by different people. You don’t need
one party to collect all of the private keys.
Coinjoin transaction structure
Let's see what a transaction looks like from an algorithmic point of view:
1. First of all, it's necessary to find peers who want to mix
2. They have to exchange their input and output addresses with each other
3. One of the users must construct the cumulative transaction
4. He signs his inputs and sends the transaction to the other peers. Each one will check that
their output is present before signing their input. If a single peer refuses to sign the
transaction, it won't be forwarded
5. Broadcast the transaction
• The entire security property comes from each peer checking that their
output address is there,
• and that their output address receives at least as much value as went in
from their input.
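The five steps above, as an added Python simulation that is not from the slides or from any Coinjoin implementation. Peer names, addresses, the chunk size and the per-peer fee share are constructed; an HMAC keyed with each peer's own secret stands in for Bitcoin's per-input ECDSA signature (a simplification, since real verification uses the public key), which is enough to show that each input is signed independently and that a peer whose output is missing refuses to sign, leaving the transaction unbroadcastable.

```python
import hashlib
import hmac
import json
import random

CHUNK = 100_000_000      # constructed standard chunk size: 1 BTC in satoshis
FEE_PER_PEER = 1_000     # assumed equal share of the mining fee per peer

# Constructed sample peers. "key" is a hypothetical per-peer signing secret.
PEERS = [
    {"name": "alice", "key": b"alice-key", "input_addr": "1AliceIn", "output_addr": "1AliceFresh"},
    {"name": "bob",   "key": b"bob-key",   "input_addr": "1BobIn",   "output_addr": "1BobFresh"},
    {"name": "carol", "key": b"carol-key", "input_addr": "1CarolIn", "output_addr": "1CarolFresh"},
]


def build_coinjoin(peers, seed=1):
    """Step 3: one peer assembles the cumulative transaction from the input and
    output addresses exchanged in step 2. Outputs are shuffled so that their
    position does not reveal which input they belong to."""
    inputs = [{"addr": p["input_addr"], "value": CHUNK} for p in peers]
    outputs = [{"addr": p["output_addr"], "value": CHUNK - FEE_PER_PEER} for p in peers]
    random.Random(seed).shuffle(outputs)
    return {"inputs": inputs, "outputs": outputs, "sigs": {}}


def unsigned_bytes(tx):
    """Canonical serialization of the transaction body that every signature covers."""
    return json.dumps({"in": tx["inputs"], "out": tx["outputs"]}, sort_keys=True).encode()


def peer_checks(peer, tx):
    """Step 4, the check every peer makes before signing: my output address must
    be present and receive at least my input value minus my agreed fee share."""
    mine = [o for o in tx["outputs"] if o["addr"] == peer["output_addr"]]
    if not mine:
        return False
    return sum(o["value"] for o in mine) >= CHUNK - FEE_PER_PEER


def sign_input(peer, tx):
    # HMAC-SHA256 over the unsigned body stands in for an ECDSA signature on one input.
    return hmac.new(peer["key"], unsigned_bytes(tx), hashlib.sha256).hexdigest()


def collect_signatures(peers, tx):
    """Pass the transaction around: each peer signs only its own input, and only
    after its check passes. A single refusal stops the protocol (returns None)."""
    for peer in peers:
        if not peer_checks(peer, tx):
            return None
        tx["sigs"][peer["input_addr"]] = sign_input(peer, tx)
    return tx


def ready_to_broadcast(tx):
    """Step 5 precondition: every input carries a signature."""
    if tx is None:
        return False
    return all(i["addr"] in tx["sigs"] for i in tx["inputs"])


def demo():
    """Honest run versus a run where the coordinator drops carol's output."""
    honest = collect_signatures(PEERS, build_coinjoin(PEERS))
    tampered = build_coinjoin(PEERS)
    tampered["outputs"] = [o for o in tampered["outputs"] if o["addr"] != "1CarolFresh"]
    refused = collect_signatures(PEERS, tampered)
    return ready_to_broadcast(honest), ready_to_broadcast(refused)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Because every signature covers the whole unsigned body, a coordinator cannot alter outputs after collecting some signatures without invalidating them, which is why the check each peer makes before signing is the entire security argument.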
Zerocoin and Zerocash
• No cryptocurrency anonymity solutions have caused as much excitement as
Zerocoin and its successor Zerocash.
• All of the anonymity-enhancing technologies that we have seen so far add
anonymity on top of the core protocol; Zerocoin and Zerocash incorporate
anonymity at the protocol level.
Zerocoin
• Basecoin is a Bitcoin-like altcoin, and Zerocoin is an extension of this altcoin.
• The key feature that provides anonymity is that you can convert basecoins into
zerocoins and back again, and when you do that, it breaks the link between the
original basecoin and the new basecoin.
• In this system, Basecoin is the currency that you transact in, and Zerocoin just
provides a mechanism to trade your basecoins in for new ones that are
unlinkable to the old ones.
• You can view each zerocoin you own as a token which you can use to prove that
you owned a basecoin and made it unspendable. You can later redeem this
proof for a new basecoin by presenting this proof to the miners.
• Zero-knowledge proofs. The key cryptographic tool we’ll use is a zero-
knowledge proof, which is a way for somebody to prove a
(mathematical) statement without revealing any other information
that leads to that statement being true.
Minting Zerocoins
• Zerocoins come into existence by minting, and anybody can mint a
zerocoin.
• They come in standard denominations. For simplicity, we’ll assume that
there is only one denomination worth 1.0 zerocoins, and that each zerocoin
is worth one basecoin.
• While anyone can mint a Zerocoin, just minting one doesn’t automatically
give it any value — you can't get free money. It acquires value only when
you put it onto the block chain, and doing that will require giving up one
basecoin.
• To mint a Zerocoin, you use a cryptographic commitment.
• a commitment scheme is the cryptographic analog of sealing a value in an envelope
and putting it on a table in everyone’s view.
Minting a zerocoin is done in three steps:
1. Generate serial number S and a random secret r
2. Compute Commit(S, r) , the commitment to the serial number
3. Publish the commitment onto the block chain as shown in this Figure. This burns a
basecoin, making it unspendable, and creates a Zerocoin. Keep S and r secret for now.

• To spend a zerocoin and redeem a new basecoin, you need to prove that you
previously minted a zerocoin. You could do this by opening your previous
commitment, that is, revealing S and r. But this makes the link between your
old basecoin and your new basecoin apparent.
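The mint and the naive spend-by-opening described above, as an added Python example that is not from the slides or from the Zerocoin project. It uses a SHA-256 hash commitment in place of the Pedersen commitment Zerocoin actually uses and a toy in-memory ledger; the zero-knowledge spend proof that hides the link is deliberately not implemented, so the return value of spend_by_opening is exactly the link the slides warn about. Address names are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constructed toy block chain: published commitments (minted zerocoins,
    each recorded next to the basecoin address that was burned, which is public
    on the real chain too), serial numbers already redeemed, and basecoin balances."""
    commitments: list = field(default_factory=list)
    spent_serials: set = field(default_factory=set)
    basecoins: dict = field(default_factory=dict)


def commit(serial: bytes, r: bytes) -> bytes:
    """Commit(S, r) = H(S || r). Hiding while r stays secret, binding because
    SHA-256 is collision resistant. Assumption: a hash commitment is enough to
    show the mechanics; Zerocoin itself uses Pedersen commitments."""
    return hashlib.sha256(serial + r).digest()


def mint(ledger, payer_addr):
    """Minting steps 1-3: pick S and r, compute Commit(S, r), publish it and burn
    one basecoin. Returns the secrets the user must keep until spending."""
    if ledger.basecoins.get(payer_addr, 0) < 1:
        raise ValueError("need one basecoin to mint a zerocoin")
    serial = secrets.token_bytes(32)
    r = secrets.token_bytes(32)
    ledger.basecoins[payer_addr] -= 1                 # burned, sent to nobody
    ledger.commitments.append((payer_addr, commit(serial, r)))
    return serial, r


def spend_by_opening(ledger, serial, r, new_addr):
    """Redeem by opening the commitment (revealing S and r). The serial number
    prevents double spending, but anyone can recompute the commitment, find it
    on the ledger and learn which burned basecoin this new one came from."""
    if serial in ledger.spent_serials:
        raise ValueError("serial already spent (double spend rejected)")
    c = commit(serial, r)
    for payer_addr, published in ledger.commitments:
        if published == c:
            ledger.spent_serials.add(serial)
            ledger.basecoins[new_addr] = ledger.basecoins.get(new_addr, 0) + 1
            return payer_addr          # the link a zero-knowledge proof would hide
    raise ValueError("no matching commitment on the ledger")


def demo():
    """Mint from old_addr, redeem to new_addr, and report the exposed link."""
    ledger = Ledger(basecoins={"old_addr": 1})
    serial, r = mint(ledger, "old_addr")
    linked_to = spend_by_opening(ledger, serial, r, "new_addr")
    return linked_to, ledger.basecoins


if __name__ == "__main__":
    print(demo())   # ('old_addr', {'old_addr': 0, 'new_addr': 1})
```

With a zero-knowledge proof, the spender would publish only S plus a proof of knowing some r such that Commit(S, r) is among the ledger's commitments; the serial still blocks double spending, but the loop that finds the matching mint becomes impossible for an observer.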
Zerocash
• Zerocash is a different anonymous cryptocurrency that builds on the concept of
Zerocoin but takes the cryptography to the next level. It uses a cryptographic
technique called zero-knowledge SNARKs (zk-SNARKs: Succinct Non-
Interactive ARguments of Knowledge), which are a way of making zero-knowledge
proofs much more compact and efficient to verify.
• It becomes possible to run the whole network without needing a basecoin.
• All transactions can be done in a zero-knowledge manner.
• The transaction amounts are now inside the commitments and no
longer visible on the block chain. The cryptographic proofs ensure
that the splitting and merging happens correctly and that users can’t
create zerocash out of thin air.
• The only thing that the ledger records publicly is the existence of
these transactions, along with proofs that allow the miners to verify
all the properties needed for the correct functioning of the system.
Comparison of the anonymity technologies
Altcoins and the Cryptocurrency
Ecosystem
Short History of Altcoins
Altcoins: History and Motivation
The term altcoin loosely refers to any cryptocurrency launched since Bitcoin.
How many altcoins are there?
• Between 150 and 500 altcoins launched to date
• Impossible to provide an exact number because it’s not clear which altcoins are worth counting
• If no one has started mining or using an altcoin yet, does that count?
• Other altcoins have been launched and seen some initial use, but then died very quickly after their launch.
How are they created?
○ borrow concepts from Bitcoin by directly forking its code base
○ make only very minor modifications to Bitcoin parameters
○ begin with a new genesis block and their own alternate view of transaction history
[Figure: Altcoins launched per month (by genesis block), data from mapofcoins.com. Bitcoin is not alone: more than 150 altcoins launched to date. Labelled coins: Bitcoin, Namecoin, Litecoin, Peercoin, Dogecoin.]
Reasons for launching altcoins
● Every altcoin needs some kind of story to tell. If an altcoin can’t claim
some characteristic that distinguishes it from all of the others, there is no
reason for it to exist.
● In the simplest case, an altcoin simply changes some of the built‐in
parameters of Bitcoin.
● This includes things like the average time between blocks, the block size
limit, the schedule of rewards being created, or the inflation rate of the
altcoin.
How to launch an altcoin: what are the steps involved in launching a new
altcoin?
Creation: creating a new reference client, typically by forking the existing code
base or modifying the characteristics of some existing, more well‐established
altcoin, or of Bitcoin itself
○ Coingen: a service that would automate this process for a small fee
Bootstrapping: if nobody is using your altcoin, it has no market value (since
nobody wants the coins) and no security (since there aren’t miners yet)
○ Popularize it by creating its own ecosystem, which consists of developers, miners, investors, merchants,
customers, and payment services
○ Attracting miners has special importance for cryptocurrencies because without adequate hash power
behind an altcoin, security may fail badly if double‐spending and forks are possible; one approach is to give
early miners greater rewards.
○ Getting a community of people to believe the altcoin is valuable
Namecoin
Introduced in April 2011.
• It gives the possibility to register a domain name which is not already in use for a small fee,
corresponding to 0.01 Namecoin (around $0.05). So, the cost is far less than the cost of
registering a domain name following the standard procedure.
• It is not necessary to pay a renewal fee to keep the domain; it is enough to publish
every six months a transaction that pings the domain name under your control.
• Namecoin manages subdomains in the same way as the current domain name system. For example, if
you register mywebsite.bit, you have access to all its subdomains.
• It is also possible to transfer domains to other people, selling them in exchange for some
Namecoins.
• It was the first altcoin to feature merged mining, which is a very interesting mining approach.
Litecoin
● Litecoin launched in Sep. 2011
● Memory-hard mining puzzle
○ Intended to be GPU-resistant,
○ when Bitcoin mining was GPU-based
○ FPGAs and ASICs arrived, but later than for BTC
● 2nd most popular altcoin, the most widely forked
● Block rate is 4x faster
Peercoin (aka PPCoin)
Launched August 2012
Hybrid mining:
● First Proof-of-Stake algorithm
○ mine by spending “stake” which accumulates
● Proof-of-Work can earn mining rewards
○ … but aren’t counted for choosing the main chain
● Also uses regularly published “checkpoints”
○ acts as a safeguard
Metrics for comparing altcoins
● Market cap (price * total number of coins)
○ Overestimates value (but by how much?)
○ Doesn’t account for lost / out-of-circulation coins
● Exchange volume
○ Depends on nature of third party exchanges
○ Can be moved deliberately
● Total hashpower (for similar puzzles)
● Merchant support and usage
