Bitcoin and Anonymity
I’m finally on Week 6. That’s a win! Be warned this lecture covers several related topics and seems to jump from one to the other. Thus the notes below seems a bit more disjointed. This lecture dives into the terms of what it means to be anonymous. In addition, it brought up compelling questions on the ethics behind it. Getting into blockchain, there is a lot of talk about decentralization. For me, I look at decentralization as not necessarily requiring anonymity. People have been building these reputation and identity systems which is almost accomplishing the opposite goal, shedding light on these anonymous addresses to. Lastly, we talk about blind signatures which demonstrate why anonymity and decentralize may be at odds with each other.
Questions answered in this Post:
- Is Bitcoin anonymous?
- Who is this anonymity good for? What are the improvements that have been proposed?
- What does unlinkability mean and is it necessary?
- Why anonymous cryptocurrencies?
- Why don’t you want complete anonymity?
- What is some historical references of anonymous cash?
- What are some anonymous currencies if not Bitcoin?
Is Bitcoin anonymous?
It depends. That is the best answer to any question for almost everything (Oh so vague). Anonymous is defined to be “without a name”. Bitcoin addresses are public key hashes rather than real identities which realistically map to some real world entity. That is not a requirement but at this point in time many people physically create a public address that they themselves use and control. Apparently this is defined as “pseudonymity”. Even with things like hierarchical deterministic wallets, all those addresses are sprung by a single entity. So now it becomes more of a question of semantics.
What does unlinkability mean and is it necessary?
Anonymity is equal to pseudonymity plus unlinkability. Thus, unlinkability means that different interactions of the same user with the system should not be linkable to each other. Linkable in the sense that someone could monitor all the transactions and know that these set of transaction were all done by the same user even if there used different addresses. That’s actually pretty profound and difficult. I’m just thinking that if you see a high concentration of transactions happening between two parties and not anyone else than potentially that grouping may know each other or at least partake in business with each other. It may or may not be a similar algorithm for how Facebook or Linkedin can determine friend groups.
Now let’s talk about an example with online forums where people are able to create online entities. Some places like Reddit or Telegram, people create long-term pseudonyms. With Reddit, your reputation gives you more access and power within the site. Alternatively, 4Chan, the posts are anonymous with no attribution at all.
Additionally, if anyone has used cryptocurrency exchanges like Coinbase or even pure crypto-exchanges like Liqui or Poloniex, users need to input address and country information into the system. Therefore, real world identities are explicitly added to a system that could have been done with straight hash addresses.
Because of this and the fact unlinkability is hard among all addresses/transactions, instead another term is used called anonymity set. An anonymity set is the crowd that one attempts to blend into. I think it of it more like “study thy enemy”. This means that for the set you need to understand what the adversary knows, what they do not know, and what they cannot know. Thus to get to unlinkability, you’re trying to maximize the anonymity set. You also need to have a careful and thorough understanding of the technical protocol. Now the lecturer just shifts gears into discussing the ethics of this approach.
Anonymous Cryptocurrencies?
Currently blockchain based currencies are publicly, and permanently traceable. This means that the notion of privacy is worse than traditional banking which is one goal some people hope to achieve with blockchain and cryptocurrencies. Thus, he makes the argument that blockchain needs to do better. I ask again “Why?”. I would have preferred for him to state the reasons more explicitly. I read another post called “Importance of Anonymous Cryptocurrencies” where he at least elaborates on the idea a second time. I took his response to mean that not all currencies have to be anonymous. In fact the mainstream ones will likely not be as e-commerce and advertising benefit from this denonymization which is in fact more transparent than credit cards and especially more so than cash. The use of the research will drive confidence in mainstream adoption of Bitcoin. My take is that people will be happy that the technology exists but may not use it. His post also made me question if the question itself was invalid. Why ask the Bitcoin protocol about something that is more used in the Bitcoin ecosystem. The services are the truer implementation and develop around a protocol.
Why don’t you want complete anonymity?
Easily, one reason for wanting to provide complete anonymity is money laundering and even just using the funds for something malicious. Yes, that means that this structure is tied to real-world regulatory and criminal courts. However, if humans are performing these transactions on native soils, it seems reasonable that the entity that the people belong to has a hand in what happens to the currency amounts.
The lecturer uses this term bottleneck. Bottleneck means looking at the points of moving large flows of money in and out of Bitcoin. Thus, it is difficult to move money from Bitcoin to fiat currency. I don’t think that works since more and more people are going to just keep and provide their services for crypto. Look at Olaf Carlson-Wee, he took a job where he was only paid in crypto at a time where crypto was seemingly worthless. Also, there are websites that accept crypto but then at that point you’re also inputting several pieces of personal information like address and name though. It’s interesting he brought up the point of Tor which is an anonymous communication network where sender and receiver of message is truly unlinkable. So even with all this technology there is still a need for a blanket above it of law enforcement and regulation. Hmm, it sounds like this system can’t exist and be separate from centralized institutions if it will be safe for mainstream public consumption.
What are some historical references to anonymous currency (electronic cash)?
Arvind, the lecturer, brings up blind signatures which were created by David Chaum in 1982. This serves as an example that electronic cash has bee proposed in the past. Chaum can be considered the “Father of Anonymity”. Blind signatures is a two-party protocol, meaning two parties communicate with each other, to create a digital signature without the signer knowing the input. I looked up two of his papers, <a=””>Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms and <a=”https://taler.net/papers/chaum-blind-signatures.pdf”>Blind Signatures for Untraceable Payments. Arvind then walks through this protocol of blind signatures to handle anonymous e-cash.
Anonymous e-cash via blind signatures example
As with most examples, we start off with a bank, a central authority. The bank houses customer’s balances say customer Alphonso(10) and Bartelli(5). Also, it posses a table of spent coins. That’s not very interesting so let’s add some action to this story.
Alphonso wants to withdraw an anonymous coin of size 1. The bank will have a reduced balance that now equals 9. Afterwards they’ll execute the two party protocol. Alphonso will pick a random serial number of a coin which gets sent to the bank and there is some execution. The bank will send Alphonso a signature of the serial number in a way that the bank does not actually know the serial number. Now Alphonso has a signature of a serial number of an anonymous coin that (forgive me if this is not 100% correct), holds the information and value of the coin that Alphonso withdrew from that specific bank. The lecturer refers to this signature of a coin as an anonymous token that can be passed to others.
A little time passes. Alphonso decides he is going to give Bartelli one coin a a token of good will. The one coin that Alphonso holds which he knows the serial number that he sent to the bank as well as the signature of the coin that the bank sent back to him. He will send the anonymous (signed) token as well as the plain-text value of the token of the serial number. Bartelli will immediately contact the bank to deposit the money. Bartelli needs to do this action immediately to ensure that Alphonso is not trying to participate in a double spend. Double spend meaning that that Alphonso has not tried to give the anonymous token to several other individuals thus using the value of the token more than once and thereby creating more value than he started with. The bank will verify that the coin is not within the spent coins table. Only once the bank says the coin is valid with Bartelli continue with the transaction. The bank looks at the signature and makes sure it is valid as well as checking the plaintext serial number of the token is not within the spent coins table. Once confirmed, Bartelli will deposit the coin into the bank. Since the bank did not look at the serial number initially, the bank cannot tell who is the sender of the coin, they only know the receiver. Now the balances table will increment the balance to six and the bank will send a response back to the user. Now the bank cannot link the two users.
Drawbacks
One drawback is that the bank knows who is receiving the coin. The other question for me was whether it makes sense for users to just briefly touch base with the bank and then withdraw so that the balance is at zero. Basically you use the bank as just a validator but once that has been confirmed, the tokens become changed to anonymous and can be used for different payments.
The glaring drawback is centralization is required. The bank is used for both the signing and the validation of the coin. It is possible that banks for Alphonso and Bartelli don’t need to know their names and just their hash addresses. Even still, there is still a central location doing the validation. However, as a thought though, what can the bank do maliciously? The bank could just arbitrarily withdraw everyone’s funds and give it to themselves. They could also just lock the capital and not allow withdraws for deposits thereby freezing accounts. Arvind brings up that much of the research in cryptography protocols used a similar model where the bank was considered trustworthy.
Actual cryptocurrencies that encompass Anonymous Attributes
I’m going to just list a few that have some properies. Feel free to disagree or suggest more. I also did not include Zerocash which is in the next lecture.
- Monero
- Zcash
- Dash
- Verge
Monero, and Zcash are two currencies that provide anonymity features. I’ll talk more about Zcash in the next segment given that it’s discussed in this lecture series. Monero is not so I’ll spend some time on it.
Monero is cryptographically private and uses items called stealth addresses and ring confidential transactions. I have seen people on the internet recommend that one should use Tor with Monero. Stealth addresses means a random one-time address is automatically created for each transaction being made by the sender. This means that all payments sent have unique addresses and prevent links between the recipient. Ring signature add a second layer of masking by ensuring that the original sender of the coin cannot trace outputs on the blockchain. Outputs end up being masked so that senders are unable to determine if their coins are moved by the recipient by some grouping and hiding mechanism. The notion of ring confidential transaction means that the amount being transactions is hidden even though the network is able to verify said amount without revealing details. This mixing quality allows for the sum of inputs to equal the sum of outputs without knowing the exact sum of each individual component.
Dash and Verge are slightly different. They are not inherently cryptographically private. However, each has different characteristics built-in to provide more privacy then Bitcoin. Also, note that both dash and verge are similar in protocol to Bitcoin the the above two.
Dash uses something calling mixing, which is a method to anonymize Bitcoin. The truly basic explanation is that if you want to do a transactions merge it with other instead and then do a joint payment have it mixed together such that a little or your and the other persons values are distributed in the output. Thus there isn’t an easy way to separate the inputs and outputs in one bitcoin transaction. Dash has a level of trust built in for who it responsible for the mixing depending on the Public/Private send. The trust is enforced economically by having the master node lock some Dash coins though.
Verge offers privacy by how the messages are trafficed. They claim if one uses Tor and I2P Routing, traffic will be obfuscated and the user’s IP address will be concealed. It’s strange that Verge uses this secure communication but then have a site for the “Rich List”. Personally, I have not read their Blackpaper and only have a cursory understanding of the currency and how their focus on privacy is implemented.
Reflections: Anonymity versus Decentralization
Summing up, bitcoin allows for better decentralization than anonymity and that’s OK. The lecturer mentions that people can improve on the anonymity given that the decentralization target has been achieved. I’m not sure I agree that the decentralization target has been achieved giving the prevalence of mining farms. It does bring up to question, “Can you be both anonymous and decentralized?”. The example given suggests that if you use a bank or just an single centralized arbitrary validator to have these “two party protocols”, it’s not easy to decentralized. Also, because a blockchain is public, this is one way to enforce the accountability and security. It’s hard to prevent double spends then.
Unlinkability in Bitcoin could mean
- It’s hard to link different addresses owned by the same user
- It’s hard to link different transactions made by the same user