Bitcoin Open Source Software + Stakeholders

I’m just merging the next two lectures together. They’re short: one is regarding the open source Bitcoin developers and the other is the stakeholders. Unsurprisingly, these topics are interconnected and thus I’ll quickly cover them since it seems pretty cut and dried. Not boring and dry, just simple and quick.

Questions answered in this Post:

  • What are BIPs?
  • What are the roles of the Bitcoin developers?
  • What happens during a hard fork?
  • Who has power in Bitcoin?

Bitcoin Open Source

As everyone knows, you can just go to GitHub and look at the Bitcoin repository. Thus Bitcoin Core is the de facto rule book. It’s interesting that the lecturer mentioned that even those who are building new cryptocurrencies will look to it as a guideline for their own rules.

In addition to the core, there are also Bitcoin Improvement Proposals (BIPs). A BIP is a formal proposal for a change to Bitcoin. Essentially, since everything is public and people need to be in consensus, this is the way to formally propose changes to Bitcoin, including the technical specification of the change and its rationale. They are usually referred to by number, like BIP32/BIP39. I personally have spent the most time looking at the BIPs related to mnemonic code for generating deterministic keys. This is because there is crossover between Ethereum and Bitcoin in how the deterministic keys are generated for each chain. I highly recommend that people, technical or nontechnical, read at least one BIP. They are clear, well formatted, and easy to read even if they are not that easy to understand. Each BIP has a champion to evangelize for it. Other projects have something similar, such as Ethereum which has EIPs (Ethereum Improvement Proposals) and Ripple which has RIPs (Ripple Improvement Proposals). There was a repo for LIPs (Litecoin Improvement Proposals) but given that acronym perhaps they moved it elsewhere. Enough of this tangent; essentially, if Bitcoin were a government we now have the Constitution (rulebook) and a Legislative system (a way to make and look up laws).

There are five main lead developers on Bitcoin. One of them, Gregory Maxwell, was discussed in earlier lectures as the proposer of coin tumbling strategies, i.e. CoinSwap. The lecturer points out that even though they are the lead developers, their power is muted and they tend just to “lead the parade” because anyone can fork the software at any time. This gives power to the individual users, which is more than what you would get in a centralized currency. With a centralized currency users have the right to exit. However, if there is only a single bank, exiting the bank would be detrimental to your everyday life. Life would become more difficult. Beyond that, maybe you can join another if it exists, but there isn’t a mechanism to make it better. With Bitcoin, users can fork the rules, meaning more empowerment. Thus the right to fork ensures that the community retains more power as opposed to the central deploying entity. What exactly is a fork though?

Hardforks with Developers

I’ve discussed hard forks before. However, the lecturer goes more in depth on user behavior. If the fork was meant to start an altcoin, then the altcoin goes its separate way and the branches coexist nicely. Otherwise, forks could reflect a fight over the future. Thus when miners fork, it means there needs to be mass adoption of a new set of rules that eventually takes over the entire network of Bitcoin nodes. If mass adoption doesn’t occur, or it’s only a small subset that wants to fork, well, that becomes its own currency, e.g. Bitcoin Cash. Now we segue to the stakeholders.

Stakeholders in Bitcoin

There are several kinds of stakeholders in Bitcoin. If there is a BIP or a negotiation about rule setting, what happens? I’ll expand on that below with some thought experiments.

Claiming the Bitcoin developers have the power

This seems obvious to me because they write the rule book. Almost everyone uses their code and follows their rules. In addition, for some of the technical details, they may be the only ones knowledgeable enough to make informed assessments about changes. However, if they do something that only benefits them, they run into the case that people, i.e. miners and users, just stop using this blockchain. They perceive that they are at a disadvantage and, because Bitcoin is not the only chain, they can move their business elsewhere. As discussed above, this empowerment is something you don’t find in a centralized currency.

Claiming the miners have the power

Miners are powerful. They write the history and without them, the blockchain doesn’t move forward. History has to be consistent with the future.

Claiming that investors have the power

Investors have power. They determine whether Bitcoin has value and, with hard forks, investors can decide which branch prevails by keeping or buying the successful currency. However, again, they are relying on the developers to build code and miners to mine their transactions.

Claiming that merchants and consumers have power

While the populace has power, the lecturer also claims that they generate primary demand for Bitcoin and drive the long-term price. I’m still unclear what sets the price for Bitcoin so I’m a little more skeptical of this argument. He then claims that investors have to guess where the merchants and customers will go. Then you can think of the payment services who handle the transactions.

However, all have some power. For success, there needs to be some relationship across these different slivers for the blockchain to exist and be stable. If any one of them gains too much power, the others, I’m sure, will be able to impact them negatively, almost enforcing this balance.

Bitcoin Foundation

The last group, which should be a category of their own, is the Bitcoin Foundation. It began in 2012 and has the mission to “standardize, protect and promote the use of bitcoin cryptographic money for the benefit of users worldwide.” They pay the developers. They evangelize Bitcoin to governments. While it’s not fully powerful, it does have quite a bit of support. There are controversies within the foundation, which is interesting. Each of the members clearly has their own agenda. Roger Ver wanted to start his own nation this year. Additionally, whenever one of the foundation members speaks about price movement, they have the ability to shift sentiment positive or negative.

Wrap Up

I spouted out a lot of facts. Not much of this is relevant to the everyday user. I still recommend reading a BIP. I also recommend considering who has power when looking at Bitcoin or any other token. In the words of Ron Swanson, I should have started off with, “I’ll be delivering a speech of facts.”

Consensus in Bitcoin

This lecture began to put together the ideas of cryptographic functions and how they interact with the humans who create/use/interface with them. However, before talking about policy and regulations, the lecturer began with the idea of consensus in Bitcoin. Note, this is a very short section that has some important concepts. While there is nothing difficult discussed, after thinking about these concepts for a while, I’ve had a newfound respect for their foundational value. Also, there’s been a craze in the blockchain ecosystem about HashGraph. HashGraph is an alternative consensus protocol that is much faster, and therefore more scalable, than Bitcoin. I’ll need to spend more time on it but I’ve put two links here and here that will explain more to those interested. Also, the next lecture will likely be more meaty.

Consensus, by definition, just means general agreement. It’s tame, more like the French phrase “D’accord”. However chill the word sounds, it’s the crux of what makes the Bitcoin network functional, and consensus comes in several types.

Questions answered in this Post:

  • What are the three types of Consensus discussed?
  • What does consensus of rules mean?
  • What does consensus of history mean?
  • What does consensus of value require?

Rules, History, Value

I gave the answer right in the header. The three types of consensus discussed relate to the block rules, the blockchain history, and the value of Bitcoins.

Consensus about rules means there needs to be agreement on the technology and infrastructure. People need to know what makes a transaction valid and what makes a block valid. It also gives structure to how P2P nodes behave and to the protocols and formats. Without consensus in this layer, the nodes would not be able to communicate with each other and each might validate different blocks, so there would be no consistent way for the system to move forward. One real-world thing I think about is hard forks. During a hard fork, there is a division among the nodes and certain nodes become incompatible with others. Thus all the nodes need to move to one standard eventually to persist.

Consensus of history means one needs to agree on the contents of the blockchain. Concretely, this means which transactions have occurred, which coins exist, and who owns them. Bitcoin can be simplified to being a store of value and thus everyone needs to agree on this distributed ledger. While it seems so simple, i.e. one big shared database, that agreement has to hold for people to remove trust from central parties and place trust in these systems.

Lastly, there is consensus of value. Having looked at the price fluctuations of Bitcoin, it’s hard to deny there is value. Coins have value and currencies need this. However, back in 2009, people likely needed to believe. The lecturer then speaks about the “Tinkerbell Effect.” It’s a circular argument that you get value from something because someone tomorrow will also see the value. It’s clear that the rules and history are closely tied because rules determine which blocks and transactions come into existence. History and value are tied because a claim of ownership rests on consensus about the history. It’s a two-way relationship because the block reward means miners expect value for maintaining the rules as they admit transactions and blocks.

I think this statement was important since he calls it the “Genius of Bitcoin.” The “Genius of Bitcoin” was that any one of these forms of consensus is extremely difficult to achieve by itself. I’m curious if other protocols rely on these three pillars. While HashGraph may have a different consensus protocol, do they still need people to believe in them?

Tor and the Silk Road

This lecture was all about Tor and anonymous communication, and then briefly talked about the Silk Road. Instead of just looking at the Silk Road, I expanded my view. I’ve been looking at the Whisper protocol, which is a communication protocol that allows decentralized apps to communicate with each other. In addition, one can use Signal for private communication as well. Regardless, the lecture gave a good overview of how Tor can be used.

Questions answered in this Post:

  • What is anonymous communication?
  • At a high level, how does a message move in Tor?
  • How do you hide routing information?
  • Where does the term “onion network” come from?
  • What is a hidden service?
  • Reading recommendations

Anonymous Communication

Here’s a breakdown of the basic communication network. You have a bunch of senders and receivers. For a message to get to a recipient, it has to pass through a communication network where multiple parties will propagate the message forward to the recipient.

Similar to how a mix worked, a sender wants to send a message to a particular recipient but they do not want to be linked. The threat model considers adversaries within the network: any edge or node can be an attacker. The lecturer claims that there must exist at least one honest sender, communication network path, and recipient for the message to get sent.

Tor: high level

Now how does Tor allow the message to pass through safely? Tor does this by picking a chain of intermediaries to form the route. The route is chosen randomly, but its length is fixed in the Tor protocol at 3. The sender pre-selects a path of three intermediaries through which the message will pass. The security guarantee is thus: as long as at least one of the nodes is not compromised, the sender is safe. By safe, I mean that unlinkability is maintained. There are some attacks on Tor, specifically the “end to end traffic correlation attack”. People will look at timing to see when the nodes may be communicating with each other. One key challenge is: how do you hide routing information?

Tor: hiding routing information

To send a message, the destination (IP address) has to be present. However, if we think any of the routers may be compromised, we do not want a router to be able to see the destination. Arvind mentions that the answer is encryption, specifically layered encryption. Layered encryption resembles an onion, which is where the term onion routing comes from. Alice and the first router share a symmetric key. Alice and the second router share another key. Alice and the third router also share a key. The symmetric keys are ephemeral, used only when needed. The only long-term keys are the keys held by the routers, where each has a public key. The last leg from the third router to Bob is unencrypted. However, up until that point the message is encrypted. As the message passes along the routers, layers of encryption get peeled off, each revealing only the next place to send it and the still-encrypted inner message. If you use secure web browsing over HTTPS, the final message to Bob is encrypted as well.
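The layered construction described above, as an added example that is not from the lecture or the Tor project: the sender wraps the payload once per relay, and each relay can strip only its own layer. A SHA-256 keystream XOR stands in for the real ciphers Tor uses (an assumption of this example), and the relay names, the destination “bob.example” and the HTTP payload are constructed sample values.

```python
import hashlib
import json
import os

# Toy stream cipher standing in for Tor's real ciphers (assumption of this example):
# keystream = SHA-256(key || counter), XORed with the data. Not for production use.
def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # XOR is its own inverse, so the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Sender side: wrap the payload in one layer per relay, innermost first.
    circuit is a list of (relay_name, shared_key) in hop order; each layer
    names only the next hop, so a relay learns nothing beyond its neighbours."""
    layer = json.dumps({"next": destination, "data": payload.hex()}).encode()
    onion = xor_crypt(circuit[-1][1], layer)  # exit relay's layer (innermost)
    for i in range(len(circuit) - 2, -1, -1):
        _name, key = circuit[i]
        layer = json.dumps({"next": circuit[i + 1][0], "data": onion.hex()}).encode()
        onion = xor_crypt(key, layer)
    return onion

def peel(key: bytes, onion: bytes):
    """Relay side: strip one layer; returns (next_hop, remaining_bytes)."""
    layer = json.loads(xor_crypt(key, onion).decode())
    return layer["next"], bytes.fromhex(layer["data"])

def route(circuit, onion: bytes):
    """Simulate the three relays. Returns what each relay saw as its next hop,
    plus the bytes the exit hands to the destination (plaintext unless the
    sender also used HTTPS end to end)."""
    observed = []
    current = onion
    for name, key in circuit:
        next_hop, current = peel(key, current)
        observed.append((name, next_hop))
    return observed, current

def demo():
    # Constructed sample circuit: Alice shares a fresh ephemeral key with each relay.
    circuit = [(relay, os.urandom(32)) for relay in ("guard", "middle", "exit")]
    payload = b"GET / HTTP/1.1\r\nHost: bob.example\r\n\r\n"
    onion = build_onion(circuit, "bob.example", payload)
    observed, delivered = route(circuit, onion)
    # What the guard alone can see: its next hop and an opaque encrypted blob.
    _guard_next, guard_blob = peel(circuit[0][1], onion)
    return {
        "observed": observed,
        "delivered": delivered,
        "guard_sees_bob": b"bob.example" in guard_blob,
    }

if __name__ == "__main__":
    result = demo()
    for relay, nxt in result["observed"]:
        print(f"{relay:6s} forwards to {nxt}")
    print("exit delivers:", result["delivered"])
    print("guard can see Bob's address:", result["guard_sees_bob"])
```

The guard learns only that the next hop is the middle relay; the exit learns Bob’s address and, because the last leg is unencrypted here, the payload too. Only the sender holds all three keys, which is why a single honest relay is enough to keep sender and destination unlinked in this model.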

Silk Road: Challenges

According to the lecturer, Silk Road was an anonymous marketplace that sold illicit items and was run by Dread Pirate Roberts. Also, the Silk Road was a hidden service. Thus it’s not something you can quickly “Google”. To host one, you pick a “rendez-vous” point (a Tor router) through Tor. Then you publish the mapping between the service’s name and the address of the rendez-vous point. Thus clients can connect to the rendez-vous point and then get access to your website. The addresses are usually random strings of characters and numbers, but they end with .onion. The closing for this was brief so no nice wrap up, but I’ve listed some readings below.

Reading Recommendations

If you really want to look more into the topic of Silk Road, I have two more recommendations for reading material that I truly enjoyed. The Silk Road portion was only part of each book, but the rest of each book is worth reading as well. I got them both from Overdrive connected to my local library, but I’m sure you can also just buy them somewhere. The first one was Digital Gold. The second one was Dark Net, which again I really liked. I haven’t gotten to the lecture in which they cover the Silk Road and thus I’ll probably recommend that as well.

Zerocoin and Zerocash

Zerocoin and Zerocash and ultimately Zcash

This lecture discusses alternatives to Bitcoin. These coin protocols are not backward compatible with Bitcoin. Zerocoin was initially developed by JHU. From there, Zerocash was created. Zcash is the implementation, which is also a fully-fledged currency. Zcoin is similar but based on Zerocoin. Both protocols provide a privacy-preserving version of Bitcoin as part of the protocol. I personally have had experience learning about zero knowledge proofs and Zcash. I was surprised that much of that seems to have been glossed over during the lecture. It’s not an easy topic, so hopefully the lecturers spend more time on it if they decide to expand the series.

Questions answered in this Post:

  • What is Zerocoin?
  • What is a zero knowledge proof?
  • How is a Zerocoin minted versus redeemed?
  • What is Zerocash?

ZeroCoin

ZeroCoin is protocol-level mixing. The mixing capability is baked into the protocol. A first version of the paper was released in 2013. Within their abstract they mention that Zerocoin is a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions. This means that one does not need to trust any user for anonymity; one just needs to trust the underlying protocol. The lecturer brings up another term, BaseCoin, to use in the discussion.

Basecoin is defined to be a Bitcoin-like altcoin. Zerocoin is just an extension of Basecoin. So Basecoins can be converted into Zerocoins and back. When they become converted, the link between the old and new coin is broken. This adds that extra layer of anonymity.

Per the lecture, a Zerocoin is a cryptographic proof that you own an unspendable BaseCoin. Miners can verify that. By having this unspendable coin, you have the right to redeem a new BaseCoin.

Challenges of ZeroCoin addressed

There are two main challenges that the lecturer addresses. The first is how one constructs these proofs that guarantee that someone with an unspendable coin can redeem it for a new coin. The second is how you ensure that it only gets redeemed once. If it could be redeemed more than once, then you are vulnerable to double spend attacks.

Zero-knowledge proofs (ZKP) are the savior of the day. They provide a way to prove a statement without revealing any other information. Yes, I highlighted most of the sentence because it is that important. You now have the ability to say “I know an input that hashes to some hash in the following set.” You’re able to make these claims without explicitly sharing the input. The talk gets a bit more hand-wavy at this point.

Walk through of minting and redeeming ZeroCoin

With ZKP, we can say that ZeroCoins get minted. They come into existence by minting and they come in standard denominations: 1 Basecoin == 1 ZeroCoin. Minting a ZeroCoin doesn’t by itself have value. Value results when it gets added to the blockchain. Minting a ZeroCoin involves a “cryptographic commitment”. Intuitively, you’re taking a serial number S that will be put into an envelope. In addition, you generate a random secret r which is never made public. From there a hash is generated composed of S (public) and r (private). This sounds very similar to public and private keys being used to generate hashed messages.

With the commitment, you put it onto the blockchain and now it’s part of a transaction. Thus a BaseCoin becomes burned (the mint transaction) and the output carries the hash of the serial number and r, i.e. the commitment.

To spend a ZeroCoin S, you now do the reverse. S has to be revealed, and miners can verify whether S has been spent before. Next, a zero-knowledge proof is created, i.e. “I know a number r such that H(S, r) is one of the ZeroCoins in the blockchain.” After this crypto-magic, one can pick an arbitrary ZeroCoin in the blockchain and use it as input for the next transaction. Thus r is not revealed, but knowing it is what lets you produce the proof. Someone can look at this and confirm that you have the right to redeem a BaseCoin. The anonymity property is maintained because r is secret and no one can determine which Zerocoin gets linked to the serial number S. Thus ZeroCoin is “efficient” since there is a giant disjunction over all ZeroCoins and yet the verification time is not linear in their number. They may be slower than Bitcoin but relatively fast. Now we just move towards ZeroCash. It is more efficient, using SNARKs, and is not reliant on an intermediary coin like BaseCoin.
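The mint/spend bookkeeping from the last few paragraphs, as an added example that is not the Zerocoin paper’s code: the commitment H(S, r) goes on chain at mint time, and at spend time the serial S is revealed so a second redemption is refused. The membership proof is the one place this example deliberately falls short of the real protocol: here the spender hands over r itself (a non-zero-knowledge stand-in, an assumption of this example), so the check is correct but it reveals which commitment is being redeemed; Zerocoin replaces that step with a zero-knowledge proof so neither r nor the matching commitment is disclosed. The ledger balances and address names are constructed sample values.

```python
import hashlib
import os

def commit(serial: bytes, r: bytes) -> bytes:
    """Cryptographic commitment H(S, r): binds the coin to serial S while the
    secret r keeps S hidden until spend time. SHA-256 with a domain tag stands
    in for the commitment scheme of the paper (assumption of this example)."""
    return hashlib.sha256(b"zerocoin-commit|" + serial + b"|" + r).digest()

class Ledger:
    """Minimal BaseCoin/ZeroCoin bookkeeping: which commitments exist and which
    serial numbers have already been spent."""
    def __init__(self, basecoins: dict):
        self.basecoins = dict(basecoins)   # address -> unspent BaseCoin balance
        self.commitments = []              # minted ZeroCoins (the "giant disjunction")
        self.spent_serials = set()

    def mint(self, address: str):
        """Burn one BaseCoin and record a commitment on chain. Returns the
        minter's private (S, r); only the commitment is published."""
        if self.basecoins.get(address, 0) < 1:
            raise ValueError("no BaseCoin to burn")
        self.basecoins[address] -= 1
        serial, r = os.urandom(16), os.urandom(32)
        self.commitments.append(commit(serial, r))
        return serial, r

    def verify_membership(self, serial: bytes, proof: bytes) -> bool:
        # STAND-IN (assumption of this example): `proof` is the opening r itself,
        # so this is correct but not zero-knowledge and it reveals the matching
        # commitment. Zerocoin uses a ZK proof of "I know r with H(S, r) in the set".
        return commit(serial, proof) in self.commitments

    def spend(self, serial: bytes, proof: bytes, to_address: str) -> bool:
        """Redeem a ZeroCoin for a fresh BaseCoin. S is revealed so a second
        spend is caught; the proof must show that some minted commitment
        opens to S."""
        if serial in self.spent_serials:
            return False                      # double-spend attempt
        if not self.verify_membership(serial, proof):
            return False                      # no minted coin behind this serial
        self.spent_serials.add(serial)
        self.basecoins[to_address] = self.basecoins.get(to_address, 0) + 1
        return True

def demo():
    # Constructed sample ledger: Alice holds 2 BaseCoins, Bob none.
    ledger = Ledger({"alice": 2, "bob": 0})
    s1, r1 = ledger.mint("alice")
    s2, r2 = ledger.mint("alice")
    return {
        "first_spend": ledger.spend(s1, r1, "bob"),       # valid redemption
        "double_spend": ledger.spend(s1, r1, "bob"),      # same serial again: refused
        "wrong_r": ledger.spend(s2, os.urandom(32), "bob"),  # no knowledge of r: refused
        "second_coin": ledger.spend(s2, r2, "bob"),
        "alice_balance": ledger.basecoins["alice"],
        "bob_balance": ledger.basecoins["bob"],
        "coins_on_chain": len(ledger.commitments),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to notice: the serial number must be public, because the double-spend check is a simple set lookup on S, and the commitment list is never pruned, which is exactly the “disjunction over all ZeroCoins” that the proof has to range over.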

ZeroCash

All the transactions can be done in the zero-knowledge-proof manner because the efficiency has been increased. Zerocash means untraceable e-cash. All transactions are zero coins and splitting and merging are fully supported. Thus the ledger has a record of the existence of the transaction, but only the people who partook in the transaction would know its contents. Mining fees are kept standard, which means very little information is shared. The one issue of the system is that random secret inputs are required to generate the public parameters. Thus the secret inputs must be securely destroyed, because if anyone knows them, the system can break. The resulting public parameters are about 1 GB in size. There has been coverage regarding this private ceremony. I’ve shared Zcash’s ceremony for some context.

Here’s NPR’s Radiolab coverage of the same ceremony.

Zcash and Selective Disclosure

I have a few more notes regarding Zcash. I was fortunate to listen to Paige Peterson of the Zcash project speak. As mentioned above, Zcash is a fork of Bitcoin. Zcash can be seen as another cryptocurrency that protects the privacy of transactions by using zero knowledge cryptography (ZKP). Zcash has extensions which I thought were interesting, like “selective disclosure”. This is the ability to authorize 3rd parties to see some pieces of information by giving them permission. For me, that allows for a situation where regulators would be more “OK” with the introduction of Zcash because they have control over the content. The way this occurs is through items called shielded transactions.

I stumbled upon the Zchain block viewer. This viewer allows you to look at all transactions, and there is a section that says whether each was shielded or not. Zcash makes it such that you can remove all input from a transaction and the only piece of information that you would see is the fee. Since the Zcash fee is the same for all, this is really not helpful to an observer. However, if you are the recipient, Zcash has a mechanism of viewing keys, where it’s a channel so that only intended people can have view access. That’s really neat!

Wrap Up

I’m going to finish this article off with a nice chart that was presented in the lecture titled “5 Levels of Anonymity”.


System      Type               Anonymity attacks             Deploying
Bitcoin     Pseudonymous       Tx graph analysis             Default
Single Mix  Mix                Tx graph analysis, bad mix    Usable
Mix Chain   Mix                Side channels, bad mix        Bitcoin compatible
Zerocoin    Cryptographic mix  Possible side channels        Altcoin
Zerocash    Untraceable        None                          Altcoin

Decentralized Mixing

Last lecture described mixers, but as the lecturer notes there were some flaws with the design. Honestly, this was a dry lecture in terms of the descriptions and content.

Questions answered in this Post:

  • What are some issues with centralized mixers?
  • What is CoinJoin?
  • What are some implementations of CoinJoin?
  • What is a side channel that the lecturer has alluded to?

Cons for using centralized mixers, pros for decentralized

The lecturer brings up several points. First, there is an inherent bootstrapping problem. For a mixer to be successful and create a large anonymity set, it needs to have a large number of users. To get users you need to have a good reputation. This is not the case for decentralized mixers because individuals are banding together. As long as there is sufficient interest, mixing can just occur. Second, there is less trust involved, and Arvind mentions that you can guarantee no theft. Depending on how you structure the decentralized protocol, theft can be prevented, since no one user is sending their Bitcoins to anyone else. Also, there may be more anonymity with this method. Lastly, it’s more aligned with Bitcoin given that it is a decentralized method.

CoinJoin

The protocol that does this decentralized mix is called CoinJoin. CoinJoin was developed by Greg Maxwell, who is a core Bitcoin developer. Per bitcoinwiki, “CoinJoin is a method for bitcoin transaction compression which aims to improve privacy by discarding unnecessary information.” Ok, bitcoinwiki doesn’t really explain too much. Investopedia’s definition is a little better: “An anonymization strategy that protects the privacy of users when they conduct transactions and requires multiple parties to sign jointly on an agreement to mix their coins when doing separate Bitcoin transactions.”

High level explanation of CoinJoin

According to the lecturer, several users come together for a single Bitcoin transaction and combine all their inputs (he suggests they should be of equivalent value). The signatures for each of the inputs are entirely separate, so no single user has to hold the others’ private keys. This means that the users can have a randomized ordering for the transaction. In addition, this was only a single round of mixing; multiple rounds should take place. Outside users may be able to tell that it is a CoinJoin transaction but will not know the internal specifics. The mixing principles discussed in the previous lecture also need to be used.

Lower-level algorithm as a list

  1. Find peers who want to mix (a group of like-minded people need to find each other)
  2. Exchange input/output addresses
  3. Construct transaction (only a single person does this)
  4. Send it around, collect signature (Before signing, each peer checks if her output is present: security property)
  5. Broadcast the transactions
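Steps 3 to 5 of the list above, as an added example that is not from the lecture or any CoinJoin implementation. The part worth watching is step 4: a peer signs only after confirming her own output is still in the transaction, so a coordinator that swaps an output cannot get the transaction signed, and any single peer withholding her signature stalls the whole thing (the denial-of-service issue discussed further below). HMAC-SHA256 under a per-peer key stands in for an ECDSA signature (assumption of this example); the peer names, addresses and amounts are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import random
from dataclasses import dataclass, field

def serialize(tx: dict) -> bytes:
    # Canonical encoding so every peer signs exactly the same bytes.
    return json.dumps(tx, sort_keys=True).encode()

@dataclass
class Peer:
    """One CoinJoin participant. HMAC-SHA256 under a private key stands in for an
    ECDSA signature (assumption of this example); the point is that each peer
    signs only her own input and only after checking the transaction."""
    name: str
    input_addr: str
    output_addr: str
    amount: int                                   # satoshis; equal for all peers
    key: bytes = field(default_factory=lambda: os.urandom(32))
    refuse: bool = False                          # models a peer withholding her signature

    def sign(self, tx: dict):
        """Step 4: check that my output survived, then sign."""
        if self.refuse:
            return None
        if {"addr": self.output_addr, "amount": self.amount} not in tx["outputs"]:
            return None                           # coordinator tampered: do not sign
        return hmac.new(self.key, serialize(tx), hashlib.sha256).hexdigest()

    def verify(self, tx: dict, sig: str) -> bool:
        expected = hmac.new(self.key, serialize(tx), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)

def build_transaction(peers, rng: random.Random) -> dict:
    """Step 3: a single coordinator assembles all inputs and outputs, shuffled so
    that ordering does not reveal which input pays which output."""
    inputs = [{"addr": p.input_addr, "amount": p.amount} for p in peers]
    outputs = [{"addr": p.output_addr, "amount": p.amount} for p in peers]
    rng.shuffle(inputs)
    rng.shuffle(outputs)
    return {"inputs": inputs, "outputs": outputs}

def run_coinjoin(peers, tamper_with=None, seed=1) -> str:
    """Steps 3-5 end to end. Returns 'broadcast' or the reason the round stalled."""
    tx = build_transaction(peers, random.Random(seed))
    if tamper_with is not None:                   # malicious coordinator redirects one output
        for out in tx["outputs"]:
            if out["addr"] == tamper_with.output_addr:
                out["addr"] = "attacker-address"
    signatures = {}
    for p in peers:                               # step 4: send it around, collect signatures
        sig = p.sign(tx)
        if sig is None:
            return f"stalled: {p.name} did not sign"
        signatures[p.input_addr] = sig
    for p in peers:                               # every input must carry a valid signature
        if not p.verify(tx, signatures[p.input_addr]):
            return f"invalid signature from {p.name}"
    return "broadcast"                            # step 5

def demo():
    # Constructed sample peers (steps 1-2 already done: they found each other and
    # exchanged input/output addresses). Equal amounts are what make the mix work.
    peers = [Peer(n, f"in-{n}", f"out-{n}", 100_000) for n in ("alice", "bob", "carol")]
    honest = run_coinjoin(peers)
    tampered = run_coinjoin(peers, tamper_with=peers[1])
    peers[2].refuse = True                        # denial of service: one peer withholds
    refused = run_coinjoin(peers)
    peers[2].refuse = False
    return {"honest": honest, "tampered": tampered, "refused": refused}

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Because no peer ever sends coins to another party before the final transaction is broadcast, a failed round costs nothing but time; that is the “no theft” property, and the flip side is that any participant can cheaply abort the round.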

Open Questions for CoinJoin

  • How to find peers?
    Arvind suggests using an untrusted server which does add engineering complexity.
  • Is there a security risk that peers know your input-output mapping?
    Arvind mentions that as long as there is diversity in the individuals running nodes, it should be ok. It is possible that a single adversary creates numerous sybils such that a sybil is part of every CoinJoin and is thus able to learn the input-output mapping. This is a problem that is not present in centralized mixes because those can have reputations. The proposed solution is just a strawman, meaning that it’s a draft version that people can improve. The proposed solution is disconnecting the inputs and outputs via Tor. That leads to a better solution, which is having a special-purpose anonymous routing mechanism. These exist under the term Decryption Mixnets.
  • Can there be denial of service attacks?
    Yes, one of the nodes can always choose not to sign the transaction. In addition, someone can spend their coins before the CoinJoin transaction is written to the blockchain and thus force a double spend, invalidating the CoinJoin. Arvind’s solution is to add some cost to prevent people from doing this arbitrarily. He proposed using proof of work, proof of burn (fidelity bonds), a server that kicks out malicious participants, or a cryptographic “blame” protocol (CoinShuffle).

Current Implementation of Coinjoin

What is a side channel, high-level flows?

The example is Alice receiving a set amount of bitcoin each week as income and then transferring 5% to a retirement account. This kind of pattern is one that is very visible on a blockchain. To prevent this, Mike Hearn proposed merge avoidance. Thus, a receiver provides multiple output addresses and the sender avoids combining the different inputs.

Wrap Up

Which of these is NOT an advantage of Coinjoin over centralized mixes?

  • Built-in protection against denial-of-service attacks

Mixing: Service to provide anonymization

Similar to many solutions to problems in software and computer science, the age-old method of “add a layer of indirection”, using an intermediary, has been proposed. The point of this lecture was to provide a solution to counter the transaction graph analysis discussed in the previous lecture. The takeaway is that online wallets don’t provide any better service than modern banks. This means that people may understand the shift to Bitcoin, but it doesn’t really give them an advantage to do it. The use of mixing intermediaries can provide anonymity but does require that everyone use them to increase the anonymity set.

Questions answered in this Post:

  • What is mixing in general?
  • How does it operate?
  • What are some other applications that act similarly?
  • What are the differences between mixing intermediaries and online wallets?
  • What has happened to certain mixers?
  • What is Mixcoin?
  • Why does this model still require trusting mixers?

Mixing

Mixing is one solution to providing anonymization by way of introducing an intermediary. Here’s the simple use case. How do you anonymize three people’s transactions that are sending some value to three different counterparties? The visual example (from the lecture) started off with three people sending some value to a single destination, the intermediary. From there, the said intermediary would output the same transaction values and send them to the respective addresses specified by the original senders. The main point is that the bitcoins are considered “mixed”. Thus you know that three people sent bitcoin and then three entities received bitcoin, but you don’t know who sent what. When this scales larger, it becomes more anonymous. Thus someone looking at these transactions would not be able to tie the bitcoin to specific people, i.e. the linkability between the input addresses and output addresses is removed.

How does it operate

A mixer is a service which takes in and puts out certain pieces of information. A mixer publishes its own address (who to send the transaction to). The mixer takes an address for who is receiving the Bitcoin. Mixes make money by charging some fee, 1%-3%, to handle the transactions. That’s how they make money and, at current prices, that can add up. Thus people shouldn’t mix for small transactions, only large ones.

Some issues with mixers

While I think this idea is interesting, my singular thought is that centralization is being added. You need to have a mixer that almost everyone uses, or else people could see cliques in the network, or everyone has their own “cleaner”. I’m not sure if that’s true but that was my understanding of this process. I did some research and found a few mixing services mentioned. The Merkle had an article where they only mentioned four mixers in 2017, and one of the ones mentioned is no longer in service. The reason Bitmixer gave for going dark was posted in a Bitcointalk thread. The tidbit that most articles, here and here, used was “Now I grasped that Bitcoin is transparent non-anonymous system by design.” The rest of the note is worth sharing, where he tells users to use Dash or Zerocoin for those dark market transactions.

My second thought was “Isn’t this just straight up money laundering?”. Money laundering is where people move money that was acquired by shady means to make it look legitimate by passing it through a seemingly legitimate source. This usually involves real estate, or buying physical items, or just moving money through cash-oriented places like laundromats or nail salons. Isn’t this idea of dumping all transactions into one central place pretty much accomplishing that? Apparently others on the internet agreed with me and mentioned that using mixing services may even be illegal in certain jurisdictions. One red flag for me was that many of the sites on “How to Bitcoin Mix” suggested going to sites via Tor. This lecture didn’t cover that topic, but it’s important so I’ll address it a bit.

Money laundering is a serious crime that can have reprehensible consequences. It is also how many criminal organizations do their business, and it has been used to finance terrorist attacks. Organizations that deal with money, such as banks, have to deal with federal and international regulations to watch for money laundering. Giving people a way to do that in cryptocurrency is making the problem worse. Because of this, it is no surprise that mixing services may be illegal in certain countries and that mixing services are getting more pressure. However, as the lecturer states, this lecture is less about the morals of the actions and just about the pure technology. The lecture then segues into the next topic of online wallets, in that they provide a similar service without the anonymity.

Online Wallets: mixing without extra steps?

Right, so he mentions that online wallets provide you the same service. However, most online wallets don’t provide this. The online wallets that I use at least linked an email address to the user accounts. I have used BitGo before. I have also listed a lot more in my previous post on online wallets. The online wallets don’t just have to be online wallets. Players like Coinbase and Mt. Gox, i.e. exchanges, also provide this service. Places like Coinbase have zero privacy in that they link people’s real-world identities strongly to the Coinbase wallets.

So, what’s the difference?

The lecturer brings up two main points on these mixing services. One, they “promise” not to keep records, and second, they don’t require an identity. These are the main differences, since online wallets do the exact opposite. As I mentioned before, they have to keep records of everything because they are regulated businesses. This one article from Townhall posted today highlights some of the areas of taxation for cryptocurrency holders, specifically via Coinbase. Some of the tax changes are a result of the recent tax bill passed in the United States. The second point is that users trust these sites and thus will willingly keep their cryptocurrency in these systems longer. That means there is a larger anonymity set, since participants are willing to keep their coins in these intermediaries longer. The lecturer brings up the point that this mimics the centralized intermediaries that exist in the current financial system. A stranger will only know that perhaps you’re using this centralized intermediary but will not know your transaction history. The intermediary may keep records of such information, but they are not publicly sharing it. Only regulatory and judicial parties tend to be able to request this information. At this point, I don’t have a clear reason why one would choose Bitcoin for more anonymity if you only use online wallets.

Now we move on to more of a discussion of mixers. Arvind mentioned that his team studied these mixers and came up with some improvements for them, which they proposed as Mixcoin.

Mixcoin

Mixcoin is the name of the protocol to facilitate anonymous transactions or payments. One recommendation was that one should use a series of mixes, not just one, and that there should be a standard API. This is similar to the idea of chaining routers when doing anonymous communication. By having multiple mixes, one removes the need to trust a single mix. The lecturer also showed a visualization where a single user’s transaction would pass linearly across 3 different mixes before it was finally output. Each time, the user seems responsible for taking the output and then re-inputting the Bitcoin into the next mix. Because it is being passed through 3 mixes, you need each of them to be honest about how much Bitcoin they are processing, and you need the cost of mixing to be low enough that going through 3 mixes doesn’t become too expensive. Thus the transactions across the different mixes have to look as uniform as possible, and so they propose a fixed chunk size. Lastly, he mentioned that this mixing had to be integrated into client-side software. Regarding costs, they recommended that fees be all or nothing, applied probabilistically: so in, say, 0.1% of cases the whole chunk goes to the mixer as the fee, and in the rest the mixer swallows the cost. This is used to reduce the ability of observers to track coins through the mixer via the fee amounts.

While these are great proposals, mixers have not followed them. They tend to act independently with a web interface (rather than being integrated into client software). In addition, there is no standard chunk size. The mixer mentioned above also does not use a probabilistic fee.
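To see why the uniform chunk size and the all-or-nothing fee matter, here is an added example of my own (not from the lecture or the Mixcoin paper) that looks at a mix purely from the viewpoint of an observer who can only see amounts. The chunk size, the fee rate and the sample amounts are constructed for illustration; a percentage fee on arbitrary amounts leaves every input matched to exactly one output, while identical chunks with an all-or-nothing fee give every output the same anonymity set.

```python
import random
from collections import Counter

# Amounts are in satoshis (integers) so comparisons are exact.
CHUNK = 100_000_000  # constructed chunk size: 1 BTC
FEE_BPS = 100        # constructed percentage fee: 1% expressed in basis points


def percentage_fee_outputs(inputs, fee_bps):
    """Mix that charges a percentage fee on arbitrary input amounts.
    Each output is its input minus the fee (rounded down)."""
    return [amount - amount * fee_bps // 10_000 for amount in inputs]


def split_into_chunks(amount, chunk=CHUNK):
    """Mixcoin-style uniform chunks: returns the mixable chunks and the
    remainder that stays unmixed (it would otherwise be a unique amount)."""
    return [chunk] * (amount // chunk), amount % chunk


def mix_chunks(chunks, fee_prob, seed=0):
    """All-or-nothing fee: each chunk comes back whole, or with probability
    fee_prob is kept entirely by the mix. Every returned amount is identical,
    so the fee leaves no amount-based trail. A seeded RNG keeps this repeatable."""
    rng = random.Random(seed)
    return [c for c in chunks if rng.random() >= fee_prob]


def amount_anonymity_sets(inputs, outputs, fee_bps=0):
    """For each input, count the outputs an amount-only observer cannot rule out,
    i.e. the outputs equal to the input minus the (publicly known) fee.
    A count of 1 means that input is linked to exactly one output by amount."""
    counts = Counter(outputs)
    return [counts[amount - amount * fee_bps // 10_000] for amount in inputs]


if __name__ == "__main__":
    # Constructed sample: three users sending 1 BTC, 2.5 BTC and 0.73 BTC.
    inputs = [100_000_000, 250_000_000, 73_000_000]
    outputs = percentage_fee_outputs(inputs, FEE_BPS)
    print("percentage fee, anonymity set per input:",
          amount_anonymity_sets(inputs, outputs, FEE_BPS))   # [1, 1, 1]

    chunks = []
    for amount in inputs:
        whole, remainder = split_into_chunks(amount)
        chunks += whole                                       # remainders stay out of the mix
    mixed = mix_chunks(chunks, fee_prob=0.001)
    print("uniform chunks, anonymity set per chunk:",
          amount_anonymity_sets(chunks, mixed))               # every chunk blends with all others
```

The chunk scheme also shows why the user's client has to do the splitting: the 0.73 BTC user contributes no chunk at all and the 2.5 BTC user leaves 0.5 BTC unmixed, which is exactly the client-side integration the lecture calls for.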

Why does this model still require trusting mixers?

Mixers still have all the power. You have to trust that they will not just take the input and never return it. Also, when they advertise a fixed transaction fee, you have to take their word for it. In addition, you are relying on the mixers to be honest, to not keep records, and to preserve your anonymity. Mixers can improve their reputation by staying in business for long periods of time. However, with this increased reputation, if there are so few mixers, the ones still running have the power to charge arbitrary fees. He also mentioned something called cryptographic “warranties”.

Wrap Up

As of now, there is no dedicated mix protocol that everyone follows. It’s also a skewed system that requires trust in the mixer. The Bitcoin wiki says “Use at your own discretion,” as does Arvind.

Which of these techniques can improve the anonymity provided by mixing services?

  • using a series of mixes
  • using the same chunk size for all mixing transactions

De-anonymize Bitcoin

How to De-anonymize Bitcoin

Well, that’s a funny name for a topic given that the last lecture basically declared that Bitcoin is only pseudonymous, and even then, reading through Freedom to Tinker posts made me think the ecosystem would bank on this fact. The amount of information that could be gleaned if all e-commerce companies used Bitcoin could be an advertiser’s dream. This lecture is once again an overview but substantially shorter than last time.

Questions answered in this Post:

  • How can all your transactions be linked together?
  • What are shared addresses?
  • What does “Idioms of use” mean?
  • How else can people be de-anonymized?
  • References to Research Papers from Lecture

Linking all transactions?

The gist of this section is that one can try to prevent someone from linking all your transactions by just generating a new address each time. It is easy to derive a new public key from your public key. However, this is not unlinkable. If, for example, bitcoins from different addresses get combined together and spent in a single transaction, someone can infer that they are controlled by the same private key. Shared spending is then evidence of joint control, since the addresses can be linked transitively.

The example given in the research paper is pretty scary. This was done in a paper by Reid and Harrigan, Analysis of Anonymity in the Bitcoin System. The paper combined two networks, the transaction network and the user network, built from Bitcoin’s public transaction history, and was able to investigate a Bitcoin theft that occurred in June 2011. Looking at the paper, it’s interesting that they are able to paint a clear story where 60 transactions involving 441.83 BTC were moved over a 70-day period, and in total it amounted to 25,000 BTC. Based on their analysis, it seems that one is unable to hide or be anonymous in Bitcoin. This is called transaction graph analysis. From the lecturer, though, there is only some level of probability in determining which address is actually mapped to a user. Thus, a second tool is also needed.

“Idioms of Use”

Idioms of use refers to particular features of how wallet software is used, such as each change address being used only once. This technique was used by Meiklejohn et al. in A Fistful of Bitcoins: Characterizing Payments Among Men with No Names. Within their paper, they used two main heuristics to do account clustering. The first was to treat different public keys used as inputs to a single transaction as being controlled by the same user. (This was what the lecturer used in the first case with the tea pot for 8 BTC.) The second was that change addresses tend to be used only once and are likely not linked to the actual user. This allowed them to collapse user clusters. Additionally, from 344 transactions to mining pools, wallet services, exchanges, vendors, and gambling sites, they were able to cluster the main providers/users of the system. From their analysis, they claim that agencies with subpoena power would be capable of determining who is paying money to whom in the Silk Road wallet and in other Bitcoin thefts. According to the lecturer, this was a tedious and sometimes manual process. One way to determine owners is that people would self-label their addresses in Bitcoin forums. Thus they were able to find the cluster of keys associated with Mt. Gox based on their account clustering.
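The shared-spending rule from the previous section and the one-time-change idiom described here are the two heuristics an analyst (or a wallet author checking how much their wallet leaks) would run over the transaction graph. Here is an added example of my own, not from the lecture or the cited papers, applying both with a union-find over a small, constructed transaction list. The transaction ids, addresses and amounts are made up; the self-change case in the last transaction shows the edge case where the change heuristic must abstain.

```python
from collections import Counter, defaultdict

# Constructed sample ledger in chain order: (txid, input addresses, [(output address, amount)]).
SAMPLE_TXS = [
    ("tx0", ["X1"], [("M1", 500)]),                      # merchant M1 becomes a known address
    ("tx1", ["X2"], [("M2", 100)]),                      # merchant M2 becomes a known address
    ("tx2", ["A1", "A2"], [("M1", 800), ("A3", 150)]),   # shared spending; A3 is a fresh change address
    ("tx3", ["A3"], [("M2", 100), ("A4", 50)]),          # A3 spends on; A4 is fresh change
    ("tx4", ["B1"], [("M1", 300), ("B2", 20)]),          # B2 is fresh change
    ("tx5", ["C1", "C2", "C3"], [("M2", 900)]),          # shared spending, no change output
    ("tx6", ["M1"], [("M3", 1000), ("M1", 100)]),        # self-change: an output reuses an input address
]


class DisjointSet:
    """Union-find over addresses; every union is a 'same owner' claim."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return a list of address clusters built from two heuristics:
    1. shared spending: all inputs of one transaction have one owner;
    2. one-time change: if exactly one output is a never-before-seen address that
       is used as an output only once, treat it as the spender's change.
    A transaction whose output repeats one of its inputs (self-change) is skipped,
    because the fresh-output rule would otherwise mislabel the other output."""
    ds = DisjointSet()
    output_uses = Counter(addr for _, _, outs in txs for addr, _ in outs)
    seen = set()
    for _, ins, outs in txs:
        out_addrs = [addr for addr, _ in outs]
        for addr in ins + out_addrs:
            ds.find(addr)                                   # register singletons too
        for addr in ins[1:]:                                # heuristic 1
            ds.union(ins[0], addr)
        self_change = any(addr in ins for addr in out_addrs)
        fresh = [a for a in out_addrs if a not in seen and output_uses[a] == 1]
        if not self_change and len(fresh) == 1:             # heuristic 2
            ds.union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(out_addrs)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def same_owner(clusters, a, b):
    """True if the heuristics place addresses a and b in one cluster."""
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    for cluster in sorted(cluster_addresses(SAMPLE_TXS), key=sorted):
        print(sorted(cluster))
```

The result links A1, A2, A3 and A4 into one entity without any of them ever appearing together as inputs of a single transaction, which is the transitive linking the text describes. A CoinJoin transaction, as the wrap-up quiz notes, breaks heuristic 1 because its inputs belong to different people, so real analyses must also whitelist known CoinJoin patterns.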

From cryptocurrency addresses to real-life identities

Now the lecturer poses another question: how to find real-world users based on their addresses. One source could be the self-identified people who just give up their address in the Bitcoin forum. Likely, if there is a single address posted in the forum, they are not using a new address for every transaction. Also, there is high centralization in service providers, meaning that every flow will likely pass through one of them. Thus, as Meiklejohn’s paper mentioned, if someone has subpoena power, they are able to request the actual real-world user identity from the service provider. However, there is a second layer of information which comes from the network. Specifically, “the first node to inform you of a transaction is probably the source of it.” There is a simpler way to make this more difficult, which is just to use Tor. Tor is designed for low-latency work like web browsing. Thus the lecturer suggests using mix nets, routing protocols that make communication pass through multiple proxies, thus breaking the link between the source of a request and the destination. Interestingly, the concept of mix networks also came from David Chaum. Tor is one application of this, which is onion routing.

References to Research Papers from Lecture

Wrap-up

Which of the following observations would suggest that addresses A and B may be controlled by the same user/entity?

  • There is a transaction as input addresses.
  • Combined Shared spending and idioms of use
  • Coin join works – violates this assumption

Bitcoin and Anonymity: Back to Basics

Bitcoin and Anonymity

I’m finally on Week 6. That’s a win! Be warned, this lecture covers several related topics and seems to jump from one to the other. Thus the notes below seem a bit more disjointed. This lecture dives into what it means to be anonymous. In addition, it brought up compelling questions on the ethics behind it. Getting into blockchain, there is a lot of talk about decentralization. For me, I look at decentralization as not necessarily requiring anonymity. People have been building reputation and identity systems which almost accomplish the opposite goal, shedding light on these anonymous addresses. Lastly, we talk about blind signatures, which demonstrate why anonymity and decentralization may be at odds with each other.

Questions answered in this Post:

  • Is Bitcoin anonymous?
  • Who is this anonymity good for? What are the improvements that have been proposed?
  • What does unlinkability mean and is it necessary?
  • Why anonymous cryptocurrencies?
  • Why don’t you want complete anonymity?
  • What are some historical references to anonymous cash?
  • What are some anonymous currencies if not Bitcoin?

Is Bitcoin anonymous?

It depends. That is the best answer to almost any question (oh so vague). Anonymous is defined as “without a name”. Bitcoin addresses are public key hashes rather than real identities, though realistically they map to some real-world entity. That is not a requirement, but at this point in time many people create a public address that they themselves use and control. Apparently this is defined as “pseudonymity”. Even with things like hierarchical deterministic wallets, all those addresses are sprung from a single entity. So now it becomes more of a question of semantics.

What does unlinkability mean and is it necessary?

Anonymity equals pseudonymity plus unlinkability. Thus, unlinkability means that different interactions of the same user with the system should not be linkable to each other. Linkable in the sense that someone could monitor all the transactions and know that a set of transactions were all done by the same user even if they used different addresses. That’s actually pretty profound and difficult. I’m just thinking that if you see a high concentration of transactions happening between two parties and not anyone else, then potentially that grouping may know each other or at least do business with each other. It may or may not be a similar algorithm to how Facebook or LinkedIn determine friend groups.

Now let’s talk about an example with online forums where people are able to create online identities. In some places, like Reddit or Telegram, people create long-term pseudonyms. With Reddit, your reputation gives you more access and power within the site. On 4chan, by contrast, posts are anonymous with no attribution at all.

Additionally, if anyone has used cryptocurrency exchanges like Coinbase, or even pure crypto exchanges like Liqui or Poloniex, users need to input address and country information into the system. Therefore, real-world identities are explicitly added to a system that could have worked with straight hash addresses.

Because of this, and the fact that unlinkability is hard across all addresses/transactions, another term is used instead: the anonymity set. An anonymity set is the crowd that one attempts to blend into. I think of it more like “study thy enemy”. This means that for the set you need to understand what the adversary knows, what they do not know, and what they cannot know. Thus, to get toward unlinkability, you’re trying to maximize the anonymity set. You also need to have a careful and thorough understanding of the technical protocol. Now the lecturer shifts gears into discussing the ethics of this approach.

Anonymous Cryptocurrencies?

Currently, blockchain-based currencies are publicly and permanently traceable. This means that the notion of privacy is worse than in traditional banking, even though privacy is one goal some people hope to achieve with blockchain and cryptocurrencies. Thus, he makes the argument that blockchain needs to do better. I ask again, “Why?”. I would have preferred for him to state the reasons more explicitly. I read another post called “Importance of Anonymous Cryptocurrencies” where he at least elaborates on the idea a second time. I took his response to mean that not all currencies have to be anonymous. In fact, the mainstream ones will likely not be, as e-commerce and advertising benefit from this deanonymization, which is in fact more transparent than credit cards and especially more so than cash. The use of the research will drive confidence in mainstream adoption of Bitcoin. My take is that people will be happy that the technology exists but may not use it. His post also made me question whether the question itself was invalid. Why ask the Bitcoin protocol about something that is more a property of the Bitcoin ecosystem? The services are the truer implementation and develop around a protocol.

Why don’t you want complete anonymity?

One obvious reason against providing complete anonymity is money laundering, and even just using the funds for something malicious. Yes, that means that this structure is tied to real-world regulatory and criminal courts. However, if humans are performing these transactions on native soil, it seems reasonable that the state those people belong to has a hand in what happens to the currency amounts.

The lecturer uses the term bottleneck. Bottlenecks are the points where large flows of money move in and out of Bitcoin. Thus, it is difficult to move money from Bitcoin to fiat currency without passing through one. I don’t think that works, since more and more people are going to just keep crypto and provide their services for crypto. Look at Olaf Carlson-Wee: he took a job where he was only paid in crypto at a time when crypto was seemingly worthless. Also, there are websites that accept crypto, but at that point you’re also inputting several pieces of personal information like address and name. It’s interesting that he brought up Tor, which is an anonymous communication network where the sender and receiver of a message are truly unlinkable. So even with all this technology there is still a need for a blanket of law enforcement and regulation above it. Hmm, it sounds like this system can’t exist separately from centralized institutions if it is to be safe for mainstream public consumption.

What are some historical references to anonymous currency (electronic cash)?

Arvind, the lecturer, brings up blind signatures, which were created by David Chaum in 1982. This serves as an example that electronic cash has been proposed in the past. Chaum can be considered the “Father of Anonymity”. Blind signatures are a two-party protocol, meaning two parties communicate with each other to create a digital signature without the signer knowing the input. I looked up two of his papers, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms and Blind Signatures for Untraceable Payments (https://taler.net/papers/chaum-blind-signatures.pdf). Arvind then walks through this protocol of blind signatures to handle anonymous e-cash.

Anonymous e-cash via blind signatures example

As with most examples, we start off with a bank, a central authority. The bank holds customers’ balances, say customer Alphonso (10) and Bartelli (5). It also possesses a table of spent coins. That’s not very interesting, so let’s add some action to this story.

Alphonso wants to withdraw an anonymous coin of size 1. The bank will reduce his balance so it now equals 9. Afterwards they’ll execute the two-party protocol. Alphonso picks a random serial number for the coin, which is sent to the bank in blinded form, and the protocol runs. The bank sends Alphonso a signature on the serial number in such a way that the bank does not actually learn the serial number. Now Alphonso has a signature on the serial number of an anonymous coin that (forgive me if this is not 100% correct) holds the information and value of the coin that Alphonso withdrew from that specific bank. The lecturer refers to this signature on a coin as an anonymous token that can be passed to others.

A little time passes. Alphonso decides he is going to give Bartelli one coin as a token of good will. Alphonso holds the one coin: he knows its serial number, which he chose before sending it to the bank, as well as the signature on the coin that the bank sent back to him. He will send the anonymous (signed) token as well as the plaintext serial number of the token. Bartelli will immediately contact the bank to deposit the money. Bartelli needs to do this immediately to ensure that Alphonso is not trying to double spend. Double spend meaning that Alphonso has tried to give the anonymous token to several other individuals, thus using the value of the token more than once and thereby creating more value than he started with. The bank will verify that the coin is not within the spent coins table. Only once the bank says the coin is valid will Bartelli continue with the transaction. The bank checks that the signature is valid as well as checking that the plaintext serial number of the token is not within the spent coins table. Once confirmed, Bartelli will deposit the coin into the bank. Since the bank did not see the serial number initially, the bank cannot tell who the sender of the coin is; it only knows the receiver. Now the balances table will increment Bartelli’s balance to six and the bank will send a response back to the user. The bank cannot link the two users.
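The whole story, including the blinding step that keeps the serial number away from the bank and the spent-coin table that catches a replay, fits in a few dozen lines of RSA arithmetic. The following is an added example of my own, not code from the lecture or from Chaum's paper: it uses Chaum's RSA blind signature with a constructed toy key (two small known primes, nowhere near a secure size) and a SHA-256 hash of the serial number reduced modulo the bank's modulus. The customer names are the page's Alphonso and Bartelli; everything else is assumed for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key for the bank. A real deployment needs a 2048-bit
# modulus and a proper full-domain hash; these primes are only for the walkthrough.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # bank's private signing exponent


def hash_to_int(serial: str) -> int:
    """Map a coin's serial number into the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


class Bank:
    """Central authority: balances, blind signing, and the spent-coins table."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.spent = set()                # serial numbers already deposited
        self.withdrawal_log = []          # everything the bank sees at withdrawal time

    def withdraw(self, customer: str, blinded: int) -> int:
        """Debit one unit and sign the *blinded* value; the bank never sees the serial."""
        if self.balances[customer] < 1:
            raise ValueError("insufficient balance")
        self.balances[customer] -= 1
        self.withdrawal_log.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, customer: str, serial: str, sig: int) -> bool:
        """Accept a coin only if the signature verifies and the serial is unspent."""
        if pow(sig, E, N) != hash_to_int(serial):
            return False                  # forged or corrupted token
        if serial in self.spent:
            return False                  # double spend: same serial presented twice
        self.spent.add(serial)
        self.balances[customer] += 1
        return True


class Customer:
    def __init__(self, name: str):
        self.name = name

    def withdraw_coin(self, bank: Bank):
        """Chaum's two-party protocol: blind, get signed, unblind."""
        serial = secrets.token_hex(16)                  # random serial, known only to the customer
        while True:
            r = secrets.randbelow(N - 2) + 2            # blinding factor, invertible mod N
            if math.gcd(r, N) == 1:
                break
        blinded = (hash_to_int(serial) * pow(r, E, N)) % N
        blind_sig = bank.withdraw(self.name, blinded)   # = (H(s) * r^e)^d = H(s)^d * r
        sig = (blind_sig * pow(r, -1, N)) % N           # strip r: a plain signature on H(s)
        return serial, sig


def run_scenario():
    """Alphonso (10) withdraws a coin, pays Bartelli (5), Bartelli deposits it,
    a replay of the same coin is refused, and a made-up token is refused."""
    bank = Bank({"Alphonso": 10, "Bartelli": 5})
    serial, sig = Customer("Alphonso").withdraw_coin(bank)      # Alphonso: 10 -> 9
    first = bank.deposit("Bartelli", serial, sig)               # Bartelli: 5 -> 6
    replay = bank.deposit("Bartelli", serial, sig)              # same serial again
    forged = bank.deposit("Bartelli", "made-up-serial", 12345)  # no bank signature
    return {
        "first_deposit": first,
        "double_spend": replay,
        "forged_coin": forged,
        "balances": dict(bank.balances),
        # The unblinded H(serial) never appeared in what the bank saw at withdrawal.
        "bank_saw_serial": hash_to_int(serial) in bank.withdrawal_log,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The `bank_saw_serial` flag is the unlinkability claim in the text made checkable: the bank signed `H(serial) * r^e`, and without `r` it cannot connect that value to the `H(serial)` it later verifies at deposit. The drawbacks the next section lists are also visible: the bank still learns who deposits, and every check runs through this one party.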

Drawbacks

One drawback is that the bank knows who is receiving the coin. The other question for me was whether it makes sense for users to just briefly touch base with the bank and then withdraw so that the balance is at zero. Basically you use the bank as just a validator but once that has been confirmed, the tokens become changed to anonymous and can be used for different payments.

The glaring drawback is that centralization is required. The bank is used for both the signing and the validation of the coin. It is possible that the banks for Alphonso and Bartelli don’t need to know their names and just their hash addresses. Even still, there is a central location doing the validation. However, as a thought, what can the bank do maliciously? The bank could just arbitrarily withdraw everyone’s funds and give them to itself. It could also just lock the capital and not allow withdrawals or deposits, thereby freezing accounts. Arvind brings up that much of the research in cryptographic protocols used a similar model where the bank was considered trustworthy.

Actual cryptocurrencies that encompass Anonymous Attributes

I’m going to just list a few that have some privacy properties. Feel free to disagree or suggest more. I also did not include Zerocash, which is in the next lecture.

  1. Monero
  2. Zcash
  3. Dash
  4. Verge

Monero and Zcash are two currencies that provide anonymity features. I’ll talk more about Zcash in the next segment given that it’s discussed in this lecture series. Monero is not, so I’ll spend some time on it.

Monero is cryptographically private and uses items called stealth addresses and ring confidential transactions. I have seen people on the internet recommend that one should use Tor with Monero. Stealth addresses mean a random one-time address is automatically created by the sender for each transaction. This means that all payments sent have unique addresses and cannot be linked to the recipient. Ring signatures add a second layer of masking by ensuring that the original sender of the coin cannot trace outputs on the blockchain. Outputs end up being masked, by some grouping and hiding mechanism, so that senders are unable to determine whether their coins have been moved by the recipient. The notion of a ring confidential transaction means that the amount being transacted is hidden, even though the network is able to verify said amount without revealing details. This mixing quality allows the sum of inputs to be checked against the sum of outputs without knowing the exact value of each individual component.

Dash and Verge are slightly different. They are not inherently cryptographically private. However, each has different characteristics built in to provide more privacy than Bitcoin. Also, note that both Dash and Verge are closer in protocol to Bitcoin than the above two.

Dash uses something called mixing, which is a method to anonymize Bitcoin-style transactions. The truly basic explanation is that if you want to make a transaction, you merge it with others into a joint payment, mixed together such that a little of your value and the other persons’ values are distributed across the outputs. Thus there isn’t an easy way to separate the inputs and outputs in one transaction. Dash has a level of trust built in for who is responsible for the mixing, depending on Public/Private send. The trust is enforced economically by having the master node lock up some Dash coins, though.

Verge offers privacy through how its traffic is routed. They claim that if one uses Tor and I2P routing, traffic will be obfuscated and the user’s IP address will be concealed. It’s strange that Verge uses this secure communication but then has a site for the “Rich List”. Personally, I have not read their Blackpaper and only have a cursory understanding of the currency and how their focus on privacy is implemented.

Reflections: Anonymity versus Decentralization

Summing up, Bitcoin allows for better decentralization than anonymity, and that’s OK. The lecturer mentions that people can improve on the anonymity given that the decentralization target has been achieved. I’m not sure I agree that the decentralization target has been achieved, given the prevalence of mining farms. It does bring up the question, “Can you be both anonymous and decentralized?”. The example given suggests that if you use a bank, or just a single centralized validator, to run these “two-party protocols”, it’s not easy to decentralize. Also, because a blockchain is public, this is one way to enforce accountability and security. It’s hard to prevent double spends then.

Unlinkability in Bitcoin could mean

  • It’s hard to link different addresses owned by the same user
  • It’s hard to link different transactions made by the same user

Mining incentives and strategies

This lecture focuses on miner incentives and strategies. When someone decides to mine, there are options a miner has as to how they actually mine. It is not simply get hardware, cheap electricity, run, and wish for good luck. Miners can be more choosy in determining which blocks they work on, which is discussed in this lecture.

Questions answered in this Post:

  • What is the miner default strategy?
  • What are some of the deviations and how can you analyze it?
  • What is a forking attack?
  • And furthermore, what is a Goldfinger attack?
  • What does forking through bribery mean?
  • What exists in the blockchain to prevent this?
  • What is a block-withholding attack?
  • What is punitive forking and how is it different from feature forking?

Default Miner Behavior

I’ll describe below some of the considerations miners make when determining their strategy. Just to be clear, the job of a miner is to listen on the network for transactions and blocks, as well as to assemble transactions into a block. A miner is unable to write and send out a valid block until they actually solve the mining puzzle, though.

First, they have to determine which transactions to include in a block. Default behavior is to include any transaction above the minimum transaction fee. The second is which block to mine on top of; usually this is the longest valid chain. The next is how to choose between colliding blocks; the miner picks the first block heard. The last is when to announce new blocks, and by default it should be immediately after finding one. From here, the lecturer jumps into different “attacks”, which in my interpretation are deviations in behavior.

One factor that is key is “alpha”, which is the percentage of mining power you control. Depending on your power, this is tied to how profitable choosing a non-default strategy may be.

Forking Attack: what is it?

This is the first of the non-default strategies. Forking has gotten more notice recently due to it causing large fluctuations in the price as well as the creation of BTCC. Additionally, within Ethereum, a fork is pending as a way to bring in new changes with Metropolis to improve scale.

The goal of a forking attack is to perform a double spend. Remember, a double spend is when a set of coins is used in more than one transaction. It does not mean new coins are created, but that you are using the same coins for two transactions and ultimately reneging on one of them. This would be considered fraudulent behavior. An example is presented in the notes. The same miner will work on an earlier block (ideally about 6 blocks earlier) and transfer that same amount that was going to “Bob” to themselves instead. The lecturer brings up the point that this attack depends on the percentage of mining power that you hold.

A miner sends some funds to a user (the victim), “Bob”. It will likely appear in the longest chain. However, the forking miner is up to something sneaky. The miner will start mining off another block, one that occurred 6 blocks earlier. The miner will create another transaction where they send the bitcoin to another address that they own. If the miner has sufficient hash power (>.5), they will continue building on this alternate chain, making the chain with Bob’s payment invalid. Thus history gets rewritten so that the payment to Bob is invalid. The lecturer brings up the point that if you had traded with Bob for something in the real world (Bob gives you a teddy bear, you give Bob bitcoin), you have now come out ahead. It also means that you keep whatever amount you had given Bob. Double win for yourself and effectively a successfully completed double spend.

Takeaways from the Forking Attack

To do this, you need to have considerable hash power, i.e. greater than .5. He mentions that it may be possible with less due to network overhead and avoiding block collisions, though I have not researched this further. He does mention that 51% is not always sufficient to execute an attack, only that the probability increases because completing an attack becomes easier. This attack is clearly detectable and could be reversed. Being reversed means that the community decides to reject the newest alternative chain even if it is the longest. That strikes me as requiring quite a bit of coordination. He mentions that this double spend could completely crash the Bitcoin exchange rate. This would be due to loss of confidence in Bitcoin if a double spend successfully went through, and thus, through lack of trust or other emotional triggers, there would be a stop to buying bitcoin for fiat, ultimately crashing the coin. Kinda doomsday to me, and really something like this could happen to traditional fiat currency as well, pulling more people to use bitcoin. The reason is that if the triggers for this collapse are linked to human emotions and fear, really nothing is safe.
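The "about 6 blocks" and "greater than .5" figures in these two sections are two points on one curve, and the defender's side of this attack is Bob choosing how many confirmations to wait for. Here is an added example of my own, not from the lecture: it implements the catch-up probability from section 11 of the Bitcoin whitepaper (an attacker holding fraction q of the hash rate, starting z blocks behind, eventually building the longer chain) and uses it to pick a confirmation count for a merchant's chosen risk tolerance. The alpha values and the 0.1% tolerance are assumed for illustration.

```python
import math


def catch_up_probability(q: float, z: int) -> float:
    """Probability that a miner with hash-rate fraction q, currently z blocks
    behind the honest chain, ever overtakes it (Nakamoto's whitepaper, section 11).
    With q >= 0.5 the attacker is expected to win eventually, so the answer is 1."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p                      # expected attacker blocks while honest miners find z
    total = 0.0
    for k in range(z + 1):               # attacker has found k blocks so far
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, tolerance: float = 0.001, max_z: int = 1000):
    """Smallest number of confirmations z at which the catch-up probability drops
    below the merchant's tolerance, or None if no such z exists (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if catch_up_probability(q, z) < tolerance:
            return z
    return None


def confirmation_table(alphas, tolerance: float = 0.001):
    """Merchant view: for each assumed attacker alpha, how long to wait."""
    return {q: confirmations_needed(q, tolerance) for q in alphas}


if __name__ == "__main__":
    # Constructed attacker strengths to illustrate the curve.
    for q in (0.10, 0.25, 0.30, 0.40, 0.50):
        print(f"alpha={q:.2f}  P(catch up from 6 behind)={catch_up_probability(q, 6):.6f}"
              f"  confirmations for <0.1% risk: {confirmations_needed(q)}")
```

Two things fall out that the prose only hints at. The classic 6 confirmations bound the risk at about 0.02% only for an attacker near 10% of the hash rate; at 30% the same tolerance needs 24 blocks, and at 40% it needs 89. And the curve never reaches zero below alpha = 0.5, which is the lecturer's point that the attack is a matter of probability, not a switch that flips at 51%.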

Goldfinger Attack

Goldfinger refers to the movie and is used to explain why someone would want to cause Bitcoin to crash and burn. In the movie, the villain wanted to devalue the Fort Knox gold so that he would have control over the supply. Thus in the case of Bitcoin, you would make a profit if you shorted Bitcoin or if you had strong holdings in an alt-currency.

Forking through bribery

Forking through bribery is fairly straightforward to understand. Instead of requiring alpha (hash power) greater than 0.5, he mentions that it may be easier just to temporarily buy someone off. I suppose you can just have some single-serve friends, meaning that this attack can be undertaken not just by billionaires. The lecturer then goes on to describe some payment methods, such as physically handing someone fiat currency, running a mining pool at a loss to attract attention and “friends”, or just leaving large tips in the blockchain. The core idea stays the same: they work for you just temporarily. These miners are not incentivized in the long run; however, perhaps individual miners may just want a temporary gain. “Tragedy of the commons” is how he described it. According to Wikipedia, in situations of shared resources, individual actors can behave contrary to, or even maliciously against, a common good due to their own self-interest. In this case, it would be short- versus long-term gain and which would be greater. If a miner truly did not care about Bitcoin or the power of blockchain and did not want to mine for a long period of time, they would be better rewarded by aligning with malicious parties.

Prevention Mechanism: Checkpointing

Each version of the Bitcoin client releases with this checkpoint mechanism. The security safeguard locks in the blockchain up to that point in history and rejects other chains. This does mean there is a central party deciding what the valid blockchain is, but at the same time it’s the central party of Bitcoin developers.

Block-withholding attack

Again, this one is self-explanatory as well. As a miner, you do not announce the block right away. Instead, you “get ahead” by finding two more in a row, and thus the next time someone announces a block, you can just announce yours and create the longest chain. At this point, it means all the work everyone else was doing is invalid/orphaned and you would be able to profit. It has the name “selfish mining”, but that’s a misnomer according to the lecturer.

In the scenario, if you’re only ahead by 1 instead of 2, then you need to immediately push your hidden block and hope that people decide to choose yours. This creates a race condition, since now there are two versions of history and only the majority will prevail. The surprising characteristic to me was that this mechanism would work if you knew that you would always, or in the majority of cases, win that race. The lecturer mentions that you need to have alpha over 25% to do this. Also, you could couple this with the other attacks, like bribery, to get ahead.

Punitive Forking

This mechanism is just vengeful. If someone wants to blacklist transactions from a specific address, a miner can just refuse to mine on any chain with a transaction from X. This strategy realistically only works if you have alpha greater than .5. However, I could see this as a strategy for future use if government regulation came into play. Governments could easily just blacklist certain addresses that they knew were doing money laundering. This would be an extremely temporary solution, since people could just keep changing addresses. If the ban was strong enough, the money could be stop-gapped in a certain account for a longer period of time.

Feather-forking

This is similar to punitive forking in that it’s directed toward a certain address; however, it is more practical. Instead of banning an address outright, you refuse to mine directly on any block with a transaction from X, but you’ll resume mining on it after n confirming blocks. If you hold an alpha greater than some amount, you may be able to get others to join the blacklist because it induces an a^2 chance of losing a block. Since you’re transparent about this ban, it’s no secret if you’re doing this feather-forking. Success depends on convincing others how likely you are to actually fork the network. Again, this could be used for regulation or extortion.

There was another case where miners can blacklist on any characteristic present in a block. The lecturer brings up one where they may try to enforce a minimum transaction fee. That’s interesting and could work. According to what I’ve read, it’s on average $7.00. This already exists in that priority has to be greater than 0.576 as of May 2015, as mentioned in the lecture.

I remember reading in Bloomberg where someone lost $70K due to gas fees in Ethereum. Clearly a miner was greatly compensated for their work.

Wrap up

In summary, I just want to say this was quite a bit of information. Miners have incentives coming from everywhere, yet most seem to follow a simple herd mentality, whether due to laziness or lack of technical skills. There are game-theoretic alternative strategies that perhaps have not been seen in the real world but would be interesting if they got out.

Mining Pools: Bitcoin style

Mining Pools

Mining Pools. Clearly from the previous lectures, it sounds expensive to be a small miner. It costs about $6,000 to purchase a rig. Expected time to find a block is 14 months and that breaks down to $1,000/month when amortized. Because this is all amortized valuation, things could go horribly wrong for you or you could get lucky and achieve more. This is where mining pools come in, in that they provide some insurance for the miner by banding together with others. Mining pools are not just in bitcoin but are in other cryptocurrencies as well, but I’ll get to that after I talk about the basics of what a mining pool is and a bit regarding the economics. This was a long lecture that covered many topics broadly and thus I hope to dive into some of the topics individually to truly learn more about them.

Questions answered in this Post:

  • Why did mining pools develop?
  • What is a mining pool?
  • What is a mining share?
  • How does a miner indicate how much work they have done and how that translates to income?
  • Describe what pay-per-share versus proportional method mean in relation to bitcoin mining.
  • Who is Luke-jr?
  • What is pool hopping?
  • Why do mining pool protocols exist?
  • General Mining pool history

What is the intuition behind forming mining pools?

As with most lectures in this series, the lecturer starts at the very beginning of the topic to answer the question. He briefly described the risks involved with mining and the large amount of uncertainty that is present. Because of this, if this was the only option to mine, mining would be a very very risky business. To further illustrate the point of mining pools, the lecturer brought up a more traditional business model.

When small businesses/farms faced high risk, they historically formed mutual insurance companies to lower the risk. This translates to sharing the risk through the group, ensuring that if one business had a bad year, they would not be at a complete loss. It does mean that some of the group members may earn a smaller share of profits to help counterbalance the lower performance of others. To me, this only makes sense if the group is diversified. Coming back to a concrete example of farmers, if this is a group of corn farmers from Illinois within 50 square miles of each other, I would guess that if one corn farmer suffered a loss due to poor weather conditions, all the other farmers would also have a poor year. However, if you had a group of corn farmers from all over the world, perhaps weather and geopolitics as well as other risks may be better distributed. From this question, when people are determining who can join what mining pool, will they ask about location/hardware/costs as a factor?

Mining Pool: What is that?

A mining pool is mutual insurance for Bitcoin miners. It is a group of miners that form a pool and all attempt to mine a block with a designated coinbase recipient who is called the pool manager. Irrespective of who finds the block, the pool manager receives all the rewards and then distributes them to all the participants based on some criteria, ideally how much work each participant actually performed. The pool manager will also take a cut for managing the pool as well as for maintaining the trust that each party places in them. They are responsible for accurately defining the payout criteria to each member. The book suggests that miners can prove their work by outputting mining shares, which I will expand upon below.

Bitcoin mining pools are collections of Bitcoin miners who have the same strategy, group up to get a block solved, and share on the same reward. The reward sharing will depend on miner’s power contribution and the method that they are exercising towards Bitcoin mining. https://www.bitcoinminer.com/pools/

Mining shares: manner of defining miner’s work

Mining shares are a way that miners can probabilistically prove how much work they are doing by outputting shares, or near-valid blocks. Near-valid means how close to the target number you got. The target is usually some number that begins with many zeros (67 zeroes). A mining share may be valid if it is a number that contains 40 to 50 zeroes.

The pool manager also runs a Bitcoin node, collects transactions, and assembles them into a block. The manager puts their own address in the coinbase and sends the block to all participants of the pool. The pool participants then work on this block and prove that they’ve been working by sending in shares. Once a valid block is found, the pool manager distributes the reward in proportion to the amount of work done. Thus, the miner who found the block only receives this proportional amount based on their work, not a bonus for being the winner.
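The “near-valid block” idea above is just a second, easier target over the same header hash. Here is an added Python example (my own, not from the lecture or the textbook) that grinds a nonce over a constructed 80-byte header until the double-SHA-256 clears a share difficulty, and then shows the pool manager’s side: recompute the hash from the submitted nonce and grade it as a full block, a share, or invalid. The difficulties (16 and 24 leading zero bits) and the header contents are demo values chosen so it runs in well under a second; the text’s roughly 67 leading zero bits would not.

```python
import hashlib
import struct

def sha256d(data):
    """Bitcoin's double SHA-256 over the 80-byte block header."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def leading_zero_bits(digest):
    """Leading zero bits of the 32-byte hash read as a big-endian integer; the more
    zeros, the smaller the number and the harder the target it clears."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def header_with_nonce(header_prefix, nonce):
    """80-byte header: 76 bytes (version, prev hash, merkle root, time, bits) + 4-byte LE nonce."""
    return header_prefix + struct.pack("<I", nonce)

def find_share(header_prefix, share_bits, max_nonce=2 ** 32):
    """What a pool member does: grind nonces until the hash clears the share difficulty.
    Returns (nonce, digest), or None if the nonce space is exhausted."""
    for nonce in range(max_nonce):
        digest = sha256d(header_with_nonce(header_prefix, nonce))
        if leading_zero_bits(digest) >= share_bits:
            return nonce, digest
    return None

def classify_share(header_prefix, nonce, share_bits, block_bits):
    """What the pool manager does with a submitted nonce: recompute the hash itself
    rather than trusting the miner's claim, then grade it."""
    zeros = leading_zero_bits(sha256d(header_with_nonce(header_prefix, nonce)))
    if zeros >= block_bits:
        return "block"
    if zeros >= share_bits:
        return "share"
    return "invalid"

def expected_shares_per_block(share_bits, block_bits):
    """Each extra leading zero bit halves the hit rate, so the pool sees about this
    many shares for every block it actually finds."""
    return 2 ** (block_bits - share_bits)

# Constructed 76-byte header prefix (not a real Bitcoin block): version 2, a zero
# previous hash, a dummy merkle root, a 2015 timestamp and the genesis-era bits field.
HEADER_PREFIX = (struct.pack("<I", 2) + b"\x00" * 32 + b"\xab" * 32
                 + struct.pack("<I", 1431000000) + struct.pack("<I", 0x1D00FFFF))
SHARE_BITS = 16   # demo share difficulty; real pools require far more
BLOCK_BITS = 24   # demo block difficulty; real blocks needed ~67 bits in 2015

if __name__ == "__main__":
    nonce, digest = find_share(HEADER_PREFIX, SHARE_BITS)
    print("share nonce", nonce, "hash", digest.hex())
    print("grade:", classify_share(HEADER_PREFIX, nonce, SHARE_BITS, BLOCK_BITS))
    print("expected shares per block:", expected_shares_per_block(SHARE_BITS, BLOCK_BITS))
```

The manager never accepts a hash value from the miner; it only accepts the nonce (plus whatever header fields the miner was allowed to vary) and recomputes the work itself, which is what makes a share a proof rather than a claim.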

Pool Manager: What criteria can they use to calculate pay?

The lecture describes two common approaches though I’m sure many more exist: pay-per-share and proportional.

Pay-per-share Method

The first is pay-per-share, where the manager pays a flat fee for every share above a certain difficulty for the block that the pool is working on. Miners send their shares to the pool manager right away and get paid without waiting for the pool to find a block. This works really well for the miner but moves all the risk to the pool manager. Because of this, pool managers charge higher fees than in other models as a reward for taking on so much risk. There is also no incentive for miners to send valid blocks to the pool manager, in that they can discard valid blocks and still keep getting paid. This means that a mining pool can keep paying out miners while the pool manager never gets a full block reward and likely runs at a complete loss.

Proportional

The second is the proportional method, in which the amount of payment depends on whether the pool actually found a valid block. Every time a valid block is found, the rewards from the block are distributed to the members in proportion to how much work each miner actually did. Thus the risk is not solely on the pool manager this time. If the pool is large, then the variance in how often the pool finds blocks is low. There is lower risk for pool managers since they only pay out when valid blocks are found, so they don’t risk overpaying people, and miners are incentivized to send all blocks to the pool manager. There is, however, more work for the pool manager to verify, calculate, and distribute rewards. From the information given, it seems like using the proportional method makes the most sense for certain periods of time if you can get miners to commit to staying with the pool for a certain time interval.

Luke-jr approach

The Luke-jr method is different because there is no management fee. Miners only get paid once they hit some minimum threshold, usually 1 BTC. Thus you don’t make as much money when you are first starting out because of this minimum threshold. One thing that’s interesting is that Luke-jr is the name of a real person. Luke Dashjr is a Bitcoin Core developer and he founded the Eligius mining pool.

Issues like Pool Hopping

Pool hopping means switching between different mining pools at different times. There is some strategy involved though. The book mentioned that a miner may try mining in a proportional pool early in the cycle because the rewards per share are relatively high and then switch to the pay-per-share pool later in the cycle when the expected rewards are lower. As a result of this pool hopping, other more complicated schemes exist ie “pay per last N shares submitted”.
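The pay-per-share and proportional descriptions above, together with the pool-hopping problem, are easiest to see by simulating a pool. Here is an added Python example (mine, not from the lecture or the textbook): a loyal miner and a hopper with equal hash power mine in the same pool, the hopper leaving for a fair pay-per-share pool once the current round has accumulated 43.5% of the expected shares per block. Run with a proportional payout the hopper earns noticeably more per share than the loyal miner; run with “pay per last N shares” (PPLNS, N equal to the expected shares per block) the advantage disappears, because every share is paid only for blocks found within the next N shares, whoever produced them and whenever. The 43.5% cut-off, the 25 BTC reward, the 100 shares per block and the hash-power split are all constructed demo parameters.

```python
import random
from collections import Counter, deque

BLOCK_REWARD = 25.0   # BTC per block in the 2015-era lecture (constructed constant)

def simulate_pool(scheme, blocks=2000, shares_per_block=100, hop_fraction=0.435,
                  others_units=8, seed=7):
    """Simulate a pool paying by 'proportional' or 'pplns' until `blocks` blocks are found.

    Three participants: a loyal miner (1 hash unit), a pool hopper (1 unit) and the rest
    of the pool (others_units units). Each unit finds a share with probability 0.1 per
    tick and each share is a full block with probability 1/shares_per_block. The hopper
    stays only while the current round holds fewer than hop_fraction * shares_per_block
    shares; otherwise it mines elsewhere for a fair pay-per-share rate of
    BLOCK_REWARD / shares_per_block. PPLNS pays the last shares_per_block shares.
    Returns (loyal_per_share, hopper_per_share): average earnings per share produced.
    """
    rng = random.Random(seed)
    fair_rate = BLOCK_REWARD / shares_per_block
    window = deque(maxlen=shares_per_block)   # PPLNS window, carried across rounds
    round_shares = []                         # owners of shares in the current round
    earned = Counter()
    produced = Counter()
    found = 0
    while found < blocks:
        hopper_in = len(round_shares) < hop_fraction * shares_per_block
        units = ["loyal"] + ["other"] * others_units + (["hopper"] if hopper_in else [])
        if not hopper_in and rng.random() < 0.1:
            produced["hopper"] += 1           # share sold elsewhere at the fair PPS rate
            earned["hopper"] += fair_rate
        for owner in units:
            if rng.random() >= 0.1:
                continue
            produced[owner] += 1
            round_shares.append(owner)
            window.append(owner)
            if rng.random() < 1.0 / shares_per_block:
                found += 1
                if scheme == "proportional":
                    counts = Counter(round_shares)
                    for who in ("loyal", "hopper"):
                        earned[who] += BLOCK_REWARD * counts[who] / len(round_shares)
                elif scheme == "pplns":
                    for who in window:
                        earned[who] += BLOCK_REWARD / shares_per_block
                else:
                    raise ValueError("unknown scheme: %s" % scheme)
                round_shares = []
                break                         # a new round starts on the next tick
    return earned["loyal"] / produced["loyal"], earned["hopper"] / produced["hopper"]

if __name__ == "__main__":
    for scheme in ("proportional", "pplns"):
        loyal, hopper = simulate_pool(scheme)
        print("%-12s loyal %.3f BTC/share, hopper %.3f BTC/share (fair %.3f)"
              % (scheme, loyal, hopper, BLOCK_REWARD / 100))
```

Under proportional payout an early share in a round is worth more than a late one because short rounds split the reward among fewer shares, so hopping in at the start and out later skims value from the miners who stay; the gap is paid for by the loyal miner, whose per-share income drops below the fair rate. PPLNS removes the timing signal rather than policing hoppers, which is the kind of fix that survives adversarial participants.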

Mining Pool Protocols

Mining pool protocols are the mechanism that pool managers use to communicate with their members. There needs to be communication between the pool and the miners because pools need to provide work to the miners, collect their results, and ensure the mining is efficient. The lecture mentions three mining protocols: getblockshare, getwork, and stratum. The simple getwork mining protocol just issued block headers for miners to solve. Thus, miners knew little about what was in the block and the pool operator was responsible for deciding which transactions were accepted. I think getblockshare is an error and that the lecturer meant getblocktemplate. With getblocktemplate, block creation moves to the miner, though the pools would set up the rules. While this still leaves a loophole for fraudulent behavior from pools, the security is more decentralized in this fashion. Stratum is more of an open-source client-server “overlay” protocol and is used by Electrum. Stratum replaced getwork in 2012. According to slushpool, Stratum resolves some earlier issues with getwork. Because it’s more of a line-based protocol using a TCP client with JSON-RPC, people don’t need to rely on HTTP overhead. The lecturer did not touch too heavily beyond this but I will definitely be looking more into this topic.
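Since Stratum is “line-based JSON-RPC over TCP”, the part a pool or miner implementation has to get right is the framing: TCP delivers a byte stream, not messages, so one read may hold half a message or several. Here is an added Python example (my own, not from the lecture or any pool’s code) of a newline-delimited framer with a length cap, plus a labeller for the Stratum v1 `mining.notify` and `mining.submit` positional parameters as documented for that protocol. The session it parses is constructed: the job id, hex fields and worker name are dummies, and the job message is deliberately split across two chunks.

```python
import json

class StratumLineReader:
    """Reassemble newline-delimited JSON-RPC messages from raw TCP reads.

    Bytes are buffered until a newline arrives. A line longer than max_line bytes is
    rejected so that a peer which never sends a newline cannot grow the buffer forever.
    """
    def __init__(self, max_line=8192):
        self.buf = b""
        self.max_line = max_line

    def feed(self, data):
        """Append a chunk and return every message it completes, in order."""
        self.buf += data
        messages = []
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if len(line) > self.max_line:
                raise ValueError("stratum line exceeds %d bytes" % self.max_line)
            if line.strip():
                messages.append(json.loads(line))
        if len(self.buf) > self.max_line:
            raise ValueError("unterminated stratum line exceeds %d bytes" % self.max_line)
        return messages

# Positional params of the two Stratum v1 methods that carry work and results.
NOTIFY_FIELDS = ["job_id", "prevhash", "coinb1", "coinb2", "merkle_branch",
                 "version", "nbits", "ntime", "clean_jobs"]
SUBMIT_FIELDS = ["worker_name", "job_id", "extranonce2", "ntime", "nonce"]

def parse_message(msg):
    """Turn a raw JSON-RPC object into a labelled dict. A params list of the wrong
    length is flagged instead of being zipped into the wrong field names."""
    method = msg.get("method")
    params = msg.get("params", [])
    if method == "mining.notify":
        if len(params) != len(NOTIFY_FIELDS):
            return {"type": "malformed", "method": method}
        return {"type": "notify", **dict(zip(NOTIFY_FIELDS, params))}
    if method == "mining.submit":
        if len(params) != len(SUBMIT_FIELDS):
            return {"type": "malformed", "method": method}
        return {"type": "submit", **dict(zip(SUBMIT_FIELDS, params))}
    if method is not None:
        return {"type": "request", "method": method, "id": msg.get("id"), "params": params}
    return {"type": "response", "id": msg.get("id"),
            "result": msg.get("result"), "error": msg.get("error")}

def parse_session(chunks):
    """Feed TCP chunks through the framer and label each completed message."""
    reader = StratumLineReader()
    out = []
    for chunk in chunks:
        out.extend(parse_message(m) for m in reader.feed(chunk))
    return out

def rejects_oversize(limit, length):
    """True if a newline-free burst of `length` bytes trips a reader with max_line=limit."""
    try:
        StratumLineReader(max_line=limit).feed(b"x" * length)
    except ValueError:
        return True
    return False

# Constructed session (dummy hex values): subscribe, its reply, a job and a submitted
# share, delivered as two TCP chunks with the job message split across them.
_NOTIFY_START = (b'{"id": null, "method": "mining.notify", "params": ["bf", "'
                 + b"00" * 32 + b'", "01000000", "ffffffff", [], ')
_NOTIFY_END = b'"00000002", "1d00ffff", "5550a000", true]}\n'
SAMPLE_CHUNKS = [
    b'{"id": 1, "method": "mining.subscribe", "params": ["demo-miner/0.1"]}\n'
    b'{"id": 1, "result": [[["mining.notify", "sub1"]], "08000002", 4], "error": null}\n'
    + _NOTIFY_START,
    _NOTIFY_END
    + b'{"id": 4, "method": "mining.submit", "params": ["worker1", "bf", "00000000", "5550a000", "00000001"]}\n',
]

if __name__ == "__main__":
    for m in parse_session(SAMPLE_CHUNKS):
        print(m["type"], m.get("method", ""), m.get("job_id", ""))
```

The length cap and the strict parameter-count check are the two places where a careless implementation on either side becomes a resource-exhaustion or confused-field bug; the protocol’s simplicity relative to HTTP is exactly why these checks end up being the implementer’s job.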

People have wanted to standardize these mining protocols because they are important to the Bitcoin ecosystem. Certain hardware systems support specific protocols, which lowers the barrier to entry for miners in terms of knowing how to set up a mining protocol.

Historical Context regarding Mining Pools

Mining pools first started in 2010 during the GPU era of bitcoin mining. Slushpool claims to be the first bitcoin mining pool, starting in December 2010. Also, by 2014, 90% of mining was pool-based. There are monopolies among Bitcoin mining pools, which played a role in the SegWit issue.

Wrap-Up

Overall, the lecturer wraps up with the pros and cons. The positive, as noted at the beginning of this article, is that pools reduce risk and make income more predictable, allowing smaller miners to participate. Also, more miners end up using updated validation software since the pool managers are responsible for this. The negatives are that mining pools encourage centralization as well as discourage miners from running full nodes.
