Is it possible to have anonymous transactions on the public blockchain?
Many of today’s cryptocurrencies, including Bitcoin and Ethereum, are said to provide anonymity. But what exactly does it mean and, more importantly, is that true?
Privacy is not binary. It rather falls along a spectrum: from fully public to completely private. It’s hard to talk about hiding all data in a public, transparent blockchain, but can we hide just a part of the transaction, i.e. its author? That’s what I will discuss in this article. I will cover some of the possible techniques for achieving a reasonable level of anonymity using widely-known cryptocurrencies.
Anonymity vs. privacy
To deeply understand the problem we’re about to face in this article, we need to define those two – in fact very different – concepts.
Anonymity “describes situations where the acting person’s name is unknown”. There is nothing about hiding the act itself.
Privacy – on the other hand – is defined as “the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively”
To make it clear, we can quite accurately state that anonymity is about hiding the “who”, while privacy is about hiding the “what”. In the context of blockchains, anonymity means the ability for parties to exchange data without disclosing any off-chain identity information or other transactions they have done. A simple example could be Bitcoin, which is partially anonymous (each address is nothing more than public key hash looking random), but not private at all (we know all transactions made from/to that address).
View of some address.
So, how is Bitcoin “partially anonymous”?
People like to think that Bitcoin makes their transactions anonymous. In fact, when making a BTC transaction, all its details, including source address, are permanently stored in the public ledger, which means anyone can see the balance and transaction history of any Bitcoin address. Such data remains anonymous as long as the author’s address cannot be linked with his physical identity. However, this can be difficult to achieve. The link happens, for example, when you sign up for an exchange that implements a KYC mechanism (most of them are enforced by law to do so). Or when you publish your address on your blog to get donations.
It’s true that you can generate a new address and use it to make an “anonymous” payment. Bitcoin’s original whitepaper recommends using a new address for each transaction. Doing so helps avoid transactions being linked to a common owner but also generates another set of problems. First, you have to top up the address you want to make a payment from. How? If you send funds from another one of your addresses, tracking this and eventually uncovering your identity will be trivially simple. It’s all about reading blockchain history (transaction graph analysis, taint analysis, tracking payments, web-spidering, and many other mechanisms) and looking over network traffic. Almost anyone with enough time and dedication can trace those pieces of information and connect them (see this video to better understand the process behind it). Moreover, since the Bitcoin network is an ordinary P2P, it exposes its users to a whole range of network-level attacks. Everybody who is between the user and the Bitcoin network (e.g. ISP) can reveal his IP address easily. As you know, an authority can demand access to this information. One of the US DEA representatives even admitted that they “actually want” criminals to keep using Bitcoin because it gives them “a lot of tools to be able to identify people”. The fact is, without using any of the techniques I’m about to present, Bitcoin is much less anonymous than the traditional banking system.
“The way information leaks during ordinary purchases makes it straightforward to link individuals with the Bitcoin transactions they make, even when purchasers use additional privacy protections.” ~ Steven Goldfeder, Princeton University.
Although many improvements can be expected in the future to improve privacy, currently Bitcoin doesn’t provide any better protocol level anonymous mechanisms and that’s how most of the well-known cryptocurrencies work. This system (often called “pseudonymity”) is like writing under a pseudonym. If a pseudonym is ever linked to the user behind it, the protection is gone. To be absolutely clear – that means deanonymization of all content the user ever posted under this pseudonym. As the blockchain is permanent, it’s obvious that something not traceable currently may become trivial to trace in the future. Learn more here.
Anonymity – what can we do better with Bitcoin?
Mixing services & decentralized mixing
There are a few things you can do to get the most out of Bitcoin. First of all, there are centralized mixing services that offer to effectively mix your tokens with the tokens of others. Mixers, also called tumblers, works by receiving and sending back the same amount of coins using independent Bitcoin addresses, thus breaking traceability and obscuring any links between participating users. And that’s basically all it does. It makes the trail hard to follow on the blockchain, but it’s nothing more than security through obscurity. Or you can call it virtual money laundering if you want.
Simplified flow of mixing mechanism – each of A, B, C, D participants creates a transaction to the centralized Mixing Service. The service receives the funds and sends them back in a new transaction to addresses A’, B’, C’, D’ specified by the participants. From the blockchain observer point of view, a new address A’ appears with one received transaction from Mixing Service, but it’s hard to say who initiated and paid for it.
Also, there is a project called CoinJoin. It simply works by combining transaction inputs from multiple spenders into a single transaction. This may sound similar to mixers – the idea behind those is the same – make the connection between the input and the payee obfuscated. However, CoinJoin technique is much more sublime. It’s decentralized and requires no trust due to the use of multisignature between participants instead of some centralized party.
Simplified flow of decentralized mixing – group of A, B, C, D participants creates a multisig transaction to send funds to the new addresses A’, B’, C’, D’. This type of transaction requires each participant to sign it using their own private key. There is no risk of theft at any point. From the blockchain observer point of view, a new address A’ has received one transaction, but there is no way of knowing who of A, B, C, D created this specific output. Using only the blockchain analysis method, one can just find all the signers, but not the A -> A’ mapping.
Stealth addresses – “invisible” recipient
CoinJoin mechanism is used in some of the privacy-focused wallets (like Wasabi or Samourai) alongside with stealth addresses (also called ECDH address). These are one-time addresses generated by the sender for every transaction using the Elliptic-curve Diffie–Hellman (ECDH) protocol so that different payments made to the same receiver are unlinkable. It works as described below:
- The receiver has an ECDH key pair (b, B) (where b = private key, B = b * G = public key, G = EC base point)
- The sender generates one-time key pair (r, R) and transmits its public part R to the receiver (most often in a single transaction)
- The receiver computes a shared secret: c = b * R = b * r * G
- The sender computes a shared secret: c = r * B = r * b * G
- The one-time address for this payment is: c * G + B
- The receiver can use the corresponding private key: c + b, to spend funds from this address
To those of you who are new to EC cryptography: one could not simply compute private key r having R = r * G and knowing only R and G. The problem is known as discrete logarithm and it’s believed to be “hard”, meaning there is no known polynomial-time algorithm to solve it (in a classic cryptography the problem is: knowing a, b and prime p, find k such that b = a^k mod p). However, this implementation, known as Improved Stealth Address Protocol (ISAP) has a serious security flaw – it requires a transaction receiver to actively monitor newly generated address using his private spending key. Such a continuous usage of the key significantly increases the risk of it being recreated by an attacker. To eliminate this overuse, Dual-Key Stealth Address Protocol (DKSAP) was introduced. One key is used to spend the money and the other one is for generating and scanning a one-time address. This technique has been adopted by Monero, TokenPay and already mentioned Samourai Wallet, just to name a few.
Yet another idea is to use network-level anonymizers, like Tor (or I2P, Bitmessage, Freenet). That’s the thing others might recommend to you, but it produces yet another set of problems. Some of them are:
- Tor breaks in-built Bitcoin anti-DDos protection.
- Tor exit node can delay or drop transactions/blocks making double-spend possible.
- Tor introduces a chain of trust among its nodes, while Bitcoin is all about trustlessness.
- Tor network isn’t that secure. That should probably be discussed in a separate article, but it’s enough to mention obsolete algorithms used (RSA-1024, SHA1) and the relatively small number of active exit nodes.
Take a look at this great analysis of Bitcoin over Tor. All of this makes me hard to recommend this solution.
Buy it off a street corner
So, probably the best way to achieve anonymity in Bitcoin is: buy it off a street corner. Find anyone who can sell you BTC, meet him face-to-face, make a deal and pay him in good old cash. That’s simple.
There is a marketplace called localbitcoins.com that operates as an escrow service. It first holds the Bitcoin until the cash payment is done so both sides of the transaction are protected. The other places where you can find sellers nearby are facebook.com, meetup.com and similar. Of course, if you want to strengthen your privacy even further, you can use a VPN (or TOR) to search for a seller.
You may also consider Bitcoin ATMs, especially those that allow you to pay with cash. If they are actually available in your area, they can be really useful. After all, mix your fresh tokens using one of BTC launders. You are pretty hard to follow now.
Anonymity = pseudonymity + unlinkability
Now we’re one step away from understanding what true anonymity in the context of blockchain is. So, what is unlinkability? As a user interacts with the cryptocurrency network, different interactions should not be linkable to each other. That might mean the inability to:
- link different addresses of the same user
- link different transactions of the same user
- link sender of a transaction to its recipient
Are you thinking about mixers again? Their purpose is the same, but they guarantee nothing since they can’t vaporize data from the blockchain. Comparing to pseudonymity, the anonymity it’s like writing under no pseudonym so there is absolutely no way to your identity information to be leaked. That’s what some cryptocurrencies offer as one of the core features at the protocol level.
“Your keys, your bitcoin. Not your keys? Not your bitcoin.”~ Andreas M. Antonopoulos
Privacy coins and beyond
Several other concepts can be implemented to specifically address anonymity in the cryptocurrency industry. Dash uses PrivateSend (which is somehow similar to CoinJoin), ZCash implements zero-knowledge-proof. There are Ring Signatures in Monero and MimbleWimble algorithms in Beam. All of this (and even more!) will be covered in the second part of this article.