Mixers and ring signatures
Part 2 of a series on “Privacy on the Blockchain”
In the second part of this series, I’ll focus on financial privacy, including “mixers” and ring signatures. Each of these topics could warrant their own full post, so I’ll stick to the high-level capabilities of each rather than diving too deep.
If you’re looking for privacy in cryptocurrency today, there are a few practical options, including mixing services, often called “mixers” or “tumblers”, and privacy-centric cryptocurrencies, like Monero and Zcash. Let’s discuss mixers and Monero, and save Zcash for a more detailed post on zero-knowledge proofs.
Mixers
The basic idea behind a mixing service is nearly as old as finance itself.
A group of people want to keep their financial transactions private from some observer. To do that, they combine their funds into one pool, keeping track of who is owed what on a private ledger. Think “a second set of books”. When those mixed funds are spent, the origin of a each payment is obscured — observers see the amount paid and the recipient, but don’t know which person or persons in the group authorized the payment.
Now, there are clearly some issues with a scheme like this. Who keeps the ledger? Who can be trusted with the pooled funds?
Let’s take a closer look at how Bitcoin users have dealt with these issues.
Centralized services
BitMixer was a popular mixing service. Launched in 2014, it was a fairly literal implementation of the above scheme.
Users would deposit funds directly with the service. BitMixer then broke deposits into smaller pieces, mixing them with other users’ funds, as well as BitMixer’s own reserves. Users could then withdraw “new” outputs, unconnected on the blockchain to their original deposits. In the middle, of course, BitMixer took a significant fee.
So, who held the funds, and who kept the ledger? Both were controlled by the same centralized party — a disaster waiting to happen. Exit scams are common in Bitcoin, with a rich history of exchanges and other service operators walking away with customer deposits. Even if an operator is honest, trusting a centralized party with your financial privacy means trusting them to defend your privacy from governments, hackers, and internal threats.
Refreshingly, the owner of BitMixer opted for an orderly shutdown — no hacks or funny business. In a post on BitcoinTalk, he (she? they?) explained that he was shutting down the service because he no longer believed privacy on the Bitcoin blockchain was an achievable goal. Coming from someone who ran a mixing service for 3 years, that’s a pretty strange change of opinion. As you’ll see, though, strong privacy on the Bitcoin blockchain is more difficult than it appears.
CoinJoin
A decentralized approach to mixing, called CoinJoin, was proposed by Gregory Maxwell in 2013.
Here’s the idea. When user A needs to make a transaction to user B for 10 BTC, and user C needs to send user D 10 BTC, they can combine their transactions with one merged signature. Each user can publish a piece of the transaction, but neither can be spent until both pieces are put together. When they are, both B and D are paid 10 BTC each, though it’s not clear which sender paid which.
Using CoinJoin, there’s no longer a need for a third party to hold pooled funds. And because mixing happens each transaction, there’s no need for a private ledger — just a service to match users who want to create joint transactions.
Enter JoinMarket, a decentralized Bitcoin mixing service using CoinJoin. JoinMarket keeps an order book, similar to an exchange. “Makers” — market participants who add liquidity to the exchange — offer to act as CoinJoin participants for a fee. “Takers”, looking to mix their coins, are paired with makers, who swap bitcoins.
JoinMarket is a huge improvement over centralized mixers, but there are a number of issues with the approach in practice.
De-anonymization
The MIT Technology Review recently summarized an effort by researchers at Princeton to de-anonymize Bitcoin transactions online.
They found that if a user employs 3 rounds of CoinJoin, mixing their wallet, and makes two payments to popular merchants online, the user can still be de-anonymized with “98% accuracy”.
Modern surveillance
How did this happen?
Since the advent of the web, the lack of a sustainable revenue model has made profiting off content creation difficult. Content creators need a way to fund their work. And while there have been attempts to provide alternative sources of revenue, the tried and true revenue model is third-party advertising.
Because so many sites are powered by ads, an incredible amount of technical talent has been devoted to improving so-called “ad-tech” — better ad delivery, tracking, and customization. Each step has been reasonable, but in the pursuit of better advertising, the modern web has been turned into an effective global surveillance apparatus.
So how did the team from Princeton get these results? Easily. The team applied an existing blockchain analysis technique to identify CoinJoin transactions, and another, which they call a cluster intersection attack, to combine leaked payment details from ad trackers with blockchain information, unraveling the trail of mixed funds.
In the face of cookies and trackers, privacy from mixing falls apart.
Does privacy have a chance?
I’m an optimist. Privacy advocates are working at a disadvantage — both technologically, against the ad-powered web, and increasingly socially, as the public becomes accustomed to the new normal of social media.
There are a few things we can learn from this de-anonymization effort.
First, users who weren’t mixing coins were immediately exposed. A 2% chance at privacy is better than nothing, and as they say in the lotto, “you have to play to win”. Few real-world users are aware of the risks of de-anonymization, and have taken steps to mitigate the threat. Mixers as a solution are poor because they don’t work by default.
Second, the reason this effort was possible is because so few people are involved in a mixer’s pool. If three people are involved in a CoinJoin transaction, a particular output must have originated from one of those three. Those are good odds for a blockchain analyst.
Finally, the fact that CoinJoin transactions can be easily spotted on the blockchain is worrisome. If no one uses CoinJoin but those going out of their way to attain a higher degree of privacy, they’re a great target for hackers and blockchain analysts alike.
Hiding in a crowd
Between mid-2015 and mid-2017, there were 164 million transactions on the Bitcoin blockchain. Of those, 78,697 transactions used CoinJoin.
If you only take away one idea from this post, remember this — privacy works best when everyone is doing it.
The obvious reason is that an ideal private transaction doesn’t “look private”. Announcing your desire for privacy, ironically, often draws attention. The best way to ensure that no transactions receive extra attention is to make sure all transactions are private — a sort of inverse privacy herd immunity. The more private transactions, the less out-of-place a new private transaction appears.
There’s another reason privacy advocates want privacy by default.
Anonymity sets
In our discussion of mixing, we talked about two weaknesses to the common mixing scheme. Who can be trusted with pooled funds, and who keeps the private ledger orchestrating the scheme. CoinJoin and other decentralized mixing methods solve the first question, and services like JoinMarket aim to address the second.
Unfortunately, there’s another variable neither of these address — the size of the pool. If a pool of funds is composed of 2 depositors, very little privacy is afforded.
The “pool” is sometimes called the the privacy set, traceability set, or anonymity set. This is an important idea that will come up again and again in our discussion of privacy, and it’s a major flaw in many opt-in privacy schemes, including those built atop the Bitcoin network.
Too small an anonymity set, and transactions can be easily unmasked using statistical analysis.
Privacy by default
To solve these issues, we need a cryptocurrency that’s private by default. Every transaction should be private, and the anonymity set of each transaction should be as large as is feasible — ideally, the set would include every user of the currency.
Monero is one such candidate cryptocurrency. Unlike many altcoins, Monero isn’t a fork of Bitcoin. Instead, Monero is based on an alternative heritage, CryptoNote.
There are a number of privacy improvements in Monero over Bitcoin and other cryptocurrencies, but we’ll focus on the most notable — an alternative signature scheme.
Ring signatures
For the longest time, whenever I heard a discussion about signature schemes, my eyes would gloss over. They’re presented as a dry topic, and schemes are often introduced mathematically, burying the lede.
As one of the building blocks of today’s cryptocurrencies, signature schemes are incredibly important to discussions around privacy and security. They don’t need to be boring, and as a user, you don’t need to understand the math. Instead, we can focus on what a particular scheme claims to do, how it’s different from others, and the functionality it can support.
Monero’s privacy stems from ring signatures, which are used to sign all transactions. Ring signatures are a type of group signature, and a cousin of threshold signatures, which we’ll discuss later in the series.
Typically, a cryptographic signature proves the authenticity and integrity of a document from a single signer. This follows our intuitive understanding of signatures — in the same way you might sign a check, uniquely identifying that you approve an expenditure.
Group signatures work a bit differently. Instead of showing that a document was “approved” by a single signer, a group signature proves that one signer of a fixed group approved a document. Importantly, the scheme doesn’t expose which member of the group signed.
This should sound similar to CoinJoin. Instead of requiring multiple participants to sign pieces of a transaction, which can then be merged, ring signatures allow anyone in a fixed group to sign a transaction. Both offer plausible deniability — which participant signed the transaction?
The number of participants in a ring signature group is called the ring size. Similar to the number of participants in a CoinJoin transaction, the ring size determines the anonymity set for a signature. A small ring size means easier de-anonymization, as the team from Princeton leveraged against CoinJoin.
So, is Monero the ideal private cryptocurrency? It’s certainly close. There are still a few issues the community is working though.
- Users often choose a small ring size, weakening the anonymity guarantees of the network. A planned hard fork will address this issue in September, enforcing a minimum ring size.
- Ring signatures obscure the linkage between sender and recipient, but they don’t obscure the amount sent. RingCT, based on Gregory Maxwell’s Confidential Transactions, was launched on Monero in January. Confidential Transactions obscure the amount of a transaction, replacing it with a bound range. Over 95% of Monero transactions are now protected by RingCT, which will become mandatory for all Monero transactions in September.
While Monero enforces privacy by default and is a huge improvement over using a mixing service in Bitcoin, transactions still suffer from a bound anonymity set. In the next post, we’ll discuss Zcash, a new cryptocurrency that addresses this issue, as well as zero-knowledge proofs for non-financial uses.
Thanks to Laura Wallendal, Corbin Pon, Bedeho Mender, and Brayton Williams for reviewing early drafts of this story.
Learn More
For more information about the Keep Network:
- Join us on Reddit.
- Check out our whitepaper.
- Read our business primer.
- Subscribe for email updates.
- Follow us on Twitter.
- Join our Slack.
- Join our Telegram.
