Better Privacy in Bitcoin with ZeroLink

Matthew Haywood
5 min read · Dec 18, 2017


Updated 2020-09-28

Note: HiddenWallet went on to become Wasabi Wallet.

The Problem

Every Bitcoin transaction is stored on a public ledger, called the Bitcoin blockchain. The Bitcoin blockchain records every transaction ever made on the network. In isolation, the use of public addresses provides a decent amount of anonymity, but the existence of exchanges that enable USD, GBP, EUR, etc. to be swapped for Bitcoin introduces ties to real-world identities. With KYC and AML compliance in place, the start and end point of every ‘government currency to Bitcoin’ and ‘Bitcoin to government currency’ exchange can be linked to the identity of real people with real bank accounts. Working outwards from those points, it is not difficult to trace transactions through the blockchain, make associations between transacting parties, and infer why they transacted.

…the identity of the owner cannot be associated with their Bitcoin address until personal information is revealed by the owner during an exchange — bitcoin.org

There are plenty of profitable companies that exist solely to track and infer ownership of Bitcoin by analysing the blockchain. These companies sell their services to exchanges, which may already hold your personal information, along with the addresses used to deposit and withdraw Bitcoin.

If this thought makes you feel uncomfortable, you may be interested in keeping your transaction history a little more private.

But if I am doing nothing wrong, why should I care?

You might think, “Why should I be worried if people are tracking the blockchain if I am doing nothing illegal?” If so, would you also be comfortable saying “Why should I be worried if someone I don’t know can read all my emails if I am doing nothing illegal?” I doubt that the majority of Bitcoin holders are using it to engage in illegal activities, but I am confident that the majority would also not want it to be publicly known how much they own, or who they have sent and received Bitcoin from, just as they would not want the whole world to have access to their email inbox.

A few months before writing this, I began helping nopara73 with the development of ZeroLink — a Bitcoin privacy and fungibility framework. I saw Adam announce ZeroLink when I attended Breaking Bitcoin in Paris earlier that year. The thing that most interested me was the use of something called Chaumian CoinJoin — ZeroLink’s chosen mixing technique.

Mixing is a way for users to “obscure the ties between their Bitcoin addresses and real-world identities”, allowing people to use Bitcoin more privately.

Chaumian CoinJoin is a mixing technique that prevents even the coordinator of the mix from knowing who ended up being sent which coins.

How ZeroLink works

ZeroLink’s Chaumian CoinJoin mixer allows people to join a mixing round by sending an amount of Bitcoin into the mix and receiving a set amount out of the mix. All participants receive the same amount, so it is much harder for anyone to determine which input became which output. Furthermore, spending ‘mixed’ outputs requires that the user follows certain rules, or else they leak associations and undo the privacy gains they just achieved.

Because of that, the ZeroLink framework also specifies that any ‘post-mix’ wallet should do all it can to warn the user that joining the resulting output of a mix with non-mixed (or even other post-mix) outputs may reduce the anonymity of the mix itself. This has all been detailed by Adam in the presentation he did at Breaking Bitcoin and I won't repeat it all here.
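The post-mix rule above, written as the check a wallet would run before letting a set of coins be spent together. This is an added example, not HiddenWallet or Wasabi code; the Coin fields and the warning wording are assumptions, and the coin values are constructed.

```python
# Post-mix coin-control rule from the paragraph above, added as an example; it is not
# HiddenWallet or Wasabi code. Coin fields and warning wording are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    txid: str       # constructed identifier, not a real transaction id
    value: int      # satoshis
    mixed: bool     # True for an equal-value output of a CoinJoin round


def post_mix_spend_warnings(inputs):
    """Warnings a post-mix wallet should show before letting `inputs` be spent in one
    transaction. An empty list means the spend does not undo the mix."""
    mixed = [c for c in inputs if c.mixed]
    unmixed = [c for c in inputs if not c.mixed]
    warnings = []
    if mixed and unmixed:
        warnings.append(
            f"{len(mixed)} mixed output(s) joined with {len(unmixed)} non-mixed input(s): "
            "spending them together links the mixed coins to your unmixed history")
    if len(mixed) > 1:
        warnings.append(
            f"{len(mixed)} mixed outputs spent together: an observer learns they share an "
            "owner, shrinking the anonymity set of that round")
    return warnings


if __name__ == "__main__":
    # Constructed coins: two equal-value mixed outputs and one old unmixed coin.
    mixed_a = Coin("mix_tx:0", 100_000_000, True)
    mixed_b = Coin("mix_tx:1", 100_000_000, True)
    old = Coin("old_tx:3", 250_000, False)
    for warning in post_mix_spend_warnings([mixed_a, mixed_b, old]):
        print("WARNING:", warning)
```

A spend that uses a single mixed output on its own produces no warning; every other combination involving mixed coins does, which matches the framework's position that the wallet, not the user, should catch these mistakes.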

Instead I will try to explain how ZeroLink’s mixing technique aims to remove all knowledge of ‘who got what’, and how it prevents even the coordinator of the mix from learning this information.

ZeroLink’s Mixing Technique (Chaumian CoinJoin)

This is how it works…

The coordinator of the mix decides upon an anonymity set for the next mix. We’ll assume 100 participants for the purpose of this explanation.

Participants register for the next mix by sending an input address and a cryptographically hidden or ‘blinded’ output address to the mixer.

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature.

‘Blind signature’

The mix coordinator then signs the message, including the blinded output, to say that although it does not know the address that has been blinded, it did indeed receive it from a valid mix participant. The signed and blinded output is returned to the participant, who will later un-blind it, switch Tor circuits, and submit it back to the mix coordinator. The process of un-blinding does not remove the mix coordinator’s signature, but it does change the blinded output signed by the mix coordinator into an unblinded one. This way, the mix coordinator is able to verify that the output is one that it previously signed, although it will not know who originally submitted it for signing. Magic!

Once the mix coordinator receives all the unblinded, signed outputs and the anonymity target is reached, the mix coordinator constructs a transaction using the input addresses submitted and the 100 output addresses (in this example) that it received from all mix participants. It is worth reiterating that it is impossible for the mix coordinator to know which output was submitted by which participant. Each participant receives the transaction, checks that their submitted output is one of the outputs in the list of all outputs, signs the transaction and waits for all parties to complete the process.

Once a fully signed transaction has been received and verified by the mix coordinator it is broadcast to the network. All participants are updated to let them know that the mix transaction has been broadcast. When the transaction has been accepted into a block the participants will see that there are 100 outputs of identical amount, plus perhaps some change outputs that are not classed as mixed. Nobody has a way of linking any of the provided inputs to any of those outputs.

It is worth noting that all important data sent from the client goes over Tor — the circuit being used is switched between the different stages of submission to prevent network snooping from identifying any link between input submission and output submission.
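The round described above, carried through end to end, as an added example that is not HiddenWallet’s or Wasabi’s code. It assumes textbook RSA blind signatures (Chaum’s construction), a fixed demo RSA key built from two public Mersenne primes (deterministic, and therefore never acceptable as a real key), fake address strings, a small Coordinator class, and a shuffled submission order standing in for the Tor circuit switch. It also shows the two checks the coordinator has to make on submitted outputs: a forged output without a valid signature and a replayed signature are both refused.

```python
# Chaumian CoinJoin round as described above. Added example, not HiddenWallet or
# Wasabi code. Blind signatures are textbook RSA (Chaum). The RSA modulus is built
# from two public Mersenne primes so the demo is deterministic; that key is for
# illustration only and must never be used for real. Address strings, the
# Coordinator API and the shuffled submission order (standing in for a fresh Tor
# circuit) are assumptions.
import hashlib
import math
import secrets
from dataclasses import dataclass, field

E = 65537  # public RSA exponent


def keygen():
    """Demo RSA key (n, d). p and q are publicly known, so only the mechanics matter here."""
    p, q = (1 << 521) - 1, (1 << 607) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, d


def addr_digest(address: str, n: int) -> int:
    """Map an output address to the integer the coordinator will sign."""
    return int.from_bytes(hashlib.sha256(address.encode()).digest(), "big") % n


def blind(n: int, m: int):
    """Participant: hide m as m * r^e mod n with a fresh random blinding factor r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (m * pow(r, E, n)) % n, r


def sign_blinded(n: int, d: int, blinded: int) -> int:
    """Coordinator: RSA-sign whatever it was handed; it never learns m."""
    return pow(blinded, d, n)


def unblind(n: int, blinded_sig: int, r: int) -> int:
    """Participant: (m * r^e)^d * r^-1 = m^d mod n, a valid signature on m."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify(n: int, address: str, sig: int) -> bool:
    """Anyone: check sig^e == H(address) mod n."""
    return pow(sig, E, n) == addr_digest(address, n)


@dataclass
class Coordinator:
    n: int
    d: int
    denomination: int  # equal value paid to every mixed output
    registrations: list = field(default_factory=list)  # (input_addr, blinded) per participant
    outputs: list = field(default_factory=list)
    seen_sigs: set = field(default_factory=set)

    def register(self, input_addr: str, blinded: int) -> int:
        """Phase 1: record the input and return a signature on the still-blinded output."""
        self.registrations.append((input_addr, blinded))
        return sign_blinded(self.n, self.d, blinded)

    def submit_output(self, address: str, sig: int) -> bool:
        """Phase 2, arriving over a new circuit: accept an output only if the coordinator
        signed it and it has not been presented before (no forgery, no replay)."""
        if sig in self.seen_sigs or not verify(self.n, address, sig):
            return False
        self.seen_sigs.add(sig)
        self.outputs.append(address)
        return True

    def build_transaction(self) -> dict:
        """Phase 3: all registered inputs pay equal-value outputs. The coordinator holds
        only (input, blinded) pairs and cannot map them onto the unblinded addresses."""
        return {
            "inputs": [addr for addr, _ in self.registrations],
            "outputs": [(addr, self.denomination) for addr in sorted(self.outputs)],
        }


def run_round(participants, denomination=100_000_000):
    """participants: list of (input_address, output_address). Returns the coordinator,
    the assembled transaction, the (address, signature) pairs, and whether all were accepted."""
    n, d = keygen()
    coord = Coordinator(n, d, denomination)
    signed_outputs = []
    for input_addr, output_addr in participants:
        blinded, r = blind(n, addr_digest(output_addr, n))
        blinded_sig = coord.register(input_addr, blinded)
        signed_outputs.append((output_addr, unblind(n, blinded_sig, r)))
    # Outputs arrive in an order unrelated to registration, as they would after each
    # participant switches Tor circuit.
    order = list(range(len(signed_outputs)))
    secrets.SystemRandom().shuffle(order)
    results = [coord.submit_output(*signed_outputs[i]) for i in order]
    return coord, coord.build_transaction(), signed_outputs, all(results)


if __name__ == "__main__":
    # Constructed, obviously fake addresses.
    coord, tx, sigs, ok = run_round([("in_alice", "out_A"), ("in_bob", "out_B"), ("in_carol", "out_C")])
    print("all outputs accepted:", ok)
    print("transaction:", tx)
    print("forged output accepted:", coord.submit_output("out_mallory", 12345))
    print("replayed output accepted:", coord.submit_output(*sigs[0]))
```

The point to check for yourself is the coordinator's own record: after the round it holds the input addresses and the blinded values it signed, and none of those blinded values equals the digest of any address in the output list, so the coordinator has nothing with which to pair an input to an output. Real deployments use a proper RSA key with secret primes and a hash-to-modulus scheme chosen for the signature scheme in use; the fixed primes here exist only to make the run reproducible.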

Participating in a test of ZeroLink in HiddenWallet!

If you would like to help test ZeroLink as it is implemented in the ‘HiddenWallet’ Bitcoin wallet, please see the guide that has recently been released. This large test case aims for an anonymity set of 100 participants, with a fall-back deadline of Wednesday 10pm GMT if that threshold is not met — at which point the mix will proceed with as many participants as have registered.

Please help us get to 100 participants before December the 20th — I have Christmas shopping to do and worryingly little time left as it is.
