Bitcoin Privacy

Omoniyi, published in Coinmonks, Jun 7, 2022


Introduction

Bitcoin gets a lot of media attention today, not only because it is a distributed digital currency but also because of its supposed anonymity. However, a Bitcoin user can be deanonymised through heuristics and transaction-graph analysis, since every transaction on the Bitcoin blockchain can be freely inspected and analysed by anyone. Hence, Bitcoin is pseudonymous rather than anonymous: transactions on the network are made between Bitcoin addresses, and no name, physical address, or other identity is tied to those addresses.

When talking about privacy in Bitcoin, it is important to distinguish between anonymity and pseudonymity in a system. In an anonymous system, we do not know the identities of those performing actions in the system. In a pseudonymous system, all actions performed by the same entity are linked to the same identifier. Depending on the system’s implementation, this identifier may or may not link to real-world identifiable information. This identifier does not have to be the participant’s real-life identity; it can instead be a semi-anonymous “pseudonym.”

For example, if you register on Twitter with the username “GraciousLight999”, you have registered a pseudonym. Although other Twitter users may not (at this time) know who is behind the account in real life, they can track all of the activity of the “GraciousLight999” pseudonym across the site. If one day you reveal yourself to be the owner of the “GraciousLight999” pseudonym, then all your historical and future activity across the site can be attributed back to you. By contrast, an anonymous implementation of Twitter would not display (or know) which users or pseudonyms had posted which messages: all messages on such a site would be totally anonymous.

Because of their random-looking nature, Bitcoin addresses may appear to be anonymous to outsiders. In reality, they should be considered pseudonyms because they can be used to link multiple actions of the same user. Therefore, we can conclude that Bitcoin is not an anonymous system but a pseudonymous one.

Why Privacy

The Bitcoin white paper has an entire section on privacy, where Satoshi acknowledges how the need to announce all transactions publicly affects privacy. He suggested keeping Bitcoin addresses anonymous and not reusing addresses as a good way to preserve privacy. Once a transaction is confirmed on the Bitcoin blockchain (“on-chain”), it cannot be removed, so privacy degrades gradually over time. Imagine an employer that pays salaries in bitcoin: it would be very easy for that employer to see which bills or donations employees spend their income on, which may be against the employees’ wishes. In another case, a thief who can trace all of an individual’s transactions on the network can single that individual out as a target for exploitation. For these reasons, every user wants to preserve their privacy (to some extent). Hence, the Bitcoin community needs to get privacy right for users to keep using it and for Bitcoin to survive.

Attacks on privacy

Bitcoin transactions take place on the Bitcoin network when a user sends or receives bitcoin, usually through a Bitcoin wallet (a lightweight node), often one managed by an exchange; some transactions are carried out from other types of Bitcoin node. Although Bitcoin is pseudonymous, institutions like Bitcoin custodians, brokerages, and exchanges often require personal information to satisfy their KYC/AML policies before a user can transact on their platform. This user data is stored and traded with chain analysis companies, transaction surveillance companies, and other adversaries, which degrades the user’s pseudonymity and costs the user privacy. These companies analyse the data and apply heuristics with the aim of tracing transactions back to an individual owner. It is useful for the adversarially minded bitcoiner to understand how effective these heuristics are at deanonymising them, so that they can take measures to break them. For example, change detection cannot work if the wallet is able to combine inputs so that the transaction returns no change: with no change output, the change-detection heuristics used by chain analysis have nothing to find.

Antichain Analysis

In a quest to help wallet developers select the best inputs for a transaction with the aim of preserving the user’s privacy, a colleague in the Qala program and I decided to build an Anti-Chain Analyser that combats chain analysis. This application helps wallet developers build wallets that create transactions that are difficult for chain analysis to analyse correctly.

Anti-chain analyser

This tool iterates through the inputs provided by the developer and applies different heuristics to each input, returning the inputs that minimise the number of heuristics the resulting transaction would be susceptible to. Some of these heuristics are described below.

Shadow heuristic: A common type of Bitcoin transaction is the simple send, where one output goes to the receiver and one output goes back to the sender as change. This heuristic assumes that when one of a transaction’s output scriptPubKeys (addresses) is the same as one of the input scriptPubKeys, that output is the “change output”, since it is going back to the sender. In the case of a 2-output transaction, this also deanonymises the receiver, since it becomes obvious which output (the non-change output) is theirs. Another variant of this heuristic: if any of the output scriptPubKeys has ever been seen on the blockchain before, it can be assumed to be the payment output, and the other outputs are likely to be change. The anti-chain analyser counters these heuristics by detecting reused addresses and advising the user appropriately.

Unnecessary input heuristic: Consider a transaction with two inputs (2 BTC and 3 BTC) and two outputs (4 BTC and 1 BTC). It is easy to tell that 1 BTC is the change: if the 1 BTC output were the payment, the 3 BTC input would be unnecessary, since the 2 BTC input alone would suffice to pay 1 BTC with a lower miner fee; hence 4 BTC is the payment. The anti-chain analyser addresses this leak by requiring the wallet developer to always pass an amount greater than the actual payment in the request payload. The analyser then computes the best input combination such that every output is always greater than any single input.

Change detection: Many chain analysis firms attempt to find the change address of a transaction, because it can be combined with other heuristics, like the common-input-ownership heuristic, to leak privacy. This anti-chain analyser always looks for an exact match for the amount to be spent before computing the best UTXO combination, since an exact match produces no change output. Where no input matches the desired output amount exactly, the analyser applies the other heuristics.
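The shadow and unnecessary-input heuristics above, run over a constructed transaction, together with a wallet-side input selector that rejects input sets the unnecessary-input heuristic could resolve. This is an added example, not the Anti-Chain Analyser’s own code; the addresses, amounts, and function names (`shadow_change`, `uih_change`, `select_inputs_resisting_uih`) are all constructed for illustration.

```python
from itertools import combinations

# Constructed sample transaction (not from the article), amounts in satoshis:
# inputs 2 BTC + 3 BTC, outputs 4 BTC + 1 BTC, the article's UIH example,
# with the change sent back to the first input's address.
SAMPLE_INPUTS = [("addr_in1", 200_000_000), ("addr_in2", 300_000_000)]
SAMPLE_OUTPUTS = [("addr_pay", 400_000_000), ("addr_in1", 100_000_000)]

def shadow_change(inputs, outputs):
    """Shadow heuristic: outputs paying one of the input addresses are flagged as change."""
    in_addrs = {addr for addr, _ in inputs}
    return [i for i, (addr, _) in enumerate(outputs) if addr in in_addrs]

def coverable_by_proper_subset(amount, values):
    """True if some proper subset of the input values already sums to >= amount."""
    return any(sum(sub) >= amount
               for r in range(1, len(values))
               for sub in combinations(values, r))

def uih_change(inputs, outputs):
    """Unnecessary-input heuristic: if an output could have been paid with fewer
    inputs, the wallet would not have added the rest, so that output is likely
    change.  Returns the index of the one output singled out, or None when the
    heuristic is ambiguous (no output, or more than one output, is flagged)."""
    values = [v for _, v in inputs]
    flagged = [i for i, (_, amt) in enumerate(outputs)
               if coverable_by_proper_subset(amt, values)]
    return flagged[0] if len(flagged) == 1 else None

def select_inputs_resisting_uih(utxos, payment, fee, max_inputs=3):
    """Hypothetical wallet-side countermeasure (not the article's tool): fewest
    inputs first, return the first set that funds payment + fee without letting
    uih_change single out the change output.  A single input that covers the
    payment (an exact match, for instance) can never be flagged."""
    for r in range(1, max_inputs + 1):
        for sub in combinations(utxos, r):
            change = sum(v for _, v in sub) - payment - fee
            if change < 0:
                continue
            outs = [("payee", payment)] + ([("change", change)] if change else [])
            if uih_change(list(sub), outs) is None:
                return list(sub)
    return None  # every affordable combination leaks the change output

if __name__ == "__main__":
    print("shadow flags outputs:", shadow_change(SAMPLE_INPUTS, SAMPLE_OUTPUTS))
    print("UIH flags output:", uih_change(SAMPLE_INPUTS, SAMPLE_OUTPUTS))
```

With a pool of 2, 3 and 4 BTC and a 4.5 BTC payment, the selector has to spend all three coins to keep the heuristic ambiguous, which is exactly the extra-input cost the next section describes.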

Challenges with Antichain Analysis

One major challenge of the anti-chain analyser is that, to defeat the unnecessary input heuristic, it returns more inputs than a transaction strictly needs, so users pay higher transaction fees. The analyser also works best when the user has many inputs available, which allows a higher-value change output. Bitcoin Core does not maintain a full address (scriptPubKey) index that can be queried for arbitrary transactions. As a result, the anti-chain analyser queries a third-party endpoint to detect address reuse instead of a local Bitcoin node, which is a shortcoming given that the aim is to use Bitcoin trustlessly. Querying one’s own Bitcoin node would remove the need to trust a third-party endpoint or any other intermediary to detect a reused address.

Conclusion

The blockchain ledger is visible to everyone, including adversaries. Adversaries can see the addresses that fund a transaction and the addresses that receive it, along with the amount sent, even though no real identity is tied to the transaction itself. Since Bitcoin custodians and exchanges require a user’s identity to trade bitcoin (exchanging fiat currency for bitcoin), privacy is diminished. However, when you transact within the Bitcoin ecosystem, whatever the exchanges are doing does not affect you. I believe building more anti-chain analysis tools would help preserve privacy and encourage people to continue using Bitcoin.
