
Chapter 6: Bitcoin and Anonymity

“Bitcoin is a secure and anonymous digital currency”
— WikiLeaks donations page
“Bitcoin won’t hide you from the NSA’s prying eyes”
— Wired UK


One of the most controversial things about Bitcoin is its supposed anonymity. First, is Bitcoin anonymous? As you can see from the mutually contradictory quotes above, there’s some confusion about this. Second, do we want a cryptocurrency that is truly anonymous? There are pros and cons of anonymity, which leads to some basic questions: is having an anonymous cryptocurrency beneficial for the stakeholders? Is it good for society? Is there a way to isolate the positive aspects of anonymity while doing away with the negative parts?
These questions are hard because they depend in part on one’s ethical values. We won’t answer them in this chapter, though we will examine arguments for and against anonymity. Mostly we’ll stick to studying various technologies — some already present in Bitcoin and others that have been proposed to be added to it — that aim to increase Bitcoin’s anonymity. We’ll also look at proposals for alternative cryptocurrencies that have different anonymity properties from Bitcoin. These technologies raise new questions: How well do they work? How difficult would they be to adopt? What are the tradeoffs to be made in adopting them?
6.1 Anonymity Basics
Defining anonymity. Before we can properly discuss whether (or to what extent) Bitcoin is anonymous, we need to define anonymity. We must understand what exactly we mean by anonymity, and the relationship between anonymity and similar terms, such as privacy.
At a literal level, anonymous means “without a name.” When we try to apply this definition to Bitcoin, there are two possible interpretations: interacting without using your real name, or interacting without using any name at all. These two interpretations lead to very different conclusions as to whether Bitcoin is anonymous. Bitcoin addresses are hashes of public keys. You don’t need to use your real name in order to interact with the system, but you do use your public key hash as your identity. Thus, by the first interpretation, Bitcoin is anonymous as you do not use your real name. However, by the second interpretation, it is not; the address that you use is a pseudo-identity. In the language of computer science, this middle ground of using an identity that is not your real name is called pseudonymity.

Recall that you are free to create as many Bitcoin addresses as you like. With this in mind, you might be wondering whether Bitcoin addresses really are pseudo-identities considering that you can create as many of these pseudonyms as you like. As we’ll see, this still does not make Bitcoin anonymous.
In computer science, anonymity refers to pseudonymity together with unlinkability. Unlinkability is a property that’s defined with respect to the capabilities of a specific adversary. Intuitively, unlinkability means that if a user interacts with the system repeatedly, these different interactions should not be able to be tied to each other from the point of view of the adversary in consideration.
Sidebar. The distinction between anonymity and mere pseudonymity is something that you might be familiar with from a variety of other contexts. One good example is online forums. On a forum like Reddit, you pick a long-term pseudonym and interact over a period of time with that pseudonym. You could create multiple pseudonyms, or even a new one for every comment, but that would be tedious and annoying and most people don’t do it. So interacting on Reddit is usually pseudonymous but not quite anonymous. 4Chan, by contrast, is an online forum in which users generally post anonymously — with no attribution at all.
Bitcoin is pseudonymous, but pseudonymity is not enough if your goal is to achieve privacy. Recall that the block chain is public and anyone can look up all Bitcoin transactions that involved a given address. If anyone is ever able to link your Bitcoin address to your real world identity, then all of your transactions — past, present, and future — will have been linked back to your identity.
To make things worse, linking a Bitcoin address to a real-world identity is often easy. If you interact with a Bitcoin business — be it an online wallet service, exchange, or other merchant — they are usually going to want your real life identity in order to let you transact with them. For example, an exchange might require your credit card details, while a merchant will need your shipping address.
Or you might go to a coffee shop and pay for your coffee with bitcoins. Since you’re physically present in the store, the barista knows a lot about your identity even if they don’t ask for your real name. Your physical identity thus gets tied to one of your Bitcoin transactions, making all the other transactions that involved that address linkable to you. This is clearly not anonymous.
Side channels. Even if a direct linkage doesn’t happen, your pseudonymous profile can be deanonymized due to side channels, or indirect leakages of information. For example, someone may look at a profile of pseudonymous Bitcoin transactions and note at what times of day that user is active. They can correlate this information with other publicly available information. Perhaps they’ll notice that some Twitter user is active during roughly the same time intervals, creating a link between the pseudonymous Bitcoin profile and a real-world identity (or at least a Twitter identity). Clearly pseudonymity does not guarantee privacy or anonymity. To achieve those, we require the stronger property of unlinkability as well.

Unlinkability. To understand unlinkability in the Bitcoin context more concretely, let’s enumerate some key properties that are required for Bitcoin activity to be unlinkable:
1. It should be hard to link together different addresses of the same user.
2. It should be hard to link together different transactions made by the same user.
3. It should be hard to link the sender of a payment to its recipient.
The first two properties are intuitive, but the third one is a bit tricky. If you interpret “a payment” as a Bitcoin transaction, then the third property is clearly false. Every transaction has inputs and outputs, and these inputs and outputs are inevitably going to be in the block chain and publicly linked together. However, what we mean by a payment is not a single Bitcoin transaction, but rather anything that has the effect of transferring bitcoins from the sender to the recipient. It might involve a roundabout series of transactions. What we want to ensure is that it’s not feasible to link the sender and the ultimate recipient of the payment by looking at the block chain.
Anonymity set. Even under our broader definition of a payment, the third property seems hard to achieve. Say you pay for a product that costs a certain number of bitcoins and you send that payment through a circuitous route of transactions. Somebody looking at the block chain will still be able to infer something from the fact that a certain number of bitcoins left one address and roughly the same number of bitcoins (minus transaction fees, perhaps) ended up at some other address. Moreover, despite the circuitous route, the initial sending and the ultimate receiving will happen in roughly the same time period because the merchant will want to receive payment without too much of a delay.
Because of this difficulty, we usually don’t try to achieve complete unlinkability among all possible transactions or addresses in the system, but rather something more limited. Given a particular adversary, the anonymity set of your transaction is the set of transactions which the adversary cannot distinguish from your transaction. Even if the adversary knows you made a transaction, they can only tell that it’s one of the transactions in the set, but not which one it is. We try to maximize the size of the anonymity set — the set of other addresses or transactions amongst which we can hide.
Calculating the anonymity set is tricky. Since the anonymity set is defined with respect to a certain adversary or set of adversaries, you must first concretely define what your adversary model is. You have to reason carefully about what that adversary knows, what they don’t know, and what it is that we are trying to hide from the adversary — that is, what the adversary cannot know for the transaction to be considered anonymous. There’s no general formula for doing this. It requires carefully analyzing each protocol and system on a case-by-case basis.
Taint analysis. In the Bitcoin community, people often carry out intuitive analyses of anonymity services without rigorous definitions. Taint analysis is particularly popular: it’s a way of calculating how “related” two addresses are. If bitcoins sent by an address S always end up at another address R, whether directly or after passing through some intermediate addresses, then S and R will have a high taint score. The formula accounts for transactions with multiple inputs and/or outputs and specifies how to allocate taint.

Unfortunately, taint analysis is not a good measure of Bitcoin anonymity. It implicitly assumes that the adversary is using the same mechanical calculation to link pairs of addresses. A slightly cleverer adversary may use other techniques such as looking at the timing of transactions or even exploit idiosyncrasies of wallet software as we’ll see later in this chapter. So taint analysis might suggest that you have a high degree of anonymity in a certain situation, but in fact you might not.
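The following is an added example, not code from the textbook: a small taint calculator over constructed transactions. The text does not give the allocation formula, so the proportional rule used here (each output inherits the value-weighted mix of its inputs' taint) is an assumption, as are the address names S, T, M1, M2 and R.

```python
"""Added example (not from the textbook): proportional taint analysis.

The text does not give the allocation formula, so the rule assumed here is the
usual proportional one: every output of a transaction inherits the
value-weighted mix of its inputs' taint, and an address that receives more
than once blends the mixes by amount received. taint(S, R) is the fraction of
what R received that traces back to S.
"""
from collections import defaultdict


def taint_table(transactions):
    """transactions: ordered list of (inputs, outputs), each a list of
    (address, amount). Returns {address: {origin: fraction}}. An address first
    seen as an input is treated as the origin of its own coins."""
    taint = {}                        # address -> {origin: fraction}
    received = defaultdict(float)     # address -> total amount received
    for inputs, outputs in transactions:
        total_in = sum(amt for _, amt in inputs)
        mix = defaultdict(float)      # taint carried by this tx's inputs
        for addr, amt in inputs:
            for origin, frac in taint.get(addr, {addr: 1.0}).items():
                mix[origin] += frac * amt / total_in
        for addr, amt in outputs:     # every output gets the same mix
            blended = defaultdict(float)
            for origin, frac in taint.get(addr, {}).items():
                blended[origin] += frac * received[addr]
            for origin, frac in mix.items():
                blended[origin] += frac * amt
            received[addr] += amt
            taint[addr] = {o: v / received[addr] for o, v in blended.items()}
    return taint


def taint_score(transactions, source, dest):
    """Fraction of dest's received coins that trace back to source."""
    return taint_table(transactions).get(dest, {}).get(source, 0.0)


# Constructed sample (amounts in BTC, fees ignored).
# tx1: S pays 4 to intermediary M1              -> M1 is fully tainted by S
# tx2: T pays 2 to intermediary M2
# tx3: M1 and M2 are co-spent: 5 to R, 1 change -> R is 2/3 S and 1/3 T,
#      and the change output carries the same mix
SAMPLE_TXS = [
    ([("S", 4.0)], [("M1", 4.0)]),
    ([("T", 2.0)], [("M2", 2.0)]),
    ([("M1", 4.0), ("M2", 2.0)], [("R", 5.0), ("CHANGE", 1.0)]),
]
```

The score reflects only how value flows through the transaction graph; the timing of transactions and wallet idiosyncrasies that a cleverer adversary exploits are invisible to it.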
Why we need anonymity. Having seen what anonymity means, let’s answer some meta-questions about anonymity before we go further: Why do people want anonymity? What are the ethical implications of having an anonymous currency?
In block chain-based currencies, all transactions are recorded on the ledger, which means that they are publicly and permanently traceable to the associated addresses. So the privacy of your Bitcoin transactions can potentially be far worse than with traditional banking. If your real-world identity ever gets linked to a Bitcoin address, then you have totally lost privacy for all transactions — past, present, and future — associated with that address. Since the block chain is publicly available, literally anyone might be able to carry out this type of deanonymization without you even realizing that you’ve been identified.
With this in mind, we can identify two different motivations for having anonymous cryptocurrencies. The first is simply to achieve the level of privacy that we are already used to from traditional banking, and mitigate the deanonymization risk that the public block chain brings. The second is to go above and beyond the privacy level of traditional banking and develop currencies that make it technologically infeasible for anyone to track the participants.
Ethics of anonymity. There are many important (though often overlooked) reasons for anonymity that we take for granted with traditional currencies. Most people are uncomfortable sharing their salaries with their friends and coworkers. If individuals’ addresses in the block chain are easily identifiable, though, and they receive their salary in Bitcoin, it would be quite easy to infer their salary by looking for a large, regular monthly payment. Organizations also have important financial privacy concerns. For example, if a video game console manufacturer were to be observed in the block chain paying a subcontractor that manufactures virtual reality glasses, this might tip off the public (and their competitors) about a new product they are preparing to launch.
However, there is legitimate concern that truly anonymous cryptocurrencies can be used for money laundering or other illegal activities. The good news is that while cryptocurrency transactions themselves may be pseudonymous or anonymous, the interface between digital cash and fiat currencies is not. In fact, these flows are highly regulated, as we’ll see in the next chapter. So cryptocurrencies are no panacea for money laundering or other financial crimes.
Nevertheless one may ask: can’t we design the technology in such a way that only the good uses of anonymity are allowed and the bad uses are somehow prohibited? This is in fact a recurring plea to computer security and privacy researchers. Unfortunately, it never turns out to be possible. The reason is that use cases that we classify as good or bad from a moral viewpoint turn out to be technologically identical. In Bitcoin, it’s not clear how we could task miners with making moral decisions about which transactions to include.
Our view is that the potential good that’s enabled by having anonymous cryptocurrencies warrants their existence, and that we should separate the technical anonymity properties of the system from the legal principles we apply when it comes to using the currency. It’s not a completely satisfactory solution, but it’s perhaps the best way to achieve a favorable trade-off.
Sidebar: Tor. The moral dilemma of how to deal with a technology that has both good and bad uses is by no means unique to Bitcoin. Another system whose anonymity is controversial is Tor, an anonymous communication network.
On the one hand, Tor is used by normal people who want to protect themselves from being tracked online. It’s used by journalists, activists, and dissidents to speak freely online without fear of repercussion from oppressive regimes. It’s also used by law enforcement agents who want to monitor suspects online without revealing their IP address (after all, ranges or blocks of IP addresses assigned to different organizations, including law enforcement agencies, tend to be well known). Clearly, Tor has many applications that we might morally approve of. However, it also has clearly bad uses: it’s used by operators of botnets to issue commands to the infected machines under their control and it’s used to distribute child sexual abuse images.
Distinguishing between these uses at a technical level is essentially impossible. The Tor developers and the Tor community have grappled extensively with this conundrum. Society at large has grappled with it to some degree as well. We seem to have concluded that overall, it’s better for the world that the technology exists. In fact one of the main funding sources of the Tor project is the U.S. State Department. They’re interested in Tor because it enables free speech online for dissidents in oppressive regimes. Meanwhile, law enforcement agencies seem to have grudgingly accepted Tor’s existence, and have developed ways to work around it. The FBI has regularly managed to bust websites on the “dark net” that distributed child sexual abuse images, even though these sites hid behind Tor. Often this is because the operators tripped up. We must remember that technology is only a tool and that perpetrators of crimes live in the real world, where they may leave physical evidence or commit all-too-human errors when interacting with the technology.
Anonymization vs. decentralization. We’ll see a recurring theme throughout this chapter that the design criteria of anonymization and decentralization are often in conflict with one another. If you recall Chaum’s ecash from the preface, it achieved perfect anonymity in a sense, but through an interactive blind-signature protocol with a central authority, a bank. As you can imagine, such protocols are very difficult to decentralize. Secondly, if we decentralize, then we must keep some sort of mechanism to trace transactions and prevent double spending. This public traceability of transactions is a threat to anonymity.
Later in this chapter, we’ll see Zerocoin and Zerocash, anonymous decentralized cryptocurrencies that have some similarities to Chaum’s ecash, but they have to tackle thorny cryptographic challenges because of these two limitations.
6.2 How to De-anonymize Bitcoin
We’ve said several times that Bitcoin is only pseudonymous, so all of your transactions or addresses could potentially be linked together. Let’s take a closer look at how that might actually happen.
Figure 6.1 shows a snippet of the Wikileaks donation page (including the quote at the beginning of the chapter). Notice the refresh button next to the donation address. As you might expect, clicking the button will replace the donation address with an entirely new, freshly generated address. Similarly, if you refresh the page or close it and visit it later, it will have another address, never previously seen. That’s because Wikileaks wants to make sure that each donation they receive goes to a new public key that they create just for that purpose. Wikileaks is taking maximal advantage of the ability to create new pseudonyms. This is in fact the best practice for anonymity used by Bitcoin wallets.
Figure 6.1: Snippet from Wikileaks donation page. Notice the refresh icon next to the Bitcoin address. Wikileaks follows the Bitcoin best practice of generating a new receiving address for every donation.
At first you might think that these different addresses must be unlinkable. Wikileaks receives each donation separately, and presumably they can also spend each of those donations separately. But things quickly break down.
Linking. Suppose Alice wants to buy a teapot that costs 8 bitcoins (more likely 8 centi-bitcoins, at 2015 exchange rates). Suppose, further, that her bitcoins are in three separate unspent outputs at different addresses whose amounts are 3, 5, and 6 bitcoins respectively. Alice doesn’t actually have an address with 8 bitcoins sitting in it, so she must combine two of her outputs as inputs into a single transaction that she pays to the store.

But this reveals something. The transaction gets recorded permanently in the block chain, and anyone who sees it can infer that the two inputs to the transaction are most likely under the control of the same user. In other words, shared spending is evidence of joint control of the different input addresses. There could be exceptions, of course. Perhaps Alice and Bob are roommates and agree to jointly purchase the teapot by each supplying one transaction input. But by and large, joint inputs imply joint control.
Figure 6.2: To pay for the teapot, Alice has to create a single transaction having inputs that are at two different addresses. In doing so, Alice reveals that these two addresses are controlled by a single entity.
But it doesn’t stop there. The adversary can repeat this process and transitively link an entire cluster of transactions as belonging to a single entity. If another address is linked to either one of Alice’s addresses in this manner, then we know that all three addresses belong to the same entity, and we can use this observation to cluster addresses. In general, if an output at a new address is spent together with one from any of the addresses in the cluster, then this new address can also be added to the cluster.
Later in this chapter we’ll study an anonymity technique called CoinJoin that works by violating this assumption. But for now, if you assume that people are using regular Bitcoin wallet software without any special anonymity techniques, then this clustering tends to be pretty robust. We haven’t yet seen how to link these clusters to real-world identities, but we’ll get to that shortly.
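The transitive clustering just described, as an added example that is not part of the textbook: transactions are constructed inline and the address names (A1, A2, A3, B1 and the merchants) are placeholders, not real addresses.

```python
"""Added example (not from the textbook): common-input-ownership clustering.

A constructed transaction is (input_addresses, output_addresses). Following
the text, all inputs of one transaction are taken to share an owner, and
union-find merges those links transitively into clusters.
"""
from collections import defaultdict


class UnionFind:
    """Disjoint-set forest with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:          # compress the path
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Address clusters (frozensets) implied by shared spending. Only co-spent
    input addresses are merged; an address that only receives stays a singleton."""
    uf = UnionFind()
    for inputs, outputs in transactions:
        for addr in inputs + outputs:
            uf.find(addr)                      # register every address
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def same_entity(transactions, a, b):
    """True if shared spending links a and b, directly or transitively."""
    return any(a in c and b in c for c in cluster_addresses(transactions))


# Constructed sample. tx1: Alice co-spends A1 and A2 to pay for the teapot.
# tx2: A1 has since received coins again (address reuse) and is co-spent
#      with A3, which transitively joins A3 to the {A1, A2} cluster.
# tx3: Bob's single-input payment, unrelated to Alice.
SAMPLE_TXS = [
    (["A1", "A2"], ["STORE", "A_CHANGE"]),
    (["A1", "A3"], ["SHOP"]),
    (["B1"], ["STORE"]),
]
```

Note that the change output A_CHANGE is not linked to Alice here: the shared-spending heuristic alone says nothing about outputs, which is why the change-address heuristic discussed next matters to an adversary.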
Sidebar: Change address randomization. An early version of the bitcoin-qt library had a bug which always put the change address as the first output in a transaction with two outputs. This meant that it was trivial to identify the change address in many transactions. This bug was fixed in 2012 but highlights an important point: wallet software has an important role to play in protecting anonymity. If you’re developing wallet software, there are many pitfalls you should be aware of; in particular, you should alwa
