Anonymity

7 messages BitcoinTalk Michael Marquardt, Timo Y, llama, Satoshi Nakamoto, throughput, nimnul, Tritonio July 7, 2010 — August 15, 2010
theymos July 7, 2010 16:54 UTC

The current BitCoin implementation is certainly better than using a credit card, but I wouldn’t use it in environments requiring strong anonymity without a lot of changes.

The history of a coin is publicly available. Anyone can see the flow of BitCoins from address to address.

This becomes a problem when certain points in the “transaction chain” become known to the attacker. In the image below, the attacker controls both the source of Mr. Doe’s BitCoins and the destination. Since Doe bought his coins using non-anonymous methods, he is easily identified. His identity is tied to an address in the transaction chain.

A more likely scenario is for your BitCoin balance to come from transactions made over insecure channels (email, this forum, etc.). If you’re particularly careless, the destination can just Google all of the addresses in the transaction chain. Maybe he’ll find that one of them is in your forum signature here.

I’ve thought of two ways to make this harder. The first is to randomly send your coins to new addresses that you’ve generated just for this purpose. The coins are still part of your balance, but it’s impossible for an outsider to prove that you sent the coins to yourself instead of a real person. However, the transaction chain still has your identity in it. In a real investigation, you would be targeted for close examination because you either know (directly or indirectly) the real person who is under investigation, or you are that person.

The second way is for an external service to take the coins of many different people, mix them up, and send similar amounts back to those peoples’ addresses. If the mixer keeps no logs of who gets which coins, any investigation must stop here.

For maximum security, BitCoin should have the capability to automatically send coins through several external mixers. Assuming at least one of them doesn’t keep logs (and all of them actually return your coins), this should keep you completely safe.

There’s a problem with safely coordinating all of this. You want all of your coins to be mixed at least once, but keeping track of this in a database will ruin your plausible deniability. Probably you’d have to initially keep track, but then delete the database after all the coins have been made safe.

Unrelated to the chain issues above, BitCoin is vulnerable to network analysis. If an attacker can watch all of your incoming and outgoing traffic, he can easily see which transactions are yours. If the connection is unencrypted (as it is now), he can see when you broadcast a transaction that you didn’t receive.

Even when encrypted (through Tor or a built-in mechanism), it’s not impossible for an attacker to see which transactions are yours if he can see both ends of one of your connections to the BitCoin network.

Your transactions can be identified through Tor like this:

  1. The attacker fills the BitCoin network with IP addresses that he controls.
  2. When one of these “evil nodes” receives a packet, the attacker sees if it was received close to the time when he saw you send a packet. If this happens a few times, the attacker knows who you are and can see your transmissions to the network.
  3. When you send a transaction, the attacker knows it’s yours if you send it without receiving a packet in a while.

To fix this, BitCoin should implement encryption, padding (to prevent any size-based identification), dummy packets, and randomization in sending times. Some plausible deniability could also be added if BitCoin could export and import transactions to/from a file (importing would broadcast the transaction to the network, while exporting would not). Then you could transmit this file in other ways (a flash drive, for example).

I also see two structural problems not related to anonymity:

  • If the network is segmented at the network layer (because the POTUS executed his “Internet kill switch”, for example), the block chain will be forked. This would be really bad.
  • It’s very easy for an attacker with lots of IP addresses to fill the network with cancer nodes. I’m not sure how badly BitCoin could be affected by this.
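The “transaction chain” argument above, as an added example that is not part of the original post: a toy model in which an analyst who knows only the destination address walks the public chain backwards. All addresses and transaction ids are constructed placeholders; the model shows that self-transfers keep Mr. Doe’s address in the chain, while a log-free mixer leaves several equally plausible senders.

```python
# Added example (not from the thread): a toy model of the public transaction
# chain. Each transaction lists the addresses it spends from and pays to; the
# analyst starts at a known destination and walks backwards.
from collections import deque

# Constructed sample data; every name is a placeholder, not a real address.
NO_MIXER = [
    {"id": "buy",   "in": ["exchange"], "out": ["doe_1"]},  # Doe buys coins non-anonymously
    {"id": "self1", "in": ["doe_1"],    "out": ["doe_2"]},  # Doe pays a fresh address of his own
    {"id": "self2", "in": ["doe_2"],    "out": ["doe_3"]},
    {"id": "pay",   "in": ["doe_3"],    "out": ["attacker_dest"]},
]

WITH_MIXER = [
    {"id": "buy",  "in": ["exchange"], "out": ["doe_1"]},
    {"id": "buyA", "in": ["exchange"], "out": ["alice_1"]},
    {"id": "buyB", "in": ["exchange"], "out": ["bob_1"]},
    # The mixer spends everyone's coins in one transaction and pays fresh addresses.
    {"id": "mix",  "in": ["doe_1", "alice_1", "bob_1"],
                   "out": ["mixout_1", "mixout_2", "mixout_3"]},
    {"id": "pay",  "in": ["mixout_2"], "out": ["attacker_dest"]},
]

# Addresses the analyst has already tied to a person (e.g. via a forum signature).
KNOWN_IDENTITIES = {"doe_1": "Mr. Doe", "alice_1": "Alice", "bob_1": "Bob"}


def ancestor_addresses(txs, address):
    """Every address whose coins could have flowed into `address`."""
    paid_by = {}
    for tx in txs:
        for out in tx["out"]:
            paid_by.setdefault(out, []).append(tx)
    seen, queue = set(), deque([address])
    while queue:
        addr = queue.popleft()
        for tx in paid_by.get(addr, []):
            for src in tx["in"]:
                if src not in seen:
                    seen.add(src)
                    queue.append(src)
    return seen


def candidate_owners(txs, address):
    """Identified people who could be the ultimate sender to `address`."""
    return {KNOWN_IDENTITIES[a] for a in ancestor_addresses(txs, address)
            if a in KNOWN_IDENTITIES}
```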
Timo Y July 8, 2010 12:59 UTC

Real-life example

  1. I set up a fresh Bitcoin address/Bitcoin Client in a VPS hosted in Panama, connected via Tor.

  2. I purchase a 100 EUR paysafecard code at some newsagent in a big, densely populated city. I pay cash, and make sure the newsagent is 2 km away from my home.

  3. I advertise the sale of the paysafecard code on this forum, via Tor and a free public wifi hotspot, using a fresh username.

  4. A buyer shows up. I send him my bitcoin address and the paysafecard code from a freshly set up webmail address, again via Tor and a free public wifi hotspot.

Using above precautions, it will be very difficult to link my physical identity to my bitcoin address. Not impossible, but difficult enough for my purposes.

llama July 8, 2010 16:37 UTC

Not bad.

As far as anonymous internet connections go, prepaid phones aren’t a bad choice either. They’re cheap, nearly impossible to tie to the user, and can be destroyed when finished. Again, they can be bought in densely crowded shopping malls or Walmarts.

Don’t forget to use an anonymous method to pay for the VPS, foreverdamaged. Perhaps a prepaid credit card also bought from a crowded location would do the trick.

By the way, I like to imagine that this user is in China and is trying to buy a book about freedom 😉

Satoshi Nakamoto July 8, 2010 19:12 UTC

It’s hard to imagine the Internet getting segmented airtight. It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone. It would only take one node to do it. Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks. Their number of confirmations would start over.

If anyone took advantage of the segmentation to double-spend, such that there are different spends of the same money on each side, then the double-spends in the shorter fork lose out and go to 0/unconfirmed and stay that way.

It wouldn’t be easy to take advantage of the segmentation to double-spend. If it’s impossible to communicate from one side to the other, how are you going to put a spend on each side? If there is a way, then probably someone else is also using it to flow the block chain over.

You would usually know whether you’re in the smaller segment. For example, if your country cuts itself off from the rest of the world, the rest of the world is the larger segment. If you’re in the smaller segment, you should assume nothing is confirmed.
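The recombination behaviour satoshi describes, as an added example that is not code from the original post or from the Bitcoin client: a toy model with two forks of the same chain. Blocks and transaction ids are constructed placeholders, and "coins" stand in for previous outputs; the model keeps the longer chain, returns the shorter fork's non-conflicting transactions to the pool with their confirmations reset to 0, and marks double-spends that lose to the longer fork as permanently unconfirmed.

```python
# Added example (not from the thread): what a node does when two network
# segments reconnect. A chain is a list of blocks; a block is a list of
# (txid, coins_spent) tuples. Sample data is constructed.
COMMON = [[("t1", ("c1",))]]                       # block 1, seen by both sides
LONG_SIDE = COMMON + [[("t2", ("c2",))],           # the rest of the world: 4 blocks
                      [("t3", ("c3",))],
                      [("t4", ("c9",))]]
SHORT_SIDE = COMMON + [[("t2", ("c2",)),           # the cut-off segment: 2 blocks
                        ("t5", ("c4",)),           # only here; not a double-spend
                        ("t6", ("c9",))]]          # spends c9 again: double-spend of t4


def spent_coins(chain):
    """Map every coin spent anywhere in `chain` to the txid that spent it."""
    return {coin: txid for block in chain for txid, coins in block for coin in coins}


def confirmations(chain, txid):
    """Blocks from the one containing `txid` to the tip, inclusive; 0 if absent."""
    for height, block in enumerate(chain):
        if any(t == txid for t, _ in block):
            return len(chain) - height
    return 0


def recombine(local_chain, other_chain):
    """Return (adopted_chain, back_in_pool, conflicted) after the segments reconnect.

    The longer chain wins; on a tie this toy keeps the local one. Transactions
    only in the shorter fork go back to the pool unless one of their coins was
    already spent in the longer fork, in which case they lose for good.
    """
    if len(other_chain) > len(local_chain):
        longer, shorter = other_chain, local_chain
    else:
        longer, shorter = local_chain, other_chain
    in_longer = {txid for block in longer for txid, _ in block}
    longer_spends = spent_coins(longer)
    pool, conflicted = [], []
    for block in shorter:
        for txid, coins in block:
            if txid in in_longer:
                continue                             # confirmed on both sides
            if any(c in longer_spends for c in coins):
                conflicted.append(txid)              # 0/unconfirmed, stays that way
            else:
                pool.append(txid)                    # eligible for future blocks
    return longer, pool, conflicted
```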

throughput August 10, 2010 07:59 UTC
Quote from: satoshi on July 08, 2010, 7:12:00 PM UTC

It’s hard to imagine the Internet getting segmented airtight. It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone. It would only take one node to do it. Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks. Their number of confirmations would start over.

It is easy to imagine some bug in the implementation that may be triggered by an invalid, specially crafted network message; let it cause the Bitcoin client to hang, but only after retransmitting the same message to peers and after damaging the blockchain database on disk.

If there is only one implementation, with the same bugs shared among versions and platforms, then the entire network will lose the blockchain, and when the majority eventually recovers, every separate node will reconnect to some existing majority with its own notion of history. If that event happens as a coordinated attack, then we may get a very different history. How can that affect previous transactions? BTW, are there blockchain backups?

PS: Let’s not discuss how impossible it is to exploit software vulnerabilities so precisely. That is an art with its own secrets and surprises. And no, I cannot do that right now to prove it is possible.

nimnul August 12, 2010 11:52 UTC
Quote from: llama on July 07, 2010, 7:28:05 PM UTC

Anonymity is not a feature that most users need.

Well, we need a poll. For me, anonymity is the only feature I need.

Tritonio August 15, 2010 01:10 UTC

I bet anonymity is a must for many users. We definitely need a poll. What happens if I send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will still be on the “suspect” list, but nevertheless it offers some deniability.

BTW, when you send money to yourself the transaction log doesn’t even list which account is the receiving one… 🙄