Bitcoin and Anonymity

By Rich Apodaca | Updated

This unit is Part 6 of the Annotated Princeton Bitcoin Video Course.

Introduction (1 minute)

This section of videos makes the unfortunate choice to use the word “anonymity.” Although the problems with this term will be clarified in the next video, it’s important to realize that Bitcoin doesn’t grant users anonymity.

In Bitcoin, we speak not of anonymity but of privacy. Bitcoin’s privacy model is pseudonymity. It’s vital that all Bitcoin users understand the distinction. When you see or hear the word “anonymity” in this section, think “privacy.”

Anonymity Basics (26 minutes)

A Bitcoin public (or address) is a pseudonym. Sending or receiving payments requires the use of this pseudonym. We use pseudonyms all the time. For example, when we use Twitter or Reddit, our usernames serve as pseudonyms.

This video asserts that:

anonymity = pseudonymity + unlinkability

Consider replacing the word “anonymity” with “privacy.” Your privacy is a function of Bitcoin’s pseudonymity model and unlinkability. Two pseudonyms become linked when some fact is consistent with they’re belonging to the same entity. You maximize your privacy by minimizing the ability of others to link your pseudonyms.

Linkage can occur when a Bitcoin public key becomes linked to another pseudonym such as a Reddit handle. But it can also occur when two Bitcoin public keys become linked together.

Chaum’s paper on blind signatures can be read here.

How to De-Anonymize Bitcoin (18 minutes)

Address reuse is one of the most common forms of privacy loss. Reusing an address permanently associates two or more payments with it. When combined with other privacy leaks, address reuse can be devastating to Bitcoin user privacy.

Address reuse is very common on donation pages, for example. Any moderately-skilled investigator can monitor the block chain for address reuse.

Tor is a tool that hides an Internet user’s real IP address (also a pseudonym). Using Tor makes it difficult to link your IP address to Bitcoin public keys.

Two papers are cited:

Mixing (21 minutes)

Even with careful use, user privacy can be degraded by linking a public key to another pseudonym. One remedy is to use a centralized service that accepts coins from multiple users and returns new coins in exchange. This kind of service is called a mixer.

Mixers come in a variety of forms. Some are dedicated to enhancing user privacy. Others, like online wallets and exchanges, mix coins coincidentally to other services rendered.

The main problem with mixers is trust. They must be trusted to no only return deposited funds, but also safeguard user privacy. In this sense, mixers and traditional banks have a lot in common.

Decentralized Mixing (14 minutes)

The need to trust a mixer has motivated research into distributed, trustless alternatives. One of the most important is CoinJoin.

CoinJoin is a general protocol in which two or more users collaborate to create a single Bitcoin transaction. Two properties work to the advantage of CoinJoin:

  1. Transaction inputs aren’t mapped to outputs.
  2. Each transaction input is signed independently of the others.

The most widely-used implementation is available at JoinMarket.

Zerocoin and Zerocash (19 minutes)

This lecture points out that Zerocash requires a trusted setup - secret keys that need to be securely destroyed. The Zcash team addressed this problem with a cryptographic “ceremony” that was documented in a radio broadcast and in an article.

Tor and the Silk Road (11 minutes)

Understanding how Tor works isn’t nearly as important as understanding what it does. Tor obfuscates your IP address from the Web servers and Bitcoin nodes you connect with. As such, it’s useful for preventing the linkage of of your IP address to one or more Bitcoin public keys. Tor is incapable of breaking links between Bitcoin public keys caused by address reuse or other actions.

Next Up: Community, Politics, and Regulation