Anonymity and Traceability Review

[vess]

I've been generating BTC for a week or so now, and I'm enjoying myself very much.

One thing I've been wondering about is the anonymity of the system, and I can't find all the documentation I need to understand.

What I'm wondering about is total anonymity as far as origination of Bitcoins.

The question is analogous to the US government's current laws that any money transferred to terrorists by however long a chain implies criminal liability for the original transferer of the money offshore.

Now, I don't like sending terrorists money at all, whether or not our government approves of them, so I don't wish to do such a thing.

However, as I understand the protocol right now, this sort of chain of payment checking is quite easy in bitcoin land if the bitcoin address scheme is used to transfer money.

Does the IP transfer option mitigate this? My current best practice for completely breaking the chain of who-sent-the-bitcoins-to-whom is:

1) Receiver sets up a listener at 8333 at some IP online, presumably with some tor-based login scheme.
2) Sender, using Tor sends to that IP, say 100 BTC
3) Receiver receives BTC, waits for confirmation from the network.
4) Receiver copies wallet.dat file to real location over Tor
5) Receiver sends money from wallet.dat to 'main' wallet using newly generated Bitcoin address
6) BTC 'laundered'.

Is this the approved method of breaking the chain of payments?

Comments on attacks or other methods?

[1713904241]

1713904241

[1713904241]

1713904241

[1713904241]

1713904241

[1713904241]

1713904241

[1713904241]

1713904241

[vess]

Just to say, I currently believe based on reading the spec that everyone will know

1) Sender sent 100 BTC to _random_ip
2) Receiver's address sent 100 BTC to 'new_address'

But that these would not otherwise be correlated. Is this correct?

[Red]

Just to say, I currently believe based on reading the spec that everyone will know

1) Sender sent 100 BTC to _random_ip
2) Receiver's address sent 100 BTC to 'new_address'

But that these would not otherwise be correlated. Is this correct?

As far as I know, this is incorrect.

Every bitcoin transaction is mapped to a previous transaction. All transactions are signed by the owner of a particular bitcoin address. They are all traceable though the graph. If you think about it, you will realize that otherwise the system would be easy to spoof.

The send to IP address, simply makes a connection there first and asks it for an appropriate bitcoin address to send to. After that everything is the same as any other transaction. That is why there was a warning of a possible man-in-the-middle attack using Tor or other proxies.

(anyone, please correct me if I'm wrong)

[vess]

Okay.

In that case, I revise my best practices to:

0) use all new bitcoin addresses
1) find a trustworthy bitcoin exchange market
2) transfer in
3) transfer out, if they delete logs
3a) if not, sell bitcoins for USD
3b) transfer out USD
3c) send money to trustworthy bitcoin exchange market
3d) purchase bitcoins

Comments?

[Red]

I think that the limits of anonymity needs to be discussed if that is going to be a claim of the system.

I'm very interested in that subject, however, others are less so.

Might be worth creating some sort of best practices, depending upon how anonymous you are trying to be.

[Insti]

The question is analogous to the US government's current laws that any money transferred to terrorists by however long a chain implies criminal liability for the original transferer of the money offshore.

If you track the progress of a real USD $1 bill, from your pocket and it ends up in the pocket of a terrorist, at what point are you liable?

Using the logic you suggest the US Federal Reserve is the biggest terrorist funder of them all.
(Discussion of whether they are actually deliberately funding terrorists omitted)

Using a bitcoin market will probably not solve the problem you suggest.
And in fact probably makes things worse because it anchors your bitcoin transactions to your real world identity at 2 points. (assuming you're not managing to anonymously buy BTC, in which case that DOES solve your problem and you can just ignore all the steps prior to 3d)

Just only do honest things with your bitcoins and you'll be fine.

[FreeMoney]

Just only do honest things with your bitcoins and you'll be fine.

Buying things is not dishonest, but that doesn't mean you'll be fine if certain third parties find out.

[ichi]

If you want to stay anonymous, there must be no associations between any of your Bitcoin adresses and anything that identifies you.  That includes your name, address, telephone numbers, IP addresses, friends, enemies, favorite websites, politics and/or whatever.

Doing all that can be inconvenient.  It requires discipline.  You need to keep your identities straight.

There's another issue.  Unless you're going to live in a bunker, you'll need to trust someone.  Even with the bunker, you'll probably need to trust someone.  With Tor, you'll need to trust your exit nodes, to some extent, at least.  Or you'll need to trust your anonymous VPN provider (more than you trust your ISP and/or government, anyway).

I'm still puzzling how to reliably exchange Bitcoins and physical things while maintaining mutual anonymity.  Dead drops either protect sellers or buyers, as I see it.

[vess]

I started working on a solution to this today. I'll update here when I have some news.

And, for those saying 'just keep your nose clean,' that's entirely not the point.

Regarding the US government, the Patriot Act really did make it much harder to get money outside of the US -- a move that was welcomed by large banks (it pushed small banks out of the international wire business), and the IRS alike. It did it via the mechanism I described. Ask your local banker if they will wire money to Afghanistan for you if you'd like to understand just how hard this is to accomplish in America.

[chaord]

I'm not sure if http://bitcointalk.org/index.php?topic=635.0 (a post I just made in a new topic) would help maintain anonymity, but I feel like it can't hurt.  I'd be curious to hear your critique.

[Red]

Anonymity in BitCoin is really a misnomer. It is really pseudonymity as all transactions are done through bitcoin addresses. An address is equivalent to the pseudonyms used on this site.

When people speak about anonymity/pseudonymity they usually mean link-ability. Can my pseudonym (address) be linked to my real world identity.

However, there is another important aspect, associate-ability. What can others learn about me by watching the behavior of my pseudonym. Because bitcoin is a publicly visible directed graph, link-ability is directly related to associate-ability.

Suppose you use the same handle and anonymous email here, as you do on a kiddie porn site. If that association was made you might be banned here, or even targeted by others. In the real world (and the generalized internet world) those associations are often hard to make. That tends to make people careless. However, in bitcoin these associations are trivial.

Associating your address with a set of behavior gives others a reason to attempt to link it back to you.

Every bitcoin comes to you from someone who knows enough about you to transact with you. When you spend the coins they go to someone who often knows you as well. Each interaction can leak information about you or your behavior.

You would think that single use addresses could protect you, however they can often be correlated easier than you think.

Suppose you want to buy a domain registry from privacyshark for 700 BTC. But you don't want it associated with your well know bitcoin address in your footer here. So you decide to route it through three single use intermediary accounts (x, y, z). So create new accounts X,Y,and Z. Send 700 BTC first to X, then from there to Y, and from Y to Z. Finally you send the 700 BTC on to privacysharks well known address.

Well you are still screwed, because on the bitcoin directed graph, you just drew a straight line from your public address here to privacyshark's public address. Each segment in that line correlates by value amount. They also correlate in time. (one hop each block at worst)

What if you try it differently, you send three different amounts from your public address to the three new addresses. 100 to X, 200 to Y, and 400 to Z. Then you send from X, Y, and Z individually to privacyshark. Well these amounts now create a neat diamond shape on the graph with you at the fork and privacyshark at the join. The transactions to and from X,Y & Z all correlate in time (perhaps even in the same two blocks). They also correlate by amount.

If you already happen to have coins at several addresses and you decide to sent 700 of them at once to privacyshark, I'm not sure exactly how the client generates the transactions but I do know, that they will still correlate by time and amount. Even worse it has the potential to associate non-single use accounts to one individual.

You can only de-correlate the timing by adding more latency. You can only de-correlate the graph connections by adding more hops. You can only de-correlate the values by adding more forking. All of these precautions reduce the utility of bitcoin and increase the complexity of transactions.

Is anyone going to go through all the bother to back-propagate your transaction graph just for buying a domain name? Well they might if privacyshark just registered "kiddieporn.com" and they are looking to link that to the buyer. And while doing that they might happen to correlate the anonymous registry of "IDontPayTaxes.com" with your "trade in bitcoin instead of paying taxes" post here.

[Red]

By the way, I've got an idea for an automated way of preserving true anonymity in the transaction list. It shouldn't require any changes to the bitcoin system.

I might try to create it as a service if anyone thinks it would be of value.

Other people are going to hate the whole concept though. ;-)

[Insti]

By the way, I've got an idea for an automated way of preserving true anonymity in the transaction list. It shouldn't require any changes to the bitcoin system.

You may like to tell us what it is so we can tell you if we think it will work.

[Anonymous]

Anonymity in BitCoin is really a misnomer. It is really pseudonymity as all transactions are done through bitcoin addresses. An address is equivalent to the pseudonyms used on this site.

When people speak about anonymity/pseudonymity they usually mean link-ability. Can my pseudonym (address) be linked to my real world identity.

However, there is another important aspect, associate-ability. What can others learn about me by watching the behavior of my pseudonym. Because bitcoin is a publicly visible directed graph, link-ability is directly related to associate-ability.

Suppose you use the same handle and anonymous email here, as you do on a kiddie porn site. If that association was made you might be banned here, or even targeted by others. In the real world (and the generalized internet world) those associations are often hard to make. That tends to make people careless. However, in bitcoin these associations are trivial.

Associating your address with a set of behavior gives others a reason to attempt to link it back to you.

Every bitcoin comes to you from someone who knows enough about you to transact with you. When you spend the coins they go to someone who often knows you as well. Each interaction can leak information about you or your behavior.

You would think that single use addresses could protect you, however they can often be correlated easier than you think.

Suppose you want to buy a domain registry from privacyshark for 700 BTC. But you don't want it associated with your well know bitcoin address in your footer here. So you decide to route it through three single use intermediary accounts (x, y, z). So create new accounts X,Y,and Z. Send 700 BTC first to X, then from there to Y, and from Y to Z. Finally you send the 700 BTC on to privacysharks well known address.

Well you are still screwed, because on the bitcoin directed graph, you just drew a straight line from your public address here to privacyshark's public address. Each segment in that line correlates by value amount. They also correlate in time. (one hop each block at worst)

What if you try it differently, you send three different amounts from your public address to the three new addresses. 100 to X, 200 to Y, and 400 to Z. Then you send from X, Y, and Z individually to privacyshark. Well these amounts now create a neat diamond shape on the graph with you at the fork and privacyshark at the join. The transactions to and from X,Y & Z all correlate in time (perhaps even in the same two blocks). They also correlate by amount.

If you already happen to have coins at several addresses and you decide to sent 700 of them at once to privacyshark, I'm not sure exactly how the client generates the transactions but I do know, that they will still correlate by time and amount. Even worse it has the potential to associate non-single use accounts to one individual.

You can only de-correlate the timing by adding more latency. You can only de-correlate the graph connections by adding more hops. You can only de-correlate the values by adding more forking. All of these precautions reduce the utility of bitcoin and increase the complexity of transactions.

Is anyone going to go through all the bother to back-propagate your transaction graph just for buying a domain name? Well they might if privacyshark just registered "kiddieporn.com" and they are looking to link that to the buyer. And while doing that they might happen to correlate the anonymous registry of "IDontPayTaxes.com" with your "trade in bitcoin instead of paying taxes" post here.

full of win^^^^  This has been bothering me as a purchase proxy merchant.If someone orders a product from a company through me you cant escape the need for a shipping address.How do you get around this glaring traceability?How could you set something up so that there is plausible deniability between myself and my customer in this scenario?

[Red]

By the way, I've got an idea for an automated way of preserving true anonymity in the transaction list. It shouldn't require any changes to the bitcoin system.

You may like to tell us what it is so we can tell you if we think it will work.

See that's the insidious nature of correlation. If I tell you about it, then build it as a hidden service. The service is forever linked to my user account here!

:-)

I'll post about it in detail but it will take more time to explain than I have now. It involves trust, but in the bitcoin spirit, the trust is cryptologically verifiable. 

[Red]

To make a truly anonymous payment, the sent address must be not be linkable to a particular person. All addresses belong to a particular key holder. So it's an impasse unless we break the rule about an address belonging to one and only one individual.

So what I'm considering is a automated Tor hidden service that holds the private key wallet for a joint address that anyone can trade through. It would have to be a "trusted" service because obviously anyone with access to the private key could steal everyone's coins. So for the sake of argument, presume that the service is not a scam.

Now an honest anonymity service could provide proof of its honesty using the following automated mechanism.

1. Many users send bitcoins to the anonymizer address in advance like a checking account. Each of these are standard public transaction. That means the service can see who sent the coins and keep private account balances by sending address.
2. Users communicate with the anonymizer through a Tor hidden service so there are no exit nodes that can spy. No one knows where the server is located to avoid other sorts of attacks. There are three messages that can be sent to the service.
2a. Send this transaction.
2b. Get Balance.
2c. Acknowledge Balance.

Send this transaction - takes as parameter a almost-standard transaction sending money from the anonymizer address to any recipient address. The only non-standard part of the transaction is that it is signed by the "account holder" rather than by the anonymizer. The system validates this signature and matches it to the depositors account in the standard way. It then checks the current account balance. If there is sufficient funds, the anonyizer simply removes the account holder's signature, and resigns the transaction and broadcasts it. It then *temporarily* stores the original signed transaction request and updates the account balance.

Get Balance - the message returns the account holder's current private balance and any confirmed account transactions.

Acknowledge Balance - once the account holder has reconciled his "checkbook" against the account records, he then signs his account balance and sends the signature in an acknowledgement message. When the system receives the acknowledgment it deletes the transaction logs and saves the signed balance.


So should any user try to repudiate the anonymizer's honesty the system can show the user's previous signed balance, any signed but unacknowledged withdrawals and any new new deposits (from the transaction log). These should sum to an unassailable current balance.

---

As with any mix-net, the system requires a large number of users to provide anonymity. It doesn't do any good to have a single user anonymity system. It also requires a buffer with some latency. It doesn't do any good to deposit 1234 BTC and then immediately send 1234 BTC to someone else using the system. That can be easily correlated just like in my previous post.

The optimal use would be for lots of users to make regular deposits (like a paycheck). Then they could request payments at will, just like with a checking account.

So to be optimally anonymous all users must:
1. make regular payments
2. have private/hidden balances
3. communicate with the system through a non-observable channel
4. make irregular payments (not matching public deposits)

Anyway, that's the general idea. Feel free to shoot holes in it.

[ichi]

I like that, Red.  And I have a tweak.

As you've noted, your plan is vulnerable to correlation attacks.  That's especially problematic for bitcoins, given that the entire transactional history is available for analysis.  Perhaps that's my market niche 

Anyway, one could further decouple deposits and withdrawals by setting up several such Tor hidden services ("agents").  Agents could trade bitcoins for other digital currencies via exchanges, and trade with other agents only via non-bitcoin currencies.  Each agent would possess an independently-randomized cache of bitcoins.

Each agent would create many virtual Linux machines, each containing a fresh Bitcoin client (VMC).  They'd charge each VMC with bitcoins from their cache.  VMCs are basically bitcoin debit cards.

When you needed to make a payment, you'd request a VMC from your agent containing the necessary balance.  Your agent would request the appropriate VMC from one of its peers, with whom you do no direct business, and deliver it to you anonymously.  None of the bitcoins in that account would have any relationship to you, except by chance.

When you've spent out the VM, you'd just delete it.

And BTW, agents could obviously play standard financial games.  They could pay interest on deposits, make investments and loans, sell shares, trade derivatives and whatever.  And they could do all of that inside Tor (or wherever) 

Of course, you have to trust your agent    And perhaps there's a way around that?

[EconomyBuilder]

"Anonymity" is a vague phrase and we've got to be careful what kind we're talking about.  It might for example mean:

(1)  Not having your name directly on a transaction, but any competent investigator (the attacker) could talk to a merchant who has a database associating your name with certain Bitcoin address(es) and find out that your name controls those address(es). 
(2) Same as (1) but instead of finding out your name they simply geo-locate your address(es) by linking them to your IP address.
(3) Same except instead of name or geo-location they figure out what kind of business you are up to from the detailed history on the Bitcoin chain of which addresses you've transacted with and when. 
(4) They figure out all of (1)-(3).
(5) You try to avoid any of (1)-(4) by trusting intermediaries not to keep logs.
(6) Secure untraceability, which avoids (1)-(5) without having to trusted anybody in particular.   Tor, for example, can mostly achieve this (every relay in chain would have to collude or be simultaneously monitored) for individual encrypted messages.

I only call (6) _secure_ anonymity.   (1)-(5) I am uncomfortable with people advertising as "anonymous" because, although it might not have your name directly in the log, "anonymity" in the crypto community has traditionally meant something much stronger, i.e. secure untraceability.    Computers have perfect memories and are full of obscure caches, and in the financial world intermediaries are often required to keep logs by law, so you should just assume they will remember everything rather than trusting them not to.

I don't know how to make secure anonymity work directly with Bitcoin, since having the transactions be public and related (by chains, by addresses, and by signatures) is part of Bitcoin's security protocol while secure anonymity is about making each transaction unlinkable to the others.   It can be made to work indirectly by having an intermediary issue a different kind of coin, blinded digital cash, and then mixing much as suggested above.    Then if you want to be anonymous you exchange your bitcoins for anonymous cash and if you don't you just use bitcoins directly.     The issuers of anonymous cash can be required by customers to use bitcoins to keep securely auditable reserves so bitcoins would still be adding tremendous value in making the currency more trustworthy even if everybody else is using the anonymous cash instead of bitcoins directly.   This dual setup is very analogous to a bank holding gold reserves and issuing bank notes, except the "gold" in this case, bitcoins, can be made much more securely auditable and much harder to steal.   Since the anonymous cash is blinded each transaction is securely unrelated to the others and one does not have to worry about either the intermediary or the merchants keeping logs or linking your name to a particular transaction.   Because the logs can't be pieced together to link transactions to each other.   Google "blind signature"+"cash", there is a good technical literature out there about how to do securely anonymous digital cash.   I particularly recommend "double blinded" cash as it allows the payee as well as the payer to remain securely anonymous.

[ichi]

I'd appreciate feedback on the following anonymization scheme.

Let's say that I have N Bitcoin clients, all Ubuntu VMs, each with a different stable IP address, distributed globally via secure VPNs.  The VMs are themselves interconnected by secure VPNs.  There's a script running on each VM that polls the Bitcoin balances and receiving addresses of all the other VMs.  Whenever a client receives Bitcoin, it sends a pseudo-random percentage to the VM with the lowest balance.  Overall, the network strives to equalize balances in all VMs.

One could send Bitcoin to any of the VMs.  Withdrawals would be split among all of the VMs, distributed pseudo-randomly.

Does that make any sense?  If so, how large would N need to be?  Would this cause problems for Bitcoin overall?

[Red]

I'd appreciate feedback on the following anonymization scheme.

One could send Bitcoin to any of the VMs.  Withdrawals would be split among all of the VMs, distributed pseudo-randomly.

I may not understand your point but this doesn't sound anonymous at all. Each transaction is logged in the block list. That makes it trivial to associate this group of nodes. By making payments from multiple nodes correlated in time you confirm the suspicion.

Somewhere I posted a simple way to have true anonymity, but it requires a trusted account that mixes coins from different people. If multiple people own the same account then no single person can be correlated with any particular payment through block list analysis.