Research Summary: SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques

TLDR

  • Bitcoin transactions are publicly and permanently recorded, and anyone can access the full history of the records. Despite using pseudonymous identities, an adversary can undermine users’ financial privacy and reveal their actual identities by using advanced heuristics and techniques to identify possible links between transactions.
  • A multitude of approaches has been proposed to reduce financial transparency and enhance users’ anonymity. These techniques range from mixing services to off-chain transactions that address different privacy issues.
  • We focus on comparing and evaluating privacy techniques in the Bitcoin blockchain (which can be applied in Unspent Transaction Output (UTXO) based blockchains), present their limitations, and highlight new challenges.

Core Research Question

How do existing privacy techniques compare in terms of privacy, security, and efficiency?

Citation

Ghesmati, Simin, Walid Fdhila, and Edgar Weippl. “SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques.” ARES 2022: The 17th International Conference on Availability, Reliability and Security, Vienna, Austria, August (2022). SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Privacy Techniques | Proceedings of the 17th International Conference on Availability, Reliability and Security
https://eprint.iacr.org/2021/629.pdf

Background

  • Timelock transaction: It restricts spending the coins until the specified time and can be used for a refund. The time is defined either in block height or point in time.
  • Hashlock transaction: It is locked by a hash and can be spent by providing a pre-image of the hash. The pre-image is the data that was hashed and put in the condition of unlocking the output.
  • Hash Time Locked Contracts (HTLC): It is a script that employs both hashlock and timelock transactions. The output is locked by a hash, and if the recipient is unable to unlock it in a specific period of time, the coins are returned to the sender.

Summary

  • Several studies have focused on Bitcoin privacy and analyzed the chain of interactions between users, identified relationships, and revealed users’ real identities.
  • This has motivated research to prevent privacy leaks and has led to a plethora of either (i) new proposals (built-in) such as Zcash and Monero, or (ii) proposals for privacy improvement (add-on) in Bitcoin.
  • In this paper, we only consider privacy methods proposed for Bitcoin.
  • We aim to evaluate and compare existing privacy approaches by analyzing their privacy, security, and efficiency as well as studying their applicability to the Bitcoin blockchain.

Method

We have followed common guidelines for research synthesis comprising

  • (i) the identification of research questions,
  • (ii) search and selection of the literature,
  • (iii) the analysis and synthesis of extracted data.

In total, we obtained 869 research papers, and 21 privacy techniques were selected for our study.

Results

  • In table 1 we evaluate the privacy techniques (centralized mixers, atomic swap, CoinJoin-based, and threshold signatures).
  • Among atomic swap techniques, New CoinSwap and its predecessors can meet most of the criteria, while requiring more transactions and, consequently, more time and fees.
  • CoinJoin-based techniques have been commonly adopted in practice. Transaction distinguishability, as a result of equal-sized outputs, and DoS attacks pose serious problems for these techniques. The recently proposed PayJoin method, which is based on CoinJoin, can indeed resolve distinguishability and improve anonymity.
  • One of the main advantages of CoinJoin-based techniques is the reduced number of transactions needed to run the protocol, which makes them quite affordable. Although multiple rounds of CoinJoin can provide better anonymity, they do add fees and delays.
  • Most CoinJoin techniques fail to provide a large anonymity set and plausible deniability. Confidential transactions to hide the UTXO amount, proposed in ValueShuffle, can efficiently solve this problem and provide indistinguishability for CoinJoin-based techniques.
  • Privacy techniques often require a minimum number of transactions in order to hide the connection between senders and recipients. Although an increased number of transactions can improve anonymity, this also comes at a cost, i.e., transaction fees. Even though the mixing fee can be negligible, additional transaction fees may limit the technique’s adoption by users.
  • Except for centralized mixers and threshold signature techniques, the theft resistance criterion is met by most of the techniques.
  • Although the initial intention of guaranteeing strong privacy was to prevent user information from exposure to malicious adversaries and criminals, such privacy-preserving techniques can be employed to conduct illicit activities. Therefore, new methods that allow identifying transactions used for illicit activities from regular mixing transactions (e.g., for financial privacy) are needed.

Discussion and Key Takeaways

  • Usability. Usable systems can attract more users, and therefore provide more anonymity. The following questions should be considered:
    • To what extent are the users aware of add-on and built-in privacy techniques and their implementations in practice?
    • Do they trust third-party privacy-preserving services?
    • What would users prefer to achieve stronger anonymity: add-on techniques implemented by wallets and services, or built-in techniques such as privacy coins?
    • Do users accept the extra fees and delays necessary to achieve stronger privacy in the blockchain?
    • Do the current implementations of the techniques allow the users to understand what needs to be done, and do they know how to do it?
  • Law enforcement. There is always a trade-off between privacy and law enforcement rules. Achieving privacy for most users while preventing the technology from being misused for criminal activities is still an unresolved problem in the field.
  • Practicality. Accepting the PayJoin technique into the market could effectively provide privacy for users, as it has the ability to break the so-called “common input ownership heuristic”. However, these transactions should be implemented in a way that cannot tag the transactions as PayJoin.

Implications and Follow-Ups

The following research question would be a useful starting point for further research:

  • Is it possible to categorize the destination of CoinJoin transactions to learn how often it is applied in illicit activities?
4 Likes
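
The two observations in the summary above (equal-sized outputs make CoinJoin transactions distinguishable, and PayJoin breaks the common input ownership heuristic) can be seen in a small clustering run. This is an added Python example, not code from the post or the paper; the transactions, address labels and the `min_equal` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: (txid, input addresses, output amounts in satoshi).
SAMPLE_TXS = [
    ("tx_pay", ["A1", "A2"], [70_000, 29_000]),
    ("tx_coinjoin", ["B1", "C1", "D1", "E1"],
     [100_000, 100_000, 100_000, 100_000, 12_000, 33_000]),
    # PayJoin shape: payer input A2 plus recipient input M1, ordinary-looking outputs.
    ("tx_payjoin", ["A2", "M1"], [55_000, 41_000]),
]


def looks_like_equal_output_coinjoin(inputs, outputs, min_equal=3):
    """True if one output amount repeats >= min_equal times and there are
    at least that many distinct inputs (min_equal is an assumed threshold)."""
    if not outputs:
        return False
    repeats = Counter(outputs).most_common(1)[0][1]
    return repeats >= min_equal and len(set(inputs)) >= min_equal


def cluster(txs, skip_coinjoin=True):
    """Common input ownership heuristic: treat all inputs of one transaction
    as one owner. Returns (sorted clusters, txids flagged as CoinJoin)."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    flagged = []
    for txid, inputs, outputs in txs:
        roots = [find(a) for a in inputs]  # register every address
        if skip_coinjoin and looks_like_equal_output_coinjoin(inputs, outputs):
            flagged.append(txid)  # distinguishable, so excluded from merging
            continue
        for r in roots[1:]:
            parent[find(r)] = find(roots[0])

    groups = {}
    for addr in parent:
        groups.setdefault(find(addr), set()).add(addr)
    return sorted(sorted(g) for g in groups.values()), flagged
```

On the sample data the CoinJoin is flagged by its repeated 100,000-satoshi outputs, while the PayJoin-shaped transaction is not flagged and the heuristic wrongly merges the recipient's address M1 into the payer's cluster.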

Post-Tornado cash, what do you think will happen to companies like Coinswap and CoinJoin etc? There’s also an evolving field of on-chain “credit” tokens that analyze wallets and could flag any privacy use as suspect… Do you imagine these companies becoming completely decentralized or operating outside of the law?

2 Likes

Thank you @simin for this amazing summary on Bitcoin privacy.

As one of the ethical properties of Blockchain Governance, Privacy helps to reflect the awareness that comes from the impact of blockchain on humans and society.

I am intrigued as Privacy Techniques seem to have some benchmarks on some transactions in order to make private connections between senders and receivers as reflected by your summary.

However, to what extent can transactions be to reach this minimum number of requirement?

3 Likes

Considering the volume of research papers you consulted and the number of privacy techniques you selected and studied, this is a deep dive. Good work @simin. I also read your paper on the usability of privacy wallets providing CoinJoin transactions, and it was worth the time. That’s by the way.

Whenever it comes to issues of privacy and anonymity, I’m always skeptical. @simin, Can privacy be achieved without anonymity?

If yes, great but if no, then the idea of achieving privacy permanently on a blockchain could be a mirage. Governments and regulatory bodies are always after anonymous means of transactions due to the ease at which they can be manipulated by rogues. And this is understandable. Consider the recent case of Tornado Cash as a practical example.

I believe that if we can establish a thin line of independence between privacy and anonymity, it will be a win-win for both blockchain enthusiasts and the government.

3 Likes

Currently, laws such as AML would be one of the main barriers for such companies. Lessons learned from the Monero ban may help to think about solving this issue. Actually, the trade-off between privacy and government law has existed so far.

1 Like

So far CoinJoin wallets offer multiple rounds of coinjoining. As an example, in Samourai the flat fee rate applies for CoinJoin, and then you can participate in the next CoinJoin pools (remixing) for free. In Wasabi, you can choose the anonymity set, but a small fee should be paid for additional transactions.
Let’s say there is no minimum; however, it is always discussed that a one-time round of CoinJoin wouldn’t be enough.

2 Likes

Yes, true. This is one of the important aspects. Having privacy from the public eyes, while preventing criminal activities.

1 Like