Research Summary: SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques

TLDR

  • Bitcoin transactions are publicly and permanently recorded, and anyone can access the full history of the records. Despite using pseudonymous identities, an adversary can undermine users’ financial privacy and reveal their actual identities by using advanced heuristics and techniques to identify possible links between transactions.
  • A multitude of approaches has been proposed to reduce financial transparency and enhance users’ anonymity. These techniques range from mixing services to off-chain transactions that address different privacy issues.
  • We focus on comparing and evaluating privacy techniques in the Bitcoin blockchain (which can be applied in (Unspent Transaction Output (UTXO) based blockchains), present their limitations, and highlight new challenges.

Core Research Question

How do existing privacy techniques compare in terms of privacy, security, and efficiency?

Citation

Ghesmati, Simin, Walid Fdhila, and Edgar Weippl. “SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques.” ARES 2022: The 17th International Conference on Availability, Reliability and Security, Vienna, Austria, August (2022). https://doi.org/10.1145/3538969.3538971
https://eprint.iacr.org/2021/629.pdf

Background

  • Timelock transaction: It restricts spending the coins until the specified time and can be used for a refund. The time is defined either in block height or point in time.
  • Hashlock transaction: It is locked by a hash and can be spent by providing a pre-- Image of the hash: The pre-image is the data that was hashed and put in the condition of unlocking the output.
  • Hash Time Locked contracts (HTLC). It is a script that employs both hashlock and timelock transactions. The output is locked by a hash and if the recipient is unable to unlock it in a specific period of time, the coins are returned to the sender.

Summary

  • Several studies have focused on Bitcoin privacy and analyzed the chain of interactions between users, identified relationships, and revealed users’ real identities.
  • This has motivated research to prevent privacy leaks and has led to a plethora of either (i) new proposals (built-in) such as Zcash and Monero, or (ii) proposals for privacy improvement (add-on) in Bitcoin.
  • In this paper, we only consider privacy methods proposed for Bitcoin.
  • We aim to evaluate and compare existing privacy approaches by analyzing their privacy, security, and efficiency as well as studying their applicability to the Bitcoin blockchain.

Method

We have followed common guidelines for research synthesis comprising

  • (i) the identification of research questions,
  • (ii) search and selection of the literature,
  • (iii) the analysis and synthesis of extracted data.
    In total, we obtained 869 research papers, and 21 privacy techniques were selected for our study.

Results

  • In table 1 we evaluate the privacy techniques (centralized mixers, atomic swap, CoinJoin-based, and threshold signatures).
  • Among atomic swap techniques, New CoinSwap and its predecessors can meet most of the criteria, while requiring more transactions and, consequently, more time and fees.
  • CoinJoin-based techniques have been commonly adopted in practice. Transaction distinguishability, as a result of equal-sized outputs, and DoS attacks pose serious problems for these techniques. The recently proposed PayJoin method, which is based on CoinJoin, can indeed resolve distinguishability and improve anonymity.
  • One of the main advantages of CoinJoin-based techniques is the reduced number of transactions needed to run the protocol, which makes them quite affordable. Although multiple rounds of CoinJoin can provide better anonymity, they do add fees and delays.
  • Most CoinJoin techniques fail to provide a large anonymity set and plausible deniability. Confidential transactions to hide the UTXO amount, proposed in ValueShuffle, can efficiently solve this problem and provide indistinguishability for CoinJoin-based techniques.
  • Privacy techniques often require a minimum number of transactions in order to hide the connection between senders and recipients. Although an increased number of transactions can improve anonymity, this also comes at a cost, i.e., transaction fees. Even though the mixing fee can be negligible, additional transaction fees may limit the technique’s adoption by users.
  • Except for centralized mixers and threshold signature techniques, the theft resistance criterion is met by most of the techniques.
  • Although the initial intention of guaranteeing strong privacy was to prevent user information from exposure to malicious adversaries and criminals, such privacy-preserving techniques can be employed to conduct illicit activities. Therefore, new methods which allow to identify transactions used for illicit activities from regular mixing transactions (e.g., for financial privacy) are needed.

Discussion and Key Takeaways

  • Usability.Usable systems can attract more users, and therefore provide more anonymity. The following questions should be considered:
    • To what extent are the users aware of add-on and built-in privacy techniques and their implementations in practice?
    • Do they trust third-party privacy-preserving services?
    • What would users prefer to achieve stronger anonymity: add-on techniques implemented by wallets and services, or built-in techniques such as privacy coins?
    • Do users accept the extra fees and delays necessary to achieve stronger privacy in the blockchain?
    • Do the current implementations of the techniques allow the users to understand what needs to be done, and do they know how to do it?
  • Law enforcement. There is always a trade-off between privacy and law enforcement rules. Achieving privacy for most users while preventing the technology from being misused for criminal activities is still an unresolved problem in the field.
  • Practicality. Accepting the PayJoin technique into the market could effectively provide privacy for users, as it has the ability to break the so-called “common input ownership heuristic”. However, these transactions should be implemented in a way that cannot tag the transactions as PayJoin.

Implications and Follow-Ups

The following research question would be a useful starting point for further research:

  • Is it possible to categorize the destination of CoinJoin transactions to learn how often it is applied in illicit activities?
4 Likes

Post-Tornado cash, what do you think will happen to companies like Coinswap and CoinJoin etc? There’s also an evolving field of on-chain “credit” tokens that analyze wallets and could flag any privacy use as suspect… Do you imagine these companies becoming completely decentralized or operating outside of the law?

1 Like

Thank you @simin for this amazing summary on Bitcoin privacy.

As one of the ethical properties of Blockchain Governance, Privacy helps to reflect the awareness that comes from the impact of blockchain on humans and society.

I am intrigued as Privacy Techniques seems to have some benchmarks on some transactions in order to make private connections between senders and receivers as reflected by your summary.

However, to what extent can transactions be to reach this minimum number of requirement?

1 Like

Considering the volume of research papers you consulted and the number of privacy techniques you selected and studied, this is a deep dive. Good work @simin. I also read your paper on the usability of privacy wallets providing CoinJoin transactions, and it was worth the time.That’s by the way.

Whenever it comes to issues of privacy and anonymity, I’m always skeptical. @simin, Can privacy be achieved without anonymity?

If yes, great but if no, then the idea of achieving privacy permanently on a blockchain could be a mirage. Governments and regulatory bodies are always after anonymous means of transactions due the ease at which they can be manipulated by rogues. And this is understandable.Consider the recent case of Tornado Cash as a practical example.

I believe that if we can establish a thin line of independence between privacy and anonymity, it will be a win-win for both blockchain enthusiasts and the government.

2 Likes

This post was flagged by the community and is temporarily hidden.

1 Like