TLDR
- Bitcoin transactions are publicly and permanently recorded, and anyone can access the full history of the records. Despite using pseudonymous identities, an adversary can undermine users’ financial privacy and reveal their actual identities by using advanced heuristics and techniques to identify possible links between transactions.
- A multitude of approaches has been proposed to reduce financial transparency and enhance users’ anonymity. These techniques range from mixing services to off-chain transactions that address different privacy issues.
- We focus on comparing and evaluating privacy techniques in the Bitcoin blockchain (which can also be applied to other Unspent Transaction Output (UTXO)-based blockchains), present their limitations, and highlight new challenges.
Core Research Question
How do existing privacy techniques compare in terms of privacy, security, and efficiency?
Citation
Ghesmati, Simin, Walid Fdhila, and Edgar Weippl. “SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Mixing Techniques.” ARES 2022: The 17th International Conference on Availability, Reliability and Security, Vienna, Austria, August (2022).
Published version: SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Privacy Techniques | Proceedings of the 17th International Conference on Availability, Reliability and Security
Preprint: https://eprint.iacr.org/2021/629.pdf
Background
- Timelock transaction: restricts spending the coins until a specified time and can be used for a refund. The time is defined either as a block height or as a point in time.
- Hashlock transaction: locked by a hash and can be spent by providing the pre-image of the hash. The pre-image is the data that was hashed and placed in the unlocking condition of the output.
- Hash Time Locked Contract (HTLC): a script that combines a hashlock and a timelock. The output is locked by a hash, and if the recipient is unable to unlock it within a specific period of time, the coins are returned to the sender.
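The three constructions above, as an added toy model (not code from the paper or from any Bitcoin implementation): it assembles the usual HTLC redeem script (OP_IF hashlock branch for the recipient, OP_ELSE timelock refund branch for the sender, OP_ENDIF) from real Bitcoin Script opcode values, and then simulates the two spend paths. Signature checking is replaced by comparing the spender's key with the key in the script, and OP_CHECKLOCKTIMEVERIFY is reduced to comparing the spending transaction's nLockTime with the script's locktime; the secret, the keys and the locktime 800,000 are constructed values.

```python
"""Toy model of the hashlock, timelock and HTLC spending conditions described above.
Constructed illustration; not a consensus-correct Bitcoin Script interpreter."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Opcode byte values from the Bitcoin Script reference.
OP_IF, OP_ELSE, OP_ENDIF, OP_DROP = 0x63, 0x67, 0x68, 0x75
OP_EQUALVERIFY, OP_SHA256 = 0x88, 0xA8
OP_CHECKSIG, OP_CHECKLOCKTIMEVERIFY = 0xAC, 0xB1


def push(data: bytes) -> bytes:
    """Direct data push for payloads of 1..75 bytes (enough for this model)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("payload size out of range for a direct push")
    return bytes([len(data)]) + data


def script_num(n: int) -> bytes:
    """Minimal little-endian script-number encoding of a positive integer."""
    if n <= 0:
        raise ValueError("only positive locktimes are modelled")
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:          # keep the sign bit clear
        out.append(0x00)
    return bytes(out)


@dataclass(frozen=True)
class HTLC:
    payment_hash: bytes       # SHA-256 of the secret pre-image
    recipient_pubkey: bytes   # may claim with the pre-image (hashlock branch)
    sender_pubkey: bytes      # may reclaim after the locktime (timelock branch)
    locktime: int             # block height if < 500,000,000, else a UNIX time

    def redeem_script(self) -> bytes:
        """OP_IF <hashlock, recipient sig> OP_ELSE <timelock, sender sig> OP_ENDIF."""
        return (bytes([OP_IF, OP_SHA256]) + push(self.payment_hash)
                + bytes([OP_EQUALVERIFY]) + push(self.recipient_pubkey)
                + bytes([OP_CHECKSIG, OP_ELSE]) + push(script_num(self.locktime))
                + bytes([OP_CHECKLOCKTIMEVERIFY, OP_DROP]) + push(self.sender_pubkey)
                + bytes([OP_CHECKSIG, OP_ENDIF]))


def try_spend(htlc: HTLC, signer_pubkey: bytes, tx_locktime: int,
              preimage: Optional[bytes] = None) -> str:
    """Evaluate the branch a spender selects. `signer_pubkey` stands in for a valid
    signature by that key (OP_CHECKSIG); `tx_locktime` is the spending transaction's
    nLockTime, which OP_CHECKLOCKTIMEVERIFY requires to be >= the script's locktime.
    Nodes only mine a transaction once the chain has reached its nLockTime, so the
    refund path cannot be taken early."""
    if preimage is not None:                                   # OP_IF branch
        if hashlib.sha256(preimage).digest() != htlc.payment_hash:
            raise ValueError("OP_EQUALVERIFY failed: wrong pre-image")
        if signer_pubkey != htlc.recipient_pubkey:
            raise ValueError("OP_CHECKSIG failed: only the recipient can claim")
        return "claimed"
    if tx_locktime < htlc.locktime:                            # OP_ELSE branch
        raise ValueError("OP_CHECKLOCKTIMEVERIFY failed: refund not yet spendable")
    if signer_pubkey != htlc.sender_pubkey:
        raise ValueError("OP_CHECKSIG failed: only the sender can be refunded")
    return "refunded"


# Constructed demo values (not real keys or an on-chain contract).
SECRET = b"constructed demo pre-image"
RECIPIENT = b"\x02" + b"\x11" * 32      # 33-byte compressed-pubkey placeholder
SENDER = b"\x03" + b"\x22" * 32
DEMO_HTLC = HTLC(hashlib.sha256(SECRET).digest(), RECIPIENT, SENDER, locktime=800_000)

if __name__ == "__main__":
    print("redeem script:", DEMO_HTLC.redeem_script().hex())
    print(try_spend(DEMO_HTLC, RECIPIENT, 0, preimage=SECRET))   # claimed
    print(try_spend(DEMO_HTLC, SENDER, 800_000))                 # refunded
```

The refund branch refusing to validate before the locktime, and the claim branch refusing any key but the recipient's, is exactly the pair of guarantees the atomic-swap family of techniques in the Results section builds on.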
Summary
- Several studies have focused on Bitcoin privacy and analyzed the chain of interactions between users, identified relationships, and revealed users’ real identities.
- This has motivated research to prevent privacy leaks and has led to a plethora of either (i) new proposals (built-in) such as Zcash and Monero, or (ii) proposals for privacy improvement (add-on) in Bitcoin.
- In this paper, we only consider privacy methods proposed for Bitcoin.
- We aim to evaluate and compare existing privacy approaches by analyzing their privacy, security, and efficiency as well as studying their applicability to the Bitcoin blockchain.
Method
We have followed common guidelines for research synthesis comprising
- (i) the identification of research questions,
- (ii) search and selection of the literature,
- (iii) the analysis and synthesis of extracted data.
In total, we obtained 869 research papers, and 21 privacy techniques were selected for our study.
Results
- In Table 1 we evaluate the privacy techniques (centralized mixers, atomic swap, CoinJoin-based, and threshold signatures).
- Among atomic swap techniques, New CoinSwap and its predecessors can meet most of the criteria, while requiring more transactions and, consequently, more time and fees.
- CoinJoin-based techniques have been commonly adopted in practice. Transaction distinguishability, as a result of equal-sized outputs, and DoS attacks pose serious problems for these techniques. The recently proposed PayJoin method, which is based on CoinJoin, can indeed resolve distinguishability and improve anonymity.
- One of the main advantages of CoinJoin-based techniques is the reduced number of transactions needed to run the protocol, which makes them quite affordable. Although multiple rounds of CoinJoin can provide better anonymity, they do add fees and delays.
- Most CoinJoin techniques fail to provide a large anonymity set and plausible deniability. Confidential transactions to hide the UTXO amount, proposed in ValueShuffle, can efficiently solve this problem and provide indistinguishability for CoinJoin-based techniques.
- Privacy techniques often require a minimum number of transactions in order to hide the connection between senders and recipients. Although an increased number of transactions can improve anonymity, this also comes at a cost, i.e., transaction fees. Even though the mixing fee can be negligible, additional transaction fees may limit the technique’s adoption by users.
- Except for centralized mixers and threshold signature techniques, the theft resistance criterion is met by most of the techniques.
- Although the initial intention of guaranteeing strong privacy was to prevent user information from exposure to malicious adversaries and criminals, such privacy-preserving techniques can also be employed to conduct illicit activities. Therefore, new methods that allow transactions used for illicit activities to be distinguished from regular mixing transactions (e.g., for financial privacy) are needed.
Discussion and Key Takeaways
- Usability. Usable systems can attract more users, and therefore provide more anonymity. The following questions should be considered:
  - To what extent are the users aware of add-on and built-in privacy techniques and their implementations in practice?
  - Do they trust third-party privacy-preserving services?
  - What would users prefer to achieve stronger anonymity: add-on techniques implemented by wallets and services, or built-in techniques such as privacy coins?
  - Do users accept the extra fees and delays necessary to achieve stronger privacy in the blockchain?
  - Do the current implementations of the techniques allow the users to understand what needs to be done, and do they know how to do it?
- Law enforcement. There is always a trade-off between privacy and law enforcement rules. Achieving privacy for most users while preventing the technology from being misused for criminal activities is still an unresolved problem in the field.
- Practicality. Accepting the PayJoin technique into the market could effectively provide privacy for users, as it has the ability to break the so-called “common input ownership heuristic”. However, these transactions should be implemented in a way that does not allow them to be tagged as PayJoin.
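The two heuristics the Results and Practicality points refer to, run over constructed sample transactions, as an added illustration that is not the paper's code: an equal-sized-output check that flags classic CoinJoin transactions (transaction distinguishability), and a union-find implementation of the common-input-ownership heuristic. The sample shows why analysts skip flagged transactions before clustering, and why a PayJoin transaction, which shares no such signature, makes the heuristic merge the sender's and the recipient's addresses into one false cluster. Address labels, values and the minimum group size of 3 are constructed assumptions.

```python
"""Equal-output CoinJoin detection and common-input-ownership clustering over
constructed sample transactions. Added illustration, not the paper's code."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]                 # addresses whose outputs are spent
    outputs: Tuple[Tuple[str, int], ...]    # (address, value in satoshis)


def equal_output_heuristic(tx: Tx, min_group: int = 3) -> Tuple[bool, int]:
    """Equal-sized-output signature of classic CoinJoin: at least `min_group`
    outputs carry the same value and the transaction has at least that many inputs.
    Returns (looks_like_coinjoin, size_of_largest_equal_value_group)."""
    counts = Counter(value for _, value in tx.outputs)
    largest = max(counts.values(), default=0)
    return largest >= min_group and len(tx.inputs) >= largest, largest


class OwnershipClusters:
    """Union-find implementing the common-input-ownership heuristic: all inputs
    of one transaction are assumed to belong to the same entity."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, addr: str) -> str:
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]   # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def same_owner(self, a: str, b: str) -> bool:
        return self.find(a) == self.find(b)


def cluster_addresses(txs: List[Tx], skip_coinjoin_like: bool = True) -> OwnershipClusters:
    """Apply the ownership heuristic to every transaction, optionally skipping those
    the equal-output heuristic flags (the usual precaution against CoinJoin)."""
    clusters = OwnershipClusters()
    for tx in txs:
        if skip_coinjoin_like and equal_output_heuristic(tx)[0]:
            continue
        for other in tx.inputs[1:]:
            clusters.union(tx.inputs[0], other)
    return clusters


# Constructed sample transactions; addresses are labels, not real Bitcoin addresses.
SAMPLE_TXS = [
    # Ordinary payment: two of Alice's coins pay Bob, change returns to Alice.
    Tx("tx-plain", ("alice-1", "alice-2"), (("bob-1", 50_000), ("alice-3", 20_000))),
    # Classic CoinJoin: three participants, three equal 100,000-sat outputs plus change.
    Tx("tx-coinjoin", ("p1", "p2", "p3"),
       (("q1", 100_000), ("q2", 100_000), ("q3", 100_000), ("p1-change", 5_000))),
    # PayJoin: Alice pays Bob, and Bob contributes one of his own inputs.
    Tx("tx-payjoin", ("alice-4", "bob-2"), (("bob-3", 70_000), ("alice-5", 30_000))),
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(tx.txid, "coinjoin-like:", equal_output_heuristic(tx))
    c = cluster_addresses(SAMPLE_TXS)
    print("alice-1 ~ alice-2:", c.same_owner("alice-1", "alice-2"))  # True (correct)
    print("p1 ~ p2:", c.same_owner("p1", "p2"))                      # False (skipped)
    print("alice-4 ~ bob-2:", c.same_owner("alice-4", "bob-2"))      # True (wrong: PayJoin)
```

Running `cluster_addresses` with `skip_coinjoin_like=False` merges all three CoinJoin participants into one cluster, which is the false positive the equal-output filter is meant to avoid; the PayJoin transaction passes the filter and is clustered anyway, which is precisely the heuristic-breaking property the Practicality point describes.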
Implications and Follow-Ups
The following research question would be a useful starting point for further research:
- Is it possible to categorize the destination of CoinJoin transactions to learn how often it is applied in illicit activities?