Research Summary: Summarizing and Analyzing the Privacy-Preserving Techniques in Bitcoin and Other Cryptocurrencies

TLDR

  • Bitcoin is under constant attack by adversaries and government surveillance attempting to trace and/or link transactions to their origins.
  • The authors present privacy-compromising attacks found in Bitcoin and other cryptocurrencies and analyze various privacy-preserving algorithms that mitigate or prevent these attacks.
  • The authors show that privacy-preserving techniques are designed to tackle specific privacy problems, and only the resolution of a specific problem should be measured when considering effectiveness.

Core Research Question

What privacy attacks are faced by Bitcoin and other cryptocurrencies, and what privacy-preserving algorithms have been used to resolve them?

Citation

Rahalkar, Chaitanya, and Anushka Virgaonkar. “Summarizing and Analyzing the Privacy-Preserving Techniques in Bitcoin and Other Cryptocurrencies.” arXiv.org, 16 Sept. 2021, arXiv:2109.07634v1.

Background

  • Anonymous Network: A network that attempts to allow users to access the web without being tracked or traced. They prevent traffic analysis and network surveillance. I2P and Tor are examples of anonymous networks.
  • Atomic Swaps: An atomic swap exchange permits different parties to transact from two different blockchain platforms without trusting a third party.
  • CoinSwap: A protocol that allows users to send funds using a swap structure whereby multiple senders and receivers collaborate to make it harder for third parties to link them.
  • Confidential Transactions: A confidential transaction is a privacy-preserving technique that focuses on concealing a transaction amount to prevent analysis or any form of inference attack.
  • Common-Input-Ownership Heuristic (C-I-OH): If a transaction has more than one input, a heuristic can be made that all of those inputs are owned by a single entity. Since Bitcoin transactions have multiple inputs and outputs, trackers may assume that every input of a transaction with more than one input belongs to the same individual.
  • Deterministic Wallets: A system of deriving keys from a seed, used to create multiple addresses.
  • Dust Attack: An attack where a tiny amount of cryptocurrency, called dust, is sent to multiple wallet addresses to track them with the aim of de-anonymizing the addresses.
  • Dust Transactions: The transfer of an amount of cryptocurrency that is so small it is impractical to cover the transaction fee for processing.
  • Equal Output CoinJoin Transaction: A type of transaction used to make Bitcoin flow untraceable.
  • Full Anonymity: A protocol that provides absolute concealment of the sender node, receiver node, and transaction details.
  • Hierarchical Deterministic Wallet: A type of deterministic wallet that enables the creation of a series of key pairs from one seed to enhance privacy and security.
  • Pseudonymity: A state of anonymity where pseudonymous addresses are used. It is a disguised state between complete anonymity and open information.
  • Ring Signature: A type of digital signature that can be performed by any member of a group of users who all have their own keys. The anonymity of the ring signature is irrevocable and it is not possible to determine the producer of the signature among the members.
  • Set Anonymity: A type of anonymity used in the Monero cryptocurrency through ring signatures, where a user’s identity is one of n possible peer identities.
  • Stealth Address: A stealth address is a key pair used by a recipient to prevent disclosing their public wallet address.
  • Taint Analysis: An analysis that traces the flow of users’ input to detect vulnerabilities or security implications.
  • Unlinkability: When an attacker cannot sufficiently distinguish whether two or more messages or transactions are related or not.
  • Untraceability: When a transaction cannot be traced from one wallet to another.
  • Wallet Fingerprinting: A wallet software creates unique fingerprints when making transactions. Analysts can use fingerprinting to deduce which software was used to create a transaction.
  • Zero-Knowledge Proof: A method by which a party (the prover) can prove possession of knowledge to another party (the verifier) without disclosing additional information.
  • Zcash: A cryptocurrency that uses zero-knowledge proofs for preserving privacy. Z-addresses and T-addresses are the two address types provided by Zcash: the former use zk-SNARKs to enhance user privacy, whereas the latter behave identically to Bitcoin addresses.
  • zk-SNARKs: An acronym standing for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. It is a technology that uses non-interactive zero-knowledge cryptographic proofs.

Summary

  • Bitcoin faces several attacks on multiple fronts, including transaction malleability, double-spending, and block withholding, amongst others.
  • Bitcoin falls within the pseudonymity tier in the privacy domain.
  • As a result, multiple issues targeting the pseudonymity claims of Bitcoin have been found in the protocol.
  • Many privacy attacks are attempted on the Bitcoin blockchain by exploiting its loopholes and limitations.
  • Some tools can link addresses and their corresponding transactions using the transaction graph and publicly available ledger. This is known as transaction traceability. This means that if the pseudonymous owner of an address is known, third parties can trace transactions to them. However, when different addresses are used for each transaction, linking transactions to owners becomes more difficult.
  • Unique fingerprints made through wallet fingerprinting can reveal information about the wallet software being used. Analysis of fingerprints can lead to deductions about the parties involved in a transaction.
  • When transaction amounts are in round figures, e.g. 0.000016 BTC equals 1 USD, and fall within the commonly known cryptocurrency-fiat conversion rate, third parties can sometimes guess a transaction’s potential destination.
  • Tracking the flow of coins is a privacy attack done through taint analysis. When a wallet user’s address is known to an adversary, they can track the transactions being made from the address. The recipient is ‘tainted’ with coins from the sender.
  • In the same vein, an adversary can send dust to multiple accounts and reveal a user’s identity when they consolidate (‘sweep’) the transactions into a single wallet. The adversary may conduct a taint analysis on the dust to discover the owner, thereby de-anonymizing the user.
  • When outputs are not equally valued, an Equal Output CoinJoin transaction reveals the change address. CoinJoin is used to defeat the C-I-OH heuristic in Bitcoin.
  • The researchers further analyze countermeasures that have been designed to tackle privacy problems in Bitcoin transactions. However, not all of them are being actively used.
  • CoinJoin improves the privacy of transactions by combining inputs from multiple senders into one single transaction, making it difficult for third parties to trace transactions or make inferences. Coordinating a CoinJoin can leak participants’ IP addresses; therefore, participants are expected to transact over anonymous networks like Tor and I2P. In decentralized systems, CoinJoin can be threatened by denial-of-service (DoS) attacks.
  • Tracking and tracing off-chain transactions are more complicated when compared to on-chain transactions because not all transactions are recorded on the chain. Transaction information is stored chiefly between users and only periodic summaries are written on chain.
  • Another countermeasure is Coin Witness, which allows payment to a user who can produce cryptographic evidence of having run a particular deterministic program on a given input argument. The validator learns nothing about the transaction apart from the publicly known inputs and the fact that they were accepted. Coin Witness is on Bitcoin’s soft-fork wishlist.
  • Although P2P Bitcoin transactions are done through trusted intermediaries, CoinSwap requires non-censorship and significant interaction from both parties to a transaction, and can fail if the conditions are not met. CoinSwap has not yet been deployed on the Bitcoin blockchain.
  • For hierarchical deterministic (HD) wallets, third parties can leverage the deterministic nature of HD wallets to conduct attacks. Sharing an extended public key exposes the entire tree of public keys derived from it.
  • Certain cryptocurrencies have privacy-preserving techniques that can be used to protect the privacy of transactions carried out on their protocols.
  • Although ring signatures protect identities, they fail to conceal transaction amounts which can be used to infer transaction patterns.
  • A stealth address scheme guarantees the unlinkability of a stealth address and the public wallet address of a recipient. Multiple transactions from different senders to one recipient using their public wallet address can cause the senders to discover that their recipient is the same.
  • In the same fashion, Ring Confidential Transactions (RingCT) preserve privacy in cryptocurrencies by hiding the number of coins transferred from sender to receiver in a transaction.
  • Finally, using zk-SNARKs, a prover proves to a verifier that they possess a particular piece of information without revealing the information to the verifier.

Method

  • The researchers thoroughly review prior work on privacy attacks and techniques that can enhance user privacy.
  • They analyze and measure critical aspects of these techniques in the context of the sender and recipient addresses, transaction-level data, as well as metadata available on blockchain ledger.

Results

  • There are asymmetrical approaches to privacy. The researchers found that the ability of a privacy-preserving technique to protect the privacy of users depends on the underlying cryptographic schemes, anonymity set, and blockchain data model.

  [Figure not reproduced: Comparison of privacy-preserving techniques in various cryptocurrencies]

  • Privacy-preserving techniques were created to achieve specific privacy goals; therefore, users must be aware of the peculiarities of each technique. For instance, CoinJoin can only provide privacy when the anonymity set is large.

Discussion and Key Takeaways

  • Even if privacy-preserving techniques are used, additional information accidentally collected from other sources on the blockchain coupled with de-anonymization attacks may result in attacks on the privacy of transactions. The theoretical guarantee of privacy differs from the practical guarantee of privacy.
  • Cryptocurrencies offering absolute anonymity are often avoided by third parties such as centralized exchanges due to money laundering allegations and suspicion of illicit activities. However, there is a fine line between acceptability and privacy in cryptocurrency; therefore, a feasible way to toe the line would be to comply with a moderate layer of privacy while maintaining acceptability.

Implications and Follow-ups

  • The researchers demonstrate that privacy-preserving algorithms work to resolve specific privacy attacks that they are created for, such as transaction graph analysis attacks. When the wrong technique is used, privacy of the transaction cannot be guaranteed. For instance, in Zcash, only Z-addresses can be used if users want to keep their transactions private.
  • Privacy-preserving techniques sometimes provide limited privacy as they have loopholes that adversaries may exploit. For instance, a user would have to generate new wallet addresses for each transaction to avoid being discovered in stealth addresses. Furthermore, the generation of new wallet addresses for individual transactions is unappealing as stealth addresses are meant to prevent the need for multiple addresses.

Applicability

  • Entities needing to transact with strict privacy requirements can benefit from this research because it focuses on privacy-preserving techniques and the risks of various approaches.
  • Blockchain developers and academics targeting privacy problems in Bitcoin and other cryptocurrencies should learn about the limitations of each privacy-preserving technique for both practical and research purposes.
  • Entities who conduct transactions using cryptocurrencies should learn to mitigate attacks depending on the cryptocurrency used.
16 Likes
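As an added illustration of two of the Summary’s points (it is not code from the paper or the summary, and the transactions are constructed), here is a toy model of the common-input-ownership heuristic and of the equal-output CoinJoin analysis: the heuristic clusters addresses that are spent together, an equal-output CoinJoin makes that heuristic wrongly merge two participants, and a CoinJoin whose outputs are not all equal leaks each participant’s change address.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data). A tx is (inputs, outputs):
# inputs lists the addresses being spent, outputs lists (address, amount_in_sats).
ALICE_PAYS_MERCHANT = (["alice1", "alice2"],
                       [("merchant1", 500_000), ("alice3", 1_200_000)])
ALICE_SPENDS_CHANGE = (["alice3"],
                       [("merchant2", 300_000), ("alice4", 880_000)])
BOB_PAYS = (["bob1"],
            [("merchant3", 50_000), ("bob2", 450_000)])
# CoinJoin between Alice and Bob: the two equal 400_000-sat outputs are the mixed
# ones, but each party also takes an unequal change output.
COINJOIN_WITH_CHANGE = (["alice4", "bob2"],
                        [("mix1", 400_000), ("mix2", 400_000),
                         ("alice5", 470_000), ("bob3", 40_000)])
# The same join with no change: every output is equal-valued.
EQUAL_OUTPUT_COINJOIN = (["alice4", "bob2"],
                         [("mix1", 400_000), ("mix2", 400_000)])
SAMPLE_TXS = [ALICE_PAYS_MERCHANT, ALICE_SPENDS_CHANGE, BOB_PAYS, COINJOIN_WITH_CHANGE]


def cioh_clusters(txs):
    """Common-Input-Ownership Heuristic: all addresses spent as inputs of one
    transaction are assumed to belong to one entity. Clusters are merged with a
    union-find and returned as a set of frozensets of addresses."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]   # path halving
            addr = parent[addr]
        return addr

    for inputs, _ in txs:
        first = find(inputs[0])
        for other in inputs[1:]:
            root = find(other)
            if root != first:
                parent[root] = first              # union into the first input's set
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return {frozenset(c) for c in clusters.values()}


def leaked_change_addresses(tx):
    """Equal-output CoinJoin analysis: the mixed outputs share one amount, so an
    output with a unique amount is almost certainly a participant's change and
    links that address to one of the inputs. Returns [] when no output amount is
    repeated (the tx is not CoinJoin-shaped) or when every output is equal."""
    _, outputs = tx
    count = defaultdict(int)
    for _, amount in outputs:
        count[amount] += 1
    if max(count.values()) < 2:
        return []
    return [addr for addr, amount in outputs if count[amount] == 1]


if __name__ == "__main__":
    for cluster in cioh_clusters(SAMPLE_TXS):
        print("cluster:", sorted(cluster))
    print("change leaked by unequal CoinJoin:", leaked_change_addresses(COINJOIN_WITH_CHANGE))
    print("change leaked by equal-output CoinJoin:", leaked_change_addresses(EQUAL_OUTPUT_COINJOIN))
```

Note that the heuristic still groups Alice’s two genuinely co-spent inputs correctly; the CoinJoin only protects the inputs that took part in it, which is the “specific problem” framing the authors insist on.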
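A second added example (again not from the paper) for the stealth-address scheme mentioned in the Summary and in Implications and Follow-ups: the recipient publishes one (view, spend) key pair, every sender derives a fresh one-time output key from it, and only the holder of the private view key can recognise that output and compute its spending key, so the public address can be reused without the on-chain keys being linkable. The group here is a toy mod-p Diffie-Hellman group chosen so the code runs on the standard library (Monero uses an elliptic curve); P, G, ORDER, H and the function names are this example’s own.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy group (assumption for this example only): multiplicative group mod the
# Mersenne prime 2^127 - 1. Real schemes use an elliptic curve such as ed25519.
P = 2**127 - 1
G = 5
ORDER = P - 1   # exponents are reduced mod the group order (Fermat: G**ORDER == 1 mod P)


def H(element: int) -> int:
    """Hash-to-scalar: SHA-256 of the group element, reduced mod the order."""
    digest = hashlib.sha256(element.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER


@dataclass
class RecipientKeys:
    view_priv: int    # a: lets the wallet scan the chain for its outputs
    spend_priv: int   # b: needed to actually spend them

    def public_address(self):
        """The reusable public address (A, B) = (g^a, g^b)."""
        return pow(G, self.view_priv, P), pow(G, self.spend_priv, P)


def keygen() -> RecipientKeys:
    return RecipientKeys(secrets.randbelow(ORDER - 1) + 1,
                         secrets.randbelow(ORDER - 1) + 1)


def sender_derive(address, r=None):
    """Sender side: from the recipient's (A, B) and a fresh random r, derive the
    one-time output key P_out = g^H(A^r) * B and the tx public key R = g^r that
    is published alongside the output."""
    A, B = address
    r = r if r is not None else secrets.randbelow(ORDER - 1) + 1
    R = pow(G, r, P)
    shared = H(pow(A, r, P))            # A^r == R^a: only the view key can recompute it
    P_out = pow(G, shared, P) * B % P
    return P_out, R


def recipient_scan(keys: RecipientKeys, P_out: int, R: int):
    """Recipient side: recompute the shared secret from R with the private view
    key. Returns the one-time private key x with g^x == P_out if the output is
    ours, else None."""
    shared = H(pow(R, keys.view_priv, P))
    _, B = keys.public_address()
    if pow(G, shared, P) * B % P != P_out:
        return None
    x = (shared + keys.spend_priv) % ORDER   # g^x = g^shared * g^b = P_out
    assert pow(G, x, P) == P_out
    return x


if __name__ == "__main__":
    alice = keygen()
    out1, R1 = sender_derive(alice.public_address())
    out2, R2 = sender_derive(alice.public_address())
    print("two payments to the same address, different output keys:", out1 != out2)
    print("alice recognises both:", recipient_scan(alice, out1, R1) is not None,
          recipient_scan(alice, out2, R2) is not None)
```

The check that two senders see different one-time keys is the unlinkability property the Summary states; the loophole in Implications (needing a fresh address per payment) is exactly what this derivation removes, since the fresh key is made by the sender.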

Thank you so much for a fascinating paper.

What do you think of privacy coins as a solution to many of the privacy-preserving techniques – I’m quite surprised that, with the possible exception of Monero, they haven’t really taken off as a replacement for Bitcoin or Ethereum when it comes to digital payments online. Can you offer any insight into this?

2 Likes

Thank you @jmcgirk.
Privacy coins are a great alternative for people who take their transaction privacy very seriously. However, as you rightly pointed out, they are yet to take off as a replacement for Bitcoin and other cryptocurrencies. This is due to a number of reasons. First, privacy coins are private to a great extent, but they are not impossible to penetrate, emphasizing the fact that the theoretical guarantee of privacy is different from its practical guarantee.

Also, privacy coins are often under serious scrutiny by governments and people because of their money laundering and terrorism funding use cases. Importantly, they attract higher transaction fees therefore it is just easier for individuals to go for cryptocurrencies with lesser fees. I believe these are some of the reasons the use of privacy coins is not as widespread as other cryptocurrencies like Bitcoin and Ethereum.

Conversely, one of the arguments against public blockchains is that they do not comply with data protection laws in terms of the rights granted to individuals. The use of privacy coins could bridge the data protection gaps in public blockchains by allowing individuals to transact anonymously and potentially untraceably.

Therefore, when it comes to regulations, governments have to weigh the potential use of privacy coins to promote illegal activities with their potential protection of people’s privacy rights. A dicey situation I must say.

11 Likes

While the authors focused on the limitations/vulnerabilities of cryptographic schemes and data models, to get the full picture on how these privacy techniques compare, I don’t get a sense of how much the average user (in Bitcoin and other cryptocurrency) behaves to bolster their privacy or how much of a knowledge gap exists for this stakeholder. I imagine in some cases, adversaries hope or somehow know how well users are ignorant to these techniques.

5 Likes

Thank you for this summary, I have had it on my radar for a while now as I learn more about the inter-relations between blockchain and privacy.

Is this absolute? Many seem to prefer to use the term pseudonymous when referring to privacy in bitcoin because with some crypto forensics, it is possible to do an unveiling. The Bitcoin.org website also highlights this and suggests using an address only once: Protect your privacy - Bitcoin. All of which the authors highlight and you mention in the summary.

How do the privacy-preserving techniques the authors discuss impact multi-sig wallets and transactions? Was this discussed in the paper? If not, what are your opinions?

This relates to my question above. Aren’t bitcoin transactions traceable by default, unless some privacy-preserving techniques are adopted?

And considering most of these techniques require technical know-how, and may be expensive as you and Tania have mentioned, do you have any suggestions to improve user experience?

3 Likes

I found this summary very interesting, because at a high level there are some significant parallels when it comes to maintaining confidentiality in qualitative social science research. The name escapes me, but there was a relatively famous example in qualitative research ethics where a researcher went into a relatively remote community and anonymized all of the participants when writing a book on it. However, when people in that community read the book they were able to deanonymize most of the participants because they were able to recognize certain contexts or opinions, and link it back to the pseudonyms to get a full picture of what they’d told the researcher in confidence. This resulted in significant ructions in the community, and is now used as an example when teaching research ethics.

Privacy preserving techniques on blockchains appear to suffer from similar problems. As the main post noted, there is a very big difference between theoretically guaranteeing privacy, and the outcomes generated in practice which are less deterministic.

@Fizzymidas I think your interpretations are correct here. Bitcoin and many blockchains are remarkably transparent, in ways that are becoming increasingly dangerous. I don’t think there are any easy or deterministic solutions here.

4 Likes

This reminds me of a statement that “privacy is not secrecy”.

3 Likes

Yeah, there’s a lot of nuance to this topic.

Paradoxically, both privacy and transparency are really important, though opposing concepts. We need both, but at different levels in different contexts. We’ve just seen the damage a lack of transparency can do when big players make bad decisions (ie 3 Arrows Capital).

4 Likes

Thank you for a detailed summary.

I see privacy in blockchain transactions as a double-edged sword.

Looking at it from the perspective of a user, privacy is very important as it protects users against phishing attacks and cyber-extortion threats.

But looking at it from the perspective of government and regulatory institutions, privacy preserving blockchain networks have been used to perpetrate various crimes. Privacy Coins in 2019: True Financial Freedom or a Criminal's Delight?
Consequently, creating problems for these institutions.

Privacy issues are one big factor slowing down blockchain adoption. ‘People Will Get Burned’: Matt Odell on the Long Road to Bitcoin Privacy. Take for instance this year, Binance disabled the deposit and withdrawal of all Litecoin using the MimbleWimble extension blocks (MWEB). Notice on Deposits and Withdrawals of Litecoin (LTC) Utilizing MimbleWimble Extension Blocks (MWEB) | Binance Support. Mimblewimble is a blockchain privacy preserving protocol.

So the questions now are :

  1. Is achieving full privacy in blockchain not a utopian idea as governments stand in the way trying to protect its own interest?

  2. Would this “policing” not be detrimental to adoption of blockchain technology in the long run?

3 Likes

Thank you for your comment @Ulysses. Privacy is really a sword with multiple edges. There is usually a constant battle between respecting and promoting privacy rights and protecting other governments’ interests. The impact of regulations on the Blockchain cannot be underestimated, this is why more research must be conducted in this area, and advocacy work be done between stakeholders and the government.

2 Likes

@Tolulope I have to admit that your article is insightful and well-written, and I moved on to write on this fascinating subject.

Apart from the introduction of bitcoin tracking technologies, there is little threat to Bitcoin’s privacy.

However, the single threat is significant. The US Secret Service presently has technologies capable of tracking cryptocurrency back to its source.

As a result, you should think twice about using it for frauds.

Apart from that. There is new technology/software that can instantly identify and calculate all transactions to fraudulent companies. This has had a significant impact on the anonymity of cryptocurrencies.

Many privacy attacks on the Bitcoin blockchain are attempted by exploiting its flaws and limits. Using the transaction graph and a publicly available ledger, several tools can connect addresses and their related transactions. This is referred to as transaction traceability.

This means that if the address’s pseudonymous owner is known, third parties can trace transactions to them. When new addresses are used for each transaction, however, it becomes more difficult to link transactions to owners. Wallet fingerprinting creates unique fingerprints that can expose information about the wallet software being used. Fingerprint analysis can reveal information about the parties involved in a transaction.

Third parties can occasionally estimate a transaction’s potential destination when transaction quantities are in round values, e.g. 0.000016 BTC equals 1 USD, and fall within the commonly recognized cryptocurrency-fiat conversion rate.

Tracking the flow of coins is a privacy attack performed using taint analysis (a very expensive software with transaction analysis features). When an adversary knows a wallet user’s address, they can track the transactions made from the address. The recipient is ‘tainted’ with the sender’s coins.

Ring signatures safeguard identities, but they are unable to mask transaction quantities, which can be exploited to deduce transaction patterns.

Conclusion

Privacy-preserving techniques occasionally only provide a minimal level of privacy due to weaknesses that attackers could exploit.

I hope this meets you well?

4 Likes

Thanks for your contribution to the thread. You mentioned a few projects/technologies that are potentially threats to privacy-preserving techniques. Could you go into more depth about those technologies, how they work, and how they connect to some of the claims made in the original research summary?

3 Likes

Thank you for this insightful summary. The problem that cannot be ignored in blockchain technology is privacy leakage. Could you please shed more light on cryptographic schemes, anonymity set, and blockchain data model?

Hi @Raphking, thanks for your question. I have provided basic definitions of cryptographic schemes and anonymity set and added some resources that you could find helpful on the topics.
Cryptographic schemes are a means of protecting data or information by converting them from human-readable formats to encrypted formats and back to readable forms. They are mostly used for encryption and authentication purposes.
Anonymity set of a transaction is the set of transactions from which an adversary cannot distinguish the transaction.
Blockchain data Model

Here are some resources that you may find helpful to better understand the topics:

4 Likes

Citation: (Attacks detected on cryptocurrency › Friedrich-Alexander-Universität Erlangen-Nürnberg)

More and more people are using cryptocurrency, but money can be burnt on the Internet too. Researchers at Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) have urged for caution. Together with the University of Saarland, they have detected attacks on Zerocoin as well as uncovering potential security issues relating to the cryptocurrencies Zcoin, PIVX, SmartCash, Hexxcoin and Zoin. They discovered several instances in which issuing honestly generated coins was hindered, the same coins were spent more than once and money was stolen.

Cryptocurrency is digital currency created on the basis of cryptography, in other words methods typically used to secure communication. The most well-known is Bitcoin, which was launched in 2009 as the first publicly traded cryptocurrency. Thousands of other cryptocurrencies have been introduced since, attracting the interest of researchers as well.

CRYPTOGRAPHIC ATTACK ON ZEROCOIN

Several cryptocurrencies use the Zerocoin protocol which is based on digital serial numbers. Following the same system as bank notes, each serial number is only used once for digital coins. In the event of a cryptographic attack, however, the attacker succeeds in creating a second Zerocoin with the same serial number – comparable to forging a bank note.

Researchers from the Chair of Applied Cryptography at FAU were able to detect a ‘denial of spending’ attack on Zerocoin. Prof. Dr. Dominique Schröder describes this attack as follows: ‘An honest person would like to pay using a coin and sends their transaction including the serial number to the network. An attacker, who presumably has control over the victim’s network, blocks the message with the transaction and ensures that it fails to reach the nodes in the cryptocurrency’s network.’ The attacker then generates a forged Zerocoin with the same serial number and sets it into circulation. Schröder explains that for the honest owner, their coin has effectively been burnt.

The attacker only benefits financially from the move when the reputation of the currency is damaged after news spreads of the attack. Attackers speculate on the currency falling in value after news of the security leak spreads. By finding several victims and publicising the matter themselves, attackers are set to make a profit if and when the currency loses value.

SECURITY LOOPHOLES IN OTHER CRYPTOCURRENCIES

Researchers also came across two programming errors in the libzerocoin library, used by the cryptocurrencies Zcoin, PIVX, SmartCash, Hexxcoin and Zoin. One of these errors allowed attackers to basically create money from thin air, leading to an inflation of the currency. A further error in transaction signatures allowed attackers to steal money from honest users.

2 Likes