Articles written by both Bitcoin supporters and detractors frequently stress the fact that “Bitcoin is NOT anonymous”. Critics would like you to believe that if you use Bitcoin, your financial privacy will be totally compromised. Supporters often make a similar case to try to keep the regulators at bay. The reality, however, is that Bitcoin does provide a fairly high degree of privacy already and upcoming improvements should significantly increase the degree of anonymity. In this article I’ll provide an overview of where we are at present and talk about some up coming privacy enhancements.
As you likely know, all Bitcoin transactions are stored in a public ledger which anyone can view. It’s done like this because there simply isn’t any other way to prevent double spends without providing everyone with a copy of the transaction history. What this means is that someone can (potentially) parse this ledger and view all of your transactions. Of course, this tends to be relatively difficult since your identity isn’t recorded in the ledger, only your Bitcoin address. Someone looking through the ledger will only see that bitcoins were sent from one address to another:
17mJFJJcpsbEVM41QMy9gvooKJF4qJRyun ==10btc==> 1Ct9GnnCkTce65osEkXhNcq3ZArvzAjR1v
This is why Bitcoin is usually said to be pseudonymous rather than completely anonymous. However, if your identity is linked to your Bitcoin address, your privacy can be completely compromised. The ledger might as well read:
Alice ==10btc==> Bob
Given that AML/KYC regulations require exchanges like Mt.Gox or Coinbase to verify and record your identity, this gives the government a relatively convenient way of linking your identity to your address. As an imperfect workaround, you can generate a new Bitcoin address and send the bitcoins from the address linked to your identity to the new one that isn’t.
Alice ==10btc==> 1JLs7BDEfJREvGSQJUeVcBJpsiZrPeb1A1
Since Bitcoin addresses can be generated with trivial effort, you can do this as many times as you want. The new address will still be linked to the one with your identity in the blockchain, but this does give you a reasonable degree of plausible deniability. If someone were to question you about a transaction, you could plausibly claim that you sold those coins on LocalBitcoins and don’t own the address. Of course this wouldn’t prevent you from being labeled a “person of interest”, but it remains to be seen if that link would pass the “beyond a reasonable doubt” standard in court.
Nevertheless, this problem can largely be mitigated by treating all Bitcoin addresses as one-time use addresses. One of the primary sources of privacy leaks is address reuse. The reasons here are two-fold:
1) Obviously, anyone who links your identity to your address can just visit blockchain.info and see your balance and transaction history. If you generate a new address for every transaction, it will be next to impossible to do this without physically compromising your wallet.
2) Even if you don’t reuse addresses personally, that fact that other people do compromises your privacy. Once identities are linked to Bitcoin addresses, it becomes trivial to link your transactions to identities through the blockchain.
To the right is a transaction graph for Wikileaks published in a 2011 research paper. As you can see, address resuse has negative externalitites that compromise the privacy of all users.
Now if everyone uses Bitcoin addresses only once, it becomes next to impossible to perform this type of network analysis. Consider an example: suppose Alice sends a few bitcoins to Bob, if Bob generated a new address just for this transaction, Alice doesn’t learn anything about his other addresses, only only the one she sent her funds to. When Bob sends those bitcoins to Charlie, Alice can see the bitcoins leaves Bob’s address for another, but assuming Charlie generated a fresh address for the transaction, Alice will have no idea who the bitcoins were sent to. If all Bitcoin addresses across the network spring into existence only at the moment of a transaction, and are never reused, this would make Bitcoin pretty close to anonymous.
I say pretty close because there are still some scenarios where your privacy could still be compromised. Imagine a situation where Alice receives a payment from Eve, sends the same outputs to Bob and Bob sends the same outputs back to Eve. Here Eve would be able to determine that Alice transacted with Bob. While that certainly counts as a privacy leak, situations like this tend to be extremely low probability events and wouldn’t compromise all of your transactions.
This is how Satoshi originally conceived Bitcoin to operate. Version 0.1 contained a pay-to-IP-address feature where the receiving client provided the sender with a fresh address for each transaction. Unfortunately this feature didn’t catch on and people started reusing addresses.
So despite the potential privacy gains people continue to reuse addresses. The question is why? I think there are a couple reasons. First, it’s cumbersome to manage a wallet with hundreds of Bitcoin addresses. You typically have to backup your wallet after every 100 wallet operations or else risk losing some bitcoins if you have to recover your wallet from a backup. And having a wallet with hundreds of addresses isn’t nearly as easy to back up to a piece of paper as is a single address.
Second, it’s not always possible to provide a new address for each transaction. Think of the static tip addresses that many of us post on our websites or those used by charities for donations. Fortunately there are improvements that should change our default behavior with our wallets and move people away from the practice of reusing addresses.
The old method of generating Bitcoin addresses was to generate each one separately from a random private key. All of the private keys would be stored in the wallet.dat file. For the reasons mentioned above managing this type of wallet is a pain in the ass.
A deterministic wallet takes advantage of the pseudorandom properties of cryptographic hash functions to generate an unlimited number of new bitcoin addresses from a single random seed. So rather than having to backup a cumbersome wallet.dat file with hundreds of addresses, you only need to securely store this seed. Every one of your Bitcoin addresses can be reconstructed from this seed at any time. So now it doesn’t take any more effort to secure the keys for a wallet with hundreds of addresses than it does to secure the key to a single address.
For those who are fans of paper wallets, there’s nothing stopping you from printing the seed to piece of paper just like you currently do with a private key.
Some members of the community are in the process of developing a standard (BIP 0039) for creating a mnemonic code for the seed that looks like this:
royal despair cigarette rich huge wet pretty waist silently fail afraid passion
This has largely already been implemented in Electrum and Bitcoinj.
Also, wallets are moving away from displaying the addresses in the user interface and instead will simply handle all these addresses behind the scenes. The user doesn’t need to know she has multiple addresses in her wallet. The UI will simply display the balance and transaction history and when the user places a transaction it will automatically select an address in the wallet from which to send the funds. In other words, deterministic wallets remove the need for users to handle their addresses. This not only improves the user experience, but also moves people away from the practice of address reuse.
The Payment Protocol
Sometime in the next month or two the core developers will release Bitcoin-QT version 0.9 which will contain a new payment protocol. The goal of this protocol is to increase the security of transactions and improve the user experience. Presently, the merchant typically displays its Bitcoin address in web browser and the user copies and pastes it into his wallet. There are several problems with this practice. First, transmitting the address over the internet is relatively insecure. We’ve been lucky so far that we haven’t heard of attackers intercepting Bitcoin addresses and replacing them with their own before they reach the payer, but that certainly can happen. Secondly, alphanumeric addresses just aren’t very user friendly, especially for beginners.
The new payment protocol solves these problems. When a user goes to pay a merchant, he will be presented with a link to download a signed payment request (presumably this link will be presented to mobile wallets as a QR code). The user clicks the link and his wallet automatically downloads and loads the payment request from the merchant. The request will show the actual name of the merchant (as opposed to the Bitcoin address), the total, and a description of what the payment is for. The payment request will be signed with an authenticated X.509 certificate which will prevent an attacker from forging payment requests.
Most importantly, the default behavior of the protocol will be to generate a new address for each payment request (handled behind the scenes). This will serve to nudge people away from the practice of address reuse. As the protocol becomes ubiquitous, very few people will continue to reuse addresses.
The payment protocol covers nearly all situations where two people can communicate in real time. It doesn’t, however, allow a user to pay someone who is offline, or who wishes post a static address on a website the way Bitcoin addresses currently allow.
The final pieces of the puzzle are “Stealth Addresses”, first discussed on the development mailing list. A stealth address allows a user to post a static address linked to his identity, but receive payments to completely separate Bitcoin addresses. Here’s how it works…
The user generates a new stealth keypair:
Secret: c8edfa93b0475d617de98643673ddbd3f25b08a98261a2b3f913ea29990ef6f6 Address: SxjHZmrj1GrtuyW8dLmtYbNsLTEUGCQzpbk6iFRHEiBiZ5Z8Nq8EVt
The sender combines the recipient’s stealth address with a random nonce and a little elliptic curve magic to generate a Bitcoin address for which only the recipient can generate the corresponding private key.
Nonce: 03f3f8509a9ac713d269670119862416f377428fa1b40119fa418c3f24a610b11f Address: 1vTNCd9NtWS77aPsfGWMeqNP1jsfbGQZ4
The sender broadcasts a transaction to this new address and includes the nonce as an extra output. The recipient can scan the blockchain for transactions containing a nonce, check if they belong to him, and recover the private key for the Bitcoin address:
Address: 1vTNCd9NtWS77aPsfGWMeqNP1jsfbGQZ4 Private key: 5JDUsvi6bGL5M3Wk2qvgrEHvp3proSRStHakfwtsdMfauXekqR4
So in other words, stealth addresses will allow you to post a static address on a website and have each payment sent to different Bitcoin addresses which you have the keys to. Not only does this eliminate the need for address reuse, but it also makes it impossible for someone to look up your balance and transaction history on blockchain.info.
In the future it’s likely that stealth addresses will be combined with a distributed identity system such that you wont even need to type someone’s stealth address into the client to make a payment, only their real name. The corresponding stealth address will be downloaded from a blockchain and imported into your address book.
The only kinks that have yet to be worked out are making stealth addresses work with the lightweight clients used in mobile wallets. Adam Back, Peter Todd and Jeremy Spilman have been putting in a lot of work to come up with a workable solution.
Thanks to these innovations it seems we’re on the cusp of winning the war on address reuse. In the near future it’s likely that users wont even know what a Bitcoin address is as their wallets will just handle everything behind the scenes. This will go a long way towards making Bitcoin the anonymous currency that we all want it to be.
To get the rest of the way there we’ll need to further develop new protocols like Coinjoin, Zerocoin, and Homomorphic Encrypted Value. Until then, we can still enjoy the high degree of privacy afforded to us by the current protocol.
Original content by Chris, copyleft, tips welcome