Anonymity and privacy were two of the main concepts that led to a new, decentralised financial system and the conception of bitcoin. But how private is your information really when trading or paying with bitcoin or other crypto tokens? This article explains the technical details of anonymity on crypto networks and which techniques can be applied to shroud your identity in mystery.
Anonymity and unlinkability
Is bitcoin really ‘anonymous’? The short answer is no. While bitcoin isn’t anonymous, it is pseudonymous, meaning it can mask the identity of users. With the proper tools and techniques, it is possible to trace back the owner of transaction addresses. To answer this question in more detail, let’s take a look at the meaning of anonymity and unlinkability.
Literally, anonymous means ‘without a name.’ This article on transactions in the bitcoin network shows how counterparties must expose their ‘addresses’, which are the public keys replacing real names. This is called pseudonymity in computer science. In computer networks, anonymity can be expressed as anonymity = pseudonymity + unlinkability. Pseudonyms possess varying degrees of anonymity, ranging from highly linkable public pseudonyms (the link between the pseudonym and the human is publicly known or easy to discover), through potentially linkable non-public pseudonyms (the link is known to system operators but is not publicly disclosed), to unlinkable pseudonyms (the link is not known to system operators and cannot be determined).
Since the bitcoin blockchain is publicly accessible and transparent to everyone, people can conduct investigations and group different addresses (called bitcoin address clustering). Hence it is wrong to assume that if you have 100 addresses on the bitcoin network, then no one can identify how many bitcoins you have in total. In fact, people can group all your addresses together under the same ‘entity’ and calculate the total number of BTC you own. This is also why bitcoin address reuse is not encouraged as it makes the address clustering and linkability even easier.
The good news is that if you protect your privacy well, people may not be able to link your real world identity to your bitcoin addresses, even if they are clustered.
The Case of Silk Road
One infamous example is the owner of Silk Road (a darknet market), Ross Ulbricht. He was arrested because he had used the same account on a forum for receiving bitcoin from Silk Road while simultaneously asking for programming help and stating an email address containing his full name. Once his real world identity was linked to his bitcoin addresses, all his bitcoin holdings could be traced.
To conclude, bitcoin is not fully anonymous and unlinkable. But if you protect your privacy well, you may still keep your bitcoin unlinkable to your real world identity.
Bitcoin Address Clustering
There are various rules that people can use to group bitcoin addresses together. We call them bitcoin clustering heuristics. However, readers should note that these heuristics do not guarantee a 100% correct result; they are used because they are effective in most circumstances.
The basic heuristics are:
- Co-spending heuristics
- One-time-change heuristics
Co-spending heuristics
Let’s assume we have the transaction below called ‘Txn 003’:
Users must possess the private key for each address to be able to spend from it. In Txn 003, the user is able to spend adr 1 and adr 2 at the same time, suggesting that adr 1 and adr 2 belong to the same user.
This is called the co-spending heuristic.
One-time-change heuristics
Let’s assume we have the transaction below called ‘Txn 017’:
Imagine that this user spent 1 BTC to buy a pizza. Since bitcoin adopts a UTXO model, he must spend his entire 1.2 BTC output and return the remaining 0.2 BTC to himself as change. Therefore, it is likely that adr 1 and adr 3 belong to the same user.
This is called the one-time-change heuristic.
Research from Harrigan et al. [2] states that a single heuristic (the co-spending heuristic) can identify more than 69% of the addresses in the wallets stored by lightweight clients.
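The two heuristics above are simple enough to run over a transaction list. The following is an added example (not code from the original article or from Crypto.com) that applies both rules with a union-find structure over a small constructed chain: Txn 003 and Txn 017 mirror the two transactions described in the text, the address names and the other txids are invented, and a transaction with two never-seen outputs is included to show where the change heuristic must stay silent.

```python
# Each transaction: (txid, input addresses, [(output address, amount in BTC)]).
# Constructed sample chain, not real transactions; Txn 003 and Txn 017 mirror
# the two examples in the text, the other txids are invented.
SAMPLE_TXS = [
    ("Txn 001", [], [("adr 1", 1.2), ("adr 2", 0.3), ("merchant", 5.0), ("pizza shop", 2.0)]),
    ("Txn 003", ["adr 1", "adr 2"], [("merchant", 1.5)]),           # co-spend
    ("Txn 010", ["merchant"], [("adr 1", 1.2)]),                      # adr 1 reused
    ("Txn 017", ["adr 1"], [("pizza shop", 1.0), ("adr 3", 0.2)]),   # change to adr 3
    ("Txn 020", ["adr 9"], [("adr 7", 0.4), ("adr 8", 0.6)]),        # ambiguous change
]

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txs):
    """Walk the chain in order applying both heuristics; return address clusters."""
    uf, seen = UnionFind(), set()
    for _txid, inputs, outputs in txs:
        out_addrs = [a for a, _ in outputs]
        for a in inputs + out_addrs:
            uf.find(a)                                   # register every address
        if inputs:                                       # coinbase has none
            # Co-spending: one key holder signed for every input.
            for a in inputs[1:]:
                uf.union(inputs[0], a)
            # One-time change: of two outputs, the single never-seen address is
            # the change sent back to the spender; two fresh outputs stay ambiguous.
            fresh = [a for a in out_addrs if a not in seen and a not in inputs]
            if len(outputs) == 2 and len(fresh) == 1:
                uf.union(inputs[0], fresh[0])
        seen.update(inputs + out_addrs)
    clusters = {}
    for a in uf.parent:
        clusters.setdefault(uf.find(a), set()).add(a)
    return {frozenset(c) for c in clusters.values()}

def entity_of(addr, txs=SAMPLE_TXS):
    return next((c for c in cluster_addresses(txs) if addr in c), frozenset())
```

On this chain adr 1, adr 2 and adr 3 collapse into one entity, while adr 7 and adr 8 are left separate because neither can be singled out as the change output.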
Privacy Techniques: Coin Mixing, Anonymous Signature, and Zero-knowledge Proof
So bitcoin is not entirely anonymous. Although this has advantages from a compliance standpoint (full anonymity facilitates money laundering), there will always be some who wish for a fully anonymous token.
The development of privacy coins using advanced cryptographic techniques can provide this.
They are mainly based on the following three techniques:
- Coin mixing
- Anonymous signatures
- Zero-knowledge proof
Coin mixing
Coin mixing is a technique to shuffle coins so that the owner becomes untraceable.
Imagine A, B, C, and D each own 10 bitcoins. They send their bitcoin to a mixer, and the mixer sends 10 bitcoins back to four new addresses which belong to A, B, C, and D respectively. It then becomes very hard to identify who is who among those four newly generated addresses.
Anonymous signatures
Anonymous signatures are digital signatures that can hide the real signer.
One example of such an anonymous signature is called a ‘ring signature’. Monero (XMR) uses ring signatures to preserve transaction privacy.
In a normal digital signature setup, anyone can verify that a signature is valid using the signer’s public key.
For ring signatures, however, the system uses a group of users, any one of whom can sign. Others can only verify that it was signed by one of the group members, without knowing which one.
Zero-knowledge proof
Zero-knowledge proof (ZKP) allows you to prove that you know confidential information to somebody without actually revealing it. The very term ‘zero knowledge’ originates from the fact that no (‘zero’) information about the confidential information is revealed, but the second party (called a ‘verifier’) is (rightfully) convinced that the first party (called ‘prover’) knows the secret in question.
The following example illustrates ZKP:
There is a cave with a guarded entrance stopping you from being able to pass through. The door can however be passed by saying the magic password. Alice wants to convince Bob that she knows the password. One way she could do this would be to walk with Bob to the entrance, shout the magic password, and if the door opens then Bob would be convinced that Alice knows the password. The problem with this conventional approach is that Bob could learn the magic password, which Alice doesn’t want him to know.
This approach is akin to the working of bitcoin where everyone sees every transaction so we can be certain of the bitcoin value each public address holds, but this comes at the cost of everyone being able to know this information.
Alice needs a way to prove to Bob that she knows the password without actually telling him what the password is. This is what we term ‘zero-knowledge proof’: proving something (the fact that Alice knows the password) whilst conveying zero knowledge (Bob does not learn the password). Alice could achieve the zero-knowledge proof in the following manner:
- Alice would enter the cave and arbitrarily choose to go to side A or B.
- Bob would then come to the cave entrance and ask Alice to either exit from side A or from side B.
- Now if Alice does indeed know the password she will be able to pass through the door and emerge from the requested side. However, if she doesn’t know the password, she has only a 0.5 probability of being able to emerge from the side requested by Bob.
- Bob would now simply repeat the experiment n times. Since each round gives a guesser only a 0.5 chance, the chance of passing all n rounds by luck is 0.5^n, and once n is large enough it is practically impossible for Alice to be correct so many times if she is merely guessing.
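The cave protocol above can be simulated to check its three properties: an honest Alice always passes, a guesser passes all n rounds with probability 0.5^n, and Bob never handles the password. This is an added example, not code from the original article; the password value and the class and function names are invented for the simulation.

```python
import random

MAGIC_PASSWORD = "open-sesame"   # constructed secret; only the door checks it

class Alice:
    """The prover. knows_password=False models a cheater who can only guess."""
    def __init__(self, knows_password):
        self._secret = MAGIC_PASSWORD if knows_password else None
    def open_door(self):
        # The door compares the password; Bob never sees this comparison.
        return self._secret == MAGIC_PASSWORD

def cave_round(alice, rng):
    """One round: Alice picks a side unseen, then Bob names the side she must exit from."""
    entered = rng.choice("AB")          # Alice's private choice
    requested = rng.choice("AB")        # Bob's challenge, issued after Alice is inside
    if entered == requested:
        return True                     # no door needed; this round reveals nothing
    return alice.open_door()            # she must cross through the door

def run_protocol(alice, rounds, seed=0):
    """Bob accepts only if every round succeeds. Deterministic for a given seed."""
    rng = random.Random(seed)
    return all(cave_round(alice, rng) for _ in range(rounds))

def cheat_bound(rounds):
    """Probability that a guesser passes all rounds by luck: 0.5 ** n."""
    return 0.5 ** rounds

def estimate_cheat_rate(rounds, trials=2000):
    """Empirical pass rate of a cheater over many independent protocol runs."""
    cheater = Alice(knows_password=False)
    return sum(run_protocol(cheater, rounds, seed=s) for s in range(trials)) / trials
```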
Privacy on the Crypto.org Chain
Transaction privacy is an important aspect for the design of the Crypto.org chain.
Our privacy design axioms are:
- encrypted on-chain pseudonymous transaction data that only relevant parties involved in each transaction can decrypt
- efficient transaction validation
In order to address privacy needs, as well as other priorities including security, transaction speed and decentralisation, the core functionality of Crypto.com chain nodes is designed to run in secure enclaves of Trusted Execution Environments (TEEs). TEEs, such as Intel SGX, Arm TrustZone, or Keystone, are extended CPU instruction sets that isolate code executed in an enclave from the host operating system in hardware-encrypted RAM. TEEs ensure that even the node administrator cannot see private data that the enclave code works with.
Privacy through Trusted Execution Environments
An important feature of TEEs is their local and remote attestation. This feature enables nodes or external parties to verify that the code they plan to interact with is indeed the certified Crypto.com Chain code. In case of remote attestation, each node completes this step before establishing secure communication channels with other nodes.
In Crypto.com chain design, TEEs can find several compelling use cases:
- Sealing ledger data: while all transaction data can be distributed to any node for processing, humans (even node administrators) cannot view this data in its raw form
- ‘Virtual’ hardware wallets: community nodes can utilise ledger trustlet-like software to protect their private keys
- Payment protocol enhancements: TEEs have gained popularity in blockchain systems research, as they can offer high transaction throughputs with low latency
- Witnessing external data: for data from oracles or other blockchain networks, TEEs can be used to attest data authenticity
Privacy Updates on the Crypto.com Chain
To further enhance privacy capabilities, the Crypto.com chain will soon include other software-based measures in case of secure enclave breaches. The initial prototype will utilise tree signatures for threshold multi-signatures which provide a good trade-off between privacy and accountability. Furthermore, we will potentially explore employing other techniques, such as additively homomorphic commitments (as used, for example, in confidential transactions), where data remains private even in the case of secure enclave breaches, and its processed parts can be securely and verifiably exposed for third-party auditing.
For more details, please refer to the Crypto.com chain technical whitepaper.
References
1. Pseudonymity (n.d.). Retrieved from https://en.bitcoinwiki.org/wiki/Pseudonymity
2. Harrigan, M., & Fretter, C. (2018, September 14). The Unreasonable Effectiveness of Address Clustering. Retrieved from https://arxiv.org/pdf/1605.06369.pdf
3. Digital Library: Communications of the ACM. (2018). Retrieved May 05, 2020, from https://dl.acm.org/doi/fullHtml/10.1145/3132696
4. Ring signature. (2020, February 13). Retrieved May 05, 2020, from https://en.wikipedia.org/wiki/Ring_signature
5. Moneropedia: Ring Signature. (n.d.). Retrieved May 05, 2020, from https://web.getmonero.org/resources/moneropedia/ringsignatures.html
6. Jon Jon (2018). Why the concept of anonymity is as clickbaity as this article title and a zero-knowledge proof. Retrieved from https://www.newtownpartners.com/transaction-anonymity-and-zero-knowledge-proof/
7. Crypto.com (2019, September 17). Crypto.com Chain: The next generation decentralized mobile payment protocol. Retrieved from https://crypto.com/images/chain_technical_whitepaper.pdf