Bitcoin is not anonymous, but, rather, pseudo-anonymous. By now, most Bitcoin veterans know this. It’s less evident to many, however, why Bitcoin is not truly anonymous by default, and what can be done to de-anonymize Bitcoin users – and what Bitcoin users can do to reclaim their privacy.
Below is an advanced beginner's guide to the nuances of Bitcoin and anonymity.
How do Bitcoin transactions work?
To better understand Bitcoin’s anonymity, it’s necessary to first understand how Bitcoin works on a basic level.
Most importantly, the Bitcoin protocol effectively consists of a series of transactions. These transactions are basically a package of different kinds of data, among which are transaction inputs and transaction outputs. Inputs refer to Bitcoin addresses used to send bitcoin from, and can only be spent using the private key associated with that address. Outputs effectively refer to addresses used to send bitcoin to. Each Bitcoin transaction transfers bitcoin from one or several inputs to one or several outputs (therefore, transferring bitcoin from one or several addresses to one or several addresses).
It’s possible for a transaction to simply have one input and one output. But that is uncommon, as it would require that the amount of bitcoin to be sent (the output) precisely equal an earlier amount received (the input).
Instead, it’s fairly common that a transaction consists of numerous smaller inputs in order to make for one larger transaction. If someone, for example, controls three different inputs of one bitcoin each, and needs to send 2.5 bitcoin to an online store, the software will merge all three inputs into a single transaction.
And it’s even more common that a transaction consists of numerous outputs. This is because Bitcoin uses change addresses. Change addresses permit users to create a transaction that returns the excess amount of bitcoin from one or several inputs back to the original sender. So in the example above, the software will typically create two outputs. One output attributes 2.5 bitcoin to the address belonging to the online store, while another output will attribute 0.5 bitcoin back to the newly generated (change) address managed by the sender.
What makes bitcoin ‘anonymous’?
There are generally three reasons why bitcoin is sometimes regarded as anonymous.
First, unlike bank accounts and most other payment systems, Bitcoin addresses are not tied to the identity of users on a protocol level. Anyone can create a new and fully random Bitcoin address (and the associated private key) at any time, without the need to submit any private information to anyone.
Second, transactions are not tied to the identity of users either. As such (and as long as a miner includes the transaction in a block), anyone can effectively transfer bitcoin from any address for which they control the (private) keys to any other address, with no need to expose any private information at all. Like physical cash, not even the receiver needs to know the identity of the sender.
And third, Bitcoin transaction data is transmitted and forwarded by nodes to a random set of nodes on the peer-to-peer network. While Bitcoin nodes do connect to each other using IP addresses, it’s not necessarily clear to a node whether the transaction data it received was created by the node it is connected to, or whether that node merely forwarded the data.
How is anonymity defeated?
There are basically three ways to de-anonymize Bitcoin users.
First of all, even though Bitcoin transactions are randomly transmitted over the peer-to-peer network, this system is not airtight. If an attacker, for example, has the means to connect numerous nodes to the Bitcoin network, the combined data collected from these different nodes might be enough to determine where a transaction originated.
Second, Bitcoin addresses can be linked to real identities if these real identities are used in combination with the Bitcoin addresses in some way. This includes addresses used to deposit or withdraw money to or from a (regulated) exchange or wallet service, publicly exposed donation addresses, or addresses simply used to send bitcoin to someone (including the online store) when using a real identity.
But perhaps most importantly, all transactions over the Bitcoin network are entirely transparent and traceable by anyone. It’s typically this complete transparency that permits numerous Bitcoin addresses to be clustered together, and be tied to the same user. Therefore, if just one of these clustered addresses is linked to a real-world identity through one or several of the other de-anonymizing methods, all clustered addresses can be.
What is clustering?
Let’s take a closer look at clustering.
A very basic clustering method is the analysis of transaction networks. In its most basic form, this refers to the several inputs combined into a single transaction. While these inputs could have originated from different addresses, the fact that they were combined into a single transaction suggests that all these inputs – and therefore all related addresses – are managed by the same user.
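The multi-input heuristic described above can be written as a union-find over input addresses. This is an added example, not code from the cited paper; the transactions, address labels and the `known_identities` mapping are constructed for illustration. It shows how one identified address exposes every address that was ever co-spent with it.

```python
from collections import defaultdict

# Constructed sample transactions: input and output addresses only.
TXS = [
    {"inputs": ["A1", "A2", "A3"], "outputs": ["STORE", "A4"]},
    {"inputs": ["A3", "A5"], "outputs": ["B1"]},
    {"inputs": ["C1"], "outputs": ["C2", "D1"]},
]

def cluster_addresses(txs):
    """Merge all input addresses of each transaction into one cluster."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register every address, even unlinked ones
        root = find(tx["inputs"][0])
        for other in tx["inputs"][1:]:
            parent[find(other)] = root  # co-spent inputs share an owner

    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values())

def exposed_addresses(txs, known_identities):
    """Map each known identity to every address clustered with its address."""
    exposed = {}
    for cluster in cluster_addresses(txs):
        for addr, name in known_identities.items():
            if addr in cluster:
                exposed[name] = sorted(cluster)
    return exposed

if __name__ == "__main__":
    # Only A5 was ever tied to a real identity (hypothetical label "alice").
    print(exposed_addresses(TXS, {"A5": "alice"}))
```

Because A3 appears as an input in both of the first two transactions, the two input sets collapse into a single cluster.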
Similarly, there are various methods to identify change addresses as being change addresses, which links them to the sender of the transaction. This is fairly straightforward when receiving bitcoin: the output that is not attributed to you is typically (though not always) attributed to the change address managed by the sender. In addition, some Bitcoin software exposes the change address to attentive onlookers, too. It does so, for example, by always creating a change address as the last output of a transaction. The use of multisig addresses can be a giveaway as well.
Another clustering method is taint analysis. Taint analysis is fairly straightforward, too, and is even offered by several freely accessible block explorers. Basically, taint analysis calculates what percentage of bitcoin on a specific address originated from another specific address, whether the addresses are one transaction separated from each other – or more.
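A worked taint calculation over several hops, as an added example rather than code from the article or from any block explorer. It assumes a proportional model in which every output inherits the value-weighted taint of its transaction's inputs; the chain, address labels and amounts are constructed.

```python
from fractions import Fraction

# Constructed sample chain, listed in order. Inputs reference earlier outputs
# as (txid, index); outputs are (address, amount in satoshi).
CHAIN = [
    ("t0", [], [("SRC", 100_000_000)]),      # coins first land on SRC
    ("t1", [], [("OTHER", 300_000_000)]),    # unrelated coins
    ("t2", [("t0", 0), ("t1", 0)],
     [("MIX1", 200_000_000), ("MIX2", 200_000_000)]),
    ("t3", [("t2", 0)], [("DEST", 200_000_000)]),
]

def taint_by_address(chain, source):
    """Fraction of each address's received coins that trace back to `source`.

    Assumption: proportional taint, i.e. each output carries the
    value-weighted average taint of the inputs of its transaction.
    """
    outputs_seen = {}  # (txid, index) -> (address, amount, taint)
    for txid, inputs, outputs in chain:
        spent = [outputs_seen[ref] for ref in inputs]
        total_in = sum(amount for _, amount, _ in spent)
        tainted_in = sum(amount * taint for _, amount, taint in spent)
        tx_taint = tainted_in / total_in if total_in else Fraction(0)
        for index, (addr, amount) in enumerate(outputs):
            # Anything paid to the source address is fully tainted by definition.
            taint = Fraction(1) if addr == source else tx_taint
            outputs_seen[(txid, index)] = (addr, amount, taint)

    received, tainted = {}, {}
    for addr, amount, taint in outputs_seen.values():
        received[addr] = received.get(addr, 0) + amount
        tainted[addr] = tainted.get(addr, 0) + amount * taint
    return {addr: Fraction(tainted[addr]) / received[addr] for addr in received}

if __name__ == "__main__":
    for addr, share in taint_by_address(CHAIN, "SRC").items():
        print(f"{addr}: {float(share):.0%}")
```

Transaction `t2` combines coins from two unrelated addresses, so the taint is diluted to a quarter but still reaches DEST two hops later.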
And then there’s amount analysis and timing analysis. Amount analysis, as the name suggests, doesn’t track specific transactions, but rather specific amounts. Similarly, timing analysis tracks specific times. If, for example, one input is exactly 2.6539924 bitcoin, and an unrelated output is exactly 2.6539924 (minus fee) one block later, it suggests that the sending and receiving addresses belong to someone using some kind of mixer (see below).
What can be done to reclaim privacy?
Bitcoin privacy is still very much an arms race. While progress is being made to improve Bitcoin anonymity on the one hand, possible methods to de-anonymize users are often developed on the other. And while it is beyond the scope of this article to explore all potential future possibilities to improve anonymity, there are some basic methods to increase privacy on the Bitcoin network available right now.
One such straightforward solution is using Tor or other methods to hide IP addresses. If Bitcoin transactions are transmitted over Tor, there is no way to determine where they originated from (granted that Tor itself does as promised, of course).
Another basic solution to increase privacy is creating a new address for each transaction. Creating a new address for each transaction makes it harder to link addresses to real identities, as it would at the very least require more clustering to do so. An increasing number of Bitcoin wallets do this automatically using hierarchical deterministic (HD) wallet software.
A slightly more advanced method to increase privacy is the use of mixers. Mixers exist in numerous shapes and forms, but they basically ensure that everyone using the mixer receives each other’s bitcoin. If done well, mixing counters the analysis of transaction networks as well as taint analysis. And for improved results, mixing can be repeated.
One example of such a mixing strategy is CoinJoin, which merges inputs from and outputs to several users into one transaction – breaking the assumption that all inputs belong to the same user. CoinJoin does not, however, remove all taint from a Bitcoin address, since the inputs and outputs are still connected to some degree.
Alternatively, some mixers can eliminate all taint, as they return unrelated bitcoin from fully different addresses belonging to the mixer. However, these mixers are typically centralized, and as such will know the sending and receiving Bitcoin addresses belonging to users.
Additionally, to counter amount analysis, mixers can require all users to submit the same amount into the mix. Alternatively, mixing services can charge a random fee, making it harder for an outsider to link the amount of bitcoin sent to the amount returned. Furthermore, it’s possible to break up the amount mixed, further obfuscating the coins, as smaller amounts are more easily lost in “the crowd” of transactions.
To counter timing analysis, moreover, mixers can wait some random time before they send coins back; the longer this range, the harder it becomes to link transactions. Furthermore, extending the mixing time increases the likelihood of transactions being obfuscated by normal transactions.
But in the end, Bitcoin privacy is still a sliding scale – not a binary problem. Rather than being either totally anonymous or not at all, Bitcoin users enjoy a certain level of privacy, depending on how much of their identity they expose, which of the anonymizing mechanisms they apply, how many, and how often.
N.b.: For specific examples of mixing technologies, see the research paper cited below.
The article is largely based on ‘Research on Anonymization and De-anonymization in the Bitcoin System’, an ATR Defense Science & Technology Laboratory paper by QingChun ShenTu and JianPing Yu from Bitbank Research Labs, published by Shenzhen University. Extra thanks go to Bitsquare developer Manfred Karrer and Blocktrail co-founder Jop Hartog for providing feedback on an earlier draft of this article.