With Bitcoin at one point valued at more than $5,000 per unit, cryptocurrencies have excited a lot of interest from individuals, businesses, and hackers. One of the selling points of Bitcoin and others of its type is anonymity. Yet there are concerns that online currency transactions may not be as anonymous as many wish. In this post, we will discuss several tools that make an effort to ensure anonymity with cryptocurrency transactions.
A cryptocurrency is a digital currency in which encryption techniques regulate the generation of units of currency and verify the transfer of funds, and that operates independently of a central bank. In other words, it is a decentralized, trustless money system that can be verified independent of any central authority. It does this using a “blockchain,” a list of open yet encrypted records.
There are several flavors of cryptocurrencies, with Bitcoin, Litecoin, and Ethereum the most widely used. Cryptocurrencies released after the success of Bitcoin are collectively called altcoins. The father of all cryptocurrencies, Bitcoin requires the ledger, or record of transactions, to be available to everyone—making all transactions public knowledge. For many, this raises anonymity and privacy concerns. In this article, we will examine some of the ways that the anonymity of cryptocurrencies has been addressed.
Because a blockchain ledger is public, maintaining anonymity is hard, especially in the case of Bitcoin. Bitcoin is considered pseudoanonymous, which means a person may be linked to a public Bitcoin address, but not to an actual name or home address. You may know that an address is related to one person but you do not know to whom. Hence, Bitcoin (and most cryptocurrencies) are not completely anonymous. Many people trading in cryptocurrency prefer their transactions to be anonymous for various reasons. These include, but are not limited to, law enforcement–related issues, company-specific information, or for the sake of maintaining privacy. In the hacker world, cryptocurrencies have become ubiquitous in financial transactions. Well-known underground markets that sell stolen personal data, malware, and other goods and services deal exclusively in cryptocurrencies.
Figure 1: The AlphaBay market, which was seized by law enforcement.
Primarily, these markets deal in Bitcoin, as was the case with the recently seized Hansa and AlphaBay markets. Other currencies are also being used and implemented in these markets. According to the European Cybercrime Centre Internet Organised Crime Threat Assessment report, many markets, including automated vending card sites, deal almost exclusively in Bitcoins. However, the report acknowledges that Monero, Etheruem, and Zcash are also gaining traction in these circles. It also notes the development of a new dark-net market called Tralfamadore, which uses Ethereum smart contracts as a possible new crime-as-a-service model.
Cryptocurrencies are not limited to markets. Extortion attempts through ransomware demand cryptocurrencies as payment. All the modern major ransomware families—such as Locky, Petya, and Wannacry—have demanded Bitcoin for payments. To protect proprietary information, among other reasons, those engaged in cybercrime and those who investigate these crimes have an incentive to maintain anonymity.
Maintaining anonymity can be difficult because of mistakes or attacks against the network designed to deanonymize users. Compromised identities can hinder law enforcement investigations or, in the case of cybercriminals, lead to arrest. Because the ledger is publicly visible, anyone can analyze it to correlate addresses with identifiable names. If they are successful, they can link all transactions to a payer or payee. The attacker can then move to corresponding Bitcoin addresses and perform a “taint” analysis. In Bitcoin jargon, the “taint” of a Bitcoin transaction evaluates the association between an address and earlier transaction addresses. The more taint, the stronger the link between two addresses. Hence the need for various techniques to maintain anonymity.
A deceptively simple technique is to refrain from given out personally identifiable information. Users can avoid linking their personal data or organizational information to the cryptocurrency address or transaction. A website generally has personal data such as an IP address and registrar information that give context to the address if used in relation to the site or service. Another easy and obvious way to maintain anonymity is to trade Bitcoins in cash.
Anonymity is based on the trust of the person or organization you are trading with and how securely they store the information. Most law abiding users may feel comfortable using ATMs and even wallets with built-in features for in-person exchanges such as the BillBoard feature of Mycelium. However, some local laws view in-person cash transactions as evidence of money laundering and can lead to arrest, depending on the amount transferred.
Beyond simple user-behavior changes, many technologies help secure anonymity for cryptocurrency users. We will delve into several techniques:
- Services such as virtual private networks (VPNs) or Tor
- New Bitcoin addresses for each transaction
- Secure wallets
- Stealth addresses
- Zcash or other anonymity-centric cryptocurrencies
Services such as VPNs or Tor
Both VPN and Tor services are designed to safeguard the user and can be used to maintain anonymity. These technologies are used by researchers, journalists, companies, governments, and others for both safety and privacy. They are also used by many cryptocurrency users with similar concerns. Many ransomware decryption-management tools are housed as hidden services in Tor. VPNs are often used to hide personal information during cryptocurrency transaction requests. Both VPN and Tor can hide the personal data of the user making a transaction by using a different IP address or geo location, sometimes configurable by the user. These tools will prevent an attacker or analyst from monitoring traffic from correlating IP addresses and transactions. It can also be used when communicating to others, such as vendors, and hiding your address from them as well.
Figure 2: The onion router network.
Tor is free software that enables anonymity in online transactions by “onion routing,” an encryption technique in the application layer that essentially masks IP addresses. It does this routing through hops, similar to layers of an onion, multiple times over a virtual network, making it hard for any member of the hops to decrypt information. Using Tor can slow Bitcoin transactions but it can keep the user’s address hidden.
A VPN helps add security to a network by using secure protocols such as PPTP, L2TP, or OpenVPN to encapsulate online transactions. A user trading in Bitcoins can use a VPN to appear to work from San Francisco while actually working from Germany. The data is encrypted from the user to the VPN service, hiding traffic from their ISP, and preventing correlating traffic analysis of transactions.
New Bitcoin Addresses for Each Transaction
The blockchain is effectively immutable, provided that 50% or more of the network is not working together to make changes. Effectively, all transactions can be traced to their inception. For users who use different addresses for each transaction, it becomes difficult to prove associations between each address. However, by reusing addresses, the connection is inherently known. Users will allow any third party to easily follow transactions to and from that address. Their behavior is easy to follow. Should their identity become associated with their addresses, further analysis of its context may lead to the discovery of other related addresses used by the same user. By using unique addresses for each transaction, users increase the difficulty of finding relationships among the transactions. The use of single addresses per transaction is the recommended practice from Satoshi Nakamoto’s original paper.
The terms tumblers and mixers are often used interchangeably. They are services that help confuse the trail of cryptocurrency transactions by associating unrelated funds together using various methods.
If an address’ anonymity has been compromised or, in other words, has been tainted, the funds can be “cleaned” using a tumbler. The association between the user’s identity and the new addresses can be muddled, providing a new start to anonymity. The mixer cannot undue any information gained prior to the mix. To do this, users send the Bitcoins they want to “clean” to the tumbler, which mixes them with Bitcoins from other users in a pool and then returns the currency to their respective owners at new addresses, minus a mixing fee.
There are two types of mixers, centralized and decentralized. Popular centralized mixers are Bitmixer.IO (in use since 2011), Bitcoin Fog (since 2011, under Tor), and Helix. Decentralized mixers obtain the same mixing goals without a central authority controlling the mixings. Examples of decentralized Bitcoin mixers are CoinShuffle, JoinMarket, SharedCoin, and Jumblr. This technique is obviously of interest to money launderers. Bitcoin Fog appears to focus on those users. Mixing services are seen to have a lot of privacy and anonymity value by other coin developers and have benefitted from a lot of recent research and implementations. New or proposed coin implementations such as Cloakcoin, Dash through PrivateSend, PIVX, and Zcoin have built-in mixing services as a part of their blockchain networks.
Figure 3: Bitcoin Fog, a Bitcoin mixer.
The back-end technology of decentralized mixers is typically the widely used technology CoinJoin, which was proposed in 2013 by Gregory Maxwell. The basic concept groups a bunch of payers, pools their money, and makes a joint payment, thus obfuscating the relationship between payer and payee. What makes CoinJoin possible is that not every input in a transaction must come from the same wallet or user. The signatures required to authenticate a transaction are independent for each input, allowing multiple users to agree to complete a single transaction to multiple unrelated payees. In doing so, the information about which input paid which payee is not part of the blockchain, and can be hidden from analysis.
CoinJoin is an important technology for maintaining anonymity because it is the base of many techniques and implementations. Some implementations include SharedCoins, Darkwallet, CoinShuffle, PrivateSend, and JoinMarket.
Figure 4: A CoinJoin example. Source: Wikipedia.
Bitcoin wallets contain a private key that provides ownership and access to the wallets’ funds. They generate addresses and sign their transactions, proving ownership to the blockchain network. If a private key is compromised, any address generated by that private key will be compromised as well, along with any funds that those addresses may hold. Users are strongly advised to protect their private keys through secure wallets. Broadly speaking, there are five types of wallets: desktop, mobile, web, paper, and hardware. Among the different types some, such as Darkwallet, also focus on user anonymity. Darkwallet primarily provides anonymity using two techniques: stealth addresses and CoinJoin. By implementing several anonymity techniques and providing a mechanism for users to join in CoinJoin transactions, wallets simplify the process. Darkwallet is still in open beta, and it is unclear how active the project is.
Figure 5: Darkwallet.
Stealth addresses facilitate transactions in which a requester wishes to both ask for funds from the public yet keep their balance hidden. The requester publishes a stealth address that can be used to generate a regular address. Using cryptographic techniques, all generated stealth addresses are owned by the requester’s private key. With this technique, the payment addresses are not publicly associated with the receiver, preventing analysts from tracking the ownership of funds.
Stealth addresses work using the elliptic curve Diffie-Hellman algorithm. This is the idea behind Monero, which inherently supports stealth addresses. This privacy feature is attractive to many customers in the digital currency market. However, it can be applied to other currencies, too, including Bitcoin. For example, Darkwallet uses stealth addresses as one feature to provide anonymity within Bitcoin transactions.
TumbleBit is a new protocol that can be used with Bitcoin to make transactions that are off the blockchain via an untrusted intermediary party. It essentially is a trustless mixing system using the blind-signing features of Chaumium e-cash. To keep the mixer from linking the payer and payee, the system uses a pool of funds that are indistinguishable from each other. The funds are populated by the senders, who send a “blinded” serial number to the mixer, who signs it. Based on the properties of blind signing, any signed serial number can be unblended and still maintain a valid signature. This serial can be sent to the recipient, who can redeem the associated funds. The mixer does not know which funds are associated with the signed serial number and deducts the appropriate amount from the pool. When a large number of similar input and output addresses are mixed in, it is hard for the mixer to map transactions to the payer and payee, even with extensive analysis.
Figure 6: TumbleBit.
It takes a three-phased approach to complete payments. In the first phase, escrow, Party A notifies the tumbler that they would like to make a payment, and Party B notifies the tumbler that they would like to be paid. This is done on the public blockchain. For the second phase, the researchers have put cryptographic tools into place that allow the tumbler to pay the correct parties without actually knowing which parties are involved. This is the blind-signing technique. Phase two does not appear on the blockchain, providing additional benefits such as faster transactions. In the third phase, cashout, all of the transactions are conducted simultaneously, making it more difficult to identify which parties are involved in any specific transaction. Phase three does appear in the public blockchain.
A ring signature is a type of digital signature that allows one person in a group to endorse the signature on behalf of the group. This step provides more security by making it computationally hard to determine which of the group members’ keys was used to produce the signature. CryptoNote uses ring signatures to produce untraceable payments and is implemented in cryptocurrencies such as Monero. CryptoNote makes it almost impossible for the verifier of the payment to identify the payee from the group.
Figure 7: A ring signature.
CryptoNote uses a modified version of the Diffie-Hellman exchange protocol, which allows two parties to produce a common secret key derived from their public keys. In some implementations, the sender uses the receiver’s public address and random date generated by the user to create a one-time key for the payment. Because the keys are generated dynamically and are random, they are called one-time keys. A ring signature also can transform traceability into linkability, which is supported by using a key image through which it is impossible to recover the private key. The key image is a one-way function that acts as an anonymous marker for the user’s private key.
Zcash or Other Anonymity-Centric Cryptocurrencies
Some cryptocurrencies were developed with anonymity as a primary goal. Monero, as well as Dash, Zcash, and others are among them. Each implement different techniques to hide the identity of its users. We will look at just Zcash, but there are many alternatives with many approaches.
Zcash is a proof-of-work cryptocurrency, and is considered the first truly anonymous digital currency. Zcash also uses a decentralized approach on the blockchain; however, users can encrypt all transactions on the blockchain, making it hard for anybody on the network to access the details. Zcash uses the technology zk-Snarks (zero-knowledge Snarks) to facilitate the encryption. Moreover, the only information that is available on the blockchain is the timestamp of transactions. Zcash is regarded as a privacy-enabling cryptocurrency but most people agree it is also anonymous. Users are free to use two kinds of addresses, transparent addresses, which start with a “t” and make trades similar to those in Bitcoin, and shielded addresses, which start with “z” and use zero-knowledge proofs to maintain privacy.
Figure 8: Zcash.
Many of the technologies and techniques to maintain anonymity have grown from mathematicians, technologists, and enthusiastic cryptocurrency researchers, who have made many advancements and practical use of their findings. Although there are valid reasons to seek anonymity, in the hands of bad actors these techniques make it difficult for law enforcement and security researchers to analyze. Regardless of the motivations, many users try to maintain anonymity while using cryptocurrencies. There are several options, some of which can be combined for further security. A few techniques are simple, while others require specialized tools.
In future posts, will we cover some of the tools and techniques used to break the anonymity of users of cryptocurrencies.
For more insights and research follow us at @McAfee_Labs.