Is Bitcoin anonymous, and can mixing services make it more private? Here are the weaknesses and strengths of popular crypto privacy solutions.
The cryptocurrency industry was initially headlined as anonymous digital cash. While experts were keen to point out that this was not exactly the case, Bitcoin (BTC) found initial popularity in darknet markets such as Silk Road, where merchants sold illegal goods ranging from light drugs to, allegedly, hitman services. Founded in 2011, Silk Road thrived for the next two years until the Federal Bureau of Investigation shut it down in 2013. Authorities later revealed that completely free blockchain explorers aided their investigative efforts.
Bitcoin’s transaction ledger is completely open for the public to view. What the blockchain does lack is openly available identity data, as all transactions are conducted between wallet addresses, which can be considered pseudonyms. However, each wallet address is unique and can be tied to specific people or entities.
Mapping an address to its holder can be as simple as making a transaction. A buyer and seller can potentially reveal their entire transaction history to each other. Though they may not know with whom they’ve transacted previously, they can know the balance and spending amounts through a simple check on a blockchain explorer. In technical terms, this is called linkability: how easy it is to reconstruct a particular chain of transactions.
Bitcoin’s chain of transactions is theoretically easy to link. In practice though, this is not a trivial task, as it can be complicated to determine which part of a Bitcoin transaction is the change and which is the actual money that was spent.
Bitcoin-based privacy solutions
Given the explicit privacy weakness of Bitcoin and other open ledgers, various remedy solutions have been developed over the years. The first was proposed in early 2013 by Gregory Maxwell, a core Bitcoin developer. Later dubbed CoinJoin, the technology utilized an already existing principle of Bitcoin that single transactions can contain many “outputs” and “inputs” that flow to and from multiple wallets.
Each transaction takes a certain amount of Bitcoin in the form of inputs and reshapes it, like clay, into different chunks of outputs. With CoinJoin, multiple participants offer their Bitcoin into a single transaction, which then reshapes them into different outputs that are sent to the wallets specified by each user.
The result is that the chain of transactions is scrambled: an external viewer tracking wallet A doesn’t know to which exact wallet B the Bitcoin was sent. Wallet B may contain Bitcoin pieced together from dozens of input wallets. The number of participants, called the anonymity set, is important for the overall strength of mixing. It’s much more difficult to track one wallet out of 10,000 than one out of 10.
Another solution was given by Bitcoin mixers. Though they utilized a similar approach, they were centralized services that held custody of the Bitcoin during the scrambling process. Nevertheless, mixers initially proved popular for users as they were much simpler to implement than the peer-to-peer CoinJoin.
Their security flaws were soon made evident by researchers. A December 2017 paper by Felix Maduakor demonstrated a fairly simple heuristic process to deanonymize mixer transactions. The algorithm relied on factors such as timing, Bitcoin transaction amounts and their corresponding fees to filter the destination wallet. In addition, one service had a simple web-based vulnerability that could leak all mixed transaction data by exploiting internal record keeping. A different 2017 paper also concluded that even the most popular mixers utilized poor security practices that made it easy to trace their operations.
Despite the significant security flaws, mixers continued to be popular well into 2018. However, police seizures and voluntary closures pressured the sector and may have finally helped to curb their use. As Chainalysis noted in a July 2019 webinar, CoinJoin-based wallets offered by Wasabi and Samourai steadily gained popularity during 2019, processing over $250 million in Bitcoin.
As a largely decentralized process, CoinJoin doesn’t rely on the security skills of mixer operators, thus removing unnecessary failure points. Despite this, the system is far from perfect. Maxwell later distanced himself from pure CoinJoin implementations, noting in a presentation that “if all the users are putting in and taking out different amounts, you can easily unravel the CoinJoin.”
Though that can be mitigated by utilizing fixed output amounts, similar to cash bills, it doesn’t appear to be enough to prevent tracking. In a conversation with Cointelegraph, Chainalysis CEO Michael Gronager explained:
“CoinJoins and mixers do achieve a certain level of dissociation between funds. However, in many cases this link can be reestablished through forensics work.”
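Maxwell's point about differing amounts, and the fixed-amount mitigation, can be measured on a toy transaction. The following is an added example, not code from the article or from any wallet: it enumerates every way a CoinJoin's outputs can be attributed to its inputs so that the sums balance. The amounts are constructed, each participant is assumed to contribute one input, and fees are ignored.

```python
from collections import defaultdict

def interpretations(inputs, outputs):
    """Yield each mapping output index -> input index in which every input's
    assigned outputs sum exactly to that input. Fees are ignored (assumption)."""
    remaining = list(inputs)
    owner = [None] * len(outputs)

    def place(k):
        if k == len(outputs):
            if not any(remaining):          # every input fully accounted for
                yield tuple(owner)
            return
        for i, left in enumerate(remaining):
            if outputs[k] <= left:
                remaining[i] -= outputs[k]
                owner[k] = i
                yield from place(k + 1)
                remaining[i] += outputs[k]  # backtrack

    yield from place(0)

def link_table(inputs, outputs):
    """Return (number of consistent interpretations,
    {(input, output): share of interpretations that link the pair})."""
    solutions = list(interpretations(inputs, outputs))
    hits = defaultdict(int)
    for owner in solutions:
        for k, i in enumerate(owner):
            hits[(i, k)] += 1
    return len(solutions), {p: n / len(solutions) for p, n in hits.items()}

# Constructed amounts in satoshis, one input per participant.
INPUTS = [50_000_000, 31_000_000, 12_000_000]
# Everyone takes out a different amount: the sums match only one way.
UNEQUAL = [30_000_000, 20_000_000, 25_000_000, 6_000_000, 7_000_000, 5_000_000]
# Fixed 0.1 BTC denomination plus each participant's change.
FIXED = [10_000_000] * 3 + [40_000_000, 21_000_000, 2_000_000]

if __name__ == "__main__":
    for name, outs in (("unequal", UNEQUAL), ("fixed", FIXED)):
        count, links = link_table(INPUTS, outs)
        print(name, "interpretations:", count)
        for (i, k), share in sorted(links.items()):
            print(f"  input {i} -> output {k} ({outs[k]} sat): {share:.2f}")
```

With fixed amounts the three equal outputs are each attributable to any input with share 1/3, but every change output still maps to exactly one input.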
Further evidence of the vulnerability of CoinJoin was given by Chainalysis’s investigation into the operations of PlusToken. According to a December 2019 report excerpt, the firm was able to track 45,000 Bitcoin out of the 180,000 total collected by the Ponzi scheme, despite complex obfuscation tactics that also included CoinJoin services. Nopara73, a pseudonymous developer behind Wasabi wallet, defended the technology in an “Ask Me Anything” thread on Reddit, saying, “I don't think the technical part of the story is hard to figure out. Hint: they had more coins than the entire market cap of Monero.”
Privacy-based altcoins rising
As the ecosystem matured, dozens of projects arose specifically to provide private transactions to users. The present landscape is divided into several major families of coins based on different protocols.
Monero (XMR) is currently the largest privacy coin by market capitalization, and it was one of the first to be introduced on the market. It’s based on the CryptoNote protocol pioneered by Bytecoin (BCN) in 2014 and augmented over time by RingCT, a system combining ring signatures and Confidential Transactions cryptography.
Monero makes an effort to hide all parts of a transaction: sender, receiver and amount.
The sender is hidden via ring signatures. When creating a transaction, Monero aggregates the sender’s true output with other semi-random outputs picked from previous blocks. This creates an effect similar to CoinJoin by giving plausible deniability to the user, as external parties cannot pick the real coins without additional information.
A technology called Confidential Transactions further improves on this by hiding the amount of coins for each output. Stealth addresses, a part of the original CryptoNote protocol, hide the receiver by creating a one-time wallet address for each transaction.
Monero’s closest competitor is Zcash (ZEC), which uses zero-knowledge cryptography to hide transactions. At a high level, zero-knowledge proofs allow for a “prover” — a user sending the money — to conclusively demonstrate to a “verifier” — or a blockchain node — that they know a certain value, without ever revealing the actual number. Used in a privacy-centric blockchain, this allows the details of a transaction to be completely encrypted and uses zero-knowledge proofs as a guarantee that it is valid. Many variants of zero-knowledge proofs exist. The one currently used by Zcash is called zk-SNARKs.
The latest major addition to privacy coins is the Mimblewimble protocol. Implemented in projects such as Grin and Beam, Mimblewimble primarily uses CoinJoin and Confidential Transactions to ensure privacy. However, its blockchain architecture is significantly different from most other coins.
For example, Mimblewimble blockchains do not have permanent addresses. Instead, crypto is exchanged in a two-step process: the sender delivers partially filled transaction information through external means, such as emails, and the receiver must then add their own data before retransmitting the completed transaction file.
Several other projects use CoinJoin variants for their privacy features. Dash’s PrivateSend mixes coins through multiple steps of CoinJoin, while Decred’s (DCR) privacy mode uses CoinShuffle++, an updated and improved implementation of the original protocol. Though there are bitter debates between the opposing camps, each protocol comes with its own advantages and disadvantages.
The price of anonymity
Privacy protocols in general suffer from performance and scalability issues. The additional layer of secrecy often has a very measurable cost in terms of transaction size, speed of execution and computing performance.
Monero’s transactions are several times heavier than their equivalent on the Bitcoin network. Though the introduction of “bulletproofs” range proofs was a significant remedy to this problem, Monero transactions tend to be heavier than 1,500 bytes, while simple Bitcoin transactions can be as low as 280 bytes.
This poses a significant problem for scalability. Though Monero has dynamic block sizes, avoiding true bottlenecks, the entire blockchain still grows significantly faster in size. Eventually, it will become impossible to maintain Monero nodes on simple computers, which its community sees as a major aspect of decentralization.
Zcash is a mixed blockchain containing both transparent and “shielded” transactions. Private transactions suffer from a similar size problem to Monero, weighing on average 2,000 bytes.
Before the introduction of Sapling, sending money privately also required about 4 GB of available RAM, which made shielded transactions highly impractical.
Similar problems exist for Mimblewimble-based coins. Its raw transactions are over 5,000 bytes due to the presence of heavy range proofs. The primary scalability benefit for Mimblewimble-based coins is the ability to “prune” a blockchain: removing past transaction data without impacting its validity. Grin estimated a reduction of roughly 98% for a sample case of 10 million transactions, from around 130 GB to just under 2 GB. That is less than half the size of the Bitcoin blockchain when it had the same number of transactions in December 2012, according to data from Blockchain.com.
The ability to prune a blockchain is a major factor for some researchers. While Monero was considered unable to scale through pruning, the team released a limited implementation of it at the start of 2019. Critics described it as “more like sharding than pruning” due to its failure to completely remove transactions. Monero developers explained on Twitter that removing outputs is impossible with current technology, adding, “Our implementation definitely prunes certain transaction data.”
Zcash was also unable to prune its data, but the team at Electric Coin Company — the company behind Zcash — chose to further leverage zero-knowledge proofs to introduce a similar concept of scaling. Its proposed Halo technique would use a “proofs of proofs” system that would confirm the validity of the blockchain’s past states. This would allow nodes to only hold data on recent transactions, together with a proof of correctness for everything that occurred earlier.
Compromises on privacy
Practicality, decentralization and anonymity issues often pose a trilemma for any single privacy technology. Though Monero scores relatively well on practicality and decentralization, its anonymity has been put into question in the past.
Fireice_uk, a pseudonymous Monero contributor and the developer of the xmr-stak miner software, identified several weaknesses in the ring signature approach, noting that churning immediately exposes the true origin of the funds by creating a loop of transactions. They also demonstrated a way to break normal ring signatures based on leakage of metadata: the transaction’s time of creation can be compared with internet service provider records to identify the true output.
Leading Monero community members responded on Reddit, acknowledging some of these concerns while downplaying their relevance. When asked by Cointelegraph whether the team acted upon these concerns, fireice_uk said that the efforts have been insufficient:
“Over the past year, the volume of research into metadata leaks increased and they only fixed the very lowest hanging fruit. The current state of affairs leaves me uncertain if the whole ring signature based family of coins is viable — and I'm saying that as a dev of one of them.”
Sarang Noether, a pseudonymous member of the Monero Research Lab, responded to this criticism in a conversation with Cointelegraph. While noting that this is a “subtle issue” that depends on the implied threat model — who wants to deanonymize the transactions — they added:
“There's network-level metadata floating around, which may or may not affect a particular user depending on their threat model — and is tricky to reduce. There's on-chain metadata floating around, including things like timing, input/output structure, non-standard transaction data, etc. Reducing exploitable metadata is important, but eliminating it entirely is impossible.”
Addressing churning, Noether noted that it is a subject of ongoing research, while revealing that there are proper and improper ways of doing it: “Similar to how choosing decoy inputs poorly can lead to heuristics about what is more likely to be the true signer, churning ‘badly’ could lead to heuristics trying to identify the process.”
Though the cryptography powering Zcash shielded transactions is often described as fundamentally better than Monero’s, the dominance of transparent addresses places strong restrictions. Researchers from University College London, now officially known as UCL, were able to de-anonymize several transfers by tackling the conversion step between shielded and unshielded coins. When asked whether Zcash sees value in increasing the number of shielded transactions and thus the anonymity set, Electric Coin Company’s vice president of marketing, Josh Swihart, told Cointelegraph:
“A large anonymity set is important, and we don’t believe there is a point of diminishing returns. We share the world with billions of people, each driving dozens of transactions per month, and hundreds of millions of businesses and institutions driving many multiples more. The anonymity set should be large enough to safely protect all of those people, companies and institutions on a per-transaction basis.”
Swihart also pointed out that the number of fully shielded transactions grows over time, which increases its anonymity set. Nevertheless, data shows that the ratio of shielded to transparent transaction volume has been oscillating between 10% and 20% for most of Zcash’s history, with little recent growth.
Centralization is also a major concern for Zcash, as zk-SNARKs require a “trusted setup” to properly function: specific parameters set by the developers. Any security or trust compromise during each generation event would be catastrophic, as attackers would be able to create new coins virtually undetected. Nevertheless, the introduction of Halo-based technology would remove the need for a trusted setup.
Discussing the importance of anonymity sets, fireice_uk emphasized, “It is life-or-death critical. It is impossible to hide in a crowd of 1. Anything that can be done to whittle down the crowd will impact privacy.” They added, “We can see that very well with the Mimblewimble break,” referring to the breakthrough by Ivan Bogatyy — a researcher at Dragonfly Capital — who de-anonymized up to 96% of real-time Grin transactions.
Grin developers responded by dismissing the importance of the breakthrough. However, they acknowledged that “Grin’s privacy is far from perfect,” noting that “transaction linkability is a limitation that we’re looking to mitigate.”
Is there a clear leader?
Though each system has its own strengths and weaknesses, it ultimately comes down to each user to make the best of available tools. Even Zcash, which has arguably the most resilient anti-linkability system, can still be misused through careless transitions between transparent and shielded addresses. Monero is in this sense somewhat easier to use. As Chainalysis reported in its webinar, it is the preferred privacy coin in darknet markets.
Yet, Bitcoin remains the most popular payment method. Furthermore, its users tend to not place emphasis on privacy, with the majority of funds to darknet markets sent directly from centralized exchanges.
Privacy-enhancing technology appears to be uninteresting to darknet market users, the segment that arguably would need it most. Until privacy coins are widely adopted in high-stakes environments like these, debates on their anonymity will remain highly theoretical.
Non-criminal case for privacy
It’s important to note that privacy should not be strictly associated with illicit use. Chainalysis highlighted that only a little more than 10% of funds sent to mixers come from criminal activities.
A similar proportion can be expected in privacy coin use. Though regulators are increasingly scrutinizing cryptocurrency-enabled crime, maintaining some privacy for legitimate use is critical, according to Chainalysis’s CEO:
“Complete anonymity opens the door to illicit activity that by definition cannot be investigated. That's not a world you want to live in. On the other hand, complete transparency means no privacy at all. That's also not a world you want to live in. We believe that the market decides, and currently the non-privacy coins see the most momentum.”
Speaking on behalf of the company, Swihart’s stance on transaction privacy understandably went even further. Electric Coin Company believes that a person’s ability to transact with others is a fundamental right, while “businesses have a right to transact securely without exposing information to competitors or others that might wish them harm.”
Answering a question on whether facilitating criminal use is an acceptable compromise for privacy, Swihart added, “The compromise argument is a red herring. People with bad intent will use whatever tools they can to do illegal things. Today, that mostly involves the US dollar.”