Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99
Why CoinJoin, as Used in DarkCoin, does NOT bring Full Anonymity
A Clarification
Abstract
Contrary to what is widely claimed, CoinJoin is not fully anonymous. We prove this by a simple example.
Hence, the claim “CoinJoin (or DarkCoin) provides full anonymity” is proven wrong.
Users of crypto-currencies must be educated to be aware that solely using CoinJoin (as used e.g. in DarkCoin) does not guarantee anonymity at all.
Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [1 of 4]
1. The Counter-Example (to Prove that CoinJoin is not Fully Anonymous)
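Legend: Meaning of symbols in the following diagrams:
[Legend: "110 A1" denotes Address "A1" with 110 coins; the diagrams mark each transaction as either a normal transaction or a CoinJoin transaction.]
We assume that the following transactions are observable in the blockchain:
Transaction 1:
[Diagram: CoinJoin transaction. Inputs: A1, A2, A3 with input amounts 110, 130, 120 (A1 holds 110 coins). Direct outputs: A10 (10), A11 (20), A12 (30). CoinJoin pool: 300 coins. Pool outputs: A4 (10), A5 (90), A6 (20), A7 (80), A8 (30), A9 (70).]
Transaction 2:
[Diagram: CoinJoin transaction. Inputs: A10 (10), A13 (10), A14 (10). CoinJoin pool: 30 coins. Pool outputs: A15 (1), A16 (9), A17 (2), A18 (8), A19 (3), A20 (7).]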
Transaction 3:
[Diagram: Inputs: A6 (20 coins), A18 (8 coins). Outputs: A21 (25 coins, amount to pay), A22 (3 coins, change).]
2. Analysis of the Transactions
• Let's assume that Address A1 (compare Transaction 1) is known to be an address that has been used for illegal activities.
• Let's further assume that Address A21 belongs to a merchant that bills 25 coins to a customer, and Transaction 3 shows this payment.
Question: Can the merchant (or an institution that has access to the payment data of this merchant) find out by blockchain analysis if the payer of this bill is involved in illegal activities?
Answer: Let's try to find out (in reality, this task would of course be performed by a powerful computer, but we will do it “manually” here for the sake of illustration):
• The payer of Transaction 3 used two inputs, Addresses A6 and A18.
• Both A6 and A18 are outputs of a previous CoinJoin transaction (compare Transactions 1 and 2), so at first glance one would think that it is not possible to track back the money flows. But we'll try anyway...:
• We track back Address A18: From Transaction 2 (readable in the blockchain) we see that the funds of A18 stem from EITHER A10 OR A13 OR A14 – we cannot say for sure, but we know that at least one of them is the earlier owner of the money of A18.
• We track back Address A6: From Transaction 1 (readable in the blockchain) we see that the funds of A6 stem from EITHER A1 OR A2 OR A3 – we cannot say for sure, but we know that at least one of them is the earlier owner of the money of A6.
• Looking further at Transaction 1, we see that A10 is a transaction output of input A1.
• In other words: It is very likely that the owner of A10 is the same as the owner of A1.
• This is even more so, as the owner of A6 & A18 is provably the same person, and these addresses can be tracked back to A1 and A10 respectively.
• Hence it is very likely that the owner of A6 and A18 (i.e. the payer of the merchant's bill) is also the owner of A1 and A10.
• Hence there is strong evidence that the payer of the merchant bill to A21 is involved in illegal activities in connection with Address A1.
The evidence is not 100% of course, but very strong. It is theoretically possible, but highly unlikely, that the payer's wallet (A6 and A18) is connected to Address A1 in two different ways (first directly via Transaction 1, and secondly via A10 and Transaction 2) by pure coincidence.
Hence, there is sufficiently strong evidence and justification to trigger deeper real-world investigations in the direction of the payer of merchant bill A21.
2.1 Alternative without CoinJoin
Remember that with “normal” blockchain transactions over multiple stages we also cannot reach 100% evidence that the owners of different addresses are the same person, but, similarly to what was demonstrated above, here too we can get strong evidence.
This is illustrated by a corresponding example:
Transactions (alternative):
In this case, Address A1 is first split to A10 and A96. Theoretically, there is no 100% proof that any of these two addresses belongs to the same person as A1.
In the next step, A10 and A96 are further “split” to other addresses. This step could be repeated many times of course – not shown above to keep the illustration simple.
Finally, A6 and A18 are the input to the same “Transaction 3”, hence A6 and A18 must belong to the same person.
Theoretically, the payer of Transaction 3 and owner of A6 & A18 could argue that he is the owner of neither A10 nor A96, and that it is pure coincidence that he received the funds from A10 and A96 into A18 and A6. Theoretically, the owners of A1, A10 and A96 and the payer of Transaction 3 (= owner of A6 & A18) could all be different persons. It is just that the probability of this is very low.
So, after all, the situation is very similar to the CoinJoin scenario.
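The tracing argument of Sections 2 and 2.1, as an added example that is not part of the original paper: the candidate-source graphs are read off the paper's diagrams, and the names `ancestors` and `trace_spend` are chosen here for illustration. The change outputs A11 and A12 of Transaction 1 are left out because they play no part in the trace.

```python
from collections import deque

# Candidate-source maps read off the paper's diagrams (output -> addresses its
# coins may stem from). A CoinJoin pool output may stem from any pool input.
POOL1 = ("A4", "A5", "A6", "A7", "A8", "A9")
POOL2 = ("A15", "A16", "A17", "A18", "A19", "A20")
COINJOIN = {
    **{out: {"A1", "A2", "A3"} for out in POOL1},     # Transaction 1
    "A10": {"A1"},  # direct output of input A1 (A11/A12 omitted: unused)
    **{out: {"A10", "A13", "A14"} for out in POOL2},  # Transaction 2
}
# Section 2.1 alternative: plain splits, one possible source per output.
PLAIN = {"A10": {"A1"}, "A96": {"A1"}, "A18": {"A10"}, "A97": {"A10"},
         "A6": {"A96"}, "A98": {"A96"}}

def ancestors(parents, addr):
    """Every address that could have funded addr, over any number of hops."""
    seen, queue = set(), deque([addr])
    while queue:
        for src in parents.get(queue.popleft(), ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen

def trace_spend(parents, inputs, flagged):
    """Apply the paper's argument to one multi-input payment.

    The inputs of the payment belong to one person (the paper's premise for
    Transaction 3), so a flagged address that is a candidate ancestor of
    every input is linked to the payer once per input.
    Returns (ancestor set per input, flagged addresses common to all inputs).
    """
    per_input = {addr: ancestors(parents, addr) for addr in inputs}
    common = set.intersection(*per_input.values())
    return per_input, common & set(flagged)

if __name__ == "__main__":
    for name, graph in (("CoinJoin", COINJOIN), ("plain", PLAIN)):
        per_input, hits = trace_spend(graph, ["A6", "A18"], {"A1"})
        for addr, anc in per_input.items():
            print(f"{name}: {addr} <- {sorted(anc)}")
        print(f"{name}: flagged ancestors shared by all inputs: {sorted(hits)}")
```

Both graphs return A1 as the only flagged address reachable from every input of Transaction 3, which is the similarity Section 2.1 points out; the result is a candidate link, not proof of ownership.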
3. Conclusion
It has been shown that the notion of CoinJoin bringing full anonymity is a fallacy.
Instead, CoinJoin, as used in DarkCoin, does not prevent blockchain analysis and tracking back payments to derive probabilities of persons being owners of certain addresses.
Users of crypto-currencies must be educated to be aware that solely using CoinJoin (as used e.g. in DarkCoin) does not guarantee anonymity at all.
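[Diagram for “Transactions (alternative)” in Section 2.1: Transaction 1 splits A1 (110 coins) into A10 (10) and A96 (100). Transactions 2a and 2b are the two further splits: A10 into A18 (8) and A97 (2); A96 into A98 (80) and A6 (20). Transaction 3 spends A6 and A18 to pay A21 (25) with change A22 (3).]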