Topic: Anonymity in the Bitcoin: Splitting Transactions - page 2. (Read 3321 times)

staff
Activity: 3458
Merit: 6793
Just writing some code
This isn't that hard to do, just enable an advanced user mode and choose which inputs you want to spend. This is easily done in Bitcoin Core and Armory.

There are a few problems here, though not major ones. You are operating under the assumption that change outputs are easily spotted; however, that is not the case. If the change is sent to a new address, then that change cannot be easily tracked or identified as change. It can be rather difficult to identify the change outputs, especially if both outputs have weird uneven values (e.g. 0.3595412) or both are even values (e.g. 0.25). Furthermore, with a newly generated change address and newly generated payment addresses, an observer cannot be certain which output is your change and which is someone you are paying.

Additionally, if you have enough inputs, you can create identical outputs which would make it near impossible for an observer to distinguish which output is for whom. That is also achievable by using even output values or uneven output values for all of the outputs.

Another solution which is perhaps better but slightly harder to do is a CoinJoin transaction; it requires coordinating between multiple parties. CoinJoins combine inputs from various people, so you could have a bunch of your own inputs there and no one would know that those were your inputs, for all they know it could be some other person who participated in that CoinJoin. Then the outputs are all the same amount so it is difficult to distinguish which output is for which person.
newbie
Activity: 6
Merit: 0
Hi all,

I would like to know the opinion of the community on this idea that I have.
Also I'd like to know if this was ever implemented before, but as far as I have researched I couldn't find any evidence of it.

Background
We know that Bitcoin is not an anonymous system but rather it is a pseudonymous environment.

Take, for example, 4chan, where users can make posts but there are no usernames or any sort of way of linking different authors' posts. (anonymous)
On Reddit, on the other hand, there are usernames, and actions/posts can be linked because of that. (pseudonymous)

In Bitcoin anyone can have multiple public addresses ('usernames') and because transactions are public we can track everyone's actions.
In a transaction you are either paying or being paid, and that's how we can link different addresses to the same entities.

Let's then consider both cases:

1) Receiving payment
Let's consider the case where you are being paid, and you don't want those payments to be linked to you.
An easy solution for this would be, for every new payment, make a new address, receive payment, done. No linking and you got the payment.

2) Issuing a payment
Unfortunately, this is a more complex situation.
Here the linking can happen in a transaction that will generate a payment change output address;
or when you use multiple input addresses to sum up for the amount you need to pay. The input addresses are linked.

We can break it down into 3 cases, depending on how much you need to spend and how much you own on some address.

Let's say you want to pay X bitcoins.

2.1) You have an address with exactly X bitcoins
Easy? Make a single transaction with input = output, however I see that maybe we need to account for transaction fees.
I don't know what is the likelihood of this situation, where you own X + Y bitcoins, where Y is the fee amount for the transaction, resulting in a 'no change' transaction.
This would be the case where no change is needed.
If you don't want this transaction to be linked to your original address, you could then use one of the mixing services before you make the transaction and 'break' the link.

2.2) You have an address with more than X bitcoins
In this case, the naive transaction will result in a change address. The problem is that now this change address will carry the history of this payment.
Also, if your original address was already identified somehow, then the change address will probably be linked to it.
The solution I see is to break down your bitcoins by creating new addresses and distributing them among those.
If possible, create one address with X bitcoins, then we are in case 2.1).
Again use some mixing service to 'break' the link with the original address and do the payment with no changes.

However I see it must be really hard to get addresses with the exact amount we want, and some mixing services ask for chunking the bitcoins in some amount they set.
And then we end up on case 2.3)

2.3) You have multiple addresses with less than X bitcoins.
This is where I am concerned about what people currently do.
I believe that users will just make transactions using multiple input addresses and make the payment, possibly with a change output.

If all those multiple addresses you own are originated from a mixing service, then maybe you don't really care that now you are linking again some addresses.
But maybe this linking can be detected and de-anonymized by an attacker because of the value of the transaction or because of the time it happened.
And you will probably end up with a change address that now is linked to all the input used.

But let's say you are WikiLeaks or another entity that gets payments (donations) on new addresses every time.
If you use a multiple input transaction to make up for the amount you need to pay, you have just created the linking point for an attacker, and he can maybe detect who you are (by side channels) and infer the donors.


My proposal here is to increase the anonymity for users by avoiding the creation of multiple input transactions.


The idea is to break down the transaction value X into N smaller transactions with values that match the buyer's bitcoin amounts.
This could be set with an agreement (maybe smart contract) between the buyer and the seller.
This way we can always try to get N-1 transactions of type (2.1) with no changes and only one with a change.
The advantage here is that there would be no link between those N transactions.

There are some details to analyze:
1) Fees, how many transactions is the user willing to create in order to have this better guarantee of unlinkability, taking into account the fees by transaction.
1.1) Maybe we don't mind linking some addresses, maybe some addresses are more sensitive. So we can split the transaction in various ways.
2) How effective this technique would be in practice, against current de-anonymizing techniques/algorithms.

To summarize I believe that this proposal, together with mixing services, could enhance the system privacy.

Please let me know your thoughts on this. :)
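The split the post proposes, as an added example that is not code from the thread or from any wallet: a planner that spends one coin exactly wherever it can (no change output) and settles the remainder with a single change-carrying transaction, beside the naive multi-input transaction, both scored by the input-linking an observer gets from "inputs spent together share an owner". The flat fee, coin values and payment amount are constructed assumptions, in satoshi.

```python
"""Added example, not code from the thread: a planner for the proposed
'split the payment' scheme, next to the naive multi-input transaction,
with a crude observer metric. Fee, coin set and amount are assumptions."""

FEE = 1_000  # assumed flat fee per transaction, in satoshi


def naive_plan(coins, amount, fee=FEE):
    """One transaction, adding inputs largest-first until it covers the
    payment plus fee; the leftover becomes a change output."""
    inputs, total = [], 0
    for c in sorted(coins, reverse=True):
        inputs.append(c)
        total += c
        if total >= amount + fee:
            return [{"inputs": inputs, "pay": amount, "change": total - amount - fee}]
    raise ValueError("insufficient funds")


def plan_split(coins, amount, fee=FEE):
    """The thread's proposal: several transactions, each spending one coin.
    Pass 1 spends coins exactly (pay = coin - fee, so no change output);
    pass 2 settles any remainder with a single coin and one change output."""
    remaining, unused, txs = amount, sorted(coins, reverse=True), []
    for c in list(unused):
        pay = c - fee
        if 0 < pay <= remaining:  # exact spend: no change, nothing to link
            txs.append({"inputs": [c], "pay": pay, "change": 0})
            unused.remove(c)
            remaining -= pay
    if remaining > 0:
        candidates = [c for c in unused if c - fee > remaining]
        if not candidates:
            raise ValueError("insufficient funds")
        c = min(candidates)  # smallest cover keeps the change output small
        txs.append({"inputs": [c], "pay": remaining, "change": c - remaining - fee})
    return txs


def observer_view(txs, fee=FEE):
    """What an analyst gets from the common-input-ownership heuristic: the
    largest cluster of the payer's coins tied together by one transaction,
    how many change outputs remain to keep tracing, and the fee paid."""
    return {
        "transactions": len(txs),
        "largest_input_cluster": max((len(t["inputs"]) for t in txs), default=0),
        "change_outputs": sum(1 for t in txs if t["change"] > 0),
        "total_fee": fee * len(txs),
    }


if __name__ == "__main__":
    COINS = [12_000, 9_000, 8_000, 5_000, 2_500]  # constructed wallet
    print(observer_view(naive_plan(COINS, 24_000)))
    print(observer_view(plan_split(COINS, 24_000)))
```

With the constructed wallet the naive path links three coins in one transaction and leaves a 4000 sat change output, while the split pays four times the fee to link nothing and leave a 500 sat change output, which is the fee/unlinkability trade-off the post lists as detail 1.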