
Topic: [Education] Bitcoin Privacy and Anonymity (Read 1375 times)

legendary
Activity: 3752
Merit: 1864
March 30, 2024, 02:00:52 PM
#26
F2b
hero member
Activity: 2141
Merit: 926
February 03, 2024, 02:11:13 PM
#25
Hi there! I'm coming from the recent French translation of this topic. That was a great read.

6. CoinJoin
[...] JoinMarket pioneered a lot of CoinJoin science (and BTW, belcher wrote an excellent & comprehensive wiki article on privacy), while Wasabi is the first wallet that implements CoinJoin in both a highly-usable and sound way. [...]
-snip- Wasabi is not our friend any more.  They joined the enemy's boat.

Given what happened with Wasabi, and the reactions here, I was surprised that Whirlpool wasn't brought up by anyone in this particular thread. Because I feel like it has become more or less the de-facto Coinjoin implementation. Is there a reason not to recommend it?
sr. member
Activity: 616
Merit: 442
Forum Only For Fun
August 17, 2023, 01:32:24 PM
#24
to point 6 (coinjoin) from the great education, there is now also a very interesting website called: https://www.coinjoins.org/
it’s a free and open source project to learn about the privacy of collaborative Bitcoin transactions.
https://github.com/CoinjoinsOrg/coinjoins
I found information about coinjoin.org which was launched by this wasabi contributor via Twitter and I opened it at bitcoinmagazine.com
since there is mention of wasabi, I dare not share.

At first glance, from what I read, the articles published on bitcoinmagazine are very good because of privacy education.
https://bitcoinmagazine.com/business/educational-project-for-private-bitcoin-transactions-coinjoins-org-has-officially-launched
legendary
Activity: 3304
Merit: 8633
icarus-cards.eu
August 17, 2023, 12:02:29 PM
#23
to point 6 (coinjoin) from the great education, there is now also a very interesting website called: https://www.coinjoins.org/
it’s a free and open source project to learn about the privacy of collaborative Bitcoin transactions.
https://github.com/CoinjoinsOrg/coinjoins
legendary
Activity: 3304
Merit: 8633
icarus-cards.eu
Today I translated this complete thread with its 16 different topics into German, and I noticed that in the last topic [16. Circuit of Transactions] the link to the picture of the Benes network is broken.
So I post the talkimg link here, so that it can be swapped in for the old one:

legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Even though the wasabi wallet changed from its original purpose, it did not change the history that the Wasabi wallet was a pioneer in implementing the Coinjoin concept. Theymos also said in his post, which I also quoted above:  Re: CoinJoin: Bitcoin privacy for the real world.

But I agree with you when Wasabi Wallet announced this: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/. I will add your note to the Wasabi wallet.  I think this is fair enough for readers to judge from both sides.

Thank you for this update, Husna QA, and also for the fast reply! I understand your point of view: nothing from present changes the past and in the past Wasabi was a pioneer, no matter that it turn rogue now. So the part regarding this wallet being a pioneer of CoinJoin stays, as it's a part of history, and theymos congratulated them for what they were at that moment of the past. However, considering their recent moves, your new added observation is more than welcome.

The update is also reflected inside the Romanian translation of your topic.
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
I am arriving on this thread from Gazeta Bitcoin's translated thread of yours.  I really hope there is no hate for posting in a 2020 thread.  But I think this is very important.  It is important to me at least.

Wasabi is not our friend any more.  They joined the enemy's boat.  So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonymity any more but the opposite.  This is a very disappointing move on Wasabi side and it disgusts me but it is what it is.  Hasna, could you do this?

-
Regards,
PrivacyG
Even though the wasabi wallet changed from its original purpose, it did not change the history that the Wasabi wallet was a pioneer in implementing the Coinjoin concept. Theymos also said in his post, which I also quoted above:  Re: CoinJoin: Bitcoin privacy for the real world.

But I agree with you when Wasabi Wallet announced this: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/. I will add your note to the Wasabi wallet.  I think this is fair enough for readers to judge from both sides.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
I am arriving on this thread from Gazeta Bitcoin's translated thread of yours.  I really hope there is no hate for posting in a 2020 thread.  But I think this is very important.  It is important to me at least.

Wasabi is not our friend any more.  They joined the enemy's boat.  So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonymity any more but the opposite.  This is a very disappointing move on Wasabi side and it disgusts me but it is what it is.  Hasna, could you do this?

-
Regards,
PrivacyG
staff
Activity: 4284
Merit: 8808
December 23, 2020, 03:53:32 PM
#18
Olivier Coutu presented Circuit of Transactions (Decentralized Mixers for Bitcoin) at the Bitcoin conference in May 2013 while Gregory Maxwell's CoinJoin was August 2013. Other much simpler concepts emerged, such as those implemented by Taaki and Martin (but the initial idea was also inseparable from the CoinJoin concept proposed by Gregory Maxwell) [6].
Huh!  I had no idea that was at the conference; I would have found it pretty interesting if I had been there, and would have mentioned it in the coinjoin post!

However, my work in that space substantially pre-dates the conference e.g. https://bitcointalksearch.org/topic/i-taint-rich-raw-txn-fun-and-disrupting-taint-analysis-51kbtc-linked-139581  which included demonstrating it on the network,  as well as describing how to cryptographically blind the participants from each other.  And even those posts were posted as late as they were because I had to wait until the software had the necessary functionality.  I believe public discussion of this kind of approach to improve privacy goes back to mid 2011.

The purpose of the coinjoin thread was just to popularize an existing concept,  driven by the reasoning that because it hadn't been given a catchy name no one was thinking much about it.
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
December 13, 2020, 07:36:05 PM
#17
France is now looking for regulation on crypto heavily & they are likely to force the crypto users to have mandatory KYC for any kind of crypto tx to track the users. This will be a challenge for the privacy seekers as BTC tx are transparent.
https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto
One of the reasons that is often cited for requiring KYC is:

uniswap is taken from the idea of coinswap? Well, when you convert a coin to other coin is consider as swapping. But uniswap has better way of doing it like a complete decentralize exchange. However, I am hearing bad feedback of uniswap recently.
Please focus on the discussion about Bitcoin Privacy. The discussion about Uniswap is already in the altcoins category. To discuss more it please discuss on the following board: Altcoin Discussion.
newbie
Activity: 17
Merit: 1
December 13, 2020, 07:56:36 AM
#16
uniswap is taken from the idea of coinswap? Well, when you convert a coin to other coin is consider as swapping. But uniswap has better way of doing it like a complete decentralize exchange. However, I am hearing bad feedback of uniswap recently.
jr. member
Activity: 700
Merit: 3
December 13, 2020, 07:36:31 AM
#15
Bitcoin is more than the coin we see and the process involved in making sending and receiving it really secured is so unique, more than I can even comprehend from the information I am seeing here.
hero member
Activity: 1358
Merit: 851
December 12, 2020, 11:43:00 AM
#14
France is now looking for regulation on crypto heavily & they are likely to force the crypto users to have mandatory KYC for any kind of crypto tx to track the users. This will be a challenge for the privacy seekers as BTC tx are transparent.
https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto
newbie
Activity: 252
Merit: 0
December 12, 2020, 11:08:09 AM
#13
Bitcoin has reached a point where it can be introduced into our educational system as a case study across the globe, and the world is moving into technology to make life better in the future. Therefore Bitcoin has big structures and is able to solve or reduce world problems by eradicating poverty.
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
December 11, 2020, 09:41:40 PM
#12
16. Circuit of Transactions
back to table of contents

At the 2013 Bitcoin Conference in San Jose, CA [1], Olivier Coutu from the University of Montreal, Canada, proposed a Circuit of Transactions: leveraging network theory to structure Bitcoin transactions into complex circuits, making it more difficult to trace the identities of the parties involved [2].



There are several network concepts used in the circuit of transactions, e.g.:
- Butterfly Network [3]



- Benes Network [4].


Benes Network from Wikimedia Commons [4]

The transaction circuit will make it challenging to analyze the identity of the Bitcoin address owners involved in these transactions, thereby increasing Bitcoin's anonymity [5].
However, the underlying mathematics is complex, and so far no easily usable implementation has been created [6].

There is nothing particularly original about the protocol;
At first glance, the concept of a transaction circuit is similar to Coinjoin.
Olivier Coutu presented Circuit of Transactions (Decentralized Mixers for Bitcoin) at the Bitcoin conference in May 2013 while Gregory Maxwell's CoinJoin was August 2013. Other much simpler concepts emerged, such as those implemented by Taaki and Martin (but the initial idea was also inseparable from the CoinJoin concept proposed by Gregory Maxwell) [6].

Reference:
[1] Bitcoin 2013 conference - Olivier Coutu - Decentralized Mixers for Bitcoin
     https://www.youtube.com/watch?v=6hc8qaR_Fok
[2] Olivier Coutu, Privacy in Bitcoin through decentralized mixers
     https://core.ac.uk/download/pdf/151552849.pdf
[3] Martin Collier. A systematic analysis of equivalence in multistage networks. Journal of Lightwave Technology, vol. 20, No. 9, September 2002
     https://pdfs.semanticscholar.org/9c3a/5530f8492dc63d200f08080ea93c2f0cd6ac.pdf
[4] https://en.wikipedia.org/wiki/Clos_network
[5] Dimaz Ankaa Wijaya, Bitcoin Tingkat Lanjut, page 60: Puspantara, 2016.
     https://play.google.com/books/reader?id=EEFgDQAAQBAJ&hl=en&pg=GBS.PA60
[6] Vitalik Buterin, Trustless Bitcoin Anonymity Here at Last, 2013
     https://bitcoinmagazine.com/articles/trustless-bitcoin-anonymity-here-at-last-1377737692
-    Other references look at post #1

legendary
Activity: 2366
Merit: 2054
15. Coin Control
back to table of contents

The coin control feature allows you to control how you spend the coins in your HD wallet. You can choose which addresses will be the ones sending the coins and which of the coins you have received will be used.

When you send bitcoins to someone else, the Bitcoin client chooses more or less randomly which of your addresses will send the coins. With coin control, you can choose exactly; more specifically, which of your unspent outputs will be the sending inputs.

The image below shows how to enable coin control in the Bitcoin Core wallet:

Settings > Options > Wallet > (tick) Enable coin control features.




And the image below shows how to spend with it (I am using Electrum Wallet on Bitcoin testnet as an example):




How to use?

1. Click Address tab
2. Choose what address you want to spend
3. Right-click and choose spend from



The image shows that your coin control is activated.

This is an example transaction using coin control:



The transaction I made looks like this: https://live.blockcypher.com/btc-testnet/tx/dcfd79703dc27b32b636d10dd037e5ea53055641cbe18c558b6d89a81ccaef09/ (* don't expose the tx id if you want privacy)


Source:

[1]. https://medium.com/@nopara73/coin-control-is-must-learn-if-you-care-about-your-privacy-in-bitcoin-33b9a5f224a2
[2]. https://bitcoin.stackexchange.com/questions/37486/what-does-bitcoin-cores-coin-control-features-do-and-how-do-i-use-it
[3]. https://cryptomining-blog.com/tag/what-is-coin-control/
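As an added example for the coin-control post above (illustration code written for this thread, not Bitcoin Core's or Electrum's coin selection), the following selector only spends coins the user explicitly picked, by label, and refuses to merge coins carrying different labels instead of quietly filling the shortfall from another source. The wallet contents, outpoints and the `tb1q-...` addresses are constructed placeholders; the second function only formats the two JSON arguments that `bitcoin-cli createrawtransaction` accepts.

```python
# Added example for this thread (not Bitcoin Core's or Electrum's coin selection):
# a tiny UTXO selector that only spends coins the user explicitly picked, by label,
# and refuses to merge coins from different labels. Merging is exactly what the
# multi-input clustering heuristic exploits. Wallet contents are constructed.
import json

# Constructed sample wallet: (outpoint "txid:vout", amount in satoshis, label)
UTXOS = [
    ("aaaa:0", 40_000, "donations"),
    ("bbbb:1", 15_000, "donations"),
    ("cccc:0", 90_000, "exchange-kyc"),
    ("dddd:0", 5_000, "donations"),
]


class CoinControlError(Exception):
    """Raised instead of silently pulling coins from another label."""


def select_coins(utxos, target, fee, label=None, dust=546):
    """Largest-first selection restricted to one label.

    Returns (chosen_utxos, change). Change below the dust threshold is
    given to the fee rather than creating a dust output.
    """
    pool = [u for u in utxos if label is None or u[2] == label]
    if len({u[2] for u in pool}) > 1:
        raise CoinControlError("selection would merge coins from different labels")
    chosen, total = [], 0
    for u in sorted(pool, key=lambda u: u[1], reverse=True):
        if total >= target + fee:
            break
        chosen.append(u)
        total += u[1]
    if total < target + fee:
        raise CoinControlError(f"label {label!r} holds {total} sat, need {target + fee}")
    change = total - target - fee
    return chosen, (change if change >= dust else 0)


def rawtx_args(chosen, dest_addr, target, change_addr, change):
    """Build the two JSON arguments `bitcoin-cli createrawtransaction` takes:
    exactly the inputs we chose, and the outputs as BTC strings."""
    inputs = [{"txid": u[0].split(":")[0], "vout": int(u[0].split(":")[1])}
              for u in chosen]
    outputs = {dest_addr: f"{target / 1e8:.8f}"}
    if change:
        outputs[change_addr] = f"{change / 1e8:.8f}"
    return json.dumps(inputs), json.dumps(outputs)


if __name__ == "__main__":
    chosen, change = select_coins(UTXOS, 50_000, 1_000, label="donations")
    print("inputs:", [u[0] for u in chosen], "change:", change)
    # placeholder addresses, not real ones
    print(*rawtx_args(chosen, "tb1q-destination", 50_000, "tb1q-change", change))
    try:
        select_coins(UTXOS, 10_000, 1_000)  # no label picked: the wallet would decide
    except CoinControlError as e:
        print("refused:", e)
```

The two failure paths are the point: with no label the call is refused because the wallet holds coins from two sources, and asking the "donations" label for more than it holds is refused rather than topped up from the "exchange-kyc" coin, which would tie the donation addresses to the KYC'd one on-chain.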
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
13. Taproot
-snip-
Thank you for your contribution.


14. Bitcoin Anonymity Analysis
back to table of contents

There are several characteristics of Bitcoin that are used as the basis for analysing Bitcoin transactions and the identity of the owner of a Bitcoin address. Analysts can dig up information through the Bitcoin blockchain, which is open and accessible to anyone. Moreover, analysts can extract additional information to simplify their work.

Publishing a Bitcoin address is naturally a common thing to do in order to receive payments and donations. But analysts can directly link the Bitcoin address with the real identity of its owner. Transactions related to this address also carry a privacy risk, for the owner of the Bitcoin address and for those who deal with that address.

The characteristics of Bitcoin address information that can be collected on the internet are analysed in research [1]. The researchers collected Bitcoin address information from stores that publish their Bitcoin addresses. After that, they grouped the addresses according to the geographical location of the shops. Of course, from this it can be concluded that customers who transact with these Bitcoin addresses are in the same geographic area as the stores.

The researchers suggest providing a new address for each transaction with new customers to reduce the possibility of analysis as above and to protect customer privacy a little better.

Bitcoin users who display their Bitcoin addresses on sites, forums, and social media are also targets of analysis, including the Wikileaks donation address [2]. The research succeeded in revealing the relations between Bitcoin transactions in a network graph.


Source: An Analysis of Anonymity in the Bitcoin System [2]

A Bitcoin wallet can hold more than one Bitcoin address and manages these addresses for the user. If the user makes a transaction that requires more funds than are held in one address, the wallet will automatically create a transaction with more than one (multiple) inputs. Analysts use this with address clustering techniques, associating the input addresses with the same owner's identity.

This characteristic is exploited in research using clustering techniques [3]. The technique works by collecting transactions with multiple inputs and identifying the owners of these addresses. Other research with a broader reach has also been carried out, using quantitative analysis to determine the general characteristics of the Bitcoin transactions that have occurred [4].

A change address is a Bitcoin address owned by the sender of Bitcoin, used to receive the difference between the amount held in an address and the amount paid. It is a common practice in Bitcoin transactions. Given this practice, it can be said that the sender of Bitcoin owns the change address in a transaction. The change address is also used in clustering techniques [3], and is identified as belonging to the same owner as the multiple input addresses.

The amount of Bitcoin in a transaction can also be a starting point for Bitcoin analysts. For example, if someone makes a payment of a specific amount (say, a distinctive value), someone else can guess who made the transaction with that particular value without having to do a more in-depth analysis.

Reference:
[1] E. Androulaki, G.O. Karame, M. Roeschlin, T. Scherer, and S. Capkun,
     "Evaluating user privacy in bitcoin," in Financial Cryptography and Data Security, ed: Springer, 2013, pp. 34-51
     https://link.springer.com/chapter/10.1007/978-3-642-39884-1_4
[2] F. Reid and M. Harrigan, An analysis of anonymity in the bitcoin system: Springer, 2013.
     https://users.encs.concordia.ca/~clark/biblio/bitcoin/Reid%202011.pdf
[3] S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. McCoy, G.M. Voelker, et al.,
     "A Fistful of Bitcoins: Characterizing Payments Among Men with No Names," USENIX ;login:, 2013.
    https://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf
[4] D. Ron and A. Shamir, "Quantitative analysis of the full bitcoin transaction graph,
     "in Financial Cryptography and Data Security, ed: Springer, 2013, pp 6-24.
     https://link.springer.com/chapter/10.1007%2F978-3-642-39884-1_2
-    Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, pages 110-111: Jasakom, 2017.
     [email protected] ; @kriptologi
-    Other references look at post #1

legendary
Activity: 2366
Merit: 2054
13. Taproot
back to table of contents

The origins of the Taproot idea are in an email from Bitcoin developer Gregory Maxwell in January 2018, then continued by Pieter Wuille.

"What is taproot? Trying to make all output scripts and most spends indistinguishable," said Pieter Wuille. Taproot aims to improve privacy, efficiency, and flexibility of Bitcoin's scripting capabilities without adding new security assumptions.



Instead of having separate concepts for pay-to-pubkey and pay-to-script-hash, combine them into one and make every output both. Every output will be spendable by one key and zero or more scripts. Then make it in such a way that spending with just a public key will be super-efficient: it will only require a single signature on-chain.

Taproot + Schnorr



Taproot is a scheme for signing transaction scripts. Together with Schnorr signatures, through the multi-signature scheme, it enables key aggregation.

Source:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015614.html
https://en.wikipedia.org/wiki/Merkle_tree
https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki
https://cryptonews.com/news/bitcoin-a-step-closer-to-taproot-the-biggest-upgrade-since-s-5618.htm
http://www.altnews.nu/taproot-the-new-update-that-will-revolutionize-the-bitcoin-blockchain/
https://en.bitcoin.it/wiki/Script
https://blog.bitmex.com/the-schnorr-signature-taproot-softfork-proposal/
https://www.bitcoinmedia.id/11-tahun-bitcoin-saatnya-privasi-bitcoin-dengan-taproot-dan-schnorr/
https://bitcoinist.com/schnorr-taproot-soft-fork-promises-big-things-for-bitcoin/
https://diyhpl.us/wiki/transcripts/sf-bitcoin-meetup/2019-12-16-bip-taproot-bip-tapscript/
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
12. MAST (Merklized Abstract Syntax Tree)
back to table of contents

Merklized Abstract Syntax Trees (MAST) is a proposal for the Bitcoin protocol that enables the following:
- Smaller transaction size
- More privacy
- Larger smart contracts.

Issue: Script data not used.
- Satoshi Nakamoto gives Bitcoin a feature that allows users to write programs (called scripts) that can be used as dynamic public keys and signatures.
- When you specify a script - which every wallet does by default - consensus on the Bitcoin protocol will not allow anyone to spend your bitcoin until the predetermined script validates the spend.
- Currently, all scripts must be written on the Blockchain (as a whole).

The origin of MAST
The idea of ​​MAST comes from two pre-existing concepts, namely Abstract Syntax Trees (AST) and Merkle Trees.
- AST - is a way to describe a program by dividing it into separate parts so that it is easier to analyze and also optimize the functions of each.
- Merkle Tree - allows a node to copy some information without having to copy all transactions.

-snip-

Images of Merkle Tree

There are advantages to using the Merkle tree in terms of verifying a block.
For example, in the Merkle tree structure in the picture above, to verify transaction D, a node does not need to copy all transactions A, B, C, D, and E, but enough to copy C, AB, and EEEE information to produce the Merkle root. It has led to the emergence of nodes that do not have a complete copy of the blockchain, which is then called simplified payment verification (SPV).

Reference: Bitcoin Developer Guide - https://bitcoin.org/en/developer-guide#transaction-data (D.A. Harding - 2015, 12 Januari 2016) - https://bitcoin.org/en/glossary/simplified-payment-verification.

Example of Abstract Syntax Tree



Example of Merkle Tree



Example of MAST
Alice can spend the BTC (left picture), or after three months Bob and Charlie can spend the BTC (right picture) - you only need to store the complete encumbrance (Merkle root) to get all the subscripts.



Benefits of Implementing MAST
1. Smaller transactions
You can add as many subscripts as you want.



2. More privacy
The benefits of MAST are likely to work more optimally in improving privacy when combined with other methods such as generalized threshold trees (Pieter Wuille & Gregory Maxwell), scriptless scripts (Andrew Poelstra) and discrete log contracts (Thaddeus Dryja).

3. Larger Smart Contract
Bitcoin has three different byte-size limits that apply to a script depending on the type of encumbrance.



With MAST, you cannot exceed the byte limits:
a 10,000-byte limit for bare scripts, a 520-byte limit for P2SH, and a 10,000-byte limit for SegWit.

Reference:
- https://github.com/jl2012/bips/blob/mast/bip-mast.mediawiki
- https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki
- http://www.mit.edu/~jlrubin/public/pdfs/858report.pdf
- https://bitcointechtalk.com/what-is-a-bitcoin-merklized-abstract-syntax-tree-mast-33fdf2da5e2f
- https://www.youtube.com/watch?v=Phn_Im2K_PY
- https://bitcoinops.org/en/topics/mast/
- https://themoneymongers.com/merkelized-abstract-syntax-tree-mast/
- https://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2017-09-07-merkleized-abstract-syntax-trees/
- Bitcoin Developer Guide  - https://bitcoin.org/en/developer-guide#transaction-data (D.A. Harding - 2015, 12 Januari 2016)
  https://bitcoin.org/en/glossary/simplified-payment-verification
- Other references look at post #1

legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
11. Schnorr Signature
back to table of contents
A Schnorr signature is a signature scheme: a set of mathematical rules that connect a private key, a public key and a signature.
Claus-Peter Schnorr invented this digital signature scheme, but it was not originally intended for crypto technology.
Schnorr is an alternative digital signature algorithm with several advantages.

Currently, Bitcoin uses the ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm to generate cryptographic signatures for messages using secp256k1 keypairs.
The main reason that Bitcoin did not initially use Schnorr signatures is that Schnorr was not standardized and was not generally available in crypto libraries.

Many cryptographers consider Schnorr signatures to be the best in their field because Schnorr offers the right level of accuracy, is relatively fast in terms of verification, and most importantly, Schnorr supports multi-signature. In essence, several signatures can be combined into one new signature.

Previously, it was not possible to use Schnorr in the Bitcoin protocol. Another signature scheme, ECDSA, was built into the Bitcoin protocol, so changing it would have required a hard fork.
But with SegWit (Segregated Witness), all digital signature data is moved into a separate part of the transaction, the witness, which is not integrated into the old Bitcoin protocol. Almost all of the rules applied to the witness can be changed through soft forks, including the scheme used for signatures.

Capacity
The most beneficial part of schnorr is the aggregation of multi signatures.

Many Bitcoin transactions include multiple inputs. All of these inputs require separate signatures, which means that all of these signatures must be included in the transaction, all must be sent over the network, and all must be included in the block.
But with Schnorr, all inputs require only one combined signature that represents all of these different signatures.
Schnorr can provide the option to transact with a simple multi-user scheme.

This is one of the advantages offered by Schnorr. Because only one signature must be included in a transaction, only one must be sent over the network, and only one must be included in the block. This means there is more room for transactions.
The exact amount of additional space depends on the type of transactions included in the block. But rough estimates by Eric Lombrozo (Bitcoin Core developer) show that Schnorr signatures can eventually increase the total capacity by 40 percent or more, on top of the 60 to 100 percent previously offered by Segregated Witness.

Multisig
The capacity increase described above applies to regular transactions, because many transactions include more than one input. But the benefit can be more significant for multisig transactions, transactions where a single input itself requires multiple signatures (usually from different people).


Size of the Bitcoin blockchain with and without multi-signatures.
Source: https://eprint.iacr.org/2018/068.pdf


Privacy
As mentioned earlier, one transaction can include many inputs. In general, these inputs refer to addresses that are all controlled by the same person.
But the privacy-enhancing trick discovered by Gregory Maxwell (Bitcoin Core developer), CoinJoin, allows different users to combine all of their transactions into one transaction. That one transaction will include several inputs from various payers, which send money to several outputs belonging to different payees.
Note: the discussion about CoinJoin can be seen in the topic Bitcoin Privacy and Anonymity, point 6. CoinJoin.

If done correctly, CoinJoin is a great way to increase privacy in the Bitcoin protocol, because it is not clear which inputs pay which outputs.
CoinJoin is not a new concept. But until now, using CoinJoin has usually been a bit of a hassle, which is why most people don't bother.
But Schnorr signatures can add a new advantage to CoinJoin. They allow all participants in a CoinJoin transaction to not only combine their transactions but also to combine their signatures. Doing so means that the actual transaction size will be smaller than all the individual transactions combined, which in turn means the miners will usually charge a lower fee for processing the transaction.
Using the Schnorr signature scheme with CoinJoin will not only increase privacy but also - importantly - can reduce costs for everyone involved in the transaction.


Reference:
- Gregory Maxwell, Andrew Poelstra, Yannick Seurin, & Pieter Wuille, Simple Schnorr Multi-Signatures with Applications to Bitcoin, https://eprint.iacr.org/2018/068.pdf
- Schnorr, https://en.bitcoin.it/wiki/Schnorr
- Schnorr signature, https://en.wikipedia.org/wiki/Schnorr_signature
- Aaron van Wirdum, The Power of Schnorr: The Signature Algorithm to Increase Bitcoin’s Scale and Privacy,
  https://bitcoinmagazine.com/articles/the-power-of-schnorr-the-signature-algorithm-to-increase-bitcoin-s-scale-and-privacy-1460642496
- Alyssa Hertig, Schnorr Is Looking Poised to Become Bitcoin’s Biggest Change Since SegWit,
  https://www.coindesk.com/schnorr-is-looking-poised-to-become-bitcoins-biggest-change-since-segwit
- René Pickhardt, Introduction to Schnorr Signatures for Bitcoin & Lightning Network. Schnorr Signature Tutorial Part1,
  https://www.youtube.com/watch?v=n5aompcR9W0
- René Pickhardt, MuSig - Multisignature Addresses in Bitcoin. Schnorr Signature Tutorial Part 2,
  https://www.youtube.com/watch?v=4v4G8Vtr3Bk
- René Pickhardt, Introduction to Adaptor Signatures via Schnorr Signatures - Schnorr Signature Tutorial Part 3,
  https://www.youtube.com/watch?v=a8Pdpz_Jzok
- Yodik Prastya, Bitcoin Cash Upgrade Fitur Pemulihan Dan Keamanan, https://www.seputarforex.com/berita/bitcoin-cash-upgrade-fitur-pemulihan-dan-keamanan-288550-15
- Privacy, https://en.bitcoin.it/wiki/Privacy
- Other references look at post #1

legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
10. Mixing Service
back to table of contents
There are other methods to deal with privacy issues in Bitcoin transactions, namely, by using a mixing service (randomization).


Bitcoin Mixing [20]

These services have different methods for mixing users' Bitcoin. However, the methods they use can be classified into two groups [21].

In the first group, the service asks users to send bitcoin into a virtual wallet controlled by the service, so that users can later retrieve their bitcoin to be sent to another Bitcoin address. The service provider will exchange the user's Bitcoin for other bitcoin that has no connection with the user's previous bitcoin. If the user wants to pay coins to another party, they can enter the destination address to be paid by the service provider.

The second group is a service that combines several transactions into one large transaction using a concept like CoinJoin (the mechanism combines several similar transactions into a transaction that consists of many inputs and outputs).

When users use services like this, they have to pay a bitcoin service fee to the service operator of between 0.5% and 3%. Although services like this might increase anonymity, there are also risks borne by users, because they cannot control their bitcoin once they have sent it to the operator's bitcoin address. This means that if the service operator acts fraudulently by stealing the user's bitcoin, the user cannot do anything about it, because Bitcoin transactions cannot be cancelled.

In Felix Maduakor's thesis [20] on mixing services (Anonymous Bitcoin Transactions), pages 18-20, the mixing methods are divided into three categories:
https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
The following is a summary of these categories:

1. Decentralized Mixing (P2P Mixing)


A figure of P2P Mixing Service

Several scientific papers about algorithms which allow the transfer of bitcoin anonymously have been published. Some of these algorithms have been implemented in different cryptocurrencies by default (example: Zerocash [22]), but at the time of writing [the thesis], no approach had been widely adopted in the Bitcoin network. Unlike Centralized Mixing Services (CMS), P2P mixing must be implemented in Bitcoin wallet software so that users can access it.

2. Centralized Mixing Services (CMS)


A figure of Centralized Mixing Services

Centralized Mixing Services (CMS) are usually run by commercial website providers who advertise that their services can anonymize Bitcoin transactions. CMS usually charge fees of up to 3% of the initial amount of coins that have not been sold. Often a P2P mixing algorithm is used internally by the CMS.

3. Off Chain Mixing

Every transaction sent through the Bitcoin network is publicly accessible through the Bitcoin blockchain. However, recently there have been many scientific efforts to find solutions for sending and receiving Bitcoin transactions without the need to publish them on the blockchain.
Among the implemented solutions to this problem is the Lightning Network.
The Lightning Network leads to transactions that are almost instant and may eliminate transaction costs.

-snip- Anonymity is very difficult, especially with blockchain-based systems where so much data has to be public, but also in other areas (eg. there are several known weaknesses with Tor). You should always operate with the expectation that any anonymity system you use will eventually fail you. If you're ever confident in your anonymity, then you're wrong. ...
-snip- that even though a mixing service/a mixing algorithm might seem to be reliable at the moment, through a single leak/implementation fault, an attacker could be able to deanonymize any past transaction which has been processed by the mixing services. Even though the leak/implementation fault gets fixed by the service, every transaction which has been processed prior to the fix is irreversibly vulnerable. -snip-

Comparison between Bitcoin Mixer and CoinJoin[23]:
Quote
 #  | Mixer                                                                                  | CoinJoin
 1  | Closed-source and the system cannot be verified.                                       | Open-source and can't be verified by the system (in general).
 2  | A mixer controls the coin.                                                             | The user controls the coin.
 3  | Privacy is lost if the mixer keeps the mixing activity or the mixing method is wrong.[24] | Privacy is lost if CoinJoin's implementation is incorrect.
Some Bitcoin mixer / Bitcoin tumbler website links compiled by LeGaulois[25]:
https://bitcointalksearch.org/topic/m.28964833

Reference:
20. Anonymous Bitcoin Transactions. Felix Maduakor
     https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
21. Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, pages 109-110, 2017: Jasakom
22. Eli Ben Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza.
     Zerocash: Decentralized anonymous payments from bitcoin.
     In Security and Privacy (SP), 2014 IEEE Symposium on, pages 459-474. IEEE, 2014
23. https://bitcointalksearch.org/topic/edu-bitcoin-mixing-service-5125545 - ETFbitcoin
24. Breaking Mixing Services - madu
25. 2019 List Bitcoin Mixers Bitcoin Tumblers Websites - LeGaulois
 -   [Guide] Decent mixing methods - theymos
 -   What is Bitcoin Mixer? - RapTarX
 -   Anonymous Bitcoin Transactions. P. Martin and A. Taaki. (2013, August 25, 2015)
 -   CoinJoin: Bitcoin privacy for the real world - gmaxwell
 -   Other references: look at post #1

legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
9. Merge Avoidance
back to table of contents
Merge avoidance is a term introduced by Mike Hearn in the concept he put forward to identify bitcoin privacy issues.
Merge avoidance is the idea of breaking a certain number of bitcoin transactions into several transactions to avoid identifying the user of the specific amount sent from one user to another[19].
By splitting transactions into small amounts of bitcoin, identifying these transactions becomes more difficult.

Merge avoidance is useful in some instances; for example, Alice and Bob work in the same company and are paid in the form of bitcoin by the company. Bob suspects that he gets a smaller salary than Alice, so he could have asked Alice to send him a small amount of bitcoin. From there, Bob can analyze which transactions are salary payments to Alice and prove his suspicions.

Implementation properties

This scheme has several things that make it nice to implement:
  • It can be written incrementally — a simple and not very smart algorithm can nevertheless still improve someone’s privacy. Later, a better algorithm can be developed and deployed, but it doesn’t require any complicated global upgrades. This is a good fit for the volunteer driven fits-and-spurts, competing-wallets development model that Bitcoin has.
  • It is very simple and has no moving parts or big state machines. You don’t have to worry about a random mobile phone the other side of the world driving into a tunnel at the wrong moment, or running a buggy reimplementation of the software.
  • There is no centralisation, not even any transient rendezvous servers.
  • There are no legal risks, because you’re not relying on any services that could be considered money laundering tools.
  • It is robust. Above, I gave examples of how CoinJoin can appear to work but still leak in the presence of very little additional information. Merge avoidance doesn’t have that problem.

There are also some downsides:
  • How good your privacy is depends heavily on how smartly the people sending you money craft transactions. Thus your privacy relies on people who may not have much incentive to do anything about it. Hopefully common wallet software would do the right thing by default.
  • It increases the number of transactions, although the overhead is not as high as you might think — a transaction is merely a list of inputs, outputs and a two-field header (version and lock time). Inputs and outputs are not really changed over a good CoinJoin implementation, and version/locktime could easily be compressed/varint encoded to save space. The difference would be on the order of bytes rather than kilobytes.
  • It relies on the payment protocol. But many things rely on that, and the payment protocol is critical to cracking down on address reuse, which is needed for all proposed privacy schemes to work anyway. It’s important that we make BIP70 as easy and widespread as possible.


Reference:
19. M. Hearn. (Dec 11, 2013). Merge avoidance A note on privacy-enhancing techniques in the Bitcoin protocol.
     https://medium.com/@octskyward/merge-avoidance-7f95a386692f
 -   https://bitcoinfoundation.org/forum/index.php?/topic/572-merge-avoidance/
 -   Proposal to add Merge Avoidance extension to Payment Protocol - amincd
     https://bitcointalksearch.org/topic/proposal-to-add-merge-avoidance-extension-to-payment-protocol-1120137
 -   Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, page 109, 2017: Jasakom
 -   Other references look at post #1
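The following is an added worked example in Go (it is not code from the post or from Mike Hearn's proposal) of what the merge-avoidance post describes: the same 1.37 BTC payment built the ordinary way, merging the payer's coins into one transaction, and built merge-avoiding, one coin per transaction to several recipient addresses. The coin values, address labels and the two observer heuristics (common-input ownership and "largest output is the payment") are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// UTXO is a coin the payer controls. Values are constructed sample data in satoshi.
type UTXO struct {
	ID    string
	Value int64
}

// Tx is a simplified transaction: the coins it spends and the amounts it pays out.
type Tx struct {
	Inputs  []UTXO
	Outputs map[string]int64 // address -> satoshi
}

// PayMerged is what an ordinary wallet does: merge coins into one transaction
// until they cover the amount, pay the recipient in a single output and return
// the rest as change. The full amount and all the spent coins appear together.
func PayMerged(coins []UTXO, amount int64, recipient, change string) (Tx, error) {
	tx := Tx{Outputs: map[string]int64{}}
	var have int64
	for _, c := range coins {
		if have >= amount {
			break
		}
		tx.Inputs = append(tx.Inputs, c)
		have += c.Value
	}
	if have < amount {
		return Tx{}, errors.New("insufficient funds")
	}
	tx.Outputs[recipient] = amount
	if have > amount {
		tx.Outputs[change] = have - amount
	}
	return tx, nil
}

// PayMergeAvoiding spends each coin in its own transaction and sends each part
// to a different address supplied by the recipient (a BIP70-style payment
// request could carry several). No transaction merges the payer's coins and
// none shows the full amount.
func PayMergeAvoiding(coins []UTXO, amount int64, recipients []string, change string) ([]Tx, error) {
	var txs []Tx
	remaining := amount
	for i, c := range coins {
		if remaining == 0 {
			break
		}
		if i >= len(recipients) {
			return nil, errors.New("recipient did not supply enough addresses")
		}
		pay := c.Value
		if pay > remaining {
			pay = remaining // last coin: pay only what is still owed
		}
		tx := Tx{Inputs: []UTXO{c}, Outputs: map[string]int64{recipients[i]: pay}}
		if c.Value > pay {
			tx.Outputs[change] = c.Value - pay
		}
		txs = append(txs, tx)
		remaining -= pay
	}
	if remaining > 0 {
		return nil, errors.New("insufficient funds")
	}
	return txs, nil
}

// LinkedInputs is the observer's view under the common-input-ownership
// heuristic: all inputs of one transaction are assumed to belong to one wallet.
func LinkedInputs(tx Tx) int { return len(tx.Inputs) }

// LargestOutput is the biggest amount an observer who cannot tell change from
// payment could attribute to a single payment in this transaction.
func LargestOutput(tx Tx) int64 {
	var best int64
	for _, v := range tx.Outputs {
		if v > best {
			best = v
		}
	}
	return best
}

func main() {
	coins := []UTXO{{"coin-a", 40_000_000}, {"coin-b", 50_000_000}, {"coin-c", 60_000_000}}
	const salary = 137_000_000 // 1.37 BTC: the amount Alice would rather Bob not learn
	merged, _ := PayMerged(coins, salary, "alice-addr-1", "employer-change")
	fmt.Printf("merged: %d inputs linked, largest output %d sat\n", LinkedInputs(merged), LargestOutput(merged))
	split, _ := PayMergeAvoiding(coins, salary, []string{"alice-addr-1", "alice-addr-2", "alice-addr-3"}, "employer-change")
	for _, tx := range split {
		fmt.Printf("split:  %d input linked,  largest output %d sat\n", LinkedInputs(tx), LargestOutput(tx))
	}
}
```

Running it shows the point of the post: the merged transaction links all three of the employer's coins and carries the exact 1.37 BTC figure in one output, whereas each merge-avoiding transaction links a single coin and its largest output (0.4, 0.5 and 0.47 BTC) is smaller than the salary, so Bob cannot read Alice's pay off any one of them. As the "downsides" list notes, this only works if the payer's wallet does it and the recipient supplies enough addresses; the function returns an error when it does not.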
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
8. MixCoin
back to table of contents
MixCoin is a concept that creates accountability for mixing services[18]. The MixCoin implementation does not require changes to the Bitcoin protocol, so it can be implemented easily by users.
In MixCoin, two parties are involved. The first party is the one that wants its bitcoin mixed (randomized), and the second party is the one that provides the mixing service.
MixCoin's accountability takes the form of proof of the transaction. If the service provider cheats by stealing the user's bitcoin, the user can expose evidence of the deal, thereby destroying the reputation of the service provider.

The following is a diagram illustrating the MixCoin Protocol18:



Several steps must be taken by user A and service provider M. User A makes a service request to M to create a bitcoin transaction. If M agrees, M signs the information on the transaction requested by A using M's private key. The signed data is evidence that A stores and that anyone can verify using M's public key. Next, A pays the agreed amount of bitcoin to M, including the transaction fee paid to M. If M acts honestly by sending the bitcoin as agreed, the evidence can be discarded. But if M cheats, A can publish the proof showing that M was not honest.

Reference:
18. J. Bonneau, A. Narayanan, A. Miller, J. Clark, J.A. Kroll, and E.W. Felten,
     "Mixcoin: Anonymity for Bitcoin with accountable mixes," in Financial Cryptography and Data Security, ed: Springer,
     2014, pp. 486-504.
     Link to download (PDF): http://www.jbonneau.com/doc/BNMCKF14-FC-mixcoin_proceedings.pdf
 -   Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, page 107-109, 2017: Jasakom
 -   Other references look at post #1
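The following is an added example in Go of the warranty step just described; it is not code from the post or from the Mixcoin authors. M signs the agreed terms, A verifies the signature before paying, and afterwards anyone holding M's public key, the signed terms and a view of the chain can reach a verdict. The field names are loosely modelled on the paper's parameters (value, deadlines, escrow and output addresses, nonce) but the JSON encoding, the toy ledger and the use of ed25519 in place of a Bitcoin-style signature are this example's own assumptions; the paper's randomized fee mechanism is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Warranty is the mixing agreement M signs for A (encoding is this example's own).
type Warranty struct {
	Value    int64  `json:"v"`     // satoshi A will deposit
	FundBy   int64  `json:"t1"`    // block height by which A must pay the escrow address
	ReturnBy int64  `json:"t2"`    // block height by which M must pay A's output address
	Escrow   string `json:"k_esc"` // address controlled by M that receives A's coins
	Output   string `json:"k_out"` // fresh address chosen by A for the mixed coins
	Nonce    string `json:"n"`     // random value that makes each warranty unique
}

// Encode gives the canonical bytes that are signed and verified; struct
// marshalling in encoding/json is deterministic, so both sides agree on them.
func (w Warranty) Encode() []byte {
	b, _ := json.Marshal(w)
	return b
}

// Mixer is M. ed25519 stands in for whatever signature scheme the mix publishes
// a key for; the accountability argument only needs a public-key signature.
type Mixer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewMixer() (*Mixer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Mixer{Pub: pub, priv: priv}, nil
}

// SignWarranty is M agreeing to A's request: the signature is the evidence A keeps.
func (m *Mixer) SignWarranty(w Warranty) []byte { return ed25519.Sign(m.priv, w.Encode()) }

// VerifyWarranty is what A checks before paying, and what anyone checks later.
func VerifyWarranty(pub ed25519.PublicKey, w Warranty, sig []byte) bool {
	return ed25519.Verify(pub, w.Encode(), sig)
}

// Payment is one entry in a toy view of the public chain (constructed data).
type Payment struct {
	To     string
	Value  int64
	Height int64
}

// paidBy reports whether addr received at least value by block height h.
func paidBy(ledger []Payment, addr string, value, h int64) bool {
	var got int64
	for _, p := range ledger {
		if p.To == addr && p.Height <= h {
			got += p.Value
		}
	}
	return got >= value
}

// Audit is the public verdict on a published warranty: given M's public key,
// the signed terms and the chain, anyone can tell whether M kept its word.
func Audit(pub ed25519.PublicKey, w Warranty, sig []byte, ledger []Payment) string {
	switch {
	case !VerifyWarranty(pub, w, sig):
		return "invalid warranty: M never agreed to these terms"
	case !paidBy(ledger, w.Escrow, w.Value, w.FundBy):
		return "void: A did not fund the escrow in time"
	case paidBy(ledger, w.Output, w.Value, w.ReturnBy):
		return "honest: M paid the output address in time"
	default:
		return "cheated: escrow funded but output never paid"
	}
}

func main() {
	m, err := NewMixer()
	if err != nil {
		panic(err)
	}
	w := Warranty{Value: 100_000_000, FundBy: 800_000, ReturnBy: 800_100,
		Escrow: "m-escrow-addr", Output: "a-fresh-addr", Nonce: "3f9c"}
	sig := m.SignWarranty(w)
	fmt.Println("A verifies before paying:", VerifyWarranty(m.Pub, w, sig))
	deposit := Payment{To: w.Escrow, Value: w.Value, Height: 799_990}
	fmt.Println(Audit(m.Pub, w, sig, []Payment{deposit, {To: w.Output, Value: w.Value, Height: 800_050}}))
	fmt.Println(Audit(m.Pub, w, sig, []Payment{deposit}))
}
```

Two details matter for the accountability claim: the deadlines are part of the signed terms, so M cannot later argue about when payment was due, and the verdict is computed from public data only, so A's published warranty is damaging to M precisely because anyone can re-run the audit without trusting A.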

legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
February 28, 2020, 08:20:47 AM
#2
6. CoinJoin
back to table of contents
Gregory Maxwell introduced an alternative solution to increase the level of privacy of Bitcoin users, called CoinJoin[13], which is a development of the ideas previously presented about Taint[14]. CoinJoin is a mechanism that combines several similar transactions into one transaction that consists of many inputs and outputs. The CoinJoin concept was then implemented in an application called CoinJoin[15].

-snip-
CoinJoin Transactions13

The picture above explains how CoinJoin works and how it compares to Bitcoin transactions.

In transaction 1, a 1FF address that has 50 BTC wants to send 0.5 BTC to another address, 1A1, with a return address of 1FF. At the end of the transaction, the 1FF address will have 49.5 BTC.

In transaction 2, there are many input and output addresses. Although this scheme looks like an ordinary Bitcoin transaction, it can be used to protect the identity of the user associated with the transaction. For example, the owner of address 1A1 wants to send 0.8 BTC to 1E5 and does not want anyone else to know of this transaction, so he combines the transaction with another transaction of the same size, for example, from address 1C3 to 1D4. It means that by looking at the transaction, the observer cannot determine which address receives bitcoin from the 1A1 address, because the bitcoin could have originated from 1D4 or 1E5.

UPDATE
Among the applications that are pioneers in the implementation of the CoinJoin concept:

Congratulations to the Wasabi and JoinMarket developers! JoinMarket pioneered a lot of CoinJoin science (and BTW, belcher wrote an excellent & comprehensive wiki article on privacy), while Wasabi is the first wallet that implements CoinJoin in both a highly-usable and sound way. As both a signer and a donor to the CoinJoin bounty fund, I'm thrilled that these two pieces of software exist!

For everyone looking to improve their privacy, I highly recommend checking out Wasabi, especially over centralized "mixers". -snip-

Note:

-snip- Wasabi is not our friend any more. They joined the enemy's boat. So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonymity any more but the opposite. This is a very disappointing move on Wasabi side and it disgusts me but it is what it is. -snip-

See also this link: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/

> They still didn't explain how exactly is zkSNACKs Ltd going to blacklist certain unspent transaction outputs if they are not monitoring and collecting user data

We didn't explain, because it's trivial. By architecture, the Wasabi coordinator cannot breach the privacy of its users. It does not mean the coordinator chooses to not collect data, but it means it couldn't collect even if it wanted to. The coordinator only knows of the UTXOs to take part in coinjoins - so does the public - and that's not a privacy leak.


Reference:
13. gmaxwell, CoinJoin: Bitcoin privacy for the real world
14. gmaxwell, I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)
15. P. Martin & A. Taaki. (2013, August 25, 2015) Anonymous Bitcoin Transactions.
 -   Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, pages 104-105, 2017: Jasakom
 -   Other references look at post #1
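The following is an added example in Go, not code from the post or from any CoinJoin implementation, that makes the "observer cannot determine" claim concrete for the two transactions described above. It enumerates every way the outputs of a transaction could be attributed to its inputs so that the amounts add up (fees are ignored in this simplified model). A plain transaction admits one attribution; the two-party CoinJoin with equal 0.8 BTC payments admits several, so either input could have paid 1E5. The third case goes beyond the post and shows the leak that a poorly constructed CoinJoin has: with unequal payment amounts the attribution of the 0.8 BTC output becomes unique again. Amounts are in satoshi and the address labels are those from the post.

```go
package main

import "fmt"

// enumerate tries every way of attributing each output to one input such that
// the outputs attributed to an input add up exactly to that input's value
// (fees ignored). assign[i] is the input index chosen for output i; visit is
// called once per consistent attribution.
func enumerate(inputs, outputs []int64, visit func(assign []int)) {
	assign := make([]int, len(outputs))
	sums := make([]int64, len(inputs))
	var rec func(i int)
	rec = func(i int) {
		if i == len(outputs) {
			for j := range inputs {
				if sums[j] != inputs[j] {
					return
				}
			}
			visit(assign)
			return
		}
		for j := range inputs {
			if sums[j]+outputs[i] <= inputs[j] {
				sums[j] += outputs[i]
				assign[i] = j
				rec(i + 1)
				sums[j] -= outputs[i]
			}
		}
	}
	rec(0)
}

// CountLinkings is the number of input/output attributions consistent with the
// amounts alone: 1 means the observer can link every output to its input.
func CountLinkings(inputs, outputs []int64) int {
	n := 0
	enumerate(inputs, outputs, func([]int) { n++ })
	return n
}

// PossibleSenders returns the set of input indexes that could have funded the
// given output in some consistent attribution: that output's anonymity set.
func PossibleSenders(inputs, outputs []int64, output int) map[int]bool {
	senders := map[int]bool{}
	enumerate(inputs, outputs, func(assign []int) { senders[assign[output]] = true })
	return senders
}

func main() {
	// Transaction 1 from the post: 1FF (50 BTC) pays 0.5 BTC to 1A1, change back to 1FF.
	fmt.Println("plain tx linkings:", CountLinkings([]int64{5_000_000_000}, []int64{50_000_000, 4_950_000_000}))

	// Transaction 2: 1A1 pays 0.8 BTC to 1E5 and 1C3 pays 0.8 BTC to 1D4 in one
	// CoinJoin; each contributes a 1 BTC coin and takes 0.2 BTC back as change.
	in := []int64{100_000_000, 100_000_000}
	out := []int64{80_000_000, 80_000_000, 20_000_000, 20_000_000} // 1E5, 1D4, change, change
	fmt.Println("coinjoin linkings:", CountLinkings(in, out), "inputs that could have paid 1E5:", PossibleSenders(in, out, 0))

	// The leak: unequal payment amounts make the attribution of the 0.8 BTC output unique.
	in = []int64{100_000_000, 250_000_000}
	out = []int64{80_000_000, 20_000_000, 230_000_000, 20_000_000}
	fmt.Println("unequal coinjoin, inputs that could have paid the 0.8 BTC output:", PossibleSenders(in, out, 0))
}
```

The brute force is exponential in the number of outputs, which is fine for a handful of participants and is exactly why real implementations standardise on equal output amounts: the equal-amount outputs are the only thing that keeps the attribution ambiguous, and any output whose amount is unique among the participants' inputs falls out of the anonymity set.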

legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
February 28, 2020, 06:04:40 AM
#1
This thread is a translated version of a topic that I created on the local Bahasa Indonesia board: [Edukasi] Privasi dan Anonimitas Bitcoin

Privacy and Anonymity
Privacy is a big problem in the Bitcoin system. Although Bitcoin offers pseudonymity, several techniques have been developed to uncover relationships between Bitcoin addresses, transaction patterns, and the real identity of the owner of a Bitcoin address.

Table of contents:
1. Privacy Issues
2. KYC and AML principles
3. Taint
4. Greenlist
5. Geolocation
6. CoinJoin
7. CoinSwap
8. MixCoin
9. Merge Avoidance
10. Mixing Service
11. Schnorr Signature
12. MAST (Merklized Abstract Syntax Tree)
13. Taproot by DroomieChikito
14. Bitcoin Anonymity Analysis
15. Coin Control by DroomieChikito
16. Circuit of Transactions
Reference


1. Privacy Issues
back to table of contents
Bitcoin is designed with a privacy model in which the transactions made and the addresses owned by a user have no direct relationship with the real identity of the owner. The Bitcoin privacy model and its comparison with the traditional privacy model can be described as follows:


Bitcoin Privacy Model[1]

Anyone can join the Bitcoin system without having to register first, because there is no centralized control organization in the Bitcoin system that controls users or the transactions that occur within the system.
Although everyone can see these transactions, the identity associated with the purchase remains hidden.

However, this privacy model does not mean that the user's identity always remains hidden. Many rules have been established, along with characteristics of Bitcoin itself, that can be used to analyze the relationship between bitcoin transactions and the user's real identity. This is why the Bitcoin community tends to refer to Bitcoin as pseudo-anonymous.

2. KYC and AML principles
back to table of contents
Governments around the world are becoming aware of money laundering schemes that can be implemented using digital currencies such as Liberty Reserve, which then forces financial institutions to apply the principles of Know Your Customer (KYC) and Anti Money Laundering (AML). Under the KYC principle, no one can create a bank account without an identity card. The same law is imposed on financial institutions related to the Bitcoin system, such as Bitcoin trading companies that allow users to sell or buy Bitcoin and convert local currencies into Bitcoin or vice versa.[3]

In Indonesia, one of the exchangers for exchanging Bitcoin / Cryptocurrency with Rupiah, namely Indodax, adopted the same mechanism by requiring its users to submit copies of their identities to be validated manually by the company.
It means that Bitcoin trading services have a connection record between the Bitcoin address and the user's real identity.

Because anyone can see every transaction in the Bitcoin system, Bitcoin purchased from the Bitcoin Exchanger can be tracked easily. Therefore, if the transaction is suspected to be related to illegal activities, the identity of the user involved can be identified if the user transacts directly from the exchanger.

3. Taint
back to table of contents
Taint is a transaction trace that can be used to measure the connectivity between one Bitcoin address and another Bitcoin address that is connected to it through transactions between these addresses.[5]

This is the best I could explain the taint analysis you see on blockchain.info but I'm not sure it is very clear: (fictional example for address 1MtPYAjqohLH5gMq3PH5xKVFWWDxrRQEbh)



All addresses which have received a payment are "tainted" and it in no way affects the value of the coins.

Addresses that transact with each other tend to have something related, for example, owned by the same user, or have a seller-buyer relationship in the transaction scheme of buying and selling goods or services.

There used to be a Taint Analysis tool on Blockchain.info (https://www.blockchain.com/)
but at this time, the feature is removed6. (CMIIW)

4. Greenlist
back to table of contents
-snip-
I am also incensed frankly that someone would step into the market with such a muddle-headed thinking, and attempt to sabotage or destroy the core bitcoin feature that gives its value, where the value has been created by Satoshi and a cast of millions of man-hours of contributions of the community and technical wizards developing it mostly on volunteer time.  I am not someone prone to swearing, but this is astonishingly stupid and dangerous.   Please stop now.  In the article it is claimed they sought advice from the Winklevoss twins, if the twins value their estimated $30million bitcoin holding they should advise them to stop: if fungibility is destroyed bitcoins value as a transaction currency is impacted.  
-snip-
Greenlist will eliminate the concept of fungibility, which is a concept where any bitcoin with the same amount should have equal value regardless of where the bitcoin originated.
This greenlist scheme will create different bitcoin valuations depending on whether the bitcoin comes from an integrated address.
Greenlist policies can be a starting point for government agents who have database access to track the identity of anyone who transacts with a specific bitcoin address8.

5. Geolocation
back to table of contents
Geolocation analysis can be understood as a method for mapping Bitcoin users based on their location on the surface of the earth. This can be done by mapping the locations of vendors who accept bitcoin as a means of payment.
Every time a user makes a payment in bitcoin, it can be estimated that the user is in the same location as the vendor, assuming of course that the vendor sells goods offline in a physical store. Thus, analysts can track transaction details, including, if necessary, checking CCTV cameras when searching for the user's presence.


Heatmap of retailers which accept cryptocurrency as payment.12

By combining geolocation techniques and taint analysis techniques, every bitcoin user who shops at a vendor's shop can be tracked. Therefore, without further security, the identity of Bitcoin users can be known.

Reference:
back to table of contents
-   https://en.bitcoin.it/wiki/Privacy
1. Satoshi, Bitcoin: A Peer-to-Peer Electronic Cash System
2. Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, pages 100-104, 2017: Jasakom
    @kriptologi
3. M. Moser, R. Bohme, and D. Breuker, "An inquiry into money laundering tools in the Bitcoin ecosystem,"
    in eCrime Researchers Summit (eCRS), 2013, pp. 1-14.
4. Kaisa, Menata Legalitas Cryptocurrency di Indonesia
5. What is Taint?
6. Was Blockchain.info taint analysis function removed?
7. Any Other Taint Analysis Tools (other than blockchain.info's)?
8. Vitalik Buterin, Why The Bitcoin Greenlist is Structurally Dangerous to the Bitcoin Ecosystem
9. Kashmir Hill, Sanitizing Bitcoin: This Company Wants To Track 'Clean' Bitcoin Accounts
10. adam3us, Coin Validation misunderstands fungibility and could destroy bitcoin
11. https://www.reddit.com/r/Bitcoin/comments/1qj7sw/sanitizing_bitcoin_this_company_wants_to_track/
12. https://coinmap.org/ ; https://academy.binance.com/en/articles/what-is-bitcoin



I am not a native speaker of English and please correct if there is incorrect grammar.
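As an added example for the taint section of this post (not code from the post, from blockchain.info or from any of the references), the Go program below computes a simple proportional taint over a constructed set of transactions: outputs paid to the address under investigation carry taint 1, every other output carries the value-weighted blend of the taint on the transaction's inputs, and an address's taint is the value-weighted average over the outputs it received. This is one reasonable reading of the percentage figure the taint-analysis page used to show; the exact formula blockchain.info used is not stated on this page, so treat the model and the sample chain as this example's assumptions.

```go
package main

import "fmt"

// Outpoint identifies one transaction output; Output is what it pays and to whom.
type Outpoint struct {
	TxID  string
	Index int
}
type Output struct {
	Addr  string
	Value int64 // satoshi
}

// Tx is a simplified transaction. Inputs that reference no transaction in the
// sample (e.g. coinbase rewards) are treated as coins of unknown origin.
type Tx struct {
	ID      string
	Inputs  []Outpoint
	Outputs []Output
}

// OutputTaint gives, for every output, the fraction of its value that traces
// back to coins once held by source. Outputs paid to source carry taint 1;
// every other output carries the value-weighted blend of the taint on the
// transaction's inputs, so taint dilutes when coins are combined with clean ones.
func OutputTaint(txs []Tx, source string) map[Outpoint]float64 {
	taint := map[Outpoint]float64{}
	value := map[Outpoint]int64{}
	for _, tx := range txs { // txs are in chain order, so inputs are already known
		var tainted, total float64
		for _, in := range tx.Inputs {
			v := float64(value[in]) // 0 for coins of unknown origin
			tainted += taint[in] * v
			total += v
		}
		blend := 0.0
		if total > 0 {
			blend = tainted / total
		}
		for i, out := range tx.Outputs {
			op := Outpoint{tx.ID, i}
			value[op] = out.Value
			if out.Addr == source {
				taint[op] = 1
			} else {
				taint[op] = blend
			}
		}
	}
	return taint
}

// AddressTaint aggregates output taint per address, weighted by value received:
// the kind of percentage a taint-analysis page reports for an address.
func AddressTaint(txs []Tx, source string) map[string]float64 {
	ot := OutputTaint(txs, source)
	tainted := map[string]float64{}
	received := map[string]float64{}
	for _, tx := range txs {
		for i, out := range tx.Outputs {
			v := float64(out.Value)
			tainted[out.Addr] += ot[Outpoint{tx.ID, i}] * v
			received[out.Addr] += v
		}
	}
	result := map[string]float64{}
	for addr, v := range received {
		result[addr] = tainted[addr] / v
	}
	return result
}

// SampleChain is constructed data: S (the address under investigation) pays A,
// then A's coin is combined with an unrelated coin from X in one transaction,
// and one of that transaction's outputs moves on to D.
func SampleChain() []Tx {
	return []Tx{
		{ID: "tx0", Outputs: []Output{{"S", 1_000_000_000}, {"X", 1_000_000_000}}},
		{ID: "tx1", Inputs: []Outpoint{{"tx0", 0}}, Outputs: []Output{{"A", 400_000_000}, {"S2", 600_000_000}}},
		{ID: "tx2", Inputs: []Outpoint{{"tx1", 0}, {"tx0", 1}}, Outputs: []Output{{"B", 700_000_000}, {"C", 700_000_000}}},
		{ID: "tx3", Inputs: []Outpoint{{"tx2", 0}}, Outputs: []Output{{"D", 700_000_000}}},
	}
}

func main() {
	for addr, t := range AddressTaint(SampleChain(), "S") {
		fmt.Printf("%-3s %5.1f%% of received value traces to S\n", addr, 100*t)
	}
}
```

On the sample chain A and S2 are 100% tainted by S, X is 0%, and B, C and D each come out at 2/7 (about 28.6%): A's 0.4 BTC was combined with 1.0 BTC of unrelated coins, and the blend is what every later hop inherits. That is the sense in which "all addresses which have received a payment are tainted" (the figure is rarely zero once coins have touched the source), and also why the CoinJoin and merge-avoidance sections matter: combining coins spreads taint thinly across many addresses instead of letting an analyst follow one clean 100% trail.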