tag:blogger.com,1999:blog-38040511487295963.post3570651810390844552..comments2020-10-11T04:57:06.342-07:00Comments on An Analysis of Anonymity in the Bitcoin System: Bitcoin is not AnonymousMartin Harriganhttp://www.blogger.com/profile/01610696350600503266noreply@blogger.comBlogger45125tag:blogger.com,1999:blog-38040511487295963.post-31311336139693879562014-06-11T16:11:55.628-07:002014-06-11T16:11:55.628-07:00Impressive. You can certainly track the coins hith...Impressive. You can certainly track the coins hither and yon in a relatively easy-to-show manner, which is certainly a good first step in IDing a specific user.<br /><br />Sadly, unless that user has - somewhere along the line - identified themselves (ex. buys a pizza and has it delivered to their home or some other event)...They're still unidentifiable unless they pooch it in the future.<br /><br />Simply washing the BTC little by little through real-world traders (physical coins or not) would scupper this method of tracking as suddenly you have branch offs and coins becoming 'clean' again over time, or at least impractical to backtrace. <br /><br />A fine piece of design, analysis and e-tracking but still derail-able. :[<br /><br />Bitcoins may not be anonymous in themselves, yet if you don't expose yourself (which is pretty much the first law for nefarious activities, LulzSec notwithstanding) your still anonymous for all practical purposes!Anonymoushttps://www.blogger.com/profile/07002459536748239020noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-16997006701946308652013-02-25T14:16:10.235-08:002013-02-25T14:16:10.235-08:00There is a good chance that this analysis will hel...There is a good chance that this analysis will help _save_ bitcoin [B¢] from paranoid future regulation.<br /><br />If someone invented plain cash, nowadays, it would quickly get banned before it gained traction. That B¢ is traceable feeds enough spy fantasies to resist banning. It might take time and effort to track someone down, but the thrill of this would probably make B¢ _more_ appealing to law enforcement.<br /><br />Sometimes a leaky bucket is better than a tight one.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-32710874059367508812013-01-30T14:14:41.581-08:002013-01-30T14:14:41.581-08:00@Martin that is unsound reasoning. What if my wife...@Martin that is unsound reasoning. What if my wife and I have separate bitcoin accounts but we use both together to make a joint purchase? What if I inappropriately get ahold of her private key and make a purchase in tandem with my own? What if we both hold both accounts?<br /><br />The combination of accounts on a transactions is completely uninformative about who or how many people control the accounts, or whether the account was used legitimately or illegitimately. You cannot draw the conclusions you wish to from the data we have.Alan Ché Alexioshttps://www.blogger.com/profile/16921805345264901308noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-29767338716190718772011-12-05T00:52:52.309-08:002011-12-05T00:52:52.309-08:00@Zooko, in the paper we describe an ancillary netw...@Zooko, in the paper we describe an ancillary network that maps multiple public-keys to individual users. We do this using a a property of transactions with multiple inputs. Basically, if you control, say, three separate public-keys, PK_A, PK_B and PK_C, and (inadvertently?) use all three to sign a transaction in order to send Bitcoins to another public-key, you have revealed that one user controls all three. This information can be applied retrospectively -- a transaction you may perform in the future may reveal information about transactions you performed in the past.Martin Harriganhttps://www.blogger.com/profile/01610696350600503266noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-17108649115923449532011-11-30T19:13:45.507-08:002011-11-30T19:13:45.507-08:00"We have determined that these four public-ke..."We have determined that these four public-keys — which receive Bitcoins from two separate flows that split from each other two days previously — are all contracted to the same user in our ancillary network. "<br /><br />What does this mean? What does it mean for a public key to be "contracted to" a user, and how did you determine that these four had that relationship to the same user?Anonymoushttps://www.blogger.com/profile/17046522562803939443noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-9874198388522465042011-11-30T19:11:35.369-08:002011-11-30T19:11:35.369-08:00Oh, no I was confused when I thought that was why ...Oh, no I was confused when I thought that was why I was confused. Actually it is hard for me to see some of the arrowheads so I had one of the links backwards.Anonymoushttps://www.blogger.com/profile/17046522562803939443noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-15649535552034606182011-11-30T19:07:50.416-08:002011-11-30T19:07:50.416-08:00Hi! I've been confused by this in the past, an...Hi! I've been confused by this in the past, and now trying to understand it again, I think I see part of why. You've swapped "A" and "B" in the following sentence, haven't you?<br /><br />"Flow 1 splits at the vertex labeled A in the right inset at 04:05 the day after the theft. Some of its Bitcoins rejoin Flow 2 at the vertex labeled B."Anonymoushttps://www.blogger.com/profile/17046522562803939443noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-65147415889537582902011-10-07T08:48:28.029-07:002011-10-07T08:48:28.029-07:00Would it be possible to build into the client a to...Would it be possible to build into the client a tool that would recognize bitcoin that was involved in a dispute before accepting it? As we try to grow this system, we do need ways to deter fraud. Of course, there would have to be some sort of arbitration panel to resolve disputes, but a system like that might help reduce the need for escrow in everyday transactions as well.Anonymoushttps://www.blogger.com/profile/05098127331684338857noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-87936245204157714362011-08-11T03:08:38.565-07:002011-08-11T03:08:38.565-07:00jhtrde54e: Tor ensures anonymity at the TCP/IP lev...jhtrde54e: Tor ensures anonymity at the TCP/IP level. If you use Tor exclusively then mappings between Bitcoin addresses and IP addresses are essentially useless. However, in many cases, it is still possible to establish that two or more public-keys (identities within the Bitcoin system) are actually controlled by a single user. So, yes, even if you use several different Bitcoin public-keys and use Tor intermittently, it may be possible to link transactions performed while using Tor to transactions performed while not using Tor.Martin Harriganhttps://www.blogger.com/profile/01610696350600503266noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-26979810826149504972011-08-10T05:24:55.162-07:002011-08-10T05:24:55.162-07:00Just to be clear then, if traffic analysis on bitc...Just to be clear then, if traffic analysis on bitcoin can provide an ip-to-bitcoin-address mapping, then is trading done using bitcoin through tor completely anonymous?<br /><br />It sounds like if bitcoin is used exclusively through tor, that anonymity is guaranteed, but can your identity be revealed if you preform one transaction through tor, and subsequent ones not through tor? Even if you use a different bitcoin address for each transaction?<br /><br />I hope these aren't silly questions, as I haven't yet read the paper yet myself. (I plan to soon though!)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-43391588673454059502011-08-02T02:21:40.628-07:002011-08-02T02:21:40.628-07:00Richard_N: Thanks for the comment. We will look at...Richard_N: Thanks for the comment. We will look at using colorblind-safe colors in future revisions of the paper.Martin Harriganhttps://www.blogger.com/profile/01610696350600503266noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-21188349127475512822011-08-02T00:21:57.831-07:002011-08-02T00:21:57.831-07:00Gavin:
How about working on an encrypted P2P distr...Gavin:<br />How about working on an encrypted P2P distributed file system to store everyone's wallets ?<br />If that is even remotely possible, it should be attempted IMHO...Etiennehttps://www.blogger.com/profile/16340529925881723006noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-51328625482080301092011-07-29T17:42:50.684-07:002011-07-29T17:42:50.684-07:00RE: the Faucet and IP addresses:
I haven't re...RE: the Faucet and IP addresses:<br /><br />I haven't read the full paper yet. I'm torn between doing something to anonymize the IP addresses and using the Faucet as a way of educating people about the issues of bitcoin pseudo-anonymity.<br /><br />I suppose I could do both... but frankly I'm not very motivated to spend more time working on the Faucet (I've got much higher priority work on my TODO list).Gavin Andresenhttps://www.blogger.com/profile/10105284501947275111noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-51089467831993578592011-07-27T06:26:33.207-07:002011-07-27T06:26:33.207-07:00I do like the pictures !I do like the pictures !Benhttps://www.blogger.com/profile/10105827488821889563noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-6920376091213954802011-07-27T02:17:40.559-07:002011-07-27T02:17:40.559-07:00Thanks Gavin - great to get the positive feedback....Thanks Gavin - great to get the positive feedback.<br /><br />We understand that people such as yourself have been saying for a while that there was no anonymity built into the system.<br /><br />There's often a gap between theory and practice, and we weren't sure how hard it would be to decipher what was happening in practice; we hadn't seen any other public studies on this.<br />We were actually quite surprised at how well our attempts to make sense of the block chain actually worked in practice.<br /><br />As you say, we are hoping that this blog, and the graphics showing transaction activity, will give users a better understanding of the lack of practical anonymity, and dispel the anonymity meme.<br /><br /><br />On a related note, did you see the part of our preprint (in the paper, but not discussed on the blog) about using the IP->bitcoin_address mapping that the faucet gives publicly, to deanonymise some users?<br /><br />I think this is a fairly significant source of identifying information; coupled with address linking, we find it sometimes associates a timestamped IP with a significant amount of prior Bitcoin activity.<br /><br />We also came across a few instances where linked accounts had received several faucet allocations between them - presumably people trying to game the faucet.<br /><br />I presume you don't have much sympathy for the later category, but would you consider modifying the faucet so as to not make the IP addresses public? <br />Or even to print the list of IP addresses separate from the transactions they were for? <br />I don't see any real reason to show the IP address->transaction mapping - I would imagine a shuffled list of IPs would be just as effective, at cutting down faucet fraud, while identifying a lot fewer users?<br /><br />Regardless, thanks again for your comment, its very encouraging to get good feedback from someone that is as knowledgeable about Bitcoin as yourself.Fergalhttps://www.blogger.com/profile/13326762176311257293noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-33129602201981364682011-07-27T00:44:28.399-07:002011-07-27T00:44:28.399-07:00Nice work! The core bitcoin developers have been s...Nice work! The core bitcoin developers have been saying that "bitcoin is not anonymous unless you know how it works and you work pretty darn hard to make it anonymous" for months.<br /><br />If I recall correctly, the bitcoin.org home page used to refer to bitcoin transactions as being anonymous, which was an unfortunate mistake that probably started the whole "bitcoin is for anonymous transactions" meme. I hope your work will help stop that meme from spreading any further.Gavin Andresenhttps://www.blogger.com/profile/10105284501947275111noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-47559107913273913252011-07-26T13:41:26.490-07:002011-07-26T13:41:26.490-07:00Thanks for a fascinating article - you've made...Thanks for a fascinating article - you've made what could easily be a baffling subject very clear... almost.<br /><br />Might I make a constructive criticism?<br /><br />I'm colour-blind, and that made the diagrams very difficult to follow until I realised I could save them, select individual colours without knowing what they are and highlight them.<br />Some of the coloured text embedded in the body of the work simply don't show at all for me unless I 'select all' to mask the colours.<br /><br />In print, this option won't be available. Accessibility is important...Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-87379089464731149562011-07-26T00:57:43.274-07:002011-07-26T00:57:43.274-07:00Thanks for your work guys, it was an interesting r...Thanks for your work guys, it was an interesting read :)c_khttps://www.blogger.com/profile/18373205472116897590noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-90780384489686558242011-07-25T19:44:50.850-07:002011-07-25T19:44:50.850-07:00"And still... the fact that you didn't re..."And still... the fact that you didn't reveal any identifying information about the PERSON behind the account number really undermines your title, if not your thesis."<br /><br />Even if we had such identifying information, we'd have to think long and hard about the ethics of revealing it, and outing someone publicly.<br />As others have pointed out, we only have one forum user's word - widely reported in the media, but still - that a theft actually occurred.<br /><br /><br />Again, the first line of this post states that: "It may be possible to conduct transactions is such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified."<br />Our point, all the way through, is that its possible to make sense of whats going on in the network, and see interesting patterns. As such, users shouldn't assume the system is providing anonymity - because its not.<br /><br />There are a number of anonymity pitfalls - the address linking is very real in practice, and we see a lot of identities (forum posters, faucet receiving users, organizations) linked, that probably don't realize they are so easily linked.<br /><br /><br />Finally, we should point out that we aren't in the business of identifying individual people, in the system. (Other parties may be.)<br />We are just analyzing the level of anonymity provided by the system, and pointing out that its possible to associate addresses, and track flows.<br /><br />So, if we were a large exchange or other service, that had a lot of individual identities, perhaps due to incoming payments - or a law enforcement agency with the power to subpoena such an exchange, or computer criminals that cracked its database - then the architecture of the Bitcoin system would provide very little practical anonymity.<br /><br />We look at the identities from the Bitcoin forum as a proxy to this, and we can see at all sorts of relationships between those users. This gives us a sense of the level to which an exchange would be able to track individual people. (Equally, unless those users are accessing the Bitcoin forum using TOR, if it is keeping logs, then they are already mapped to real individuals - though we don't have the mapping, and wouldn't particularly want it, in any event.)<br /><br /><br />All this is without considering more sophisticated attacks, or active attacks (such as running a mixing service, flooding another mixing service with coins from accounts you control, etc)<br /><br /><br /><br />Thanks for your comment on the graphics - if you are curious, the one on the top is created using Gephi, and the ones on the bottom are a combination of Graphviz, for layout, and a set of visualization generating code we wrote. We used the excellent Python library Networkx, with graphviz, for the custom visualizations. Also used were the bitcointools, and R.Fergalhttps://www.blogger.com/profile/13326762176311257293noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-32313981821988369232011-07-25T19:44:32.632-07:002011-07-25T19:44:32.632-07:00Erik:
The issue you are taking with the title see...Erik:<br /><br />The issue you are taking with the title seems to be primarily about what semantics are attached to something being 'not anonymous'.<br />We aren't trying to say 'Bitcoin is never anonymous' or 'Bitcoin cannot be used anonymously' - just that anonymity is not a property of the system.<br /><br />I'd also like to point out that, even if you don't agree with these semantics, that our summary at the top (the first few lines of this blog post) address your concerns - so there's clearly no attempt to mislead anyone here. I think we've been pretty thorough on this point - there's a 13 page paper on arxiv, which hopefully sets out our findings pretty clearly.<br /><br /><br />To come at this from another angle, you write:<br />"Clearly, Bitcoin permits anonymity, and that is a huge advantage of the system. The fact that such anonymity is not 'automatic' doesn't dismiss the advantage."<br /><br />But, a huge advantage of the system, compared to what?<br /><br />You can make a parallel argument about every other sort of payment system - you could say that credit cards permit anonymity; because, so long as the users go to great lengths to acquire a credit card that isn't associated with them, they can use it anonymously.<br />But I wouldn't then say 'the credit card system permits anonymity, which is a huge advantage of the system'.<br />And, in fact, I'd be happy to say 'credit card payments are not anonymous' - because, while they can be used anonymously, its very hard, and it'd be very hard not to leak your identity at some point.<br /><br />Similarly, with Bitcoins, you've got to buy your Bitcoins from somewhere (Ok, some users mine them, but fast forward a few years, and the mining will be all done) and, as we've shown, in practice, its hard for users to avoid binding together different addresses into a single identity.<br /><br />I think that if Bitcoin had some form of sophisticated mixing built into it, at a protocol level, or if it was just practically impossible to follow transaction flows, or make associations between addresses, then it'd be reasonable to say 'Bitcoin is anonymous'.<br /><br />But it doesn't; users shouldn't think it does; these attacks are practical, as we've shown; so I'm happy to describe it as 'not anonymous', as it currently stands.Fergalhttps://www.blogger.com/profile/13326762176311257293noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-258355118240161402011-07-25T17:40:05.321-07:002011-07-25T17:40:05.321-07:00Fergal - I understand your intention was merely t...Fergal - I understand your intention was merely to track "network flows," but I take issue with the title of your piece.<br /><br />The title was clearly intended to grab attention, and it states in no uncertain terms that "bitcoin is not anonymous." I think that statement is as misleading as saying that "Bitcoin IS anonymous."<br /><br />Clearly, Bitcoin permits anonymity, and that is a huge advantage of the system. The fact that such anonymity is not "automatic" doesn't dismiss the advantage. <br /><br />And still... the fact that you didn't reveal any identifying information about the PERSON behind the account number really undermines your title, if not your thesis.<br /><br />I do appreciate that you're trying to make sure users are aware that anonymity is not easy and automatic. This type of education is valuable. And damn do those graphics look nice :)Erik Voorheeshttps://www.blogger.com/profile/01780045950459697961noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-38356168141689122502011-07-25T16:51:09.760-07:002011-07-25T16:51:09.760-07:00Guys, beautiful work on this!
With the uncertaint...Guys, beautiful work on this!<br /><br />With the uncertainties that currently exist with our global economy (i.e. a default on US debit looming!), the hope that we will one day have a decentralised means of trading is awsome.<br /><br />This report brings us one step closer and clears up some of the fear that surrounds it.toeyhttps://www.blogger.com/profile/15630681963968622890noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-80738614884797864232011-07-25T16:50:04.852-07:002011-07-25T16:50:04.852-07:00This comment has been removed by the author.toeyhttps://www.blogger.com/profile/15630681963968622890noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-20811925939472183652011-07-25T15:05:02.181-07:002011-07-25T15:05:02.181-07:00joepie91:
Thanks for your comment.
That's ce...joepie91:<br /><br />Thanks for your comment.<br /><br />That's certainly one way of putting it.<br /><br />We aren't saying that we know the identities of everyone on Bitcoin, just because they use Bitcoin.<br />Like any Internet based service, users can take steps to make sure the network never knows their identity (using TOR etc)<br /><br />This will limit the usefulness of Bitcoin - users that want to be anonymous would have to be very careful to never make a mistake, and buy something, or spend BTC, in a way that can identify them. And, frankly, such usage is outside the technical sophistication of most users.<br /><br />So, if people start using Bitcoin as a broadly adopted currency, for buying their online shopping, say, then, using current clients, the vast majority of users are going to be very unanonymous.<br /><br />If someone got their hands on the records of a large exchange today, they could probably follow the actions of many casual users.<br /><br /><br />So, what we are saying that Bitcoin doesn't hide your identity, just because its Bitcoin. <br />Its possible to see a lot of what goes on, on the Bitcoin system.<br /><br /><br />In this specific case, the thief may still be anonymous, depending on how they operated.<br />But its not Bitcoin that makes them anonymous - its the extra steps they took outside of it.<br /><br />We haven't followed the thief all the way.<br />We just used that as a case study, and an example, to show that flows could be tracked; our goal has been to investigate anonymity generally, and then to warn users that they don't get anonymity just because they use Bitcoin, which many of them think they do.<br /><br /><br />We saw some surprising things, that we haven't mentioned, that would make us think users have had their anonymity compromised in some way that they may not have expected (but obviously, we don't know what each individual user's expectations are).<br /><br />We could debate what most users expectations are - if you were a Bitcoin user, would you expect your Bitcoin address to be linked to those of any organizations? - but based on the feedback we've gotten already, I think its clear many users had a higher expectation of anonymity than was justified.<br /><br /><br />Our point is that users have to be careful - especially if they are living in a repressive regime, or something like that - they might not be as anonymous as they think.Fergalhttps://www.blogger.com/profile/13326762176311257293noreply@blogger.comtag:blogger.com,1999:blog-38040511487295963.post-25072841144927204742011-07-25T15:01:13.082-07:002011-07-25T15:01:13.082-07:00Erik:
We don't know the real identity of the ...Erik:<br /><br />We don't know the real identity of the thief.<br />It wasn't our intention to track the thief down.<br />It was our intention to use the theft as a case study to show that flows can be tracked.<br />We think the fact that the flows split off, and then reunite later on, is evidence that our flow tracking is working properly.<br /><br />Our point is that the alleged thief's transactions didn't get lost in the system.<br /><br />It is reasonable to suspect that the thief took extra precautions, such as accessing everything using TOR, being very careful about what they did, etc, and as such is still anonymous.<br /><br />But its also possible that they assumed the network would hide their transactions, and left enough information to be caught.<br /><br />There are co-incidences, and leads, that could be examined; services could be subpoena'd - maybe that'd reveal an identity in the end, and maybe it wouldnt - but as we've said, that's outside the scope of our work, which is about letting users know that the system doesn't make them anonymous.Fergalhttps://www.blogger.com/profile/13326762176311257293noreply@blogger.com