Silk Road forums
Discussion => Security => Topic started by: elivance on August 27, 2012, 07:19 am
-
I've been on SR for a while and I realized that we should have a sticky topic discussing the technical details behind bitcoins. I'm not trying to pretend that I'm an expert, but I may be able to help out a few of you. Even better, we can use this topic to keep track of our questions and answers.
So, what are bitcoins?
A bitcoin is, essentially, a chain of cryptographic signatures. Your "address" is simply a public key. Your wallet is just a list of the private keys corresponding to your public keys.
Let's not go too far into public-key cryptography. It suffices to say that you can take your private key and "sign" a digital document and anyone with your public key can verify the signature you made with the private key. That should be all we need from cryptography.
Bitcoins are assigned to an address. If you know the private key for that address, those are your bitcoins. If you own bitcoins, you can assign them to other addresses -- i.e., "spend" them. Each time you send a bitcoin to an address, you sign the bitcoin and the address you are sending it to with your private key.
With a normal currency, you would have to send this transaction to some sort of central authority like a bank. The bank would check their database to make sure there was enough money in the account and then they would debit one account and credit the other in the database.
Bitcoins don't have a central authority. In fact, that was one of the main design goals. But since we still need to verify that each transaction is valid, we still need to be able to track how much money is in each address. The way we do it is to distribute the database to everyone! Every transaction made is sent to everyone and when the miners find a new block, they include all the transactions they know about in the new block. This way every transaction made is written to the permanent record, the block chain, that we all share. (This is why it takes about 60 minutes for a transaction to be confirmed. We need to wait for about 6 blocks to be generated until we are sure that our transaction is in the permanent record.)
So, a bitcoin is a chain of signatures and everybody knows how to track all the bitcoins. Except, when we say, "track," all we are tracking are public keys; that's it. This is why the currency is considered anonymous. All anybody really knows is just a chain of one number after another -- one public key signing the next.
Ah, but if at some point your actual identity is associated with an address, all transactions associated with that address can be tracked in the public record. Because we all have the entire record, we all see every time bitcoins are assigned to that address and every time that address assigns bitcoins to another address. If an address gets associated with you in RL, then the transactions made with that address can also be associated with you. (To a certain extent. Keep reading.)
So when people tell you that bitcoins aren't as "private" as you think they may be, this is what they are talking about. If an address is known to be yours, any money you send from that address can be tracked. Forever. Publicly and forever.
I can hear you now, "oh shit, I need a method to get completely anonymous bitcoin." But, wait.
We can track that money forever, but the only thing that we can definitively say is that you sent that money to another address. Period. End of line.
Did you send it to yourself? No idea. All you did was attach a random-ish looking number to a bitcoin and sign it with your public key. If anyone asks you where you sent it, your answer should be, "none of your business." If LE asks where you sent it, don't tell them anything. If LE has a warrant, get a lawyer. I could tell you that you could say something like, "I have a gambling problem. This is my account at <insert bitcoin gambling place here> and I lost everything." However, really, don't say anything. The only way they can associate you with any following addresses is if you tell them. I repeat, don't talk to cops. Just, don't.
Listen, if you don't think you can talk to LE in a stressful situation (and believe me, I understand how you feel) just don't say anything. They are going to make you feel very uncomfortable when you don't say anything -- they are very good at that. In fact, that could be considered their job requirement. "Are you good at getting people to admit crimes they may not have committed? You're hired!"
Okay, TL;DR.
Executive Summary:
1. Bitcoins are chains of cryptographic signatures.
2. Don't talk to LE for any reason.
-
I've been on SR for a while and I realized that we should have a sticky topic discussing the technical details behind bitcoins. I'm not trying to pretend that I'm an expert, but I may be able to help out a few of you. Even better, we can use this topic to keep track of our questions and answers.
So, what are bitcoins?
A bitcoin is, essentially, a chain of cryptographic signatures. Your "address" is simply a public key. Your wallet is just a list of the private keys corresponding to your public keys.
Let's not go too far into public-key cryptography. It suffices to say that you can take your private key and "sign" a digital document and anyone with your public key can verify the signature you made with the private key. That should be all we need from cryptography.
Bitcoins are assigned to an address. If you know the private key for that address, those are your bitcoins. If you own bitcoins, you can assign them to other addresses -- i.e., "spend" them. Each time you send a bitcoin to an address, you sign the bitcoin and the address you are sending it to with your private key.
With a normal currency, you would have to send this transaction to some sort of central authority like a bank. The bank would check their database to make sure there was enough money in the account and then they would debit one account and credit the other in the database.
Bitcoins don't have a central authority. In fact, that was one of the main design goals. But since we still need to verify that each transaction is valid, we still need to be able to track how much money is in each address. The way we do it is to distribute the database to everyone! Every transaction made is sent to everyone and when the miners find a new block, they include all the transactions they know about in the new block. This way every transaction made is written to the permanent record, the block chain, that we all share. (This is why it takes about 60 minutes for a transaction to be confirmed. We need to wait for about 6 blocks to be generated until we are sure that our transaction is in the permanent record.)
So, a bitcoin is a chain of signatures and everybody knows how to track all the bitcoins. Except, when we say, "track," all we are tracking are public keys; that's it. This is why the currency is considered anonymous. All anybody really knows is just a chain of one number after another -- one public key signing the next.
Ah, but if at some point your actual identity is associated with an address, all transactions associated with that address can be tracked in the public record. Because we all have the entire record, we all see every time bitcoins are assigned to that address and every time that address assigns bitcoins to another address. If an address gets associated with you in RL, then the transactions made with that address can also be associated with you. (To a certain extent. Keep reading.)
So when people tell you that bitcoins aren't as "private" as you think they may be, this is what they are talking about. If an address is known to be yours, any money you send from that address can be tracked. Forever. Publicly and forever.
I can hear you now, "oh shit, I need a method to get completely anonymous bitcoin." But, wait.
We can track that money forever, but the only thing that we can definitively say is that you sent that money to another address. Period. End of line.
Did you send it to yourself? No idea. All you did was attach a random-ish looking number to a bitcoin and sign it with your public key. If anyone asks you where you sent it, your answer should be, "none of your business." If LE asks where you sent it, don't tell them anything. If LE has a warrant, get a lawyer. I could tell you that you could say something like, "I have a gambling problem. This is my account at <insert bitcoin gambling place here> and I lost everything." However, really, don't say anything. The only way they can associate you with any following addresses is if you tell them. I repeat, don't talk to cops. Just, don't.
Listen, if you don't think you can talk to LE in a stressful situation (and believe me, I understand how you feel) just don't say anything. They are going to make you feel very uncomfortable when you don't say anything -- they are very good at that. In fact, that could be considered their job requirement. "Are you good at getting people to admit crimes they may not have committed? You're hired!"
Okay, TL;DR.
Executive Summary:
1. Bitcoins are chains of cryptographic signatures.
2. Don't talk to LE for any reason.
+1 Good post for beginners and seasoned campainers alike :)
-
I recently had an interesting conversation with angelkiller about sending bitcoins to SR.
[...]
So my overall point was that you don't have to mix coins coming in. They need 2 confirmed identities before someone can talk about proving I sent money to someone.
[...]
Angelkiller's point was that not only would LE need to be able to associate his real identity with the sending address but they would also have to compromise SR. That is, "you need two confirmed identities."
I think he's right on point. My argument is that I still like using coin-mixing services that try and completely remove the association between the source and destination. I'm the first to admit my position is based on paranoia, but I think a little paranoia is healthy. There is a difference between proof and intuition. Someone might not be able to prove that you had a transaction with SR, but they might suspect it, and that might be enough.
Anyway, I'm mostly in agreement with Angelkiller. You really can send Bitcoins directly to your SR address and not worry. But a little paranoia is a good thing and mixers can be your friends too. Check out https://blockchain.info/wallet or http://nci2szjrwjqw2zbi.onion for two good mixers. I'm not associated with either but I've sent coin through both and I give each my recommendation.
-
+1. Excellent easy to read summary. Thanks!
-
Hey Elivance, great post!!!
Now, I have a question, and I don't want it to turn into a hijacked thread, but I think its relevant to our current discussion:
You mention blockchain.info's wallet service...great stuff. Within the wallet is a tool which will track the "taint" of a transaction.
Do you know exactly what TAINT is? Does it have to do with the bitcoin public key itself, or is it somehow tracking the sending IP address associated with that particular public key during the sending process?
I had sent a few coins from SR to the TOR-accessed blockchain.info wallet, and looked at the TAINT, and WOW, it shows every single IP address which had ever transferred coins ending in the transaction I made!
Is this where we should be focusing our security concerns, regarding btc transfers, namely, if the coins are associated with our IRL IP address, and we start moving them around, there is one of the links you've been talking about.
Do tell more....!
Omega
-
Good info.
I don't use a mixer for some of the reason's you've addressed. If you've bought bitcoins through a traceable method, then that's it, the evidence of your purchasing bitcoins and sending it to an address is there, regardless of whether you use the mixer or not, as it's not like one address has a big red flashing light that says 'SilkRoad" and the mixer's address doesn't. There's no more or less evidence of buying drugs with or without the mixer. Unless in the unlikely event Silkroad gets compromised and all Bitcoin deposits and addresses become known - now that would be a problem that a mixer would help with, but I don't see SR ever being compromised to that extent in all honesty.
-
Hey Elivance, great post!!!
Now, I have a question, and I don't want it to turn into a hijacked thread, but I think its relevant to our current discussion:
You mention blockchain.info's wallet service...great stuff. Within the wallet is a tool which will track the "taint" of a transaction.
Oh, that's *very* relevant.
Do you know exactly what TAINT is? Does it have to do with the bitcoin public key itself, or is it somehow tracking the sending IP address associated with that particular public key during the sending process?
Unfortunately the Blockchain site does not explain what the taint beyond the statement on the taint analysis page:
This pages shows the addresses which have sent bitcoins to <BTC address>. The data can be used to evaluate the anonymity provided by a mixing service. For example Send Coins from Address A to a Mixing service then withdraw to address B. If you can find Address B on the taint list of Address A then the mixing service has not sufficiently severed the link between your addresses. The more "taint" the stronger the link that remains.
I could be wrong, but I believe that it is determined according to the history of the coins and their origin. So coins that may have been part of the Mt. Gox attack last year will be tainted as a result of being stolen and then returned to the Bitcoin economy. While coins that have just been mined will be completely free of taint because they are new.
I'm not certain how Blockchain can guarantee 100% untainted coins with their mixing service.
This thread on the Bitcoin Talk forum indicates that taint is correlated to stolen coins:
https://bitcointalk.org/index.php?topic=86225.0
I had sent a few coins from SR to the TOR-accessed blockchain.info wallet, and looked at the TAINT, and WOW, it shows every single IP address which had ever transferred coins ending in the transaction I made!
I strongly suspect that most Bitcoin users have or have had tainted coins, even if they have never done anything illegal.
Is this where we should be focusing our security concerns, regarding btc transfers, namely, if the coins are associated with our IRL IP address, and we start moving them around, there is one of the links you've been talking about.
Maybe, I think we'd need to know more about how this taint is judged and who or what does the judging. It would also depend on whether other organisations, such as exchanges, set a policy to not accept coins above a certain threshold of taint.
The thread I linked to above indicates that at least some organisations may not accept transactions using tainted coins.
-
Now, I have a question, and I don't want it to turn into a hijacked thread, but I think its relevant to our current discussion:
You mention blockchain.info's wallet service...great stuff. Within the wallet is a tool which will track the "taint" of a transaction.
Not a hijack at all. This is a very pertinent question. This is, in fact, how we measure how well a mixer works.
The definition at blockchain.info is: "The taint is the percentage of funds received by an address that can be traced back to another address." I think a few examples will sufficiently illustrate this.
Suppose, for example, we want to transfer 100BTC from address A to address B. If we simply transfer 100 coins directly from A to B, then the taint should be %100. That is, this transaction is %100 tainted by coins from A.
If instead we transferred 50BTC from address A to B, 50BTC from address A to C, and 50BTC from address C to B, then we have again transferred 100 coins from A to B, but this time it looks like the taint is %50. That is, only %50 of the coins in that "transaction" come from A. However, it is pretty obvious that %100 of the coins came from A. Of course only %50 of the coins came directly from A, but if we look one transaction back we find that all the coins actually come from A. If we want "taint" to make sense, this calculation should be %100.
Here is where the clause, "that can be traced back to another address" takes effect. Even though C sent 50BTC to B, we can track all those coins back to A. Since every coin in that transaction came from A at some point, that transaction is also %100 tainted by coins from A.
The idea is that we trace back every address that paid B in that transaction and try and find A anywhere there.
For example, say that address A, at some point in the past, paid address A_1 which in turn paid address A_2, who forwarded it on to A_3, and so on. Say that these transactions end at address A_(n-1) sending funds to address A_n. Now, if A_n pays B, what is the taint from A? (Assuming, to make things easier, that the entire balance was transferred at each point.) Well, it should be obvious that the funds sent to B are still %100 tainted by coins from A. That is, even though we had n addresses in between, this transaction to B consists entirely of coins from A.
Why do I bring this up? Well, at least at blockchain.info, they only track transactions back 250 blocks. Hence if n is 250, then blockchain.info will say that there is 0% taint in that transaction. Obviously my example there is contrived. While blockchain.info would claim 0% taint in that transaction, that is not how it mixes coins. It does serve to illustrate the details and, perhaps, where things could break down.
Do you know exactly what TAINT is? Does it have to do with the bitcoin public key itself, or is it somehow tracking the sending IP address associated with that particular public key during the sending process?
I had sent a few coins from SR to the TOR-accessed blockchain.info wallet, and looked at the TAINT, and WOW, it shows every single IP address which had ever transferred coins ending in the transaction I made!
Holy crap, another excellent, excellent observation! What you have noticed is that, not only do we have a chain of transactions, but we can also sometimes identify those transactions with IP addresses!
The question is, "if this is supposed to be a pseudo-anonymous currency, why the hell can we associate IP addresses with transactions?!?!"
Well, the answer is obvious if we walk through what happens when we make a transaction. I have an address A and I am going to send funds to address B. What I do is concatenate address B with the coins and then sign them using the private key corresponding to address A. However, the coins aren't spent yet. For address B to get the coins, that transaction has to get into the next block the miners find. To make sure that the miners have this transaction, we send it everywhere we can. This transaction won't become part of the official record unless everybody sees it, checks it, and includes it in the next block. (Then the transaction won't become final until we have about 5 blocks built after that one.)
The point is, you are sending that transaction everywhere! Everywhere you can or this just doesn't work.
Okay, what this means is that if an adversary is connected to every bitcoind and is listening for transactions, the first IP address that announces a transaction is most likely the source of that transaction.
Let me make sure I am absolutely clear. When you _receive_ a transaction, you are totally anonymous. The transaction is just part of the block chain that everyone has. There is no way for anyone to tell that you received a transaction. When you _send_ a transaction, the IP address that actually sends that transaction can be identified.
This means that if you are using a private wallet stored on your own computer you can receive anything you want without worry about identification. If you send funds from a private wallet, you have to think about exposing your IP address.
Of course the answer here is Tor. It is (fairly) easy to setup bitcoind or bitcoin-qt to use your Tor SOCKS5 connection. If you are going to send funds from your private wallet, simply send them through the Tor network.
I have about 1000 other things but I think I need to stop to let people digest the above. I love Bitcoins and it is one of the things, besides my kids, that really give me hope for the future.
Please, send me questions. If I don't know the answer, we'll work it out. I'm having fun. :)
-
very good intro. Nice to see others aren't afraid of creating long winded posts in the name of greater good like me.
-
Wow, Elivance and LouisCyphre, what great info indeed!
So, to get real here, once one takes the first step and breaks through the concept of bitcoins themselves, these are the subjects we should all concern ourselves with, namely true anonymity and security.
And yeah, Elivance, I'm going to have to digest that wonderful post longer than the digestion process of the fat rib-eye I ate this past weekend, lol...
But then, to stay truly "anonymous" and keep the traces of the use of bitcoins away from our IRL identities, looks like we'll have to stay in TOR-land, based on the "taint" analysis you've thoroughly outlined above.
I love Tor, and yet, I want to use my smart cell phone and access my wallet and check balances and shit, but I now know I can't do that since I'll be forever "linked" to those coins that pass through my cell-phone wallet! ARRG!
And if they happen to hit the 'Road, am I fucked?? Are we all 'fucked' by the use of bitcoins on the 'Road???
Keep the awesome info coming, my expert friends!!!