Silk Road forums
Discussion => Security => Topic started by: pine on May 11, 2012, 02:53 am
-
Sauce: http://bitcoinweekly.com/articles/the-battle-is-on-silk-road-vs-government-and-bitcoin-anonymity
Relevant quote:
In order for anonymous transactions to be possible through Bitcoin, however, a mixing system must be used. There are two types of mixing systems: those secure against attack from people viewing the public transaction block, like Bitcoin Laundry and those secure against attack from the mixing system itself, like Open Transactions. The first work in something similar to the following:
Alice wants to transfer 10 BTC to Bob. Alice deposits 10 BTC into the system, and gets a 10 BTC balance within the system.
Alice gives Bob her one-time account key.
Bob withdraws 10 BTC, but the coins come not from Alice but from some other people who had deposited 10 BTC earlier. Thus, there is no chain from Alice to Bob in the public transaction log.
In BitcoinLaundry in particular, steps 2 and 3 happen internally and automatically, so Alice directly sends coins to Bob's address without Bob participating in the process. The problem is that the mixing system knows that the key Alice got and the key Bob used are the same, or related, and thus knows that Alice transfetted money to Bob. Law enforcement agencies could potentially set up mixing systems as honeypots. The systems of the second type work in the following way:
Alice deposits 10 BTC into the system, and sends an encrypted certificate to be blind signed. Blind signatures are a way that allows the bank to sign the certificate without knowing what the message signed or even the signature itself looks like; a more detailed description can be found here.
The bank sends the blind signed certificate back to Alice. Alice decrypts the blind signed certificate and gets a normal signed certificate. She sends this to Bob.
Bob sends the certificate to the bank, the bank verifies it and withdraws 10 BTC.
The advantage here is that the bank has no way of linking Alice's certificate to Bob's certificate even though it can tell that the certificate is legitimate. A useful real-world analogy is the one used in the name "blind signature": Alice creates a piece of paper with some text on it, blindfolds the bank, the bank signs the paper blindfolded, then Alice gives the paper to Bob, the bank takes off its blindfold and verifies the signature. The bank does not know who the certificate that Bob provided came from, but it can recognize the signature as its own. This is still vulnerable to statistical attacks - if Alice deposits 13500 BTC into one of these systems and Bob withdraws 13500 BTC, then it is obvious that Alice and Bob made a transaction with each other. There are further ways of masking this - one is using "clean" coins to send as a payment; a 400 BTC donation to hacker group LulzSec (press release here) was done this way and is completely untraceable; another way is splitting up the transaction, sending it to many different addresses belonging to Bob, but no matter what (unless you have freshly minted coins, which will not exist in significant quantities forever) there is still substantial information leakage, so Bitcoin's Jeff Garzik cautions: "Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb." Minor illicit transactions, on the other hand, are easy to hide, and the sales currently made on Silk Road are almost all below 10 BTC.
Silk Road itself uses an internal mixing system of the first type, so it does have the weakness that users must trust it. The fact that the system is internal is itself a weakness: even if one cannot tell which drug someone bought, the fact that someone bought something off of Silk Road is easier to deduce, although there is always plausible deniability, since some legal products are sold there. Silk Road promises to delete the physical address of the buyer as soon as the transaction is complete, but there is no way to prove this. Because of this trust, it is a good idea for Silk Road users to use their own anonymity protection in addition to Silk Road's: using another bitcoin mixer, like BitcoinLaundry or using a bank as a mixer, like MyBitcoin, adds a layer of obfuscation to the transaction, and use of post boxes under fake IDs or someone else's house is often advised on Silk Road forums.
The de facto anonymity of Bitcoin can be increased by frequent use of mixers, and it is important to note that many types of services can be used as mixers: bitcoin accounts like MyBitcoin, Bitcoin poker sites and witcoin, no matter what their purpose, can be used. A startup promising Bitcoin debit cards and Bitbills offer the option to buy bitcoins anonymously physically, once again removing all traces of where they came from. As services like these are integrated into the Bitcoin economy, it may ultimately become impossible for investigators to see where coins came from more than 4 or 5 transactions back.
Discuss!
-
Ok I have a tough time understanding this shit so I'll just ask questions.
The encrypted messages through a bank really sounds interesting however for the bank to survive wouldn't they need some sort of commission on transactions or percentage of deposits and withdrawals? Now wouldn't that percentage be an easy way to deduce how much money was transferred?
-
Ok I have a tough time understanding this shit so I'll just ask questions.
The encrypted messages through a bank really sounds interesting however for the bank to survive wouldn't they need some sort of commission on transactions or percentage of deposits and withdrawals? Now wouldn't that percentage be an easy way to deduce how much money was transferred?
Asking questions is fine, I think many people are afraid of going out on a limb or problem complexity, but that's how we all learn is it not? Imperfect pine is imperfect too, people shouldn't assume because I make a detailed statement that this implies it's gospel.
In any case I guess traffic analysis would be possible under any schema even if you couldn't prove Alice transferred X coins to Bob or that Alice swopped X coins with Bob. I think it's conceptually easy to avoid though.
For example if you take a fixed fee per transaction, or if you take a relative percentage from the entire pool of coins being mixed i.e. everybody throws in their money, and you take x% off the top, then the only information available to garner from the bitcoin 'checking account' the bank is using to store their fee income is the number of transactions or the volume over time.
I think Bitcoin Fog for example, uses different randomly chosen fees between 1% and 3% to avoid traffic analysis.
You could make it very complex indeed, but I don't think it's necessary if you address the second problem I'm bringing up:
A different problem, is the limited scope of the mixer's domain/territory.
Sure it mixes up stuff within its power to do so. However, seems to me that traffic analysis could differentiate between different kinds of bitcoin network activity because the mixer doesn't mix coins from across the entire network. Different types of activity should show up like shoals of fish. If you see frenetic activity in one part of the network, but not in another part, then there is a reason for it. A reason I say, but it's a helluva stretch to claim you know the reason for it. I mean, I am certain that you can't even do that with regular credit which is perfectly identifiable and traceable. Still, it's a concern.
Sure you could simulate the normal pattern and level of activity within your B$ mixer, but I'm not sure you've solved the problem. Ideas? Where are you bitcoin geeks? :P
-
Sauce: http://bitcoinweekly.com/articles/the-battle-is-on-silk-road-vs-government-and-bitcoin-anonymity
Discuss!
That is fascinating!
I believe mixers, especially of the second kind, in addition to bitcoin banks and ewallets are all very good things to become part of the bitcoin economy.
This is a very good balancing factor, IMHO.
The LEOs wont know what hit them!
-
Ok I have a tough time understanding this shit so I'll just ask questions.
The encrypted messages through a bank really sounds interesting however for the bank to survive wouldn't they need some sort of commission on transactions or percentage of deposits and withdrawals? Now wouldn't that percentage be an easy way to deduce how much money was transferred?
Asking questions is fine, I think many people are afraid of going out on a limb or problem complexity, but that's how we all learn is it not? Imperfect pine is imperfect too, people shouldn't assume because I make a detailed statement that this implies it's gospel.
In any case I guess traffic analysis would be possible under any schema even if you couldn't prove Alice transferred X coins to Bob or that Alice swopped X coins with Bob. I think it's conceptually easy to avoid though.
For example if you take a fixed fee per transaction, or if you take a relative percentage from the entire pool of coins being mixed i.e. everybody throws in their money, and you take x% off the top, then the only information available to garner from the bitcoin 'checking account' the bank is using to store their fee income is the number of transactions or the volume over time.
I think Bitcoin Fog for example, uses different randomly chosen fees between 1% and 3% to avoid traffic analysis.
You could make it very complex indeed, but I don't think it's necessary if you address the second problem I'm bringing up:
A different problem, is the limited scope of the mixer's domain/territory.
Sure it mixes up stuff within its power to do so. However, seems to me that traffic analysis could differentiate between different kinds of bitcoin network activity because the mixer doesn't mix coins from across the entire network. Different types of activity should show up like shoals of fish. If you see frenetic activity in one part of the network, but not in another part, then there is a reason for it. A reason I say, but it's a helluva stretch to claim you know the reason for it. I mean, I am certain that you can't even do that with regular credit which is perfectly identifiable and traceable. Still, it's a concern.
Sure you could simulate the normal pattern and level of activity within your B$ mixer, but I'm not sure you've solved the problem. Ideas? Where are you bitcoin geeks? :P
Hi Pine,
This is an excellent article thank you!
As I understand you are absolutely right in saying BitcoinFog charges a random amount of commission between 1 - 3% to obfuscate tracing. From reading the information on the site they are perfectly candid about the fact that this in itself does little to increase the anonymity of transactions as if LEO know that Alice has placed 100 BTC into the Fog and Bob has withdrawn between 97 and 99 BTC, as the article says it would be fairly easy to detect.
For this reason Bitcoinfog at least offers users the option to withdraw money in random amounts over a certain period of time. Users are also encouraged to "tumble" their coins through the Fog more than once. The longer you leave your BTC in the Fog and the more frequently you tumble them the greater your degree of protection however this costs both time and money.
As you say, this also does little to get around the second hurdle which is that of the fact that the mixing of Bitcoins is limited to those within the mixer's own pool. As you say I am not aware of any technical means by which this could be proven through block chain analysis but I think it would have to be a truly colossal sum of money to raise any eyebrows.
I have a small amount of experience from the other side of the fence with money laundering through my job and would say the above concerns are secondary to legitimising the funds obtained from cashing out Bitcoins in any case. Within the network, a vendor's BTC profits are no good to them in themselves - even if they used their own SR to buy a large amount of gold bullion for instance, this would do nothing to assure the suspicious people of the IRS as to the provenance of his or her income.
V.