Stanford CS251: Lecture 9

Lecture 9: Wallet & Anonymity

Wallet

A user has a lot of bitcoin address, each of which is H(p_k) or H(script). A wallet manages p_k/s_k, post/verify transactions,  and show balances. A wallet can be Cloud wallets like Coinbase or desktop based like Electrum or hardware-based like Trezor. SPV or Simplified Payment Verification clients are not full mining nodes but can verify incoming payments. An SPV downloads all the block headers and then specifically requests a list of addresses which are in your wallet to fetch the transactions associated with those addresses from a server.  The server returns the relevant transactions associated with those addresses and the corresponding Merkle proof of that.

Wallet backup

Don’t generate random keys but have a 128-bit seed K0. S_ki = HMAC(K0, ). P_ki = g^S_ki. So, only K0 has to be backed up. Bitcoin has 2048 words (11-bit). 128-bit seed requires 13 words including error correction.

For further security, split the wallet into an offline cold Wallet which contains K0 and an online hot wallet which contains Pk1, Pk2,… but cannot spend funds.

Anonymity

Weak: pseudonymity has a reputation but suffers from linkability. If a single post/transaction links to you, then all posts link to you. Therefore, anonymity goes down over time.
Strong: Complete unlinkable posts/transactions. Fraud detection and spam filtering are hard in this.
Business needs anonymous payments. Individuals need it, even thieves need it.

Bitcoin is not anonymous. Linking different accounts/transactions of the same entity is almost always possible. Finding whether A paid B is almost always possible.

Bitcoin Deanonymization:

  1. Network Layer – If enough nodes collude, one can connect different addresses belonging to the same IP. To avoid this connect Bitcoin over Tor.
  2. Blockchain – “idioms of use”. H1 – If they are two inputs to a transaction, they belong to the same entity. H2 – change address is controlled by the same entity which controls the input address.
    Ex 1: In 2013, in an experiment, using these two heuristics, 12 M Bitcoin addresses were reduced to 3.3M clusters. They identified 1070 addresses by interacting with entities eg. depositing money in Coinbase => 2200 clusters (1.8M addresses, 15%) de-anonymized.
    Ex 2: 3171 BTC stolen from Betcoin. The thief slowly peeled small amounts ~ 10 BTCs at a time to a new address. As soon as the thief deposits even a single one to Coinbase or any other exchange, the identity would be revealed.
    Ex 3: Cryptolocker encrypts the disk and asks for 2 BTC for decryption. 1200 BTCs was paid in 800 transactions to Cryptolocker addresses.

Two ways to make Bitcoin anonymous

  1. Mixing
  2. Anonymous alt coins (in Lecture 10)

Fully trusted mixer provides a receiver address. Alice sends the funds and hopes that she will get the funds back from a different address. The mixer will generate a single transaction returning those coins to everyone including Alice.  Some mixers steal money. Chain multiple mixers for more privacy. Coinjoin is trustless mixing. Using an online forum.
in: A_in: 5, B_in: 3, C_in: 2
out: A_change: 3, B_change: 1 (not anonymous)
A_0: 2, B_0: 2, C_0: 2 (anonymous)

One Reply to “Stanford CS251: Lecture 9”

Leave a Reply

Your email address will not be published. Required fields are marked *