by Groxx 4957 days ago
Unless I misunderstand Bitcoin more than I think I do, this is flat-out wrong (~1/3 of the way through the document):

  (U) What Users Can Do To Increase Anonymity
  ...
  • (U) Combine the balance of old Bitcoin addresses into a new address to make new payments.
Combining balances just means you have a bunch of disparate nodes in the network which may not be related, and you are intentionally connecting them. So if you combined anonymous nodes A-Y with Z which was linked to you, A-Y are now logically linked to you because Z tainted the whole pool. (edit: or at the very least, all the money in A-Y)

Yeah, there are ways to make it true/er, but I'm arguing against the principle of the suggestion. And I have doubts that combining (only your) addresses will ever increase anonymity.


Actually, I think the suggestion in the report is correct.

I think that what they are getting at here, is the following scenario:

Imagine that you have several addresses, with different balances, in the same wallet. If you do a payment using the normal client, which requires the total balance from all those addresses, this will create a transaction with all those addresses as inputs. In the Bitcoin protocol this provides unambiguous proof that the input addresses are all controlled by the same user. (With some provisos: obviously wallet services overlaid on the network complicate this; as do some other more sophisticated uses of the protocol; but in general, at a protocol level, this is true).

So, that then shows any passively listening third party that all those addresses were under control of a single user. This knowledge can then be applied transitively, to consolidate ownership of large quantities of accounts. (We tried to explain this in our paper: http://arxiv.org/pdf/1107.4524v2.pdf Fig 1.6)

What the report is probably getting at, is that an alternative thing to do, would be to instead send all the payments to a new account, in separate transactions. This would introduce a lot more ambiguity for a passive attacker - passive ownership assumptions become a lot less clear-cut. You can still try to make deductions, but it's going to be much larger to do at large scale, and require more statistical assumptions.

It's not completely obvious that this is what the paper is suggesting, but that's my reading of it, and I think that makes sense.
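As an added example (not code from the thread or from the cited paper), here is the common-input-ownership heuristic the reply above describes, run over a constructed toy ledger: one transaction that spends every old address at once, versus one transaction per old address into the same new address. The ledger, address names and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed toy ledger: each transaction is (input addresses, output addresses).
# A, B, C are unlinked addresses; Z is assumed already tied to a known identity.
CONSOLIDATED = [
    (["A", "B", "C", "Z"], ["NEW"]),        # one transaction spends all four
]
SEPARATE = [
    (["A"], ["NEW"]), (["B"], ["NEW"]),
    (["C"], ["NEW"]), (["Z"], ["NEW"]),     # one transaction per old address
]
TRANSITIVE = [
    (["A", "B"], ["X"]), (["B", "Z"], ["Y"]),  # A and Z never co-spent directly
]


def _find(parent, a):
    """Union-find root lookup with path compression."""
    while parent.setdefault(a, a) != a:
        parent[a] = parent[parent[a]]
        a = parent[a]
    return a


def input_clusters(txs):
    """Common-input-ownership heuristic: addresses spent together as inputs
    of one transaction are merged into a cluster; merges chain transitively."""
    parent = {}
    for inputs, _outputs in txs:
        for addr in inputs[1:]:
            ra, rb = _find(parent, inputs[0]), _find(parent, addr)
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(set)
    for addr in list(parent):
        groups[_find(parent, addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def linked_to(txs, known):
    """Every address the heuristic ties to `known` (including itself)."""
    for group in input_clusters(txs):
        if known in group:
            return set(group)
    return {known}


if __name__ == "__main__":
    print("consolidated:", sorted(linked_to(CONSOLIDATED, "Z")))  # A, B, C, Z
    print("separate:   ", sorted(linked_to(SEPARATE, "Z")))       # Z only
    print("transitive: ", sorted(linked_to(TRANSITIVE, "Z")))     # A, B, Z
```

Note that the heuristic alone says nothing about NEW in the separate case: it only merges addresses that are spent together, which is exactly the "not proof, but not better" ambiguity argued over in the rest of the thread.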

Yeah, it's not a clear-cut connection if you do it in multiple steps. Hence the caveat that there are ways to make it (more) true. But what improvement in anonymity does it provide over leaving them separate? If they can't infer that X belongs to you, then if you don't send it to account Y (linked to you) you certainly don't leak that X belongs to you. If you do, it's not proof, but it certainly doesn't improve matters.

Don't take it to extremes - this can clearly be stretched to include running the whole process through mixers and back to a single address while improving anonymity. It doesn't say that. In principle, is combining addresses better for anonymity than not?

I think what you're looking at is something more like, if someone employs this tactic, they can't identify that addresses X, Y, and Z belong to the same person, whether or not they know who that person is.

Linking together abstract pieces like that can be one of the first steps to figuring out a very anonymous network.

I can't tell if you're agreeing with me or disagreeing...

And yes, those links are basically all you can use in an anonymous network to deanonymize actions. So how is linking things better than not?

Now I think I'm just confused by the way you're describing things. I'll hope someone else is better able to understand.

Hah, sorry if I am :) Not sure how I can significantly improve things without writing a blog post or something :|

Anyway. Thanks for chiming in :)

It makes it a little harder to prove. If you do something sketchy and get bitcoins in wallet 1, and then buy something from wallet 1, people will see that the same wallet that did something sketchy also bought something.

On the other hand, if you move bitcoins from wallet 1 to wallet 2, then do the buying from wallet 2, there's some separation and people aren't sure if it's the same person.

This is suggesting doing something sketchy with 1 and then moving it and 2 and 3 to 4. You can improve your odds of evading detection by moving things around a bit, yes, but most applications I'm aware of will simply move them all in a single transaction. There have also been some fairly large-scale network analysis papers showing linked accounts and the flow of e.g. one big theft a while back - unless you run it through a mixer, you're only mixing with yourself, which runs the risk of revealing everything if you leak a little too much.

And regardless, if you then use 4 to do anything that's linked to you, it's further evidence that you are linked to all the accounts - in no way better than before, and possibly worse. You also can't use the money from 2 or 3 to do things linked to you, because now they're linked to you and the sketchy 1. If you had left them isolated, observers would only have information on 1, nothing would have changed, and you could use 2 and 3 without leaking any information about 1.

Think about it as cash: if someone knows that serial #AAAA was stolen, and then later you deposit that bill at a bank, they still have no idea if you are the person who stole it. It could have gone through any number of hands. I think I see your point about mixers though.

It couldn't have gone through any number of hands - Bitcoin transactions are public. You can see every hand it has gone through, though you may not (or may!) know the owner of the hand. That's why any large-scale analysis can be dangerous to such actions - if you discover the intermediaries, you can start drawing conclusions about who performed actions.

edit: here's the main article I'm aware of http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-...

What would stop me from creating a thousand (or a million) wallets, and just randomly shuffling money between them a thousand times per day, creating a visibility of activity?

As long as you control all the wallets, the money is still yours.

Not much now, but if this becomes the norm, transaction fees will stop you. Or at least discourage heavily - excessive transactions aren't great for the network because they bloat the block chain. Mixers largely bypass this concern because they can deal with larger blocks of money and more people than you can realistically do yourself, so the transaction fees are basically inconsequential.

Also, if you do this, you're likely not forming a new TOR connection each time you do any transaction, so you're leaking your IP address and traffic - easy to gather and be reasonably confident that someone is doing precisely what you described, and since it's all recorded forever, all the actions are essentially tainted forever. If you do form a new connection each time, you'll slow down substantially, and there may be a way to block you at the entry points to the TOR network (I don't remember TOR's details well enough to be sure, though).

edit: also, this will be very easily identified behavior unless people do it all over the place (and then transaction fees are basically guaranteed soon after), so you'd stick out like a sore thumb. I would be willing to bet that while it would give you some anonymity and you might shake off a few addresses, you won't gain complete anonymity, and it'll probably ultimately be worse and slower and harder than just using a few mixers. And if you ever transact them in a way that re-forms those connections (if they're all millionths of a coin, it's unavoidable), you just undid almost all your work.

If I send the money between my wallets, the transaction fees are not an issue - I keep that money, don't I?

Making a new TOR connection per transaction shouldn't be too hard to automate.

They are an issue. Transaction fees are paid to the miner who builds the block which contains a transaction - for your transactions to be valid, they must be included in a block, so you'll have to pay the fees. Unless you mine the block yourself and don't require a fee / recollect it - a possibility, but your odds are abysmal.

Transaction fees are intended to be motivation to be a miner. Since 50 bitcoins per mined block will soon become 25 and eventually nothing, transaction fees will progressively take over to become the majority of miners' income. They're not enforced by the protocol, so there may be some transaction-fee-free miners out there at any given time, but they're not likely to be the majority of the compute power (and will probably diminish as time goes on). You might end up waiting for a long time for your transaction to be confirmed.

If there are 1000 wallets that only transact with each other and never (or rarely) with other wallets, it might be possible to identify them as an island in the transaction graph - see [1] for an example of automatic graph clustering (I think the image is communities in facebook's social graph, but the same algorithm could be applied to a transaction graph).

Of course, whether that behavior would stand out depends on how other users of the system behave.

[1] http://www.ece.umd.edu/~wenjunlu/images/gephi.png

You will probably find many of these islands even right now.

Plus, I can divide my 1000 wallets into 20 islands, and only have 1-2 transactions between the islands.