Bitcoin Privacy - A Survey on Mixing Techniques
Simin Ghesmati and Walid Fdhila and Edgar Weippl
https://eprint.iacr.org/2021/629

Abstract: Blockchain is a disruptive technology that promises a multitude of benefits such as transparency, traceability, and immutability. However, this unique bundle of key characteristics rapidly proved to be a double-edged sword that can put user privacy at risk. Unlike traditional systems, Bitcoin transactions are publicly and permanently recorded, and anyone can access the full history of the records. Despite using pseudonymous identities, an adversary can undermine the financial privacy of users and reveal their actual identities using advanced heuristics and techniques to identify eventual links between transactions, senders, receivers, and consumed services (e.g., online purchases). In this regard, a multitude of approaches has been proposed in an attempt to overcome financial transparency and enhance user anonymity. These techniques range from using mixing services to off-chain transactions and address different privacy issues. In this survey, we particularly focus on comparing and evaluating mixing techniques in the Bitcoin blockchain, present their limitations, and highlight the new challenges.

Category / Keywords: applications / blockchain anonymity Mixing
Date: received 13 May 2021, last revised 20 Aug 2021
Contact author: ghesmti at icloud com
Version: 20210820:155838

Studying Bitcoin privacy attacks and their Impact on Bitcoin-based Identity Methods
Simin Ghesmati and Walid Fdhila and Edgar Weippl
https://eprint.iacr.org/2021/1088

Abstract: The Bitcoin blockchain was the first publicly verifiable and distributed ledger, where it is possible for everyone to download and check the full history of all data records from the genesis block.
These properties lead to the emergence of new types of applications and the redesign of traditional systems that no longer respond to current business needs (e.g., transparency, protection against censorship, decentralization). One particular application is the use of blockchain technology to enable decentralized and self-sovereign identities, including new mechanisms for creating, resolving, and revoking them. The public availability of data records has, in turn, paved the way for new kinds of attacks that combine sophisticated heuristics with auxiliary information to compromise users' privacy and deanonymize their identities. In this paper, we review and categorize Bitcoin privacy attacks, investigate their impact on one of the Bitcoin-based identity methods, namely did:btcr, and analyze and discuss its privacy properties.

Original Publication (with minor differences): Springer
Date: received 24 Aug 2021
Contact author: ghesmti at icloud com
Version: 20210825:064031

WabiSabi: Centrally Coordinated CoinJoins with Variable Amounts
Ádám Ficsór and Yuval Kogman and Lucas Ontivero and István András Seres
https://eprint.iacr.org/2021/206

Abstract: Bitcoin transfers value on a public ledger of transactions anyone can verify. Coin ownership is defined in terms of public keys. Despite potential use for private transfers, research has shown that users' activity can often be traced in practice. Businesses have been built on dragnet surveillance of Bitcoin users because of this lack of strong privacy, which harms its fungibility, a basic property of functional money. Although the public nature of this design lacks strong guarantees for privacy, it does not rule it out. A number of methods have been proposed to strengthen privacy. Among these is CoinJoin, an approach based on multiparty transactions that can introduce ambiguity and break common assumptions that underlie heuristics used for deanonymization.
Existing implementations of CoinJoin have several limitations, which may partly explain the lack of their widespread adoption. This work introduces WabiSabi, a new protocol for centrally coordinated CoinJoin implementations utilizing keyed verification anonymous credentials and homomorphic value commitments. This improves on earlier approaches, which utilize blind signatures, in both privacy and flexibility, enabling novel use cases and reduced overhead.

Category / Keywords: cryptographic protocols / Bitcoin, anonymity, privacy, financial privacy
Date: received 24 Feb 2021
Contact author: adam ficsor73 at gmail com, nothingmuch at woobling org, lucasontivero at gmail com, istvanseres at caesar elte hu
Version: 20210301:171314

Sword: An Opaque Blockchain Protocol
Farid Elwailly
https://eprint.iacr.org/2020/1289

Abstract: I describe a blockchain design that hides the transaction graph from Blockchain Analyzers. The design is based on the realization that today the miner creating a block needs enough information to verify the validity of transactions, which makes details about the transactions public and thus allows blockchain analysis. Some protocols, such as Mimblewimble, obscure the transaction amounts but not the source of the funds, which is enough to allow for analysis. The insight in this technical note is that the block creator can be restricted to the task of ensuring no double spends. The task of actually verifying transaction balances really belongs to the receiver. The receiver is the one motivated to verify that she is receiving a valid transaction output, since she has to convince the next receiver that the balances are valid; otherwise no one will accept her spending transaction. The bulk of the transaction can thus be encrypted in such a manner that only the receiver can decrypt and examine it.
Opening this transaction allows the receiver to also open previous transactions, so that she can work her way backward in a chain until she arrives at the coin generation blocks and completely verify the validity of the transaction. Since transactions are encrypted on the blockchain, a blockchain analyzer cannot create a transaction graph until he is the receiver of a transaction that allows backward tracing through to some target transaction.

Category / Keywords: applications / cryptocurrency, Bitcoin, confidential transaction, blockchain analyzer, stealth address, privacy, Mimblewimble, Sword
Date: received 15 Oct 2020
Contact author: sword at elwailly com
Version: 20201016:064939

Zerojoin: Combining Zerocoin and CoinJoin
Alexander Chepurnoy and Amitabh Saxena
https://eprint.iacr.org/2020/560

Abstract: We present Zerojoin, a privacy-enhancing protocol for UTXO blockchains. Like Zerocoin, our protocol uses zero-knowledge proofs and a pool of participants. However, unlike Zerocoin, our pool size is not monotonically increasing. Thus, our protocol overcomes the major drawback of Zerocoin. Our approach can also be considered a non-interactive variant of CoinJoin, where the interaction is replaced by a public transaction on the blockchain. The security of Zerojoin relies on the Decisional Diffie-Hellman (DDH) assumption. We also present ErgoMix, a practical implementation of Zerojoin on top of Ergo, a smart contract platform based on Sigma protocols. While Zerojoin contains the key ideas, it leaves open the practical issue of handling fees. The key contribution of ErgoMix is a novel approach to handling fees in Zerojoin.

Category / Keywords: cryptographic protocols / cryptocurrency, privacy, DDH, zero knowledge
Original Publication (with minor differences): Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM 2020, CBT 2020.
Date: received 13 May 2020, last revised 29 Aug 2021
Contact author: kushti at protonmail ch
Version: 20210829:211748

Mimblewimble Non-Interactive Transaction Scheme
Gary Yu
https://eprint.iacr.org/2020/1064

Abstract: I describe a non-interactive transaction scheme for the Mimblewimble protocol, so as to overcome the usability issue of the Mimblewimble wallet. Using Diffie-Hellman, an ephemeral key shared between the sender and the receiver replaces the interactive cooperation procedure; a public nonce R is added to the output for that purpose. An additional one-time public key P' is used to lock the output so that it is spendable only by the receiver, i.e. the owner of P'. Further, to keep the Mimblewimble privacy character, a stealth address is used in this new transaction scheme.

Category / Keywords: public-key cryptography / Mimblewimble, Stealth address, Bitcoin, Grin, Confidential transaction, Privacy
Date: received 2 Sep 2020, last revised 21 Dec 2020
Contact author: gary yu at gotts tech
Note: A major update of the scheme, with analysis of replay attacks, rogue-key attacks, etc., to replace the unsafe previous version.
Version: 20201221:130713
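Two of the building blocks named in the entries above, homomorphic value commitments (the WabiSabi entry) and a stealth address with a one-time output key P' derived from a public nonce R (the Mimblewimble Non-Interactive Transaction Scheme entry), are small enough to show end to end. The following is an added example written for this page; it is not code from any of the listed papers and does not reproduce either paper's exact construction. It assumes the curve secp256k1, a second generator H obtained by hashing G's x-coordinate with try-and-increment, and the generic dual-key stealth derivation P' = hash(r*A)*G + B; all three are assumptions of this example, not claims about the papers. It needs Python 3.8 or later for `pow(x, -1, p)`.

```python
"""Added example (not code from any paper listed above), on secp256k1 in pure Python.
  1. Pedersen value commitments and the homomorphic balance check: a verifier
     confirms sum(inputs) == sum(outputs) without learning any amount.
  2. A dual-key stealth address: the sender publishes an ephemeral nonce R and
     the receiver alone derives the one-time key P' and its spending secret.
Assumed, not taken from either paper: H is derived by hashing G's x-coordinate
(try-and-increment) and P' = hash(r*A)*G + B is the generic construction."""
import hashlib
import secrets

P = 2**256 - 2**32 - 977                      # field prime, curve y^2 = x^3 + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def hash_to_scalar(*parts):
    data = b"".join(p.to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def hash_to_point(seed):
    """Nothing-up-my-sleeve generator: hash to an x, increment until x^3 + 7 is a
    square (P = 3 mod 4, so one pow gives the root). log_G(H) stays unknown."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

H = hash_to_point(G[0].to_bytes(32, "big"))   # assumed derivation of H

# 1. Pedersen commitment C = v*H + r*G: hiding via random r, binding via unknown log_G(H)
def commit(value, blind):
    return ec_add(ec_mul(value, H), ec_mul(blind, G))

def balance_holds(in_commits, out_commits, excess):
    """sum(C_in) - sum(C_out) == excess*G  <=>  sum(v_in) == sum(v_out), where
    excess = sum(r_in) - sum(r_out) is the only scalar the signer reveals."""
    total = None
    for c in in_commits:
        total = ec_add(total, c)
    for c in out_commits:
        if c is not None:                       # None is commit(0, 0)
            total = ec_add(total, (c[0], (-c[1]) % P))   # subtract by negating y
    return total == ec_mul(excess, G)

def coinjoin_balances(in_values, out_values):
    """Blind every amount of a variable-amount join; return the verifier's verdict."""
    r_in = [secrets.randbelow(N) for _ in in_values]
    r_out = [secrets.randbelow(N) for _ in out_values]
    c_in = [commit(v, r) for v, r in zip(in_values, r_in)]
    c_out = [commit(v, r) for v, r in zip(out_values, r_out)]
    excess = (sum(r_in) - sum(r_out)) % N
    return balance_holds(c_in, c_out, excess)

# 2. Stealth address: receiver publishes (A, B) = (a*G, b*G) once; every payment
#    gets a fresh one-time key, so outputs to the same receiver stay unlinkable.
def stealth_keygen():
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return (a, b), (ec_mul(a, G), ec_mul(b, G))

def stealth_send(A, B):
    """Sender: ephemeral r; nonce R = r*G goes into the output; P' = hash(r*A)*G + B."""
    r = secrets.randbelow(N - 1) + 1
    shared = ec_mul(r, A)
    return ec_mul(r, G), ec_add(ec_mul(hash_to_scalar(*shared), G), B)

def stealth_receive(a, b, B, R):
    """Receiver: a*R equals r*A, so only the scan key a recovers P', and only the
    spend key b yields the secret p' = hash(shared) + b with p'*G == P'."""
    t = hash_to_scalar(*ec_mul(a, R))
    return ec_add(ec_mul(t, G), B), (t + b) % N
```

`coinjoin_balances([5, 3, 12], [10, 10])` returns True and `coinjoin_balances([5, 3, 12], [10, 11])` returns False, while the verifier in `balance_holds` only ever handles curve points and the excess scalar. For the stealth part, `stealth_receive` with the correct scan key reproduces the sender's P' and a secret that multiplies G back to it; a second `stealth_send` to the same (A, B) yields a different P', which is the unlinkability the abstract refers to. Scalar multiplication here is not constant-time, so the block is for understanding the arithmetic, not for handling real keys.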