Tuesday, September 23, 2014

Bitcoin, Anonymous ECash, and Strong Privacy

I first wrote about the idea of strong privacy in an article published in 1996, almost twenty years ago, and have returned to the subject several times since. The basic idea, inspired by the work of members of the Cyperpunk mailing list, in particular Tim May, was that public key encryption made possible a world where individuals could make their transactions invisible to third parties. In such a world it would be possible to combine anonymity and reputation by linking the reputation to an online identity but making it difficult or impossible to identify the corresponding realspace identity. 

A key element of such a world is anonymous digital cash, some way of making payments, including payments to strangers, without identifying payer or payee to either third party observers or the other party. What I was imagining was something along the lines worked out by David Chaum, a Dutch cryptographer. Chaumian digital cash is issued by a realspace bank but, just as with ordinary paper currency, transactions are anonymous. The bank does not know who has made transfers to whom, and neither party to a transfer needs to know the identity of the other.

Chaumian digital cash does not yet exist, probably because it requires a realspace bank, a realspace bank requires permission, ideally protection, for the government in whose territory it exists, and governments take a dim view of a technology that would make money laundering laws undenforceable. The nearest equivalent that does exist is bitcoin, one of its virtues being that there is no issuer, hence no need for permission or protection. 

Bitcoin is, in a sense, the least anonymous money that has ever existed, since every transaction is observable by anyone with a bitcoin account. Transactions are shown as between accounts, not between people. But all that is necessary to link a realspace person to at least one of his accounts is to make a bitcoin payment to him and see what account the money goes to.

That works as a way of monitoring bitcoin transactions made by a realspace identity. Suppose, however, that we have a world of strong privacy. In that imaginary world my online identity is Legal Eagle Online, selling legal advice which I cannot sell in realspace due to not being a member of my state bar. Legal Eagle makes and receives payments in bitcoins. The online identity can be linked to the account he uses by anyone who makes a payment to him. But as long as I am careful not to use his bitcoins to buy goods delivered to my realspace address,  there is no information linking Legal Eagle to me.

There are proposals to convert bitcoin into a truly anonymous ecash by using mechanisms that, as I understand them, mix coins in between transactions. How successful such projects will be I do not know. Even without them, bitcoin as it currently exists could be used as the digital currency of a world of strong privacy. It is not as good for that purpose as a fully anonymous currency would be, since the bitcoin transactions of my online identity are public. But it preserves the essential feature of such a world, the separation between online and realspace identities.

.

9 comments:

Mashuri said...

You should look into OpenTransactions: http://opentransactions.org/. It enables chaumian transfers and voting pools, among other things. This will allow bitcoin (and any other cryptocurrency) to be transferred blind through a distributed network.

Anonymous said...

Even zerocoin etc are not fully anonymous. Nothing is ever fully anonymous. We have a hard enough time developing secure devices to hold bitcoin. to be fully anonymous, you'd have to monitor the entire internet chain etc (from your isp etc). At the end of the day nothing is 100%.

But with dark wallet, etc i think it will be anonymous enough. There are still plenty of attack vectors with zerocoin etc.

adam back on zerocoin (around 32:40 mark) and some draw backs with zerocoin

https://www.youtube.com/watch?v=3dAdI3Gzodo


Chris Hibbert said...

Minor corrections: it was the Cypherpunks mailing list. I'm fairly certain that Chaum is an American. When the government was most strongly prosecuting the crypto-wars, the only place Chaum could continue development was in the Netherlands, and he did get funding for a company there, but most of the foundational papers were written and published in the US.

The digital mixes you describe are workable, and you don't actually need multiple parties to make the idea work. The thing that makes currency traceable is combining multiple payments into a single wallet. If you do that, and make payments consistently from the same wallet, then anyone who pays you can see what other payments went into that wallet, and what other payments went out. But there's no requirement that a person only have one wallet.

Any bitcoin user who cares about anonymity should create a wallet for each incoming payment, and pay for goods with a collection of coins assembled into a wallet used for just that payment. Someone who pays you will be able to see all the people you paid some of those funds to, but since you don't jumble them together into a traceable wallet connected to your continuing identity, they can't assemble a coherent picture of your transactions over time.

Jon Matonis said...

Thanks for your thoughts, David. We will never go back to a world of Chaumian anonymous digital cash because it functioned under a centralized model where coins were sent back to the mint and then re-issued to confirm no double-spending.

The distributed aspect of Bitcoin's block chain (public ledger) provides its essential resiliency, which is a major feature of a nonpolitical digital currency when you consider its adversaries.

Unknown said...

Examples like 'I can perform an illegal service and take Bitcoin for payment, because it can't be traced' are pretty daft. Illegal services can and will be tracked in many ways. Trust me , I've been there.

I thought I was smart, but one error - or in my case, an advance in technology in an unrelated area that I could never have foreseen - unravels the web. Computer (algorithms) are very very good at following trails - and mass investigations based on public data have virtually zero marginal costs.

The payment may ( or may not ) be anonymous, but there are so many other attack vectors by the authorities that it is irrelevant.

The community needs to argue that the powers of law enforcement are so enhanced these days due to the advances in computer based forensics that the old principle of follow the money is less necessary.

And, we need to get out of our heads that Bitcoin enables illegal services. No matter how one defines 'illegal'

Bob Robertson said...

What about the generation of a new key that is used for only one transaction?

I'm aware that the transaction credit will show up in the same Bitcoin "account", so is generating a new key to receive a single transaction a waste of time?

Bob Robertson said...

Of course I meant "wallet" rather than "account".

Paul miller said...

Dark Coin is another option here.

Anonymous said...

As Mashuri mentioned, Open Transactions makes chaumian cash possible. In OT, anonymous users can trade receipts of various assets (such as bitcoins, gold and US dollars) through financial instruments.