Bitcoin users in need of serious transaction privacy should avoid popular services like Blockchain's SharedCoin and other CoinJoin implementations, according to a well-known security expert.
Consultant Kristov Atlas, author of the book Anonymous Bitcoin, published a security advisory today saying weaknesses in SharedCoin offered privacy only from "unskilled examiners of the bitcoin blockchain" – and even then, only until more sophisticated analysis tools were made user-friendly enough for the average user to deploy.
Blockchain CEO Nicolas Cary said he was satisfied with the research and the way it was handled:
"We've been in close communications with Kristov and appreciate his diligence. He takes privacy seriously and so do we."
Using a software tool he created himself called 'CoinJoin Sudoku', Atlas analyzed thousands of transactions identified as using SharedCoin and determined he could identify relationships between specific payments and payees.
CoinJoin Sudoku works by searching for common ownership among the multiple transaction inputs and outputs that SharedCoin uses to obscure identity, grouping them wherever the summed input and output amounts match.
"They do not prevent a determined investigator from correlating transactions or an adversary with information about specific addresses from correlating them to specific payments and payees."
How SharedCoin works
While transactions on the bitcoin blockchain are open for all to see (at least at the public address level), SharedCoin will collect a group of users wishing to increase privacy and join their transactions into one 'master transaction' before broadcasting it to the network.
The transaction that then appears on the blockchain would have multiple outputs and inputs, supposedly making it worthless for analysis.
Customers may select the number of times to repeat the SharedCoin process, between two and ten.
While offering enhanced privacy to users, SharedCoin and mixing services hope to better protect all users by making the bitcoin blockchain overall a less dependable tool for connecting bitcoin addresses to individuals.
Need for privacy
Blockchain officially began offering SharedCoin as a free service to its users last November, around the time Matt Mellon's 'CoinValidation' and other services appeared, which promised to track specific bitcoins and addresses connected to suspicious or other investigation-worthy activity. Blockchain did not claim, however, that SharedCoin provided 100% protection from such services.
Older style mixing tools (also known as 'tumblers') would forward a payment around several different addresses to make the originator hard to find, usually on a private server, or 'off-chain'. Such systems, however, required trust from users that anonymous operators would not simply confiscate or steal the bitcoins before they emerged from the mixer.
SharedCoin, and the CoinJoin protocol itself, provided a system that required less trust in the operator, by taking advantage of a bitcoin transaction's ability to have multiple inputs and outputs.
Crunching through transactions
Atlas analyzed 20,000 transactions across 45 blocks on the bitcoin blockchain and found around 2.6% fit the profile of a SharedCoin transaction.
CoinJoin Sudoku identified groups within a transaction with equal amounts (marked red and blue in the diagram below) then examined inputs and outputs one digit at a time to identify possible relationships.
Currently, he wrote, the new tool was still inefficient and required over 30 hours to complete the analysis on a single processor, even with the testing limitations he introduced. More thorough de-anonymization would take much longer, though it remained possible.
"Despite the limitation, the tool was able to group 69% of inputs and 53% of a single transaction's outputs."
Through this kind of grouping, he could identify a maximum of two users within that transaction.
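To illustrate the amount-matching step described above, here is a small Python example added for this article (it is not CoinJoin Sudoku's code, and the transaction amounts are constructed). It enumerates subsets of inputs and outputs whose sums match exactly, then counts how many destinations each input could belong to; the second, equal-denomination case shows why uniform output amounts leave the matching ambiguous.

```python
from itertools import combinations

# Constructed example: a 4-in/3-out join with unequal amounts (satoshis; the
# fee is omitted for simplicity). inB and inC together fund out2; inA and inD
# each map to one output on their own.
UNEQUAL_INPUTS = {"inA": 150_000, "inB": 230_000, "inC": 70_000, "inD": 410_000}
UNEQUAL_OUTPUTS = {"out1": 150_000, "out2": 300_000, "out3": 410_000}

# Constructed example: the same idea with every input and output at one denomination.
EQUAL_INPUTS = {"inA": 100_000, "inB": 100_000, "inC": 100_000}
EQUAL_OUTPUTS = {"out1": 100_000, "out2": 100_000, "out3": 100_000}


def subset_sums(amounts, max_size):
    """Map every non-empty subset of ids (up to max_size) to the sum of its amounts."""
    ids = list(amounts)
    return {frozenset(c): sum(amounts[i] for i in c)
            for k in range(1, max_size + 1) for c in combinations(ids, k)}


def link_by_sums(inputs, outputs, max_size=3):
    """Find (input subset, output subset) pairs whose sums match exactly.
    The whole-transaction match is skipped, and a pair that strictly contains
    another matching pair is dropped as redundant."""
    in_sums = subset_sums(inputs, max_size)
    out_sums = subset_sums(outputs, max_size)
    raw = [(ins, outs) for ins, s in in_sums.items() if len(ins) < len(inputs)
           for outs, t in out_sums.items() if s == t and len(outs) < len(outputs)]
    return [(ins, outs) for ins, outs in raw
            if not any((i2, o2) != (ins, outs) and i2 <= ins and o2 <= outs
                       for i2, o2 in raw)]


def candidates_per_input(inputs, matches):
    """Count the distinct output groups each input can be tied to; a count of 1
    means the sum structure alone pins that input to a single destination."""
    cands = {i: set() for i in inputs}
    for ins, outs in matches:
        for i in ins:
            cands[i].add(outs)
    return {i: len(c) for i, c in cands.items()}


if __name__ == "__main__":
    for label, ins, outs in (("unequal", UNEQUAL_INPUTS, UNEQUAL_OUTPUTS),
                             ("equal", EQUAL_INPUTS, EQUAL_OUTPUTS)):
        m = link_by_sums(ins, outs)
        print(label, "matches:", len(m), "candidates:", candidates_per_input(ins, m))
```

With unequal amounts every input resolves to exactly one output group; with a single denomination each input has three equally plausible destinations, which is why equal-sized outputs are the usual mitigation.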
Atlas recommended anyone using SharedCoin set the number of cycles to the maximum 10, while remembering that even this did not guarantee 100% privacy.
Blockchain provides a 'Taint Analysis' tool that tests the traceability of funds and is designed to evaluate the effectiveness of mixers. If a mixer works, users should not be able to identify the sending addresses in the list.
Atlas says Taint Analysis is a "poor measurement" for this: his tool identified a 100% and a 50% chance of a relationship between one output and two inputs where Taint Analysis had claimed 4.2% and 4.5% respectively.
He plans to release CoinJoin Sudoku as an open-source project in two weeks. The delay, he said, was to provide SharedCoin users with adequate time to take the steps necessary to protect their privacy.
Blockchain disclosed that it paid Atlas a bounty (via SharedCoin) for finding the vulnerability and had worked with him to coordinate a schedule to release the information:
"Blockchain.info sincerely appreciates the thoughtful nature of this disclosure from community member Kristov Atlas. We look forward to working with Mr. Atlas and other security researchers, on future improvements and enhancements to SharedCoin."
"As always, Blockchain.info is committed to transparency, the community, and improving bitcoin services for everyone."
The company invited everyone to visit its GitHub repository to review its many open-source projects.
"If you want to truly hide transactions, SharedCoin and other implementations of CoinJoin are not for you, they are neither sufficient nor convenient. SharedCoin provides a basic level of enhanced privacy transaction but doesn't guarantee anonymity nor was it intended to."
Blockchain saw SharedCoin's primary user base as corporations wishing to protect privacy of payroll and bill payments, individuals wishing not to display records of salaries or tips, and political and charitable organizations protecting their donors.
SharedCoin, Blockchain says, is actually "not a mixing service" as it never controls or sends any funds on behalf of its users.
Repeating a warning often given to anyone who claims the bitcoin payment network is 'anonymous', the company said anyone with sufficient time, money, motivation and computing power could correlate transaction outputs and inputs.