The Bitcoin transaction graph has varied observable patterns, with pockets clustering of highest significance. A few of these patterns have been studied and used to hyperlink cash from the identical pockets, each in idea and apply.
Each transaction consists of a listing of inputs (the place the sats are taken from) and outputs (the place the enter sats are distributed). Inputs check with the outputs of earlier transactions, similar to connecting transactions. Outputs lock some quantity of bitcoin with sure spending circumstances (i.e., the “deal with,” public key, or output script). Linking cash means figuring out the entity that controls the keys to a group of transaction outputs, spent or unspent.
Part 10 of the Bitcoin white paper, “Privateness,” briefly discusses linking:
“A brand new key pair must be used for every transaction to maintain them from being linked to a typical proprietor.”
When the identical public key controls multiple coin, these cash are trivially linked since just one entity is meant to know the personal key.
Nevertheless, deal with reuse just isn’t the one concern. The paper continues:
“Some linking continues to be unavoidable with multi-input transactions, which essentially reveal that their inputs had been owned by the identical proprietor.”
That is also known as the “widespread enter possession heuristic,” CIOH, or the “multi-input heuristic.” It’s solely a heuristic as a result of, in contrast to the implication within the quote above, counterexamples exist. Though it isn’t at all times true, it typically is.
Through the years, extra refined strategies for clustering have been developed, for instance, telling aside change outputs from funds or utilizing bigger buildings within the transaction graph than simply particular person transactions. A few of these have been described in educational work, whereas others stay proprietary. Improved strategies can hyperlink to extra cash or keep away from so-called “cluster collapse,” the place cash belonging to completely different customers are incorrectly related. Business choices typically profit from extra sources of knowledge, similar to KYC information; they don’t essentially rely on simply the privateness leaks that happen within the Bitcoin protocol, however clustering continues to be the central theme.
This motivates an adversarial framing of privateness, the place a deanonymization assault makes an attempt to assign cash to clusters. From this attitude, defending privateness means making it harder for the adversary to reach appropriately assigning cash to clusters. Probably the most notable examples contain collaborative transaction building, whether or not it’s overtly tough to guess, as in CoinJoin, or covertly as in PayJoin, or maybe most prominently, simply part of how the software program works as with Lightning node transactions. In all circumstances, the simplistic assumption of widespread possession breaks down, necessitating a extra nuanced evaluation.
The adversarial framing additionally makes it express that completely different adversaries have completely different capabilities, with the suitable adversarial mannequin relying on the person’s risk mannequin: Are you extra frightened about surveillance by an oppressive authorities or snooping by your transactions’ counterparties?
Initially printed on the Spiral Substack.