Welcome to the twelfth issue of ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!
Table of Contents
- IRS John Doe Summons to Exchanges, Continued
- Holistic Privacy and Usability
- Malicious Tor Exit Relays, Continued
- Current State of Lightning Network Privacy
- Financial Freedom and Privacy
- Chaincase CoinJoin on iOS
- Increase OUTPUT_GROUP_MAX_ENTRIES
- Atomic Swaps With Monero, Continued
- Pizza, Wasabi, and Privacy - Oh My!
- Taproot Signalling Reaches Threshold
- OFAC Seeking Chainalysis Subscription
May 5th - IRS JOHN DOE SUMMONS TO EXCHANGES, CONTINUED
Last month in TMIBP11, I noted that the U.S. Department of Justice had announced that the IRS served a John Doe summons on Circle. While it became known at the time that Kraken had also been served, this was not similarly announced until May 5th.
Today’s order from the Northern District of California grants the IRS permission to serve what is known as a “John Doe” summons on Kraken. The United States’ petition does not allege that Kraken has engaged in any wrongdoing in connection with its digital currency exchange business. Rather, according to the court’s order, the summons seeks information related to the IRS’s “investigation of an ascertainable group or class of persons” that the IRS has reasonable basis to believe “may have failed to comply with internal revenue laws.” According to the copy of the summons filed with the petition, the IRS directed Kraken to produce records identifying the U.S. taxpayers described above, along with other documents relating to their cryptocurrency transactions.
May 6th - HOLISTIC PRIVACY AND USABILITY
Nym Technologies CEO Harry Halpin published a paper titled ‘Holistic Privacy and Usability of a Cryptocurrency Wallet,’ which focused on the results of tests “integrating the ZCash wallet into network-level protection like VPNs or Tor,” within the framework of holistic privacy:
Unlike encryption that – given [a] mathematical hardness assumption – can be proven to keep confidentiality against even powerful enemies, privacy is not a binary property but a multi-dimensional and socially-embedded spectrum that can be realized in multiple ways, ranging from pseudonymity to anonymity. This especially holds true for third-party anonymity in technical systems, which have multiple layers where information may leak and so allow an adversary to link items of interest…
The problem then facing the design of a usable anonymous cryptocurrency wallet is holistic privacy: Privacy is not reducible to a single layer of abstraction, and a leak at any layer can eliminate any privacy properties of the system as a whole. This problem is not confined to privacy-enhanced cryptocurrency wallets, but the hard problem of holistic privacy is endemic in the development of privacy-enhancing tools from web browsers like Tor to secure messaging applications like Signal. For example, Tor cannot interoperate with the popular Google Chrome browser due to the way it retrieves DNS without allowing a proxy like Tor, and Signal uses phone numbers for identities in a way that many activists feel uncomfortable with even though the Signal server itself uses advanced techniques so that it does not need to record the phone number itself. Holistic privacy is likely always incomplete, as new bugs and layers of abstraction are discovered and more complex assemblages of programs created (in turn, altering their original privacy properties).
May 8th - MALICIOUS TOR EXIT RELAYS, CONTINUED
In TMIBP03 and TMIBP08, I have been following issues with Tor and their effect on Bitcoin. According to a follow-up post by security researcher and Tor server operator Nusenu, the attacker introducing malicious relays had “managed more than 27% of tor’s exit relay capacity” in February. “This is the largest malicious tor exit fraction I’ve ever observed by a single actor.”
Nonetheless we are in a dilemma between knowingly using malicious tor exit relays vs. excluding them via the tor client configuration at the price of having a non-default configuration. This is additionally complicated by the fact that the exact nature of the attacks is not entirely known. We know about mitmproxy, sslstrip, bitcoin address rewrites and download modification attacks but it is not possible to rule out other types of attacks.
The simplest ways to protect yourself from these threats are to force HTTPS-only connections and to stay within the Tor network, which eliminates the need for exit nodes. Browser features like Onion-Location can help by redirecting you to the onion version of websites you visit.
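Because a malicious exit can tamper with cleartext traffic, a client should only follow an Onion-Location hint when it cannot have been injected on the way. The following Python is an added example of the checks such a client can apply before redirecting; it is not code from Tor Browser or from the newsletter. It assumes (as I understand the Tor Project’s documented behaviour) that the advertising page must itself be served over HTTPS, that the target must use http or https, and that the hostname must be a well-formed v3 onion address, whose 56-character label encodes the service’s 32-byte public key, a two-byte SHA3-256 checksum and a version byte of 3. The example builds an address from a constructed key and then validates it, so it runs offline.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Added example (not Tor Project code): validate an Onion-Location header
# value before a client follows it. The checksum rule below follows the v3
# onion address format: checksum = SHA3-256(".onion checksum" || pubkey || version)[:2].
ONION_V3_LABEL_LEN = 56
ONION_V3_VERSION = b"\x03"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion service keys are 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(hostname: str) -> bool:
    """Structural check: suffix, label length, base32 alphabet, version byte, checksum."""
    if not hostname.endswith(".onion"):
        return False
    label = hostname[: -len(".onion")]
    if len(label) != ONION_V3_LABEL_LEN or "." in label:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:          # binascii.Error is a ValueError: bad alphabet
        return False
    if len(raw) != 35 or raw[34:35] != ONION_V3_VERSION:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    return checksum == onion_v3_checksum(pubkey)


def accept_onion_location(page_url: str, header_value: str) -> bool:
    """Return True only if a client should honour the Onion-Location redirect."""
    if urlparse(page_url).scheme != "https":
        return False            # a header on a cleartext page could have been injected in transit
    target = urlparse(header_value)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False
    return is_valid_onion_v3(target.hostname)


if __name__ == "__main__":
    # Constructed key: not a real service.
    demo_host = encode_onion_v3(bytes(range(32)))
    print(demo_host)
    print(accept_onion_location("https://example.com/", "http://" + demo_host + "/"))
    print(accept_onion_location("http://example.com/", "http://" + demo_host + "/"))
```

The HTTPS requirement on the originating page is the part that matters against the attacks Nusenu describes: an sslstrip-style exit that can rewrite a cleartext page could otherwise also insert a redirect to an onion service of its choosing.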
On May 5th, the Tor Project launched a new page for checking “the state of our major services.” On May 11th, they tweeted about their attempts to “diagnose and reject bad relays,” and published a list of rejected fingerprints.
On May 13th, senior software engineer Konstantin Darutkin published a report about an unrelated “scheme flooding vulnerability” affecting all major browsers including Tor, though it “takes the longest to successfully run” there. “A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together.”
Recently we have seen a number of integrations of Tor into Bitcoin infrastructure. On May 14th, Trezor highlighted Tor Switch, which they had introduced into their Suite as of November 2020, and said “we’re planning to allow the user to enable Tor right on the login!” On May 17th, the Ronin Dojo project published a release adding “a new way to interact with your node remotely using Tor Browser.” And on May 20th, Sparrow Wallet v1.4.1 came with the option to “broadcast transactions over a new Tor circuit to an external service where Tor is enabled.”
May 10th - CURRENT STATE OF LIGHTNING NETWORK PRIVACY
Bitcoin Lightning developer Anthony Ronning published “Current State of Lightning Network Privacy” as an outline of its features and deficiencies, many of which I have covered in TMIBP01, TMIBP02, TMIBP03, TMIBP05, TMIBP07, TMIBP08, TMIBP10, and TMIBP11.
The purpose of the Lightning Network is quick settlements. Bitcoin’s base layer does not have any privacy guarantees and neither does Lightning. There are ways to attempt to hide amongst the activity of the network, but it’s no guarantee. Sizable actors can attack and reveal private channels that are an extension of the main graph. From there, the flow of funds across the network should be considered public knowledge.
May 13th - FINANCIAL FREEDOM AND PRIVACY
In TMIBP06, I featured the Cato Institute’s 38th Annual Monetary Conference with a focus on “central bank vs. private (centralized and decentralized) digital currencies.” On May 13th, the center announced that their new “Digital Currencies: Risk or Promise?” journal was online, including Human Rights Foundation (HRF) director Alex Gladstein’s article, “Financial Freedom and Privacy in the Post-Cash World.”
In “Cypherpunk’s Manifesto,” privacy activist Eric Hughes (1993) wrote: “We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence.” The world seems destined to track toward the extinction of banknotes and an endgame of trackable and seizable CBDC and commercial money. In the post-cash world, there simply may not be very much financial freedom and privacy. In this context, bitcoin is worthy of continued study and exploration by monetary economists and human rights activists alike.
The paper covers CBDCs (TMIBP08), Taproot (TMIBP08, TMIBP09, TMIBP10, TMIBP11), the third-party doctrine (TMIBP02, TMIBP04, TMIBP05, TMIBP06, TMIBP09, TMIBP11), the Financial Action Task Force (FATF) and their ‘Travel Rule’ (TMIBP02, TMIBP04, TMIBP06, TMIBP10, TMIBP11), FinCEN and the Federal Reserve’s proposed rule from October 2020 (TMIBP05), and other topics within “the future of financial freedom and privacy.”
May 16th - CHAINCASE COINJOIN ON IOS
In last month’s TMIBP11, I featured a mobile BIP-78 PayJoin implementation using a fork of Chaincase, both developed by Dan Gould. He has released a new demo showing the app’s CoinJoin features as of v0.5.8 (at the end of May, v0.5.9 became the latest release).
Chaincase app keeps your financial data to yourself. Chaincase never holds your keys and lets you stay in complete control. Chaincase uses Tor and Neutrino block filters to keep your data private while you sync, communicate on the network, and broadcast transactions. This CoinJoin feature allows you to preserve your blockchain privacy by creating a collaborative transaction with your peers.
May 19th - INCREASE OUTPUT_GROUP_MAX_ENTRIES
A meeting of the Bitcoin PR Review Club, hosted by Core developer Gloria Zhao, convened to discuss pull-request #18418 by Core developer Fabian Jahr, which aims to increase the number of UTXOs per OutputGroup by scriptPubKey from 10 to 100. Two participants noted that the main purpose of the change was to “improve privacy.”
The way our wallet constructs transactions over time can leak information about its contents. The most obvious example is we can assume that all UTXOs sent to the same scriptPubKey are controlled by the same person. UTXOs sent to different addresses may also be linked if they are spent together (a common heuristic used in chain analysis). Thus, if we’re not careful, observant attackers can link addresses to estimate our wallet balance and, if any one of our addresses is deanonymized (e.g. we send it to an exchange, merchant, or block explorer that knows our personal information or IP address), we might accidentally reveal how much money we have!
The Bitcoin Core wallet implements a few best-practice privacy techniques. One is avoiding the reuse of addresses when creating an invoice or change address. Another is grouping UTXOs into OutputGroups by scriptPubKey and running coin selection on the groups rather than individual UTXOs.
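To make the grouping concrete, here is an added Python model of OutputGroups that is not Bitcoin Core’s code: it groups a constructed UTXO set by scriptPubKey, splits any scriptPubKey with more UTXOs than the cap (the role OUTPUT_GROUP_MAX_ENTRIES plays), and runs a deliberately simple selection over the groups. The selection rule (prefer one group that covers the target, otherwise add the largest groups) is my own toy, not Core’s algorithm; the scriptPubKeys “A” and “B” and the amounts are made up. The point it shows is that a low cap can force the wallet to pull in a second address for a payment that a single address could have covered.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example (not Bitcoin Core code). Amounts are satoshis; all data constructed.


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    spk: str        # scriptPubKey (address) that received the output
    amount: int


@dataclass
class OutputGroup:
    spk: str
    utxos: List[Utxo]

    @property
    def value(self) -> int:
        return sum(u.amount for u in self.utxos)


def group_outputs(utxos: List[Utxo], max_entries: int) -> List[OutputGroup]:
    """Group UTXOs by scriptPubKey; a scriptPubKey with more than max_entries
    UTXOs is split into several groups, each holding at most max_entries."""
    by_spk: Dict[str, List[Utxo]] = defaultdict(list)
    for u in utxos:
        by_spk[u.spk].append(u)
    groups: List[OutputGroup] = []
    for spk, lst in by_spk.items():
        for i in range(0, len(lst), max_entries):
            groups.append(OutputGroup(spk, lst[i:i + max_entries]))
    return groups


def select_groups(groups: List[OutputGroup], target: int) -> List[OutputGroup]:
    """Toy selection over groups (not Core's): prefer the smallest single group
    that covers the target; otherwise add groups largest-first until covered."""
    singles = [g for g in groups if g.value >= target]
    if singles:
        return [min(singles, key=lambda g: g.value)]
    chosen: List[OutputGroup] = []
    total = 0
    for g in sorted(groups, key=lambda g: g.value, reverse=True):
        chosen.append(g)
        total += g.value
        if total >= target:
            return chosen
    raise ValueError("insufficient funds")


def linked_addresses(selected: List[OutputGroup]) -> Set[str]:
    """Addresses an observer can link via the common-input-ownership heuristic."""
    return {g.spk for g in selected}


# Constructed wallet: 15 small outputs to address A (150,000 sat total) and one
# larger output to address B.
WALLET = [Utxo("tx%02d" % i, 0, "A", 10_000) for i in range(15)] + [Utxo("txb", 1, "B", 80_000)]
TARGET = 120_000


def addresses_revealed(max_entries: int) -> Set[str]:
    return linked_addresses(select_groups(group_outputs(WALLET, max_entries), TARGET))


if __name__ == "__main__":
    for cap in (10, 100):
        print(cap, len(group_outputs(WALLET, cap)), addresses_revealed(cap))
```

With a cap of 10 the 15 outputs at A become two groups of 100,000 and 50,000 sat, neither of which covers the payment alone, so the toy selector adds B and the transaction links A and B on-chain. With a cap of 100 the single A group covers the payment and B stays unlinked.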
May 20th - ATOMIC SWAPS WITH MONERO, CONTINUED
The Farcaster project is a new protocol that enables such atomic swaps between Bitcoin and Monero. Joël Gugger, Sebastian Küng, and Robert Hambrock from the Farcaster project will present to a broadly privacy concerned audience how this enables them to break the surveillance chain of their Bitcoin and protect their legitimate privacy interests.
On May 2nd, ‘Diverter’ joined S1E6 of the Why Monero podcast to discuss “BTC/XMR maximalism, sovereignty, the importance of maintaining financial privacy through the use of KYC-free bitcoin, privacy-enhancing tools and monero, and why private individuals mining bitcoin is important and possible.” On May 28th, the Hoenisch / del Pino implementation also released v0.7.0 and “unlocked mainnet.”
May 22nd - PIZZA, WASABI, AND PRIVACY - OH MY!
For the eleven-year anniversary of Pizza Day, Wasabi marketing strategist Riccardo Masutti published an article about what we should learn about the most famous aggregating transaction in Bitcoin’s history from a privacy perspective. This includes avoiding posting personally identifying information, reusing addresses, poor change output management, and using round numbers for transaction amounts.
We’ve shown how multiple cyber attacks in recent decades have stripped away the feeling of security that any human being deserves, and we’re not only referring to Bitcoin-related privacy violations. Our recommendations and the backstory justifying them applies to every service or product that people purchase or use on the internet.
Lászlo Hanyecz also had something to say about their wallet:
“Wasabi Wallet is my favorite non full node Bitcoin wallet. It uses modern methods to filter transactions and has a privacy first design. The built in CoinJoin functionality is probably the most interesting part. But even for users who are not interested in this feature it is a great wallet that encourages labeling the user’s coins and being aware of what inputs the user is spending.”
Technologies of anonymous communication, anonymous currency, and reputation systems have been invented. They cannot be un-invented. These are all the ingredients needed to build a circular economy with strong privacy in cyber-space. Simultaneously, in meat-space our privacy is eroding. How long will doors and curtains — which are currently cutting-edge meat-space privacy technologies — hold against the advancements of mass surveillance?
May 25th - TAPROOT SIGNALLING REACHES THRESHOLD
Last month’s TMIBP11 covered the merging of Taproot “speedy trial” activation parameters into the first release candidate of Bitcoin Core 0.21.1. On May 2nd, the final release candidate with these mainnet and testnet activation parameters was published.
If activated, these improvements will allow users of single-signature scripts, multisignature scripts, and complex contracts to all use identical-appearing commitments that enhance their privacy and the fungibility of all bitcoins. Spenders will enjoy lower fees and the ability to resolve many multisig scripts and complex contracts with the same efficiency, low fees, and large anonymity set as single-sig users. Taproot and schnorr also include efficiency improvements for full nodes such as the ability to batch signature verification. Together, the improvements lay the groundwork for future potential upgrades that may improve efficiency, privacy, and fungibility further.
On May 4th, Casa co-founder Jameson Lopp noted that “once our software and hardware dependencies support Taproot functionality, we can integrate it into Casa.”
At that point, we’ll seek to make migrating to a Taproot-enabled wallet as painless as possible. The migration process will be quite similar to the regular transaction signing flows with which you are familiar, it will just create a transaction that moves funds into a Taproot-enabled address. There will be no rush to upgrade your wallet; you may do so at your own convenience.
In addition to the default privacy benefits you’ll get by upgrading to a Taproot-enabled wallet, we’ll be exploring ways we can improve security for our clients with the new Taproot features.
Anyone wanting to trustlessly monitor signaling progress can upgrade to Bitcoin Core 0.21.1 and use the getblockchaininfo RPC. For example, the following command line prints the number of blocks in the current retarget period, the number of those blocks which have signaled, and whether it’s possible for taproot to activate in this period (assuming there’s no reorg).
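As an added illustration of what that monitoring involves (my own code, not the command the quoted text refers to and not Bitcoin Core’s), the Python below reads a getblockchaininfo result and derives the same three figures. The embedded JSON is a constructed sample that follows the field layout of Bitcoin Core 0.21.1’s `softforks.taproot.bip9.statistics` block; its numbers are made up, not taken from a node. In a live setup the string would come from `bitcoin-cli getblockchaininfo` instead.

```python
import json

# Added example (not Bitcoin Core code). Constructed sample in the shape of
# Bitcoin Core 0.21.1's getblockchaininfo output; only the fields used here.
# Note: the "statistics" object is only present while the deployment status is "started".
SAMPLE_GETBLOCKCHAININFO = json.dumps({
    "chain": "main",
    "blocks": 684500,
    "softforks": {
        "taproot": {
            "type": "bip9",
            "bip9": {
                "status": "started",
                "bit": 2,
                "since": 681408,
                "min_activation_height": 709632,
                "statistics": {
                    "period": 2016,
                    "threshold": 1815,
                    "elapsed": 500,
                    "count": 480,
                    "possible": True,
                },
            },
            "active": False,
        }
    },
})


def lockin_possible(period: int, threshold: int, elapsed: int, count: int) -> bool:
    """Lock-in is still reachable in this period if the blocks that have already
    signalled plus every block still to come could meet the threshold."""
    return count + (period - elapsed) >= threshold


def signalling_summary(info_json: str, fork: str = "taproot") -> dict:
    """Extract period size, signalling count and activation possibility for a BIP9 fork."""
    info = json.loads(info_json)
    bip9 = info["softforks"][fork]["bip9"]
    if bip9["status"] != "started":
        return {"status": bip9["status"]}
    stats = bip9["statistics"]
    remaining = stats["period"] - stats["elapsed"]
    possible = lockin_possible(stats["period"], stats["threshold"], stats["elapsed"], stats["count"])
    return {
        "status": bip9["status"],
        "period": stats["period"],
        "threshold": stats["threshold"],
        "elapsed": stats["elapsed"],
        "count": stats["count"],
        "remaining": remaining,
        "still_needed": max(0, stats["threshold"] - stats["count"]),
        "possible": possible,
        # cross-check our arithmetic against what the node itself reports
        "matches_node": possible == stats["possible"],
    }


if __name__ == "__main__":
    print(json.dumps(signalling_summary(SAMPLE_GETBLOCKCHAININFO), indent=2))
```

Recomputing `possible` locally rather than trusting the node’s own flag is a small habit worth keeping when the point of the exercise is trustless monitoring.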
On May 6th, Galaxy Digital’s Amanda Fabiano re-shared a portion of the research that she and Rachel Rybarczyk had conducted earlier, published in two parts, regarding Taproot, Schnorr, and mining. They argued that we should be wary of “two concepts that have come up in relation to fungibility: clean coins and green coins.”
- There is no distinction between the newly issued coins in a block and transaction fees in a block, which means that newly minted bitcoins are mixed with the coins paid by transactors in a block, which themselves may not be clean.
- Pools currently assemble blocks, and the coin flow starts at the pools’ addresses. Depending on the pool, miners can see multiple hops of coin movement prior to the coins landing in their wallets — usually attributed to change addresses.
- It also does not take into account the transaction fees, something that becomes increasingly significant as the block subsidy diminishes over time… So the bitcoin that is paid out to all miners includes block subsidies and transaction fees with a multitude of addresses with very different histories, all from different blocks.
They predict that “a Schnorr and Taproot activation will likely cause an increase in fees per block,” and “because the Schnorr and Taproot upgrades obfuscate some of the details of the script execution, it makes it more difficult to label one bitcoin as being worth less than another bitcoin because it is more difficult to obtain an accurate understanding of a bitcoin’s spend history, thereby increasing network fungibility.”
On May 11th, the Poolin mining pool announced that they had started signalling for Taproot. On May 13th, Stephan Livera published an interview with Braiins’ co-founder Pavel Moravec “to talk about signalling for Taproot as a miner” for SLP275. Earlier in the month, his company’s pool had mined the first block signalling support for Taproot. “It was a no-brainer, no pun intended.” By May 21st, around 95% of potential hash rate share was signalling. On May 25th, software engineer Yihao Peng wrote about how BTC.COM enabled it in their pool deployment. “Therefore, we should be able to see that almost all blocks from BTC.COM contain the taproot signal from this week and onwards.” As of this month’s end, it appears that we are en route for lock-in within the next two weeks, according to Hampus Sjöberg’s taproot.watch page.
May 26th - OFAC SEEKING CHAINALYSIS SUBSCRIPTION
The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) published their intent to purchase a subscription from blockchain surveillance firm Chainalysis, whose tools claim to provide address clustering, transaction flow mapping and graphing, a wallet explorer, and “analysis of user behavior, exchange rate, trade, and market data.”
The Department of Treasury’s Office of Foreign Assets Control (OFAC) is requesting a subscription to Chainalysis Inc.’s Chainalysis Rumker and subsequent Training and Support Packages for mission-critical research. OFAC requires a commercial online blockchain tracing web-based application tool to equip investigators in its Office of Global Targeting (OGT) to analyze and track virtual currency transactions e.g. Bitcoin, in order to gather attribution information on involved parties that OGT may put on the SDN List. This tool would specifically support cyber sanctions implementation undertaken by OFAC.
Chainalysis Rumker licenses include Observations and Nodes, which help locate where server nodes are running. This license also includes Wasabi Demixing services at no additional cost to OFAC, and with no limits to the number of requests. All Assets license includes every asset Chainalysis has coverage for today and will include any added in the future on a quarterly basis. The License also includes a dedicated Customer Success Manager to OFAC, and premium 24 hours a day, 7 days a week, and 365 days a year support.
Moreover, Chainalysis’ use by key industry, U.S. Government, and foreign partners necessitates OFAC’s use of the same tool to be able to collaborate easily and seamlessly with these partners in investigations and anti-money laundering and terrorist finance inquiries. Each automated blockchain tool in this space is distinctive given the variety of features and unique heuristics, algorithms, and data to which they have access.
While the notice was subsequently cancelled “in order to re-evaluate the requirement,” it gives further insight into government attempts to track and control Bitcoin. I have previously covered similar contracts in TMIBP01, TMIBP02, TMIBP04, and TMIBP06.