Welcome to the fourth issue of ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!
Table of Contents
- S’More Schnorr
- EFF Calls for Coinbase Transparency
- IRS Still Seeking to Trace Privacy Coins
- IEEE Symposium on Security & Privacy
- Nym Mixnet Test Rewards in Bitcoin
- FATF Report on ‘Red Flag Indicators’
- Fidelity’s Crypto Privacy Conference
- Wasabi Wallet Developer Meeting
- Blacklight Website Privacy Inspector
- Samourai Opens Beta Testing For Soroban
- DIY CoinJoins With Fully Noded
Note: Due to my busy schedule, this month’s issue of the newsletter has fewer stories and will be more concise than usual.
September 1st - S’MORE SCHNORR
Pieter Wuille shared that the pull-request “for BIP340 (Schnorr signature) in libsecp256k1 is getting close to being mergeable,” and encouraged others to perform final reviews. He had also just co-authored a paper titled “MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces,” which stands as his last project within the Blockstream Research team.
The resulting scheme, which we call MuSig-DN, is the first Schnorr multi-signature scheme with deterministic signing. Therefore its signing protocol is robust against failures in the randomness generation as well as attacks trying to exploit the statefulness of the signing procedure, e.g., virtual machine rewinding attacks… This makes it possible to realize MuSig-DN efficiently using zero-knowledge proof frameworks for arithmetic circuits which support inputs given in Pedersen commitments, e.g., Bulletproofs. We demonstrate the practicality of our technique by implementing it for the secp256k1 elliptic curve used in Bitcoin.
MuSig, the Schnorr-based multi-signature scheme this is based on, was originally proposed by Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Wuille in January 2018, with “Simple Schnorr Multi-Signatures with Applications to Bitcoin.” They had explained the privacy benefits of using key and signature aggregation:
Key aggregation improves upon this further, as a single-key predicate can be used instead which is both smaller and has lower computational cost for verification. It also improves privacy, as the participant keys and their count remain private to the signers.
… The predicate in this case would take as input an aggregated public key, a signature with it, and a proof. Its validity would depend on the signature being valid with the provided key, and the proof establishing that the key is in fact one of the leaves of the Merkle tree, identified by its root hash. This approach is very generic, as it works for any subset of combinations of keys, and as a result has very good privacy as the exact policy is not visible from the proof.
There are also efficiency gains, as Nadav Kohen explains in ‘Schnorr Applications: Batch Verification.’ “Introducing a new standard for (Schnorr) signatures has allowed us to make design decisions that will enable what is called batch verification, which is a process in which many signatures can be verified at once in a process faster than verifying each signature individually.”
On September 2nd, following last month’s meeting highlighted in TMIBP03, the Bitcoin Core PR Review Club held their fifth meeting on BIP 340-342 developments. Hosted by John Newberry, they discussed Wuille’s pull-request on implementing Taproot validation, which “uses an updated version of libsecp256k1 that requires the
--enable-experimental options.” You can read the meeting log here.
On September 11th, Jonas Nick’s pull request to enable these experimental modules in libsecp256k1, Bitcoin Core’s library for ECDSA signatures and other cryptographic operations on curve secp256k1, was finally merged after nearly two years of review.
On September 26th, Wuille noted that “U.S. Patent No. 7,110,538 has expired.” This patent is “Method for accelerating cryptographic operations on elliptic curves,” dated September 2006. He clarified that this could add “about 25% speedup of signature validation.” As Bitcoin Optech’s Newsletter #117 summarised, a pull-request “has been opened in the libsecp256k1 repo to always use the GLV endomorphism algorithm, which is expected to decrease Bitcoin Core’s initial sync time significantly.”
Check out Kohen’s “Introduction to Schnorr Signatures,” Lucas Nuzzi’s “Schnorr Signatures & The Inevitability of Privacy in Bitcoin,” and Bitcoin Optech’s Schnorr Taproot Workshop to learn more.
September 2nd - EFF CALLS FOR COINBASE TRANSPARENCY
Legislative activist Hayley Tsukayama of the Electronic Frontier Foundation (EFF) published a call for Coinbase “to start releasing regular transparency reports that provide insight into how many government requests for information it receives, and how it deals with them.” As they wrote back in July 2018, these transparency reports would provide “an overview of how many government requests the company received in a set period of time (such as a year)” and optionally “other details, such as how many requests it complied with, how many accounts were affected, and any requests to censor or take down accounts.”
Financial data can be among the most sensitive types of information we produce. How you spend your money can reveal a lot about your daily habits, the causes you care about, who you hang out with, and where you go. Choosing to comply with or reject a government request for this user data — or choosing to shut down an account — can have a huge impact on what types of speech can thrive online.
In TMIBP02, I featured the case U.S. v. Gratkowski in the context of law enforcement using the third-party doctrine to access financial data, including from cryptocurrency exchanges. The circuit judges decided that “Gratkowski thus lacked a privacy interest” in his Coinbase records. The EFF’s special counsel Marta Belcher disagreed, arguing that the government’s reliance on the third-party doctrine “is wrong,” and that exchanges should “fight for users’ privacy.”
Users should not lose their reasonable expectation of privacy in their data just because it is stored by a third party. In today’s digital world, it is almost impossible to navigate daily life without using essential services like email that give third parties access to sensitive information.
The EFF had broadly called for payment processors to start publishing transparency reports back in June 2018, specifically calling on Bitpay and Coinbase. It was soon reported that Coinbase would say nothing on the matter. Since then, ShapeShift has published one report for the year 2018. Kraken has published snapshots from two reports for the years 2018 and 2019.
Previous issues TMIBP01 and TMIBP02 covered how Coinbase has recently established contractual relationships with the U.S. IRS, Secret Service, and potentially Drug Enforcement Administration (DEA) for their new blockchain analytics service.
September 4th - IRS STILL SEEKING TO TRACE PRIVACY COINS
In TMIBP02, I highlighted a request for information from the IRS Cyber Crimes Unit (CCU) of the Criminal Investigation (CI) division regarding tracing tools for privacy coins, Lightning, sidechains, and on-chain bitcoin using Schnorr signatures. It appears that no such thing exists and the request went unfulfilled, because they are now soliticiting contractors to build it.
Their request stated that they are “seeking a solution with one or more Contractors to provide innovative solutions for tracing and attribution of privacy coins and Layer 2 off-chain transactions” to “assist their Cyber Crimes agents in carrying their mission as it relates to cryptocurrency privacy technologies.” The work would be carried out “under the overall direction of the Director of Cyber Crimes or their designee.” The current CI chief is Don Fort, though he will be replaced by deputy director James Lee in October; the director of Cyber Crimes is Michael T. Batdorf.
Pilot IRS will appear substantively different from how the government normally buys technology. To be fair, it is.
As primary goals, the document emphasizes that the tool must be able “to trace transaction inputs and outputs to a specific user and differentiate them from mixins/multisig actors” and produce “good statistical likelihoods of transaction parties,” with “minimal involvement of external vendors.” If a proposal is accepted before the deadline of September 16th, then the applicant will be offered no more than $500,000 to develop “the proof of concept and an initial working system” within eight months. An additional $125,000 will be given for further “Testing and Pilot/Initial Deployment,” suject to approval by the government.
On September 30th, the contract was awarded to Chainalysis and Integra FEC LLC, “a forensic data analytics firm that assists government agencies and law firms with investigations, litigation, and enforcement related to securities and financial fraud.”
September 7th - IEEE SYMPOSIUM ON SECURITY AND PRIVACY
The Institute of Electrical and Electronics Engineers (IEEE) hosted an all-digital academic conference on cryptocurrencies, with a track for “achieving and evaluating financial privacy in public blockchains.” Privacy-focused talks included: Sarah Meiklejohn’s “De-anonymizing Cryptocurrencies,” Suyash Bagad and Saravanan Vijayakumaran’s “Performance Trade-offs in Design of MimbleWimble Proofs of Reserves,” Martin Westerkamp and Jacob Eberhard’s “zkRelay: Facilitating Sidechains using zkSNARK-based Chain-Relays,” and Sergei Tikhomirov, Pedro Moreno-Sanchez, and Matteo Maffei’s “A Quantitative Analysis of Security, Anonymity and Scalability for the Lightning Network.” In case you missed the live event, videos and slides are available for almost all of the presentations.
September 10th - NYM MIXNET TEST REWARDS IN BITCOIN
Dave Hrycyszyn, co-founder and CTO of Nym Technologies, announced the release of version 0.8.0 of the Nym platform, “an anonymous overlay network that provides strong network-level anonymity” that is not based on “a centralized directory authority for routing” like the Tor network. Among other features, they are officially launched a reward system for mixnodes on testnet.
Lastly, we are also launching our tokenized testnet as well as giving rewards in BTC. We have issued a token (without value, like all testnet tokens) to allow us to stress test the next phase of the development of Nym. We have already rewarded some of our testnet nodes in BTC — many of them have been with us since our testnet was launched at the Chaos Computer Congress in 2019. We’ll be doing rewards and bug bounties at regular intervals, to be paid in BTC. So run up a mixnode using Nym v0.8.0 and visit our signup form at https://nymtech.net/incentives/ to get started!
To be clear, the rewards are currently being offered either in bitcoin or through the Liquid sidechain (L-BTC). CEO Harry Halpin said that they “encourage L-BTC due to confidential transactions for privacy, but we understand people may prefer BTC as it’s sound money.” On September 29th, head of product Jess Hrycyszyn wrote that after “two weeks since the start of the testnet, the network is now more than 10x larger” with “over 350 mix nodes in operation.” The ‘Nym Tokenized Testnet and Bitcoin Rewards Onboarding Form’ now states they “have gone OVER our cap of 100 mixnodes, and so Bitcoin rewards for this round are finished.”
All our node runners have now earned NYMPH testnet tokens. The top 100 mix nodes have also been sent Bitcoin to cover their costs for providing computing for the Nym mixnet and mixing packets. We will continue to run the incentivized testnet until mainnet launch to test new features and releases as they become available.
Last month, the Tor Project had indicated that they were also exploring using anonymous tokens to “prioritize good clients over malicious clients when a denial of service attack is happening,” as well as to “reward trusted users with tokens that can later be used to regain access.”
An additional benefit of a token-based approach is that it opens up a great variety of use cases for Tor in the future. For example, in the future tokens could be used to restrict malicious usage of Tor exit nodes by spam and automated tools hence reducing exit node censorship by centralized services. Tokens can also be used to register human-memorable names for onion services. They can also be used to acquire private bridges and exit nodes for additional security. Lots of details need to be ironed out, but anonymous tokens seem like a great fit for our future work.
September 14th - FATF REPORT ON ‘RED FLAG INDICATORS’
The Financial Action Task Force (FATF) published a report on “red flag indicators” for virtual assets (VAs), which they believe will “help virtual asset service providers, financial institutions, and designated non-financial businesses and professions, and other reporting entities detect and report suspicious transactions.”
Freestanding red flags such as those listed below can be developed or combined with information from operational agencies, which can in turn be further developed through a public-private partnership, in a cyclical, evolutionary process that takes into account the unique risk and context of a jurisdiction, customer type, or the reporting entity itself. The mere presence of a red flag indicator is not necessarily a basis for a suspicion of ML or TF, but could prompt further monitoring and examination.
The red flags are grouped into categories related to the “size and frequency of transactions,” users “conducting a large initial deposit” and withdrawal, or “transactions involving the use of multiple VAs, or multiple accounts.” They have a lengthy section on “technological features” that “increase anonymity and add hurdles to the detection of criminal activity,” despite simultaneously asserting “the mere presence of these features in an activity does not automatically suggest an illicit transaction.” In addition to monetary privacy-enhancing techniques such as “making use of mixing and tumbling services,” “decentralised/unhosted, hardware or paper wallets to transport VAs across borders,” and “VA ATMs/kiosks,” the list also casts suspicion on “anonymous encrypted communication” in general.
September 15th - FIDELITY’S CRYPTO PRIVACY CONFERENCE
The Fidelity Center for Applied Technology (FCAT) hosted a “two-day virtual conference featuring keynotes and panels addressing four major themes: bitcoin privacy, cryptography, financial privacy, and privacy-focused businesses.” In case you missed the live event, hopefully the videos and slides will be published soon.
Update: The playlist of all recorded sessions can be found here.
September 16th - WASABI WALLET DEVELOPER MEETING
September 22nd - BLACKLIGHT WEBSITE PRIVACY INSPECTOR
The Markup, a non-profit media organisation led by Julia Angwin that specialises in data-driven investigative journalism, has released a new tool called ‘Blacklight: A Real-Time Website Privacy Inspector.’ Built by Brooklyn-based artist, engineer, and journalist Surya Mattu, Blacklight scans whatever web address you specify and then generates short “inspection” reports identifying “specific user-tracking technologies on the site.”
These “tracking technologies” include: advertising trackers, third-party cookies, canvas fingerprinting, session recording services, keyloggers, Facebook Pixel, and Google Analytics’ “remarketing audiences.” If you are not already familiar with these techniques and how they impact your privacy, the report includes a simple explainer, whether or not they were found to be active on the particular website you specified. Note that it works by loading the homepage and one randomly selected page; different pages may have other results.
This is not a Bitcoin-focused tool, but I thought it would be interesting to look at the privacy health of various cryptocurrency websites:
- Blockchain.info: There are five advertising trackers from Facebook, Alphabet, and Twitter. Both Facebook Pixel and Google’s ‘remarketing audiences’ feature are present.
- Blockstream.info: Spotless!
- Casa: A nearly spotless result, except for interaction with Amazon through Cloudfront.
- Chainalysis: There are six advertising trackers from LinkedIn, Alphabet, and Adobe; nine third-party cookies from LinkedIn and Adobe. Google’s ‘remarketing audiences’ feature is present.
- Coinbase: A few years ago, I had highlighted that Coinbase appeared in a study on cross-device tracking with browser fingerprinting. In addition to Facebook Pixel and canvas fingerprinting being present, this tool identified four advertising trackers from Facebook and Alphabet, and one third-party cookie from Alphabet.
- CoinDesk: There are five advertising trackers and one third-party cookie from Alphabet, including to DoubleClick.
- Decrypt: There are eight advertising trackers from OneSignal, Alphabet, and Twitter; two third-party cookies from Alphabet. Both Facebook Pixel and Google’s ‘remarketing audiences’ feature are present. There are also connections being made to Adobe’s “typekit.net.”
- Kraken: There are six advertising trackers from Alphabet, Reddit, and Microsoft; five third-party cookies from Reddit, Zendesk, and two other companies. Canvas fingerprinting and Google’s ‘remarketing audiences’ feature are being used.
- Lightning Labs: A nearly spotless result, except for a connection to Google Analytics and, as expected for an invite page, two third-party cookies from Slack Technologies.
- Samourai: A nearly spotless result, except for one advertising tracker from Alphabet and limited interaction with Amazon via Cloudfront.
- Tales from the Crypto Podcast: A nearly spotless result, except for one advertising tracker from Alphabet.
- This Month in Bitcoin Privacy Newsletter: Out of curiousity, I self-scanned. Spotless!
- Wasabi Wallet: A nearly spotless result, except for a key logger “loaded from algolia.net.” As they explain in the report, key logging can be used non-maliciously for auto-completing search results, and Algolia is indeed a U.S.-based company that provides web search products. However it is unclear to me how the fields “name, family-name, given-name” would be relevant on this site.
- What Bitcoin Did: This site had the most trackers and cookies compared to other examples here. There are seven advertising trackers from Adobe, Oracle, Alphabet, and Sumo Group. There are nineteen third-party cookies from Oracle, Amobee, Adobe, Alphabet, The Trade Desk, and WarnerMedia. Google’s ‘remarketing audiences’ feature is present. There is also a connection being made to MediaMath.
- Zcash / Electric Company Company: There is one advertising tracker from Alphabet and one third-party cookie from New Relic through the domains “newrelic.com” and “nr-data.net.”
- Zcash Foundation: Interestingly, there is a third-party cookie from Stripe, and they also appear to be allowing Stripe to engage in canvas fingerprinting on their newsletter feed. An issue has since been opened to remove this unnecessary integration. There is a self-loaded key logging script that tracks the email field as well, though this seems normal for a newsletter subscription page.
September 24th - SAMOURAI OPENS BETA TESTING FOR SOROBAN
Samourai Wallet published a demonstration of Soroban, a “method of facilitating blinded coordination and communication between multiple clients” that will be utilized in existing features like Stowaway and Stonewall. They are still refining it with the help of “a small group of testers from our community.” On the same day, version 1.8.0 of the Dojo was also released.
September 26th - DIY COINJOINS WITH FULLY NODED
Fully Noded published a video on how to manually create our own CoinJoin-type transaction with Partially Signed Bitcoin Transactions (PSBTs) on the Bitcoin testnet, using the signing tool introduced in July. Towards the end, they show that Blockstream.info’s privacy analysis designated it as “possibly a CoinJoin transaction.” The Boltzmann score also appears to have returned zero deterministic links.