One of the pillars of the cryptocurrency community is that the digital addresses of bitcoin and other wallets will protect the identity of those who use them to buy and sell.
A new paper, published this week by researchers at Baylor College of Medicine and Rice University, has shattered that claimed anonymity. Titled “Cooperation among an anonymous group, protected Bitcoin during failures of decentralization”, the article is now published on the researchers’ server.
64 people only at start-up
Lead researcher Alyssa Blackburn, along with her teammates Christoph Huber, Yossi Eliaz, Muhammad S. Shamim, David Weisz, Goutham Seshadri, Kevin Kim, Shengqi Hang, and Erez Lieberman Aiden, used a technique called “address binding” ( “address linking” in the text) to study bitcoin transactions during the first two years of its existence, from January 2009 to February 2011.
Their key finding is that, in those first two years, “most bitcoins were mined by just 64 agents. […] collectively representing 2,676,800 bitcoins (equivalent to a current value of $84 billion). They refer to the process of minting new coins by solving computer challenges.
That number, 64 people in total, is “1,000 times smaller than previous estimates of the size of the first Bitcoin community (75,000),” they observe. Among these 64 people are personalities who have already become legends, such as Ross Ulbricht, known as the Dread Pirate Roberts. Ross Ulbricht is the founder of Silk Road, a black market operation that used bitcoins for illicit purposes – until it was shut down by the FBI.
“64 agents mined most of the bitcoins between bitcoin’s launch and when it reached the same price as the US dollar. We exploited data leaks to build a map of the blockchain in early 2011, in which bitcoins are classified according to the agent who mined them. » Alyssa Blackburn et al.
For Alyssa Blackburn and her team, it was about studying the effects of people participating in game theory situations as anonymous parties. Surprisingly, they found that early insiders like Ross Ulbricht could have exploited the relative scarcity of participants by mining bitcoin to double the coins, but they didn’t. They acted “altruistically” to maintain the integrity of the system.
While this discovery is intriguing, the researchers have highlighted another more pressing discovery which is that addresses can be traced and identities revealed.
Trace addresses to lift anonymity
To find out who was making those early transactions, Alyssa Blackburn and her team had to reverse-engineer the very principle of bitcoin and all cryptocurrencies: anonymity. As Satoshi Nakamoto himself points out in the original bitcoin whitepaper, privacy was to be preserved through two means: the anonymous use of public keys and the creation of new key pairs for each transaction.
The public can see that someone sends an amount to someone else without any information linking the transaction to anyone. This resembles the level of information released by exchanges, where the time and size of individual trades, the “band”, are made public without identifying the parties.
A new key pair must be used for each transaction to prevent them from being tied to a common owner. Some linking is always unavoidable with multiple-entry transactions, which reveal that the same owner owned their entries. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
Alyssa Blackburn and her team had to trace these key pairs to reveal the early parts of bitcoin transactions. To do this, they have developed what they call a new address binding system.
Follow the money
The system finds two patterns that designate users: one is the presence of recurring code bits, the other is the presence of duplicate addresses for certain transactions. These techniques exploit the way bitcoin mining software generates character strings, which are used as part of bitcoins’ cryptographic protections against tampering. In fact, there are many correlations between seemingly meaningless strings associated with a single user. They also exploit insecure user behaviors, such as using multiple addresses to pay for a single transaction, which allow addresses to be linked based on transaction activity.
The consequences, they write, are that it is possible to “follow the money” to expose any identity by following a chain of kinship in an address graph, from a known identity.
“In this approach, the identity of a target Bitcoin address can be determined by identifying a short transaction path connecting it to an address whose identity is known, and then using off-chain data sources (ranging from public data to subpoenas) to follow the path, determining who paid whom to de-identify addresses until the target address is identified,” the researchers write.
Additionally, they hypothesize that “many cryptocurrencies may be susceptible to follow-the-money attacks”.
“When you encrypt private data and make it public, you can’t assume it will stay private forever,” Alyssa Blackburn commented to the New York Times.
As the team concludes in the report, “drip by drop, information leakage is eroding once impenetrable blocks, sculpting a new landscape of socio-economic data.”
Source: ZDNet.com