CoinShuffle: Practical Decentralized Coin Mixing for Bitcoin [chapter]

Tim Ruffing, Pedro Moreno-Sanchez, Aniket Kate
2014 Lecture Notes in Computer Science  
The decentralized currency network Bitcoin is emerging as a potential new way of performing financial transactions across the globe. Its use of pseudonyms towards protecting users' privacy has been an attractive feature to many of its adopters. Nevertheless, due to the inherent public nature of the Bitcoin transaction ledger, users' privacy is severely restricted to linkable anonymity, and a few Bitcoin transaction deanonymization attacks have been reported thus far. In this paper we propose CoinShuffle, a completely decentralized Bitcoin mixing protocol that allows users to utilize Bitcoin in a truly anonymous manner. CoinShuffle is inspired by the accountable anonymous group communication protocol Dissent and enjoys several advantages over its predecessor Bitcoin mixing protocols. It does not require any (trusted, accountable or untrusted) third party and it is perfectly compatible with the current Bitcoin system. CoinShuffle introduces only a small communication overhead for its users, while completely avoiding additional anonymization fees and minimizing the computation and communication overhead for the rest of the Bitcoin system.

ledger constitutes a significant privacy concern: Bitcoin's reliance on the use of pseudonyms to provide anonymity is severely restricted. Several recent studies analyzing the privacy implications of Bitcoin indicate that Bitcoin's built-in privacy guarantees are not satisfactory. Barber et al. [9] observe that Bitcoin exposes its users to the possible linking of their Bitcoin addresses, which subsequently leads to a weak form of anonymity. Meiklejohn et al. [10] demonstrate how to employ a few basic heuristics to classify Bitcoin addresses that are likely to belong to the same user; this is further refined by Spagnuolo, Maggi, and Zanero [11]. Koshy, Koshy, and McDaniel [12] show that it is also possible to identify ownership relationships between Bitcoin addresses and IP addresses. Recently, some efforts have been made towards overcoming the above attacks and providing stronger privacy to Bitcoin users by mixing multiple transactions to make the input and output addresses of transactions unlinkable to each other. In this direction, some third-party Bitcoin mixing services [13, 14, 15] were the first to emerge, but they have been prone to thefts [10].
Mixcoin [16] allows these mixing services to be held accountable in a reactive manner; however, the mixing services still remain single points of failure and typically require additional mixing fees. Zerocoin [17] and its successors [18, 19, 20] provide strong anonymity without any third party, but lack compatibility with the current Bitcoin system. Maxwell proposes CoinJoin [21] to perform mixing in a manner perfectly compatible with Bitcoin, while ensuring that even a malicious mixing server cannot steal coins. CoinJoin is actively used in practice [22] but suffers from a substantial drawback: the mixing server still needs to be trusted to ensure anonymity, because it learns which coins belong to which user. To tackle this problem, Maxwell mentions the possibility of using secure multi-party computation (SMPC) in CoinJoin to perform the mixing in an oblivious manner. Yang [23] proposes a concrete scheme based on SMPC sorting. However, against a fully malicious attacker, generic SMPC as well as state-of-the-art SMPC sorting [24, 25] is not yet practical for any reasonable number of parties required in mixing to ensure a good level of anonymity. Furthermore, it is not clear how to ensure robustness against DoS attacks in these approaches, because a single user can easily disrupt the whole protocol while possibly remaining unidentified. Consequently, defining a practical and secure mixing scheme is considered an open problem by the Bitcoin community [26, 27, 28].

Our Contribution. We present CoinShuffle, a completely decentralized protocol to allow users to mix their coins with those of other interested users. CoinShuffle is inspired by CoinJoin [21] to ensure verifiability and by the accountable anonymous group communication protocol Dissent [29] to ensure anonymity and robustness against active attacks. The key idea is similar to decryption mix networks, and the protocol requires only standard primitives such as signatures and public-key encryption.
CoinShuffle is a practical solution for the Bitcoin mixing problem and its distinguishing features are as follows:
doi:10.1007/978-3-319-11212-1_20 fatcat:4jzukzabi5fv3actsgfpu22zqi