Defending Bitcoin Privacy
Speakers: Chris Belcher
Date: March 11, 2019
Transcript By: Stephan Livera
Category: Podcast
Media: https://stephanlivera.com/download-episode/1014/58.mp3
podcast: https://stephanlivera.com/episode/58/
Stephan Livera: My guest today is Chris Belcher, Bitcoin privacy O.G. He’s been in the game a long time, and has made great contributions on privacy. He’s involved with JoinMarket, Electrum Personal Server, and most recently he wrote, or rather updated, a fantastic Bitcoin privacy Wiki which you simply must read. Here is my interview with Chris. Chris, welcome to the show.
Chris Belcher: Hello, thanks for having me.
Stephan Livera: Yeah. Chris I’ve been quite impressed by some of the work that you’ve been doing. You’ve been doing a lot of important things in Bitcoin from a privacy point of view. Obviously your work on JoinMarket, your work on Electrum Personal Server, and most recently your work on the Bitcoin privacy Wiki. Which was truly impressive and a great summary of many different concepts. And it just shows that you’ve really been thinking quite deeply about this.
Chris Belcher: Yeah, I’ve been doing my best about that stuff. I’ve been thinking lots about privacy over the years through Bitcoin.
Stephan Livera: Excellent. Look, I think it might be good to start with some of the basic concepts and then get a little more advanced as we go into it further. Do you want to just start with talking about some of the basic concepts and ways in which your Bitcoin privacy can be destroyed or removed?
Chris Belcher: Well basically everyone uses Bitcoin through software, through wallets. And those wallets have to communicate with the outside world, and in doing so they will generally leak a little bit of information. All this privacy technology stuff is about trying to understand what kind of information is leaked, and minimizing that as much as possible. A big example is address reuse, which is you have these objects called Bitcoin addresses and money can be sent to them. And generally they should only be used once for privacy reasons. You could think of it that each address is a new identity, and if you only use it once, it’s like you’re throwing that identity once you’ve used it, and creating a new identity. But I think because the name of the object Bitcoin address, it makes it sound like it’s a mail address or an email address. I think in terms of the model people have in their brains that they … Some of them I think use addresses again and again just for that reason, because they don’t realize how much it harms privacy. I mean, there’s loads of examples, there’s a whole page full of them.
Stephan Livera: Yeah, sure. And I think one of the other … That’s obviously a lot of the privacy around the transaction graph, and we can talk a little bit about some of the heuristics that get applied. And I think the other angle is also understanding where your anonymity or privacy can be impinged upon through IP analysis. Do you want to comment on that?
Chris Belcher: Yeah, that’s right. Wallets obviously have to connect to the Bitcoin network, and the sorts of the original way that Bitcoin wallets worked is they downloaded the entire blockchain. And that was … And then they’d scan the blockchain on their hard drives to see what was the balance of their own addresses, and what happened to their own transactions. But that’s quite resource intensive, especially as the blockchain grows. A lot of people are using lightweight wallets, which generally query some third party server, or a bunch of third party servers. And they sent them all their addresses, and the servers reply with what the balances are, and which transactions are on them. But in doing so, the servers will see what all the addresses are and link them together, and generally link them with the user’s IP address. That’s obviously not great for privacy. You’re essentially telling the server exactly what you do with every transaction you have in Bitcoin.
Chris Belcher: And then another IP address based tracking thing is when wallets broadcast the transaction there can be an adversary such as a transaction surveillance company. One thing they do is create lots of full nodes out there on the network. And the things they do is aggressively announce themselves, and try and get wallets to connect to them. Then when a wallet broadcasts it’s own transaction, these adversarial full nodes out there can try and track the transactions it spreads through the network, as it spreads out. And they hope to find the actual IP address where that transaction came from. And a third example might be if you’re using Bitcoin and your internet service provider actually can see that you’re using it. They might be able to see your transactions or addresses, but they can see you interested in the thing that’s … In Bitcoin as a whole. It could be privacy relevant depending on your threat model.
Stephan Livera: Right. And I think we can start to talk about the potential counter measures against each of these. But let’s first talk through some of the other ways in which you can be de-anonymized. Another example that you raise is just around the obvious AML/KYC on exchanges that many people go through. And also the other one you mentioned is around being de-anonymized or having your privacy impinged upon through things like forum posts, Twitter, social media that then get tied back to your real life identity.
Chris Belcher: Yeah, that’s right. The AML one is a good example because it actually … A lot of the time we spend a lot of effort thinking about actual technology, like address reuse, or confidential transactions, or CoinJoin, or something like that. But AML/KYC is probably … It’s a way that completely bypasses that with just requiring people to de-anonymize themselves. And there’s actually someone raised a big point that if every transaction in Bitcoin required AML/KYC, then you’d have … Nobody would have any privacy regardless of what technology they actually had. If, I don’t know, zero-knowledge proof were soft fork things of Bitcoin to add to other privacy, then even if every transaction were AML/KYCed there’d be no privacy. Because if you had a database of all of these you could just watch where all the money flows. In that sense, in a way to get privacy, you actually have to use Bitcoin as money and spend it on things. And you can’t just deposit and withdraw from exchanges, from two or three exchanges and that’s that.
Chris Belcher: And in terms of the forum posting, yeah, that’s also another way of voluntarily damaging your privacy where a lot of … I don’t know. For example, people put the address on their Twitter and you can say, “If you like my work you can donate to me.” Or something like that. And people could take that address and put it in a blockchain explorer and see the transactions that are coming in and out, and look on the transaction graph to see where they go later. Generally if people are doing that, they should be careful the coins which land on this address don’t … I don’t know. Don’t immediately go to some other place that’s easy to track where they’re going. For example, like an exchange that knows their real name.
Stephan Livera: Right. And one example that I came across from one of my earlier interviews with the Samourai Wallet team was where they mentioned this concept of say, a dusting attack. And where you might mark some of those coins as do not spend. But then I suppose the question is, if you want to spend it at some point, how would you? Would you then have to move that through some kind of CoinMixer, CoinJoin service?
Chris Belcher: Yeah, that’s a really interesting concept, this dusting attack. In the privacy Wiki, I instead use the phrase mystery shopper payment. Because if you think about it, the dusting attack doesn’t have to be dust. You could in theory give someone $100 or $1000, which is quite a lot of money, but just to … If the real intention is to damage their privacy. Probably the thing you’d have to do there is make sure … The way these mystery shopper payments work or dusting attacks, is they try and get that coin to be linked to the other coins. Yes, if you use something that CoinJoin or any other kind of mixing technique which stops the transaction graph analysis from working, then you would get privacy from that. There’s quite an interesting paper I saw which is linked from privacy Wiki, where some researchers were doing this for ransomware. They would, ransomware, would accept Bitcoin payments to decrypt for their victims, for their ransomware victims. And they would actually do these mystery shopper payments.
Chris Belcher: And they sent them about $1 each, and some of the ransomware authors just swept up all the dusts, all the mystery shopper payments into their own wallets. And then the researchers could see what their wallets were, and roughly how much money they made. And some other ransomware authors never touched the money, it’s just still there, and they never spent it. And there’s actually a great line in the paper which talks about, “Maybe we didn’t pay them enough. We only paid them $1 and maybe we should try $10.” But they didn’t want to spend that much money, so they didn’t do it. But it’s interesting to see how in the future this might develop. Because it’s essentially a bribe, you’re trying to pay money to someone to ruin their privacy. And if they don’t want to … If they’re not bribed by $1, you will try $10 or $100 maybe.
Stephan Livera: That’s really clever. Yeah. I think it ultimately comes to how savvy the criminals are, and whether they’re aware of this kind of dusting or mystery shopper attack, or whether they are just unaware, and they’re just … Or their wallets are not sophisticated enough to have some kind of coin control. But another concept I was keen for you to discuss, and I think this is a fantastic point that you made very well in your Privacy Wiki, was the fact that many times it may not be one of those methods we mentioned above, say IP, transaction graph, AML, forum post. It may not be one of them, but it may be a combo of the above that leads to somebody losing their privacy. Can you comment on that?
Chris Belcher: Yeah. This idea of combo, I’ve been calling it data fusion. Is where essentially it’s never just one method, because one method, for example, the IP address tracking method that will link a transaction to an IP address, and that doesn’t ruin your privacy. Your IP address is not necessarily linked to your name, you still need to go another step to find who’s linked to the … Will be linked to which computer you’re at, and then who’s using that computer. It’s always … I’ve got a picture, a diagram on the Wiki, which is a two circle, like a Venn diagram, of one privacy leak in one circle and then another privacy leak in another circle. And the intersection of them two is much smaller than either of those. And that’s kind of explaining how it’s a combination of privacy leaks. There’s always the … Ends up being a real damage. In that example there it’s someone who’s posted their address on a forum, and then overlaid that with somebody who uses that money to buy something incriminating, like a illegal newspaper or something.
Chris Belcher: And the point that I’m trying to make there is, people sometimes think, these privacy leaks are quite small. Like address reuse, it doesn’t damage things that much, or using a lightweight wallet doesn’t damage things that much. But really a combination of all of them together generally completely damages your privacy. It’s worth stamping out every last privacy leak, even if it seems really small.
Stephan Livera: That’s a well made point. And I think what you’re really driving towards there is that, and this is a point you also make, is that there’s no one silver bullet to maintaining Bitcoin privacy. That really it’s more like a multipronged approach that an individual has to take when they’re trying to defend their privacy. With that in mind, can you just offer us some basic tips for listeners who are interested on ways to maintain their privacy?
Chris Belcher: Yeah. That point about the multipronged thing, that’s actually true outside of Bitcoin. Even if you could say for example, if you use Tor, which would give … Allows you to browse the internet anonymously. You could still use Tor, and then go on Facebook, and login with your real name, and upload your real photo. And that would be damaging the privacy even though, “Hey, I’m using Tor, Tor’s fine.” Right? Yeah. Now privacy is always a whole … It’s a whole … It has to essentially encompass your entire … All your behavior and all the technology you use. And for what people could do best to just the casual Bitcoin user, I guess, I think the top thing is to not do address reuse, followed by not using lightweight wallets. Only use a full node or possibly use a wallet which works by client-side block filtering. Which is a way of having lightweight wallets without … which learns its own history in a generally quite private way.
Chris Belcher: But for most people just using a full node wallet is the best. And there is … And trying to avoid AML/KYC, I guess. Maybe buying your coins in cash and then spending them in a way that’s anonymous.
Stephan Livera: Yeah. I suppose that’s the other difficulty depending on where people live, depending on what their local Bitcoins or hodlhodl, or other kind of peer-to-peer markets exist where people live. They may have difficulty being able to buy Bitcoins in a way that doesn’t require AML/KYC.
Chris Belcher: Yeah. And they have to think about what their threat model is, what their actual requirements for all … If some people only want privacy to stop them being advertised to, having custom ads for them personally, or other people might want to be hiding from their governments if they’re in Syria or Venezuela, or third, people might want to be hiding from just their neighbors who they don’t want to know what money they’re spending. And all those three cases would require different behaviors. Or like the person who’s hiding from their neighbors probably doesn’t need to worry about AML/KYC because their neighbors can’t access those records. Every person has to think about it in their own personal way, like what’s their own personal threat model? Who are they hiding from?
Stephan Livera: I see. Yeah. And I think it’d be good now to also talk about just modern day privacy techniques. Are there any that you’re most excited about today in early 2019?
Chris Belcher: Yeah. I think there’s two big ones. One is PayJoin, which is a specific type of CoinJoin. And that’s really special because all the CoinJoins that existed so far they’re obviously CoinJoins. If you look at them on the blockchain, you can, “Oh, this is obviously a CoinJoin, and something interesting is happening here.” And therefore if you’re an adversary, you can exclude them from your analysis. The PayJoin is really great because you can’t do that, it just looks like a normal transaction. And it’s … An adversary can’t exclude them, and PayJoin will continue to gum up their analysis, that it will stop working. And it essentially breaks a very powerful assumption called the common-input-ownership heuristic. I’m quite excited about that. And a second one I’m excited, which is slightly further out, is coin swap technology. Which is it’s been known since 2013, but it’s essentially a way of two parties swapping coins with escrow. I know Alice and Bob, and Alice sends one Bitcoin to Bob, and Bob sends one Bitcoin to Alice, but it’s done with smart contracts in a way that neither can cheat each other.
Chris Belcher: And the effect of that is that if you then see a transaction which sends from A to B, you can’t know that actually is really sent from A to B. Because really this transaction, an adversary sees, could be a coin swap. And A to B, the ownership of the coin actually ends up in Z, or in X, or Y, or some completely random place in the blockchain. That would destroy the assumption of the transaction graph. It’ll destroy this idea that if you see coins flowing from A to B that you can know that they really went from A to B. They could have teleported in a sense to Z.
Stephan Livera: Fascinating stuff, yeah. Look, while we’re just on that topic of talking about CoinJoins, I’m curious to know your thoughts on … Okay. Obviously I agreed about how PayJoin improves privacy from obviously doing sort of CoinJoins in a way that aren’t obviously a CoinJoin. What about these concepts, say something like a, I’m sure you’re familiar with Samourai Wallet’s STONEWALL. Which is apparently, as I understand it, it is a transaction that is constructed in such a way that it looks like a CoinJoin, but it actually is not.
Chris Belcher: Yeah, that probably is a good idea since if there’s an analyst who says, “Anything that looks like a CoinJoin I’m going to exclude from my analysis.” If you then create fake CoinJoins that looked like the CoinJoin but actually aren’t, then you can get the analyst to exclude your transaction. Or at least they’d believe they can’t see what’s going on when really they can. I mean, yeah, it’s definitely valuable. The only thing I’d be concerned about is then, transactions aren’t in isolation. You could see where the previous inputs have gone from and where the later outputs go to. And I suppose if you see them then being co-spent together, or if the previous inputs were somehow obviously owned by the same person, then you could maybe deduce that this is really a fake CoinJoin. Although I haven’t analyzed it much, so I don’t know how easy it would be to do that. But I think it’s definitely worth thinking about and doing. It can’t hurt, right? If you get it wrong, then you’re still in the same situation as you were before.
Stephan Livera: That’s right. And with PayJoin what are the kind of hopes for that being implemented in terms of timelines? Now I understand Samourai Wallet are working on that, and I think they call it Stowaway. Do you know of any other Bitcoin wallets that are working on a similar kind of functionality?
Chris Belcher: Yeah, there’s … JoinMarket has implemented PayJoin and it works already, it’s in the last release. But you can only pay other JoinMarket wallets. And I think with Samourai Wallet there’ll be quite similar that you can only pay other Samourai Wallets. And that’s probably the main difficulty with PayJoin, and with any CoinJoin, is it actually requires interactivity. That the people paying each other have to, not just like one person sends an address to another person who then sends coins to it, but they actually have to swap, partially sign a transaction with each other in about three rounds of interaction. It’s not … I think the idea is actually still in the design stage in the sense of how the protocol should work and how it should be … How it will end up working in the way that all this interaction it becomes practical. For example, the way we use Bitcoin right now is people share addresses, and then you send money to pay to that address. But with PayJoin you couldn’t do that. You’d probably need to share some kind of host name, like an IP address, or a Tor onion address.
Chris Belcher: Because you need to connect to the other person somehow and then you … To do this interaction. Probably, I guess in the future, maybe PayJoin will work that you have a thing that’s like a Bitcoin address, but really it’s encodes a host name. And then the person you’re paying to has to be online, it’s a bit like lightning the … It would be most appropriate maybe for paying merchants rather than individuals paying to each unless they’re both online. I’d say the idea is still in the design stage really.
Stephan Livera: Yeah. Okay. And I think, I guess as you’re saying, it’s a bit of a coordination problem, and then there’s also that aspect of trying to make it interoperable, right?
Chris Belcher: Probably, I’m imagining actually it would, yeah, every wallet would need to then adopt this new address type. And probably the first thing that it may be adopted is in BTCPay Server as like a merchant solution, and then some wallets might adopt it and they can only pay BTCPay Server merchants. That might be the way it works, I’m not sure. And then probably some exchanges would never adopt it. Well not some exchanges, but people who just aren’t interested in the idea.
Stephan Livera: Yeah, that’s interesting. That’s an interesting one, because some people would also argue that even exchanges might have some, not necessarily a requirement, but it might be a good thing for them to actually mix their customers coins to help improve their own customers’ privacy.
Chris Belcher: Yeah, so that … Because privacy is also really important for traders. There’s an example I’ve been telling people quite often about address reuse is that, suppose you’re a trader and you want to sell some coins, and you make a deposit to an address that’s been used 50 times before. Anyone could see that it’s been broadcast, that this money goes to an exchange because they can see that the previous times the address it was used, that it’s Bitstamp, so it belongs to Coinbase or something like that. They’ll see this transaction, and it takes three confirmations to actually be credited, which is about half an hour. Probably what people do is then open shorts, so the price will move downwards. And then when the money actually appears in the trader’s accounts, the price has already moved against them and they could sell them for a less attractive price. That kind of thing is a direct example of how privacy is actually really important for traders.
Chris Belcher: Since trading, I suppose you could say, is a way of … You have to hide your intentions from the rest of the market. Yeah, there could definitely be arguments of exchanges trying to protect their customers’ privacy.
Stephan Livera: Right. And that’s probably an example where something like liquid with confidential assets and confidential transactions could help in that example as well.
Chris Belcher: Yeah, absolutely.
Stephan Livera: Another area I was interested to ask your thoughts on, and in the article you touch on this as well, that you’re quite optimistic about lightning network in terms of how lightning network may improve people’s privacy. Can you comment a little bit on sort of the aspects there around privacy and potentially any ways that people could still be de-anonymized even if they’re using lightning network?
Chris Belcher: Yeah, with lightning, as it’s off-chain, it means all the on chain privacy problems just don’t exist. Everything I said about address reuse, and the common-input-ownership heuristic, mystery shopper payments, and all that kind of stuff, just isn’t a problem in lightning because there are no addresses, and there are no co-spent inputs, or anything like that, that it’s all off-chain. Just from that, I think there’s a lot of positive there for lightning and privacy. But yeah, there are still problems. For example, you could have the technology and then not use it. For example, if most people use lightning through a custodial web wallet, then the web wallet will see everything you do. And I’ve noticed there’s been a lot of people … Some people have been using lightning wallets which are actually custodial, which just connect to some centralized server, which has payment channels only from that server to other places. And therefore the server will see everyone’s payments.
Chris Belcher: Or other ideas which might happen is, you could potentially tell the balance of every payment channel by an adversary trying to pay through each of them. And then when they get a message back saying there’s not enough capacity, from that could tell how much is in the payment channel. And then they have to do this for the entire network, and then do it maybe once a second or something. I don’t know how practical this is, but hopefully … I don’t know if anyone studied it, and hopefully it cost too much in transaction fees or something. But that is probably the worst case. If this idea of proving every payment channel could somehow work, then that would be quite damaging. Well, there’s a few other ideas. For example, the intermediate nodes along a lightning payment right now they can tell the exact payment amount, and through that could be somehow damaging to privacy depending on the situation. But I think overall that it’s quite positive.
Stephan Livera: Right. Yeah, it’s a really interesting analysis you bring there. This idea of potentially trying to probe across the entire lightning network at one time, or at least the publicly visible channels to try and sort of figure out based on the movement in those balances, I suppose, if I understand you correctly.
Chris Belcher: Yeah. If someone could see every balance of every channel, which they can’t, that’s not in the design, but if they could, then they could see payments happening. Because they could see the change in balance as it spreads across through one path, through one payment. And see, okay this node is paying that node, and they’ve paid them this much. But I don’t think it’s practical. I hope it’s not practical, but it’s something that needs to be studied. Which is fine because lightning is quite a new system, and people haven’t studied anything yet.
Stephan Livera: Yeah. I see. And I think another component that might destroy that or at least move against that is, this concept of AMP as well, the multi path routing. I suppose that might be another way to help reduce the ability of somebody to probe the network and infer the movement in the balances, because then they wouldn’t know kind of where those had gone.
Chris Belcher: Yeah, that’s right. And also AMP stops individual nodes seeing the actual amounts. Because now they only see an upper bound of the amount, of the payment that splits among many parts. AMP is also great for privacy and liquidity.
Stephan Livera: Fantastic.
Chris Belcher: Also, there’s an idea of wrote about, although I don’t know how practical it is, that lightning nodes, maybe one out of 50 times reply with a routing failure even if they do have capacity. And then one out of 50 might be … It’ll be fine for users because they could make another payment in less than a second. But for an adversary trying to do it for the whole network, they have to deal with one out of 50 failures, and there’s 10,000 payment channels or something. That’s 50 loads of failures.
Stephan Livera: That’s clever, I didn’t know that. Fascinating stuff. Okay, I’ve got another question. Now with this all, obviously with cryptocurrencies, there’s a lot of chatter about, well in the … At least not as much now, but in the past, a lot of chatter about privacy coins. And my question to you is more like, do you have thoughts on Bitcoin’s level of privacy if it’s correctly done, versus some of the privacy coins, like for the Moneros and Zcashs of the world?
Chris Belcher: Yeah. Well, one thing with Bitcoin that’s often missed in these discussions is it actually has way more usage. You can like look at Monero’s blockchain for example, and see it has 100 times less transactions per day, or I think it was 100 when I looked lost, it might be different now. But that means, in a sense, you have 100 times less of a crowd. I mean, if you do a very naive calculation, 100 times less of a crowd to hide within. And that’s because of the network effects because people who want to use any money well you go for the most liquid, the most used, and the most developed currency, and that will end up being Bitcoin. But no, it’s without question that something like Monero if it was the first cryptocurrency ever invented would be much more private. But it does come with trade offs. Monero full nodes they scale much worse than Bitcoin. We can expect over time they’ll be really expensive to run, because they have a big unprunable accumulator. They have to essentially remember every unspent coin. They don’t know when a coin has been spent so they can’t delete it.
Chris Belcher: And before I mentioned the full nodes are quite important to run to use Bitcoin privately, and it’s kind of sad that since the-
Stephan Livera: So it’s kind of like the equivalent the UTXO set.
Chris Belcher: Yeah. I mentioned earlier full nodes are important for privacy, and if we expect over time that Monero full nodes will be hard to run, then they won’t be able to have that privacy. They’ll have to use custodial wallets somehow. And then for Zcash that takes the scale off to an even worse sense, in a sense that those Zcash private transactions, they are so expensive. It seems that most people don’t actually use them, that supposedly most Zcash transactions are actually the non private type. Because the private transaction takes I think several seconds on a CPU to actually generate. It might be different now, but that’s what it was when I read it. And that comes down to I think a general point in that these systems they work by adding privacy by adding decoys. In Monero they have the other spent coins that are included in the ring signature. And then that requires more data because those decoy whatever, the general term decoy that requires bandwidth and storage and all that stuff.
Chris Belcher: And I think probably a more productive way of finding privacy is to remove data rather than adding more decoy data, and that’s what lightning does. Lightning doesn’t add privacy by adding decoy data. It adds privacy by taking away data from the blockchain, by having off-chain transactions. That solves this trade off between privacy and scalability, hopefully because you get both, you get scalability and privacy. In my view, that will be a much more productive way to get privacy in the future. People won’t use something that’s not scalable.
Stephan Livera: Okay, great. How about just the fact … I guess what you’re driving to there at the start of that answer was really around the size of the anonymity set. And it’s a fair point to say that Bitcoin’s anonymity set is just so much larger, and that does afford it some level of protection. But I suppose then the question would also be, how many people in Bitcoin are actually doing CoinJoins, and PayJoin, and using JoinMarket, and Samourai Wallet, and Wasabi Wallet? I guess that would be the question then.
Chris Belcher: Yeah, that’s right. And the answer is, much fewer. But it also comes back to the threat model idea. If you were … I don’t know. I suppose you in a country where using Bitcoin was illegal in Venezuela, or Syria, or something like that, and you go and buy Bitcoin from someone, there’ll be fewer people who can be confused with you just by doing the trade. Like I give you cash and you give me Bitcoins, then there will be from Monero. In that kind of threat model, the idea of using CoinJoins and other privacy technology isn’t that important, because just using Bitcoin or any cryptocurrency is illegal. But yeah, in the privacy … In the threat model of people trying to spy on you but Bitcoin is legal then, yeah, I think, CoinJoins are really important. In that sense, the concept of anonymity set that I mentioned there is probably really over simplifying it yeah, because Bitcoin not every transaction is the same as a Monero transaction.
Stephan Livera: Yeah. Interesting. And I suppose it just speaks generally to this idea that we want to just try and encourage the use of some of these technologies where feasible. And I think another question just around this whole concept of fungibility, and this idea of one Bitcoin equals one Bitcoin, and that they’re all the same, maybe this is getting a little more philosophical, but to what extent are we in our kind of human mind placing non fungibility onto Bitcoin when it already is fungible? And what I’m speaking to here is, one of my friend’s, Saifedean Ammous recently commented, and it was a good observation, he was saying, “It’s not like there is a separate market for fungible Bitcoins and then there’s a separate market for tainted Bitcoins.” Do you have any comments on that, Chris?
Chris Belcher: Yeah, that’s right that such a market doesn’t exist today. But I think the big fear is that, I think to be concrete, the big fear is that these transaction surveillance companies like Chainalysis, and Neutrino, and so on, that they’ll become so pervasive that they can end up turning the screw. Today they might think, “Okay, we don’t have the power to just …” They won’t see it as destroying fungibility, they’ll see it as tracking criminals or something. They’ll say, “We don’t have the power to do that today, but if we get enough exchanges to use our services and that kind of thing, and if we stop all trading outside of these exchanges, then we’ll be able to find the bad guys, it will be great.” And then at that moment, fungibility could be lost. Yeah, it’s true that it’s not a problem today, and even if it was a problem, I think there are privacy technologies out there.
Chris Belcher: You could put your money through CoinJoins and that kind of thing, and then they would in a sense lose their history because these transaction surveillance companies can’t see where they came from, they’ll just see a CoinJoin. I think the future looks good, but it’s not, it could still be ruined in a sense. For example, I think if every transaction ended up being associated with AML/KYC, then that could be quite damaging for fungibility.
Stephan Livera: Yeah, a great point. And we definitely don’t want an ecosystem where people have to first assess their coins versus some kind of black list, or assess their coins for taint before sending them or before accepting them as payment. And definitely that would ruin the overarching system. But just curious to get your thoughts there.
Chris Belcher: Yeah, that would be the death of a decentralized Bitcoin.
Stephan Livera: Yes, definitely. Yep. Interested to talk now about JoinMarket. I’ve tried to do a little bit of reading, but maybe it would be great if you could just give the listeners an overview on what JoinMarket is and what the model is in terms of maker-taker.
Chris Belcher: Yeah. JoinMarket it’s an implementation of CoinJoin, and it was first created and released in 2014, 2015. And the idea was, it’s not the first implementation of CoinJoin, there’ve been … Before JoinMarket there was at least three or four others. And they had this problem that you had to wait for a CoinJoin. CoinJoins work that more than one person, and I would say 10 or any number, they have to come together to create a single Bitcoin transaction. And it means you need the … It’s actually an economic problem. You need to allocate resources, you need the right resource i.e. coins in the right place, at the right time, in the right quantity. And the way most other systems solved that was you had a queue. You had to run this wallet through application, and then every so often, maybe once a day or something, a CoinJoin transaction will be made, and you couldn’t choose the amount, it will have to be fixed, fixed up.
Chris Belcher: There was Andytoshi’s CoinJoin tool which had one Bitcoin for example, or something like that. The insight of CoinJoin … Sorry, with JoinMarket wasn’t really a technological thing, it was an economic solution. And that was to use market forces to solve this problem of liquidity. And that worked that, if you wanted to do a CoinJoin
[inaudible 00:35:48]
the user, you’d have a wallet, and you could do a CoinJoin right there for any amount you wanted, like now as soon as you press the send button. But in return you’d have to pay a CoinJoin fee, which is you’d have to pay the other people who are creating the CoinJoin. And they were called makers, and the user who sends the CoinJoin straight away is called a taker. Like liquidity maker and liquidity taker, like in exchanges. And then these liquidity makers, they could actually earn money. All they need to do was run a program on their computer when you put the coins in it. And when other people wanted to create CoinJoins with their own coins, they’d earn a small … They’d earn the CoinJoin fee.
Chris Belcher: It would be much less than 1%, because the supply and demand stuff. And that seemed to work really well. Right now in JoinMarket you can create CoinJoins for an amount up to about 200 Bitcoins just right there as soon as you press send. And it costs you not very much money, like much less than 1%. And the reason it works so well is because CoinJoin is actually a kind of smart contract. There’s no way that any party can steal Bitcoins from any other party. That the CoinJoin is atomic, that it either/or happens or none of it happens. There’s no risk of any party losing their coins because of that reason. And that’s essentially a short overview of JoinMarket really. That it’s a way of using market forces to make CoinJoins happen in a way that’s useful.
Stephan Livera: Fantastic. And then is there any sort of central coordinator involved for JoinMarket? Can you explain that part?
Chris Belcher: Yeah. The central coordinator, or at least the coordinator of CoinJoins is the taker. The taker contacts all these other makers, and asks them for their partially signed transactions. And then the taker sends the partially signed transactions back to each maker and gets them to sign it. The coordinator is the taker. And that also means the taker can … They know all the mapping, so they know which inputs correspond to which outputs. And I suppose, that’s a bit of a privacy leak. But the sort of the economic argument is that while the taker wanted to create this CoinJoin and he’s paying for it, presumably he’s not going to ruin his own privacy by publishing the CoinJoin mapping on the internet. I don’t know if the argument convinces you, maybe it does. But in practice, when somebody looks at a CoinJoin transaction on the blockchain, they can’t see the mapping between the inputs and the outputs.
Chris Belcher: But there is a definite point there that the privacy of the taker is stronger than the privacy of the makers. Because the makers … There’s at least one other person who knows where the maker’s coins went, and the taker only knows where their own coins went.
Stephan Livera: Right. And I suppose the people providing the liquidity in this example are the makers, and the takers are the ones paying the fee. Kind of in the same way that a market maker on an exchange is kind of sort of making money on it, like a bid-ask spread. But in this case it’s more like the makers are the ones just kind of offering up Bitcoins in kind of saying, “Yes, here are my two Bitcoins that I’m willing for you to use as part of your CoinJoin.” Is that essentially what’s going on there?
Chris Belcher: Yeah, that’s exactly what’s going on. The terminology is the same because it’s the same sort of the same job in terms of economics is being done there. In traders, these guys provide liquidity for trading, for buying and selling, and in JoinMarket these guys provide liquidity for creating CoinJoins.
Stephan Livera: Fascinating. Chris, can you just comment for us on how technical you need to be on installing JoinMarket and using JoinMarket?
Chris Belcher: Yeah, it’s unfortunately fairly technical. It involves installing things on the command line and installing some dependencies, that’s not ideal, I guess. But the … It’s not that difficult if you … There’s tutorials and that kind of thing. But I suppose the underlying reason why it happens is that JoinMarket’s an open source project, which doesn’t really have many resources in a sense, that it can’t tell people, “Okay, you work on this thing to make it easy and to install, you work on this other thing.” And people just work on the things they’re interested in, and that normally ends up being to improve privacy of how it works. And I suppose by analogy you can say it’s a bit like the Linux of CoinJoin or something that it’s a bit hard to use and install. But hopefully that will change one day.
Stephan Livera: Chris, could you just comment a little bit around using it as well? I understand to install that it’s okay … You need to use character line interface. But in terms of the kind of user interface for somebody using JoinMarket, can you just talk through how that would work?
Chris Belcher: Actually using it as a lot easier because there’s a GUI, a GUI. That looks a lot like a wallet that you press create wallet, and it gives you 12 words that you write down, and then it shows you Bitcoin addresses you can send money there. And then you can … When you press send or repeat it sends, then it sends a transaction, but those are actually CoinJoins. And there’s also a built in scheme where it will automatically create many different CoinJoins in a way to add even more privacy. CoinJoins that then spend from your previous CoinJoins, and that’s all included in this GUI. Hopefully using it as a lot easier once you’ve installed that.
Stephan Livera: Yeah. And I understand the way Wasabi wallet works as well, it uses this concept of multiple rounds of mixing. Is that essentially a similar concept that you’re applying there in JoinMarket?
Chris Belcher: Yeah, I think it’s exactly the same thing. In that CoinJoin is, you get much more privacy from CoinJoin when you cascade the CoinJoins i.e. do them again and again. Yeah, it’s essentially the same thing. This is a mode of operation that just automates the process. Normally people write their destination, like the Bitcoin addresses where they want the coins to end up, and then press this tumbler mode, and then leave their computer on for eight hours. And by the end of it, the coins will end up in that place via many different CoinJoins.
Stephan Livera: Fantastic. And lastly, Chris, on this topic of JoinMarket, can you just comment a little bit, I mean, no below the belt punches, but I’m just curious if you could just from your point of view, contrast JoinMarket with some of the other privacy wallets, say Wasabi wallet or Samourai Wallet?
Chris Belcher: Yeah. Probably the closest contrast is Wasabi, is they both use … CoinJoin as both their modus operandi, and there are different approaches there. I think Wasabi has this liquidity problem that I mentioned before, that users have to wait in a queue, essentially. That CoinJoin happen once every hour or hour and a half, and they can’t choose the amount. That the amount can only be roughly, not exactly not 0.1 BTC, but around there. And if you want to do more than there are certain tricks. Yeah, I think it has the liquidity problem that the other CoinJoin implementations had, and the reason is that liquidity isn’t paid for. In a sense the price of liquidity is fixed at zero. But apart from that it is good in those other ways. It uses client-side block filtering which is, it allows itself to synchronize its history and balance without revealing to any third party server which addresses it has. And it’s also much easier to use. It’s run by a company and they have an income, and they have an investment.
Chris Belcher: They can make the whole thing really easy to install and use, and that’s quite nice, that’s obviously great for users. And then for Samourai Wallet, I also like a lot of the things they’re doing. They have this Stowaway, the thing you mentioned before, and they’re working on PayJoin, or maybe they’ve already finished it. But the thing I’m concerned about there, is that Samourai is a wallet on your smartphone. Smartphones aren’t very powerful, and you can’t easily run a full node there. The way Samourai works is it connects to a centralized server and then tells it all your Bitcoin addresses. Then i.e. the Samourai server can see what your addresses are and ruin your privacy. But still for all these things it depends on the person’s threat model. If your threat model means that you don’t mind Samourai server seeing your addresses, then it could be really useful. For example, if you’re a Bitcoiner in Venezuela and, I don’t know, Samourai server isn’t inside Venezuela, then it’s fine to use Samourai. I mean, yeah, I’m positive on all of them. It’s good that people try different technologies, that they … It’s good to understand the trade offs.
Stephan Livera: Yeah, exactly. I think … I mean there’s different trade offs with all them, and I understand Samourai Wallet are making efforts on that to try and have this Dojo product, or allow you to connect to your own sort of trusted node. And I know one another trade off could be with Wasabi wallet. My understanding is to make the mixing easier, and to make it work, it is currently only Bech32 addresses. What sort of … Does JoinMarket have a similar kind of a Bech32 only, or is it using other addresses as well?
Chris Belcher: JoinMarket uses P2SH-wrapped SegWit addresses, so they start with three.
Stephan Livera: Got it. Okay, great. Look, I think it might be great now to talk a little bit about Electrum Personal Server, another one of your projects. And this is quite a … I’m quite positive on this. Could you just maybe explain to the listeners why should they look into Electrum Personal Server? What are the benefits for them?
Chris Belcher: Electrum wallet is, it’s a software wallet. And I think it’s quite nice, and it has lots of features and all that kind of stuff that can interface with hardware wallets. But the biggest downside that I saw is that, as a lightweight wallet, it connects to third party servers and tells them what all your Bitcoin addresses are, and it can see your transactions, and that kind of thing. You can mitigate this by running your own server. But the Electrum like the sort of the default implementation, the way it works is, it has a big index of every address that was ever used on the blockchain, and every transaction that was ever used, and obviously every block. It’s quite resource intensive and it takes a long time to generate this index, and you have to have a lot of disc space and all that stuff. Electrum Personal Server it’s essentially a way of having an Electrum server, but that uses the minimum possible resources. It works by, instead of tracking every possible address, it only tracks your addresses.
Chris Belcher: When you start it up and configure it, you actually tell it your Electrum master public key, and from that it generates your wallet, and tracks only that. And that means that it’s essentially a layer on top of the full node. And it means the full node is compatible with pruning and with blocks only, and with reducing bandwidth requirements, and all these other things that reduce the resource requirements of the full node. I think it’s interesting in that respect, because it allows you to use a full node with your Electrum wallet. And we know full nodes are good for privacy and for validation, so making sure that you really do have Bitcoins and sort of some attack or another Altcoin.
Stephan Livera: Yep. Exactly. And if you could just tell the listeners the basic process around installing Electrum Personal Server and how to use it.
Chris Belcher: Yeah. You go to GitHub Page and there’s a short tutorial there which right now involves a little bit of command line manipulation. But it should be fairly simple, it doesn’t have any dependencies. And in the future what they hope to do is for Windows users to create a Windows executable. Where you could essentially just double click it as a Windows user, and it will start Electrum Personal Server, and there’d be no installation. That should be quite nice. But right now you follow the tutorial in the GitHub.
Stephan Livera: Fantastic. Yeah, I think it’s a great technology. It’s a great software that people should look into where they can. Chris, another topic I was interested to discuss with you is just this whole idea of Chainalysis, which you touched on earlier. Now, my question is, and now you’re a guy who has thought very deeply and thought about this. Do you believe there might be cases where law enforcement or other Chainalysis companies let’s say, not necessarily law enforcement, that they might overplay their hand in terms of what they can actually prove with the chain analysis?
Chris Belcher: I think they definitely overplay their hand right now because it’s good for their business. If they can convince people that these techniques are always work, then they can get investment much more easily. Because they can tell investors, “Just give us money and we’ll implement these techniques, and then it will definitely 100% work.” And also they’ll get more customers because they’ll tell people, “If you buy our products then you’ll be protected from all the law enforcement stuff that you need to do.” I think there’s definitely an incentive already to exaggerate how other techniques work. And how well they actually work in practice is actually, it’s a problem. We can’t really know because the victims of i.e people who want privacy are never really going to tell what the real story is. We’re generally lacking a ground truth in a sense that we can have these heuristics, like address reuse, and common-input-ownership heuristic, and that kind of thing. But we can’t check if they really work, if you see … I mean.
Chris Belcher: For the answer of how well do their do their techniques work, we’re not really sure, it’s hard to know for certain. There is some cases where you can note, for example, the Mt. Gox exchange a few years ago it was obviously hacked and taken down. And then a few months after that its database was leaked. You had almost the complete database of every transaction going back for years. And from there you actually had a ground truth. You could link that with the blockchain analysis and see how all the techniques worked. In that case you could see a ground truth. And Mt. Gox is a great example because it had this feature where you could input a private key as a user of Mt. Gox, and then it would sweep the coins and send them to somewhere else. And this had the effect of breaking the common-input-ownership heuristic, which is what these companies rely on. And then in that case it turned out the analysis doesn’t work very well at all. I’m not sure. As an answer to whether they work, maybe, I don’t know. And it’s hard to tell.
Stephan Livera: Right. Yeah. And I suppose just a bit of a follow up question to that. Let’s say enough people start using transaction graph privacy i.e. they start avoiding that common ownership input or the merge heuristic, as I think Mike Hearn called it, what would be kind of the … Because obviously this is like a cat and mouse game. Once that part gets, let’s say, sold, what would be kind of the next level that they would start doing? Would they just try to use IP analysis or AML/KYC stronger? Do you have any ideas on what that might be?
Chris Belcher: That’s a good question. What would be there in the post common-input-ownership heuristic world? I’m not sure. I guess they could try IP address tracking, or the AML/KYC stuff. I can’t think of anything right now.
Stephan Livera: Yeah, sure.
Chris Belcher: Yeah. It would have to be that. They’d have to try and use IP address tracking and AML/KYC if they could.
Stephan Livera: Yeah. Interesting. Yeah. Okay. No, just curious. It just came to me then. Okay. Another question I was keen to ask and I’m sure you’ll have opinions on this, do you have thoughts on the next generation block explorers that we’re seeing nowadays? Things like OXT.me with Laurent, and with Blockstream.info which now actually shows privacy heuristics applied to specific transactions.
Chris Belcher: Yeah, there are good efforts because I think they’re really great because a lot of this privacy technology we know, or at least, some people know, I think everything, not everything but many things that are out there that are. But I think the general Bitcoin using public doesn’t really know a lot about these things. That they don’t know that address reuse is a problem, some of them. Or they don’t know that this merge, the merge heuristic, how bad that is. Or using the different script types, or the other things. Those things are definitely good in terms of education. And I think I’ve been thinking lately about it might be worth trying to do is to rename this object address because of how it implies that you can reuse it like it’s an email address or a mail address. Maybe it’s worth renaming it in the Bitcoin space to something like Bitcoin invoice or Bitcoin invoice address. And that might make it more obvious to people, to users, that you should only use them once.
Chris Belcher: Yeah, that any kind of education I think is definitely good, then I don’t want to talk it down or anything like that.
Stephan Livera: Yeah, exactly. And I think, I mean, as much as I would love to try and change the terminology, I think sometimes the ship has already sailed. It reminds me a little of some of the discussion around trying to not use SATS, and use things like nanobit, and picobit, and so on. But ultimately the street names these things. And that was the point, I believe, Dr. Adam Back made, he was saying, “Look, the street names these things, even like millimeters builders might say mills on a site.” I think for better or worse, we’re probably unfortunately stuck with the address term.
Chris Belcher: Yeah. Unfortunately.
Stephan Livera: Yeah. Look, I think we’re pretty much getting to time, but yeah, I’d like to give you a chance to just offer some closing thoughts. And obviously, I want to motivate some of the listeners to go and read the Bitcoin Privacy Wiki that you just wrote. And one line that really struck out to me, or stuck out to me, from your privacy Wiki was this line is, “The Bitcoin white paper made a promise of how we could get around the visibility of the ledger with pseudonymous addresses, but the ecosystem has broken that promise in a bunch of places and we ought to fix it.” Can you offer some closing thoughts there for the listeners, Chris?
Chris Belcher: Yeah, so that, I think the main point there is, Bitcoin privacy is a really big topic and it requires at least a little bit of reading and understanding for how you use Bitcoin in a private way. That it is totally possible to use it in a private way, it just requires a little bit of know how. But yeah, I mean, the original paper was 10 years ago, and any kind of knowledge will advance in 10 years. The things we know now we’re not known to Satoshi or anyone else who was around then back in the time.
Stephan Livera: Fantastic.
Chris Belcher: Yeah. I think that the future is bright, but it will take a bit of work, I guess.
Stephan Livera: Excellent. All right Chris. Well look, I think if you could just tell the listeners where they can find you. Obviously I’ll put the links in the show notes as always, but it’s just nice to have it spoken out as well. Just tell the listeners where they can follow you, where they can find some of your work.
Chris Belcher: Yeah, so I’m on GitHub, Chris-Belcher. And I’m on Twitter, @Chris_ Belcher_. And then I’m on a Reddit, I’m one of the r/Bitcoin moderators, which is u/Belcher_. What else? I have an email address, belcher@riseup.net. I think I have a Bitcointalk account, although I don’t really go there much anymore, but that’s still around. Yeah, in any of those places, I normally look at them every so often.
Stephan Livera: Fantastic. Chris, look, it’s been fantastic to just discuss with you, and really educational for me, and I’m sure very educational for the listeners as well. Thank you for all the work that you’re doing to help defend Bitcoin privacy and educate people. And thanks for coming on the show, Chris.
Chris Belcher: Yeah, thanks for having me.
Stephan Livera: I hope you found that educational, and if you haven’t already, I encourage you to go and read Chris Belcher’s Bitcoin privacy Wiki. It’s long, it might take about one and a half hours or so, but it’s definitely worth it. You can tell he has thought very deeply about Bitcoin privacy, so you know there’s huge value in it. Next, take a look at some of the different Bitcoin privacy software solutions out there, such as JoinMarket, Wasabi wallet, Samourai Wallet for example. Give them a try. Ultimately the Bitcoin ecosystem will benefit from people trying these tools out and helping increase the size of the anonymity set. If you enjoy my podcast, remember I have a day job, and this does take me a lot of time and effort to produce high quality episodes for you. If you’re so inclined, you can help me out in a few ways. I’ve got a Patreon which is patreon.com/stephanlivera.
Stephan Livera: I’ve got a Tallycoin donation link on my website, stephanlivera.com. But ultimately just share the podcast with your friends on Twitter, Reddit, forums, and chat groups. Also, make sure you guys are subscribed to my YouTube channel, which you can find by searching Stephan Livera. I’m hoping to start doing some more YouTube live shows, that way I can help build the audience, and also get a little bit more engagement. Also, thanks to the people who leave me five star reviews on iTunes. I appreciate your support guys, and see you next time.