“Anonymity loves company.” It is well established that anonymity is co-created by the members of an anonymity set, who share the same intention and employ technical systems and protocols to make them appear indistinguishable to outside observers. In many cases, the parties retain some private information about the set formation, which can help deanonymize members of the set. We explore how the police can gather and use this information in exceptional cases, pertaining to the age-long tension between privacy and law enforcement.
Previously, this tension has been studied for mixes in communication networks [5, 11, 4]. The proposed solutions rely on putting backdoors into systems or the supporting cryptography, such that designated parties can revoke the anonymity in justified cases. Access to the backdoor is made transparent, which holds law enforcement accountable and impedes mass surveillance.
With the advent of privacy-hardened cryptocurrencies and their popularity among criminals, the tension is instantiated for money flows. While backdoors seem technically feasible, it is unlikely that they can be sustained in decentralized systems, whose raison d’être is the rejection of privileged parties with special access rights. Other, more widely acceptable ideas to combat money laundering specifically are threshold schemes. Small payments would enjoy unlinkability while larger transactions require identification or are traceable by design [10, 19]. The downsides of this approach include the need to agree on a threshold and, more importantly, it would require strong identities in order to prevent “smurfing” attacks, which split a large sum into many small payments.
We explore a different approach. Collaborative deanonymization means that the parties who formed the anonymity set, henceforth called witnesses, share information on request for the purpose of solving a crime. We argue that this approach is compatible with the peer-to-peer spirit of decentralized systems because every witness decides if she supports the investigation or not. This limits the method to felonies that are universally disapproved, such as extortion (ransomware) or the financing of child sexual abuse. For the method to be effective, it is not required that every witness collaborates. Every collaborating witness reduces the search space. Law enforcement might leverage a range of incentives to induce collaboration: alibi, altruism, bounties, and—in justified cases—force (e. g., seizure and use of a private key). Unlike traffic or blockchain analyses, collaborative deanonymization does not scale, hence the risk of secret mass surveillance is small. Moreover, as search requests are announced publicly, law enforcement can be held accountable. The very fact that anonymity is conditional can deter crime.
In the following we develop a scenario (Sect. 2), formulate desiderata, and sketch protocols (Sects. 3 and 4) that enable collaborative deanonymization of two relevant privacy techniques: CoinJoin anonymization in Bitcoin, and Monero rings. Section 5 concludes.
Crucially, our protocols are overlays and do not require changes to the target systems. Similar protocols can be developed for other cryptocurrencies and privacy techniques.
2 Scenario and Model
Consider a scenario where a law enforcement agency (LEA) has identified a suspicious cash-out from a cryptocurrency address. The objective of an investigation is to find an identifiable source, i.e., backtracking. After employing known blockchain analysis methods, like state-of-the-art clustering, the LEA obtains an entity graph where backtracking is ambiguous only due to mixing transactions.
We model such transactions as collections of inputs and outputs. The LEA has no information about the relation. (Footnote 1: Conversely, if the LEA has some information (e. g. due to non-uniformly valued inputs and outputs), it can partition the transaction into smaller units and proceed as described.) Without loss of generality, we assume that each output of a transaction is funded by exactly one input. Backtracking links the entity associated with the targeted -th output to the entity of the funding input. Between transactions, each input of a transaction references exactly one output of a previous transaction.
Join-type transactions are formed collaboratively by parties, potentially facilitated by an intermediary such as JoinMarket. We model this using inputs, each funding a distinct output (). A join-type transaction can then be expressed as a permutation on . The LEA’s problem is to find the funding input of the -th output. In practice, CoinJoin transactions vary in size. A study estimates the modal value of inputs for CoinJoins on Bitcoin at. Transactions with are rare. (Footnote 2: A single CoinJoin transaction with made headlines in June 2019: https://www.coindesk.com/bitcoin-users-perform-what-might-be-the-largest-coinjoin-ever.)
In contrast to join-type transactions, ring-type transactions can be formed without the cooperation of other entities. Moreover, a ring-type transaction does not spend all outputs referenced on its input side. In our simplified model, ring transactions have inputs and a single output (). The LEA’s goal is to learn the true input . (Footnote 3: Note that we depart from the terminology of the Monero project, which calls an entire ring “input.”) At the time of writing, the Monero reference implementation fixes the number of inputs to .
For both types of mixing transactions, the anonymity of the participants is based on the observer’s uncertainty about and , respectively. If multiple mixing transactions are cascaded, the number of possible funding sources (suspects) increases exponentially in the number of layers (see Figure 1). We propose protocols that allow the LEA to reduce the number of suspects in collaboration with a subset of the involved parties.
3 Collaborative Backtracking
We assume an authenticated one-way communication channel from the LEA to the protocol participants. The LEA uses this channel to announce inquiries on targeted transaction outputs. Each inquiry conveys enough information so that a potential witness can decide whether she supports the request, i. e., whether she approves prosecution of the specific case, or not.
We further assume an unauthenticated but confidential communication channel from the witnesses to the LEA and, for group testimonies, communication channels between the witnesses. Witnesses willing to support an inquiry use these channels to give testimonies that facilitate backtracking for a single transaction.
3.1 Individual Testimony
An individual testimony is a protocol between a single witness and the LEA. It results in ruling out one of the possible inputs. Formally speaking, the witness associated with the -th input should prove that or , respectively.
For join-type transactions, the witness can testify by signing a challenge with the private keys belonging to the -th input and the -th output (obviously ).
Ring-type transactions hide the true input using traceable ring signatures. By design, these ring signatures reveal attempts to spend an input more than once. The spending of an input yields a transaction-independent key image that must be included in a valid signature—transactions attempting to spend the same input will contain identical key images. Let be the output of a preceding transaction that links the witness to the suspicious transaction . The witness prepares a phantom transaction for the LEA. It has one input referencing and one output. The output could be invalid in order to avoid accidental inclusion in the blockchain. For example, could spend more funds than available in . Crucially, the phantom transaction unambiguously spends . If the key image associated with is different from the key image of , it must hold that .
3.2 Group Testimony
The LEA learns one true input to output relationship per individual testimony. Since the LEA is only interested in the true input of a single output, all individual testimonies reveal more information than necessary. Group testimonies offer a way to overcome the unnecessary privacy loss. Multiple witnesses controlling the set of inputs collaboratively testify or , while maintaining their anonymity within .
For join-type transactions, this can be realized by signing a challenge with all private keys belonging to the witnesses’ inputs and outputs. In the best case, all witnesses cooperate () and identify the true suspect. If witnesses participate in the protocol, for example because private keys are deleted or witnesses unreachable, the search space is reduced to suspects. Join-type group testimonies retain as the anonymity set of witnesses. Cases where minimize the anonymity loss for witnesses when testifying that .
For ring-type transactions, it is possible to implement group testimonies with the construction of a provably spent set [18, 20]. For example, each cooperating witness can individually form a new transaction like for an individual testimony, however this time referencing not only its own input but all inputs of cooperating witnesses. Given transactions that all have the same set of inputs and yet differing key images, the LEA gains evidence that . If an output referenced by an input is unspent at the time of the testimony, the respective witness can achieve an anonymity set of for by referencing all when spending . Conversely, if has already been spent in a transaction with input set , the anonymity set of the witness reduces to .
Notably, each of the cooperative protocols can be executed jointly for multiple mixing transactions. This testifies that the owners of (now generalized to the enumeration of all inputs in all transactions involved) initiated none of these transactions. This approach is especially interesting for ring-type transactions, as larger increase the overlap with the anonymity sets of outputs that have already been spent elsewhere.
3.3 Dealing with the Risk of False Testimonies
A general question is how much confidence the LEA can place in the testimonies. This calls for a closer look at how collaborative deanonymization can fail, and in the worst case produce false or misleading evidence. We observe crucial differences between join-type and ring-type transactions.
Monero stores on the blockchain, albeit in encrypted form. This should reduce the risk of false testimonies to the security of the cryptography used, even if private keys are leaked or stolen.
By contrast, CoinJoin does not commit to the blockchain. Even computationally unbounded observers cannot decide about the relation. The resulting deniability bears a risk of false testimonies. For example, if the perpetrator has access to the private keys of a witness, he could obtain a false alibi by signing a false input–output relation. If the victim among the witnesses does not participate in the collaborative deanonymization, she is falsely accused. If she does participate, the LEA receives two conflicting statements. This concentrates the suspicion on both the perpetrator and the victim, hence perpetrators have little to gain from false statements—unless their victims are unavailable.
The sketched situation highlights that parties engaging in CoinJoins might be exposed to physical risks under collaborative deanonymization. A potential direction of research is to modify the protocols used for CoinJoin formation in such a way that is committed to the blockchain at the time of the transaction. This would obviate false accusations and reduce the incentives to attack other witnesses. The key problem to solve is to decide under which conditions what part of should be revealable. For example, should every party commit to one relation individually? Would a threshold scheme make sense? Moreover, it would be desirable to make the commitment coercion-resistant. Otherwise the risk could reappear at the time of the CoinJoin formation, rather than be mitigated.
A general consequence of collaborative deanonymization is that old private keys remain sensitive even if they do not control any funds anymore.
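The join-type testimonies of Sects. 3.1 and 3.2 and the conflicting-statement case of Sect. 3.3, as an added Python simulation that is not the paper's own code: the transaction, the witness indices and all claims are constructed, and key-control signatures are abstracted into recorded claims.

```python
"""Constructed model of join-type (CoinJoin) backtracking testimonies.
Added example, not the paper's code. An n-input join transaction is a hidden
permutation (input i funds output pi[i]); key-control signatures are abstracted
away, so a testimony is a claim the LEA records. Individual claims contradicting
bijectivity (Sect. 3.3) are detected and the inputs involved stay suspects."""


class Inquiry:
    """LEA-side state for one targeted output of an n-input join transaction."""

    def __init__(self, n, target):
        self.n, self.target = n, target
        self.individual = []  # (i, j): "my input i funds output j"
        self.group = []       # (W, O): "the inputs W fund exactly the outputs O"

    def testify(self, i, j):
        self.individual.append((i, j))

    def testify_group(self, inputs, outputs):
        if len(inputs) != len(outputs):
            raise ValueError("a group claim pairs equally many inputs and outputs")
        self.group.append((frozenset(inputs), frozenset(outputs)))

    def conflicting_inputs(self):
        """Inputs in contradictory individual claims (one input, two outputs, or
        two inputs, one output): where a forged alibi meets the victim's claim."""
        by_in, by_out, bad = {}, {}, set()
        for i, j in self.individual:
            if by_in.setdefault(i, j) != j:
                bad.add(i)
            if by_out.setdefault(j, i) != i:
                bad.update({i, by_out[j]})
        return bad

    def suspects(self):
        """Inputs that may still fund the target, given all testimonies."""
        bad = self.conflicting_inputs()
        remaining, pointed = set(range(self.n)), set()
        for i, j in self.individual:
            if i in bad:
                continue  # contradicted claims carry no weight
            if j == self.target:
                pointed.add(i)  # a self-incriminating claim names a suspect
            else:
                remaining.discard(i)  # the witness ruled herself out
        for inputs, outputs in self.group:
            if self.target not in outputs:
                remaining -= inputs - bad  # witnesses stay anonymous within W
        return remaining & (pointed | bad) if pointed else remaining


def example_run():
    """Hidden pi = [3, 0, 4, 1, 2]: output 4 is targeted, so input 2 is guilty."""
    honest = Inquiry(n=5, target=4)
    honest.testify(0, 3)
    honest.testify(1, 0)
    honest.testify_group({3, 4}, {1, 2})  # witnesses 3 and 4 testify jointly
    # The perpetrator (input 2) holds witness 3's keys and signs himself a
    # false alibi: output 1 really belongs to input 3.
    framed = Inquiry(n=5, target=4)
    for i, j in [(0, 3), (1, 0), (2, 1)]:
        framed.testify(i, j)
    contested = Inquiry(n=5, target=4)
    for i, j in [(0, 3), (1, 0), (2, 1), (3, 1)]:  # the victim also testifies
        contested.testify(i, j)
    return honest.suspects(), framed.suspects(), contested.suspects()
```

The three runs return {2} (search space fully resolved), {3, 4} (the absent victim is falsely suspected) and {2, 3, 4} (the contradiction re-admits both perpetrator and victim).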
4 Forward Tracking
A variant of the scenario presented in Section 2 is forward tracking. Here, the LEA has identified a suspicious origin and wishes to trace the money flow to its (current) destination or until it hits a known cash-out point. We sketch how our approach can be adapted to this case.
4.1 Testimonies for Forward Tracking
Due to the symmetry of join-type transactions, the testimony protocols for the backtracking case (Sect. 3) can be repurposed for forward tracking. Since is bijective, testimonies which rule out assignments of also rule out assignments of .
Ring-type transactions are less straightforward. The protocols given in Section 3 enable collaborating witnesses to testify that a set of inputs does not contain the funding input for a given transaction , i.e., . For the case of forward tracking, they must instead prove that only one specific suspicious input is not a funding input, i.e., . Individual witnesses can accomplish this by creating a phantom transaction , which includes all but the suspicious input . As and share the same funding input , they will produce identical key images. By comparing the key images of and , the LEA can verify that without learning .
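The ring-type testimonies of Sects. 3.1, 3.2 and 4.1, as an added Python model that is not the paper's or the Monero project's code: outputs, secrets and the suspicious transaction are constructed, and key images are a simplified hash of the spent output's secret rather than CryptoNote's real derivation.

```python
"""Constructed model of Monero-style testimonies via key images.
Added example, not code from the paper or the Monero project. A ring transaction
references a set of output public keys and carries the key image of the one
output it really spends. Key images are modelled as a hash of the spent output's
secret key: deterministic per output and independent of the transaction, the
only property used here (CryptoNote's real derivation is not reproduced). The
ring-signature validity check is replaced by a membership assertion in RingTx."""
import hashlib


def pubkey(secret):
    return hashlib.sha256(b"pub|" + secret).hexdigest()


def key_image(secret):
    return hashlib.sha256(b"ki|" + secret).hexdigest()


class RingTx:
    """Ring-type transaction or phantom: only ring and key image are public."""

    def __init__(self, ring, spender_secret):
        self.ring = frozenset(ring)
        if pubkey(spender_secret) not in self.ring:  # stand-in for the ring signature
            raise ValueError("signer does not control any ring member")
        self.key_image = key_image(spender_secret)


def individual_testimony(tx, phantom):
    """Sect. 3.1: the phantom spends exactly one input o of tx. A differing key
    image proves o is not tx's true input; returns o, or None if no exclusion."""
    if len(phantom.ring) != 1 or not phantom.ring <= tx.ring:
        raise ValueError("phantom must reference a single input of tx")
    (o,) = phantom.ring
    return None if phantom.key_image == tx.key_image else o


def group_testimony(tx, phantoms):
    """Sect. 3.2 (provably spent set): k phantoms over the same k inputs R of tx,
    with k pairwise different key images none of which is tx's, prove the true
    input lies outside R while the witnesses stay anonymous within R.
    Returns R, or an empty set when the evidence is incomplete."""
    rings = {p.ring for p in phantoms}
    if len(rings) != 1 or not next(iter(rings)) <= tx.ring:
        raise ValueError("phantoms must share one ring that is a subset of tx's")
    ring = rings.pop()
    images = {p.key_image for p in phantoms}
    complete = len(images) == len(phantoms) == len(ring)
    return set(ring) if complete and tx.key_image not in images else set()


def forward_testimony(tx, suspicious, phantom):
    """Sect. 4.1: the true spender builds a phantom over tx's ring minus the
    suspicious output. An equal key image proves tx does not spend that
    output, without revealing which one it does spend."""
    if phantom.ring != tx.ring - {suspicious}:
        raise ValueError("phantom must reference all inputs of tx but the suspect")
    return phantom.key_image == tx.key_image


# Constructed scenario: three outputs A, B, C; the ring tx really spends B.
SECRETS = {name: hashlib.sha256(name.encode()).digest() for name in "ABC"}
PUBS = {name: pubkey(s) for name, s in SECRETS.items()}
SUSPICIOUS_TX = RingTx(PUBS.values(), SECRETS["B"])
```

Witness A's single-input phantom excludes A, phantoms from A and C over the ring {A, C} exclude both at once, and B's phantom over {B, C} shows the transaction does not spend a suspicious A without naming B.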
4.2 Blacklisting and Cover Transactions
Forward tracking is related to transaction blacklisting previously proposed (and controversially debated) as a regulatory instrument [15, 2]. Specifically the “poison” policy, where taint of a single input is propagated to all outputs, mimics the proliferation of a priori suspicion. An interesting question is whether the threat of blacklisting can foster collaboration. For example, the propagation policy could terminate at transactions that are whitelisted after sufficient evidence has been collected to disambiguate the entity graph (for forward and backtracking).
Forward tracking on Monero rings comes with two caveats. First, it might be hard to decide about when to terminate (unsuccessfully), because it is often unknown whether a given output has been spent at all. Second, the method is susceptible to cover transactions placed by a perpetrator. Such transactions reference the investigated money flow in order to increase the search space and with it the number of witnesses needed.
Blacklisting might be a defense against this behavior because it would devalue the funds in cover transactions and thus raise the cost of creating them. However, the effectiveness of this method as well as other defenses are open research questions. We note that backtracking is not affected by the threat of cover transactions because funding transactions cannot be added after the spending transaction.
5 Conclusion and Outlook
We have presented a novel way to investigate criminal money flows in cryptocurrencies even if the perpetrators use anonymization techniques. Our approach requires collaboration of witnesses, which keeps the method costly enough to prevent mass surveillance or the prosecution of petty crimes. Specifically, we have given protocols for backtracking and forward tracking of CoinJoin transactions in Bitcoin as well as Monero rings. Several techniques ensure that the information shared with law enforcement can be limited to the necessary minimum. Finally, we have discussed new risks due to false accusations and pointed out relations to transaction blacklisting.
We shall also pinpoint future work. Obviously, the protocols for secure testimonies need to be further developed and their properties formalized and proven. A proof-of-concept implementation for the most relevant types of mixing transactions could demonstrate the practicality of our approach. Whether and under which conditions LEAs can deploy collaborative deanonymization must be the subject of more interdisciplinary work with legal scholars. Adapting the approach to less common types of mixing transactions (see for instance Table 1 of for an overview) would help to complete the picture.
The topic also lends itself to economic studies. It would be interesting to investigate the incentives of witnesses to collaborate, presumably with cooperative game theory. In addition, potential knock-on effects on the participation in mixing transactions call for models in the tradition of competitive game theory.
Two broader technical directions are to explore collaborative deanonymization for anonymous communication systems, and to research deniable privacy techniques, which could protect potential witnesses from any pressure to testify or release deanonymizing information.
In summary, collaborative deanonymization appears not only under-researched, but also under-estimated for its potential to balance the conflicting goals of privacy and law enforcement in future digital currency systems. This paper set out to make a case for this promising tool.
We thank our colleagues Michael Fröwis, Malte Möser, Tim Ruffing, and a number of anonymous reviewers for helpful discussions of earlier versions of this work. Rainer Böhme’s and Patrik Keller’s work on this topic is supported by the Austrian FFG’s KIRAS programme under project VIRTCRIME.
[1] (2017) Mixing coins of different quality: a game-theoretic approach. In Financial Cryptography and Data Security Workshops, M. Brenner, K. Rohloff, J. Bonneau, A. Miller, P. Y. A. Ryan, V. Teague, A. Bracciali, M. Sala, F. Pintore, and M. Jakobsson (Eds.), Lecture Notes in Computer Science, Vol. 10323, pp. 280–297.
[2] (2018) Making Bitcoin legal. In International Workshop on Security Protocols, V. Matyáš, P. Švenda, F. Stajano, B. Christianson, and J. Anderson (Eds.), Lecture Notes in Computer Science, Vol. 11286, pp. 243–253.
[3] (2018) Pricing anonymity. In Financial Cryptography and Data Security, S. Meiklejohn and K. Sako (Eds.), Lecture Notes in Computer Science, Vol. 10957, pp. 349–368.
[4] (2014) BackRef: accountability in anonymous communication networks. In Applied Cryptography and Network Security, I. Boureanu, P. Owesarski, and S. Vaudenay (Eds.), Lecture Notes in Computer Science, Vol. 8479, pp. 380–400.
[5] (2003) Revocable anonymous access to the Internet? Internet Research 13 (4), pp. 242–258.
[6] (2006) Anonymity loves company: usability and the network effect. In Workshop on the Economics of Information Security.
[7] (2007) Traceable ring signature. In Public Key Cryptography, T. Okamoto and X. Wang (Eds.), Lecture Notes in Computer Science, Vol. 4450, pp. 181–200.
[8] (2018) When the cookie meets the blockchain: privacy risks of web payments via cryptocurrencies. In Privacy Enhancing Technologies, Vol. 4, pp. 179–199.
[9] (2017) TumbleBit: an untrusted Bitcoin-compatible anonymous payment hub. In Network and Distributed System Security Symposium.
[10] (2005) Probabilistic escrow of financial transactions with cumulative threshold disclosure. In Financial Cryptography and Data Security, A. S. Patrick and M. Yung (Eds.), Lecture Notes in Computer Science, Vol. 3570, pp. 172–187.
[11] (2006) Revocable anonymity. In Emerging Trends in Information and Communication Security, G. Müller (Ed.), Lecture Notes in Computer Science, Vol. 3995, pp. 206–220.
[12] (2013) CoinJoin: Bitcoin privacy for the real world. Forum post.
[13] (2014) Towards risk scoring of Bitcoin transactions. In Financial Cryptography and Data Security Workshops, R. Böhme, M. Brenner, T. Moore, and M. Smith (Eds.), Lecture Notes in Computer Science, Vol. 8438, pp. 16–32.
[14] (2016) Join me on a market for anonymity. In Workshop on the Economics of Information Security.
[15] (2019) Effective cryptocurrency regulation through blacklisting. Preprint.
[16] (2001) Anonymity, unobservability, and pseudonymity – a proposal for terminology. In Workshop on Design Issues in Anonymity and Unobservability, H. Federrath (Ed.), Lecture Notes in Computer Science, Vol. 2009, pp. 1–9.
[17] (2013) CryptoNote v2.0. Whitepaper.
[18] (2018) Monero ring attack: recreating zero mixin transaction effect. In Trust, Security And Privacy In Computing And Communications, pp. 1196–1201.
[19] (2019) PRCash: fast, private and regulated transactions for digital currencies. In Financial Cryptography and Data Security, I. Goldberg and T. Moore (Eds.), Lecture Notes in Computer Science, Vol. 11598, pp. 158–178.
[20] (2019) New empirical traceability analysis of CryptoNote-style blockchains. In Financial Cryptography and Data Security, I. Goldberg and T. Moore (Eds.), Lecture Notes in Computer Science, Vol. 11598, pp. 133–149.