Privacy-Preserving Bitcoin Protocol Enhancements
The research community features a number of proposals to enhance user privacy in Bitcoin without the need for modifying the original Bitcoin trust model. Examples includes ZeroCoin , Extended ZeroCoin , and ZeroCash . These constitute the most prominent initiatives that involve the conversion of BTCs to coins that can be spent anonymously.
In the sequel, we first elaborate on the trust model assumed by these protocols, along with their security requirements and guarantees. We then detail how these properties are achieved in each of the aforementioned protocols. Note that we will solely focus on extensions of the Bitcoin protocol—these are orthogonal to the network level linkability of transaction announcements in the Bitcoin network.
In the privacy extensions of Bitcoin that we will be discussing in this chapter, we assume that users convert BTCs to untraceable or anonymous coins (zerocoins in , extended zerocoins in , and zerocash in ) through an operation called Mint. Users subsequently spend these anonymous coins in two possible ways:
- • The first payment type consists of converting anonymous coins back to BTCs that are sent to a payee's address; this is the reverse operation of Mint and is referred to by Spend. ZeroCoin only supports this type of spending.
- • The second type of payment consists of transforming anonymous coins to other anonymous coins that are under the control of the payee using an operation denoted by Pour. ZeroCash and Extended ZeroCoin support this type of payment.
Given the considered adversarial model, we identify the following security notions for Bitcoin: balance, anonymity, and activity unlinkability. Informally, the balance property requires that an adversary who has legitimately acquired a set of BTCs can spend anonymous coins (to other users) of at most the value of the BTCs he originally owned. The unlinkability property refers to the fact that an adversary should not be able to link two different spending transactions that pertain to a user. Finally, anonymity refers the fact that the spending of a coin should not be linked to a certain conversion transaction (i.e., Mint). Although the spirit of these definitions is the same across all systems presented in this chapter, we provide in the following more formal definitions that are adjusted to the operations performed in each case.