Anonymity

The current BitCoin implementation is certainly better than using a credit card, but I wouldn't use it in environments requiring strong anonymity without a lot of changes.

The history of a coin is publicly available. Anyone can see the flow of BitCoins from address to address.



This becomes a problem when certain points in the "transaction chain" become known to the attacker. In the image below, the attacker controls both the source of Mr. Doe's BitCoins and the destination. Since Doe bought his coins using non-anonymous methods, he is easily identified. His identity is tied to an address in the transaction chain.



A more likely scenario is for your BitCoin balance to come from transactions made over insecure channels (email, this forum, etc.). If you're particularly careless, the destination can just Google all of the addresses in the transaction chain. Maybe he'll find that one of them is in your forum signature here.

I've thought of two ways to make this harder. The first is to randomly send your coins to new addresses that you've generated just for this purpose. The coins are still part of your balance, but it's impossible for an outsider to prove that you sent the coins to yourself instead of a real person. However, the transaction chain still has your identity in it. In a real investigation, you would be targeted for close examination because you either know (directly or indirectly) the real person who is under investigation, or you are that person.



The second way is for an external service to take the coins of many different people, mix them up, and send similar amounts back to those peoples' addresses. If the mixer keeps no logs of who gets which coins, any investigation must stop here.



For maximum security, BitCoin should have the capability to automatically send coins through several external mixers. Assuming at least one of them doesn't keep logs (and all of them actually return your coins), this should keep you completely safe.

There's a problem with safely coordinating all of this. You want all of your coins to be mixed at least once, but keeping track of this in a database will ruin your plausible deniability. Probably you'd have to initially keep track, but then delete the database after all the coins have been made safe.

Unrelated to the chain issues above, BitCoin is vulnerable to network analysis. If an attacker can watch all of your incoming and outgoing traffic, he can easily see which transactions are yours. If the connection is unencrypted (as it is now), he can see when you broadcast a transaction that you didn't receive.

Even when encrypted (through Tor or a built-in mechanism), it's not impossible for an attacker to see which transactions are yours if he can see both ends of one of your connections to the BitCoin network.

Your transactions can be identified through Tor like this:
1. The attacker fills the BitCoin network with IP addresses that he controls.
2. When one of these "evil nodes" receives a packet, the attacker sees if it was received close to the time when he saw you send a packet. If this happens a few times, the attacker knows who you are and can see your transmissions to the network.
3. When you send a transaction, the attacker knows it's yours if you send it without receiving a packet in a while.

To fix this, BitCoin should implement encryption, padding (to prevent any size-based identification), dummy packets, and randomization in sending times. Some plausible deniability could also be added if BitCoin could export and import transactions to/from a file (importing would broadcast the transaction to the network, while exporting would not). Then you could transmit this file in other ways (a flash drive, for example).

I also see two structural problems not related to anonymity:
- If the network is segmented at the network layer (because the PoTUS executed his "Internet kill switch", for example), the block chain will be forked. This would be really bad.
- It's very easy for an attacker with lots of IP addresses to fill the network with cancer nodes. I'm not sure how badly BitCoin could be affected by this.

Everything I mentioned could be user-configurable, and most of it wouldn't slow down actual transactions. Even if you had all of these security features disabled, just having them implemented would give you plausible deniability in certain cases.

Block generation would be slowed in the case of a network split, so executing a double-spend would be even more difficult. I was thinking more of a problem like the Cogent-Level3 peering dispute, where there is no path between two ISPs for a long while. In this case, lots of transactions would be lost when the network is recombined and one of the chain's branches is discarded.

I don't know how this is currently handled. It might already be fixed. I haven't looked at the source.

*Strong

I don't know, I personally find it rather disconcerting if users in the chain can be identified. For example, it wouldn't be enough for me to simply get bitcoins at an exchange, send them to a random address, and then use them from that point on. Your identity would still be linked. However, given the public nature of the transactions, I'm not sure if there is any way around this.

I agree with you though, the software needs to be usable with a well-designed UI, and it needs to be robust. Bitcoin needs a full security audit to see how robust it is to different kinds of attacks, and what is compromised.

+1 to Previous Post by gavinandresen

Because Bitcoin transactions are not forced through the regulated banking system, bitcoins can range from being not at all anonymous if I announce my transactions on twitter, to being completely anonymous so long as I purchase anonymously, obfuscate ownership by transferring to one or more intermediary addresses and then spend them anonymously. There's nothing wrong with adding that obfuscation optionally, but it's overkill to apply it to all transactions because not everyone needs that level of anonymity and no matter how anonymous you make it, it's never going to be anonymous to the folks who voluntarily reveal their identity.

Real life example

1) I set up a fresh Bitcoin address/Bitcoin Client in a VPS hosted in Panama, connected via Tor.

2) I purchase a 100 EUR paysafecard code at some newsagent in a big, densely populated city. I pay cash, and make sure the newsagent is 2 km away from my home.

3) I advertise the sale of the paysafecard code on this forum, via Tor and a free public wifi hotspot,  using a fresh username.

4) A buyer shows up. I send him my bitcoin address and the paysafecard code from a freshly set up webmail address, again via Tor and a free public wifi hotspot.



Using above precautions, it will be very difficult to link my physical identity to my bitcoin address. Not impossible, but difficult enough for my purposes.

It's hard to imagine the Internet getting segmented airtight.  It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone.  It would only take one node to do it.  Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks.  Their number of confirmations would start over.

If anyone took advantage of the segmentation to double-spend, such that there are different spends of the same money on each side, then the double-spends in the shorter fork lose out and go to 0/unconfirmed and stay that way.

It wouldn't be easy to take advantage of the segmentation to double-spend.  If it's impossible to communicate from one side to the other, how are you going to put a spend on each side?  If there is a way, then probably someone else is also using it to flow the block chain over.

You would usually know whether you're in the smaller segment.  For example, if your country cuts itself off from the rest of the world, the rest of the world is the larger segment.  If you're in the smaller segment, you should assume nothing is confirmed.