SharedCoin adds another layer of privacy by bundling numerous transactions before placing them in the blockchain, helping mask users from casual examination by outsiders. Unfortunately most consumers have little or no idea that there are different levels of security and what that means to their privacy concerns. We have to keep in mind that the public ledger is open to inspection at all times. Savvy users can use the above mentioned tools to actually track individual transactions in the ledger. There are more than a few corporations that conduct their business and even make payroll in exclusively Bitcoins, which opens up privacy issues from its employees.
But while SharedCoin will most certainly provide more privacy that operating with it the application is far from powerful, as was clearly shown recently by Kristov Atlas, author of the book Anonymous Bitcoin. Atlas developed his own software named ‘CoinJoin Sudoku’ and the research study that he conducted discovered that SharedCoin only offered enough privacy to protect from unskilled examiners of the blockchain and, as more tools become available with user friendly features this small protection will also disappear. But more importantly Kristov’s research was completely accepted by Blockchain. CEO Nicolas Cary stated that he was satisfied with the results of the study and that Kristov addressed privacy as seriously as did Blockchain.
The company went even further by publishing a blog post which explained what user could expect in regards to security from SharedCoin. The company explained that the tool is far from perfect, saying in the post:
“They do not prevent a determined investigator from correlating transactions or an adversary with information about specific addresses from correlating them to specific payments and payees.”
On the surface SharedCoin seems like a good idea. The idea is to collect a group of users and bundle their transactions together and then inserting them into the blockchain. But this bundle will have a number of both inputs and outputs which, in theory, should render the entire bundle useless for analysis. This is an improvement from the old “Tumblers” which shifted the transaction across several address to obscure the address of the sender. This system had a huge security hole however because it was possible for anonymous operators to simply make the bitcoins disappear.
Atlas was able to discover that about 2.6% of the 20,000 transactions scattered across 45 blocks on the chain had SharedCoin profiles and then identified groups within the bundled transaction with equal amounts. From this he was able to examine inputs and outputs for relationships. The entire study required 30 hours with a single core processor and while he considered this inefficient he was also certain that a more thorough investigation and de-anonymization was certainly possible. But Atlas was very clear that his study only used one cycle and it is worth noting that SharedCoin can be set to run from 2-10 cycles with one cycle default. You can also use the Taint Analysis tool made by Blockchain to test the traceability of the transactions but Altals warned that the measurement was not accurate enough for his tastes.
Blockchain seems to be handling public relations over this issue very well. The company paid Atlas a bounty for discovering the weakness and worked with the researcher in releasing the information, thanking him for working with the company.
“As always, Blockchain.info is committed to transparency, the community, and improving bitcoin services for everyone.”
Blockchain has also invited the community to its GitHub repository for reviewing all of its open source projects. But they have also been very clear about one thing: SharedCoin will not let users completely hide transactions and only provides a basic level of security.