EXCEL ENGINEERING COLLEGE
(Autonomous)
DEPARTMENT OF ARTIFICIAL INTELLIGENCE AND DATA SCIENCE
VII Semester
20AIE27 –Blockchain & Crypto Currency
Regulations 2020
Question Bank
UNIT – III (Bitcoin and Anonymity)
PART- A
Q.No. Questions Marks CO BL
1 Define Anonymity in Bitcoin. 2 CO3 R
2 State Unlinkability in the Bitcoin context. 2 CO3 R
3 Tell about Taint Analysis. 2 CO3 R
4 List the different ways to De-anonymize Bitcoin. 2 CO3 R
5 Define Transaction graph analysis. 2 CO3 R
6 State Mixing. 2 CO3 R
7 Recall De-centralized mixing. 2 CO3 R
8 List the steps involved in Coinjoin. 2 CO3 R
9 Define Coinjoin. 2 CO3 R
10 Recall the Dedicated Mixing services. 2 CO3 R
11 List some ways of decentralized mixing. 2 CO3 R
12 What is called merge avoidance? 2 CO3 R
13 Differentiate Basecoin and Zerocoin. 2 CO3 R
14 Write down the steps for Mining a Zerocoin. 2 CO3 R
15 Give the comparison of the anonymity technologies. 2 CO3 R
16 State Zero Cash. 2 CO3 R
17 Give diagrammatic representation of mixing. 2 CO3 R
18 What is pseudonymity? 2 CO3 R
19 Recall about finding peers step in coinjoin. 2 CO3 R
20 Infer Unlinkability. 2 CO3 R
PART- B
Q.No. Questions Marks CO BL
1. Explain How to De-anonymize Bitcoin in detail. 16 CO3 U
2. Describe the set of principles for improving the way that mixes operate. 16 CO3 U
3. Explain the concepts of Mixing Cryptocurrency. 16 CO3 U
4. Discuss in detail Decentralized mixing. 16 CO3 U
5. Summarise the steps involved in coinjoin in detail. 16 CO3 U
6. Explain the concepts of Mining and spending the zerocoin in detail. 16 CO3 U
(Note: *Blooms Level (R – Remember, U – Understand, AP – Apply, AZ – Analyze, E – Evaluate, C – Create)
PART A – Blooms Level: Remember, Understand, Apply
PART B – Blooms Level: Understand, Apply, Analyze, Evaluate (if possible)
Marks: 16 Marks, 8+8 Marks, 10+6 Marks)
Subject Incharge Course Coordinator HOD IQAC
(Name & Signature) (Name & Signature)
UNIT – III (Bitcoin and Anonymity)
PART- A
Q.No. Questions Marks CO BL
1 Define Anonymity in Bitcoin. 2 CO3 R
Anonymity is the quality of a person whose identity is unknown. Bitcoin addresses are hashes of public keys. You don't need to use your real name in order to interact with the system, but you do use your public key hash as your identity. Thus, by the first interpretation, Bitcoin is anonymous as you do not use your real name.
2 State Unlinkability in the Bitcoin context. 2 CO3 R
Some key properties that are required for Bitcoin activity to be unlinkable:
1. It should be hard to link together different addresses of the same user.
2. It should be hard to link together different transactions made by the same user.
3. It should be hard to link the sender of a payment to its recipient.
3 Tell about Taint Analysis. 2 CO3 R
It’s a way of calculating how “related” two addresses are. If bitcoins sent by an address S always end up at another address R, whether directly or after passing through some intermediate addresses, then S and R will have a high taint score. The formula accounts for transactions with multiple inputs and/or outputs and specifies how to allocate taint.
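As an added illustration (this code is not part of the question bank or of the textbook it draws on), the following Python models the taint rule just described on a constructed set of transactions: every output of a transaction inherits the same value-weighted mixture of its inputs' taint, and the taint score of R with respect to S is the fraction of everything R has ever received that descends from S. The transaction ids, addresses and amounts are all constructed.

```python
from collections import defaultdict

# Constructed transactions. A transaction with no inputs creates new coins;
# otherwise each input references an earlier output as (txid, output index).
SAMPLE_TXS = [
    {"txid": "cb", "inputs": [], "outputs": [("S", 10.0), ("X", 2.0), ("X", 5.0)]},
    {"txid": "t1", "inputs": [("cb", 0)], "outputs": [("M", 10.0)]},               # S -> M
    {"txid": "t2", "inputs": [("t1", 0), ("cb", 1)], "outputs": [("R", 12.0)]},    # M + X -> R
    {"txid": "t3", "inputs": [("cb", 2)], "outputs": [("Y", 5.0)]},                # X -> Y
]


def propagate_taint(transactions):
    """Return address -> list of (value, taint) for every output that address
    ever received; taint maps an originating address to the fraction of the
    output's value that descends from it."""
    outputs = {}                      # (txid, idx) -> (value, taint dict)
    received = defaultdict(list)
    for tx in transactions:
        if not tx["inputs"]:
            # newly created coins are fully tainted by their own first address
            for idx, (addr, value) in enumerate(tx["outputs"]):
                outputs[(tx["txid"], idx)] = (value, {addr: 1.0})
                received[addr].append(outputs[(tx["txid"], idx)])
            continue
        mixed, total_in = defaultdict(float), 0.0
        for ref in tx["inputs"]:
            value, taint = outputs[ref]
            total_in += value
            for origin, frac in taint.items():
                mixed[origin] += value * frac
        # multi-input / multi-output rule: every output inherits the same
        # value-weighted mixture of the inputs' taint
        out_taint = {origin: amount / total_in for origin, amount in mixed.items()}
        for idx, (addr, value) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], idx)] = (value, out_taint)
            received[addr].append((value, out_taint))
    return received


def taint_score(received, source, target):
    """Fraction of all value ever received by `target` that originated at `source`."""
    total = sum(value for value, _ in received[target])
    if total == 0:
        return 0.0
    return sum(value * taint.get(source, 0.0) for value, taint in received[target]) / total


if __name__ == "__main__":
    rec = propagate_taint(SAMPLE_TXS)
    for src, dst in [("S", "M"), ("S", "R"), ("X", "R"), ("S", "Y")]:
        print(f"taint({src} -> {dst}) = {taint_score(rec, src, dst):.3f}")
```

M receives only coins from S, so its score is 1.0; R received 10 BTC that came via M from S and 2 BTC from X, so its taint from S is 10/12 even though S never paid R directly.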
4 List the different ways to De-anonymize Bitcoin. 2 CO3 R
Linking
Attaching real-world identities to clusters
Tagging by transacting
Identifying individuals
Network-layer deanonymization
5 Define Transaction graph analysis. 2 CO3 R
The deanonymization techniques we’ve examined so far are all based on analyzing the graphs of transactions in the block chain. They are collectively known as transaction graph analysis.
6 State Mixing. 2 CO3 R
Users send coins to an intermediary and get back coins that were deposited by other users. This makes it harder to trace a user’s coins on the block chain.
7 Recall De-centralized mixing. 2 CO3 R
Decentralized mixing is the idea of getting rid of mixing services and replacing them with a peer-to-peer protocol by which a group of users can mix their coins. As you can imagine, this approach is better philosophically aligned with Bitcoin.
8 List the steps involved in Coinjoin. 2 CO3 R
1. Find peers who want to mix
2. Exchange input/output addresses
3. Construct transaction
4. Send the transaction around. Each peer signs after verifying their output is present.
5. Broadcast the transaction
9 Define Coinjoin. 2 CO3 R
The main proposal for decentralized mixing is called Coinjoin. In this protocol, different users jointly create a single Bitcoin transaction that combines all of their inputs. The key technical principle that enables Coinjoin to work is this: when a transaction has multiple inputs coming from different addresses, the signatures corresponding to each input are separate from and independent of each other.
10 Recall the Dedicated Mixing services. 2 CO3 R
You send bitcoins to an address provided by the mix, and you tell the mix a destination address to send bitcoins to. Hopefully the mix will soon send you (other) bitcoins at the address you specified. It’s essentially a swap.
11 List some ways of decentralized mixing. 2 CO3 R
Coinjoin
Finding peers
Exchanging addresses
Collecting signatures and denial of service
12 What is called merge avoidance? 2 CO3 R
One technique that can help regain unlinkability in the presence of
high-level flows is called merge avoidance, proposed by Bitcoin
developer Mike Hearn.
13 Differentiate Basecoin and Zerocoin. 2 CO3 R
Basecoin is the currency that you transact in and Zerocoin just provides a mechanism to trade your basecoins in for new ones that are unlinkable to the old ones.
14 Write down the steps for Mining a Zerocoin. 2 CO3 R
1. Generate serial number S and a random secret r
2. Compute Commit(S, r), the commitment to the serial number
3. Publish the commitment onto the block chain
15 Give the comparison of the anonymity technologies. 2 CO3 R
System                       Type               Anonymity attacks                            Deployability
Bitcoin                      pseudonymous       transaction graph analysis                   default
Manual mixing                mix                transaction graph analysis, bad mixes/peers  usable today
Chain of mixes or coinjoins  mix                side channels, bad mixes/peers               bitcoin-compatible
Zerocoin                     cryptographic mix  side channels (possibly)                     altcoin, trusted setup
Zerocash                     untraceable        none known                                   altcoin, trusted setup
16 State Zero Cash. 2 CO3 R
Zerocash is a different anonymous cryptocurrency that builds on the concept of Zerocoin but takes the cryptography to the next level. It uses a cryptographic technique called zero-knowledge SNARKs (zk-SNARKs) which are a way of making zero-knowledge proofs much more compact and efficient to verify.
17 Give diagrammatic representation of mixing. 2 CO3 R
(diagram omitted)
18 What is pseudonymity? 2 CO3 R
Pseudonymity means an individual is using a fake name to identify
themselves or their actions. Bitcoin is based on an open, publicly
auditable database of transactions. In the language of computer science,
this middle ground of using an identity that is not your real name is
called pseudonymity.
19 Recall about finding peers step in coinjoin. 2 CO3 R
A group of peers who all want to mix need to find each other. This can be facilitated by servers acting as “watering-holes,” allowing users to connect and group together. Unlike centralized mixes, these servers are not in a position to steal users’ funds or compromise anonymity.
20 Infer Unlinkability. 2 CO3 R
Unlinkability is a property that’s defined with respect to the capabilities of a specific adversary. Intuitively, unlinkability means that if a user interacts with the system repeatedly, these different interactions should not be able to be tied to each other from the point of view of the adversary in consideration.
PART- B
Q.No. Questions Marks CO BL
1. Explain How to De-anonymize Bitcoin in detail. 16 CO3 U
Linking
To pay for the teapot, Alice has to create a single transaction having inputs that are at two different addresses. In doing so, Alice reveals that these two addresses are controlled by a single entity.
Change address
To pay for the teapot, Alice has to create a transaction with one
output that goes to the merchant and another output that sends
change back to herself.
Idioms of use. Implementation details of this sort are called “idioms of
use”. In 2013, a group of researchers found an idiom of use that was
true of most wallet software, and led to a powerful heuristic for
identifying change addresses.
Tagging by transacting. What about just visiting the website for
each exchange or merchant and looking up the address they
advertise for receiving bitcoins? That doesn't quite work,
however, because most services will advertise a new address for
every transaction and the address shown to you is not yet in the
block chain. There’s no point in waiting, either, because that
address will never be shown to anyone else.
The only way to reliably infer addresses is to actually transact
with that service provider — depositing bitcoins, purchasing an
item, and so on. When you send bitcoins to or receive bitcoins
from the service provider, you will now know one of their
addresses, which will soon end up in the block chain (and in one
of the clusters). You can then tag that entire cluster with the
service provider’s identity.
This is exactly what the Fistful of Bitcoins researchers (and others since) have done.
Identifying individuals. The next question is: can we do the same
thing for individuals? That is, can we connect little clusters
corresponding to individuals to their real-life identities?
Directly transacting. Anyone who transacts with an individual —
an online or offline merchant, an exchange, or a friend who splits
a dinner bill using Bitcoin — knows at least one address
belonging to them.
Via service providers. In the course of using Bitcoin over a few months or years, most users will end up interacting with an exchange or another centralized service provider. These service providers typically ask users for their identities — often they’re legally required to, as we’ll see in the next chapter. If law enforcement wants to identify a user, they can turn to these service providers.
Carelessness. People often post their Bitcoin addresses in public
forums. A common reason is to request donations. When
someone does this it creates a link between their identity and
one of their addresses. If they don’t use the anonymity services
that we’ll look at in the following sections, they risk having all
their transactions de-anonymized.
Things get worse over time. History shows that
deanonymization algorithms usually improve over time when
the data is publicly available as more researchers study the
problem and identify new attack techniques. Besides, more
auxiliary information becomes available that attackers can use
to attach identities to clusters. This is something to worry about
if you care about privacy.
The deanonymization techniques we’ve examined so far are all
based on analyzing the graphs of transactions in the block chain.
They are collectively known as transaction graph analysis.
Network-layer deanonymization. There’s a completely different
way in which users can get deanonymized that does not rely on
the transaction graph. Recall that in order to post a transaction
to the block chain, one typically broadcasts it to Bitcoin’s peer-
to-peer network where messages are sent around that don't
necessarily get permanently recorded in the block chain.
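The linking, tagging and merge-avoidance points above (and the matching Part A answers on de-anonymization and merge avoidance) can be seen working together in a small added Python model; this is example code written for this page, not the Fistful of Bitcoins tooling or the textbook's own material. The shared-input heuristic is implemented as union-find over addresses: every input of one transaction is assumed to belong to the same entity, one address learned by transacting with a service tags its whole cluster, and the teapot payment shows how merge avoidance keeps two addresses out of one cluster. All addresses and transactions are constructed.

```python
class AddressClusters:
    """Union-find over addresses: one set per presumed controlling entity."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_a] = root_b

    def add_transaction(self, input_addresses):
        # Shared-input heuristic: one entity signed every input of this
        # transaction, so all of its input addresses are linked together.
        first = self.find(input_addresses[0])
        for other in input_addresses[1:]:
            self.union(first, other)

    def cluster_of(self, addr):
        root = self.find(addr)
        return frozenset(a for a in self.parent if self.find(a) == root)


def tag_clusters(clusters, known):
    """known: address -> identity learned by transacting with that service.
    Returns address -> identity for every member of each tagged cluster."""
    labels = {}
    for addr, identity in known.items():
        for member in clusters.cluster_of(addr):
            labels[member] = identity
    return labels


def analyse_sample():
    # Constructed transactions as lists of input addresses; outputs are
    # omitted because this heuristic only looks at inputs.
    txs = [
        ["a1", "a2"],     # Alice merges two coins into one payment
        ["a2", "a3"],     # a later payment of hers links a third address
        ["ex1", "ex2"],   # an exchange spends two of its coins together
        ["b1"],           # a single-input payment links nothing
    ]
    clusters = AddressClusters()
    for tx in txs:
        clusters.add_transaction(tx)
    # The analyst deposited at the exchange and learned that ex2 is theirs;
    # the label spreads to ex1 through the cluster.
    labels = tag_clusters(clusters, {"ex2": "ExchangeCo (learned by transacting)"})
    return clusters, labels


def merge_avoidance_demo(avoid_merge):
    """Pay 8 BTC from coins of 5 BTC at a1 and 3 BTC at a2. With merge avoidance
    the payer makes two single-input payments to two merchant addresses instead
    of one two-input transaction. Returns True if a1 and a2 end up linked."""
    clusters = AddressClusters()
    if avoid_merge:
        clusters.add_transaction(["a1"])          # 5 BTC to merchant address 1
        clusters.add_transaction(["a2"])          # 3 BTC to merchant address 2
    else:
        clusters.add_transaction(["a1", "a2"])    # 8 BTC in one transaction
    return clusters.cluster_of("a1") == clusters.cluster_of("a2")


if __name__ == "__main__":
    clusters, labels = analyse_sample()
    print("cluster of a1:", sorted(clusters.cluster_of("a1")))
    print("tagged:", labels)
    print("linked without merge avoidance:", merge_avoidance_demo(False))
    print("linked with merge avoidance:", merge_avoidance_demo(True))
```

The same code is what a privacy-conscious wallet author can use to check their own coin-selection logic: any time two of a user's addresses appear as inputs of one transaction, they are permanently linked on the public block chain.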
2. Describe the set of principles for improving the way that mixes operate. 16 CO3 U
Use a series of mixes. The first principle is to use a series of mixes,
one after the other, instead of just a single mix. This is a well-known
and well-established principle — for example, Tor, as we’ll see in a bit,
uses a series of 3 routers for anonymous communication. This reduces
your reliance on the trustworthiness of any single mix.
Uniform transactions. If mix transactions by different users had
different quantities of bitcoins, then mixing wouldn’t be very
effective. Since the value going into the mix and coming out of a
mix would have to be preserved, it will enable linking a user’s
coins as they flow through the mix, or at least greatly diminish
the size of the anonymity set.
Client side should be automated. In addition to trying to link
coins based on transaction values, a clever adversary can
attempt various other ways to de-anonymize, for example, by
observing the timing of transactions. These attacks can be
avoided, but the precautions necessary are too complex and
cumbersome for human users. Instead, the client-side
functionality for interacting with mixes should be automated and
built into privacy-friendly wallet software.
Fees should be all-or-nothing. Mixes are businesses and expect
to get paid. One way for a mix to charge fees is to take a cut of
each transaction that users send in. But this is problematic for
anonymity, because mix transactions can no longer be in standard
chunk sizes. (If users try to split and merge their slightly-smaller
chunks back to the original chunk size, it introduces serious and
hard-to-analyze anonymity risks because of the new linkages between
coins that are introduced.)
To avoid this problem, mixing fees should be all-or-nothing, and
applied probabilistically. In other words, the mix should swallow the
whole chunk with a small probability or return it in its entirety.
Mixing in practice. As of 2015, there isn’t a functioning mix
ecosystem. There are many mix services out there, but they have low
volumes and therefore small anonymity sets. Worse, many mixes have
been reported to steal bitcoins.
Today’s mixes don’t follow any of the principles we laid out. Each mix operates independently and typically provides a web interface, with which the user interacts manually to specify the receiving address and any other necessary parameters.
The user gets to choose the amount that they would like to mix.
The mix will take a cut of every transaction as a mixing fee and
send the rest to the destination address.
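The "series of mixes", "uniform transactions" and "all-or-nothing fees" principles above can be checked numerically. The following Python simulation is an added example for this page (it is not from the textbook and models no real mix): two users pass through a chain of two mixes and two more join at the second mix; with a proportional fee their chunks shrink to a non-standard size that an observer can separate from the newcomers' chunks, whereas an all-or-nothing fee keeps every surviving chunk at the standard size, so the anonymity set is the whole batch. The participant names, chunk size and fee rate are constructed.

```python
import random
from collections import Counter

CHUNK = 1.0          # standard chunk size every mix transaction should use
FEE_RATE = 0.01      # 1% fee, charged two different ways below


def proportional_fee(chunk, rate, rng):
    """The mix takes a cut of every chunk: the output is no longer a standard size."""
    return round(chunk * (1.0 - rate), 8)


def all_or_nothing_fee(chunk, rate, rng):
    """The mix swallows the whole chunk with probability `rate`, else returns it intact."""
    return 0.0 if rng.random() < rate else chunk


def mix_round(chunks, fee, rate, rng):
    """One mix: charge the fee on each (owner, value) chunk and shuffle the outputs."""
    outputs = [(owner, fee(value, rate, rng)) for owner, value in chunks]
    outputs = [(owner, value) for owner, value in outputs if value > 0.0]
    rng.shuffle(outputs)
    return outputs


def anonymity_set_sizes(outputs):
    """Per owner: how many outputs an observer cannot tell apart from theirs by value."""
    by_value = Counter(value for _, value in outputs)
    return {owner: by_value[value] for owner, value in outputs}


def chain_of_mixes(fee, rate, seed=7):
    """Alice and Bob use two mixes in series; Carol and Dave join at the second."""
    rng = random.Random(seed)
    first = mix_round([("alice", CHUNK), ("bob", CHUNK)], fee, rate, rng)
    second = mix_round(first + [("carol", CHUNK), ("dave", CHUNK)], fee, rate, rng)
    return anonymity_set_sizes(second)


def average_fee(fee, rate, trials=20000, seed=7):
    """Both fee schemes cost the user the same amount on average."""
    rng = random.Random(seed)
    return sum(CHUNK - fee(CHUNK, rate, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("proportional fee:", chain_of_mixes(proportional_fee, FEE_RATE))
    print("all-or-nothing fee:", chain_of_mixes(all_or_nothing_fee, FEE_RATE))
    print("average cost, proportional:", round(average_fee(proportional_fee, FEE_RATE), 4))
    print("average cost, all-or-nothing:", round(average_fee(all_or_nothing_fee, FEE_RATE), 4))
```

With the proportional fee, Alice and Bob leave the second mix holding 0.9801 BTC while Carol and Dave hold 0.99 BTC, so each pair can only hide among themselves; with the all-or-nothing fee every chunk that comes out is exactly 1.0 BTC.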
3. Explain the concepts of Mixing Cryptocurrency. 16 CO3 U
There are several mechanisms that can make transaction graph
analysis less effective. One such technique is mixing, and the
intuition behind it is very simple: if you want anonymity, use an
intermediary. This principle is not specific to Bitcoin and is
useful in many situations where anonymity is a goal.
Mixing. Users send coins to an intermediary and get back coins
that were deposited by other users. This makes it harder to trace a
user’s coins on the block chain.
Online wallets as mixes. If you recall our discussion of online
wallets, they may seem to be suitable as intermediaries. Online
wallets are services where you can store your bitcoins online and
withdraw them at some later date. Typically the coins that you
withdraw won’t be the same as the coins you deposited. Do
online wallets provide effective mixing, then?
Online wallets do provide a measure of unlinkability which can
foil attempts at transaction graph analysis — in one case,
prominent researchers had to retract a claim that had received a
lot of publicity because the link they thought they’d found was a
spurious one caused by an online wallet.
On the other hand, there are several important limits to using
online wallets for mixing. First, most online wallets don’t actually
promise to mix users’ funds; instead, they do it because it
simplifies the engineering.
Second, even if they do mix funds, they will almost certainly maintain
records internally that will allow them to link your deposit to your
withdrawal. This is a prudent choice for wallet services for reasons of
both security and legal compliance. So if your threat model includes the
possibility of the service provider itself tracking you, or getting hacked,
or being compelled to hand over their records, you’re back to square
one.
Third, in addition to keeping logs internally, reputable and
regulated services will also require and record your identity
(we’ll discuss regulation in more detail in the next chapter). You
won’t be able to simply create an account with a username and
password. So in one sense it leaves you worse off than not using
the wallet service. That’s why we called out the tension between
centralization and anonymity in the previous section.
The anonymity provided by online wallets is similar to that
provided by the traditional banking system. There are
centralized intermediaries that know a lot about our transactions,
but from the point of view of a stranger with no privileged
information we have a reasonable degree of privacy.
But as we discussed, the public nature of the block chain means
that if something goes wrong (say, a wallet or exchange service
gets hacked and records are exposed), the privacy risk is worse
than with the traditional system.
Besides, most people who turn to Bitcoin for anonymity tend to
do so because they are unhappy with anonymity properties of the
traditional system and want a better (or a different kind of)
anonymity guarantee. These are the motivations behind dedicated
mixing services.
4. Discuss in detail Decentralized mixing. 16 CO3 U
Decentralized mixing is the idea of getting rid of mixing
services and replacing them with a peer-to-peer protocol
by which a group of users can mix their coins. As you
can imagine, this approach is better philosophically
aligned with Bitcoin.
Decentralization also has more practical advantages. First, it
doesn’t have the bootstrapping problem: users don’t have to wait
for reputable centralized mixes to come into existence. Second,
theft is impossible in decentralized mixing; the protocol ensures
that when you put in bitcoins to be mixed, you’ll get bitcoins
back of equal value.
Because of this, even though some central coordination turns out
to be helpful in decentralized mixing, it’s easier for someone to
set up such a service because they don’t have to convince users
that they’re trustworthy. Finally, in some ways decentralized
mixing can provide better anonymity.
Coinjoin. The main proposal for decentralized mixing is called
Coinjoin. In this protocol, different users jointly create a single Bitcoin
transaction that combines all of their inputs. The key technical
principle that enables Coinjoin to work is this: when a transaction has
multiple inputs coming from different addresses, the signatures
corresponding to each input are separate from and independent of each
other. So these different addresses could be controlled by different
people. You don’t need one party to collect all of the private keys.
This allows a group of users to mix their coins with a single
transaction. Each user supplies an input and output address and
together they form a transaction with these addresses. The order of the
input and output addresses is randomized so an outsider will be unable
to determine the mapping between inputs and outputs.
Participants check that their output address is included in the
transaction and that it receives the same amount of Bitcoin that they
are inputting (minus any transaction fees). Once they have confirmed
this, they sign the transaction.
An outsider who is not a participant in the Coinjoin transaction will be unable to determine the mapping between the inputs and outputs. From an outsider’s perspective the coins have been mixed, which is the essence of Coinjoin.
5. Summarise the steps involved in coinjoin in detail. 16 CO3 U
Coinjoin, which can be broken into 5 steps:
1. Find peers who want to mix
2. Exchange input/output addresses
3. Construct transaction
4. Send the transaction around. Each peer signs after verifying
their output is present.
5. Broadcast the transaction
Finding peers. First, a group of peers who all want to mix need to find each other. This can be facilitated by servers acting as “watering-holes,” allowing users to connect and group together. Unlike centralized mixes, these servers are not in a position to steal users’ funds or compromise anonymity.
Exchanging addresses. Once a peer group has formed, the peers must
exchange their input and output addresses with each other. It’s
important for participants to exchange these addresses in such a way
that even the other members of the peer group do not know the
mapping between input and output addresses.
Collecting signatures and denial of service. Once the inputs and
outputs have been communicated, one of these users — it doesn't
matter who — will then construct the transaction corresponding
to these inputs and outputs. The unsigned transaction will then be
passed around; each peer will verify that its input and output
address are included correctly, and sign.
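The five Coinjoin steps above (and the Coinjoin answers in Part A) are exercised by the following added Python model, written for this page rather than taken from any Coinjoin implementation. One peer assembles an unsigned transaction with shuffled inputs and outputs, the transaction is passed around, and each peer signs only its own input, and only after confirming that its input and its output (less its share of the fee) are present. The signature is an HMAC with a per-peer key, a stand-in for the ECDSA signature a real transaction would carry; the participants, addresses, amounts and keys are constructed.

```python
import hashlib
import hmac
import json
import random


def tx_digest(tx):
    """Hash of the unsigned transaction body (inputs and outputs only)."""
    body = json.dumps({"inputs": tx["inputs"], "outputs": tx["outputs"]}, sort_keys=True)
    return hashlib.sha256(body.encode()).digest()


class Peer:
    """One participant: an input coin, a fresh output address and a signing key."""

    def __init__(self, name, input_addr, amount, output_addr, key):
        self.name, self.input_addr, self.amount = name, input_addr, amount
        self.output_addr, self.key = output_addr, key   # key: constructed stand-in for a private key

    def sign_if_valid(self, tx, fee_share):
        """Sign only after checking that my input and my output (less fee) are present."""
        expected_out = [self.output_addr, round(self.amount - fee_share, 8)]
        if expected_out not in tx["outputs"] or [self.input_addr, self.amount] not in tx["inputs"]:
            return None  # refusing to sign blocks the whole transaction
        # Stand-in for an ECDSA signature over the digest with this peer's key.
        # Each input's signature is independent of the others, which is what lets
        # peers who never share private keys build one transaction together.
        return hmac.new(self.key, tx_digest(tx), "sha256").hexdigest()


def build_coinjoin(peers, fee_share, rng):
    """Any one peer assembles the unsigned transaction; the orders are shuffled so
    an outsider cannot match inputs to outputs by position."""
    inputs = [[p.input_addr, p.amount] for p in peers]
    outputs = [[p.output_addr, round(p.amount - fee_share, 8)] for p in peers]
    rng.shuffle(inputs)
    rng.shuffle(outputs)
    return {"inputs": inputs, "outputs": outputs, "signatures": {}}


def collect_signatures(tx, peers, fee_share):
    """Pass the transaction around; it is broadcast-ready only if every peer signs."""
    for peer in peers:
        sig = peer.sign_if_valid(tx, fee_share)
        if sig is None:
            return False
        tx["signatures"][peer.input_addr] = sig
    return len(tx["signatures"]) == len(tx["inputs"])


def make_peers():
    # Constructed participants, all mixing the standard chunk of 1.0 BTC.
    return [
        Peer("alice", "in_a", 1.0, "out_a", b"key-a"),
        Peer("bob", "in_b", 1.0, "out_b", b"key-b"),
        Peer("carol", "in_c", 1.0, "out_c", b"key-c"),
    ]


def honest_run(seed=3):
    peers = make_peers()
    tx = build_coinjoin(peers, 0.0001, random.Random(seed))
    return collect_signatures(tx, peers, 0.0001), tx


def tampered_run(seed=3):
    """The assembler replaces Bob's output with its own address: Bob refuses to sign."""
    peers = make_peers()
    tx = build_coinjoin(peers, 0.0001, random.Random(seed))
    tx["outputs"] = [["out_mallory" if addr == "out_b" else addr, v] for addr, v in tx["outputs"]]
    return collect_signatures(tx, peers, 0.0001), tx


if __name__ == "__main__":
    ok, tx = honest_run()
    print("honest round signed by all:", ok, "->", tx["outputs"])
    ok, tx = tampered_run()
    print("tampered round signed by all:", ok, "signatures:", len(tx["signatures"]))
```

The refusal in the tampered run is exactly the denial-of-service lever the heading mentions: any single peer can stall the round by withholding its signature, which is why practical designs must detect and exclude unresponsive peers.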
High-level flows. We mentioned side channels earlier. We’ll now take
a closer look at how tricky side channels can be. Let's say Alice
receives a very specific amount of bitcoins, say 43.12312 BTC, at a
particular address on a weekly basis, perhaps as her salary.
Suppose further that she has a habit of automatically and immediately
transferring 5% of that amount to her retirement account, which is
another Bitcoin address. We call this transfer pattern a high-level flow.
Merge avoidance. Alice wishes to buy a teapot for 8 BTC. The store gives her two addresses and she pays 5 to one and 3 to the other, matching her available input funds. This prevents revealing that these two addresses both belong to Alice.
One technique that can help regain unlinkability in the presence of
high-level flows is called merge avoidance, proposed by Bitcoin
developer Mike Hearn. Generally, to make a payment, a user creates a
single transaction that combines as many coins as necessary in order to
pay the entire amount to a single address.
6. Explain the concepts of Mining and spending the zerocoin in detail. 16 CO3 U
Zerocoin is an extension of an altcoin called Basecoin. The key feature that provides anonymity is that you can convert basecoins into zerocoins and back again, and when you do that, it breaks the link between the original basecoin and the new basecoin.
Minting Zerocoins. Zerocoins come into existence by minting,
and anybody can mint a zerocoin. They come in standard
denominations. For simplicity, we’ll assume that there is only one
denomination worth 1.0 zerocoins, and that each zerocoin is
worth one basecoin. While anyone can mint a Zerocoin,
just minting one doesn’t automatically give it any value — you
can't get free money. It acquires value only when you put it onto
the block chain, and doing that will require giving up one
basecoin.
To mint a Zerocoin, you use a cryptographic commitment. Recall
from Chapter 1 that a commitment scheme is the cryptographic
analog of sealing a value in an envelope and putting it on a table
in everyone’s view.
Minting a zerocoin is done in three steps:
1. Generate serial number S and a random secret r
2. Compute Commit(S, r), the commitment to the serial number
3. Publish the commitment onto the block chain as shown
in Figure 6.12. This burns a basecoin, making it
unspendable, and creates a Zerocoin. Keep S and r secret
for now.
Putting a zerocoin on the block chain. To put a zerocoin on the
blockchain, you create a special ‘mint’ transaction whose output
‘address’ is the cryptographic commitment of the zerocoin’s
serial number. The input of the mint transaction is a basecoin,
which has now been spent in creating the zerocoin. The
transaction does not reveal the serial number.
To spend a zerocoin and redeem a new basecoin, you need to
prove that you previously minted a zerocoin. You could do this
by opening your previous commitment, that is, revealing S and r.
But this makes the link between your old basecoin and your new
basecoin apparent. How can we break the link?
This is where the zero-knowledge proof comes in. At any point,
there will be many commitments on the block chain — let’s call
them c1,c2,...,cn.
Here are the steps that go into spending a zerocoin with serial number
S to redeem a new basecoin:
● Create a special “spend” transaction that contains S, along
with a zero-knowledge proof of the statement:
“I know r such that Commit(S, r) is in the set
{c1,c2,...,cn}”.
● Miners will verify your zero-knowledge proof which
establishes your ability to open one of the zerocoin
commitments on the block chain, without actually opening
it.
● Miners will also check that the serial number S has
never been used in any previous spend transaction
(since that would be a double-spend).
● The output of your spend transaction will now act as a
new basecoin. For the output address, you should use an
address that you own.
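The mint and spend steps above are carried through in the following added Python example, written for this page; it is not the Zerocoin construction itself (real Zerocoin uses an RSA accumulator and much larger parameters) and not code from the textbook. Commit(S, r) is a Pedersen-style commitment G^S * H^r in a constructed toy Schnorr group (p = 1019, q = 509, far too small for real use), and the statement "I know r such that Commit(S, r) is in {c1, ..., cn}" is proved with a one-of-many Schnorr OR-proof, which reveals S but not which commitment is being opened. The ledger performs the two miner-side checks: the proof verifies, and the serial number S has never been spent before.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1; G and H are squares mod p, so both generate
# the order-q subgroup. Real deployments need parameters thousands of bits long.
P, Q, G, H = 1019, 509, 4, 9


def commit(serial, r):
    """Commit(S, r) = G^S * H^r mod P (hiding by r, binding if log_G(H) is unknown)."""
    return pow(G, serial, P) * pow(H, r, P) % P


def _challenge(serial, announcements):
    data = f"{serial}:" + ",".join(str(a) for a in announcements)
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % Q


def _shifted(commitments, serial):
    # D_j = C_j / G^S. For the spender's own commitment D_i = H^r; the rest are unrelated.
    inv_gs = pow(pow(G, serial, P), P - 2, P)
    return [c * inv_gs % P for c in commitments]


def prove_spend(commitments, serial, r):
    """OR-proof of 'I know r with Commit(S, r) in {c1..cn}' without revealing which."""
    i = commitments.index(commit(serial, r))
    d = _shifted(commitments, serial)
    n = len(commitments)
    a, e, z = [0] * n, [0] * n, [0] * n
    for j in range(n):
        if j != i:  # simulate every clause we cannot actually prove
            e[j], z[j] = secrets.randbelow(Q), secrets.randbelow(Q)
            a[j] = pow(H, z[j], P) * pow(d[j], Q - e[j], P) % P
    w = secrets.randbelow(Q)
    a[i] = pow(H, w, P)
    e[i] = (_challenge(serial, a) - sum(e[j] for j in range(n) if j != i)) % Q
    z[i] = (w + e[i] * r) % Q
    return a, e, z


def verify_spend(commitments, serial, proof):
    a, e, z = proof
    if not (len(a) == len(e) == len(z) == len(commitments)):
        return False
    if sum(e) % Q != _challenge(serial, a):
        return False
    d = _shifted(commitments, serial)
    return all(pow(H, z[j], P) == a[j] * pow(d[j], e[j], P) % P for j in range(len(d)))


class ToyZerocoinLedger:
    def __init__(self, basecoins):
        self.basecoins = dict(basecoins)   # address -> basecoin balance (constructed)
        self.commitments = []              # c1, c2, ..., cn published by mint transactions
        self.spent_serials = set()

    def mint(self, payer):
        """Burn one basecoin and publish Commit(S, r); the minter keeps (S, r) secret."""
        if self.basecoins.get(payer, 0) < 1:
            raise ValueError("no basecoin to burn")
        self.basecoins[payer] -= 1
        serial, r = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
        self.commitments.append(commit(serial, r))
        return serial, r

    def spend(self, serial, proof, output_address):
        """Miner-side checks for a spend transaction: fresh serial and a valid proof."""
        if serial in self.spent_serials:            # double-spend attempt
            return False
        if not verify_spend(self.commitments, serial, proof):
            return False
        self.spent_serials.add(serial)
        self.basecoins[output_address] = self.basecoins.get(output_address, 0) + 1
        return True


if __name__ == "__main__":
    ledger = ToyZerocoinLedger({"alice": 1, "bob": 1})
    s_a, r_a = ledger.mint("alice")
    ledger.mint("bob")
    proof = prove_spend(ledger.commitments, s_a, r_a)
    print("first spend accepted:", ledger.spend(s_a, proof, "alice_fresh"))
    print("second spend of same serial accepted:", ledger.spend(s_a, proof, "alice_fresh"))
```

The proof exposes only S and the n announcement values, so the ledger learns that one of the n commitments was opened but not which; the serial number is what makes reuse detectable, which is why it must be published on spend.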