Bitcoin is a permanent open ledger whose privacy features have mostly been defeated by blockchain analysis. Every transaction, after being confirmed into a block, is considered final (though some will argue that waiting for six confirmations is the more conservative way to guarantee permanence). And once this transaction has been added to the ledger, anyone can analyze it for as long as the network stays online — and this scrutiny can continue offline if someone stores a complete copy of the blockchain. In other words, Bitcoin is a pseudonymous panopticon which derives its privacy from the idea of deniability: the more users participate in the system and accept to be paid directly for BTC, the harder it becomes to certainly associate addresses and transactions with identities of real people.
But in the era of blockchain analysis, when most on-ramps and off-ramps are subjected to KYC/AML procedures, breaking the deniability is easier than ever. And privacy, while it appears to be decent at the moment when the transaction occurs, can only degrade over time as the sender and the recipient may accidentally or willingly divulge more information later on. Satoshi himself wrote this in the whitepaper: ”some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking would reveal other transactions that belonged to the same owner” [1].
While some self-described ”toxic maximalists” will argue that Bitcoin is inherently fungible at the protocol level and discrimination is only an issue at the social layer, it’s nearly impossible to not distinguish between monetary units while the origins are clear. In June 2024, PayPal co-founder Peter Thiel has made one of the most candid observations on the topic: ”when people in the FBI tell me that they’d much rather have criminals use Bitcoin than $100 bills, it suggests that maybe it’s not quite working the way it was supposed to” [2].
Regardless of this depressing status-quo, there are three types of arguments to be made in favor of Bitcoin’s aspirations to become a private digital currency: the first one concerns the history and origins of the project, the second one is about sound money and the requirement to obtain fungibility, and the third is about some efforts that developers have made over the years.
First, let’s begin with Bitcoin’s history: In an e-mail that he sent to b-money inventor Wei Dai in August 2008, Satoshi Nakamoto attached a document called ”ecash.pdf” [3] — an early draft of the Bitcoin whitepaper whose working title implies the creation of a decentralized approach to David Chaum’s privacy-friendly electronic cash system. At chapter 10, just like in the final draft of the Bitcoin whitepaper which was revealed to the world on October 31st, readers can find a rather naive but useful description of how bitcoiners can transact with a degree of privacy: every time a user receives bitcoins, he should generate a new ”public key” whose purpose and identity are known only by the sender. This method was also demonstrated by Satoshi Nakamoto while he mined blocks: currently, the ”1 million BTC” theory is a mere assumption that Sergio Demian Lerner has made during his Patoshi research in 2013 [4]. We cannot know for certain how many blocks were discovered by Satoshi, as every coinbase reward of 50 BTC was sent to a different address.
According to professional software engineers who analyzed version 0.1 of the Bitcoin software, Satoshi Nakamoto was not a seasoned C++ developer. He created a system that was pieced together from open source libraries, included a broken game of poker and a peer to peer marketplace, and was only available on Windows. It took the efforts of other developers such as Hal Finney, Gavin Andresen, Jeff Garzik, Mike Hearn, Wladimir van Der Laan, Gregory Maxwell, and Laszlo Hanyecz to refine the code, break it down into manageable chunks, and port it to Linux, MacOS, and mobile platforms. Satoshi Nakamoto’s amateurish work was attested by early contributor Jeff Garzik [5] and Libbitcoin maintainer Eric Voskuil [6].
Based on these observations, as well as some e-mail exchanges in which Satoshi appeared to be insecure about his project and seemed to look up to Hal Finney, we know that the Bitcoin creator wasn’t some time-traveling alien AI who invented digital alchemy (as Saylorists seem to believe) and he wasn’t a CIA/NSA professional either. Satoshi didn’t invent or write from scratch the building blocks of Bitcoin: elliptic curve digital signatures, Merkle trees, SHA256, Proof of Work, public key cryptography, peer to peer networks, electronic cash and blockchains were all available as separate iterations that served disparate purposes. But he did want Bitcoin to be a decentralized version of Chaumian ecash — a true holy grail among the cypherpunk community.
The above paragraph, though it may seem unnecessary in the context of a discussion on privacy, is useful in providing context for what kind of software developer Satoshi was and what his intentions were. We do know that he wanted his system to have privacy, but at the same time he wasn’t the best coder or cryptographer around. He merely used the open source libraries that were available to him at the time. And most of the privacy technology that emerged later (ring signatures, zero knowledge proofs, MimbleWimble, confidential transactions, ZK rollups) marks an attempt to improve on a rough software stack and bring it closer to its intended purpose.
We know with certainty that Satoshi Nakamoto cared about improving Bitcoin’s privacy because, during his short tenure as lead developer and educator in chief he provided feedback to some early improvement proposals. This intellectual contribution is frequently pointed out by Monero fans, who claim that their network of choice also follows the writings of Satoshi.
On August 11th 2010, as part of Bitcoin Talk’s 770th thread (titled ”Not a suggestion”), Satoshi Nakamoto replied to users Red and Insti who proposed using Zero Knowledge Proofs to minimize the amount of transaction data being stored by full nodes. Initially, the Bitcoin creator made a pretty interesting suggestion: ”if a solution was found, a much better, easier, more convenient implementation of Bitcoin would be possible.” [7]
Two days later, under the same forum topic, Satoshi described three elements that lay at the foundation of today’s Monero and ZCash:
”Can public nodes see the values of transactions?” — a condition which later inspired the creation of Confidential Transactions
”When paying to a bitcoin address, you would generate a new blinded key for each use” — a vague description of stealth/shielded addresses and Silent Payments, as well as one-time public keys.
”I think that’s where group signatures comes in. With group signatures, it is possible for something to be signed but not know who signed it.” — a description of what would later become ring signatures in Monero and mixing pools in ZCash (as well as CoinJoins in Bitcoin).
Satoshi Nakamoto didn’t only answer to the comments posted by the users, he also proved that he’s been researching the topics and presented the limitations of his discovery: ”Crypto may offer a way to do ‘key binding’. I did some research and it was obscure, but there may be something there. ‘Group signatures’ may be related.”
As always, the Bitcoin creator presented a practical example to spark the imagination of the contributors: “say some unpopular military attack has to be ordered, but nobody wants to go down in history as the one who ordered it. If 10 leaders have private keys, one of them could sign the order and you wouldn’t know who did it.”
Satoshi also encouraged others to find a solution to a problem he couldn’t solve during his short tenure as lead developer: “The challenge is, how do you prove that no other spends exist? It seems a node must know about all transactions to be able to verify that. If it only knows the hash of the in/outpoints, it can’t check the signatures to see if an outpoint has been spent before. Do you have any ideas on this?”
Hal Finney, legendary PGP coder and the first notable cypherpunk to give Bitcoin a chance, is responsible for putting out the famous “Running bitcoin” tweet — published on January 11th 2009. But only 10 days later, he wrote about a lesser known but equally significant effort: “Looking at ways to add more anonymity to bitcoin” [8]
This post was sent out to the world two years before Silk Road was launched, and it would take five years for the intelligence company Chainalysis to get founded. Without fueling any “Hal Finney was Satoshi” theories, it’s worth noting that his early concerns were valid and haven’t been invalidated yet. Bitcoin never received more anonymity — just a little bit more deniability via transaction obfuscation.
Now let’s talk about the properties of sound money — a status which Bitcoin unquestionably aspires to attain. Even in the event that it scales down its purpose to remain a store of value, a certain degree of fungibility is still required. Currently, discrimination of transactions is possible at the validator and block producer level: nodes can choose to filter out transactions of arbitrary types or coming from a certain source, while miners can ignore transactions that they don’t like.
The reason why Bitcoin still works as designed is the incentive system: it’s relatively easy for the sender to spin up a node which saves his transaction in the mempool — any contemporary computer can run Bitcoin Core. Likewise, for every censorship-friendly mining cartel, there can always be another independent block producer which will not mind collecting the transaction fee.
However, in a world in which KYC/AML practices become prevalent and blockchain analysis is an industry standard, there is a lot more information about Bitcoin users, addresses, and miners. So resourceful governments can pressure participants into following a strict blacklisting procedure, with very draconian punishments for miners who break the rule. Naturally, geopolitical game theory fixes part of the problem because we live in a multi-polar world with a plurality of superpowers that don’t always collaborate. But a project like Bitcoin should not rely on goodwill or flaws in the structure of human politics — instead, it should become censorship resistant by design. The only way to achieve this feat is to make it impossible for miners to act in ways which differ from the system’s incentives: therefore, collect the highest fees to confirm transactions without caring about the origins. If Bitcoin adds a degree of confidentiality, which enables senders to remain private and also hide the amounts that they’re sending, then the system would finally support sound money.
As any monetary theorist will tell you, fungibility is a very important quality for good money. An ounce of gold is equal in value with another one of the same purity, regardless of its origins. A $100 bill will buy you the same amounts of goods and services, regardless if it was previously held by Brad Pitt, the President of the USA, or a construction worker. In the case of Bitcoin, you still deal with “freshly mined coins”, “Silk Road coins”, “dark market coins”, “Mt. Gox coins”, “Coinbase coins”, “Kraken coins”, “CoinJoined coins”, “ordinals”, and all sorts of ways to differentiate according to origin. On the free market, freshly mined coins are usually deemed more valuable — for the simple reason that they have no past.
Interestingly, Bitcoin does have a built-in fungibility mechanism: once a transaction fee gets paid, the corresponding coins get mined again as part of the block reward. So even the most “tainted” coins can become squeaky clean once a miner collects them as fees and reissues them. However, this is not enough: and to expect all “tainted” bitcoins to get sent as transaction fees is extremely unrealistic. What Bitcoin needs is a system that makes it impossible to discriminate according to previous ownership — and if users (and outside observers) cannot know, then they will have no means to censor.
Last but not least, we have a remarkable series of discoveries and inventions that can improve Bitcoin’s privacy — but they were implemented in other networks and systems due to the community’s conservatism in relation to adding upgrades.
[to be completed]Given the volume of information presented, we can safely affirm that allowing Bitcoin to have very poor privacy today was a choice. It might be the result of negligence or cowardice on behalf of the users and developers. It might be a consequence of the ”number go up no matter the cost” mentality, combined with the fear of getting delisted from exchanges. It’s possible that the efforts to please regulators, portray Bitcoin as the nice chain that criminals avoid, and eventually embed in into the traditional financial system via ETFs might have be part of the reason. But regardless of the cause, the situation is not great: not for the users, not for the network, and definitely not for the fungibility of the currency.
Sure, CoinJoins are fine — but they still reveal the amounts being transacted and some of the participants might later KYC to diminish the others’ deniability. CoinSwaps via Statechains (as designed by Mercury Wallet) are also useful, but you never know when you get a much more ”tainted” UTXO than the one you sent out. The CoinJoin outputs may be considered ”tainted” and therefore unacceptable by some economic actors. Until the moment Bitcoin gets privacy for the amounts being sent, these issues will continue to affect users.
The four types of Bitcoin privacy
When used as Satoshi suggested in the whitepaper, Bitcoin protects the identity of the receivers — that is, until further multi-input transactions are made to break the deniability. If the user makes use of the Tor network or a powerful mixnet such as Nym, then other peers cannot figure out where the node or light wallet is located based on IP address. So Bitcoin can also have pretty good network-level privacy.
However, there is no privacy for the sender: as the receiver can see the amount being sent and how much change was returned after the transaction. And speaking of amounts, there is no way to have any confidentiality for the number of coins being transferred — at least not on the base layer.
From this practical example, we can distinguish between the four types of Bitcoin privacy: sender, receiver, amounts, and network-level. For a more thorough breakdown on the topic, I recommend you to listen to Paul Puey on S15 E48 of the Bitcoin Takeover podcast [7].
Sources:
- The Bitcoin Whitepaper, Satoshi Nakamoto, 2008, Available at: https://bitcoin.org/bitcoin.pdf
- Peter Thiel on Aspen Ideas Festival 2024, Available at: https://youtu.be/B3ZXrTzskw0
- Nakamoto Studies Institute, Electronic Cash Without A Trusted Third Party, Available at: https://www.nakamotostudies.org/literature/ecash.html
- Sergio Demian Lerner, ”The Well-Deserved Fortune of Satoshi Nakamoto, Bitcoin Creator, Visionary and Genius”, April 2013, Available at: https://bitslog.com/2020/06/22/a-new-mystery-in-patoshi-timestamps/
- Jeff Garzik, ”Hemi Presents Satoshi Stories — The Secret Behind Satoshi’s Real Identity”, Available at: https://youtu.be/Zi92Y0WpEg4?si=yYwU5TiQKZfmVwal
- Erik Voskuil on the Bitcoin Takeover Podcast, S5 E8, Around 00:20:51, May 2020, Available at: https://bitcoin-takeover.com/audio/index.php?name=2020-05-13_s5_e8_eric_voskuil_on_misean_economics__cryptoeconomics.mp3
- Satoshi Nakamoto on the Bitcoin Talk Forum, Replying to Topic #770, In response to Red, August 11th 2010, Available at: https://bitcointalk.org/index.php?topic=770.msg8637#msg8637
- Hal Finney, Personal Twitter Profile, Available at: https://x.com/halfin/status/1136749815
- Paul Puey on the Bitcoin Takeover Podcast, S15 E48, August 2nd 2024, At the 01:12:00 mark, Available at: https://www.youtube.com/live/NRYFjS8UT1M?si=K5LzZw1VN4s2bwkY&t=4341
Recent Comments