Module 3

The document discusses Bitcoin mining, detailing the roles of miners in validating transactions, creating blocks, and ensuring network security through proof-of-work. It covers the evolution of mining hardware from CPUs to ASICs, the energy consumption associated with mining, and the ecological impact of the process. Additionally, it raises questions about the future of small miners in a landscape dominated by professional mining operations.


MODULE – III: BITCOIN MINING AND BITCOIN AND ANONYMITY

The task of Bitcoin miners, Mining Hardware, Energy consumption and ecology, mining pools,
Mining incentives and strategies. Anonymity Basics, How to De-anonymize Bitcoin- Mixing,
Decentralized Mixing.

3.1 The task of Bitcoin miners

Bitcoin miners play a vital role in the Bitcoin blockchain ecosystem by ensuring the network's
security, functionality, and decentralization.
Bitcoin depends on miners to:

 store and broadcast the blockchain
 validate the transactions
 insert new blocks, in proportion to their hash power, and earn a reward for doing so

The task of Bitcoin miners

Here's a detailed breakdown of their tasks:

1. Transaction Validation

 Collecting Transactions: Miners gather unconfirmed transactions from the mempool (a pool of
pending transactions waiting to be processed).
 Verification: They check the legitimacy of transactions by ensuring:
o The sender has sufficient funds (no double-spending).
o Transactions follow Bitcoin’s protocol rules.
o Digital signatures are valid.

2. Creating a Block

 Miners group verified transactions into a block.
 The block includes:
o A list of transactions.
o The previous block’s hash (linking to the blockchain).
o A nonce (a number used in mining to solve the cryptographic puzzle).
o A Merkle root (a hash summarizing all transactions in the block).

3. Solving the Cryptographic Puzzle (Proof-of-Work)

 Miners compete to solve a computationally intensive problem using the SHA-256 hashing
algorithm:
o They calculate a hash value that satisfies the network’s difficulty target (e.g., starts with a
specific number of leading zeros).
o This process is resource-intensive, requiring specialized hardware like ASIC miners and
significant energy consumption.

4. Broadcasting the Solution

 When a miner finds a valid hash:
o The solution is broadcast to the network.
o Other nodes and miners verify the solution to ensure it adheres to the protocol.

5. Adding the Block to the Blockchain

 Once verified, the block is added to the blockchain, making it part of the immutable ledger.
 Transactions in the block are considered confirmed and are effectively irreversible.

6. Earning Rewards

Miners are incentivized with:

 Block Rewards:
o A fixed amount of newly created Bitcoin for successfully mining a block.
o The reward started at 50 BTC in 2009 and halves approximately every 4 years (current
reward: 6.25 BTC as of 2024).
 Transaction Fees:
o Fees paid by users to prioritize their transactions.
o As block rewards decrease, transaction fees are expected to become a primary source of
income for miners.

7. Ensuring Network Security

 Miners prevent tampering by securing the blockchain:
o Altering a block requires re-mining all subsequent blocks, making it computationally
infeasible.
o A higher hash rate (total mining power) increases security against attacks like the 51%
attack, where a malicious actor could control the network.

8. Adjusting to Mining Difficulty

 The difficulty adjustment algorithm ensures a consistent block creation time (approximately
every 10 minutes):
o If blocks are mined too quickly, difficulty increases.
o If mining slows, difficulty decreases.
 This balances the network regardless of changes in total mining power.

9. Decentralization and Consensus

 Miners enable a decentralized and trustless system:
o No central authority is needed to validate transactions or secure the network.
o Miners collectively maintain consensus about the state of the blockchain.

10. Environmental Considerations and Efficiency

 Mining’s energy-intensive nature has raised concerns about environmental impact:
o Some miners use renewable energy sources to mitigate this issue.
o Advances in hardware (e.g., more efficient ASICs) reduce energy consumption per hash.

So the miners' useful activity is to validate the transactions and blocks. The race for block
creation and the consequent reward are just an incentive for miners to do this validation.

Process to find a valid block
Now let's see what's necessary to find a new valid block. In order to do so, we have to recall
that there are two hash-based data structures:

 blockchain: each block header points to the previous block header.
 merkle tree: inside every block the transactions are organized in this binary hash tree.

The miners need to:

1. assemble some new transactions heard from the network in a Merkle tree
2. create a block with the right header pointing to the last valid block inserted
3. start searching over the nonce field and try to find a block header whose hash starts
with the required number of zeros. The miners change this 32-bit nonce every time
they obtain a hash that doesn't satisfy the desired condition. If a miner tries every
possible 32-bit nonce and doesn't obtain a hash with the required format, he can
modify the extra-nonce. This corresponds to the output index of the coinbase
transaction. Since this transaction creates new coins, it doesn't refer to an output of a previous
transaction. When this parameter is changed, the hash of the entire Merkle tree changes, too.
So, changing the extra-nonce is more computationally expensive than changing the nonce
itself.
4. Eventually, the miner is able to find the correct nonce before the other competitors, and
can broadcast the block on the network.
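The nonce/extra-nonce search of steps 1-4, as an added Python example (not code from the lecture): a toy double-SHA-256 header with a Merkle root over constructed transactions, where the cheap 32-bit nonce space is exhausted before the extra-nonce in the coinbase is bumped, plus the check every other node runs on a broadcast block. The header layout, target rule and sample transactions are simplifying assumptions of this example.

```python
import hashlib
import struct

# Constructed sample data for this added example (not real Bitcoin data):
# a made-up previous-block hash and three made-up transactions.
PREV_BLOCK_HASH = b"\x11" * 32
TXS = [b"tx:alice->bob:1.5", b"tx:carol->dave:0.2", b"tx:erin->frank:3.0"]


def dsha256(data):
    """Bitcoin hashes headers and transactions with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves):
    """Binary hash tree over the transaction hashes. When a level has an odd
    number of nodes the last one is duplicated, as Bitcoin does."""
    level = [dsha256(tx) for tx in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def coinbase_tx(extra_nonce):
    """Toy coinbase: it spends no previous output, so the miner may place an
    arbitrary extra-nonce in it. Changing it changes the Merkle root."""
    return b"coinbase:reward->miner:" + struct.pack("<Q", extra_nonce)


def block_header(prev_hash, root, nonce):
    """Simplified header: previous hash || Merkle root || 32-bit nonce."""
    return prev_hash + root + struct.pack("<I", nonce)


def meets_target(digest, zero_bits):
    """Valid when the hash has at least zero_bits leading zero bits, i.e. it
    is below the target 2^(256 - zero_bits) read as a big-endian integer."""
    return int.from_bytes(digest, "big") < (1 << (256 - zero_bits))


def mine(zero_bits, max_nonce=1 << 32):
    """Search the cheap 32-bit nonce first. Only when that space is exhausted
    (max_nonce is lowered by the caller to make this reachable quickly) bump
    the extra-nonce, which forces the costlier Merkle root recomputation.
    Returns (extra_nonce, nonce, digest)."""
    extra_nonce = 0
    while True:
        root = merkle_root([coinbase_tx(extra_nonce)] + TXS)
        for nonce in range(max_nonce):
            digest = dsha256(block_header(PREV_BLOCK_HASH, root, nonce))
            if meets_target(digest, zero_bits):
                return extra_nonce, nonce, digest
        extra_nonce += 1


def verify_block(extra_nonce, nonce, zero_bits):
    """What every other node does with a broadcast solution: rebuild the
    Merkle root and the header, then check the hash against the target."""
    root = merkle_root([coinbase_tx(extra_nonce)] + TXS)
    digest = dsha256(block_header(PREV_BLOCK_HASH, root, nonce))
    return meets_target(digest, zero_bits)


if __name__ == "__main__":
    # 16 zero bits: about 65k hashes expected; nonce space capped at 1000 so
    # the extra-nonce is bumped many times before a solution appears.
    en, n, d = mine(16, max_nonce=1000)
    print("extra_nonce", en, "nonce", n, "hash", d.hex())
    print("verified by a peer:", verify_block(en, n, 16))
```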

Difficulty
The difficulty depends on the number of zeros that the hash must begin with to be considered
valid.
At the moment of this lecture, the 256-bit hash must begin with at least 64 bits of zeros. The
corresponding difficulty is equal to 2^66.2, which is an incredibly high number.
The difficulty is changed every two weeks based on how fast the miners were over the
previous two weeks. To compute the new difficulty, simply compute the ratio between two
weeks and the amount of time that it took the miners to find the previous 2016 blocks. Then
the ratio is multiplied by the previous difficulty. This scaling keeps one property constant:
the expected time needed to find a new block, which is 10 minutes.

Over time the mining difficulty keeps increasing. It's not a steady linear increase or an
exponential increase. It depends on activity in the market: how many new miners are getting
into the game, which may be affected by the current exchange rate of Bitcoin. But generally
more and more hash power comes online. More people are hashing, blocks are found faster,
and the difficulty is adjusted up, so that it again takes ten minutes to find blocks. Below
there's a step function of difficulty over two months.

3.2 Mining hardware


Hash function details
We've already mentioned that the hash function used for Bitcoin is SHA-256:

 it's a general-purpose cryptographic hash function, part of a bigger family of functions
that was standardized in 2001
 it was designed by the NSA
 it's a fairly strong hash function. It's not broken cryptographically, although there are
some theoretical weaknesses that are starting to show up. As a result, the SHA-3 family
is the new standard, but it was not available when Bitcoin was designed.

SHA-256
Let's see a high-level overview of SHA-256 to understand the problem that needs to be solved
by the miners. In the image below we can see that:

1. the 256-bit state is split up into eight 32-bit words, so it's optimized for 32-bit platforms
2. in each round some of these words are taken. There are four different tweaks applied to
them at bit level that correspond to logic operations (bit shift, permutation, addition, ...).
3. then a number of words in the state are taken and added together modulo 2^32.
4. the result of all these additions is wired over to the first word of the state and the entire
state shifts over
5. steps 1-4 correspond to one round of SHA-256; the operation is repeated for 80
iterations. In each iteration slightly different constants are applied, so that every
iteration isn't exactly the same as the previous ones.

Mining hardware in the early days


The task of miners is to compute this specific SHA-256 function as fast as possible. To do this,
they need to be able to deal with 32-bit words, do 32-bit addition and some bitwise logic.
The hardware used for mining has changed over the years:

 CPU: when Bitcoin was proposed, general-purpose computers were used. With a high-
end desktop PC, it is possible to compute around 2^24 hashes per second, which corresponds
to around 20 MegaHertz. With the current difficulty it would take over a hundred
thousand years to find a block.
 GPU: after the CPU, graphics processing units started to be used. Graphics cards
are designed for high parallelism, which helps with Bitcoin mining. In fact, they
can compute multiple hashes at the same time for different nonces. Graphics cards are
easily available and are easy to set up for computing hashes. In addition, it is possible to
attach many graphics cards to one single motherboard and CPU. Many miners started to
run many graphics cards and tried to optimize the process to be as fast as possible.
However, graphics cards are not designed to compute hashes, so they don't have great
cooling systems, especially when there are a lot of graphics cards near each other. They
also use more electricity than is necessary to compute hashes, since they are
designed for graphical rendering and not only for mathematical computations. The best
GPU systems, which used around 100 GPUs, were able to reach 200 MegaHertz.

Advanced mining hardware


After 2011, miners started to use more specific and advanced hardware:

 FPGA (Field Programmable Gate Arrays): FPGAs have hardware-like performance, but
let the owner of the card customize it. So they are faster than GPUs and it's easier to set up
FPGA racks since less cooling is necessary. But Bitcoin mining requires making FPGAs
work harder than what they were designed for. So there was a lot of malfunctioning and
they were less accessible for common people. The best solutions using FPGAs let the
miners reach 1 GigaHertz and they were a popular solution for miners for around a year.
With today's difficulty, it would still take around 25 years to find a new block.
 ASIC (Application Specific Integrated Circuits): chips designed and built from scratch
to do nothing except mine Bitcoins. In the last few years many companies started to
produce ASICs and there are a lot of choices when a miner decides to buy one. There are
models with different cost, computing power, energy consumption and shipping times. It
is really important to consider delivery options, since there are many new companies
rising that require the consumer to pay before the chip is ready. There are many known cases
in which the ASICs took a long time to be delivered, were never sent or were full of
bugs. An ASIC like the one below is able to compute 2 TeraHash per second. So it's
1000 times faster than a hypothetical array of 100 really good FPGAs. It now costs
around $3000. Even with this incredible performance, 14 months are still necessary to
find a new block. Due to the cost and the dynamics of buying them, it is very difficult for a
small miner to go online in a profitable way.

Profits
Based on what we have seen above, it might seem not worthwhile to mine Bitcoins. But it is still
profitable for miners that own many ASICs, since the price of Bitcoin has been rising for
most of its history and has become particularly high lately. So the miners were able to earn
money only because they bought the equipment relying on the fact that Bitcoin's value would
rise. And many miners probably would have earned more money if they had just taken the funds
invested in mining equipment and used them to buy Bitcoins.

Now we are in the era of professional mining. It is known that there are many professional
centers popping up around the world, especially in China. To open a professional center it is
necessary to have cheap energy, good network connectivity and a cool climate, so that it is not
necessary to spend too much on cooling systems. Some popular destinations for this purpose
are for example Georgia and Iceland.
So a couple of questions for the future are:

 are small miners out of Bitcoin mining forever?
 is there any way to start as a small miner in this game?
 does the existence of these ASICs and these large mining centers go against the original
vision of Satoshi Nakamoto, which was to have every individual in the network being a
miner running on their own computer?

3.3 Energy consumption and ecology


In the last lecture we have seen that the number of professional miners is increasing around
the world. And, even if Bitcoin mining isn't so widespread, these professional miners
consume a lot of energy. So we can try to understand the impact of Bitcoin on energy
consumption and ecology.

Energy consumption and ecology


There's a principle developed by Rolf Landauer in the 1960s: "Any non-reversible
computation must use a minimum amount of energy". This means that every time you flip one bit
in a non-reversible computation, there's a minimum number of Joules that you have to use. And we
have seen that SHA-256, which is a hash function, is not reversible, so it needs to use some
energy. However, the minimum limits provided by Landauer's principle are far below the
amount of electricity necessary nowadays for Bitcoin computations (by over a factor of
1000). So, we're nowhere close to the theoretical optimum efficiency of computing.

Another important Physics theorem states that energy is never destroyed. It's only converted
from some form into another. In the case of computation most of the energy used is
transformed from electricity into heat, which is dissipated into the environment.

Why does Bitcoin mining require energy?


There are three steps in the process that require energy:

 embodied energy: the energy required for manufacturing Bitcoin mining equipment. It's
necessary to extract rare-earth metals and copper for circuits and then construct the
ASIC.
 shipping the ASIC to its destination
 when the ASIC is active it will use electricity constantly

However, the most important factor is the energy consumption to run the hardware and the
cooling systems. So, it is possible to reduce it using efficient ways to deliver power. It is
also better if the mining center is set up in a cold place.

Energy consumption estimation


It's not possible to compute the energy consumption precisely: the Bitcoin network
is decentralized, with miners operating all over the world. So we will use a very simple
approximation strategy with an upper and a lower bound.

How much energy is the entire Bitcoin network using?


To find an upper bound, we can consider that every block produces a fixed number of new
Bitcoins. At the moment it's 12.5 BTC, for a value of around $2500 each. This corresponds
more or less to a value of $30000 per block. A new block is created every 10 minutes. So it's
around $50 per second given to the mining community.
Suppose that the miners are turning all of the $50 into electricity: how much can they get? In the US
electricity can cost around $0.10 per kilowatt-hour. We can convert it to the more
scientific unit, the megajoule. So with $50 per second, the miners could reach about 1800
megajoules every second.

How much hashes can the miners compute?


To find a lower bound, we can compute how many hashes the miners are computing. The
best mining hardware available today is able to turn 1 Watt of electricity into about 1 GH of
hashing, so it performs 1 billion hashes per second with about 1 Watt of power. The total
network hash rate is around 150 million GH per second. So, if the entire network was running
the best chip on the market, around 150 MW would be necessary to produce that many
hashes per second.

Estimation
With the upper and lower bounds found with the two previous reasonings we have estimated
between 150 MW and 900 MW. It's not a precise bound, but it can give us an idea of today's
energy consumption.
The largest power plant in the world, the Three Gorges Dam in China, produces 10000 MW.
A typical large hydro plant produces around 1000 MW. An average nuclear plant produces
around 4000 MW and the largest one 7000 MW. Coal plants produce between 1000 and
2000 MW.
The whole Bitcoin network, even considering the upper bound, consumes less than
1000 MW. So, in effect, a big electricity power plant needs to run purely to power Bitcoin.

Comparison with other kind of consumption


To understand whether it's a big amount or not we need to compare it to other things in the
world. For example, any payment system is going to require energy and electricity. So we can
look at traditional currency. Energy is consumed for:

 producing the money
 transporting the money around in armored cars
 guarding money
 running ATM machines and cash registers

All of this energy doesn't serve any other purpose besides maintaining the currency
system. So that's a really important disclaimer: just because Bitcoin uses electricity, it's not
necessarily wasted. If Bitcoin is a useful currency system then the electricity is essentially
being used for that purpose.

Data furnaces
But we still might think that there is something better that we can do with this electricity.
One pretty interesting idea is that we could try to capture the heat produced by Bitcoin
mining and use it for practical purposes. This is called the data furnaces model.

The basic idea is that you can use Bitcoin mining hardware to heat your home or water,
instead of using a traditional heating system.
It turns out that the efficiency of this system isn't actually much worse than a normal electric
heater. This could be a great idea for the future. There are still some challenges to be cleared:

 electric heaters are still less efficient than gas heaters. So in very cold places, they won't
be enough.
 the ownership of mined Bitcoins. Will the Bitcoins be the property of the people who buy
the appliance or of the company that sells them? Many people would have no interest in
mining Bitcoins. So for them it would be better to buy the appliance at a lower cost and
give the rewards to the company that sells them.

This could have an effect on Bitcoin production and network maintenance, since production
could drop in summer and on warmer days.

Open questions
So, at the end of this lecture, we can think about the questions that remain open for the future:

 Will Bitcoin drive out electricity subsidies? In many countries the government actually
subsidizes industrial electricity. They try to encourage industry to be located in their
country as opposed to other countries. One of the main things that Bitcoin miners need to
be successful is cheap energy. So if a country is heavily subsidizing electricity, this
could lead a lot of Bitcoin miners to move into that country. And this is not useful for the
country itself.
 Will Bitcoin require guarding power outlets? Especially around universities and
corporations, large buildings with a lot of power outlets, will they need security cameras
to make sure that employees or students aren't trying to mine Bitcoins by plugging into
power outlets and just letting them run?
 Is it possible to create a currency with no proof-of-work? So that electricity would
not be used much to maintain this currency. We will see some examples in further
lectures about alternative mining.
Bitcoin mining pools
Now we will talk about mining pools that miners can join to cooperate with other miners.

Economics of small miners


Let’s say you're an individual who spent $6,000 of your hard-earned money to buy a new
Bitcoin mining rig. Now, you expect that you'll find a block in about 14 months with this
fancy new rig. And remember that a block is worth about $30,000 at today's prices. So, you
could say that the expected revenue of this box is about $2,000 per month not considering the
electricity.
But mining is a random process, so you don’t know when you're going to find the next block.
Looking at the probability distribution of finding a new block during the first year,
the variance is pretty high because the expected number of blocks you're going to find is
low.

We can see in the graph that the probability distribution is a Poisson distribution. So there's
over a 40% chance that you won't find any blocks in the first year. You might really be in
trouble if you haven't earned any revenue in an entire year of running that $6,000 box that
requires a lot of electricity.
There's about a 36% chance that you'll find one block in the first year. And then there's
a slightly smaller chance that you'll find two or more blocks, in which case you'll really
be making profit.
So again, on expectation, you might be just doing okay enough to make a return on your
money. But there's a big chance that you'll make nothing at all. For a small miner, mining is
essentially based on chance.

3.4 Mining pools


Now historically, when small business people faced a lot of risk and they wanted to lower it,
they got together and formed mutual insurance companies. A mining pool is exactly this kind
of organization for mining Bitcoins.

Suppose that a group of miners get together and form a pool. They will attempt to mine a
block for the same recipient, called the pool manager. The pool manager will receive the minted
Bitcoin no matter which miner found them. He will take that revenue and distribute it to all of
the participants in the pool based on how much work each participant actually does. Of
course, the pool manager will also probably take some kind of reward for his management
service. The miners are encouraged to join a pool to lower their variance.
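As an added example (not from the lecture), the Poisson arithmetic behind the 40% and 36% figures in the small-miner section above, and the variance reduction that motivates the pool just described. The 14 months per block, the $30,000 block value and the $6,000 rig come from the text; the pool is assumed to split each block equally among identical rigs with no manager fee.

```python
import math


def poisson_pmf(k, lam):
    """Probability of exactly k blocks when lam blocks are expected.
    Block discovery is memoryless, so the count over a period is Poisson."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def solo_miner_year(months_per_block=14.0, months=12, block_value_usd=30000,
                    rig_cost_usd=6000):
    """Outcome distribution for one rig mining alone for `months` months,
    using the lecture's figures as defaults."""
    lam = months / months_per_block          # expected blocks in the period
    p0 = poisson_pmf(0, lam)
    p1 = poisson_pmf(1, lam)
    return {
        "expected_blocks": lam,
        "expected_revenue_per_month_usd": lam * block_value_usd / months,
        "p_zero_blocks": p0,                 # the rig earns nothing at all
        "p_one_block": p1,
        "p_two_or_more": 1.0 - p0 - p1,
        # Whether a single block alone already repays the rig price.
        "one_block_covers_rig": block_value_usd >= rig_cost_usd,
    }


def pooled_miner_year(pool_size, months_per_block=14.0, months=12,
                      block_value_usd=30000):
    """The same rig inside a pool of pool_size identical rigs with equal
    split (assumption of this example). The pool expects pool_size times as
    many blocks and each block is split pool_size ways, so the expected
    revenue per rig is unchanged while its variance shrinks by pool_size."""
    lam_pool = pool_size * months / months_per_block
    share_usd = block_value_usd / pool_size
    variance = lam_pool * share_usd ** 2     # Var(Poisson) = lam, scaled by payout^2
    return {
        "p_zero_revenue": poisson_pmf(0, lam_pool),
        "expected_revenue_usd": lam_pool * share_usd,
        "std_dev_usd": math.sqrt(variance),
    }


if __name__ == "__main__":
    solo = solo_miner_year()
    print("solo: P(0 blocks)=%.3f P(1 block)=%.3f P(2+)=%.3f, ~$%.0f/month"
          % (solo["p_zero_blocks"], solo["p_one_block"],
             solo["p_two_or_more"], solo["expected_revenue_per_month_usd"]))
    for n in (1, 10, 100):
        r = pooled_miner_year(n)
        print("pool of %3d: E[rev]=$%.0f std=$%.0f P(nothing)=%.2e"
              % (n, r["expected_revenue_usd"], r["std_dev_usd"],
                 r["p_zero_revenue"]))
```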

Computing the work of each miner


How does the pool manager know how much work each of the members is actually
performing? He can't just take everybody's word for it, since many won't declare the truth.
So, the idea is that miners can prove probabilistically how much work they're doing by
outputting shares. Shares are almost-valid blocks. It's pretty rare to find an actually valid
block, one that starts with all the required zeros at the beginning of the output hash. But there
will be a lot more almost-blocks that start with a lot of zeros but not all the ones necessary to
make it a valid block. So, supposing that a valid block starts with 60 zeros, an almost-valid one
could start with 40 or 50 bits of zeros.

So the miners participating in the pool send the manager a bunch of these near-valid
blocks. The rate at which every miner is sending them should give a very good statistical
idea of who's doing how much work. In addition, there's no way to fake it. In fact, thanks to
hash properties, there's no way to find almost-valid blocks without also finding actual blocks
at the expected rate.

Computing the revenue for each miner


How can miners work together to find a new valid block? As soon as a new block is
discovered by the network a new round starts:

 the pool manager chooses the new transactions that are going to be inserted and assembles
the Merkle tree, including the coinbase transaction that creates new coins towards
himself.
 the block header is sent to all of the participants in the pool. The miners have to
prove that they've been working on it by sending in shares showing that they've been
hashing this block. Finally one of the miners, hopefully in the pool, finds a valid block
that will be published.
 after this happens, all the miners send the pool manager all the shares found. He
will verify them and distribute the revenue proportionally to how much work they
actually did.

Now, in the image below, even if the block was found by the miner on the right, the miner on
the left will receive a higher revenue, since he has found more valid shares. There's no bonus
for the miner who has actually found the block. So it would have been better for him if he had just
mined alone, while the miner on the left would be glad since he will receive a higher reward.

Alternative reward methods


There are a lot of variations on the model explained above to compute the miners' reward. A
couple of common ones are:

 pay-per-share: the pool manager pays a flat fee for every share above a certain
difficulty that the miners find. In some ways it's the best for miners because the reward is
guaranteed. The pool manager is taking all the risk in this scheme, since he will have to
pay even if no valid block was found for the current round. In this case the miners don't
have any real motivation to send valid blocks, since they will get the same reward as if
they had only found shares.
 proportional model: instead of a flat fee per share, the amount paid per share depends on whether or
not the pool actually found a valid block. In this case the miners still have some risk,
while it will be lower for the pool manager. In this case, the miners have a higher
motivation to send valid blocks.
 Luke-Jr approach: the pool owner actually collects no fee, but miners can't receive any
revenue until their balance is at least one Bitcoin. So it's the best model to be in after the
first Bitcoin, but it's harder to start earning something. Since it's quite difficult to reach one Bitcoin
nowadays, there are few systems that use this model.
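An added Python example (not the lecture's code) that simulates one pool round with the share mechanism from the two sections above and then pays it out under the proportional and pay-per-share models. The manager's header prefix, the two toy difficulties (16 zero bits for a block, 10 for a share) and the miners' hash rates are constructed values; the manager's verification step is what makes claimed work unfakeable.

```python
import hashlib
import struct

# Constructed values for this added example: the header prefix the manager
# hands out (fake previous hash + fake Merkle root whose coinbase pays the
# manager) and a toy pair of difficulties.
HEADER_PREFIX = b"\x22" * 32 + b"\x33" * 32
BLOCK_ZERO_BITS = 16   # a real block needs this many leading zero bits
SHARE_ZERO_BITS = 10   # a share only needs this many: 2^6 shares per block expected
BLOCK_REWARD = 12.5    # BTC, the figure used in the lecture


def header_hash(prefix, nonce):
    """Double SHA-256 of prefix || 32-bit nonce, as for a Bitcoin header."""
    data = prefix + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def run_round(hash_power, prefix=HEADER_PREFIX, max_hashes=1 << 24):
    """One pool round. hash_power maps miner name -> hashes per turn; miners
    hash round-robin over disjoint nonce ranges assigned by the manager.
    Every hash with >= SHARE_ZERO_BITS zeros is submitted as a share; the
    round ends when a hash also reaches BLOCK_ZERO_BITS.
    Returns (submitted share nonces per miner, name of the block finder)."""
    miners = list(hash_power)
    shares = {m: [] for m in miners}
    next_nonce = {m: i << 28 for i, m in enumerate(miners)}  # up to 16 ranges
    hashed = 0
    while hashed < max_hashes:
        for m in miners:
            for _ in range(hash_power[m]):
                nonce = next_nonce[m]
                next_nonce[m] += 1
                hashed += 1
                zeros = leading_zero_bits(header_hash(prefix, nonce))
                if zeros >= SHARE_ZERO_BITS:
                    shares[m].append(nonce)
                    if zeros >= BLOCK_ZERO_BITS:
                        return shares, m
    return shares, None


def verify_shares(shares, prefix=HEADER_PREFIX):
    """The manager recomputes every submitted nonce against the header he
    issued; a nonce that does not hash under the share target is discarded,
    so work cannot be claimed without actually hashing that header."""
    return {m: sum(1 for n in nonces
                   if leading_zero_bits(header_hash(prefix, n)) >= SHARE_ZERO_BITS)
            for m, nonces in shares.items()}


def proportional_payout(share_counts, block_found, fee=0.0):
    """Proportional model: nothing if the round found no block, otherwise the
    reward (minus the manager's fee) split by share count. The block finder
    gets no bonus, which is the lecture's point about the miner on the right."""
    if not block_found:
        return {m: 0.0 for m in share_counts}
    pot = BLOCK_REWARD * (1.0 - fee)
    total = sum(share_counts.values())
    return {m: pot * c / total for m, c in share_counts.items()}


def pay_per_share_payout(share_counts):
    """Pay-per-share: a flat amount per share, paid whether or not a block was
    found. The fair rate is the reward divided by the expected number of
    shares per block, 2^(BLOCK_ZERO_BITS - SHARE_ZERO_BITS)."""
    per_share = BLOCK_REWARD / 2 ** (BLOCK_ZERO_BITS - SHARE_ZERO_BITS)
    return {m: c * per_share for m, c in share_counts.items()}


if __name__ == "__main__":
    shares, finder = run_round({"left": 30, "right": 10})
    counts = verify_shares(shares)
    print("block found by", finder, "; verified shares", counts)
    print("proportional (2% fee):",
          proportional_payout(counts, finder is not None, fee=0.02))
    print("pay-per-share:", pay_per_share_payout(counts))
```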
Integration with the Bitcoin protocol
The first mining pools arose in 2010 and they immediately became very popular. So by
2014 most miners had already joined a pool. Now it is really simple to buy mining
hardware, plug it into the wall, connect to the network and join a mining pool. That's because
the mining pool protocols have been almost integrated with the specific mining hardware.
In June 2014 the mining pool GHash.io got so big that it controlled over 50% of
the entire capacity of the Bitcoin network. This was because its conditions were better than other
groups'. That's something that people had feared for a long time. So GHash started to change
its rewards to become a little less attractive. It finally stopped its activity when the Bitcoin
price fell again below $300.
Now the situation is shown by the following graph and it is possible to check the updates
here.

Mining pools pros and cons


Basically nowadays around 4 mining pools control about half of the power in the network (i.e.
AntPool, BTCC Pool, Bixin, BTC.com). So, are mining pools a good thing? The
advantages are that:

 they make mining more predictable for the participants. So it is much easier for smaller
miners to get involved in the game.
 there's one pool manager who's sitting on the network and assembling blocks. So it's
easier to upgrade the network. In fact, upgrading the software of the mining pool
manager effectively updates the software of all the pool members.

The disadvantages are:

 this leads to centralization. The miners are free to switch between one pool and another.
But now there is no pool that's offering really better conditions than the others. So for the
miners it's easier to stick to the first pool they joined.
 the existence of mining pools lowers the population of people actually running a fully validating
Bitcoin node. Before mining pools, all small miners had to store the whole blockchain
and validate transactions. Now, most miners offload that task to their pool manager.

3.5 Mining Incentives and Strategies


We have spent most of the lectures on mining saying that it's important to have some good
hardware, get some cheap electricity, run as fast as one can, and hope for some good luck.
But it turns out there are also some interesting strategic considerations that every miner makes:

 choose the transactions he wants to include in the new block
 choose the block to mine on top of. The default behavior is to choose the longest chain in
history
 choose when to announce a newly found block: immediately after he has found it or not

There's a default strategy, followed by most miners (around 90%) since they run the default
Bitcoin client.

Is it possible to make more money by changing the default strategy? It depends on mining
power. If we express the proportion of the world's mining capacity that one has as 0 < α
< 1, it turns out that for some α it is possible to make more money by changing the strategy. But
the study on this topic is still ongoing.

Forking attacks
The simplest attack is a forking attack. The idea is to perform a double spend. Suppose that
some money has been transferred to Bob and that the transaction is in the longest chain. A
miner could try to insert another transaction towards himself, connecting to a block previous
to the one containing the other transaction. At the moment of insertion the transaction is not
part of the longest chain. But if the miner has greater than 50% of the hashing power, he can
make the new chain become the longest one and rewrite history. So the valid transaction
would now be the one towards himself and not Bob.
If Bob had given the miner something in exchange for those bitcoins, for example real
currency or goods, the miner has swindled him and the network.
This attack is certainly possible if α is greater than 0.5, so if the miner has the majority of
the mining power. And it might be possible with a little bit less. So the 51% attack threshold
is not a certainty, but a gradient where the attack gets easier.

This attack is detectable, so the community could refuse to accept the new chain even if it's
the longest one. In addition, a successful forking attack could make the Bitcoin price fall
due to a dramatic loss of confidence. So it is not clear if in practice this could actually
work.

Goldfinger attack
This attack is named after the James Bond movie. The goal in the movie was to irradiate all
of the gold that the U.S. government held at Fort Knox to make it valueless. So if the goal is
to destroy Bitcoin, then you might be willing to do this forking attack in order to specifically
tank the market. However, beyond that threat model, it's not clear in which scenarios we
would have to worry about a large-scale forking attack.

It would be really expensive to buy enough mining capacity to have more than 50% of the power.
But it would also be possible to just bribe the people who control that capacity to work for
you in exchange for some reward. The reward could be an amount of fiat currency. You
could run a new mining pool with unsustainable rewards, but enough to get miners to join it.

However, this would affect the currency they are mining. So why would anybody be subject
to such bribery? All of the miners together have an incentive in keeping the bitcoin currency
solvent, but individual miners would have the incentive to defect and accept a bribe if they
thought they could make more money in the short term.

Checkpointing defense
One defense that exists in Bitcoin against forking attacks is checkpointing. Since 2010,
each version of the default Bitcoin client ships with a specific checkpoint and will refuse to
accept versions of the blockchain that don't pass through that checkpoint. It's usually several
hundred blocks before whatever the current longest chain is.
This has some implications for Bitcoin decentralization. In fact, it means that the developers
who maintain the core Bitcoin client are deciding something about blockchain validity.
However, it is a good practical mitigation against the risk of a deep forking attack.

Block-withholding attack
The idea is not to announce a block as soon as one has found it. Instead the miner tries to get
ahead by finding another block before the rest of the network finds one.

Why would it be possible to gain by keeping some blocks secret? While you have two
blocks in your back pocket, the rest of the network is trying to extend what they think is the
current longest chain. All of their effort is going to be wasted. As soon as the rest of
the network finds a new block, you can release your two and yours would instantly be the
longest chain. That's why this technique has been called selfish mining.

Now that hobbyist interest in mining has largely died down, mining is a business, so people
just want to make money. So miners will follow whichever strategy lets them make the most
profit.

If you try the block-withholding strategy, what would you do if you're just one block ahead
and the network finds one? You would immediately publish your secret block so that there are
two candidate longest chains, and other miners will have to choose which one to follow.
They usually choose the one they heard about first, so it's important to get yours out as soon as
possible.

When is block withholding profitable?

So when is it a good idea to do a block-withholding attack? Well, if you assume that you can
win every race every time there's competition for the next valid block, then no matter what α
is, no matter how much mining capacity you have, it's better to try selfish mining. How would
you try to win every race?
You could fight really hard to have a good network position. You could try to peer with
every node, so that you'll announce to more nodes ahead of the legitimate flooding
algorithm. Or you could try bribing people; again, you could bribe by including small tips
in your block, so that it becomes more attractive for people to mine on top of yours rather than
the competing block. It turns out that if the chance of winning the race is around 50%, this
strategy is profitable if α is greater than 0.25. So this attack is really interesting, since at the
beginning of Bitcoin history it seemed impossible to have a better mining strategy with less
than 50% of the mining power. Again, this is a theoretical attack which hasn't actually been
observed yet.
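As an added example that is not part of the original notes, the following Python code simulates the block-withholding strategy above using the state machine from Eyal and Sirer's selfish-mining analysis, with α the withholding miner's share of hash power and γ the fraction of honest hash power that ends up on the withholder's block in a tie, and compares the simulated revenue share with the closed-form result. The threshold function reproduces the 0.25 figure quoted for a 50% chance of winning the race.

```python
import random


def selfish_mining_share(alpha, gamma, blocks=200_000, seed=1):
    """Simulate the block-withholding strategy and return the withholding
    miner's share of the blocks that end up in the main chain (its revenue).

    alpha: fraction of total hash power held by the withholding miner
    gamma: fraction of honest hash power that, in a tie between two equal
           tips, ends up mining on the withholding miner's block
    """
    rng = random.Random(seed)         # fixed seed so runs are reproducible
    lead = 0                          # secret blocks the miner is sitting on
    tie = False                       # True while two equal-length tips race
    selfish = honest = 0              # main-chain blocks credited to each side
    for _ in range(blocks):
        if rng.random() < alpha:      # the withholding miner finds a block
            if tie:
                selfish += 2          # extends its own tip: wins the race
                tie = False
            else:
                lead += 1             # keep the new block secret
        else:                         # an honest miner finds a block
            if tie:
                tie = False
                if rng.random() < gamma:
                    selfish += 1      # built on the withholder's tip: both count
                    honest += 1
                else:
                    honest += 2       # built on the honest tip: withholder's block orphaned
            elif lead == 0:
                honest += 1
            elif lead == 1:
                lead, tie = 0, True   # publish the secret block: a race starts
            elif lead == 2:
                selfish += 2          # publish both: the honest block is orphaned
                lead = 0
            else:
                selfish += 1          # publish one block and stay ahead
                lead -= 1
    return selfish / (selfish + honest)


def expected_share(alpha, gamma):
    """Closed-form revenue share from Eyal and Sirer's analysis of the same
    state machine; honest mining would give exactly alpha."""
    a, g = alpha, gamma
    num = a * (1 - a) ** 2 * (4 * a + g * (1 - 2 * a)) - a ** 3
    den = 1 - a * (1 + (2 - a) * a)
    return num / den


def selfish_threshold(gamma):
    """Smallest alpha at which withholding beats honest mining; for
    gamma = 0.5 this is 0.25, the figure quoted in the notes."""
    return (1 - gamma) / (3 - 2 * gamma)


if __name__ == "__main__":
    for a in (0.1, 0.25, 0.4):
        sim, exp = selfish_mining_share(a, 0.5), expected_share(a, 0.5)
        print(f"alpha={a:.2f} simulated={sim:.3f} expected={exp:.3f} honest={a:.2f}")
```

Watching how the simulated share moves from below α (at α = 0.1) to above it (at α = 0.4) is the whole point: below the threshold the withheld blocks are mostly orphaned, above it the honest network does the wasting.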

Blacklist an address
Suppose that you want to blacklist transactions from address X to freeze its money
forever. The extreme strategy would be to refuse every transaction coming from this
address, and so also every block containing one of its transactions. It's an extreme strategy since
you would have to do a hard fork and it won't work with less than 50% of the power. In
addition, you'll waste all your power and energy doing so.

Feather forking
There's a better way to do punitive forking, which is called feather forking. The idea is that
you announce publicly that you're going to fork and will try to mine an alternative longest
chain. But you won't fork forever: you'll give up after one or two blocks have confirmed the
block containing X's transaction, and then return to the longest chain. Typically you will stop after one
confirmation, since you would have to find two consecutive blocks to fight it. Your chance of
actually pruning the block containing the transaction from X is α². So it's not very good: if
your power is 0.2, α² would be very low.
However, since you announced the fork publicly, other miners know that there's an
α² probability that their block will be orphaned if they don't follow your block. So, if they
don't have a strong motivation to include that transaction (i.e. high fees), they would probably
mine on top of yours. In addition, the risk of losing the block reward could be much worse than
losing the fee of a single transaction. So it's usually in their interest to go along with the feather fork.
So it would be possible to enforce a blacklist with less than 50% of the power.

The profit in blacklisting could come from some kind of extortion, or from legal reasons, for
example to freeze some specific assets.

Transaction fees
It would be interesting if miners started to do this to enforce a minimum transaction fee.
They could, for example, try to blacklist every transaction with a fee below a specific
threshold.
We have already seen that transaction fees exist, but we haven't talked about them in depth.
So what are transaction fees?
Transactions are assigned a priority, which is the sum of input values times input ages
divided by the size of the transaction in bytes:
priority = sum(input_value * input_age) / size_in_bytes

This basically means that transactions with higher values, that are spending older coins which
haven't been moved in a while, and with smaller sizes have higher priority. So, if you
want to move money more quickly, with lower amounts and complicated scripts, you will
have to pay higher fees. Currently, by default, miners accept transactions without fees if
the priority is higher than 0.576. It's a very arbitrary choice, but it's the default of the Bitcoin Core
client.

Currently transaction fees don't matter so much, since block minting is providing 99% of
miners' reward. However, the importance of transaction fees is growing with the increasing
number of transactions and with the block reward decreasing every four years. So, in the
near future they could become vital, and maybe miners will become more and more
aggressive in trying to enforce a minimum transaction fee.

3.6 Bitcoin anonymity basics


Anonymity
Let's start by seeing what anonymity means. There are two ways to interpret it:

 literally: without a name
 in computer science: we have seen that Bitcoin addresses are public key hashes and not
real identities. We can interpret anonymity as interacting without a real name or as
interacting without a name at all. In the case of Bitcoin the name is the Bitcoin address,
so we are interacting without a real name. In computer science this is not called
anonymity, but pseudonymity.
Even if the Bitcoin address is not literally anonymous, it is possible to generate a new address
for every transaction to be sent. So it is possible to use many pseudonyms. This leads
to some improvement, but we will see that it won't be completely anonymous either.

Anonymity in computer science

What are the requirements for anonymity in computer science? Anonymity
is pseudonymity together with unlinkability. Unlinkability means that a user can interact
with the system repeatedly and these different interactions can't be tied to each other, so an
adversary cannot collect useful information from them.

A useful example to distinguish between pure pseudonymity and unlinkability is forums. On
Reddit you pick a long-term pseudonym used for a period of time, and it won't be feasible to
change it for every post. On 4chan, by contrast, it is possible to make posts with no attribution at all.
So the latter provides full anonymity.

The situation is similar for Bitcoin. Mere pseudonymity is not enough if you want privacy. In
fact, it would be possible to reconstruct all of a pseudonym's interactions with the system.
So it would be possible to collect useful information about one's behavior and maybe also trace
back to the real identity.
The connection between a pseudonym and a real identity or profile could be possible because:

 Bitcoin businesses online, wallet services, exchanges and vendors in many cases require
your real-life identity in order to let you transact with them. If only one of your
transactions can be linked to you, so will all the others done with the same
pseudonym.
 even if the direct linkage can't be found from one transaction, a profile could
be built using side channels. For example, if the transactions coming from a
specific address happen only at certain times of the day and the same timing is used to
post on social networks, there could be a connection and a possibility to recover the real
identity.
Similar attacks have happened. So this is why the pseudonymous profile is
considered quite fragile.

Unlinkability in the Bitcoin context

Unlinkability in the Bitcoin context could have different meanings. It should be hard to link:

 different addresses of the same user together
 different transactions of the same user together
 the sender of a payment to its recipient
The last one could seem confusing, since a transaction has inputs and outputs that will
inevitably be saved publicly in the blockchain. So it could seem impossible to achieve, but one
idea is not to use a single transaction, but a circuitous route of transactions.
In this way the ultimate receiver could not be immediately linked to the real sender. Even so,
it could be possible to make some deductions, for example if there are many
transactions for the same amount in a short period of time that are sent repeatedly from one
address to another, before stopping.

Quantifying anonymity
Complete unlinkability between all addresses and transactions is really hard to achieve.
Instead we could try to maximise the size of our anonymity set. The anonymity set is the
size of the crowd of other addresses or transactions that we're trying to hide in. So if you can
be reasonably sure that, with respect to some adversary, there are a thousand other transactions
that look just like yours, the adversary can't tell which one was really yours.
To compute this anonymity set it's necessary to define your adversary model concretely. So
you have to know what information he can and cannot retrieve. There's no general formula
for doing this. It's necessary to analyze each protocol and system on a case-by-case
basis. In addition, you can make assumptions about how clever the adversary is, but that won't be
accurate information. So, in some cases, it would also be necessary to apply probability distributions
on top of the anonymity set.

Ethics of anonymity
In blockchain-based currencies all transactions are recorded on the public ledger; they're
public and permanently traceable. So, if your identity ever gets linked to these transactions,
the privacy level is much worse than what you get from a traditional bank. In fact, anyone
could retrieve all your transactions, not only some company or government.
So we want anonymity at least to obtain in cryptocurrencies the same level of privacy as in
traditional systems. Of course people hope that it can give us a higher level of privacy.

Risk of money laundering

One of the major concerns about Bitcoin anonymity is money laundering. This is a
legitimate worry. We wouldn't be in favour of studying the anonymity of cryptocurrencies
while ignoring the ethical aspect.
However, if we look at the current Bitcoin ecosystem, the difficulty of money laundering is
not only due to the lack of anonymity. In fact, the major difficulty is not in hiding large flows
of bitcoins, but flows from Bitcoin to fiat currency and back.

All the attempts at increasing Bitcoin anonymity don't make this last step easier, so there will
still be a guard against money laundering. In addition, one thing we could ask is: is it
possible to provide anonymity only in the case of "good usage" of Bitcoin? This is a very common
problem in computer security and privacy, but it never turns out to be possible, because uses
that we perceive as very different morally are almost the same from a technical point
of view.

Tor: anonymous communication network

The same dilemma was faced by Tor, an anonymous communication network.
Anonymous communication enables bad actions at least as much as anonymous cash flows
do.

Tor is a communication system that:

 routes messages between a sender and a receiver through a network of nodes
 through encryption, ensures that as long as some of the nodes in that network are
honest, the adversary is not able to link the sender to the receiver
Let's look at some activities, good and bad, that can happen on the Tor network.
Good, used by:

 ordinary people who want to protect themselves from being tracked online by marketers,
or to get various other privacy properties when browsing websites
 journalists, activists and dissidents, so as not to be identified
 law enforcement, since they want to be able to visit websites without revealing that their IP
address comes from a law enforcement block
Bad, used by:

 botnets to spread malware between nodes in the network
 child pornography
Distinguishing between these uses at a technical level is essentially impossible. So Tor has
grappled with this issue. In the end, society concluded that it's better for the world that
the technology exists than that it doesn't. In fact, one of the main funders of Tor is the US State
Department. They're interested in it because Tor helps dissidents in other countries who
might be fighting oppressive governments. Of course we have to remember that there is
a level above the technology that law enforcement can exploit: a variety of ways to get to
people who are using these systems for bad purposes.

Anonymous e-cash
Bitcoin is not the first case in which we face the concept of anonymous e-cash. Back
in 1982, the cryptographer David Chaum proposed something called blind signatures, which
helped him develop anonymous electronic cash.

Blind signatures are a two-party protocol in which two parties communicate with each other.
At the end of the communication, one party has produced a digital signature on some input
without knowing what that input is. It sounds like magic, but it's not that sophisticated at a
technical level if you look into the details.
Now, assuming that we have blind signatures, how can that help us achieve an electronic cash
protocol?

Imagine that there is a bank which stores various things in its database. In particular:

 a table mapping users to the balance of their account, which is just a plain
number saved in the database
 a table of spent coins
Protocol scheme
Suppose that a user now wants to withdraw an anonymous coin from the system:

 the bank receives the request and deducts the user's balance (e.g. it goes from $10 to $9)
 the bank and the user execute the two-party blind signature protocol. The user chooses a
random serial number for the coin and, at the end of the protocol, receives a signature on
this serial number. Using the blind signature, the bank signs it without knowing the serial
number, and the user ends up with a signed number that represents an anonymous token
 if the user (blue) wants to use the money to make a payment, he will send the receiving user (red) both the
signed token and the serial number
 the receiving user will immediately contact the bank and try to deposit this anonymous
coin. In fact, he can't be sure that the blue user is not trying to double spend until he
deposits the coin. Only if the coin turns out to be valid will the red user complete the
rest of the transaction (e.g. send some goods in exchange for the money)
 the bank receives the plain serial number and its signature, verifies that the signature is
valid and that a coin with that serial number doesn't appear in the list of spent ones.
Since the bank didn't see the serial number the first time, it doesn't know which user
initially withdrew the amount. In fact, it will have had many requests from different users
and cannot recognize this transaction among the others. That's the anonymity property: the
bank cannot link the two users.
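The withdraw, pay and deposit exchange above, as an added example that is not part of the original notes: a toy RSA blind-signature e-cash protocol in Python, where the bank signs a blinded hash of the coin's serial number at withdrawal, sees the serial only at deposit, and rejects any serial deposited twice. The RSA modulus is built from two small Mersenne primes purely for illustration and is far too small to be secure; the user names "blue" and "red" follow the notes.

```python
import hashlib
import math
import secrets

# Toy RSA key: two Mersenne primes, chosen for readability, not security.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private signing exponent


def coin_digest(serial: bytes) -> int:
    """Map a coin's serial number to the integer below N that gets signed."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)  # user -> plain balance (number of coins)
        self.spent = set()              # serial numbers already deposited

    def withdraw(self, user, blinded):
        """Deduct one coin and sign the blinded value; the serial stays hidden."""
        if self.balances.get(user, 0) < 1:
            raise ValueError("insufficient balance")
        self.balances[user] -= 1
        return pow(blinded, D, N)

    def deposit(self, user, serial, signature):
        """Credit the coin once: the signature must verify and the serial be new."""
        if pow(signature, E, N) != coin_digest(serial):
            return False                # forged or tampered token
        if serial in self.spent:
            return False                # double-spend attempt
        self.spent.add(serial)
        self.balances[user] = self.balances.get(user, 0) + 1
        return True


def withdraw_coin(bank, user):
    """User side of the blind-signature protocol: returns (serial, signature)."""
    serial = secrets.token_bytes(16)          # random serial number for the coin
    while True:
        r = secrets.randbelow(N - 2) + 2      # blinding factor, coprime with N
        if math.gcd(r, N) == 1:
            break
    blinded = (coin_digest(serial) * pow(r, E, N)) % N
    blind_sig = bank.withdraw(user, blinded)          # bank signs m * r^E
    signature = (blind_sig * pow(r, -1, N)) % N       # (m r^E)^D * r^-1 = m^D
    return serial, signature


def run_protocol():
    """Blue withdraws a coin and pays red; red deposits it, then tries again."""
    bank = Bank({"blue": 10})
    serial, sig = withdraw_coin(bank, "blue")
    first = bank.deposit("red", serial, sig)          # valid: accepted
    second = bank.deposit("red", serial, sig)         # same serial: rejected
    return bank.balances["blue"], bank.balances["red"], first, second


if __name__ == "__main__":
    print(run_protocol())   # (9, 1, True, False)
```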

Difference with the Bitcoin protocol

This seems to be a trust model that's very different from the model Bitcoin operates under.
Most traditional cryptography research on anonymous e-cash followed this model, where the
bank can be trusted to keep the money, but not for anonymity. Looking
back at Bitcoin's history, it seems that people gave much more importance to
decentralization. So people were willing to accept only a sort of pseudonymity property in
order to have a decentralized system, and to start working on anonymity improvements only as a
second step.
Generally anonymity and decentralization are in conflict with each other, as we will see
in more detail in the following lectures. There are at least a couple of reasons for this:

 often, for anonymity, it is necessary to rely on certain interactive protocols with the bank
in order to do some blinding (e.g. blind signatures). It's not clear whether something like that
could be possible without a central authority
 even if it were possible to obtain blinding in a decentralized system, there's still the
problem that in order to decentralize and still get security properties like resistance to
double spending, often the way to go is to record and trace everything in a public ledger.
This further compromises the anonymity and privacy properties

How to de-anonymize Bitcoin

De-anonymizing Bitcoin transactions can be challenging due to its pseudonymous nature. While
Bitcoin does not directly reveal personal identities, it records all transactions publicly on the
blockchain. By analyzing these public records and combining them with external information,
individuals or entities can attempt to de-anonymize Bitcoin transactions.

Key Methods of Bitcoin De-Anonymization

1. Blockchain Analysis

 Address Clustering: Identifying groups of addresses that likely belong to the same entity by
analyzing patterns like:
o Input and output addresses in transactions (e.g., if multiple input addresses are used in a
single transaction, they may belong to the same user).
o Change address detection (tracking "leftover" funds sent back to the sender).
 Transaction Graph Analysis: Mapping and analyzing the flow of transactions between
addresses to identify patterns and links between entities.

2. Network-Level Analysis

 IP Address Tracking: Monitoring the IP addresses of nodes broadcasting Bitcoin transactions.
This can help trace transactions back to their origin.
 Timing Analysis: Observing the timing and propagation of transactions across the network to
identify the source node.

3. Off-Blockchain Data Correlation

 Exchange and Service Records: Identifying users by linking Bitcoin addresses to accounts on
exchanges, wallets, or online services that require identity verification (KYC/AML).
 Payment Metadata: Information from payment processors or merchants accepting Bitcoin can
be tied to specific transactions.
 Social Media and Public Forums: Users may inadvertently reveal Bitcoin addresses in public
posts or profiles.

4. Dusting Attacks

 Small amounts of Bitcoin (called "dust") are sent to a target address. If the dust is later spent in a
transaction, it can link multiple addresses and help reveal the identity of the wallet owner.

5. Machine Learning and Artificial Intelligence

 Advanced algorithms can analyze transaction patterns, clustering, and behavioral data to identify
and track users more effectively.

6. Collaborating with Intermediaries

 Law enforcement or researchers often work with exchanges, custodial wallets, or payment
processors to obtain user identity information linked to Bitcoin transactions.

7. Using Heuristics

 Applying specific rules or assumptions, such as:
o Identifying common practices (e.g., how change addresses are used).
o Tracking transactions with unique or rare patterns.
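As an added example (not the notes' own code, run on constructed sample data rather than real chain records), this Python code applies the multi-input clustering of method 1 and a change-address rule of the kind listed under method 7 to a handful of transactions, and shows how they merge one wallet's addresses into a single cluster while a payment to an already-seen address does not merge the two wallets. The change rule is deliberately simplified and misfires whenever a genuine payment goes to a fresh address for a non-round amount, which is why analysts treat such clusters as probabilistic, not proven.

```python
from collections import defaultdict

# Constructed sample transactions, not real chain data. Amounts are in
# satoshi; "M*" are merchant addresses, "A*" and "B*" belong to two wallets.
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": [("M1", 50_000_000), ("A3", 12_345_678)]},
    {"inputs": ["A3"],       "outputs": [("M2", 10_000_000), ("A4", 2_345_678)]},
    {"inputs": ["B1"],       "outputs": [("M1", 100_000_000)]},
    {"inputs": ["B2", "B3"], "outputs": [("A1", 30_000_000), ("B4", 11_111_111)]},
]


class UnionFind:
    """Minimal disjoint-set structure over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def likely_change(tx, seen):
    """Simplified change heuristic: with exactly two outputs, the never-seen
    address receiving a non-round amount is taken to be the sender's change.
    Returns None when the pattern is ambiguous."""
    if len(tx["outputs"]) != 2:
        return None
    fresh = [addr for addr, amt in tx["outputs"]
             if addr not in seen and amt % 1_000_000 != 0]
    round_ = [addr for addr, amt in tx["outputs"] if amt % 1_000_000 == 0]
    return fresh[0] if len(fresh) == 1 and len(round_) == 1 else None


def cluster_addresses(txs):
    """Multi-input heuristic (all inputs of a transaction share an owner) plus
    the change heuristic; returns the resulting set of address clusters."""
    uf, seen = UnionFind(), set()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"]:
            uf.union(addr, first)          # every input was signed by one owner
        change = likely_change(tx, seen)
        if change:
            uf.union(change, first)        # change goes back to that owner
        for addr, _ in tx["outputs"]:
            uf.find(addr)                  # register recipients as singletons
        seen.update(tx["inputs"])
        seen.update(addr for addr, _ in tx["outputs"])
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}


if __name__ == "__main__":
    for cluster in sorted(cluster_addresses(SAMPLE_TXS), key=sorted):
        print(sorted(cluster))
```

Note that A1 receiving a payment in the last transaction does not pull the B addresses into the A cluster, because receiving funds says nothing about who controls the key.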

Tools and Platforms for De-Anonymization

Several blockchain analysis tools and platforms are used by law enforcement, regulators, and
private organizations, such as:

 Chainalysis
 Elliptic
 CipherTrace
 Crystal Blockchain

These platforms use a combination of clustering, analytics, and data aggregation to trace
transactions and identify participants.

Challenges in De-Anonymization

 Mixers and Tumblers: Services that mix funds from multiple users to obscure transaction trails.
 Privacy Coins and Techniques: Users might employ privacy-enhancing technologies like
CoinJoin or switch to privacy-focused cryptocurrencies (e.g., Monero or Zcash).
 Address Reuse: Best practices discourage reusing addresses, which complicates linking
transactions to a single entity.

Ethical and Legal Considerations

De-anonymization efforts must respect privacy rights and comply with laws and regulations.
Unauthorized tracking or revealing of identities may breach privacy laws and ethical guidelines.
These methods are primarily used by law enforcement or regulatory bodies in criminal
investigations, such as tracking illicit activities like money laundering or ransomware payments.
