Toward Unlinkable Bitcoin Transactions

The appearance of Bitcoin in 2009[Nak09] has enabled the trustless transfer of funds by means of a publically verifiable distributed ledger. However, this ledger exposes all transactions, resulting in extremely poor privacy for Bitcoin users. In this paper, we describe some new technologies that would reduce the amount of publically inferrable information on the Bitcoin blockchain. We start with the selectively-linkable ring signatures first proposed in CryptoNote[vS13], and introduce modifications to (a) allow signatures by multisigner sets who satisfy arbitrary threshold circuits, such that the resulting signatures are indistinguishable from ordinary single-party ones; (b) combine signatures for multiple outputs to compress transactions. We also introduce a novel mechanism for output value hiding, which allows an output of size N to be plausibly included in a ring signature for inputs whose sizes are any M ≤ N . Finally, we describe a mechanism for using one-way aggregatable signatures [Mou13] to remove the linking between inputs and outputs within a block, and introduce an improved version of this scheme which greatly improves efficiency by eliminating the need for bilinear groups. The cost is a minor trust requirement on miners to not reveal the original input/output mappings. ∗[email protected] †[email protected]