Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99

Why CoinJoin, as Used in DarkCoin,

does NOT bring Full Anonymity

A Clarification

Abstract

Unlike widely claimed, it is shown that CoinJoin is not fully anonymous. We prove this by a simpleexample.

Hence, the claim “CoinJoin (or DarkCoin) provides full anonymity” is proven wrong.

Users of crypto-currencies must be educated to be aware that solely using CoinJoin (as usede.g. in DarkCoin) does not guarantee anonymity at all.

Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [1 of 4]

Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99

1. The Counter-Example (to Prove that CoinJoin is not FullyAnonymous)

Legend: Meaning of symbols in the following diagrams:

We assume that the following transactions are observable in the blockchain:

Transaction 1:

Transaction 2:

Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [2 of 4]

10

10

A10

A13 10

A14

CoinJoinPool:

30

1A15

9A16

2A17

8A18

3A19

7A20

110A1 Address "A1" with 110 coins

Normal transaction

CoinJoin transaction

110

130

A1

A2 120

A3

10A10

20A11

30A12

CoinJoinPool:300

10A4

90A5

20A6

80A7

30A8

70A9

Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99

Transaction 3:

2. Analysis of the Transactions� Let's assume that Address A1 (compare Transaction 1) is known to be an address that has been

used for illegal activities.

� Let's further assume that Address A21 belongs to a merchant that bills 25 coins to a customer,and Transaction 3 shows this payment.

Question: Can the merchant (or an institution that has access to the payment data of thismerchant) find out by blockchain analysis if the payer of this bill is involved in illegal activities?

Answer: Let's try to find out (in reality, this task would of course be performed by a powerfulcomputer, but we will do it “manually” here for the sake of illustration):

� The payer of Transaction 3 used two inputs, Addresses A6 and A18.

� Both A6 and A18 are outputs of a previous CoinJoin transaction (compare Transactions 1and 2), so at first glance one would think that it is not possible to track back the moneyflows. But we'll try anyway...:

� We track back Address A18: From Transaction 2 (readable in the blockchain) we see that thefunds of A18 stem from EITHER A10 OR A13 OR A14 – we cannot say for sure, but we knowthat at least one of them is the earlier owner of the money of A18.

� We track back Address A6: From Transaction 1 (readable in the blockchain) we see that thefunds of A6 stem from EITHER A1 OR A2 OR A3 – we cannot say for sure, but we know thatat least one of them is the earlier owner of the money of A6.

� Looking further at Transaction 1, we see that A10 is a transaction output of input A1.

� In other words: It is very likely that the owner of A10 is the same as the owner of A1.

� This even more so, as the owner of A6 & A18 is provably the same person, and theseaddresses can be tracked back to A1 and A10 respectively.

� Hence it is very likely that the owner of A6 and A18 (i.e. the payer of the merchant's bill) isalso the owner of A1 and A10.

� Hence there is strong evidence that the payer of the merchant bill to A21 is involved inillegal activities in connection with Address A1.

The evidence is not 100% of course, but very strong. It is theoretically possible, but highly unlikely,that the payer's wallet (A6 and A18) is connected to Address A1 in two different ways (first directlyvia Transaction 1, and secondly via A10 and Transaction 2) by pure coincidence.

Hence, there is sufficiently strong evidence and justification to trigger deeper real-worldinvestigations in the direction of the payer of merchant bill A21.

Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [3 of 4]

20

8

A6

A18

25

3

A21

A22

Amount to pay

Change

Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99

2.1 Alternative without CoinJoinRemember that also with “normal” blockchain transactions over multiple stages we can not reach100% evidence that owners of different addresses are the same person, but similarly asdemonstrated above, also here we can get strong evidence.

This is illustrated by a corresponding example:

Transactions (alternative):

In this case, Address A1 is first split to A10 and A96. Theoretically, there is no 100% proof that anyof these two addresses belong to the same person as A1.

In the next step, A10 and A96 are further “split” to other addresses. This step could be repeatedmany times of course – not shown above to keep illustration simple.

Finally, A6 and A18 are the input to the same “Transaction 3”, hence A6 and A18 must belong to thesame person.

Theoretically, the payer of Transaction 3 and owner of A6 & A18 could argue that he isn't the ownerof neither A10 nor A96, and that it is pure coincidence that he received the funds from A10 and A96into A18 and A6. Theoretically, the owners of A1, A10 and A96 and the payer of Transaction 3(=owner of A6 & A18) could all be different persons. Just the probability for this is very low.

So, after all, the situation is very similar to the CoinJoin scenario.

3. ConclusionIt has been shown that the notion of CoinJoin bringing full anonymity is a fallacy.

Instead, CoinJoin, as used in DarkCoin, does not prevent blockchain analysis and tracking backpayments to derive probabilities of persons being owners of certain addresses.

Users of crypto-currencies must be educated to be aware that solely using CoinJoin (as usede.g. in DarkCoin) does not guarantee anonymity at all.

Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [4 of 4]

Transaction 3

110A1

10

100

A10

A96

80A98

20A6

8A18

2A97

A21

A22 3

25

Transaction 1

Transaction 2a

Transaction 2b