Version 0.1 (31 May 2014) by Michael_S (bitcointalk.

org) OpenPGP KeyID=0xCC7E7C99

Why CoinJoin, as Used in DarkCoin,
does NOT bring Full Anonymity
A Clarification
Abstract
Unlike widely claimed, it is shown that CoinJoin is not fully anonymous. We prove this by a simple
example.
Hence, the claim CoinJoin (or DarkCoin) provides full anonymity is proven wrong.
Users of crypto-currencies must be educated to be aware that solely using CoinJoin (as used
e.g. in DarkCoin) does not guarantee anonymity at all.
Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [1 of 4]
Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99
1. The Counter-Example (to Prove that CoinJoin is not Fully
Anonymous)
Legend: Meaning of symbols in the following diagrams:
We assume that the following transactions are observable in the blockchain:
Transaction 1:
Transaction 2:
Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [2 of 4]
l0
l0
Al0
Al3 l0
Al4
CoinJoin
Pool:
30
l Al5
9 Al6
2 Al7
8 Al8
3 Al9
7 A20
ll0 Al
Address "Al" with ll0 coins
Normal transaction
CoinJoin transaction
ll0
l30
Al
A2 l20
A3
l0 Al0
20 All
30 Al2
CoinJoin
Pool:
300
l0 A4
90 A5
20 A6
80 A7
30 A8
70 A9
Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99
Transaction 3:
2. Analysis of the Transactions
Let's assume that Address A1 (compare Transaction 1) is known to be an address that has been
used for illegal activities.
Let's further assume that Address A21 belongs to a merchant that bills 25 coins to a customer,
and Transaction 3 shows this payment.
Question: Can the merchant (or an institution that has access to the payment data of this
merchant) find out by blockchain analysis if the payer of this bill is involved in illegal activities?
Answer: Let's try to find out (in reality, this task would of course be performed by a powerful
computer, but we will do it manually here for the sake of illustration):
The payer of Transaction 3 used two inputs, Addresses A6 and A18.
Both A6 and A18 are outputs of a previous CoinJoin transaction (compare Transactions 1
and 2), so at first glance one would think that it is not possible to track back the money
flows. But we'll try anyway...:
We track back Address A18: From Transaction 2 (readable in the blockchain) we see that the
funds of A18 stem from EITHER A10 OR A13 OR A14 we cannot say for sure, but we know
that at least one of them is the earlier owner of the money of A18.
We track back Address A6: From Transaction 1 (readable in the blockchain) we see that the
funds of A6 stem from EITHER A1 OR A2 OR A3 we cannot say for sure, but we know that
at least one of them is the earlier owner of the money of A6.
Looking further at Transaction 1, we see that A10 is a transaction output of input A1.
In other words: It is very likely that the owner of A10 is the same as the owner of A1.
This even more so, as the owner of A6 & A18 is provably the same person, and these
addresses can be tracked back to A1 and A10 respectively.
Hence it is very likely that the owner of A6 and A18 (i.e. the payer of the merchant's bill) is
also the owner of A1 and A10.
Hence there is strong evidence that the payer of the merchant bill to A21 is involved in
illegal activities in connection with Address A1.
The evidence is not 100% of course, but very strong. It is theoretically possible, but highly unlikely,
that the payer's wallet (A6 and A18) is connected to Address A1 in two different ways (first directly
via Transaction 1, and secondly via A10 and Transaction 2) by pure coincidence.
Hence, there is sufficiently strong evidence and justification to trigger deeper real-world
investigations in the direction of the payer of merchant bill A21.
Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [3 of 4]
20
8
A6
Al8
25
3
A2l
A22
Amount to pay
Change
Version 0.1 (31 May 2014) by Michael_S (bitcointalk.org) OpenPGP KeyID=0xCC7E7C99
2.1 Alternative without CoinJoin
Remember that also with normal blockchain transactions over multiple stages we can not reach
100% evidence that owners of different addresses are the same person, but similarly as
demonstrated above, also here we can get strong evidence.
This is illustrated by a corresponding example:
Transactions (alternative):
In this case, Address A1 is first split to A10 and A96. Theoretically, there is no 100% proof that any
of these two addresses belong to the same person as A1.
In the next step, A10 and A96 are further split to other addresses. This step could be repeated
many times of course not shown above to keep illustration simple.
Finally, A6 and A18 are the input to the same Transaction 3, hence A6 and A18 must belong to the
same person.
Theoretically, the payer of Transaction 3 and owner of A6 & A18 could argue that he isn't the owner
of neither A10 nor A96, and that it is pure coincidence that he received the funds from A10 and A96
into A18 and A6. Theoretically, the owners of A1, A10 and A96 and the payer of Transaction 3
(=owner of A6 & A18) could all be different persons. Just the probability for this is very low.
So, after all, the situation is very similar to the CoinJoin scenario.
3. Conclusion
It has been shown that the notion of CoinJoin bringing full anonymity is a fallacy.
Instead, CoinJoin, as used in DarkCoin, does not prevent blockchain analysis and tracking back
payments to derive probabilities of persons being owners of certain addresses.
Users of crypto-currencies must be educated to be aware that solely using CoinJoin (as used
e.g. in DarkCoin) does not guarantee anonymity at all.
Donations welcome: 1MichaS16UMKFgNjanKrtfD51HpBkqPAwD [4 of 4]
Transaction 3
ll0 Al
l0
l00
Al0
A96
80 A98
20 A6
8 Al8
2 A97
A2l
A22 3
25
Transaction l
Transaction 2a
Transaction 2b