A few weeks ago I was asked by the crypto community to do a review of the Pinkcoin anonymous implementation which has since been rebranded as the Pink Entanglement Engine (PinkEE). This request came shortly after I did a codebase and block chain audit for the same coin (https://twitter.com/jyap/status/472468458240630784). Pinkcoin has since put out a whitepaper for their anonymous implementation (https://twitter.com/Pinkcoin_/status/479745535197589508).
I was reluctant to do the review as there are lots of interpretations of what is “anonymous”. Unlike code or block chain rewards, there is no black or white. It is difficult terrain as Bitcoin and the block chain are designed around the concept of an open ledger. All transactions are open to inspection and can be mapped. The best that can be achieved is a good level of obfuscation since all transactions need to be valid for them to exist.
The overall crypto scene has recently latched onto the term “anonymous”. This term varies from coin to coin and as such correlations between different implementations can be hard to find or properly compare. If we gave the analogy that coins are like a full outfit of clothes then the anonymous feature of one coin is a hat, for another coin it’s pants and for another it’s shoes.
In researching this I read approximately 20 whitepapers of varying degrees of length and description. I also read numerous forum posts and related articles. Some whitepapers such as the one for Cryptcoin and their CryptCast technology were very ambiguous. Their whitepaper is entitled “CryptCast: Decentralized, Anonymous Transactions via Public/Private Key Broadcasting”. After reading it, it looks like it (deliberately?) confuses the term “Anonymous Transactions” with what they are actually using, which can be described as secure messaging. Bitcoin works on the principle of a gossip protocol to broadcast transactions, so the transactions can’t be anonymous or sent directly to a peer over a defined network channel. A better name would have been “CryptCast: The Negotiation of Common Transactions via Secured Messaging”.
The first thing I asked the Pinkcoin team to do was to outline the main points of what their PinkEE implementation achieved. This would give me a definition to go by.
Here are the 5 design goals they came up with (please read the 19 page whitepaper for more detailed information):
1. NEVER CREATE A DIRECT LINK BETWEEN THE SENDING AND RECEIVING ADDRESSES IN THE BLOCK CHAIN.
2. LEAVE AS LITTLE EVIDENCE AS POSSIBLE THAT AN ANONYMOUS TRANSACTION HAPPENED IN THE FIRST PLACE.
3. PROCESS TRANSACTIONS QUICKLY.
4. KEEP THE ANONYMOUS INTERFACE AS SIMPLE AS POSSIBLE.
5. AVOID ANY SOLUTION THAT WOULD REQUIRE A HARD FORK.
PinkEE differs from some implementations such as Darkcoin’s Darksend in that it does not combine sent transactions with those of other sending parties. These kinds of “CoinJoin” systems need to make sure they have sufficient randomness in their parameters such that a distinct fingerprint based on the mixing system cannot be derived. If a system always combines exactly 3 transactions and outputs to 3 addresses over 3 blocks, then you have a potential problem where anonymous transactions could be extracted from the block chain in a predictable fashion. In fact, systems which offer increased cycles of mixing over several blocks may actually increase the evidence of anonymous transactions by leaving a larger footprint over which fingerprint traits could be found.
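The fingerprint problem described above, as an added example that is not part of the original review or of any coin's code: it classifies transactions by shape and measures how cleanly shape alone separates them from everyday payments. The sample chain, the fixed 3-in/3-out mixer and the payment-like "blended" transfers are all constructed assumptions.

```python
from collections import Counter

def shape(tx):
    """Structural fingerprint: (input count, output count, all outputs equal)."""
    _txid, inputs, outputs = tx
    return (len(inputs), len(outputs), len(set(outputs)) == 1)

def shape_census(chain):
    """How many transactions on the chain share each shape."""
    return Counter(shape(tx) for tx in chain)

def flag(chain, target_shape):
    """Txids an observer would pull out by matching on shape alone."""
    return [tx[0] for tx in chain if shape(tx) == target_shape]

def precision_recall(flagged, truth):
    hits = len(set(flagged) & set(truth))
    return (hits / len(flagged) if flagged else 0.0,
            hits / len(truth) if truth else 0.0)

# Constructed sample data, not real chain data; fees are ignored.
# Each tuple is (txid, input amounts, output amounts).
ORDINARY = [
    ("pay-1", [120.0], [75.5, 44.5]),
    ("pay-2", [40.0, 22.0], [60.0, 2.0]),
    ("pay-3", [300.0], [299.0, 1.0]),
    ("pay-4", [15.0], [15.0]),
    ("pay-5", [80.0, 5.0], [50.0, 35.0]),
]
# Assumed mixer with fixed parameters: always 3 inputs and 3 equal outputs.
FIXED_MIX = [
    ("mix-1", [100.0] * 3, [100.0] * 3),
    ("mix-2", [50.0] * 3, [50.0] * 3),
]
# Assumed transfers shaped like an everyday payment plus change.
BLENDED = [
    ("blend-1", [200.0], [130.0, 70.0]),
    ("blend-2", [64.0], [60.0, 4.0]),
]

def compare():
    """(precision, recall) of shape matching against each design."""
    fixed = precision_recall(flag(ORDINARY + FIXED_MIX, (3, 3, True)),
                             [tx[0] for tx in FIXED_MIX])
    blended = precision_recall(flag(ORDINARY + BLENDED, (1, 2, False)),
                               [tx[0] for tx in BLENDED])
    return fixed, blended

if __name__ == "__main__":
    print(shape_census(ORDINARY + FIXED_MIX))
    print(compare())
```

Matching on the fixed shape isolates both mixer transactions with no false positives, while the payment-like shape also matches two ordinary payments, so the observer is left guessing.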
Rather than combine transactions, PinkEE attempts to masquerade as common everyday transactions. An important distinction is that coins are not mixed and combined, but are REALLOCATED. Where possible, exact coin amounts are used in PinkEE wallets when they are reallocated and used for anonymous transfers. This avoids the “fingerprint” issue which can be found in mixing systems. No division of coin wallets is performed unless absolutely necessary.
PinkEE also does not enforce a send amount, the maximum amount being 500,000 PINK. I did originally think of a way to flush out all of the coins in the anonymous wallet by sending through large transactions close to the maximum amount multiple times. Though no particular individual could be targeted, this would lead to an eventual wallet that could be monitored for activity. With my recommendation, the verbiage was added to have a recommendation to “send less than 50,000 PINK at any one time” so that enough coin entropy and random amounts were in the anonymous wallets.
When using coin exchanges we are largely dealing with trades which happen off the block chain (they exist only in exchange databases). Coins only hit the block chain at the edges when they are withdrawn or deposited. If an exchange happens to disappear or purges its own internal transaction history then the evidence linking a buy/sell trade is effectively gone and non-existent. PinkEE achieves something similar by using a memory-based lookup table to hold details about senders and receivers. When an anonymous transaction is completed, the temporary links are removed from memory. This is an ideal situation as it means no confirmed or recorded link between a sender and receiver can be proven.
I ran some tests on several occasions which back up the claims that PinkEE anonymous transactions blend in with other transactions quite well. It has a good level of obfuscation such that guesswork is required to derive a link between the original sender and receiver. The PinkEE system as described in their whitepaper could easily be implemented for other coins without much need for modifications.