
We are currently conducting research on wallet fingerprinting in Bitcoin. In this work, we delve into the way that several Bitcoin wallets construct and sign transactions, and we study the impact of those choices on the user’s privacy.
The objective
When a user wants to transact in Bitcoin, several devices communicate with one another to make that transaction possible. First, the user creates the transaction using his or her preferred software wallet, which is the computer or mobile application that retrieves their UTXOs and allows them to create transactions spending them. Then, once the transaction has been created, the software sends the unsigned, raw transaction to the user’s signing device. This can be achieved via USB or airgapped communication. The device then signs the transaction with the user’s private key and returns it to the software client. The software wallet then sends the signed transaction to its backend relay node, which is a program that retrieves transactions and broadcasts them to the network.
Users can connect to public nodes or set up their own for better privacy. The relay node then broadcasts the signed transaction to Bitcoin’s P2P network. The transaction remains in the mempool until a miner includes it in a block and mines it, at which point the transaction is included in the blockchain and is therefore confirmed.
Each element in this sequence of communications does its job in a particular way. This means that different wallets might create transactions with different details or fields, or may or may not allow particular behaviors, and different signing devices might perform signatures in various ways. All these differences are called fingerprints, and they can lead to identification of the users, or might be used as an address clustering heuristic. The aim of this study is to split the different fingerprints according to the elements responsible for them, so that users gain knowledge on how to improve their privacy.
Why study this topic?
One of the most important aspects of Bitcoin is that it allows for privacy that traditional payment systems do not allow. But if users do not follow best practices, their information might get disclosed and their transactions could get linked to their real identity. Knowing which wallets follow the best practices in terms of privacy and security is not trivial.
Our approach
We use an isolated test environment where we generate as many test transactions as we desire. Then, we ensure a stable configuration by splitting the variables into Software, Hardware and Relay Node, and we modify only one of these variables at a time before generating batches of test transactions, which we then analyze. We have finished the batches where the variable is the Hardware, and we are currently preparing the transaction batches where the variable is the Software.
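An added illustration of this one-variable-at-a-time comparison, not the study's own tooling: the Python example below parses raw transactions, extracts a few fields that the software wallet chooses, and reports only the features that are constant within each batch yet differ between two batches. The choice of features (version, locktime, nSequence with BIP125 signalling, BIP69 output ordering), the function names and the sample transactions are assumptions constructed for this example.

```python
import struct

def _varint(b, i):  # CompactSize integer at offset i -> (value, next offset)
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(b[i])
    if size is None:
        return b[i], i + 1
    return int.from_bytes(b[i + 1:i + 1 + size], "little"), i + 1 + size

def fingerprint(raw):
    """Extract wallet-chosen fields from a raw transaction (legacy or segwit framing)."""
    i = 6 if raw[4:6] == b"\x00\x01" else 4       # skip segwit marker/flag if present
    seqs, outs = [], []
    n_in, i = _varint(raw, i)
    for _ in range(n_in):
        slen, i = _varint(raw, i + 36)            # skip prev txid (32) + vout (4)
        seqs.append(int.from_bytes(raw[i + slen:i + slen + 4], "little"))
        i += slen + 4                             # skip scriptSig + nSequence
    n_out, i = _varint(raw, i)
    for _ in range(n_out):
        plen, j = _varint(raw, i + 8)             # 8-byte amount, then script length
        outs.append((int.from_bytes(raw[i:i + 8], "little"), raw[j:j + plen]))
        i = j + plen
    return {
        "version": int.from_bytes(raw[:4], "little"),
        "locktime_nonzero": raw[-4:] != bytes(4),
        "sequences": tuple(seqs),
        "signals_rbf": any(s < 0xfffffffe for s in seqs),  # BIP125 opt-in
        "bip69_outputs": outs == sorted(outs),              # amount, then script
    }

def distinguishing(batch_a, batch_b):
    """Features constant within each batch whose value differs between the batches."""
    fa, fb = [fingerprint(t) for t in batch_a], [fingerprint(t) for t in batch_b]
    cols = {k: ({f[k] for f in fa}, {f[k] for f in fb}) for k in fa[0]}
    return {k: (min(a), min(b)) for k, (a, b) in cols.items()
            if len(a) == len(b) == 1 and a != b}

def sample_tx(sequence, locktime, outputs, version=2):  # constructed unsigned tx
    tx = struct.pack("<I", version) + b"\x01" + b"\x11" * 32 + bytes(4) + b"\x00"
    tx += struct.pack("<I", sequence) + bytes([len(outputs)])
    for value, spk in outputs:
        tx += struct.pack("<Q", value) + bytes([len(spk)]) + spk
    return tx + struct.pack("<I", locktime)

P1, P2 = b"\x00\x14" + b"\xaa" * 20, b"\x00\x14" + b"\xbb" * 20  # constructed scripts
BATCH_A = [sample_tx(0xfffffffd, 840000, [(50000, P2), (30000, P1)]),
           sample_tx(0xfffffffd, 840001, [(30000, P1), (50000, P2)])]
BATCH_B = [sample_tx(0xffffffff, 0, [(30000, P1), (50000, P2)]),
           sample_tx(0xffffffff, 0, [(20000, P1), (70000, P2)])]
```

With these constructed batches, output ordering is not reported because it varies inside batch A, which shows why each configuration is compared as a batch rather than as a single transaction.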
Interested?
If you’d like to chat about this topic or know more details, or if you’re working on something similar and would like to collaborate, feel free to reach out at david.corral.urbano@uab.cat.