So we've talked a lot about Bitcoin's anonymity in this lecture. But Bitcoin's anonymity becomes even more powerful when combined with other technologies, in particular, anonymous communication technologies. We've talked about Tor a little bit. We've alluded to it several times. But now let's go into more detail.
Let's first set up the problem of anonymous communication, though. So, this is what the system looks like. There are a bunch of senders. There are a bunch of recipients. And messages are routed from senders to recipients through this network over here. And of course there is gonna be an attacker. This attacker, and this is called a threat model, the attacker controls several things. Some of these nodes in red are compromised by the attacker. Some of these edges, some of these links from these nodes to the network, are also controlled by the attacker, even if the nodes themselves are not. Similarly some of the recipient nodes over here, and some of these links from the network to the recipient node, are also controlled by the attacker, and finally some of the internal nodes of the anonymous communication network. All under the control of the attacker, but crucially not all of the communication network is controlled by the attacker. And we want to achieve anonymity in this hostile environment. And as before, anonymity refers to unlinkability between the sender and the receiver.
So how does Tor accomplish this? It's the same old pattern of picking a chain of intermediaries to route your messages through, and here it is in a nice visual form. I have to thank the Electronic Frontier Foundation for this slide. So what's going on? Alice over here wants to talk to Bob over here. So she pre-selects a path through this set of routers. And that number is fixed in the Tor protocol, it's always three. But conceptually you can imagine that it would be any number you want. And the more nodes you run through, the more anonymity you get.
Or the harder it is, I should say, to breach anonymity. So these nodes denoted with a plus are all the Tor nodes. And she picks some subset of three nodes randomly in order to route her message. And the security property that we get is that as long as at least one of these three nodes that she picks is not compromised or colluding with the attacker, then she is sort of safe here. In that Alice cannot be linked to Bob by somebody who's observing some of the nodes in the network.
I should say that there are many attacks possible on Tor. One of them, for example, is called an end-to-end traffic correlation attack. So there are gonna be timing patterns in the flow of traffic between Alice and whatever Bob is, maybe a website. And so if the attacker controls both of these links, then just by observing the correlation in those timing patterns he might be able to determine that these two nodes are in communication with each other, even if he knows nothing about the route that the message took between them.
So one key point here is how do you hide routing information? What do I mean by that? When a message is going from Alice to the first router, it has to have the IP address of Bob's computer somewhere in that message. Otherwise, there is no way that this router can appropriately forward that on to reach the right destination. However, we don't want this router to actually learn that IP address. Because if the router does learn that IP address, then it knows both Alice's IP, because the message came from her, and Bob's IP, because that's where the message is eventually going. And now this router has the link between the two ends of the communication. Now this would be a problem if this router were malicious. So, as you might guess, the answer involves encryption. And as you can see in this picture, these links here in green, they're encrypted connections and this one is an unencrypted connection. Let's look in more detail to see how this encryption works.
It's a specific way in which encryption is used, it's called layered encryption. It resembles an onion, so that's why onion routing is a related concept here. So what is going on here? Alice and router one share a symmetric key. That's represented in purple. Alice and router two share this key that's represented in blue, and Alice and router three share the key that's represented in gold. Now these symmetric keys are not stored long-term by any of these nodes. They're established as necessary using key exchange. The only persistent keys are the long-term public keys of these routers. And these routers do in fact have long-lived identities and public keys and so on. Alice, of course, does not need to have any long-term public key. When she picks a path of these routers, she finds their public keys, executes key exchange protocols, and obtains these shared symmetric keys.
And what she's gonna do is, when she sends the message to R1, it's going to be triply encrypted. The outermost layer of encryption is a symmetric encryption between Alice and R1, and so what this allows R1 to do is peel off that layer of encryption like peeling off an onion. And when router one peels off that layer of encryption, inside it's going to find the IP address of router two and an encrypted message to send to router two. And it's going to forward that. Router two peels off a further layer of encryption and then to router three for another layer of encryption. Now, the message is unencrypted, consisting of the plain text message, as well as Bob's IP address. And so router three now sends that message in plain text to Bob. Of course, what you probably want to do is further layer a protocol like HTTPS or secure web browsing on top of Tor so that even this message from router three to Bob is encrypted. But the Tor protocol itself doesn't guarantee that.
There's no way of guaranteeing that because Bob might be a regular web server that doesn't even speak the Tor protocol, and so there's no way that Tor can be responsible for the encryption between R3, which is called the exit node, and the ultimate recipient of the message. I'll leave you to think about why this wouldn't quite work if there were only one layer of encryption. For example, if Alice tried to encrypt the message all the way from her to R3, it wouldn't quite work. The routing would not quite work out. But as it is, the very neat property that you have is that R1 only knows Alice's IP address and R2's address, does not know R3's or Bob's address. And similarly every node knows only the addresses of the node that was one hop before it and one hop after it. And in fact when the message gets to this point, the IP address of Alice is not even present anymore, whether or not in encrypted form. So, that's really how you get anonymity here, and if any one of these, if R2 for example were compromised, then it would learn R1's and R3's addresses but not Alice's or Bob's. So, that's how Tor works.
And now let's talk about Silk Road, and in particular the problem that a site like Silk Road has to overcome is this: Silk Road is what is known as a hidden service. In other words, the Silk Road server wants to hide its address, for obvious reasons. If you haven't heard about Silk Road, let me just say a sentence about it briefly. You're gonna see it in more detail in the next lecture. Silk Road was a website that operated for a couple of years. It was an anonymous marketplace that sold a variety of goods, but the thing that it was most known for is selling drugs, and because of the pervasive anonymity or at least pseudonymity in the system, the idea was it was very hard for law enforcement to go after. And the story of what happened next I will leave to the next lecture.
But let's look at the technology that made something like Silk Road possible and the implications of that. So here is a simplified algorithm by which a server can keep its identity hidden and yet provide services through Tor. What it does is it connects to what is called the rendezvous point, which is one of the Tor routers, through Tor. And then what it's going to do is it's going to publish the mapping between its name and its domain name and the address of the rendezvous point through directory services that the Tor system offers. And these domain names are not your regular DNS domain names. That wouldn't work because it's this whole parallel system of routing. So these are called onion addresses, and they're gonna look like this: long string.onion. Notice that it looks a lot like Bitcoin public keys, and it's for sort of the same reasons. It's because anyone can generate one of these.
And now the client will have to learn the onion address of the site that it wants to visit. When the Silk Road existed, if you wanted to go to Silk Road, you couldn't type in silkroad.com, that wouldn't make any sense because Silk Road is not even available over the regular web. Instead you would have to, through some manner, and this was a widely known address, you would have to find it. This is not Silk Road's address by the way, this is the onion address of DuckDuckGo, a search engine that offers privacy and anonymity. But you would find a similar address that belonged to Silk Road and put that into your Tor-enabled browser. And then what your client would automatically do is look up the mapping for the address of the rendezvous point, connect to that rendezvous point, and through that rendezvous point, have an anonymous and encrypted connection to the ultimate server, without the server having to publish its actual IP address. So that covers some of the technology behind Silk Road.
In particular anonymous communication, and how do you do anonymous payments, which is of course with Bitcoin. But still you need more technology in order to make this whole system work. You need security, in other words how can you be sure that when you pay someone on Silk Road they're going to actually sell you the goods? Silk Road had a reputation system for that. And how do you do anonymous shipping? The site pretty much left this to the participants and advised buyers to provide an anonymous PO Box, for example, to ship goods to.
So let's take a step back. We've covered a lot of technology in this lecture. Hopefully you've understood that Bitcoin anonymity is a very powerful thing. And it gains in power when combined with other technologies, in particular anonymous communication technologies. And also anonymity is a deeply, morally ambiguous thing. There are many moral distinctions that we would like to make that we're not able to adequately express at the technological level. And so, some of that moral ambiguity appears to be inherent. Hopefully it's also been clear that anonymity is very fragile. One mistake can create a link that you're trying to hide. But also anonymity is an important thing to protect. It's worthwhile protecting; it has a lot of good uses in addition to bad uses.
So most of the things that we've talked about today are either at the forefront of research technologically, or they're a topic of serious ethical debates. None of this is really settled, and so this is an ongoing conversation, an area of ongoing research. We don't know which anonymity system for Bitcoin, if any, is going to become prominent or mainstream. And so this is a great opportunity for you, either as a developer or in thinking through the ethical implications, to get involved in some of these issues. And hopefully what you've learned in this lecture has given you the right background for that.
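The layered encryption described in the lecture, as an added example that is not part of the lecture itself: Alice wraps a message in three layers and each router peels one, learning only the next hop. The toy cipher, the router names R1 to R3, the address `bob.example:80`, and the random keys standing in for key-exchange results are all assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

# Toy authenticated cipher (SHA-256 keystream + HMAC tag): a stand-in for
# illustration only, not Tor's real cell encryption and not for production.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified layer")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def build_onion(path, dest, message):
    """Alice: wrap message once per router, innermost layer first (R3, R2, R1)."""
    next_hops = [addr for addr, _ in path[1:]] + [dest]
    blob = message
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = seal(key, layer)
    return blob

def peel(key, blob):
    """A router: remove one layer, learning only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, onion):
    """Pass the onion along the path; record what each router learns."""
    learned, blob = [], onion
    for addr, key in path:
        nxt, blob = peel(key, blob)
        learned.append((addr, nxt))
    return learned, blob

# Constructed sample: random keys stand in for the key-exchange results.
PATH = [(name, secrets.token_bytes(32)) for name in ("R1", "R2", "R3")]

if __name__ == "__main__":
    onion = build_onion(PATH, "bob.example:80", b"hello Bob")
    learned, delivered = route(PATH, onion)
    print(learned)     # each router's view: (itself, next hop)
    print(delivered)   # plaintext leaves the exit node unless HTTPS is layered on top
```

Only R3's layer names Bob, and a router holding the wrong key cannot open a layer meant for another router.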