Unlinkability

This ensures that multiple transactions from the same user cannot be linked together on a public ledger. It breaks the deterministic link between a user's public address and their activity.

• Mechanism: Often uses stealth addresses (unique one-time addresses for each transaction) and coin mixing.
• Example: In Monero, a sender generates a unique, one-time stealth address for the recipient, making it impossible to link multiple payments to the same recipient's wallet.

This prevents an observer from determining which participant sent a transaction to which recipient, even if the transaction amounts are visible.

• Core Challenge: Hides the mapping between inputs (senders) and outputs (recipients) within a transaction.
• Implementation: Achieved through cryptographic techniques like Ring Confidential Transactions (RingCT) and zk-SNARKs, which allow a prover to validate a transaction without revealing the specific sender or receiver.

A strong form of unlinkability where transaction data or cryptographic outputs are computationally indistinguishable from random data. This prevents pattern analysis.

• Key Property: An adversary cannot differentiate between a valid privacy-preserving transaction and a random string of data.
• Application: zk-SNARK proofs and certain commitment schemes produce proofs and ciphertexts that appear random, offering semantic security.

Unlinkability is often quantified by the size of an anonymity set. This is the group of all possible entities (users, transactions) that could be the source of an observed action.

• Larger Set = Stronger Privacy: In a ring signature with 10 participants, the sender's anonymity set size is 10.
• Metric: The effectiveness of unlinkability mechanisms is measured by how effectively they enlarge and obfuscate the true user within this set.

It is crucial to distinguish unlinkability from confidentiality (secrecy of data). They are complementary but distinct privacy goals.

• Unlinkability: Hides relationships and metadata (who is talking to whom).
• Confidentiality: Hides the content itself (the transaction amount or message).
• Real-world Analogy: Confidentiality is an encrypted letter; unlinkability ensures the postman cannot tell if two letters came from the same house.

Unlinkability is not absolute and is defined within a specific threat model. It can be compromised by external data leaks or sophisticated analysis.

• Common Threats: Timing analysis, amount correlation, network-level surveillance, and wallet fingerprinting.
• Defense: Requires a holistic approach combining cryptographic protocols with network-layer protections like Dandelion++ or Tor to mitigate metadata leakage.

CoinJoin is a coordination-based method where multiple users combine their transactions into a single, larger transaction, obscuring which inputs correspond to which outputs.

• How it works: Users collaboratively sign a transaction that pools and redistributes funds, breaking the direct on-chain link.
• Examples: Wasabi Wallet and Samourai Wallet implement coordinated CoinJoin. Tornado Cash (on Ethereum) is a non-custodial mixer that uses a smart contract pool and ZKPs for stronger guarantees.

Network-layer privacy protocols like Dandelion++ aim to obscure the origin IP address of a transaction before it is broadcast to the peer-to-peer network, preventing spy nodes from linking a transaction to its source.

• Propagation Phases: A transaction is first passed anonymously in a "stem" phase through a line of peers, then diffused broadly in a "fluff" phase.
• Importance: Protects against transaction graph analysis that could deanonymize users by correlating transaction timing with network activity.

Differential privacy is a statistical technique that adds carefully calibrated noise to query results or published data, providing strong mathematical guarantees that the presence or absence of any single user's data cannot be determined.

• Use Case: While not common in core transaction protocols, it's used in blockchain analytics and data-sharing scenarios. For example, a network might publish aggregate statistics (e.g., total daily volume) without revealing individual user contributions.
• Guarantee: Ensures plausible deniability for any data point, enhancing systemic unlinkability.

Unlinkability ensures that multiple actions performed by a single user cannot be linked together by an external observer. This is distinct from anonymity, which hides the user's identity. In blockchain, this means an adversary should not be able to determine if two transactions originated from the same wallet or if a user interacted with multiple smart contracts in a related way. The goal is to break the transaction graph analysis that de-anonymizes users on transparent ledgers.

Several cryptographic and protocol-level techniques are employed:

• Zero-Knowledge Proofs (ZKPs): Protocols like zk-SNARKs (used by Zcash) allow transaction validation without revealing sender, receiver, or amount, severing the link between inputs and outputs.
• CoinJoin & Mixers: These protocols pool and shuffle funds from multiple users, making it computationally difficult to trace the path of individual coins.
• Stealth Addresses: Generate a unique, one-time address for each transaction sent to a recipient, preventing address reuse and linkage.
• Ring Signatures: Used in protocols like Monero, they allow a transaction to be signed by a group, making the actual signer indistinguishable from decoys.

Unlinkability can be compromised through various attacks:

• Timing Analysis: Correlating transactions based on when they are broadcast or confirmed.
• Amount Analysis: Linking transactions by unique or identifiable transaction amounts.
• Metadata Leakage: Information from IP addresses, wallet software fingerprints, or on-chain activity patterns outside the core protocol.
• Cluster Heuristics: Advanced chain analysis that uses leftover change outputs, common input ownership, and behavioral patterns to link addresses. Weak implementations of mixing protocols are particularly vulnerable to these clustering attacks.

These are related but distinct privacy properties:

• Anonymity: Hides the identity of the actor (who you are).
• Unlinkability: Hides the relationships between actions (that you did both this and that). A system can provide anonymity without unlinkability (e.g., a pseudonymous blockchain where all of a user's transactions are linked to their public key). True privacy often requires both. The failure of unlinkability is what enables the construction of detailed behavioral profiles from public ledger data.

Unlinkability is critical beyond simple payments. In decentralized finance (DeFi), it prevents front-running bots from identifying a user's full trading strategy across multiple protocols. In decentralized identity and voting systems, it ensures that a user's actions across different services cannot be aggregated to build a profile. Without unlinkability, the transparent and persistent nature of blockchain can lead to unprecedented levels of financial and personal surveillance.