What exactly is the controversial MIT ChainAnchor in the Bitcoin community?

Based on the information provided to me, it looks like the MIT ChainAnchor project is in some way an attempt to get Bitcoin users to register with their real identities and tie their transactions to those identities. Initially this will be on an opt-in basis, but ChainAnchor looks to have a long-term plan to bribe and force miners to only process transactions from registered users, and eventually ban unregistered users altogether.

If ChainAnchor is fully applied to Bitcoin, everyone will first have to register with their real name. Transactions will be linked to identities in a way that courts require, and hackers may even be able to find detailed information about every Bitcoin transaction you make - your entire financial activity record, and even the financial records of all Bitcoin users.

This will be accomplished in three main phases:

  1. Create an opt-in registration system that allows users to register wallet addresses (public keys) under their real identities to form a "permission group". Registered users can pseudonymously prove, using group signatures, that their public keys belong to the group. However, there will be a backdoor in the system that allows system administrators to deanonymize users.

  2. Once a reasonable number of users is reached, ChainAnchor will bribe miners to only mine blocks that contain non-anonymous transactions from registered users, while unregistered users' transaction costs and confirmation times will increase. As part of the conditions for accepting the bribe, miners are also required to register with their real names.

  3. Ultimately, eliminate unregistered miners altogether, making it impossible to use or mine Bitcoin without registering first.

In simple terms, ChainAnchor appears to be attempting to turn the current permissionless Bitcoin blockchain into a centrally controlled and permissioned chain.

Information sources

ChainAnchor is not yet public, except for a small ad on the MIT Trust Alliance website. I have obtained leaked versions of their initial documents and overview slides from multiple sources (mostly from MIT itself). I have also been contacted by several people who claim that the ChainAnchor team approached them for funding and strategic collaboration. These people gave me more details about ChainAnchor's long-term goals, and they also claimed that in addition to the names on the documents and slides (MIT's Thomas Hardjono and Alex Pentland, Intel's Ned Smith), several well-known Bitcoin community members are also involved in the project.

Registered Identity - Permission Group

Group signatures enable anyone to prove their membership in a group by using a key, without revealing exactly which key created the signature. ChainAnchor reuses Intel’s EPID group signature scheme — a widely used digital restrictions management (DRM) technology — to create a “permission group” of keys that represent certain permissions or attributes, such as the key owner’s compliance with AML regulations and real-name registration.

Membership of the permission group is controlled by a group of administrators, which ChainAnchor refers to as the Permission Verifier (IdP-PV). They are the only ones with the authority to add and remove members.

However, the Permission Verifier does not always know the real identity of the user. Identity registration is a separate role, known as the identity provider (IdP-PI). In fact, ChainAnchor warns that the two roles of IdP-PV and IdP-PI must be kept separate:

The Permission Verifier is similar to EPID and related schemes in that it is assumed to be independent of the Permission Issuer, and that both are separate entities (physically, operationally, and legally).

Why? The problem is that the mathematics used by EPID has a backdoor: an authority can use its own private key to determine who made a given group signature. This means that the privacy of the system is based on trust: by colluding to combine real-identity and cryptographic-identity information, the Permission Verifier and the identity provider can de-anonymize users without being detected. This means that authorizations requiring user transaction information can be satisfied. It also means that a hacker who successfully breaks into both servers can de-anonymize user transactions.
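The role split described above can be modelled in a few lines. This is an added example, not code from ChainAnchor, Intel, or the original article: it swaps in plain ElGamal escrow of a member handle to stand for the opening capability, and it is neither EPID nor a secure group signature. The class names, toy parameters, and sample identity are assumptions made for illustration.

```python
import secrets

# Toy parameters, constructed for illustration only (not secure, not EPID).
P = 2**127 - 1   # a Mersenne prime
G = 3

class PermissionIssuer:
    """IdP-PI: checks a real identity and hands out an opaque member handle."""
    def __init__(self):
        self._names = {}                        # handle -> real name, private
    def register(self, real_name):
        handle = secrets.randbelow(P - 2) + 2
        self._names[handle] = real_name
        return handle
    def name_for(self, handle):
        return self._names.get(handle)

class PermissionVerifier:
    """IdP-PV: admits handles to the group and holds the opening key."""
    def __init__(self):
        self._x = secrets.randbelow(P - 2) + 1  # private opening key
        self.h = pow(G, self._x, P)             # public escrow key
        self._members = set()
    def enroll(self, handle):
        self._members.add(handle)
    def open(self, tag):
        c1, c2 = tag
        handle = c2 * pow(c1, P - 1 - self._x, P) % P   # ElGamal decryption
        return handle if handle in self._members else None

def make_tag(handle, h):
    """Member side: a fresh ElGamal encryption of the handle per transaction."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), handle * pow(h, r, P) % P

def demo():
    pi, pv = PermissionIssuer(), PermissionVerifier()
    handle = pi.register("Alice Example")       # constructed sample identity
    pv.enroll(handle)
    t1, t2 = make_tag(handle, pv.h), make_tag(handle, pv.h)
    return {
        "tags_differ": t1 != t2,                # observers see fresh ciphertexts
        "pv_alone": pv.open(t1),                # recovers a handle, no name
        "pi_alone": pi.name_for(t1[1]),         # None: cannot open the tag
        "colluding": pi.name_for(pv.open(t2)),  # real name recovered
    }

if __name__ == "__main__":
    print(demo())
```

Neither role alone maps a tag to a name; anyone holding both the opening key and the identity table can, which is the point the article makes about collusion and about a compromise of both servers.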

Mining permissioned blocks

To be deployed on Bitcoin, ChainAnchor proposes a scheme where miners choose to mine “permissioned blocks” that only contain transactions from registered users.

The technical principle of how this works is very simple: for every transaction received by a compliant miner, the address is checked with the Permission Verifier to ensure that the transaction comes from the whitelisted "permission group". If not, the transaction is discarded.

So why would miners choose to forgo transaction fees from unregistered users? ChainAnchor suggests bribing miners:

“On ChainAnchor, miners who complete a block containing only permissioned transactions will receive additional fees (in addition to new bitcoins and transaction fees).”

Of course, if miners accept the bribes, ChainAnchor expects them to comply and have their identities verified:

“For a validated permissioned block, IdP-PV and IdP-PI must verify that the miner’s public key can be found in the validation identity database. They must ensure that the miner has executed the zero-knowledge proof protocol before mining the ChainAnchor permissioned transaction.”

Why? Obviously because miners cannot be bribed unless their true identities are known.

“This last step is necessary in order for miners to receive compensation from the authority group.”

Strikingly, none of this is technically necessary. If ChainAnchor just wants to create an opt-in whitelist of AML-compliant addresses, why would they care if miners create blocks containing non-compliant transactions? Given that the system always relies on an online permission verification server, the obvious thing to do is simply to track the compliance of transaction outputs.

The problem now is that ChainAnchor is trying to force people to register for their service by making transactions more expensive and time-consuming for non-compliant users. Unless the database of whitelisted addresses is public, all transactions are the same to non-compliant miners; if you register, then 100% of miners will process your transaction, but if you don't register, then you have to wait.

Unsurprisingly, one of the concerns I heard from people approached by ChainAnchor was that they didn’t want to participate in a monopoly on Bitcoin trading; on an ethical level, the proposal could lead to an antitrust case.

Completely eliminate non-compliant transactions

Although not explicitly stated in the documents or slides, ChainAnchor’s final phase is said to be the elimination of all unregistered and non-compliant Bitcoin miners, primarily by gradually reducing their profits until they either stop mining or become compliant. Bribing miners to only produce permissioned blocks may be sufficient in itself - mining is a zero-sum game, so if unregistered users respond to the extra income from compliance by registering (or leaving), then non-compliant mining will become unprofitable.

So what if the user doesn’t leave? For example, the user might choose to pay a higher fee to opt out of the transaction. In a perfect market without artificial barriers, ChainAnchor would have to respond by increasing the bribe amount in return — which would obviously be expensive.

ChainAnchor is reportedly looking into paying miners extra bonuses if they mine on compliant blocks rather than non-compliant blocks; this strategy could lead miners to prefer compliant blocks when they can't decide which block to use. It's not hard to imagine other tools being used too, such as DoS attacks, as well as legal, regulatory, and even social pressure. Of course, ultimately, once a majority of hash power is achieved, a direct 51% attack is also possible (although I would hope to use more subtle means).

Threat Modeling

Rather than making accusations about others' plans, it is more productive at this point to treat this as a threat-modeling exercise. So what can an attacker like ChainAnchor do to minimize the cost of turning Bitcoin into a fully AML-compliant permissioned system?

The interesting thing to note is that this attacker is using profit as a weapon to try to change the composition of the mining community so that it is more regulated. As defenders and protocol designers, we must understand which miners we are encouraging in order to achieve our goals, and how to ensure that the system's economic incentives make that profitable for miners.

Original article: https://petertodd.org
By Peter Todd
Compiled by: Kyle
Source (translation): Babbitt Information (http://www.8btc.com/chainanchor-bribing-miners-to-regulate-bitcoin)
