dsueiro · February 20, 2013 17:08 · Nov 2, 2012 · Oct 18, 2012 · Oct 18, 2012 · Oct 18, 2012
diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -2,7 +2,14 @@ This is a review of "Quantitative Analysis of the Full Bitcoin Transaction Graph
 
 There are some incorrect details and analyses that warrant attention.
 
-## tl;dr (the short version)
+## Oct. 31 UPDATE
+
+The authors have introduced several revisions to their paper, available at the same URL as before.
+
+The criticism below may be outdated in part or in full.
+
+
+## tl;dr (the short [edit: old] version)
 
 The Ron/Shamir paper contains provably-false key assumptions.  Further, their data source (website scraping) is a secondary data source known to have served invalid data in the past.
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -2,14 +2,14 @@ This is a review of "Quantitative Analysis of the Full Bitcoin Transaction Graph
 
 There are some incorrect details and analyses that warrant attention.
 
-#tl;dr (the short version)#
+## tl;dr (the short version)
 
 The Ron/Shamir paper contains provably-false key assumptions.  Further, their data source (website scraping) is a secondary data source known to have served invalid data in the past.
 
 We **do not** claim this wholly invalidates their statistical results, but given the web wallet and cold storage examples, seems likely to introduce statistically significant changes in the results.
 
 
-#Appearance of data and conclusions obtained by a web crawl#
+## Appearance of data and conclusions obtained by a web crawl
 rather than close analysis of the actual bitcoin system.
 
 Quote #1: _"On May 13th 2012 we downloaded the full public record of this system, which consisted of about 180,000 HTML files."_
@@ -29,7 +29,7 @@ While the authors do appear be to aware that bitcoin is based on public/private
 Further, while it may not be material for the results of this particular study, web block explorers are not authoritative sources for bitcoin data and have sometimes been known to display wildly false information.
 
 
-#Fundamental assumptions of transaction address ownership appear flawed#
+## Fundamental assumptions of transaction address ownership appear flawed
 
 Quote #1: _"A very important feature of the Bitcoin network is that a transaction involving multiple sending addresses can only be carried out by the common owner of
 all those addresses, as it is demanded by the Bitcoin system that “Whoever sent
@@ -61,4 +61,13 @@ Any bitcoins that are permanently lost, due to wallet deletion, also appear with
 
 Finally, this analysis does not appear to include "change transactions."  When someone sends bitcoin, the system will potentially create two outputs:  (1) the bitcoin sent to the receipient, (2) bitcoins sent back to yourself.  This preserves the rule that 100% of a bitcoin transaction's inputs are spent.  You can never spend half of a 100BTC transaction output:  you must spend 100BTC... even if that means sending some bitcoins back to yourself.
 
-The Ron/Shamir paper does mention Deepbit and MtGox as large "users", but does not indicate that these are essentially multi-owner or multi-user sites.  Building graphs that ignore the multi-user aspect of MtGox will produce conclusions different from those that take it into account.
+The Ron/Shamir paper does mention Deepbit and MtGox as large "users", but does not indicate that these are essentially multi-owner or multi-user sites.  Building graphs that ignore the multi-user aspect of MtGox will produce conclusions different from those that take it into account.
+
+## Additional resources
+
+davout emailed the authors, and got a response:
+https://bitcointalk.org/index.php?topic=118797.msg1280496#msg1280496
+
+Meni Rosenfeld also emailed the authors:
+https://bitcointalk.org/index.php?topic=118797.msg1281470#msg1281470
+
diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -61,3 +61,4 @@ Any bitcoins that are permanently lost, due to wallet deletion, also appear with
 
 Finally, this analysis does not appear to include "change transactions."  When someone sends bitcoin, the system will potentially create two outputs:  (1) the bitcoin sent to the receipient, (2) bitcoins sent back to yourself.  This preserves the rule that 100% of a bitcoin transaction's inputs are spent.  You can never spend half of a 100BTC transaction output:  you must spend 100BTC... even if that means sending some bitcoins back to yourself.
 
+The Ron/Shamir paper does mention Deepbit and MtGox as large "users", but does not indicate that these are essentially multi-owner or multi-user sites.  Building graphs that ignore the multi-user aspect of MtGox will produce conclusions different from those that take it into account.
diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -45,7 +45,7 @@ Read the source code, for the canonical signature checking details: https://gith
 This wiki link describes signature checking detail: https://en.bitcoin.it/wiki/Contracts#Theory
 This forum post provides a concrete example of multiple owners coordinating to create a single transaction containing "multiple sending addresses": https://bitcointalk.org/index.php?topic=112007.0
 
-It is acknowledged that these multi-owner transactions are rare at this time.  However, there is an existing use case that is *very* statistically significant:
+It is acknowledged that these multi-owner transactions are rare at this time.  However, there is are two existing use cases that are *very* statistically significant:  shared coin pools (web wallets) and change transactions.
 
 *Web wallets* provide an easy counter-example of the "multiple sending addresses == common owner" assumption.  Websites dubbed "web wallets" provide a centralized, HTTP-based web interface to the otherwise decentralized P2P bitcoin network.  Web wallets typically pool the bitcoins from all their web users into two large pools, a "hot wallet" and a "cold wallet."
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -45,6 +45,8 @@ Read the source code, for the canonical signature checking details: https://gith
 This wiki link describes signature checking detail: https://en.bitcoin.it/wiki/Contracts#Theory
 This forum post provides a concrete example of multiple owners coordinating to create a single transaction containing "multiple sending addresses": https://bitcointalk.org/index.php?topic=112007.0
 
+It is acknowledged that these multi-owner transactions are rare at this time.  However, there is an existing use case that is *very* statistically significant:
+
 *Web wallets* provide an easy counter-example of the "multiple sending addresses == common owner" assumption.  Websites dubbed "web wallets" provide a centralized, HTTP-based web interface to the otherwise decentralized P2P bitcoin network.  Web wallets typically pool the bitcoins from all their web users into two large pools, a "hot wallet" and a "cold wallet."
 
 Transactions sent to web wallet websites, and sent from web wallet websites, will clearly appear as clusters of bitcoins within the blockchain dataset.

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -37,7 +37,7 @@ this transaction owns all of these addresses”. This legal requirement is also
 nically ensured by the fact that each received amount must have a cryptographic
 digital signature that unlocks it from the prior transaction."_
 
-This is unconditional equating of "multiple sending addresses" to a "common owner" is false.  We may demonstrate this from a theoretical perspective, with practical examples from today's block chain.
+This is unconditional equating of "multiple sending addresses" to a "common owner" is false.  We may demonstrate this from a theoretical perspective, and also with practical examples from today's block chain.
 
 Each bitcoin transaction contains a number of inputs, and a number of outputs.  Ron and Shamir assume that "multiple sending addresses can only be carried out by the common owner of all those addresses", when in fact bitcoin is explicitly designed to permit multiple owners, individually and independently adding signatures to a single transaction.
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -37,7 +37,7 @@ this transaction owns all of these addresses”. This legal requirement is also
 nically ensured by the fact that each received amount must have a cryptographic
 digital signature that unlocks it from the prior transaction."_
 
-This is false.  We may demonstrate this from a theoretical perspective, with practical examples from today's block chain.
+This is unconditional equating of "multiple sending addresses" to a "common owner" is false.  We may demonstrate this from a theoretical perspective, with practical examples from today's block chain.
 
 Each bitcoin transaction contains a number of inputs, and a number of outputs.  Ron and Shamir assume that "multiple sending addresses can only be carried out by the common owner of all those addresses", when in fact bitcoin is explicitly designed to permit multiple owners, individually and independently adding signatures to a single transaction.
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -6,7 +6,7 @@ There are some incorrect details and analyses that warrant attention.
 
 The Ron/Shamir paper contains provably-false key assumptions.  Further, their data source (website scraping) is a secondary data source known to have served invalid data in the past.
 
-We *do not* claim this wholly invalidates their statistical results, but given the web wallet and cold storage examples, seems likely to introduce statistically significant changes in the results.
+We **do not** claim this wholly invalidates their statistical results, but given the web wallet and cold storage examples, seems likely to introduce statistically significant changes in the results.
 
 
 #Appearance of data and conclusions obtained by a web crawl#

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -4,7 +4,7 @@ There are some incorrect details and analyses that warrant attention.
 
 #tl;dr (the short version)#
 
-The Ron/Shamir paper contains provably-false key assumptions.  Their data source (website scraping) is a secondary data source known to have served invalid data in the past.
+The Ron/Shamir paper contains provably-false key assumptions.  Further, their data source (website scraping) is a secondary data source known to have served invalid data in the past.
 
 We *do not* claim this wholly invalidates their statistical results, but given the web wallet and cold storage examples, seems likely to introduce statistically significant changes in the results.
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -2,6 +2,13 @@ This is a review of "Quantitative Analysis of the Full Bitcoin Transaction Graph
 
 There are some incorrect details and analyses that warrant attention.
 
+#tl;dr (the short version)#
+
+The Ron/Shamir paper contains provably-false key assumptions.  Their data source (website scraping) is a secondary data source known to have served invalid data in the past.
+
+We *do not* claim this wholly invalidates their statistical results, but given the web wallet and cold storage examples, seems likely to introduce statistically significant changes in the results.
+
+
 #Appearance of data and conclusions obtained by a web crawl#
 rather than close analysis of the actual bitcoin system.
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -49,3 +49,6 @@ Another common practice seen in the field (and therefore, in any blockchain data
 This is recommended -- and for large sites, necessary -- security practice.  The cold wallet of a large exchange will indeed appear as coins that have not been spent in a long time.
 
 Any bitcoins that are permanently lost, due to wallet deletion, also appear within the data as old, unmoved coins.  One cannot distinguish between unspent "coins under the mattress" and lost/destroyed coins.
+
+Finally, this analysis does not appear to include "change transactions."  When someone sends bitcoin, the system will potentially create two outputs:  (1) the bitcoin sent to the receipient, (2) bitcoins sent back to yourself.  This preserves the rule that 100% of a bitcoin transaction's inputs are spent.  You can never spend half of a 100BTC transaction output:  you must spend 100BTC... even if that means sending some bitcoins back to yourself.
+
diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -47,3 +47,5 @@ Simplified example:  Alice, Bob and Carla each deposit 10 BTC in Wallet.Example.
 Another common practice seen in the field (and therefore, in any blockchain data analysis) is "wallet cold storage."  Bitcoin exchanges, merchants and users often keep the *majority* of their bitcoins offline, a technique called "cold wallet" or "cold storage."  A "hot wallet" connected to the Internet is then used to store the remaining bitcoins.  If a thief steals the hot wallet, the damage is limited.
 
 This is recommended -- and for large sites, necessary -- security practice.  The cold wallet of a large exchange will indeed appear as coins that have not been spent in a long time.
+
+Any bitcoins that are permanently lost, due to wallet deletion, also appear within the data as old, unmoved coins.  One cannot distinguish between unspent "coins under the mattress" and lost/destroyed coins.
diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -44,3 +44,6 @@ Transactions sent to web wallet websites, and sent from web wallet websites, wil
 
 Simplified example:  Alice, Bob and Carla each deposit 10 BTC in Wallet.Example.Com.  Wallet.Example.Com now controls a single shared pool of 30 BTC.  Anyone who makes a withdrawal from Wallet.Example.Com, including new users David, Rick and James, will receive coins from that 30 BTC pool.
 
+Another common practice seen in the field (and therefore, in any blockchain data analysis) is "wallet cold storage."  Bitcoin exchanges, merchants and users often keep the *majority* of their bitcoins offline, a technique called "cold wallet" or "cold storage."  A "hot wallet" connected to the Internet is then used to store the remaining bitcoins.  If a thief steals the hot wallet, the damage is limited.
+
+This is recommended -- and for large sites, necessary -- security practice.  The cold wallet of a large exchange will indeed appear as coins that have not been spent in a long time.
diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -34,6 +34,7 @@ This is false.  We may demonstrate this from a theoretical perspective, with pra
 
 Each bitcoin transaction contains a number of inputs, and a number of outputs.  Ron and Shamir assume that "multiple sending addresses can only be carried out by the common owner of all those addresses", when in fact bitcoin is explicitly designed to permit multiple owners, individually and independently adding signatures to a single transaction.
 
+Read the source code, for the canonical signature checking details: https://github.com/bitcoin/bitcoin/blob/master/src/script.cpp#L1064
 This wiki link describes signature checking detail: https://en.bitcoin.it/wiki/Contracts#Theory
 This forum post provides a concrete example of multiple owners coordinating to create a single transaction containing "multiple sending addresses": https://bitcointalk.org/index.php?topic=112007.0
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -13,7 +13,7 @@ proof-of-work system."_
 
 Quote #3: _"The entire activity in the Bitcoin network is publicly available
 through the internet and is recorded in the form of a block chain, starting at
-block 0 [7] (created back on the 3rd of January 2009). Each block reports on as
+block 0 (created back on the 3rd of January 2009). Each block reports on as
 little as a single transaction to as much as over a thousand transactions, and
 provides hyperlinks to other blocks and to other activities of each address."_
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -19,6 +19,8 @@ provides hyperlinks to other blocks and to other activities of each address."_
 
 While the authors do appear be to aware that bitcoin is based on public/private key cryptographic signatures, these quotes do not seem to indicate that _the_ block chain, singular, is a globally shared binary structure, based on distributed consensus.  Blocks are not web pages containing hyperlinks, even though http://blockexplorer.com/ and http://blockchain.info/ present them as such, for display purposes.
 
+Further, while it may not be material for the results of this particular study, web block explorers are not authoritative sources for bitcoin data and have sometimes been known to display wildly false information.
+
 
 #Fundamental assumptions of transaction address ownership appear flawed#
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -7,26 +7,26 @@ rather than close analysis of the actual bitcoin system.
 
 Quote #1: _"On May 13th 2012 we downloaded the full public record of this system, which consisted of about 180,000 HTML files."_
 
-Quote #2: "Nodes broadcast transactions to this network, which records them in
+Quote #2: _"Nodes broadcast transactions to this network, which records them in
 publicly available web pages, called block chains, after validating them with a
-proof-of-work system."
+proof-of-work system."_
 
-Quote #3: "The entire activity in the Bitcoin network is publicly available
+Quote #3: _"The entire activity in the Bitcoin network is publicly available
 through the internet and is recorded in the form of a block chain, starting at
 block 0 [7] (created back on the 3rd of January 2009). Each block reports on as
 little as a single transaction to as much as over a thousand transactions, and
-provides hyperlinks to other blocks and to other activities of each address."
+provides hyperlinks to other blocks and to other activities of each address."_
 
 While the authors do appear be to aware that bitcoin is based on public/private key cryptographic signatures, these quotes do not seem to indicate that _the_ block chain, singular, is a globally shared binary structure, based on distributed consensus.  Blocks are not web pages containing hyperlinks, even though http://blockexplorer.com/ and http://blockchain.info/ present them as such, for display purposes.
 
 
 #Fundamental assumptions of transaction address ownership appear flawed#
 
-Quote #1: "A very important feature of the Bitcoin network is that a transaction involving multiple sending addresses can only be carried out by the common owner of
+Quote #1: _"A very important feature of the Bitcoin network is that a transaction involving multiple sending addresses can only be carried out by the common owner of
 all those addresses, as it is demanded by the Bitcoin system that “Whoever sent
 this transaction owns all of these addresses”. This legal requirement is also tech-
 nically ensured by the fact that each received amount must have a cryptographic
-digital signature that unlocks it from the prior transaction."
+digital signature that unlocks it from the prior transaction."_
 
 This is false.  We may demonstrate this from a theoretical perspective, with practical examples from today's block chain.
 

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -2,7 +2,8 @@ This is a review of "Quantitative Analysis of the Full Bitcoin Transaction Graph
 
 There are some incorrect details and analyses that warrant attention.
 
-#1) Appearance of data and conclusions obtained by a web crawl, rather than close analysis of the actual bitcoin system.#
+#Appearance of data and conclusions obtained by a web crawl#
+rather than close analysis of the actual bitcoin system.
 
 Quote #1: _"On May 13th 2012 we downloaded the full public record of this system, which consisted of about 180,000 HTML files."_
 
@@ -19,7 +20,7 @@ provides hyperlinks to other blocks and to other activities of each address."
 While the authors do appear be to aware that bitcoin is based on public/private key cryptographic signatures, these quotes do not seem to indicate that _the_ block chain, singular, is a globally shared binary structure, based on distributed consensus.  Blocks are not web pages containing hyperlinks, even though http://blockexplorer.com/ and http://blockchain.info/ present them as such, for display purposes.
 
 
-#2) Fundamental assumptions of transaction address ownership appear flawed#
+#Fundamental assumptions of transaction address ownership appear flawed#
 
 Quote #1: "A very important feature of the Bitcoin network is that a transaction involving multiple sending addresses can only be carried out by the common owner of
 all those addresses, as it is demanded by the Bitcoin system that “Whoever sent

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -29,7 +29,7 @@ digital signature that unlocks it from the prior transaction."
 
 This is false.  We may demonstrate this from a theoretical perspective, with practical examples from today's block chain.
 
-Each bitcoin transaction contains a number of inputs, and a number of outputs.  Ron and Shamir assume that "multiple sending addresses can only be carried out by the common owner of all those addresses", then in fact bitcoin is explicitly designed to permit multiple owners, individually and independently adding signatures to a single transaction.
+Each bitcoin transaction contains a number of inputs, and a number of outputs.  Ron and Shamir assume that "multiple sending addresses can only be carried out by the common owner of all those addresses", when in fact bitcoin is explicitly designed to permit multiple owners, individually and independently adding signatures to a single transaction.
 
 This wiki link describes signature checking detail: https://en.bitcoin.it/wiki/Contracts#Theory
 This forum post provides a concrete example of multiple owners coordinating to create a single transaction containing "multiple sending addresses": https://bitcointalk.org/index.php?topic=112007.0

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -1,9 +1,8 @@
-
 This is a review of "Quantitative Analysis of the Full Bitcoin Transaction Graph" by Dorit Ron and Adi Shamir.
 
 There are some incorrect details and analyses that warrant attention.
 
-*1) Appearance of data and conclusions obtained by a web crawl, rather than close analysis of the actual bitcoin system.*
+#1) Appearance of data and conclusions obtained by a web crawl, rather than close analysis of the actual bitcoin system.#
 
 Quote #1: _"On May 13th 2012 we downloaded the full public record of this system, which consisted of about 180,000 HTML files."_
 
@@ -20,7 +19,7 @@ provides hyperlinks to other blocks and to other activities of each address."
 While the authors do appear be to aware that bitcoin is based on public/private key cryptographic signatures, these quotes do not seem to indicate that _the_ block chain, singular, is a globally shared binary structure, based on distributed consensus.  Blocks are not web pages containing hyperlinks, even though http://blockexplorer.com/ and http://blockchain.info/ present them as such, for display purposes.
 
 
-*2) Fundamental assumptions of transaction address ownership appear flawed*
+#2) Fundamental assumptions of transaction address ownership appear flawed#
 
 Quote #1: "A very important feature of the Bitcoin network is that a transaction involving multiple sending addresses can only be carried out by the common owner of
 all those addresses, as it is demanded by the Bitcoin system that “Whoever sent

diff --git a/ron-shamir-review.md b/ron-shamir-review.md
@@ -0,0 +1,43 @@
+
+This is a review of "Quantitative Analysis of the Full Bitcoin Transaction Graph" by Dorit Ron and Adi Shamir.
+
+There are some incorrect details and analyses that warrant attention.
+
+*1) Appearance of data and conclusions obtained by a web crawl, rather than close analysis of the actual bitcoin system.*
+
+Quote #1: _"On May 13th 2012 we downloaded the full public record of this system, which consisted of about 180,000 HTML files."_
+
+Quote #2: "Nodes broadcast transactions to this network, which records them in
+publicly available web pages, called block chains, after validating them with a
+proof-of-work system."
+
+Quote #3: "The entire activity in the Bitcoin network is publicly available
+through the internet and is recorded in the form of a block chain, starting at
+block 0 [7] (created back on the 3rd of January 2009). Each block reports on as
+little as a single transaction to as much as over a thousand transactions, and
+provides hyperlinks to other blocks and to other activities of each address."
+
+While the authors do appear be to aware that bitcoin is based on public/private key cryptographic signatures, these quotes do not seem to indicate that _the_ block chain, singular, is a globally shared binary structure, based on distributed consensus.  Blocks are not web pages containing hyperlinks, even though http://blockexplorer.com/ and http://blockchain.info/ present them as such, for display purposes.
+
+
+*2) Fundamental assumptions of transaction address ownership appear flawed*
+
+Quote #1: "A very important feature of the Bitcoin network is that a transaction involving multiple sending addresses can only be carried out by the common owner of
+all those addresses, as it is demanded by the Bitcoin system that “Whoever sent
+this transaction owns all of these addresses”. This legal requirement is also tech-
+nically ensured by the fact that each received amount must have a cryptographic
+digital signature that unlocks it from the prior transaction."
+
+This is false.  We may demonstrate this from a theoretical perspective, with practical examples from today's block chain.
+
+Each bitcoin transaction contains a number of inputs, and a number of outputs.  Ron and Shamir assume that "multiple sending addresses can only be carried out by the common owner of all those addresses", then in fact bitcoin is explicitly designed to permit multiple owners, individually and independently adding signatures to a single transaction.
+
+This wiki link describes signature checking detail: https://en.bitcoin.it/wiki/Contracts#Theory
+This forum post provides a concrete example of multiple owners coordinating to create a single transaction containing "multiple sending addresses": https://bitcointalk.org/index.php?topic=112007.0
+
+*Web wallets* provide an easy counter-example of the "multiple sending addresses == common owner" assumption.  Websites dubbed "web wallets" provide a centralized, HTTP-based web interface to the otherwise decentralized P2P bitcoin network.  Web wallets typically pool the bitcoins from all their web users into two large pools, a "hot wallet" and a "cold wallet."
+
+Transactions sent to web wallet websites, and sent from web wallet websites, will clearly appear as clusters of bitcoins within the blockchain dataset.
+
+Simplified example:  Alice, Bob and Carla each deposit 10 BTC in Wallet.Example.Com.  Wallet.Example.Com now controls a single shared pool of 30 BTC.  Anyone who makes a withdrawal from Wallet.Example.Com, including new users David, Rick and James, will receive coins from that 30 BTC pool.
+
Original file line number	Diff line number	Diff line change
		@@ -61,3 +61,4 @@ Any bitcoins that are permanently lost, due to wallet deletion, also appear with

		Finally, this analysis does not appear to include "change transactions." When someone sends bitcoin, the system will potentially create two outputs: (1) the bitcoin sent to the receipient, (2) bitcoins sent back to yourself. This preserves the rule that 100% of a bitcoin transaction's inputs are spent. You can never spend half of a 100BTC transaction output: you must spend 100BTC... even if that means sending some bitcoins back to yourself.

		The Ron/Shamir paper does mention Deepbit and MtGox as large "users", but does not indicate that these are essentially multi-owner or multi-user sites. Building graphs that ignore the multi-user aspect of MtGox will produce conclusions different from those that take it into account.