How anonymous is token payout?


Reading the Trustchain paper I get the impression that it is not very anonymous, i.e., everybody can request your transaction history. Wouldn’t it be pretty simple then to de-anonymize network traffic on Tribler by just looking at who pays whom? The transactions are not directly linked, but they should be pretty close together in each of the chains, so adversaries should be able to get at least some information about possible circuits that could have been used. Is there a mechanism that makes this harder or impossible?


That’s a very good question. In general, there exists a trade-off between accountability and anonymity. In Tribler, we indeed perform a byte-accurate accounting of bandwidth exchanged between pairwise peers. A sophisticated network crawl and traffic correlations might reveal who communicated with whom. Even given that, this information would not be helpful since payouts only happen after the data exchange has been completed. As such, the anonymity of the data exchanges is not at risk.

Now there are solutions to the above issue, for example, described in this scientific work. The main idea is to aggregate and defer payouts to break linkability between payments. We still wish to implement this feature; however, this is not trivial to implement and might have unintended consequences that we didn’t think of. Another solution could be to do fuzzy payouts where we pay out in units of, say, 250 MB. If done accordingly, this should also reduce the chances of linking users together in the transaction graph.

Hopefully this answers your question!


Thanks for the answer. There is one part I don’t fully understand:

Couldn’t adversaries just save all the network traffic for later analysis? Granted, that is only possible when the adversary controls a large percentage of the exit nodes (or network equipment that connects those nodes to the internet, which is perhaps feasible for governments), but I think that is a real risk even if the network grows in the future.

And even if the adversary only controls one exit node then it could still deanonymize every connection that they handle. I’m imagining a situation where a copyright owner can deanonymize and sue all users that download content illegally through their exit node.


Yes, this might happen. Once we pass beyond 100 million users, lawyers will start to spend time understanding how our Tor-like system works. However, if we get big enough to get noticed it will no longer matter much anymore. The Tribler team aims to turn off exit nodes, once the network can sustain itself using end-2-end crypto and seeding. With roughly 1 million users we are self-sustaining. Finally we can go “fully dark” :star_struck:

(see our messy Issue 3 for details from 2013,


Wouldn’t it be possible to add random hops between an exit proxy and a peer downloading stuff? Then it would be much more difficult for exit node operators to clearly identify any downloader within the Tribler network.


It depends. If there is not so much traffic, then the previous blocks in all the involved chains are probably the payments from the previous link in the chain. If you have A -- pays --> B and shortly after B -- pays --> C, then the chains will probably look something like:

 A    B    C
 |    |    |
 |    |  ->+
 |    | /  ^
 |  ->+    |
 | /  ^    |
>+    |    |
 ^    |    |
 |    |    |

(time is moving up: from bottom to top, sorry for the confusing diagram)

You see that one of the predecessors of the final payment to C is the payment to B which came from A.

So, C can easily see that A is the origin of the request, and this would probably even work if there are many more nodes in between.

But that only works if you pay everyone immediately and separately for each request/download in the proper order.


Yes, we need sufficient traffic to blend into the crowd. See broad background info from the wise Tor people, who have been doing this for years. “privacy loves company”
Without enough traffic, an exit node should not be used.

But that only works if you pay everyone immediately and separately for each request/download in the proper order.

Yes, that is scheduled. We need to bundle payouts and delay them to 1 per week to avoid correlation attacks. Once we’ve made progress on keyword search and critical end-to-end network scale we can focus on this.
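The bundled, delayed payouts and the 250 MB "fuzzy payout" units discussed in the replies above, as an added example that is not part of the thread and not Tribler's code. The ledger tuple format, the function names, the sample payments and the linkability metric are all assumptions made for illustration.

```python
from collections import defaultdict

UNIT = 250 * 10**6    # payout unit mentioned in the thread: 250 MB
WEEK = 7 * 24 * 3600  # payout interval mentioned in the thread: one per week

# Constructed sample ledger (time_s, payer, payee, bytes): two downloads relayed
# through B, each paid hop by hop within seconds. Not real Tribler data.
IMMEDIATE = [
    (100, "A", "B", 731_004_112), (103, "B", "C", 731_004_112),
    (9000, "D", "B", 412_550_900), (9004, "B", "C", 412_550_900),
]

def defer_and_quantize(ledger, unit=UNIT, window=WEEK):
    """Sum what each payer owes each payee per window and pay only whole
    units at the window boundary; remainders carry into the next window."""
    owed = defaultdict(int)
    for t, payer, payee, amount in ledger:
        owed[(t // window, payer, payee)] += amount
    payouts, carry = [], defaultdict(int)
    for (w, payer, payee), amount in sorted(owed.items()):
        units, carry[(payer, payee)] = divmod(amount + carry[(payer, payee)], unit)
        if units:
            payouts.append(((w + 1) * window, payer, payee, units * unit))
    return payouts, dict(carry)

def uniquely_linked(ledger, max_gap=60):
    """Hypothetical linkability metric: payments into a relay that match exactly
    one payment out of it (same amount, at most max_gap seconds later)."""
    links = []
    for t1, src, relay, amount in ledger:
        out = [dst for t2, payer, dst, a2 in ledger
               if payer == relay and a2 == amount and 0 <= t2 - t1 <= max_gap]
        if len(out) == 1:
            links.append((src, relay, out[0]))
    return links

if __name__ == "__main__":
    deferred, carry = defer_and_quantize(IMMEDIATE)
    print("immediate:", uniquely_linked(IMMEDIATE))
    print("deferred: ", uniquely_linked(deferred), deferred, carry)
```

With immediate payouts both relayed downloads are uniquely linked end to end; after deferral B's single weekly payout to C covers both downloads and no amount-and-time match remains. The metric only covers exact matching, and with few payers per window the weekly totals can still be informative, which is the "sufficient traffic" point made above.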


Won’t that cause problems with the mechanism of small payouts to untrusted users to counter Refusal to Sign attacks? To quote your TrustChain paper:

Refusal to Sign— […]
Another defence mechanism is to gradually build trust between participants by splitting the transactions in smaller amounts.

I really like your project, by the way, I think it is a great ideal that I would also like to contribute to in the future. So thanks for answering my questions.