Creating Highly Anonymous Verus IDs

Verus IDs are pseudonymous just like normal crypto addresses, but there are several ways the owner of a Verus ID may be identified, and ways to mitigate those risks for people choosing to be as anonymous as possible.

Here we’ll look at the proper use of referrers, best strategies for funding a Verus ID registration, good options for maximally private Verus ID names, considerations for the transparent and private addresses associated with the ID, and considerations regarding revocation and recovery authority assignments.

Referrers

When creating a Verus ID you have the option of using a referrer. Using a referrer discounts your registration from 100VRSC to 80VRSC. It also gives a referral fee to the ID used as the referrer, and to the ID that was used as a referrer for its registration, plus one more level (the miners always get at least 20VRSC from an ID registration). There’s nothing stopping you from using an ID you already own as a referrer for another, but be aware that this will be recorded in the blockchain and will allow people to infer a relationship between those IDs. This is one clue that can contribute to a picture of who owns a Verus ID. If someone is known to own Verus ID A@ and they register Verus ID B@ with A@ as a referrer, it’s not hard to guess that A@ and B@ are either owned by the same person, or that those people know each other.

For this reason, if you want a maximally anonymous Verus ID, you should either avoid using a referrer (paying the full price of 100VRSC to the miners/stakers), or you should use a referrer that many other unaffiliated people use – my recommendation would be “Verus Coin Foundation@”.

Funding

When registering your Verus ID the funds to pay for the registration may be pulled from any transparent source (any transparent address or ID), depending on where funds are available. If the funds used to purchase a Verus ID can be tracked back to other known transactions such as other Verus ID registrations, published addresses, or addresses at which you’ve received payments from anyone, that’s a potential vector for discovery.

To maximize privacy and anonymity when registering an ID my recommendation would be to work from a clean wallet with no funds in it, then fund it from a private address with just enough to complete the registration. That works out to 0.0001VRSC for the name commitment and 80.0001VRSC for the registration (if using Verus Coin Foundation@ as the referrer as recommended above). You can use the following command, replacing ZADDRESS with your private address and TADDRESS with your transparent address (the transparent address appears twice and needs to be inserted in both places), to create just the right outputs to create your ID without creating any change to go anywhere.

verus sendcurrency "ZADDRESS" '[{"address":"TADDRESS","amount":0.0001},{"address":"TADDRESS","amount":80.0001}]'

The z-address you’re funding from can be in the same wallet or in another wallet elsewhere. And by funding from a z-address you’ve made sure the funds can’t be tracked back to any other addresses as long as your hygiene was good – that is, don’t fund the z-address, then immediately spend from it – fund it with varied amounts over time, and allow some time to pass so those transactions into z-space aren’t easily associated with the transactions out.

Name Selection

Obviously if you use your name, or an online handle, or any variation thereof, it can be trivially easy to associate an ID with you. Even choosing names based on things you’re into (characters, places, or other references to books or movies, etc.) can create risk of being discovered if someone knows that’s an interest of yours.

If you need to be able to remember the name of your Verus ID, choose a name that’s as unconnected to you and as random as possible. You could even use a random word generator such as xkcdpass on Linux, which creates word lists like CorncobRelapseFlatwormStargazer: something you could memorize without much trouble, but which is ultimately impossible to connect with you as an individual.

If you don’t need to be able to remember the name of your Verus ID, use a hash. You can create this by feeding some random junk into a hash function. On Linux systems you could run the following to get a highly random ID name such as 8d896cb224eeffdd946e6856678a6fea49b8fa8678e645ff1748d9c2ce00ee3e@.

dd if=/dev/urandom bs=1024 count=1 | sha256sum

This is my recommendation, and I’ll be releasing a script to automate ID creation using a hash as a name in the VerusExtras repo. The more people use the same format the more anonymous it becomes.

Primaryaddresses

Select your primaryaddresses carefully. These are the addresses used to control the Verus ID. Typically, and by default, this is just one address, but it may be multiple in special configurations. Regardless, make sure the address(es) you select haven’t been used for any other activity that would be harmful to associate with the ID. A fresh address generated specifically for the ID is best, especially if you’re disciplined and organized enough to make sure you never use it for anything else either.

Privateaddress

Verus IDs can optionally have a private address associated with them. If the same private address is used on multiple IDs this clearly associates them. Since the use of a private address with a Verus ID is optional my general recommendation is to omit it if you don’t plan to use it.

While it has little to do with privacy, also be aware that the private address associated with your Verus ID is just an association – it’s so that someone who has your ID can look up your private address to use it. The funds in a private address are not protected by the Verus ID, are not revocable or recoverable, and are not lockable with Verus Vault. They’re still quite useful, just be aware that it’s only a loose coupling.

If you do plan to use a private address with a Verus ID, make sure you don’t reuse the private address with other Verus IDs, or that you only reuse it with any other IDs already clearly associated with one another, such as a main ID and its revocation and recovery authorities.

Authorities

Select and create your revocation and recovery authorities carefully, since if someone can identify one of those IDs, any IDs they’re attached to as authorities are similarly discovered.

Obviously you can leave these set to SELF to avoid the issue entirely, but then you’re missing out on many of the benefits of Verus ID. When set to SELF (if raw ID information is viewed these fields will show the same value in identityaddress and either or both of revocationauthority and recoveryauthority), you have no ability to revoke or recover the ID if its keys are compromised, or to access funds locked in a Verus Vault in an emergency (without waiting for the cooldown period).

My recommendation for setting up authorities would be to make an ID for each of the revocation and recovery authorities using all of the suggestions above, and not reusing them as authorities for any other IDs, or only for groupings of IDs you don’t mind being associated with one another.
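
A self-audit for the linkage clues described in the Primaryaddresses, Privateaddress and Authorities sections, as an added example that is not code from this post or from the Verus project. It assumes each ID is given as a flat record holding the fields named above (identityaddress, primaryaddresses, privateaddress, revocationauthority, recoveryauthority); the sample records and every address in them are constructed placeholders. It does not cover referrer or funding links.

```python
from collections import defaultdict

# Constructed sample records using only the identity fields the page names;
# every name and address below is a made-up placeholder, not real chain data.
SAMPLE_IDS = [
    {"name": "alpha", "identityaddress": "iALPHA", "primaryaddresses": ["R-addr-1"],
     "privateaddress": "zs-shared", "revocationauthority": "iALPHA",
     "recoveryauthority": "iRECOVER"},
    {"name": "beta", "identityaddress": "iBETA", "primaryaddresses": ["R-addr-2"],
     "privateaddress": "zs-shared", "revocationauthority": "iREVOKE",
     "recoveryauthority": "iRECOVER"},
    {"name": "gamma", "identityaddress": "iGAMMA",
     "primaryaddresses": ["R-addr-1", "R-addr-3"],
     "revocationauthority": "iGAMMA", "recoveryauthority": "iGAMMA"},
]

def audit_linkage(identities):
    """Return (self_authority, links).

    self_authority: ID name -> authority fields still set to SELF.
    links: (kind, value) -> sorted names of IDs that share that value.
    """
    self_authority = {}
    seen = defaultdict(set)  # (kind, value) -> names of IDs carrying it
    for ident in identities:
        name, own = ident["name"], ident["identityaddress"]
        for addr in ident.get("primaryaddresses", []):
            seen[("primaryaddress", addr)].add(name)
        if ident.get("privateaddress"):  # optional; omitted means nothing to link
            seen[("privateaddress", ident["privateaddress"])].add(name)
        for field in ("revocationauthority", "recoveryauthority"):
            authority = ident.get(field)
            if authority == own:  # SELF: same value as identityaddress
                self_authority.setdefault(name, []).append(field)
            elif authority:
                seen[("authority", authority)].add(name)
    # A value carried by more than one ID publicly ties those IDs together.
    links = {key: sorted(names) for key, names in seen.items() if len(names) > 1}
    return self_authority, links

if __name__ == "__main__":
    self_auth, links = audit_linkage(SAMPLE_IDS)
    for name, fields in self_auth.items():
        print(f"{name}@ has no separate authority for: {', '.join(fields)}")
    for (kind, value), names in links.items():
        print(f"{kind} {value} links: {', '.join(n + '@' for n in names)}")
```

Any entry in the links result is a grouping you should be comfortable having publicly associated; an empty result means none of the audited fields ties the IDs together.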

High Security

If you’re looking for optimal security, combine these principles with the last writeup on Seriously Paranoid Cryptocurrency Key Generation for generating the keys for your revocation and recovery authorities. Be aware that you can create an ID with a primaryaddress that’s not in your current wallet, so addresses created securely elsewhere can be assigned to an ID such as a recovery ID without ever having had that address/key loaded into a wallet. Just make sure to test your configuration/procedure with some test addresses/IDs before relying on it – I am not responsible for your lost funds or lost access to an ID – do your due diligence and test thoroughly.
