FIT5214: Blockchain
Lecture 8: Privacy Lecturer:
https://dowsley.net
Copyright By Assignmentchef assignmentchef
Unit Structure
Lecture 1: Introduction to Blockchain
Lecture 2: Bitcoin
Lecture 3: Ethereum and Smart Contracts
Lecture 4: Proof-of-Work (PoW)
Lecture 5: Attacks on Blockchains
Lecture 6: Class Test/Alternatives to PoW
Lecture 7: Proof-of-Stake (PoS)
Lecture 8: Privacy
Lecture 9: Byzantine Agreement
Lecture 10: Blockchain Network
Lecture 11: Payment Channels
Lecture 12: Guest Lecture
Unit Structure
Lecture 1: Introduction to Blockchain
Lecture 2: Bitcoin
Lecture 3: Ethereum and Smart Contracts
Lecture 4: Proof-of-Work (PoW)
Lecture 5: Attacks on Blockchains
Lecture 6: Class Test/Alternatives to PoW
Lecture 7: Proof-of-Stake (PoS)
Lecture 8: Privacy
Lecture 9: Byzantine Agreement
Lecture 10: Blockchain Network
Lecture 11: Payment Channels
Lecture 12: Guest Lecture
Learning outcome:
Basic understandings on privacy preserving technologies for blockchain
Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
We know the amount of money being transferred.
Also, normally, one output is to the payee, and the other is the change to the payer.
Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
We know the amount of money being transferred.
Also, normally, one output is to the payee, and the other is the change to the payer.
Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
We know the amount of money being transferred.
Also, normally, one output is to the payee, and the other is the change to the payer.
We can learn that both input 1 and input 2 belong to the same payer.
Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
Users may reuse the PK (address)
In fact, most users use a single or a few addresses
Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
pseudonymity: real identity is hidden
(Linking Bitcoin addresses to real identities is not difficult)
Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
pseudonymity: real identity is hidden
(Linking Bitcoin addresses to real identities is not difficult)
unlinkability: cannot link any two transactions to the same user
Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
pseudonymity: real identity is hidden
(Linking Bitcoin addresses to real identities is not difficult)
unlinkability: cannot link any two transactions to the same user
untraceability: cannot trace any coin back to another transaction
(cash flow)
Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
pseudonymity: real identity is hidden
(Linking Bitcoin addresses to real identities is not difficult)
unlinkability: cannot link any two transactions to the same user
untraceability: cannot trace any coin back to another transaction
(cash flow)
Bitcoin is NOT Anonymous!!!
Bitcoin privacy
Bitcoin privacy
Traceable to anyone (and linkable to the payee)
Bitcoin privacy
Traceable to anyone (and linkable to the payee)
Traceable and Linkable to anyone
Bitcoin privacy
Traceable to anyone (and linkable to the payee)
Additionally, account balance is also revealed in every transaction.
Traceable and Linkable to anyone
Bitcoin privacy
Bitcoin privacy
2 BTC 3 BTC
Linkable transactions (to the same payee)
Bitcoin privacy
2 BTC 2 BTC
The later transaction is traceable (back to two transactions)
Bitcoin privacy
2 BTC 2 BTC
All amounts are also visible!
The later transaction is traceable (back to two transactions)
Bitcoin privacy
A critical question
Is privacy always good?
Screenshots taken on 16th-July-2019 by Dr., for research purpose only.
Darknet Market
Screenshots taken on 16th-July-2019 by Dr., for research purpose only.
Darknet Market
Screenshots taken on 16th-July-2019 by Dr., for research purpose only.
De-anonymization: an example
On the network, the first node (e.g. your mobile wallet) that sends out a new transaction, is likely to be the payer.
De-anonymization: an example
On the network, the first node (e.g. your mobile wallet) that sends out a new transaction, is likely to be the payer.
De-anonymization: an example
On the network, the first node (e.g. your mobile wallet) that sends out a new transaction, is likely to be the payer.
Ring signature (2001 by Rivest, Shamir, Tauman )
The signature scheme convinces a verifier that a document has been signed by one of n independent signers.
When signing, other members do not
need to cooperate Bob
The signer only needs to choose n-1 public-keys of other entities
The actual signer is indistinguishable from other entities in the ring
signature (2001 by Rivest, Shamir, Tauman )
The signature scheme convinces a verifier that a document has been signed by one of n independent signers.
When signing, other members do not
need to cooperate Bob
The signer only needs to choose n-1 public-keys of other entities
The actual signer is indistinguishable from other entities in the ring
The signer gets some anonymity!
signature (2001 by Rivest, Shamir, Tauman )
wants to anonymously reveal NSAs secrets.
Any member i of NSA has a pair of keys (PKi, SKi) published on the NSA website.
To reveal a secret, Snowden randomly chooses n-1 public keys from the NSA members, and creates a ring signature on the secret, so that:
A third party can verify that the signer of the revealed
secret is one of the n members from NSA.
No one knows which member has revealed the secret.
Ring signature (2001 by Rivest, Shamir, Tauman )
A ring is an arbitrary set of participants including the actual signer.
Each member i of the ring has a public encryption key PKi.
Only i knows the corresponding secret key SKi.
The signer and verifier need to known the public key of all
ring members.
Ring signature (2001 by Rivest, Shamir, Tauman )
Keyed combining function
Ck,v(y1, y2, . . . , yn) = Ek(yn Ek(yn1 Ek( . . . Ek(y1 v) . . . ))) = v Where the function takes (k, v, y1, y2, , yn) as input, and
output value v.
Ek is symmetric key encryption with secret key k.
Ring signature (2001 by Rivest, Shamir, Tauman )
Keyed combining function
Ck,v(y1, y2, . . . , yn) = Ek(yn Ek(yn1 Ek( . . . Ek(y1 v) . . . ))) = v
Given (k, v) and any n-1 parameters of (y1, y2, , yn) as input, it is easy to calculate the remaining parameter (as both Ek and xor operation are invertible).
Ring signature (2001 by Rivest, Shamir, Tauman )
Signature generation on message m:
1. k=H(m).
2. Choose random v.
3. Choose random xi for i for all other ring members and
calculate corresponding yi = gi(xi), where gi is a trapdoor function.
4. Solve the Keyed combining function for ys is simple, where i=s is the signer
Ck,v(y1, y2, . . . , yn) = Ek(yn Ek(yn1 Ek( . . . Ek(y1 v) . . . ))) = v
5. Calculating x from y is also simple x = g1(y ). sssss
6. The ring signature is (PK1, PK2, , PKn; v; x1, x2, , xn).
Ring signature (2001 by Rivest, Shamir, Tauman )
Signature verification on signed message m: Signature is (PK1, PK2, , PKn; v; x1, x2, , xn)
1. For all xi, calculate yi = gi(xi).
2. k=H(m). 3. Verify that
Ck,v(y1, y2, . . . , yn) = Ek(yn Ek(yn1 Ek( . . . Ek(y1 v) . . . ))) = v
Linkable ring signature
Alice (sk)
Link if sk=sk
Alice (sk)
J.Liu et.al. Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups, ACISP 2004.
CryptoNote
Alice (sk)
(Must be a new random address)
Alice (sk)
(Must be a new random address)
spending will be identified!
CryptoNote
Alice (sk)
This provides untraceability
(Must be a new random address)
Double spending will be identified!
CryptoNote
Alice (sk)
This provides untraceability
(Must be a new random address) This is called stealth address, which aims
at providing unlinkability
(as no public key address can be reused)
Double spending will be identified!
Commitment scheme
A commitment scheme is a cryptographic primitive that allows the sender to commit to a value during the commit phase while keeping it hidden from the receiver(s), with the ability to reveal the committed value on a later point (the opening phase).
A commitment scheme should be binding, meaning that after the commit phase the sender cannot change the committed value.
A commitment scheme should be hiding, meaning that before the opening phase the receiver(s) cannot learn any information about the committed value.
Commitments in Monero
The value of all Monero inputs and outputs are committed (hidden), with additional proofs that:
1. The total amount of coins in the committed inputs is equal to the total amount of coins in the committed outputs plus the transaction fee.
2. All committed values are positive. This is done using range proofs and guarantees that coins are not created out of thin air.
Comparison
1 bitcoin 3 bitcoin 5 bitcoin
? Coin ? Coin ? Coin
Recap: Monero
Monero provides better privacy than Bitcoin
One-time stealth address aims at providing unlinkability (e.g. preventing address
clustering)
Transaction values are hidden (by using a commitment scheme with the
accompanying equality and range proofs).
Linkable ring signature is used to provide untraceability (Money flow is hidden).
Monero mixin selection
Initially, Monero has not enforced the number of mixins of transaction.
In Monero, 12158814 transaction inputs do not contain any mixins! (64.04% of all inputs before April 15, 2017, block height 1288774)
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
et. al. An Empirical Analysis of Traceability in the, Proceedings on Privacy Enhancing Technologies, 2018.
TX2 is a 0-mixin transaction, and has no privacy guarantee!
Why 0-mixin?
Motivation:
In Monero, a transaction with smaller size pays less transaction fee.
Zero Mixin attack
In order to save money, the owner of TX2 chooses to give up its privacy, is this ok? Would it affect the privacy of others?
Zero Mixin attack
The owner of TX2 is traceable!
Zero Mixin attack
The owner of TX2 is traceable!
The untraceability of the owner
of TX1 is reduced!
Zero Mixin attack
The owner of TX2 is traceable!
The untraceability of the owner
of TX1 is reduced!
The probability of guessing
the real input of TX1 is expected to be 1/3.
Zero Mixin attack
The owner of TX2 is traceable!
The untraceability of the owner
of TX1 is reduced!
The probability of guessing
the real input of TX1 is
expected to be 1/3.
Now, it is 1/2.
Zero Mixin attack
The owner of TX2 is traceable!
The untraceability of the owner
of TX1 is reduced!
The probability of guessing
the real input of TX1 is
expected to be 1/3.
Now, it is 1/2.
Zero Mixin attack
The owner of TX2 is traceable!
The untraceability of the owner
of TX1 is reduced!
The probability of guessing
the real input of TX1 is
expected to be 1/3.
Now, it is 1/2.
TX1 TheownerofbothTX1andTX2 is traceable!
(One coin can only be spent once, and coin 2 is spent in TX2)
Zero Mixin attack
The owner of TX2 is traceable!
The untraceability of the owner
of TX1 is reduced!
The probability of guessing
the real input of TX1 is
expected to be 1/3.
Now, it is 1/2.
TheownerofbothTX1andTX2 is traceable!
(One coin can only be spent once, and coin 2 is spent in TX2)
TX1 T X2
The owner of both TX1 and TX2 is traceable!
(coin 2 is spent in TX2 and coin 1
is spent in TX3)
Zero Mixin attack
So, users should NOT choose a mixing that is used as a 0-mixin input!
Two new TXs
The owners of the two new transactions only choose coins that is not an input of 0-mix transactions
Question: The input of which transactions are identifiable?
Even worse
The owners of TX1, TX2,TX3 are traceable!
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
Even worse
The owners of TX1, TX2,TX3 are traceable!
So, coin 3 is also known to be spent in TX1.
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
Even worse
The owners of TX1, TX2,TX3 are traceable!
So, coin 3 is also known to be spent in TX1.
Even though no input of TX4 and TX5 is used as 0-mixin input.
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
Even worse
The owners of TX1, TX2,TX3 are traceable!
So, coin 3 is also known to be spent in TX1.
Even though no input of TX4 and TX5 is used as 0-mixin input.
The owner of TX4 is traceable!
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
Even worse
The owners of TX1, TX2,TX3 are traceable!
So, coin 3 is also known to be spent in TX1.
Even though no input of TX4 and TX5 is used as 0-mixin input.
The owner of TX4 is traceable!
The owner of TX5 is traceable!
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
Even worse
Cascade effect!
The owners of TX1, TX2,TX3 are traceable!
So, coin 3 is also known to be spent in TX1.
Even though no input of TX4 and TX5 is used as 0-mixin input.
The owner of TX4 is traceable!
The owner of TX5 is traceable!
et. al. A Traceability Analysis of Moneros Blockchain, ESORICS, 2017.
Zero Mixin attack
Before April 15, 2017, block height 1288774
12158814 transaction Monero inputs do not contain any mixins! (64.04% of all inputs)
For the rest inputs (35.96%), 63% of them are deducable by the cascade effect!
et. al. An Empirical Analysis of Traceability in the, Proceedings on Privacy Enhancing Technologies, 2018.
Mixin selection
When the attack was observed, Monero developers enforced a network-wide rules on the minimum number of mixins, and miners reject transactions with number of mix-ins lower than that:
2016-03-23, minimum mix-in of 2 (Ring size>=3)
2017-09-16, minimum mix-in of 4 (Ring size>=5)
2018-03-29, minimum mix-in of 6 (Ring size>=7)
2018-10-18, fixed Ring size=11
Does this solve the problem?
https://github.com/monero-project/monero#monero-software-updates-and-consensus-protocol-changes-hard-fork-schedule 37
Can you identify the real input of any transaction? Why?
Passive inference attacks
Example 1: inputs of transactions are
TX1= {1,2}, TX2={1,2}, TX3 ={2,3}, TX4 ={1,4}
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.
Passive inference attacks
Example 1: inputs of transactions are
TX1= {1,2}, TX2={1,2}, TX3 ={2,3}, TX4 ={1,4}
Each coin can only be spent once, so coin 1 and 2 must have been spent in TX1 and TX2, but we dont know which coin is spent in which TX.
Coin 3 is spent in TX3
Coin 4 is spent in TX4
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.
Can you identify the real input of any transaction? Why?
Passive inference attacks
Example 2: inputs of transactions are
TX1= {1,2}, TX2={3,4}, TX3 ={1,3}, TX4 ={2,4}
By observing, we cannot deanonymise any transaction.
But What if the attacker is a Monero user?
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.
Active inference attacks
Example 2: inputs of transactions are
TX1= {1,2}, TX2={3,4}, TX3 ={1,3}, TX4 ={2,4}
If the attacker is an owner of coin 1, and it is spent in TX1, then it knows
Coin 3 is spent in TX3
Coin 4 is spent in TX2
Coin 2 is spent in TX4
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.
Temporal analysis
1 2 J K K+1 K+2
Temporal analysis
1 2 J K K+1 K+2
1 year old 6 months old 1 week old
Temporal analysis
1 2 J K K+1 K+2
1 year old 6 months old 1 week old
This has a very
high probability to be
the real input
Age distribution of inputs
(a) Age distribution of all inputs
(b) Age distribution of inputs that are identified as mixins (from other attacks, e.g. 0-mixin) (c) Estimated age distribution of real inputs
(a)-(b)=(c)
et. al. An Empirical Analysis of Traceability in the, Proceedings on Privacy Enhancing Technologies, 2018.
Age distribution of inputs
The accuracy rate is about 80%, for all non-0-mixin coins!
et. al. An Empirical Analysis of Traceability in the, Proceedings on Privacy Enhancing Technologies, 2018.
Age distribution of inputs
The accuracy rate is about 80%, for all non-0-mixin coins! Solution: Choose more recent coins as mixins.
et. al. An Empirical Analysis of Traceability in the Monero Bloc
CS: assignmentchef QQ: 1823890830 Email: [email protected]
Reviews
There are no reviews yet.