
Anonymity in Cryptocurrencies, Foteini Baldimtsi (PowerPoint PPT Presentation)



  1. Anonymity in Cryptocurrencies Foteini Baldimtsi

  2. Bitcoin Anonymity? Satoshi Nakamoto, 2008

  3. Bitcoin is only pseudonymous. Alice's public keys correspond to addresses (133GT5661q8RuSKrrv8q2Pb4RwS, 146KL5461d8KuSPxvv8q2Nd6K2q, 122NB5426d8Lau3Kbbf8q2L7g89h, ...), and every payment between addresses is posted on the blockchain. If anyone is ever able to link your Bitcoin address to your real world identity, then all of your transactions, past, present, and future, will have been linked back to your identity.

  4. De-anonymizing Bitcoin users: Bitcoin de-anonymization in practice.

  5. Anonymity: the goal. eCash: an adversarial bank cannot link a withdrawal to a deposit (unlinkability). Bitcoin: it should be hard to link the sender of a payment to its recipient on the public ledger.

  6. Anonymity: the goal. A payer at Addr A pays a payee at Addr B; the goal is to break the link between payer and payee.

  7. Anonymity flavors. Set anonymity (over payers and payees): the set of transactions which the adversary cannot distinguish from your transaction (depends on the anonymity model).

  8. Two main directions. 1) Mixing/Tumbler services for Bitcoin (Bitcoin compatible; e.g. Blindcoin, XIM). 2) Anonymous cryptocurrencies (not compatible with Bitcoin).

  9. Why do we need anonymity? ● To achieve the level of privacy that we are already used to from traditional banking, and mitigate the deanonymization risk that the public blockchain brings. ● To go above and beyond the privacy level of traditional banking and develop currencies that make it technologically infeasible for anyone to track the participants.

  10. PART I Mixing/Tumbler Services

  11. What is a mix? ● Centralized (an intermediary) ● Decentralized (e.g. CoinShuffle)

  12. What is a mix? Two challenges: ● privacy against the intermediary ● security against the intermediary

  13. Attempt 1 - centralized scheme. Intermediary blindly issues vouchers? Goal: set anonymity. Alice (Addr A) obtains a voucher V from the intermediary and Bob (Addr B) redeems it; the intermediary cannot link a voucher it issued to a voucher it redeems! ▪ Blind signatures

  14. Attempt 1 - centralized scheme. Intermediary blindly issues vouchers? Goal: set anonymity. (Figure: many payers at Addr A-side addresses obtain vouchers V and many payees at Addr B-side addresses redeem them.) The intermediary cannot link a voucher it issued to a voucher it redeems! ▪ Blind signatures

  15. Attempt 2 - centralized scheme. Intermediary blindly issues vouchers? Issuance (Alice, Addr A): 1. Pick a random serial number sn. 2. Blind sn and send it to the intermediary, which signs it with SK to produce a blind signature. 3. Unblind to obtain σ. 4. Create the voucher V = (sn, σ). Redemption (Bob, Addr B): present V to the intermediary.

  16. Attempt 2 - centralized scheme. Intermediary blindly issues vouchers? But what if the intermediary is malicious and refuses to issue σ, or refuses to return the bitcoin? Issuance (Alice, Addr A): 1. Pick a random serial number sn. 2. Blind sn and send it to the intermediary, which signs it with SK to produce a blind signature. 3. Unblind to obtain σ. 4. Create the voucher V = (sn, σ). Redemption (Bob, Addr B): present V to the intermediary.
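The four issuance steps and the redemption of slides 15-16, played out end to end, as an added example (not code from the talk or from the HBG'16 paper). It assumes Chaum's RSA blind signature as a stand-in for the talk's scheme, a toy ~196-bit modulus built from the Mersenne primes 2^89-1 and 2^107-1 so that no prime generator is needed, and SHA-256 as the full-domain hash of sn; none of these choices come from the slides.

```python
"""Blind-signature vouchers (Attempt 2 in the slides), issuance to redemption.

Added example, not code from the talk or from HBG'16. Assumptions:
- Chaum's RSA blind signature stands in for the talk's scheme (the talk's
  scheme needs a Bitcoin soft fork; Attempt 2 puts nothing on-chain, so the
  choice does not matter here).
- The modulus is the product of the Mersenne primes 2^89-1 and 2^107-1, a
  ~196-bit toy key chosen so the example needs no prime generator. It is far
  too small for real use.
- Serial numbers are full-domain hashed with SHA-256 before signing.
"""
import hashlib
import math
import secrets

P, Q = 2**89 - 1, 2**107 - 1          # toy primes, see module docstring
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # intermediary's secret key SK


def h(sn: bytes) -> int:
    """Full-domain hash of the serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(sn).digest(), "big") % N


def blind(sn: bytes):
    """Step 2 (Alice): hide H(sn) behind a random factor r. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:       # r must be invertible mod N
            return (h(sn) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Step 3 (Alice): strip r, leaving sigma = H(sn)^D mod N."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(sn: bytes, sigma: int) -> bool:
    """Anyone can check a voucher V = (sn, sigma) against the public key (N, E)."""
    return pow(sigma, E, N) == h(sn)


class Intermediary:
    """Signs blinded values on issuance, pays out on redemption, tracks spent sn."""

    def __init__(self):
        self.transcript = []          # every blinded value it ever signed
        self.spent = set()

    def issue(self, blinded: int) -> int:
        self.transcript.append(blinded)
        return pow(blinded, D, N)    # signs without seeing sn or H(sn)

    def redeem(self, voucher) -> bool:
        sn, sigma = voucher
        if sn in self.spent or not verify(sn, sigma):
            return False
        self.spent.add(sn)            # a second presentation of the same sn fails
        return True


def mint_voucher(inter: Intermediary, sn: bytes = None):
    """Steps 1-4 (Alice): random sn, blind, get signed, unblind, assemble V."""
    sn = sn if sn is not None else secrets.token_bytes(16)
    blinded, r = blind(sn)
    sigma = unblind(inter.issue(blinded), r)
    return sn, sigma


def demo():
    inter = Intermediary()
    v = mint_voucher(inter)
    paid = inter.redeem(v)                            # Bob redeems: True
    replayed = inter.redeem(v)                        # same voucher again: False
    forged = inter.redeem((v[0] + b"x", v[1]))        # sigma does not cover another sn: False
    # What the intermediary saw at issuance is H(sn) * r^E mod N, uniformly
    # random in Z_N^* as r varies, so it cannot be matched to the redeemed sn.
    unlinkable = inter.transcript[0] != h(v[0])
    return paid, replayed, forged, unlinkable
```

Nothing in this exchange binds the intermediary: `issue` can simply not answer after Alice has paid, and `redeem` can return `False` to an honest Bob. That is the failure mode slide 16 raises and the transaction contracts of the following slides are there to close.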

  17. Blindly Signed Transaction Contracts. Goal: set anonymity, fair exchange / atomic swaps. Alice (Addr A) posts a Transaction Offer (a bitcoin for V): "Addr A pays to a spending transaction that has a valid blind signature on sn. This must be done within time tw." The intermediary posts a Transaction Fulfill (V for the bitcoin): "Here is σ." Fair exchange is robust if either party is malicious! ▪ Bitcoin scripts* (* the blind signature we use requires a soft fork)

  18. Attempt 3 - centralized scheme: Blindly Signed Transaction Contracts. Goal: set anonymity, fair exchange. Fair exchange 1 (Alice, Addr A, with the intermediary): Alice posts a Transaction Offer (bitcoin for V); the intermediary posts a Transaction Fulfill (V for bitcoin) carrying σ. A gives 1 bitcoin, A gets 1 voucher V = (sn, σ). Fair exchange 2 (Bob, Addr B, with the intermediary): the intermediary posts a Transaction Offer (bitcoin for V); Bob posts a Transaction Fulfill (V for bitcoin). B gives 1 voucher, B gets 1 bitcoin.

  19. Attempt 3 - centralized scheme: Blindly Signed Transaction Contracts. Goal: set anonymity, fair exchange. Fair exchange 1: A gives 1 bitcoin, A gets 1 voucher V = (sn, σ). Fair exchange 2: B gives 1 voucher, B gets 1 bitcoin. Problem: the intermediary can just ignore Bob's voucher redemption request.

  20. HBG'16 protocol: Blindly Signed Transaction Contracts. Goal: set anonymity, fair exchange. Bob first sends h = H(sn) to the intermediary, which can check whether the voucher has already been spent before it posts its Transaction Offer for V. Fair exchange 1 (Alice, Addr A): Transaction Offer (bitcoin for V), Transaction Fulfill (V for bitcoin) with σ; A gives 1 bitcoin, A gets 1 voucher V = (sn, σ). Fair exchange 2 (Bob, Addr B): Transaction Offer (bitcoin for V), Transaction Fulfill (V for bitcoin); B gives 1 voucher, B gets 1 bitcoin.

  21. HBG'16 protocol: what is stored on the blockchain? Transactions are grouped into epochs of about 30 minutes (block i-1, block i, block i+1). Anonymity properties: 1. Set anonymity within an epoch (resists a fully malicious intermediary!). 2. Transparency of the anonymity set (it is visible on the blockchain). How do we achieve this?

  22. HBG'16 protocol: anonymity vs. a malicious intermediary? What if the intermediary aborts all but one transaction? Then that transaction is not anonymous! (Figure: many Addr A / Addr B voucher pairs, all but one aborted.) Countermeasures: 1. A small anonymity set is visible on the blockchain. 2. Addr B is ephemeral (an ephemeral address is a newly created address that is used once and then discarded; the receiving address is always an ephemeral address). If the anonymity set is too small, anonymously send it a new ephemeral address (rinse & repeat).

  23. HBG'16 protocol: anonymity vs. a malicious intermediary? What if the intermediary distorts the anonymity set transparency with sybils? ● Expensive due to sybil resistance: ○ the intermediary pays all transaction fees for each sybil. ● Low success rate: ○ if the intermediary waits until it sees Alice's address to abort, Alice and Bob can detect the attack; ○ if the intermediary launches the attack earlier, it only sees Bob's address, which is an ephemeral address (untargeted).

  24. Background: Bitcoin Transaction Contracts. Goal: fair exchange / atomic swaps. Alice (Addr A) posts a Transaction Offer (bitcoin for X): "Addr A pays to a spending transaction that has a value X satisfying condition C." The counterparty posts a Transaction Fulfill (X for bitcoin): "Here is X." Fair exchange is robust if either party is malicious! ▪ Bitcoin scripts. Bitcoin transaction scripts are very limited: we can only check two types of cryptographic conditions C: 1. Hash(X) = Y, 2. ECDSA_CheckSignature(Tx, PUBLIC_KEY) = TRUE.
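The Offer / Fulfill contract of slide 24 with the first of the two checkable conditions, Hash(X) = Y, simulated on a toy ledger, as an added example (not code from the talk). The in-memory ledger, its block-height clock and the name `tw` for the timeout are assumptions; the ECDSA condition is abstracted into the payer's name rather than modelled.

```python
"""Hash-locked transaction contracts (slide 24) on a toy ledger.

Added example, not code from the talk. Assumptions:
- The ledger is an in-memory balance table plus a block-height clock.
  Real Bitcoin Script would express the same Offer as a hash check on the
  revealed value guarded by a timelock; that script is not modelled here.
- Only condition 1 of the slide, Hash(X) = Y, is implemented. Condition 2
  (ECDSA_CheckSignature) is abstracted into the payer/payee names.
- The deadline tw is counted in blocks from the Offer's posting height.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


@dataclass
class Offer:
    payer: str            # Addr A
    value: int
    y: bytes              # condition C: Hash(X) == y
    deadline: int         # block height after which only Addr A can refund
    claimed_by: Optional[str] = None
    refunded: bool = False


class Ledger:
    def __init__(self):
        self.height = 0
        self.balances = {}
        self.offers = {}

    def fund(self, addr: str, value: int):
        self.balances[addr] = self.balances.get(addr, 0) + value

    def mine(self, blocks: int = 1):
        self.height += blocks

    def post_offer(self, payer: str, value: int, y: bytes, tw: int) -> int:
        """Transaction Offer: lock `value` from payer under Hash(X) = y until tw."""
        if self.balances.get(payer, 0) < value:
            raise ValueError("insufficient funds")
        self.balances[payer] -= value
        oid = len(self.offers)
        self.offers[oid] = Offer(payer, value, y, self.height + tw)
        return oid

    def fulfill(self, oid: int, payee: str, x: bytes) -> bool:
        """Transaction Fulfill: 'Here is X'. Pays payee iff H(X) == y, in time, unclaimed.
        Note that X itself lands on the ledger: the payer learns it, which is what
        makes the exchange fair."""
        o = self.offers[oid]
        if o.claimed_by or o.refunded or self.height > o.deadline:
            return False
        if H(x) != o.y:
            return False
        o.claimed_by = payee
        self.balances[payee] = self.balances.get(payee, 0) + o.value
        return True

    def refund(self, oid: int) -> bool:
        """After the deadline, an unclaimed Offer returns to the payer."""
        o = self.offers[oid]
        if o.claimed_by or o.refunded or self.height <= o.deadline:
            return False
        o.refunded = True
        self.balances[o.payer] += o.value
        return True


def demo():
    led = Ledger()
    led.fund("AddrA", 2)
    x = b"value X known only to the payee"      # constructed secret
    oid = led.post_offer("AddrA", 1, H(x), tw=10)
    wrong = led.fulfill(oid, "AddrB", b"guess")   # H(guess) != y: False
    ok = led.fulfill(oid, "AddrB", x)             # True, X now public on the ledger
    replay = led.fulfill(oid, "AddrC", x)         # already claimed: False
    oid2 = led.post_offer("AddrA", 1, H(b"never revealed"), tw=10)
    early = led.refund(oid2)                      # before tw: False
    led.mine(11)
    late = led.fulfill(oid2, "AddrB", b"never revealed")  # after tw: False
    refunded = led.refund(oid2)                   # True, Addr A gets the coin back
    return (wrong, ok, replay, early, late, refunded,
            led.balances["AddrA"], led.balances["AddrB"])
```

Either party can walk away at any point and the other is never worse off: the payee cannot take the coin without revealing X, and the payer cannot get the coin back while the payee still has time to reveal it. The HBG'16 protocol of slide 20 runs this contract twice, once per fair exchange, with the voucher's serial number behind the hash.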

  25. Big picture (chart). Bitcoin-compatible schemes (aka "mixing services"): HBG'16, TumbleBit and Xim, placed along the axes "vulnerable to bitcoin theft", "vulnerable to DoS & Sybil attacks", "intermediary breaks anonymity" and "mixing takes hours". New cryptocurrencies: not compatible with bitcoin.

  26. PART II Anonymous Decentralized Cryptocurrencies

  27. Anonymous decentralized cryptocurrencies. Either almost a decentralized mixing service (performance issues and limited functionality), or a standalone cryptocurrency.

  28. Zerocoin - main idea. Requires a trusted, append-only bulletin board (it could be the Bitcoin blockchain). Minting: pick a serial number SN, compute C1 = Commit(SN, r), pin C1 on the bulletin board with a bitcoin; all users accept C1 and agree it carries 1 bitcoin. The board holds C1, C2, C3, C4, ..., CN; the commitment and the NIZK keep mint and spend unlinkable. Redeem: compute a NIZK π: "I know Ci in (C1, C2, ..., CN), and I know r to open Ci to SN"; post (SN, π). Spend: all users verify π and check that SN is new; if OK, the spender can collect a bitcoin from any location of the bulletin board.

  29. How to compute the proof π. Redeem: compute a NIZK π ("I know Ci in (C1, C2, ..., CN); I know r to open Ci to SN") and post (SN, π). Naive solution: identify all valid zerocoins on the bulletin board and prove that SN is the serial number of a coin C with C = C1 ∨ C = C2 ∨ ... ∨ C = CN. This "OR" proof is O(N).

  30. How to compute the proof π: cryptographic accumulators. RSA modulus n = p · q, u ∈ QR_n. Accumulator: A = u^(C1 · C2 · ... · CN) mod n. Witness for C2: w = u^(C1 · C3 · ... · CN) mod n. To prove that C2 is in A, give (w, C2); check: w^C2 = A mod n. This is not anonymous!

  31. How to compute the proof π: cryptographic accumulators. RSA modulus n = p · q, u ∈ QR_n. Accumulator: A = u^(C1 · C2 · ... · CN) mod n. Witness for C2: w = u^(C1 · C3 · ... · CN) mod n. To prove that C2 is in A, give (w, C2); check: w^C2 = A mod n. There exists an efficient proof (NIZK) that I have a valid witness to a commitment of SN and know the corresponding randomness r; cost log(N) [CL'02].
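The accumulator arithmetic of slides 30-31 together with the mint/spend bookkeeping of slide 28, as an added example (not code from the talk or from the Zerocoin implementation). Assumptions: Commit(SN, r) is modelled as a hash-to-prime over (SN, r) rather than the Pedersen commitment Zerocoin uses; the trusted-setup modulus is built from two Mersenne primes so that no prime generator is needed; and the spend performs the plain membership check w^C = A (mod n), not the CL'02 NIZK, so this spend reveals C and is not anonymous, which is exactly the point of slide 30.

```python
"""Zerocoin-style RSA accumulator (slides 28-31) with mint/spend bookkeeping.

Added example, not code from the talk or from Zerocoin. Assumptions:
- Commit(SN, r) is a 128-bit hash-to-prime over (SN, r). Real Zerocoin uses a
  Pedersen commitment resampled until it is prime, which is what lets it be
  accumulated and opened inside the NIZK.
- Trusted setup: n = p*q from the Mersenne primes 2^89-1 and 2^107-1 (toy
  size); in a real setup p, q are thrown away and n is thousands of bits.
- spend() reveals (SN, r, w) and checks w^C = A directly. The CL'02 NIZK that
  hides which C the witness belongs to is NOT implemented: this is the
  "not anonymous" membership proof of slide 30.
"""
import hashlib
import secrets

N = (2**89 - 1) * (2**107 - 1)   # trusted setup; the factors are not used again
U = pow(3, 2, N)                 # u in QR_n: a square modulo n


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; good enough for picking accumulator elements in a demo."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def commit(sn: bytes, r: bytes) -> int:
    """Stand-in for Commit(SN, r): an odd 128-bit value derived from (SN, r)."""
    digest = hashlib.sha256(b"commit|" + sn + b"|" + r).digest()[:16]
    return int.from_bytes(digest, "big") | 1


class BulletinBoard:
    def __init__(self):
        self.coins = []            # C1 .. CN in posting order
        self.spent_serials = set()

    def mint(self, sn: bytes):
        """Resample r until Commit(SN, r) is prime, then pin C on the board."""
        while True:
            r = secrets.token_bytes(16)
            c = commit(sn, r)
            if is_probable_prime(c):
                self.coins.append(c)
                return c, r

    def accumulator(self) -> int:
        """A = u^(C1 * C2 * ... * CN) mod n, computed as chained exponentiations."""
        a = U
        for c in self.coins:
            a = pow(a, c, N)
        return a

    def witness(self, c: int) -> int:
        """w = u^(product of all coins except c) mod n; must be refreshed as coins are added."""
        w = U
        for other in self.coins:
            if other != c:
                w = pow(w, other, N)
        return w

    def spend(self, sn: bytes, r: bytes, w: int) -> bool:
        """Accept iff SN is fresh and w^Commit(SN, r) == A. Reveals the coin: not anonymous."""
        if sn in self.spent_serials:
            return False
        if pow(w, commit(sn, r), N) != self.accumulator():
            return False
        self.spent_serials.add(sn)
        return True


def demo():
    bb = BulletinBoard()
    serials = [secrets.token_bytes(16) for _ in range(4)]     # constructed SNs
    coins = [bb.mint(s) for s in serials]                     # C1 .. C4
    c2, r2 = coins[1]
    stale_w3 = bb.witness(coins[2][0])                        # witness for C3 before C5 exists
    bb.mint(secrets.token_bytes(16))                          # C5 joins, A changes
    spend_ok = bb.spend(serials[1], r2, bb.witness(c2))       # fresh witness: True
    double = bb.spend(serials[1], r2, bb.witness(c2))         # same SN again: False
    stale = bb.spend(serials[2], coins[2][1], stale_w3)       # witness not updated: False
    forged = bb.spend(secrets.token_bytes(16), r2, bb.witness(c2))  # no such coin: False
    return spend_ok, double, stale, forged
```

Two things the slides state are visible here: the membership check costs one exponentiation regardless of N (versus the O(N) OR-proof of slide 29), and a witness computed before a later mint stops verifying, so spenders must update witnesses as the board grows. What `spend` cannot do is hide which `c` the witness belongs to; that is what the log(N)-sized NIZK of slide 31 adds on top.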

  32. Problems with Zerocoin. - Accumulators require a trusted setup (somebody to compute n and throw away p, q). - Proofs are not very efficient: log(N) cost, and each proof is approximately 50 KB (note the scaling problems of Bitcoin). - Not compatible with Bitcoin: these new types of transactions would have to be included, and nodes would need to be able to verify sophisticated ZK proofs. - Payments are of a single denomination and payment values appear in the clear (1 BTC). Solves the problems above*
