Privacy-Enhancing Overlays in Bitcoin
Sarah Meiklejohn (University College London), Claudio Orlandi (Aarhus University)

Anonymity in Bitcoin
How much anonymity does Bitcoin really provide?

Outline
• Background: How Bitcoin works; Anonymity in Bitcoin; Coinjoin
• Taint resistance
• Achieving taint resistance
• Conclusions

How Bitcoin works
[Diagram: users holding key pairs (pk_A, sk_A) and (pk_B, sk_B) on a peer-to-peer network. Labels: address; transaction tx: Sign(pk_B → pk_A); miner; blockchain.]

Anonymity in Bitcoin
How much anonymity does Bitcoin really provide?
• in theory, a lot! addresses are not linked to identity
[Diagram: key pairs (pk_A, sk_A) and (pk_B, sk_B); label: address.]

Input clustering [RH13, RS13, A+13, M+13, SMZ14]
[Transaction diagram]
Heuristic: the same user controls these addresses

Change clustering [A+13, M+13, SMZ14]
[Transaction diagram]
Heuristic: the same user also controls this address

Tracking technique [M+13, HDM+14]
[Figure labels: cycle; theft; heists; exchange; individual thefts; service interaction]

Anonymity in Bitcoin
How much anonymity does Bitcoin really provide?
• in theory, a lot! addresses are not linked to identity
• in practice, maybe not so much

Privacy-enhancing overlays

Coinjoin
Introduced on August 22, 2013 by Gregory Maxwell: “Bitcoin privacy for the real world”

Coinjoin
[Diagram: a single transaction with inputs and outputs, carrying signatures σ_1, σ_2, σ_3]
signatures contributed separately

Coinjoin prevents clustering
[Transaction diagram]
Heuristic: the same user controls these addresses

Coinjoin
[Diagram: a single transaction carrying signatures σ_1, σ_2, σ_3]
signatures contributed separately; could be:
• private communication
• IRC (+Tor)
• central server (+blind signatures)

“Coinjoin” transactions
“coinjoin” has:
• more than 5 inputs
• more than 5 outputs
[Plot: # “coinjoins” per block over time; marked values 3 and 13; time axis marked 2011 and 8/2013]

Anonymity in Bitcoin
How much anonymity does Bitcoin really provide?
• in theory, a lot! addresses are not linked to identity
• in practice, maybe not so much
How much anonymity does Coinjoin really provide?

Outline
• Background
• Taint resistance: Cryptographic background; Accuracy; Taint resistance
• Achieving taint resistance
• Conclusions

Coinjoin
[Diagram: a single transaction carrying signatures σ_1, σ_2, σ_3]
• should be hard to figure out which input addresses sent to this output address
• should be hard to figure out permutation

Taint resistance
[Coinjoin diagram; label: taint set]
accuracy: how accurately can one identify taint set?
$$\mathrm{MCC} = \frac{|A \cap T| \times |S \setminus (A \cup T)| - |A \setminus T| \times |T \setminus A|}{\sqrt{|A|\,|T|\,|S \setminus T|\,|S \setminus A|}}$$
where $S$ is the input keys (candidate set), $A$ is the guess for taint set, and $T$ is the (true) taint set
taint resistance: no adversary can have good accuracy

Bad taint resistance: lopsided values
[Diagram: signatures σ_1, σ_2; values 50.123 and 1.987, each shown twice]

Bad taint resistance: process of elimination
[Coinjoin diagram with signatures σ_1, σ_2, σ_3]

Outline
• Background
• Taint resistance
• Achieving taint resistance: Cryptographic background; Constructive approaches; Is Coinjoin taint resistant?
• Conclusions

Constructing taint-resistant protocols
[Coinjoin diagram with signatures σ_1, σ_2, σ_3]
could be:
• private communication
• IRC (+Tor)
• central server
if server is trusted and A is passive, then we can achieve taint resistance
if server is passively corrupted, then we can achieve $(1-\varepsilon)$-taint resistance
if an active A controls τ fraction of n parties, then we can achieve $(1 - n\tau^{n-1})$-taint resistance (like CoinShuffle [RM-SK14])

Analyzing taint-resistant protocols
participated in 108 transactions ourselves

Analyzing taint-resistant protocols
implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address (Atlas, Coinjoin Sudoku)
• active adversary: knows addresses and knows coinjoins
• passive adversary: knows no addresses and guesses coinjoins
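
Added example (not from the slides or the authors' implementation): the subset-sum heuristic described above, scored with the MCC accuracy measure from the taint resistance slide, to compare how much lopsided, uniform and mixed input values leak. All function names and transactions are constructed for illustration; amounts are integers, fees are ignored so sums match exactly, and an undefined MCC (zero denominator) is treated as 0 by assumption.

```python
from itertools import combinations
from math import sqrt

def taint_guess(inputs, out_value):
    """Subset-sum heuristic: union of all input subsets summing to out_value."""
    guess = set()
    for r in range(1, len(inputs) + 1):
        for subset in combinations(inputs, r):
            if sum(inputs[k] for k in subset) == out_value:
                guess.update(subset)
    return guess

def mcc(S, A, T):
    """Accuracy score: S = input keys, A = guess, T = true taint set."""
    num = len(A & T) * len(S - (A | T)) - len(A - T) * len(T - A)
    den = sqrt(len(A) * len(T) * len(S - T) * len(S - A))
    return num / den if den else 0.0  # assumed convention: 0 when undefined

def score(inputs, outputs, truth):
    """MCC of the heuristic's guess for every output of one transaction."""
    S = set(inputs)
    return {o: mcc(S, taint_guess(inputs, v), truth[o]) for o, v in outputs.items()}

# Constructed transactions: (input values, output values, true taint sets).
# Amounts are integers (thousandths of a coin); no fees.
LOPSIDED = ({"in1": 50123, "in2": 1987},
            {"out1": 50123, "out2": 1987},
            {"out1": {"in1"}, "out2": {"in2"}})
UNIFORM = ({"in1": 1000, "in2": 1000, "in3": 1000},
           {"out1": 1000, "out2": 1000, "out3": 1000},
           {"out1": {"in1"}, "out2": {"in2"}, "out3": {"in3"}})
MIXED = ({"in1": 3000, "in2": 1000, "in3": 1000},
         {"out1": 3000, "out2": 1000, "out3": 1000},
         {"out1": {"in1"}, "out2": {"in2"}, "out3": {"in3"}})

if __name__ == "__main__":
    for name, tx in [("lopsided", LOPSIDED), ("uniform", UNIFORM), ("mixed", MIXED)]:
        print(name, score(*tx))
```

With equal values every input is a candidate for every output and the score drops to 0; a single distinct value is enough to pin down that participant's output exactly.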