Privacy-Enhancing Overlays in Bitcoin (PowerPoint presentation)


  1. Privacy-Enhancing Overlays in Bitcoin. Sarah Meiklejohn (University College London), Claudio Orlandi (Aarhus University)

  6. Anonymity in Bitcoin: How much anonymity does Bitcoin really provide?

  12. Outline: Background (How Bitcoin works; Anonymity in Bitcoin; Coinjoin); Taint resistance; Achieving taint resistance; Conclusions

  20. How Bitcoin works. [diagram labels: key pairs (pk_A, sk_A) and (pk_B, sk_B); address; transaction tx: Sign(pk_B → pk_A); miner; blockchain; peer-to-peer network]

  22. Anonymity in Bitcoin: How much anonymity does Bitcoin really provide? In theory, a lot! Addresses are not linked to identity. [diagram labels: key pairs (pk_A, sk_A) and (pk_B, sk_B); address]

  23. Input clustering [RH13, RS13, A+13, M+13, SMZ14]. Heuristic: the same user controls these addresses. [transaction diagram]

  24. Change clustering [A+13, M+13, SMZ14]. Heuristic: the same user also controls this address. [transaction diagram]

  26. Tracking technique [M+13, HDM+14]. [figure labels: cycle, theft, heists, ..., exchange, individual thefts, service interaction]

  27. Anonymity in Bitcoin: How much anonymity does Bitcoin really provide? In theory, a lot! Addresses are not linked to identity. In practice, maybe not so much.

  34. Privacy-enhancing overlays

  35. Coinjoin: introduced on August 22, 2013 by Gregory Maxwell, “Bitcoin privacy for the real world”

  41. Coinjoin: signatures contributed separately. [diagram: inputs 1, 2, 3 with signatures σ_1, σ_2, σ_3; outputs 1, 2, 3]

  43. Coinjoin prevents clustering. Heuristic: the same user controls these addresses. [transaction diagram]

  45. Coinjoin: signatures contributed separately. Could be: • private communication • IRC (+Tor) • central server (+blind signatures). [diagram: inputs 1, 2, 3 with signatures σ_1, σ_2, σ_3; outputs 1, 2, 3]

  49. “Coinjoin” transactions. A “coinjoin” has: • more than 5 inputs • more than 5 outputs. [plot: # “coinjoins” per block over time, 2011 to 8/2013; values 3 and 13 marked]

  51. Anonymity in Bitcoin: How much anonymity does Bitcoin really provide? In theory, a lot! Addresses are not linked to identity. In practice, maybe not so much. [overlay: How much anonymity does Coinjoin really provide?]

  52. Outline: Background; Taint resistance (Cryptographic background; Accuracy; Taint resistance); Achieving taint resistance; Conclusions

  54. Anonymity in Bitcoin: How much anonymity does Bitcoin really provide? In theory, a lot! Addresses are not linked to identity. In practice, maybe not so much. [overlay: How much anonymity does Coinjoin really provide?]

  57. Coinjoin: should be hard to figure out which input addresses sent to this output address; should be hard to figure out permutation. [diagram: inputs 1, 2, 3 with signatures σ_1, σ_2, σ_3; outputs 1, 2, 3]

  62. Taint resistance. Accuracy: how accurately can one identify the taint set? $\mathrm{MCC} = \dfrac{|A \cap T| \times |S \setminus (A \cup T)| - |A \setminus T| \times |T \setminus A|}{\sqrt{|A|\,|T|\,|S \setminus T|\,|S \setminus A|}}$, where $S$ is the input keys (candidate set), $A$ is the guess for the taint set, and $T$ is the (true) taint set. Taint resistance: no adversary can have good accuracy. [diagram: coinjoin with inputs 1, 2, 3, signatures σ_1, σ_2, σ_3, outputs 1, 2, 3, and the taint set marked]

  63. Bad taint resistance: lopsided values. [diagram: signatures σ_1, σ_2; the values 50.123 and 1.987 each appear on both the input side and the output side]

  64. Bad taint resistance: process of elimination. [diagram: inputs 1, 2, 3 with signatures σ_1, σ_2, σ_3; outputs 1, 2, 3]

  65. Outline: Background; Taint resistance; Achieving taint resistance (Cryptographic background; Constructive approaches; Is Coinjoin taint resistant?); Conclusions

  69. Constructing taint-resistant protocols. [diagram: inputs with signatures σ_1, σ_2, σ_3] Could be: • private communication • IRC (+Tor) • central server. If server is trusted and A is passive, then we can achieve taint resistance. If server is passively corrupted, then we can achieve $(1-\varepsilon)$-taint resistance. (Like CoinShuffle [RM-SK14]) if an active A controls τ fraction of n parties, then we can achieve $(1 - n\tau^{n-1})$-taint resistance.

  71. Analyzing taint-resistant protocols: participated in 108 transactions ourselves

  75. Analyzing taint-resistant protocols: implemented simple subset-sum algorithm (Atlas, Coinjoin Sudoku): (roughly) if sum of input values is output value, input addresses might be in taint set for output address. Active adversary knows addresses and knows coinjoins; passive adversary knows no addresses and guesses coinjoins.
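The accuracy measure from the "Taint resistance" slide and the rough subset-sum rule from the last slide can be combined to score how well a given coinjoin resists this analysis. This is an added example, not code from the presentation or its authors; the function names, the choice to take the union of all matching subsets as the guess, and the sample transactions are assumptions made here.

```python
from itertools import combinations
from math import sqrt

def mcc(S, A, T):
    """MCC of guess A against true taint set T; S is the candidate set (input keys)."""
    S, A, T = set(S), set(A), set(T)
    num = len(A & T) * len(S - (A | T)) - len(A - T) * len(T - A)
    den = sqrt(len(A) * len(T) * len(S - T) * len(S - A))
    return num / den if den else 0.0  # usual convention when a factor is zero

def subset_sum_matches(inputs, out_value):
    """Non-empty subsets of input addresses whose values sum to out_value.
    Values are integer satoshi; fees are ignored (simplifying assumption)."""
    addrs = sorted(inputs)
    return [set(c) for r in range(1, len(addrs) + 1)
            for c in combinations(addrs, r)
            if sum(inputs[a] for a in c) == out_value]

def taint_guess(inputs, out_value):
    """Guess A: every input address that appears in some matching subset."""
    return set().union(*subset_sum_matches(inputs, out_value))

def score(inputs, out_value, true_taint):
    """Accuracy (MCC) of the subset-sum guess for one output of one transaction."""
    return mcc(inputs.keys(), taint_guess(inputs, out_value), true_taint)

# Constructed sample transactions (address -> value in satoshi).
LOPSIDED = {"in1": 5_012_300_000, "in2": 198_700_000}  # 50.123 and 1.987 BTC
UNIFORM = {"a": 100_000_000, "b": 100_000_000, "c": 100_000_000}

if __name__ == "__main__":
    # Lopsided values: the guess is exact, so the mix gives no taint resistance.
    print(score(LOPSIDED, 5_012_300_000, {"in1"}))
    # Equal values: every input matches, so the guess carries no information.
    print(score(UNIFORM, 100_000_000, {"a"}))
```

The enumeration is exponential in the number of inputs, which is fine for checking a handful of participants before joining a mix but not for bulk analysis.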
