Towards Better Privacy with Monero
Malte Möser
Based on "An Empirical Analysis of Traceability in the Monero Blockchain", joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin.

Takeaways
▸ Monero improves upon Bitcoin’s privacy
▸ One-time addresses prevent address clustering
▸ Transaction values are hidden
▸ Obfuscation of payment flows
▸ Incorrect use can severely hurt your anonymity
▸ Used for both illegitimate and legitimate purposes

Anonymity
"Anonymity is the state of not being identifiable within a set of subjects, the anonymity set." (Pfitzmann & Köhntopp 2001)
[Figure label: Indistinguishable]

Issue 1: Public Reuse of Addresses
Send Bitcoin to 1myaddress001
To: 1myaddress001
To: 1myaddress001

Issue 1: Public Reuse of Addresses
To: 1myaddress042
To: 1myaddress001
To: 1myaddress001
To: 1myaddress612

Monero Uses Stealth Addresses
Send XMR to mystealthyaddr
To: g77gwvm8mg
▸ Based on shared secret (ECDH)
▸ Sender embeds information that allows the recipient to recover the secret
▸ Recipients must try to redeem all outputs on the blockchain

Issue 2: Values Are Visible
Send XMR to mystealthyaddr
1 XMR, To: g77gwvm8mg
10.376289 XMR, To: 0yqija6fga

When the Cookie Meets the Blockchain
▸ Each step can leak information to third-party trackers
▸ Timing and value make it possible to identify the corresponding transactions
Goldfeder et al. (2018). When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies

Amounts Are Encrypted (Since 2017)
Send XMR to mystealthyaddr
?? XMR, To: g77gwvm8mg
?? XMR, To: 0yqija6fga

Issue 3: Tracing Payments
[Diagram labels: Bob, Alice, Hotel]

Output Selection in Bitcoin
each input spends a single output

Output Selection in Monero
each input spends one of multiple outputs
linkable ring signature (key image)

Deduction Technique
initially no mandatory number of mixins

Results of Deducibility Attack
▸ 64% of inputs have no mixins
▸ 63% of inputs with mixins are deducible

How Do You Choose Fake Coins?
[Diagram labels: 2 years old, 3 months old, 2 days old; annotation: Most likely to be the real coin being spent]

Distributions Do Not Match
[Figure legend: Real, Real + Fake, Ruled-out]

The Newest Input Is Usually the Real One
Successful for 80% of all inputs between April 2014 and April 2017

How Can We Fix This? Sample More “Recent” Mixins
▸ More mixins, more “recent” mixins
▸ Simulation results in our paper
[Figure: Estimate vs. Empirical Distribution; axes: Probability, Binned Mixin Time]

Sophisticated Timing Attacks
[Diagram labels: 2 years old, 3 months old, 2 days old]
▸ Bob is one of five suspects to have bought drugs at AlphaBay today
▸ I know Bob bought some XMR exactly 3 months ago

Chain Forks Are a Privacy Hazard
[Diagram labels: Monero, MoneroV]

Chain Forks Are a Privacy Hazard
linked by key image
Intersection reveals true spend
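
Added example (not code from the talk or the paper): a Python sketch of the two eliminations named on the "Deduction Technique" and "Chain Forks Are a Privacy Hazard" slides, run on constructed ring data to measure how many candidates each input really has left. It follows the paper's idea that an output known to be spent by one input can be ruled out as the real spend elsewhere; the function names and sample ids are assumptions made for illustration.

```python
def effective_rings(inputs):
    """Return {key_image: outputs that can still be the real spend}.

    inputs: (key_image, ring_member_ids) pairs, one per observed input; the
    same key image may appear more than once (e.g. on two chain forks).
    """
    cand = {}
    for key_image, ring in inputs:
        # A key image is bound to one real output, so every ring published
        # under it must contain that output: keep only the intersection.
        ring = set(ring)
        cand[key_image] = cand[key_image] & ring if key_image in cand else ring
    changed = True
    while changed:
        changed = False
        # Outputs pinned to one key image are provably spent there ...
        spent = {next(iter(c)): ki for ki, c in cand.items() if len(c) == 1}
        for ki, c in cand.items():
            # ... so they can only be decoys wherever else they appear.
            decoys = {o for o in c if spent.get(o, ki) != ki}
            if decoys:
                c -= decoys
                changed = True
    return cand


def deducible_share(inputs):
    """(deduced, with_mixins): inputs that had mixins but have one candidate left."""
    inputs = [(ki, set(ring)) for ki, ring in inputs]
    cand = effective_rings(inputs)
    with_mixins = {ki for ki, ring in inputs if len(ring) > 1}
    deduced = {ki for ki in with_mixins if len(cand[ki]) == 1}
    return len(deduced), len(with_mixins)


# Constructed sample data (output ids and key images are made up).
SAMPLE = [
    ("ki_a", ["o1"]),               # zero mixins: o1 is spent here
    ("ki_b", ["o1", "o2"]),         # o1 ruled out, leaving o2
    ("ki_c", ["o1", "o2", "o3"]),   # chain reaction, leaving o3
    ("ki_d", ["o4", "o5", "o6"]),   # ring on the main chain
    ("ki_d", ["o4", "o7", "o8"]),   # same key image on a fork, leaving o4
    ("ki_e", ["o4", "o5", "o6"]),   # o4 ruled out: ring of 3 is really 2
]

if __name__ == "__main__":
    for ki, c in sorted(effective_rings(SAMPLE).items()):
        print(ki, sorted(c))
    print("deducible: %d of %d inputs with mixins" % deducible_share(SAMPLE))
```

The `ki_e` row shows the effect on a user who did nothing wrong: the ring stays ambiguous, but its effective size drops because of how other users spent.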

Estimating Performance of Guess-Newest
Source: Abraham Hinteregger and Bernhard Haslhofer. An Empirical Analysis of Monero Cross-Chain Traceability. (2019)

Quantifying Privacy-Sensitive Use
▸ Not all transactions are equally privacy sensitive
▸ Goal: quantify different usage types
[Figure annotation: Monero doubles block interval]

Estimating Mining Activity
▸ Miners announce blocks and payouts
▸ Website crawl
▸ # blocks found
▸ # payout txs
▸ 0.44 txs per block related to mining

AlphaBay
▸ Volume spiked when AlphaBay started accepting Monero
[Figure annotation: AlphaBay starts accepting Monero]

AlphaBay - Daily Volume (Number of Transactions)
[Figure: daily volume (nr. of transactions, 7-day avg.) by date, Jan 2015 to Jan 2017; legend: XMR or BTC, BTC only, Unidentified]

AlphaBay
▸ Volume spiked when AlphaBay started accepting Monero
[Figure annotation: AlphaBay starts accepting Monero]
▸ At most 25% of txs can be deposits at AlphaBay

Cryptocurrency Privacy Inherits the Worst of
▸ Data anonymization
  ▸ Blockchain data is public
  ▸ Weakness can be exploited retroactively
▸ Communication anonymity
  ▸ Behavior of some users influences anonymity of others
  ▸ “Anonymity loves company”
cf. Goldfeder, Kalodner, Reisman & Narayanan (2018)

Summary
▸ Monero improves upon the limited privacy of Bitcoin
▸ Correct use of technology is paramount
▸ It’s hard to patch a broken system
▸ Illicit businesses tend to be early adopters of new technologies
▸ Many legitimate uses that are less visible