anonymity in cryptocurrencies
play

Anonymity in Cryptocurrencies Foteini Baldimtsi Bitcoin Anonymity? - PowerPoint PPT Presentation

Apr 09, 2024 •405 likes •821 views

Anonymity in Cryptocurrencies Foteini Baldimtsi Bitcoin Anonymity? Satoshi Nakamoto, 2008 Bitcoin is only pseudonymous Public Key Address 133GT5661q8RuSKrrv8q2Pb4RwS 146KL5461d8KuSPxvv8q2Nd6K2q Posted on the ... Blockchain Alice

  1. Anonymity in Cryptocurrencies Foteini Baldimtsi

  2. Bitcoin Anonymity? Satoshi Nakamoto, 2008

  3. Bitcoin is only pseudonymous Public Key Address 133GT5661q8RuSKrrv8q2Pb4RwS 146KL5461d8KuSPxvv8q2Nd6K2q Posted on the ... Blockchain Alice 122NB5426d8Lau3Kbbf8q2L7g89h If anyone is ever able to link your Bitcoin address to your real world identity, then all of your transactions — past, present, and future — will have been linked back to your identity.

  4. De-anonymizing Bitcoin users Bitcoin De-anonymization in Practice

  5. Anonymity: the goal eCash Adversarial Bank cannot link a withdrawal to a deposit unlinkability Bitcoin It should be hard to link the sender of a payment to its recipient Ledger

  6. Anonymity: the goal Payer Payee Addr A Addr B Break the link between payer and payee

  7. Anonymity Flavors Payers Payees Set Anonymity: the set of transactions which the adversary cannot distinguish from your transaction (depends on anonymity model)

  8. Two Main Directions 1) Mixing/Tumbler Services (for Bitcoin) Blindcoin Bitcoin Compatible XIM 2) Anonymous Cryptocurrencies Non- Compatible to Bitcoin

  9. Why do we need anonymity ● achieve the level of privacy that we are already used to from traditional banking, and mitigate the deanonymization risk that the public blockchain brings. ● go above and beyond the privacy level of traditional banking and develop currencies that make it technologically infeasible for anyone to track the participants.

  10. PART I Mixing/Tumbler Services

  11. What is a mix? MIX ? ● Centralized (intermediary) ● Decentralized (i.e. Coinshuffle)

  12. What is a mix? MIX ? 2 challenges ● privacy against intermediary ● security against intermediary

  13. Attempt 1 - Centralized Scheme Intermediary blindly issues vouchers? Goal: Set-Anonymity V Addr A V Addr B V Intermediary cannot link a voucher it issued to a voucher it redeems! ▪ Blind signatures

  14. Attempt 1 - Centralized Scheme Intermediary blindly issues vouchers? Goal: Set-Anonymity V V V V Addr A V Addr A Addr B V V Addr A Addr B V V Addr A Addr B V V Addr A Addr B V Addr A Addr B V Addr A Addr B V Addr A Addr B V Addr B V Intermediary cannot link a voucher it issued to a voucher it redeems! ▪ Blind signatures

  15. Attempt 2 - Centralized Scheme Intermediary blindly issues vouchers? Bob Alice Issuance SK sn σ Addr A Addr B sn Sign 1. Pick random sn to get blind 2. Blind sn to sn σ signature 3. Unblind to σ σ V=(sn, σ ) 4. Create voucher Redemption V

  16. Attempt 2 - Centralized Scheme Intermediary blindly issues vouchers? But what if Intermediary is malicious σ and refuses to issue or return ? Bob Alice Issuance SK sn σ Addr A Addr B sn Sign 1. Pick random sn to get blind 2. Blind sn to sn σ signature 3. Unblind to σ σ V=(sn, σ ) 4. Create voucher Redemption V

  17. Blindly Signed Transaction Contracts Goal: Set-Anonymity , Fair Exchange/Atomic swaps Alice Transaction Offer: V for . sn “Addr A pays to a spending transaction that has a valid blind signature on . This sn must be done within time tw.” σ Addr A Transaction Fulfill: V for . σ “Here is .” Fair exchange is robust if either party is malicious! ▪ Bitcoin Scripts* * The blind signature we use requires a soft fork

  18. Attempt 3 - centralized scheme Blindly Signed Transaction Contracts Goal: Set-Anonymity, Fair Exchange Alice Bob Addr A Addr B sn Transaction Offer V for Fair exchange 1: σ A: Gives 1 bitcoin A: Gets 1 voucher Transaction Fulfil V for V=(sn, σ ) Transaction Offer for V V Fair exchange 2: B: Gives 1 voucher Transaction B: Gets 1 bitcoin Fulfil for V

  19. Attempt 3 - centralized scheme Blindly Signed Transaction Contracts Goal: Set-Anonymity, Fair Exchange Alice Bob Addr A Addr B sn Transaction Offer V for Fair exchange 1: Intermediary can just ignore σ A: Gives 1 bitcoin Bob’s voucher redemption request. A: Gets 1 voucher Transaction Fulfil V for V=(sn, σ ) Transaction Offer for V V Fair exchange 2: B: Gives 1 voucher Transaction B: Gets 1 bitcoin Fulfil for V

  20. HBG’16 Protocol Blindly Signed Transaction Contracts Goal: Set-Anonymity, Fair Exchange Intermediary can check if Voucher Alice Bob already spent. h=H(sn) Addr A Addr B h Transaction Offer for V sn Transaction Offer V for Fair exchange 1: Fair exchange 2: σ A: Gives 1 bitcoin B: Gives 1 voucher A: Gets 1 voucher B: Gets 1 bitcoin Transaction Fulfil V for V=(sn, σ ) V Transaction Fulfil for V

  21. HBG’16 Protocol Blindly Signed Transaction Contracts What is stored on the blockchain? Blockchain block i-1 block i blocki +1 ≈ 30mins 1 epoch Anonymity properties: How do we achieve this? 1. Set Anonymity within an Epoch. (resists a fully malicious intermediary!) 2. Transparency of Anonymity Set. (It’s visible on the blockchain)

  22. HBG’16 Protocol Anonymity vs Malicious Intermediary? What if intermediary aborts all but one transaction? Not Anonymous! Not Anonymous! V V V V Addr A V Addr A Addr B V V Addr A Addr B V V Addr A Addr B V V Addr A Addr B V Addr A Addr B V Addr A Addr B V Addr A Addr B An ephemeral address is a newly created address that is used V Addr B V once and then discarded. The receiving address is always an ephemeral address. Countermeasures: 1. Small anonymity set is visible on the blockchain. 2. Addr B is ephemeral; If anonymity set is too small anonymously send it a new ephemeral addr (rinse & repeat).

  23. HBG’16 Protocol Anonymity vs Malicious Intermediary? What if intermediary distort anonymity set transparency with sybils? ● Expensive due to sybil resistance: ○ Intermediary pays all transaction fees for each sybil. ● Low success rate: ○ If intermediary waits until it sees Alice’s address to abort, Alice and Bob can detect attack. ○ If intermediary launches the attack earlier, it only sees Bob’s address which is an ephemeral address (untargeted).

  24. Background: Bitcoin Transaction Contracts Goal: Fair Exchange/Atomic swaps: Alice Transaction Offer: X for . “Addr A pays to a spending transaction has a value X satisfying condition C. X Addr A Transaction Fulfill: X for . “Here is X .” Bitcoin transaction scripts are very limited. Fair exchange is robust if either party is malicious! We can only check two types of cryptographic conditions C: 1. Hash(X) = Y, ▪ Bitcoin Scripts 2. ECDSA_CheckSignature(Tx, PUBLIC_KEY) = TRUE

  25. Big Picture Bitcoin-Compatible Schemes New Cryptocurrencies (aka “Mixing Services”) Not compatible with bitcoin Vulnerable to bitcoin theft HBG’16 TumbleBit Mixing takes Vulnerable to DoS & Sybil Attacks hours Intermediary Xim breaks anonymity 25

  26. PART II Anonymous Decentralized Cryptocurrencies

  27. Anonymous Decentralized Cryptocurrencies Almost a decentralized mixing service performance issues and limited functionality Standalone cryptocurrency

  28. Zerocoin - main idea Requires a trusted, append only bulletin board (it could be the Bitcoin blockchain) Minting Bulletin Board pick SN, compute C1 = Commit(SN,r) C1 pin C1 on BB with a bitcoin C2 All Users accept C1 and agree it carries 1 C3 unlinkable by C4 Redeem Commitment ... compute a NIZK π: and NIZK - I know Ci in (C1,C2,..,CN) CN - I know r to open Ci to SN Post (SN,π) (SN,π) Spend All Users verify π and check SN is new if OK, I can collect a from any location of BB

  29. How to compute the proof π Redeem Bulletin Board compute a NIZK π: C1 - I know Ci in (C1,C2,..,CN) - I know r to open Ci to SN C2 Post (SN,π) C3 C4 ... Naive Solution CN Identify all valid zerocoins in the bulletin board Prove that SN is the serial number of a coin C (SN,π) Spend C = C1 ∨ C = C2 ∨ ...C=CN This “OR” proof is O(N)

  30. How to compute the proof π Cryptographic Accumulators Bulletin Board C1 RSA modulus n = p · q, u ∈ QR N C2 C3 Accumulator: A = u C1 C2 ...CN mod n C4 witness for C2: w = u C1 C3 ...CN mod n ... To prove that C2 is in A give (w,C2) CN check: w C2 = A mod n (SN,π) Spend This is not anonymous!

  31. How to compute the proof π Cryptographic Accumulators Bulletin Board C1 RSA modulus n = p · q, u ∈ QR N C2 C3 Accumulator: A = u C1 C2 ...CN mod n C4 witness for C2: w = u C1 C3 ...CN mod n ... To prove that C2 is in A give (w,C2) CN check: w C2 = A mod n (SN,π) Spend There exists an efficient proof (NIZK) that I have a valid witness to a commitment of SN and know the corresponding randomness r cost log (N) [CL’02]

  32. Problems with Zerocoin - Accumulators require a trusted setup (somebody to compute N and throw away p,q) - Proofs not very efficient log(N) Each proof is approximately 50 KB) - note the scaling problems of Bitcoin - Not compatible with bitcoin - these new types of transactions should be included - you would need to be able to verify sophisticated ZK proofs - Payments of single denomination and payment values appear in the clear (1 BTC) Solves the problems above*

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja Venkatakrishnan, Giulia Fanti,

Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja Venkatakrishnan, Giulia Fanti,

Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja Venkatakrishnan, Giulia Fanti, Andrew Miller, Pramod Viswanath Why do People Use Cryptocurrencies? Technical Properties/ Currency Stability Investment Ideology Untraceable

692 views • 58 slides
Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Cryptocurrency Technologies Bitcoin and Anonymity Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing Decentralized Mixing Zerocoin and Zerocash Tor and the Silk Road Bitcoin and Anonymity

524 views • 39 slides
Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity, t-Closeness CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 4 : 590.03 Fall 12 1

647 views • 61 slides
but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian

but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian

Not all is lost for anonymity but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket Kate 1 1 Purdue University 2 Visa Research 3 ETH Zurich 1 Sender Anonymity

551 views • 44 slides
Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity

Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity

Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity isnt cryptography Cryptography protects the contents in transit You still know who is talking to whom, how often, and how much data is

764 views • 54 slides
Attacks on Mining Protocol Yujin Kwon KAIST 2018.03.22 1 Cryptocurrencies Cryptocurrencies

Attacks on Mining Protocol Yujin Kwon KAIST 2018.03.22 1 Cryptocurrencies Cryptocurrencies

Attacks on Mining Protocol Yujin Kwon KAIST 2018.03.22 1 Cryptocurrencies Cryptocurrencies Increa rease! se! Cryptocurrencies Increa rease! se! 1 BTC $8.5K 1 ETH $180 Proof-of-Work Mining They use blockcha kchain to run

992 views • 64 slides
Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous =

Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous =

Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous = Nameless, unidentifiable pseudonymous = Fake name, still traceable Tracing Bitcoin transactions Normal redeem script: Provide public key pk and proof

438 views • 33 slides
Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not

Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not

Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not given or known - Anonymity != Privacy != Security - Anonymity: they can see what you do, but not who you are - Privacy: they can see

379 views • 33 slides
Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Miller and Baileys ECE 422 Anonymity Anonymity: Concealing your identity In the context of the Internet, we

860 views • 61 slides
11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity

11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity

11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity Being on-line without giving up everything about you Ensuring collected data doesnt reveal its users data Privacy in Structured Data:

766 views • 49 slides
Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti

Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti

Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti Dina Katabi & Katya Puchala State of the art: Onio Onion Rout n Routing over P2P ing over P2P n Routing over P2P ing over P2P Bob Onion

705 views • 43 slides
Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh |

Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh |

Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh | Shinyoung Cho | Phillipa Gill Stony Brook University 1 Anonymity on the Internet Tor Network 2 Anonymity on the Internet Does not know the source

261 views • 15 slides
Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Cryptocurrency Technologies Cryptography and Cryptocurrencies Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and Data Structures Block Chains Merkle Trees Digital Signatures Public

489 views • 27 slides
Feasibility of Cryptocurrencies on Mobile devices Anas Younis & Sander Lentink University of

Feasibility of Cryptocurrencies on Mobile devices Anas Younis & Sander Lentink University of

Feasibility of Cryptocurrencies on Mobile devices Anas Younis & Sander Lentink University of Amsterdam MSc System and Network Engineering RP1 06-02-2018 1 Disclaimer Assumed knowledge; Cryptocurrencies The principle of

618 views • 28 slides
Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith

Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith

CyLab Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s b U o 8-533 / 8-733 / 19-608 / 95-818:

467 views • 46 slides
for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket

for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket

Anonymity Trilemma not all is lost for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket Kate 1 1 Purdue University 2 Visa Research 3 Universitaet zu Luebeck Anonymous Communication (AC) Networks

449 views • 21 slides
How to write a literature review Tyler Moore Computer Science & Engineering Department, SMU,

How to write a literature review Tyler Moore Computer Science & Engineering Department, SMU,

Notes How to write a literature review Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX November 6, 2012 Literature Reviews Project Notes Outline Literature Reviews 1 Project 2 2 / 19 Literature Reviews

243 views • 5 slides
Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable Codes Dana Dachman-Soled University of Maryland Joint work with: Mukul Kulkarni and Aria Shahverdi, University of Maryland Talk is also based on

572 views • 35 slides
Evaluating, choosing and implementing a SIEM solution Dan Han , Virginia Commonwealth University

Evaluating, choosing and implementing a SIEM solution Dan Han , Virginia Commonwealth University

Evaluating, choosing and implementing a SIEM solution Dan Han , Virginia Commonwealth University A little about me Worked in IT for about 15 years Worked in Application Development, Desktop Support, Server Management, Infrastructure

606 views • 38 slides
Customizing Employment: Strengths of a Sports Fan April Lynch, M.S., CRC, Resident in Counseling

Customizing Employment: Strengths of a Sports Fan April Lynch, M.S., CRC, Resident in Counseling

9/23/2019 Customizing Employment: Strengths of a Sports Fan April Lynch, M.S., CRC, Resident in Counseling Vocational Rehabilitation Counselor VCU Rehabilitation Research and Training Center 1 Starting pointClient Intake Employment

423 views • 5 slides
2020-2021 College at wise Undergraduate tuition AND FEE proposal UVA Wises Value Proposition

2020-2021 College at wise Undergraduate tuition AND FEE proposal UVA Wises Value Proposition

2020-2021 College at wise Undergraduate tuition AND FEE proposal UVA Wises Value Proposition Washington Monthly, Most Established in 1954 as a division of UVA Bang For the Buck Award 2100 students 31 majors, 37 minors, 8

250 views • 6 slides
Quotients of strongly proper posets, and related topics Sean Cox Virginia Commonwealth

Quotients of strongly proper posets, and related topics Sean Cox Virginia Commonwealth

Quotients of strongly proper posets, and related topics Sean Cox Virginia Commonwealth University scox9@vcu.edu Forcing and its Applications Retrospective Workshop, March 2015 1 / 50 Joint work with John Krueger. 2 / 50 A conjecture of

537 views • 50 slides
CAMPUS PUBLIC SAFETY Welcome Welcome Purpose of Webinar Presenters Calvin Hodnett

CAMPUS PUBLIC SAFETY Welcome Welcome Purpose of Webinar Presenters Calvin Hodnett

Guide for Developing High-Quality Emergency Operations Plans for Institutions of Higher Education: A CLOSER LOOK: CAMPUS PUBLIC SAFETY Welcome Welcome Purpose of Webinar Presenters Calvin Hodnett Senior Management Analyst Dept of

599 views • 39 slides
VIRGINIA NUCLEAR ENERGY CONSORTIUM VNECA Meeting Richmond, VA March 20, 2018

VIRGINIA NUCLEAR ENERGY CONSORTIUM VNECA Meeting Richmond, VA March 20, 2018

VIRGINIA NUCLEAR ENERGY CONSORTIUM VNECA Meeting Richmond, VA March 20, 2018 www.virginianuclear.org Update Day on the Hill Meeting with Governor Northam Briefing for Governors Key Energy Officials Energy Workforce Cluster

424 views • 7 slides

More recommend