monero
play

Monero an anonymous altcoin Dionysis Zindros ATHECRYPT 2016 - PowerPoint PPT Presentation

Feb 19, 2023 •203 likes •734 views

Monero an anonymous altcoin Dionysis Zindros ATHECRYPT 2016 Overview Bitcoins problems Moneros solutions Fungibility Anonymity Unlinkability Untraceability Acknowledgments Bitcoin Genve, Universit

  1. Monero an anonymous altcoin Dionysis Zindros ATHECRYPT 2016

  2. Overview ● Bitcoin’s problems Monero’s solutions ● ● Fungibility ● Anonymity ● Unlinkability Untraceability ●

  3. Acknowledgments Bitcoin Genève, Université Libre de Bruxelles Jérémie Dubois- Arne Brutschy Lacoste

  4. Bitcoin ● The first decentralized cryptocurrency But it has problems ● ● It is not fungible ● It is not anonymous ● It’s linkable It’s traceable ●

  5. Bitcoin’s graph

  7. Linkability Payments to C are linked

  10. Forensic analysis of blockchains Forensic analysis of bitcoin reveals identities What can we use to forensically analyze the bitcoin blockchain? ● Change addresses Transaction correlation ● ● Public service addresses (pools, shops)

  11. Blockchain forensic analysis services ● Booming new field bitiodine.net ○ ○ coinalytics.co quantabytes.com ○ ● Blockchain is permanent Privacy can only decrease with time ●

  12. Why do we need financial privacy? ● Supported by long-history of cypherpunk philosophy Private crypto currencies will dominate ● ● Evidence illustrates privacy benefits the honest ● Needed if we want to achieve true decentralization ● Otherwise centralization can be forced upon us through courts of law “Those people who do not have power, we mustn't reduce their power even more by making them yet more transparent.” Julian Assange

  13. Fungibility Fungibility is the property of a commodity whose individual units are capable of mutual substitution . Fungible cryptocurrencies have units that are interchangeable .

  14. Bitcoin’s lack of fungibility ● All bitcoins are equal, but some bitcoins are more equal than others Coins are traceable ● ● Colored coins ● Tainted coins ● Privacy can be broken, so fungibility is voluntary coinvalidation.com ● ● Social pressure exists to break fungibility in bitcoin

  15. Why do we want fungibility? ● Fundamental property of currencies If I get paid, I need to know that I can spend my money ● ● We know from bitcoin voluntary fungibility does not work ● Lack of fungibility centralizes nature of coins Who is the authority to determine tainting? ○

  16. Achieving blockchain untraceability ● Tumblers (bitcoin) Centralization ○ ● Coinjoin (bitcoin) Opt-in, off by default ○ ○ Anonymity set is too small Zerocash ● Large proofs ○ ○ Costly fees Slow ○ ● Monero

  17. Achieving bitcoin unlinkability ● Bitcoin stealth addresses Requires interactivity ○ ○ Or exchange of information beforehand Or elaborate use of OP_RETURN ○ ● Renew addresses every time Impractical ○

  18. Monero ● Altcoin Rewritten from scratch, not a fork ● ● Created April 2014 ● Based on CryptoNote protocol

  19. Monero overview ● Stealth addresses achieve unlinkability Ring signatures achieve untraceability ●

  20. Monero’s unlinkability ● Monero uses stealth addresses

  21. Bitcoin address model

  22. CryptoNote address model

  23. Stealth addresses ● Bob maintains one pre-generated public address To send money to Bob, Alice generates a one-time key based on Bob’s ● public address ● Bob monitors the blockchain for payments ● Bob can recognize payments to one-time keys from his address using his private key ● Only the owner of a monero address knows the output is for him ● Mallory cannot distinguish whether a payment belongs to Bob

  24. Stealth addresses ● Bob can now publish his stealth address to everybody Each output sent to Bob will look to observers as having different ● destinations ● Nobody can tell these outputs are going to Bob ● Nobody can tell these outputs are going to the same person

  25. Stealth addresses ● Bob creates two EC key pairs (A, a) and (B, b) (a, b) is his private key ● ● a is the view key (or tracking key) ● b is the spending key ● (A, B) is his public key and can be encoded into an address

  26. Send money to stealth address G is elliptic curve base point H is hash function ● Alice wants to pay bob to (A, B) ● She generates random r and publishes R = rG Computes one-time key P = H(rA)G + B ●

  27. Viewing money on stealth address ● For every transaction on the blockchain, Bob computes P’ = H(aR)G + B Bob checks if P = P’ ● ● P’ = H(aR)G + B = H(arG)G + B = H(raG)G + B = H(rA)G + B = P ● Only a is needed to view money; a is a view key

  28. Spending money from stealth address ● Bob can compute x = H(aR) + b such that P = xG xG = (H(aR) + b)G ● = H(aR)G + bG = H(aR)G + B = P Bob can spend by signing with x ● ● b is needed to spend money; b is a spending key

  29. Ring signatures

  30. Ring signatures

  31. Ring signature ● We control key (P S , x S ) Pick an anonymity set: ● S’ = { P 1 , P 2 , …, P N } Augment the public key set with our own key ● S = S’ U { P S } Sign message m using S and x s and output signature σ ●

  32. Ring signatures terminology GEN : Produces key pair (P, x) where P is public, x is private and an associated public key image I (such that P → I is one-way and masked with x ) SIG : Takes message m , an anonymity set S’ = { P i } i ≠ s and a pair (P S , x S ) , outputs a signature σ and a set S = S’ ∪ { P S } VER : Takes message m , public key set S , signature σ and outputs “ true” or “ false” LNK : Takes a signature σ and a public key image set � = { I i } and outputs “ linked ” or “ independent ”

  33. Ring signature ● Correctness : VER(m, S, SIG(m, x S , S’ U {P S })) is true If a message is signed with a private key from a set of public keys, the signature can be verified with this set of public keys.

  34. Ring signature ● Unforgeability : Given only a public key set S , it is impossible to produce a valid signature

  35. Ring signature ● Linkability : The same private key cannot be used to sign two different messages Given all the secret keys { x i } for a set of public keys S , it is impossible to produce n + 1 distinct signatures σ 1 , σ 2 , …, σ n + 1

  36. Ring signature ● Anonymity : Given a signature σ and a set S , it is impossible to determine the public key associated with the signer (with probability 1/n + non-negl )

  37. Monero’s untraceability ● Monero uses ring signatures To make a payment, Alice picks an anonymity set S from the utxo ● ● She ring-signs as σ the anonymity set S with her private key x S ● Alice gives key image I of her public key P S to Bob ● Alice proves to Bob that the ring signature was made using some private key associated with some public key whose image is I ● Bob receives payment and validates ring signature σ ● Bob cannot distinguish which private key from the anonymity set was used ● Transaction graph becomes non-deterministic

  39. Spending money In bitcoin: ● Sign your utxo O of amount X using the private key corresponding to the public key you used for receiving O In monero: Find anonymity set from utxo* with same amount X as O ● ● Sign using anonymity set and the private key corresponding to the public key you used for receiving O

  40. Bitcoin TX

  41. Monero TX

  42. Ring signatures ● You’re mixing your outputs with others’ Others are mixing your output with theirs constantly too! ● ● No need for interactivity or consent from others in your anonymity set ● Forensic analysis impossible due to combinatorial explosion

  44. Double spend avoidance ● Possible due to LNK function For each utxo, keep list of public key images I ● ● When we wish to validate new transaction: ○ Take its input anonymity set S For each input public key P ∈ S verify independence ○ ○ Find list of public key images I associated with plausible spendings of P Run LNK on σ against list ○ ● Spending the same output twice is easily detected

  45. Spending money In bitcoin: ● Sign your utxo O of amount X using the private key corresponding to the public key you used for receiving O In monero: Find anonymity set from utxo* with same amount X as O ● ● Sign using anonymity set and the private key corresponding to the public key you used for receiving O

  46. Denominations ● Monero outputs are split into decimal denominations Similar to bank notes ● ● To send 11.5 XMR , we send 10 XMR + 1 XMR + 0.5 XMR ● Each denomination is sent to stealth address by reapplying stealth algo

  47. Monero achievements ● Hides transactions destination (stealth) Hides transactions origin (ring) ● ● Hides precise amounts (denominations) ● There is no “rich list” like in bitcoin

  48. View keys ● View keys can be used to comply with taxation if we want Can be used to prove transaction was made in case of dispute ● ● Can be used to achieve transparency in case of non-profits ● Could be used in solvency proofs ● The user can choose privacy or transparency as they wish Transparency is opt-in only ●

  49. Real-world statistics ● Market capitalization: $5,222,000 1 XMR = 1 mBTC ●

  50. Bonus ● CryptoNight mining achieves egalitarian proof-of-work 60 seconds expected block generation time for fast confirmation ● ● Adaptive block size ● Smooth emission

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How the hell does Monero work? @pwrcycle > cafecode.com/shellcon2018-monero.pdf whois

How the hell does Monero work? @pwrcycle > cafecode.com/shellcon2018-monero.pdf whois

How the hell does Monero work? @pwrcycle > cafecode.com/shellcon2018-monero.pdf whois pwrcycle Prolexic SOC Verisign VIDN Apple SIRT F5 Silverline Salesforce NetSec Gmail Reddit pwrcycle on Twitter Freenode LinkedIn Signal

177 views • 15 slides
Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in

Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in

Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in the Monero Blockchain, joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey,

891 views • 30 slides
Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy Monero Secretly

Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy Monero Secretly

Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy Monero Secretly signing a transaction Secretly receiving a transaction Privacy Hierarchy Everything open Bitcoin Pseudonymous, amount open Privacy Hierarchy

911 views • 45 slides
Towards Better Privacy with Monero Malte Mser Based on joint work with Kyle Soska, Ethan

Towards Better Privacy with Monero Malte Mser Based on joint work with Kyle Soska, Ethan

Towards Better Privacy with Monero Malte Mser Based on joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin 2 3

393 views • 27 slides
An Empirical Analysis of Traceability in the Monero Blockchain Malte Mser, Kyle Soska, Ethan

An Empirical Analysis of Traceability in the Monero Blockchain Malte Mser, Kyle Soska, Ethan

An Empirical Analysis of Traceability in the Monero Blockchain Malte Mser, Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, Nicolas Christin PETS 2018:

287 views • 26 slides
MProve: A Proof of Reserves Protocol for Monero Exchanges Arijit Dutta, Saravanan Vijayakumaran

MProve: A Proof of Reserves Protocol for Monero Exchanges Arijit Dutta, Saravanan Vijayakumaran

MProve: A Proof of Reserves Protocol for Monero Exchanges Arijit Dutta, Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay IEEE S&B, Stockholm June 20, 2019 1 / 12 Cryptocurrency Exchanges

395 views • 12 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
Tracking Prey in the Cyberfores t Bruce Potter gdead@shmoo.com Brian Wotring brian@shmoo.com

Tracking Prey in the Cyberfores t Bruce Potter gdead@shmoo.com Brian Wotring brian@shmoo.com

Tracking Prey in the Cyberfores t Bruce Potter gdead@shmoo.com Brian Wotring brian@shmoo.com July 29, 2004 Blackhat Briefings USA 2004 The Ground Rules Dont believe anything I say Daytime - Security consultant Beltway

759 views • 35 slides
Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU Delft/ KU Leuven 18. June 2019 GDPR requires data protection by design and by default (Article 25) A complex law with many requirements. More

950 views • 58 slides
Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven

Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven

Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven Project 1 Threat Model (what we aim to defend against) Global passive adversary can observe everything Owns half the nodes We are not

656 views • 41 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
A B Verschlsselung schtzt nur Inhalte, nicht die Metadaten! Wer mit wem? Wann?

A B Verschlsselung schtzt nur Inhalte, nicht die Metadaten! Wer mit wem? Wann?

Anonymitt? nberwachbare Kommunikation! A B Verschlsselung schtzt nur Inhalte, nicht die Metadaten! Wer mit wem? Wann? Was? 1-hop proxy (VPN, SSH Tunnel etc) Alice1 Bob1 Y Alice2 Z Bob2 Relay

764 views • 32 slides
Bitcoin, Blockchain and Beyond... Satj tjsh Babu Chair, ISOC-TRV Chair, APRALO LO/ICANN

Bitcoin, Blockchain and Beyond... Satj tjsh Babu Chair, ISOC-TRV Chair, APRALO LO/ICANN

Bitcoin, Blockchain and Beyond... Satj tjsh Babu Chair, ISOC-TRV Chair, APRALO LO/ICANN Overview Whats a (Digital) Currency ? Bitcoin: Revolutjonary ? The Blockchain Ethereum and recent developments The Future 2/35

616 views • 35 slides
Concepts in Crypto Parker Higgins parker@eff.org @xor PGP: 4FF3 AA1B D29E 1638 32DE C765 9433

Concepts in Crypto Parker Higgins parker@eff.org @xor PGP: 4FF3 AA1B D29E 1638 32DE C765 9433

Concepts in Crypto Parker Higgins parker@eff.org @xor PGP: 4FF3 AA1B D29E 1638 32DE C765 9433 5F88 9A36 7709 Micah Lee micah@eff.org @micahflee PGP: 5C17 6163 61BD 9F92 422A C08B B4D2 5A1E 9999 9697 ELECTRONIC FRONTIER FOUNDATION

549 views • 24 slides
RC4: Non-Randomness in the index j and some results on its Cycles Chandratop Chakraborty, Pranab

RC4: Non-Randomness in the index j and some results on its Cycles Chandratop Chakraborty, Pranab

RC4: Non-Randomness in the index j and some results on its Cycles Chandratop Chakraborty, Pranab Chakraborty, Subhamoy Maitra PES University, Wipro Limited, Indian Statistical Institute [chandratop@protonmail.ch, kojagori@gmail.com,

536 views • 31 slides
Solutions pour la Scurit des rseaux Prof. Gildas Avoine UCL Belgium Introduction

Solutions pour la Scurit des rseaux Prof. Gildas Avoine UCL Belgium Introduction

cole Internationale de Printemps Systmes Rpartis : METIS2008 Architecture, Scurit & Fiabilit Rabat, 20-23 Mai 2008 Solutions pour la Scurit des rseaux Prof. Gildas Avoine UCL Belgium Introduction Confidentiality,

1.85k views • 135 slides
Programming Distributed Systems 13 Blockchains Christian Weilbach & Annette Bieniusa AG

Programming Distributed Systems 13 Blockchains Christian Weilbach & Annette Bieniusa AG

Programming Distributed Systems 13 Blockchains Christian Weilbach & Annette Bieniusa AG Softech FB Informatik TU Kaiserslautern Summer Term 2018 Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018

870 views • 65 slides
) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power

) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power

) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power plant supertanker death star gas pipeline sewage plant wind turbine ) cypherpunk chaotic neutral privacy activist researcher DI Daniel

656 views • 27 slides
Belfast CryptoParty Welcome Pete Maynard @pgmaynard October 14, 2014 Belfast CryptoParty

Belfast CryptoParty Welcome Pete Maynard @pgmaynard October 14, 2014 Belfast CryptoParty

Belfast CryptoParty Welcome Pete Maynard @pgmaynard October 14, 2014 Belfast CryptoParty #cryptofast Pete Maynard @pgmaynard 1 What is a CryptoParty? A CryptoParty is free, public and fun. Its a decentralized, global initiative to

760 views • 8 slides
Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson

Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson

Mixminion: A next-generation anonymous remailer George Danezis Roger Dingledine Nick Mathewson 1 Outline Background Related systems A few improvements over past work Secure single-use reply block mechanism 2 Anonymous,

544 views • 22 slides
P r i v a c y b y D e f a u l t . P G P / G P G P G P P r e t t

P r i v a c y b y D e f a u l t . P G P / G P G P G P P r e t t

p r e t t y E a s y p r i v a c y N U L L c o n 2 0 1 7 , G o a s v a @ p E p . f o u n d a t i o n h t t p s : / / p E p . f o u n d a t i o n t w i t t e r @ s v a

1.32k views • 85 slides
Distributed Ledger Technology: An introduction to interoperability Andrea Lisi, Paolo Mori

Distributed Ledger Technology: An introduction to interoperability Andrea Lisi, Paolo Mori

Distributed Ledger Technology: An introduction to interoperability Andrea Lisi, Paolo Mori Universit degli studi di Pisa 02/03/20 2009 2 2009 3 2009 Bitcoin is a P2P payment system where nodes share the ledger of money Transactions, the

655 views • 28 slides
The Signal Protocol @ VanLug BorisReitman.com Agenda OTR Double Ratchet X3DH

The Signal Protocol @ VanLug BorisReitman.com Agenda OTR Double Ratchet X3DH

The Signal Protocol @ VanLug BorisReitman.com Agenda OTR Double Ratchet X3DH Sesame Overview First the parties will use X3DH key agreement protocol to agree on a shared secret key. Then, the parties will use the Double

1.12k views • 96 slides
The Redesigned Naturalization Test Office of Citizenship 2 Overview of Presentation

The Redesigned Naturalization Test Office of Citizenship 2 Overview of Presentation

The Redesigned Naturalization Test Office of Citizenship 2 Overview of Presentation Historical Overview of the Redesigned (New) Test Legal Framework The Redesigned Naturalization Test Administration of the Redesigned Test

257 views • 22 slides

More recommend