[PPT] - On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin PowerPoint Presentation

SLIDE 1

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients

Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan Čapkun ETH Zurich, NEC Research ACSAC 2014

SLIDE 2

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bitcoin

2

Bitcoin

Peer-to-peer decentralized currency   Users keep Bitcoins in a wallet  containing multiple addresses (@)    Unlinkability between @    Log of all transactions

@1 @2 @3 @4 @5

Total $

SLIDE 3

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bitcoin for lightweight clients

3

Bitcoin’s scalability problems

1. Log of transactions (>25 GB)

 

2. Clients receive irrelevant

transactions 

3. Limited data traffic over 3G/4G

SLIDE 4

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bitcoin for lightweight clients

3

Bitcoin’s scalability problems

1. Log of transactions (>25 GB)

 

2. Clients receive irrelevant

transactions 

3. Limited data traffic over 3G/4G

T r a n s a c t i

n

SLIDE 5

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

SLIDE 6

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

SLIDE 7

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

1 1

SLIDE 8

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

1 1 1 1 1

SLIDE 9

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

1 1 1 1 1

SLIDE 10

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

SLIDE 11

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

SLIDE 12

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

SLIDE 13

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

!

@4 False positive

target False Positive Rate (FPR)

SLIDE 14

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

!

@4 False positive

target False Positive Rate (FPR)

SLIDE 15

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

!

@4 False positive

target False Positive Rate (FPR)

@5 True negative

SLIDE 16

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

SPV client Full Bitcoin node Full Bitcoin node

SLIDE 17

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

SPV client Full Bitcoin node Full Bitcoin node

1 1 1

@1 @2 @3

Bloom filter

SLIDE 18

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

SPV client Full Bitcoin node Full Bitcoin node

1 1 1

@1 @2 @3

Bloom filter Connection Bloom filter

1 1 1

SLIDE 19

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

transactions Is transaction relevant for Bloom filter? SPV client Full Bitcoin node Full Bitcoin node

1 1 1

@1 @2 @3

Bloom filter Connection Bloom filter

1 1 1

SLIDE 20

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

Relevant transactions transactions Is transaction relevant for Bloom filter? SPV client Full Bitcoin node Full Bitcoin node

1 1 1

@1 @2 @3

Bloom filter Connection Bloom filter

1 1 1

SLIDE 21

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

Relevant transactions transactions Is transaction relevant for Bloom filter? SPV client Full Bitcoin node Full Bitcoin node

1 1 1

@1 @2 @3

Bloom filter Connection Bloom filter

1 1 1

SLIDE 22

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

Relevant transactions transactions Is transaction relevant for Bloom filter? SPV client Full Bitcoin node Full Bitcoin node

1 1 1

@1 @2 @3

Bloom filter Connection Bloom filter

1 1 1

33 mio addresses in the Blockchain target FPR: 0.1 % "User addresses hidden amongst 33 000" false positives

Promise:

SLIDE 23

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Main contributions

6

1. Given one Bloom filter, Bitcoin addresses partially linkable 
Addresses linkable if < 20 addresses in wallet
2. Given multiple Bloom filter, addresses nearly always linkable 
3. Propose a lightweight and efficient countermeasure 
Significantly enhances the privacy offered by SPV clients 
Requires minimum modifications to Bitcoin

Main contributions

Bloom filter

1 1 1

SLIDE 24

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain Adversary

SLIDE 25

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain Adversary

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 26

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Adversary

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 27

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Adversary

Positive

@

Positive

@

Positive

@

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 28

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Adversary

@ +

Positive

@

Positive

@

Positive

@

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 29

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Adversary

@ +

1 1 1

Bloom filter 2

Positive

@

Positive

@

Positive

@

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 30

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Adversary

@ +

1 1 1

Bloom filter 2

Positive

@

Positive

@

Positive

@

Total positives

Positive

@

Positive

@

Positive

@

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 31

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Adversary

@ +

1 1 1

Bloom filter 2

Positive

@

Positive

@

Positive

@

Total positives

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Intersection

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 32

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Positive

@

Positive

@

Positive

@

True positives Adversary

@ +

1 1 1

Bloom filter 2

Positive

@

Positive

@

Positive

@

Total positives

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Intersection

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

SLIDE 33

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Positive

@

Positive

@

Positive

@

True positives Adversary

@ +

1 1 1

Bloom filter 2

Positive

@

Positive

@

Positive

@

Total positives

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Intersection

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

Measure privacy

SLIDE 34

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Model and Privacy measure

Experimental setting

7

SPV client Blockchain All addresses

f the Blockchain

Positive

@

Positive

@

Positive

@

True positives Adversary

@ +

1 1 1

Bloom filter 2

Positive

@

Positive

@

Positive

@

Total positives

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Positive

@

Intersection

1 1 1

Bloom filter 1

+ parameters (seed, FPR)

Measure privacy

SLIDE 35

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Stair stepping

Privacy influencing design choices of SPV clients

8

1 1 1

Bloom filter designed for

N addresses 
target FPR when N addresses inserted

@ BF1

SLIDE 36

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Stair stepping

Privacy influencing design choices of SPV clients

8

1 1 1

Bloom filter designed for

N addresses 
target FPR when N addresses inserted

@ BF1

1 1 1

@ + @ + BF2

SLIDE 37

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Stair stepping

Privacy influencing design choices of SPV clients

8

1 1 1

Bloom filter designed for

N addresses 
target FPR when N addresses inserted

@ BF1

1 1 1

@ + @ + BF2

1 1 1 1 1

@ + @ +

Resize of Bloom filter

BF3

exceed N addresses

SLIDE 38

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Stair stepping

Privacy influencing design choices of SPV clients

8

Rationale: avoid filters with different sizes

750 1500 2250 3000 1-49 50-99 100-149

Addresses inserted into filter Size of filter Stair stepping

1 1 1

Bloom filter designed for

N addresses 
target FPR when N addresses inserted

@ BF1

1 1 1

@ + @ + BF2

1 1 1 1 1

@ + @ +

Resize of Bloom filter

BF3

exceed N addresses

SLIDE 39

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Stair stepping

Privacy influencing design choices of SPV clients

8

Rationale: avoid filters with different sizes

750 1500 2250 3000 1-49 50-99 100-149

Addresses inserted into filter Size of filter Stair stepping

1 1 1

Bloom filter designed for

N addresses 
target FPR when N addresses inserted

@ BF1

1 1 1

@ + @ + BF2

1 1 1 1 1

@ + @ +

Resize of Bloom filter

BF3

exceed N addresses

Create filter for N addresses, but insert less actual FPR ≤ target FPR

SLIDE 40

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Resizing

Privacy influencing design choices of SPV clients

9

Hash functions adapted to fill space of new Bloom filter  Consequence: New filter yields different false positives

1 1 1 1 1 1 1 1

@ +

SLIDE 41

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Resizing

Privacy influencing design choices of SPV clients

9

Hash functions adapted to fill space of new Bloom filter  Consequence: New filter yields different false positives

1 1 1 1 1 1 1 1

Restarting Fresh seed value for hash functions of new Bloom filter  Consequence: New filter yields different false positives

1 1 1 1 1 1

@ +

SLIDE 42

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Resizing

Privacy influencing design choices of SPV clients

9

Hash functions adapted to fill space of new Bloom filter  Consequence: New filter yields different false positives

1 1 1 1 1 1 1 1

Restarting Fresh seed value for hash functions of new Bloom filter  Consequence: New filter yields different false positives

1 1 1 1 1 1

Summary of current SPV design choices actual FPR ≤ target FPR

1. Stair stepping
2. Resizing
3. Restarting

different False Positives different False Positives @ +

SLIDE 43

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

8500 8600 8700 8800 8900 9000 Actual FPR Target FPR 100 200 300 400 500 0.01 0.02 0.03 0.04 0.05 0.06 Actual FPR Target FPR Number of addresses in wallet False Positive Rate in %

Stair stepping - Actual FPR vs. Target FPR

Evaluation

10

…

Target FPR Actual FPR

SLIDE 44

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

8500 8600 8700 8800 8900 9000 Actual FPR Target FPR 100 200 300 400 500 0.01 0.02 0.03 0.04 0.05 0.06 Actual FPR Target FPR Number of addresses in wallet False Positive Rate in %

Stair stepping - Actual FPR vs. Target FPR

Evaluation

10

actual FPR << target FPR target FPR is constant actual FPR = target FPR

…

Target FPR Actual FPR

SLIDE 45

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

10 20 30 40 50 0.2 0.4 0.6 0.8 1

One Bloom filter

Number of addresses of SPV client Probability of linking all addresses

Evaluation - One Bloom filter

11

Probability of linking all addresses

Current implementation

SLIDE 46

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Multiple Bloom filters

Evaluation - Multiple Bloom filters

12

1 1 1

Filter 1 @1 @2 @3

SLIDE 47

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Multiple Bloom filters

Evaluation - Multiple Bloom filters

12

1 1 1

Filter 1 @1 @2 @3

1 1 1

Filter 2 @1 @4 @5

SLIDE 48

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Multiple Bloom filters

Evaluation - Multiple Bloom filters

12

1 1 1

Filter 1 @1 @2 @3

1 1 1

Filter 2 @1 @4 @5

1 1 1

Filter n . . . @1 @6 @7

SLIDE 49

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Multiple Bloom filters

Evaluation - Multiple Bloom filters

12

1 1 1

Filter 1 @1 @2 @3

1 1 1

Filter 2 @1 @4 @5

1 1 1

Filter n . . . @1 @6 @7

SLIDE 50

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Multiple Bloom filters

Evaluation - Multiple Bloom filters

12

1 1 1

Filter 1 @1 @2 @3

1 1 1

Filter 2 @1 @4 @5

1 1 1

Filter n . . . @1 @6 @7

False positives

SLIDE 51

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 1 - No resize

Evaluation - Multiple Bloom filters

13

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

SLIDE 52

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 1 - No resize

Evaluation - Multiple Bloom filters

13

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

SLIDE 53

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 1 - No resize

Evaluation - Multiple Bloom filters

13

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

B1 B2 Intersection

Add addresses, No resize

@1@2@3 @1@2@3@4

SLIDE 54

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 1 - No resize

Evaluation - Multiple Bloom filters

13

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

B1 B2 Intersection

Add addresses, No resize

@1@2@3 @1@2@3@4 Results

B2 yields additional positives compared to B1  The adversary does not learn a lot

SLIDE 55

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 2 - Resize

Evaluation - Multiple Bloom filters

14

B1 B2 Intersection

Add addresses, Resize

@1@2@3 @1@2@5@6

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

SLIDE 56

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 2 - Resize

Evaluation - Multiple Bloom filters

14

B1 B2 Intersection

Add addresses, Resize

@1@2@3 @1@2@5@6

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

Results

Yield mostly different positives Can be used for intersection attack

SLIDE 57

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 3 - Restart

Evaluation - Multiple Bloom filters

15

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

B1 B2 Intersection

Restart, generate a new seed

@1@2@3 @1@2@5@6

SLIDE 58

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 3 - Restart

Evaluation - Multiple Bloom filters

15

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

B1 B2 Intersection

Restart, generate a new seed

@1@2@3 @1@2@5@6 Results

Yield mostly different positives Can be used for intersection attack

SLIDE 59

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 4 - More than 2 filter

Evaluation - Multiple Bloom filters

16

B1 B2 B3 B4 B5

+50@ +50@ +50@ +50@

@

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

@ @ @ @ Intersection

SLIDE 60

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 4 - More than 2 filter

Evaluation - Multiple Bloom filters

16

B1 B2 B3 B4 B5

+50@ +50@ +50@ +50@

@ Results

Target FPR (%) Probability linking all addresses with 3+ BF 0.05 ~1 0.1 ~1 Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

@ @ @ @ Intersection

SLIDE 61

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Experiment 4 - More than 2 filter

Evaluation - Multiple Bloom filters

16

B1 B2 B3 B4 B5

+50@ +50@ +50@ +50@

@ Results

Target FPR (%) Probability linking all addresses with 3+ BF 0.05 ~1 0.1 ~1

3 Bloom filter All addresses inserted into B1 can be linked

Exp. Client Seed Size No resize Same Same Same Resize Same Same Different Restart Same Different Same > 2 filter Same Different Different

@ @ @ @ Intersection

SLIDE 62

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Observations

Countermeasures

17

1. Need of constant false positive rate

 

2. Multiple Bloom filter with different parameters

 

3. SPV clients should keep state (e.g., about seed)

SLIDE 63

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Proposed solution

Countermeasures

18

Pre-generate Bitcoin addresses and insert into filter Keep state about outsourced Bloom filter  Overhead: For 100 addresses, < 1 kb

1 1 1

@1 @2 @3 @100 . . .

1 1 1

@101 @102 @103 @200 . . .

Bloom filter 1 Bloom filter 2 Bloom filter 1

1 1 1

Bloom filter 2

1 1 1

SLIDE 64

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Proposed solution

Countermeasures

18

Pre-generate Bitcoin addresses and insert into filter Keep state about outsourced Bloom filter  Overhead: For 100 addresses, < 1 kb

1 1 1

@1 @2 @3 @100 . . .

1 1 1

@101 @102 @103 @200 . . .

Bloom filter 1 Bloom filter 2 Bloom filter 1

1 1 1

Bloom filter 2

1 1 1

10 20 30 40 50 0.2 0.4 0.6 0.8 1 Number of addresses of SPV client Probability of linking all addresses Countermeasure Current implementation

SLIDE 65

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Summary

19

Information leakage through Bloom Filters in SPV clients Analytical and Empirical evaluation 1 Bloom filter critical if < 20 Bitcoin addresses 3+ Bloom filter intersection attack particularly strong 

SLIDE 66

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Summary

19

Information leakage through Bloom Filters in SPV clients Analytical and Empirical evaluation 1 Bloom filter critical if < 20 Bitcoin addresses 3+ Bloom filter intersection attack particularly strong  Lightweight countermeasure Significantly reduces leakage Intersection attack not effective  Requires few changes

SLIDE 67

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Summary

19

Information leakage through Bloom Filters in SPV clients Analytical and Empirical evaluation 1 Bloom filter critical if < 20 Bitcoin addresses 3+ Bloom filter intersection attack particularly strong  Lightweight countermeasure Significantly reduces leakage Intersection attack not effective  Requires few changes Conclusion Bloom filter for   privacy is delicate Designed carefully we can achieve proper privacy

SLIDE 68

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Summary

19

Thank you!

Information leakage through Bloom Filters in SPV clients Analytical and Empirical evaluation 1 Bloom filter critical if < 20 Bitcoin addresses 3+ Bloom filter intersection attack particularly strong  Lightweight countermeasure Significantly reduces leakage Intersection attack not effective  Requires few changes Conclusion Bloom filter for   privacy is delicate Designed carefully we can achieve proper privacy

SLIDE 69

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Privacy metric

20

Privacy metric Probability of correctly guessing j real addresses of a filter N: # of addresses inserted into filter S: # of false positives

SLIDE 70

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Privacy metric

P(1) = N N + S

20

Privacy metric Probability of correctly guessing j real addresses of a filter N: # of addresses inserted into filter S: # of false positives

SLIDE 71

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Privacy metric

P(1) = N N + S

20

Privacy metric Probability of correctly guessing j real addresses of a filter N: # of addresses inserted into filter S: # of false positives

P(j) =

j−1

Y

k=0

N − k N + S − k = N N + S · N − 1 N + S − 1 . . .

SLIDE 72

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Privacy metric

P(1) = N N + S

20

Privacy metric Probability of correctly guessing j real addresses of a filter N: # of addresses inserted into filter S: # of false positives

P(j) =

j−1

Y

k=0

N − k N + S − k = N N + S · N − 1 N + S − 1 . . .

Guessing all addresses correctly link all addresses

P(N) =

N−1

Y

k=0

N − k N + S − k = N!S! (N + S)!

SLIDE 73

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Adversary’s model

Model

21

Operates full Bitcoin nodes    Parses the Blockchain for addresses    Knows parameter for Bloom filter creation  Target false positive rate  Collects multiple Bloom filters per SPV client Goal: Link Bitcoin addresses inserted within a Bloom filter

1 1 1 1 1 1 1 1 1 1 1 1

Bloom filter

1 1 1

SLIDE 74

/ 19

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Solution to scalability problems

22

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients

Bitcoin

Bitcoin

Peer-to-peer decentralized currency Users keep Bitcoins in a wallet containing multiple addresses (@) Unlinkability between @ Log of all transactions

@1 @2 @3 @4 @5

Total $

Bitcoin for lightweight clients

Bitcoin’s scalability problems

transactions

Bitcoin for lightweight clients

Bitcoin’s scalability problems

transactions

T r a n s a c t i

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

1 1

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

1 1 1 1 1

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion

1 1 1 1 1

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

!

@4 False positive

target False Positive Rate (FPR)

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

!

@4 False positive

target False Positive Rate (FPR)

Bloom filter

Solution to scalability problems

Enable mobile Bitcoin clients

{ @1, @2, @3 } Insertion Membership test { @1, @4, @5 }

1 1 1 1 1

!

@4 False positive

target False Positive Rate (FPR)

@5 True negative

Solution to scalability problems

Simple Payment Verification (SPV)

Filter transactions not relevant for user

SPV client Full Bitcoin node Full Bitcoin node

Solution to scalability problems

Peer-to-peer decentralized currency   Users keep Bitcoins in a wallet  containing multiple addresses (@)    Unlinkability between @    Log of all transactions

transactions 

transactions 