privacy enhancing overlays in bitcoin
play

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University - PowerPoint PPT Presentation

Nov 24, 2023 •319 likes •1.23k views

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University) 1 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin

  1. Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University) 1

  2. Anonymity in Bitcoin 2

  3. Anonymity in Bitcoin 2

  4. Anonymity in Bitcoin 2

  5. Anonymity in Bitcoin 2

  6. Anonymity in Bitcoin How much anonymity does Bitcoin really provide? 2

  7. Outline 3

  8. Outline Background 3

  9. Outline Background Taint resistance 3

  10. Outline Background Taint resistance Achieving taint resistance 3

  11. Outline Background Taint resistance Achieving taint resistance Conclusions 3

  12. Outline Background How Bitcoin works Background Taint resistance Anonymity in Bitcoin Coinjoin Achieving taint resistance Conclusions 3

  13. How Bitcoin works 4

  14. How Bitcoin works peer-to-peer network 4

  15. How Bitcoin works (pk A ,sk A ) (pk B ,sk B ) peer-to-peer network 4

  16. How Bitcoin works (pk A ,sk A ) address (pk B ,sk B ) peer-to-peer network 4

  17. How Bitcoin works (pk A ,sk A ) address (pk B ,sk B ) peer-to-peer network 4

  18. How Bitcoin works (pk A ,sk A ) address tx:Sign(pk B → pk A ) transaction (pk B ,sk B ) peer-to-peer network 4

  19. How Bitcoin works (pk A ,sk A ) address miner tx:Sign(pk B → pk A ) transaction (pk B ,sk B ) peer-to-peer network 4

  20. How Bitcoin works blockchain (pk A ,sk A ) address miner tx:Sign(pk B → pk A ) transaction (pk B ,sk B ) peer-to-peer network 4

  21. Anonymity in Bitcoin How much anonymity does Bitcoin really provide? (pk A ,sk A ) address (pk B ,sk B ) 5

  22. Anonymity in Bitcoin How much anonymity does Bitcoin really provide? in theory, a lot! addresses are not linked to identity (pk A ,sk A ) address (pk B ,sk B ) 5

  23. Input clustering [RH13,RS13,A+13, M +13,SMZ14] 1 7 2 15 6 3 Heuristic: the same user controls these addresses 6

  24. Change clustering [A+13, M +13,SMZ14] 1 1 7 1 2 14 0 3 14 Heuristic: the same user also controls this address 7

  25. Tracking technique [ M +13,HD M +14] cycle theft heists ... = exchange individual thefts service interaction 8

  26. Tracking technique [ M +13,HD M +14] cycle theft heists ... = exchange individual thefts service interaction 8

  27. Anonymity in Bitcoin How much anonymity does Bitcoin really provide? in theory, a lot! addresses are not linked to identity in practice, maybe not so much 9

  28. Privacy-enhancing overlays 10

  29. Privacy-enhancing overlays 10

  30. Privacy-enhancing overlays 10

  31. Privacy-enhancing overlays 10

  32. Privacy-enhancing overlays 10

  33. Privacy-enhancing overlays 10

  34. Privacy-enhancing overlays 10

  35. Coinjoin Introduced on August 22 2013 by Gregory Maxwell “Bitcoin privacy for the real world” 11

  36. Coinjoin 1 1 2 2 3 12

  37. Coinjoin 1 1 2 2 3 12

  38. Coinjoin σ 1 1 1 σ 2 2 2 3 12

  39. Coinjoin σ 1 1 1 σ 2 2 2 σ 3 3 12

  40. Coinjoin σ 1 1 1 3 σ 2 2 2 σ 3 3 3 12

  41. Coinjoin signatures contributed separately σ 1 1 1 3 σ 2 2 2 σ 3 3 3 12

  42. Coinjoin prevents clustering 1 7 2 15 6 3 Heuristic: the same user controls these addresses 13

  43. Coinjoin prevents clustering 1 7 2 15 6 3 Heuristic: the same user controls these addresses 13

  44. Coinjoin signatures contributed separately σ 1 1 1 3 σ 2 2 2 σ 3 3 3 could be: • private communication • IRC (+Tor) • central server (+blind signatures) 14

  45. Coinjoin signatures contributed separately σ 1 1 1 3 σ 2 2 2 σ 3 3 3 could be: • private communication • IRC (+Tor) • central server (+blind signatures) 14

  46. “Coinjoin” transactions 15

  47. “Coinjoin” transactions “coinjoin” has: • more than 5 inputs • more than 5 outputs 15

  48. “Coinjoin” transactions “coinjoin” has: # “coinjoins” per block • more than 5 inputs • more than 5 outputs time 15

  49. “Coinjoin” transactions 13 “coinjoin” has: # “coinjoins” per block • more than 5 inputs • more than 5 outputs 3 2011 8/2013 time 15

  50. Anonymity in Bitcoin How much anonymity does Bitcoin really provide? in theory, a lot! addresses are not linked to identity in practice, maybe not so much 16

  51. Anonymity in Bitcoin does Coinjoin How much anonymity does Bitcoin really provide? in theory, a lot! addresses are not linked to identity in practice, maybe not so much 16

  52. Outline Taint resistance Cryptographic background Background Taint resistance Accuracy Taint resistance Achieving taint resistance Conclusions 17

  53. Anonymity in Bitcoin does Coinjoin How much anonymity does Bitcoin really provide? in theory, a lot! addresses are not linked to identity in practice, maybe not so much 18

  54. Anonymity in Bitcoin does Coinjoin How much anonymity does Bitcoin really provide? in theory, a lot! addresses are not linked to identity in practice, maybe not so much 18

  55. Coinjoin σ 1 1 1 3 σ 2 2 2 σ 3 3 3 19

  56. Coinjoin σ 1 1 1 3 σ 2 2 2 σ 3 3 3 should be hard to figure out which input addresses sent to this output address 19

  57. Coinjoin σ 1 1 1 3 σ 2 2 2 σ 3 3 3 should be hard to figure out which input addresses sent to this output address should be hard to figure out permutation 19

  58. Taint resistance taint set σ 1 1 1 3 σ 2 2 2 σ 3 3 3 20

  59. Taint resistance taint set σ 1 1 1 3 σ 2 2 2 σ 3 3 3 accuracy : how accurately can one identify taint set? 20

  60. Taint resistance taint set σ 1 1 1 3 σ 2 2 2 σ 3 3 3 accuracy : how accurately can one identify taint set? |A ∩ T| × |S \ (A ∪ T)| - |A \ T| × |T \ A| MCC = √ (|A||T||S\T||S\A|) 20

  61. Taint resistance taint set σ 1 1 1 3 σ 2 2 2 σ 3 3 3 accuracy : how accurately can one identify taint set? input keys (candidate set) |A ∩ T| × |S \ (A ∪ T)| - |A \ T| × |T \ A| MCC = √ (|A||T||S\T||S\A|) guess for taint set (true) taint set 20

  62. Taint resistance taint set σ 1 1 1 3 σ 2 2 2 σ 3 3 3 accuracy : how accurately can one identify taint set? input keys (candidate set) |A ∩ T| × |S \ (A ∪ T)| - |A \ T| × |T \ A| MCC = √ (|A||T||S\T||S\A|) guess for taint set (true) taint set taint resistance : no adversary can have good accuracy 20

  63. Bad taint resistance: lopsided values 50.123 σ 1 50.123 2 σ 2 1.987 1.987 21

  64. Bad taint resistance: process of elimination σ 1 1 1 3 σ 2 2 2 σ 3 3 3 22

  65. Outline Cryptographic background Background Taint resistance Achieving taint resistance Achieving taint resistance Conclusions Constructive approaches Is Coinjoin taint resistant? 23

  66. Constructing taint-resistant protocols σ 1 1 1 σ 2 2 2 σ 3 3 could be: • private communication • IRC (+Tor) • central server 24

  67. Constructing taint-resistant protocols σ 1 1 1 σ 2 2 2 σ 3 3 could be: if server is trusted • private communication • IRC (+Tor) and A is passive • central server then we can achieve taint resistance 24

  68. Constructing taint-resistant protocols σ 1 1 1 σ 2 2 2 σ 3 3 could be: if server is trusted • private communication if server is • IRC (+Tor) and A is passive • central server passively corrupted then we can achieve then we can achieve taint resistance (1- ε )-taint resistance 24

  69. Constructing taint-resistant protocols σ 1 1 1 σ 2 2 2 (like CoinShuffle [RM-SK14]) σ 3 if an active A controls 3 τ fraction of n parties then we can achieve (1-n τ n-1 )-taint resistance could be: if server is trusted • private communication if server is • IRC (+Tor) and A is passive • central server passively corrupted then we can achieve then we can achieve taint resistance (1- ε )-taint resistance 24

  70. Analyzing taint-resistant protocols 25

  71. Analyzing taint-resistant protocols participated in 108 transactions ourselves 25

  72. Analyzing taint-resistant protocols implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address 26

  73. Analyzing taint-resistant protocols implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address (Atlas,Coinjoin Sudoku) 26

  74. Analyzing taint-resistant protocols implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address active adversary knows addresses and knows coinjoins (Atlas,Coinjoin Sudoku) 26

  75. Analyzing taint-resistant protocols implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address active adversary knows addresses passive adversary and knows coinjoins knows no addresses and guesses coinjoins (Atlas,Coinjoin Sudoku) 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Privacy : Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher Independent investigative journalist Research focus: Bitcoin / cryptocurrencies, information security, privacy, surveillance, and

1.3k views • 85 slides
PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES OUR

PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES OUR

PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES OUR MISSION Least Authoritys mission is to build and support ethical and usable technology solutions that advance digital security and privacy as

552 views • 13 slides
Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's Privacy Problem 2 Would you like a new credit card? You will pay almost no fees! Sure! Any fine print? We will publicly broadcast every payment that

473 views • 34 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan apkun ETH Zurich, NEC Research ACSAC 2014 Bitcoin Bitcoin Peer-to-peer decentralized currency

1.06k views • 74 slides
Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in Bitcoin Jonas Nick 1/34 Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy

1.22k views • 96 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Meanings of "Privacy" in Privacy Enhancing Technologies

Meanings of "Privacy" in Privacy Enhancing Technologies

Meanings of "Privacy" in Privacy Enhancing Technologies Claudia Diaz KU Leuven COSIC Digital IdenBty Management (DIM) November 8, 2013 Claudia

565 views • 19 slides
Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016

Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016

Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016 eprint.iacr.org/2015/1008.pdf github.com/bbuenz/provisions Jeremy Clark Dan Boneh Gaby Dagher Benedikt Bnz Joseph Bonneau Many users use Bitcoin

768 views • 28 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design

Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design

T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design Ulm 9 th -10 th March 2015 11/03/2015 Privacy

668 views • 48 slides
Quantifying Privacy Loss of Human Mobility Graph Topology The 18th Privacy Enhancing Technologies

Quantifying Privacy Loss of Human Mobility Graph Topology The 18th Privacy Enhancing Technologies

Quantifying Privacy Loss of Human Mobility Graph Topology The 18th Privacy Enhancing Technologies Symposium July 2427, 2018 Dionysis Manousakas , Cecilia Mascolo , , Alastair R. Beresford , Dennis Chan , Nikhil Sharma

758 views • 45 slides
Privacy Enhancing Technologies for the Internet, Parts I and II Ian Goldberg, David Wagner, Eric

Privacy Enhancing Technologies for the Internet, Parts I and II Ian Goldberg, David Wagner, Eric

Privacy Enhancing Technologies for the Internet, Parts I and II Ian Goldberg, David Wagner, Eric Brewer presented by Nikita Borisov ECE598NB - Spring 2006 Motivation Threats to privacy Online actions monitored Information

776 views • 26 slides
Tips and Tricks to enhancing transparency in personal information management Victorian Privacy

Tips and Tricks to enhancing transparency in personal information management Victorian Privacy

Tips and Tricks to enhancing transparency in personal information management Victorian Privacy Network Meeting 10 April 2019 Presentation by Melanie Casley www.salingerprivacy.com.au The cause of so much confusion Back to Basics Privacy

388 views • 19 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones MockDroid: Trading Privacy for Application Functionality on Smartphones

429 views • 38 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi (mnavaki@unm.edu) Geoffrey Alexander Jedidiah R. Crandall What is PII? Personally Identifiable Information (PII) is information that can

380 views • 20 slides
Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna Balasubramanian, Anthony LaMarca, David Wetherall 1 Continuous sensing apps Step Counting Fall Detection Driver Monitor Theft Detection Healthcare apps:

743 views • 29 slides
Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Compiler Infrastructure Systems and Internet Infrastructure Security

603 views • 23 slides
A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE Department, Rice University EuroSys 2017 How do we deal with complexity? 2 Modularization complex 1 2 3 4 system 3 Modularization 1

672 views • 26 slides
Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

7/1/2019 Kaestner: Tax, Estate Planning, and Trust Administration Implications Handout materials are available for download or printing on the HANDOUT TAB on the gotowebinar console. If the tab is not open click on that tab to open it and

278 views • 23 slides

More recommend