Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University - - PowerPoint PPT Presentation

Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University)

1

Privacy-Enhancing Overlays in Bitcoin

Anonymity in Bitcoin

2

Anonymity in Bitcoin

2

Anonymity in Bitcoin

2

Anonymity in Bitcoin

2

Anonymity in Bitcoin

2

How much anonymity does Bitcoin really provide?

Outline

3

Outline

Background

3

Outline

Background Taint resistance

3

Outline

Background Taint resistance Achieving taint resistance

3

Outline

Background Taint resistance Achieving taint resistance Conclusions

3

Outline

Background Taint resistance Achieving taint resistance Conclusions Background

How Bitcoin works Anonymity in Bitcoin Coinjoin

3

How Bitcoin works

4

How Bitcoin works

4

peer-to-peer network

How Bitcoin works

4

(pkA,skA) (pkB,skB)

peer-to-peer network

How Bitcoin works

4

(pkA,skA) (pkB,skB)

address peer-to-peer network

How Bitcoin works

4

(pkA,skA) (pkB,skB)

address peer-to-peer network

How Bitcoin works

4

(pkA,skA) (pkB,skB)

address peer-to-peer network

tx:Sign(pkB→pkA)

transaction

How Bitcoin works

4

(pkA,skA) (pkB,skB)

address peer-to-peer network miner

tx:Sign(pkB→pkA)

transaction

How Bitcoin works

4

(pkA,skA) (pkB,skB)

blockchain address peer-to-peer network miner

tx:Sign(pkB→pkA)

transaction

Anonymity in Bitcoin

5

How much anonymity does Bitcoin really provide?

(pkA,skA) (pkB,skB)

address

Anonymity in Bitcoin

5

How much anonymity does Bitcoin really provide?

(pkA,skA) (pkB,skB)

address

in theory, a lot! addresses are not linked to identity

Input clustering [RH13,RS13,A+13,M+13,SMZ14]

2 1 3

6

7 15

Heuristic: the same user controls these addresses

6

Change clustering [A+13,M+13,SMZ14]

2 1 3 14

7

7

14

1

1 Heuristic: the same user also controls this address

Tracking technique [M+13,HDM+14] cycle theft ... heists

= exchange

service interaction

8

individual thefts

Tracking technique [M+13,HDM+14] cycle theft ... heists

= exchange

service interaction

8

individual thefts

Anonymity in Bitcoin

9

How much anonymity does Bitcoin really provide?

in theory, a lot! addresses are not linked to identity in practice, maybe not so much

Privacy-enhancing overlays

10

Privacy-enhancing overlays

10

Privacy-enhancing overlays

10

Privacy-enhancing overlays

10

Privacy-enhancing overlays

10

Privacy-enhancing overlays

10

Privacy-enhancing overlays

10

Coinjoin

Introduced on August 22 2013 by Gregory Maxwell “Bitcoin privacy for the real world”

11

Coinjoin

12

2 1 3 2 1

Coinjoin

12

2 1 3 2 1

Coinjoin

12

2 1 3 2 1

σ1 σ2

Coinjoin

12

2 1 3 2 1

σ1 σ2 σ3

Coinjoin

12

2 1 3 2 1

σ1 σ2 σ3

3 3

Coinjoin

12

2 1 3 2 1

σ1 σ2 σ3

3 3

signatures contributed separately

Coinjoin prevents clustering

2 1 3

13

7 15

Heuristic: the same user controls these addresses

6

Coinjoin prevents clustering

2 1 3

13

7 15

Heuristic: the same user controls these addresses

6

Coinjoin

14

2 1 3 2 1

σ1 σ2 σ3

could be:

• private communication
• IRC (+Tor)
• central server (+blind signatures)

3 3

signatures contributed separately

Coinjoin

14

2 1 3 2 1

σ1 σ2 σ3

could be:

• private communication
• IRC (+Tor)
• central server (+blind signatures)

3 3

signatures contributed separately

“Coinjoin” transactions

15

“Coinjoin” transactions

15

“coinjoin” has:

• more than 5 inputs
• more than 5 outputs

“Coinjoin” transactions

15

# “coinjoins” per block time

“coinjoin” has:

• more than 5 inputs
• more than 5 outputs

“Coinjoin” transactions

15

2011 8/2013 13 3 # “coinjoins” per block time

“coinjoin” has:

• more than 5 inputs
• more than 5 outputs

Anonymity in Bitcoin

16

How much anonymity does Bitcoin really provide?

in theory, a lot! addresses are not linked to identity in practice, maybe not so much

Anonymity in Bitcoin

16

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much

Outline

17

Cryptographic background Taint resistance Achieving taint resistance Conclusions Background Taint resistance

Accuracy Taint resistance

Anonymity in Bitcoin

18

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much

Anonymity in Bitcoin

18

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much

Coinjoin

19

2 1 3 3 3 2 1

σ1 σ2 σ3

Coinjoin

19

2 1 3 3 3 2 1

σ1 σ2 σ3

should be hard to figure out which input addresses sent to this output address

Coinjoin

19

2 1 3 3 3 2 1

σ1 σ2 σ3

should be hard to figure out which input addresses sent to this output address should be hard to figure out permutation

Taint resistance

20

2 1 3 3 3 2 1

σ1 σ2 σ3

taint set

Taint resistance

20

2 1 3 3 3 2 1

σ1 σ2 σ3

taint set accuracy: how accurately can one identify taint set?

Taint resistance

20

2 1 3 3 3 2 1

σ1 σ2 σ3

taint set accuracy: how accurately can one identify taint set?

MCC = |A∩T|×|S \ (A∪T)| - |A \ T|×|T \ A| √(|A||T||S\T||S\A|)

Taint resistance

20

2 1 3 3 3 2 1

σ1 σ2 σ3

taint set accuracy: how accurately can one identify taint set?

MCC = |A∩T|×|S \ (A∪T)| - |A \ T|×|T \ A| √(|A||T||S\T||S\A|)

guess for taint set (true) taint set input keys (candidate set)

Taint resistance

20

2 1 3 3 3 2 1

σ1 σ2 σ3

taint set accuracy: how accurately can one identify taint set? taint resistance: no adversary can have good accuracy

MCC = |A∩T|×|S \ (A∪T)| - |A \ T|×|T \ A| √(|A||T||S\T||S\A|)

guess for taint set (true) taint set input keys (candidate set)

Bad taint resistance: lopsided values

21

2 1.987 50.123 50.123

σ1 σ2

1.987

Bad taint resistance: process of elimination

22

2 1 3 3 3 2 1

σ1 σ2 σ3

Outline

23

Cryptographic background Taint resistance Achieving taint resistance Conclusions Background Achieving taint resistance

Constructive approaches Is Coinjoin taint resistant?

Constructing taint-resistant protocols

24

could be:

• private communication
• IRC (+Tor)
• central server

2 1 3 2 1

σ1 σ2 σ3

Constructing taint-resistant protocols

24

could be:

• private communication
• IRC (+Tor)
• central server

if server is trusted and A is passive then we can achieve taint resistance 2 1 3 2 1

σ1 σ2 σ3

Constructing taint-resistant protocols

24

could be:

• private communication
• IRC (+Tor)
• central server

if server is trusted and A is passive then we can achieve taint resistance if server is passively corrupted then we can achieve (1-ε)-taint resistance 2 1 3 2 1

σ1 σ2 σ3

Constructing taint-resistant protocols

24

could be:

• private communication
• IRC (+Tor)
• central server

if server is trusted and A is passive then we can achieve taint resistance if server is passively corrupted then we can achieve (1-ε)-taint resistance (like CoinShuffle [RM-SK14]) if an active A controls τ fraction of n parties then we can achieve (1-nτn-1)-taint resistance 2 1 3 2 1

σ1 σ2 σ3

Analyzing taint-resistant protocols

25

Analyzing taint-resistant protocols

25

participated in 108 transactions ourselves

Analyzing taint-resistant protocols

26

implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address

Analyzing taint-resistant protocols

26

(Atlas,Coinjoin Sudoku)

implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address

Analyzing taint-resistant protocols

26

(Atlas,Coinjoin Sudoku)

implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address active adversary knows addresses and knows coinjoins

Analyzing taint-resistant protocols

26

(Atlas,Coinjoin Sudoku)

implemented simple subset-sum algorithm: (roughly) if sum of input values is output value, input addresses might be in taint set for output address active adversary knows addresses and knows coinjoins passive adversary knows no addresses and guesses coinjoins

Sanity check: Ground truth output taint

27

10 20 30 40 −1.0 −0.5 0.0 0.5 1.0 Number of input public keys MCC

• m & s=2

n & s=2 c & s=2

Sanity check: Ground truth output taint

27

10 20 30 40 −1.0 −0.5 0.0 0.5 1.0 Number of input public keys MCC

• m & s=2

n & s=2 c & s=2

(due to a quirk in the SharedCoin system)

Sanity check: Ground truth output taint

27

10 20 30 40 −1.0 −0.5 0.0 0.5 1.0 Number of input public keys MCC

• m & s=2

n & s=2 c & s=2

(due to a quirk in the SharedCoin system) (accurate)

Active adversaries: Coinjoin output taint

28

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

Active adversaries: Coinjoin output taint

28

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

how many possible subsets?

Active adversaries: Coinjoin output taint

28

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

how many possible subsets? (didn’t capture behavior)

Active adversaries: Coinjoin output taint

28

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

(less confident) how many possible subsets? (didn’t capture behavior)

Passive adversaries: “Coinjoin” output taint

29

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

Passive adversaries: “Coinjoin” output taint

29

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

(less confident)

Passive adversaries: “Coinjoin” output taint

29

10 20 30 40 10 20 30 40 Number of input public keys Size of set S

• m & s=2

m & s=4 n & s=2 n & s=4 c & s=2 c & s=4

(less confident) passive adversary is much less confident than active one!

Outline

30

Cryptographic background Taint resistance Achieving taint resistance Conclusions Background Conclusions

Conclusions

31

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much

Conclusions

31

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much in theory, can achieve perfect taint resistance

Conclusions

31

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much in theory, can achieve perfect taint resistance in practice, depends on auxiliary information

Conclusions

31

How much anonymity does Bitcoin really provide?

does Coinjoin

in theory, a lot! addresses are not linked to identity in practice, maybe not so much in theory, can achieve perfect taint resistance in practice, depends on auxiliary information

Thanks! Any questions?