Remote Side-Channel Attacks on Anonymous Transactions In Zcash - - PowerPoint PPT Presentation

▶

Jul 22, 2023 177 likes •400 views

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

SLIDE 1

Remote Side-Channel Attacks on Anonymous Transactions

Florian Tramèr and Dan Boneh and Kenny Paterson USENIX Security Symposium

In Zcash & Monero

SLIDE 2

Meet Alice the Anonymous Activist Blogger

anonymous PKA

SLIDE 3

The activist just received $5 from Bob

Alice’s Lack of Privacy

Send $5 to PKA Signed by SKBob

SLIDE 4

Send $5 to PKBob Signed by SKA

Alice’s Lack of Privacy

This P2P node belongs to the activist!

SLIDE 5

Alice’s Lack of Privacy

SLIDE 6

???

The Solution: Anonymous Transactions

Send Enc($5) to Enc(PKA) Signed by Enc(SKBob) + zk-proof π

Bob received $5 from previous txs
These funds haven’t been spent yet
Bob knows SKbob

Zcash, Monero and others

SLIDE 7

Our Attacks: Identifying Transaction Recipients

I know which node belongs to the transaction recipient Send Tx to Enc(PKA)

SLIDE 8

Our Attacks: Linking an Address to a Node

I know which P2P node belongs to the activist Send Tx to Enc(PKA)

SLIDE 9

Summary of Results

Remote side-channel attacks on various system components

f anonymous transactions
1. A general attack framework for any anonymous transaction system
2. Specific attack instantiations for Zcash and Monero
Determine the P2P node of any transaction recipient
Link a (diversified) public key to an IP address
3. Attacks beyond de-anonymization (for Zcash):
Remotely crash user nodes

∼ Remotely extract a user’s secret viewing key ∼ Learn transaction amounts by timing a zk-proof generation

SLIDE 10

Summary of Results

We have disclosed these vulnerabilities to Zcash and Monero and they have all been fixed! The general issues we found, and the lessons we learned, extend to other anonymous payment systems Þ Getting the cryptography right is not enough! Remote side-channel attacks on various system components

f anonymous transactions

SLIDE 11

Summary of Results

Remote side-channel attacks on various system components

f anonymous transactions
1. A general attack framework for any anonymous transaction system
2. Specific attack instantiations for Zcash and Monero
Determine the P2P node of any transaction recipient
Link a (diversified) public key to an IP address
3. Attacks beyond de-anonymization (for Zcash):
Remotely crash user nodes

∼ Remotely extract a user’s secret viewing key ∼ Learn transaction amounts by timing a zk-proof generation

SLIDE 12

De-anonymizing Zcash Transactions

SLIDE 13

OnReceive(Tx={Comm,C,...}): 1) Note = Decrypt(SKA, C) 2) if Note = ⊥, return 3) ($v, r) = Note 4) Check that Comm = Commit(PKA, $v; r) Commitment to a “coin” Commitment

pening encrypted

under the recipient’s public key This check ensures that the coin is spendable

(public key crypto)

Receiving Transactions in Zcash

SLIDE 14

Send Tx to Enc(PKA) Ping That took a while... Tx Tx Pong Oh this one’s for me J let me check the commitment Wallet P2P Node

The PING Attack

SLIDE 15

Adversary can use timing side-channel to infer receiver of any Tx

~1.5ms

London Zürich

The PING Attack

SLIDE 16

P2P node and wallet are tightly decoupled Þ Node & wallet are in completely different layers of the protocol stack Þ The P2P node should just act as a DB for the wallet

Improved Design: (and now also in !)

Tx Tx

Give me all the new Txs P2P Node Wallet

Tx Tx Tx Tx Tx Tx Tx

Check if I got paid

What Went Wrong?

SLIDE 17

So why was Monero also vulnerable?

SLIDE 18

Timing of wallet’s requests leaks wallet’s processing time Monero P2P node acquires global mutex to process a request

while True: txs = request_txs() process(txs) sleep(60)

Time between requests = 60s + time to process txs Request Txs

Exploiting Leaks at Synchronization Points

Request Txs ...

F i x e d !

SLIDE 19

Timing side channels in zkSNARK proof generation

Send Enc($5) to Enc(PKBob) Signed by Enc(SKA) + zk-proof π Cryptographic proof that the transaction is valid Zero-knowledge: proof leaks nothing about PKBob, SKA, $5, ..., right?

SLIDE 20

Timing side channels in zkSNARK proof generation

Transaction generation time leaks (some) information about value!

SLIDE 21

Anonymity is hard!

Flaws are not (only) in the complicated cryptography
Be careful when inheriting designs from non-anonymous

currencies (e.g., Bitcoin → Zcash)

Develop constant-time crypto implementations

Remote Side-Channel Attacks on Anonymous Transactions

Florian Tramèr and Dan Boneh and Kenny Paterson USENIX Security Symposium

In Zcash & Monero

Meet Alice the Anonymous Activist Blogger

anonymous PKA

The activist just received $5 from Bob

Alice’s Lack of Privacy

Send $5 to PKA Signed by SKBob

Send $5 to PKBob Signed by SKA

Alice’s Lack of Privacy

This P2P node belongs to the activist!

Alice’s Lack of Privacy

???

The Solution: Anonymous Transactions

Send Enc($5) to Enc(PKA) Signed by Enc(SKBob) + zk-proof π

Zcash, Monero and others

Our Attacks: Identifying Transaction Recipients

I know which node belongs to the transaction recipient Send Tx to Enc(PKA)

Our Attacks: Linking an Address to a Node

I know which P2P node belongs to the activist Send Tx to Enc(PKA)

Summary of Results

Remote side-channel attacks on various system components

∼ Remotely extract a user’s secret viewing key ∼ Learn transaction amounts by timing a zk-proof generation

Summary of Results

We have disclosed these vulnerabilities to Zcash and Monero and they have all been fixed! The general issues we found, and the lessons we learned, extend to other anonymous payment systems Þ Getting the cryptography right is not enough! Remote side-channel attacks on various system components

Summary of Results

Remote side-channel attacks on various system components

∼ Remotely extract a user’s secret viewing key ∼ Learn transaction amounts by timing a zk-proof generation

De-anonymizing Zcash Transactions

OnReceive(Tx={Comm,C,...}): 1) Note = Decrypt(SKA, C) 2) if Note = ⊥, return 3) ($v, r) = Note 4) Check that Comm = Commit(PKA, $v; r) Commitment to a “coin” Commitment

under the recipient’s public key This check ensures that the coin is spendable

(public key crypto)

Receiving Transactions in Zcash

Send Tx to Enc(PKA) Ping That took a while... Tx Tx Pong Oh this one’s for me J let me check the commitment Wallet P2P Node

The PING Attack

Adversary can use timing side-channel to infer receiver of any Tx

~1.5ms

London Zürich

The PING Attack

P2P node and wallet are tightly decoupled Þ Node & wallet are in completely different layers of the protocol stack Þ The P2P node should just act as a DB for the wallet

Improved Design: (and now also in !)

Tx Tx

Give me all the new Txs P2P Node Wallet

Tx Tx Tx Tx Tx Tx Tx

Check if I got paid

What Went Wrong?

So why was Monero also vulnerable?

Timing of wallet’s requests leaks wallet’s processing time Monero P2P node acquires global mutex to process a request

while True: txs = request_txs() process(txs) sleep(60)

Time between requests = 60s + time to process txs Request Txs

Exploiting Leaks at Synchronization Points

Request Txs ...

F i x e d !

Timing side channels in zkSNARK proof generation

Send Enc($5) to Enc(PKBob) Signed by Enc(SKA) + zk-proof π Cryptographic proof that the transaction is valid Zero-knowledge: proof leaks nothing about PKBob, SKA, $5, ..., right?

Timing side channels in zkSNARK proof generation

Transaction generation time leaks (some) information about value!

Anonymity is hard!

currencies (e.g., Bitcoin → Zcash)

Anonymity = good crypto + good systems design

https://crypto.stanford.edu/timings tramer@cs.stanford.edu

Conclusions and Lessons Learned