SLIDE 1
Malte Möser
Towards Better Privacy with Monero
Based on joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin
2
Towards Better Privacy with Monero Malte Mser Based on joint work - - PowerPoint PPT Presentation
Towards Better Privacy with Monero Malte Mser Based on joint work - - PowerPoint PPT Presentation
Towards Better Privacy with Monero Malte Mser Based on joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin 2 3
SLIDE 2
SLIDE 3
Takeaways
▸ Monero improves upon Bitcoin’s privacy
▸ One-time addresses ▸ Hidden values ▸ Obfuscation of payment flows
▸ Incorrect use can severely hurt your anonymity ▸ Used for both illegitimate and legitimate purposes
3
SLIDE 4
Issue 1: Public Reuse of Addresses
5
Send Bitcoin to 1myaddress001
To: 1myaddress001 To: 1myaddress001
SLIDE 5
Issue 1: Public Reuse of Addresses
8
To: 1myaddress001 To: 1myaddress001 To: 1myaddress042 To: 1myaddress612
SLIDE 6
Monero Uses Stealth Addresses
10
Send XMR to mystealthyaddr
To: g77gwvm8mg To: 0yqija6fga
SLIDE 7
Issue 2: Values Are Visible
11
Send XMR to mystealthyaddr
To: g77gwvm8mg To: 0yqija6fga
1 XMR 10.376289 XMR
SLIDE 8
When the Cookie Meets the Blockchain
▸ Each step can leak information to third-party trackers ▸ Timing and values allow to identify corresponding transactions
12
Goldfeder et al. (2018). When the cookie meets the blockchain: Privacy Risks of web payments via cryptocurrencies
SLIDE 9
Amounts Are Encrypted (Since 2017)
13
Send XMR to mystealthyaddr
To: g77gwvm8mg To: 0yqija6fga
?? XMR ?? XMR
SLIDE 10
Issue 3: Tracing Payments
14
Bob Alice Hotel
SLIDE 11
Output Selection in Bitcoin
each input spends a single output
15
SLIDE 12
Output Selection in Monero
each input spends one of multiple outputs
16
ring signature + key image
SLIDE 13
Deduction Technique
initially no mandatory number of mixins
17
SLIDE 14
Deduction Technique
initially no mandatory number of mixins
17
SLIDE 15
Deduction Technique
18
SLIDE 16
How Do You Choose Fake Coins?
20
2 years old 3 months old 2 days old
Most likely to be the real coin being spent
SLIDE 17
Distributions Do Not Match
Real + Fake Real Ruled-out
21
SLIDE 18
The Newest Input Is Usually the Real One
Successful for 80% of all inputs between April 2014 and April 2017
22
SLIDE 19
Timing Attacks
▸ Bob is one of five suspects to have bought drugs at AlphaBay today ▸ I know Bob bought some XMR exactly 3 months ago
23
2 years old 3 months old 2 days old
SLIDE 20
Mining Pools Announce Payouts
24
SLIDE 21
Chain Forks Are a Privacy Hazard
26
Monero MoneroV
SLIDE 22
Chain Forks Are a Privacy Hazard
28
linked by key image
SLIDE 23
Chain Forks Are a Privacy Hazard
29
Intersection reveals true spend
linked by key image
SLIDE 24
AlphaBay
▸ Volume spiked
when AlphaBay started accepting Monero
AlphaBay starts accepting Monero
30
SLIDE 25
AlphaBay - Daily Volume (Number of Transactions)
31
1,000 2,000 3,000 4,000 5,000 Jan 2015 Jul 2015 Jan 2016 Jul 2016 Jan 2017
Date Daily volume (nr. of transactions, 7−day avg.)
XMR or BTC BTC only Unidentified
SLIDE 26
AlphaBay
▸ Volume spiked
when AlphaBay started accepting Monero
▸ At most 25% of txs
can be deposits at AlphaBay
AlphaBay starts accepting Monero
32
SLIDE 27
Summary
▸ Monero improves upon the limited privacy of Bitcoin
▸ Correct use of technology is paramount ▸ It’s hard to patch a broken system
▸ Illicit business tends to be early adopters of new technologies
▸ Many legitimate uses that are less visible
33