Towards Better Privacy with Monero Malte Mser Based on An Empirical - - PowerPoint PPT Presentation

▶

Mar 16, 2023 581 likes •895 views

Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in the Monero Blockchain, joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey,

SLIDE 1

Malte Möser

Towards Better Privacy with Monero

Based on An Empirical Analysis of Traceability in the Monero Blockchain,  joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava,  Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin.

SLIDE 2

SLIDE 3

Takeaways

▸ Monero improves upon Bitcoin’s privacy

▸ One-time addresses prevent address clustering ▸ Transaction values are hidden ▸ Obfuscation of payment flows

▸ Incorrect use can severely hurt your anonymity ▸ Used for both illegitimate and legitimate purposes

SLIDE 4

Anonymity

Anonymity is the state of not being identifiable within  a set of subjects, the anonymity set.

Pfitzmann & Köhntopp 2001

Indistinguishable

SLIDE 5

Issue 1: Public Reuse of Addresses

Send Bitcoin to  1myaddress001

To: 1myaddress001 To: 1myaddress001

SLIDE 6

Issue 1: Public Reuse of Addresses

To: 1myaddress001 To: 1myaddress001 To: 1myaddress042 To: 1myaddress612

SLIDE 7

Monero Uses Stealth Addresses

Send XMR to  mystealthyaddr

To: g77gwvm8mg

▸ Based on shared secret (ECDH) ▸ Sender embeds information allowing to recover secret ▸ Recipients must try to redeem all outputs on the blockchain

SLIDE 8

Issue 2: Values Are Visible

Send XMR to  mystealthyaddr

To: g77gwvm8mg To: 0yqija6fga

1 XMR 10.376289 XMR

SLIDE 9

When the Cookie Meets the Blockchain

▸ Each step can leak information to third-party trackers ▸ Timing and value allow to identify corresponding transactions

Goldfeder et al. (2018). When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies

SLIDE 10

Amounts Are Encrypted (Since 2017)

Send XMR to  mystealthyaddr

To: g77gwvm8mg To: 0yqija6fga

?? XMR ?? XMR

SLIDE 11

Issue 3: Tracing Payments

Bob Alice Hotel

SLIDE 12

Output Selection in Bitcoin

each input spends a single output

SLIDE 13

Output Selection in Monero

each input spends one of multiple outputs

linkable ring signature (key image)

SLIDE 14

Deduction Technique

initially no mandatory  number of mixins

SLIDE 15

Results of Deducibility Attack

▸ 64% of inputs have no mixins ▸ 63% of inputs with mixins are

deducible

SLIDE 16

How Do You Choose Fake Coins?

2 years old 3 months old 2 days old

Most likely to be the  real coin being spent

SLIDE 17

Distributions Do Not Match

Real + Fake Real Ruled-out

SLIDE 18

The Newest Input Is Usually the Real One

Successful for 80% of all inputs between April 2014 and April 2017

SLIDE 19

How Can We Fix This?

Sample More “Recent” Mixins

▸ More mixins, more “recent” mixins ▸ Simulation results in our paper

Estimate Empirical Distribution Binned Mixin

Time Probability

SLIDE 20

Sophisticated Timing Attacks

▸ Bob is one of five suspects to have bought drugs at AlphaBay today ▸ I know Bob bought some XMR exactly 3 months ago

2 years old 3 months old 2 days old

SLIDE 21

Chain Forks Are a Privacy Hazard

Monero MoneroV

SLIDE 22

Chain Forks Are a Privacy Hazard

Intersection reveals true spend

linked by key image

SLIDE 23

Estimating Performance of Guess-Newest

Source: Abraham Hinteregger and Bernhard Haslhofer. An Empirical Analysis of Monero Cross-Chain Traceability. (2019)

SLIDE 24

Quantifying Privacy-Sensitive Use

▸ Not all transactions

are equally privacy sensitive

▸ Goal: quantify

different usage types

Monero doubles block interval

SLIDE 25

Estimating Mining Activity

▸ Miners announce

blocks and payouts

▸ Website crawl

▸ # blocks found ▸ # payout txs

▸ 0.44 txs per block

related to mining

SLIDE 26

AlphaBay

▸ Volume spiked

when AlphaBay started accepting Monero

AlphaBay starts accepting Monero

SLIDE 27

AlphaBay - Daily Volume (Number of Transactions)

1,000 2,000 3,000 4,000 5,000 Jan 2015 Jul 2015 Jan 2016 Jul 2016 Jan 2017

Date Daily volume (nr. of transactions, 7−day avg.)

XMR or BTC BTC only Unidentified

SLIDE 28

AlphaBay

▸ Volume spiked

when AlphaBay started accepting Monero

▸ At most 25% of txs

can be deposits at AlphaBay

AlphaBay starts accepting Monero

SLIDE 29

Cryptocurrency Privacy Inherits the Worst of

▸ Data anonymization

▸ Blockchain data is public ▸ Weakness can be exploited retroactively

▸ Communication anonymity

▸ Behavior of some users influences anonymity of others ▸ “Anonymity loves company”

cf. Goldfeder, Kalodner, Reisman & Narayanan (2018)

SLIDE 30

Malte Möser

Towards Better Privacy with Monero

Takeaways

▸ Monero improves upon Bitcoin’s privacy

▸ One-time addresses prevent address clustering ▸ Transaction values are hidden ▸ Obfuscation of payment flows

▸ Incorrect use can severely hurt your anonymity ▸ Used for both illegitimate and legitimate purposes

Anonymity

Anonymity is the state of not being identifiable within a set of subjects, the anonymity set.

Issue 1: Public Reuse of Addresses

Issue 1: Public Reuse of Addresses

Monero Uses Stealth Addresses

▸ Based on shared secret (ECDH) ▸ Sender embeds information allowing to recover secret ▸ Recipients must try to redeem all outputs on the blockchain

Issue 2: Values Are Visible

1 XMR 10.376289 XMR

When the Cookie Meets the Blockchain

▸ Each step can leak information to third-party trackers ▸ Timing and value allow to identify corresponding transactions

Amounts Are Encrypted (Since 2017)

?? XMR ?? XMR

Issue 3: Tracing Payments

Bob Alice Hotel

Output Selection in Bitcoin

each input spends a single output

Output Selection in Monero

each input spends one of multiple outputs

Deduction Technique

initially no mandatory number of mixins

Results of Deducibility Attack

▸ 64% of inputs have no mixins ▸ 63% of inputs with mixins are

deducible

How Do You Choose Fake Coins?

2 years old 3 months old 2 days old

Distributions Do Not Match

Real + Fake Real Ruled-out

The Newest Input Is Usually the Real One

Successful for 80% of all inputs between April 2014 and April 2017

How Can We Fix This?

Sample More “Recent” Mixins

▸ More mixins, more “recent” mixins ▸ Simulation results in our paper

Estimate Empirical Distribution Binned Mixin

Sophisticated Timing Attacks

▸ Bob is one of five suspects to have bought drugs at AlphaBay today ▸ I know Bob bought some XMR exactly 3 months ago

2 years old 3 months old 2 days old

Chain Forks Are a Privacy Hazard

Monero MoneroV

Chain Forks Are a Privacy Hazard

Estimating Performance of Guess-Newest

Quantifying Privacy-Sensitive Use

▸ Not all transactions

are equally privacy sensitive

▸ Goal: quantify

different usage types

Estimating Mining Activity

▸ Miners announce

blocks and payouts

▸ Website crawl

▸ # blocks found ▸ # payout txs

▸ 0.44 txs per block

related to mining

AlphaBay

▸ Volume spiked

when AlphaBay started accepting Monero

AlphaBay - Daily Volume (Number of Transactions)

AlphaBay

▸ Volume spiked

when AlphaBay started accepting Monero

▸ At most 25% of txs

can be deposits at AlphaBay

Cryptocurrency Privacy Inherits the Worst of

▸ Data anonymization

▸ Blockchain data is public ▸ Weakness can be exploited retroactively

▸ Communication anonymity

▸ Behavior of some users influences anonymity of others ▸ “Anonymity loves company”

Summary

▸ Monero improves upon the limited privacy of Bitcoin

▸ Correct use of technology is paramount ▸ It’s hard to patch a broken system

▸ Illicit business tends to be early adopters of new technologies

▸ Many legitimate uses that are less visible

Anonymity is the state of not being identifiable within  a set of subjects, the anonymity set.

initially no mandatory  number of mixins