
Extending the Anonymity of Zcash

02/19/2019
by   George Kappos, et al.

Although Bitcoin in its original whitepaper stated that it offers anonymous transactions, de-anonymization techniques have found otherwise. Therefore, alternative cryptocurrencies, like Dash, Monero, and Zcash, were developed to provide better privacy. As Edward Snowden stated, "Zcash's privacy tech makes it the most interesting Bitcoin alternative (...) because the privacy properties of it are truly unique". Zcash's privacy is based on peer-reviewed cryptographic constructions, hence it is considered to provide the foundations for the best anonymity. However, even Zcash makes some privacy concessions. It does not protect users' privacy in the presence of a global adversary who is able to observe the whole network, and hence correlate the parties exchanging money, by using their network addresses. The recent empirical analysis of Zcash shows that users often choose naive ways of performing the protocol operations, not realizing that this degrades their anonymity. In this talk, we will discuss an extension of Zcash using mix networks to enhance the privacy guarantees of users that choose to remain anonymous by tackling two major security challenges: one at the application layer of the scheme and one at its network layer.


1 Introduction

Although Bitcoin [6] in its original whitepaper stated that it offers anonymous transactions, de-anonymization techniques have found otherwise [5, 1]. Therefore, alternative cryptocurrencies, like Dash (https://www.dash.org), Monero (https://getmonero.org) and Zcash (https://z.cash), were developed to provide better privacy. As Edward Snowden stated, "Zcash's privacy tech makes it the most interesting Bitcoin alternative [...] because the privacy properties of it are truly unique". Zcash's privacy is based on peer-reviewed cryptographic constructions, hence it is considered to provide the foundations for the best anonymity. However, even Zcash makes some privacy concessions. It does not protect users' privacy in the presence of a global adversary who is able to observe the whole network and hence correlate the parties exchanging money by using their network addresses. The recent empirical analysis of Zcash [4] shows that users often choose naive ways of performing the protocol operations, not realising that this degrades their anonymity.

In this talk, we will discuss an extension of Zcash using mix networks to enhance the privacy guarantees of users that choose to remain anonymous, by tackling two major security challenges: one at the application layer of the scheme and one at its network layer.

2 Zcash in a nutshell

Zcash offers two types of user addresses: the t-address (transparent address), which is also used in Bitcoin, and the z-address (shielded address), which has the purpose of hiding the identity of its owner. Zcash inherits Bitcoin's functionality, in the sense that the sender may choose to perform a transparent transaction, in which both the spender and the recipient of the coins are identified by a t-address. However, transparent transactions allow anyone to track the whole transaction history of any given coin. In order to break the link between senders and recipients, Zcash enables a user to transact privately, either through a shielded transaction, in which the recipient's address remains hidden; a deshielded one, in which the sender's address remains hidden; or a private one, in which both addresses are unknown and the value of the spent coin remains secret.

[Figure 1: diagram not reproduced; the labels POOL, P2P NETWORK and ADVERSARY survive from the image.]

Figure 1: Naive usage of the Zcash pool vs. our implementation using a mix network. The set of z-addresses is visualised as a centralised pool, for ease of understanding.

Attacks on Zcash’s anonymity

Although applied to different layers, both of the attacks we describe below have a common goal: to correlate a shielded transaction (a deposit into the pool) with a deshielded one (a withdrawal from it), hence to identify the two end t-addresses that are involved in this sequence of transactions. The first attack, at the application layer, can be performed by anyone with access to the blockchain, whereas the second one, at the network layer, requires a global passive adversary (GPA) who observes the whole P2P network.

Application Layer: In a shielded transaction, Zcash specifies that the sender must select two distinct destination z-addresses, like the two z-addresses in Figure 1, to give the user an incentive to split the coin into two coins and so avoid a later withdrawal of exactly the value that was earlier deposited. However, as the analysis in [4] showed, most users send the entire coin value to a single z-address, as shown in Figure 1. Since the deposited and withdrawn values are visible on the blockchain, this allows the adversary to correlate the deposit with the withdrawal of the same value.

Network Layer: As recent revelations show (https://theintercept.com/2018/03/20/the-nsa-worked-to-track-down-bitcoin-users-snowden-documents-reveal/), Bitcoin is under extensive surveillance by the NSA, which monitors its blockchain and global traffic in order to identify users and their transactions. This shows that a GPA capable of observing the P2P network is not a theoretical bugbear but a realistic danger. Therefore, it is crucial to secure the cryptocurrency at its network level and protect the privacy of its users. A GPA who is able to observe the Zcash network can easily discover the network addresses of users who broadcast transactions, hence correlate those addresses with their transactions [2]. This attack is applicable to most deployed cryptocurrencies. Tor (https://www.torproject.org) has been suggested as a possible defence; however, as shown in [2], it is not an ultimate solution, since even a low-resourced adversary can perform attacks. These not only deanonymize the participants of a transaction but, more importantly, allow the adversary to control which blockchain state is visible to the users or which transactions are relayed to them. Moreover, Tor is not resistant to a GPA, therefore it is not suitable for our threat model.

3 Mixes for anonymity

A mix network [3] is a sequence of cryptographic relays that hides network-level metadata by using end-to-end layered encryption and secret mixing of packets. The more packets are mixed together, the better the anonymity. Therefore, traditional mix networks used long batching times and cover traffic, which limited their usage to high-latency communication. Recent research [7] shows that it is possible to build low-latency mix networks by using tunable cover traffic and delays. In contrast to Tor, mix networks protect the users' privacy even in the presence of a GPA performing sophisticated traffic analysis. In this talk, we want to discuss the idea of using a mix network as the proxy between the users and the Zcash network. Implementing a mix network over Zcash would ensure that users' transactions remain anonymous even if the adversary is able to observe the communication channel between the users' local networks and the whole P2P network. Merging mix networks with cryptocurrencies has a bilateral benefit. On one hand, it allows for truly anonymous transactions. On the other hand, it offers another use case for mix networks, thus increasing their potential.

4 Our scheme

In our proposal, we leverage a mix network as a proxy channel between the users and the Zcash network. The mix network would serve the two following roles:

Broadcast: It would be responsible for broadcasting all of the users' transactions to the P2P network. The user encapsulates the transaction into the mix network's cryptographic packet format and passes it to the first mix server. Thanks to that, only the first server in the mix chain learns the network address of the user, and every other server learns only the addresses of the previous and the next server. The last server in the chain is responsible for broadcasting the decrypted transaction into the Zcash network. Hence, the network-layer attack is no longer possible: the user's network address is visible to the GPA only on the user's own network, and it cannot be correlated with any transaction in the blockchain, since the layered encryption hides the packet's source and the broadcasting address belongs to the mix server.
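As an added illustration of the broadcast role (this is not code from the paper, nor from any Zcash or mix-network implementation), the following toy Python script builds the layered packet for a three-hop cascade and records what each hop can observe. It assumes a symmetric key pre-shared with each mix, a per-hop cipher improvised from SHA-256 and HMAC in place of a real packet format such as Sphinx, and a constructed transaction byte string; the mix names, keys and the user's address are made up.

```python
"""Toy mix cascade for relaying a Zcash transaction (added example, not the
paper's code). Per-hop encryption is improvised from SHA-256/HMAC; a real
deployment would use a proper packet format such as Sphinx (as in Loopix [7])."""
import hashlib
import hmac
import os
import struct

BROADCAST = "zcash-p2p"  # sentinel telling the last mix to broadcast the payload


def _keystream(key, nonce, n):
    # SHA-256 in counter mode: adequate for a demonstration, not for production.
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag and strip one layer; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag: this layer was not encrypted for this mix")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_packet(route, tx_bytes):
    """Wrap tx_bytes inside-out so that hop i can only recover the name of
    hop i+1 plus an opaque blob. route = [(mix_name, shared_key), ...]."""
    inner, next_hop = tx_bytes, BROADCAST
    for name, key in reversed(route):
        hdr = next_hop.encode()
        inner = seal(key, bytes([len(hdr)]) + hdr + inner)
        next_hop = name
    return inner


def process_hop(key, packet):
    """What a single mix does: peel its own layer, read the next hop, forward the rest."""
    plain = unseal(key, packet)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def relay(route, packet, sender_addr):
    """Run the cascade and record each hop's view: who handed it the packet and
    where it forwards to. The final payload is the transaction to broadcast."""
    views, prev = [], sender_addr
    for name, key in route:
        next_hop, packet = process_hop(key, packet)
        views.append({"mix": name, "from": prev, "to": next_hop})
        prev = name
    return views, packet


# Constructed route, keys and transaction (made up for this example).
ROUTE = [("mix1", hashlib.sha256(b"mix1-key").digest()),
         ("mix2", hashlib.sha256(b"mix2-key").digest()),
         ("mix3", hashlib.sha256(b"mix3-key").digest())]
TX = b"<raw zcash transaction bytes>"
USER = "user@203.0.113.7"


def demo():
    """Build the packet, push it through the cascade, return (hop views, payload)."""
    packet = build_packet(ROUTE, TX)
    return relay(ROUTE, packet, USER)


def wrong_hop_rejected():
    """A mix holding only its own key cannot open a packet built for another hop."""
    packet = build_packet(ROUTE, TX)
    try:
        process_hop(ROUTE[1][1], packet)  # mix2 tries to open mix1's layer
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for view in demo()[0]:
        print(view)
```

Only mix1 ever sees the user's address, and only mix3 sees the transaction in the clear; the GPA watching the user's link sees a packet that is bitwise unrelated to what mix3 later broadcasts. Two things a real design adds that this toy omits: every layer here shrinks the packet, so packet length alone would reveal a packet's position in the cascade (Sphinx pads to a constant size), and there is no per-hop delay or cover traffic, which is what prevents the GPA from simply matching packets by timing across the whole chain.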

Suggest coin splitting: We suggest using mix servers as advisors who recommend to users the optimal split of their coins, hence helping them protect themselves against application-layer attacks. Mix servers can aggregate information about prior deposits into the pool and, based on this knowledge, calculate the best strategy for splitting the coins, which increases the anonymity set of the users. Such blockchain analysis is very low-cost and can be performed on a modern personal computer. For example, Figure 1 shows how the mix server takes into consideration the transaction that happened earlier and recommends a split of the user's coin that matches it.
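The value-matching linkage from the application-layer attack above and the split recommendation just described, as one added worked example in Python (not the paper's code). The deposit and withdrawal lists are constructed, amounts are integers in zatoshi, each output of a shielding transaction is modelled as its own deposit entry, and the rule that links a withdrawal to the only earlier deposit of equal value is a simplified form of the value-matching idea in [4]; the recommender that picks split values already common in the pool is this example's own choice of strategy, not necessarily the paper's.

```python
"""Value-matching linkage across the Zcash shielded pool, plus a mix-server
style split recommender (added example, not the paper's code). Amounts are
integers in zatoshi; the chain data below is constructed for the example."""
from collections import Counter, defaultdict

ZEC = 100_000_000  # zatoshi per ZEC

# Constructed history: (txid, block height, value). Each output of a shielding
# transaction is modelled as its own deposit entry (an assumption of this example).
SHIELDING = [            # t-to-z deposits into the pool
    ("d1", 100, 5 * ZEC),
    ("d2", 101, 10 * ZEC),
    ("d3", 102, 10 * ZEC),
    ("d4", 103, 10 * ZEC),
    ("d5", 104, 237 * ZEC // 100),  # 2.37 ZEC: a value nobody else deposited
    ("d6", 105, 5 * ZEC),
    ("d7", 106, 25 * ZEC // 10),    # 2.5 ZEC
]
DESHIELDING = [          # z-to-t withdrawals from the pool
    ("w1", 110, 237 * ZEC // 100),
    ("w2", 111, 10 * ZEC),
    ("w3", 112, 5 * ZEC),
]


def link_by_value(shielding, deshielding):
    """Adversary's view: for every withdrawal, the earlier deposits of exactly the
    same value are its candidates (the value is public in t-to-z and z-to-t).
    A single candidate means the deposit and withdrawal, and hence the two end
    t-addresses, are linked."""
    by_value = defaultdict(list)
    for txid, height, value in shielding:
        by_value[value].append((txid, height))
    out = {}
    for txid, height, value in deshielding:
        cands = [d for d, h in by_value[value] if h < height]
        out[txid] = {"anonymity_set": len(cands),
                     "linked_to": cands[0] if len(cands) == 1 else None}
    return out


def suggest_split(value, shielding, min_set=2):
    """Mix-server advice: choose (a, value - a) so that both parts are values the
    pool has already seen, maximising the smaller of the two candidate counts.
    Returns None when no such split exists."""
    counts = Counter(v for _, _, v in shielding)
    best = None
    for a, count_a in counts.items():
        b = value - a
        if b <= 0 or a > b:
            continue
        score = min(count_a, counts.get(b, 0))
        if score >= min_set and (best is None or score > best[0]):
            best = (score, a, b)
    return None if best is None else (best[1], best[2])


def anonymity_sets_after(parts, shielding, deshielding, height):
    """Append the user's deposit of the given parts and, ten blocks later, withdrawals
    of the same parts; report the candidate-set size of each user withdrawal."""
    dep = list(shielding) + [(f"user_d{i}", height, p) for i, p in enumerate(parts)]
    wd = list(deshielding) + [(f"user_w{i}", height + 10 + i, p) for i, p in enumerate(parts)]
    res = link_by_value(dep, wd)
    return [res[f"user_w{i}"]["anonymity_set"] for i in range(len(parts))]


if __name__ == "__main__":
    print(link_by_value(SHIELDING, DESHIELDING))
    naive = [15 * ZEC]
    advised = list(suggest_split(15 * ZEC, SHIELDING))
    print("naive:", naive, anonymity_sets_after(naive, SHIELDING, DESHIELDING, 120))
    print("advised:", advised, anonymity_sets_after(advised, SHIELDING, DESHIELDING, 120))
```

On the constructed history, w1 is linked outright to d5 (its 2.37 ZEC value is unique), while w2 and w3 keep candidate sets of 3 and 2. A user depositing 15 ZEC in one piece and withdrawing it later ends up with a candidate set of 1, that is, linked; the advised split into 5 + 10 ZEC gives the two withdrawals candidate sets of 3 and 4. The recommender deliberately ignores timing and the co-occurrence of the two withdrawals: a 5 ZEC and a 10 ZEC withdrawal landing in adjacent blocks can itself be a fingerprint, so a deployed advisor would also have to spread withdrawals out and account for how many other users are withdrawing each value in the same period.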

5 Discussion Points

The primary goal of this talk is to hear the community’s feedback and suggestions about the scheme, since such design raises many challenges, as well as to spur the discussion regarding the anonymity of the cryptocurrencies. We intend to debate the following points:


  • Should the Zcash client force users to transact anonymously by making private transactions the only option, or should the choice remain with the user? A related question is whether and how we can give users an incentive to use the shielded pool.

  • In order to offer its anonymity properties, a mix network adds delays at each hop, hence it introduces additional latency for transactions. In our opinion, a carefully evaluated per-hop delay does not significantly increase the overall latency, hence does not degrade the user experience.

  • Some of the mix nodes may be malicious. One possible attack by a corrupt mix is a DoS attack, in which the mix never forwards the packets it receives, hence decreasing the system's reliability. One possible mitigation is for the user to send the same packet carrying the transaction through multiple mix cascades. More importantly, malicious mix servers cannot craft their own transactions in order to steal users' money, since a mix only relays transactions the user has already authorised.

  • In order to ensure that the shielded pool processes a large enough number of transactions, and hence offers a large anonymity set, and that the density of traffic in the mix net does not leak any communication information, we have to use cover traffic. How much cover traffic is required opens up a new research challenge, which we aim to study.

  • What are the requirements for such a design in the opinion of the research and developer communities?

References

  • [1] E. Androulaki, G. O. Karame, M. Roeschlin, T. Scherer, and S. Capkun. Evaluating user privacy in bitcoin. In International Conference on Financial Cryptography and Data Security. Springer, 2013.
  • [2] A. Biryukov and I. Pustogarov. Bitcoin over tor isn’t a good idea. In IEEE Symposium on Security and Privacy, 2015.
  • [3] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 1981.
  • [4] G. Kappos, H. Yousaf, M. Maller, and S. Meiklejohn. An Empirical Analysis of Anonymity in Zcash. ArXiv e-prints, 2018.
  • [5] S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. McCoy, G. M. Voelker, and S. Savage. A fistful of bitcoins: characterizing payments among men with no names. In Proceedings of the Internet measurement conference. ACM, 2013.
  • [6] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008.
  • [7] A. M. Piotrowska, J. Hayes, T. Elahi, S. Meiser, and G. Danezis. The loopix anonymity system. In USENIX Security Symposium, 2017.