deanonymization and linkability of cryptocurrency ... · i dash: mixing by masternodes i monero:...
TRANSCRIPT
![Page 1: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/1.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
1/39
Deanonymization and linkability ofcryptocurrency transactions based on
network analysis
Alex Biryukov, Sergei Tikhomirov
University of Luxembourg
17 June 2019Euro S&P
Stockholm, Sweden
![Page 2: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/2.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
2/39
Outline
Introduction
Transaction clusteringParallel connectionsWeighting timestamp vectorsCorrelation matrixMeasuring anonymity
Experimental resultsEstimating the source IP
Discussion
Conclusion
![Page 3: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/3.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
3/39
Outline
Introduction
Transaction clusteringParallel connectionsWeighting timestamp vectorsCorrelation matrixMeasuring anonymity
Experimental resultsEstimating the source IP
Discussion
Conclusion
![Page 4: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/4.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
4/39
Bitcoin
I The first to solve double-spending with proof-of-work
I Senders broadcast transactions into a P2P network
I Miners construct blocks (thus confirming transactions)
![Page 5: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/5.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
5/39
Privacy in Bitcoin
I Transactions not linked to ”real-world” identity
I Users can generate as many key pairs as they wish
I False sense of privacy?
![Page 6: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/6.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
6/39
Taint analysis heuristics
I All transaction inputs probably belong to the sender
I One output probably also belongs to the sender
Figure: Bitcoin transaction structure
![Page 7: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/7.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
7/39
Privacy coins hinder blockchain analysis...
I Dash: mixing by masternodes
I Monero: ring signatures
I Zcash: zk-SNARKs
![Page 8: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/8.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
8/39
...but what about network analysis?
I How do messages propagate through the network?
I What does a well-connected adversary learn?
I Is it possible to link txs by the same user?
![Page 9: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/9.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
9/39
Our contributions
I We introduce a new transaction clustering methodbased on weighted vectors of IP addresses
I We validate our method with experiments on Bitcoinand three major privacy-focused cryptocurrencies
![Page 10: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/10.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
10/39
Outline
Introduction
Transaction clusteringParallel connectionsWeighting timestamp vectorsCorrelation matrixMeasuring anonymity
Experimental resultsEstimating the source IP
Discussion
Conclusion
![Page 11: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/11.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
11/39
Message propagation in Bitcoin
Figure: Bitcoin’s 3-step message exchange
![Page 12: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/12.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
12/39
Broadcast randomization in Bitcoin and forks
I trickling: send to a random subset once every 100 ms
I diffusion: send to each neighbor after a random delay
![Page 13: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/13.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
13/39
Intuition
Transactions issued from thesame node have correlatedbroadcast patterns.
![Page 14: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/14.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
14/39
Outline of our clustering method
I Establish parallel connections to many nodes
I Log timestamps of received tx announcements
I For each tx, consider IPs which announced it to us
I Cluster transactions with ”similar” IP vectors
I Measure the decrease in anonymity
![Page 15: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/15.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
15/39
Parallel connections
I Default connections: 8 outgoing + up to 117 incoming
I We are unlikely to get a new tx quickly with only oneconnection per node
I bcclient establishes parallel connections to nodes
I Bitcoin and Zcash show similar distribution of free slots
![Page 16: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/16.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
16/39
Bitcoin free slots
![Page 17: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/17.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
17/39
Zcash free slots
![Page 18: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/18.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
18/39
Weighting timing vectors
IP addresses pi announce a new tx to us at times ti .We assign exponentially decreasing weights to pi :
w(pi ) = e−(ti/k)2
where the median IP gets weight 0.5:
k =tmedian√− ln(0.5)
![Page 19: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/19.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
19/39
Weighting timing vectors: example
High values indicate higher probability of an IP to be thesender or one of its entry nodes.
Figure: Weight functions for 3 timestamp vectors
![Page 20: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/20.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
20/39
Clustering the correlation matrix
I For each pairwise correlations of weight vectors of txs
I Hypothesis: correlation matrix has a block-diagonalstructure
I With a right permutation of rows and columns, relatedtransactions will form clusters along the main diagonal
![Page 21: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/21.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
21/39
Heatmap visualization
I Display correlations between weight vectors as matrix
I Darker color means higher correlation
I Matrix is symmetric by definition: corr(i , j) = corr(j , i)
I The main diagonal is black: correlation with oneself
![Page 22: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/22.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
22/39
Measuring anonymity
We use anonymity degree proposed by D́ıaz et al.1:
d =−∑N
i=1 pi log2(pi )
log2(N)
where pi is the probability of the i-th tx to originate fromthe given source.
I d = 1: users are equally likely to be the senders of agiven message
I d = 0: the attacker knows the senders of all messages
1D́ıaz, Seys, Claessens, Preneel. Towards measuring anonymity. 2002
![Page 23: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/23.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
23/39
Putting the pieces together
I Connect to many nodes from servers on 3 continents
I Log transaction announcements
I Assign weights to vectors of timestamps
I Calculate pairwise correlations between weight vectors
I Apply the spectral co-clustering algorithm 2
I Calculate anonymity degree for our txs as ground truth
I Ethical considerations: mostly testnet, our own txs
2I.S.Dhillon. Co-clustering documents and words using bipartitespectral graph partitioning. 2001
![Page 24: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/24.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
24/39
Outline
Introduction
Transaction clusteringParallel connectionsWeighting timestamp vectorsCorrelation matrixMeasuring anonymity
Experimental resultsEstimating the source IP
Discussion
Conclusion
![Page 25: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/25.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
25/39
Bitcoin testnet: anonymity degree = 0.63
![Page 26: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/26.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
26/39
Bitcoin mainnet: anonymity degree = 0.88
Only connected to 1/10 of nodes, didn’t occupy all slots.
![Page 27: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/27.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
27/39
Zcash: anonymity degree = 0.86
![Page 28: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/28.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
28/39
Monero
Experiment without our own transactions.
![Page 29: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/29.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
29/39
Dash
Experiment without our own transactions.
![Page 30: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/30.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
30/39
Estimating the source IP from ADDR messages
I A new node advertises its IP in ADDR messages
I We intersect the announced IPs from ADDRs with thehighest-weighted IPs in tx clusters (Bitcoin testnet)
I In most experiments, the source IP appeared amongtop-5 highest weighted IPs in our transaction cluster
![Page 31: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/31.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
31/39
Outline
Introduction
Transaction clusteringParallel connectionsWeighting timestamp vectorsCorrelation matrixMeasuring anonymity
Experimental resultsEstimating the source IP
Discussion
Conclusion
![Page 32: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/32.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
32/39
Cost of attack
I Feasible for a moderately resourceful attacker
I Main cost components are bandwidth and storage
I We estimate the cost of a full-scale attack on Bitcoinmainnet at hundreds of US dollars
I Our experiments cost $35 on AWS
![Page 33: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/33.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
33/39
Countermeasures
I Don’t issue many txs in the same session
I Run nodes with increased number of connections
I Periodically drop and re-establish random connections
I Implement stronger broadcast randomization
![Page 34: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/34.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
34/39
Countermeasures (contd): new relay protocols
I Dandelion++: two-stage propagation for betteranonymity. Only outgoing connections for first phase.Hard to force a remote node to connect to us
I Erlay (proposed 2019-05-28): ”[A]nnouncements areonly sent directly over a small number of connections(only 8 outgoing ones). [...] We [...] better withstandtiming attacks”
![Page 35: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/35.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
35/39
Outline
Introduction
Transaction clusteringParallel connectionsWeighting timestamp vectorsCorrelation matrixMeasuring anonymity
Experimental resultsEstimating the source IP
Discussion
Conclusion
![Page 36: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/36.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
36/39
Conclusion
I Announcement timings reveal related transactions
I Randomization techniques are not very efficient
I Clustering works better on small networks
![Page 37: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/37.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
37/39
Future work: mobile wallets
I In our experiments, txs were issues from a full node
I How are mobile wallets different in terms of networking?
I Can we cluster transactions issued from mobile wallets?
![Page 38: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/38.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
38/39
Questions?
I cryptolux.org (we are hiring postdocs)
I s-tikhomirov.github.io
![Page 39: Deanonymization and linkability of cryptocurrency ... · I Dash: mixing by masternodes I Monero: ring signatures I Zcash: zk-SNARKs. Deanonymization and linkability of cryptocurrency](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603ec94c07fd412ce41dcc73/html5/thumbnails/39.jpg)
Deanonymizationand linkability ofcryptocurrency
transactions basedon networkanalysis
Biryukov,Tikhomirov
Introduction
Tx clustering
Parallel connections
Weighting timestampvectors
Correlation matrix
Measuring anonymity
Experiments
Estimating the source IP
Discussion
Conclusion
39/39
Image credits
I Transaction structure: Andreas Antonopoulos.https://bit.ly/2MPDpba
I Data exchange: Samuel Omidiora.https://bit.ly/2MO8Mmo