![Page 1: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/1.jpg)
Malte Möser, Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, Nicolas Christin
PETS 2018: The 18th Privacy Enhancing Technologies Symposium
An Empirical Analysis of Traceability in the Monero Blockchain
![Page 2: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/2.jpg)
Monero
▸ Privacy-centric cryptocurrency (currently top #12)
�2
![Page 3: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/3.jpg)
AlphaBay starts accepting Monero
�3
![Page 4: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/4.jpg)
Monero
▸ Privacy-centric cryptocurrency (currently top #14)
This Talk
▸ Weaknesses in mixin sampling strategy
▸ Studying the ecosystem: does it matter?
▸ Lessons and conclusion
�4
![Page 5: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/5.jpg)
Output Selection in Bitcoin
each input refers to a single output
�5
![Page 6: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/6.jpg)
Output Selection in Monero
each input refers to multiple outputs(with the same denomination)
“mixins”
�6
![Page 7: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/7.jpg)
Deduction Technique initially no mandatorynumber of mixins
�7
![Page 8: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/8.jpg)
Deduction Technique
�8
![Page 9: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/9.jpg)
Results of Deducibility Attack
▸ 64% of inputs have no mixins
▸ 63% of inputs with mixins are deducible
Getting betterover time
�9
![Page 10: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/10.jpg)
Mixin Selection Distributions
Time
Prob
abili
ty
Time
Prob
abili
ty
Time
Prob
abili
ty
Uniform Triangular Triangular+ recentuntil January 2016 January-December 2016
since December 2016
�10
![Page 11: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/11.jpg)
Spend Time of “Real” Inputs and Mixins
Num
ber o
f inp
uts
�11
![Page 12: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/12.jpg)
Spend Time of “Real” Inputs
Num
ber o
f inp
uts
�12
![Page 13: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/13.jpg)
Spend Time of Ruled-Out Mixins
Num
ber o
f inp
uts
�13
![Page 14: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/14.jpg)
Distributions Do Not Match
Real + MixinsReal Ruled-out Mixins
�14
![Page 15: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/15.jpg)
Guess-Newest Heuristic
▸ The newest input is usually the real one
▸ Successful for
▸ 92% of deduced inputs
▸ 80% of all inputs (based on simulation)
�15
![Page 16: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/16.jpg)
How Can We Fix This?
Sample More “Recent” Mixins
▸ More mixins, reduce size of “recent” window
▸ Simulation results in paper
Estimate Empirical Distribution
Binned Mixin
Time
Prob
abili
ty
�16
![Page 17: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/17.jpg)
How Can We Fix This?
Sample More “Recent” Mixins
Estimate Empirical Distribution
▸ Fit distribution to ground truth data
▸ Good fit: Log-Gamma distribution
Binned Mixin
�17
![Page 18: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/18.jpg)
How Can We Fix This?
Sample More “Recent” Mixins
Estimate Empirical Distribution
Binned Mixins
▸ Group outputs to defend against timing attacks
▸ Helps against attacker with prior information
Shuffle Shuffle
Bins
�18
![Page 19: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/19.jpg)
Do These Weaknesses Matter?
▸ Not all transactions are equally privacy sensitive
▸ Goal: quantify different usage types
Monero doubles block interval
�19
![Page 20: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/20.jpg)
Mining Pools Announce Payouts
�20
![Page 21: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/21.jpg)
Estimating Mining Activity
▸ Miners announce blocks and payouts
▸ Website crawl
▸ # blocks found
▸ # payout txs
▸ 0.44 txs per block related to mining
�21
![Page 22: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/22.jpg)
AlphaBay
▸ Volume spiked when AlphaBay started accepting Monero AlphaBay starts
accepting Monero
�22
![Page 23: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/23.jpg)
AlphaBay - Daily Volume (Number of Transactions)
�23
0
1,000
2,000
3,000
4,000
5,000
Jan 2015 Jul 2015 Jan 2016 Jul 2016 Jan 2017Date
Dai
ly v
olum
e(n
r. of
tran
sact
ions
, 7−d
ay a
vg.)
XMR or BTCBTC onlyUnidentified
![Page 24: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/24.jpg)
AlphaBay
▸ Volume spiked when AlphaBay started accepting Monero
▸ At most 25% of txs can be deposits at AlphaBay
AlphaBay starts accepting Monero
�24
![Page 25: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/25.jpg)
Cryptocurrency Privacy Inherits the Worst of
▸ Data anonymization
▸ Blockchain data is public
▸ Weakness can be exploited retroactively
▸ Communication anonymity
▸ Behavior of some users influences anonymity of others
▸ “Anonymity loves company”
cf. Goldfeder, Kalodner, Reisman & Narayanan (2018)
�25
![Page 26: An Empirical Analysis of Traceability in the Monero Blockchain€¦ · Many privacy-sensitive transactions are vulnerable to deanonymization More than a thousand transactions per](https://reader035.vdocuments.us/reader035/viewer/2022071212/6024d6f6ead3e66f9c552c54/html5/thumbnails/26.jpg)
Summary
▸ Identified and quantified two weaknesses in Monero’s mixin selection
▸ Many privacy-sensitive transactions are vulnerable to deanonymization
▸ More than a thousand transactions per day in late 2016
▸ Criminal offenses take years to expire (if at all)
▸ Illicit business tends to be early adopters of new technologies
▸ Many legitimate uses that are less visible
�26