lecture 9 - department of computer scienceabhishek/classes/cs601-641-441-spring2018/lecture9.pdfsome...
TRANSCRIPT
![Page 1: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/1.jpg)
Lecture 9Anonymity in Cryptocurrencies
![Page 2: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/2.jpg)
Some say Bitcoin provides anonymity
“ Bitcoin is a secure and anonymous digital currency ”
— WikiLeaks donations page
![Page 3: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/3.jpg)
Others say it doesn’t
“ Bitcoin won't hide you from the NSA's prying eyes”
— Wired UK
![Page 4: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/4.jpg)
What do we mean by anonymity?
Literally: anonymous = without a name
Bitcoin addresses are public key hashes rather than real identities
Computer scientists call this pseudonymity
![Page 5: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/5.jpg)
Anonymity in computer science
Different interactions of the same user with the system should not be linkable to each other
Anonymity = pseudonymity + unlinkability
![Page 6: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/6.jpg)
Pseudonymity vs anonymity in forums
Reddit: pick a long-term pseudonym
vs.
4Chan: make posts with no attribution at all
![Page 7: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/7.jpg)
Why is unlinkability needed?
1. Many Bitcoin services require real identity
1. Linked profiles can be deanonymized by a variety of side channels
![Page 8: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/8.jpg)
Defining unlinkability in Bitcoin
• Hard to link different addresses of the same user
• Hard to link different transactions of the same user
• Hard to link sender of a “payment” to its recipient
![Page 9: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/9.jpg)
Quantifying anonymityAnonymity set: Anonymity set of a transaction T is the set of transactions which an adversary cannot distinguish from T.
To calculate anonymity set: • define adversary model • reason carefully about: what the adversary knows,
does not know, and cannot know
![Page 10: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/10.jpg)
Why anonymous cryptocurrencies?
Block chain based currencies are totally, publicly, and permanently traceable
Without anonymity, privacy is much worse than traditional banking!
![Page 11: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/11.jpg)
Anonymous e-cash: history
Introduced by David Chaum, 1982
Blind signature: a two-party protocol to create digital signature without signer learning which message is being signed
• An example of secure two-party computation
![Page 12: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/12.jpg)
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
![Page 13: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/13.jpg)
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
![Page 14: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/14.jpg)
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
9
![Page 15: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/15.jpg)
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
{317038628684424}9
![Page 16: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/16.jpg)
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
{317038628684424}9
![Page 17: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/17.jpg)
Deposit coin # 317038628684424
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
{317038628684424}
{317038628684424}
9
![Page 18: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/18.jpg)
Deposit coin # 317038628684424
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
{317038628684424}
{317038628684424}
9
6
31703862…
![Page 19: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/19.jpg)
Deposit coin # 317038628684424
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
{317038628684424}
{317038628684424}
OK
9
6
31703862…
![Page 20: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/20.jpg)
Deposit coin # 317038628684424
Anonymous e-cash via blind signatures
User Balance
… …
10
… …
5
Spent coins
…
Withdraw anonymous coin
{317038628684424}
{317038628684424}
OK
9
6
31703862…
Bank cannot link the two users
![Page 21: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/21.jpg)
Anonymity & decentralization: in conflict
• Interactive cryptographic protocols with bank are hard to decentralize • Later: Zerocoin and Zerocash overcome this challenge by using non-
interactive cryptographic techniques
• Decentralization often achieved via public traceability to enforce security
![Page 22: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/22.jpg)
How to de-anonymize Bitcoin
![Page 23: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/23.jpg)
Trivial to create new addresses in Bitcoin
Best practice: always receive at fresh address
So, unlinkable?
![Page 24: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/24.jpg)
Alice buys a teapot at Big box store
5
3
6
8
![Page 25: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/25.jpg)
Alice buys a teapot at Big box store
5
3
6
8
Single transaction
![Page 26: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/26.jpg)
Linking addresses
Shared spending is evidence of joint control
Addresses can be linked transitively
![Page 27: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/27.jpg)
Clustering of addressesAn Analysis of Anonymity in the Bitcoin System
F. Reid and M. Harrigan PASSAT 2011
![Page 28: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/28.jpg)
Change addresses
5
3
6
8.5
![Page 29: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/29.jpg)
Change addresses
5
3
6
8.5
.5
![Page 30: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/30.jpg)
Change addresses
5
3
6
8.5
.5 Which address is change?
![Page 31: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/31.jpg)
“Idioms of use”
Idiosyncratic features of wallet software
e.g., each address used only once as change
![Page 32: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/32.jpg)
Shared spending + idioms of useA Fistful of Bitcoins: Characterizing Payments Among Men with No Names
S. Meiklejohn et al. IMC 2013
![Page 33: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/33.jpg)
To tag service providers: transact!A Fistful of Bitcoins: Characterizing Payments Among Men with No Names
S. Meiklejohn et al.
344 transactions • Mining pools • Wallet services • Exchanges • Vendors • Gambling sites
![Page 34: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/34.jpg)
Shared spending + idioms of useA Fistful of Bitcoins: Characterizing Payments Among Men with No Names
S. Meiklejohn et al. IMC 2013
![Page 35: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/35.jpg)
From services to users
1. High centralization in service providers
Most flows pass through one of these — in a traceable way
2. Address — identity links in forums
![Page 36: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/36.jpg)
Achieving Anonymity
![Page 37: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/37.jpg)
Approaches
• Mixing: Pool in multiple transactions (ideally same value), and then create new transactions • Centralized: E.g., online wallets • Decentralized: E.g., CoinJoin • Untrusted intermediary using crypto: Tumblebit
• New cryptocurrencies: • Using Zero-knowledge proofs: Zerocoin and Zerocash • Using Ring signatures: Monero
![Page 38: Lecture 9 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lecture9.pdfSome say Bitcoin provides anonymity “ Bitcoin is a secure and anonymous digital currency](https://reader036.vdocuments.us/reader036/viewer/2022070723/5f0201537e708231d4021ba9/html5/thumbnails/38.jpg)
Approaches
• Mixing: Pool in multiple transactions (ideally same value), and then create new transactions • Centralized: E.g., online wallets • Decentralized: E.g., CoinJoin (e.g., implementation: Dash) • Untrusted intermediary using crypto: Tumblebit
• New cryptocurrencies: • Using Zero-knowledge proofs: Zerocoin and Zerocash • Using Ring signatures: Cryptonote (e.g., implementation:
Monero)