Research Pulse #50 01/31/22

  1. On How Zero-Knowledge Proof Blockchain Mixers Improve, and Worsen User Privacy
    Authors: Zhipeng Wang, Stefanos Chaliasos, Kaihua Qin, Liyi Zhou, Lifeng Gao, Pascal Berrang, Ben Livshits, and Arthur Gervais

One of the most prominent and widely-used blockchain privacy solutions are zero-knowledge proof (ZKP) mixers operating on top of smart contract-enabled blockchains. ZKP mixers typically advertise their level of privacy through a so-called anonymity set size, similar to k-anonymity, where a user hides among a set of k other users.
In reality, however, these anonymity set claims are mostly inaccurate, as we find through empirical measurements of the currently most active ZKP mixers. We propose five heuristics that, in combination, can increase the probability that an adversary links a withdrawer to the correct depositor on average by 51.94% (108.63%) on the most popular Ethereum (ETH) and Binance Smart Chain (BSC) mixer, respectively. Our empirical evidence is hence also the first to suggest a differing privacy predilection of users on ETH and BSC. We further identify 105 Decentralized Finance (DeFi) attackers leveraging ZKP mixers both as the source of their initial funds and as a place to deposit attack revenue (e.g., from phishing scams, hacking centralized exchanges, and blockchain project attacks).
State-of-the-art mixers are moreover tightly intertwined with the growing DeFi ecosystem by offering “anonymity mining” (AM) incentives, i.e., mixer users receive monetary rewards for mixing coins. However, contrary to the claims of related work, we find that AM does not always contribute to improving the quality of an anonymity set size of a mixer, because AM tends to attract privacy-ignorant users naively reusing addresses.


  2. Designing a Privacy-Preserving Rebalancing Algorithm for Payment Channel Networks
    Author: Roemer Hendrikx

In the past 8 years, Bitcoin has dominated the cryptocurrency markets and drawn attention from academia, developers and legislators alike. Bitcoin has been praised for its impact on decentralizing trust and currencies but also criticized for its volatility and energy-inefficient consensus mechanism. To address these limitations, in 2016, payment channels and payment channel networks were introduced in the form of the Lightning Network. Payment channels allow for so-called off-chain transactions that, in case of dispute, can be published to an existing cryptocurrency blockchain, like Bitcoin, for arbitration. After its introduction, the concept of payment channels was quickly adopted by many cryptocurrency users. However, although payment channels remove the need for many on-chain transactions, some still remain. An on-chain transaction is required for the opening and closing of a channel. This happens during the initial setup between two users but is also required if one of the users runs out of balance on their side of the channel. The latter is a common occurrence as transactions are often unidirectional, say between a customer and a merchant. To limit the number of closing and opening on-chain transactions required, a user can start or take part in a rebalancing. A rebalancing is a process with the aim of bringing a channel to a balance as desired by its owners. The state-of-the-art existing protocol to carry out a rebalancing is called Revive, which is a distributed protocol using leader election and a linear program to calculate the optimal rebalancing between its participants. Although effective, the protocol provides little privacy to its participants. We, therefore, designed a new, privacy-preserving peer-to-peer rebalancing protocol. Alongside it, we also introduce an accompanying participant discovery protocol that allows users in a network to find other users interested in running a distributed algorithm.
We show that both protocols are secure and that our rebalancing protocol provides more privacy than Revive, at the cost of a suboptimal result and an increased message and time complexity. Finally, we compare our rebalancing protocol and Revive using a payment channel network simulator that simulates transactions taking place during the rebalancing. Using this simulation, we show that both protocols have a negative effect on the payment channel network as they lock the to-be-rebalanced channels while they are executing. We, therefore, conclude that an ideal rebalancing protocol should both be privacy-preserving and concurrent, and propose ideas to achieve this in future research.

Link: Designing a Privacy-Preserving Rebalancing Algorithm for Payment Channel Networks | TU Delft Repositories

  3. Babylon: Reusing Bitcoin Mining to Enhance Proof-of-Stake Security
    Authors: Ertem Nusret Tas, David Tse, Fisher Yu, and Sreeram Kannan

Bitcoin is the most secure blockchain in the world, supported by the immense hash power of its Proof-of-Work miners, but consumes a huge amount of energy. Proof-of-Stake chains are energy-efficient, have fast finality and accountability, but face several fundamental security issues: susceptibility to non-slashable long-range safety attacks, non-slashable transaction censorship and stalling attacks, and difficulty in bootstrapping new PoS chains from low token valuation. We propose Babylon, a blockchain platform which combines the best of both worlds by reusing the immense Bitcoin hash power to enhance the security of PoS chains. Babylon provides a data-available timestamping service, securing PoS chains by allowing them to timestamp data-available block checkpoints, fraud proofs and censored transactions on Babylon. Babylon miners merge mine with Bitcoin and thus the platform has zero additional energy cost. The security of a Babylon-enhanced PoS protocol is formalized by a cryptoeconomic security theorem which shows slashable safety and liveness guarantees.


  4. Do not rug on me: Zero-dimensional Scam Detection
    Authors: Bruno Mazorra, Victor Adan, and Vanesa Daza

Uniswap, like other DEXs, has gained much attention this year because it is a non-custodial and publicly verifiable exchange that allows users to trade digital assets without trusted third parties. However, its simplicity and lack of regulation also make it easy to execute initial coin offering scams by listing non-valuable tokens. This method of performing scams is known as a rug pull, a phenomenon that already existed in traditional finance but has become more relevant in DeFi. Various projects such as [34, 37] have contributed to detecting rug pulls in EVM compatible chains. However, the first longitudinal and academic step to detecting and characterizing scam tokens on Uniswap was made in [44]. The authors collected all the transactions related to the Uniswap V2 exchange and proposed a machine learning algorithm to label tokens as scams. However, the algorithm is only valuable for detecting scams accurately after they have been executed. This paper increases their data set by 20K tokens and proposes a new methodology to label tokens as scams. After manually analyzing the data, we devised a theoretical classification of different malicious maneuvers in the Uniswap protocol. We propose various machine-learning-based algorithms with new relevant features related to the token propagation and smart contract heuristics to detect potential rug pulls before they occur. In general, the models proposed achieved similar results. The best model obtained an accuracy of 0.9936, recall of 0.9540, and precision of 0.9838 in distinguishing non-malicious tokens from scams prior to the malicious maneuver.


  5. Decentralized, Privacy-Preserving, Single Sign-On
    Authors: Omid Mir, Michael Roland, and Rene Mayrhofer

In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future access to services and applications. This type of interaction can make authentication schemes challenging in terms of security and availability. From a security perspective, a main threat is theft of authentication reference data stored with identity providers. An adversary could easily abuse such data to mount an offline dictionary attack for obtaining the underlying password or biometric. From a privacy perspective, identity providers are able to track user activity and control sensitive user data. In terms of availability, users rely on trusted third-party servers that need to be available during authentication. We propose a novel decentralized privacy-preserving single sign-on scheme through the Decentralized Anonymous Multi-Factor Authentication (DAMFA), a new authentication scheme where identity providers no longer require sensitive user data and can no longer track individual user activity. Moreover, our protocol eliminates dependence on an always-on identity provider during user authentication, allowing service providers to authenticate users at any time without interacting with the identity provider. Our approach builds on threshold oblivious pseudorandom functions (TOPRF) to improve resistance against offline attacks and uses a distributed transaction ledger to improve availability. We prove the security of DAMFA in the universal composability (UC) model by defining a UC definition (ideal functionality) for DAMFA and formally proving the security of our scheme via ideal-real simulation. Finally, we demonstrate the practicability of our proposed scheme through a prototype implementation.


  6. Verilay: A Verifiable Proof of Stake Chain Relay
    Authors: Martin Westerkamp and Maximilian Diez

Blockchain relay schemes enable cross-chain state proofs without requiring trusted intermediaries. This is achieved by applying the source blockchain’s consensus validation protocol on the target blockchain. Existing chain relays allow for the validation of blocks created using the Proof of Work (PoW) protocol. Since PoW entails high energy consumption, limited throughput, and no guaranteed finality, Proof of Stake (PoS) blockchain protocols are increasingly popular for addressing these shortcomings. We propose Verilay, the first chain relay scheme that enables validating PoS protocols that produce finalized blocks, for example, Ethereum 2.0, Cosmos, and Polkadot. The concept does not require changes to the source blockchain protocols or validator operations. Signatures of block proposers are validated by a dedicated relay smart contract on the target blockchain. In contrast to basic PoW chain relays, Verilay requires only a subset of block headers to be submitted in order to maintain full verifiability. This yields enhanced scalability. We provide a prototypical implementation that facilitates the validation of Ethereum 2.0 beacon chain headers within the Ethereum Virtual Machine (EVM). Our evaluation proves the applicability to Ethereum 1.0’s mainnet and confirms that only a fraction of transaction costs are required compared to PoW chain relay updates.


  7. Token meets Wallet: Formalizing Privacy and Revocation for FIDO2
    Authors: Lucjan Hanzlik, Julian Loss, and Benedikt Wagner

The FIDO2 standard is a widely used class of challenge-response protocols that allow a user to authenticate to an online service using a hardware token. Barbosa et al. (CRYPTO ‘21) provided the first formal security model and analysis for the FIDO2 standard. However, their model has two shortcomings: (1) it does not include privacy, one of the key features claimed by FIDO2; and (2) their model and proofs apply only to tokens that store all secret keys locally. In contrast, due to limited memory, most existing FIDO2 tokens use one of the following approaches to handle an unlimited number of keys. Key derivation derives a fresh per-server secret key from a common seed. Key wrapping stores an encryption of the key on the server and retrieves it for each authentication. These approaches substantially complicate the protocols and their security analysis. In particular, they bear additional risks for the privacy and security of FIDO2 that are not captured in the model of Barbosa et al.
In this paper, we revisit the security of FIDO2 as implemented in practice. Our contributions are as follows. (1) We adapt the model of Barbosa et al. so as to capture authentication tokens using key derivation or key wrapping. (2) In our adapted model, we provide the first formal definition of privacy for FIDO2 and show that these common FIDO2 token implementations are secure in our model, if the underlying building blocks are chosen appropriately. (3) Finally, we address the unsolved problem of global key revocation in FIDO2. We first provide appropriate syntax of a revocation procedure and extend our model to support this feature. We then provide the first secure global key revocation protocol for FIDO2. Our solution is based on the popular BIP32 standard used in cryptocurrency wallets.
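The two memory-saving strategies named in the Token meets Wallet abstract above, key derivation and key wrapping, are easy to confuse in the abstract but behave quite differently in code. The following Go program is an added illustration written for this digest; it is not code from the paper, and it does not reproduce the paper's constructions or model. It assumes Ed25519 in place of the ES256 signatures FIDO2 tokens actually use, HMAC-SHA256 under the master seed as the derivation function, and AES-256-GCM as the wrapping cipher; the `Authenticator` interface, the `DerivingToken` and `WrappingToken` types and the credential-ID layouts are constructed for the demo. The point it shows is the property the abstract says the original model misses: in both designs the token holds no per-credential state, the credential ID carries what the token needs to recompute or recover the key, and the relying-party identifier is bound into that ID so a credential presented under a different `rpID` is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the minimal token interface both strategies implement (constructed for this demo).
type Authenticator interface {
	Register(rpID string) (credID []byte, pub ed25519.PublicKey, err error)
	Authenticate(rpID string, credID, challenge []byte) (sig []byte, err error)
}

// DerivingToken keeps only a master seed; each per-RP key is recomputed from seed, rpID and a nonce.
type DerivingToken struct{ seed []byte }

// prf is HMAC-SHA256 under the master seed with a domain label so key bytes and credential tags never collide.
func (t *DerivingToken) prf(label, rpID string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, t.seed)
	mac.Write([]byte(label))
	mac.Write([]byte(rpID))
	mac.Write(nonce)
	return mac.Sum(nil) // 32 bytes, exactly an Ed25519 seed
}

func (t *DerivingToken) Register(rpID string) ([]byte, ed25519.PublicKey, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	priv := ed25519.NewKeyFromSeed(t.prf("key", rpID, nonce))
	// credential ID = nonce || 16-byte tag; the tag lets the token recognise its own credentials without storing them
	credID := append(append([]byte{}, nonce...), t.prf("tag", rpID, nonce)[:16]...)
	return credID, priv.Public().(ed25519.PublicKey), nil
}

func (t *DerivingToken) Authenticate(rpID string, credID, challenge []byte) ([]byte, error) {
	if len(credID) != 32 {
		return nil, errors.New("malformed credential id")
	}
	nonce, tag := credID[:16], credID[16:]
	if !hmac.Equal(tag, t.prf("tag", rpID, nonce)[:16]) {
		return nil, errors.New("credential not issued by this token for this rpID")
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(t.prf("key", rpID, nonce)), challenge), nil
}

// WrappingToken draws a fresh random key per registration and returns it encrypted under the
// token's master key inside the credential ID; the server stores the blob, the token stores nothing.
type WrappingToken struct{ aead cipher.AEAD }

func NewWrappingToken(masterKey []byte) (*WrappingToken, error) {
	block, err := aes.NewCipher(masterKey) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &WrappingToken{aead: aead}, nil
}

func (t *WrappingToken) Register(rpID string) ([]byte, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// rpID is the associated data, so an unwrap attempted under any other rpID fails GCM authentication
	return t.aead.Seal(nonce, nonce, priv.Seed(), []byte(rpID)), pub, nil
}

func (t *WrappingToken) Authenticate(rpID string, credID, challenge []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(credID) < ns {
		return nil, errors.New("malformed credential id")
	}
	seed, err := t.aead.Open(nil, credID[:ns], credID[ns:], []byte(rpID))
	if err != nil {
		return nil, errors.New("credential not issued by this token for this rpID")
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), challenge), nil
}

// RoundTrip registers under rpID, checks the token's answer verifies under the registered public key,
// and checks the same credential is rejected when presented under otherRP.
func RoundTrip(tok Authenticator, rpID, otherRP string) (bool, error) {
	credID, pub, err := tok.Register(rpID)
	if err != nil {
		return false, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := tok.Authenticate(rpID, credID, challenge)
	if err != nil || !ed25519.Verify(pub, challenge, sig) {
		return false, err
	}
	_, err = tok.Authenticate(otherRP, credID, challenge)
	return err != nil, nil
}

func main() {
	master := make([]byte, 32) // constructed demo master secret; a real token keeps this in secure storage
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	wt, err := NewWrappingToken(master)
	if err != nil {
		panic(err)
	}
	for name, tok := range map[string]Authenticator{"key derivation": &DerivingToken{seed: master}, "key wrapping": wt} {
		ok, err := RoundTrip(tok, "login.example", "other.example")
		fmt.Printf("%-15s round trip ok=%v err=%v\n", name, ok, err)
	}
}
```

Two things worth noticing while reading it. With derivation, the credential ID reveals nothing about the key, but the per-registration nonce is what keeps two registrations with the same relying party from sharing a public key; drop it and the registrations become linkable. With wrapping, the whole secret travels through the server in encrypted form, so the privacy and security of the scheme rest entirely on the wrapping cipher and on binding the relying-party identifier as associated data, which is exactly the kind of building-block dependence the abstract's contribution (2) qualifies with "if the underlying building blocks are chosen appropriately".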


  8. Feta: Efficient Threshold Designated-Verifier Zero-Knowledge Proofs
    Authors: Carsten Baum, Robin Jadoul, Emmanuela Orsini, Peter Scholl, and Nigel P. Smart

Zero-Knowledge protocols have increasingly become both popular and practical in recent years due to their applicability in many areas such as blockchain systems. Unfortunately, public verifiability and small proof sizes of zero-knowledge protocols currently come at the price of strong assumptions, large prover time, or both, when considering statements with millions of gates. In this regime, the most prover-efficient protocols are in the designated verifier setting, where proofs are only valid to a single party that must keep a secret state.
In this work, we bridge this gap between designated-verifier proofs and public verifiability by distributing the verifier. Here, a set of verifiers can then verify a proof and, if a given threshold t of the n verifiers is honest and trusted, can act as guarantors for the validity of a statement. We achieve this while keeping the concrete efficiency of current designated-verifier proofs, and present constructions that have small concrete computation and communication cost. We present practical protocols in the setting of threshold verifiers with t < n/4 and t < n/3, for which we give performance figures, showcasing the efficiency of our approach.