Research Summary: Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users

TLDR:

  • From a privacy perspective, Ethereum’s account-based model is less secure than Bitcoin’s unspent transaction output model (UTXO). Several privacy enhancing overlays have been deployed, such as noncustodial, trustless coin mixers and confidential transactions.
  • The authors claim to be the first to propose and implement Ethereum user profiling techniques based on quasi-identifiers to test these overlays.
  • Three different deanonymizing techniques were tested:
    Quasi-identifiers and node-embedded ranking algorithms were applied on regular transactions. They were also applied to trustless mixers such as Tornado Cash. Finally, the Danaan-gift attack was used to fingerprint addresses, relinking shielded transactions.
  • The anonymity set of a certain address can be effectively reduced by a factor of 2^1.6 ~= 3.0314 bits on average.

Core Research Question

  • For an account-based paradigm such as Ethereum, can we come up with attacks that reduce the anonymity set to a certain extent and deanonymize accounts in the future?
  • What are the limitations of such attacks?
  • How can users, devs and core devs keep the transactions private, to further increase the anonymity and privacy of the Ethereum network?

Citations

Béres, Ferenc, et al. “Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users.” arXiv preprint arXiv:2005.14051 (2020).

Twitter threads by the author of the paper.

Karate Club: An API Oriented Open-source Python Framework for Unsupervised Learning on Graphs (CIKM 2020).

Code repository used in the paper.

Background

Mixers and confidential transactions are well-used on the Bitcoin blockchain, which is based on a UTXO paradigm. Ethereum differs from Bitcoin in that address reuse is enforced on a protocol level. This paper is the first (to the authors’ knowledge) to propose and implement Ethereum user profiling techniques based on quasi-identifiers. They use graph-representation learning to analyze privacy, specifically anonymization on Ethereum.

Summary

  1. Account-based Ethereum is inferior to UTXO-based Bitcoin from the perspective of privacy, as one has to reuse an account in order to spend any remaining funds. This enables quasi-identifiers for profiling, identifying and linking the person behind accounts.
    1. The paper gave a few novel quasi-identifiers: temporal activity, transaction fee (gas oracle source), and location in the transaction graph.
    2. The authors correlated Ethereum Name Service (ENS) addresses to a certain user via Diff2Vec and Role2Vec. They crawled ENS addresses and corresponding Twitter handle/address pairs via a public Twitter API, as an “answer” or “ground truth”, to evaluate the performance of the method.
    3. They attacked mixing solutions such as Tornado Cash, and pointed out common misuses, which make it possible to deanonymize and relink deposited accounts to withdrawn accounts.
    4. They also describe a Danaan-gift attack, where sending a small but identifiable balance to a target (0.000123456789, for example) could fingerprint the account.
    5. The paper collected and open-sourced their dataset for further research purposes.
  2. They introduce two existing approaches (albeit primitive): analyzing smart contracts, and analyzing addresses.
    1. Smart Contracts were examined for unsupervised clustering techniques, and contract code reuse.
    2. Addresses were crudely clustered into four different groups; analyzed based on airdrops/ICOs; stylometry was used to deanonymize contract developers.
  3. The authors offer a brief introduction to a non-custodial mixer called Tornado Cash, Ethereum Name Service (ENS), and node embedding algorithms in Machine Learning.
  4. Methodology of dataset collection: here the authors explain how the relationships between ENS, addresses, and humans were collected from Twitter, Humanity DAO, addresses that interacted with Tornado Cash’s mixer contract, and Etherscan.
    1. At this perfunctory stage, the authors discovered that many public addresses could already be linked to real people, and those addresses exposed sensitive activities, such as gambling and adult services.
  5. The paper focused on reducing the anonymity set, rather than finding an exact identification. The paper aims to be the cornerstone for “future privacy” protection.
    1. Treating evaluation as a classification task in ML, AUC (area under curve) as the average rank of results from selected algorithms (harmonic average of Diff2Vec and Role2Vec).
    2. Quantity/efficiency is expressed as entropy gain, where the paper inferred an empirical probability distribution from the former result, to judge the deanonymization power of the algorithms.
  6. Accounts were linked via three quasi-identifiers: temporal activity, transaction fee (gas oracle source), and location in the transaction graph.
    1. Temporal activity of a certain account is represented as μ, x̃, and std in vectors.
    2. Gas price was chosen manually by the user, or automatically by the wallet client - therefore a gas profile (slow, normal, fast) could be constructed for each Ethereum user. Also represented as μ, x̃, and std in vectors.
    3. The pre-processing of raw accounts and transaction data was described, in order to apply node embedding algorithms to it.
    4. Euclidean feature vectors are calculated with the above-mentioned quasi-identifiers. Different granularity of data range and different algorithms are applied.
    5. The result shows that the harmonic average of the ranks of Diff2Vec and Role2Vec is the most promising, and yielded 1.6 extra bits of additional information on the account owner (2^1.6 of anonymity set reduced).
  7. They explain k-anonymity and the concept of anonymity set for native mixing services on Ethereum, using Tornado Cash as an example.
    1. Utilizing gas quasi-identifier and reused deposit/withdrawal account address pairs to deanonymize them, the paper relinked 218, 110, 60, and 7 addresses for 0.1 ETH, 1 ETH, 10 ETH, 100 ETH contracts.
    2. The paper found that users who reused their addresses were more likely to consecutively deposit and withdraw within <24 hours. Thus, a temporal quasi-identifier can further be used to deanonymize addresses if the majority of users are assumed to not leave their funds in the mixer contract for more than 3 days. Also, the account used to withdraw was not fresh i.e., without previous transactions, for most users.
    3. They describe performance evaluation methods. Performance comparison between quasi-identifiers and Diff2Vec. The best result with regard to entropy gain is the concatenated results of both Diff2Vec and quasi-identifiers.
    4. They suggest correct usage for mixers to maintain intended privacy properties. Three best practices:
      1. Leave funds in a contract for more than a week, even better if this includes a randomized deposit and withdraw interval;
      2. Use a relayer to withdraw to fresh addresses;
      3. Use a mixer after every on-chain transaction in order to prevent user behavior profiling.
  8. The authors introduced the Danaan-gift attack on Ethereum, where sending crafted, unusual amounts to victims can be used for fingerprinting addresses.
    1. Taking Aztec’s shielded transaction as an attack example.
  9. The authors discuss future directions of deanonymization techniques, such as combining on-chain data and off-chain data for analysis.
    1. More quasi-identifiers are waiting to be found, such as wallet fingerprints (different ways to calculate gas fees between clients).
    2. Network layer privacy should be considered on Ethereum. The use of relayer could also be potentially harmful to privacy.
    3. Metamask and mobile clients should be further researched in order to prevent fingerprinting.
    4. Quasi-identifiers on Ethereum could also be a possible attack vector on UTXO-based blockchains. UTXOs could be mass-clustered, and are vulnerable to deanonymization attacks.

Part I. Deanonymization Methods, Quasi-Identifiers

Data Preparation

The dataset included linkable relationships between ENS, addresses, and humans. This public data was used as ground truth to evaluate the performance of deanonymization techniques. The dataset was collected from Twitter, Humanity DAO, and addresses that interact with Tornado Cash’s mixer contract. The corresponding raw transaction data was gathered via Etherscan.

Raw transaction data of addresses was pre-processed into Euclidean feature vectors (and represented as a transaction graph) via Karate Club, an API-oriented open-source Python framework for unsupervised learning on graphs.

Assumption

The paper devised three quasi-identifiers: temporal activity, transaction fee (gas oracle source), and location in the transaction graph. The performance of the three is compared later in the paper.

Algorithmic Adjustment

The average rank and AUC (area under curve) returned by the node embedding algorithms cannot be used directly to evaluate deanonymization, since they do not directly produce the prior and posterior probability distributions needed to infer the entropy gain (:= privacy loss := reduction of the anonymity set) after applying different deanonymization techniques.

Section V of the paper gives the proof and the method the authors used to make the results of different quasi-identifiers “comparable”: generating the empirical probability distribution of entropy gain from the returned rank of candidates for the node embedding algorithms.

The size reduction of the anonymity set is therefore represented as entropy gain, a metric we are concerned with for deanonymization techniques.

Evaluation

Quasi-identifiers:

  • Temporal activity of a certain account is represented as μ, x̃, and std in vectors.
  • Gas price is chosen manually by the user, or automatically by the wallet client - therefore a gas profile (slow, normal, fast) can be constructed for each Ethereum user. Also represented as μ, x̃, and std in vectors.
  • Diff2Vec and Role2Vec, the two node embedding algorithms, were applied on the transaction graph to rank the similarities between ground truth and the raw transaction data.

Results

The average rank for temporal activity:
[image]

The average rank for gas price:
[image]

The harmonic rank average of Diff2Vec and Role2Vec combined, for the transaction graph:
[image]

One can see that Diff2Vec and Role2Vec are superior to the other two quasi-identifiers.

When it comes to entropy gain:

The result is very clear: the combined Diff2Vec and Role2Vec results excel in every aspect.

Part II. Deanonymization Methods, Mixers such as Tornado Cash.

Data Preparation

Three heuristics were proposed:

  • If there is an address from which a deposit and also a withdrawal have been made, then we should consider these deposits and withdrawals linked.
  • If there is a deposit-withdraw pair with unique and manually set gas prices, then we should consider them linked.
  • Let d be a deposit and w be a withdrawal address in a Tornado Cash (TC) mixer. If there is a transaction between d and w (or vice versa), we should consider the addresses linked.

These linked addresses are used as ground truth pairs, for performance evaluation.
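The three heuristics above, written as a self-audit over one mixer pool (an added example, not code from the paper or its repository). The addresses, gas prices and transfers are constructed, and the `looks_manual` test for a "manually set" gas price is an assumption.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

GWEI = 10**9

class MixerTx(NamedTuple):
    kind: str       # "deposit" or "withdraw"
    address: str    # depositing address, or withdrawal recipient
    gas_price: int  # wei

def looks_manual(gas_price: int) -> bool:
    # Assumption (not from the paper): a non-whole-gwei price counts as manually set.
    return gas_price % GWEI != 0

def linked_pairs(mixer_txs, transfers):
    """Map (deposit_address, withdraw_address) -> names of the heuristics linking them."""
    deposits = [t for t in mixer_txs if t.kind == "deposit"]
    withdraws = [t for t in mixer_txs if t.kind == "withdraw"]
    dep_addrs = {d.address for d in deposits}
    wd_addrs = {w.address for w in withdraws}
    links = defaultdict(set)

    # Heuristic 1: the same address deposited and withdrew.
    for addr in dep_addrs & wd_addrs:
        links[(addr, addr)].add("same_address")

    # Heuristic 2: a manual gas price seen on exactly one deposit and one withdrawal.
    dep_by_price = Counter(d.gas_price for d in deposits)
    wd_by_price = Counter(w.gas_price for w in withdraws)
    for d in deposits:
        p = d.gas_price
        if looks_manual(p) and dep_by_price[p] == 1 and wd_by_price[p] == 1:
            w = next(w for w in withdraws if w.gas_price == p)
            links[(d.address, w.address)].add("unique_gas_price")

    # Heuristic 3: a direct transfer between d and w, in either direction.
    for src, dst in transfers:
        for d, w in ((src, dst), (dst, src)):
            if d != w and d in dep_addrs and w in wd_addrs:
                links[(d, w)].add("direct_transfer")
    return dict(links)

def unlinked_deposits(mixer_txs, transfers):
    """Deposit addresses no heuristic links: what is left of the anonymity set."""
    linked = {d for d, _ in linked_pairs(mixer_txs, transfers)}
    return sorted({t.address for t in mixer_txs if t.kind == "deposit"} - linked)

# Constructed sample data: placeholder addresses, one pool.
SAMPLE_TXS = [
    MixerTx("deposit", "0xA", 20 * GWEI),
    MixerTx("deposit", "0xB", 3_141_592_653),   # 3.141592653 gwei, typed by hand
    MixerTx("deposit", "0xC", 20 * GWEI),
    MixerTx("deposit", "0xD", 12 * GWEI),
    MixerTx("withdraw", "0xA", 25 * GWEI),      # reused deposit address
    MixerTx("withdraw", "0xF", 3_141_592_653),  # same hand-typed price
    MixerTx("withdraw", "0xG", 20 * GWEI),
    MixerTx("withdraw", "0xH", 12 * GWEI),
]
SAMPLE_TRANSFERS = [("0xH", "0xD"), ("0xX", "0xY")]  # (sender, recipient)

if __name__ == "__main__":
    print(linked_pairs(SAMPLE_TXS, SAMPLE_TRANSFERS))
    print("unlinked deposits:", unlinked_deposits(SAMPLE_TXS, SAMPLE_TRANSFERS))
```

In the sample, three of the four deposits are linked and only `0xC` stays in the anonymity set, even though `0xD` and `0xH` share an ordinary 12 gwei price that heuristic 2 ignores.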

It is worth mentioning that such simple heuristics already deanonymized a significant portion of accounts, as shown in the following table:

[image]

Evaluation

The same methods as in Part I are also applied here.

Ground truth addresses were separated into three sets, one when the deposit was within the past day of the withdrawal, another when within the past week, and the unfiltered full set, in order to understand the impact on anonymity for consecutive deposit and withdrawals.

Results

Different deanonymization methods, ordered by rank:
[image]

The paper concatenated the feature vectors of Diff2Vec and daily activity (temporal activity) to yield the best result. A detailed description was not easily available.

In terms of entropy gain:

If we were to know the rank trend versus time i.e., after deposit, how long should we wait before withdrawal:

One should wait at least 7 to 15 days for the deposit transactions to increase, increasing the anonymity set.

Part III. Deanonymization Methods, Shielded Transactions such as Aztec.

A common phenomenon is observed in Ethereum: 1 ETH = 10^18 wei, but most wallet clients’ gas units are in gwei = 10^9 wei. That is, 98.1% of the wallet clients do not modify the last 9 digits of the account balance at all.

The Danaan-gift attack, in which an adversary sends a unique small amount to the victim’s address to fingerprint the account by exploiting the above-mentioned phenomenon, can be conducted on layer 2 shielded transactions such as the Aztec protocol to relink confidential transactions.

Such a fingerprint could survive or disappear after more transactions have been conducted by the victim’s account, with the following probability:

Be advised that such an attack is a proof-of-concept at the moment; the paper did not actually conduct one (yet).
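A wallet-side check for the phenomenon above, as an added example that is not from the paper or the original post: it flags incoming transfers that change the last nine digits of a balance and shows that such a tag survives spends priced in whole gwei. All amounts and transaction ids are constructed, and `whole_gwei_amount` is a hypothetical helper.

```python
GWEI = 10**9  # 1 gwei = 10^9 wei; 1 ETH = 10^18 wei

def sub_gwei_tag(amount_wei: int) -> int:
    """The last 9 decimal digits of a wei amount, the part most wallets never touch."""
    return amount_wei % GWEI

def flag_tagged_transfers(incoming):
    """incoming: iterable of (tx_id, value_wei). Return the transfers that alter
    the recipient's sub-gwei digits, together with the tag each one adds."""
    return [(tx_id, sub_gwei_tag(v)) for tx_id, v in incoming if sub_gwei_tag(v)]

def apply_spends(balance_wei, spends):
    """spends: iterable of (value_wei, gas_used, gas_price_wei). Return the final balance."""
    for value, gas_used, gas_price in spends:
        balance_wei -= value + gas_used * gas_price
    return balance_wei

def whole_gwei_amount(balance_wei: int) -> int:
    """Largest amount with no sub-gwei digits; moving this instead of the full
    balance leaves the tag behind (a possible response, not from the paper)."""
    return balance_wei - sub_gwei_tag(balance_wei)

# Constructed sample data.
INCOMING = [
    ("tx1", 5 * 10**18),   # ordinary 5 ETH transfer
    ("tx2", 123_456_789),  # dust with distinctive low-order digits
]
START = sum(v for _, v in INCOMING)
# Value and gas price in whole gwei, as typical wallet clients produce.
GWEI_SPENDS = [(10**18, 21_000, 20 * GWEI), (25 * 10**16, 21_000, 35 * GWEI)]
# One spend whose gas price carries a single extra wei.
ODD_SPENDS = [(10**18, 21_000, 20 * GWEI + 1)]

if __name__ == "__main__":
    print("tagged transfers:", flag_tagged_transfers(INCOMING))
    print("tag after whole-gwei spends:", sub_gwei_tag(apply_spends(START, GWEI_SPENDS)))
    print("tag after odd-priced spend:", sub_gwei_tag(apply_spends(START, ODD_SPENDS)))
    print("tag of whole-gwei amount:", sub_gwei_tag(whole_gwei_amount(START)))
```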

Discussion and Key Takeaways

The authors of the paper were stunned that so few empirical studies had been done on account-based privacy issues. Three quasi-identifiers and one evaluation method (Diff2Vec and Role2Vec combined) were provided in the paper, where on average 2^1.6 entropy could be gained after applying the aforementioned deanonymization techniques. Future privacy can be improved on the results of this work.

A few suggestions were provided to users on different applications and occasions:

  • Do not use sensitive applications with your public, already used address.
  • Do not reuse addresses if possible and feasible.
  • Manually decide your gas amount/use a different gas oracle when doing transactions.
  • When using mixing services, wait at least a week before withdrawal, and do not reuse addresses. Use a relayer to withdraw with a fresh address.

For the ecosystem as a whole, the paper suggested:

  • Wallet clients should implement a certain degree of gas randomization and use a different gas oracle feed.
  • Mixers such as Tornado Cash should improve the UX design for users to better use the mixing service as intended, in order to maintain a healthy size of the anonymity set.
  • A network layer security (libp2p) on Ethereum should be further considered, in order to better achieve/protect future privacy/forward privacy.

Implications and Follow-ups

A research paper called PERIMETER was published, describing a passive network-layer attack that would de-anonymize transactions on Bitcoin and Ethereum with 90% accuracy by intercepting 50% of connections. But there has been little other attention focused on network-layer privacy on the Ethereum blockchain. The Ethereum core development team is focused on improving the throughput of ETH 2.0 and this doesn’t seem to be a high priority ticket yet: https://github.com/ethereum/eth2.0-specs/issues/2285.

9 Likes

@Jerry_Ho Could this kind of analysis also be used against account-based L1s like Solana and DOT?

3 Likes

In order to apply the strategy, more things have to be considered:

First, is solana/polkadot famous enough that (no offense), we can gather enough public data (person-accounts pairs) as ground truth pairs for evaluation of the algorithm?

That is, we shall check closely how solana/polkadot are fundamentally different in their network layer behavior, such as the validator design, different transaction format, p2p nodes behavior, to name a few.

One example:
In solana, the transaction fee is, in a sense, deterministic. And the way to obtain it is vastly different from the behavior on Ethereum.

Therefore, gas oracle as a quasi-identifier no longer works on solana, or it has to be heavily tweaked.

Ref:

Personally, I don’t know much about solana and polkadot; but one should always be cautious when applying exciting new techniques - you gotta know what you’re doing, or it could be garbage-in-garbage-out.

P.S. please correct me if my understanding of solana gas fee is flawed; it’d be very appreciated!

2 Likes

Has anyone actually used a Danaan-gift attack yet? How would it work in the wild, I wonder?

1 Like

It was originally aimed at attacking zcash. After a brief search, I cannot find any attack on other blockchains.

The discussions, tools and papers by Alex Biryukov and his team at the University of Luxembourg can be found here, in chronological order:

The paper directly cited by Blockchain is Watching You:

And the refined results:
Biryukov, Alex, and Daniel Feher. “Privacy and linkability of mining in zcash.” 2019 IEEE Conference on Communications and Network Security (CNS). IEEE, 2019.

Biryukov, Alex, Daniel Feher, and Giuseppe Vitto. “Privacy aspects and subliminal channels in Zcash.” Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019.

3 Likes

I would like to add some notes about the Danaan-Gift attack for those who aren’t familiar with Aztec/ZCash like me. To use those 2 protocols, users will turn (shield) a public balance into a private balance and split it into many packs for which people cannot see the balance and where it goes ([2]). Then, Danaan-Gift attackers assume users will turn (deshield) the private balance back to the public balance to use it in other ways; this is a reasonable assumption. For many people, the most convenient way is deshielding the whole account, therefore attackers can send a transaction with a malicious value to fingerprint an account and discover the deshielding behavior. [3] mentioned the deprecation of the t-address pool (I think they mean transparent value pool) will solve the problem, but may not work for Aztec as Aztec uses ETH, thus the need for deshielding is too hard to eliminate.

As I understand, the anonymity set is highly related to the number of users of a chain/mixer. [1] mentioned the ETH 2.0 may help to increase anonymity, so I’m curious about the relationship between it and network capability/famousness (as mentioned above), application (mixers) activity. How will the anonymity set increase with the growth of the other parts (e.g. TPS) of Ethereum (and Solana, Polkadot), and (how) will it affect the reduction?

  1. Y. Zhou, J. Wu and S. Zhang, “Anonymity Analysis of Bitcoin, Zcash and Ethereum,” 2021 IEEE 2nd International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE), 2021, pp. 45-48, doi: 10.1109/ICBAIE52039.2021.9389894.
  2. Williamson, Z. J. (2018). The Aztec protocol. URL: https://github.com/AztecProtocol/AZTEC.
  3. Biryukov, Alex, Daniel Feher, and Giuseppe Vitto. “Privacy aspects and subliminal channels in Zcash.” Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019.
4 Likes

https://eprint.iacr.org/2020/627.pdf was an incredible read that speaks to the challenges already discussed.

Transaction linkability attacks such as ITM or Danaan-Gift seem to be predominantly enabled by bad balance (UTXO) management on the wallet side. Through better input selection management, one could break down a shielding deposit into many transactions and potentially trick those observing the transaction graph.

For example, one could spoof a “change” UTXO before depositing into a shielded pool. Doing so would make it difficult to trace the links of each individual deposit as it breaks the common-input heuristic used to trace transactions. You could then shield transactions from transparent address to z-address. Another transaction from z-address to another z-address would shield the entire transaction.

On your way out of the shielded pool, you could do the same: instead of a single transaction, you could make several deposits from shielded to unshielded. While it is true that someone could still trace all permutations of value, the transaction graph would be very large and make it impractical.

It would be great if wallets were to automatically implement these mechanisms to reduce the possibility of linkage in systems of shielded and unshielded balances. It would make transacting more expensive, but it would likely substantially decrease the potential for timing/sizing/fee tracing attacks.

3 Likes

Recently I’ve discovered some interesting changes in IoTA - they chose to move from account-based to UTXO-based in IoTA 1.5, Chrysalis.

Although this is more of a scaling discussion rather than a privacy discussion, I think it could still be somehow related to this thread, as it brings ideas about account-based vs UTXO based paradigm.

The design rationale can be found here:

IoTA cafe, 2019
IoTA 1.5 update note

It is said that due to its peculiar/interesting take of DAG instead of blockchaining, the existence of the coordinator was too centralized and was harmful to the longevity of the network.

If we were to follow the explanation and the context of the above articles, it seems more than neutral for IoTA to switch from account-based to UTXO-based, as they

  1. don’t have smart contract yet
  2. it really makes the resolve of transactions faster

Other references before the question:
Accounts and not UTXOs, Ethereum design rationale
IoTA RFC: Transaction Payload

Here come the questions, which I couldn’t quite figure out alone.

  1. Is it going to harm IoTA’s potential on implementing turing complete smart contracts in the future version of IoTA?
  2. If the answer to 1. is no, then what’s ethereum 2.0 (specifically sharding)'s take on this issue i.e., why won’t ethereum encounter similar problem as IoTA did?
1 Like