TLDR:
- From a privacy perspective, Ethereum’s account-based model is less secure than Bitcoin’s unspent transaction output model (UTXO). Several privacy enhancing overlays have been deployed, such as noncustodial, trustless coin mixers and confidential transactions.
- The authors claim to be the first to propose and implement Ethereum user profiling techniques based on quasi-identifiers to test these overlays.
- Three different deanonymizing techniques were tested:
- Quasi-identifiers and node embedding ranking algorithms were applied on regular transactions.
- The techniques were also applied to trustless mixers such as Tornado Cash.
- Finally, the Danaan-gift attack was used to fingerprint addresses, relinking shielded transactions.
- The anonymity set of a certain address can be effectively reduced by a factor of 2^1.6 ~= 3.0314 (1.6 bits) on average.
Core Research Question
- For an account-based paradigm such as Ethereum, can we come up with attacks that reduce the anonymity set to a certain extent and deanonymize accounts in the future?
- What are the limitations of such attacks?
- How can users, devs and core devs keep the transactions private, to further increase the anonymity and privacy of the Ethereum network?
Citations
Twitter threads by the author of the paper.
Code repository used in the paper.
Background
Mixers and confidential transactions are well-used on the Bitcoin blockchain, which is based on a UTXO paradigm. Ethereum differs from Bitcoin in that address reuse is enforced on a protocol level. This paper is the first (to the authors’ knowledge) to propose and implement Ethereum user profiling techniques based on quasi-identifiers. They use graph-representation learning to analyze privacy, specifically anonymization on Ethereum.
Summary
- Account-based Ethereum is inferior to UTXO-based Bitcoin from the perspective of privacy, as one has to reuse an account in order to spend any remaining funds. This enables quasi-identifiers for profiling, identifying and linking the person behind accounts.
- The paper gave a few novel quasi-identifiers: temporal activity, transaction fee (gas oracle source), and location in the transaction graph.
- The authors correlated Ethereum Name Service (ENS) addresses to a certain user via Diff2Vec and Role2Vec. They crawled ENS addresses and corresponding Twitter handle/address pairs via a public Twitter API, as an “answer” or “ground truth”, to evaluate the performance of the method.
- They attacked mixing solutions such as Tornado Cash, and pointed out common misuses, which make it possible to deanonymize and relink deposited accounts to withdrawn accounts.
- They also describe a Danaan-gift attack, where sending a small but identifiable balance to a target (0.000123456789, for example) could fingerprint the account.
- The paper collected and open-sourced their dataset for further research purposes.
- They introduce two existing approaches (albeit primitive): analyzing smart contracts, and analyzing addresses.
- Smart Contracts were examined for unsupervised clustering techniques, and contract code reuse.
- Addresses were crudely clustered into four different groups and analyzed based on airdrops/ICOs; stylometry was used to deanonymize contract developers.
- The authors offer a brief introduction to a non-custodial mixer called Tornado Cash, Ethereum Name Service (ENS), and node embedding algorithms in Machine Learning.
- Methodology of dataset collection: the authors explain how the relationships between ENS, addresses, and humans were collected from Twitter, Humanity DAO, addresses that interacted with Tornado Cash’s mixer contract, and Etherscan.
- At this perfunctory stage, the authors discovered that many public addresses could already be linked to real people, and those addresses exposed sensitive activities, such as gambling and adult services.
- The paper focused on reducing the anonymity set, rather than finding an exact identification. The paper aims to be the cornerstone for “future privacy” protection.
- Evaluation is treated as a classification task in ML, using AUC (area under curve) and the average rank of results from the selected algorithms (harmonic average of Diff2Vec and Role2Vec).
- Quantity/efficiency is expressed as entropy gain, where the paper inferred an empirical probability distribution from the former result, to judge the deanonymization power of the algorithms.
- Accounts were linked via three quasi-identifiers: temporal activity, transaction fee (gas oracle source), and location in the transaction graph.
- Temporal activity of a certain account is represented as μ, x̃, and std in vectors.
- Gas price was chosen manually by the user, or automatically by the wallet client - therefore a gas profile (slow, normal, fast) could be constructed for each Ethereum user. Also represented as μ, x̃, and std in vectors.
- The pre-processing of raw account and transaction data is described, in order to apply node embedding algorithms to it.
- Euclidean feature vectors are calculated with the above-mentioned quasi-identifiers. Different granularity of data range and different algorithms are applied.
- The result shows that the harmonic average of the ranks of Diff2Vec and Role2Vec is the most promising, and yielded 1.6 extra bits of additional information on the account owner (2^1.6 of anonymity set reduced).
- They explain k-anonymity and the concept of anonymity set for native mixing services on Ethereum, using Tornado Cash as an example.
- Utilizing gas quasi-identifier and reused deposit/withdrawal account address pairs to deanonymize them, the paper relinked 218, 110, 60, and 7 addresses for 0.1 ETH, 1 ETH, 10 ETH, 100 ETH contracts.
- The paper found that users who reused their addresses were more likely to consecutively deposit and withdraw within <24 hours. Thus, a temporal quasi-identifier can further be used to deanonymize addresses if the majority of users are assumed to not leave their funds in the mixer contract for more than 3 days. Also, for most users the account used to withdraw was not fresh (i.e., without previous transactions).
- They describe performance evaluation methods. Performance comparison between quasi-identifiers and Diff2Vec. The best result with regard to entropy gain is the concatenated results of both Diff2Vec and quasi-identifiers.
- They suggest correct usage for mixers to maintain intended privacy properties. Three best practices:
- Leave funds in a contract for more than a week, even better if this includes a randomized deposit and withdraw interval;
- Use a relayer to withdraw to fresh addresses;
- Use a mixer after every on-chain transaction in order to prevent user behavior profiling.
- The authors introduced the Danaan-gift attack on Ethereum, where sending crafted, unusual amounts to victims can be used for fingerprinting addresses.
- Taking Aztec’s shielded transaction as an attack example.
- The authors discuss future directions of deanonymization techniques, such as combining on-chain data and off-chain data for analysis.
- More quasi-identifiers are waiting to be found, such as wallet fingerprints (different ways to calculate gas fees between clients).
- Network layer privacy should be considered on Ethereum. The use of relayer could also be potentially harmful to privacy.
- Metamask and mobile clients should be further researched in order to prevent fingerprinting.
- Quasi-identifiers on Ethereum could also be a possible attack vector on UTXO-based blockchains. UTXOs could be mass-clustered, and are vulnerable to deanonymization attacks.
Part I. Deanonymization Methods, Quasi-Identifiers
Data Preparation
The dataset included linkable relationships between ENS, addresses, and humans. This public data was used as ground truth to evaluate the performance of deanonymization techniques. The dataset was collected from Twitter, Humanity DAO, and addresses that interact with Tornado Cash’s mixer contract. The corresponding raw transaction data was gathered via Etherscan.
Raw transaction data of addresses was pre-processed into Euclidean feature vectors (and represented as a transaction graph) via Karate Club, an API-oriented open-source Python framework for unsupervised learning on graphs.
Assumption
The paper devised three quasi-identifiers: temporal activity, transaction fee (gas oracle source), and location in the transaction graph. The performance of the three is compared later in the paper.
Algorithmic Adjustment
The average rank and AUC (area under curve) returned by the node embedding algorithms cannot be used directly to evaluate deanonymization, since they do not directly produce the prior and posterior probability distributions needed to infer entropy gain := privacy loss := reduction of the anonymity set after applying different deanonymization techniques.
To make the results of different quasi-identifiers “comparable”, the authors generate an empirical probability distribution of entropy gain from the rank of candidates returned by the node embedding algorithms; please refer to Section V of the paper for the proof and the method.
The size reduction of the anonymity set is therefore represented as entropy gain, a metric we are concerned with for deanonymization techniques.
Evaluation
Quasi-identifiers:
- Temporal activity of a certain account is represented as μ, x̃, and std in vectors.
- Gas price is chosen manually by the user, or automatically by the wallet client - therefore a gas profile (slow, normal, fast) can be constructed for each Ethereum user. Also represented as μ, x̃, and std in vectors.
- Diff2Vec and Role2Vec, the two node embedding algorithms, were applied on the transaction graph to rank the similarities between ground truth and the raw transaction data.
Results
The average rank for temporal activity:
The average rank for gas price:
The harmonic rank average of Diff2Vec and Role2Vec combined, for the transaction graph:
One can see that Diff2Vec and Role2Vec are superior to the other two quasi-identifiers.
When it comes to entropy gain:
The result is very clear: the combined Diff2Vec and Role2Vec results excel in every aspect.
Part II. Deanonymization Methods, Mixers such as Tornado Cash.
Data Preparation
Three heuristics were proposed:
- If there is an address from which a deposit and also a withdrawal have been made, then we should consider these deposits and withdrawals linked.
- If there is a deposit-withdraw pair with unique and manually set gas prices, then we should consider them linked.
- Let d be a deposit and w be a withdrawal address in a Tornado Cash (TC) mixer. If there is a transaction between d and w (or vice versa), we should consider the addresses linked.
These linked addresses are used as ground truth pairs, for performance evaluation.
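The three heuristics above can be run as a self-audit over one mixer pool's deposit and withdrawal records, to see which pairs a user's own behaviour has already linked. This is an added example, not the paper's code: the record layout, the single-letter addresses and the sample data are constructed, and "unique and manually set" gas price is approximated as a price that occurs exactly once among deposits and once among withdrawals.

```python
from collections import Counter

# Constructed records for one mixer pool; addresses are placeholders.
DEPOSITS = [
    {"addr": "A", "gas_price": 30_000_000_000},
    {"addr": "B", "gas_price": 31_415_926_535},  # hand-picked looking price
    {"addr": "C", "gas_price": 30_000_000_000},
    {"addr": "D", "gas_price": 45_000_000_000},
]
WITHDRAWALS = [
    {"addr": "A", "gas_price": 52_000_000_000},
    {"addr": "X", "gas_price": 31_415_926_535},
    {"addr": "Y", "gas_price": 52_000_000_000},
    {"addr": "Z", "gas_price": 60_000_000_000},
]
# (sender, receiver) of ordinary transfers outside the mixer; constructed.
TRANSFERS = [("C", "Y"), ("Q", "Z")]


def linkable_pairs(deposits, withdrawals, transfers):
    """Return {(deposit_addr, withdraw_addr, heuristic)} for linked pairs."""
    links = set()
    dep_addrs = {d["addr"] for d in deposits}
    wd_addrs = {w["addr"] for w in withdrawals}

    # Heuristic 1: the same address both deposited and withdrew.
    for addr in dep_addrs & wd_addrs:
        links.add((addr, addr, "H1"))

    # Heuristic 2: a gas price seen exactly once on each side (assumption:
    # uniqueness stands in for "unique and manually set").
    dep_prices = Counter(d["gas_price"] for d in deposits)
    wd_prices = Counter(w["gas_price"] for w in withdrawals)
    for d in deposits:
        for w in withdrawals:
            p = d["gas_price"]
            if p == w["gas_price"] and dep_prices[p] == 1 and wd_prices[p] == 1:
                links.add((d["addr"], w["addr"], "H2"))

    # Heuristic 3: a direct transfer between a deposit and a withdraw address,
    # in either direction.
    for sender, receiver in transfers:
        if sender in dep_addrs and receiver in wd_addrs:
            links.add((sender, receiver, "H3"))
        if receiver in dep_addrs and sender in wd_addrs:
            links.add((receiver, sender, "H3"))
    return links
```

In the constructed data only deposit D and withdrawal Z stay unlinked; every other pair is given away by address reuse, a distinctive gas price, or a direct transfer.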
It is worth mentioning that such simple heuristics already deanonymized a significant portion of accounts, as shown in the following table:
Evaluation
The same methods as in Part I are also applied here.
Ground truth addresses were separated into three sets, one when the deposit was within the past day of the withdrawal, another when within the past week, and the unfiltered full set, in order to understand the impact on anonymity for consecutive deposit and withdrawals.
Results
Different deanonymization methods, ordered by rank:
The paper concatenated the feature vectors of Diff2Vec and daily activity (temporal activity) to yield the best result. A detailed description was not easily available.
In terms of entropy gain:
If we were to know the rank trend versus time i.e., after deposit, how long should we wait before withdrawal:
One should wait at least 7 to 15 days so that the number of deposit transactions increases, which enlarges the anonymity set.
Part III. Deanonymization Methods, Shielded Transactions such as Aztec.
A common phenomenon in Ethereum is observed: 1 ETH = 10^18 wei, but most wallet clients’ gas units are in gwei = 10^9 wei. That is, 98.1% of the wallet clients do not modify the last 9 digits of the account balance at all.
The Danaan-gift attack, in which an adversary sends a unique small amount to the victim’s address to fingerprint the account by exploiting the above-mentioned phenomenon, can be conducted on layer 2 shielded transactions such as the Aztec protocol, to relink confidential transactions.
Such a fingerprint could survive or disappear after more transactions have been conducted by the victim’s account, with the following probability:
Be advised that such an attack is a proof-of-concept at the moment; the paper did not actually conduct one (yet).
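The gwei-alignment phenomenon can be checked from the receiving side: flag incoming transfers whose value is not a whole number of gwei, and see whether the resulting last 9 digits of the balance survive later spending. This is an added example, not code from the paper; it works on plain account balances rather than Aztec notes, and the transaction records, ids and helper names are constructed for illustration.

```python
GWEI = 10**9  # 1 gwei = 10^9 wei, 1 ETH = 10^18 wei


def sub_gwei_tag(amount_wei: int) -> int:
    """Last 9 decimal digits of a wei amount; 0 means gwei-aligned."""
    return amount_wei % GWEI


def flag_tagged_transfers(incoming):
    """Return (tx id, tag) for incoming transfers with non-zero sub-gwei digits."""
    return [(tx["id"], sub_gwei_tag(tx["value_wei"]))
            for tx in incoming if sub_gwei_tag(tx["value_wei"]) != 0]


def balance_after(balance_wei: int, spends) -> int:
    """Apply outgoing transactions: each costs value + gas_used * gas_price."""
    for s in spends:
        balance_wei -= s["value_wei"] + s["gas_used"] * s["gas_price_wei"]
    return balance_wei


# Constructed sample data.
INCOMING = [
    {"id": "in-1", "value_wei": 5 * 10**17},
    {"id": "in-2", "value_wei": 123_456_789_000_000},  # 0.000123456789 ETH
    {"id": "in-3", "value_wei": 42 * GWEI},
]
# Typical wallet behaviour: values and gas prices in whole gwei.
TYPICAL_SPENDS = [
    {"value_wei": 10**17, "gas_used": 21_000, "gas_price_wei": 30 * GWEI},
    {"value_wei": 25 * 10**15, "gas_used": 65_000, "gas_price_wei": 41 * GWEI},
]
# A gas price that is not a whole number of gwei changes the low digits.
ODD_SPEND = [{"value_wei": 10**16, "gas_used": 21_000,
              "gas_price_wei": 30 * GWEI + 7}]


def demo():
    funded = 10**18 + sum(tx["value_wei"] for tx in INCOMING)
    return {
        "flagged": flag_tagged_transfers(INCOMING),
        "tag_after_funding": sub_gwei_tag(funded),
        "tag_after_typical": sub_gwei_tag(balance_after(funded, TYPICAL_SPENDS)),
        "tag_after_odd": sub_gwei_tag(balance_after(funded, ODD_SPEND)),
    }
```

With gwei-aligned values and gas prices the tag left by `in-2` is still in the balance after both typical spends, which is why the fingerprint persists for most wallets.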
Discussion and Key Takeaways
The authors of the paper were stunned that so few empirical studies had been done on account-based privacy issues. Three quasi-identifiers and one evaluation method (Diff2Vec and Role2Vec combined) were provided in the paper, where on average 2^1.6 entropy could be gained after applying the aforementioned deanonymization techniques. Future privacy can be improved on the results of this work.
A few suggestions were provided to users on different applications and occasions:
- Do not use sensitive applications with your public, already used address.
- Do not reuse addresses if possible and feasible.
- Manually decide your gas amount/use a different gas oracle when doing transactions.
- When using mixing services, wait at least a week before withdrawal, and do not reuse addresses. Use a relayer to withdraw with a fresh address.
For the ecosystem as a whole, the paper suggested:
- Wallet clients should implement a certain degree of gas randomization and use a different gas oracle feed.
- Mixers such as Tornado Cash should improve the UX design for users to better use the mixing service as intended, in order to maintain a healthy size of the anonymity set.
- Network-layer security (libp2p) on Ethereum should be further considered, in order to better achieve/protect future privacy/forward privacy.
Implications and Follow-ups
A research paper called PERIMETER was published, describing a passive network-layer attack that would de-anonymize transactions on Bitcoin and Ethereum with 90% accuracy by intercepting 50% of connections. But there has been little other attention focused on network-layer privacy on the Ethereum blockchain. The Ethereum core development team is focused on improving the throughput of ETH 2.0 and this doesn’t seem to be a high priority ticket yet: https://github.com/ethereum/eth2.0-specs/issues/2285.