TLDR
- Bitcoin is under constant attack by adversaries and government surveillance attempting to trace and/or link transactions to their origins.
- The authors present privacy-compromising attacks found in Bitcoin and other cryptocurrencies and analyze various privacy-preserving algorithms that mitigate or prevent these attacks.
- The authors show that privacy-preserving techniques are designed to tackle specific privacy problems, and only the resolution of a specific problem should be measured when considering effectiveness.
Core Research Question
What privacy attacks are faced by Bitcoin and other cryptocurrencies, and what privacy-preserving algorithms have been used to resolve them?
Citation
Rahalkar, Chaitanya, and Anushka Virgaonkar. "Summarizing and Analyzing the Privacy-Preserving Techniques in Bitcoin and Other Cryptocurrencies." arXiv.org, 16 Sept. 2021, arXiv:2109.07634v1.
Background
- Anonymous Network: A network that attempts to allow users to access the web without being tracked or traced. They prevent traffic analysis and network surveillance. I2P and Tor are examples of anonymous networks.
- Atomic Swaps: An atomic swap exchange permits different parties to transact from two different blockchain platforms without trusting a third party.
- CoinSwap: A protocol that allows users to send funds using a swap structure whereby multiple senders and receivers collaborate to make it harder for third parties to link them.
- Confidential Transactions: A confidential transaction is a privacy-preserving technique that focuses on concealing a transaction amount to prevent analysis or any form of inference attack.
- Common-Input-Ownership Heuristic (C-I-OH): If a transaction has more than one input, the heuristic assumes that all of those inputs are owned by a single entity. Since Bitcoin transactions can have multiple inputs and outputs, trackers may assume that every input of a transaction with more than one input belongs to the same individual.
- Deterministic Wallets: A system of deriving keys from a seed, used to create multiple addresses.
- Dust Attack: An attack where a tiny amount of cryptocurrency, called dust, is sent to multiple wallet addresses to track them with the aim of de-anonymizing the addresses.
- Dust Transactions: The transfer of an amount of cryptocurrency that is so small it is impractical to cover the transaction fee for processing.
- Equal Output CoinJoin Transaction: A CoinJoin transaction in which the outputs have equal values, used to make the flow of bitcoin untraceable from inputs to outputs.
- Full Anonymity: A protocol that provides absolute concealment of the sender node, receiver node, and transaction details.
- Hierarchical Deterministic Wallet: A type of deterministic wallet that enables the creation of a series of key pairs from one seed to enhance privacy and security.
- Pseudonymity: A state of anonymity where pseudonymous addresses are used. It is a disguised state between complete anonymity and open information.
- Ring Signature: A type of digital signature that can be produced by any member of a group of users who each hold their own key. The anonymity of a ring signature is irrevocable, and it is not possible to determine which member produced the signature.
- Set Anonymity: A type of anonymity used in the Monero cryptocurrency through ring signatures, where a user's identity is 1 out of n possible peer identities.
- Stealth Address: A stealth address is a key pair used by a recipient to prevent disclosing their public wallet address.
- Taint Analysis: An analysis that traces the flow of users' input to detect vulnerabilities or security implications.
- Unlinkability: When an attacker cannot sufficiently distinguish whether two or more messages or transactions are related or not.
- Untraceability: When a transaction cannot be traced from one wallet to another.
- Wallet Fingerprinting: A wallet software creates unique fingerprints when making transactions. Analysts can use fingerprinting to deduce which software was used to create a transaction.
- Zero-Knowledge Proof: A method by which a party (the prover) can prove possession of knowledge to another party (the verifier) without disclosing additional information.
- Zcash: A cryptocurrency that uses zero-knowledge proofs for preserving privacy. Z-addresses and T-addresses are the two address types provided by Zcash: the former use zk-SNARKs to enhance user privacy, whereas the latter behave like Bitcoin addresses.
- zk-SNARKs: An acronym standing for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. It is a technology that uses non-interactive zero-knowledge cryptographic proofs.
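To make the Common-Input-Ownership Heuristic and the Equal Output CoinJoin Transaction defined above concrete, here is an added example (not code from the paper or any wallet project) that runs CIOH over a constructed set of three transactions. Addresses are short labels and values are satoshis, all made up for the illustration; tx3 is an equal-output CoinJoin in which three unrelated participants each receive one 8,000-sat output. The example shows why applying the heuristic blindly merges unrelated wallets, why the equal-valued outputs leave an observer with an anonymity set of three, and why the unequal change outputs of such a CoinJoin can still be attributed to their inputs by value. The CoinJoin detection rule and the fee bound are this example's own simplifications.

```python
"""Common-input-ownership heuristic (CIOH) over a constructed transaction set.

Constructed example, not real chain data: addresses are short labels and
values are in satoshis. tx3 is an equal-output CoinJoin in which three
unrelated participants (A, B, C) each receive one 8,000-sat output.
"""
from collections import Counter

TXS = {
    "tx1": {"inputs": [("A1", 50_000), ("A2", 30_000)],
            "outputs": [("M1", 70_000), ("A3", 9_000)]},
    "tx2": {"inputs": [("B1", 100_000)],
            "outputs": [("A4", 60_000), ("B2", 39_000)]},
    "tx3": {"inputs": [("A3", 9_000), ("B2", 39_000), ("C1", 20_000)],
            "outputs": [("X1", 8_000), ("X2", 8_000), ("X3", 8_000),
                        ("B3", 30_000), ("C2", 11_000)]},
}


class UnionFind:
    """Minimal disjoint-set structure for merging addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def coinjoin_denomination(tx):
    """Return the repeated output value of a CoinJoin-looking transaction.

    Simplified rule used here: at least two inputs and at least two outputs
    of the same value. Returns None when the transaction does not look like
    a CoinJoin.
    """
    if len(tx["inputs"]) < 2:
        return None
    value, count = Counter(v for _, v in tx["outputs"]).most_common(1)[0]
    return value if count >= 2 else None


def anonymity_set_size(tx, denomination):
    """Number of equal-valued outputs an observer must choose between."""
    return sum(1 for _, v in tx["outputs"] if v == denomination)


def cluster_inputs(txs, skip_coinjoin=True):
    """Apply CIOH: every input of a transaction is assumed to share an owner.

    With skip_coinjoin=False the heuristic is applied blindly and a CoinJoin
    merges the clusters of unrelated participants.
    """
    uf = UnionFind()
    for tx in txs.values():
        if skip_coinjoin and coinjoin_denomination(tx) is not None:
            continue
        addrs = [a for a, _ in tx["inputs"]]
        uf.find(addrs[0])  # register single-input transactions too
        for other in addrs[1:]:
            uf.union(addrs[0], other)
    clusters = {}
    for addr in uf.parent:
        clusters.setdefault(uf.find(addr), set()).add(addr)
    return {frozenset(members) for members in clusters.values()}


def link_change(tx, denomination, max_fee=2_000):
    """Attribute the non-equal (change) outputs of a CoinJoin to the input
    that could have funded them: input - denomination - change must be a
    plausible fee. Only unambiguous matches are returned."""
    links = {}
    for out_addr, change in tx["outputs"]:
        if change == denomination:
            continue
        candidates = [in_addr for in_addr, v in tx["inputs"]
                      if 0 <= v - denomination - change <= max_fee]
        if len(candidates) == 1:
            links[out_addr] = candidates[0]
    return links


if __name__ == "__main__":
    denom = coinjoin_denomination(TXS["tx3"])
    print("CIOH, CoinJoin skipped:", cluster_inputs(TXS))
    print("CIOH applied blindly:  ", cluster_inputs(TXS, skip_coinjoin=False))
    print("tx3 anonymity set:", anonymity_set_size(TXS["tx3"], denom))
    print("tx3 change outputs linked to inputs:", link_change(TXS["tx3"], denom))
```

Skipping tx3 leaves the honest clusters {A1, A2} and {B1}; applying the heuristic blindly merges A3, B2 and C1 into one false cluster. The three 8,000-sat outputs cannot be told apart, but the 30,000-sat and 11,000-sat change outputs each have exactly one input that could have paid for them, which is the leakage the Summary below attributes to unequal outputs.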
Summary
- Bitcoin faces several attacks on multiple fronts, including transaction malleability, double-spending, and block withholding, amongst others.
- Bitcoin falls within the pseudonymity tier in the privacy domain.
- As a result, multiple issues targeting the pseudonymity claims of Bitcoin have been found in the protocol.
- Many privacy attacks are attempted on the Bitcoin blockchain by exploiting its loopholes and limitations.
- Some tools can link addresses and their corresponding transactions using the transaction graph and publicly available ledger. This is known as transaction traceability. This means that if the pseudonymous owner of an address is known, third parties can trace transactions to them. However, when different addresses are used for each transaction, linking transactions to owners becomes more difficult.
- Unique fingerprints made through wallet fingerprinting can reveal information about the wallet software being used. Analysis of fingerprints can lead to deductions about the parties involved in a transaction.
- When transaction amounts are round figures in fiat terms, e.g. 0.000016 BTC equals 1 USD, and fall within the commonly known cryptocurrency-fiat conversion rate, third parties can sometimes guess a transaction's potential destination.
- Tracking the flow of coins is a privacy attack done through taint analysis. When a wallet user's address is known to an adversary, they can track the transactions being made from the address. The recipient is "tainted" with coins from the sender.
- In the same vein, an adversary can send dust to multiple accounts and reveal a user's identity when they consolidate ("sweep") the transactions into a single wallet. The adversary may conduct a taint analysis on the dust to discover the owner, thereby de-anonymizing the user.
- When the outputs of an Equal Output CoinJoin Transaction are not all of equal value, the unequal outputs reveal the change addresses. CoinJoin is used to defeat the C-I-OH heuristic in Bitcoin.
- The researchers further analyze countermeasures that have been designed to tackle privacy problems in Bitcoin transactions. However, not all of them are being actively used.
- CoinJoin improves the privacy of transactions by combining inputs from multiple senders into one single transaction, making it difficult for third parties to trace transactions or make inferences. Transactions can leak IP addresses; therefore, participants are expected to transact over anonymous networks like Tor and I2P. In decentralized systems, CoinJoin can be threatened by denial-of-service (DoS) attacks.
- Tracking and tracing off-chain transactions are more complicated when compared to on-chain transactions because not all transactions are recorded on the chain. Transaction information is stored chiefly between users and only periodic summaries are written on chain.
- Another countermeasure is Coin Witness, which allows payment to a user who can produce cryptographic evidence of having run a particular deterministic program on a given input argument. The validator learns nothing about the transaction apart from the publicly known inputs and the fact that they were accepted. Coin Witness is on Bitcoin's soft-fork wishlist.
- Although P2P Bitcoin transactions are done through trusted intermediaries, CoinSwap requires non-censorship and significant interaction from both parties to a transaction, and can fail if these conditions are not met. CoinSwap has not yet been deployed on the Bitcoin blockchain.
- For hierarchical deterministic (HD) wallets, third parties can leverage the deterministic nature of HD wallets to conduct attacks. Extended public keys do not protect the privacy of the entire tree of public keys derived from them.
- Certain cryptocurrencies have privacy-preserving techniques that can be used to protect the privacy of transactions carried out on their protocols.
- Although ring signatures protect identities, they fail to conceal transaction amounts which can be used to infer transaction patterns.
- A stealth address scheme guarantees the unlinkability of a stealth address and the public wallet address of a recipient. Multiple transactions from different senders to one recipient using their public wallet address can cause the senders to discover that their recipient is the same.
- In the same fashion, Ring Confidential Transactions (RingCT) preserve privacy in cryptocurrencies by hiding the number of coins transferred from sender to receiver in a transaction.
- Finally, using zk-SNARKs, a prover proves to a verifier that they possess a particular piece of information without revealing the information to the verifier.
Method
- The researchers thoroughly review prior work on privacy attacks and techniques that can enhance user privacy.
- They analyze and measure critical aspects of these techniques in the context of the sender and recipient addresses, transaction-level data, as well as metadata available on the blockchain ledger.
Results
- There are asymmetrical approaches to privacy. The researchers found that the ability of a privacy-preserving technique to protect the privacy of users depends on the underlying cryptographic schemes, anonymity set, and blockchain data model.
- Comparison of privacy-preserving techniques in various cryptocurrencies (table in the paper).
- Privacy-preserving techniques were created to achieve specific privacy goals; therefore, users must be aware of the peculiarities of each technique. For instance, CoinJoin can only provide privacy when the anonymity set is large.
Discussion and Key Takeaways
- Even if privacy-preserving techniques are used, additional information accidentally collected from other sources on the blockchain coupled with de-anonymization attacks may result in attacks on the privacy of transactions. The theoretical guarantee of privacy differs from the practical guarantee of privacy.
- Cryptocurrencies offering absolute anonymity are often avoided by third parties such as centralized exchanges due to money laundering allegations and suspicion of illicit activities. However, there is a fine line between acceptability and privacy in cryptocurrency; therefore, a feasible way to toe the line would be to comply with a moderate layer of privacy while maintaining acceptability.
Implications and Follow-ups
- The researchers demonstrate that privacy-preserving algorithms work to resolve specific privacy attacks that they are created for, such as transaction graph analysis attacks. When the wrong technique is used, privacy of the transaction cannot be guaranteed. For instance, in Zcash, only Z-addresses can be used if users want to keep their transactions private.
- Privacy-preserving techniques sometimes provide limited privacy because they have loopholes that adversaries may exploit. For instance, with stealth addresses a user would have to generate a new wallet address for each transaction to avoid being discovered. Furthermore, generating new wallet addresses for individual transactions is unappealing, as stealth addresses are meant to remove the need for multiple addresses.
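The stealth address scheme named in the Background and discussed in the Summary and in the item above, as an added example that is not the paper's code nor that of any cryptocurrency project: a dual-key scheme in which the recipient publishes a view key A and a spend key B once, each sender derives a fresh one-time address P from them, and only the holder of the private view key can recognise P. The curve (secp256k1, as used by Bitcoin), the SHA-256 key derivation and all function names are this example's assumptions; Monero's implementation uses ed25519 and Keccak but has the same structure. The scalar multiplication is a plain double-and-add written for readability, not a constant-time routine.

```python
"""Dual-key stealth addresses on secp256k1 (added illustration).

Recipient: private view key a, private spend key b; publishes (A, B).
Sender:    ephemeral r, publishes R = rG, pays to P = B + H(rA)G.
Recipient: recognises P by recomputing B + H(aR)G; spends with b + H(aR).
An observer who sees only R and P cannot link P to (A, B) without a or r.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public constants of the curve Bitcoin uses).
PRIME = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """Check y^2 = x^3 + 7 over the field (secp256k1 has a = 0, b = 7)."""
    x, y = pt
    return (y * y - x * x * x - 7) % PRIME == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def compress(pt):
    """SEC1 compressed encoding, used as hash input."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def hash_to_scalar(pt):
    """Shared-secret derivation H(point), reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(compress(pt)).digest(), "big") % ORDER


def random_scalar():
    return secrets.randbelow(ORDER - 1) + 1


def recipient_keygen():
    """Return private (a, b) and the published stealth address (A, B)."""
    a, b = random_scalar(), random_scalar()
    return (a, b), (ec_mul(a, G), ec_mul(b, G))


def sender_derive(stealth_addr, r=None):
    """Sender side: R = rG is published with the payment; funds go to P."""
    A, B = stealth_addr
    r = r if r is not None else random_scalar()
    R = ec_mul(r, G)
    one_time = ec_add(B, ec_mul(hash_to_scalar(ec_mul(r, A)), G))
    return R, one_time


def recipient_scan(priv, stealth_addr, R, one_time):
    """Recipient side: only the private view key a can recompute H(aR)."""
    a, _ = priv
    _, B = stealth_addr
    return ec_add(B, ec_mul(hash_to_scalar(ec_mul(a, R)), G)) == one_time


def recipient_spend_key(priv, R):
    """One-time private key x = b + H(aR) mod n, so that xG == P."""
    a, b = priv
    return (b + hash_to_scalar(ec_mul(a, R))) % ORDER


if __name__ == "__main__":
    priv, addr = recipient_keygen()
    R1, P1 = sender_derive(addr)  # first sender, same published address
    R2, P2 = sender_derive(addr)  # second sender, same published address
    print("one-time addresses differ:", P1 != P2)
    print("recipient recognises both:",
          recipient_scan(priv, addr, R1, P1), recipient_scan(priv, addr, R2, P2))
    print("spend key matches P1:", ec_mul(recipient_spend_key(priv, R1), G) == P1)
```

Two senders paying the same published (A, B) produce unrelated one-time addresses, which is the unlinkability the Summary describes; the recipient still needs to scan every candidate R with the private view key, and anyone who holds that view key (for example a third-party scanning service) regains the ability to link all payments, which is the kind of practical loophole the item above refers to.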
Applicability
- Entities needing to transact with strict privacy requirements can benefit from this research because it focuses on privacy-preserving techniques and the risks of various approaches.
- Blockchain developers and academics targeting privacy problems in Bitcoin and other cryptocurrencies should learn about the limitations of each privacy-preserving technique for both practical and research purposes.
- Entities who conduct transactions using cryptocurrencies should learn to mitigate attacks depending on the cryptocurrency used.