程序代写 FIT5214: Blockchain

FIT5214: Blockchain
Lecture 8: Privacy Lecturer:

https://dowsley.net

Copyright By PowCoder代写 加微信 powcoder

Unit Structure
• Lecture 1: Introduction to Blockchain
• Lecture 2: Bitcoin
• Lecture 3: Ethereum and Smart Contracts
• Lecture 4: Proof-of-Work (PoW)
• Lecture 5: Attacks on Blockchains
• Lecture 6: Class Test/Alternatives to PoW
• Lecture 7: Proof-of-Stake (PoS)
• Lecture 8: Privacy
• Lecture 9: Byzantine Agreement
• Lecture 10: Blockchain Network
• Lecture 11: Payment Channels
• Lecture 12: Guest Lecture

Unit Structure
• Lecture 1: Introduction to Blockchain
• Lecture 2: Bitcoin
• Lecture 3: Ethereum and Smart Contracts
• Lecture 4: Proof-of-Work (PoW)
• Lecture 5: Attacks on Blockchains
• Lecture 6: Class Test/Alternatives to PoW
• Lecture 7: Proof-of-Stake (PoS)
• Lecture 8: Privacy
• Lecture 9: Byzantine Agreement
• Lecture 10: Blockchain Network
• Lecture 11: Payment Channels
• Lecture 12: Guest Lecture
Learning outcome:
Basic understandings on privacy preserving technologies for blockchain

Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.

Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.

Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
We know the amount of money being transferred.
Also, normally, one output is to the payee, and the other is the change to the payer.

Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
We know the amount of money being transferred.
Also, normally, one output is to the payee, and the other is the change to the payer.

Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
We know the amount of money being transferred.
Also, normally, one output is to the payee, and the other is the change to the payer.
We can learn that both input 1 and input 2 belong to the same payer.

Bitcoin privacy
In Bitcoin, a user can create a new pair of (PK,SK) for each transaction to try to hide his identity.
Users may reuse the PK (address)
In fact, most users use a single or a few addresses

Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability

Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
❖ pseudonymity: real identity is hidden

(Linking Bitcoin addresses to real identities is not difficult)

Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
❖ pseudonymity: real identity is hidden

(Linking Bitcoin addresses to real identities is not difficult)
❖ unlinkability: cannot link any two transactions to the same user

Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
❖ pseudonymity: real identity is hidden

(Linking Bitcoin addresses to real identities is not difficult)
❖ unlinkability: cannot link any two transactions to the same user
❖ untraceability: cannot trace any coin back to another transaction
(cash flow)

Bitcoin privacy
Bitcoin is Pseudonymous!!!
Anonymity = pseudonymity + unlinkability + untraceability
❖ pseudonymity: real identity is hidden

(Linking Bitcoin addresses to real identities is not difficult)
❖ unlinkability: cannot link any two transactions to the same user
❖ untraceability: cannot trace any coin back to another transaction
(cash flow)
Bitcoin is NOT Anonymous!!!

Bitcoin privacy

Bitcoin privacy
Traceable to anyone (and linkable to the payee)

Bitcoin privacy
Traceable to anyone (and linkable to the payee)
Traceable and Linkable to anyone

Bitcoin privacy
Traceable to anyone (and linkable to the payee)
Additionally, account balance is also revealed in every transaction.
Traceable and Linkable to anyone

Bitcoin privacy

Bitcoin privacy
2 BTC 3 BTC
Linkable transactions (to the same payee)

Bitcoin privacy
2 BTC 2 BTC
The later transaction is traceable (back to two transactions)

Bitcoin privacy
2 BTC 2 BTC
All amounts are also visible!
The later transaction is traceable (back to two transactions)

Bitcoin privacy

A critical question
Is privacy always good?

Screenshots taken on 16th-July-2019 by Dr. , for research purpose only.

Darknet Market
Screenshots taken on 16th-July-2019 by Dr. , for research purpose only.

Darknet Market
Screenshots taken on 16th-July-2019 by Dr. , for research purpose only.

De-anonymization: an example
On the network, the first node (e.g. your mobile wallet) that sends out a new transaction, is likely to be the payer.

De-anonymization: an example
On the network, the first node (e.g. your mobile wallet) that sends out a new transaction, is likely to be the payer.

De-anonymization: an example
On the network, the first node (e.g. your mobile wallet) that sends out a new transaction, is likely to be the payer.

Ring signature (2001 by Rivest, Shamir, Tauman )
The signature scheme convinces a verifier that a document has been signed by one of n independent signers.
– When signing, other members do not
need to cooperate Bob
– The signer only needs to choose n-1 public-keys of other entities
– The actual signer is indistinguishable from other entities in the ring

signature (2001 by Rivest, Shamir, Tauman )
The signature scheme convinces a verifier that a document has been signed by one of n independent signers.
– When signing, other members do not
need to cooperate Bob
– The signer only needs to choose n-1 public-keys of other entities
– The actual signer is indistinguishable from other entities in the ring

The signer gets some anonymity!
signature (2001 by Rivest, Shamir, Tauman )
❖ wants to anonymously reveal NSA’s secrets.
❖ Any member i of NSA has a pair of keys (PKi, SKi) published on the NSA website.
❖ To reveal a secret, Snowden randomly chooses n-1 public keys from the NSA members, and creates a ring signature on the secret, so that:
❖ A third party can verify that the signer of the revealed
secret is one of the n members from NSA.
❖ No one knows which member has revealed the secret.

Ring signature (2001 by Rivest, Shamir, Tauman )
❖ A ring is an arbitrary set of participants including the actual signer.
❖ Each member i of the ring has a public encryption key PKi.
❖ Only i knows the corresponding secret key SKi.
❖ The signer and verifier need to known the public key of all
ring members.

Ring signature (2001 by Rivest, Shamir, Tauman )
Keyed combining function
Ck,v(y1, y2, . . . , yn) = Ek(yn ⊕ Ek(yn−1 ⊕ Ek( . . . Ek(y1 ⊕ v) . . . ))) = v Where the function takes (k, v, y1, y2, …, yn) as input, and
output value v.
Ek is symmetric key encryption with secret key k.

Ring signature (2001 by Rivest, Shamir, Tauman )
Keyed combining function
Ck,v(y1, y2, . . . , yn) = Ek(yn ⊕ Ek(yn−1 ⊕ Ek( . . . Ek(y1 ⊕ v) . . . ))) = v
Given (k, v) and any n-1 parameters of (y1, y2, …, yn) as input, it is easy to calculate the remaining parameter (as both Ek and xor operation are invertible).

Ring signature (2001 by Rivest, Shamir, Tauman )
Signature generation on message m:
1. k=H(m).
2. Choose random v.
3. Choose random xi for i for all other ring members and
calculate corresponding yi = gi(xi), where gi is a trapdoor function.
4. Solve the Keyed combining function for ys is simple, where i=s is the signer
Ck,v(y1, y2, . . . , yn) = Ek(yn ⊕ Ek(yn−1 ⊕ Ek( . . . Ek(y1 ⊕ v) . . . ))) = v
5. Calculating x from y is also simple x = g−1(y ). sssss
6. The ring signature is (PK1, PK2, …, PKn; v; x1, x2, …, xn).

Ring signature (2001 by Rivest, Shamir, Tauman )
Signature verification on signed message m: Signature is (PK1, PK2, …, PKn; v; x1, x2, …, xn)
1. For all xi, calculate yi = gi(xi).
2. k=H(m). 3. Verify that
Ck,v(y1, y2, . . . , yn) = Ek(yn ⊕ Ek(yn−1 ⊕ Ek( . . . Ek(y1 ⊕ v) . . . ))) = v

Linkable ring signature
Alice (sk)
Link if sk=sk’
Alice (sk’)

J.Liu et.al. Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups, ACISP 2004.

CryptoNote
Alice (sk)
(Must be a new random address)
Alice (sk)
(Must be a new random address)
spending will be identified!

CryptoNote
Alice (sk)

This provides untraceability
(Must be a new random address)
Double spending will be identified!

CryptoNote
Alice (sk)

This provides untraceability
(Must be a new random address) This is called stealth address, which aims
at providing unlinkability
(as no public key address can be reused)
Double spending will be identified!

Commitment scheme
• A commitment scheme is a cryptographic primitive that allows the sender to commit to a value during the commit phase while keeping it hidden from the receiver(s), with the ability to reveal the committed value on a later point (the opening phase).
• A commitment scheme should be binding, meaning that after the commit phase the sender cannot change the committed value.
• A commitment scheme should be hiding, meaning that before the opening phase the receiver(s) cannot learn any information about the committed value.

Commitments in Monero
• The value of all Monero inputs and outputs are committed (hidden), with additional proofs that:
1. The total amount of coins in the committed inputs is equal to the total amount of coins in the committed outputs plus the transaction fee.
2. All committed values are positive. This is done using range proofs and guarantees that coins are not created out of thin air.

Comparison
1 bitcoin 3 bitcoin 5 bitcoin
? Coin ? Coin ? Coin

Recap: Monero
❖ Monero provides better privacy than Bitcoin
❖ One-time stealth address aims at providing unlinkability (e.g. preventing address
clustering)
❖ Transaction values are hidden (by using a commitment scheme with the
accompanying equality and range proofs).
❖ Linkable ring signature is used to provide untraceability (Money flow is hidden).

Monero mixin selection
Initially, Monero has not enforced the number of mixins of transaction.
In Monero, 12158814 transaction inputs do not contain any mixins! (64.04% of all inputs before April 15, 2017, block height 1288774)
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.
et. al. An Empirical Analysis of Traceability in the , Proceedings on Privacy Enhancing Technologies, 2018.

TX2 is a 0-mixin transaction, and has no privacy guarantee!

Why 0-mixin?
Motivation:
In Monero, a transaction with smaller size pays less transaction fee.

Zero Mixin attack
In order to save money, the owner of TX2 chooses to give up its privacy, is this ok? Would it affect the privacy of others?

Zero Mixin attack
❖ The owner of TX2 is traceable!

Zero Mixin attack
❖ The owner of TX2 is traceable!
❖ The untraceability of the owner
of TX1 is reduced!

Zero Mixin attack
❖ The owner of TX2 is traceable!
❖ The untraceability of the owner
of TX1 is reduced!
❖ The probability of guessing
the real input of TX1 is expected to be 1/3.

Zero Mixin attack
❖ The owner of TX2 is traceable!
❖ The untraceability of the owner
of TX1 is reduced!
❖ The probability of guessing
the real input of TX1 is
expected to be 1/3.
❖ Now, it is 1/2.

Zero Mixin attack
❖ The owner of TX2 is traceable!
❖ The untraceability of the owner
of TX1 is reduced!
❖ The probability of guessing
the real input of TX1 is
expected to be 1/3.
❖ Now, it is 1/2.

Zero Mixin attack
❖ The owner of TX2 is traceable!
❖ The untraceability of the owner
of TX1 is reduced!
❖ The probability of guessing
the real input of TX1 is
expected to be 1/3.
❖ Now, it is 1/2.
TX1 ❖ TheownerofbothTX1andTX2 is traceable!
(One coin can only be spent once, and coin 2 is spent in TX2)

Zero Mixin attack
❖ The owner of TX2 is traceable!
❖ The untraceability of the owner
of TX1 is reduced!
❖ The probability of guessing
the real input of TX1 is
expected to be 1/3.
❖ Now, it is 1/2.
TheownerofbothTX1andTX2 is traceable!
(One coin can only be spent once, and coin 2 is spent in TX2)
TX1 ❖ T X2
❖ The owner of both TX1 and TX2 is traceable!
(coin 2 is spent in TX2 and coin 1
is spent in TX3)

Zero Mixin attack
So, users should NOT choose a mixing that is used as a 0-mixin input!

Two new TXs
The owners of the two new transactions only choose coins that is not an input of 0-mix transactions
Question: The input of which transactions are identifiable?

Even worse …
❖ The owners of TX1, TX2,TX3 are traceable!
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.

Even worse …
❖ The owners of TX1, TX2,TX3 are traceable!
❖ So, coin 3 is also known to be spent in TX1.
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.

Even worse …
❖ The owners of TX1, TX2,TX3 are traceable!
❖ So, coin 3 is also known to be spent in TX1.
❖ Even though no input of TX4 and TX5 is used as 0-mixin input.
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.

Even worse …
❖ The owners of TX1, TX2,TX3 are traceable!
❖ So, coin 3 is also known to be spent in TX1.
❖ Even though no input of TX4 and TX5 is used as 0-mixin input.
❖ The owner of TX4 is traceable!
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.

Even worse …
❖ The owners of TX1, TX2,TX3 are traceable!
❖ So, coin 3 is also known to be spent in TX1.
❖ Even though no input of TX4 and TX5 is used as 0-mixin input.
❖ The owner of TX4 is traceable!
❖ The owner of TX5 is traceable!
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.

Even worse …
Cascade effect!
❖ The owners of TX1, TX2,TX3 are traceable!
❖ So, coin 3 is also known to be spent in TX1.
❖ Even though no input of TX4 and TX5 is used as 0-mixin input.
❖ The owner of TX4 is traceable!
❖ The owner of TX5 is traceable!
et. al. A Traceability Analysis of Monero’s Blockchain, ESORICS, 2017.

Zero Mixin attack
Before April 15, 2017, block height 1288774
❖ 12158814 transaction Monero inputs do not contain any mixins! (64.04% of all inputs)
❖ For the rest inputs (35.96%), 63% of them are deducable by the cascade effect!
et. al. An Empirical Analysis of Traceability in the , Proceedings on Privacy Enhancing Technologies, 2018.

Mixin selection
When the attack was observed, Monero developers enforced a network-wide rules on the minimum number of mixins, and miners reject transactions with number of mix-ins lower than that:
❖ 2016-03-23, minimum mix-in of 2 (Ring size>=3)
❖ 2017-09-16, minimum mix-in of 4 (Ring size>=5)
❖ 2018-03-29, minimum mix-in of 6 (Ring size>=7)
❖ 2018-10-18, fixed Ring size=11
Does this solve the problem?
https://github.com/monero-project/monero#monero-software-updates-and-consensus-protocol-changes-hard-fork-schedule 37

Can you identify the real input of any transaction? Why?
Passive inference attacks
Example 1: inputs of transactions are
TX1= {1,2}, TX2={1,2}, TX3 ={2,3}, TX4 ={1,4}
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.

Passive inference attacks
Example 1: inputs of transactions are
TX1= {1,2}, TX2={1,2}, TX3 ={2,3}, TX4 ={1,4}
❖ Each coin can only be spent once, so coin 1 and 2 must have been spent in TX1 and TX2, but we don’t know which coin is spent in which TX.
❖ Coin 3 is spent in TX3
❖ Coin 4 is spent in TX4
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.

Can you identify the real input of any transaction? Why?
Passive inference attacks
Example 2: inputs of transactions are
TX1= {1,2}, TX2={3,4}, TX3 ={1,3}, TX4 ={2,4}
By observing, we cannot deanonymise any transaction.
But… What if the attacker is a Monero user?
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.

Active inference attacks
Example 2: inputs of transactions are
TX1= {1,2}, TX2={3,4}, TX3 ={1,3}, TX4 ={2,4}
If the attacker is an owner of coin 1, and it is spent in TX1, then it knows
❖ Coin 3 is spent in TX3
❖ Coin 4 is spent in TX2
❖ Coin 2 is spent in TX4
et. al. Re-thinking untraceability in the CryptoNote-style blockchain, IEEE Computer Security Foundations Symposium, 2019.

Temporal analysis
1 2 … J … K K+1 K+2

Temporal analysis
1 2 … J … K K+1 K+2
1 year old 6 months old 1 week old

Temporal analysis
1 2 … J … K K+1 K+2
1 year old 6 months old 1 week old
This has a very
high probability to be
the real input

Age distribution of inputs
(a) Age distribution of all inputs
(b) Age distribution of inputs that are identified as mixins (from other attacks, e.g. 0-mixin) (c) Estimated age distribution of real inputs
(a)-(b)=(c)
et. al. An Empirical Analysis of Traceability in the , Proceedings on Privacy Enhancing Technologies, 2018.

Age distribution of inputs
The accuracy rate is about 80%, for all non-0-mixin coins!
et. al. An Empirical Analysis of Traceability in the , Proceedings on Privacy Enhancing Technologies, 2018.

Age distribution of inputs
The accuracy rate is about 80%, for all non-0-mixin coins! Solution: Choose more “recent” coins as mixins.
et. al. An Empirical Analysis of Traceability in the Monero Bloc

程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com