ValueShuffle: Mixing Confidential Transactions for Comprehensive Transaction Privacy in Bitcoin

Conference Paper · April 2017
DOI: 10.1007/978-3-319-70278-0_8
ISSN: 0302-9743
Abstract
The public nature of the blockchain has been shown to be a severe threat for the privacy of Bitcoin users. Even worse, since funds can be tracked and tainted, no two coins are equal, and fungibility, a fundamental property required in every currency, is at risk. With these threats in mind, several privacy-enhancing technologies have been proposed to improve transaction privacy in Bitcoin. However, they either require a deep redesign of the currency, breaking many currently deployed features, or they address only specific privacy issues and consequently provide only very limited guarantees when deployed separately. The goal of this work is to overcome this trade-off. Building on CoinJoin, we design ValueShuffle, the first coin mixing protocol compatible with Confidential Transactions, a proposed enhancement to the Bitcoin protocol to hide payment values in the blockchain. ValueShuffle ensures the anonymity of mixing participants as well as the confidentiality of their payment values even against other possibly malicious mixing participants. By combining CoinJoin with Confidential Transactions and additionally Stealth Addresses, ValueShuffle provides comprehensive privacy (payer anonymity, payee anonymity, and payment value privacy) without breaking with fundamental design principles or features of the current Bitcoin system. Assuming that Confidential Transactions will be integrated in the Bitcoin protocol, ValueShuffle makes it possible to mix funds of different value as well as to mix and spend funds in the same transaction, which overcomes the two main limitations of previous coin mixing protocols.
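As an added example (not code from the paper or its authors), the following Python sketch shows the two mechanisms the abstract combines: Pedersen commitments from Confidential Transactions merged CoinJoin-style, where each participant balances only its own blinding factors and therefore never has to reveal its amounts to the other participants, and an ECDH-derived stealth one-time output key for payee anonymity. It assumes the secp256k1 curve parameters and a hypothetical try-and-increment derivation of the value generator H (libsecp256k1 derives its H differently); the amounts and the participants Alice and Bob are constructed.

```python
# Added example, not code from the ValueShuffle paper: toy CoinJoin of Confidential Transactions
# on secp256k1 plus a stealth one-time key. Curve parameters are assumed from the curve standard.
import hashlib
import secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add; scalars are reduced modulo the group order N."""
    result, k = None, k % N
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return result

def nums_generator(tag):
    """Try-and-increment hash-to-curve so nobody knows log_G(H) (assumed; not libsecp256k1's exact H)."""
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while True:
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # square root candidate, valid because P = 3 mod 4
        if y * y % P == y2:
            return (x, y)
        x += 1

H = nums_generator(b"example-value-generator:" + G[0].to_bytes(32, "big"))

def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H, as in Confidential Transactions."""
    return ec_add(ec_mul(blind, G), ec_mul(value, H))

def participant_build(in_values, out_values, fee_share):
    """One participant picks blinding factors with sum(r_in) = sum(r_out); the homomorphism
    then makes per-participant balance imply balance of the whole CoinJoin."""
    # Commitments enforce equality only modulo N; that is the gap CT's range proofs close.
    assert (sum(in_values) - sum(out_values) - fee_share) % N == 0
    in_blinds = [secrets.randbelow(N) for _ in in_values]
    out_blinds = [secrets.randbelow(N) for _ in out_values[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % N)
    return ([commit(v, r) for v, r in zip(in_values, in_blinds)],
            [commit(v, r) for v, r in zip(out_values, out_blinds)])

def coinjoin(participants):
    """Merge every participant's commitments into one transaction and shuffle the outputs."""
    ins, outs, fee = [], [], 0
    for in_values, out_values, fee_share in participants:
        i, o = participant_build(in_values, out_values, fee_share)
        ins, outs, fee = ins + i, outs + o, fee + fee_share
    secrets.SystemRandom().shuffle(outs)
    return ins, outs, fee

def verify_balance(ins, outs, fee):
    """Verifier's check on public data only: sum(C_in) - sum(C_out) == fee*H."""
    total = None
    for c in ins + [(c[0], (-c[1]) % P) for c in outs]:  # outputs are negated
        total = ec_add(total, c)
    return total == ec_mul(fee, H)

def ecdh_tweak(point):
    return int.from_bytes(hashlib.sha256(point[0].to_bytes(32, "big")).digest(), "big") % N

def stealth_onetime_key(scan_pub, spend_pub):
    """Payer: ephemeral R = r*G and one-time output key H(r*A)*G + B for scan key A, spend key B."""
    r = 1 + secrets.randbelow(N - 1)
    return ec_mul(r, G), ec_add(ec_mul(ecdh_tweak(ec_mul(r, scan_pub)), G), spend_pub)

def stealth_recover_privkey(scan_priv, spend_priv, R):
    """Payee: a*R equals r*A, so the one-time private key is H(a*R) + b."""
    return (ecdh_tweak(ec_mul(scan_priv, R)) + spend_priv) % N

# Constructed sample amounts in satoshi: (inputs, outputs, fee share) per participant.
ALICE, BOB = ([50_000, 30_000], [65_000, 14_900], 100), ([7_000], [6_950], 50)

def demo_balanced():
    return verify_balance(*coinjoin([ALICE, BOB]))

def demo_tampered():
    ins, outs, fee = coinjoin([ALICE, BOB])
    outs[0] = ec_add(outs[0], H)  # inflate one output by 1 satoshi
    return verify_balance(ins, outs, fee)

def demo_negative_value_passes_without_range_proof():
    # 10 in, outputs 110 and -100 mod N: still balances, so every output needs a range proof.
    return verify_balance(*coinjoin([([10], [110, N - 100], 0)]))

def demo_stealth():
    a, b = 1 + secrets.randbelow(N - 1), 1 + secrets.randbelow(N - 1)
    R, onetime_pub = stealth_onetime_key(ec_mul(a, G), ec_mul(b, G))
    return ec_mul(stealth_recover_privkey(a, b, R), G) == onetime_pub
```

The honest CoinJoin verifies and the tampered one does not, while the third demo is the caveat a practitioner should keep in mind: a committed value of −100 mod N balances the equation just as well as a positive one, which is why Confidential Transactions attach a range proof to every output; without them a mixing participant could mint coins. The sketch also leaves out the anonymous shuffling of outputs (ValueShuffle builds on CoinShuffle++ for that), which is what prevents the other participants from linking an output commitment to its owner; the commitment arithmetic alone only hides the values.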

  • ... To cope with these challenges, some proposals for blockchain such as mixer services [22] [23] try to provide a third party in charge of concealing a transaction within a large amount of unrelated transactions. Thus, critical information such as the payer, payee, or paid amount [24] can be fully anonymized [25], although sometimes at the expense of transaction delays and higher costs. Some other privacy-preserving crypto solutions are integrating SSI along with secure multiparty computation [26], or with Zero Knowledge Proofs (ZKPs), e.g. ...
    ... In this case, the main idea is inspired by the Elliptic Curve Diffie-Hellman (ECDH) algorithm, in such a way that the payer needs to create a one-time address for every transaction with a specific payee, in order to enhance unlinkability. Based on both approaches, [24] extends the mixing protocol CoinShuffle++ through the integration of Stealth Addresses and Confidential Transactions to provide a more comprehensive privacy-preserving approach. Moreover, a recent proposal called Möbius [241] describes an Ethereum-based mixing service that is built through smart contracts to enhance the protection against availability attacks. ...
    ... Besides, storing ring signatures in a public blockchain might become a problem. Unlike CryptoNote, CoinJoin [70] and ValueShuffle [24] facilitate pruning; this is a drawback of CryptoNote, as ring signatures make pruning difficult. ...
    Article
    Full-text available
    Blockchains offer a decentralized, immutable and verifiable ledger that can record transactions of digital assets, provoking a radical change in several innovative scenarios, such as smart cities, eHealth or eGovernment. However, blockchains are subject to different scalability, security and potential privacy issues, such as transaction linkability, crypto-keys management (e.g. recovery), on-chain data privacy, or compliance with privacy regulations (e.g. GDPR). To deal with these challenges, novel privacy-preserving solutions for blockchain based on crypto-privacy techniques are emerging to empower users with mechanisms to become anonymous and take control of their personal data during their digital transactions of any kind in the ledger, following a Self-Sovereign Identity (SSI) model. In this sense, this paper performs a systematic review of the current state of the art on privacy-preserving research solutions and mechanisms in blockchain, as well as the main associated privacy challenges in this promising and disrupting technology. The survey covers privacy techniques in public and permissionless blockchains, e.g. Bitcoin and Ethereum, as well as privacy-preserving research proposals and solutions in permissioned and private blockchains. Diverse blockchain scenarios are analyzed,
  • ... Specifically conceived mixing algorithms of Bitcoin transactions [2,3], which allow a better privacy preservation, can be evaluated by analyzing blockchain data. Furthermore, blockchain data are available for forensic investigation [4,5]. ...
    ... More recently, researchers started a systematic investigation of Bitcoin user interrelations [10] and habits, i.e., address usage and their strategies to improve anonymization [2,3], vulnerabilities [11][12][13], and so on, and to allow forensic investigations, for instance to identify the origin of scams and illegal activities, such as the WannaCry blackmail case, in which criminals demanded Bitcoin payments to unlock the victims' machines [4,5,14]. ...
    Article
    Full-text available
    We present a novel strategy, based on the Extract, Transform and Load (ETL) process, to collect data from a blockchain, elaborate and make it available for further analysis. The study aims to satisfy the need for increasingly efficient data extraction strategies and effective representation methods for blockchain data. For this reason, we conceived a system to make scalable the process of blockchain data extraction and clustering, and to provide a SQL database which preserves the distinction between transaction and addresses. The proposed system satisfies the need to cluster addresses in entities, and the need to store the extracted data in a conventional database, making possible the data analysis by querying the database. In general, ETL processes allow the automation of the operation of data selection, data collection and data conditioning from a data warehouse, and produce output data in the best format for subsequent processing or for business. We focus on the Bitcoin blockchain transactions, which we organized in a relational database to distinguish between the input section and the output section of each transaction. We describe the implementation of address clustering algorithms specific for the Bitcoin blockchain and the process to collect and transform data and to load them in the database. To balance the input data rate with the elaboration time, we manage blockchain data according to the lambda architecture. To evaluate our process, we first analyzed the performances in terms of scalability, and then we checked its usability by analyzing loaded data. Finally, we present the results of a toy analysis, which provides some findings about blockchain data, focusing on a comparison between the statistics of the last year of transactions, and previous results of historical blockchain data found in the literature. 
The ETL process we realized to analyze blockchain data is proven to be able to perform a reliable and scalable data acquisition process, whose result makes stored data available for further analysis and business.
  • ... Transaction data and key profile are hidden to prevent double-spending attack [65]. However, the introduction of ring signature in CryptoNote will have a negative impact on scalability [66]. ...
    Article
    Full-text available
    As a kind of point-to-point distributed public ledger technology, blockchain has been widely studied in recent years. The privacy protection of blockchain technology has always been the core issue of people's attention. In this paper, some existing solutions to the current problems of user identity and transaction privacy protection are surveyed, including coin mixing mechanisms, zero knowledge proofs, ring signatures and other technologies. Secondly, five typical applications of privacy protection technology based on blockchain are proposed and analyzed, which are mainly divided into technology applications based on coin mixing protocols, encryption protocols, secure channel protocols and so on. Finally, in view of the shortcomings of the existing blockchain privacy protection technology, we explore future research challenges that need to be studied in order to preserve privacy in blockchain systems, and look forward to the future development direction.
  • ... Falcon's construction idea is mainly to instantiate the GPV framework (Gentry, Peikert, Vaikuntanathan, proposed in 2008) [81][82][83][84] to construct a lattice-based hash-and-sign digital signature. ...
    Preprint
    In this white paper, we propose a blockchain-based system, named AME, which is a decentralized infrastructure and application platform with enhanced security and self-management properties. The AME blockchain technology aims to increase the transaction throughput by adopting various optimizations in network transport and storage layers, and to enhance smart contracts with AI algorithm support. We introduce all major technologies adopted in our system, including blockchain, distributed storage, P2P network, service application framework, and data encryption. To properly provide a cohesive, concise, yet comprehensive introduction to the AME system, we mainly focus on describing the unique definitions and features that guide the system implementation.
  • ... Privacy protection for one-way transfer. Several approaches have been developed to protect the privacy of one-way transfer in a single-asset blockchain system, including zero-knowledge [16], ring signature [12], and mixnet [7,15]. Most of these techniques cannot be extended directly to protect two-way exchange as they cannot guarantee the fairness feature. ...
  • ... In order to improve this situation, many privacy-enhancing technologies have been proposed by the academic and the cryptocurrency community [6,7,20,21,24,31,32,36,43,45,47,52,53,58], and multiple cryptocurrencies with a special focus on privacy have emerged [37,56,57]. Monero [37] with a market capitalization of $1.6 billion at the time of writing [30] is the largest such privacy-focused cryptocurrency. ...
    Conference Paper
    Monero is the largest cryptocurrency with built-in cryptographic privacy features. The transactions are authenticated using zero-knowledge spend proofs, which provide a certain level of anonymity by hiding the source accounts from which the funds are sent among a set of other accounts. Due to its similarities to ring signatures, this core cryptographic component is called Ring Confidential Transactions (RingCT). Because of its practical relevance, several works attempt to analyze the security of RingCT. Since RingCT is rather complex, most of them are either informal, miss fundamental functionalities, or introduce undesirable trusted setup assumptions. Regarding efficiency, Monero currently deploys a scheme in which the size of the spend proof is linear in the ring size. This limits the ring size to only a few accounts, which in turn limits the acquired anonymity significantly and facilitates de-anonymization attacks. As a solution to these problems, we present the first rigorous formalization of RingCT as a cryptographic primitive. We then propose a generic construction of RingCT and prove it secure in our formal security model. By instantiating our generic construction with new efficient zero-knowledge proofs, we obtain Omniring, a fully-fledged RingCT scheme in the discrete logarithm setting that provides the highest concrete and asymptotic efficiency as of today. Omniring is the first RingCT scheme which 1) does not require a trusted setup or pairing-friendly elliptic curves, 2) has a proof size logarithmic in the size of the ring, and 3) allows the same ring to be shared between all source accounts in a transaction, thereby enabling a significantly improved privacy level without sacrificing performance. Our zero-knowledge proofs rely on novel enhancements to the Bulletproofs framework (S&P 2018), which we believe are of independent interest.
  • ... ValueShuffle [14] is built on CoinJoin, a bitcoin mixing service, and is the first bitcoin mixing protocol compatible with confidential transactions, which can hide the payment values of transactions. Moreover, by also adding stealth addresses to the protocol, it offers a comprehensive bitcoin privacy solution that guarantees payer anonymity, payee anonymity, and payment value confidentiality. ...
  • ... Running since 2009, Bitcoin is the most well-studied blockchain network [79], with various published papers on different topics such as privacy [32,148,149,153], economics [14,24,37,115], attacks [17,70], network [59,91] and scalability [46,103,104]. Over the years, Bitcoin's blockchain has grown significantly in size, making it difficult for certain devices to store all of it and run as a full node. ...
    Thesis
    Full-text available
    Data are gathered constantly, grow exponentially, and are considered a valuable asset. The need for extensive analysis has emerged by various organizations and researchers. However, they can be sensitive, private, and protected by privacy disclosure acts making data processing by third-parties almost impossible. We propose a protocol for data processing where data controllers can register their datasets and entities can request data processing operations by data processors. A distributed ledger is used as the controller of the system serving as an immutable history log of all actions taken by the participants. The blockchain-based distributed ledger provides data accountability, auditability and provenance tracking. We also use a Zero Knowledge Verifiable Computation scheme where a data processor is enforced to produce a proof of correctness of computation without revealing the dataset itself that the requestor verifies. This records the fact that correct processing has taken place without disclosing any information about the data.
  • ... For example, CoinShuffle [83] hides the origin of transactions among a group of users by allowing them to shuffle freshly generated output addresses in an oblivious manner. Similar proposals include ValueShuffle [82] and CoinJoin [70]. However, the adoption of encryption algorithms often brings extra computational overhead for the system, hence future development of privacy preserving techniques shall target light-weight solutions. ...
    Preprint
    Full-text available
    A blockchain-based smart contract or a "smart contract" for short, is a computer program intended to digitally facilitate the negotiation or contractual terms directly between users when certain conditions are met. With the advance in blockchain technology, smart contracts are being used to serve a wide range of purposes ranging from self-managed identities on public blockchains to automating business collaboration on permissioned blockchains. In this paper, we present a comprehensive survey of smart contracts with a focus on existing applications and challenges they face.
  • Article
    Bitcoin combines a peer-to-peer network and cryptographic algorithms to implement a distributed digital currency system, which keeps all transaction history on a public blockchain. Since all transactions recorded on the blockchain are public to everyone, Bitcoin users face a threat of leaking financial privacy. Many analysis and deanonymization approaches have been proposed to link transaction records to real identities. To eliminate this threat, we present an unlinkable coin mixing scheme that allows users to mix their bitcoins without trusting a third party. This mixing scheme employs a primitive known as ring signature together with the elliptic curve digital signature algorithm (ECDSA) to conceal the transfer of coins between addresses. The mixing server is only able to check whether the output addresses belong to its customers, but it cannot tell which address is owned by which customer. Customers do not have to rely on the reputation of a third party to ensure that their money will be returned and their privacy will not be leaked. This scheme needs no modifications to the current Bitcoin system and is convenient to deploy by any community. We implemented a prototype of our scheme and tested it under Bitcoin Core's regtest mode. Security and privacy of our mixing scheme are ensured through the standard ring signature and ECDSA unforgeability.
  • Conference Paper
    This paper proposes a new conceptual architecture for authorization of mobile services based on blockchain technologies, and presents a design of procedures for heterogeneous mobile communication services. Furthermore, an extension of the procedures is considered in order to enhance privacy protection for users. The new architecture realizes the separation of mobile communication infrastructure and billing functions and multiple use of several mobile communication services under a single contract with a billing operator.
  • Article
    Cryptocurrencies promise to revolutionize the financial industry, forever changing the way we transfer money. Instead of relying on a central authority (for example, a government entity or a bank) to issue and manage money, cryptocurrencies rely on the mathematical design and security proofs of the underlying cryptographic protocols. Using cryptography and distributed algorithms, cryptocurrencies offer a fully decentralized setting where no single entity can monitor or block the transfer of funds. Cryptocurrencies have grown from early prototypes to a global phenomenon with millions of participating individuals and institutions [17]. Bitcoin [28] was the first such currency, launched in 2009, and in the years since has grown to a market capitalization of over $15 billion (as of January 2017). This has led to the emergence of many alternative cryptocurrencies with additional services or different properties as well as to a fruitful line of academic research.
  • Chapter
    Full-text available
    The Cyber Age has brought the world incommensurable advantages: freedom of expression, access to information and instant communication, rendering distance and borders as irrelevant. However, these benefits are heavily debated, as the civil society and national governments stand on very different standpoints. The effects of the Cyber Revolution were clearly seen in the mutations of both the criminal organizations and those of the terrorist organizations which took full advantage of it. Our paper will contend the following: (1) the Cyber Revolution took the world by surprise, very few actors were truly prepared to deal with the fallout; (2) there can be no successful unilateral actions to combat the misuse and exploitation of new technologies; (3) the role of NATO can be revamped to include an integrated approach on combatting state-sponsored hybrid warfare, propaganda and fake news as well as combating criminal and terrorist organisations which make use of such technologies.
  • Conference Paper
    The concept of virtual currencies is an emerging, and perhaps unexpected development in the modern financial world. Bitcoin can be regarded as the first successful virtual currency, followed by many other implementations. Analogous to paper currencies, it is apparent that privacy and anonymity are two pivotal considerations that affect the adoption of virtual currencies by users. However, many studies have identified several problems associated with the privacy and anonymity of Bitcoin. Consequently, a large number of attempts have been made to address these issues, yet it has been proven that many such solutions do not provide an acceptable level of anonymity. This survey presents an account of the level of anonymity achieved through those and attempts to provide a comparative evaluation across different constructions.
  • Article
    Privacy is supreme in cryptocurrencies since most users do not want to reveal their identities or the transaction amount in financial transactions. Nevertheless, achieving privacy in blockchain-based cryptocurrencies remains challenging since blockchain is by default a public ledger. For instance, Bitcoin provides built-in pseudonymity rather than true anonymity, which can be compromised by analyzing the transactions. Several solutions have been proposed to enhance the transaction privacy of Bitcoin. Unfortunately, full anonymity is not always desirable, because malicious users are able to conduct illegal transactions, such as money laundering and drug trading, under the cover of anonymity in cryptocurrencies. As a result, regulation in blockchain-based cryptocurrencies is very essential. In this article, we analyze the privacy issues in Bitcoin and investigate some existing privacy-enhancing techniques in blockchain-based cryptocurrencies as well as some privacy-focused altcoins. In addition, we review and compare some works dealing with regulation of cryptocurrencies. Finally, we propose two possible solutions from a top view to balance privacy and regulation of blockchain-based cryptocurrencies. One solution is based on decentralized group signature, in which a group manager is responsible for building a group and tracing the real payer of the group in a transaction. The other solution is based on verifiable encryption, in which a tracing manager is not actively involved in normal transactions but can trace suspicious transactions via an encrypted tag.
  • Chapter
    Since the advent of bitcoin, the privacy of bitcoin has become a hot issue. Many coin mixing protocols guarantee the anonymity and unlinkability of the payer and payee of a transaction. However, due to the publicity of blockchain, the confidentiality of transaction amounts has not been provided. Everyone has the chance to get the amount of a transaction, which poses a challenge to the privacy of users. To overcome the problem, we propose an improved mixing protocol based on TumbleBit, which is named TumbleBit++. TumbleBit++ combines confidential transactions with centralized untrusted anonymous payment hub, and achieves the protection of transaction amounts without undermining the anonymity of TumbleBit. TumbleBit++ allows multiple payers to trade in different transaction amounts, and Tumbler, as an untrusted third party, does not know the exact amount of each transaction and the flow of funds between the payer and payee of one transaction.
  • Chapter
    Despite their usage of pseudonyms rather than persistent identifiers, most existing cryptocurrencies do not provide users with any meaningful levels of privacy. This has prompted the creation of privacy-enhanced cryptocurrencies such as Monero and Zcash, which are specifically designed to counteract the tracking analysis possible in currencies like Bitcoin. These cryptocurrencies, however, also suffer from some drawbacks: in both Monero and Zcash, the set of potential unspent coins is always growing, which means users cannot store a concise representation of the blockchain. Additionally, Zcash requires a common reference string and the fact that addresses are reused multiple times in Monero has led to attacks to its anonymity. In this paper we propose a new design for anonymous cryptocurrencies, Quisquis, that achieves provably secure notions of anonymity. Quisquis stores a relatively small amount of data, does not require trusted setup, and in Quisquis each address appears on the blockchain at most twice: once when it is generated as output of a transaction, and once when it is spent as input to a transaction. Our result is achieved by combining a DDH-based tool (that we call updatable keys) with efficient zero-knowledge arguments.
  • Preprint
    Full-text available
    Orphan transactions are those whose parental income-sources are missing at the time that they are processed. These transactions are not propagated to other nodes until all of their missing parents are received, and they thus end up languishing in a local buffer until evicted or their parents are found. Although there has been little work in the literature on characterizing the nature and impact of such orphans, it is intuitive that they may affect throughput on the Bitcoin network. This work thus seeks to methodically research such effects through a measurement campaign of orphan transactions on live Bitcoin nodes. Our data show that, surprisingly, orphan transactions tend to have fewer parents on average than non-orphan transactions. Moreover, the salient features of their missing parents are a lower fee and larger size than their non-orphan counterparts, resulting in a lower transaction fee per byte. Finally, we note that the network overhead incurred by these orphan transactions can be significant, exceeding 17% when using the default orphan memory pool size (100 transactions). However, this overhead can be made negligible, without significant computational or memory demands, if the pool size is merely increased to 1000 transactions.
  • Article
    Full-text available
    This article introduces a method of hiding transaction amounts in the strongly decentralized anonymous cryptocurrency Monero. Similar to Bitcoin, Monero is a cryptocurrency which is distributed through a proof-of-work “mining” process having no central party or trusted setup. The original Monero protocol was based on CryptoNote, which uses ring signatures and one-time keys to hide the destination and origin of transactions. Recently the technique of using a commitment scheme to hide the amount of a transaction has been discussed and implemented by Bitcoin Core developer Gregory Maxwell. In this article, a new type of ring signature, A Multilayered Linkable Spontaneous Anonymous Group signature is described which allows one to include a Pedersen Commitment in a ring signature. This construction results in a digital currency with hidden amounts, origins and destinations of transactions with reasonable efficiency and verifiable, trustless coin generation. The author would like to note that early drafts of this were publicized in the Monero Community and on the #bitcoin-wizards IRC channel. Blockchain hashed drafts are available showing that this work was started in Summer 2015, and completed in early October 2015. An eprint is also available at http://eprint.iacr.org/2015/1098.
  • Conference Paper
    Although Bitcoin is often perceived to be an anonymous currency, research has shown that a user's Bitcoin transactions can be linked to compromise the user's anonymity. We present solutions to the anonymity problem for both transactions on Bitcoin's blockchain and off the blockchain (in so called micropayment channel networks). We use an untrusted third party to issue anonymous vouchers which users redeem for Bitcoin. Blind signatures and Bitcoin transaction contracts (aka smart contracts) ensure the anonymity and fairness during the bitcoin ↔ voucher exchange. Our schemes are practical, secure and anonymous.
  • Article
    Full-text available
    Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we consider the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
  • Conference Paper
    In this paper, we explore the role of privacy-enhancing overlays in Bitcoin. To examine the effectiveness of different solutions, we first propose a formal definitional framework for virtual currencies and put forth a new notion of anonymity, taint resistance, that they can satisfy. We then approach the problem from a theoretical angle, by proposing various solutions to achieve provable taint resistance, and from a practical angle, by examining the taint resistance of the Coinjoin protocol.
  • Conference Paper
    Mixcoin is a Bitcoin mixing protocol proposed by Bonneau et al. which provides strong accountability guarantees [13]. However, in the Mixcoin protocol, the mapping from a user’s input to output address is visible to the mixing server. We modify the Mixcoin protocol to provide guarantees that the input/output address mapping for any user is kept hidden from the mixing server. In order to achieve this, we make use of a blind signature scheme [14, 23] as well as an append-only public log. The scheme is fully compatible with Bitcoin, forces mixes to be accountable, preserves user anonymity even against a malicious mix, is resilient to denial of service attacks, and easily scales to many users.
  • Conference Paper
    Full-text available
    Bitcoin, the famous peer-to-peer, decentralized electronic currency system, allows users to benefit from pseudonymity, by generating an arbitrary number of aliases (or addresses) to move funds. However, the complete history of all transactions ever performed, called “blockchain”, is public and replicated on each node. The data it contains is difficult to analyze manually, but can yield a high number of relevant information. In this paper we present a modular framework, BitIodine, which parses the blockchain, clusters addresses that are likely to belong to a same user or group of users, classifies such users and labels them, and finally visualizes complex information extracted from the Bitcoin network. BitIodine labels users semi-automatically with information on their identity and actions which is automatically scraped from openly available information sources. BitIodine also supports manual investigation by finding paths and reverse paths between addresses or users. We tested BitIodine on several real-world use cases, identified an address likely to belong to the encrypted Silk Road cold wallet, or investigated the CryptoLocker ransomware and accurately quantified the number of ransoms paid, as well as information about the victims. We release a prototype of BitIodine as a library for building Bitcoin forensic analysis tools.
  • Article
    A fundamental limitation of Bitcoin and its variants is that the movement of coin between addresses can be observed by examining the public block chain. This record enables adversaries to link addresses to individuals, and to identify multiple addresses as belonging to a single participant. Users can try to hide this information by mixing, where a participant exchanges the funds in an address coin-for-coin with another participant and address. In this paper, we describe the weaknesses of extant mixing protocols, and analyze their vulnerability to Sybil-based denial-of-service and inference attacks. As a solution, we propose Xim, a two-party mixing protocol that is compatible with Bitcoin and related virtual currencies. It is the first decentralized protocol to simultaneously address Sybil attackers, denial-of-service attacks, and timing-based inference attacks. Xim is a multi-round protocol with tunably high success rates. It includes a decentralized system for anonymously finding mix partners based on ads placed in the block chain. No outside party can confirm or find evidence of participants that pair up. We show that Xim's design increases attacker costs linearly with the total number of participants, and that its probabilistic approach to mixing mitigates Sybil-based denial-of-service attack effects. We evaluate protocol delays based on our measurements of the Bitcoin network.
  • Conference Paper
    We propose Mixcoin, a protocol to facilitate anonymous payments in Bitcoin and similar cryptocurrencies. We build on the emergent phenomenon of currency mixes, adding an accountability mechanism to expose theft. We demonstrate that incentives of mixes and clients can be aligned to ensure that rational mixes will not steal. Our scheme is efficient and fully compatible with Bitcoin. Against a passive attacker, our scheme provides an anonymity set of all other users mixing coins contemporaneously. This is an interesting new property with no clear analog in better-studied communication mixes. Against active attackers our scheme offers similar anonymity to traditional communication mixes.
  • Conference Paper
    Over the last 4 years, Bitcoin, a decentralized P2P crypto-currency, has gained widespread attention. The ability to create pseudo-anonymous financial transactions using bitcoins has made the currency attractive to users who value their privacy. Although previous work has analyzed the degree of anonymity Bitcoin offers using clustering and flow analysis, none have demonstrated the ability to map Bitcoin addresses directly to IP data. We propose a novel approach to creating and evaluating such mappings solely using real-time transaction traffic collected over 5 months. We developed heuristics for identifying ownership relationships between Bitcoin addresses and IP addresses. We discuss the circumstances under which these relationships become apparent and demonstrate how nearly 1,000 Bitcoin addresses can be mapped to their likely owner IPs by leveraging anomalous relaying behavior.
  • Conference Paper
    Bitcoin is quickly emerging as a popular digital payment system. However, in spite of its reliance on pseudonyms, Bitcoin raises a number of privacy concerns due to the fact that all of the transactions that take place are publicly announced in the system. In this paper, we investigate the privacy provisions in Bitcoin when it is used as a primary currency to support the daily transactions of individuals in a university setting. More specifically, we evaluate the privacy that is provided by Bitcoin (i) by analyzing the genuine Bitcoin system and (ii) through a simulator that faithfully mimics the use of Bitcoin within a university. In this setting, our results show that the profiles of almost 40% of the users can be, to a large extent, recovered even when users adopt privacy measures recommended by Bitcoin. To the best of our knowledge, this is the first work that comprehensively analyzes, and evaluates the privacy implications of Bitcoin.
  • Conference Paper
    Bitcoin is a digital currency that uses anonymous cryptographic identities to achieve financial privacy. However, Bitcoin's promise of anonymity is broken as recent work shows how Bitcoin's blockchain exposes users to reidentification and linking attacks. In consequence, different mixing services have emerged which promise to randomly mix a user's Bitcoins with other users' coins to provide anonymity based on the unlinkability of the mixing. However, proposed approaches suffer either from weak security guarantees and single points of failure, or small anonymity sets and missing deniability. In this paper, we propose CoinParty, a novel, decentralized mixing service for Bitcoin based on a combination of decryption mixnets with threshold signatures. CoinParty is secure against malicious adversaries and the evaluation of our prototype shows that it scales easily to a large number of participants in real-world network settings. By the application of threshold signatures to Bitcoin mixing, CoinParty achieves anonymity by orders of magnitude higher than related work, as we quantify by analyzing transactions in the actual Bitcoin blockchain, and is first among related approaches to provide plausible deniability.
  • The decentralized currency network Bitcoin is emerging as a potential new way of performing financial transactions across the globe. Its use of pseudonyms towards protecting users’ privacy has been an attractive feature to many of its adopters. Nevertheless, due to the inherent public nature of the Bitcoin transaction ledger, users’ privacy is severely restricted to linkable anonymity, and a few transaction deanonymization attacks have been reported thus far. In this paper we propose CoinShuffle, a completely decentralized Bitcoin mixing protocol that allows users to utilize Bitcoin in a truly anonymous manner. CoinShuffle is inspired by the accountable anonymous group communication protocol Dissent and enjoys several advantages over its predecessor Bitcoin mixing protocols. It does not require any (trusted, accountable or untrusted) third party and it is perfectly compatible with the current Bitcoin system. CoinShuffle introduces only a small communication overhead for its users, while completely avoiding additional anonymization fees and minimizing the computation and communication overhead for the rest of the Bitcoin system.
  • Article
    Non-interactive key exchange (NIKE) is a fundamental but much-overlooked cryptographic primitive. It appears as a major contribution in the ground-breaking paper of Diffie and Hellman, but NIKE has remained largely unstudied since then. In this paper, we provide different security models for this primitive and explore the relationships between them. We then give constructions for secure NIKE in the Random Oracle Model based on the hardness of factoring and in the standard model based on the hardness of a variant of the decisional Bilinear Diffie Hellman Problem for asymmetric pairings. We also study the relationship between NIKE and public key encryption (PKE), showing that a secure NIKE scheme can be generically converted into an IND-CCA secure PKE scheme. Our conversion also illustrates the fundamental nature of NIKE in public key cryptography.
  • Conference Paper
    Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we characterize longitudinal changes in the Bitcoin market, the stresses these changes are placing on the system, and the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
  • Conference Paper
    Bitcoin is the first e-cash system to see widespread adoption. While Bitcoin offers the potential for new types of financial interaction, it has significant limitations regarding privacy. Specifically, because the Bitcoin transaction log is completely public, users' privacy is protected only through the use of pseudonyms. In this paper we propose Zerocoin, a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions. Our system uses standard cryptographic assumptions and does not introduce new trusted parties or otherwise change the security model of Bitcoin. We detail Zerocoin's cryptographic construction, its integration into Bitcoin, and examine its performance both in terms of computation and impact on the Bitcoin protocol.
  • Conference Paper
    Bitcoin is a distributed digital currency which has attracted a substantial number of users. We perform an in-depth investigation to understand what made Bitcoin so successful, while decades of research on cryptographic e-cash has not led to a large-scale deployment. We ask also how Bitcoin could become a good candidate for a long-lived stable currency. In doing so, we identify several issues and attacks of Bitcoin, and we propose novel techniques to address them.
  • Article
    We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of units in ℤ_p, where p is a sufficiently large prime, e.g., p ≈ 2^512. A key idea is to use for the base of the discrete logarithm an integer in ℤ_p whose order is a sufficiently large prime q, e.g., q ≈ 2^140. In this way we improve the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.
  • Conference Paper
    It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons. Any k of these persons can later find the secret (1 ≤ k ≤ n), whereas fewer than k persons get no (Shannon) information about the secret. The information rate of the scheme is 1/2 and the distribution as well as the verification requires approximately 2k modular multiplications per bit of the secret. It is also shown how a number of persons can choose a secret “in the well” and distribute it verifiably among themselves.
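The two abstracts above (Schnorr's prime-order-subgroup signatures and Pedersen's verifiable secret sharing) both live in the same algebraic setting, a subgroup of ℤ_p^* of prime order q, so the following added example works them through together in that one group. It is not code from the ValueShuffle paper or from either cited work. SHA-256 as the hash function, the parameter sizes, the fixed share indices 1..n and the hash-derived second generator h (whose discrete logarithm to the base alpha must be unknown to the dealer) are assumptions made for illustration; the primes are generated at random.

```python
# Added example (not code from the ValueShuffle paper or the cited works):
# Schnorr signatures in a prime-order subgroup of Z_p^*, then Pedersen VSS in
# the same group. SHA-256 as the hash, the parameter sizes, the share indices
# 1..n and the hash-derived second generator h are assumptions for illustration.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; probabilistic, which is fine for a demonstration."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(p_bits=512, q_bits=140):
    """Primes p, q with q | p-1 and an element alpha of order q (Schnorr's setting)."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:  # p = k*q + 1 with k even so that p is odd
        k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:  # a random residue raised to (p-1)/q has order q unless it is 1
        alpha = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
        if alpha != 1:
            return p, q, alpha


def hash_to_zq(x, msg, q):
    xb = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(xb + msg).digest(), "big") % q


def schnorr_keygen(p, q, alpha):
    s = secrets.randbelow(q - 1) + 1
    return s, pow(alpha, q - s, p)  # public key v = alpha^{-s}


def schnorr_sign(p, q, alpha, s, msg):
    r = secrets.randbelow(q - 1) + 1  # fresh per signature: reusing r leaks s
    e = hash_to_zq(pow(alpha, r, p), msg, q)
    return e, (r + s * e) % q  # signature (e, y): two short numbers mod q


def schnorr_verify(p, q, alpha, v, msg, sig):
    e, y = sig
    x = pow(alpha, y, p) * pow(v, e, p) % p  # alpha^{y - s*e} = alpha^r
    return hash_to_zq(x, msg, q) == e


def second_generator(p, q, alpha):
    """h of order q whose discrete log base alpha nobody knows (hash-derived)."""
    seed = alpha
    while True:
        seed = int.from_bytes(hashlib.sha256(str(seed).encode()).digest(), "big")
        h = pow(seed % (p - 3) + 2, (p - 1) // q, p)
        if h not in (1, alpha):
            return h


def poly_eval(poly, x, q):
    return sum(c * pow(x, j, q) for j, c in enumerate(poly)) % q


def pedersen_deal(p, q, alpha, h, secret, k, n):
    """Dealer: f(x) = secret + a1 x + ..., blinding g(x); share i is (f(i), g(i)).
    Commitments alpha^{a_j} h^{b_j} carry no Shannon information about secret."""
    f = [secret % q] + [secrets.randbelow(q) for _ in range(k - 1)]
    g = [secrets.randbelow(q) for _ in range(k)]
    commits = [pow(alpha, a, p) * pow(h, b, p) % p for a, b in zip(f, g)]
    return commits, {i: (poly_eval(f, i, q), poly_eval(g, i, q)) for i in range(1, n + 1)}


def pedersen_verify(p, q, alpha, h, commits, i, share):
    """Holder i checks without talking to anyone: alpha^{s_i} h^{t_i} == prod_j C_j^{i^j}."""
    lhs = pow(alpha, share[0], p) * pow(h, share[1], p) % p
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, j, q), p) % p
    return lhs == rhs


def pedersen_reconstruct(q, shares):
    """Any k shares {i: (s_i, t_i)}: Lagrange interpolation of f at 0 over Z_q."""
    secret = 0
    for i, (si, _) in shares.items():
        lam = 1
        for j in shares:
            if j != i:
                lam = lam * j * pow(j - i, -1, q) % q
        secret = (secret + si * lam) % q
    return secret
```

The signature is the pair (e, y) of two residues mod q, which is where Schnorr's length and speed advantage over ElGamal comes from. The Pedersen check is purely local (each holder verifies only its own share against the public commitments), and the blinding polynomial g is what makes the commitments information-theoretically hiding, so fewer than k holders learn nothing about the secret even with unbounded computation.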
  • Conference Paper
    Users often wish to participate in online groups anonymously, but misbehaving users may abuse this anonymity to disrupt the group's communication. Existing messaging protocols such as DC-nets leave groups vulnerable to denial-of-service and Sybil attacks, Mix-nets are difficult to protect against traffic analysis, and accountable voting protocols are unsuited to general anonymous messaging. We present the first general messaging protocol that offers provable anonymity with accountability for moderate-size groups, and efficiently handles unbalanced loads where few members wish to transmit in a given round. The N group members first cooperatively shuffle an N x N matrix of pseudorandom seeds, then use these seeds in N "pre-planned" DC-nets protocol runs. Each DC-nets run transmits the variable-length bulk data comprising one member's message, using the minimum number of bits required for anonymity under our attack model. The protocol preserves message integrity and one-to-one correspondence between members and messages, makes denial-of-service attacks by members traceable to the culprit, and efficiently handles large, unbalanced message loads. A working prototype demonstrates the protocol's practicality for anonymous messaging in groups of 40+ members.
  • Conference Paper
    We propose a new computational problem called the twin Diffie–Hellman problem. This problem is closely related to the usual (computational) Diffie–Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie–Hellman problem. Moreover, the twin Diffie–Hellman problem is at least as hard as the ordinary Diffie–Hellman problem. However, we are able to show that the twin Diffie–Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem—this is a feature not enjoyed by the Diffie–Hellman problem, in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie–Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie–Hellman problem is hard. We present several other applications as well, including a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer–Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh–Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
  • Article
    Keeping confidential who sends which messages, in a world where any physical transmission can be traced to its origin, seems impossible. The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively. It can be adapted to efficiently address a wide variety of practical considerations.
  • Article
    An argument system for NP is succinct if its communication complexity is polylogarithmic in the instance and witness sizes. The seminal works of Kilian '92 and Micali '94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they can be made non-interactive in the random-oracle model. However, we currently do not have any construction of succinct non-interactive arguments (SNARGs) in the standard model with a proof of security under any simple cryptographic assumption. In this work, we give a broad black-box separation result, showing that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (one-way functions, trapdoor permutations, DDH, RSA, LWE etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor '03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption. Our separation result also extends to designated verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.
  • Article
    We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practical design for location-hidden services via rendezvous points. Tor works on the real-world Internet, requires no special privileges or kernel modifications, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efficiency. We briefly describe our experiences with an international network of more than 30 nodes. We close with a list of open problems in anonymous communication.