Anonymity in Blockchains * With slides by BFMNG
What do we mean by anonymity? Literally: anonymous = without a name. Bitcoin addresses are public key hashes rather than real identities. Computer scientists call this pseudonymity.
What’s “real” anonymity? Anonymity = pseudonymity + unlinkability. Different interactions of the same user with the system should not be linkable to each other.
Seems hard to achieve… Public ledgers are by definition publicly and permanently traceable. Very different from, say, traditional banking!
Why is anonymity needed? • Threat ranges from privacy loss to extortion. • Front running on trades. • Transaction censorship by miners.
What about money laundering? Legitimate worry. Bottleneck: moving large flows into and out of Bitcoin (“cashing out”). Common conundrum in cryptography: uses that are very different morally use the same technology.
Similar dilemma: Tor. Anonymous communication network. Sender and receiver of a message are unlinkable. Used by: • Normal people • Journalists & activists • Law enforcement • Malware • Pedophiles. Funded by (among others): U.S. State Department.
Anonymous e-cash: history. David Chaum, 1980s. Blind signature: two-party protocol to create a digital signature without the signer knowing the input.
Anonymous e-cash via blind signatures. [Figure: bank table with columns User, Balance and Spent coins. Withdraw anonymous coin {317038628684424}: balance 10 → 9. Deposit coin #317038628684424: balance 5 → 6, bank answers OK.] Bank cannot link the two users.
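The withdraw/deposit exchange from the slide above, as an added example that is not part of the original slides: Chaum-style blinding instantiated with textbook RSA, which is an assumption because the slides do not name a signature scheme. The toy key, the `Bank` class and the users `alice` and `bob` are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd
# Toy bank RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private exponent

def h(serial):  # hash a coin serial number into Z_N
    return int.from_bytes(hashlib.sha256(str(serial).encode()).digest(), "big") % N

def blind(serial):
    """User: hide H(serial) behind a random factor r^E before asking for a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def unblind(blind_sig, r):
    """User: divide out r, leaving an ordinary RSA signature on H(serial)."""
    return (blind_sig * pow(r, -1, N)) % N

class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.seen_at_withdrawal = []  # all the bank learns while signing
        self.spent = set()            # serial numbers already deposited

    def withdraw(self, user, blinded):
        if self.balances[user] < 1:
            raise ValueError("insufficient balance")
        self.balances[user] -= 1
        self.seen_at_withdrawal.append((user, blinded))
        return pow(blinded, D, N)     # signs without seeing the serial number

    def deposit(self, user, serial, sig):
        if pow(sig, E, N) != h(serial) or serial in self.spent:
            return False              # forged or already-spent coin
        self.spent.add(serial)
        self.balances[user] = self.balances.get(user, 0) + 1
        return True

def demo():
    bank = Bank({"alice": 10, "bob": 5})   # constructed users, balances as in the figure
    serial = 317038628684424               # coin serial number shown on the slide
    blinded, r = blind(serial)
    sig = unblind(bank.withdraw("alice", blinded), r)
    # Second deposit of the same coin is a double spend and must be refused.
    results = [bank.deposit("bob", serial, sig) for _ in range(2)]
    return bank, blinded, results
```

After `demo()`, the bank's withdrawal log holds only `("alice", blinded)`, a value it cannot match to the serial number presented at deposit.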
Blind signatures in blockchains • Bank has a crucial role in this solution. • Eventually, didn’t catch on…
How anonymous is Bitcoin?
Trivial to create a new address. Best practice: always receive at a fresh address. Unlinkable?
Alice buys a teapot at a big box store. [Figure: single transaction; amounts shown: 5, 8, 3, 6.] Shared spending is evidence of joint control.
Change addresses. [Figure: transaction with a change output.] Which address is change?
Can tag service providers: transact! “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names”, S. Meiklejohn et al. 344 transactions • Mining pools • Wallet services • Exchanges • Vendors • Gambling sites
From services to users: 1. High centralization in service providers: most flows pass through one of these, in a traceable way. 2. Address-identity links in forums.
Transaction graph can be analyzed. Linked profiles can be deanonymized.
Mixing
Mixing. Centralized server: many people send coins, the mixer shuffles and sends the right amounts to each user (less a fee), unlinking the sources of transactions. Online wallets do this.
Risks • Mixer can still track transactions. • Low mixing volume makes tracing easy. • Mixer could potentially steal your cash.
Decentralized mixing: Coinjoin 1. Find peers who want to mix 2. Exchange input/output addresses 3. Construct transaction 4. Send it around, collect signatures (before signing, each peer checks if her output is present) 5. Broadcast the transaction
Coinjoin: problems • How to find peers • Peers know your input-output mapping (this is a worse problem than for centralized mixes) • Denial of service
Toward full anonymization: zero knowledge proofs
Zerocoin: protocol-level mixing. Mixing capability baked into protocol. Advantage: cryptographic guarantee of mixing. “Zerocoin: Anonymous Distributed E-Cash from Bitcoin”, I. Miers et al., IEEE S&P 2013.
Zerocoin in a nutshell Built over a base coin (like Bitcoin): Standard coins are converted into zerocoins, mixed, and come back anonymous. Breaks link between original and new coins.
Minting a zerocoin. Serial number: 317038628684424
Minting a zerocoin. Zerocoins come in standard denominations (let’s assume 1 basecoin). Anyone can make one! They have value once put on the block chain. That costs 1 basecoin.
Minting a zerocoin. Relate commitment C to a coin on the blockchain. Create Mint Tx with 1 (standard) coin as input. Mint signed by A. [Figure: commitment H(S, r)]
Spending a zerocoin:
Zero-knowledge proofs. Goldwasser-Micali-Rackoff ’85. A way to prove a statement without revealing any information but the fact that it’s true. Example: • “I know an input that hashes to some hash in the following set: … ” We’ll dive into zero knowledge soon…
Zerocoin is anonymous. The commitment remains hiding: no one can figure out which zerocoin corresponds to serial number S. [Figure: H(S, r) and the list h_1, h_2, …, h_N]
Zerocash. Differences: • Zerocoin statement and proof are very long. Zcash makes them short and fast to verify. • Extended functionality (no need for base coin). “Zerocash: Decentralized Anonymous Payments from Bitcoin”, E. Ben-Sasson et al., Usenix Security 2014.
Lots of activity in this direction…