Difference between revisions of "Bitcoin"

From CryptoLUX
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
* [[Alex Biryukov]], [[Dmitry Khovratovich]], [[Ivan Pustogarov]], "Deanonymisation of clients in Bitcoin P2P network", [http://arxiv.org/abs/1405.7418 archive]
* [[Alex Biryukov]], [[Dmitry Khovratovich]], [[Ivan Pustogarov]], "Deanonymisation of clients in Bitcoin P2P network", ACM CCS 2014, Arizona, USA  ([http://arxiv.org/abs/1405.7418 early version in archive], [[Media:Ccsfp614s-biryukovATS.pdf| revised paper]])
== Informal description of the client deanonymization attack on the Bitcoin P2P network. ==
[[Informal description of the Bitcoin deanonymization attack]].
The attack can achieve two aims and this is what most people miss.
* [[Alex Biryukov]], [[Ivan Pustogarov]], "Proof-of-Work as Anonymous Micropayment: Rewarding a Tor Relay", Financial Cryptography 2015, Puerto-Rico, USA. ([[Media:Alex-ivan-tor-micropayments.pdf‎| paper]])
-Identification of client's IP address
  [[Press release on secure, anonymous, easy way to pay for online content]]
-Linkage of transactions coming from a single client during one session.
* [[Alex Biryukov]], [[Ivan Pustogarov]], "Bitcoin over Tor isn't a good idea", IEEE Security and Privacy Symposium 2015, ([[Media:1410.6079v2.pdf‎| paper]], [[Media:SnP-2015-pustogarov.pdf‎|slides]])
The attack can reveal the public IP address of the user who generated a
transaction as well as the entry nodes which connect the user's node to
the rest of the Bitcoin network. In the case of users behind NAT (the most
common case in the current Bitcoin network) the IP address is an address
of the user's ISP which in some cases may correctly point to the user's
street or even home*.
*See [https://www.ccsl.carleton.ca/~jamuir/papers/TR-06-05.pdf this paper], section 2 for a Survey of IP Geolocation Techniques. Some accuracy tests of a GeoIP2 City database can be found [https://www.maxmind.com/en/city_accuracy here].
See also our work on memory-hard proofs of work, like [[Argon|Argon2]].
One may argue, however, that a large ISP may serve as a good anonymizer;
moreover, a more careful user may go through
multiple VPNs, or through an anonymity network like Tor, and thus IP
geolocation would be irrelevant in that case. This is true, but the
less obvious point is that the set of entry nodes would still serve as a
unique user ID in all these seemingly anonymous cases.
Knowing even only three of these nodes (out of a total of eight in most
cases) serves as a unique
user ID for the duration of a session (until the Bitcoin client software is
closed or until the computer is switched off).
The crucial idea is that when a user generates a transaction the entry
nodes are very likely to be among the first to forward the
transaction. We show that the set of entry nodes can be learned at the
time of connection and then used to identify the origin of a transaction
and link transactions made during one session even if they belong to new or
unrelated public keys in the transaction graph.
The attack targets the
anonymity of Bitcoin users on the network level and is complementary to
what can be found via transaction graph analysis.
We also show that the attacker can ban all Tor exit nodes (or public
proxies) by exploiting Bitcoin's anti-DoS protection.
The attack may consist of the following steps:
# (Optional) Ban connections to the Bitcoin network from Tor (or a target public proxy service) by sending malformed messages through each Tor exit node to each Bitcoin peer server (i.e. a Bitcoin peer accepting incoming connections).
# Establish many connections to each Bitcoin server (about 50). All connections can be established from a few machines; the number depends on how stealthy the attacker wants to be.
# Listen to the clients advertising their address on the connections established during step 2 and for each client's IP address save the peers from which the advertised address is received; we call these nodes entry nodes. Even 3 of them uniquely identify the client.
# Listen for transactions. If a transaction is first relayed by a subset of entry nodes of some client, mark the transaction as belonging to this client.
The attack requires only a few machines that establish a
certain number of connections using the Bitcoin protocol and log
the incoming traffic. In a concrete example, an attacker with
a few GB of storage and no more than 50 connections to each
Bitcoin server can disclose the sender's IP address in 11%
of all transactions generated in the Bitcoin network. If the
attacker allows a slight DoS of the network, he may achieve
deanonymization rates up to 60%, which has been confirmed
by the experiments in the Bitcoin test network. We estimate
the cost of the attack on the full Bitcoin network to be under
1500 EUR per month (this mainly includes the cost of renting 50 servers to make the attack less noticeable).
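From the side of a node operator, step 2 is visible as one source holding many inbound connection slots. The following is an added example, not part of the original page or the authors' code: it groups inbound peers from data shaped like <code>bitcoin-cli getpeerinfo</code> output by network and reports crowded sources. The sample peers, the /24 and /48 grouping and the threshold of 5 are assumptions chosen for illustration, and the check only surfaces the case where the connections come from a few machines.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output; only the
# "addr" and "inbound" fields are used. Addresses are documentation ranges.
SAMPLE_PEERS = json.dumps(
    [{"addr": f"203.0.113.{10 + i % 3}:{40000 + i}", "inbound": True}
     for i in range(12)]
    + [
        {"addr": "198.51.100.7:51234", "inbound": True},
        {"addr": "[2001:db8:1::5]:8333", "inbound": True},
        {"addr": "192.0.2.44:8333", "inbound": False},
        {"addr": "exampleonionaddr.onion:8333", "inbound": True},
    ]
)

def split_host(addr):
    """Return the host part of 'ip:port' or '[ipv6]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]

def group_key(host, v4_prefix=24, v6_prefix=48):
    """Map an IP to its enclosing network; None for non-IP hosts (.onion)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    prefix = v4_prefix if ip.version == 4 else v6_prefix  # assumed prefixes
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def crowded_sources(peers_json, threshold=5):
    """Networks holding at least `threshold` inbound connections to this node."""
    counts = Counter()
    for peer in json.loads(peers_json):
        if not peer.get("inbound"):
            continue  # outbound peers were chosen by this node itself
        key = group_key(split_host(peer["addr"]))
        if key is not None:
            counts[key] += 1
    return {net: n for net, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for net, n in crowded_sources(SAMPLE_PEERS).items():
        print(f"{net}: {n} inbound connections")
```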
You can find answers to some common questions in [[Bitcoin P2P deanonymization attack FAQ]].

Latest revision as of 10:48, 22 May 2015

Informal description of the Bitcoin deanonymization attack.
 Press release on secure, anonymous, easy way to pay for online content

See also our work on memory-hard proofs of work, like Argon2.