Deanonymization and linkability of cryptocurrency transactions based on network analysis

(1)

Deanonymization and linkability of cryptocurrency transactions based on network analysis Biryukov, Tikhomirov Introduction Tx clustering Parallel connections Weighting timestamp vectors Correlation matrix Measuring anonymity Experiments

Estimating the source IP Discussion Conclusion

1/39

Deanonymization and linkability of

cryptocurrency transactions based on

network analysis

Alex Biryukov, Sergei Tikhomirov University of Luxembourg

(2)

Outline

Introduction Transaction clustering Parallel connections

Weighting timestamp vectors Correlation matrix

Measuring anonymity Experimental results

Estimating the source IP Discussion

(3)

Estimating the source IP Discussion Conclusion 3/39

Outline

Measuring anonymity

Experimental results

Estimating the source IP

(4)

Bitcoin

(5)

5/39

Privacy in Bitcoin

(6)

Taint analysis heuristics

I All transaction inputs probably belong to the sender I One output probably also belongs to the sender

(7)

7/39

Privacy coins hinder blockchain analysis...

I Dash: mixing by masternodes

I Monero: ring signatures

(8)

...but what about network analysis?

(9)

9/39

Our contributions

I We introduce a new transaction clustering method based on weighted vectors of IP addresses

(10)

Outline

Measuring anonymity

(11)

11/39

Message propagation in Bitcoin

(12)

Broadcast randomization in Bitcoin and forks

(13)

13/39

Intuition

(14)

Outline of our clustering method

(15)

15/39

Parallel connections

I Default connections: 8 outgoing + up to 117 incoming I We are unlikely to get a new tx quickly with only one

connection per node

(16)

(17)

17/39

(18)

Weighting timing vectors

IP addresses pi announce a new tx to us at times ti. We assign exponentially decreasing weights to pi:

w (pi) = e−(ti/k)

2

where the median IP gets weight 0.5: k = tmedian

(19)

19/39

Weighting timing vectors: example

High values indicate higher probability of an IP to be the sender or one of its entry nodes.

(20)

Clustering the correlation matrix

I For each pairwise correlations of weight vectors of txs I Hypothesis: correlation matrix has a block-diagonal

structure

(21)

21/39

Heatmap visualization

I Display correlations between weight vectors as matrix I Darker color means higher correlation

(22)

Deanonymization and linkability of cryptocurrency transactions based on network analysis Biryukov, Tikhomirov Introduction Tx clustering Parallel connections Weighting timestamp vectors Correlation matrix Measuring anonymity Experiments Estimating the source IP Discussion Conclusion

Measuring anonymity

We use anonymity degree proposed by D´ıaz et al.1: d = −

PN

i =1pilog2(pi) log2(N)

where pi is the probability of the i -th tx to originate from the given source.

I d = 1: users are equally likely to be the senders of a given message

(23)

Deanonymization and linkability of cryptocurrency transactions based on network analysis Biryukov, Tikhomirov Introduction Tx clustering Parallel connections Weighting timestamp vectors Correlation matrix Measuring anonymity Experiments Estimating the source IP Discussion Conclusion

23/39

Putting the pieces together

I Connect to many nodes from servers on 3 continents I Log transaction announcements

I Assign weights to vectors of timestamps

I Calculate pairwise correlations between weight vectors I Apply the spectral co-clustering algorithm 2

I Calculate anonymity degree for our txs as ground truth I Ethical considerations: mostly testnet, our own txs

2

(24)

Outline

Measuring anonymity

(25)

25/39

(26)

(27)

27/39

(28)

(29)

29/39

Dash

(30)

Discussion Conclusion

Estimating the source IP from ADDR messages

I A new node advertises its IP in ADDR messages I We intersect the announced IPs from ADDRs with the

highest-weighted IPs in tx clusters (Bitcoin testnet) I In most experiments, the source IP appeared among

(31)

Discussion Conclusion 31/39

Outline

Measuring anonymity

Discussion

(32)

Discussion

Conclusion

Cost of attack

I Feasible for a moderately resourceful attacker I Main cost components are bandwidth and storage I We estimate the cost of a full-scale attack on Bitcoin

(33)

Discussion

Conclusion

33/39

Countermeasures

I Don’t issue many txs in the same session

(34)

Discussion

Conclusion

Countermeasures (contd): new relay protocols

I Dandelion++: two-stage propagation for better anonymity. Only outgoing connections for first phase. Hard to force a remote node to connect to us

(35)

Estimating the source IP Discussion Conclusion 35/39

Outline

Measuring anonymity

Discussion

(36)

Conclusion

(37)

Conclusion

37/39

Future work: mobile wallets

(38)

Conclusion

Questions?

I

cryptolux.org

(we are hiring postdocs)

(39)

Conclusion

39/39

Image credits

I Transaction structure: Andreas Antonopoulos. https://bit.ly/2MPDpba