
Privacy Aspects and Subliminal Channels in Zcash


Academic year: 2021


Privacy Aspects and Subliminal Channels in Zcash Alex Biryukov, Daniel Feher, Giuseppe Vitto Introduction to Zcash Transaction Linking Subliminal Channels

Privacy Aspects and Subliminal Channels in Zcash

Alex Biryukov, Daniel Feher, Giuseppe Vitto

University of Luxembourg


Introduction to Zcash

- Zcash is a privacy-oriented digital currency.
- Built on a variety of cryptographic primitives:
  - zkSNARKs, commitment schemes, Merkle trees, encryption, etc.


Zcash: Addresses

- Zcash offers two types of addresses:


Zcash Transaction Types

Public:    t-address → t-address
Hiding:    t-address → z-address
Revealing: z-address → t-address
Private:   z-address → z-address


Zcash Transaction Layout

Transparent Input(s)    Transparent Output(s)
Hidden Value Balance    Fee
Spend Description 1     Output Description 1
Spend Description 2     Output Description 2
...                     ...
Spend Description K     Output Description L


Value Fingerprints

- ~97% of shielded transactions use $10^4$ Zatoshis as fee.
- Last 4 digits are not changed by the fee.


Danaan-Gift Attack

- What is the success ratio of the attack?


Zcash Transaction Layout

Transparent Input(s)    Transparent Output(s)
Hidden Value Balance    Fee
Spend Description 1     Output Description 1


The Survival Probability of Fingerprints

- We have developed a statistical model for the shielded pool.
- Based on the number of inputs and outputs in a shielded transaction.
- Markov-chain of all possible scenarios.


- The average number of hops a path goes through inside the shielded pool is only 1.42.
- The survival probability of good fingerprints is ~16.6%.


Countermeasures

- Dust Attack is recognizable: move funds once.
- Danaan-gift Attack manual defense: do not use default fees.


Subliminal Channels

- We found 3 subliminal channels by exploiting malleability of Pedersen’s commitments and Groth16’s zkSNARKs proofs:
  1. Pedersen Subliminal Channel (commitment scheme)
  2. Inner Subliminal Channel (zkSNARK)
  3. Outer Subliminal Channel (zkSNARK)
- Key Idea: use re-randomization until a desired subliminal message is


Shielded Transaction Layout

Transparent Input(s)    Transparent Output(s)
Hidden Value Balance    Fee
Binding Signature
Spend Description       Output Description
Fields shown: Spend DATA, Committed Input Note Value, zk-SNARK Proof, Output DATA, Committed Output Note Value


Pedersen Subliminal Channel

- A note value $v$ is committed to $c$ with randomness $r$ as

  $v \longrightarrow c = g^{v} h^{r} = \texttt{0xf2c71e906}$

- $c$ can be re-randomized to $c'$ as

  $c \longrightarrow c' = c \cdot h^{s} = g^{v} h^{r+s}$

- By selecting different random values $s$, we found that

  $c' = c \cdot h^{s} = \texttt{0x76b760123}$
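The re-randomization identity above and the "Key Idea" of retrying until a tag appears, as an added example that is not code from the talk or from Zcash. It uses a toy commitment over $\mathbb{Z}_p^*$; the modulus `P`, the bases `G` and `H`, the low-bits tag encoding and all function names are assumptions chosen for illustration.

```python
# Toy Pedersen commitment over Z_p^* (multiplicative notation as on the slide).
# Assumptions (not from the talk): P, G, H and the "low bits" tag encoding are
# illustrative only; Zcash itself uses elliptic-curve commitments.
P = 2**127 - 1        # Mersenne prime, toy modulus
ORDER = P - 1         # exponents live modulo the group order
G, H = 3, 5           # toy bases; a real scheme needs log_g(h) to be unknown


def commit(v: int, r: int) -> int:
    """c = g^v * h^r mod p."""
    return pow(G, v, P) * pow(H, r % ORDER, P) % P


def rerandomize(c: int, s: int) -> int:
    """c' = c * h^s: a commitment to the same v under randomness r + s."""
    return c * pow(H, s % ORDER, P) % P


def low_bits(c: int, bits: int) -> int:
    """The part of the commitment encoding that a reader treats as a tag."""
    return c & ((1 << bits) - 1)


def grind(c: int, tag: int, bits: int, max_tries: int = 1 << 20):
    """Step s = 1, 2, ... until low_bits(c * h^s) == tag; return (s, c')."""
    cur = c
    for s in range(1, max_tries + 1):
        cur = cur * H % P              # one multiplication per candidate
        if low_bits(cur, bits) == tag:
            return s, cur
    raise RuntimeError("tag not reached within max_tries")


if __name__ == "__main__":
    v, r = 462_000_000, 0x1234_5678_9ABC    # constructed: 4.62 ZEC in zatoshis
    c = commit(v, r)
    s, c2 = grind(c, tag=0x5A, bits=8)
    assert c2 == commit(v, r + s)            # still opens to the same value
    print(f"tries={s}  c'={c2:#x}  tag={low_bits(c2, 8):#x}")
```

The tagged commitment opens to the same $v$ as the original, so nothing in the commitment itself distinguishes it from an honestly generated one, and reaching a $k$-bit tag takes about $2^k$ candidates on average.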


Pedersen Subliminal Channel

Transparent Input(s)    Transparent Output(s)
Hidden Value Balance    Fee
$c_{in,1}$ = 0xf34aca1c    $c_{out,1}$ = 0xce10e552
$c_{in,2}$ = 0xdb1bba91    $c_{out,2}$ = 0x180c7891
...                        ...
$c_{in,K}$ = 0xc1c41a7a    $c_{out,L}$ = 0x76b760123
Binding Signature


Pedersen Subliminal Channel

Transparent Input(s)    Transparent Output(s)
Hidden Value Balance    Fee
$g^{v_{in,1}}$ = 0xab59a74d    $g^{v_{out,1}}$ = 0x53b57fe8
$g^{v_{in,2}}$ = 0xbd18d746    $g^{v_{out,2}}$ = 0xca6d4be2
...                            ...
$g^{v_{in,K}}$ = 0xbaf072a4    $c_{out,L}$ = 0x76b760123
Binding Signature


Pedersen Subliminal Channel

Transparent Input(s)    Transparent Output(s)
Hidden Value Balance    Fee
$v_{in,1}$ = 1.12 ZEC    $v_{out,1}$ = 0.05 ZEC
$v_{in,2}$ = 3.47 ZEC    $v_{out,2}$ = 2.01 ZEC
...                      ...
$v_{in,K}$ = 5.14 ZEC    $c_{out,L}$ = 0x76b760123
Binding Signature


Pedersen Subliminal Channel

Transparent Input(s)               Transparent Output(s)
Hidden Value Balance = 2.43 ZEC    Fee
$v_{in,1}$ = 1.12 ZEC    $v_{out,1}$ = 0.05 ZEC
$v_{in,2}$ = 3.47 ZEC    $v_{out,2}$ = 2.01 ZEC
...                      ...
$v_{in,K}$ = 5.14 ZEC    $v_{out,L}$ = 4.62 ZEC
Binding Signature


Decoupled Spend Authority


The Inner Subliminal Channel

- A zkSNARK proof is generated by choosing two different random values.
- A malicious proving system can iteratively select different randomness until the resulting π embeds the subliminal message.
- ‘Inner’ because a message is embedded before π is finalized.


The Outer Subliminal Channel

- A proof π can be re-randomized using some non-expensive elliptic curve operations and without knowing any witness.
- π is iteratively re-randomized until the subliminal message is embedded.
- ‘Outer’ because re-randomization is done on an already generated proof.


Implementation Results

- We embedded 9 bytes in a fully shielded transaction with 1 shielded input and 2 shielded outputs (3 bytes per description).
- On a standard laptop, it took on average 3.0087s compared to 2.8412s normally needed (just a 6% increase).


Countermeasures

- Use proof re-randomization to disrupt any embedded subliminal message.
- Combine two (even tagged) proofs for the same statement.


Summary

- Two different approaches for transaction tagging and linking in Zcash:
  1. Transaction Linking Attacks:
     - Based on interplay of transparent and hidden transactions;
     - Verified with a rigorous statistical model.
  2. Subliminal Channels:
     - Based on discovery of subliminal channels in cryptographic primitives used to build hidden transactions;
