Pedro MMCI, Saarland University

Transcription

1 CoinShuffle: Practical Decentralized Coin Mixing for Bitcoin [project page] Pedro MMCI, Saarland University Aniket

2 Introduction Alice Dealer Hash Hash(vk) = Bitcoin address Money 3J98t1WpEZ73CNmQv iecrnyiwrnqrhwnly Bitcoin Transaction 2

3 Bitcoin 101 itcoin Address A = Hash(vk) sk: signing key vk: verification key Bitcoin Transaction A': BB public list of transactions 3

4 Linkability of Pseudonyms A': BB B' A A' 4

5 Linkability of Pseudonyms A': BB B' A A' 5

6 Linkability of Pseudonyms B' C' A D' A' A'' A''' 6

7 Deanonymization Attacks in Practice [Meiklejohn et al., IMC'13] Push-the-button tool for clustering: Check out bitiodine.net [Spagnuolo et. al., FC'14] 7

8 Avoiding the Linkability Zerocoin [Miers et al., S&P'13] and Zerocash [Ben-Sasson et al., S&P'14] Unlinkability by design Inefficient or requires trusted setup Not compatible with Bitcoin 8

9 Naïve Coin Mixing tainted addresses fresh addresses!? 9

10 Naïve Coin Mixing tainted addresses fresh addresses Problems Mix can still link the addresses accountability possible Mix can steal the money using Mixcoin [Bonneau et al., FC'14] Mix may require a fee 10

11 Mixing using CoinJoin [Maxwell] σb σc B: B C: B C': B A': B σb σc Coins cannot be stolen. (Verifiability) How to create shuffled list of outputs obliviously? (Unlinkability) How to prevent DoS attacks? (Robustness) 11

12 Goals System Security Unlinkability After a successful run of the protocol, participants' input and output addresses are unlinkable. Compatibility with Bitcoin Decentralization Efficiency Verifiability Coins cannot be stolen. Robustness If the protocol does not complete, we can expose at least one misbehaving user (and restart without this user). 12

13 Scenario and Threat Model Alice Bob (ska, vka) (skb, vkb) Carol Dave (skc, vkc) (skd, vkd) Bitcoin cryptographic keys Bulletin board does not exclude participants Two honest participants required for unlinkability 13

14 CoinShuffle: Announcement (eka, dka) EncGen(); A' AddrGen(); (ekb, dkb) EncGen(); B' AddrGen(); ek: encryption key dk: decryption key sk: signing key (ekc, dkc) EncGen(); C' AddrGen(); (ekd, dkd) EncGen(); D' AddrGen(); Sign(skA; A) Sign(skB; ekb, B) Sign(skC; ekc, C) Sign(skD; ekd, D) B: B C: B D: B 14

15 CoinShuffle: Shuffling inspired from Dissent [Corrigan-Gibbs and Ford, CCS'10], with 4x speedup ekb ekc ekd s A' A' B' B' D': B B' A' C' B': B C' A' A': B D' C': B 15

16 CoinShuffle: Transaction Verification σb σc σd B: B C: B D': B A': B C': B B: B C: B D: B D': B C': B D: B σb σc σd σb σc σd E': B (no signature for A) σb σc σd Blame phase 16

17 CoinShuffle: Blame s A' A' B' B' B' E' A' C' C' E' B A': E': D' C': B D': B B B': dka dkb dkc dkd All (other) cases are discussed in the paper in detail. 17

18 Evaluation Prototype implementation in Python OpenSSL cryptographic library Emulab testbed Measured time for: Running the whole protocol (local and global network scenarios) Only computation 18

19 Communication with the Bitcoin Community BitcoinAuthenticator (Chris Pacia) Demo (Bryan Vu) youtube.com/watch?v=t-cx-s8fq5a NXT meetup.com/sf-bitcoin-devs/events/ / twitter.com/comefrombeyond/status/

20 Conclusions Linkability of transactions is a privacy concern for users We present CoinShuffle: A decentralized, efficient and totally compatible protocol Based on mixing and CoinJoin Security guarantees: unlinkability, verifiability and robustness Next step: Specification and real implementation Project page with paper and prototype implementation: / Contact: 20