Deanonymization of Clients in Bitcoin P2P Network Talk about how anonymous are Bitcoin transactions? How many of you think they’re anonymous? If they aren’t anonymous, then why were they used on Silk Road? Deanonymization of Clients in Bitcoin P2P Network
What is Bitcoin? Digital Currency First proposed in 2007 by Satoshi Nakamoto Decentralized No central authority Doesn’t rely on trust Central authority Currency trading Confiscation Change in Power Devaluation when governments change etc.
How does Bitcoin work? Balances Transaction Security Processing https://bitcoin.org/en/how-it-works Have to have something that keeps track of who has what. Have to have a way of trading the currency. Have to have computers to process the transaction and those computers have to be distributed.
Transactions (key pair) Based on asymmetric encryption ID is base 58 encoding of the hash of the public key Sign transactions with private key. If person A wants to send person B money, they build the transaction with person B’s ID as the owner and then they sign it with their private key. All your bitcoins are included in each transaction – no partial payments Transaction includes source/input, amount and output
Balances (block chain)
Balances (block chain) Operates on a collection of blocks Similar to a general ledger Hi=SHA-256(SHA-256(Hi-1||Ti||TXi||di||Ni)) < f(di) Hi = header block Ti = timestamp TXi = hash of the transaction data di =difficulty parameter N = nonce 80 byte F(d) is a linear function of the difficulty. Currently must be smaller that 2198 – i.e. the 64 most significant bits are 0
Processing (mining) Block has to be confirmed/recording Mining is process of including transaction in block Brute force SHA-256 hash to find value < f(d) Hi=SHA-256(SHA-256(Hi-1||Ti||TXi||di||Ni)) < f(di) Reward is 25 bitcoins Change nonce
Bitcoin P2P Network
Bitcoin P2P Network Address Propagation Peer Discovery Transaction Propagation Three pieces to communication in bitcoin network Publishing your address to help peers discover other peers Discover other peers to connect to Forward transactions after they occur Bitcoin peers try to maintain 8 outgoing connections. Servers accept up to 117 incoming connections – total 125 Currently 8,000 servers and 100,000 clients
Address Propagation Peers request addresses from each other. Node computers Hash of each neighbor with address to forward, salt, day, memory address Node sorts the hash and forwards to the one on top Node N0 get address from Node N3 N0 looks up top hash (let’s say N1) and sends the address 100 ms later N0 looks up next top hash (let’s say N3) so nothing to do N0 looks up next top hash (N2) and sends the address
Peer Discovery Connects to two hard-coded sites to get external IP Client makes connection to server and publishes IP Remote peer propagates address
Transaction Propagation Sender computes hash for random wait time Sender transmits INVENTORY message to peers Receiver requests transaction data with GETDATA Receiver forwards transaction to peers ASSUMPTION: Entry node will always forward fastest Receiver runs a series of check on the information in the Inventory message and if it all looks good will request the transaction
To connect a Bitcoin address to User’s IP. What is the Goal? To connect a Bitcoin address to User’s IP.
The Onion Routing (TOR) What is TOR? How does TOR affect Bitcoin?
How does TOR affect Bitcoin? TOR would make it impossible to tie Bitcoins to anything other than the TOR exit node.
Disconnecting from TOR First phase of attack Exploit Bitcoin Denial of Service protection Approximately 1008 TOR exit nodes Possible countermeasures Countermeasure – similar to adding a cookie for Diffie Hellman clogging attack protection – make connection to TOR more computationally expensive initially
What’s new here? Attack purposed in original paper Method targets clients Crucial idea is each client can be uniquely identified by the entry nodes it connects to. Deanonymization rates of 11%-60%.
Learning Topology Connect to W Bitcoin servers where W is close to the total number of servers For each advertised Client IP, log the servers that forwarded the IP to you. Problem: Server might broadcast elsewhere. Solution: Make multiple connections to entry servers Broadcast Client IP to target entry nodes When you broadcast the IP to everyone else, they won’t send it to you in the future. This helps to make sure that when the client reconnects, the entry point will send the client IP to the client and stop the propagation. Learn which servers are entry nodes for which IP’s over time.
Deanonymization Getting the list of servers Composing the deanonymization list Mapping clients to their entry nodes 3 entry nodes identify user Sometime only need 2 nodes Mapping transactions to entry nodes
Recap Make many connections to servers. Learn client entry nodes by listening to address propagation Tie transactions to clients based on which server forwards the transaction first assuming entry nodes will always forward first.
Experimental Results Custom bitcoin client 50 additional connections to each server if possible Sent transactions from clients Transaction first forwarded by entry nodes Correctly linked 59.9% of transactions Using only 20 connections identified 41% of transactions
Analysis Success depended on number of connections to servers/all target’s entry nodes False Positives? Overall success rate: With 50 connections, expect to capture 11% Must send 9 transactions to reveal address Change IP every connection to thwart
Conclusion Correlates ID/public key to IP Technique to learn network Could be used in other point-to-point networks.
Other Topics Alternate Reality Further learning to Topography Estimating Success Rate: Details (Appendix) Attack Costs (Appendix) Transaction Propagation Delay (Appendix) On Stability of the Fingerprint (Appendix) Denial of Service (Appendix)
Questions?