Professional Documents
Culture Documents
Most blockchain users remain susceptible to privacy attacks. Many researchers advocate using anonymous
communications networks, such as Tor, to ensure access privacy. We challenge this approach, showing the
need for mechanisms through which non-anonymous users can publish and fetch transactions without
enabling others to link those transactions to their network addresses or to their other transactions.
38 July/August 2018 Copublished by the IEEE Computer and Reliability Societies 1540-7993/18/$33.00 © 2018 IEEE
brought to bear an arsenal of powerful heuristics using reflected in all replicas of the blockchain within some
which attackers can effectively link disparate Bitcoin predefined expected time, which can range from a few
transactions to a common user and, in many cases, to seconds (for instance, in Ripple) to a few minutes (for
that user’s real-world identity. Ultimately, instead of pro- instance, in Bitcoin).
viding the bastion of privacy for financial transactions Each transaction is associated with a pair of pseud-
that its early adopters envisioned, Bitcoin and its altcoin onyms (often called wallets), respectively identifying
brethren are in many ways less private than traditional the sender and receiver of some digital assets. Users
banking, where government regulations mandate basic can generate new pseudonymous wallets with which
privacy protections. In an attempt to address this situa- to receive digital assets arbitrarily and at will; it is con-
tion, the cryptography and privacy research communi- sidered a best practice for Bitcoin users to generate a
ties have proposed and implemented several protocols fresh, ephemeral wallet whenever they wish to conduct
aiming to improve blockchain privacy. These protocols a new transaction. The primary motivation for gener-
all try to decouple users’ pseudonymous identities from ating such ephemeral wallets is to protect user privacy
the specific transactions they make, thereby frustrating by making it difficult for an attacker to link together the
attempts to link transacting parties based on data that various transactions involving a given user by simply
appears in the blockchain. However, none of the pro- examining the sender and receiver pseudonyms appear-
posed protocols attempts to hide the identities of users ing in transactions recorded in the ledger. However, as
from network-level adversaries as the users publish or Bitcoin and related altcoins grow ever-more prevalent,
retrieve data from the blockchain. Instead, the proposed there is a growing concern that the “privacy” offered by
protocols “outsource” this crucial step, relying on an this approach is illusory at best. Indeed, as mentioned
external anonymous communications network such as previously, the past eight years of research into block-
Tor (https://www.torproject.org). However, running chain privacy has given rise to a veritable treasure trove
complex protocols over general-purpose, low-latency of effective heuristics using which attackers can link
anonymity networks such as Tor is fraught with risks Bitcoin transactions back to a common user, despite the
and can expose users to subtle-yet-devastating deano- widespread use of ephemeral wallets.1–3
nymization attacks, thereby undermining the privacy Figure 1 depicts a traditional blockchain architec-
guarantees of the entire blockchain system. We can ture. (We use the qualifier “traditional” here to differ-
do better! entiate the blockchain architectures we consider from
those involving payment channels and other layer-2
Cryptography to the Rescue? applications, which introduce a host of new privacy
Most blockchains are, at their core, massively dis- concerns that are beyond the scope of this article.) For
tributed and publicly accessible databases; therefore, the purposes of this article, we focus on the two arrows
beyond ensuring that the data they store does not, in that are bold and highlighted in green; specifically, we
and of itself, betray user privacy, any research program focus on the need for innovative mechanisms that allow
that seeks to fully address blockchain privacy must addi- users to
tionally consider (at the very least) privacy for two fun-
damental types of transactions: reading data from and ■■ announce and publish transactions anonymously, a
writing data to a blockchain. task for which we envision a tailor-made anonymity
In the context of cryptocurrencies like Bitcoin, the mechanism that is integrated directly into the block-
database represented by the blockchain is a publicly chain architecture; and
accessible and verifiable ledger of financial transactions. ■■ fetch transactions privately, a task for which we envi-
Specifically, whenever a transaction occurs, the origi- sion using special private information retrieval (PIR)
nating party publicly announces the transaction to a protocols designed and optimized to support efficient
handful of selected entities, who then spread the details and expressive queries for transactions stored in a
of that transaction throughout the network via a gossip blockchain.
protocol. The transaction is ultimately aggregated
with several other (unrelated) transactions into a dis- We note that a handful of second-generation
crete block, which then gets irreversibly appended to a altcoins—including Zcash (https://z.cash) and Monero
chain comprising all earlier blocks. The chain of blocks (https://getmoreno.org)—natively employ crypto-
can—indeed, to obtain strong integrity and availability, graphic techniques to prevent the contents of transac-
must—be replicated and shared in its entirety among tion on the blockchain from leaking private information
many nodes in a network, thereby providing each node about transacting parties. Likewise, the research litera-
with a global, eventually consistent view of every trans- ture contains several proposals (a selection of which
action that has ever taken place. New transactions are we summarize in the next subsection) that aim to
www.computer.org/security 39
BLOCKCHAIN SECURITY AND PRIVACY
Focus 1:
Announcing
transactions
Miner/
validator
Relay
Full
client
Focus 2:
Fetching Thin
transactions client
Figure 1. Topology of a typical blockchain system. The two bold arrows (highlighted in green) illustrate sensitive
information flows that must be protected to prevent attackers from leveraging network-level information to compromise
the privacy of blockchain users.
provide similar transaction privacy atop the deployed the mixing service from stealing assets that users try
Bitcoin, Ripple, and Ethereum blockchains. While such to route through it. A series of progressively more
approaches are effective at protecting blockchain users sophisticated protocols have been proposed to address
against a subset of the deanonymization heuristics that CoinJoin’s limitations.
plague mainstream deployed blockchains, we empha- The first improvement was Mixcoin, which attempts
size that the existing approaches, so far, focus on pre- to mitigate the risk of theft by holding the mixing ser-
venting the data stored in a blockchain from leaking vice “accountable” if it steals a user’s assets (though
private information—they do nothing significant to theft is still technically possible and the mixing service
mitigate against inferences that leverage network-level still learns who is transacting with whom). Building on
information (for example, IP addresses) or access pat- a series of incremental improvements to this basic idea
terns (for example, specific blocks or portions thereof) (including BlindCoin and Blindly Signed Contracts),
revealed when users interact with the blockchain data. a proposal called TumbleBit4 finally addressed the
As such, the existing proposals all fall far short of solv- accountability and anonymity weaknesses of Mixcoin
ing the blockchain privacy problem in its entirety. in a manner fully compatible with Bitcoin; however, the
TumbleBit approach requires upwards of 20 minutes
Existing Protocols for Transaction Privacy (that is, two Bitcoin blocks) per transaction on aver-
As the insufficiency of ephemeral pseudonyms became age and introduces additional transaction fees. Aniket
apparent to the Bitcoin community, a proposal called Kate’s CoinShuffle and CoinShuffle115 take a differ-
CoinJoin emerged as a potential solution. In CoinJoin, ent approach, having users perform a special multiparty
users route their transactions through a centralized computation among themselves so that no third-party
mixing service (sometimes called a tumbler), which mixing service is necessary.
serves to obscure the relationships between the send- The emerging privacy-centric cryptocurrencies,
ers and receivers of those transactions before they are such as Zcash and Monero, employ cryptographic
posted to the ledger. However, such centralized mix- primitives such as zero-knowledge succinct noninter-
ing services introduce a single point of trust and fail- active argument of knowledge (zk-SNARK), traceable
ure; indeed, the mixing service always knows the link ring signatures, confidential transactions, and stealth
between the sender and receiver of each transaction, addresses to offer significantly better privacy properties
and perhaps more troublingly, there is nothing to stop than those possible for Bitcoin transactions.
www.computer.org/security 41
BLOCKCHAIN SECURITY AND PRIVACY
Finally, due to their decentralized design, blockchain The blockchains underlying Ripple and the Linux
systems seem like prime candidates for fulfilling their own Foundation’s Hyperledger (https://www.hyperledger
anonymity and privacy needs, avoiding the dependency on .org) are two prominent examples of permissioned
external services and providing performance and privacy/ blockchains. In contrast to permissionless blockchains,
anonymity guarantees tailored to their own needs. permissioned blockchains do place restrictions on
In short, we believe that effective blockchain privacy who participates in the consensus process. A group of
necessitates rethinking the one-size-fits-all approach highly available entities (with strong identities) collec-
of using external anonymous communications infra- tively decide which blocks should be appended to the
structures to solve all problems requiring anonymity. chain by leveraging a Byzantine fault-tolerant atomic
Although anonymity does indeed love company, mixing broadcast protocol. This approach allows permissioned
two dissimilar types of traffic together does not neces- blockchains to reach consensus very rapidly, requir-
sarily improve anonymity for either type and, if not done ing as little as a few seconds for each transaction to be
very carefully and correctly, may in fact provide weaker reflected in the ledger.
anonymity than protecting each type of traffic with its The contrasting security assumptions and efficiency
own tailor-made solution. guarantees of permissionless and permissioned block-
chains make them well suited to different use cases,
Publishing Transactions Anonymously and indeed, the two varieties are prospering together:
By their very design, blockchain systems require exten- traditionally structured organizations/consortiums are
sive overlay networks through which participants increasingly adopting permissioned blockchains, while
announce transactions and agree on what transactions peer-to-peer (P2P) solutions continue to leverage per-
should ultimately appear on the blockchain. Thus, it missionless blockchains.
seems natural to leverage the existing overlay structure
to realize anonymous transaction publishing, rather Publishing to Permissionless Blockchains
than relying on an external service like Tor. We propose Permissionless blockchain systems (like Bitcoin and
that blockchain privacy protocols should de-link users’ Ethereum) employ P2P networks of relays to propa-
network-level information from their transactions using gate transactions and blockchain updates throughout
mechanisms that piggyback on the overlay network the network using a best-effort gossip protocol. Such
that is already in place for announcing transactions. P2P networks typically experience considerable churn,
The specifics of how such a mechanism might work with relays joining, leaving, and rejoining the network
vary, depending on the structure of the overlay network at will; however, the average number of relays in the net-
imposed by the consensus protocol—that is, depending work at any given time can remain relatively high. For
on how participants decide which transactions qualify example, at the time of writing, the number of online
for inclusion in the blockchain. relays in the Bitcoin network at any given time is about
Proposed and deployed blockchains fall into two one-and-a-half times the number of Tor relays. (As of
distinct categories based on the mechanism they use to 4 October 2017, Tor Metrics estimates about 6,300
build a consensus around what data to immortalize in Tor relays [https://metrics.torproject.org] versus the
the blockchain: permissionless and permissioned. Bitnode estimate of about 9,900 full Bitcoin nodes
The blockchains underlying Bitcoin and Ethereum [https://bitnodes.21.co].) One might, therefore, con-
constitute two prominent examples of permissionless sider employing the elaborate Bitcoin communica-
blockchains. As their name implies, permissionless tion infrastructure toward improving the anonymity
blockchains place no restrictions on who participates of users’ announcements. Given the P2P nature of the
in the consensus process. Instead, unrestricted entities network, we believe it may be possible to leverage the
called miners collectively decide which blocks should existing academic research on P2P anonymous commu-
be appended to the chain by providing an associated nications networks. For instance, such a solution could
proof of work. In the case of Bitcoin, this proof of work be based on Pisces,8 employing the social trust links to
takes the form of a “partial hash inversion,” wherein the construct anonymous communication paths that are
miners seek inputs that lead a cryptographic hash func- robust to compromise in the presence of route-capture
tion to produce a digest whose numerical value does not attacks and Sybil nodes. However, given the dynamic
exceed some global-parameter target. and open nature of permissionless blockchains such as
Such a permissionless consensus guarantees that Bitcoin, establishing trust in relays will be a prominent
only valid blocks get appended to the blockchain challenge.
(approximately) under the assumption that more than The Kovri project (https://www.getcorvi.org), an
half of all mining resources in the network are con- offshoot of the Monero and Bitcoin developers’ recent
trolled by honest—or, at least, noncolluding—entities. interest in the Dandelion networking policies,9 clearly
www.computer.org/security 43
BLOCKCHAIN SECURITY AND PRIVACY
Take advantage of the special resources for job seekers—job alerts, career
advice, webinars, templates, and resumes viewed by top employers.
www.computer.org/jobs
www.computer.org/security 45