Ke Huang,Yi Mu,Fatemeh Rezaeibagha,Xiaosong Zhang,Xiong Li,Sheng Cao

DOI: https://doi.org/10.1109/tdsc.2023.3251735

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Monero is a privacy-centric cryptocurrency that allows users to obscure their transactions with multiple input and output addresses. Current research on Monero mainly focuses on identifying design vulnerabilities or optimizing towards stronger privacy, security, etc. For example, improving the design of ring confidential transaction (RingCT) protocol proposed by Noether et al. As revealed by Ali et al. in USENIX 2016, new blockchains have inadequate nodes and network computing resources to resist powerful attack (e.g., 51% attack). Obviously, Monero blockchain is not an exception. Ateniese et al. proposed the notion of redactable blockchain in EuroS $ \& amp;$ P 2017, which begins the trend of formalizing blockchain with extra cryptographic primitives. The motivation is to turn an immutable blockchain into a mutable ledger by adapting the blockchain design and integrating with new cryptographic schemes. In such a setting, users could use their private keys to perform the secure multi-party computation to reverse blockchain history. The idea of redactable blockchain has attracted many researchers to pursuit this topic. However, few works have considered the privacy-preserving setting. Even fewer have practised their designs in an actual cryptocurrency. In this paper, we seek to adapt the RingCT protocol with several building blocks. Our proposal achieves most of the desired properties for blockchain redaction. It allows multiple tracing authorities to collaboratively trace users’ identities, and a system manager to perform multi-grained (including block-level, transaction-level, accumulator-level and commitment-level) redaction on block contents. Our proposal can be seen as an extension of RingCT protocol. We give rigorous security requirements and comprehensive analysis of our scheme. The performance evaluation suggested that our scheme suffers from some unscalabilities in large-scale implementations. A more elegant design to achieve stronger security and ideal scalability is deemed as a challenging and interesting future work.

Abraham Hinteregger,Bernhard Haslhofer

DOI: https://doi.org/10.48550/arXiv.1812.02808

2019-01-04

Abstract:Monero is a privacy-centric cryptocurrency that makes payments untraceable by adding decoys to every real input spent in a transaction. Two studies from 2017 found methods to distinguish decoys from real inputs, which enabled traceability for a majority of transactions. Since then, a number protocol changes have been introduced, but their effectiveness has not yet been reassessed. Furthermore, little is known about traceability of Monero transactions across hard fork chains. We formalize a new method for tracing Monero transactions, which is based on analyzing currency hard forks. We use that method to perform a (passive) traceability analysis on data from the Monero, MoneroV and Monero Original blockchains and find that only a small amount of inputs are traceable. We then use the results to estimate the effectiveness of known heuristics for recent transactions and find that they do not significantly outperform random guessing. Our findings suggest that Monero is currently mostly immune to known passive attack vectors and resistant to tracking and tracing methods applied to other cryptocurrencies.

Cryptography and Security

Nada Hammad,Friedhelm Victor

2024-08-10

Abstract:Privacy-focused cryptoassets like Monero are intentionally difficult to trace. Over the years, several traceability heuristics have been proposed, most of which have been rendered ineffective with subsequent protocol upgrades. Between 2019 and 2023, Monero wallet application bugs "Differ By One" and "10 Block Decoy Bug" have been observed and identified and discussed in the Monero community. In addition, a decentralized mining pool named P2Pool has proliferated, and a controversial UTXO NFT imitation known as Mordinals has been tried for Monero. In this paper, we systematically describe the traceability heuristics that have emerged from these developments, and evaluate their quality based on ground truth, and through pairwise comparisons. We also explore the temporal perspective, and show which of these heuristics have been applicable over the past years, what fraction of decoys could be eliminated and what the remaining effective ring size is. Our findings illustrate that most of the heuristics have a high precision, that the "10 Block Decoy Bug" and the Coinbase decoy identification heuristics have had the most impact between 2019 and 2023, and that the former could be used to evaluate future heuristics, if they are also applicable during that time frame.

Cryptography and Security

Jingting Xue,Lingjie Shi,Liang Liu,Xiaojun Zhang,Fagen Li

DOI: https://doi.org/10.1007/s12083-023-01567-w

IF: 3.488

2023-01-01

Peer-to-Peer Networking and Applications

Abstract:Mixing serves as an effective method to safeguard the privacy of nodes in digital currency systems by introducing a mixer to break the link between transaction inputs and outputs. Existing mixing schemes heavily rely on stringent security assumptions to prevent potential risks, including privacy breaches and coin loss. Recognizing this concern, we propose DcMix, a decentralized private coin mixing scheme that ensures unconditional anonymity for nodes within a peer-to-peer network. To establish a mixing group that offers forward security, we employ the challenge-response model, forming a one-time chat room. This room utilizes a hierarchical key tree structure, generated through a key derivation primitive, wherein distinct branches serve specific purposes. This approach enables nodes in the group to construct their individual key trees, preventing the tracing of mixing records in an open network environment. Additionally, DcMix incorporates a variation of the Abe-Ohkubo-Suzuki (AOS) ring signature to conceal identities from both group nodes and online adversaries. DcMix achieves robust anonymity and transaction unforgeability, effectively countering known message attacks. Experimental results demonstrate that DcMix exhibits a computation overhead approximately 60% lower than CoinParty and CoinLayering with eight mixers. Furthermore, even with a high transaction volume of up to 1,900, DcMix’s computation overhead remains 25% lower than that of the aforementioned schemes.

Nasser Alsalami,Bingsheng Zhang

DOI: https://doi.org/10.1109/iwqos49365.2020.9213064

2020-01-01

Abstract:Public blockchains can be abused to covertly store and disseminate potentially harmful digital content which poses a serious regulatory issue. In this work, we show the severity of the problem by demonstrating that blockchains can be exploited to surreptitiously distribute arbitrary content. More specifically, all major blockchain systems use randomized cryptographic primitives, such as digital signatures and non-interactive zero-knowledge proofs; we illustrate how the uncontrolled randomness in such primitives can be maliciously manipulated to enable covert communication and hidden persistent storage. To clarify the potential risk, we design, implement and evaluate our technique against the widely-used ECDSA signature scheme, the CryptoNote's ring signature scheme, and Monero's ring confidential transactions. Importantly, the significance of the demonstrated attacks stems from their undetectability, their adverse effect on the future of decentralized blockchains, and their serious repercussions on users' privacy and crypto funds. Finally, we present a generic framework to immunize blockchains against these attacks.

Shi-Feng Sun,Man Ho Au,Joseph K. Liu,Tsz Hon Yuen

DOI: https://doi.org/10.1007/978-3-319-66399-9_25

2017-01-01

Abstract:In this work, we initially study the necessary properties and security requirements of Ring Confidential Transaction (RingCT) protocol deployed in the popular anonymous cryptocurrency Monero. Firstly, we formalize the syntax of RingCT protocol and present several formal security definitions according to its application in Monero. Based on our observations on the underlying (linkable) ring signature and commitment schemes, we then put forward a new efficient RingCT protocol (RingCT 2.0), which is built upon the well-known Pedersen commitment, accumulator with one-way domain and signature of knowledge (which altogether perform the functions of a linkable ring signature). Besides, we show that it satisfies the security requirements if the underlying building blocks are secure in the random oracle model. In comparison with the original RingCT protocol, our RingCT 2.0 protocol presents a significant space saving, namely, the transaction size is independent of the number of groups of input accounts included in the generalized ring while the original RingCT suffers a linear growth with the number of groups, which would allow each block to process more transactions.

Domokos Miklós Kelen,István András Seres

2024-06-01

Abstract:Cryptocurrencies aim to replicate physical cash in the digital realm while removing centralized and trusted intermediaries. Decentralization is achieved by the blockchain, a permanent public ledger that contains a record of every transaction. The public ledger ensures transparency, which enables public verifiability but harms untraceability, fungibility, and anonymity. In the last decade, cryptocurrencies attracted millions of users, with their total market cap reaching approximately three trillion USD at its peak. However, their anonymity guarantees are poorly understood and plagued by widespread misbeliefs. Indeed, previous notions of privacy, anonymity, and traceability for cryptocurrencies are either non-quantitative or inapplicable, e.g., computationally hard to measure. In this work, we put forward a formal framework to measure the (un)traceability and anonymity of cryptocurrencies, allowing us to quantitatively reason about the mixing characteristics of cryptocurrencies and the privacy-enhancing technologies built on top of them. Our methods apply absorbing Markov chains combined with Shannon entropy. To the best of our knowledge, our work provides the first practical, efficient, and probabilistic measure to assess the traceability of cryptocurrencies quantitatively, which also generalizes to entire cryptocurrency transaction graphs. We implement and extensively evaluate our proposed traceability measure on several cryptocurrency transaction graphs. Among other quantitative results, we find that in the studied one-week interval, the Bitcoin blockchain, on average, provided comparable but quantifiably more natural mixing than the Ethereum blockchain.

Cryptography and Security

Zhenshuai Yue,Haoran Zhu,Xiaolin Chang,Jelena Mišić,Vojislav B. Mišić,Junchao Fan

2024-05-07

Abstract:Traditional covert transmission (CT) approaches have been hindering CT application while blockchain technology offers new avenue. Current blockchain-based CT approaches require off-chain negotiation of critical information and often overlook the dynamic session keys updating, which increases the risk of message and key leakage. Additionally, in some approaches the covert transactions exhibit obvious characteristics that can be easily detected by third-parties. Moreover, most approaches do not address the issue of decreased reliability of message transmission in blockchain attack scenarios. Bitcoin- and Ethereum-based approaches also have the issue of transaction linkability, which can be tackled by Monero-based approaches because of the privacy protection mechanisms in Monero. However, Monero-based CT has the problem of sender repudiation. In this paper, we propose a novel Monero-Based CT approach (MBCT), which enables on-chain session key dynamically updating without off-chain negotiation. MBCT can assure non-repudiation of transmission participants, confidentiality of keys, reliability of message transmission and less observable characteristics. There are achieved by the three components in MBCT, namely, a sender authentication method, a dynamically on-chain session key updating method and a state feedback method. We implement MBCT in Monero-

Cryptography and Security

Liang Liu,Lin Liu,Beibei Li,Yi Zhong,Shan Liao,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108759

IF: 5.493

2022-03-01

Computer Networks

Abstract:Existing public blockchain-based covert communication systems are suffering the issues of insufficient robustness, anti-temper modification, and anonymity at both the transaction and network layers. In this paper, to overcome this problem, we propose a novel Monero-based security-enhanced covert communication system, in which a new storage-type covert channel is developed. This channel makes Monero transaction amount as data carrier for covert communication. Then, we devise two new algorithms, respectively for resisting Eclipse attacks and the two existing node crawling attacks. Extensive simulation experiments show that the developed new covert communication channel can achieve higher robustness, anti-detection, and anonymity. The new security-enhanced algorithms can effectively mitigate Eclipse attacks by 37.6%, and the two existing node crawling attacks by 21.1% and 17.1% respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lei Wu,Yufeng Hu,Yajin Zhou,Haoyu Wang,Xiaopu Luo,Zhi Wang,Fan Zhang,Kui Ren

DOI: https://doi.org/10.1145/3442381.3449880

2021-01-01

Abstract:ABSTRACT One reason for the popularity of Bitcoin is due to its anonymity. Although several heuristics have been used to break the anonymity, new approaches are proposed to enhance its anonymity at the same time. One of them is the mixing service. Unfortunately, mixing services have been abused to facilitate criminal activities, e.g., money laundering. As such, there is an urgent need to systematically understand Bitcoin mixing services. In this paper, we take the first step to understand state-of-the-art Bitcoin mixing services. Specifically, we propose a generic abstraction model for mixing services and observe that there are two mixing mechanisms in the wild, i.e. swapping and obfuscating. Based on this model, we conduct a transaction-based analysis and successfully reveal the mixing mechanisms of four representative services. Besides, we propose a method to identify mixing transactions that leverage the obfuscating mechanism. The proposed approach is able to identify over 92% of the mixing transactions. Based on identified transactions, we then estimate the profit of mixing services and provide a case study of tracing the money flow of stolen Bitcoins.

Tsz Hon Yuen,Shifeng Sun,Joseph K. Liu,Man Ho Au,Muhammed F. Esgin,Qingzhao Zhang,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-51280-4_25

2020-01-01

Abstract:In this paper, we propose the most efficient blockchain ring confidential transaction protocol (RingCT3.0) for protecting the privacy of the sender's identity, the recipient's identity and the confidentiality of the transaction amount. For a typical 2-input transaction with a ring size of 1024, the ring signature size of our RingCT3.0 protocol is 98% less than the ring signature size of the original RingCT1.0 protocol used in Monero. Taking the advantage of our compact RingCT3.0 transcript size, privacy-preserving cryptocurrencies can enjoy a much lower transaction fee which will have a significant impact on the crypto-economy. In addition to the significant improvement in terms of efficiency, our scheme is proven secure in a stronger security model. We remove the trusted setup assumption used in RingCT2.0. Our scheme is anonymous against non-signing users who are included in the ring, while we show that the RingCT1.0 is not secure in this improved model. Our implementation result shows that our protocol outperforms existing solutions, in terms of efficiency and security.

Junke Duan,Shihui Zheng,Wei Wang,Licheng Wang,Xiaoya Hu,Lize Gu

DOI: https://doi.org/10.1109/tdsc.2024.3367888

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ring Confidential Transactions (RingCT) is a typical privacy-preserving protocol for blockchain, which is used for the most popular anonymous cryptocurrency Monero in recent years. RingCT provides the user's identity anonymity based on the linkable ring signature. At the cost of that, the transaction size is increased linearly to the involved users. In this article, we aim to overcome this inefficient aspect of RingCT by introducing the linkable threshold ring signature (LTRS). We first propose a construction of threshold ring signatures for homomorphic cryptosystems, and present an efficient instantiation based on the intractability assumption of the discrete logarithm problem. Based on this framework, an efficient LTRS scheme and a novel construction of the RingCT protocol are presented. Our proposed RingCT protocol enables multiple payers to co-construct an anonymous transaction without revealing their secret account keys, and it is more concise under multiple input accounts. For a transaction with a ring size of 100 and the input accounts number of 64, the communication overhead is about 4% of the original RingCT protocol.

computer science, information systems, software engineering, hardware & architecture

Yi Liu,Zhen Liu,Yu Long,Zhiqiang Liu,Dawu Gu,Fei Huan,Yanxue Jia

DOI: https://doi.org/10.1007/978-3-030-31919-9_21

2019-01-01

Abstract:Since the advent of bitcoin, the privacy of bitcoin has become a hot issue. Many coin mixing protocols guarantee the anonymity and unlinkability of the payer and payee of a transaction. However, due to the publicity of blockchain, the confidentiality of transaction amounts has not been provided. Everyone has the chance to get the amount of a transaction, which poses a challenge to the privacy of users. To overcome the problem, we propose an improved mixing protocol based on TumbleBit, which is named TumbleBit++. TumbleBit++ combines confidential transactions with centralized untrusted anonymous payment hub, and achieves the protection of transaction amounts without undermining the anonymity of TumbleBit. TumbleBit++ allows multiple payers to trade in different transaction amounts, and Tumbler, as an untrusted third party, does not know the exact amount of each transaction and the flow of funds between the payer and payee of one transaction.

Zhen Liu,Khoa Nguyen,Guomin Yang,Huaxiong Wang,Duncan S. Wong

DOI: https://doi.org/10.1007/978-3-030-29959-0_35

2019-01-01

Abstract:First proposed in CryptoNote, a collection of popular privacy-centric cryptocurrencies have employed Linkable Ring Signature and a corresponding Key Derivation Mechanism (KeyDerM) for keeping the payer and payee of a transaction anonymous and unlinkable. The KeyDerM is used for generating a fresh signing key and the corresponding public key, referred to as a stealth address, for the transaction payee. The stealth address will then be used in the linkable ring signature next time when the payee spends the coin. However, in all existing works, including Monero, the privacy model only considers the two cryptographic primitives separately. In addition, to be applied to cryptocurrencies, the security and privacy models for Linkable Ring Signature should capture the situation that the public key ring of a signature may contain keys created by an adversary (referred to as adversarially-chosen-key attack), since in cryptocurrencies, it is normal for a user (adversary) to create self-paying transactions so that some maliciously created public keys can get into the system without being detected .In this paper, we propose a new cryptographic primitive, referred to as Linkable Ring Signature Scheme with Stealth Addresses (SALRS), which comprehensively and strictly captures the security and privacy requirements of hiding the payer and payee of a transaction in cryptocurrencies, especially the adversarially-chosen-key attacks. We also propose a lattice-based SALRS construction and prove its security and privacy in the random oracle model. In other words, our construction provides strong confidence on security and privacy in twofolds, i.e., being proved under strong models which capture the practical scenarios of cryptocurrencies, and being potentially quantum-resistant. The efficiency analysis also shows that our lattice-based SALRS scheme is practical for real implementations.

Bo Mi,Bingqing Wu,Darong Huang,Yang Liu,Lu Chen,Shaohua Wan

DOI: https://doi.org/10.1155/2022/9946088

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Immutability and traceability are the main reasons for the popularity of blockchain. Nevertheless, its transparency also makes the transactions visible to all participants, which seriously violates the privacy of some dealers. In order to transfer accounts over blockchain, all verifiers should be empowered with the ability to confirm the transactions, leading to the conflict between extensive consensus and individual privacy. Orienting to privacy issues of UTXO (Unspent Transaction Output), this paper exploited the unconditional security of Shamir's secret sharing to construct a logic-physical map for public chain, which enabled noninteractive transaction verification without privacy infringement. A comprehensive analysis indicated that the proposed scheme is secure under UC (Universal Composability) framework with practical computation and communication overheads.

Haaroon Yousaf

DOI: https://doi.org/10.48550/arXiv.2203.14684

2022-03-28

Abstract:This thesis presents techniques to investigate transactions in uncharted cryptocurrencies and services. Cryptocurrencies are used to securely send payments online. Payments via the first cryptocurrency, Bitcoin, use pseudonymous addresses that have limited privacy and anonymity guarantees. Research has shown that this pseudonymity can be broken, allowing users to be tracked using clustering and tagging heuristics. Such tracking allows crimes to be investigated. If a user has coins stolen, investigators can track addresses to identify the destination of the coins. This, combined with an explosion in the popularity of blockchain, has led to a vast increase in new coins and services. These offer new features ranging from coins focused on increased anonymity to scams shrouded as smart contracts. In this study, we investigated the extent to which transaction privacy has improved and whether users can still be tracked in these new ecosystems. We began by analysing the privacy-focused coin Zcash, a Bitcoin-forked cryptocurrency, that is considered to have strong anonymity properties due to its background in cryptographic research. We revealed that the user anonymity set can be considerably reduced using heuristics based on usage patterns. Next, we analysed cross-chain transactions collected from the exchange ShapeShift, revealing that users can be tracked as they move across different ledgers. Finally, we present a measurement study on the smart-contract pyramid scheme Forsage, a scam that cycled $267 million USD (of Ethereum) within its first year, showing that at least 88% of the participants in the scheme suffered a loss. The significance of this study is the revelation that users can be tracked in newer cryptocurrencies and services by using our new heuristics, which informs those conducting investigations and developing these technologies.

Cryptography and Security

Patrik Keller,Martin Florian,Rainer Böhme

DOI: https://doi.org/10.48550/arXiv.2005.03535

2021-02-26

Abstract:Privacy-seeking cryptocurrency users rely on anonymization techniques like CoinJoin and ring transactions. By using such technologies benign users potentially provide anonymity to bad actors. We propose overlay protocols to resolve the tension between anonymity and accountability in a peer-to-peer manner. Cryptocurrencies can adopt this approach to enable prosecution of publicly recognized crimes. We illustrate how the protocols could apply to Monero rings and CoinJoin transactions in Bitcoin.

Cryptography and Security,Computers and Society

Mixue Xu,Chao Yuan,Xueming Si,Gang Yu,Jinhua Fu,Feng Gao

DOI: https://doi.org/10.1109/hoticn.2018.8605975

2018-01-01

Abstract:Bitcoin is the first decentralized cryptocurrency proposed by Satoshi Nakamoto. Although transactions are conducted between pseudonyms, Bitcoin cannot offer strong privacy guarantees. Mixing coins, to some extent, can address this drawback through different technologies, but also meets flexibility, storage and anonymity problems. This paper proposes a decentralized coin mixing scheme CoinMingle, based on ring signature, one-time output address, CoinJoin and our mutual recognition delegation strategy. Our mutual recognition delegation strategy is simple but effective: when a user prepares to submit messages, he will delegate it to other users for anonymity. Users in CoinMingle don’t need pre-compute. And CoinMingle can tolerate different input amounts and plug the leak of personal information in shuffling phase. In addition, CoinMingle owns parallel structure which is more efficient than other coin mixing schemes.

Wangze Ni,Han Wu,Peng Cheng,Lei Chen,Xuemin Lin,Lei Chen,Xin Lai,Xiao Zhang

DOI: https://doi.org/10.48550/arXiv.2003.06826

2020-03-15

Abstract:By allowing users to obscure their transactions via including "mixins" (chaff coins), ring signature schemes have been widely used to protect a sender's identity of a transaction in privacy-preserving blockchain systems, like Monero and Bytecoin. However, recent works point out that the existing ring signature scheme is vulnerable to the "chain-reaction" analysis (i.e., the spent coin in a given ring signature can be deduced through elimination). Especially, when the diversity of mixins is low, the spent coin will have a high risk to be detected. To overcome the weakness, the ring signature should be consisted of a set of mixins with high diversity and produce observations having "similar" distributions for any two coins. In this paper, we propose a notion, namely $\epsilon$-coin-indistinguishability ($\epsilon$-CI), to formally define the "similar" distribution guaranteed through a differential privacy scheme. Then, we formally define the CI-aware mixins selection problem with disjoint-superset constraint (CIA-MS-DS), which aims to find a mixin set that has maximal diversity and satisfies the constraints of $\epsilon$-CI and the budget. In CIA-MS-DS, each ring signature is either disjoint with or the superset of its preceding ring signatures. We prove that CIA-MS-DS is NP-hard and thus intractable. To solve the CIA-MS-DS problem, we propose two approximation algorithms, namely the Progressive Algorithm and the Game Theoretic Algorithm, with theoretic guarantees. Through extensive experiments on both real data sets and synthetic data sets, we demonstrate the efficiency and the effectiveness of our approaches.

Cryptography and Security,Databases

Zhipeng Wang,Stefanos Chaliasos,Kaihua Qin,Liyi Zhou,Lifeng Gao,Pascal Berrang,Ben Livshits,Arthur Gervais

DOI: https://doi.org/10.48550/arXiv.2201.09035

2022-01-22

Cryptography and Security

Abstract:Zero-knowledge proof (ZKP) mixers are one of the most widely-used blockchain privacy solutions, operating on top of smart contract-enabled blockchains. We find that ZKP mixers are tightly intertwined with the growing number of Decentralized Finance (DeFi) attacks and Blockchain Extractable Value (BEV) extractions. Through coin flow tracing, we discover that 205 blockchain attackers and 2,595 BEV extractors leverage mixers as their source of funds, while depositing a total attack revenue of 412.87M USD. Moreover, the US OFAC sanctions against the largest ZKP mixer, Tornado.Cash, have reduced the mixer's daily deposits by more than 80%. Further, ZKP mixers advertise their level of privacy through a so-called anonymity set size, which similarly to k-anonymity allows a user to hide among a set of k other users. Through empirical measurements, we, however, find that these anonymity set claims are mostly inaccurate. For the most popular mixers on Ethereum (ETH) and Binance Smart Chain (BSC), we show how to reduce the anonymity set size on average by 27.34% and 46.02% respectively. Our empirical evidence is also the first to suggest a differing privacy-predilection of users on ETH and BSC. State-of-the-art ZKP mixers are moreover interwoven with the DeFi ecosystem by offering anonymity mining (AM) incentives, i.e., users receive monetary rewards for mixing coins. However, contrary to the claims of related work, we find that AM does not necessarily improve the quality of a mixer's anonymity set. Our findings indicate that AM attracts privacy-ignorant users, who then do not contribute to improving the privacy of other mixer users.