flexible models for secure systems · practical security of digital signatures signatures are...

Flexible Models for Secure Systems

Sarah Meiklejohn

A creation story

2

Motivating scenario that founded modern cryptography:

A creation story

2

Motivating scenario that founded modern cryptography:

A creation story

Hi Bob!

2

Motivating scenario that founded modern cryptography:

A creation story

Hi Bob!

2

(Browser) (Web server)

(CC#)Motivating scenario that founded modern cryptography:

A creation story

Hi Bob!

Security model for this interaction is well established

2

(Browser) (Web server)

(CC#)Motivating scenario that founded modern cryptography:

A creation story

Hi Bob!

Security model for this interaction is well established

2

?(Browser) (Web server)

(CC#)Motivating scenario that founded modern cryptography:

A creation story

Hi Bob!

Security model for this interaction is well established

Encryption works for secure online communication: SSL/TLS [1996]

2

?(Browser) (Web server)

(CC#)Motivating scenario that founded modern cryptography:

A creation story

Hi Bob!

Security model for this interaction is well established

Encryption works for secure online communication: SSL/TLS [1996]

2

encryption

(Browser) (Web server)

(CC#)Motivating scenario that founded modern cryptography:

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Fast-forward 15 years…

3

Problem #1: everyone is an adversary!

Fast-forward 15 years…

3

Problem #1: everyone is an adversary!

Fast-forward 15 years…

3

Problem #1: everyone is an adversary!

Fast-forward 15 years…

3

Problem #1: everyone is an adversary!

Fast-forward 15 years…

3

Problem #1: everyone is an adversary!

Fast-forward 15 years…

4

Problem #2: what are the security goals?

Fast-forward 15 years…

4

Problem #2: what are the security goals?

Fast-forward 15 years…

4

• can Bob retrieve Alice’s files?

Problem #2: what are the security goals?

Fast-forward 15 years…

4

• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?

Problem #2: what are the security goals?

Fast-forward 15 years…

4

• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?

Problem #2: what are the security goals?

Fast-forward 15 years…

4

• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?• can Dropbox efficiently store files?

Problem #2: what are the security goals?

Fast-forward 15 years…

4

• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?• can Dropbox efficiently store files?• ?

Problem #2: what are the security goals?

A spectrum of solutions

5

A spectrum of solutions

theory practice

5

A spectrum of solutions

theory practice

5

A spectrum of solutions

theory practicee-cash [C82]

5

A spectrum of solutions

theory practicee-cash [C82]

5

A spectrum of solutions

theory practicee-cash [C82]outsourced comp. [GGP10]

5

A spectrum of solutions

theory practice

FHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

5

ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

FHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

5

ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

FHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

5

Wickr

ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

FHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

5

Wickr

ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

FHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

5

Wickr

diaspora*ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

SSL/TLS

Tor

BitcoinFHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

PGP

5

TrueCrypt Wickr

diaspora*ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

SSL/TLS

Tor

BitcoinFHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

PGP

5

TrueCrypt Wickr

diaspora*ORAM [GO96]

MPC [Y82]

A spectrum of solutions

theory practice

SSL/TLS

Tor

BitcoinFHE [G09]

e-cash [C82]outsourced comp. [GGP10]

RKA [B93,K93]

PGP

5

TrueCrypt Wickr

diaspora*ORAM [GO96]

MPC [Y82]

My research

6

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

My research

6

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

BitcoinRKA

My research

6

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

BitcoinRKA

My research

6

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

BitcoinRKA

My research

6

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

BitcoinRKA

Digital signatures are everywhere

7

Digital signatures are everywhere

7

Digital signatures are everywhere

7

Digital signatures are everywhere

7

Digital signatures are everywhere

7

Practical security of digital signatures

8

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

Standard model is useless against side channels and fault injection

8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

Standard model is useless against side channels and fault injection

8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

Standard model is useless against side channels and fault injection

8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

Standard model is useless against side channels and fault injection

8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

Standard model is useless against side channels and fault injection

RKA (related key attack) security considers these attacks

8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

sk φ,m m′,σ′Sign(φ(sk),m)

pk

Practical security of digital signaturesSignatures are proved secure in standard cryptographic models

Standard model is useless against side channels and fault injection

RKA (related key attack) security considers these attacks

Our research can help create better RKA schemes8

skm

pk

σSign(sk,m) Verify(pk,m,σ)

KeyGen

sk φ,m m′,σ′Sign(φ(sk),m)

pk

Standard definitions for signatures [GMR88]

9

Standard definitions for signatures [GMR88]

9

Standard definitions for signatures [GMR88]

9

sk

pkKeyGen

Standard definitions for signatures [GMR88]

9

skm

pk

σSign(sk,m)KeyGen

Standard definitions for signatures [GMR88]

9

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Standard definitions for signatures [GMR88]

sk

9

pk

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Standard definitions for signatures [GMR88]

sk m

9

pk

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Standard definitions for signatures [GMR88]

sk mσ

9

pk

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Standard definitions for signatures [GMR88]

sk mσ

m′,σ′

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle

9

pk

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Standard definitions for signatures [GMR88]

sk mσ

m′,σ′

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle

9

pk

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Standard definitions for signatures [GMR88]

sk mσ

m′,σ′

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle

9

pk

skm

pk

σSign(sk,m) Verify(pk,m,σ)KeyGen

Problem: This assumption is violated by tampering [AK96,…], side channels [W91,KJJ99,…] and fault injection [BS97,BdML97,…]

Related key attacks (RKA)

Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)

10

Related key attacks (RKA)

Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)

dp

σ = H(m)d mod N

10

N,e

dq

Related key attacks (RKA)

Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)

σ = H(m)d mod N

10

anyperturbation

at all! dp′

N,e

dq

Related key attacks (RKA)

Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)

σ = H(m)d mod N

mσ′

10

anyperturbation

at all! dp′

N,e

dq

Related key attacks (RKA)

Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)

σ = H(m)d mod N

mσ′ p,q

10

anyperturbation

at all! dp′

N,e

dq

φ-RKA-secure signatures [BCM11]

sk

11

pk

φ-RKA-secure signatures [BCM11]

sk φ,m

11

pk

φ-RKA-secure signatures [BCM11]

sk φ,mSign(φ(sk),m)

11

pk

φ-RKA-secure signatures [BCM11]

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

φ-RKA-secure signatures [BCM11]

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

φ-RKA-secure signatures [BCM11]

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

Φ={id} gives standard unforgeability

φ-RKA-secure signatures [BCM11]

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

Φ={id} gives standard unforgeability

Φ={all functions} isn’t possible [BK03]

φ-RKA-secure signatures [BCM11]

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

dp φ≠id mod p,mSign(φ(d),m)

p,qdq

φ-RKA-secure signatures [BCM11]

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)

[BdML97] shows that RSA-CRT is not φ-RKA-secure for non-trivial φ

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

dp φ≠id mod p,mSign(φ(d),m)

p,qdq

φ-RKA-secure signatures [BCM11]

A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)

[BdML97] shows that RSA-CRT is not φ-RKA-secure for non-trivial φ

sk φ,m m′,σ′Sign(φ(sk),m)

11

pk

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

dp φ≠id mod p,mSign(φ(d),m)

p,qdq

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

12

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

12

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZK

12

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

simple construction [DHLW10,CKLM14]

}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

simple construction [DHLW10,CKLM14]

}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)

proof of knowledgeof secret key

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

KDM storage

Joint Enc/Sig

simple construction [DHLW10,CKLM14]

}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)

proof of knowledgeof secret key

Signature inherits Φ-RKA security from one-way function

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

simple construction [DHLW10,CKLM14]

}

Signature inherits Φ-RKA security from one-way function

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

actuallyquite natural

simple construction [DHLW10,CKLM14]

}

Signature inherits Φ-RKA security from one-way function

Many natural one-way functions (e.g., RSA) are Φ-RKA-secure with no additional assumptions

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

actuallyquite natural

simple construction [DHLW10,CKLM14]

}

Signature inherits Φ-RKA security from one-way function

Many natural one-way functions (e.g., RSA) are Φ-RKA-secure with no additional assumptions

Creating new RKA-secure signatures is easier!

Our construction [Bellare M Thomson Eurocrypt14]

φ-RKA-OWF

SE-NIZKφ-RKA signature

12

actuallyquite natural

simple construction [DHLW10,CKLM14]

}

Takeaway

13

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

Takeaway

Φ-RKA-secure one-way functions are natural

13

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

Takeaway

Φ-RKA-secure one-way functions are natural

• RSA function is secure w.r.t. exponentiation

13

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

Takeaway

Φ-RKA-secure one-way functions are natural

• RSA function is secure w.r.t. exponentiation

• Exponentiation (f(x)=gx) is secure w.r.t. linear functions

13

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

Takeaway

Φ-RKA-secure one-way functions are natural

• RSA function is secure w.r.t. exponentiation

• Exponentiation (f(x)=gx) is secure w.r.t. linear functions

• Learning with errors (f(s,e) = As+e mod q) is secure w.r.t. addition

13

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

Takeaway

Φ-RKA-secure one-way functions are natural

• RSA function is secure w.r.t. exponentiation

• Exponentiation (f(x)=gx) is secure w.r.t. linear functions

• Learning with errors (f(s,e) = As+e mod q) is secure w.r.t. addition

Our result can pave the way for easier RKA constructions

13

Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)

My research

14

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

RKA Bitcoin

My research

14

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

RKA Bitcoin

What is Bitcoin?

15

What is Bitcoin?

15

What is Bitcoin?

15

Centralized

What is Bitcoin?

15

DecentralizedCentralized

What is Bitcoin?

15

DecentralizedCentralizedReal-world identities

What is Bitcoin?

15

DecentralizedPseudonyms

CentralizedReal-world identities

What is Bitcoin?

15

DecentralizedPseudonyms

CentralizedReal-world identitiesNon-public transactions

What is Bitcoin?

15

DecentralizedPseudonymsPublic transactions

CentralizedReal-world identitiesNon-public transactions

What is Bitcoin?

15

DecentralizedPseudonymsPublic transactions

CentralizedReal-world identitiesNon-public transactionsRegulated

What is Bitcoin?

15

DecentralizedPseudonymsPublic transactionsUnregulated*

CentralizedReal-world identitiesNon-public transactionsRegulated

What is Bitcoin?

15

DecentralizedPseudonymsPublic transactionsUnregulated*

CentralizedReal-world identitiesNon-public transactionsRegulatedNot anonymous

What is Bitcoin?

15

DecentralizedPseudonymsPublic transactionsUnregulated*Potentially anonymous

CentralizedReal-world identitiesNon-public transactionsRegulatedNot anonymous

Why study Bitcoin?

16

Why study Bitcoin?

16

Why study Bitcoin?

16

Why study Bitcoin?

16

Why study Bitcoin?

16

How much anonymity does Bitcoin really provide?

Bitcoin’s explosive growth

17Jan’11 Jan’13

$/BT

C

Bitcoin’s explosive growth

17Jan’11 Jan’13

we buy 30 bitcoins at $5/BTC

$/BT

C

Bitcoin’s explosive growth

17Jan’11 Jan’13 Jan’14

we buy 30 bitcoins at $5/BTC

$/BT

C

Bitcoin’s explosive growth

17Jan’11 Jan’13

250

Jan’14

we buy 30 bitcoins at $5/BTC

$/BT

C

Bitcoin’s explosive growth

17Jan’11 Jan’13

250

1,200

Jan’14

we buy 30 bitcoins at $5/BTC

$/BT

C

Bitcoin’s explosive growth

17Jan’11 Jan’13

250

1,200

Jan’14

we buy 30 bitcoins at $5/BTC

1,000*

$/BT

C

Bitcoin’s explosive growth

17Jan’11 Jan’13

250

1,200

current market capitalization of > $10B!*

Jan’14

we buy 30 bitcoins at $5/BTC

1,000*

$/BT

C

How does Bitcoin work?

18

How does Bitcoin work?

18

• decentralized

How does Bitcoin work?

18

• decentralized • decentralized• transfer money

How does Bitcoin work?

18

pkB

public key address

pkA

• decentralized • decentralized• transfer money

How does Bitcoin work?

18

pkB

public key address

pkA1

• decentralized • decentralized• transfer money

How does Bitcoin work?

18

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money

How does Bitcoin work?

18

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

Verify

Verify

• decentralized • decentralized• transfer money

How does Bitcoin work?

18

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money

How does Bitcoin work?

18

tx

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money • decentralized• transfer money• generate money

How does Bitcoin work?

18

tx

tx

tx

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money • decentralized• transfer money• generate money

How does Bitcoin work?

18

tx

tx

tx

tx

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money • decentralized• transfer money• generate money

How does Bitcoin work?

18

txtx

tx

txtx

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money • decentralized• transfer money• generate money

How does Bitcoin work?

18

txtxtxtx

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money • decentralized• transfer money• generate money

How does Bitcoin work?

18

txtxtxtx

pkB

public key address

pkA1

m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)

• decentralized • decentralized• transfer money • decentralized• transfer money• generate money

How do bitcoins get spent?

19

• decentralized• transfer money• generate money• prevent double-spending

How do bitcoins get spent?

19

25

25

tx1

• decentralized• transfer money• generate money• prevent double-spending

How do bitcoins get spent?

19

25

25

10

34

1tx1tx2

• decentralized• transfer money• generate money• prevent double-spending

To spend bitcoins, a user must indicate the previous transaction

How do bitcoins get spent?

19

25

25

10

34

1tx1tx2

m = (tx1, , )

• decentralized• transfer money• generate money• prevent double-spending

To spend bitcoins, a user must indicate the previous transaction

How do bitcoins get spent?

19

25

25

10

34

1 2

32

tx1tx2

tx3

m = (tx1, , )

• decentralized• transfer money• generate money• prevent double-spending

To spend bitcoins, a user must indicate the previous transaction

How do bitcoins get spent?

19

25

25

10

34

1 2

32

tx1tx2

tx3

m = (tx1, , ) m = (tx2, , )

• decentralized• transfer money• generate money• prevent double-spending

To spend bitcoins, a user must indicate the previous transaction

All bitcoins received in a transaction must be spent all at once

How do bitcoins get spent?

19

25

25

10

34

1 2

32

tx1tx2

tx3

m = (tx1, , ) m = (tx2, , )

• decentralized• transfer money• generate money• prevent double-spending

How to identify users? [MPGLMVS IMC13]

20

Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys

How to identify users? [MPGLMVS IMC13]

20

Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys

How to identify users? [MPGLMVS IMC13]

Cluster

20

Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys

How to identify users? [MPGLMVS IMC13]

Cluster

Collapse into a more manageable graph of clusters of public keys representing distinct entities

20

Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys

How to identify users? [MPGLMVS IMC13]

Cluster

Transactus

them

Collapse into a more manageable graph of clusters of public keys representing distinct entities

20

Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys

How to identify users? [MPGLMVS IMC13]

Cluster

Transactus

them

Collapse into a more manageable graph of clusters of public keys representing distinct entities

Collect ground truth data by participating in transactions

20

Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys

Clustering by inputs

21

Clustering by inputs

2

1

3

21

7

15

Clustering by inputs

2

1

3

21

7

15

Clustering by inputs

2

1

3

21

7

156

Clustering by inputs

2

1

3

21

7

15

Heuristic #1: the same user controls these addresses [N08,RH11,RS13,A+13]

6

Change addresses

2

1

3

22

7

15

Change addresses

2

1

3

22

7

15

Change addresses

2

1

3

22

7

15 1414

Change addresses

2

1

3

22

7

15 14114

Change addresses

2

1

3

22

7

15

All bitcoins received in a transaction must be spent all at once

14114

Change addresses

2

1

3

22

7

15

All bitcoins received in a transaction must be spent all at once

Change addresses

2

1

3

22

7

15

All bitcoins received in a transaction must be spent all at once

Change addresses

2

1

3

22

7

15

All bitcoins received in a transaction must be spent all at once

Change addresses

2

1

3

22

7

15

All bitcoins received in a transaction must be spent all at once

11

0 1414

Change addresses

2

1

3

22

7

15

All bitcoins received in a transaction must be spent all at once

In the standard idiom, change addresses are used at most twice: to receive change and to spend it

pk

11

0 1414

Clustering by change

2

1

3 14

23

7

0 14

11

Clustering by change

2

1

3 14

23

7

0

pk

14

11

identify using one-time behavior

Clustering by change

2

1

3 14

23

7

0

pk

14

11

identify using one-time behavior

Heuristic #2: the same user also controls this address

Data collection

24

Data collection

24

Engaged in transactions with:

Data collection

24

Engaged in transactions with:

• Exchanges

Data collection

24

Engaged in transactions with:

• Exchanges • Vendors

Data collection

24

Engaged in transactions with:

• Exchanges

• Mining pools

• Vendors

Data collection

24

Engaged in transactions with:

• Exchanges

• Mining pools

• Vendors

• Gambling sites

Data collection

24

Engaged in transactions with:

• Exchanges

• Mining pools

• Wallet services

• Vendors

• Gambling sites

Data collection

24

Engaged in transactions with:

• Exchanges

• Mining pools

• Wallet services

• Vendors

• Gambling sites

• Mix services

Data collection

24

Engaged in transactions with:

• Exchanges

• Mining pools

• Wallet services

Scraped published tags

• Vendors

• Gambling sites

• Mix services

Data collection

24

Engaged in transactions with:

• Exchanges

• Mining pools

• Wallet services

Scraped published tags

Found addresses discussed on forums

• Vendors

• Gambling sites

• Mix services

Exchanges

25

Vendors

26

Putting it all together

27

Putting it all together

Transactus

them

27

Putting it all together

Transactus

them

27

Putting it all together

ClusterTransactus

them

27

Putting it all together

ClusterTransactus

them

27

Putting it all together

ClusterTransactus

them

Bootstrap

27

Putting it all together

ClusterTransactus

them

Bootstrap

27

Putting it all together

ClusterTransactus

them

Bootstrap

27

Interacted with 31 MtGox addresses, tagged 518,723!

Participated in 344 transactions and tagged 1.3M public keys

Clustering using Heuristic 2

satoshi dicebtc dice

clone dice

mtgox

silk road

instawallet

28

Clustering using Heuristic 2

satoshi dicebtc dice

clone dice

mtgox

silk road

instawallet

bicycle wheel withgambling at center

28

Clustering using Heuristic 2

satoshi dicebtc dice

clone dice

mtgox

silk road

instawallet

bicycle wheel withgambling at center

strongly connected componentwith most of our named users

28

Following bitcoins

29

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

29

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

29

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

29

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

29

change address

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

29

meaningfulrecipient change address

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

Identifying recipients potentially de-anonymizes user

29

meaningfulrecipient change address

Following bitcoins

Can see when bitcoins meaningfully cross cluster boundaries

Identifying recipients potentially de-anonymizes user

29

meaningfulrecipient change address

Hypothesis: if you subpoena exchanges, you can identify users

Tracking technique

30

Tracking technique

...

tracking heists

= exchange

30

Tracking technique

[HDM+ NDSS’14]

...

tracking heists

= exchange

30

Tracking technique

[HDM+ NDSS’14]

...

tracking heists

= exchange

30

individual thefts

Tracking technique

[HDM+ NDSS’14]

...

tracking heists

= exchange

service interaction

30

individual thefts

Tracking technique

[HDM+ NDSS’14]

...

tracking heists

= exchange

service interaction

30

individual thefts

>1,794 BTC ≈2,084 BTC

Tracking technique

[HDM+ NDSS’14]

...

tracking heists

= exchange

service interaction

30

individual thefts

>1,794 BTC ≈2,084 BTC

We traced over $3M back to illicit activities!

Takeaway

31

How much anonymity does Bitcoin really provide?

Our analysis provides a real-world way to track flows of bitcoins

Takeaway

31

How much anonymity does Bitcoin really provide?

Our analysis provides a real-world way to track flows of bitcoins

Seems hard to launder significant quantities of money

Takeaway

31

How much anonymity does Bitcoin really provide?

My research

32

ZKPDL

[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]

[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]

RKA Bitcoin

Acknowledgements

33

[CMZ14]

RKA Bitcoin

Acknowledgements

33

[CMZ14]

RKA BitcoinThanks! Any questions?