flexible models for secure systems · practical security of digital signatures signatures are...
TRANSCRIPT
Flexible Models for Secure Systems
Sarah Meiklejohn
A creation story
2
Motivating scenario that founded modern cryptography:
A creation story
2
Motivating scenario that founded modern cryptography:
A creation story
Hi Bob!
2
Motivating scenario that founded modern cryptography:
A creation story
Hi Bob!
2
(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
A creation story
Hi Bob!
Security model for this interaction is well established
2
(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
A creation story
Hi Bob!
Security model for this interaction is well established
2
?(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
A creation story
Hi Bob!
Security model for this interaction is well established
Encryption works for secure online communication: SSL/TLS [1996]
2
?(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
A creation story
Hi Bob!
Security model for this interaction is well established
Encryption works for secure online communication: SSL/TLS [1996]
2
encryption
(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
Fast-forward 15 years…
4
Problem #2: what are the security goals?
Fast-forward 15 years…
4
Problem #2: what are the security goals?
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?
Problem #2: what are the security goals?
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?
Problem #2: what are the security goals?
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?
Problem #2: what are the security goals?
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?• can Dropbox efficiently store files?
Problem #2: what are the security goals?
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?• can Dropbox efficiently store files?• ?
Problem #2: what are the security goals?
A spectrum of solutions
5
A spectrum of solutions
theory practice
5
A spectrum of solutions
theory practice
5
A spectrum of solutions
theory practicee-cash [C82]
5
A spectrum of solutions
theory practicee-cash [C82]
5
A spectrum of solutions
theory practicee-cash [C82]outsourced comp. [GGP10]
5
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
Wickr
ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
Wickr
ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
Wickr
diaspora*ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
SSL/TLS
Tor
BitcoinFHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
PGP
5
TrueCrypt Wickr
diaspora*ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
SSL/TLS
Tor
BitcoinFHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
PGP
5
TrueCrypt Wickr
diaspora*ORAM [GO96]
MPC [Y82]
A spectrum of solutions
theory practice
SSL/TLS
Tor
BitcoinFHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
PGP
5
TrueCrypt Wickr
diaspora*ORAM [GO96]
MPC [Y82]
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
Digital signatures are everywhere
7
Digital signatures are everywhere
7
Digital signatures are everywhere
7
Digital signatures are everywhere
7
Digital signatures are everywhere
7
Practical security of digital signatures
8
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
RKA (related key attack) security considers these attacks
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
sk φ,m m′,σ′Sign(φ(sk),m)
pk
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
RKA (related key attack) security considers these attacks
Our research can help create better RKA schemes8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
sk φ,m m′,σ′Sign(φ(sk),m)
pk
Standard definitions for signatures [GMR88]
9
Standard definitions for signatures [GMR88]
9
Standard definitions for signatures [GMR88]
9
sk
pkKeyGen
Standard definitions for signatures [GMR88]
9
skm
pk
σSign(sk,m)KeyGen
Standard definitions for signatures [GMR88]
9
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Standard definitions for signatures [GMR88]
sk
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Standard definitions for signatures [GMR88]
sk m
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Standard definitions for signatures [GMR88]
sk mσ
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Standard definitions for signatures [GMR88]
sk mσ
m′,σ′
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Standard definitions for signatures [GMR88]
sk mσ
m′,σ′
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Standard definitions for signatures [GMR88]
sk mσ
m′,σ′
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Problem: This assumption is violated by tampering [AK96,…], side channels [W91,KJJ99,…] and fault injection [BS97,BdML97,…]
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
10
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
dp
σ = H(m)d mod N
10
N,e
dq
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
σ = H(m)d mod N
10
anyperturbation
at all! dp′
N,e
dq
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
σ = H(m)d mod N
mσ′
10
anyperturbation
at all! dp′
N,e
dq
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
σ = H(m)d mod N
mσ′ p,q
10
anyperturbation
at all! dp′
N,e
dq
φ-RKA-secure signatures [BCM11]
sk
11
pk
φ-RKA-secure signatures [BCM11]
sk φ,m
11
pk
φ-RKA-secure signatures [BCM11]
sk φ,mSign(φ(sk),m)
11
pk
φ-RKA-secure signatures [BCM11]
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
Φ={id} gives standard unforgeability
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
Φ={id} gives standard unforgeability
Φ={all functions} isn’t possible [BK03]
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
dp φ≠id mod p,mSign(φ(d),m)
p,qdq
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
[BdML97] shows that RSA-CRT is not φ-RKA-secure for non-trivial φ
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
dp φ≠id mod p,mSign(φ(d),m)
p,qdq
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
[BdML97] shows that RSA-CRT is not φ-RKA-secure for non-trivial φ
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
dp φ≠id mod p,mSign(φ(d),m)
p,qdq
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
12
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
12
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZK
12
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
simple construction [DHLW10,CKLM14]
}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
simple construction [DHLW10,CKLM14]
}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)
proof of knowledgeof secret key
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
KDM storage
Joint Enc/Sig
simple construction [DHLW10,CKLM14]
}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)
proof of knowledgeof secret key
Signature inherits Φ-RKA security from one-way function
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
simple construction [DHLW10,CKLM14]
}
Signature inherits Φ-RKA security from one-way function
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
actuallyquite natural
simple construction [DHLW10,CKLM14]
}
Signature inherits Φ-RKA security from one-way function
Many natural one-way functions (e.g., RSA) are Φ-RKA-secure with no additional assumptions
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
actuallyquite natural
simple construction [DHLW10,CKLM14]
}
Signature inherits Φ-RKA security from one-way function
Many natural one-way functions (e.g., RSA) are Φ-RKA-secure with no additional assumptions
Creating new RKA-secure signatures is easier!
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
actuallyquite natural
simple construction [DHLW10,CKLM14]
}
Takeaway
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
Takeaway
Φ-RKA-secure one-way functions are natural
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
• Exponentiation (f(x)=gx) is secure w.r.t. linear functions
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
• Exponentiation (f(x)=gx) is secure w.r.t. linear functions
• Learning with errors (f(s,e) = As+e mod q) is secure w.r.t. addition
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
• Exponentiation (f(x)=gx) is secure w.r.t. linear functions
• Learning with errors (f(s,e) = As+e mod q) is secure w.r.t. addition
Our result can pave the way for easier RKA constructions
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
My research
14
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
RKA Bitcoin
My research
14
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
RKA Bitcoin
What is Bitcoin?
15
What is Bitcoin?
15
What is Bitcoin?
15
Centralized
What is Bitcoin?
15
DecentralizedCentralized
What is Bitcoin?
15
DecentralizedCentralizedReal-world identities
What is Bitcoin?
15
DecentralizedPseudonyms
CentralizedReal-world identities
What is Bitcoin?
15
DecentralizedPseudonyms
CentralizedReal-world identitiesNon-public transactions
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactions
CentralizedReal-world identitiesNon-public transactions
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactions
CentralizedReal-world identitiesNon-public transactionsRegulated
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactionsUnregulated*
CentralizedReal-world identitiesNon-public transactionsRegulated
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactionsUnregulated*
CentralizedReal-world identitiesNon-public transactionsRegulatedNot anonymous
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactionsUnregulated*Potentially anonymous
CentralizedReal-world identitiesNon-public transactionsRegulatedNot anonymous
Why study Bitcoin?
16
Why study Bitcoin?
16
Why study Bitcoin?
16
Why study Bitcoin?
16
Why study Bitcoin?
16
How much anonymity does Bitcoin really provide?
Bitcoin’s explosive growth
17Jan’11 Jan’13
$/BT
C
Bitcoin’s explosive growth
17Jan’11 Jan’13
we buy 30 bitcoins at $5/BTC
$/BT
C
Bitcoin’s explosive growth
17Jan’11 Jan’13 Jan’14
we buy 30 bitcoins at $5/BTC
$/BT
C
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
Jan’14
we buy 30 bitcoins at $5/BTC
$/BT
C
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
1,200
Jan’14
we buy 30 bitcoins at $5/BTC
$/BT
C
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
1,200
Jan’14
we buy 30 bitcoins at $5/BTC
1,000*
$/BT
C
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
1,200
current market capitalization of > $10B!*
Jan’14
we buy 30 bitcoins at $5/BTC
1,000*
$/BT
C
How does Bitcoin work?
18
How does Bitcoin work?
18
• decentralized
How does Bitcoin work?
18
• decentralized • decentralized• transfer money
How does Bitcoin work?
18
pkB
public key address
pkA
• decentralized • decentralized• transfer money
How does Bitcoin work?
18
pkB
public key address
pkA1
• decentralized • decentralized• transfer money
How does Bitcoin work?
18
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money
How does Bitcoin work?
18
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
Verify
Verify
• decentralized • decentralized• transfer money
How does Bitcoin work?
18
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money
How does Bitcoin work?
18
tx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
How does Bitcoin work?
18
tx
tx
tx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
How does Bitcoin work?
18
tx
tx
tx
tx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
How does Bitcoin work?
18
txtx
tx
txtx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
How does Bitcoin work?
18
txtxtxtx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
How does Bitcoin work?
18
txtxtxtx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
How do bitcoins get spent?
19
• decentralized• transfer money• generate money• prevent double-spending
How do bitcoins get spent?
19
25
25
tx1
• decentralized• transfer money• generate money• prevent double-spending
How do bitcoins get spent?
19
25
25
10
34
1tx1tx2
• decentralized• transfer money• generate money• prevent double-spending
To spend bitcoins, a user must indicate the previous transaction
How do bitcoins get spent?
19
25
25
10
34
1tx1tx2
m = (tx1, , )
• decentralized• transfer money• generate money• prevent double-spending
To spend bitcoins, a user must indicate the previous transaction
How do bitcoins get spent?
19
25
25
10
34
1 2
32
tx1tx2
tx3
m = (tx1, , )
• decentralized• transfer money• generate money• prevent double-spending
To spend bitcoins, a user must indicate the previous transaction
How do bitcoins get spent?
19
25
25
10
34
1 2
32
tx1tx2
tx3
m = (tx1, , ) m = (tx2, , )
• decentralized• transfer money• generate money• prevent double-spending
To spend bitcoins, a user must indicate the previous transaction
All bitcoins received in a transaction must be spent all at once
How do bitcoins get spent?
19
25
25
10
34
1 2
32
tx1tx2
tx3
m = (tx1, , ) m = (tx2, , )
• decentralized• transfer money• generate money• prevent double-spending
How to identify users? [MPGLMVS IMC13]
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
How to identify users? [MPGLMVS IMC13]
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
How to identify users? [MPGLMVS IMC13]
Cluster
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
How to identify users? [MPGLMVS IMC13]
Cluster
Collapse into a more manageable graph of clusters of public keys representing distinct entities
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
How to identify users? [MPGLMVS IMC13]
Cluster
Transactus
them
Collapse into a more manageable graph of clusters of public keys representing distinct entities
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
How to identify users? [MPGLMVS IMC13]
Cluster
Transactus
them
Collapse into a more manageable graph of clusters of public keys representing distinct entities
Collect ground truth data by participating in transactions
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
Clustering by inputs
21
Clustering by inputs
2
1
3
21
7
15
Clustering by inputs
2
1
3
21
7
15
Clustering by inputs
2
1
3
21
7
156
Clustering by inputs
2
1
3
21
7
15
Heuristic #1: the same user controls these addresses [N08,RH11,RS13,A+13]
6
Change addresses
2
1
3
22
7
15
Change addresses
2
1
3
22
7
15
Change addresses
2
1
3
22
7
15 1414
Change addresses
2
1
3
22
7
15 14114
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
14114
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
11
0 1414
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
In the standard idiom, change addresses are used at most twice: to receive change and to spend it
pk
11
0 1414
Clustering by change
2
1
3 14
23
7
0 14
11
Clustering by change
2
1
3 14
23
7
0
pk
14
11
identify using one-time behavior
Clustering by change
2
1
3 14
23
7
0
pk
14
11
identify using one-time behavior
Heuristic #2: the same user also controls this address
Data collection
24
Data collection
24
Engaged in transactions with:
Data collection
24
Engaged in transactions with:
• Exchanges
Data collection
24
Engaged in transactions with:
• Exchanges • Vendors
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Vendors
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Vendors
• Gambling sites
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
• Vendors
• Gambling sites
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
• Vendors
• Gambling sites
• Mix services
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
Scraped published tags
• Vendors
• Gambling sites
• Mix services
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
Scraped published tags
Found addresses discussed on forums
• Vendors
• Gambling sites
• Mix services
Exchanges
25
Vendors
26
Putting it all together
27
Putting it all together
Transactus
them
27
Putting it all together
Transactus
them
27
Putting it all together
ClusterTransactus
them
27
Putting it all together
ClusterTransactus
them
27
Putting it all together
ClusterTransactus
them
Bootstrap
27
Putting it all together
ClusterTransactus
them
Bootstrap
27
Putting it all together
ClusterTransactus
them
Bootstrap
27
Interacted with 31 MtGox addresses, tagged 518,723!
Participated in 344 transactions and tagged 1.3M public keys
Clustering using Heuristic 2
satoshi dicebtc dice
clone dice
mtgox
silk road
instawallet
28
Clustering using Heuristic 2
satoshi dicebtc dice
clone dice
mtgox
silk road
instawallet
bicycle wheel withgambling at center
28
Clustering using Heuristic 2
satoshi dicebtc dice
clone dice
mtgox
silk road
instawallet
bicycle wheel withgambling at center
strongly connected componentwith most of our named users
28
Following bitcoins
29
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
change address
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
meaningfulrecipient change address
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
Identifying recipients potentially de-anonymizes user
29
meaningfulrecipient change address
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
Identifying recipients potentially de-anonymizes user
29
meaningfulrecipient change address
Hypothesis: if you subpoena exchanges, you can identify users
Tracking technique
30
Tracking technique
...
tracking heists
= exchange
30
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
30
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
30
individual thefts
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
service interaction
30
individual thefts
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
service interaction
30
individual thefts
>1,794 BTC ≈2,084 BTC
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
service interaction
30
individual thefts
>1,794 BTC ≈2,084 BTC
We traced over $3M back to illicit activities!
Takeaway
31
How much anonymity does Bitcoin really provide?
Our analysis provides a real-world way to track flows of bitcoins
Takeaway
31
How much anonymity does Bitcoin really provide?
Our analysis provides a real-world way to track flows of bitcoins
Seems hard to launder significant quantities of money
Takeaway
31
How much anonymity does Bitcoin really provide?
My research
32
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
RKA Bitcoin
Acknowledgements
33
[CMZ14]
RKA Bitcoin
Acknowledgements
33
[CMZ14]
RKA BitcoinThanks! Any questions?