On the Anonymity Guarantees of Anonymous Proof-of-Stake Protocols

In proof-of-stake (PoS) blockchains, stakeholders that extend the chain are selected according to the amount of stake they own. In S&P 2019 the "Ouroboros Crypsinous" system of Kerber et al. (and concurrently Ganesh et al. in EUROCRYPT 2019) presented a mechanism that hides the identity of the stakeholder when adding blocks, hence preserving anonymity of stakeholders both during payment and mining in the Ouroboros blockchain. They focus on anonymizing the messages of the blockchain protocol, but suggest that potential identity leaks from the network-layer can be removed as well by employing anonymous broadcast channels.In this work we show that this intuition is flawed. Even ideal anonymous broadcast channels do not suffice to protect the identity of the stakeholder who proposes a block.We make the following contributions. First, we show a formal network-attack against Ouroboros Crypsinous, where the adversary can leverage network delays to distinguish who is the stakeholder that added a block on the blockchain. Second, we abstract the above attack and show that whenever the adversary has control over the network delay – within the synchrony bound – loss of anonymity is inherent for any protocol that provides liveness guarantees. We do so, by first proving that it is impossible to devise a (deterministic) state-machine replication protocol that achieves basic liveness guarantees and better than (1−2f) anonymity at the same time (where f is the fraction of corrupted parties). We then connect this result to the PoS setting by presenting the tagging and reverse tagging attack that allows an adversary, across several executions of the PoS protocol, to learn the stake of a target node, by simply delaying messages for the target. We demonstrate that our assumption on the delaying power of the adversary is realistic by describing how our attack could be mounted over the Zcash blockchain network (even when Tor is used). We conclude by suggesting approaches that can mitigate such attacks.

[1]  Alex Biryukov,et al.  Deanonymization and Linkability of Cryptocurrency Transactions Based on Network Analysis , 2019, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[2]  George Danezis,et al.  Denial of service or denial of security? , 2007, CCS '07.

[3]  Andrew Miller,et al.  Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees , 2018, SIGMETRICS.

[4]  Shen Noether,et al.  Ring SIgnature Confidential Transactions for Monero , 2015, IACR Cryptol. ePrint Arch..

[5]  Aggelos Kiayias,et al.  Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain , 2018, EUROCRYPT.

[6]  Andrew Miller,et al.  Discovering Bitcoin ’ s Public Topology and Influential Nodes , 2015 .

[7]  Pedro Moreno-Sanchez,et al.  P2P Mixing and Unlinkable Bitcoin Transactions , 2017, NDSS.

[8]  Cristina Pérez-Solà,et al.  TxProbe: Discovering Bitcoin's Network Topology Using Orphan Transactions , 2018, Financial Cryptography.

[9]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[10]  Laurent Vanbever,et al.  SABRE: Protecting Bitcoin against Routing Attacks , 2018, NDSS.

[11]  Alex Biryukov,et al.  Privacy Aspects and Subliminal Channels in Zcash , 2019, CCS.

[12]  Adi Shamir,et al.  Quantitative Analysis of the Full Bitcoin Transaction Graph , 2013, Financial Cryptography.

[13]  Fergal Reid,et al.  An Analysis of Anonymity in the Bitcoin System , 2011, PASSAT 2011.

[14]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[15]  Aniket Kate,et al.  Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency - Choose Two , 2017, 2018 IEEE Symposium on Security and Privacy (SP).

[16]  Aggelos Kiayias,et al.  Ouroboros Crypsinous: Privacy-Preserving Proof-of-Stake , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[17]  Matthew Green,et al.  ZEXE: Enabling Decentralized Private Computation , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[18]  Sarah Meiklejohn,et al.  QuisQuis: A New Design for Anonymous Cryptocurrencies , 2019, IACR Cryptol. ePrint Arch..

[19]  Jing Chen,et al.  Algorand: A secure and efficient distributed ledger , 2019, Theor. Comput. Sci..

[20]  Gabriel Bracha,et al.  Asynchronous Byzantine Agreement Protocols , 1987, Inf. Comput..

[21]  Patrick D. McDaniel,et al.  An Analysis of Anonymity in Bitcoin Using P2P Network Traffic , 2014, Financial Cryptography.

[22]  Aggelos Kiayias,et al.  Ouroboros Genesis: Composable Proof-of-Stake Blockchains with Dynamic Availability , 2018, IACR Cryptol. ePrint Arch..

[23]  Aniket Kate,et al.  HoneyBadgerMPC and AsynchroMix: Practical Asynchronous MPC and its Application to Anonymous Communication , 2019, IACR Cryptol. ePrint Arch..

[24]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[25]  Daniel Tschudi,et al.  Proof-of-Stake Protocols for Privacy-Aware Blockchains , 2019, IACR Cryptol. ePrint Arch..

[26]  Benny Pinkas,et al.  Blinder: MPC Based Scalable and Robust Anonymous Committed Broadcast , 2020, IACR Cryptol. ePrint Arch..

[27]  Stefano Tessaro,et al.  Asynchronous verifiable information dispersal , 2005, 24th IEEE Symposium on Reliable Distributed Systems (SRDS'05).

[28]  S A R A H M E I K L E J O H N,et al.  A Fistful of Bitcoins Characterizing Payments Among Men with No Names , 2013 .

[29]  Pramod Viswanath,et al.  Deanonymization in the Bitcoin P2P Network , 2017, NIPS.

[30]  Alex Biryukov,et al.  Bitcoin over Tor isn't a Good Idea , 2014, 2015 IEEE Symposium on Security and Privacy.

[31]  Ueli Maurer,et al.  Bitcoin as a Transaction Ledger: A Composable Treatment , 2017, CRYPTO.

[32]  S. Nakamoto Bitcoin: A Peer-to-Peer Electronic Cash System , 2008 .

[33]  Alex Biryukov,et al.  Deanonymisation of Clients in Bitcoin P2P Network , 2014, CCS.