[Update] Research explores how Zcash and other privacy coins can de-anonymize users, suggests defenses

[Update at 14:50 UTC]

Benjamin Winston, Director of Security at ECC, told CryptoSlate via a tweet that the paper was simply a “review” of existing material and that it proposes a new attack based on a “faulty understanding” of the Zcash protocol by the Hush team.

In another tweet to the paper’s authors, Winston mentioned:

[Original article follows]

Research by an independent group claims that Zcash leaks metadata that blockchain attackers could potentially exploit, mainly through certain procedures used by the protocol. Other currencies, such as Bitcoin forks and MimbleWimble-based coins, face similar threats.

However, the research noted that Zcash’s zk-SNARK protocol remains sound, and that no critical threat to the blockchain can mathematically exist. Still, bad actors can potentially take advantage of the mechanism, specifically its consensus rules and the Transaction Format protocol, to unearth information about users and de-anonymize them.

Leakage of metadata is fodder for attackers

Published on May 10, the research was conducted by the developers heading the privacy protocol Hush. The group explored various “metadata attacks” that could be aimed at the Zcash protocol and other privacy-centric cryptocurrencies. They specifically detail an “ITM attack” and suggest a new protocol, their own, as a response to such potential threats.

The research states that, with enough funds, “big time” attackers can analyze minute data and transaction outputs from the Zcash protocol, creating a linkability loophole that connects transactions with certain user behavior, which can then be tied to personal identities.

Importantly, the average individual is not capable of such attacks. Analyzing such large volumes of metadata is both technically complex and financially draining. However, bodies like the National Security Agency and other intelligence agencies are, on paper, capable of conducting such attacks if they choose to.

Various types of analysis can be conducted to tie transactional behavior to users. The paper lists metadata based on timing, value, dust attacks, and even fees as potentially identifying, with each following a different method and level of complexity.

An excerpt from the site reads:

“The number of shielded outputs in the average Zcash transaction is not enough to have strong privacy in light of new advances in blockchain analysis theory.”

The workings of a Zcash exploit

While a fully “shielded” transaction does not directly reveal a user’s address, a large amount of metadata is leaked at the protocol level, which “is not rendered by block explorers nor well understood by the industry.”

The researchers state that exchanges and third-party wallets are the most exposed to this kind of metadata leakage, making de-anonymization an easy process. The research suggests such businesses must spend significantly to preserve user privacy and protect the blockchain.

“Mining pools are a wealth of information,” notes the research. In theory, mining pools that pay out to single addresses are exposed to attackers who join the pool and “mine enough” to receive a single payout. Such actors then know one of the pool’s addresses and the exact amount paid out in that transaction, which can then be traced to the user.

To protect against such vulnerabilities and ensure total privacy, the research suggests using the “Sietch” protocol, which, incidentally, is the framework that the paper’s authors are developing.

Sietch suggests a “non-determinism” approach to shielding privacy, or in simple words, one that employs random outputs for data. In their view, attacks become impractical when test outcomes are no longer “deterministic.”

The paper dives into specifics about Sietch, suggesting that Zcash developers produce a minimum of four “zaddrs” to make ITM attacks impractical. More importantly, they appeal to Zcash users not to reveal transaction IDs and related information on social forums if complete privacy is expected.
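To make the metadata point concrete, here is an added illustration (not code from the paper, Hush, or Sietch) of why a shielded transaction’s visible output count is identifying, and how a non-deterministic floor of at least four outputs breaks that link. The transaction sample is constructed, the fee values are arbitrary, and the padding rule is an assumption for this example rather than Sietch’s actual rules.

```python
import random
from collections import Counter, defaultdict

# Constructed sample (not real chain data): a fully shielded transaction hides
# the addresses, but the number of shielded outputs and the fee remain visible
# to anyone parsing the raw transaction format.
SAMPLE_TXS = [
    {"id": "tx1", "outputs": 2, "fee": 1000},
    {"id": "tx2", "outputs": 2, "fee": 1000},
    {"id": "tx3", "outputs": 1, "fee": 1000},
    {"id": "tx4", "outputs": 3, "fee": 10000},
    {"id": "tx5", "outputs": 2, "fee": 10000},
]

MIN_OUTPUTS = 4  # the floor the article reports the paper suggesting


def fingerprint(tx):
    """The metadata an observer sees without holding any key material."""
    return (tx["outputs"], tx["fee"])


def anonymity_sets(txs):
    """For each tx, how many txs share its visible fingerprint.
    A value of 1 means metadata alone singles that transaction out."""
    counts = Counter(fingerprint(t) for t in txs)
    return {t["id"]: counts[fingerprint(t)] for t in txs}


def pad_outputs(tx, rng, min_outputs=MIN_OUTPUTS, max_extra=2):
    """Illustrative non-deterministic padding (an assumption for this example,
    not Sietch's rules): raise the output count to at least min_outputs, then
    append a random number of further dummy outputs."""
    dummies = max(0, min_outputs - tx["outputs"]) + rng.randint(0, max_extra)
    return {**tx, "true_outputs": tx["outputs"], "outputs": tx["outputs"] + dummies}


def true_counts_per_visible_count(txs):
    """Which real output counts could sit behind each visible count.
    Unpadded transactions give singletons (total leakage); padding gives overlaps."""
    groups = defaultdict(set)
    for t in txs:
        groups[t["outputs"]].add(t.get("true_outputs", t["outputs"]))
    return dict(groups)


if __name__ == "__main__":
    print(anonymity_sets(SAMPLE_TXS))
    rng = random.Random(2020)
    print(true_counts_per_visible_count([pad_outputs(t, rng) for t in SAMPLE_TXS]))
```

Note that the fee remains visible after padding; the example only addresses the output-count dimension the article quotes.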
