[Update] Research explores how Zcash and other privacy coins can de-anonymize users, suggests defenses
[Update at 14:50 UTC] Benjamin Winston, Director of Security at ECC, told CryptoSlate via a tweet the paper was simply a “review” of existing material and proposes a new attack that is based on a “faulty understanding” of the Zcash protocol by the Hush team.
[Update at 14:50 UTC]
Benjamin Winston, Director of Security at ECC, told CryptoSlate via a tweet the paper was simply a “review” of existing material and proposes a new attack that is based on a “faulty understanding” of the Zcash protocol by the Hush team.
We reviewed this on May 6th and found it to be baseless. There's no code, no list of applicable transactions, just wild speculation that turns out to be wrong. Dressing it up as a paper just looks silly.
— Benjamin Winston (@industrybambam) May 13, 2020
In another tweet to the paper’s authors, Winston mentioned:
… Specifically it seems as though the attack relies on the protocol and software selecting Sapling outputs from the mempool, when in fact they can only be selected from existing blocks. Sapling outputs can only be referred to by an anchor after the transaction is mined. (2/2)
— Benjamin Winston (@industrybambam) May 11, 2020
[Original article follows]
Research by an independent group claims possible vulnerabilities in Zcash’s metadata, mainly due to certain procedures used by the protocol that blockchain attackers could potentially exploit. Others, such as Bitcoin forked coins and MimbleWimble-based currencies face similar threats.
However, the research noted Zcash’s zk-snark protocol remains sound, and no critical threat to the blockchain can mathematically exist. Still, bad actors can potentially take advantage of the mechanism, specifically its consensus rules and the Transaction Format protocol to unearth information about and de-anonymize users.
Leakage of metadata is fodder for attackers
Published on May 10, the research was conducted by the developers heading the privacy protocol Hush. The group explored various “metadata attacks” that could be targeted towards the Zcash protocol and other privacy-centric cryptocurrencies. They specifically detail an “ITM attack” and suggest a new protocol, their own, as a response to such potential threats.
The research states that enough funds, “big time” attackers can analyze minute data and transaction outputs stemming from the Zcash protocol, creating a linkability loophole that could connect transactions with certain user behavior, which can then be tied to personal identities.
Attacking Zcash For Fun And Profithttps://t.co/90mnrtEMRZ
Subscribe here: https://t.co/RKdIKaCjnx
Happy Bitcoin Halving Day! pic.twitter.com/ecwzooLfNc
— Duke Leto (@dukeleto) May 11, 2020
Importantly, the average individual is not capable of such attacks. Conducting analysis of huge metadata is both technically complex and financially draining. However, bodies like the National Security Agency and other intelligence providers are, on paper, capable of conducting such attacks if they deem to.
Various types of analysis can be conducted to attach transactional behavior with users. The paper lists metadata information based on time, value, dust attacks, and even fees as potentially identifying, which each following a different method and complexity.
An excerpt from the site suggests:
“The number of shielded outputs in the average Zcash transaction is not enough to have strong privacy in light of new advances in blockchain analysis theory.”
The workings of a Zcash exploit
While a fully “shielded” transaction does not directly reveal user address, a large amount of metadata is leaked at the protocol level, which “is not rendered by block explorers nor well understood by the industry.”
The researchers’ state exchanges and third-party wallets are most exposed to this kind of metadata, making de-anonymization an easy process. The research suggests such businesses must spend significantly to save user privacy and protect a blockchain.
“Mining pools are a wealth of information,” notes the research. In theory, mining-pools that operate a pay-out process to single addresses are exposed to attackers joining the pool and “mine enough” to get a single payout. Such actors are now conversant with one of the addresses, and the exact amount being paid out in that transaction. This can then be traced to the user.
To protect against such vulnerabilities and ensure total privacy, the research suggests using the “Sietch” protocol, which incidentally, is the framework that the paper’s authors are developing.
These graphics illustrate the edge that our Sietch privacy enhancing protocol gives us. Over the coming days/weeks/months we will be releasing information about #privacy vulnerabilities that have been discovered in the #Zcash protocol, solved on the $HUSH chain. Stay tuned! pic.twitter.com/fZSHz0uDiz
— Hush (@MyHushTeam) May 10, 2020
Sietch suggests using a “non-determinism” approach towards shielding privacy, or in simple words, one that uses employs random outputs for data. In their view, attacks become impractical when test outcomes are no longer “deterministic.”
The paper dives into specifics about Sietch, suggesting Zcash developers to produce a minimum of four “zaddrs” to make ITM attacks impractical. But more importantly, they appeal to Zcash users to not reveal transaction I.Ds and related information on social forums, if complete privacy is expected.