diff --git a/sietch.pdf b/sietch.pdf index 8ad2068..8dcc3f3 100644 Binary files a/sietch.pdf and b/sietch.pdf differ diff --git a/sietch.tex b/sietch.tex index 8439f6b..0adca16 100644 --- a/sietch.tex +++ b/sietch.tex @@ -521,7 +521,9 @@ ago and there was no financial profit in studying the data. That has obviously drastically changed. This paper will be primarily concered with \textbf{shielded transaction graphs} -which are \textbf{directed acyclic graphs (DAGs)}. A \shielded transaction +which are \textbf{directed acyclic graphs (DAGs)} where a node represents a \textbf{transaction} +with a unique id called \textbf{txid} and the incoming vertices are inputs being spent +and the outgoing vertices are new outputs being created. A fully \shielded transaction does not reveal the address of Alice, nor Bob, nor the amount transacted but it does leak a large amount of metadata at the protocol level, which is not rendered by block explorers nor well understood by the industry. @@ -786,6 +788,8 @@ As far as the authors know this is a new technique that has not been publicly de \nsection{Sietch: Theory} +\nsubsection{Sietch: Basics} + The ITM Attack relies on the fact that the most common shielded transaction on most currently existing Zcash Protocol blockchains have only 2 outputs $T: z \rightarrow z,z$ and the basic fact that if some metadata can be leaked about one output, if it's \textbf{spent} or \textbf{unspent} or it's range of possible values, it provides a lot of metadata on the other output as well. If there were 3 outputs, then there would be uncertainty involved, instead of a more direct algebraic relation such as "if one output had amount=5 then the other output had an amount of $total - 5$". When 3 \zaddr outputs are involved, knowing the value of one \zaddr output does not provide as much information on the value of any other particular \zaddr. 
@@ -807,6 +811,26 @@ outputs that exact values being transferred cannot be ascertained. This mimics t where an infected person cannot easily infect another person with a virus because the people near them are already in recovery or immune. +\nsubsection{Sietch: Non-Determinism} + +In addition to a minimum number of \zaddr outputs, Sietch introduces \textbf{non-determinism} +into Zcash Protocol. Zcash inherited determinism from Bitcoin, where it is a good idea. +In privacy coins, it turns out that determinism can reduce privacy in some situations and it +is not actually a requirement for the cryptocoin to function. + +Sietch employs 3 kinds of non-determinism: + +\begin{itemize} +\item 1 The order of automatically added \zaddr outputs is random +\item 2 The exact number of automatically added outputs is random +\item 3 The \zaddrs which are sent to are random +\end{itemize} + +Hush developers feel that non-determinism is a powerful mitigation against \textbf{Metaverse Attacks} +because when attempting to simulate the blockchain and look for oracles or leak useful bits of metadata, +the outcome of a "test" is no longer deterministic and therefore some attacks will become impractical +or impossible. + \nsection{Sietch: Code In Production} Sietch uses a default rule of a minimum of 7 \zaddr outputs in a transaction. Because @@ -847,9 +871,7 @@ expensive for even the largest players. \nsection{Thoughts On Device Seizure} -TLDR: You should really care about this. - -For example, say Alice sent Bob and Charlie funds in a fully shielded transaction with shielded change: $ z \rightarrow z,z,z$ +Say Alice sent Bob and Charlie funds in a fully shielded transaction with shielded change: $ z \rightarrow z,z,z$ . Now let us say that Alice and Charlie have their devices seized, wallet.dat's "liberated" and uploaded into chain analysis software that understands Zcash Protocol and ITM-Style Attacks. Bob is now in a 
@@ -871,10 +893,6 @@ to about 5 seconds on modern hardware, when spending a small number of inputs. T of time for users to make a transaction, given that the original Sprout \zaddrs took over a minute to make the simplest of transactions. -Shielded coinbase seems interesting but leaks a grave amount of metadata about the zaddress of the miner, which -can feed into this analysis. We recommend Pirate, Arrow and other coins implementing enforced \zaddr usage -avoid implementing the new ZIPXXX. - Allowing users to spend huge numbers of inputs at once makes their transactions stand out. GUI wallets and education need to improve to reduce loss of privacy. 
@@ -882,6 +900,30 @@ Do not advocate that users post \zaddrs and the txid's and explorer links they a keep this metadata to private messages, DMs and other non-public places. The fewer people that know your \zaddr, the better! +\nsection{Future Considerations} + +This section considers various new technologies coming down the pipeline and how they interact with existing +and new metadata analysis techniques. + +\nsubsection{Shielded Coinbase} + +Shielded coinbase seems interesting but leaks a grave amount of metadata about the zaddress of the miner, which +can feed into this analysis. We recommend Pirate, Arrow and other coins implementing enforced \zaddr usage +avoid implementing the new ZIPXXX. + +Shielded Coinbase will drastiscally reduce privacy of \zaddr miners, because they will re-use the same \zaddr +for every block and it leaks the \zaddr being mined to. The "normal" behavior of mining to a taddr first then +sending to a \zaddr isolates metadata leakage to the taddr. The \zaddr of a miner is never disclosed publicly. + +By using Timing and Value Analysis with Shielded Coinbase, an analyst can get a much better estimate on the minimum +value a \zaddr likely has and how much funds pass thru it per time interval, as well as txid's to correlate to the +\zaddr. These can all be used as inputs to the ITM Attack, as well. + +In summary, Shielded Coinbase was implemented by Electric Coin Company with no regard to increasing privacy on their +blockchain. Since increased \zaddr usage does not translate into more profits, it does not seem likely that they +will ever have meaningful privacy on Zcash mainnet. Only Zcash Protocol coin which enforce \zaddr usage have a +chance at meaningful privacy. + \nsection{Special Thanks} Special thanks to jl777, ITM, denioD and Biz for their feedback.
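Review bot: in the @@ -521 hunk, the added definition makes the transaction the node of the DAG but then calls its inputs and outputs "incoming vertices" and "outgoing vertices"; once transactions are the vertices, the inputs being spent and the outputs being created are the directed edges between them. Suggest "the incoming edges are inputs being spent and the outgoing edges are new outputs being created" so the graph terminology is consistent with the rest of the sentence.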
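Review bot: in the @@ -807 hunk (Sietch: Non-Determinism), the list hand-numbers its items inside an itemize environment (`\item 1 The order of automatically added \zaddr outputs is random`), which renders a bullet followed by a stray digit; switch to `\begin{enumerate}` ... `\end{enumerate}` and drop the digits. The paragraph that follows bolds "Metaverse Attacks" as if introducing the term but does not define it here; if it is defined earlier in the paper, add a cross-reference, otherwise give a one-line definition before relying on it.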
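Review bot: in the @@ -882 hunk (Future Considerations), "ZIPXXX" is a placeholder that is carried over verbatim from the paragraph removed in the @@ -871 hunk and should be replaced with the actual ZIP number or a `\cite` before merge. Same hunk, spelling and grammar: "drastiscally" should be "drastically", "pass thru it" should be "pass through it", and "Only Zcash Protocol coin which enforce \zaddr usage have" should be "Only Zcash Protocol coins which enforce \zaddr usage have". The closing paragraph's claim about Electric Coin Company's motives reads as opinion in an otherwise technical section; consider attributing it explicitly ("The authors believe ...") or supporting it with a reference.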