@ -303,7 +303,7 @@ linkability, transaction graphs, shielded transactions, blockchain analysis } |
|
|
|
\newcommand{\blockchain}{\term{block chain}} |
|
|
|
\newcommand{\blockchains}{\term{block chains}} |
|
|
|
\newcommand{\mempool}{\term{mempool}} |
|
|
|
\newcommand{\zchain}{\textbf{zchain}} |
|
|
|
\newcommand{\zchain}{\textbf{zchain} } |
|
|
|
\newcommand{\treestate}{\term{treestate}} |
|
|
|
\newcommand{\treestates}{\term{treestates}} |
|
|
|
\newcommand{\nullifier}{\term{nullifier}} |
|
|
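Review bot: the trailing space hard-coded into the new `\zchain` body (`{\textbf{zchain} }`) will also be emitted before punctuation, so `\zchain.` typesets as "zchain ." and `\zchain,` as "zchain ,". If the goal is to stop TeX from swallowing the space after the macro in running text, the usual fix is `\usepackage{xspace}` and `\newcommand{\zchain}{\textbf{zchain}\xspace}`, or writing `\zchain{}` at the call sites that need it. Two smaller points on the same lines: every neighbouring macro in this hunk (`\blockchain`, `\mempool`, `\treestate`, `\nullifier`) wraps its text in `\term{...}` while `\zchain` uses `\textbf`, which looks like an inconsistency worth deciding on deliberately; and since the body text (see the later hunk) writes "zchains", a plural `\zchains` defined alongside `\blockchains` and `\treestates` would keep the terminology in one place.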
@ -840,6 +840,10 @@ and try a new change to extract new data. This is trivially possible with virtua |
|
|
|
machine images, docker containers and/or Git, and is left as an exercise to the |
|
|
|
motivated blockchain analyst. |
|
|
|
|
|
|
|
There may be much more performant ways to launch an \ITM but currently the method |
|
|
|
known is quite expensive. It's only viable for a company or organization that wants |
|
|
|
to de-anonymize the entire blockchain, but that is indeed who we want to protect against. |
|
|
|
|
|
|
|
\nsubsection{ITM Attack: Consensus Oracle} |
|
|
|
|
|
|
|
We now analyze a specific $T: z \rightarrow z,z$ at a speficic block height $H$ which |
|
|
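Review bot: the added paragraph asserts that "that is indeed who we want to protect against" without tying the claim to the paper's threat model; a reference to the section that defines the adversary (e.g. `\ref{...}` to wherever the well-funded, whole-chain adversary is introduced) would let the reader check that the cost argument actually matches the stated attacker. Wording in the new lines: "the method known" reads as if one method is known, so "the only method currently known" or "the methods known so far" would be clearer; "de-anonymize the entire blockchain" should probably be "de-anonymize every transaction on the blockchain", since the chain itself is not what is being de-anonymized; and "It's" is contraction style that the rest of the paragraph avoids. The unchanged context line `\ldots at a speficic block height $H$` has a typo ("specific") that could be fixed while this region is being edited.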
@ -869,7 +873,7 @@ a structure where we can remove an "inner zutxo" that other things depend on. |
|
|
|
The \ITM marks $z3$ as invalid via HaveShieldedRequirements() or GetSaplingAnchorAt() returning false when actually the conditions |
|
|
|
are valid. When $z4$ transaction is attempted, it will fail since the zk-snark proof will reveal a depedency on $z2$. ITM calls this |
|
|
|
a "reverse proof". There is also the possibility of a "forward proof" when z4 allows the z2 to be spent but z3 fails. In that instance, we can |
|
|
|
say $ t12 \rightarrow x12 \rightarrow y12 \rightarrow z12 $ with high probability. |
|
|
|
say $ t \rightarrow z1 \rightarrow z2 \rightarrow z3 $ with high probability. |
|
|
|
|
|
|
|
These \textbf{zchains} are the main objects of attack and study in an \ITM, where it is an iterative process. Where chains of size $N$ are studied |
|
|
|
and sometimes a linkage can be determined, but often it cannot. When \ITM does find a valid reverse proof, it can attempt to extend it's knowledge |
|
|
|
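Review bot: the replacement chain `$ t \rightarrow z1 \rightarrow z2 \rightarrow z3 $` stops at $z3$, but the two sentences immediately above describe the reverse proof as $z4$ revealing a dependency on $z2$, and the forward proof as "$z4$ allows the $z2$ to be spent but $z3$ fails", so it is not clear whether the chain the author wants to claim "with high probability" should end at $z3$ or at $z4$; the earlier form ($t12 \rightarrow x12 \rightarrow y12 \rightarrow z12$) used a different naming scheme altogether, so either the definitions of $z1 \ldots z4$ should be stated once before this sentence or the chain should be written in terms of the transactions actually discussed. The spaces inside the math delimiters (`$ t ...$`) are harmless but unidiomatic; `$t \rightarrow z_1 \rightarrow z_2 \rightarrow z_3$` with subscripts would also match how $H$ and $T$ are typeset. Unchanged context lines in this hunk carry several typos that could be fixed in the same change: "depedency" (dependency), "extend it's knowledge" (its), "When $z4$ transaction" (When the $z4$ transaction), and the straight double quotes around "reverse proof" and "forward proof" should be LaTeX ``\ldots'' quotes. `HaveShieldedRequirements()` and `GetSaplingAnchorAt()` are function names and would read better in `\texttt{}`. Finally, "These \textbf{zchains}" hand-formats the term that the first hunk defines as `\zchain`; using the macro (or a plural variant of it) keeps the styling consistent if the definition changes again.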