Dissertation Docteur De L'université Du Luxembourg
Total Page:16
File Type:pdf, Size:1020Kb
PhD-FSTM-2020-45 The Faculty of Sciences, Technology and Medicine DISSERTATION Defence held on 17/09/2020 in Esch-sur-Alzette to obtain the degree of DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE by Sergei TIKHOMIROV Born on 29 May 1991 in Moscow (USSR) SECURITY AND PRIVACY OF BLOCKCHAIN PROTOCOLS AND APPLICATIONS Dissertation defence committee Dr Alex Biryukov, dissertation supervisor Professor, Université du Luxembourg Dr Matteo Maffei Professor, TU Wien Dr Volker Müller, Chairman Associate Professor, Université du Luxembourg Dr Patrick McCorry CEO, PISA Research Dr Andrew Miller, Vice Chairman Assistant Professor, University of Illinois, Urbana-Champaign iii “Imagine there was a base metal as scarce as gold but with the following properties: – boring grey in colour – not a good conductor of electricity – not particularly strong, but not ductile or easily malleable either – not useful for any practical or ornamental purpose and one special, magical property: can be transported over a communications channel.” Satoshi Nakamoto v UNIVERSITY OF LUXEMBOURG Abstract Faculty of Science, Technology and Medicine Department of Computer Science Doctor of Philosophy Security and Privacy of Blockchain Protocols and Applications by Sergei TIKHOMIROV Bitcoin is the first digital currency without a trusted third party. This revolution- ary protocol allows mutually distrusting participants to agree on a single common history of transactions. Bitcoin nodes pack transactions into blocks and link those in a chain (the blockchain). Hash-based proof-of-work ensures that the blockchain is computationally infeasible to modify. Bitcoin has spawned a new area of research at the intersection of computer sci- ence and economics. Multiple alternative cryptocurrencies and blockchain projects aim to address Bitcoin’s limitations. This thesis explores the security and privacy of blockchain systems. In PartI, we study the privacy of Bitcoin and the major privacy-focused cryp- tocurrencies. In Chapter2, we explore the peer-to-peer (P2P) protocols underpin- ning cryptocurrencies. In Chapter3, we show how a network adversary can link transactions issued by the same node. We test the efficiency of this novel attack in real networks, successfully linking our own transactions. Chapter4 studies the pri- vacy characteristics of mobile cryptocurrency wallets. We discover that most wallets do not follow the best practices aimed at protecting users’ privacy. PartII is dedicated to the Lightning Network (LN). Bitcoin’s architecture em- phasizes security but severely limits transaction throughput. The LN is a promi- nent Bitcoin-based protocol that aims to alleviate this issue. It performs low-latency transactions off-chain but leverages Bitcoin’s security guarantees for dispute resolu- tion. We introduce the LN and outline the history of off-chain protocols in Chapter5. Then, in Chapter6, we introduce a probing attack that allows an adversary to dis- cover user balances in the LN. Chapter7 estimates the likelihood of various privacy attacks on the LN. In Chapter8, we describe a limitation on the number of concur- rent LN payments and quantify its effects on transaction throughput. Part III explores the security and privacy of Ethereum smart contracts. Bitcoin’s language for defining spending conditions is intentionally restricted. Ethereum is a blockchain network allowing for more programmability. Ethereum users can write programs in a Turing-complete high-level language called Solidity. These programs, called smart contracts, are stored on-chain along with their state. Chapter9 out- lines the history of blockchain-based programming. Chapter 10 describes Findel – a Solidity-based declarative domain-specific language for financial contracts. In Chapter 11, we classify the vulnerabilities in real-world Ethereum contracts. We then present SmartCheck – a static analysis tool for bug detection in Solidity pro- grams. Finally, Chapter 12 introduces an Ethereum-based cryptographic protocol for privacy-preserving regulation compliance. vii Acknowledgements This work would not be possible without the help and support of many people. This is an incomplete list of those to whom I would like to express my gratitude. First of all, I am deeply grateful to my advisor, Prof. Alex Biryukov, for the op- portunity to pursue my research interests and the invaluable guidance throughout this journey. I appreciate Prof. Volker Müller, A-Prof. Andrew Miller, Prof. Mat- teo Maffei, Dr. Patrick McCorry, and A-Prof. Arthur Gervais agreeing to serve as jury members. I thank my co-authors: Dmitry Khovratovich, Ekaterina Voskresen- skaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, Yaroslav Alexandrov, Pedro Moreno-Sanchez, Matteo Maffei, René Pickhardt, and Mariusz Nowostawski. I have learned a lot during our fruitful collaborations. A special thanks goes to Pe- dro Moreno-Sanchez and Matteo Maffei for inviting me to spend three months on a research visit at TU Wien in the beautiful city of Vienna. I thank my colleagues for the insightful and fun conversations: Aleksei Udovenko, Brian Shaft, Christof Beierle, Dag Arne Osvik, Daniel Dinu, Daniel Feher, Dmitry Khovratovich, Giuseppe Vitto, Johann Großschädl, Luan Cardoso dos Santos, Léo Perrin, Qingju Wang, Ritam Bhaumik, Shange Fu, Vesselin Velichkov, and Yann Le Corre. The country of Luxembourg and the University of Luxembourg generously pro- vided me with excellent research conditions. I specifically thank Fabienne Schmitz, Ida Ienna, and Catherine Violet for their assistance in administrative matters. A huge thanks goes to my co-hosts for the Basic Block Radio podcast Ivan Ivan- itskiy, Sergei Pavlin, and Alexander Seleznev, and to all our guests and listeners, for helping spread the word about decentralized technologies for the Russian-speaking audience. My deepest gratitude goes to my family for their endless love and support. I want to specifically thank my parents for encouraging me to pursue education abroad. Finally, I thank Satoshi Nakamoto. Your ingenious invention continues to amaze and inspire me. I admire your wisdom and humility. It is an honor to be a part of the movement you started. ix Contents Abstractv Acknowledgements vii 1 Introduction1 1.1 Foreword....................................1 1.2 Historical overview..............................2 1.2.1 Evolution of the Internet.......................2 1.2.2 Evolution of money.........................4 1.3 Bitcoin.....................................7 1.3.1 Bitcoin architecture..........................8 1.3.2 Is proof-of-work wasteful?.....................9 1.3.3 Professionalization of mining.................... 10 1.4 Challenges for cryptocurrencies....................... 12 1.4.1 Expressiveness............................ 12 1.4.2 Scalability............................... 13 1.4.3 Privacy................................. 13 1.5 Our contributions............................... 15 I Network privacy in Bitcoin and privacy-focused cryptocurrencies 17 2 P2P protocols in cryptocurrencies 19 2.1 Design goals for a cryptocurrency P2P network.............. 19 2.2 P2P protocols in cryptocurrencies...................... 20 2.2.1 Bitcoin P2P protocol......................... 20 2.2.2 Dandelion............................... 21 2.3 Taxonomy of nodes.............................. 22 2.4 Network-level privacy in cryptocurrencies................ 23 2.4.1 Network-based transaction deanonymization.......... 23 3 Deanonymization of transactions with network analysis 27 3.1 Transaction clustering with timing analysis................ 27 3.1.1 Weight functions and clustering.................. 28 3.1.2 Measuring clustering quality.................... 30 3.1.3 Measuring the degree of deanonymization............ 30 3.2 Implementation details............................ 31 3.3 Experimental evaluation........................... 32 3.3.1 Results for desktop wallets..................... 33 3.3.1.1 Bitcoin testnet....................... 34 3.3.1.2 Bitcoin mainnet...................... 35 3.3.1.3 Zcash............................ 36 3.3.1.4 Dash............................. 37 x 3.3.1.5 Monero........................... 37 3.3.2 Results for mobile wallets...................... 39 3.4 Attack cost estimation............................ 42 3.5 Discussion and countermeasures...................... 42 3.6 Conclusion................................... 44 4 Privacy of cryptocurrency wallets 45 4.1 Minimal privacy criteria........................... 45 4.2 Analysis of selected wallets......................... 46 4.2.1 Manual inspection.......................... 47 4.2.2 Static analysis............................. 50 4.3 Conclusion................................... 52 II Privacy of the Lightning Network 53 5 Introduction to Lightning Network 55 5.1 Evolution of payment channels in Bitcoin................. 55 5.1.1 Transaction replacement with sequence numbers........ 55 5.1.2 Unidirectional channels....................... 56 5.1.3 Replace-by-timelock and Duplex channels............ 56 5.1.4 Poon-Dryja channels (Lightning).................. 57 5.2 Lightning Network architecture....................... 58 5.2.1 Nodes................................. 58 5.2.2 Channels................................ 58 5.2.3 P2P network and path-finding................... 61 5.2.4 The future of Lightning....................... 61 5.3 Research directions in payment channel networks............ 62 6 Probing Lightning channel balances 63 6.1 Probing algorithm............................... 63 6.1.1 Overview..............................