Data Analytics and Consensus Mechanisms in Blockchains

PhD-FSTM-2020-43
The Faculty of Sciences, Technology and Medicine

DISSERTATION

Defence held on 24/09/2020 in Esch-sur-Alzette to obtain the degree of DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE by Dániel FEHÉR, born on 5 March 1993 in Miskolc (Hungary)

DATA ANALYTICS AND CONSENSUS MECHANISMS IN BLOCKCHAINS

Dissertation defence committee

  • Dr Alex Biryukov, dissertation supervisor. Professor, Université du Luxembourg
  • Dr Paulo Esteves-Veríssimo, Chairman. Professor, Université du Luxembourg
  • Dr Volker Müller, Vice Chairman. Associate Professor, Université du Luxembourg
  • Dr Rainer Böhme. Professor, Universität Innsbruck
  • Dr Ghassan Karame. Head of Security Research, NEC Laboratories Europe

Abstract

Blockchains, and especially Bitcoin, have soared in popularity since their inception. This thesis furthers our knowledge of blockchains and their uses.

First, we analyze transaction linkability in the privacy preserving cryptocurrency Zcash, based on the currency minting transactions (mining). Using predictable usage patterns and clustering heuristics on mining transactions, an attacker can link to publicly visible addresses in over 84% of the privacy preserving transactions.

Then, we further analyze privacy issues for the privacy-oriented cryptocurrency Zcash. We study privacy preserving transactions and show ways to fingerprint user transactions, including active attacks. We introduce two new attacks, which we call the Danaan-gift attack and the Dust attack.

Then, we investigate the generic landscape and hierarchy of miners as exemplified by Ethereum and Zcash. Both chains used application-specific integrated circuit (ASIC) resistant proofs-of-work which favor GPU mining in order to keep mining decentralized. This, however, has changed with the introduction of ASIC miners for these chains. This transition allows us to develop methods that might detect hidden ASIC mining in a chain (if it exists), and to study how the introduction of ASICs affects the decentralization of mining power. Finally, we describe how an attacker might use public blockchain information to invalidate miners' privacy, deducing the mining hardware of individual miners and their mining rewards.

Then, we analyze the behavior of cryptocurrency exchanges on the Bitcoin blockchain, and compare the results to the exchange volumes reported by the same exchanges. We show that in multiple cases these two values are close to each other, which confirms the integrity of their reported volumes. Finally, we present a heuristic to try to classify large clusters of addresses in the blockchain, and whether these clusters are controlled by an exchange.

Finally, we describe how to couple reputation systems with distributed consensus protocols to provide a scalable permissionless consensus protocol with a low barrier of entry, while still providing strong resistance against Sybil attacks for large peer-to-peer networks of untrusted validators. We introduce the reputation module ReCon, which can be laid on top of various consensus protocols such as PBFT or HoneyBadger. The protocol takes external reputation ranking as input and then ranks nodes based on the outcomes of consensus rounds run by a small committee, and adaptively selects the committee based on the current reputation.

Acknowledgements

This dissertation would not be possible without the support and help from many people. First of all, I would like to thank my supervisor, Prof. Alex Biryukov, for leading my research and providing me with the freedom to choose many topics. I would like to thank my thesis supervision committee members, Prof. Paulo Esteves Verissimo, and Prof. Volker Müller, for following my research and giving valuable advice. I am grateful to Prof. Rainer Böhme and to Dr. Ghassan Karame for agreeing to serve on my defense as jury members.

I would like to thank the University of Luxembourg and the Interdisciplinary Centre for Security, Reliability and Trust for providing me an excellent research environment. I am thankful to all my colleagues at CryptoLUX and at the University for the happy years and the countless conversations we had during our coffee breaks.

My greatest gratitude is to my family and friends who have always supported me in every decision I took in my life.

Contents

Abstract
Acknowledgements
List of Figures
List of Tables
List of Abbreviations

1 Introduction
  1.1 Currencies
    1.1.1 Main Challenges of Digital Currencies
    1.1.2 Digital Currencies
  1.2 Bitcoin
    1.2.1 Transaction Structure
    1.2.2 Blocks
    1.2.3 Proof-of-Work Protocol
    1.2.4 Mining Hardware
    1.2.5 Mining Pools
    1.2.6 Network Communication
    1.2.7 Security of Bitcoin
    1.2.8 Advantages and Disadvantages
    1.2.9 Main Actors in Bitcoin
  1.3 Scalability of Cryptocurrencies
  1.4 Privacy in Cryptocurrencies
    1.4.1 Privacy-oriented Cryptocurrencies
  1.5 Contributions

I Data Analytics in Blockchains

2 Deanonymizing Miners in Zcash
  2.1 Zcash
    2.1.1 Notation
  2.2 Analytics tool for Zcash
  2.3 Related Work
  2.4 Deanonymizing The Miners
    2.4.1 Pattern T Mining Pools
    2.4.2 Pattern Z Mining Pools
    2.4.3 Results of the Heuristics
    2.4.4 Accuracy of the Heuristics
    2.4.5 Comparison of results to previous work
    2.4.6 Inflation of results
  2.5 Summary and Conclusions

3 Further Transaction Linking in Zcash
  3.1 Linking with Transaction Values
    3.1.1 Direct Value Linking Including Transaction Fees
    3.1.2 Subset sum
    3.1.3 Fingerprinted Values
    3.1.4 Further Results
  3.2 The Model for the Probability of Fingerprint Survival
    3.2.1 Experimental results
    3.2.2 Notation
    3.2.3 Sapling Transactions Dataset
  3.3 Danaan-Gift Attack (Malicious Value Fingerprinting)
  3.4 Dust Attack
    3.4.1 Official Linux Command-line Zcash Wallet
    3.4.2 GUI-based Sapling-supporting Wallets
    3.4.3 Combining Danaan and Dust Attacks
  3.5 Usage of zk-SNARKs
    3.5.1 Interaction Between Sapling and Sprout Transactions
  3.6 Summary and Conclusions

4 Privacy of Miners in Zcash and Ethereum
  4.1 Terminology
  4.2 Background and Related Work
  4.3 Mining Landscape
    4.3.1 Ethereum
    4.3.2 Zcash
    4.3.3 GPU Mining
    4.3.4 GPU vs ASIC mining
  4.4 Detecting ASIC miners
    4.4.1 Fraction of large miners in the mining power
    4.4.2 Mining Software Developer Fees
    4.4.3 Public Introduction of ASICs
  4.5 Mining Centralization
  4.6 Privacy of Miners
    4.6.1 Linkability of Mining rewards
    4.6.2 Countermeasures
  4.7 Summary and Conclusions

5 Estimating Exchange Traffic
  5.1 Evaluating Identified Clusters
  5.2 Classifying Large Clusters
  5.3 Summary and Conclusions

II Consensus Protocols in Blockchains

6 ReCon
    6.0.1 Related Work
  6.1 Existing Consensus Protocols
    6.1.1 Proof-of-Work
    6.1.2 Proof-of-Stake
    6.1.3 Byzantine Agreement
    6.1.4 Hybrid Protocols
  6.2 Preliminaries of Our Protocol
    6.2.1 Generic
    6.2.2 Assumptions
    6.2.3 Nodes
  6.3 Reputation module
    6.3.1 External Reputation
    6.3.2 Committee selection
    6.3.3 Rewards and penalties
    6.3.4 Probability of a forgery
    6.3.5 Types of Blocks
    6.3.6 Source of randomness
    6.3.7 Fairness
    6.3.8 Dealing with forks
    6.3.9 Convergence
    6.3.10 Pseudocode
  6.4 Simulation Results
    6.4.1 External reputation: discrete (no information)
    6.4.2 External reputation with normal distribution
    6.4.3 External reputation with exponential distribution
  6.5 Attacks and their mitigation
    6.5.1 Botnet takeover
    6.5.2 Sybil attack: saturation
    6.5.3 Sybil attack: lie and wait strategy
    6.5.4 Attacks on randomness
    6.5.5 Honest majority
    6.5.6 Detection

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    139 pages
