
Deanonymisation of Clients in Bitcoin P2P Network

Alex Biryukov, Dmitry Khovratovich, Ivan Pustogarov
University of Luxembourg
{alex.biryukov, dmitry.khovratovich, ivan.pustogarov}@uni.lu

ABSTRACT

Bitcoin is a digital currency which relies on a distributed set of miners to mint coins and on a peer-to-peer network to broadcast transactions. The identities of Bitcoin users are hidden behind pseudonyms (public keys) which are recommended to be changed frequently in order to increase transaction unlinkability.

We present an efficient method to deanonymize Bitcoin users, which allows linking user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or firewalls of their ISPs. They allow linking transactions of a user behind a NAT and distinguishing connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut off by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verified. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General - Security and protection; K.4.4 [Computers And Society]: Electronic Commerce - Cybercash, digital cash; K.4.1 [Computers And Society]: Public Policy Issues - Privacy

Keywords

Bitcoin; Anonymity; P2P; Tor

1. INTRODUCTION

Digital currency based on cryptography is not a new idea [6] but till recently it did not attract much attention. It changed rapidly with the introduction of Bitcoin [12]. Bitcoin is a decentralized digital currency which does not rely on a trusted issuing entity but rather on a peer-to-peer network with peers minting Bitcoins by brute-forcing the double SHA-256 hash function. To make the money generation process computationally hard, the Bitcoin protocol requires the minters to present the hash value of a data block with a new portion of Bitcoins and new transactions to have a certain number of zeros (an instance of the Proof-of-Work concept).

Bitcoin is now accepted as a currency by many companies from online retailer Overstock to exotic Virgin Galactic. One of its main advantages over bank transfers is its decentralized architecture and absence of intermediaries. This prevents shutting it down or seizing by a government. Bitcoin money transfers are non-refundable, reasonably fast¹ and allow sending money to any part of the world. The Bitcoin peer network consists of homogeneous nodes and provides peer discovery and reputation mechanisms to achieve stability. The number of Bitcoin peers is estimated to be about 100,000 nowadays. The vast majority of these peers (we call them clients), about 90%, are located behind NAT and do not allow any incoming connections, whereas they choose 8 outgoing connections to servers (Bitcoin peers with public IP).

In a Bitcoin transaction, the address of money sender(s) or receiver(s) is a hash of his public key. We call such an address a pseudonym to avoid confusion with the IP address of the host where transactions are generated, and the latter will be called just address throughout the text. In the current Bitcoin protocol the entire transaction history is publicly available so anyone can see how Bitcoins travel from one pseudonym to another and potentially link different pseudonyms of the same user together. A theoretical possibility of such an attack was already mentioned in the original Bitcoin paper [12]. Since then several papers [11, 15] showed that it is indeed possible by analysing the transaction graph to cluster pseudonyms to different users. Combined with some other sources (e.g. forum posts), the clusters (and thus the users) can sometimes be mapped to real identities [14, 11]. Even so, these methods are not generic, and the problem of how to tie a Bitcoin address to an actual identity remained unsolved.

Evidently, studying the entire IP traffic of the Bitcoin peers would reveal the origins of each transaction and disclose the identities of many users, but how much can be achieved by an ordinary attacker with a few machines and no access to clients behind NAT has been unclear.

¹ The network sees a transaction immediately, but the receiver has to wait for 1-2 hours to be sure that there is no double-spending.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-2957-6/14/11 ...$15.00.
http://dx.doi.org/10.1145/2660267.2660379.

Lerner [10] and Koshy et al. [9] were the first who attempted an attack in this direction. A vulnerability which allowed linking IP addresses of clients to their bitcoind wallets' addresses was reported by Lerner [10]. The vulnerability exploited a protection against "penny-flooding" which prevents a transaction with very low fees and big size from being forwarded or even stored by a Bitcoin peer. The protection tested if a transaction was from a wallet owned by the user, and if it was the case, then the protection was skipped. This allowed an attacker to test if a peer possessed a Bitcoin address by sending him specifically crafted transactions. The vulnerability required that the attacker had a connection to a peer (thus targeting either Bitcoin servers or clients which established connections to the attacker). This vulnerability was fixed since version 0.7.2.

Koshy et al. [9] managed to deanonymize 1162 addresses over the period of 5 months. Their approach, however, is limited to the transactions that expose anomalous behaviour like transactions relayed only once or transactions that were relayed multiple times by the same IP. Secondly, the proposed method only allows getting IP addresses of servers, which constitute only 10% of the network, and not of the clients. Finally, their paper does not discuss the case when a Bitcoin peer protects himself by proxying his transactions through the Tor anonymity network.

Our contributions.

In this paper we describe a generic method to deanonymize a significant fraction of Bitcoin users and correlate their pseudonyms with public IP addresses. The method explicitly targets the clients (i.e. peers behind NAT or firewalls) and can differentiate the nodes with the same public IP. Furthermore, our method also handles the case when the clients use anonymity services like Tor. If a client uses two different pseudonyms during a single session, and even if they are unrelated in the transaction graph so that the linkage would be totally unachievable via the transaction graph analysis [11], our method is likely to catch it and glue the pseudonyms together. The method is generic and might be used in other P2P networks.

The crucial idea is that each client can be uniquely identified by a set of nodes he connects to (entry nodes).

The computational power needed to disclose the sender of a single transaction is negligible and is far smaller than the amount of work needed to process the transaction graph in [14, 11]. To the best of our knowledge this is the first attack which targets Bitcoin peers behind NAT. Our attack does not assume any anomaly in the behaviour of peers or in the traffic and would work even if Bitcoin would encrypt the connection. It might be applicable to other digital currencies derived from Bitcoin.

As another interesting idea, though unrelated to deanonymisation, we look at how to decrease block mining difficulty by creating an alternative blockchain reality. This becomes important since Bitcoin by design is not adaptive to rapid drops in hash power of miners and might become necessary in case many miners quit mining. This is not just a hypothetical case, since the Bitcoin exchange rate can fall suddenly and rapidly, making block mining unprofitable.

Roadmap.

Our paper is structured as follows:

• We give necessary background of how Bitcoin works and the rules its peers follow to broadcast their addresses and transactions.

• As a first step towards deanonymization, we show how to prohibit Bitcoin clients from using the Tor anonymity network by exploiting the Bitcoin anti-DoS protection mechanism (Section 3).

• We show how to learn the connections of the Bitcoin clients in Section 4.

• We finally show how to identify the sender of a transaction (i.e. deanonymize him) in Section 5. We recover the public IP address of the sender and further differentiate clients sharing the same public IP.

• We discuss how to choose parameters of the attack and its success rate and explain our experiments on the test network. We also propose countermeasures to mitigate the attack.

• As an extra result, we outline a strategy to lower the difficulty of the system by adding a properly selected