Blockchain Privacy Protection (1): Privacy Protection Mechanism at the Transaction Layer

  • Blockchain's built-in privacy protection mechanisms

Pseudonym mechanism

       Users can generate any number of blockchain addresses on their own, with no registration or authentication, and the different addresses generated by one user can be used independently with no visible relationship between them. Since an address alone cannot be linked to the user's real identity, this mechanism hides which of the records on the blockchain belong to the same user.

Broadcast mechanism

       The blockchain system transmits data over a P2P network and spreads messages with a flooding broadcast protocol. A receiving node cannot tell whether the peer it received a message from is the original sender or merely a forwarder, which protects the identity of the real originator.

        The pseudonym and broadcast mechanisms protect user privacy to a certain extent, but in practice the privacy of blockchain users still faces many threats. The main reason is that, to guarantee the correctness and security of the decentralized system, all nodes jointly maintain one consistent distributed ledger and record all historical data in the blockchain, so that every node can verify the ledger. All data in the ledger is therefore public, which means an attacker can obtain it easily and spy on users' privacy by analyzing the public records. In addition, the blockchain system communicates over a decentralized network. In a public chain, nodes need no identity authentication to join, which improves the scalability of the system but also lets attackers freely deploy nodes that join the network and monitor the privacy and communication information of other nodes.

  • Blockchain Privacy Threats

       Here, blockchain privacy threats are divided into three aspects:

Privacy threats at the transaction layer

       · Transaction privacy threats. Attackers can extract information by analyzing transaction records, such as the balance of a specific account, transaction details, and the flow of specific funds.

       · Identity privacy threats. Building on analysis of the transaction data, the attacker combines it with background knowledge to recover the identity of the transacting party.

Privacy threats at the network layer

       Malicious nodes can easily join the network and monitor communication data at the network layer.

Privacy threats at the application layer

       · Privacy leakage caused by user behavior and by blockchain service providers.

      Here we mainly analyze privacy threats at the transaction level. For threats to transaction privacy, clustering analysis can be run over related blockchain addresses and yields a great deal of valuable information. For example, it can reveal the financial relationships between different addresses, and it works especially well for certain special accounts. It can also track particular transactions, such as very large transfers or transactions suspected of theft and other malicious behavior, and follow the flow of funds by continuously monitoring subsequent transactions. As for threats to identity privacy, blockchain transactions carry a lot of latent information, and this information can be used to infer the identities behind the transaction data. For example, most multi-input transactions are initiated by a single user, which many researchers use as a heuristic; likewise, the multiple output addresses of one coinbase transaction belong to the same set of users, and the change address of a transaction belongs to the same user as its input addresses. Using such information, correlations between different addresses can be found, which reduces the anonymity of blockchain addresses.
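As an added illustration of the clustering heuristics just described (this is not code from the original article), the following Python applies the multi-input, coinbase-output and change-address heuristics to a small constructed ledger using union-find. The transactions, addresses and amounts are made up for the example; the point is to see how few heuristics it takes to merge pseudonymous addresses into clusters, which is what the mixing mechanisms below are designed to frustrate.

```python
"""Address clustering with the heuristics described above (multi-input,
coinbase outputs, change address). Added example; ledger data is constructed."""
from collections import defaultdict

# Constructed toy ledger, in chain order. Addresses and txids are placeholders.
SAMPLE_TXS = [
    {"txid": "tx0", "coinbase": False, "inputs": ["Z1"], "outputs": [("B1", 0.5)]},
    {"txid": "tx1", "coinbase": True, "inputs": [], "outputs": [("M1", 6.25), ("M2", 6.25)]},
    {"txid": "tx2", "coinbase": False, "inputs": ["A1", "A2"], "outputs": [("B1", 1.0), ("A3", 0.37)]},
    {"txid": "tx3", "coinbase": False, "inputs": ["A3"], "outputs": [("C1", 0.2), ("C2", 0.17)]},
    {"txid": "tx4", "coinbase": False, "inputs": ["D1", "D2"], "outputs": [("E1", 2.0), ("E2", 0.9)]},
]


class UnionFind:
    """Disjoint sets over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return the address clusters (sorted lists) implied by the three heuristics."""
    uf = UnionFind()
    seen = set()  # addresses that appeared in any earlier transaction
    for tx in txs:
        ins = tx["inputs"]
        outs = [addr for addr, _ in tx["outputs"]]
        for a in ins + outs:
            uf.find(a)  # register singletons too
        if tx["coinbase"]:
            # Heuristic 2: outputs of one coinbase tx belong to one user set (e.g. a pool).
            for a in outs[1:]:
                uf.union(outs[0], a)
        else:
            # Heuristic 1: all inputs of a multi-input tx are spent by the same user.
            for a in ins[1:]:
                uf.union(ins[0], a)
            # Heuristic 3: with >= 2 outputs, a single never-before-seen output
            # address is taken to be the change address, owned by the spender.
            fresh = [a for a in outs if a not in seen and a not in ins]
            if len(outs) >= 2 and len(fresh) == 1:
                uf.union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(outs)
    groups = defaultdict(set)
    for a in list(uf.parent):
        groups[uf.find(a)].add(a)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def same_owner(clusters, a, b):
    """True if the heuristics place addresses a and b in one cluster."""
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    for c in cluster_addresses(SAMPLE_TXS):
        print(c)
```

On the constructed ledger, A1, A2 and A3 collapse into one cluster (two inputs plus the fresh change output), while tx3's two fresh outputs stay ambiguous; the number of clusters is a rough measure of how much anonymity the pseudonym mechanism still provides.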

  • Transaction-layer privacy protection mechanisms

       Analysis of the transaction-layer attack methods shows that the attacker mainly obtains private information by analyzing public blockchain transaction data. The focus of the transaction-layer protection mechanism is therefore to prevent malicious nodes from obtaining accurate transaction data while still allowing the blockchain to operate normally. There are three main methods:

Techniques based on data distortion

       · By obfuscating part of the transaction content, the attacker is prevented from obtaining accurate data, which raises the cost of analysis. The difficulty is to keep attackers from discovering relationships between addresses without altering the transaction's result.

       · Address obfuscation mechanism ("coin mixing")

Techniques based on data encryption

       · By encrypting the transaction information, the attacker cannot obtain the concrete transaction details, so analysis cannot proceed. The difficulty is that encryption must not break the existing verification mechanism.

       Monero, Zcash (zero-knowledge proofs, zk-SNARKs)

Techniques based on restricted release

       · By publishing little or no transaction data, the information available to an attacker is reduced and analysis becomes harder.

       Lightning Network, consortium chains and private chains

        Of these, this article mainly analyzes the various address obfuscation techniques.

  • Address Obfuscation Mechanism

       The address obfuscation mechanism has many different implementations. According to who performs the operation, they fall into two types: centralized coin mixing and decentralized coin mixing:

       Centralized coin mixing requires a centralized mixing service provider that helps users perform the mixing operation.

       In decentralized coin mixing, all users participating in the mix carry out the mixing transaction among themselves according to the protocol.

        Each of the two types has its own advantages and disadvantages. Centralized coin mixing is easy for users, but the mixing service provider itself is a security risk. Decentralized coin mixing is more secure, but users must find mixing partners and interact with them to construct the mixing transaction, which is inconvenient.

        In addition, three metrics are proposed for evaluating the various implementations of the address obfuscation mechanism:

       · Asset security

       After the address obfuscation operation, the user gets back the assets they put into the mix (minus the fee) before the agreed time.

       · External privacy

       The likelihood that an external attacker can associate the input and output addresses of a user who took part in the mixing transaction.

       · Internal privacy

       The likelihood that an attacker who participates in the mixing process itself can associate the input and output addresses of a user who took part in the mixing transaction.

  • Centralized coin mixing

        First, a brief introduction to centralized coin mixing.

        Its basic model consists of four stages: negotiation, input, output, and termination.

        The basic centralized mixing service has two main problems:

        · The behavior of centralized mixing service providers has identifiable characteristics

        · There is a risk of insider misbehavior

        In response to these problems, researchers have proposed techniques that improve the external privacy, internal privacy and asset security of the centralized mixing protocol. The mechanisms are as follows:

        · Randomization mechanism

        · Commitment mechanism based on electronic signatures: the Mixcoin protocol

        · Hiding mechanism based on blind signatures: the Blindcoin protocol

        The randomization mechanism reduces the characteristic behavior of the mixing service provider and makes the attacker's analysis harder, thereby improving external privacy. The commitment mechanism requires the mixing service provider to electronically sign the parameters agreed in the negotiation stage as a commitment, which prevents the provider from stealing users' assets and improves asset security.

        The hiding mechanism based on blind signatures uses a blind signature in the negotiation stage so that key parameters are hidden from the service provider while the commitment mechanism is preserved. This hides the relationship between a user's input and output addresses from the service provider and provides internal privacy.

        The Mixcoin protocol is introduced as the example of the signature-based commitment mechanism, and the Blindcoin protocol as the example of the blind-signature hiding mechanism. Each is described in detail below.

  • Centralized coin mixing - basic model

        First, the basic model of centralized coin mixing.

        · The general idea of centralized coin mixing is that a service provider helps users who want to mix coins find partners, constructs the mixing transactions, and charges them a fee. In this process the mixing service provider acts as an intermediary that transacts with each user: after receiving a user's assets it shuffles them at random and returns them to the corresponding destination address. Exchanging the assets of different users with one another achieves the address-obfuscation effect: an analysis attack can at best cluster all the addresses that used the mixing service together, and it becomes hard to separate out the addresses belonging to a single user.

        The basic model is shown in the figure; the process is divided into four stages: negotiation, input, output and termination.

        1. Negotiation stage: A user who wishes to take part in mixing negotiates with the mixing service provider and agrees on the input address, the output address, the service provider's receiving address and return address, the mixing amount, the mixing input and output deadlines, the mixing fee, and other related parameters.

        2. Input stage: Following the parameters agreed in the negotiation stage, the user sends the agreed assets from the input address to the receiving address designated by the service provider before the agreed time.

        3. Output stage: Before the agreed time, the service provider sends the assets, minus the fee, from the return address to the output address specified by the user.

        4. Termination stage: If the protocol completes normally, the service provider and the user destroy the records left from the negotiation stage to protect the user's privacy.

  • Centralized coin mixing - problems

        The centralized coin mixing service has two main problems:

        On the one hand, the behavior of centralized mixing service providers has identifiable characteristics, such as the timing pattern of mixing transactions, a fee taken as a fixed percentage, and a commonly reused address pool. Attackers can use these features to analyze mixing transactions and associate users' input and output addresses, so external privacy is hard to achieve.

        On the other hand, the centralized mixing service provider may misbehave from the inside; there is no guarantee that it will return the corresponding assets after receiving a user's input. In a blockchain system all on-chain addresses are algorithmically generated pseudonyms, so a user cannot prove that their assets were stolen, and the platform likewise finds it hard to prove its innocence. In addition, the provider cannot prove that the records linking a user's inputs and outputs have been deleted, so neither asset security nor internal privacy can be guaranteed.

  • Centralized coin mixing - randomization mechanism

        To stop attackers from correlating the input and output addresses of mixing users via the platform's fixed fee and similar settings, a randomization mechanism is applied in the output stage: transaction time, fee and other values are made deliberately random so that the characteristic features of mixing transactions are concealed. Two concrete examples of randomization mechanisms:

        The centralized mixing platform Bitcoin Fog sets the fee it charges to a random value within a range, and returns the assets to the output address at a randomly chosen time within the window specified by the user. This reduces the chance that an external attacker can associate a user's addresses from the mixing characteristics and protects user privacy to a certain extent.

        In practice, however, to prevent a single centralized mixing provider from leaking their privacy, users mix their assets through several mixing providers in turn, and the fee characteristics of the consecutive mixing transactions then expose the user's privacy. To solve this problem, the Mixcoin protocol designed a randomized, all-or-nothing fee mechanism: with an agreed probability the mixing service provider keeps a user's entire mixing amount as the fee, and every other user's mixing amount is refunded in full.

        Summarizing these two methods, the randomization mechanism mainly improves the external privacy of centralized mixing schemes by preventing external attackers from analyzing a user's mixing via the fixed characteristics of mixing transactions. It provides neither internal privacy nor asset security: the mixing service provider may still steal user assets or leak private information such as the relationships between a user's addresses.
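To make the fee argument concrete, here is an added Python example (not from the article, and not Bitcoin Fog's or Mixcoin's code) that measures, for a constructed set of deposits, how many deposits each returned amount is consistent with under a fixed fee, a Bitcoin-Fog-style random fee range, and a Mixcoin-style all-or-nothing fee, and detects the fingerprint left by chaining fixed-fee mixes. The fee percentages, amounts and model names are assumptions made for the example.

```python
"""How a mixer's fee policy affects linkability of deposits and returns.
Added example with constructed amounts (integer base units); not a real mixer."""

FIXED_FEE_PCT = 2          # assumed fixed fee, the "characteristic" analysts key on
RANDOM_FEE_RANGE = (1, 3)  # assumed Bitcoin-Fog-style random fee, 1%..3%


def fixed_fee_return(deposit: int) -> int:
    """Amount returned under the fixed-percentage fee (integer floor)."""
    return deposit * (100 - FIXED_FEE_PCT) // 100


def candidate_deposits(returned: int, deposits: list, model: str) -> list:
    """Deposits that could have produced `returned` under a fee model.
    The length of the result is the anonymity set an observer is left with."""
    lo, hi = RANDOM_FEE_RANGE
    found = []
    for d in deposits:
        if model == "fixed":
            ok = returned == fixed_fee_return(d)
        elif model == "random":
            ok = d * (100 - hi) // 100 <= returned <= d * (100 - lo) // 100
        elif model == "all_or_nothing":
            ok = returned == d  # Mixcoin-style: the fee is the whole deposit or nothing
        else:
            raise ValueError(f"unknown fee model {model!r}")
        if ok:
            found.append(d)
    return found


def fee_chain_depth(amount: int, base: int, max_rounds: int = 5):
    """If `amount` equals `base` after k consecutive fixed-fee mixes, return k;
    this is the fingerprint left by mixing through several fixed-fee providers."""
    cur = base
    for k in range(max_rounds + 1):
        if cur == amount:
            return k
        cur = fixed_fee_return(cur)
    return None


# Constructed deposits: distinct amounts versus one standardized chunk size.
DISTINCT_DEPOSITS = [100_000, 101_000, 250_000]
CHUNK_DEPOSITS = [100_000, 100_000, 100_000]

if __name__ == "__main__":
    print("fixed fee  :", candidate_deposits(98_000, DISTINCT_DEPOSITS, "fixed"))
    print("random fee :", candidate_deposits(98_000, DISTINCT_DEPOSITS, "random"))
    print("all/nothing:", candidate_deposits(100_000, CHUNK_DEPOSITS, "all_or_nothing"))
    print("chain depth:", fee_chain_depth(96_040, 100_000))
```

With distinct deposit amounts a fixed fee pins each return to exactly one deposit, a random fee range only widens the set to deposits of similar size, and two consecutive fixed-fee mixes leave an amount that matches the chain exactly. Only the combination of a standardized chunk size and an all-or-nothing fee makes every return consistent with every deposit, which is why the two go together.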

  • Centralized coin mixing - commitment mechanism based on electronic signatures

        Next, the commitment mechanism based on electronic signatures.

        In a blockchain system the centralized mixing service provider has no real-world identity to serve as a credit guarantee, and theft of user assets is possible, so it is hard for users to trust the provider. At the same time, a user's account address corresponds to no identity, so it is also hard for the provider to prove its innocence. To protect user assets, mixing service providers use the unforgeability and non-repudiation of digital signatures to add a commitment mechanism that lets users prove whether the platform has stolen from them. In the negotiation stage, the mixing service provider must provide an electronic signature tied to its identity as a commitment. The commitment covers the agreed input and output addresses, the amount of the obfuscated asset, the agreed times and so on, and is signed with the private key corresponding to the provider's long-term public key.

        The service provider earns the user's trust by maintaining a "virtual reputation", that is, a long-lived public key that represents its identity. A signature made with the corresponding private key is a promise to the user that the platform will not steal; if it does, the user can prove the theft to other users by publishing the promise together with the blockchain records that contradict it, destroying the provider's reputation. The commitment mechanism thus secures user assets to a certain extent, and on the other hand also guards against baseless accusations by users.

        From this idea came the Mixcoin protocol, which improves asset security through electronic signatures. Its core steps are shown in the figure. A commitment is added to the negotiation stage: the service provider must sign the negotiated parameters as a commitment, and only after receiving the commitment does the user pay the mixing asset to the provider. If the provider does not return the assets before the agreed time as promised, the user can, in the termination stage, publish the commitment received in the negotiation stage together with the blockchain record, proving that the provider broke its promise.

        Although the Mixcoin commitment mechanism protects user assets to a certain extent, the protocol cannot provide internal privacy: the platform cannot prove that it destroyed the user's mixing records as promised, and the user cannot verify it. To keep their mixing private from a malicious platform, users therefore usually mix consecutively on several platforms, but this means higher fees and more mixing records, which gives attackers more features to analyze.

  • Centralized coin mixing - hiding mechanism based on blind signatures

        To provide internal privacy for centralized mixing, the service provider must carry out the input and output stages without knowing the correspondence between a user's input and output addresses. This can be achieved with blind signatures, a special kind of digital signature in which the signer does not learn the content of the message it signs.

        A blind signature satisfies two properties:

        1. The signed message is invisible to the signer, i.e. the signer does not know the concrete content of the message it signed.

        2. The signed message is untraceable: once the unblinded signature is published, the signer cannot match it to the blinded signature it produced.

        The first property guarantees the content privacy of the signed message, and the second guarantees the identity privacy of the requester. The overall blind-signature process is shown in the figure and consists of four steps:

        1. The requester first blinds the message and sends the blinded message to the signer.

        2. The signer signs the blinded message and returns the blinded signature to the requester.

        3. The requester unblinds the received blinded signature; the result is the signer's signature on the original message.

        4. The requester can publish the original message and the unblinded signature, which any verifier can check.

       That is blind signature technology; how can it be used to ensure the internal privacy of centralized mixing?

       This is what the Blindcoin protocol does. It retains the randomized fee, commitment and other mechanisms of the Mixcoin protocol, and on top of them uses blind signatures to make the relationship between a user's input and output addresses invisible to the service provider.

       The core steps are shown in the figure. The Blindcoin protocol first modifies the signature part of the negotiation stage: the service provider blind-signs a commitment to the user's output address. The user then unblinds the blinded signature, obtains a signature on the real output address, and presents it to the service provider as the credential for receiving the mixed asset at that output address. The provider can verify that the signature is correct and has not been used before. Because the provider knows the user's input address but not the output address during negotiation, and knows the output address but not the corresponding input address during the output stage, it cannot determine the relationship between the two. Blind signatures therefore effectively improve the internal privacy of centralized mixing. To retain the auditability of the Mixcoin protocol, the protocol also records the blinded and unblinded signatures in the public ledger, which gives them a timestamp. This design does not expose the user's privacy, and if the mixing service provider fails to honor its commitment, the user can publish the commitment and use the messages stored in the blockchain ledger as proof of breach.
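The following added Python example (educational code, not the Mixcoin or Blindcoin implementation) puts the two mechanisms from the previous two sections side by side: the provider signs the negotiated parameters as a Mixcoin-style commitment that a user can check against a ledger to prove a breach, and a Blindcoin-style blind signature lets the provider sign a commitment to an output address it never sees, so that the token the user later presents cannot be matched to the provider's own record. It uses textbook RSA over SHA-256 digests with fixed toy primes and no padding; the parameter names, the ledger entry format and the amounts are assumptions for the example.

```python
"""Mixcoin-style signed commitment and Blindcoin-style blind signature.
Added educational example using textbook RSA on SHA-256 digests; not the
protocols' real code. Toy fixed primes, no padding: illustration only."""
import hashlib
import json
import math
import secrets

# Mixing service provider's long-term identity key (toy parameters).
P, Q = 2**127 - 1, 2**89 - 1          # Mersenne primes, far too small for real use
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent
PUBLIC_KEY = (N, E)


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(m: int) -> int:
    """Provider-side operation with the private key."""
    return pow(m, D, N)


def verify(m: int, s: int, pub=PUBLIC_KEY) -> bool:
    n, e = pub
    return pow(s, e, n) == m % n


# ---- Mixcoin: commitment over the negotiated parameters ----
def encode_params(params: dict) -> bytes:
    return json.dumps(params, sort_keys=True).encode()


def make_commitment(params: dict) -> dict:
    """Provider signs the canonical encoding of the negotiated parameters."""
    return {"params": params, "sig": sign(digest(encode_params(params)))}


def commitment_valid(c: dict) -> bool:
    return verify(digest(encode_params(c["params"])), c["sig"])


def prove_breach(c: dict, ledger: list) -> bool:
    """True if a valid commitment is contradicted by the ledger: no payment of at
    least (amount - fee) to the promised output address by the output deadline.
    Ledger entries are constructed dicts {to, amount, time}."""
    if not commitment_valid(c):
        return False                      # an unsigned claim proves nothing
    p = c["params"]
    paid = any(
        tx["to"] == p["out_addr"]
        and tx["amount"] >= p["amount"] - p["fee"]
        and tx["time"] <= p["out_deadline"]
        for tx in ledger
    )
    return not paid


# ---- Blindcoin: the output-address commitment is blinded before signing ----
def blind(m: int):
    """User picks a random blinding factor r coprime with N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    return (blinded_sig * pow(r, -1, N)) % N


def blindcoin_round(out_addr: str) -> dict:
    """Negotiation: provider signs a blinded commitment to the output address.
    Output stage: user presents (m, s); provider can verify it but never saw m."""
    m = digest(out_addr.encode())
    m_blind, r = blind(m)
    s_blind = sign(m_blind)               # what the provider sees and records
    s = unblind(s_blind, r)               # the user's credential for out_addr
    return {"provider_saw": (m_blind, s_blind), "user_token": (m, s)}


def token_unlinkable(rec: dict) -> bool:
    """The token verifies, yet neither value matches the provider's record."""
    m, s = rec["user_token"]
    m_blind, s_blind = rec["provider_saw"]
    return verify(m, s) and m != m_blind and s != s_blind
```

In the breach check, a commitment whose signature does not verify proves nothing, which is what protects the provider against fabricated accusations; a valid commitment with no matching ledger payment by the deadline is the evidence the user publishes. The unblinding identity s = s_blind * r^-1 = (m * r^E)^D * r^-1 = m^D (mod N) is why the provider's recorded pair and the user's token differ yet both verify under the same public key.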

  • Decentralized coin mixing

       Although centralized coin mixing guarantees asset security and privacy to a certain extent, relying on a mixing service provider still carries risks, such as hackers compromising the provider and stealing user assets. Researchers have therefore proposed a series of decentralized mixing protocols that replace the centralized provider with a multi-party protocol: users no longer send their assets to a provider first; instead they find other users in the network who also want to mix, run the protocol among all participants to construct a single agreed mixing transaction, and sign it after checking it, which makes the transaction effective. This family of protocols fundamentally solves the trust problem of centralized mixing and saves the provider's fee, but it also has shortcomings: it is hard to find other mixing users, and an external attacker can easily join, observe the mixing relationships, and even launch a denial-of-service attack that makes the mix fail. Below, decentralized mixing is introduced from two aspects: the basic model and the implementation mechanisms.

     Basic model

     4 stages: negotiation, obfuscation, confirmation, termination

     Implementation mechanisms

     · Multi-party coin mixing: idea, advantages and disadvantages

     · Two-party coin mixing: idea, advantages and disadvantages

  • Decentralized coin mixing - basic model

       First, the basic model, which has four stages: negotiation, obfuscation, confirmation and termination. In the figure, the red node represents an attacker who has joined the mix. The main difference from the centralized protocol is that the executing role changes from the centralized mixing server to the users participating in the mix.

       1. Negotiation stage: The user finds other partners to mix with and negotiates the parameters required by the decentralized mixing protocol, such as each user's input and output addresses and the mixing amount.

       2. Obfuscation stage: The participating users shuffle all output addresses according to the protocol, hiding the association between each user's input and output addresses.

       3. Confirmation stage: The participating users construct the mixing transaction from the obfuscated outputs of the previous stage, broadcast it after confirming it is correct, and the mixed assets are sent to the output address specified by each user.

       4. Termination stage: If the mixing protocol ends normally, the participating users destroy the relevant records of the process. If it aborts with an error, the participants identify and exclude the user who caused the error.

  • Decentralized coin mixing - implementation mechanisms

       Finally, there are two types of implementation mechanisms for decentralized coin mixing: multi-party mixing and two-party mixing.

       The main idea of multi-party mixing is that n participants (n ≥ 3; the degree of privacy grows with the number of participants) agree on an equal mixing amount and construct an n-to-n multi-signature transaction in which every output has the same value. An external attacker cannot tell the outputs apart by analyzing the transaction, and so cannot relate any output to an input address, which guarantees external privacy.

       The advantage of multi-party mixing is that the larger group improves the external privacy of address obfuscation, and building a single transaction for many participants also saves transaction fees. The disadvantage is that a larger group raises the probability that an attacker is among the participants. Such an attacker can monitor and analyze the relationships between the other participants' input and output addresses during the protocol, threatening internal privacy, and can even mount a denial-of-service attack that interrupts the protocol.
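As an added example of the basic model's obfuscation and confirmation stages and of the n-to-n equal-output construction above (this is not code from the article or from any real mixing protocol), the following Python simulates an equal-amount mix among three constructed participants: the outputs are shuffled, each participant signs only if its own output is present exactly once and the transaction balances, and a transaction altered by a misbehaving participant is refused, so the mix aborts and the affected participant is identified. The participant names, addresses and amount are constructed.

```python
"""Toy decentralized n-party mix (negotiate -> obfuscate -> confirm -> terminate).
Added example with constructed participants; not a real mixing protocol."""
import random
from dataclasses import dataclass

MIX_AMOUNT = 100_000  # agreed equal amount per participant (constructed)


@dataclass(frozen=True)
class Participant:
    name: str
    in_addr: str
    out_addr: str


def negotiate(parties):
    """Negotiation stage: every party commits to one input and one output address."""
    assert len(parties) >= 3, "multi-party mixing needs n >= 3"
    assert len({p.out_addr for p in parties}) == len(parties), "output addresses must be unique"
    return [(p.in_addr, MIX_AMOUNT) for p in parties]


def obfuscate(parties, inputs, rng):
    """Obfuscation stage: equal-value outputs in random order, so no output
    can be matched to an input by amount or position."""
    outputs = [(p.out_addr, MIX_AMOUNT) for p in parties]
    rng.shuffle(outputs)
    return {"inputs": sorted(inputs), "outputs": outputs, "signatures": set()}


def confirm_and_sign(tx, party):
    """Confirmation stage: a party signs only if its own output appears exactly
    once with the agreed amount and the transaction is balanced."""
    mine = [o for o in tx["outputs"] if o == (party.out_addr, MIX_AMOUNT)]
    balanced = sum(a for _, a in tx["inputs"]) == sum(a for _, a in tx["outputs"])
    if len(mine) == 1 and balanced:
        tx["signatures"].add(party.in_addr)
        return True
    return False


def run_mix(parties, tamper=None, seed=0):
    """Run one mix. `tamper` optionally mutates the tx after obfuscation,
    standing in for a misbehaving participant. Returns (success, refusers, tx)."""
    rng = random.Random(seed)
    tx = obfuscate(parties, negotiate(parties), rng)
    if tamper:
        tamper(tx)
    refusers = [p.name for p in parties if not confirm_and_sign(tx, p)]
    success = len(tx["signatures"]) == len(parties)  # n-of-n signatures required
    return success, refusers, tx


def outputs_indistinguishable(tx):
    """External-privacy check: all outputs carry the same amount."""
    return len({a for _, a in tx["outputs"]}) == 1


def redirect_first_output(tx):
    """Constructed tampering: one output address is swapped for another party's."""
    tx["outputs"][0] = ("MALLORY-out", MIX_AMOUNT)


PARTIES = [
    Participant("alice", "A-in", "A-out"),
    Participant("bob", "B-in", "B-out"),
    Participant("carol", "C-in", "C-out"),
]

if __name__ == "__main__":
    ok, refusers, tx = run_mix(PARTIES)
    print("honest run:", ok, refusers, tx["outputs"])
    ok, refusers, tx = run_mix(PARTIES, tamper=redirect_first_output)
    print("tampered run:", ok, "refused by", refusers)
```

Because every party must sign before the transaction is valid, the tampered run collects only two of three signatures and never reaches the ledger; the party that refused is the one whose output was altered, which is the information the termination stage needs to exclude the offender and retry. Note that the equal amounts protect only against an outside observer: a participant in the protocol still sees the shuffle, which is the internal-privacy gap the text describes.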

       To keep malicious attackers out of the mix, researchers proposed limiting a single mixing operation to two users; this is called two-party mixing. It lowers the probability that an attacker takes part and also limits the harm an attacker can do.

       The core idea of the two-party mixing protocol is to replace one mixing transaction among many participants with multiple rounds of two-party mixing, in which the user repeatedly finds a different mixing partner; the rounds together achieve the same external privacy.

       The advantage of this type of protocol is that to learn a user's asset flow the attacker would have to take part in every round of that user's mixing, which is unlikely, so the attacker's threat is reduced and the protocol's privacy improved; each individual mixing operation is also simple. The disadvantage is that multiple rounds mean publishing multiple transactions on the blockchain ledger, which increases transaction fees and adds time. This is the basic implementation mechanism of decentralized coin mixing.

  • Summary of Address Obfuscation Mechanism

       Centralized coin mixing

        Basic model: negotiation, input, output, termination

        · Problems

        Implementation mechanisms: randomization mechanism, electronic-signature commitment mechanism, blind-signature hiding mechanism

       Decentralized coin mixing

       Basic model: negotiation, obfuscation, confirmation, termination

       Implementation mechanisms: multi-party mixing, two-party mixing

       To sum up, this article has summarized the privacy threats at the transaction level and described in detail the various implementations of the address obfuscation mechanism, with their advantages and disadvantages, as a transaction-layer privacy protection mechanism. Other privacy protection mechanisms will be studied in depth in future articles.


Origin blog.csdn.net/qq_35739903/article/details/116782743