We describe remote side-channel attacks on receiver privacy in anonymous cryptocurrencies. Our attacks, which we validate on Zcash and Monero, enable a remote attacker to:
In addition, for Zcash, the vulnerabilities underlying our attacks can be abused to remotely corrupt and crash any Zcash node for which the attacker knows a payment address, as well as to set up a remote timing side-channel on an ECDH key exchange between a victim node's private key and an attacker's ephemeral public key. In principle, this side-channel can be used to fully recover the victim's private key, thereby completely breaking receiver anonymity.
Our attacks rely on differences in the way that a user's wallet processes a transaction, depending on whether the user is the transaction's payee. We show that these differences in wallet behavior affect the behavior of the P2P node that the wallet is connected to. In turn, a remote adversary can exploit various network and timing side-channels to observe these differences in the P2P node's behavior, and thereby infer the wallet's receipt of a transaction.