Stanford University

Linking Anonymous Transactions via Remote Side-Channel Attacks

Summary

We describe remote side-channel attacks on receiver privacy in anonymous cryptocurrencies. Our attacks, which we validate on Zcash and Monero, enable a remote attacker to:

Identify the payee for any anonymous transaction being sent into the network.
Locate the machine (i.e., its IP address) that holds the private key that corresponds to an attacker-known public address.
Break unlinkability of a user's diversified addresses, by determining whether two attacker-known public payment addresses correspond to the same private key.

In addition, for Zcash, the vulnerabilities underlying our attacks can be abused to remotely corrupt and crash any Zcash node for which the attacker knows a payment address, as well as to set up a remote timing side-channel on an ECDH key exchange between a victim node's private key and an attacker's ephemeral public key. In principle, this side-channel can be used to fully recover the victim's private key, thereby completely breaking receiver anonymity.

Our attacks rely on differences in the way that a user's wallet processes a transaction, depending on whether the user is the transaction's payee. We show that these differences in wallet behavior affect the behavior of the P2P node that the wallet is connected to. In turn, a remote adversary can exploit various network and timing side-channels to observe these differences in the P2P node's behavior, and thereby infer the wallet's receipt of a transaction.
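To make the dependency described above concrete, here is a constructed toy model added for this page; it is not code from the paper, nor from the Zcash or Monero clients, and it does not reproduce the actual wallet or node logic that was fixed. It models a P2P node that hands every incoming transaction to its wallet, which trial-decrypts each output; the payee path does strictly more work. Work is counted in abstract ticks on a simulated clock rather than wall-clock time so the run is deterministic and offline. The tick costs, the address-comparison stand-in for trial decryption, and all function names are assumptions for illustration. The second node variant shows the design principle a defender wants: wallet-side work stays off the network-observable path, so the reply a remote peer sees no longer depends on whether the wallet was the payee.

```python
"""Constructed model (added example; not code from the paper or from the Zcash/Monero clients).

A P2P node forwards each incoming transaction to a wallet that trial-decrypts every
output. Costs are abstract 'ticks' (assumed values) so the result is deterministic.
"""
from dataclasses import dataclass
from typing import Callable, List

TRIAL_DECRYPT_COST = 1   # ticks to test whether one output belongs to this wallet (assumed)
PAYEE_EXTRA_COST = 10    # ticks spent only when an output does belong to us (assumed)
NETWORK_REPLY_COST = 1   # ticks for the node to answer the peer (assumed)


@dataclass
class Tx:
    # Constructed stand-in: each output is just the recipient address string.
    # In a real shielded transaction this would be an encrypted note.
    outputs: List[str]


@dataclass
class Wallet:
    address: str

    def process(self, tx: Tx) -> int:
        """Trial-decrypt every output; return ticks spent.

        Any output that is ours triggers extra work (note parsing, balance update,
        persistence), so the payee path is measurably longer than the non-payee path.
        """
        ticks = 0
        for out in tx.outputs:
            ticks += TRIAL_DECRYPT_COST
            if out == self.address:          # stand-in for a successful trial decryption
                ticks += PAYEE_EXTRA_COST
        return ticks


def coupled_node_reply_latency(wallet: Wallet, tx: Tx) -> int:
    """Node variant 1: the node waits for the wallet before answering the peer.

    The reply latency a remote peer observes equals the wallet's work, so it
    differs depending on whether this wallet is the payee.
    """
    return wallet.process(tx) + NETWORK_REPLY_COST


def decoupled_node_reply_latency(wallet: Wallet, tx: Tx) -> int:
    """Node variant 2: the node answers the peer first; wallet work is off the network path.

    The wallet still does payee-dependent work, but a remote peer only sees the
    fixed network cost, so the reply carries no information about the payee.
    """
    wallet.process(tx)  # happens asynchronously in the model; not on the reply path
    return NETWORK_REPLY_COST


def reply_leaks_payee(latency_fn: Callable[[Wallet, Tx], int],
                      wallet: Wallet, tx_to_us: Tx, tx_to_other: Tx) -> bool:
    """A remote observer learns the payee iff the two latencies differ."""
    return latency_fn(wallet, tx_to_us) != latency_fn(wallet, tx_to_other)


if __name__ == "__main__":
    victim = Wallet("addr_victim")                       # constructed address
    tx_to_us = Tx(["addr_other_1", "addr_victim"])       # one output is ours
    tx_to_other = Tx(["addr_other_1", "addr_other_2"])   # no output is ours
    for name, fn in (("coupled", coupled_node_reply_latency),
                     ("decoupled", decoupled_node_reply_latency)):
        print(f"{name:9s} payee={fn(victim, tx_to_us):3d} ticks  "
              f"non-payee={fn(victim, tx_to_other):3d} ticks  "
              f"leaks payee: {reply_leaks_payee(fn, victim, tx_to_us, tx_to_other)}")
```

The point of the model is the architectural one: as long as any network-visible behaviour of the node (reply timing here, but equally connection handling or error responses) is a function of wallet-side results, the wallet's payee-dependent work is observable remotely. Making the wallet's work uniform helps, but removing the coupling between wallet outcome and node behaviour is what closes the channel in this model.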

We disclosed these attacks to the Zcash and Monero security teams, who fixed the underlying vulnerabilities in their latest releases.
For Zcash, the fixes are introduced in the v2.0.7-3 release of the Zcash client. See Zcash's security announcement and blog post.
For Monero, the fixes are introduced in the v0.15.0 release of the Monero client. Our disclosure to Monero and the resulting discussion are publicly available on HackerOne.
Users who have updated their client to the latest release are no longer vulnerable to the attacks described here.
Since the attacks require active monitoring and participation in the Zcash or Monero peer-to-peer networks, they cannot be applied retroactively to earlier transactions.

A more detailed description of the attacks can be found in our paper. An earlier write-up on the Zcash attacks, as well as a FAQ, is available here.

Materials

People

Florian Tramèr, Stanford University
Dan Boneh, Stanford University
Kenneth G. Paterson, ETH Zürich