Stanford University

PING and REJECT:

The Impact of Side-Channels on Zcash Privacy

Summary

We present two types of active side-channel attacks against private (a.k.a. shielded) transactions in Zcash. The attacks, called PING and REJECT, exploit differences in behavior between the payee of a particular shielded transaction and the remaining Zcash clients. By monitoring peer-to-peer traffic and injecting its own messages, an active attacker can remotely observe these differences due to fault and timing side-channels. The PING and REJECT attacks can be used to:

Determine — with a high degree of confidence — which Zcash client is the payee of a shielded transaction being sent into the mempool. This removes transaction anonymity by allowing the attacker to link shielded transactions sent to a same user.
Discover the IP address of a Zcash client, given a shielded payment address belonging to that client. This weakens the privacy of any Zcash user that has shared a shielded payment address with a third party.
Determine whether two diversified payment addresses belong to the same client. This violates Zcash's unlinkability property for diversified shielded addresses.
Corrupt and crash a Zcash client, given a shielded payment address belonging to that client. This represents a denial-of-service avenue against Zcash clients.
Mount a remote timing attack against an ECDH key-exchange involving a Zcash client's incoming viewing key. This would — in principle — allow the attacker to passively link all transactions sent to that client, altough this attack is probably impractical.

The PING and REJECT attacks exploit vulnerabilities introduced in Zcash's Sapling network upgrade (v2.0.0). Earlier Sprout transactions were not affected by the REJECT attack and were likely not remotely exploitable by the PING attack. Most of the above attacks apply even if the victim Zcash client uses an anonymity network such as Tor.

We disclosed these attacks to the Zcash security team, who fixed the underlying vulnerabilities in the v2.0.7-3 release of the Zcash client. See Zcash's security announcemenet and blogpost.
Users who have updated their client to the latest release are no longer vulnerable to the attacks described here.
Since the attacks require active monitoring and participation in the Zcash peer-to-peer network, they cannot be applied retroactively to earlier transactions.

A more detailed description of the attacks, as well as a FAQ can be found in our Technical Report.

Materials

People

Florian Tramèr, Stanford University
Dan Boneh, Stanford University
Kenneth G. Paterson, ETH Zürich