We describe remote side-channel attacks on the privacy guarantees of anonymous cryptocurrencies.
Our attacks, which we validate on Zcash and Monero, enable a remote attacker to identify the P2P node of the payee of any anonymous transaction being sent into the network. This enables the adversary to link all transactions sent to a user, to recover a user's IP address from their anonymous payment address, and to link a user's diversified addresses.
In addition, for Zcash, we show that an attacker can remotely crash any Zcash node for which the attacker knows a payment address, and set up a remote timing attack on an ECDH key exchange involving a victim's private viewing key. In principle, this attack can fully recover the victim's private viewing key, thereby completely breaking receiver privacy.
Our attacks rely on differences in the way that a user's wallet processes a transaction, depending on whether the user is the transaction's payee. We show that these differences in wallet behavior affect the behavior of the P2P node that the wallet is connected to. In turn, a remote adversary can exploit various network and timing side-channels to observe these differences in the P2P node's behavior, and thereby infer the wallet's receipt of a transaction.
We have also investigated whether current implementations of zk-SNARK protocols could leak transaction secrets through timing side-channels. We find that this is indeed the case for Zcash's implementation. As a proof-of-concept of this leakage, we show that the time to produce a proof for a Zcash transaction is strongly correlated with the (secret) amount of transacted funds. However, this leakage may be hard to measure and exploit remotely in the current Zcash system.