On the Anonymity Guarantees of Anonymous Proof-of-Stake Protocols

2021 IEEE Symposium on Security and Privacy (SP) Pub Date : 2021-05-01 DOI:10.1109/SP40001.2021.00107

Markulf Kohlweiss, Varun Madathil, Kartik Nayak, Alessandra Scafuro

{"title":"On the Anonymity Guarantees of Anonymous Proof-of-Stake Protocols","authors":"Markulf Kohlweiss, Varun Madathil, Kartik Nayak, Alessandra Scafuro","doi":"10.1109/SP40001.2021.00107","DOIUrl":null,"url":null,"abstract":"In proof-of-stake (PoS) blockchains, stakeholders that extend the chain are selected according to the amount of stake they own. In S&P 2019 the \"Ouroboros Crypsinous\" system of Kerber et al. (and concurrently Ganesh et al. in EUROCRYPT 2019) presented a mechanism that hides the identity of the stakeholder when adding blocks, hence preserving anonymity of stakeholders both during payment and mining in the Ouroboros blockchain. They focus on anonymizing the messages of the blockchain protocol, but suggest that potential identity leaks from the network-layer can be removed as well by employing anonymous broadcast channels.In this work we show that this intuition is flawed. Even ideal anonymous broadcast channels do not suffice to protect the identity of the stakeholder who proposes a block.We make the following contributions. First, we show a formal network-attack against Ouroboros Crypsinous, where the adversary can leverage network delays to distinguish who is the stakeholder that added a block on the blockchain. Second, we abstract the above attack and show that whenever the adversary has control over the network delay – within the synchrony bound – loss of anonymity is inherent for any protocol that provides liveness guarantees. We do so, by first proving that it is impossible to devise a (deterministic) state-machine replication protocol that achieves basic liveness guarantees and better than (1−2f) anonymity at the same time (where f is the fraction of corrupted parties). We then connect this result to the PoS setting by presenting the tagging and reverse tagging attack that allows an adversary, across several executions of the PoS protocol, to learn the stake of a target node, by simply delaying messages for the target. We demonstrate that our assumption on the delaying power of the adversary is realistic by describing how our attack could be mounted over the Zcash blockchain network (even when Tor is used). We conclude by suggesting approaches that can mitigate such attacks.","PeriodicalId":6786,"journal":{"name":"2021 IEEE Symposium on Security and Privacy (SP)","volume":"5 1","pages":"1818-1833"},"PeriodicalIF":0.0000,"publicationDate":"2021-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40001.2021.00107","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

Abstract

In proof-of-stake (PoS) blockchains, stakeholders that extend the chain are selected according to the amount of stake they own. In S&P 2019 the "Ouroboros Crypsinous" system of Kerber et al. (and concurrently Ganesh et al. in EUROCRYPT 2019) presented a mechanism that hides the identity of the stakeholder when adding blocks, hence preserving anonymity of stakeholders both during payment and mining in the Ouroboros blockchain. They focus on anonymizing the messages of the blockchain protocol, but suggest that potential identity leaks from the network-layer can be removed as well by employing anonymous broadcast channels.In this work we show that this intuition is flawed. Even ideal anonymous broadcast channels do not suffice to protect the identity of the stakeholder who proposes a block.We make the following contributions. First, we show a formal network-attack against Ouroboros Crypsinous, where the adversary can leverage network delays to distinguish who is the stakeholder that added a block on the blockchain. Second, we abstract the above attack and show that whenever the adversary has control over the network delay – within the synchrony bound – loss of anonymity is inherent for any protocol that provides liveness guarantees. We do so, by first proving that it is impossible to devise a (deterministic) state-machine replication protocol that achieves basic liveness guarantees and better than (1−2f) anonymity at the same time (where f is the fraction of corrupted parties). We then connect this result to the PoS setting by presenting the tagging and reverse tagging attack that allows an adversary, across several executions of the PoS protocol, to learn the stake of a target node, by simply delaying messages for the target. We demonstrate that our assumption on the delaying power of the adversary is realistic by describing how our attack could be mounted over the Zcash blockchain network (even when Tor is used). We conclude by suggesting approaches that can mitigate such attacks.

查看原文本刊更多论文

论匿名权益证明协议的匿名性保证

在权益证明(PoS)区块链中，扩展链的利益相关者是根据他们拥有的股权数量来选择的。在标普2019中，Kerber等人的“Ouroboros Crypsinous”系统(以及EUROCRYPT 2019中的Ganesh等人)提出了一种机制，该机制在添加区块时隐藏利益相关者的身份，从而在Ouroboros区块链的支付和挖矿过程中保持利益相关者的匿名性。他们专注于匿名化区块链协议的消息，但建议也可以通过采用匿名广播通道来消除网络层的潜在身份泄漏。在这项工作中，我们表明这种直觉是有缺陷的。即使是理想的匿名广播通道也不足以保护提出区块的利益相关者的身份。我们做出以下贡献。首先，我们展示了针对Ouroboros Crypsinous的正式网络攻击，攻击者可以利用网络延迟来区分谁是在区块链上添加块的利益相关者。其次，我们对上述攻击进行了抽象，并表明只要攻击者控制了网络延迟(在同步范围内)，任何提供活动性保证的协议都固有地失去了匿名性。我们这样做，首先证明不可能设计出一种(确定性的)状态机复制协议，既能实现基本的活性保证，又能同时优于(1−2f)匿名性(其中f是损坏方的比例)。然后，我们通过展示标记和反向标记攻击将该结果与PoS设置联系起来，这种攻击允许攻击者通过多次执行PoS协议来了解目标节点的利害关系，只需延迟发送给目标的消息。通过描述我们的攻击如何在Zcash区块链网络上进行(即使使用Tor)，我们证明了我们对对手延迟能力的假设是现实的。最后，我们提出了可以减轻此类攻击的方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量