On the Privacy Provisions of Bloom Filters in Lightweight ... · On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais / 19 Bitcoin 2 Bitcoin

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients

Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan Čapkun

ETH Zurich, NEC Research

ACSAC 2014

/ 19On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bitcoin

2

Bitcoin

Peer-to-peer decentralized currency

Users keep Bitcoins in a wallet containing multiple addresses (@)

Unlinkability between @

Log of all transactions

@1 @2 @3 @4 @5

Total $


Bitcoin for lightweight clients

3

Bitcoin’s scalability problems

1. Log of transactions (>25 GB)

2. Clients receive irrelevant transactions

3. Limited data traffic over 3G/4G


Bitcoin for lightweight clients

3

Bitcoin’s scalability problems

1. Log of transactions (>25 GB)

2. Clients receive irrelevant transactions

3. Limited data traffic over 3G/4G

Trans

actio

n


0 0 0 0 0 0 0Bloom filter

Solution to scalability problems

4

Enable mobile Bitcoin clients




4


{ @1, @2, @3 }Insertion




4


{ @1, @2, @3 }Insertion

0 1 0 0 1 0 0




4


{ @1, @2, @3 }Insertion

0 1 0 0 1 0 00 1 0 0 1 1 0




4


{ @1, @2, @3 }Insertion

0 1 0 0 1 0 00 1 0 0 1 1 0




4


{ @1, @2, @3 }Insertion

Membership test { @1, @4, @5 }

0 1 0 0 1 0 00 1 0 0 1 1 0




4


{ @1, @2, @3 }Insertion


0 1 0 0 1 0 00 1 0 0 1 1 0




4


{ @1, @2, @3 }Insertion


0 1 0 0 1 0 00 1 0 0 1 1 0




4


{ @1, @2, @3 }Insertion


0 1 0 0 1 0 00 1 0 0 1 1 0

! @4 False positive target False Positive Rate (FPR)




4


{ @1, @2, @3 }Insertion


0 1 0 0 1 0 00 1 0 0 1 1 0





4


{ @1, @2, @3 }Insertion


0 1 0 0 1 0 00 1 0 0 1 1 0


@5 True negative



5

Simple Payment Verification (SPV)

Filter transactions not relevant for user

SPV client Full Bitcoin node

Full Bitcoin node



5




Full Bitcoin node

0 1 0 0 1 1 0

@1@2@3

Bloom filter



5




Full Bitcoin node

0 1 0 0 1 1 0

@1@2@3

Bloom filter

ConnectionBloom filter 0 1 0 0 1 1 0



5



transactions

Is transaction relevant for Bloom filter?


Full Bitcoin node

0 1 0 0 1 1 0

@1@2@3

Bloom filter




5



Relevant transactions transactions



Full Bitcoin node

0 1 0 0 1 1 0

@1@2@3

Bloom filter




5






Full Bitcoin node

0 1 0 0 1 1 0

@1@2@3

Bloom filter




5






Full Bitcoin node

0 1 0 0 1 1 0

@1@2@3

Bloom filter


33 mio addresses in the Blockchain target FPR: 0.1 %

"User addresses hidden amongst 33 000" false positives

Promise:


Main contributions

6

1. Given one Bloom filter, Bitcoin addresses partially linkable - Addresses linkable if < 20 addresses in wallet

2. Given multiple Bloom filter, addresses nearly always linkable

3. Propose a lightweight and efficient countermeasure- Significantly enhances the privacy offered by SPV clients - Requires minimum modifications to Bitcoin

Main contributions

Bloom filter 0 1 0 0 1 1 0


Model and Privacy measure

Experimental setting

7

SPV client

Blockchain

Adversary




7

SPV client

Blockchain

Adversary

0 1 0 0 1 1 0

Bloom filter 1+ parameters (seed, FPR)




7

SPV client

Blockchain

All addresses of the Blockchain

Adversary

0 1 0 0 1 1 0





7

SPV client

Blockchain


AdversaryPositive@Positive@Positive@

0 1 0 0 1 1 0





7

SPV client

Blockchain


Adversary

@+

Positive@Positive@Positive@

0 1 0 0 1 1 0





7

SPV client

Blockchain


Adversary

@+ 0 1 0 0 1 1 0

Bloom filter 2


0 1 0 0 1 1 0





7

SPV client

Blockchain


Adversary

@+ 0 1 0 0 1 1 0

Bloom filter 2


Total positives


0 1 0 0 1 1 0





7

SPV client

Blockchain


Adversary

@+ 0 1 0 0 1 1 0

Bloom filter 2


Total positives



Intersection

0 1 0 0 1 1 0





7

SPV client

Blockchain



True positives

Adversary

@+ 0 1 0 0 1 1 0

Bloom filter 2


Total positives



Intersection

0 1 0 0 1 1 0





7

SPV client

Blockchain



True positives

Adversary

@+ 0 1 0 0 1 1 0

Bloom filter 2


Total positives



Intersection

0 1 0 0 1 1 0


Measure privacy




7

SPV client

Blockchain



True positives

Adversary

@+ 0 1 0 0 1 1 0

Bloom filter 2


Total positives



Intersection

0 1 0 0 1 1 0


Measure privacy


Stair stepping

Privacy influencing design choices of SPV clients

8

0 1 0 0 1 1 0

Bloom filter designed for - N addresses- target FPR when N addresses inserted

@ BF1


Stair stepping


8

0 1 0 0 1 1 0


@ BF1

0 1 0 0 1 1 0@+@+ BF2


Stair stepping


8

0 1 0 0 1 1 0


@ BF1

0 1 0 0 1 1 0@+@+ BF2

0 1 0 0 1 1 0 0 1 1 0 0@+@+

Resize of Bloom filter

BF3

exceed N addresses


Stair stepping


8

Rationale: avoid filters with different sizes

0

750

1500

2250

3000

1-49 50-99 100-149

Addresses inserted into filter

Size

of fi

lter

Stair stepping0 1 0 0 1 1 0


@ BF1

0 1 0 0 1 1 0@+@+ BF2

0 1 0 0 1 1 0 0 1 1 0 0@+@+


BF3

exceed N addresses


Stair stepping


8

Rationale: avoid filters with different sizes

0

750

1500

2250

3000

1-49 50-99 100-149

Addresses inserted into filter

Size

of fi

lter

Stair stepping0 1 0 0 1 1 0


@ BF1

0 1 0 0 1 1 0@+@+ BF2

0 1 0 0 1 1 0 0 1 1 0 0@+@+


BF3

exceed N addresses

Create filter for N addresses, but insert less

actual FPR ≤ target FPR


Resizing


9

Hash functions adapted to fill space of new Bloom filter

Consequence: New filter yields different false positives

0 1 0 0 1 1 0 0 1 1 0 00 1 0 0 1 1 0

@+


Resizing


9



0 1 0 0 1 1 0 0 1 1 0 00 1 0 0 1 1 0

Restarting

Fresh seed value for hash functions of new Bloom filter


0 1 0 0 1 1 0 0 1 0 0 1 1 0

@+


Resizing


9



0 1 0 0 1 1 0 0 1 1 0 00 1 0 0 1 1 0

Restarting

Fresh seed value for hash functions of new Bloom filter


0 1 0 0 1 1 0 0 1 0 0 1 1 0

Summary of current SPV design choices

actual FPR ≤ target FPR1. Stair stepping 2. Resizing 3. Restarting

different False Positivesdifferent False Positives

@+


8500 8600 8700 8800 8900 9000

Actual FPRTarget FPR

0 100 200 300 400 5000

0.01

0.02

0.03

0.04

0.05

0.06


Number of addresses in wallet

Fals

e Po

sitiv

e Ra

te in

%

Stair stepping - Actual FPR vs. Target FPR

Evaluation

10

…Target FPRActual FPR


8500 8600 8700 8800 8900 9000


0 100 200 300 400 5000

0.01

0.02

0.03

0.04

0.05

0.06


Number of addresses in wallet

Fals

e Po

sitiv

e Ra

te in

%

Stair stepping - Actual FPR vs. Target FPR

Evaluation

10

actual FPR << target FPR

target FPR is constant

actual FPR = target FPR

…Target FPRActual FPR


0 10 20 30 40 500

0.2

0.4

0.6

0.8

1

One Bloom filter

Number of addresses of SPV client

Prob

abilit

y of

link

ing

all a

ddre

sses

Evaluation - One Bloom filter

11

Probability of linking all addresses

Current implementation


Multiple Bloom filters

Evaluation - Multiple Bloom filters

12

0 1 0 0 1 1 0

Filter 1

@1 @2 @3




12

0 1 0 0 1 1 0

Filter 1

@1 @2 @3

0 1 0 0 1 1 0

Filter 2

@1 @4 @5




12

0 1 0 0 1 1 0

Filter 1

@1 @2 @3

0 1 0 0 1 1 0

Filter 2

@1 @4 @5

0 1 0 0 1 1 0

Filter n. . .

@1 @6 @7




12

0 1 0 0 1 1 0

Filter 1

@1 @2 @3

0 1 0 0 1 1 0

Filter 2

@1 @4 @5

0 1 0 0 1 1 0

Filter n. . .

@1 @6 @7




12

0 1 0 0 1 1 0

Filter 1

@1 @2 @3

0 1 0 0 1 1 0

Filter 2

@1 @4 @5

0 1 0 0 1 1 0

Filter n. . .

@1 @6 @7

False positives


Experiment 1 - No resize


13

Exp. Client Seed Size

No resize Same Same Same

Resize Same Same DifferentRestart Same Different Same

> 2 filter Same Different Different




13








13





B1 B2

Intersection

Add addresses, No resize

@1@2@3 @1@2@3@4




13





B1 B2

Intersection

Add addresses, No resize

@1@2@3 @1@2@3@4

ResultsB2 yields additional positives compared to B1

The adversary does not learn a lot


Experiment 2 - Resize


14

B1 B2

Intersection

Add addresses, Resize

@1@2@3 @1@2@5@6






Experiment 2 - Resize


14

B1 B2

Intersection

Add addresses, Resize

@1@2@3 @1@2@5@6





ResultsYield mostly different positives

Can be used for intersection attack


Experiment 3 - Restart


15





B1 B2

Intersection

Restart, generate a new seed

@1@2@3 @1@2@5@6


Experiment 3 - Restart


15





B1 B2

Intersection

Restart, generate a new seed

@1@2@3 @1@2@5@6

ResultsYield mostly different positives

Can be used for intersection attack


Experiment 4 - More than 2 filter


16

B1 B2 B3 B4 B5

+50@ +50@ +50@ +50@

@





@ @ @ @

Intersection




16

B1 B2 B3 B4 B5

+50@ +50@ +50@ +50@

@

Results

Target FPR (%)

Probability linking all addresses with

3+ BF

0.05 ~1

0.1 ~1





@ @ @ @

Intersection




16

B1 B2 B3 B4 B5

+50@ +50@ +50@ +50@

@

Results

Target FPR (%)

Probability linking all addresses with

3+ BF

0.05 ~1

0.1 ~1

3 Bloom filter

All addresses inserted into B1 can be linked





@ @ @ @

Intersection


Observations

Countermeasures

17

1. Need of constant false positive rate

2. Multiple Bloom filter with different parameters

3. SPV clients should keep state (e.g., about seed)


Proposed solution

Countermeasures

18

Pre-generate Bitcoin addresses and insert into filter

Keep state about outsourced Bloom filter

Overhead: For 100 addresses, < 1 kb

0 1 0 0 1 1 0

@1@2@3

@100

...

0 1 0 0 1 1 0

@101@102@103

@200

...

Bloom filter 1 Bloom filter 2

Bloom filter 1 0 1 0 0 1 1 0

Bloom filter 2 0 1 0 0 1 1 0


Proposed solution

Countermeasures

18

Pre-generate Bitcoin addresses and insert into filter

Keep state about outsourced Bloom filter

Overhead: For 100 addresses, < 1 kb

0 1 0 0 1 1 0

@1@2@3

@100

...

0 1 0 0 1 1 0

@101@102@103

@200

...

Bloom filter 1 Bloom filter 2

Bloom filter 1 0 1 0 0 1 1 0

Bloom filter 2 0 1 0 0 1 1 0

0 10 20 30 40 500

0.2

0.4

0.6

0.8

1

Number of addresses of SPV client

Prob

abilit

y of

link

ing

all a

ddre

sses

Countermeasure

Current implementation


Summary

19

Information leakage through Bloom Filters in SPV clients

Analytical and Empirical evaluation

1 Bloom filter critical if < 20 Bitcoin addresses

3+ Bloom filter intersection attack particularly strong


Summary

19





Lightweight countermeasure

Significantly reduces leakage

Intersection attack not effective

Requires few changes


Summary

19









ConclusionBloom filter for privacy is delicate

Designed carefully we can achieve proper privacy


Summary

19

Thank you!









ConclusionBloom filter for privacy is delicate

Designed carefully we can achieve proper privacy


Privacy metric

20

Privacy metric

Probability of correctly guessing j real addresses of a filter

N: # of addresses inserted into filter

S: # of false positives


Privacy metric

P (1) =N

N + S

20

Privacy metric





Privacy metric

P (1) =N

N + S

20

Privacy metric




P (j) =j�1Y

k=0

N � k

N + S � k=

N

N + S· N � 1

N + S � 1. . .


Privacy metric

P (1) =N

N + S

20

Privacy metric




P (j) =j�1Y

k=0

N � k

N + S � k=

N

N + S· N � 1

N + S � 1. . .

Guessing all addresses correctly link all addresses

P (N) =N�1Y

k=0

N � k

N + S � k=

N !S!

(N + S)!


Adversary’s model

Model

21

Operates full Bitcoin nodes

Parses the Blockchain for addresses

Knows parameter for Bloom filter creation Target false positive rate

Collects multiple Bloom filters per SPV client

Goal: Link Bitcoin addresses inserted within a Bloom filter

0 1 0 0 1 1 0

0 1 0 0 1 1 00 1 0 0 1 1 0

0 1 0 0 1 1 0

Bloom filter 0 1 0 0 1 1 0



22

Bloom filter false positive rate

n Size of the Bloom filter in bits

m Number of elements inserted into the Bloom filter

k Number of hash functions of the Bloom filter

Notation

FPR(m) =

1�

✓1� 1

n

◆km!k

Documents

On the Privacy Provisions of Bloom Filters in Lightweight ... · On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais / 19 Bitcoin 2 Bitcoin