On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients
Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan Čapkun
ETH Zurich, NEC Research
ACSAC 2014
/ 19On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients - Arthur Gervais

Bitcoin
Peer-to-peer decentralized currency
Users keep Bitcoins in a wallet containing multiple addresses (@)
Unlinkability between @
Log of all transactions
[Figure: wallet holding addresses @1 @2 @3 @4 @5, total $]

Bitcoin for lightweight clients
Bitcoin’s scalability problems
1. Log of transactions (>25 GB)
2. Clients receive irrelevant transactions
3. Limited data traffic over 3G/4G

Bloom filter
Solution to scalability problems
Enable mobile Bitcoin clients
Empty filter: 0 0 0 0 0 0 0
Insertion { @1, @2, @3 }: 0 1 0 0 1 0 0, then 0 1 0 0 1 1 0
Membership test { @1, @4, @5 }
@4: False positive, target False Positive Rate (FPR)
@5: True negative

Solution to scalability problems
Simple Payment Verification (SPV)
Filter transactions not relevant for user
[Figure: the SPV client inserts @1, @2, @3 into a Bloom filter (0 1 0 0 1 1 0) and sends it over its connection to full Bitcoin nodes; for each transaction the full node asks "Is transaction relevant for Bloom filter?" and forwards only the relevant transactions]
33 million addresses in the Blockchain, target FPR: 0.1 %
Promise: "User addresses hidden amongst 33 000" false positives

Main contributions
1. Given one Bloom filter, Bitcoin addresses partially linkable
   - Addresses linkable if < 20 addresses in wallet
2. Given multiple Bloom filters, addresses nearly always linkable
3. Propose a lightweight and efficient countermeasure
   - Significantly enhances the privacy offered by SPV clients
   - Requires minimum modifications to Bitcoin

Model and Privacy measure
Experimental setting
[Figure: SPV client, adversary and Blockchain. The client sends Bloom filter 1 + parameters (seed, FPR); the adversary tests all addresses of the Blockchain against it, giving the positive addresses (total positives vs. true positives). After adding addresses (@+) the client sends Bloom filter 2; the adversary takes the intersection of the positives of both filters.]
Measure privacy

Privacy influencing design choices of SPV clients
Stair stepping
Bloom filter designed for
- N addresses
- target FPR when N addresses inserted
[Figure: BF1 (0 1 0 0 1 1 0) holds the initial addresses; added addresses (@+) give BF2 of the same size; once the addresses exceed N, the Bloom filter is resized, giving the larger BF3 (0 1 0 0 1 1 0 0 1 1 0 0)]
Rationale: avoid filters with different sizes
[Plot "Stair stepping": size of filter (0 to 3000) against addresses inserted into filter (1-49, 50-99, 100-149)]
Create filter for N addresses, but insert fewer
actual FPR ≤ target FPR

Privacy influencing design choices of SPV clients
Resizing
Hash functions adapted to fill space of new Bloom filter
Consequence: New filter yields different false positives
Restarting
Fresh seed value for hash functions of new Bloom filter
Consequence: New filter yields different false positives
Summary of current SPV design choices
1. Stair stepping: actual FPR ≤ target FPR
2. Resizing: different false positives
3. Restarting: different false positives

Stair stepping - Actual FPR vs. Target FPR
Evaluation
[Plot: false positive rate in % (0 to 0.06) against number of addresses in wallet (0 to 500, and 8500 to 9000); curves: actual FPR, target FPR]
actual FPR << target FPR
target FPR is constant
actual FPR = target FPR

One Bloom filter
Evaluation - One Bloom filter
Probability of linking all addresses
[Plot: probability of linking all addresses (0 to 1) against number of addresses of SPV client (0 to 50); curve: current implementation]

Multiple Bloom filters
Evaluation - Multiple Bloom filters
Filter 1: @1 @2 @3
Filter 2: @1 @4 @5
...
Filter n: @1 @6 @7
False positives

Experiment 1 - No resize
Evaluation - Multiple Bloom filters
Exp.        Client  Seed       Size
No resize   Same    Same       Same
Resize      Same    Same       Different
Restart     Same    Different  Same
> 2 filter  Same    Different  Different
Add addresses, No resize
B1: @1 @2 @3
B2: @1 @2 @3 @4
Intersection of B1 and B2
Results
B2 yields additional positives compared to B1
The adversary does not learn a lot

Experiment 2 - Resize
Evaluation - Multiple Bloom filters
Add addresses, Resize
B1: @1 @2 @3
B2: @1 @2 @5 @6
Intersection of B1 and B2
Results
Yield mostly different positives
Can be used for intersection attack

Experiment 3 - Restart
Evaluation - Multiple Bloom filters
Restart, generate a new seed
B1: @1 @2 @3
B2: @1 @2 @5 @6
Intersection of B1 and B2
Results
Yield mostly different positives
Can be used for intersection attack

Experiment 4 - More than 2 filters
Evaluation - Multiple Bloom filters
[Figure: filters B1 B2 B3 B4 B5, with +50@ added between consecutive filters; intersection of their positives]
Results
Target FPR (%)   Probability of linking all addresses with 3+ BF
0.05             ~1
0.1              ~1
3 Bloom filters: all addresses inserted into B1 can be linked

Observations
Countermeasures
1. Need for a constant false positive rate
2. Multiple Bloom filters with different parameters
3. SPV clients should keep state (e.g., about seed)

Proposed solution
Countermeasures
Pre-generate Bitcoin addresses and insert into filter
Keep state about outsourced Bloom filter
Overhead: For 100 addresses, < 1 kb
[Figure: Bloom filter 1 holds @1, @2, @3, ..., @100; Bloom filter 2 holds @101, @102, @103, ..., @200]
[Plot: probability of linking all addresses (0 to 1) against number of addresses of SPV client (0 to 50); curves: countermeasure, current implementation]

Summary
Information leakage through Bloom Filters in SPV clients
- Analytical and Empirical evaluation
- 1 Bloom filter critical if < 20 Bitcoin addresses
- 3+ Bloom filter intersection attack particularly strong
Lightweight countermeasure
- Significantly reduces leakage
- Intersection attack not effective
- Requires few changes
Conclusion
- Bloom filter for privacy is delicate
- Designed carefully we can achieve proper privacy
Thank you!

Privacy metric
Probability of correctly guessing j real addresses of a filter
N: # of addresses inserted into filter
S: # of false positives
$$P(1) = \frac{N}{N + S}$$
$$P(j) = \prod_{k=0}^{j-1} \frac{N - k}{N + S - k} = \frac{N}{N + S} \cdot \frac{N - 1}{N + S - 1} \cdots$$
Guessing all addresses correctly: link all addresses
$$P(N) = \prod_{k=0}^{N-1} \frac{N - k}{N + S - k} = \frac{N!\,S!}{(N + S)!}$$

Adversary’s model
Model
Operates full Bitcoin nodes
Parses the Blockchain for addresses
Knows parameter for Bloom filter creation: Target false positive rate
Collects multiple Bloom filters per SPV client
Goal: Link Bitcoin addresses inserted within a Bloom filter

Solution to scalability problems
Bloom filter false positive rate
Notation
n: Size of the Bloom filter in bits
m: Number of elements inserted into the Bloom filter
k: Number of hash functions of the Bloom filter
$$FPR(m) = \left(1 - \left(1 - \frac{1}{n}\right)^{km}\right)^{k}$$
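
Added example (not from the slides or the authors' code): a simulation that lets a wallet developer measure the leakage described in the stair-stepping, restart and countermeasure slides, using the deck's FPR(m) and P(j) formulas. The SHA-256 hashing, the textbook sizing rule, the 20,000-address universe and all function names are assumptions made for this illustration.

```python
import hashlib
import math


class BloomFilter:
    """n-bit Bloom filter with k hash functions derived from a seed.
    SHA-256 is a stand-in here, not the hash a real wallet uses."""
    def __init__(self, n, k, seed):
        self.n, self.k, self.seed = n, k, seed
        self.bits = bytearray(n)          # one byte per bit, for readability

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{self.seed}:{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos] = 1

    def __contains__(self, item):
        return all(self.bits[pos] for pos in self._positions(item))


def sized_filter(capacity, target_fpr, seed):
    """Textbook sizing: n = -N ln(p) / (ln 2)^2 bits, k = (n/N) ln 2 hashes."""
    n = math.ceil(-capacity * math.log(target_fpr) / math.log(2) ** 2)
    k = max(1, round(n / capacity * math.log(2)))
    return BloomFilter(n, k, seed)


def fpr(n, k, m):
    """FPR(m) = (1 - (1 - 1/n)^(k*m))^k, in the slides' notation."""
    return (1 - (1 - 1 / n) ** (k * m)) ** k


def p_guess(j, N, S):
    """P(j) = prod_{k=0}^{j-1} (N - k) / (N + S - k), the slides' privacy metric."""
    return math.prod((N - k) / (N + S - k) for k in range(j))


# Constructed data: 20,000 fake addresses stand in for the blockchain.
UNIVERSE = [f"addr{i:05d}" for i in range(20_000)]


def positives(bf):
    """What a full node learns: every known address that matches the filter."""
    return {a for a in UNIVERSE if a in bf}


def build(addresses, seed, capacity=50, target_fpr=0.01):
    """Filter sized for `capacity` addresses, holding only `addresses`."""
    bf = sized_filter(capacity, target_fpr, seed)
    for a in addresses:
        bf.add(a)
    return bf


def leakage(wallet, seeds):
    """Return (N, S): wallet size and false positives surviving intersection."""
    common = set(UNIVERSE)
    for seed in seeds:
        common &= positives(build(wallet, seed))
    return len(wallet), len(common - set(wallet))


if __name__ == "__main__":
    full, small = UNIVERSE[:50], UNIVERSE[:10]
    for label, wallet, seeds in [
        ("50 addresses, one filter", full, [1]),
        ("50 addresses, restart with fresh seeds", full, [1, 2, 3]),
        ("50 addresses, seed kept across restarts", full, [1, 1, 1]),
        ("10 addresses in a filter sized for 50", small, [1]),
    ]:
        N, S = leakage(wallet, seeds)
        print(f"{label}: S={S}, P(1)={p_guess(1, N, S):.3f}")
```

Running the module prints S and P(1) for each case: a kept seed leaves S unchanged across restarts, while fresh seeds and under-filled filters leave the wallet's addresses with almost no false positives to hide among.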