Settling that purchase from Silk Road 2.0 or perhaps Porn.com with some anonymous cryptocurrency? Or perhaps you're simply completing an innocuous hotel booking with Expedia. Either way, don't be too sure that your bitcoin buys will remain unconnected from your real-world identity.
A new study from the University of Luxembourg has found that an attacker with a couple of spare laptops and a $2,000 budget could deanonymise up to 60% of bitcoin clients on the network, tying bitcoin addresses to IP addresses. Perhaps even more disturbingly, such attacks could be taking place currently, an author of the study says.
The paper, by three researchers at the university's cryptology research group CryptoLux, describes an attack on the bitcoin network that links bitcoin addresses to public IP addresses, which in some cases can be traced back to a user's home address. The attack is relatively cheap to mount and an individual could launch it with the right know-how.
"If I had a couple of computers, I could launch this attack from our office, very cheaply," said Ivan Pustogarov, one of the authors of the paper.
The researchers also found that the attack could be designed to prevent the use of the Tor network, which anonymises traffic. Additionally, the attack can 'glue' transactions, so that transactions performed on one machine using multiple bitcoin addresses can be grouped together.
According to Pustogarov, the attack would be directed at the whole bitcoin network, and would deanonymise 11% of all transactions at any given time. More IP addresses can be revealed by changing one of the attack parameters, but this would compromise the attacker's secrecy.
Pustogarov indicated that he had mounted the attack on the bitcoin test network and achieved deanonymisation rates of 60%, adding:
"The range of success is between 11% and 60% [of all transactions]. The exact figure depends on how stealthy an attacker wants to be."
The cost of this type of attack on the bitcoin network would be less than 1,500 euros ($2,000) a month, he said.
The kind of attack Pustogarov and his co-authors have described could be taking place right now, unmasking seemingly anonymous bitcoin transactions.
"I'm running several bitcoin servers and from time to time I get many connections from the same IP address [...] I have suspicions that someone is trying to mount this kind of attack," he said.
Pustogarov stressed that he did not have firm evidence that such an attack was being directed at the bitcoin network currently, and added that he was motivated to prematurely publish his paper online, while it was being reviewed for presentation at a cryptography conference, because of his suspicion that such an attack was taking place.
The paper is published at Arxiv.org, a non-peer-reviewed platform for scholarly scientific and mathematical papers funded by Cornell University.
How it works
The attack described by the CryptoLux paper takes a different approach from earlier bitcoin deanonymisation research.
While earlier papers have focused on correlating users with transactions on the blockchain (Meiklejohn et al., Ron and Shamir), this method relies on analysis of traffic on the bitcoin network to expose identity information. As a result, the CryptoLux approach allows an attacker to view results in real time.
Here's how it works. When you perform a transaction on the bitcoin network, your bitcoin client typically joins the network by connecting to a set of eight servers. These initial connections are your entry nodes, and each user gets a unique set of entry nodes.
As your wallet sends bitcoin to complete a purchase to, say, Expedia.com, the entry nodes forward the transaction to the rest of the bitcoin network. The researchers' insight was that identifying a set of entry nodes meant identifying a particular bitcoin client, and by extension, a user. This means a bitcoin client's IP address could be grouped with the transactions it makes.
An attacker would therefore have to make multiple connections to bitcoin servers on the network. Once connected, the attacker would have to listen as clients made their initial connections to servers, potentially revealing a client's IP address.
As transactions flow through the network, they would be correlated to a client's entry nodes. If there's a match, then the attacker would know a transaction originated from a particular client.
An attacker can take the extra step of preventing Tor or other anonymity services from connecting to the bitcoin network to ensure that only genuine IP addresses are exposed.
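A node operator's check for the pattern this relies on (one source holding many connections to a server), as an added example that is not from the paper or the article. It assumes peer records with the `addr` and `inbound` fields reported by `bitcoin-cli getpeerinfo`; the sample peers and both thresholds are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output, trimmed to
# the two fields used here. Addresses are documentation ranges, not real peers.
SAMPLE_PEERS = json.loads("""[
  {"addr": "203.0.113.7:51234", "inbound": true},
  {"addr": "203.0.113.7:51240", "inbound": true},
  {"addr": "203.0.113.7:51302", "inbound": true},
  {"addr": "203.0.113.9:40011", "inbound": true},
  {"addr": "198.51.100.20:8333", "inbound": false},
  {"addr": "[2001:db8::5]:49152", "inbound": true},
  {"addr": "[2001:db8::5]:49153", "inbound": true},
  {"addr": "192.0.2.44:60100", "inbound": true}
]""")

def peer_ip(addr):
    """Strip the port from 'host:port' or '[v6]:port'; None if not an IP."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # e.g. an .onion peer, which has no IP to group on

def network_of(ip):
    """Group IPv4 by /24 and IPv6 by /64 so neighbouring hosts count together."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def flag_repeat_sources(peers, max_per_ip=2, max_per_net=3):
    """Return (ips, nets) whose inbound connection count exceeds the limits."""
    ips, nets = Counter(), Counter()
    for p in peers:
        ip = peer_ip(p["addr"]) if p.get("inbound") else None
        if ip is not None:
            ips[str(ip)] += 1
            nets[str(network_of(ip))] += 1
    hot_ips = {k: n for k, n in ips.items() if n > max_per_ip}
    hot_nets = {k: n for k, n in nets.items() if n > max_per_net}
    return hot_ips, hot_nets

if __name__ == "__main__":
    hot_ips, hot_nets = flag_repeat_sources(SAMPLE_PEERS)
    print("IPs over limit:", hot_ips)
    print("Networks over limit:", hot_nets)
```

Grouping by network as well as by address catches a source that spreads its connections across neighbouring hosts; outbound peers are ignored because the node chose those itself.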
"Even if you're sharing an office [with other users], these eight entry nodes, they will be different for you and someone else in the same office. This allows us to distinguish two people behind the same [Internet service provider]," Pustogarov said.
Who's being identified
If Pustogarov's hunch is right and someone is identifying bitcoin addresses at network scale, just how much information could the attacker potentially be gathering?
A good portion of bitcoin users need not worry about being identified. Web wallet users won't have their IP addresses exposed by the attack. An attack would only reveal the IP addresses used by the web wallet service.
"Those clients are not influenced by this attack. Our attack will only be able to determine the IP address of the [web wallet] service," Pustogarov said.
However, he pointed out that web wallet users probably don't place a high premium on anonymity and security anyway, as they are placing their trust in a third-party service:
"They are still exposed because they trust [the web wallet provider]. If someone wants to remain anonymous they shouldn't be using these services."
The CryptoLux attack also isn't designed to expose the IP address of a targeted user. An attacker would require a combination of luck and patience to discover the real-world location of a specific bitcoin address.
Since an attack has an 11% chance of unmasking a bitcoin address, the attacker would have to listen to an average of 10 transactions from a specific bitcoin address before the associated IP address is exposed, Pustogarov explained.
Core developers' response
Given the ease with which a deanonymisation attack could be mounted, what is the core developers' response to the CryptoLux paper? According to bitcoin core developer Mike Hearn, nothing.
"We knew about these sorts of attacks already," he said.
In a post responding to the paper on Bitcointalk, Hearn noted that several measures to protect against it could be too costly or slow down transactions greatly. However, he noted that an attack that disabled Tor, for example, would likely come at the cost of being noticed by users on the bitcoin network, and so would probably not be an attractive option.
"Highly visible attacks like that aren't appealing to all adversaries, like intelligence agencies," he said.
Bitcoin anonymity is fragile
Bitcoin's ability to keep users anonymous has been thrown into question recently. For example, Blockchain's SharedCoin service, a coin 'mixer', was designed to obfuscate the transactions made by a particular user.
However, consultant Kristov Atlas revealed that the service provided little cover from a skilled investigator. The CryptoLux paper further underscores the cryptocurrency's weaknesses when it comes to maintaining anonymity.
As Hearn notes:
"Combined with the recent news that the blockchain.info SharedCoin service doesn't work, I think people are starting to get the picture here – bitcoin is not quite the anonymous currency it was made out to be."
The question of anonymity goes to the heart of bitcoin's potential. Both Pustogarov and Hearn describe the trade-off between privacy and performance. For example, Pustogarov suggests several responses to his deanonymisation attack, but each one delivers greater privacy at the expense of performance.
Transactions will either be delayed or require more resources to execute, Pustogarov said, explaining:
"With an anonymity network, increasing the quality of service and performance always decreases the anonymity. The faster the system, the less anonymity you have."
Hearn concluded by pointing to the essential contradiction contained in bitcoin's mechanics:
"Privacy is difficult and privacy in public networks is even harder: bitcoin makes all data public, yet its users expect total privacy. There's obviously a difficult contradiction in there that requires a lot of technical smarts to resolve."