Security and Privacy of Bitcoin

Bitcoin is a decentralized payment system that is based on Proof-of-Work. Bitcoin is currently gaining popularity as a digital currency; several businesses are starting to accept Bitcoin transactions. In this project we investigate user privacy and certain security aspects of this payment system. In particular, we analyze the resistance of fast payments in Bitcoin to double-spending attacks, and demonstrate in what ways user privacy in Bitcoin can be compromised if Bitcoin were to replace cash.

Tampering with the Delivery of Blocks and Transactions in Bitcoin

Given the increasing adoption of Bitcoin, the number of transactions and the block sizes within the system are only expected to increase. To sustain its correct operation in spite of its ever-increasing use, Bitcoin implements a number of necessary optimizations and scalability measures. These measures limit the amount of information broadcast in the system to the minimum necessary. In this paper, we show that current scalability measures adopted by Bitcoin come at odds with the security of the system. More specifically, we show that an adversary can exploit these measures in order to effectively delay the propagation of transactions and blocks to specific nodes—without causing a network partitioning in the system. We show that this allows the adversary to easily mount Denial-of-Service attacks, considerably increase its mining advantage in the network, and double-spend transactions in spite of the current countermeasures adopted by Bitcoin. Based on our results, we propose a number of countermeasures in order to enhance the security of Bitcoin without deteriorating its scalability.

Members of the project: Arthur Gervais, Hubert Ritzdorf, Ghassan O. Karame and Srdjan Capkun

Related publication

  • Arthur Gervais, Hubert Ritzdorf, Ghassan O. Karame, Srdjan Capkun
    Tampering with the Delivery of Blocks and Transactions in Bitcoin
    in ACM Conference on Computer and Communications Security (CCS), 2015 [Preprint]

Quantifying Location Privacy Leakage from Transaction Prices

Large-scale datasets of consumer behavior might revolutionize the way we gain competitive advantages and increase our knowledge in the respective domains. At the same time, valuable datasets pose potential privacy risks that are difficult to foresee. In this paper we study the impact that the prices from consumers’ purchase histories have on the consumers’ location privacy. We show that using a small set of low-priced product prices from the consumers’ purchase histories, an adversary can determine the country, city, and local retail store where the transaction occurred with high confidence. Our paper demonstrates that even when the product category, precise time of purchase, and currency are removed from the consumers’ purchase history (e.g., for privacy reasons), information about the consumers’ location is leaked. The results are based on three independent datasets containing thousands of low-priced and frequently-bought consumer products. In addition, we show how to identify the local currency, given only the total price of a consumer purchase in a global currency (e.g., in Bitcoin). The results show the existence of location privacy risks when releasing consumer purchase histories. As such, the results highlight the need for systems that hide transaction details in consumer purchase histories.

Members of the project: Arthur Gervais, Hubert Ritzdorf, Mario Lucic and Srdjan Capkun

Related publication

  • Arthur Gervais, Hubert Ritzdorf, Mario Lucic, Srdjan Capkun
    Quantifying Location Privacy Leakage from Transaction Prices
    Cryptology ePrint Archive: Report 2015/496 [Paper]

Misbehavior in Bitcoin: A Study of Double-Spending and Accountability

Bitcoin is a decentralized payment system that relies on Proof-of-Work (PoW) to resist double-spending through a distributed time-stamping service. To ensure the operation and security of Bitcoin, it is essential that all transactions and their order of execution are available to all Bitcoin users.

Unavoidably, in such a setting, the security of transactions comes at odds with transaction privacy. Motivated by the fact that transaction confirmation in Bitcoin requires tens of minutes, we analyze the conditions for performing successful double-spending attacks against fast payments in Bitcoin, where the time between the exchange of currency and goods is short (on the order of a minute). We show that, unless new detection techniques are integrated in the Bitcoin implementation, double-spending attacks on fast payments succeed with considerable probability and can be mounted at low cost. We propose a new and lightweight countermeasure that enables the detection of double-spending attacks in fast transactions. In light of such misbehavior, accountability becomes crucial. We show that in the specific case of Bitcoin, accountability complements privacy. To illustrate this tension, we provide accountability and privacy definitions for Bitcoin, and we investigate analytically and empirically the privacy and accountability provisions in Bitcoin.

Members of the project: Ghassan O. Karame, Elli Androulaki, Marc Roeschlin, Arthur Gervais and Srdjan Capkun

Related publication

  • Ghassan O. Karame, Elli Androulaki, Marc Roeschlin, Arthur Gervais,
    Srdjan Capkun
    Misbehavior in Bitcoin: A Study of Double-Spending and Accountability
    in ACM Transactions on Information and System Security (TISSEC), 2015 [PDF]

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients

Lightweight Bitcoin clients are gaining increasing adoption among Bitcoin users, owing to their reduced resource and bandwidth consumption. These clients support a simplified payment verification (SPV) mode as they are only required to download and verify a part of the block chain—thus supporting the usage of Bitcoin on constrained devices, such as smartphones. SPV clients rely on Bloom filters to receive transactions that are relevant to their local wallet. These filters embed all the Bitcoin addresses used by the SPV clients, and are outsourced to more powerful Bitcoin nodes which then only forward to those clients transactions relevant to their outsourced Bloom filters.

We explore the privacy of existing SPV clients. We show analytically and empirically that the reliance on Bloom filters within existing SPV clients leaks considerable information about the addresses of Bitcoin users. Our results show that an SPV client who uses a modest number of Bitcoin addresses (e.g., < 20) risks revealing almost all of his addresses. We also show that this information leakage is further exacerbated when users restart their SPV clients and/or when the adversary has access to more than one Bloom filter pertaining to the same SPV client. Motivated by these findings, we propose an efficient countermeasure to enhance the privacy of users who rely on SPV clients; our proposal can be directly integrated within existing SPV client implementations.
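To make the leakage concrete, here is an added example (not code from the paper or from any SPV client) that outsources a small wallet to a toy Bloom filter and counts what a full node learns by testing every address it knows against it. The SHA-256 double hashing, the address strings and the 10,000-address universe are constructed stand-ins; real clients use MurmurHash3.

```python
import hashlib
import math

class BloomFilter:
    """Toy stand-in for the filter an SPV client outsources to a full node (added example;
    real clients use MurmurHash3, this one uses SHA-256 double hashing)."""
    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray(m_bits)

    def _positions(self, item):
        h = hashlib.sha256(item.encode()).digest()
        # h2 is forced odd so the k probe positions never collapse onto one bit
        h1, h2 = int.from_bytes(h[:16], "big"), int.from_bytes(h[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p] = 1

    def may_contain(self, item):
        return all(self.bits[p] for p in self._positions(item))

def optimal_params(n_items, fp_rate):
    """Standard Bloom sizing: bit count and hash count for n items at a target false-positive rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
    k = max(1, round(m / n_items * math.log(2)))
    return m, k

def leakage(wallet, universe, fp_rate):
    """What a full node learns by testing every address it knows against the client's filter.
    Returns (wallet addresses matched, non-wallet addresses matched): the second number is
    the only cover the wallet addresses get, and it shrinks with the target false-positive rate."""
    bf = BloomFilter(*optimal_params(len(wallet), fp_rate))
    for addr in wallet:
        bf.add(addr)
    matched = [addr for addr in universe if bf.may_contain(addr)]
    hits = sum(addr in wallet for addr in matched)
    return hits, len(matched) - hits

# Constructed data: a 20-address wallet among 10,000 addresses that have appeared on the chain.
UNIVERSE = [f"addr{i:05d}" for i in range(10_000)]
WALLET = set(UNIVERSE[:20])

if __name__ == "__main__":
    for fp in (0.001, 0.5):
        print(f"target fp rate {fp}: (true, decoy) matches = {leakage(WALLET, UNIVERSE, fp)}")
```

With a bandwidth-friendly target rate of 0.001 every wallet address matches and only a handful of decoys do, so the node recovers the wallet almost exactly; at 0.5 the same addresses hide among thousands of decoys at the cost of forwarding far more irrelevant transactions.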

Members of the project: Arthur Gervais, Ghassan Karame, Damian Gruber, Srdjan Capkun

Related publication

  • Arthur Gervais, Ghassan Karame, Damian Gruber, Srdjan Capkun
    On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients
    In Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014 (Acceptance rate: ~19.9%)
    [Extended version PDF | BibTeX | Slides]

Is Bitcoin a Decentralized Currency?

Bitcoin has achieved large-scale acceptance and popularity by promising its users a fully decentralized and low-cost virtual currency system. However, recent incidents and observations are revealing the true limits of decentralization in the Bitcoin system. In this article, we show that the vital operations and decisions that Bitcoin is currently undertaking are not decentralized. More specifically, we show that a limited set of entities currently control the services, decision making, mining, and the incident resolution processes in Bitcoin. We also show that third-party entities can unilaterally decide to “devalue” any specific set of Bitcoin addresses pertaining to any entity participating in the system. Finally, we explore possible avenues to enhance the decentralization in the Bitcoin system.

Members of the project: Arthur Gervais, Ghassan Karame, Srdjan Capkun and Vedran Capkun

Related publication

  • Arthur Gervais, Ghassan O. Karame, Srdjan Capkun, Vedran Capkun
    Is Bitcoin a Decentralized Currency?
    IEEE Security and Privacy Magazine, 2014
    [Preliminary version PDF | BibTeX]

Double-spending Attacks on Fast Payments in Bitcoin

Bitcoin is a decentralized payment system that is based on Proof-of-Work. Bitcoin is currently gaining popularity as a digital currency; several businesses are starting to accept Bitcoin transactions. An example case of the growing use of Bitcoin was recently reported in the media; here, Bitcoins were used as a form of fast payment in a local fast-food restaurant.

We analyze the security of using Bitcoin for fast payments, where the time between the exchange of currency and goods is short (i.e., on the order of a few seconds). We focus on double-spending attacks on fast payments and demonstrate that these attacks can be mounted at low cost on currently deployed versions of Bitcoin. We further show that the measures recommended by Bitcoin developers for the use of Bitcoin in fast transactions are not always effective in resisting double-spending; we show that if those recommendations are integrated in future Bitcoin implementations, double-spending attacks on Bitcoin will still be possible. Finally, we build on our findings and propose a lightweight countermeasure that enables the detection of double-spending attacks in fast transactions.

Members of the project: Elli Androulaki, Ghassan Karame, Srdjan Capkun

Related publication

  • Ghassan O. Karame, Elli Androulaki, Srdjan Capkun
    Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin
    In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012
    Related technical report: Cryptology ePrint Archive Report 2012/248, 2012 [PDF | BibTeX]

Countermeasures

Our proposed countermeasure modifies the Bitcoin client so that it propagates information about double-spending attacks faster and further through the network. The victim is thereby more likely to observe the malicious activity and can respond accordingly. The victim is also presented with a message that either warns about malicious activity or notifies them that no simple double-spending attack was observed.

We patched version 0.5.0 of the Bitcoin client:

  • Differences introduced by the patch
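An added example, not the project's 0.5.0 patch, showing the relay change in simplified form: standard nodes silently drop a transaction that conflicts with one already in their memory pool, while patched nodes emit and forward an alert, so a merchant node that never sees the attacker's second transaction still learns of the conflict. The five-node line topology, the message format and the alert being trusted without carrying the two conflicting transactions are simplifying assumptions.

```python
from collections import deque

class Node:
    def __init__(self, name, patched):
        self.name, self.patched, self.peers = name, patched, []
        self.spent = {}    # outpoint -> txid of the first transaction seen spending it
        self.alerts = {}   # outpoint -> (txid_a, txid_b) reported as conflicting
        self.seen = set()  # (type, id) of messages already handled, for dedup

class Network:
    """FIFO scheduler, one hop per dequeue: two transactions injected at different
    points race across the network (constructed simulation, not real P2P code)."""
    def __init__(self, patched):
        self.nodes, self.queue, self.patched = {}, deque(), patched

    def link(self, a, b):
        na = self.nodes.setdefault(a, Node(a, self.patched))
        nb = self.nodes.setdefault(b, Node(b, self.patched))
        na.peers.append(nb); nb.peers.append(na)

    def inject(self, name, msg):
        self.queue.append((self.nodes[name], msg))

    def run(self):
        while self.queue:
            node, msg = self.queue.popleft()
            if (msg["type"], msg["id"]) in node.seen:
                continue
            node.seen.add((msg["type"], msg["id"]))
            if msg["type"] == "tx":
                clash = [op for op in msg["inputs"] if node.spent.get(op, msg["id"]) != msg["id"]]
                if clash:
                    # Standard client: drop the conflicting tx and tell nobody. Patched client:
                    # raise an alert (a real one would carry both txs so peers can verify it).
                    for op in (clash if node.patched else []):
                        pair = (node.spent[op], msg["id"])
                        self.queue.append((node, {"type": "alert", "id": (op, pair), "outpoint": op, "txs": pair}))
                    continue
                for op in msg["inputs"]:
                    node.spent[op] = msg["id"]
            elif not node.patched:
                continue  # unpatched nodes do not understand alerts and drop them
            else:
                node.alerts[msg["outpoint"]] = msg["txs"]
            for peer in node.peers:
                self.queue.append((peer, msg))

def merchant_verdict(node, outpoint):
    if outpoint in node.alerts:
        return "WARNING: %s spent by both %s and %s" % ((outpoint,) + tuple(sorted(node.alerts[outpoint])))
    return "no double-spend observed for %s" % outpoint

def simulate(patched):
    """Attacker sends TX_V (pays merchant M) via P1 and TX_A (pays attacker) via Q."""
    net = Network(patched)
    for a, b in [("P1", "M"), ("M", "P2"), ("P2", "R"), ("R", "Q")]:
        net.link(a, b)
    op = "prev_txid:0"
    net.inject("P1", {"type": "tx", "id": "TX_V", "inputs": [op]})
    net.inject("Q", {"type": "tx", "id": "TX_A", "inputs": [op]})
    net.run()
    return merchant_verdict(net.nodes["M"], op), net.nodes["Q"].spent[op]
```

In both runs node Q ends up holding TX_A while the merchant holds TX_V, which is exactly the split that lets a later block confirm the attacker's version; only the patched network turns that split into a warning at the merchant.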

Evaluating User Privacy in Bitcoin

Bitcoin is quickly emerging as a popular digital payment system. However, in spite of its reliance on pseudonyms, Bitcoin raises a number of privacy concerns due to the fact that all of the transactions that take place are publicly announced in the system.

In this paper, we investigate the privacy guarantees of Bitcoin in the setting where Bitcoin is used as a primary currency for the daily transactions of individuals. More specifically, we evaluate the privacy that is provided by Bitcoin (i) by analyzing the genuine Bitcoin system and (ii) through a simulator that faithfully mimics the operation of Bitcoin in the context where Bitcoin is used for all transactions within a university. In this setting, our results show that the profiles of almost 40% of the users can be, to a large extent, recovered even when users adopt privacy measures recommended by Bitcoin. To the best of our knowledge, this is the first work that comprehensively analyzes and evaluates the privacy implications of Bitcoin. As a by-product, we have designed and implemented the first simulator of Bitcoin; our simulator can be used to model the interaction between Bitcoin users in generic settings.

Members of the Project: Elli Androulaki, Ghassan O. Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun

Related Publication

  • Elli Androulaki, Ghassan O. Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun
    Evaluating User Privacy in Bitcoin
    In Proceedings of the International Conference on Financial Cryptography and Data Security, 2013 [PDF]
Page URL: http://www.syssec.ethz.ch/research/Bitcoin.html
27.07.2017
© 2017 Eidgenössische Technische Hochschule Zürich