Linking Anonymous Transactions via Remote Side-Channel Attacks

Florian Tramèr, Dan Boneh, and Kenneth G Paterson

Stanford Blockchain Conference, 2020.

We describe remote side-channel attacks on receiver privacy in anonymous cryptocurrencies. Our attacks, which we validate on Zcash and Monero, enable a remote attacker to:
1. Identify the payee for any anonymous transaction being sent into the network.
2. Locate the machine (i.e., its IP address) that holds the private key that corresponds to an attacker-known public address.
3. Break unlinkability of a user's diversified addresses, by determining whether two attacker-known public payment addresses correspond to the same private key.
In addition, for Zcash, the vulnerabilities underlying our attacks can be abused to remotely corrupt and crash any Zcash node for which the attacker knows a payment address, as well as to set up a remote timing side-channel on an ECDH key exchange between a victim node's private key and an attacker's ephemeral public key. In principle, this side-channel can be used to fully recover the victim's private key, thereby completely breaking receiver anonymity.

Our attacks rely on differences in the way that a user's wallet processes a transaction, depending on whether the user is the transaction's payee. We show that these differences in wallet behavior affect the behavior of the P2P node that the wallet is connected to. In turn, a remote adversary can exploit various network and timing side-channels to observe these differences in the P2P node's behavior, and thereby infer the wallet's receipt of a transaction. The vulnerabilities underlying our attacks were disclosed to Zcash and Monero, and have been fixed in recent versions of both projects.
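A constructed Python model, added here and not the paper's or the Zcash/Monero code, of the mechanism the abstract describes: when the wallet's payee-dependent work runs inside the node's message loop, a remote peer measuring reply latency can tell which transactions pay the victim; with wallet processing taken off the node's critical path, the measured latency no longer depends on the payee. The abstract cost units, the recipient label on each output and the two cost constants are assumptions of the model.

```python
"""Constructed model of the leak described in the abstract: a wallet that does
payee-dependent work while the P2P node waits, versus a node that keeps peer
handling independent of wallet processing. Not the paper's or the projects' code."""
from dataclasses import dataclass
from typing import List

TRIAL_DECRYPT_COST = 1   # assumed cost per output the wallet trial-decrypts
NOTE_UPDATE_COST = 20    # assumed extra work done only when an output is ours

@dataclass
class Tx:
    outputs: List[str]   # hypothetical: each output labelled with its recipient key id

@dataclass
class Wallet:
    key_id: str

    def process(self, tx: Tx) -> int:
        """Cost of scanning tx; the cost depends on whether we are the payee."""
        cost = 0
        for out in tx.outputs:
            cost += TRIAL_DECRYPT_COST
            if out == self.key_id:        # successful trial decryption
                cost += NOTE_UPDATE_COST  # persist the note, update balances, ...
        return cost

@dataclass
class Node:
    wallet: Wallet
    inline_wallet: bool   # True: wallet runs inside the node's message loop
    backlog: int = 0      # wallet work deferred to a separate worker

    def ping_latency_after(self, tx: Tx) -> int:
        """Cost units until the node answers a peer's ping sent right after tx."""
        work = self.wallet.process(tx)
        if self.inline_wallet:
            return work         # node blocked while the wallet scans tx
        self.backlog += work    # decoupled: wallet work does not delay peer handling
        return 0

def latency_gap(inline_wallet: bool) -> int:
    """Observed ping-latency difference between a tx paying the victim and one that does not."""
    victim = Node(Wallet("victim"), inline_wallet)
    paying = Tx(["victim", "other"])      # constructed: one output for the victim
    unrelated = Tx(["other", "other"])    # constructed: nothing for the victim
    return victim.ping_latency_after(paying) - victim.ping_latency_after(unrelated)
```

A non-zero `latency_gap` is exactly the remotely observable signal the abstract describes; the decoupled node shows one way the signal disappears, and making the wallet's work independent of the payee would be the other.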

  author   =   {Tram{\`e}r, Florian and Boneh, Dan and Paterson, Kenneth G},
  title   =   {Linking Anonymous Transactions via Remote Side-Channel Attacks},
  booktitle   =   {Stanford Blockchain Conference},
  year   =   {2020}