Bitcoin Security and Privacy
By Albert Szmigielski
Bitcoin is a decentralized currency and payment system. To be an effective and secure payment system it should satisfy several security requirements. The first of these is fairness. On the surface Bitcoin meets this property, since users can only sign for coins that they control. However, a closer look at recent research shows that several double-spend attacks have been carried out that would negate the fairness property of Bitcoin. On the other hand, Bitcoin resists impersonation attacks very well. No one can obtain the private keys of another participant in the system (assuming they are stored properly and securely) in order to sign that participant's transactions. From resistance to impersonation, non-repudiation follows: since no one can obtain someone else's private keys, a signed transaction cannot be disputed. Once an actor in the system signs a transaction, he or she cannot later claim not to have done so.
Payment systems need to respect privacy if they want to gain users. Most people do not want to advertise what they spend their money on. In a payment system with a public ledger privacy becomes tricky, as all transaction data is public. A desirable property of a payment system with respect to privacy is transaction unlinkability. This property ensures that no two transactions by the same individual can be linked together. Bitcoin tries to fulfill this property by being pseudonymous and by recommending the use of a new address for each transaction. However, those features are not enough. Several studies have used clever analysis to link addresses and transactions together, for example by assuming that all inputs of a transaction belong to one owner, or by identifying which output of a transaction is the change. Some of this analysis is based on users' behaviour, and behavioural analysis would be very challenging to counter, as it is not part of the payment system itself.
Another desirable property is transaction anonymity: a transaction cannot be linked to any one identity any more than it can be linked to any other identity in the system. Unfortunately, the same techniques used to link transactions together, combined with web crawlers that collect Bitcoin addresses posted on forums and blogs, allow identities to be linked to transactions.
One way to improve transaction unlinkability would be to build a mixer service into the Bitcoin system itself. Such a mixer would accept inputs in a single denomination in order to deter analysis by amounts. The denomination could be small so that most coins can be mixed. To thwart multi-input analysis, any time a user needs to make a payment from multiple addresses the coins would first go through the mixer service and be returned to a single new address. Change from a transaction would also go through the mixer, so that on the blockchain itself the change address of any transaction would be one belonging to the mixer. While there are obviously technical details to be worked out for a system-wide mixer, recent developments in Zerocash techniques, or even a system-wide CoinJoin, bring this goal much closer to reality. A mixer service native to Bitcoin would also help to ensure transaction anonymity.
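The two linking heuristics mentioned above (common ownership of all inputs, and change detection), and the way an equal-denomination CoinJoin defeats the first of them, are shown in the following worked example. It is an added illustration, not code from the essay or from any Bitcoin implementation: the transactions, addresses and amounts are constructed, inputs are represented by the address being spent rather than by outpoint, and fees are ignored.

```python
"""Address-clustering heuristics over a constructed transaction graph.

Heuristic 1 (common-input-ownership): all inputs of an ordinary transaction
are presumed to belong to one entity.
Heuristic 2 (change detection): in a two-output transaction, the output that
reuses an input address, or the only output whose address is new, or the
only output with a non-round amount, is presumed to be change to the sender.
A CoinJoin-shaped transaction (several inputs, several equal outputs) is
where heuristic 1 produces false links, so a careful analyst skips it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int          # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple       # addresses whose coins are being spent (simplified)
    outputs: tuple      # TxOut instances


class UnionFind:
    """Disjoint sets of addresses; each set is one presumed owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx):
    """Several inputs and at least two outputs of identical value: the
    equal-denomination shape a mixer produces. Inputs cannot be presumed
    to share an owner."""
    values = [o.value for o in tx.outputs]
    return len(tx.inputs) >= 2 and any(values.count(v) >= 2 for v in set(values))


def guess_change(tx, seen):
    """Return the output address believed to be change, or None if ambiguous.
    `seen` holds every address observed in earlier transactions."""
    if len(tx.outputs) != 2:
        return None
    for o in tx.outputs:                       # strongest signal: address reuse
        if o.address in tx.inputs:
            return o.address
    fresh = [o for o in tx.outputs if o.address not in seen]
    if len(fresh) == 1:                        # payee address was seen before
        return fresh[0].address
    odd = [o for o in tx.outputs if o.value % 10_000 != 0]
    if len(odd) == 1:                          # payments tend to be round sums
        return odd[0].address
    return None


def cluster_addresses(txs, detect_coinjoin=True):
    """Group addresses into presumed owners. With detect_coinjoin=False the
    analyst applies heuristic 1 blindly and merges unrelated users."""
    uf = UnionFind()
    seen = set()
    for tx in txs:
        for addr in tx.inputs:
            uf.find(addr)
        for out in tx.outputs:
            uf.find(out.address)
        if not (detect_coinjoin and looks_like_coinjoin(tx)):
            for addr in tx.inputs[1:]:
                uf.union(tx.inputs[0], addr)
            change = guess_change(tx, seen)
            if change is not None:
                uf.union(tx.inputs[0], change)
        seen.update(tx.inputs)
        seen.update(out.address for out in tx.outputs)
    clusters = {}
    for addr in list(uf.parent):
        clusters.setdefault(uf.find(addr), set()).add(addr)
    return list(clusters.values())


def cluster_of(clusters, address):
    for c in clusters:
        if address in c:
            return frozenset(c)
    return frozenset()


# Constructed history: Alice (A*), Bob (B*), Carol (C1) pay merchant M1,
# then the three of them join a 10 000-satoshi CoinJoin (t4).
SAMPLE_TXS = (
    Tx("t1", ("A1", "A2"), (TxOut("M1", 150_000), TxOut("A3", 37_512))),
    Tx("t2", ("A3",), (TxOut("M1", 20_000), TxOut("A4", 17_012))),
    Tx("t3", ("B1",), (TxOut("M1", 50_000), TxOut("B2", 13_000))),
    Tx("t4", ("A4", "B2", "C1"), (TxOut("X1", 10_000), TxOut("X2", 10_000),
                                  TxOut("X3", 10_000), TxOut("A5", 7_012),
                                  TxOut("B3", 3_000), TxOut("C2", 15_000))),
)

if __name__ == "__main__":
    for c in cluster_addresses(SAMPLE_TXS):
        print(sorted(c))
    print("naive:", sorted(cluster_of(cluster_addresses(SAMPLE_TXS, False), "A1")))
```

With CoinJoin detection on, Alice's four addresses are linked through t1 and t2 while the mixed outputs X1, X2 and X3 cannot be attributed to anyone; with it off, the common-input rule wrongly merges Alice, Bob and Carol into a single owner, which is why a system-wide mixer would have to be recognizable, or universal, for analysis to stay honest.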
Another improvement would be to strengthen the fairness property. This is no easy task, and probably not doable in practice, as it would need the approval of miners who have a lot of capital invested in mining hardware that supports the status quo. In order to prevent double-spending we would need to thwart all the attacks (described in the research and presented during the class) that facilitate double spending. The idea here is to design a proof-of-work puzzle that can also be solved on general-purpose machines, and even on resource-constrained devices such as smartphones. The puzzle would have to be designed so that employing a large number of devices (such as a botnet) gives no advantage over a user who runs just one device. This would take mining back to its origins of one CPU – one vote.
To prevent eclipse attacks and delay of object delivery attacks we can establish well-known trusted nodes on the network to which all clients can connect. Such nodes could be run by established players like Coinbase, Blockchain.info, the Bitcoin Foundation, 21Inc, and so on. Such companies can operate multiple nodes in geographically dispersed areas and have them maintained by security experts to ensure correct operation. Having such trusted nodes can also help with zero-confirmation transactions: if all of the trusted nodes have received a transaction, and none of them has seen a conflicting transaction spending the same coins, there is a very low probability that a double-spend will follow.
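The acceptance rule just described can be written down as a small decision procedure over the trusted nodes' mempool views. This is an added example, not code from the essay or from any wallet or exchange: the node names, transaction ids and outpoints are constructed, and in a real deployment `node_views` would be filled from each trusted node's mempool rather than from literals.

```python
"""Zero-confirmation acceptance against several trusted nodes.

A payment is accepted without a confirmation only if every trusted node has
the transaction in its mempool and no trusted node has a conflicting
transaction, i.e. one that spends any of the same outpoints.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MempoolTx:
    txid: str
    spends: frozenset      # outpoints consumed, as "prev_txid:vout" strings


def conflicts(a, b):
    """Two distinct transactions conflict when they spend a common outpoint;
    at most one of them can ever be confirmed."""
    return a.txid != b.txid and bool(a.spends & b.spends)


def assess_zero_conf(txid, node_views):
    """Decide whether to accept an unconfirmed payment.

    node_views maps a trusted node's name to the transactions in its mempool.
    Returns (verdict, detail) where verdict is one of
      'accept'  - every node has the transaction and none has a conflict
      'reject'  - some node holds a transaction spending the same outpoint
      'wait'    - no conflict seen, but not yet present on every node
      'unknown' - no trusted node has seen the transaction at all
    """
    target, seen_on = None, []
    for node, pool in node_views.items():
        for tx in pool:
            if tx.txid == txid:
                target, seen_on = tx, seen_on + [node]
                break
    if target is None:
        return "unknown", {"seen_on": []}
    conflicting = {node: tx.txid
                   for node, pool in node_views.items()
                   for tx in pool if conflicts(target, tx)}
    if conflicting:
        return "reject", {"seen_on": seen_on, "conflicts": conflicting}
    if len(seen_on) < len(node_views):
        return "wait", {"seen_on": seen_on}
    return "accept", {"seen_on": seen_on}


# Constructed mempool snapshots from three hypothetical trusted nodes.
PAY1 = MempoolTx("pay1", frozenset({"aaaa:0"}))
PAY2 = MempoolTx("pay2", frozenset({"bbbb:1", "bbbb:2"}))
DBL2 = MempoolTx("dbl2", frozenset({"bbbb:2"}))     # respends one of pay2's inputs
PAY3 = MempoolTx("pay3", frozenset({"cccc:0"}))

TRUSTED_NODES = {
    "node-eu": [PAY1, PAY2, PAY3],
    "node-us": [PAY1, PAY2],
    "node-ap": [PAY1, DBL2],
}

if __name__ == "__main__":
    for txid in ("pay1", "pay2", "pay3", "nope"):
        print(txid, *assess_zero_conf(txid, TRUSTED_NODES))
```

The rule is only as good as the nodes' view of the network: a double-spend that has not yet reached any trusted node is invisible to it, so the 'wait' verdict should be re-evaluated after propagation rather than treated as a near-accept.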
To improve zero-confirmation transactions and guard against double-spending, and therefore preserve the fairness property, we could utilize sidechains. In theory it would be possible to design a sidechain with fast confirmation times (say, on the order of seconds) that is still secure enough to prevent the known attacks. Being a sidechain, and therefore bitcoin-based, one would not have to worry about its token losing value. Such an approach could address both the fast-payments issue and the double-spending issue. Of course, a careful design is the prerequisite of this approach.
The Bitcoin system provides non-repudiation and is resistant to impersonation attacks. Where Bitcoin could use improvement is in the areas of fairness and privacy. Neither transaction unlinkability nor transaction anonymity is well preserved (or even observed) in the Bitcoin system. Improvements to enhance fairness and privacy have been suggested and could be implemented after careful design and analysis.