Toward Active and Passive Confidentiality Attacks on Cryptocurrency Off-chain Networks

Nisslmueller, Utz; Foerster, Klaus-Tycho; Schmid, Stefan; Decker, Christian

doi:10.5220/0009429200070014

Cited by 27 publications

(26 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The considerable higher timelocks in shadow routing facilitate longer fund reservation and hence increase the severity of the attack. Furthermore, timing attacks still allow inferring the hop distance to the receiver in practice [20].…”

Section: Lightning Multi-hop Paymentsmentioning

confidence: 99%

“…However, the evaluation was limited in the sense that only paths of up to length 5 was allowed between any pair of nodes. Other works evaluating the anonymity in Bitcoin's Lightning network studied the effectiveness of inferring the receiver through timing attacks [20], linkability of payments at different locations in the network [17], and an attack that determines whether the predecessor is indeed the source [13]. The only attack that explicitly makes use of Lightning's predictable routing targets availability rather than anonymity [29].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

How Lightning’s Routing Diminishes its Anonymity

Kumble

Epema

Roos

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Lightning, the prevailing solution to Bitcoin's scalability issue, uses onion routing to hide senders and recipients of payments. Yet, the path between the sender and the recipient along which payments are routed is selected such that it is short, cost efficient, and fast. The low degree of randomness in the path selection entails that anonymity sets are small. However, quantifying the anonymity provided by Lightning is challenging due to the existence of multiple implementations that differ with regard to the path selection algorithm and exist in parallel within the network. In this paper, we propose a general method allowing a local internal attacker to determine sender and recipient anonymity sets. Based on an in-depth code review of three Lightning implementations, we analyze how an adversary can predict the sender and the recipient of a multi-hop transaction. Our simulations indicate that only one adversarial node on a payment path uniquely identifies at least one of sender and recipient for around 70% of the transactions observed by the adversary. Moreover, multiple colluding attackers can almost always identify sender and receiver uniquely. CCS CONCEPTS• Security and privacy → Distributed systems security; • Networks → Network simulations.

show abstract

Section: Lightning Multi-hop Paymentsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

How Lightning’s Routing Diminishes its Anonymity

Kumble

Epema

Roos

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Off-chain networks, in particular, attracted many researchers to study possible attacks. Some of these attacks overload the channels with pending transactions to DoS the network [26], create congestion in the underlined blockchain to steal money [15], and deanonymize users with active and passive timing attacks [31], [34].…”

Section: Related Workmentioning

confidence: 99%

Route Hijacking and DoS in Off-Chain Networks

Tochner

Zohar

Schmid

2020

Proceedings of the 2nd ACM Conference on Advances in Financial Technologies

Self Cite

View full text Add to dashboard Cite

Off-chain transaction networks can mitigate the scalability issues of today's trustless blockchain systems such as Bitcoin. However, these peer-to-peer networks also introduce a new attack surface which is not yet fully understood. This paper identifies and analyzes a novel type of Denial-of-Service attack which is based on attracting routes, i.e., which exploits the way transactions are routed and executed along the channels of the network in order to attract nodes to route through the attacker. This attack is conceptually interesting as it highlights a fundamental design tradeoff for the defender (who determines its own routes): to become less susceptible to hijacking, a rational node has to pay higher fees to nodes that forward its payments. We focus on the Lightning network, and we investigate both the structure of the network using real data collected over an extended period of time, and the routing algorithms of different implementations. We find that the three most common implementations (lnd, C-lightning, Eclair) approach routing differently. We then explore the routes chosen by these implementations in the current Lightning network. We find that very few nodes route most of the traffic: nearly 60% of all routes pass through only five nodes, while 80% go through only 15 nodes. Thus, a relatively small number of colluding nodes can deny service to a large fraction of the network. We then turn to study an external attacker who creates links to the network and draws more routes through its nodes by asking for lower fees. While finding the optimal set of links to create is NP-complete, we show that using a greedy attack strategy, an attacker can obtain a 1 − 1/e approximation. Given this strategy, we find that just five new links are enough to draw the majority (65%-75%) of the traffic regardless of the implementation being used. The cost of creating these links is very low. Drawing this traffic, the attacker is then able to deny service to all those who route through it. We further show that newer routing algorithms recently introduced into lnd, to penalize routes that failed in the past and avoid selecting them again, do not effectively prevent such attacks. Finally, we suggest modified routing policies, which may help alleviate the problem.

show abstract

“…Concurrently to our work, Kappos et al [33] refine prior approaches of traffic simulation and introduce a probabilistic model based on observed path lengths in order to estimate probable payment endpoints. Moreover, while a recent entry by Nisslmueller et al [48] mention the possibility of timing attacks, their investigation remains in a preliminary state.…”

Section: Related Workmentioning

confidence: 99%

Counting Down Thunder

Rohrer

Tschorsch

2020

Proceedings of the 2nd ACM Conference on Advances in Financial Technologies

View full text Add to dashboard Cite

The Lightning Network is a scaling solution for Bitcoin that promises to enable rapid and private payment processing. In Lightning, multihop payments are secured by utilizing Hashed Time-Locked Contracts (HTLCs) and encrypted on the network layer by an onion routing scheme to avoid information leakage to intermediate nodes. In this work, we however show that the privacy guarantees of the Lightning Network may be subverted by an on-path adversary conducting timing attacks on the HTLC state negotiation messages. To this end, we provide estimators that enable an adversary to reduce the anonymity set and infer the likeliest payment endpoints. We developed a proof-of-concept measurement node that shows the feasibility of attaining time differences and evaluate the adversarial success in model-based network simulations. We find that controlling a small number of malicious nodes is sufficient to observe a large share of all payments, emphasizing the relevance of the on-path adversary model. Moreover, we show that adversaries of different magnitudes could employ timing-based attacks to deanonymize payment endpoints with high precision and recall. CCS CONCEPTS • Security and privacy → Distributed systems security; • Networks → Network privacy and anonymity.

show abstract

Toward Active and Passive Confidentiality Attacks on Cryptocurrency Off-chain Networks

Cited by 27 publications

References 4 publications

How Lightning’s Routing Diminishes its Anonymity

How Lightning’s Routing Diminishes its Anonymity

Route Hijacking and DoS in Off-Chain Networks

Counting Down Thunder

Contact Info

Product

Resources

About