Empirical analysis of the Zcash blockchain

[feddan35]

CryptoLUX Research Group, University of Luxembourg application for Zcash foundation grants.

Our proposal is the empirical analysis of the Zcash blockchain. Despite Zcash positioning itself as a privacy-preserving blockchain, still about 80\% of all the transactions are transparent, which makes them suitable for analysis. Until the Sapling update is released, and private transactions are made mandatory, there can be unintended vulnerabilities concerning the privacy of the users, and those problems may surface with an empirical analysis. We propose the following:

• Investigate existing approaches for Bitcoin analysis, and apply and extend them to the Zcash blockchain
• Use existing or our own tools. Extend these tools with Zcash specific functions, and release it to the public
• Investigate JoinSplit transactions between z- and t-addresses, whether there are cases of deanonymization for the z-address holders
• By empirical analysis provide a more accurate prediction of the transaction fees for wallet implementations, as currently users are usually either overpaying, or waiting too long for their transactions to be accepted, while with a more accurate estimate these problems could be mitigated
• Analyze big clusters of addresses, like marketplaces, exchanges, especially in cases of transactions between z- and t-addresses, as Zcash users are generally conscious about their privacy, and personal data disclosure based on blockchain analysis would harm the reputation of Zcash
• Investigate the privacy implications of SPV wallets in Zcash, as Bloom filter based light wallets in Bitcoin can lead to privacy related attacks (On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients, ACSAC 2014)
• Analyze the network properties of the blockchain as well, as our team has expertise in this topic. (Deanonymisation of clients in Bitcoin P2P network, ACM CCS 2014)
• The work would lead to a working paper of our findings
• The work will be done in ethical way, no individual data would be deanonymized, results of experiments on real data would not be stored. For demonstration purposes we will deanonymize our own transactions. We have prior experience with our studies of privacy in Tor and Bitcoin on how to carry such work in an ethical way.

The team that would work on the project would consist of PI Alex Biryukov, and two of his PhD students, Daniel Feher and Sergei Thikomirov. Our budget would be 24000\$, which would cover around 9 person months of work.

[tromer]

Is this to be a research grant awarded through the university, or something else? Who are the PI and (if known) students? Will the tools be released to the public? The data? Querying the servers? Please discuss ethical ramifications and handling of recovered private information.

[iangfc]

Presumably this would lead to a working paper?

[s-tikhomirov]

@tromer The PI is Alex Biryukov, the students are Daniel Feher ( @feddan35 ) and Sergei Tikhomirov (that's me) -- see our site for more info about us.

[tromer]

In addition to the above open questions, can you also discuss your plans regarding JoinSplit and shielded transactions? These will clearly be a challenge to your existing algorithms, and also to implementations that rely on Bitcoin's plaintext transaction format.

Porting Bitcoin analysis to Zcash while supporting only unshielded transactions is easy (and already done by BlockSci), but far less useful and instructive than analyzing JoinSplits as well.

Bear in mind that using a t-address is willingly giving up privacy, so the most important question is what privacy is provided to users of z-addresses.

[mineZcash]

I concur with @tromers reasoning, it is well known that transparent addresses inherit the flaws of a public blockchain so an analysis of the public facing data does not seem to be needed. And it is already planned to eventually depreciate transparent transactions once z-addresses are viable for most devices.

If there were to be a strong analysis of the security of the shielded system that would be more important in my opinion.

[tromer]

See also https://github.com/ZcashFoundation/GrantProposals-2017Q4/issues/31#issuecomment-330054686, on doing real-time analysis to advise wallet users.

[feddan35]

We updated the proposal and answered your questions.

[tromer]

Thanks, @feddan35. This is very helpful!

Can you comment on similarities, differences and potential collaborations between your team and that of #31? (Feel free to talk and coordinate together.)

[acityinohio]

Every informal proposal has multiple reviews by the review committee. The reviews are being collected and discussed in a private google doc (the 5 reviewers all have edit access to it, no one else can view it). By way of early, informal feedback, the reviewers have made a list of projects that they consider leading candidates for grant funding.

In that vein, your project was selected as one of the leading candidates, and the review committee encourages you to submit a full proposal by October 6th and looks forward to reviewing it.

[acityinohio]

Also just a reminder @feddan35 that the submission deadline is October 6th! Please endeavor to have a final proposal submitted by then, as an attachment to this issue (and yes, it can be October 6th anywhere in the world).

[feddan35]

Our official proposal is attached below. CryptoLUX_Zcash_grant_proposal.pdf

[tromer]

To be clear: you're proposing to release the tool as software, but not to run an online service that that uses the tool, right? The hope is that third parties will pick up the tool and run it as an online service? (ping @lustro @radix42 @mineZcash)

[feddan35]

Yes, we plan to release the tool as a software. Also we have started working on the project and have some preliminary results.

We have fixed the tool so that it now works with Zcash (almost) and parsed the full Zcash blockchain into the database. We have started looking at z-t address play, labeling obvious patterns. We also noticed that the data on https://explorer.zcha.in/statistics/network has some discrepancy: If we sum up all the block rewards issued so far, it is around 2,432K ZEC, but if we add the transparent value, the unspent block rewards and the shielded value, we get only 2,283K ZEC, which means there is about 150K ZEC missing. On the other hand our calculations show that there is about 84K ZEC in shielded addresses compared to the 58K claimed by this site.

We have also looked into the usage of JoinSplit transactions, and found that from all the transactions (1,400K transactions overall) about 19.4% are JoinSplit transaction (272K transactions), and from the JoinSplit transactions 1.7% (4.7K transactions) are pure z-to-z address transactions (i.e. it does not involve any t address).

If we take a look at the recent trends (the last 10K blocks), then there were 93K transactions overall and the fraction of JoinSplit transactions goes down to 11% (10.2K transactions), while the fraction of pure z-to-z transactions goes slightly up to 2.5% (250 transactions).

We have started labeling the claims of block rewards, as they are the most obvious transactions between t and z addresses, and found that these transaction take up over 87% (98K transactions) of all transactions from a t-address to a z-address. This trend has been decreasing, as for the last 10K blocks this ratio is only 80% (4500 transactions).

There are also hints that even after transparent transactions are depreciated, traffic regularities would probably reveal some interesting info, so countermeasures against traffic analysis might be needed.

[acityinohio]

@feddan35 : I'm thrilled to inform you that the Grant Review committee—and the Zcash Foundation board—has tentatively approved your proposal! While the recommendations are already posted, we are planning to make a more public post tomorrow morning (November 21st) Pacific Standard Time.

Next steps: please email me josh [at] z.cash.foundation with an email address suitable as a point of contact. Due to our newfound 501(c)3 status there are additional reporting and compliance burdens that may delay or change disbursements, but we are working through them as fast as we can.

Just in case you didn't see it, please find the committee recommendation for your project below, and congratulations again!

The research group proposes to extend the open-source BlockSci blockchain analysis tool, to fully support the Zcash blockchain including shielded transactions. They will use this tool to analyze the privacy implications of the interaction between transparent and shielded transactions in the Zcash blockchain, and analyze the linkability of shielded transactions.

This addresses crucial questions about the privacy properties of the Zcash as a whole, and will provide new guidance to users on safely using shielded and transparent transactions together.

CryptoLux is an established academic group of accomplished cryptography researchers, and has designed the Equihash proof-of-work used by Zcash. They have also posted preliminary results of the proposed research. They thus appear capable of successfully and responsibly executing the proposed analysis. The budget is commensurate with the proposed effort, at typical academic scholarship rates.

Note: CryptoLUX is headed by Prof. Alex Biryukov, who serves on the review committee. To avoid conflict of interest, he was excluded from discussion of this proposal.

[feddan35]

Here is a close to final working draft of our research on Zcash blockchain privacy study. https://cryptolux.org/images/d/d9/Zcash.pdf We are open to comments and suggestions for possible improvements, any bugs reported - welcome as well.

[mineZcash]

Nice work!

CC @zookozcash

[tromer]

Great work, @feddan35 and Alex! This is very valuable analysis and guidance.

What do you think would be a good way to keep track of the evolution of these metrics and visualisations, as usage patterns (and with the coming Sapling upgrade, transaction format) evolve?

What are your plans regarding releasing the analysis tools as open source?

[feddan35]

We are planning to release the tool at the end of June, as it still needs some minor improvements.

Regarding the figures and metrics, it is possible to recompute them every 6/12 months, but for regular updates we need a better solution.

[sonyamann]

Hi @feddan35 — is late June still your ETA for this project? Perhaps at Zcon0?

[feddan35]

The tool is available here: https://github.com/cryptolu/BlockSci