Draft of Flipstarter for CashFusion Red Team
Please send feedback to @Rucknium on Telegram, Reddit or Discord or Rucknium@protonmail.com
Flipstarter amount requested: 18 BCH
Funding campaign start: August 19
Funding campaign end: September 9
The CashFusion transaction privacy protocol is one of BCH's crown jewels. What if it could be made even more robust through a Red Team analysis? Red Team analysis is a concept from the fields of cybersecurity and military planning that involves investigating the strength of security measures by simulating attacks on the defenses and then developing improvements to those security measures.
It is almost a certainty that chain analysis firms are Red Teaming CashFusion for real right now -- and they're playing for keeps. We need to know what the weaknesses are, if any, and address them. This Flipstarter will fund the first phase of a CashFusion Red Team project.
Versión en español disponible: haz clic en el circulo inferior derecho.
Statement of the problem
"People are born free, and everywhere they are in chains." -- Rousseau, 1762
Privacy is a fundamental human right that all people deserve. Over the last decade, governments and private entities around the world have rapidly augmented their capacity and eagerness to engage in mass surveillance of the daily social, political, and economic lives of all humans on earth. However, all hope is not lost. Individuals have begun reclaiming their right to privacy. They have done this not by nicely asking authority to respect their privacy, but by taking charge themselves and ensuring that it is mathematically infeasible to invade the personal details of their lives. Some of the tools and techniques being used include end-to-end encryption, steganography, and TOR.
Maintaining privacy in economic affairs presents a special challenge. Unlike personal communication, in which only the intended parties to a conversation must be able to verify the contents of the message, economic activity is driven by a concept -- money -- that ultimately must be verifiable by economic actors that are not supposed to be privy to the private details of the transactions themselves.
Bullion precious metals and fiat currency, with their well-known drawbacks, rely on chemical self-verification and verification by a centralized authority, respectively. Bitcoin, with its own novel solution to the verification problem in the form of a distributed blockchain ledger with all transactions in plain sight, leaks personal financial information in ways that bullion precious metals and fiat currency do not. The privacy features of bitcoin, as described in section 10 of its white paper, have turned out to be no defense against attacks by advanced statistical techniques, putting users' privacy at risk and as well as their physical safety.
In essence, CashFusion allows users to coordinate with each other in an anonymous fashion to create one huge transaction with many inputs and outputs in which any particular input cannot be linked to any particular output. It is similar to individuals placing identical metal coins into a real bucket, shaking the bucket, and giving random coins back to the individuals who originally put coins in the bucket. It is impossible to know which coins originally belong to which users. Thus, CashFusion breaks the chain of linkages that could otherwise be used to unmask the true identity of a BCH user.
Recent events demonstrate urgency for improvements to CashFusion
In just the past two months, regulators in the European Union and the United States have proposed massive changes in the requirements to disclose cryptocurrency use for cryptocurrency services providers as well as ordinary users. Ostensibly, these proposals are designed to defeat terrorism financing and tax evasion, but their effect is a severe invasion of the financial privacy of cryptocurrency users. Furthermore, the U.S. federal government in particular does not have the best track record in protecting personal data from data breach. Therefore, once the U.S. government gains access to data on the cryptocurrency activities of millions of people, that information may well be considered as having passed into the hands of cryptocurrency thieves, foreign governments, and miscellaneous hackers -- and possibly exposed publicly.
Legal threats, of course, require that a state be able to exercise its classical monopoly on violence, which entails that a state can identify the squishy human bodies that are linked with cryptocurrency transactions. Strong privacy measures at the blockchain protocol level could defeat such threats. However, even protocol-level privacy is under attack. In 2020, the IRS, the federal tax agency of the United States, awarded a $1.25 million contract to a chain analysis firm to develop methods to track transactions on BTC's Lightning Network and the Monero blockchain.
It is unknown how successful the chain analysis firm may have been, but if Monero is vulnerable, then CashFusion may also be at risk. The CashFusion developers have acknowledged that CashFusion "does not offer everything Monero does". CashFusion may already be under attack by sophisticated statistical techniques.
Putting fresh eyes onto privacy protocols has been fruitful for other cryptocurrencies. Last year, a serious flaw in Wasabi Wallet's BTC CoinJoin protocol was discovered by external researchers. Just a few weeks ago an external software engineer discovered a significant privacy bug in Monero's reference wallet software. I am personally one of the people working to patch that particular Monero bug in a way that is statistically sound.
CashFusion Red Team: Sometimes the best defense is a good offense
In June 2020 Kudelski Security completed a security audit of CashFusion. The audit primarily dealt with ensuring that the protocol could not steal coins from CashFusion participants and that the communication channels used to negotiate the construction of CashFusion transactions are secure. They did analyze the privacy guarantees, but not very thoroughly.
One of the audit's recommendations was:
[A] higher level of assurance could be achieved by providing a thorough security analysis of the protocol under realistic adversarial conditions. Specifically, we would recommend to add: A threat model...[and] more rigorous analysis of the amount linkage risks (the combinatorial arguments is a good start.)....The exercise of working out such documents may in turn reveal overlooked design aspects or unforeseen optimizations.
I have confirmed with Electron Cash lead maintainer Jonald Fyookball that Electron Cash has not yet made progress on this recommendation from the audit.
The CashFusion Red Team project, if funded by this Flipstarter proposal, would follow through on this recommendation by probing for weaknesses in the privacy guarantees of the CashFusion protocol and user utilization of it. It will focus on any clues left on the blockchain by Cashfusion that could be weaponized by chain analysis firms or other opponents of privacy. Any hypothetical attacks on CashFusion dealing with attacks on the CashFusion server itself are outside of the scope of the CashFusion Red Team, at least in the medium term.
I pledge to follow responsible disclosure procedures by informing Electron Cash developers of all significant findings before they are revealed publicly, if at all, so that they can be fixed or mitigated.
From observation and some quick searches of the r/btc subreddit, it is apparent that there is already implicit demand for something like a CashFusion Red Team. There is widespread confusion among users about what behavior is safe while they are using CashFusion. (Yes, there are 8 separate links there.) How many fusions should you do before you are 100% protected? To what extent can you consolidate coins after fusing them? This isn't a matter of inadequately communicating information to users; reliable answers to these questions do not exist yet.
I have a sense of what is almost certainly unsafe user behavior and what is probably safe user behavior, at the extremes. Sending X amount of BCH to a new wallet, running a few CashFusion transactions, and then consolidating the fused coins into a single coin and spending all X BCH is almost certainly unsafe, for instance. The "endpoint" transactions can be linked by an adversary by simply searching for nearly-identical amounts of BCH at the beginning and end of the CashFusion process.
On the other hand, fusing coins many times and leaving them in a fused, unspent state would probably prevent an adversary from knowing which coins are yours. However, BCH was meant to be spent -- and it is in the spending (and possible consolidation) that user privacy could be endangered.
The vast majority of users are going to engage in behavior between these two extremes. The privacy risks associated with this behavior are unknown. Part of the goal of the CashFusion Red Team is to uncover any privacy risks, issue recommendations to users, suggest optimal defaults for CashFusion transaction parameters, and determine if any changes should be made to the core CashFusion protocol to better guard user privacy.
Work already completed
Before launching this Flipstarter campaign, I laid some groundwork. Using the R statistical programming language, I scanned the BCH blockchain by querying my full node and extracted all CashFusion transactions with code I wrote available here. Then I built a basic webapp with R Shiny that allows users to visualize trends in CashFusion use over time, available at fusionstats.redteam.cash . One insight that is already apparent in this limited work is that there is no substantial difference between the number of CashFusion transactions completed in Fridays, despite the weekly Fusion Fridays campaign.
Phase One of the CashFusion Red Team campaign will build on this work.
Phase One Deliverables
1) Expanded feature set and robustness of fusionstats.redteam.cash
The first deliverable will be a feature-complete and production-ready fusionstats.redteam.cash . It differs from the existing https://stats.cash/#/fusion in that it offers a high degree of interactivity with the CashFusion data.
Expanded feature set:
- Add a visualizer of individual CashFusion transactions as a network graph as well as their ancestor and descendent transactions.
- Add an explanation of how CashFusion works with a visual, possibly animated, component.
- Statistics on the total proportion of all BCH in existence that has ever been part of a CashFusion transaction. This is different from -- and much harder to compute than -- the current displayed sum of BCH involved in every CashFusion transaction, which double-counts the coins that have been fused many times.
- These features will be tested for user-friendliness by a focus group of individuals who will receive micropayments in BCH for their time. Additional feature requests from the focus group could be incorporated into the plan for fusionstats.redteam.cash
- Technical improvements to make the server processes multi-threaded on multiple CPU cores.
- Auto-update the data. Right now, I must run a script manually to update the data.
- Make it so someone can run the R Shiny app on their own computer by following only one or two steps.
- Multi-language support: Definitely Spanish. Possibly Mandarin Chinese and other languages.
- Possibly have a .onion version of the webapp so that it can be used via the TOR onion network for high privacy.
Benefits to BCH community:
- fusionstats.redteam.cash will enable monitoring of the spread of adoption of CashFusion. Greater adoption of CashFusion is important for the privacy of even existing CashFusion users since it increases the total anonymity set of CashFusion users.
- fusionstats.redteam.cash will promote adoption of CashFusion because users considering using CashFusion can be referred to the website and see CashFusion in action.
- Existing users of CashFusion will be able to see the network graph of their CashFusion transactions as well as their ancestors and descendants.
rbch, a BCH blockchain package for the R statistical programming language
The CashFusion Red Team research program will require an extensive toolkit for the extraction, manipulation, analysis, and simulation of CashFusion transactions as well as their ancestor and descendant transactions. If funded, Phase One will build a strong base for this toolkit by creating
rbch, a package written in the R statistical programming language, and ensuring that it is made available to all R users on the Comprehensive R Archive Network (CRAN).
Already available on CRAN is
rbtc, a package for analysis of the BTC blockchain. Since
rbtc is open source under a GPL-3 license, I can use its code as a starting point. Most of its RPC-based functions that are used to extract data from the blockchain do not work on BCH, however, so substantial labor is needed to reach feature parity between
rbtc. Once feature parity with
rbtc is reached, functions will be written to handle blockchain characteristics that are particular to BCH, such as CashFusion transactions, SLP tokens, multiple OP_RETURNs, Schnorr signatures, and so forth.
In preparation for the computationally intensive work necessary for future phases of the Red Team research program, I will also run performance benchmarks to determine the best way to extract data from the blockchain. These benchmarks will involve, at a minimum, extracting all transactions from the entire BCH blockchain using the JSON-RPC methods available from the six BCH full node implementations: BCHD, Bitcoin Cash Node (BCHN), Bitcoin Unlimited (BU), Bitcoin Verde, Flowee, and Knuth. It may also involve testing the non-RPC methods, such as APIs and gRPC, that particular node implementations provide.
Benefits to BCH community:
- The main benefit of writing rbch is that it would provide a springboard for statistical analysis of the BCH blockchain, including of course possible weaknesses in CashFusion. Answers to myriad research questions regarding transaction patterns would be within reach. According to the BCH community, BCH is the best platform for peer-to-peer electronic cash. It's time to evaluate that claim with data.
rbchon CRAN would "put BCH on the map" for R programmers, raising its status among the world's top statisticians. R is number 14 among all programming languages in the TIOBE Programming Community index of popularity -- ranking above Go, Ruby, and Rust -- and it is the #1 statistical programming language, beating MATLAB, SAS, Julia, and Stata. Similar packages are already available for other blockchains: one for BTC and two for ETH. A
rbchpackage would put BCH on an equal footing with these other cryptocurrencies.
- I have confirmed with developers of 5 of the 6 full node implementations that they are unaware of any benchmarks comparing the performance of their nodes' JSON-RPC capabilities. My benchmarks will therefore be the first such benchmarks. This would benefit other developers in the BCH ecosystem by providing them with information about RPC performance across the full node implementations. It could also reveal bottlenecks in the full nodes' RPC methods, encouraging the nodes' developers to boost performance. Competition spurs innovation, after all.
3) Establishment of the CashFusion Red Team as a brand concept
I chose the term "Red Team" for branding for a number of reasons. First, it fits the concept: using statistical techniques that may be used by the adversaries of privacy, such as chain analysis firms, for the purpose of making CashFusion more difficult to defeat.
Second, a "Red Team" is clearly distinguished from an "audit", which was already performed in 2020 by Kudelski Security, so there is no confusion among the public. "Audit" as a term suggests the notion of a piece of software meeting or exceeding some industry-wide standard. Establishing resistance to a chain analysis statistical attack is a very new field. There are no clear standards. Everything is experimental and cutting-edge.
Third, it is consistent with other coins' evocative terms for introspective examinations of their privacy measures. For example, Monero developers produced a 14-part series called "Breaking Monero" that examined possible weaknesses in Monero's security model. Figuratively, I am the Red Team pitted against the Electron Cash developers' Blue Team. Of course, usually a team has more than one member. To be clear, I am open to working with others on this project, including reallocating a share of the Flipstarter funds, if a productive collaboration can be established.
Benefits to the BCH community:
- A Red Team for CashFusion is good for BCH marketing. CashFusion itself is a crown jewel of BCH, mending one of the few weaknesses in bitcoin's original protocol as outlined in Satoshi's white paper. It has appeared in numerous BCH marketing materials, from Twitter to Youtube to earned media. The existing marketing efforts for CashFusion can be augmented by adding, "And CashFusion even has a Red Team using advanced statistical techniques to look for any weaknesses and fix them."
5 BCH -- Skilled labor to make fusionstats.redteam.cash feature-complete and robust
10 BCH -- Skilled labor to write rbch, a BCH blockchain package for the R statistical programming language
0.2 BCH -- Micropayments to participants in focus groups for feedback on fusionstats.redteam.cash
1.8 BCH -- Two years of Njalla VPS "45" configuration (45 Euros/month for two years = 1,080 Euros) and two years of domain name registration of redteam.cash (30 Euros/year for two years = 60 Euros)
1 BCH -- Additional computer hardware for computationally expensive tasks, particularly benchmarks of JSON-RPC on all 6 full node implementations
18 BCH Total
Phase One is only the first step in the CashFusion Red Team project. It lays a strong foundation for carrying out the rest of the project, which can be grouped into the following phases. (The exact structure of future phases is subject to change as more is learned about CashFusion's statistical properties, and future Flipstarters will possibly combine two phases into a single funding round. Phases 3 and 4 might be prioritized over Phase 2 under certain conditions.)
Part A: Identify theoretically unsafe user behavior. Certain spending patterns, such as combining most or all fused outputs, could lead to de-anonymization.
Part B: Determine if this unsafe behavior exists "in the wild" on the blockchain in the actual CashFusions made to date.
Part C: There is potential for an Electron Cash plugin that would warn you if you are about to make a transaction that would expose you to certain de-anoymizing risks. Based on numerous user questions and concerns about usage risks of CashFusion on Reddit, there seems to be high demand for such a plugin.
Examine weaknesses in the protocol and wallet behavior that may leak information, excluding the combinatorics of the CashFusion transactions themselves. Just from observing CashFusion in my own wallet, I have identified 4 avenues to investigate. Revealing them is probably not too sensitive, but to be safe I will keep the list close to my chest for now.
Examine weaknesses in the combinatorial argument itself. This will require sophisticated mathematical techniques, a deep review of the academic literature, and long nights at the chalkboard. The results of the CashFusion Red Team analysis may appear as a peer-reviewed article in an academic journal, once information that could compromise user privacy is purged from the analysis.
Timeline and reporting progress
This Flipstarter will finalize on September 9. I expect that Phase One will take a maximum of three months to complete, so anticipated completion is no later than December 9. Since software produced in Phase One will be completely open source, frequent updates to the codebases will be visible on my GitHub account. I will also provide short written progress reports on a monthly basis at my read.cash account.
I am an empirical microeconomist. That means that I use real-world data, rather than mathematical theory, to investigate economic questions at the level of consumers, businesses, and industries. While reading about bitcoin's skyrocketing price in 2017, I set out to see if I could prove to myself the hypothesis that bitcoin was just a classic tulip-mania-style asset bubble.
I tried to keep an open mind, and the more I read the more I recognized that bitcoin does actually present a solution to many real economic problems. So I rejected my initial hypothesis and have since kept abreast of developments in cryptocurrency. As an economist I was aware of the Nobel Prize-winning work of economic historian Douglass North who found that reduction of transaction costs was a key driver of economic prosperity throughout history. BTC's small-block route with its rising transaction costs seemed to put the vehicle of economic progress in reverse, and so I have been more interested in big-block BCH ever since the August 2017 schism.
I have chosen to remain pseudonymous for many reasons. Among them are the legal and extralegal threats against individuals working on privacy software within the cryptocurrency ecosystem. Pseudonymity creates difficulties with accountability and reputation. In terms of accountability, I have structured this Flipstarter as a series of phases rather than one large project with a high BCH request because multiple phases of a repeated game creates greater incentives for cooperation within a game theory framework. In terms of reputation: yes I am a new face in the BCH community, but my limited body of high-quality work available at my GitHub and read.cash accounts shows what I am capable of.