Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja - PowerPoint PPT Presentation

Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja Venkatakrishnan, Giulia Fanti, Andrew Miller, Pramod Viswanath

Why do People Use Cryptocurrencies? Technical Properties/ Currency Stability Investment Ideology

“Untraceable Bitcoin”

This is false.

Blockchain sd93fjj2 Bitcoin Reminder pckrn29 … our transaction Transaction k A sends k tx to k B Bob Alice k B k A k tx

How can users be deanonymized? Entire transaction histories can be compromised. Blockchain Meiklejohn et al., 2013

What about the peer-to-peer network? Public Key IP Address

Our Work Analysis Redesign 2) Spreading Phase 1) Anonymity Phase Pr(detection) Dandelion Under submission, 2017 ACM Sigmetrics 2017

Model Assumptions and Notation

Attacks on the Network Layer Eavesdropper Biryukov et al., 2014 Koshy et al., 2014 Alice

What can go wrong? Eavesdropper Alice

What the eavesdropper can do about it 2 3 1 Alice

Summary of adversarial model Eavesdropper number 𝜾 fraction p connections compromised 𝜄 = 2 nodes

∞ Part II Redesign Botnet Part I Analysis Connections 𝜄 Eavesdropper to adversary 1 p 1 0 Fraction of Spies

Analysis How bad is the problem?

Flooding Protocols Trickle (pre-2015) Diffusion (post-2015) (4) (1) exp ¡ (𝜇) exp ¡ (𝜇) exp ¡ (𝜇) exp ¡ (𝜇) (2) (3)

Does diffusion provide stronger anonymity than trickle spreading?

d-regular trees Eavesdropper Fraction of spies 𝑞 = 1 Arbitrary number of connections 𝜄

timestamps 𝑄(detection|𝝊, 𝐻) Anonymity Metric graph 𝜐 8 = 2.0 𝜐 @ = 0.3 𝜐 8 𝜐 = 𝜐 ; = 0.7 𝝊 = … 𝜐 H 𝜐 = = 1.1 𝜐 > = 1.5

timestamps 𝑄(detection|𝝊, 𝐻) Estimators graph 𝜐 8 = 2.0 𝜐 @ = 0.3 𝜐 ; = 0.7 Maximum- First-Spy Likelihood 𝜐 = = 1.1 𝜐 > = 1.5

Results: d-Regular Trees Trickle Diffusion 𝑃 log 𝑒 𝑃 log 𝑒 First-Timestamp 𝑒 𝑒 Ω(1) Ω(1) Maximum-Likelihood Intuition: Symmetry outweighs local randomness! Probability of Detection Maximum-Likelihood First-timestamp Degree, d

Proof sketch (diffusion, max likelihood) Not yet received Received - Generalized Polya Urns Source Received and reported - Concentration of measure

Results: Trees Trickle Probability of Detection Diffusion Number of Eavesdropper Connections

Results: Bitcoin Graph 1 Trickle Probability of Detection 0.9 0.8 Diffusion 0.7 0.6 0.5 Trickle, Theoretical lower bound 0.4 Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical 0.3 Diffusion, Simulation 0 5 10 15 20 Number of Eavesdropper Connections

Diffusion does not have (significantly) better anonymity properties than trickle.

Redesign Can we design a better network?

Botnet adversarial model observe all identities metadata unknown spies collude fraction p of spies honest- but-curious

� � Metric for Anonymity Users Transactions Recall Precision 1 𝑜 O 1 𝑁 𝑤 R s ¡tx = 𝑤 1 𝑜 O 1 𝑁 𝑤 R s ¡tx = 𝑤 # ¡tx ¡mapped ¡to ¡v U U Mapping User Number honest users 𝔽[Recall] ¡= ¡ Mapping 𝑁 Probability ¡of ¡Detection

Goal: Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary.

Fundamental Limits 1 Thm : Maximum recall ≥ 𝑞 . Precision Thm : Maximum precision ≥ 𝑞 = . Fraction of spies p 2 1 0 p Recall

What are we looking for? Asymmetry Mixing spy 2 3 1 4

What can we control? Spreading Topology Dynamicity Protocol Approximately Dynamic Diffusion regular Static What is the underlying How often does the Given a graph, how graph topology? graph change? do we spread content?

Spreading Protocol: Dandelion 2) Spreading Phase 1) Anonymity Phase

Why Dandelion spreading? Theorem : Dandelion spreading has an 8 optimally low maximum recall of 𝑞 + 𝑃 H . lower bound = p fraction number of of spies nodes

Graph Topology: Line tx1 Anonymity graph tx2 “Regular” graph

Dynamicity: High Change the anonymity graph frequently.

D ANDELION Network Policy Spreading Topology Dynamicity Protocol Dandelion Line Dynamic Spreading graph Static What is the anonymity How often does the Given a graph, how graph topology? graph change? do we spread content?

lower bound = p 2 Theorem : D ANDELION has a nearly-optimal maximum precision of =d e = 8 8fd log d + 𝑃 H .* fraction number of of spies nodes 8 *For 𝑞 < >

Performance: Achievable Region 1 Flooding Precision Diffusion D ANDELION p 2 0 p 1 Recall

Why does D ANDELION work? Strong mixing properties. Tree Complete graph Too many paths Too many leaves d 8fd (1 − 𝑓 df8 ) Precision: Precision: 𝑃(𝑞)

How practical is this?

Dandelion spreading 2) Spreading Phase 1) Anonymity Phase

Anonymity graph construction Degree

Dealing with stronger adversaries Misbehave during Misbehave during Learn the graph construction propagation graph Only send 4-regular Multiple nodes messages on graphs diffuse outgoing edges

Anonymity graph construction

Latency Overhead: Estimate Avg. Dandelion delay = 1-4 seconds (3-5% overhead) PDF Time to first transaction sighting (s) Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013

Deployment considerations Not running Dandelion Running Dandelion tx1

Why not alternative solutions? Connect through Tor I2P Integration (e.g. Monero) Tor

Strength of Guarantees Dandelion Date of Invention Narayanan and Möser, 2017

Take-Home Messages 1) Bitcoin’s P2P network has poor anonymity. 2) Moving from trickle to diffusion did not help. 3) D ANDELION may be a lightweight solution for certain classes of adversaries. https://github.com/gfanti/bitcoin

D ANDELION vs. Tor, Crowds, etc. 1) Messages propagate over the same cycle graph 2) Anonymity graph changes dynamically. 3) No encryption required.

Upper bound (Known graph) Lower bound Line (unknown) (Known graph) Line (known) 4-reg (unknown) 4-reg (known) Precision Upper bound d-regular graphs give robustness! (Unknown graph) 10 -1 10 -1 10 -1 Lower bound (Unknown graph) 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 0.1 0.1 0.15 0.15 0.2 0.2 0.25 0.25 0.3 0.3 0.35 0.35 0.4 0.4 0.45 0.45 0.5 0.5 Fraction of Spies

Anonymity graph construction Base Case k=1 Rounds k=1 rounds of Degree Base Case Degree-Checking

Dealing with stronger adversaries Misbehave during Misbehave during Learn the graph construction propagation graph 4-regular Get rid of Multiple nodes graphs degree-checking diffuse

Learning the anonymity graph Precision Line Random regular 𝑃 p = log ¡ 1 Graph unknown 𝑞 ? Ω(𝑞) Graph known

Manipulating the anonymity graph

D ANDELION++ Network Policy Spreading Topology Dynamicity Protocol Dandelion 4-regular Dynamic Spreading graph Static What is the anonymity How often does the Given a graph, how graph topology? graph change? do we spread content?