Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja - PowerPoint PPT Presentation

Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja Venkatakrishnan, Giulia Fanti, Pramod Viswanath

“Untraceable Bitcoin” https://www.youtube.com/watch?v=k8LqlMzEe-­‑I

This is false.

Blockchain sd93fjj2 Bitcoin Primer pckrn29 … our transaction Transaction k A sends k coin to k B Bob Alice k B k A k coin

How can users be deanonymized? What about the peer-to-peer network? Blockchain Meiklejohn et al., 2013

Attacks on the Network Layer Eavesdropper Biryukov et al., 2014 Koshy et al., 2014 Alice

Our Work Analysis Redesign 2) Spreading Phase 1) Anonymity Phase Pr(detection) Dandelion Under submission, 2017 Under submission, 2017

Analysis How bad is the problem?

Flooding Protocols Trickle (pre-2015) Diffusion (post-2015) (4) (1) exp ¡ (𝜇) exp ¡ (𝜇) exp ¡ (𝜇) exp ¡ (𝜇) (2) (3)

Does diffusion solve the problem?

Results: d-Regular Trees Theorem : The maximum-likelihood probabilities of detection for diffusion and trickle are asymptotically identical in d.

Results: Trees Trickle Probability of Detection Diffusion Number of Corrupt Connections

Results: Bitcoin Graph 1 Trickle Probability of Detection 0.9 0.8 Diffusion 0.7 0.6 0.5 Trickle, Theoretical lower bound 0.4 Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical 0.3 Diffusion, Simulation 0 5 10 15 20 Number of Corrupt Connections

Diffusion does not have (significantly) better anonymity properties than trickle.

Redesign Can we design a better network?

Adversarial Model observe all metadata learn the graph over fraction p time of spies honest- but-curious

Metric for Anonymity Recall (Probability of Precision Detection)

Goal: Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary.

Fundamental Limits 1 1 Max ¡recall ≥ 𝑞 Precision p Max ¡precision ≥ 𝑞 6 p 2 0 1 0 p 1 Recall

Proposed Algorithm: Dandelion 2) Spreading Phase 1) Anonymity Phase

How is Dandelion different from Tor? 1) Messages propagate over the same cycle graph 2) Cycle graph changes dynamically. 3) No encryption required.

Performance: Achievable Region 1 Flooding Precision Diffusion Dandelion p 2 0 p 1 Recall

Practical Issues Base Case Constructing a Hamiltonian cycle k=1 Rounds k=1 rounds of Degree Base Case Degree-Checking

Comparison with Alternative Solutions Connect through Tor I2P Integration (e.g. Monero) Tor

Next Steps Other Practical Byzantine adversarial demonstration nodes models of viability

Take-Home Messages 1) Bitcoin P2P anonymity = L . 2) Moving from trickle to diffusion did not help. 3) Dandelion may be a lightweight solution for certain classes of adversaries.