Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin’s P2P Network Presenter: Giulia Fanti Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath 1
Blockchain Bitcoin P2P Primer sd93fjj2 pckrn29 … tx tx Bob Alice k B k A 2
Privacy requirement: Address and real identity must be unlinkable Bitcoin Address IP Address 3
Today, messages spread with diffusion. t=0.25 t=2.9 ! ! ! ! ! ! ! ! Alice ! t=1.1 4
Diffusion is vulnerable to source detection! Biryukov et al. CCS 2014 Koshy et al., Financial Crypto 2014 F. and Viswanath, NIPS 2017 5
Dandelion Lightweight transaction propagation algorithm with provable privacy guarantees. Venkatakrishan et al. , ACM Sigmetrics 2017; F. et al. , ACM Sigmetrics 2018 6
FAQ: Why not alternative solutions? Connect through Tor I2P Integration (e.g. Monero) Tor 7
Model Assumptions and Notation 8
Adversarial model observe all identities metadata unknown spies collude fraction p of spies honest- but-curious 9
Metric for Anonymity Users Transactions Re Recall ll Precisi sion 1 1 % & ' s tx = & 1 1 % & ' s tx = & " # " # # tx mapped to v $ $ Mapping User Number honest users Mapping % 10
Goal: Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary. 11
Fundamental Limits 1 Thm : Maximum Thm recall ≥ " . Precision Thm : Maximum Thm precision ≥ " # . Fraction of spies p 2 1 0 p Recall 12
What are we looking for? As Asymmetry Mi Mixing spy 2 3 1 4 13
What can we control? Spreading Topology Dynamicity Protocol Approximately Dynamic Diffusion regular Static What is the underlying How often does the Given a graph, how graph topology? graph change? do we spread content? 14
Spreading Protocol: Dandelion 2) Spreading Phase 1) Anonymity Phase 15
Why Dandelion spreading? Theor Theorem em : Dandelion spreading has an $ optimally low maximum recall of ! + # % . lower bound = p fraction number of of spies nodes 16
Graph Topology: Line tx1 Anonymity graph tx2 “Regular” graph 17
Dynamicity: High Change the anonymity graph frequently. 18
D ANDELION Network Policy Spreading Topology Dynamicity Protocol Dandelion Line Dynamic Spreading graph Static What is the anonymity How often does the Given a graph, how graph topology? graph change? do we spread content? 19
lower bound = p 2 Theor Theorem em : D ANDELION has a nearly-optimal !" # ! $ $%" log " + * maximum precision of + .* fraction number of of spies nodes *For , < $ . 20
Performance: Achievable Region 1 Flood Fl ooding ng Precision Di Diffusion D AN ANDELION p 2 0 p 1 Recall 21
Why does D ANDELION work? Strong mixing properties. Complete graph Tree (Crowds, Tor) Too many paths Too many leaves % &'% (1 − * %'& ) Precision: Precision: !(#) 22
Graph construction in practice tx1 Choose d=1 outbound edges 23
Gives approximate d-regular anonymity graph d=1 24
What are drawbacks of Dandelion? Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees, ACM Sigmetrics 2018 25
Experiments on mainnet 16 %est )Lt 14 0LnLPuP (est) TLPe to 10% (seFonds) 12 10 8 6 4 2 0 0 2 4 6 8 10 12 Path Length 26
Take-Home Messages 1) Bitcoin’s P2P network has weak anonymity protections 2) DANDELION may be a lightweight solution against large-scale deanonymization attacks (but doesn’t replace Tor!) 3) More information at: https://github.com/dandelion-org/bips https://github.com/dandelion-org/bitcoin 27
Simulation on Bitcoin P2P Topology 1 Probability of Detection 0.9 0.8 Diffusion 0.7 0.6 0.5 Trickle, Theoretical lower bound 0.4 Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical 0.3 Diffusion, Simulation 0 5 10 15 20 # Supernode Connections per Node 28 F. and Viswanath, NIPS 2017
4-Regular Graphs • More robust against adversaries that learn the graph • Per-transaction routing vulnerable to intersection attacks One-to-one Routing • Pro : Increases cost of graph-learning attacks • Con : Can make transactions from the same source easier to link 29
FAQ: Why not Tor? • Tor, VPNs, etc. address this problem • Only work for savvy or privacy-aware users • If Bitcoin is to become a mainstream payment system, it should protect everyone’s transactions • Dandelion: lightweight, easy to integrate into existing network 30
Strength of Guarantees Dandelion Date of Invention 31 Narayanan and Möser, 2017
Moving from theory to practice 32
Adversarial Implementation Model Byzantine Intersection AS-Level Graph Deployment nodes attacks Adversaries construction 33
Implementation: Dandelion spreading 2) Spreading Phase 1) Anonymity Phase 34
Anonymity graph construction Degree 35
Adversarial Model: Byzantine nodes Learn Lear n the he Mi Misbehave during Misbehave during Mi gr graph ph gr graph ph construction pr propa paga gation 4-re regular gr graph phs 36
Anonymity graph construction 37
Dealing with stronger adversaries Learn Lear n the he Mi Misbehave during Mi Misbehave during gr graph ph graph gr ph construction pr propa paga gation On Only send send 4-re regular Multiple nodes Mu me messages on graph gr phs di diffuse out outgoi oing ng ed edges es 38
Partial deployment Not running Dandelion Running Dandelion tx1 39
Latency Overhead: Estimate PDF Time to first transaction sighting (s) 40 twork, Decker and Wattenhofer, 2013 In Info formati tion P Propagati tion i in th the B Bitc tcoin N Netw
< 5 sec 41
D ANDELION vs. Tor, Crowds, etc. 1) Messages propagate over the sa same cycle graph 2) Anonymity graph changes dynamically. 3) No encryption required. 42
Upper bound (Known graph) Lower bound Line (unknown) (Known graph) Line (known) 4-reg (unknown) 4-reg (known) Precision Upper bound d-regular graphs give robustness! (Unknown graph) 10 -1 10 -1 10 -1 Lower bound (Unknown graph) 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 0.1 0.1 0.15 0.15 0.2 0.2 0.25 0.25 0.3 0.3 0.35 0.35 0.4 0.4 0.45 0.45 0.5 0.5 Fraction of Spies 43
44
Anonymity graph construction Base Case k=1 Rounds k=1 rounds of Base Case Degree Degree-Checking 45
Dealing with stronger adversaries Lear Learn n the he Misbehave during Mi Mi Misbehave during graph gr ph gr graph ph construction pr propa paga gation 4-re regular Ge Get rid of degree- Mu Multiple nodes gr graph phs checki checking ng di diffuse 46
Learning the anonymity graph Precisi sion Line Random regular ! p # log 1 Graph unknown ( ? Ω(() Graph known 47
Manipulating the anonymity graph 48
D ANDELION++ Network Policy Spreading Topology Dynamicity Protocol Dandelion 4-regular Dynamic Spreading graph Static What is the anonymity How often does the Given a graph, how graph topology? graph change? do we spread content? 49
Recommend
More recommend