dandelion privacy preserving transaction propagation in
play

Dandelion: Privacy-Preserving Transaction Propagation in Bitcoins - PowerPoint PPT Presentation

Dandelion: Privacy-Preserving Transaction Propagation in Bitcoins P2P Network Presenter: Giulia Fanti Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath 1 Blockchain


  1. Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin’s P2P Network Presenter: Giulia Fanti Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath 1

  2. Blockchain Bitcoin P2P Primer sd93fjj2 pckrn29 … tx tx Bob Alice k B k A 2

  3. Privacy requirement: Address and real identity must be unlinkable Bitcoin Address IP Address 3

  4. Today, messages spread with diffusion. t=0.25 t=2.9 ! ! ! ! ! ! ! ! Alice ! t=1.1 4

  5. Diffusion is vulnerable to source detection! Biryukov et al. CCS 2014 Koshy et al., Financial Crypto 2014 F. and Viswanath, NIPS 2017 5

  6. Dandelion Lightweight transaction propagation algorithm with provable privacy guarantees. Venkatakrishan et al. , ACM Sigmetrics 2017; F. et al. , ACM Sigmetrics 2018 6

  7. FAQ: Why not alternative solutions? Connect through Tor I2P Integration (e.g. Monero) Tor 7

  8. Model Assumptions and Notation 8

  9. Adversarial model observe all identities metadata unknown spies collude fraction p of spies honest- but-curious 9

  10. Metric for Anonymity Users Transactions Re Recall ll Precisi sion 1 1 % & ' s tx = & 1 1 % & ' s tx = & " # " # # tx mapped to v $ $ Mapping User Number honest users Mapping % 10

  11. Goal: Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary. 11

  12. Fundamental Limits 1 Thm : Maximum Thm recall ≥ " . Precision Thm : Maximum Thm precision ≥ " # . Fraction of spies p 2 1 0 p Recall 12

  13. What are we looking for? As Asymmetry Mi Mixing spy 2 3 1 4 13

  14. What can we control? Spreading Topology Dynamicity Protocol Approximately Dynamic Diffusion regular Static What is the underlying How often does the Given a graph, how graph topology? graph change? do we spread content? 14

  15. Spreading Protocol: Dandelion 2) Spreading Phase 1) Anonymity Phase 15

  16. Why Dandelion spreading? Theor Theorem em : Dandelion spreading has an $ optimally low maximum recall of ! + # % . lower bound = p fraction number of of spies nodes 16

  17. Graph Topology: Line tx1 Anonymity graph tx2 “Regular” graph 17

  18. Dynamicity: High Change the anonymity graph frequently. 18

  19. D ANDELION Network Policy Spreading Topology Dynamicity Protocol Dandelion Line Dynamic Spreading graph Static What is the anonymity How often does the Given a graph, how graph topology? graph change? do we spread content? 19

  20. lower bound = p 2 Theor Theorem em : D ANDELION has a nearly-optimal !" # ! $ $%" log " + * maximum precision of + .* fraction number of of spies nodes *For , < $ . 20

  21. Performance: Achievable Region 1 Flood Fl ooding ng Precision Di Diffusion D AN ANDELION p 2 0 p 1 Recall 21

  22. Why does D ANDELION work? Strong mixing properties. Complete graph Tree (Crowds, Tor) Too many paths Too many leaves % &'% (1 − * %'& ) Precision: Precision: !(#) 22

  23. Graph construction in practice tx1 Choose d=1 outbound edges 23

  24. Gives approximate d-regular anonymity graph d=1 24

  25. What are drawbacks of Dandelion? Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees, ACM Sigmetrics 2018 25

  26. Experiments on mainnet 16 %est )Lt 14 0LnLPuP (est) TLPe to 10% (seFonds) 12 10 8 6 4 2 0 0 2 4 6 8 10 12 Path Length 26

  27. Take-Home Messages 1) Bitcoin’s P2P network has weak anonymity protections 2) DANDELION may be a lightweight solution against large-scale deanonymization attacks (but doesn’t replace Tor!) 3) More information at: https://github.com/dandelion-org/bips https://github.com/dandelion-org/bitcoin 27

  28. Simulation on Bitcoin P2P Topology 1 Probability of Detection 0.9 0.8 Diffusion 0.7 0.6 0.5 Trickle, Theoretical lower bound 0.4 Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical 0.3 Diffusion, Simulation 0 5 10 15 20 # Supernode Connections per Node 28 F. and Viswanath, NIPS 2017

  29. 4-Regular Graphs • More robust against adversaries that learn the graph • Per-transaction routing vulnerable to intersection attacks One-to-one Routing • Pro : Increases cost of graph-learning attacks • Con : Can make transactions from the same source easier to link 29

  30. FAQ: Why not Tor? • Tor, VPNs, etc. address this problem • Only work for savvy or privacy-aware users • If Bitcoin is to become a mainstream payment system, it should protect everyone’s transactions • Dandelion: lightweight, easy to integrate into existing network 30

  31. Strength of Guarantees Dandelion Date of Invention 31 Narayanan and Möser, 2017

  32. Moving from theory to practice 32

  33. Adversarial Implementation Model Byzantine Intersection AS-Level Graph Deployment nodes attacks Adversaries construction 33

  34. Implementation: Dandelion spreading 2) Spreading Phase 1) Anonymity Phase 34

  35. Anonymity graph construction Degree 35

  36. Adversarial Model: Byzantine nodes Learn Lear n the he Mi Misbehave during Misbehave during Mi gr graph ph gr graph ph construction pr propa paga gation 4-re regular gr graph phs 36

  37. Anonymity graph construction 37

  38. Dealing with stronger adversaries Learn Lear n the he Mi Misbehave during Mi Misbehave during gr graph ph graph gr ph construction pr propa paga gation On Only send send 4-re regular Multiple nodes Mu me messages on graph gr phs di diffuse out outgoi oing ng ed edges es 38

  39. Partial deployment Not running Dandelion Running Dandelion tx1 39

  40. Latency Overhead: Estimate PDF Time to first transaction sighting (s) 40 twork, Decker and Wattenhofer, 2013 In Info formati tion P Propagati tion i in th the B Bitc tcoin N Netw

  41. < 5 sec 41

  42. D ANDELION vs. Tor, Crowds, etc. 1) Messages propagate over the sa same cycle graph 2) Anonymity graph changes dynamically. 3) No encryption required. 42

  43. Upper bound (Known graph) Lower bound Line (unknown) (Known graph) Line (known) 4-reg (unknown) 4-reg (known) Precision Upper bound d-regular graphs give robustness! (Unknown graph) 10 -1 10 -1 10 -1 Lower bound (Unknown graph) 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 0.1 0.1 0.15 0.15 0.2 0.2 0.25 0.25 0.3 0.3 0.35 0.35 0.4 0.4 0.45 0.45 0.5 0.5 Fraction of Spies 43

  44. 44

  45. Anonymity graph construction Base Case k=1 Rounds k=1 rounds of Base Case Degree Degree-Checking 45

  46. Dealing with stronger adversaries Lear Learn n the he Misbehave during Mi Mi Misbehave during graph gr ph gr graph ph construction pr propa paga gation 4-re regular Ge Get rid of degree- Mu Multiple nodes gr graph phs checki checking ng di diffuse 46

  47. Learning the anonymity graph Precisi sion Line Random regular ! p # log 1 Graph unknown ( ? Ω(() Graph known 47

  48. Manipulating the anonymity graph 48

  49. D ANDELION++ Network Policy Spreading Topology Dynamicity Protocol Dandelion 4-regular Dynamic Spreading graph Static What is the anonymity How often does the Given a graph, how graph topology? graph change? do we spread content? 49

Recommend


More recommend