Post on 21-Aug-2020
Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin’s P2P Network
Presenter: Giulia Fanti
Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath
1
Bitcoin P2P Primer
Alice BobkA kB
tx
Blockchainsd93fjj2pckrn29
…tx
2
Privacy requirement:
Address and real identity must be unlinkable
Bitcoin Address IP Address
3
Today, messages spread with diffusion.
Alice
t=0.25
t=1.1
t=2.9!
!!
!
!
!
!
! !
4
Diffusion is vulnerable to source detection!
5
Biryukov et al. CCS 2014Koshy et al., Financial Crypto 2014
F. and Viswanath, NIPS 2017
Dandelion
Lightweight transaction propagation algorithm with provable privacy guarantees.
Venkatakrishan et al., ACM Sigmetrics 2017; F. et al., ACM Sigmetrics 20186
FAQ: Why not alternative solutions?Connect through Tor I2P Integration (e.g. Monero)
Tor
7
ModelAssumptions and Notation
8
Adversarial model
fraction pof spies
spies collude
honest-but-curious
observe allmetadata identities
unknown
9
Metric for Anonymity
Recall Precision1"#$
1 % &'s tx = &
Mapping %
User
UsersTransactions
Number honestusers
Mapping
1"#$
1 % &'s tx = &# tx mapped to v
10
Goal:
Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a
computationally-unbounded adversary.
11
Fundamental Limits
Precision
Recall0 1
1
pp2
Thm: Maximum precision ≥ "# .
Thm: Maximum recall ≥ ".
Fraction of spies
12
What are we looking for?
1 2 3 4 spy
Asymmetry Mixing
13
Approximatelyregular
What can we control?SpreadingProtocol
Topology Dynamicity
Static
Dynamic
How often does thegraph change?
What is the underlyinggraph topology?
Given a graph, how do we spread content?
Diffusion
14
Spreading Protocol: Dandelion
1) AnonymityPhase
2) SpreadingPhase
15
Theorem: Dandelion spreading has an optimally low maximum recall of ! + # $
% .
fraction of spies
number of nodes
lower bound = p
Why Dandelion spreading?
16
Graph Topology: Linetx1
tx2
Anonymity graph
“Regular” graph
17
Dynamicity: HighChange the anonymity graph frequently.
18
Linegraph
DANDELION Network PolicySpreadingProtocol
Topology Dynamicity
Static
Dynamic
How often does thegraph change?
What is the anonymitygraph topology?
Given a graph, how do we spread content?
DandelionSpreading
19
Theorem: DANDELION has a nearly-optimal maximum precision of !"
#
$%" log!" + * $
+ .*
fraction of spies
lower bound = p2
number of nodes
*For , < $.20
Performance: Achievable Region
Flooding
Diffusion
DANDELION
Precision
Recall0 1
1
pp2
21
Why does DANDELION work?Strong mixing properties.
Precision:!(#) Precision: %&'% (1 − *%'&)
Tree Complete graph(Crowds, Tor)
Too many leaves Too many paths
22
Graph construction in practicetx1
Choose d=1 outbound edges
23
Gives approximate d-regular anonymity graph
24
d=1
What are drawbacks of Dandelion?
Attack Effect on Dandelion Proposed Solution Effect
Graph Learning
Precision increases to !(#)
4-regular anonymity graph Limits precision gain (Thm. 1)
Intersection Empirical precision increase
Pseudorandom forwarding Improved robustness (Thm. 2)
Graph construction
Empirical precision increase
Non-interactive construction
Reduced precision gain
Black hole Transactions do not propagate
Random stem timers Provides robustness (Prop. 3)
Partial deployment
Arbitrary recall increase Blind stem selection Reduces recall (Thm. 3)
Attack Effect on Dandelion Proposed Solution Effect
Graph Learning
Precision increases to !(#)
4-regular anonymity graph Limits precision gain (Thm. 1)
Intersection Empirical precision increase
Pseudorandom forwarding Improved robustness (Thm. 2)
Graph construction
Empirical precision increase
Non-interactive construction
Reduced precision gain
Black hole Transactions do not propagate
Random stem timers Provides robustness (Prop. 3)
Partial deployment
Arbitrary recall increase Blind stem selection Reduces recall (Thm. 3)
Attack Effect on Dandelion Proposed Solution Effect
Graph Learning
Precision increases to !(#)
4-regular anonymity graph Limits precision gain (Thm. 1)
Intersection Empirical precision increase
Pseudorandom forwarding Improved robustness (Thm. 2)
Graph construction
Empirical precision increase
Non-interactive construction
Reduced precision gain
Black hole Transactions do not propagate
Random stem timers Provides robustness (Prop. 3)
Partial deployment
Arbitrary recall increase Blind stem selection Reduces recall (Thm. 3)
Attack Effect on Dandelion Proposed Solution Effect
Graph Learning
Precision increases to !(#)
4-regular anonymity graph Limits precision gain (Thm. 1)
Intersection Empirical precision increase
Pseudorandom forwarding Improved robustness (Thm. 2)
Graph construction
Empirical precision increase
Non-interactive construction
Reduced precision gain
Black hole Transactions do not propagate
Random stem timers Provides robustness (Prop. 3)
Partial deployment
Arbitrary recall increase Blind stem selection Reduces recall (Thm. 3)
25Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees, ACM Sigmetrics 2018
Experiments on mainnet
0 2 4 6 8 10 12Path Length
0
2
4
6
8
10
12
14
16
TLP
e t
o 1
0%
(se
Fon
ds)
%est )Lt0LnLPuP (est)
26
Take-Home Messages1) Bitcoin’s P2P network has weak anonymity protections
2) DANDELION may be a lightweight solution against large-scale deanonymization attacks (but doesn’t replace Tor!)
3) More information at:
https://github.com/dandelion-org/bipshttps://github.com/dandelion-org/bitcoin
27
Simulation on Bitcoin P2P Topology
0 5 10 15 20
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Trickle, Theoretical lower boundTrickle, SimulatedTrickle, Theoretical lower bound (d=2)Diffusion, TheoreticalDiffusion, Simulation
Prob
abilit
y of
Det
ectio
nDiffusion
# Supernode Connections per Node 28
F. and Viswanath, NIPS 2017
• More robust against adversaries that learn the graph
• Per-transaction routing vulnerable to intersection attacks
• Pro: Increases cost of graph-learning attacks• Con: Can make transactions from the same source easier to link
4-Regular Graphs
One-to-oneRouting
29
FAQ: Why not Tor? • Tor, VPNs, etc. address this problem
• Only work for savvy or privacy-aware users
• If Bitcoin is to become a mainstream payment system, it should protect everyone’s transactions
• Dandelion: lightweight, easy to integrate into existing network
30
Narayanan and Möser, 2017
Date of Invention
Stre
ngth
of
Gua
rant
ees
Dandelion
31
Moving from theory to practice
32
Implementation
Graph construction Deployment
Adversarial Model
Byzantine nodes
Intersection attacks
AS-Level Adversaries
33
Implementation: Dandelion spreading
1) AnonymityPhase
2) SpreadingPhase
34
Anonymity graph construction
Degree
35
Adversarial Model: Byzantine nodes
Learn the graph
Misbehave during graph construction
Misbehave during propagation
4-regulargraphs
36
Anonymity graph construction
37
Dealing with stronger adversaries
Learn the graph
Misbehave during graph construction
Misbehave during propagation
4-regulargraphs
Only send messages on
outgoing edgesMultiple nodes
diffuse
38
Partial deployment
tx1
Not running DandelionRunning
Dandelion
39
Latency Overhead: Estimate
Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013Time to first transaction sighting (s)
40
< 5 sec
41
DANDELION vs. Tor, Crowds, etc.
3) No encryption required.
1) Messages propagate over the same cycle graph
2) Anonymity graph changes dynamically.
42
Fraction of Spies
Prec
isio
n
0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5
10-1
0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5
10-1
0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5
10-1
Lower bound(Unknown graph)
Lower bound(Known graph)
Upper bound(Known graph)
Upper bound(Unknown graph)
Line (unknown)Line (known)
4-reg (unknown)4-reg (known)
d-regular graphs give robustness!
43
44
Anonymity graph construction
Base Case k=1 rounds of Degree-Checking Degree
Base Case
k=1 Rounds
45
Dealing with stronger adversaries
Learn the graph
Misbehave during graph construction
Misbehave during propagation
4-regulargraphs
Get rid of degree-checking
Multiple nodes diffuse
46
Learning the anonymity graph
Graph unknown
Graph known
Precision
! p#log 1(
Ω(()
Line Random regular
?47
Manipulating the anonymity graph
48
4-regulargraph
DANDELION++ Network PolicySpreadingProtocol
Topology Dynamicity
Static
Dynamic
How often does thegraph change?
What is the anonymitygraph topology?
Given a graph, how do we spread content?
DandelionSpreading
49