Dandelion: Privacy -Preserving Transaction Propagation in ... · What are drawbacks of Dandelion ?...

Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin’s P2P Network

Presenter: Giulia Fanti

Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath

1

Bitcoin P2P Primer

Alice BobkA kB

tx

Blockchainsd93fjj2pckrn29

…tx

2

Privacy requirement:

Address and real identity must be unlinkable

Bitcoin Address IP Address

3

Today, messages spread with diffusion.

Alice

t=0.25

t=1.1

t=2.9!

!!

!

!

!

!

! !

4

Diffusion is vulnerable to source detection!

5

Biryukov et al. CCS 2014Koshy et al., Financial Crypto 2014

F. and Viswanath, NIPS 2017

Dandelion

Lightweight transaction propagation algorithm with provable privacy guarantees.

Venkatakrishan et al., ACM Sigmetrics 2017; F. et al., ACM Sigmetrics 20186

FAQ: Why not alternative solutions?Connect through Tor I2P Integration (e.g. Monero)

Tor

7

ModelAssumptions and Notation

8

Adversarial model

fraction pof spies

spies collude

honest-but-curious

observe allmetadata identities

unknown

9

Metric for Anonymity

Recall Precision1"#$

1 % &'s tx = &

Mapping %

User

UsersTransactions

Number honestusers

Mapping

1"#$

1 % &'s tx = &# tx mapped to v

10

Goal:

Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a

computationally-unbounded adversary.

11

Fundamental Limits

Precision

Recall0 1

1

pp2

Thm: Maximum precision ≥ "# .

Thm: Maximum recall ≥ ".

Fraction of spies

12

What are we looking for?

1 2 3 4 spy

Asymmetry Mixing

13

Approximatelyregular

What can we control?SpreadingProtocol

Topology Dynamicity

Static

Dynamic

How often does thegraph change?

What is the underlyinggraph topology?

Given a graph, how do we spread content?

Diffusion

14

Spreading Protocol: Dandelion

1) AnonymityPhase

2) SpreadingPhase

15

Theorem: Dandelion spreading has an optimally low maximum recall of ! + # $

% .

fraction of spies

number of nodes

lower bound = p

Why Dandelion spreading?

16

Graph Topology: Linetx1

tx2

Anonymity graph

“Regular” graph

17

Dynamicity: HighChange the anonymity graph frequently.

18

Linegraph

DANDELION Network PolicySpreadingProtocol

Topology Dynamicity

Static

Dynamic


What is the anonymitygraph topology?


DandelionSpreading

19

Theorem: DANDELION has a nearly-optimal maximum precision of !"

#

$%" log!" + * $

+ .*

fraction of spies

lower bound = p2

number of nodes

*For , < $.20

Performance: Achievable Region

Flooding

Diffusion

DANDELION

Precision

Recall0 1

1

pp2

21

Why does DANDELION work?Strong mixing properties.

Precision:!(#) Precision: %&'% (1 − *%'&)

Tree Complete graph(Crowds, Tor)

Too many leaves Too many paths

22

Graph construction in practicetx1

Choose d=1 outbound edges

23

Gives approximate d-regular anonymity graph

24

d=1

What are drawbacks of Dandelion?

Attack Effect on Dandelion Proposed Solution Effect

Graph Learning

Precision increases to !(#)

4-regular anonymity graph Limits precision gain (Thm. 1)

Intersection Empirical precision increase

Pseudorandom forwarding Improved robustness (Thm. 2)

Graph construction

Empirical precision increase

Non-interactive construction

Reduced precision gain

Black hole Transactions do not propagate

Random stem timers Provides robustness (Prop. 3)

Partial deployment

Arbitrary recall increase Blind stem selection Reduces recall (Thm. 3)


Graph Learning





Graph construction






Partial deployment



Graph Learning





Graph construction






Partial deployment



Graph Learning





Graph construction






Partial deployment


25Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees, ACM Sigmetrics 2018

Experiments on mainnet

0 2 4 6 8 10 12Path Length

0

2

4

6

8

10

12

14

16

TLP

e t

o 1

0%

(se

Fon

ds)

%est )Lt0LnLPuP (est)

26

Take-Home Messages1) Bitcoin’s P2P network has weak anonymity protections

2) DANDELION may be a lightweight solution against large-scale deanonymization attacks (but doesn’t replace Tor!)

3) More information at:

https://github.com/dandelion-org/bipshttps://github.com/dandelion-org/bitcoin

27

Simulation on Bitcoin P2P Topology

0 5 10 15 20

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Trickle, Theoretical lower boundTrickle, SimulatedTrickle, Theoretical lower bound (d=2)Diffusion, TheoreticalDiffusion, Simulation

Prob

abilit

y of

Det

ectio

nDiffusion

# Supernode Connections per Node 28

F. and Viswanath, NIPS 2017

• More robust against adversaries that learn the graph

• Per-transaction routing vulnerable to intersection attacks

• Pro: Increases cost of graph-learning attacks• Con: Can make transactions from the same source easier to link

4-Regular Graphs

One-to-oneRouting

29

FAQ: Why not Tor? • Tor, VPNs, etc. address this problem

• Only work for savvy or privacy-aware users

• If Bitcoin is to become a mainstream payment system, it should protect everyone’s transactions

• Dandelion: lightweight, easy to integrate into existing network

30

Narayanan and Möser, 2017

Date of Invention

Stre

ngth

of

Gua

rant

ees

Dandelion

31

Moving from theory to practice

32

Implementation

Graph construction Deployment

Adversarial Model

Byzantine nodes

Intersection attacks

AS-Level Adversaries

33

Implementation: Dandelion spreading

1) AnonymityPhase

2) SpreadingPhase

34

Anonymity graph construction

Degree

35

Adversarial Model: Byzantine nodes

Learn the graph

Misbehave during graph construction

Misbehave during propagation

4-regulargraphs

36


37

Dealing with stronger adversaries

Learn the graph



4-regulargraphs

Only send messages on

outgoing edgesMultiple nodes

diffuse

38

Partial deployment

tx1

Not running DandelionRunning

Dandelion

39

Latency Overhead: Estimate

Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013Time to first transaction sighting (s)

PDF

40

< 5 sec

41

DANDELION vs. Tor, Crowds, etc.

3) No encryption required.

1) Messages propagate over the same cycle graph

2) Anonymity graph changes dynamically.

42

Fraction of Spies

Prec

isio

n

0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5

10-1

0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5

10-1

0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5

10-1

Lower bound(Unknown graph)

Lower bound(Known graph)

Upper bound(Known graph)

Upper bound(Unknown graph)

Line (unknown)Line (known)

4-reg (unknown)4-reg (known)

d-regular graphs give robustness!

43


Base Case k=1 rounds of Degree-Checking Degree

Base Case

k=1 Rounds

45

Dealing with stronger adversaries

Learn the graph



4-regulargraphs

Get rid of degree-checking

Multiple nodes diffuse

46

Learning the anonymity graph

Graph unknown

Graph known

Precision

! p#log 1(

Ω(()

Line Random regular

?47

Manipulating the anonymity graph

48

4-regulargraph

DANDELION++ Network PolicySpreadingProtocol

Topology Dynamicity

Static

Dynamic


What is the anonymitygraph topology?


DandelionSpreading

49

Dandelion: Privacy -Preserving Transaction Propagation in ... · What are drawbacks of Dandelion ?...

Documents

Transcript of Dandelion: Privacy -Preserving Transaction Propagation in ... · What are drawbacks of Dandelion ?...