Anonymity in the Bitcoin Peer-to-Peer Network Shaileshh Bojja - - PowerPoint PPT Presentation

Anonymity in the Bitcoin Peer-to-Peer Network

Shaileshh Bojja Venkatakrishnan, Giulia Fanti, Andrew Miller, Pramod Viswanath

Why do People Use Cryptocurrencies?

Currency Stability Investment Technical Properties/ Ideology

“Untraceable Bitcoin”

This is false.

Bitcoin Reminder

Alice Bob kA kB

Transaction kA sends ktx to kB

ktx

Blockchain sd93fjj2 pckrn29 …

• ur transaction

How can users be deanonymized?

Blockchain

Meiklejohn et al., 2013

Entire transaction histories can be compromised.

What about the peer-to-peer network?

Public Key IP Address

Our Work

Analysis Redesign

Under submission, 2017 ACM Sigmetrics 2017

Pr(detection)

Dandelion

1) Anonymity Phase 2) Spreading Phase

Model

Assumptions and Notation

Attacks on the Network Layer

Eavesdropper

Biryukov et al., 2014 Koshy et al., 2014

Alice

What can go wrong?

Eavesdropper

Alice

What the eavesdropper can do about it

2

Alice

1 3

fraction p compromised nodes number 𝜾 connections

𝜄 = 2 Eavesdropper

Summary of adversarial model

Fraction of Spies 1 ∞ 1 p 𝜄

Botnet Eavesdropper

Connections to adversary

Part I

Analysis

Part II

Redesign

Analysis

How bad is the problem?

Flooding Protocols

Trickle (pre-2015) Diffusion (post-2015) (3) (2) (1) (4) exp ¡ (𝜇) exp ¡ (𝜇) exp ¡ (𝜇) exp ¡ (𝜇)

Does diffusion provide stronger anonymity than trickle spreading?

d-regular trees

Eavesdropper

Arbitrary number of connections 𝜄 Fraction of spies 𝑞 = 1

Anonymity Metric

𝜐8 = 2.0 𝜐; = 0.7 𝜐= = 1.1 𝜐> = 1.5 𝜐@ = 0.3

𝑄(detection|𝝊, 𝐻)

graph timestamps

𝝊 = 𝜐8 𝜐= … 𝜐H

Estimators

First-Spy

𝜐8 = 2.0 𝜐; = 0.7 𝜐= = 1.1 𝜐> = 1.5 𝜐@ = 0.3

Maximum- Likelihood

𝑄(detection|𝝊, 𝐻)

graph timestamps

Results: d-Regular Trees

Trickle Diffusion First-Timestamp 𝑃 log 𝑒 𝑒 𝑃 log 𝑒 𝑒 Maximum-Likelihood Ω(1) Ω(1)

Probability

• f Detection

Degree, d

First-timestamp Maximum-Likelihood

Intuition: Symmetry outweighs local randomness!

Proof sketch (diffusion, max likelihood)

Source Not yet received Received Received and reported

• Generalized

Polya Urns

• Concentration of

measure

Results: Trees

Number of Eavesdropper Connections Probability of Detection Diffusion Trickle

Results: Bitcoin Graph

5 10 15 20 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Trickle, Theoretical lower bound Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical Diffusion, Simulation

Probability of Detection Diffusion Trickle Number of Eavesdropper Connections

Diffusion does not have (significantly) better anonymity properties than trickle.

Redesign

Can we design a better network?

Botnet adversarial model

fraction p

• f spies

spies collude honest- but-curious

• bserve all

metadata identities unknown

Metric for Anonymity

Recall Precision

1 𝑜 O 1 𝑁 𝑤Rs ¡tx = 𝑤

• U

Mapping 𝑁

User

Users Transactions

Number honest users Mapping

1 𝑜 O 1 𝑁 𝑤Rs ¡tx = 𝑤 # ¡tx ¡mapped ¡to ¡v

• U

𝔽[Recall] ¡= ¡ Probability ¡of ¡Detection

Goal:

Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary.

Fundamental Limits

Precision Recall

1 1 p p2

Thm: Maximum precision ≥ 𝑞=. Thm: Maximum recall ≥ 𝑞.

Fraction

• f spies

What are we looking for?

1 2 3 4 spy

Asymmetry Mixing

Approximately regular

What can we control?

Spreading Protocol Topology Dynamicity

Static Dynamic

How often does the graph change? What is the underlying graph topology? Given a graph, how do we spread content?

Diffusion

Spreading Protocol: Dandelion

1) Anonymity Phase 2) Spreading Phase

Theorem: Dandelion spreading has an

• ptimally low maximum recall of 𝑞 + 𝑃

8 H . fraction

• f spies

number of nodes lower bound = p

Why Dandelion spreading?

Graph Topology: Line

tx1 tx2

Anonymity graph “Regular” graph

Dynamicity: High

Change the anonymity graph frequently.

Line graph

DANDELION Network Policy

Spreading Protocol Topology Dynamicity

Static Dynamic

How often does the graph change? What is the anonymity graph topology? Given a graph, how do we spread content?

Dandelion Spreading

Theorem: DANDELION has a nearly-optimal maximum precision of =de

8fd log = d + 𝑃 8 H .* fraction

• f spies

lower bound = p2 number of nodes

*For 𝑞 <

8 >

Performance: Achievable Region

Flooding Diffusion DANDELION

Precision Recall

1 1 p p2

Why does DANDELION work?

Strong mixing properties.

Precision: 𝑃(𝑞) Precision:

d 8fd (1 − 𝑓df8)

Tree Complete graph

Too many leaves Too many paths

How practical is this?

Dandelion spreading

1) Anonymity Phase 2) Spreading Phase

Anonymity graph construction

Degree

Dealing with stronger adversaries

Learn the graph Misbehave during graph construction Misbehave during propagation 4-regular graphs Only send messages on

• utgoing edges

Multiple nodes diffuse

Anonymity graph construction

Latency Overhead: Estimate

Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013

Time to first transaction sighting (s) PDF

• Avg. Dandelion delay = 1-4 seconds

(3-5% overhead)

Deployment considerations

tx1 Not running Dandelion Running Dandelion

Why not alternative solutions?

Connect through Tor I2P Integration (e.g. Monero)

Tor

Narayanan and Möser, 2017

Date of Invention Strength of Guarantees Dandelion

Take-Home Messages

1) Bitcoin’s P2P network has poor anonymity. 2) Moving from trickle to diffusion did not help. 3) DANDELION may be a lightweight solution for certain classes of adversaries.

https://github.com/gfanti/bitcoin

DANDELION vs. Tor, Crowds, etc.

3) No encryption required. 1) Messages propagate over the same cycle graph 2) Anonymity graph changes dynamically.

Fraction of Spies Precision

0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 10-1 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 10-1 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 10-1

Lower bound (Unknown graph) Lower bound (Known graph) Upper bound (Known graph) Upper bound (Unknown graph)

Line (unknown) Line (known) 4-reg (unknown) 4-reg (known)

d-regular graphs give robustness!

Anonymity graph construction

Base Case k=1 rounds of Degree-Checking

Degree

Base Case k=1 Rounds

Dealing with stronger adversaries

Learn the graph Misbehave during graph construction Misbehave during propagation 4-regular graphs Get rid of degree-checking Multiple nodes diffuse

Learning the anonymity graph

Graph unknown Graph known Precision 𝑃 p=log ¡ 1 𝑞 Ω(𝑞) Line Random regular

?

Manipulating the anonymity graph

4-regular graph

DANDELION++ Network Policy

Spreading Protocol Topology Dynamicity

Static Dynamic

How often does the graph change? What is the anonymity graph topology? Given a graph, how do we spread content?

Dandelion Spreading