[PPT] - Dandelion: Privacy-Preserving Transaction Propagation in Bitcoins PowerPoint Presentation

SLIDE 1

Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin’s P2P Network

Presenter: Giulia Fanti Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath

1

SLIDE 2

Bitcoin P2P Primer

Alice Bob kA kB tx

Blockchain sd93fjj2 pckrn29 … tx

2

SLIDE 3

Privacy requirement:

Address and real identity must be unlinkable Bitcoin Address IP Address

3

SLIDE 4

Today, messages spread with diffusion.

Alice t=0.25 t=1.1 t=2.9

! ! ! ! ! ! ! ! !

4

SLIDE 5

Diffusion is vulnerable to source detection!

5

Biryukov et al. CCS 2014 Koshy et al., Financial Crypto 2014

F. and Viswanath, NIPS 2017

SLIDE 6

Dandelion

Lightweight transaction propagation algorithm with provable privacy guarantees.

Venkatakrishan et al., ACM Sigmetrics 2017; F. et al., ACM Sigmetrics 2018

6

SLIDE 7

FAQ: Why not alternative solutions?

Connect through Tor I2P Integration (e.g. Monero)

Tor

7

SLIDE 8

Model

Assumptions and Notation

8

SLIDE 9

Adversarial model

fraction p

f spies

spies collude honest- but-curious

bserve all

metadata identities unknown

9

SLIDE 10

Metric for Anonymity

Re Recall ll Precisi sion

1 " #

$

1 % &'s tx = &

Mapping %

User

Users Transactions

Number honest users Mapping

1 " #

$

1 % &'s tx = & # tx mapped to v

10

SLIDE 11

Goal:

Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary.

11

SLIDE 12

Fundamental Limits

Precision Recall

1 1 p p2 Thm Thm: Maximum precision ≥ "#. Thm Thm: Maximum recall ≥ ".

Fraction

f spies

12

SLIDE 13

What are we looking for?

1 2 3 4 spy

As Asymmetry Mi Mixing

13

SLIDE 14

Approximately regular

What can we control?

Spreading Protocol Topology Dynamicity

Static Dynamic

How often does the graph change? What is the underlying graph topology? Given a graph, how do we spread content?

Diffusion

14

SLIDE 15

Spreading Protocol: Dandelion

1) Anonymity Phase 2) Spreading Phase

15

SLIDE 16

Theor Theorem em: Dandelion spreading has an

ptimally low maximum recall of ! + #

$ % . fraction

f spies

number of nodes lower bound = p

Why Dandelion spreading?

16

SLIDE 17

Graph Topology: Line

tx1 tx2

Anonymity graph “Regular” graph

17

SLIDE 18

Dynamicity: High

Change the anonymity graph frequently.

18

SLIDE 19

Line graph

DANDELION Network Policy

Spreading Protocol Topology Dynamicity

Static Dynamic

How often does the graph change? What is the anonymity graph topology? Given a graph, how do we spread content?

Dandelion Spreading

19

SLIDE 20

Theor Theorem em: DANDELION has a nearly-optimal maximum precision of

!"# $%" log ! " + * $ + .* fraction

f spies

lower bound = p2 number of nodes

*For , < $

.

20

SLIDE 21

Performance: Achievable Region

Fl Flood

oding

ng Di Diffusion DAN

ANDELION

Precision Recall

1 1 p p2

21

SLIDE 22

Why does DANDELION work?

Strong mixing properties.

Precision:!(#) Precision:

% &'% (1 − *%'&)

Tree Complete graph (Crowds, Tor)

Too many leaves Too many paths

22

SLIDE 23

Graph construction in practice

tx1

Choose d=1

utbound edges

23

SLIDE 24

Gives approximate d-regular anonymity graph

24

d=1

SLIDE 25

What are drawbacks of Dandelion?

25

Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees, ACM Sigmetrics 2018

SLIDE 26

Experiments on mainnet

2 4 6 8 10 12 Path Length 2 4 6 8 10 12 14 16 TLPe to 10% (seFonds)

%est )Lt 0LnLPuP (est)

26

SLIDE 27

Take-Home Messages

1) Bitcoin’s P2P network has weak anonymity protections 2) DANDELION may be a lightweight solution against large-scale deanonymization attacks (but doesn’t replace Tor!) 3) More information at: https://github.com/dandelion-org/bips https://github.com/dandelion-org/bitcoin

27

SLIDE 28

Simulation on Bitcoin P2P Topology

5 10 15 20 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Trickle, Theoretical lower bound Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical Diffusion, Simulation

Probability of Detection Diffusion # Supernode Connections per Node

28

F. and Viswanath, NIPS 2017

SLIDE 29

More robust against adversaries that learn the graph
Per-transaction routing vulnerable to intersection attacks
Pro: Increases cost of graph-learning attacks
Con: Can make transactions from the same source easier to link

4-Regular Graphs

One-to-one Routing

29

SLIDE 30

FAQ: Why not Tor?

Tor, VPNs, etc. address this problem
Only work for savvy or privacy-aware users
If Bitcoin is to become a mainstream payment system, it should

protect everyone’s transactions

Dandelion: lightweight, easy to integrate into existing network

30

SLIDE 31

Narayanan and Möser, 2017

Date of Invention Strength of Guarantees Dandelion

31

SLIDE 32

Moving from theory to practice

32

SLIDE 33

Implementation Graph construction Deployment Adversarial Model Byzantine nodes Intersection attacks AS-Level Adversaries

33

SLIDE 34

Implementation: Dandelion spreading

1) Anonymity Phase 2) Spreading Phase

34

SLIDE 35

Anonymity graph construction

Degree

35

SLIDE 36

Adversarial Model: Byzantine nodes

Lear Learn n the he gr graph ph Mi Misbehave during gr graph ph construction Mi Misbehave during pr propa paga gation 4-re regular gr graph phs

36

SLIDE 37

Anonymity graph construction

37

SLIDE 38

Dealing with stronger adversaries

Lear Learn n the he gr graph ph Mi Misbehave during gr graph ph construction Mi Misbehave during pr propa paga gation 4-re regular gr graph phs On Only send send me messages on

ut
utgoi
ing

ng ed edges es Mu Multiple nodes di diffuse

38

SLIDE 39

Partial deployment

tx1 Not running Dandelion Running Dandelion

39

SLIDE 40

Latency Overhead: Estimate

In Info formati tion P Propagati tion i in th the B Bitc tcoin N Netw twork, Decker and Wattenhofer, 2013

Time to first transaction sighting (s) PDF

40

SLIDE 41

< 5 sec

41

SLIDE 42

DANDELION vs. Tor, Crowds, etc.

3) No encryption required. 1) Messages propagate over the sa same cycle graph 2) Anonymity graph changes dynamically.

42

SLIDE 43

Fraction of Spies Precision

0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 10-1 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 10-1 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 10-1

Lower bound (Unknown graph) Lower bound (Known graph) Upper bound (Known graph) Upper bound (Unknown graph)

Line (unknown) Line (known) 4-reg (unknown) 4-reg (known)

d-regular graphs give robustness!

43

SLIDE 44

44

SLIDE 45

Anonymity graph construction

Base Case k=1 rounds of Degree-Checking

Degree

Base Case k=1 Rounds

45

SLIDE 46

Dealing with stronger adversaries

Lear Learn n the he gr graph ph Mi Misbehave during gr graph ph construction Mi Misbehave during pr propa paga gation 4-re regular gr graph phs Ge Get rid of degree- checki checking ng Mu Multiple nodes di diffuse

46

SLIDE 47

Learning the anonymity graph

Graph unknown Graph known Precisi sion ! p#log 1 ( Ω(() Line Random regular

?

47

SLIDE 48

Manipulating the anonymity graph

48

SLIDE 49

4-regular graph

DANDELION++ Network Policy

Spreading Protocol Topology Dynamicity

Static Dynamic

How often does the graph change? What is the anonymity graph topology? Given a graph, how do we spread content?

Dandelion Spreading

49