Anonymity in the Bitcoin Peer-to-Peer Network by Giulia Fanti

Transcript

1. Anonymity in the Bitcoin
   Peer-to-Peer Network
   Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby,
   Shruti Bhargava, Andrew Miller, Pramod Viswanath
   Giulia Fanti
   

   View Slide

2. “Untraceable Bitcoin”
   

   View Slide

3. This is false.
   

   View Slide

4. Bitcoin Primer
   Alice Bob
   kA
   kB
   Transaction
   kA
   sends kcoin
   to kB
   kcoin
   Blockchain
   sd93fjj2
   pckrn29
   …
   our transaction
   

   View Slide

5. Multiple Identities
   Alice
   Public
   Key
   IP Address
   Used in the
   P2P Network
   Used in the
   Blockchain
   Used nowhere
   

   View Slide

6. How can users be deanonymized?
   Blockchain
   Meiklejohn et al., 2013
   Ober et al., 2013
   Entire transaction histories
   can be compromised.
   

   View Slide

7. What about the peer-to-peer
   network?
   Public Key IP Address
   

   View Slide

8. This Talk
   How to break privacy How to fix it
   1) Anonymity
   Phase
   2) Spreading
   Phase
   

   View Slide

9. Early attacks
   • A. Biryukov, D. Khovratovich, I. Pustagurov, “Deanonymisation
   of clients in Bitcoin P2P network”, CCS 2014
   • P. Koshy, D. Koshy, P. McDaniel, “An analysis of anonymity in
   Bitcoin using P2P network traffic”, Financial Crypto 2014
   

   View Slide

10. Attacks on the Network Layer
    Eavesdropper
    Alice
    

    View Slide

11. What can go wrong?
    Eavesdropper
    Alice
    

    View Slide

12. What the eavesdropper can do about it
    2
    Alice
    1 3
    

    View Slide

13. Key Results
    • Make ≈ 50 connections per node
    • Between 11-34% of users deanonymized, even behind NAT!
    

    View Slide

14. Bitcoin Core Responds
    Trickle (pre-2015) Diffusion (post-2015)
    (3)
    (2)
    (1)
    (4)
    exp()
    exp()
    exp()
    exp()
    

    View Slide

15. Does diffusion provide stronger
    anonymity than trickle spreading?
    G. F., P. Viswanath, “Anonymity in the Bitcoin P2P Network”,
    NeurIPS 2017
    

    View Slide

16. d-regular trees
    Eavesdropper
    Arbitrary
    number of
    connections
    

    View Slide

17. Anonymity Metric
    ,
    = 2.0
    0
    = 0.7
    2
    = 1.1
    4
    = 1.5
    5
    = 0.3
    (detection|, )
    graph
    timestamps
    =
    ,
    2
    …
    C
    

    View Slide

18. Estimators
    First-Spy
    ,
    = 2.0
    0
    = 0.7
    2
    = 1.1
    4
    = 1.5
    5
    = 0.3
    Maximum-
    Likelihood
    (detection|, )
    graph
    timestamps
    

    View Slide

19. Results: d-Regular Trees
    Trickle Diffusion
    First-Timestamp
    
    log
    
    
    log
    
    Maximum-Likelihood Ω(1) Ω(1)
    Probability
    of Detection
    Degree, d
    First-timestamp
    Maximum-Likelihood
    Intuition: Symmetry outweighs local randomness!
    

    View Slide

20. Proof sketch (diffusion, max likelihood)
    Source
    Not yet received
    Received
    Received and reported
    - Generalized
    Polya Urns
    - Concentration of
    measure
    

    View Slide

21. Results: Trees
    Number of Eavesdropper Connections
    Probability of Detection
    Diffusion
    Trickle
    

    View Slide

22. Results: Bitcoin Graph
    0 5 10 15 20
    0.3
    0.4
    0.5
    0.6
    0.7
    0.8
    0.9
    1
    Trickle, Theoretical lower bound
    Trickle, Simulated
    Trickle, Theoretical lower bound (d=2)
    Diffusion, Theoretical
    Diffusion, Simulation
    Probability of Detection
    Diffusion
    Trickle
    Number of Eavesdropper Connections
    

    View Slide

23. Diffusion does not have
    (significantly) better anonymity
    properties than trickle.
    

    View Slide

24. Redesign
    Can we fix this problem?
    

    View Slide

25. First-order solutions
    Connect through Tor I2P Integration (e.g. Monero)
    Tor
    

    View Slide

26. Botnet adversarial model
    fraction p
    of spies
    spies
    collude
    honest-
    but-curious
    observe all
    metadata identities
    unknown
    

    View Slide

27. Metric for Anonymity
    Recall Precision
    1
    
    J
    K
    1 Ns tx =
    Mapping
    User
    Users
    Transactions
    Number
    honest
    users
    Mapping
    1
    
    J
    K
    1 Ns tx =
    # tx mapped to v
    [Recall] =
    Probability of Detection
    

    View Slide

28. Goal:
    Design a distributed flooding protocol that minimizes
    the maximum precision and recall achievable by a
    computationally-unbounded adversary.
    S. B. Venkatakrishnan, G. F., P. Viswanath, “Dandelion: Redesigning the
    Bitcoin Network for Anonymity ”, Sigmetrics 2017
    

    View Slide

29. Fundamental Limits
    Precision
    Recall
    0 1
    1
    p
    p2
    Thm: Maximum
    precision ≥ 2.
    Thm: Maximum
    recall ≥ .
    Fraction
    of spies
    

    View Slide

30. What are we looking for?
    1 2 3 4 spy
    Asymmetry Mixing
    

    View Slide

31. Approximately
    regular
    What can we control?
    Spreading
    Protocol
    Topology Dynamicity
    Static
    Dynamic
    How often does the
    graph change?
    What is the underlying
    graph topology?
    Given a graph, how
    do we spread content?
    Diffusion
    

    View Slide

32. Spreading Protocol: Dandelion
    1) Anonymity
    Phase
    2) Spreading
    Phase
    

    View Slide

33. Theorem: Dandelion spreading has an
    optimally low maximum recall of + ,
    C
    .
    fraction
    of spies
    number of
    nodes
    Theorem: Fundamental lower bound = p
    Why Dandelion spreading?
    

    View Slide

34. Graph Topology: Line
    tx1
    tx2
    Anonymity graph
    “Regular” graph
    

    View Slide

35. Dynamicity: High
    Change the anonymity
    graph frequently.
    

    View Slide

36. Line
    graph
    DANDELION Network Policy
    Spreading
    Protocol
    Topology Dynamicity
    Static
    Dynamic
    How often does the
    graph change?
    What is the anonymity
    graph topology?
    Given a graph, how
    do we spread content?
    Dandelion
    Spreading
    

    View Slide

37. Theorem: DANDELION has a nearly-optimal
    maximum precision of 2ab
    ,ca
    log 2
    a
    + ,
    C
    .*
    fraction
    of spies
    Theorem: Fundamental lower bound = p2
    number of
    nodes
    *For < ,
    4
    

    View Slide

38. Performance: Achievable Region
    Flooding
    Diffusion
    DANDELION
    Precision
    Recall
    0 1
    1
    p
    p2
    

    View Slide

39. Why is DANDELION good?
    Strong mixing properties.
    Precision:() Precision: a
    ,ca
    (1 − ac,)
    Tree Complete graph
    Too many leaves Too many paths
    

    View Slide

40. How practical is this?
    

    View Slide

41. Latency Overhead: Estimate
    Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013
    Time to first transaction sighting (s)
    PDF
    

    View Slide

42. Empirical Delay Distribution
    Time to reach 10% of nodes (sec)
    

    View Slide

43. Practical Challenges: Partial deployment
    

    View Slide

44. Narayanan and Möser, 2017
    Date of Invention
    Strength of
    Guarantees
    Dandelion
    

    View Slide

45. Take-Home Messages
    1) Bitcoin’s P2P network has poor anonymity.
    2) Moving from trickle to diffusion did not help.
    3) DANDELION may be a lightweight solution for
    certain classes of adversaries.
    https://github.com/dandelion-org/bitcoin
    BIP 156
    

    View Slide