Anonymity in the Bitcoin Peer-to-Peer Network by Giulia Fanti


Recently, researchers have demonstrated deanonymization attacks that exploit weaknesses in the Bitcoin network's peer-to-peer (P2P) networking protocols. In particular, the P2P network currently forwards content in a structured way that allows observers to link users' Bitcoin addresses to their IP addresses. This is a substantial privacy vulnerability that extends to several other cryptocurrencies as well. In this talk, I will discuss how these attacks work, and how effective they are at deanonymizing users. I will also talk about countermeasures, including proposed modifications to the networking stack.



September 12, 2019


  1. Anonymity in the Bitcoin Peer-to-Peer Network. Giulia Fanti. Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath
  2. “Untraceable Bitcoin”

  3. This is false.

  4. Bitcoin Primer Alice Bob kA kB Transaction kA sends kcoin

    to kB kcoin Blockchain sd93fjj2 pckrn29 … our transaction
  5. Multiple Identities Alice Public Key IP Address Used in the

    P2P Network Used in the Blockchain Used nowhere
  6. How can users be deanonymized? Blockchain Meiklejohn et al., 2013

    Ober et al., 2013 Entire transaction histories can be compromised.
  7. What about the peer-to-peer network? Public Key IP Address

  8. This Talk How to break privacy How to fix it

    1) Anonymity Phase 2) Spreading Phase
  9. Early attacks
    • A. Biryukov, D. Khovratovich, I. Pustogarov, “Deanonymisation of clients in Bitcoin P2P network”, CCS 2014
    • P. Koshy, D. Koshy, P. McDaniel, “An analysis of anonymity in Bitcoin using P2P network traffic”, Financial Crypto 2014
  10. Attacks on the Network Layer Eavesdropper Alice

  11. What can go wrong? Eavesdropper Alice

  12. What the eavesdropper can do about it 2 Alice 1

  13. Key Results • Make ≈ 50 connections per node • Between 11-34% of users deanonymized, even behind NAT!
  14. Bitcoin Core Responds Trickle (pre-2015) Diffusion (post-2015) (3) (2) (1)

    (4) exp() exp() exp() exp()
  15. Does diffusion provide stronger anonymity than trickle spreading? G. F., P. Viswanath, “Anonymity in the Bitcoin P2P Network”, NeurIPS 2017
  16. d-regular trees Eavesdropper Arbitrary number of connections

  17. Anonymity Metric , = 2.0 0 = 0.7 2 =

    1.1 4 = 1.5 5 = 0.3 (detection|, ) graph timestamps = , 2 … C
  18. Estimators First-Spy , = 2.0 0 = 0.7 2 =

    1.1 4 = 1.5 5 = 0.3 Maximum- Likelihood (detection|, ) graph timestamps
  19. Results: d-Regular Trees Trickle Diffusion First-Timestamp log log Maximum-Likelihood Ω(1)

    Ω(1) Probability of Detection Degree, d First-timestamp Maximum-Likelihood Intuition: Symmetry outweighs local randomness!
  20. Proof sketch (diffusion, max likelihood) Source Not yet received Received

    Received and reported - Generalized Polya Urns - Concentration of measure
  21. Results: Trees Number of Eavesdropper Connections Probability of Detection Diffusion

  22. Results: Bitcoin Graph [Plot: Probability of Detection vs. Number of Eavesdropper Connections, for Trickle and Diffusion. Curves: Trickle, Theoretical lower bound; Trickle, Simulated; Trickle, Theoretical lower bound (d=2); Diffusion, Theoretical; Diffusion, Simulation]
  23. Diffusion does not have (significantly) better anonymity properties than trickle.

  24. Redesign Can we fix this problem?

  25. First-order solutions Connect through Tor I2P Integration (e.g. Monero) Tor

  26. Botnet adversarial model: fraction p of spies; spies collude; honest-but-curious; observe all metadata; identities unknown
  27. Metric for Anonymity Recall Precision 1 J K 1 Ns

    tx = Mapping User Users Transactions Number honest users Mapping 1 J K 1 Ns tx = # tx mapped to v [Recall] = Probability of Detection
  28. Goal: Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary. S. B. Venkatakrishnan, G. F., P. Viswanath, “Dandelion: Redesigning the Bitcoin Network for Anonymity”, Sigmetrics 2017
  29. Fundamental Limits [Plot: Precision vs. Recall, axes from 0 to 1, with $p$ and $p^2$ marked] Thm: Maximum precision ≥ $p^2$. Thm: Maximum recall ≥ $p$. ($p$ = fraction of spies)
  30. What are we looking for? 1 2 3 4 spy

    Asymmetry Mixing
  31. What can we control?
    • Spreading Protocol: Given a graph, how do we spread content? (Diffusion)
    • Topology: What is the underlying graph topology? (Approximately regular)
    • Dynamicity: How often does the graph change? (Static / Dynamic)
  32. Spreading Protocol: Dandelion 1) Anonymity Phase 2) Spreading Phase

  33. Theorem: Dandelion spreading has an optimally low maximum recall of

    + , C . fraction of spies number of nodes Theorem: Fundamental lower bound = p Why Dandelion spreading?
  34. Graph Topology: Line tx1 tx2 Anonymity graph “Regular” graph

  35. Dynamicity: High Change the anonymity graph frequently.

  36. DANDELION Network Policy
    • Spreading Protocol: Given a graph, how do we spread content? (Dandelion Spreading)
    • Topology: What is the anonymity graph topology? (Line graph)
    • Dynamicity: How often does the graph change? (Static / Dynamic)
  37. Theorem: DANDELION has a nearly-optimal maximum precision of 2ab ,ca

    log 2 a + , C .* fraction of spies Theorem: Fundamental lower bound = p2 number of nodes *For < , 4
  38. Performance: Achievable Region [Plot: Precision vs. Recall, axes from 0 to 1 with $p$ and $p^2$ marked; regions for Flooding, Diffusion and DANDELION]
  39. Why is DANDELION good? Strong mixing properties. Precision:() Precision: a

    ,ca (1 − ac,) Tree Complete graph Too many leaves Too many paths
  40. How practical is this?

  41. Latency Overhead: Estimate Information Propagation in the Bitcoin Network, Decker

    and Wattenhofer, 2013 Time to first transaction sighting (s) PDF
  42. Empirical Delay Distribution Time to reach 10% of nodes (sec)

  43. Practical Challenges: Partial deployment

  44. Narayanan and Möser, 2017 Date of Invention Strength of Guarantees

  45. Take-Home Messages
    1) Bitcoin’s P2P network has poor anonymity.
    2) Moving from trickle to diffusion did not help.
    3) DANDELION may be a lightweight solution for certain classes of adversaries. (BIP 156)
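
The simulation below is an added example, not code from the talk or from the Dandelion authors. It measures first-spy recall (the probability of detection from slide 27) in the botnet model of slide 26, comparing plain flooding with a two-phase spread that runs an anonymity phase on a line graph before the spreading phase. The synchronous rounds, the random peer graph, the per-hop switch probability `q` and all parameter values are assumptions constructed for illustration.

```python
import random

def first_spy_flood(peers, spies, src):
    """Flood from src in rounds; return the node blamed by the first spy reached."""
    frontier, seen = [src], {src}
    while frontier:
        nxt = []
        for u in frontier:
            for v in peers[u]:
                if v in spies:
                    return u            # spy blames the peer that relayed to it
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
        frontier = nxt
    return None                         # no spy was reached

def first_spy_dandelion(succ, peers, spies, src, q, rng):
    """Anonymity phase on a line graph, then spreading phase by flooding."""
    u = src
    while True:
        v = succ[u]
        if v in spies:
            return u                    # first spy on the line blames its predecessor
        u = v
        if rng.random() < q:            # honest relay switches to the spreading phase
            return first_spy_flood(peers, spies, u)

def simulate(n=1000, p=0.2, d=8, q=0.1, trials=5000, seed=1):
    """Return (recall under flooding, recall under Dandelion-style spreading)."""
    rng = random.Random(seed)
    spies = set(rng.sample(range(n), int(p * n)))
    honest = [v for v in range(n) if v not in spies]
    peers = [rng.sample(range(n), d) for _ in range(n)]      # constructed random graph
    order = list(range(n))
    rng.shuffle(order)
    succ = {order[i]: order[(i + 1) % n] for i in range(n)}  # one directed line (cycle)
    flood_hits = dandelion_hits = 0
    for _ in range(trials):
        src = rng.choice(honest)
        flood_hits += first_spy_flood(peers, spies, src) == src
        dandelion_hits += first_spy_dandelion(succ, peers, spies, src, q, rng) == src
    return flood_hits / trials, dandelion_hits / trials

if __name__ == "__main__":
    flood, dandelion = simulate()
    print(f"first-spy recall: flooding={flood:.2f}, dandelion={dandelion:.2f}")
```

With flooding, the source is blamed whenever any of its d peers is a spy, so recall grows quickly with d; on the line graph it is blamed only when its single successor is a spy, which keeps recall close to the fraction of spies p.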