Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Anonymity in the Bitcoin Peer-to-Peer Network by Giulia Fanti

Papers_We_Love
September 12, 2019
Technology
0
92

Anonymity in the Bitcoin Peer-to-Peer Network by Giulia Fanti

Recently, researchers have demonstrated deanonymization attacks that exploit weaknesses in the Bitcoin network's peer-to-peer (P2P) networking protocols. In particular, the P2P network currently forwards content in a structured way that allows observers to link users' Bitcoin addresses to their IP addresses. This is a substantial privacy vulnerability that extends to several other cryptocurrencies as well. In this talk, I will discuss how these attacks work, and how effective they are at deanonymizing users. I will also talk about countermeasures, including proposed modifications to the networking stack.

Papers_We_Love

September 12, 2019
Tweet

More Decks by Papers_We_Love

See All by Papers_We_Love
What About the Natural Numbers by José Manuel Calderón Trilla
paperswelove
0
66
Is Program Analysis The Silver Bullet Against Software Bugs? by Karim Ali
paperswelove
1
130
On the Expressive Power of Programming Languages by Shriram Krishnamurthi
paperswelove
1
94
Building Personable Machines by Star Simpson
paperswelove
0
27
PWL SF 03/18 > Cathie Yun on "Bulletproofs: Short Proofs for Confidential Transactions and More"
paperswelove
1
290
Bonnie Eisenman on Multiphase Numerical Modeling... for Jigsaw Puzzle Generation
paperswelove
0
520
Suz Hinton on Accessible images (AIMS)
paperswelove
0
760
Hannes Frederic Sowa on "BBR: Congestion-Based Congestion Control"
paperswelove
0
1.1k
David Ashby on SHA256
paperswelove
0
1.1k

Other Decks in Technology

See All in Technology
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
220
また(CDK界隈の)世界を縮めてしまった
bun913
0
500
Race Conditions em Microsserviços: Desmistificando um Problema Comum em Arquiteturas Distribuídas
jordihofc
0
320
ZOZOTOWNの裏側に迫る! Javaで作られたBFFの開発事例を紹介
yutaro527
0
280
nlp2023 位置属性を有しない事物に対する地理的特定性の分析
takashiinui
0
140
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
240
Software Craftsmanship against Nova Era
koic
0
270
開発チーム内でのQAの役割
iseki
0
130
Data Lake, Real-time Analytics, or Both? Exploring Presto and ClickHouse
ahana
0
110
replace of cart system on ZOZOTOWN
takahashikazutaro
0
290
試して分かった!AWS を使った PLCのデータ収集と分析基盤の実践ノウハウ #FA設備技術勉強会#13
ganota
1
250
関数型で表現するイベントソーシングの実装とその教育
tomohisa
0
180

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1351
200k
Reflections from 52 weeks, 52 projects
jeffersonlam
340
18k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
7
670
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
15
1.3k
Infographics Made Easy
chrislema
236
17k
Designing for humans not robots
tammielis
245
24k
Bash Introduction
62gerente
602
210k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.4k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.2k
Faster Mobile Websites
deanohume
296
29k
The Language of Interfaces
destraynor
149
21k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
121
29k

Transcript

  1. Anonymity in the Bitcoin
    Peer-to-Peer Network
    Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby,
    Shruti Bhargava, Andrew Miller, Pramod Viswanath
    Giulia Fanti

    View Slide

  2. “Untraceable Bitcoin”

    View Slide

  3. This is false.

    View Slide

  4. Bitcoin Primer
    Alice Bob
    kA
    kB
    Transaction
    kA
    sends kcoin
    to kB
    kcoin
    Blockchain
    sd93fjj2
    pckrn29

    our transaction

    View Slide

  5. Multiple Identities
    Alice
    Public
    Key
    IP Address
    Used in the
    P2P Network
    Used in the
    Blockchain
    Used nowhere

    View Slide

  6. How can users be deanonymized?
    Blockchain
    Meiklejohn et al., 2013
    Ober et al., 2013
    Entire transaction histories
    can be compromised.

    View Slide

  7. What about the peer-to-peer
    network?
    Public Key IP Address

    View Slide

  8. This Talk
    How to break privacy How to fix it
    1) Anonymity
    Phase
    2) Spreading
    Phase

    View Slide

  9. Early attacks
    • A. Biryukov, D. Khovratovich, I. Pustagurov, “Deanonymisation
    of clients in Bitcoin P2P network”, CCS 2014
    • P. Koshy, D. Koshy, P. McDaniel, “An analysis of anonymity in
    Bitcoin using P2P network traffic”, Financial Crypto 2014

    View Slide

  10. Attacks on the Network Layer
    Eavesdropper
    Alice

    View Slide

  11. What can go wrong?
    Eavesdropper
    Alice

    View Slide

  12. What the eavesdropper can do about it
    2
    Alice
    1 3

    View Slide

  13. Key Results
    • Make ≈ 50 connections per node
    • Between 11-34% of users deanonymized, even behind NAT!

    View Slide

  14. Bitcoin Core Responds
    Trickle (pre-2015) Diffusion (post-2015)
    (3)
    (2)
    (1)
    (4)
    exp()
    exp()
    exp()
    exp()

    View Slide

  15. Does diffusion provide stronger
    anonymity than trickle spreading?
    G. F., P. Viswanath, “Anonymity in the Bitcoin P2P Network”,
    NeurIPS 2017

    View Slide

  16. d-regular trees
    Eavesdropper
    Arbitrary
    number of
    connections

    View Slide

  17. Anonymity Metric
    ,
    = 2.0
    0
    = 0.7
    2
    = 1.1
    4
    = 1.5
    5
    = 0.3
    (detection|, )
    graph
    timestamps
    =
    ,
    2

    C

    View Slide

  18. Estimators
    First-Spy
    ,
    = 2.0
    0
    = 0.7
    2
    = 1.1
    4
    = 1.5
    5
    = 0.3
    Maximum-
    Likelihood
    (detection|, )
    graph
    timestamps

    View Slide

  19. Results: d-Regular Trees
    Trickle Diffusion
    First-Timestamp

    log


    log

    Maximum-Likelihood Ω(1) Ω(1)
    Probability
    of Detection
    Degree, d
    First-timestamp
    Maximum-Likelihood
    Intuition: Symmetry outweighs local randomness!

    View Slide

  20. Proof sketch (diffusion, max likelihood)
    Source
    Not yet received
    Received
    Received and reported
    - Generalized
    Polya Urns
    - Concentration of
    measure

    View Slide

  21. Results: Trees
    Number of Eavesdropper Connections
    Probability of Detection
    Diffusion
    Trickle

    View Slide

  22. Results: Bitcoin Graph
    0 5 10 15 20
    0.3
    0.4
    0.5
    0.6
    0.7
    0.8
    0.9
    1
    Trickle, Theoretical lower bound
    Trickle, Simulated
    Trickle, Theoretical lower bound (d=2)
    Diffusion, Theoretical
    Diffusion, Simulation
    Probability of Detection
    Diffusion
    Trickle
    Number of Eavesdropper Connections

    View Slide

  23. Diffusion does not have
    (significantly) better anonymity
    properties than trickle.

    View Slide

  24. Redesign
    Can we fix this problem?

    View Slide

  25. First-order solutions
    Connect through Tor I2P Integration (e.g. Monero)
    Tor

    View Slide

  26. Botnet adversarial model
    fraction p
    of spies
    spies
    collude
    honest-
    but-curious
    observe all
    metadata identities
    unknown

    View Slide

  27. Metric for Anonymity
    Recall Precision
    1

    J
    K
    1 Ns tx =
    Mapping
    User
    Users
    Transactions
    Number
    honest
    users
    Mapping
    1

    J
    K
    1 Ns tx =
    # tx mapped to v
    [Recall] =
    Probability of Detection

    View Slide

  28. Goal:
    Design a distributed flooding protocol that minimizes
    the maximum precision and recall achievable by a
    computationally-unbounded adversary.
    S. B. Venkatakrishnan, G. F., P. Viswanath, “Dandelion: Redesigning the
    Bitcoin Network for Anonymity ”, Sigmetrics 2017

    View Slide

  29. Fundamental Limits
    Precision
    Recall
    0 1
    1
    p
    p2
    Thm: Maximum
    precision ≥ 2.
    Thm: Maximum
    recall ≥ .
    Fraction
    of spies

    View Slide

  30. What are we looking for?
    1 2 3 4 spy
    Asymmetry Mixing

    View Slide

  31. Approximately
    regular
    What can we control?
    Spreading
    Protocol
    Topology Dynamicity
    Static
    Dynamic
    How often does the
    graph change?
    What is the underlying
    graph topology?
    Given a graph, how
    do we spread content?
    Diffusion

    View Slide

  32. Spreading Protocol: Dandelion
    1) Anonymity
    Phase
    2) Spreading
    Phase

    View Slide

  33. Theorem: Dandelion spreading has an
    optimally low maximum recall of + ,
    C
    .
    fraction
    of spies
    number of
    nodes
    Theorem: Fundamental lower bound = p
    Why Dandelion spreading?

    View Slide

  34. Graph Topology: Line
    tx1
    tx2
    Anonymity graph
    “Regular” graph

    View Slide

  35. Dynamicity: High
    Change the anonymity
    graph frequently.

    View Slide

  36. Line
    graph
    DANDELION Network Policy
    Spreading
    Protocol
    Topology Dynamicity
    Static
    Dynamic
    How often does the
    graph change?
    What is the anonymity
    graph topology?
    Given a graph, how
    do we spread content?
    Dandelion
    Spreading

    View Slide

  37. Theorem: DANDELION has a nearly-optimal
    maximum precision of 2ab
    ,ca
    log 2
    a
    + ,
    C
    .*
    fraction
    of spies
    Theorem: Fundamental lower bound = p2
    number of
    nodes
    *For < ,
    4

    View Slide

  38. Performance: Achievable Region
    Flooding
    Diffusion
    DANDELION
    Precision
    Recall
    0 1
    1
    p
    p2

    View Slide

  39. Why is DANDELION good?
    Strong mixing properties.
    Precision:() Precision: a
    ,ca
    (1 − ac,)
    Tree Complete graph
    Too many leaves Too many paths

    View Slide

  40. How practical is this?

    View Slide

  41. Latency Overhead: Estimate
    Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013
    Time to first transaction sighting (s)
    PDF

    View Slide

  42. Empirical Delay Distribution
    Time to reach 10% of nodes (sec)

    View Slide

  43. Practical Challenges: Partial deployment

    View Slide

  44. Narayanan and Möser, 2017
    Date of Invention
    Strength of
    Guarantees
    Dandelion

    View Slide

  45. Take-Home Messages
    1) Bitcoin’s P2P network has poor anonymity.
    2) Moving from trickle to diffusion did not help.
    3) DANDELION may be a lightweight solution for
    certain classes of adversaries.
    https://github.com/dandelion-org/bitcoin
    BIP 156

    View Slide