Slide 1

Slide 1 text

Anonymity in the Bitcoin Peer-to-Peer Network Joint work with: Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Brad Denby, Shruti Bhargava, Andrew Miller, Pramod Viswanath Giulia Fanti

Slide 2

Slide 2 text

“Untraceable Bitcoin”

Slide 3

Slide 3 text

This is false.

Slide 4

Slide 4 text

Bitcoin Primer Alice Bob kA kB Transaction kA sends kcoin to kB kcoin Blockchain sd93fjj2 pckrn29 … our transaction

Slide 5

Slide 5 text

Multiple Identities Alice Public Key IP Address Used in the P2P Network Used in the Blockchain Used nowhere

Slide 6

Slide 6 text

How can users be deanonymized? Blockchain Meiklejohn et al., 2013 Ober et al., 2013 Entire transaction histories can be compromised.

Slide 7

Slide 7 text

What about the peer-to-peer network? Public Key IP Address

Slide 8

Slide 8 text

This Talk How to break privacy How to fix it 1) Anonymity Phase 2) Spreading Phase

Slide 9

Slide 9 text

Early attacks • A. Biryukov, D. Khovratovich, I. Pustagurov, “Deanonymisation of clients in Bitcoin P2P network”, CCS 2014 • P. Koshy, D. Koshy, P. McDaniel, “An analysis of anonymity in Bitcoin using P2P network traffic”, Financial Crypto 2014

Slide 10

Slide 10 text

Attacks on the Network Layer Eavesdropper Alice

Slide 11

Slide 11 text

What can go wrong? Eavesdropper Alice

Slide 12

Slide 12 text

What the eavesdropper can do about it 2 Alice 1 3

Slide 13

Slide 13 text

Key Results • Make ≈ 50 connections per node • Between 11-34% of users deanonymized, even behind NAT!

Slide 14

Slide 14 text

Bitcoin Core Responds Trickle (pre-2015) Diffusion (post-2015) (3) (2) (1) (4) exp() exp() exp() exp()

Slide 15

Slide 15 text

Does diffusion provide stronger anonymity than trickle spreading? G. F., P. Viswanath, “Anonymity in the Bitcoin P2P Network”, NeurIPS 2017

Slide 16

Slide 16 text

d-regular trees Eavesdropper Arbitrary number of connections

Slide 17

Slide 17 text

Anonymity Metric , = 2.0 0 = 0.7 2 = 1.1 4 = 1.5 5 = 0.3 (detection|, ) graph timestamps = , 2 … C

Slide 18

Slide 18 text

Estimators First-Spy , = 2.0 0 = 0.7 2 = 1.1 4 = 1.5 5 = 0.3 Maximum- Likelihood (detection|, ) graph timestamps

Slide 19

Slide 19 text

Results: d-Regular Trees Trickle Diffusion First-Timestamp log log Maximum-Likelihood Ω(1) Ω(1) Probability of Detection Degree, d First-timestamp Maximum-Likelihood Intuition: Symmetry outweighs local randomness!

Slide 20

Slide 20 text

Proof sketch (diffusion, max likelihood) Source Not yet received Received Received and reported - Generalized Polya Urns - Concentration of measure

Slide 21

Slide 21 text

Results: Trees Number of Eavesdropper Connections Probability of Detection Diffusion Trickle

Slide 22

Slide 22 text

Results: Bitcoin Graph 0 5 10 15 20 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Trickle, Theoretical lower bound Trickle, Simulated Trickle, Theoretical lower bound (d=2) Diffusion, Theoretical Diffusion, Simulation Probability of Detection Diffusion Trickle Number of Eavesdropper Connections

Slide 23

Slide 23 text

Diffusion does not have (significantly) better anonymity properties than trickle.

Slide 24

Slide 24 text

Redesign Can we fix this problem?

Slide 25

Slide 25 text

First-order solutions Connect through Tor I2P Integration (e.g. Monero) Tor

Slide 26

Slide 26 text

Botnet adversarial model fraction p of spies spies collude honest- but-curious observe all metadata identities unknown

Slide 27

Slide 27 text

Metric for Anonymity Recall Precision 1 J K 1 Ns tx = Mapping User Users Transactions Number honest users Mapping 1 J K 1 Ns tx = # tx mapped to v [Recall] = Probability of Detection

Slide 28

Slide 28 text

Goal: Design a distributed flooding protocol that minimizes the maximum precision and recall achievable by a computationally-unbounded adversary. S. B. Venkatakrishnan, G. F., P. Viswanath, “Dandelion: Redesigning the Bitcoin Network for Anonymity ”, Sigmetrics 2017

Slide 29

Slide 29 text

Fundamental Limits Precision Recall 0 1 1 p p2 Thm: Maximum precision ≥ 2. Thm: Maximum recall ≥ . Fraction of spies

Slide 30

Slide 30 text

What are we looking for? 1 2 3 4 spy Asymmetry Mixing

Slide 31

Slide 31 text

Approximately regular What can we control? Spreading Protocol Topology Dynamicity Static Dynamic How often does the graph change? What is the underlying graph topology? Given a graph, how do we spread content? Diffusion

Slide 32

Slide 32 text

Spreading Protocol: Dandelion 1) Anonymity Phase 2) Spreading Phase

Slide 33

Slide 33 text

Theorem: Dandelion spreading has an optimally low maximum recall of + , C . fraction of spies number of nodes Theorem: Fundamental lower bound = p Why Dandelion spreading?

Slide 34

Slide 34 text

Graph Topology: Line tx1 tx2 Anonymity graph “Regular” graph

Slide 35

Slide 35 text

Dynamicity: High Change the anonymity graph frequently.

Slide 36

Slide 36 text

Line graph DANDELION Network Policy Spreading Protocol Topology Dynamicity Static Dynamic How often does the graph change? What is the anonymity graph topology? Given a graph, how do we spread content? Dandelion Spreading

Slide 37

Slide 37 text

Theorem: DANDELION has a nearly-optimal maximum precision of 2ab ,ca log 2 a + , C .* fraction of spies Theorem: Fundamental lower bound = p2 number of nodes *For < , 4

Slide 38

Slide 38 text

Performance: Achievable Region Flooding Diffusion DANDELION Precision Recall 0 1 1 p p2

Slide 39

Slide 39 text

Why is DANDELION good? Strong mixing properties. Precision:() Precision: a ,ca (1 − ac,) Tree Complete graph Too many leaves Too many paths

Slide 40

Slide 40 text

How practical is this?

Slide 41

Slide 41 text

Latency Overhead: Estimate Information Propagation in the Bitcoin Network, Decker and Wattenhofer, 2013 Time to first transaction sighting (s) PDF

Slide 42

Slide 42 text

Empirical Delay Distribution Time to reach 10% of nodes (sec)

Slide 43

Slide 43 text

Practical Challenges: Partial deployment

Slide 44

Slide 44 text

Narayanan and Möser, 2017 Date of Invention Strength of Guarantees Dandelion

Slide 45

Slide 45 text

Take-Home Messages 1) Bitcoin’s P2P network has poor anonymity. 2) Moving from trickle to diffusion did not help. 3) DANDELION may be a lightweight solution for certain classes of adversaries. https://github.com/dandelion-org/bitcoin BIP 156