mirror of
https://github.com/bitcoin/bips.git
synced 2024-11-19 01:40:05 +01:00
322 lines
17 KiB
Plaintext
322 lines
17 KiB
Plaintext
<pre>
|
||
BIP: 156
|
||
Layer: Peer Services
|
||
Title: Dandelion - Privacy Enhancing Routing
|
||
Author: Brad Denby <bdenby@cmu.edu>
|
||
Andrew Miller <soc1024@illinois.edu>
|
||
Giulia Fanti <gfanti@andrew.cmu.edu>
|
||
Surya Bakshi <sbakshi3@illinois.edu>
|
||
Shaileshh Bojja Venkatakrishnan <shaileshh.bv@gmail.com>
|
||
Pramod Viswanath <pramodv@illinois.edu>
|
||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0156
|
||
Status: Rejected
|
||
Type: Standards Track
|
||
Created: 2017-06-09
|
||
License: CC0-1.0
|
||
</pre>
|
||
|
||
==Abstract==
|
||
|
||
Bitcoin's transaction spreading protocol is vulnerable to deanonymization
|
||
attacks. Dandelion is a transaction routing mechanism that provides formal
|
||
anonymity guarantees against these attacks. When a node generates a transaction
|
||
without Dandelion, it transmits that transaction to its peers with independent,
|
||
exponential delays. This approach, known as diffusion in academia, allows
|
||
network adversaries to link transactions to IP addresses.
|
||
|
||
Dandelion mitigates this class of attacks by sending transactions over a
|
||
randomly selected path before diffusion. Transactions travel along this path
|
||
during the "stem phase" and are then diffused during the "fluff phase" (hence
|
||
Dandelion). We have shown that this routing protocol provides near-optimal
|
||
anonymity guarantees among schemes that do not introduce additional encryption
|
||
mechanisms.
|
||
|
||
==Motivation==
|
||
|
||
Transaction diffusion in Bitcoin is vulnerable to deanonymization attacks.
|
||
Because transactions are sent to peers with independent, exponential delays,
|
||
messages spread through the network in a statistically symmetric manner. This
|
||
pattern allows colluding spy nodes to infer the transaction source. Breaking
|
||
this symmetry prevents the attack. However, we have shown that an adversary with
|
||
knowledge of the network topology can launch a much more effective "fingerprint"
|
||
attack if the symmetry breaking is not done properly.
|
||
|
||
Consider a botnet-style adversary with access to the P2P graph. Botnets of size
|
||
comparable to the Bitcoin P2P network are common and cheap, and these
|
||
adversaries can learn the network structure with probe messages. We have shown
|
||
that such an adversary can achieve total deanonymization of the entire network
|
||
after observing less than ten transactions per node.
|
||
|
||
Dandelion is a practical, lightweight privacy solution that provides the Bitcoin
|
||
network formal anonymity guarantees. While other privacy solutions aim to
|
||
protect individual users, Dandelion protects anonymity by limiting the
|
||
capability of adversaries to deanonymize the entire network.
|
||
|
||
==How Dandelion Works==
|
||
|
||
Dandelion enhances user privacy by sending transactions through an anonymity
|
||
phase before diffusing them throughout the network. At a high level, Dandelion
|
||
enhances privacy by (i) breaking the symmetry of diffusion and (ii) mixing
|
||
transactions by forwarding messages from different sources along the same path.
|
||
|
||
Dandelion routing can be conceptualized in three phases. First, a privacy graph
|
||
is constructed. In practice, this privacy graph is constructed in a fully
|
||
decentralized manner and is a subgraph of the existing Bitcoin P2P network.
|
||
Next, transactions are forwarded along this privacy graph during the "stem
|
||
phase." Finally, messages are broadcast to the network during the "fluff phase"
|
||
using the typical method of diffusion.
|
||
|
||
[[File:bip-0156/1-dandelion.png|framed|center|alt=An illustration of Dandelion routing|Figure 1]]
|
||
Figure 1
|
||
|
||
In order to select the privacy graph in a decentralized manner, each node
|
||
selects a subset of its outbound peers to be Dandelion destinations. Dandelion
|
||
transactions (transactions in their stem phase) that arrive at this node via
|
||
inbound connections are forwarded to these Dandelion destinations.
|
||
|
||
In an ideal setting, we have found that a Hamiltonian circuit provides
|
||
near-optimal privacy guarantees. However, constructing a Hamiltonian circuit
|
||
through the Bitcoin P2P network in a decentralized, trustless manner is not
|
||
feasible. Thus, we recommend that each node select two Dandelion destinations
|
||
uniformly at random without replacement from its list of outbound peers. Our
|
||
tests have shown that this method provides comparable privacy with increased
|
||
robustness.
|
||
|
||
During stem phase routing, there is a question of how to route messages in order
|
||
to protect privacy. For example, if two Dandelion transactions arrive at a node
|
||
from different inbound peers, to which Dandelion destination(s) should these
|
||
transactions be sent? We have found that some choices are much better than
|
||
others.
|
||
|
||
Consider the case in which each Dandelion transaction is forwarded to a
|
||
Dandelion destination selected uniformly at random. This approach results in a
|
||
fingerprint attack allowing network-level botnet adversaries to achieve total
|
||
deanonymization of the P2P network after observing less than ten transactions
|
||
per node.
|
||
|
||
[[File:bip-0156/2-attack.png|framed|center|alt=An illustration of a fingerprint attack|Figure 2]]
|
||
Figure 2
|
||
|
||
During a fingerprint attack, a botnet-style adversary with knowledge of the
|
||
graph structure first simulates transaction propagation. This offline step lets
|
||
the adversary generate fingerprints for each network node. During the online
|
||
attack, the adversary collects transactions at its spy nodes and matches these
|
||
observations to the simulated fingerprints. Our simulations have shown that this
|
||
attack results in devastating, network-wide deanonymization.
|
||
|
||
[[File:bip-0156/3-attack-plot.png|framed|center|alt=A plot illustrating total deanonymization|Figure 3]]
|
||
Figure 3
|
||
|
||
To avoid this issue, we suggest "per-inbound-edge" routing. Each inbound peer is
|
||
assigned a particular Dandelion destination. Each Dandelion transaction that
|
||
arrives via this peer is forwarded to the same Dandelion destination.
|
||
Per-inbound-edge routing breaks the described attack by blocking an adversary's
|
||
ability to construct useful fingerprints. Fingerprints arise when routing
|
||
decisions are made independently per transaction at each node. In this case, two
|
||
transactions from the same node generally take different paths through the
|
||
network. Crucially, this results in multiple, unique data points that are
|
||
aggregated to match with a fingerprint.
|
||
|
||
Dandelion ensures that two transactions from the same node take the same network
|
||
path, limiting adversaries to the far-left of the graph in Figure 3. In other
|
||
words, adversary knowledge is limited to the case of one observed message rather
|
||
than a rich profile of multiple transaction paths. Dandelion also breaks the
|
||
symmetry of diffusion, making the source of the transaction difficult to infer.
|
||
|
||
[[File:bip-0156/4-dandelion-plot.png|framed|center|alt=A plot illustrating limited deanonymization|Figure 4]]
|
||
Figure 4
|
||
|
||
After a transaction has traveled along a Dandelion stem for a random number of
|
||
hops, it transitions into the fluff phase of routing. The transaction is shared
|
||
with the network through the existing process of diffusion. In practice, this
|
||
fluff mechanism is enforced by a weighted coin flip at each node. If the random
|
||
value is below some threshold, the Dandelion transaction is transformed into a
|
||
typical transaction. In our testing, we have chosen a probability of ten percent
|
||
that a given Dandelion transaction enters fluff phase when leaving a given node.
|
||
This value strikes a good balance between stem path length and transaction
|
||
spreading latency.
|
||
|
||
Note that Dandelion's expected precision guarantees are a population-level
|
||
metric, whereas the expected recall guarantees can be interpreted as an
|
||
individual-level metric. Expected recall is equivalent to the probability that
|
||
an adversary associates a single transaction with a given source. These
|
||
guarantees are probabilistic. They do not address scenarios in which a node has
|
||
been eclipsed by other nodes, or when a node is specifically targeted by an
|
||
ISP-like adversary. Individuals who are concerned about targeted deanonymization
|
||
should still use Tor.
|
||
|
||
At a high level, Dandelion is like an "anonymity inoculation" for the public at
|
||
large - including users who are not aware of Bitcoin's privacy issues. Higher
|
||
adoption leads to greater benefits, even for users who do not use Tor. Early
|
||
adopters of Dandelion still receive privacy benefits. In the worst case when no
|
||
neighbors support Dandelion, transactions make at least one hop before
|
||
diffusing. Note that any solution based only on routing cannot be perfectly
|
||
anonymous due to the fundamental lower bounds on precision and recall shown in
|
||
the original Dandelion paper. Dandelion provides near-optimal anonymity
|
||
guarantees among such solutions.
|
||
|
||
==Specification==
|
||
|
||
Dandelion can be specified with a handful of features: Dandelion transaction
|
||
support, Dandelion routing data and logic, periodic Dandelion route shuffling,
|
||
memory pool logic, the fluff mechanism, transaction embargoes, and Dandelion
|
||
transaction logic. Specification details are summarized below.
|
||
|
||
===Dandelion transaction support===
|
||
|
||
During the stem phase, transactions are "Dandelion transactions." When a
|
||
Dandelion transaction enters fluff phase, it becomes a typical Bitcoin
|
||
transaction. Dandelion transactions and typical transactions differ only in
|
||
their <code>NetMsgType</code>.
|
||
|
||
Dandelion (stem phase) transactions MUST be differentiable from typical Bitcoin
|
||
transactions.
|
||
|
||
===Dandelion routing data and logic===
|
||
|
||
Dandelion routing during the stem phase requires notions of inbound peers,
|
||
outbound peers, Dandelion destinations, and Dandelion routes. Inbound peers
|
||
consist of all currently connected peers that initiated the peer connection.
|
||
Outbound peers consist of all currently connected peers that were connected to
|
||
by this node. Dandelion destinations are a subset of outbound peers. The number
|
||
of Dandelion destinations is limited by the
|
||
<code>DANDELION_MAX_DESTINATIONS</code> parameter. In the reference
|
||
implementation, this parameter is set to two. Our tests have shown that this
|
||
value provides both privacy and robustness (see the reference paper for more
|
||
details on the parameter tradeoffs). Dandelion routes are a map of inbound peers
|
||
to Dandelion destinations. Every inbound peer is mapped to a Dandelion
|
||
destination.
|
||
|
||
Note that a Dandelion node may choose a different
|
||
<code>DANDELION_MAX_DESTINATIONS</code> parameter without splitting from the
|
||
privacy graph. When mapping inbound connections to outbound connections for
|
||
Dandelion routes, we implement the following routing logic. First, select a set
|
||
of Dandelion destinations from the set of outbound peers. This set of Dandelion
|
||
destinations is of size less than or equal to
|
||
<code>DANDELION_MAX_DESTINATIONS</code>. For each inbound connection, first
|
||
identify the subset of Dandelion destinations with the least number of routes.
|
||
For example, some subset of Dandelion destinations may be affiliated with zero
|
||
routes while all other Dandelion destinations are affiliated with one or more
|
||
routes. From this subset, select one Dandelion destination uniformly at random.
|
||
Establish a Dandelion route from the inbound connection to this Dandelion
|
||
destination.
|
||
|
||
For a given Dandelion routing epoch, two distinct Dandelion destinations SHOULD
|
||
be selected uniformly at random from the set of outbound connections. All
|
||
Dandelion transactions that arrive via a given inbound connection MUST be
|
||
transmitted to the same Dandelion destination. When choosing a Dandelion
|
||
destination for a given inbound connection, the destination MUST be selected
|
||
uniformly at random from the set of Dandelion destinations with the least number
|
||
of inbound connections mapped to them.
|
||
|
||
===Periodic Dandelion route shuffling===
|
||
|
||
The map of Dandelion routes is cleared and reconstructed every ten minutes on
|
||
average. We have chosen the value of ten minutes heuristically in order to make
|
||
privacy graph learning difficult for adversaries. Note that a Dandelion node may
|
||
choose a different average shuffle time without splitting from the privacy
|
||
graph.
|
||
|
||
Dandelion routes MUST be cleared and reconstructed at random intervals.
|
||
Dandelion routes SHOULD be cleared and reconstructed every ten minutes on
|
||
average.
|
||
|
||
===Memory pool logic===
|
||
|
||
Dandelion transactions are segregated from typical transactions. The
|
||
<code>mempool</code> remains unchanged. Another instance of the
|
||
<code>CTxMemPool</code> class, called the <code>stempool</code>, is used for
|
||
Dandelion transactions. Information flows from <code>mempool</code> to
|
||
<code>stempool</code> in order to ensure proper transaction propagation.
|
||
Information does not flow from <code>stempool</code> to <code>mempool</code>,
|
||
except when a Dandelion transaction fluffs into a typical transaction.
|
||
|
||
When a Dandelion transaction arrives, the transaction MUST be added to the
|
||
stempool and MUST NOT be added to the mempool. When a typical Bitcoin
|
||
transaction arrives, the transaction MUST be added to the mempool and MUST be
|
||
added to the stempool. When a Dandelion transaction fluffs, the transaction MUST
|
||
be added to the mempool.
|
||
|
||
===The fluff mechanism===
|
||
|
||
When relaying a Dandelion transaction along a Dandelion route, there is a 10%
|
||
chance that the Dandelion transaction becomes a typical Bitcoin transaction and
|
||
is therefore relayed via diffusion. In our testing, this value strikes a good
|
||
balance between stem path length and transaction spreading latency. Note that a
|
||
Dandelion node may choose a different chance of fluffing without splitting from
|
||
the privacy graph.
|
||
|
||
When a node prepares to transmit a Dandelion transaction, the node MUST flip a
|
||
biased coin. If the outcome is "Dandelion transaction," then the node MUST
|
||
transmit the transaction to the appropriate Dandelion destination. Otherwise,
|
||
the node MUST convert the Dandelion transaction into a typical Bitcoin
|
||
transaction. A Dandelion transaction SHOULD fluff into a typical Bitcoin
|
||
transaction with a 10% probability.
|
||
|
||
===Transaction embargoes===
|
||
|
||
During the stem phase, transactions are relayed along a single path. If any node
|
||
in this path were to receive the Dandelion transaction and go offline, then the
|
||
transaction would cease to propagate. To increase robustness, every node that
|
||
forwards a Dandelion transaction initializes a timer at the time of reception.
|
||
If the Dandelion transaction does not appear in the memory pool by the time the
|
||
timer expires, then the transaction enters fluff phase and is forwarded via
|
||
diffusion.
|
||
|
||
When a Dandelion transaction arrives, the node MUST set an embargo timer for a
|
||
random time in the future. If the Dandelion transaction arrives as a typical
|
||
Bitcoin transaction, the node MUST cancel the timer. If the timer expires before
|
||
the Dandelion transaction is observed as a typical Bitcoin transaction, then the
|
||
node MUST fluff the Dandelion transaction.
|
||
|
||
===Dandelion transaction logic===
|
||
|
||
The following cases define a node's behavior when receiving network packets
|
||
referencing Dandelion transactions.
|
||
* Receive INV for Dandelion TX: If the peer is inbound and the Dandelion transaction has not been received from this peer, then reply with GETDATA.
|
||
* Receive GETDATA for Dandelion TX: If the peer is not inbound and the Dandelion transaction has been advertised to this peer, then reply with the Dandelion transaction.
|
||
* Receive Dandelion TX: If the peer is inbound, then relay the Dandelion TX to the appropriate Dandelion destination.
|
||
|
||
==Implementation==
|
||
|
||
A reference implementation is available at the following URL:
|
||
https://github.com/dandelion-org/bitcoin/tree/dandelion-feature-commits
|
||
|
||
All features have been compressed into a single commit at the following URL:
|
||
https://github.com/dandelion-org/bitcoin/tree/dandelion
|
||
|
||
==Compatibility==
|
||
|
||
Dandelion does not conflict with existing versions of Bitcoin. A Bitcoin node
|
||
that supports Dandelion appears no differently to Bitcoin nodes running older
|
||
software versions. Bitcoin nodes that support Dandelion can identify feature
|
||
support through a probe message. Obviously, older nodes are not capable of
|
||
Dandelion routing. If a Bitcoin node supporting Dandelion has no peers that also
|
||
support Dandelion, then its behavior naturally decays to that of a Bitcoin node
|
||
without Dandelion support due to the Dandelion transaction embargoes.
|
||
|
||
==Acknowledgements==
|
||
|
||
We would like to thank the Bitcoin Core developers and Gregory Maxwell in
|
||
particular for their insightful comments, which helped to inform this
|
||
implementation and some of the follow-up work we conducted. We would also like
|
||
to thank the Mimblewimble development community for coining the term "stempool,"
|
||
which we happily adopted for this implementation.
|
||
|
||
==References==
|
||
|
||
# An Analysis of Anonymity in Bitcoin Using P2P Network Traffic http://fc14.ifca.ai/papers/fc14_submission_71.pdf
|
||
# Deanonymisation of clients in Bitcoin P2P network https://arxiv.org/abs/1405.7418
|
||
# Discovering Bitcoin’s Public Topology and Influential Nodes https://cs.umd.edu/projects/coinscope/coinscope.pdf
|
||
# (Sigmetrics 2017) Dandelion: Redesigning the Bitcoin Network for Anonymity https://arxiv.org/abs/1701.04439
|
||
# (Sigmetrics 2018) Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees https://arxiv.org/pdf/1805.11060.pdf
|
||
|
||
==Copyright==
|
||
|
||
To the extent possible under law, the author(s) have dedicated all copyright and
|
||
related and neighboring rights to this work to the public domain worldwide. This
|
||
work is distributed without any warranty.
|
||
|
||
You should have received a copy of the CC0 Public Domain Dedication with this
|
||
work. If not, see https://creativecommons.org/publicdomain/zero/1.0/ .
|