Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 8D308CAF for ; Sun, 8 Jul 2018 12:51:21 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f41.google.com (mail-oi0-f41.google.com [209.85.218.41]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 12E13334 for ; Sun, 8 Jul 2018 12:51:20 +0000 (UTC) Received: by mail-oi0-f41.google.com with SMTP id c6-v6so31290629oiy.0 for ; Sun, 08 Jul 2018 05:51:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=andrew-cmu-edu.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=XTV+NCf47jgYj8zk9IkU1SKTXGbsWNkJtW8xn1/a2LM=; b=h9cI0iqMye8yFe486QnVUSGHiuNd7L1MeXbNzisbqyAiPvOdzAo85zbNfIGDeT9QFR xMfLsxQ/845/JNWa/q7zA45eYs/i6zeVx5aCNpcEE7AQ3rDgZ+1Exuj9eHxO8cjfLa6t N5B2moaPn42BvwdFR1dciXbp5MjxeUHh5iAMObgwDH8AfXCNtUGrSEGP2sjSdJGuOMq8 TH1IxTA8SwLramduOOWEtscL4Ttyi5zDAn9gFMqUBfnpT8lnQ8ne2Y5wvTcVdjYZ8x+5 QMPj6en2gCVaOCW8LxLsffwFtfc7xDePg0Jo+QNUUImbE3c5IlDWKeag5aiYoGgPt8ha /8CA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=XTV+NCf47jgYj8zk9IkU1SKTXGbsWNkJtW8xn1/a2LM=; b=d0PCXXO/P8je1TuR2xYQOOLFlin3RhZFN/HGv4teEy9dSTPo2E2+Z7OX/cMoQF2XgI 9XuTfIJVUYC7L+/JEYinjq1WT92wdOI8+e1KipAWzAZlcreZQJWLHZ4gdImaB7yMnXt4 8FG1/6Bcn3kNlrtLjT2cXPH7PLCiNKCp5llAr+q0Npx+jr0dDe8xUPjGPCBVHxJPYHMr 58ucojny/juzTyy+aoq0ieZcfX67E5Ka3dCcVZwuv/5P4rUsVRYOxMtXOVbP+xQt1J6D OkUwzCjx39NJrgZTjyFQyqU44Garmrgl1nMtnKkCvnFXQsmFXwykoqGX1TYOFsxOidhz s6nw== X-Gm-Message-State: APt69E2CTqF7Z0U9qy5U86JfJ1ZKtyN3demAiGFnMRrK/iH3VqnVbnZw yxHiIge0MF9IEh7SrTmZalYG79Mq1HA5CCnOYQXzF6yq X-Google-Smtp-Source: AAOMgpdOsuBg6CaWubBmoqB6oHNFp66sAzVki34ynHRgSxNUkoLT6YTlLshSr6JNMQiAhnX6QTsZylE6UUr6y882h38= X-Received: by 2002:aca:2ec9:: with SMTP id u192-v6mr13675885oiu.17.1531054279092; Sun, 08 Jul 2018 05:51:19 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Giulia Fanti Date: Sun, 8 Jul 2018 08:50:43 -0400 Message-ID: To: bitcoin-dev@lists.linuxfoundation.org Content-Type: multipart/alternative; boundary="0000000000006ff6e705707c5af9" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sun, 08 Jul 2018 14:26:30 +0000 Subject: Re: [bitcoin-dev] BIP proposal - Dandelion: Privacy Preserving Transaction Propagation X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Jul 2018 12:51:21 -0000 --0000000000006ff6e705707c5af9 Content-Type: text/plain; charset="UTF-8" Hi Till, Thank you for the comments! Responses are inline: * Could you elaborate on the reasoning behind choosing the periodic route > shuffling interval to be around 10 minutes? I guess that there is some > tradeoff between making intersection attacks possible by choosing a too > small interval, and making graph-learning attacks possible by choosing a > too large interval. Intuitively, this interval should depend on the number > of forwarded Dandelion transactions, because these are the events that leak > information, and not the absolute elapsed time. On the other hand, making > the interval dependent on the number of processed transactions would allow > an active adversary to trigger route shuffling by sending Dandelion > transaction to specific peers, which could enable intersection attacks... > Your intuition is spot-on in the sense that shorter intervals help with intersection attacks, whereas longer ones help with graph learning. On that tradeoff curve, we would recommend favoring graph learning attacks; intersection attacks can be really devastating (with recall tending to 1), whereas graph learning attacks still have limited recall and precision. If we decide to allow graph learning in order to prevent intersection attacks, the natural conclusion would be to use as long a time interval as possible. We are open to changing this time interval; 10 minutes was just a heuristic we proposed at the time of writing. > * Speaking of active adversaries: Adversaries could send a large number of > transactions to selected peers - either by creating the transactions on > their own, or by relaying (Dandelion) transactions observed by the > adversary?s peers to the selected peer. Could this allow the adversary to > launch fingerprinting attacks on the selected peer by comparing the > observed propagation of the transactions relayed through the peer to other > transactions observed? > Yes, this is one of the main ways we envision adversaries potentially learning the graph in practice. > * If an adversary performs a black-hole attack (i.e., drops Dandelion > transactions), and if the adversary is able to identify the diffusion > source, reconstruction of parts of the anonymity graph (i.e., the part > between the diffusion source and the last peer before the black-hole) might > be possible. I understand that the adversary does not gain much from the > knowledge of the anonymity graph, but it nonetheless helps the adversary. > This is also true. Using a small shuffle time interval would help prevent this, but if we go with a longer interval, this approach could certainly help with graph learning. > * Out of personal interest: Inferring Bitcoin?s network topology is hard. > I think it?s wise to assume a strong adversary that has perfect knowledge > of the topology, but can you make any statements on the sensitivity of the > adversary?s precision and recall regarding imperfect topology knowledge? > We only studied what happens when the adversary has full knowledge of the graph and local knowledge (i.e. the spy nodes know their own neighbors, but nothing else). We did not study what happens when the adversary has partial graph knowledge, but that would be an interesting and useful question to look at. > > --Till > > > From: bitcoin-dev-bounces@lists.linuxfoundation.org [mailto: > bitcoin-dev-bounces@lists.linuxfoundation.org] On Behalf Of Bradley Denby > via bitcoin-dev > Sent: Monday, June 4, 2018 10:30 PM > To: bitcoin-dev@lists.linuxfoundation.org > Subject: Re: [bitcoin-dev] BIP proposal - Dandelion: Privacy Preserving > Transaction Propagation > > Hello all, > > We now have an arXiv preprint of our latest findings available, which > provides additional details regarding Dandelion: > https://arxiv.org/pdf/1805.11060.pdf > > Note that Dandelion's precision guarantees are at the population level, > while the recall guarantees can be interpreted as individual guarantees. > Expected recall is equivalent to the probability of an adversary > associating a single transaction with a given source. > > Since these guarantees are probabilistic, a node cannot be sure whether > all of its peers are monitoring it. Dandelion does not protect against > these adversaries, and individuals who are worried about targeted > deanonymization should still use Tor. > > One way to conceptualize Dandelion is as a "public health" fix or an > "anonymity vaccination." Higher adoption leads to greater benefits, even > for those who are not using Tor. Individuals who adopt Dandelion benefit > because their transactions make at least one hop before diffusing (or more > as adoption increases). > > Nevertheless, the probabilistic nature of the guarantees means that they > are not absolute. We have shown that any solution based only on routing > cannot be absolute due to fundamental lower bounds on precision and recall. > > Thank you to Eric Voskuil, Pieter Wuille, Suhas Daftuar, Christian Decker, > and Tim Ruffing for the recent feedback! > > On Thu, May 10, 2018 at 8:59 AM, Bradley Denby wrote: > Hi all, > > We're writing with an update on the Dandelion project. As a reminder, > Dandelion > is a practical, lightweight privacy solution that provides Bitcoin users > formal > anonymity guarantees. While other privacy solutions aim to protect > individual > users, Dandelion protects privacy by limiting the capability of > adversaries to > deanonymize the entire network. > > Bitcoin's transaction spreading protocol is vulnerable to deanonymization > attacks. When a node generates a transaction without Dandelion, it > transmits > that transaction to its peers with independent, exponential delays. This > approach, known as diffusion in academia, allows network adversaries to > link > transactions to IP addresses. > > Dandelion prevents this class of attacks by sending transactions over a > randomly > selected path before diffusion. Transactions travel along this path during > the > "stem phase" and are then diffused during the "fluff phase" (hence the name > Dandelion). We have shown that this routing protocol provides near-optimal > anonymity guarantees among schemes that do not introduce additional > encryption > mechanisms. > > Since the last time we contacted the list, we have: > - Completed additional theoretical analysis and simulations > - Built a working prototype > (https://github.com/mablem8/bitcoin/tree/dandelion) > - Built a test suite for the prototype > ( > https://github.com/mablem8/bitcoin/blob/dandelion/test/functional/p2p_dandelion.py > ) > - Written detailed documentation for the new implementation > ( > https://github.com/mablem8/bips/blob/master/bip-dandelion/dandelion-reference-documentation.pdf > ) > > Among other things, one question we've addressed in our additional > analysis is > how to route messages during the stem phase. For example, if two Dandelion > transactions arrive at a node from different inbound peers, to which > Dandelion > destination(s) should these transactions be sent? We have found that some > choices are much better than others. > > Consider the case in which each Dandelion transaction is forwarded to a > Dandelion destination selected uniformly at random. We have shown that this > approach results in a fingerprint attack allowing network-level botnet > adversaries to achieve total deanonymization of the P2P network after > observing > less than ten transactions per node. > > To avoid this issue, we suggest "per-inbound-edge" routing. Each inbound > peer is > assigned a particular Dandelion destination. Each Dandelion transaction > that > arrives via this peer is forwarded to the same Dandelion destination. > Per-inbound-edge routing breaks the described attack by blocking an > adversary's > ability to construct useful fingerprints. > > This iteration of Dandelion has been tested on our own small network, and > we > would like to get the implementation in front of a wider audience. An > updated > BIP document with further details on motivation, specification, > compatibility, > and implementation is located here: > https://github.com/mablem8/bips/blob/master/bip-dandelion.mediawiki > > We would like to thank the Bitcoin Core developers and Gregory Maxwell in > particular for their insightful comments, which helped to inform this > implementation and some of the follow-up work we conducted. We would also > like > to thank the Mimblewimble development community for coining the term > "stempool," > which we happily adopted for this implementation. > > All the best, > Brad Denby > Andrew Miller > Giulia Fanti > Surya Bakshi > Shaileshh Bojja Venkatakrishnan > Pramod Viswanath > > > ------------------------------ > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > End of bitcoin-dev Digest, Vol 38, Issue 8 > ****************************************** > --0000000000006ff6e705707c5af9 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
=C2=A0Hi Till,=C2=A0
=

Thank you for the comments! Responses are inline:
=

* Could you elaborate on the reasoning behind choosing the periodic route s= huffling interval to be around 10 minutes? I guess that there is some trade= off between making intersection attacks possible by choosing a too small in= terval, and making graph-learning attacks possible by choosing a too large = interval. Intuitively, this interval should depend on the number of forward= ed Dandelion transactions, because these are the events that leak informati= on, and not the absolute elapsed time. On the other hand, making the interv= al dependent on the number of processed transactions would allow an active = adversary to trigger route shuffling by sending Dandelion transaction to sp= ecific peers, which could enable intersection attacks...
Your intuition is spot-on in the sense that shorter intervals help with = intersection attacks, whereas longer ones help with graph learning. On that= tradeoff curve, we would recommend favoring graph learning attacks; inters= ection attacks can be really devastating (with recall tending to 1), wherea= s graph learning attacks still have limited recall and precision. If we dec= ide to allow graph learning in order to prevent intersection attacks, the n= atural conclusion would be to use as long a time interval as possible. We a= re open to changing this time interval; 10 minutes was just a heuristic we = proposed at the time of writing.=C2=A0
=C2=A0
* Speaking of active adversaries: Adversaries could send a large number of = transactions to selected peers - either by creating the transactions on the= ir own, or by relaying (Dandelion) transactions observed by the adversary?s= peers to the selected peer. Could this allow the adversary to launch finge= rprinting attacks on the selected peer by comparing the observed propagatio= n of the transactions relayed through the peer to other transactions observ= ed?
Yes, this is one of the main ways we envision adve= rsaries potentially learning the graph in practice.=C2=A0=C2=A0
= =C2=A0
* If an adversary performs a black-hole attack (i.e., drops Dandelion trans= actions), and if the adversary is able to identify the diffusion source, re= construction of parts of the anonymity graph (i.e., the part between the di= ffusion source and the last peer before the black-hole) might be possible. = I understand that the adversary does not gain much from the knowledge of th= e anonymity graph, but it nonetheless helps the adversary.
=
This is also true. Using a small shuffle time interval=C2=A0 would hel= p prevent this, but if we go with a longer interval, this approach could ce= rtainly help with graph learning.
=C2=A0
* Out of personal interest: Inferring Bitcoin?s network topology is hard. I= think it?s wise to assume a strong adversary that has perfect knowledge of= the topology, but can you make any statements on the sensitivity of the ad= versary?s precision and recall regarding imperfect topology knowledge?
<= /blockquote>
We only studied what happens when the adversary has full k= nowledge of the graph and local knowledge (i.e. the spy nodes know their ow= n neighbors, but nothing else). We did not study what happens when the adve= rsary has partial graph knowledge, but that would be an interesting and use= ful question to look at.
=C2=A0

--Till


From: bitcoin-dev-bounces@lists.linuxfoundation.org [mailto:bitcoin-dev-bounces@lists.linuxfoundation.org] On Behalf Of Bradle= y Denby via bitcoin-dev
Sent: Monday, June 4, 2018 10:30 PM
To: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] BIP proposal - Dandelion: Privacy Preserving Tra= nsaction Propagation

Hello all,

We now have an arXiv preprint of our latest findings available, which provi= des additional details regarding Dandelion: https://arxiv.org/pd= f/1805.11060.pdf

Note that Dandelion's precision guarantees are at the population level,= while the recall guarantees can be interpreted as individual guarantees. E= xpected recall is equivalent to the probability of an adversary associating= a single transaction with a given source.

Since these guarantees are probabilistic, a node cannot be sure whether all= of its peers are monitoring it. Dandelion does not protect against these a= dversaries, and individuals who are worried about targeted deanonymization = should still use Tor.

One way to conceptualize Dandelion is as a "public health" fix or= an "anonymity vaccination." Higher adoption leads to greater ben= efits, even for those who are not using Tor. Individuals who adopt Dandelio= n benefit because their transactions make at least one hop before diffusing= (or more as adoption increases).

Nevertheless, the probabilistic nature of the guarantees means that they ar= e not absolute. We have shown that any solution based only on routing canno= t be absolute due to fundamental lower bounds on precision and recall.

Thank you to Eric Voskuil, Pieter Wuille, Suhas Daftuar, Christian Decker, = and Tim Ruffing for the recent feedback!

On Thu, May 10, 2018 at 8:59 AM, Bradley Denby <bdenby@cmu.edu> wrote:
Hi all,

We're writing with an update on the Dandelion project. As a reminder, D= andelion
is a practical, lightweight privacy solution that provides Bitcoin users fo= rmal
anonymity guarantees. While other privacy solutions aim to protect individu= al
users, Dandelion protects privacy by limiting the capability of adversaries= to
deanonymize the entire network.

Bitcoin's transaction spreading protocol is vulnerable to deanonymizati= on
attacks. When a node generates a transaction without Dandelion, it transmit= s
that transaction to its peers with independent, exponential delays. This approach, known as diffusion in academia, allows network adversaries to lin= k
transactions to IP addresses.

Dandelion prevents this class of attacks by sending transactions over a ran= domly
selected path before diffusion. Transactions travel along this path during = the
"stem phase" and are then diffused during the "fluff phase&q= uot; (hence the name
Dandelion). We have shown that this routing protocol provides near-optimal<= br> anonymity guarantees among schemes that do not introduce additional encrypt= ion
mechanisms.

Since the last time we contacted the list, we have:
=C2=A0- Completed additional theoretical analysis and simulations
=C2=A0- Built a working prototype
=C2=A0 =C2=A0(https://github.com/mablem8/bitcoin/tr= ee/dandelion)
=C2=A0- Built a test suite for the prototype
=C2=A0 =C2=A0(http= s://github.com/mablem8/bitcoin/blob/dandelion/test/functional/p2p_dandelion= .py)
=C2=A0- Written detailed documentation for the new implementation
=C2=A0 =C2=A0(https://github.com/mablem8/bips/blob/master/bip-dandelion/dandelio= n-reference-documentation.pdf)

Among other things, one question we've addressed in our additional anal= ysis is
how to route messages during the stem phase. For example, if two Dandelion<= br> transactions arrive at a node from different inbound peers, to which Dandel= ion
destination(s) should these transactions be sent? We have found that some choices are much better than others.

Consider the case in which each Dandelion transaction is forwarded to a
Dandelion destination selected uniformly at random. We have shown that this=
approach results in a fingerprint attack allowing network-level botnet
adversaries to achieve total deanonymization of the P2P network after obser= ving
less than ten transactions per node.

To avoid this issue, we suggest "per-inbound-edge" routing. Each = inbound peer is
assigned a particular Dandelion destination. Each Dandelion transaction tha= t
arrives via this peer is forwarded to the same Dandelion destination.
Per-inbound-edge routing breaks the described attack by blocking an adversa= ry's
ability to construct useful fingerprints.

This iteration of Dandelion has been tested on our own small network, and w= e
would like to get the implementation in front of a wider audience. An updat= ed
BIP document with further details on motivation, specification, compatibili= ty,
and implementation is located here:
https://github.com/mablem8/bips/b= lob/master/bip-dandelion.mediawiki

We would like to thank the Bitcoin Core developers and Gregory Maxwell in particular for their insightful comments, which helped to inform this
implementation and some of the follow-up work we conducted. We would also l= ike
to thank the Mimblewimble development community for coining the term "= stempool,"
which we happily adopted for this implementation.

All the best,
Brad Denby <bdenby@c= mu.edu>
Andrew Miller <soc1024@illinois.edu>
Giulia Fanti <gfanti@andrew.cmu.edu>
Surya Bakshi <sbakshi3@illinois.edu>
Shaileshh Bojja Venkatakrishnan <shaileshh.bv@gmail.com>
Pramod Viswanath <pramodv@illinois.edu>


------------------------------

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev


End of bitcoin-dev Digest, Vol 38, Issue 8
******************************************
--0000000000006ff6e705707c5af9--