Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 7E227DAB for ; Tue, 1 Mar 2016 00:58:01 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ig0-f169.google.com (mail-ig0-f169.google.com [209.85.213.169]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0E2DEED for ; Tue, 1 Mar 2016 00:58:00 +0000 (UTC) Received: by mail-ig0-f169.google.com with SMTP id hb3so7661085igb.0 for ; Mon, 29 Feb 2016 16:57:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-transfer-encoding; bh=yAn/Q+DwpGxHTzTnu/B3BHbeRKa85mh6Ox3xohIeo3U=; b=N7ifgUbRwt547QPwiTVbybmdwL8qaJ4CaYHvBUVxVpzbQkJJWD60AcP2wx73PyFrKT DBodooFnHV6SmqvOlZINxYg5AHJ+afghei/x1yVnxFr4RBLgysD6b+CmDGw9h6UEkKlB oGoV3ry3qG1+gHLiV0wU2M24Cm6YydVkkw/yLOV5Ol+VXrP4mB4AEzG/B/+YE/bWWBXL rR3N/CKcQmGD1u/l3sCXd/Cx+7iBZl9iBWV2JOApcI9tyJd2XewjwuQV8L3TAxx7KawL Y7+MXkpgX8IRch9AkLQfWVpsnyW6DVL4SNWDvKI05C6eM4w0y5ezJhDOguQN7tl49Lvd U6ag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=yAn/Q+DwpGxHTzTnu/B3BHbeRKa85mh6Ox3xohIeo3U=; b=V2PTiYZDju4W9Nhj/2PbqUkvmy31GBub05dmFsIzX338nxaNdu2CcRUM/EV3mxMi5+ iQcSe38A7dpSg+tsIzWK2pRhRFQxToJA/NzrjcNHgleBys2LXBbpFpyxeyN0gvXaD0Ar J+ez87qqG5q0aDbJrD/UiSBZf9PZpkoXnzEmZd8/jAIIgXCNSBcHPXz/wEI4OxUSCb8W F+Tz2vkKPBA6koxB2VW22/JrmW6t+8B1m9d571g99uL/H61PcM6QZfFLZ58ylyWaU6YO 0sAwMx9DwEOpkpbfLPAvQugxltOzFjOVEa8fFedj1giD+lv8wBTblQpoOrvCZPDMwLzO 8VGg== X-Gm-Message-State: AD7BkJKEKoHey2pfVsRF+dSuow2Dj9fUa4xIevziGUKjkJx9wEYmEFDKC1NCLreAVbbtK8yxE0IiUibAWsumMg== MIME-Version: 1.0 X-Received: by 10.50.111.230 with SMTP id il6mr809975igb.66.1456793879446; Mon, 29 Feb 2016 16:57:59 -0800 (PST) Sender: gmaxwell@gmail.com Received: by 10.107.132.75 with HTTP; Mon, 29 Feb 2016 16:57:58 -0800 (PST) In-Reply-To: References: Date: Tue, 1 Mar 2016 00:57:58 +0000 X-Google-Sender-Auth: A3eKNURFCYg6nU-zEDN3twabyyA Message-ID: From: Gregory Maxwell To: Kristov Atlas Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev , wei@openbitcoinprivacyproject.org Subject: Re: [bitcoin-dev] Open Bitcoin Privacy Protect Privacy Questionnaire, Mid-Year 2015 report X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Mar 2016 00:58:01 -0000 Better late than never, I should correct things here. In the future it would probably be more productive to open an issue. Otherwise there is no mechanism for someone to take ownership of a response. On Sun, Aug 30, 2015 at 7:45 PM, Kristov Atlas via bitcoin-dev wrote: >> 1. Does your application take any steps to create ambiguity between >> transactions which unavoidably spend from multiple addresses at the same >> time and intentional mixing transactions? > No, Bitcoin-Qt does not try to make non-mixing transactions look like mix= ing > transactions. >> 2. What algorithms does your application use for ordering inputs an= d >> outputs in a transaction? In particular, how do you handle the change ou= tput >> and do you take into account common practices of other wallet applicatio= ns >> when determining ordering? > > Not yet BIP 69. These notes suggest that outputs are randomized: > https://bitcoin.org/en/release/v0.8.1 The ordering used by Bitcoin-QT is cryptographically randomized. This provides the greatest privacy possible. The BIP 69 recommendation would currently be equally as private if universally used, but today would reduce privacy by making the software more distinguishable. It is unclear if BIP69 will be equal in privacy in the future, because external infrastructure may impose ordering requirements that are incompatible with it. >> 3. Does your application minimize the harmful effects of address >> reuse by spending every spendable input (=E2=80=9Csweeping=E2=80=9D) fro= m an address when a >> transaction is created? > > Unknown >> 4. Does your application fully implement BIP 62? BIP 62 is withdrawn. The useful mechanisms in it for standardness rules are, of course, implemeted in Bitcoin Core-- were invented there, and have been there for years. >> Mixing >> >> 5. If your application supports mixing: It's unclear to me precisely what is meant here. I'll answer broadly. Bitcoin Core is compatible with and can be used with the joinmarket module to include coinjoins. The raw transaction functionality in Bitcoin Core was also created specifically to facilitate coinjoins. Beyond joinmarket there have been several other coinjoin modules created for Bitcoin Core though today JM is by far the most common, This functionality is not directly implemented for a number of reasons including the non-existence of decenteralized tools for this that don't harm the user's privacy in other ways. >> a. What is the average number of participants a user can expect to >> interact with on a typical join transaction? >> b. Does your application attempt to construct join transactions in = a >> way that avoids distinguishing them from non-join transactions? >> c. Does your application perform any kind of reversibility analysis >> on join transactions prior to presenting them to the user for confirmati= on? >> d. Is the mixing technique employed secure against correlation >> attacks by the facilitator, such as a CoinJoin server or off-chain mixin= g >> service? >> e. Is the mixing technique employed secure against theft of funds b= y >> the facilitator or its participants? Skipped as these are specific to the implementation in use. >> Donations >> 6. If your application has a fee or donation to the developers >> feature: > No donation feature last time I checked. >> a. What steps do you take to make the donations indistinguishable >> from regular spend in terms of output sizes and destination addresses? As Kristov noted, Bitcoin Core does not implement anti-features like donati= ons. >> Balance Queries and Tx Broadcasting >> >> 7. Please describe how your application obtains balance information >> in terms of how queries from the user=E2=80=99s device can reveal a conn= ection >> between the addresses in their wallet. >> a. Does the application keep a complete copy of the blockchain >> locally (full node)? > Yes Optionally, but in all cases the user's privacy is indistinguishable from keeping all the data locally. >> b. Does the user=E2=80=99s device provide a filter which matches so= me >> fraction of the blockchain while providing a false positive rate (bloom = or >> prefix filters)? > No, it just downloads the whole blockchain and performs local queries. It would be more correct to say that Bitcoin Core always has the highest possible FP rate. It uses the only currently available tool to avoid leaking private address information to indexing services. As several academic studies have shown, bloom filters are completely inadequate for protecting user privacy. >> i. If so, approximately what fraction of the blockchain does the >> filter match in a default configuration (0% - 100%)? > 100%, unless a user bootstraps downloading the blockchain. Bootstrapping > will potentially limit the user's anonymity set to other people who have > downloaded that bootstrap.dat file. I user that has downloaded a bootstrap.dat is indistinguishable from any other user on the network; their transaction anonymity set is not reduced in any way by doing this. By running bitcoin at all they are distinguished from other people who do not, but thousands of hosts run Bitcoin without even having a wallet. >> c. Does the user=E2=80=99s device query all of their addresses at t= he same >> time? > N/A To be clear: This is N/A because there are no queries that would leak private information about the user's wallet. >> d. Does the user=E2=80=99s device query addresses individually in= a manner >> that does not allow the query responder to correlate queries for differe= nt >> addresses? > No. Just download blocks and processes that information locally. Yes. Because the Bitcoin Core downlaods all information, the third parties cannot correlate responses. >> e. Can users opt to obtain their balance information via Tor (or >> equivalent means)? > If Tor is set up as a SOCKS proxy, you can configure Bitcoin-QT download = the > blockchain and broadcast txs through a single Tor circuit. This can be > configured once before opening Bitcoin-Qt. Bitcoin Core does make remote queries to obtain "balance information", but it can be directed to perform all commmunications via tor, before starting it as noted. >> 8. Does the applications route outgoing transactions independently >> from the manner in which it obtains balance information? Can users opt t= o >> have their transactions submitted to the Bitcoin network via Tor (or an >> equivalent means) independently of how they obtain their balance >> information? > No, you can only configure a single proxy. Bitcoin Core can simultaneously connect to both Tor hidden services and the public IPv4 network for improved partitioning resistance (and has been able to for years). Instead of setting the socks proxy, the user configures onion=3D. As of 0.12 inbound tor HS is also auto-configured by default when tor is installed. >> 9. If your application supports multiple identities/wallets, does >> each one connect to the network as if it were completely independent fro= m >> the other? > > > No built-in support for multiple identities. You can hotswap wallet files= to > crudely simulate this. You'd have to manually change the Tor connection > outside of Bitcoin-Qt to create the effect of making the network connecti= ons > independent. All network connections are independent via Tor by default, no manual change is required there. Separate "identities" do require separate wallets, as noted. >> a. Does the application ever request balance information for >> addresses belonging to multiple identities in the same network query? No it does not and cannot. Freedom from this kind of leak is one of the benefits of the current design that doesn't allow intermixing "identities" in wallets. > Blocks are downloaded and tx broadcasts received/relayed rather than > querying the utxo set for a particular address. When swapping between wal= let > files, some information may be leaked e.g. the client may be at the same > block height in terms of what it has downloaded from the p2p network, whi= ch > may leak to global passive adversaries/AS's or sybil attackers the fact t= hat > a single client was used for multiple wallets. However, unlikely most other wallets, Bitcoin nodes forward transactions for third parties and do not make external queries for private information. Because of this the ability to correlate a particular node connection multiple times does not necessarily leak anything about wallet usage. >> b. Are outgoing transactions from multiple identities routed >> independently of each other to the Bitcoin network? > > Transactions from multiple identities would not be routed at the same tim= e. > I'm not clear what happens if you have a single wallet (identity) open an= d > then open a new wallet (identity) without closing Bitcoin-Qt -- some of t= he > same routing paths may still be used such that an attacker might observe > transactions broadast signed by private keys from multiple wallets > (identities) and observe that they appear to come from the same wallet > client. OBPP should assume the worst unless prevented contrary evidence. This assumption is incorrect. All the private wallet state is stored in the wallet. If the wallet is changed the node does know any of them anymore. There is no ability to open a new wallet without restarting the software. That said, Bitcoin Core normally relays transactions for third parties-- unlikely virtually all other wallets. This means that where observation of a transaction from another wallet would give a nearly guaranteed identification that the system on the other end of the link is the source, with Bitcoin Core sending a transaction is merely potentially suggestive of origination. >> c. When an identity/wallet is deleted, does the deletion process >> eliminate all evidence from the user's device that the wallet was previo= usly >> installed? > Identity is primarily tied to a wallet.dat file. Deleting it will remove > most of the evidence that the wallet was installed on that device, but th= ere > may be some extra information in ancillary files that should also be > deleted. This is an OS-level function, as there is no operation built in= to > the client to delete a wallet file (identity). After review and testing we've determined that reliable deletion of private data is not very feasible on current hardware/OSes. Techniques which used to work, like overwriting are defeated by write balancing. We recommend users use OS level encryption to protect their privacy locally. >> Network Privacy >> 10. When a user performs a backup operation for their wallet, does >> this generate any automatic network activity, such as a web query or ema= il? > No. Backups are local, and no email or SMS is linked. No web queries rela= ted > to backup. Right. >> 11. Does your application perform any lookup external to the user=E2= =80=99s >> device related to identifying transaction senders or recipients? > No Not for normal transactions. Bitcoin Core currently supports payment URIs and BIP70, and if a user follows a payment URI it may instruct the user to make a connection to a location requested by the payee. >> 12. Does you application connect to known endpoints which would be >> visible to an ISP, such as your domain? > Yes, some connections to known p2p full nodes to bootstrap the connection= to > the Bitcoin p2p network. This is configurable, but there are defaults. An > ISP is likely to be able to identify a customer as running the Bitcoin-Qt > client in particular on this basis. Kind of. If a Bitcoin Core node already knows of peers through prior operation and is able to get at least two network connections within 11 seconds, it will make no further queries. If a node is completely new and hasn't been otherwise configured; it will perform four DNS queries to determine lists of candidate nodes. These queries are frequently answered by caching name servers and do not go all the way back to their origins. Only if both of these step fail does it consult a hardcoded list of several hundred nodes to attempt initialization. That said, Bitcoin traffic is easily identifiable regardless of how peers are found. We recommend users run Tor, and if tor is used no identifiable traffic should happen, except for timing/volume analysis. And many parties run Bitcoin Core nodes without running wallets; so the use of Bitcoin does not identify a user as even having a wallet at all. >> 13. If your application connects directly to nodes in the Bitcoin P2= P >> network, does it either use an unremarkable user agent string (Bitcoin C= ore. >> BitcoinJ, etc), or randomize its user agent on each connection? > > > BIP12 specifies format for user agents: > https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki > > It appears that the Bitcoin-QT leaks specific information about its clien= t > version through User Agent. This file defines the current client version: > https://github.com/bitcoin/bitcoin/blob/55294a9fb673ab0a7c99b9c18279fe12a= 5a07890/src/clientversion.h > > Various other files seem to use this to build up the UA string, which is > transmitted to other peers. Bitcoin Core is this questions _definition_ of an unremarkable useragent. But yes, the useragent notes the major/minor version. Concealing this would have little to no privacy advantage, as functional/behavioral analysis would easily reveal the version with at least that level of precision. >> 14. Does the application uninstall process for your application >> eliminate all evidence from the user's device that the application was >> previously installed? Does it also eliminate wallet data? > Probably depends on the platform. Last time I checked, I think Bitcoin-Qt > leaves behind a .bitcoin directory on most platforms even after you run a= n > uninstall script. If uninstall deleted the wallet it would reliably result in massive funds loss for users. To conceal their user of Bitcoin users should at a minimum do a security erase of their system. Other wallets who claim to "delete" private information which was previously stored on disk are likely giving their users a false sense of security. Doubly so in that many other wallets are written in dynamic lanaguages which make it impossible to prevent highly secret data from being written to system swap. >> 15. Does your application use techniques such as steganography to >> store persistent wallet metadata in a form not identifiable as belong to= a >> Bitcoin wallet application? > No I believe any software which claimed to do this would have to meet a rather high burden of proof. >> 16. Please describe the degree to which users can use passwords/PINs >> to protect their data: >> a. Can the user set a password/PIN to protect their private keys? > You can encrypt the wallet file with a password. The wallet is "locked" > until the password is entered, preventing decryption of the private keys. Correct. And unlike some other Wallets the KDF used to harden the users key takes 100ms with efficient native code; this substantially limits attacker brute for performance. >> b. Can the user set a password/PIN to protect their public keys and >> balance information? > No -- any wallet.dat file can be opened and the public keys inspected > without the password. >> c. Can the user set a password/PIN to encrypt other wallet metadata= , >> such as address books and transaction notes? > No -- any wallet.dat file can be opened and the metadata inspected withou= t > the password. We recommend users use full disk encryption. Encrypting the public data in the wallet would require the wallet to enter their key at every use and increase the probability that their key was leaked (or if two keys were used, that they'd forget their spending key). Even if the public key information were encrypted, other data on their computer (browser cache, swap, logs) would likely compromise the user's privacy, thus the full disk encryption recommendation. Full disk encryption is a common, easily used tool; and I don't believe any wallet software that stores data locally can provide strong privacy in practice without it. >> d. Does the application use a single password/PIN to cover all >> protected data, or does it allow the use of multiple passwords/PINs? > A single password for the wallet file. Right. Each wallet file can have it's own single password which protect spending. >> 17. Do you as a wallet provider ever have access to unencrypted copi= es >> of the user=E2=80=99s private keys, public keys, or any other wallet met= adata which >> may be used to associate a user with their transactions or balances? > No custodianship. Right. >> Telemetry Data >> 18. If your application reports telemetry data, such as usage >> information or automatic crash reporting, does the user have the opportu= nity >> to review and approve all information transmitted before it is sent? > No obvious telemetry data being sent. No telemetry data. >> Source Code and Building >> 19. Can a user of your application compile the application themselve= s >> in a manner that produces a binary version identical to the version you >> distribute (deterministic build system)? Yes, and a large portion of our user base does their own builds. Our determinstic build process is also actively audited by a good dozen parties who post cryptographic signatures of their duplicated builds.