summaryrefslogtreecommitdiff
path: root/5f/28de7a0a8231d602ecdf2c888b9b3ad2fa09d7
blob: 6e2e1e7484b448e4cdc44c8e6ed2e910f10c75f0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
Return-Path: <bdenby@andrew.cmu.edu>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 3C84B1429
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 11 Jun 2018 14:31:14 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-lf0-f44.google.com (mail-lf0-f44.google.com
	[209.85.215.44])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 39AD975A
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 11 Jun 2018 14:31:12 +0000 (UTC)
Received: by mail-lf0-f44.google.com with SMTP id u4-v6so30908069lff.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 11 Jun 2018 07:31:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=cmu-edu.20150623.gappssmtp.com; s=20150623;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to; 
	bh=sA57eUUZXiZIklnWKrtbptP/25SDEmW7Nqv2zCaVyyk=;
	b=dlOPLQ7XyTr5wcwBygaNSed5Za47nJZK+MACXH4GDDGMt/xX0q3nlPQreOREkmnE13
	WM720gewQsXHpIyzP2Z6S0shw+mmdq5JND/pBHJWuT1T+xy8CXcFfVFh60aX8rJzNQ1Q
	z2VZ7DnVqqsg8dgTlcnJFXQSiseM1bnFuik/Ix1vIkxw+jY0mVjhkPE4XF/hmugpx6T1
	sEIxYFEWTkJowduI4LHgeb2kFfMvj/WuXvdaBnd75hpeAdvQ4g8kzY8dKUYAsWbrTLOC
	POJx+ilSNjL+MtD62nlnfkPbzwvEomyR2ajbrXrvPMNTpXOkz8O2EluiKQXLJF28P+vp
	SrWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to;
	bh=sA57eUUZXiZIklnWKrtbptP/25SDEmW7Nqv2zCaVyyk=;
	b=bge8AAsLAFZx8kaCJOllnQEg5z7JSygRj/348XKlIIpJ3fR5vrGwPfklsmlnwGYF6s
	Ynu/SVYDsNuZ4DRdJK0WcXQKnzUluJv9qzoVbpvjxDtQpIQS73V3ANFWSNa/taN8isc8
	CI1WpqImzwnkxmN8tJ3eX+CJvTN3YYLApNCoNOZbLdSnmsIDC53dRvkd9rjod/1+NhvV
	+uFWfwTTRUfHN/Adm3QBMdMl3gLgAJGSEbRyf4KSuvrWBjXNMMGmSebn869oxo0/jv+O
	38fnBp1Wt0h2s70tuLxv+cowm76VvqTslEoP78ktaCZdX7Sqqpn0fM39twpFRu0UqrCU
	kTSQ==
X-Gm-Message-State: APt69E07fTTGoG8gwmy2q+LF6M6+jJwHzOOwue4jwllIANI3G7fz8y+0
	5LM0h7iz1d5eYi3v4Uh62DaG1G8ADjBgAkpEbOGnu/c=
X-Google-Smtp-Source: ADUXVKJCXXCjKJUYugjwA02AabXSc2Slh2FuLpCmPdIXWEuoPoV5BB7IQ7lFK6dsr+F4meWtWzEzkY4FhDNFSNG/RkQ=
X-Received: by 2002:a2e:4149:: with SMTP id
	o70-v6mr12446425lja.3.1528727470330; 
	Mon, 11 Jun 2018 07:31:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:4381:0:0:0:0:0 with HTTP; Mon, 11 Jun 2018 07:31:09
	-0700 (PDT)
In-Reply-To: <CAPg+sBjdTmZ4m5c92CQK5DsU18M=GKgTM-OZZzwgjpE3hqe6=w@mail.gmail.com>
References: <CAGq_bNLvnZcOGU7c-8i7OL-OGAp4N2bX9T5SEROm59YBGL5yzw@mail.gmail.com>
	<CAPg+sBjdTmZ4m5c92CQK5DsU18M=GKgTM-OZZzwgjpE3hqe6=w@mail.gmail.com>
From: Bradley Denby <bdenby@cmu.edu>
Date: Mon, 11 Jun 2018 10:31:09 -0400
Message-ID: <CAGq_bNKj4rA9pzk7CPA0r099PXOy3naNfZsr=MSPpYh08OZ6TQ@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000d3e6c7056e5e995b"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 11 Jun 2018 14:36:48 +0000
Subject: Re: [bitcoin-dev] BIP proposal - Dandelion: Privacy Preserving
 Transaction Propagation
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2018 14:31:14 -0000

--000000000000d3e6c7056e5e995b
Content-Type: text/plain; charset="UTF-8"

Thanks for the comments Pieter!

We can make descriptions for the intended node behaviors more clear in the
BIP.

Regarding interaction with BIPs 37 and 133, we have found that if Dandelion
routing decisions are based on self-reported features, malicious nodes can
often exploit that to launch serious deanonymization attacks. As a result,
we recommend not allowing fee filters from peers to influence the choice of
route. Your suggestion of automatically fluffing is a good solution.
Another (similar) option would be to apply fee filters in the stempool.
This would prevent the tx from propagating in stem phase, so eventually an
embargo timer on the stem will expire and the transaction will fluff. This
is slower than auto-fluffing, but requires (slightly) less code.

Regarding mempool-dependent transactions, the reference implementation adds
any mempool transactions to the stempool but not vice-versa so that the
stempool becomes a superset of the mempool. In other words, information is
free to flow from the mempool to the stempool. Information does not flow
from the stempool to the mempool except when a transaction fluffs. As a
result, a node's stempool should accept and propagate Dandelion
transactions that depend on other unconfirmed normal mempool transactions.
The behavior you described is not intended; if you have any tests
demonstrating this behavior, would you mind sharing them?

Orphans: stem orphans can occur when a node on the stem shuffles its route
between sending dependent transactions. One way to deal with this issue
would be to re-broadcast all previous Dandelion transactions that have not
been fluffed after Dandelion route shuffling. This could add a fair amount
of data and logic. This re-broadcast method also telegraphs the fact that a
Dandelion shuffle has taken place and can result in bursts of transactions
depending on traffic patterns. A second option (which we used in the
reference implementation) is to wait for the fluff phase to begin, at which
point the orphans will be resolved. This should happen within 15 seconds
for most transactions. Do you have any thoughts on which option would be
more palatable? Or if there are other options we have missed?

Regarding preferred connections, we have found that making Dandelion
routing decisions based on claims made by peer nodes can cause problems and
therefore would recommend against biasing the peer selection code.

On the implementation side:

* We apply the same logic to the stempool as the mempool in the reference
implementation. The stempool should remain a superset of the mempool to
allow for proper handling of mempool-dependent transactions.

* We'll take a look at setDandelionInventoryKnown.

* We will look into using scheduler jobs instead of a separate
thread--could you point us towards somewhere else in the code that uses a
scheduler job?

Based on the feedback we have received so far, we are planning to
prioritize writing up a clearer spec for node behavior in the BIP. Does
that seem reasonable, or are there other issues that are more pressing at
this point?

Cheers

On Wed, Jun 6, 2018 at 12:01 AM, Pieter Wuille <pieter.wuille@gmail.com>
wrote:

> On Thu, May 10, 2018 at 5:59 AM, Bradley Denby via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > Hi all,
> >
> > ...
> >
> > This iteration of Dandelion has been tested on our own small network,
> and we
> > would like to get the implementation in front of a wider audience. An
> > updated
> > BIP document with further details on motivation, specification,
> > compatibility,
> > and implementation is located here:
> > https://github.com/mablem8/bips/blob/master/bip-dandelion.mediawiki
>
> Hi Bradley,
>
> thank you for working on this and going as far as implementing the
> entire protocol. It looks like a very well-worked out idea already,
> and its semantics can probably be adopted pretty much as-is. It would
> be very exciting to bring these kinds of privacy improvements to
> Bitcoin's P2P protocol.
>
> I do have a number of comments on the specification and suggested
> implementation in Bitcoin Core. I'm dumping my thoughts here, though
> at this stage the specification is probably more important. The
> implementation can be discussed more thoroughly when there is a PR
> open.
>
> Specification
>
> * Overall, I think it would be worthwhile to describe the intended
> node behavior in the BIP, at a higher level than Bitcoin Core
> patchsets, but more detailed than what is in the BIP now. The
> patch-based descriptions are both hard to read for developers working
> on different systems who are unfamiliar with the Core codebase, and
> don't make it clear to what extent implementation decisions are local
> policy (which can be changed without network coordination), and which
> follow from security or privacy arguments for the protocol.
>
> * Interaction with feefilter (BIP 133) and Bloom filter (BIP 37). When
> peers have given us filters on what transactions they will accept,
> should Dandelion transactions be subject to the same? Should it
> influence the choice of route? One simple possibility is perhaps to
> avoid choosing BIP37 peers as Dandelion routes, and treat transactions
> that do not pass the feefilter for its
> would-be-outgoing-Dandelion-route as an automatic fluff - justified by
> noting that relaying a transaction close to what fee is acceptable to
> the network's mempools is already less likely to get good privacy due
> to reduced chances of propagation.
>
> * Mempool dependant transactions. It looks like the current
> implementation accepts Dandelion transactions which are dependant on
> other Dandelion (stempool) transactions and on confirmed blockchain
> transactions, but not ones that are dependant on other unconfirmed
> normal mempool transactions. Is this intentional, or resulting from a
> difficulty in implementing this? Should the correct behaviour be
> specified, or left free for nodes to decide?
>
> * Orphan transactions. It looks like the current implementation
> assumes no orphan transactions, but in a dynamic network (especially
> with occasionally shuffling of Dandelion routes), I expect that
> sometimes a dependent transaction will go on a different route than
> its parent. Do you have any thoughts about that (even if not addressed
> in a very implementation). Could we have a Dandelion-orphan-pool of
> transactions, similar to the normal mempool has a set of orphan
> transactions?
>
> * Preferred connections. Should we bias the outgoing connection peer
> selection code to prefer Dandelion-capable peers when the number is
> too low?
>
> Implementation
>
> * How do we control the size of the stempool? Should acceptance of a
> transaction to the normal mempool and/or blockchain result in eviction
> of it (and conflicts) from the stempool? The existing code
> intentionally has an upper bound on the size of the mempool to assure
> predictable resource usage - the introduction of the stempool
> shouldn't change that.
>
> * I don't think you need to fully materialize all the routes. Instead,
> you can just maintain a vector of 2 selected Dandelion-supporting
> peers (and if one disconnects, replace just that one with another
> one). To map incoming peers to an index in that list of peers, you can
> use deterministic randomness (see SipHasher in the source code) with
> the incoming node_id as data and a single global secret nonce (chosen
> at startup, and reset on reshuffle).
>
> * setDandelionInventoryKnown looks like it can grow unboundedly. A
> rolling Bloom filter (like used for filterInventoryKnown) is perhaps
> easier to guarantee predictable memory usage for.
>
> * Use a scheduler job instead of a separate thread for shuffling the
> routes (extra threads use unnecessarily large amounts of memory).
>
> * (nit) coding style: doc/developer-notes.md has a number of
> guidelines on coding style you may want to check out.
>
> Cheers,
>
> --
> Pieter
>

--000000000000d3e6c7056e5e995b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Thanks for the comments Pieter!</div><div><br></div><=
div>We can make descriptions for the intended node behaviors more clear in =
the BIP.</div><div><br></div><div>Regarding interaction with BIPs 37 and 13=
3, we have found that if Dandelion routing decisions are based on self-repo=
rted features, malicious nodes can often exploit that to launch serious dea=
nonymization attacks. As a result, we recommend not allowing fee filters fr=
om peers to influence the choice of route. Your suggestion of automatically=
 fluffing is a good solution. Another (similar) option would be to apply fe=
e filters in the stempool. This would prevent the tx from propagating in st=
em phase, so eventually an embargo timer on the stem will expire and the tr=
ansaction will fluff. This is slower than auto-fluffing, but requires (slig=
htly) less code.=C2=A0</div><div><br></div><div>Regarding mempool-dependent=
 transactions, the reference implementation adds any mempool transactions t=
o the stempool but not vice-versa so that the stempool becomes a superset o=
f the mempool. In other words, information is free to flow from the mempool=
 to the stempool. Information does not flow from the stempool to the mempoo=
l except when a transaction fluffs. As a result, a node&#39;s stempool shou=
ld accept and propagate Dandelion transactions that depend on other unconfi=
rmed normal mempool transactions. The behavior you described is not intende=
d; if you have any tests demonstrating this behavior, would you mind sharin=
g them?</div><div><br></div><div>Orphans: stem orphans can occur when a nod=
e on the stem shuffles its route between sending dependent transactions. On=
e way to deal with this issue would be to re-broadcast all previous Dandeli=
on transactions that have not been fluffed after Dandelion route shuffling.=
 This could add a fair amount of data and logic. This re-broadcast method a=
lso telegraphs the fact that a Dandelion shuffle has taken place and can re=
sult in bursts of transactions depending on traffic patterns. A second opti=
on (which we used in the reference implementation) is to wait for the fluff=
 phase to begin, at which point the orphans will be resolved. This should h=
appen within 15 seconds for most transactions. Do you have any thoughts on =
which option would be more palatable? Or if there are other options we have=
 missed?=C2=A0</div><div><br></div><div>Regarding preferred connections, we=
 have found that making Dandelion routing decisions based on claims made by=
 peer nodes can cause problems and therefore would recommend against biasin=
g the peer selection code.</div><div><br></div><div>On the implementation s=
ide:</div><div><br></div><div>* We apply the same logic to the stempool as =
the mempool in the reference implementation. The stempool should remain a s=
uperset of the mempool to allow for proper handling of mempool-dependent tr=
ansactions.=C2=A0</div><div><br></div><div>* We&#39;ll take a look at setDa=
ndelionInventoryKnown.=C2=A0</div><div><br></div><div>* We will look into u=
sing scheduler jobs instead of a separate thread--could you point us toward=
s somewhere else in the code that uses a scheduler job?</div><div><br></div=
><div>Based on the feedback we have received so far, we are planning to pri=
oritize writing up a clearer spec for node behavior in the BIP. Does that s=
eem reasonable, or are there other issues that are more pressing at this po=
int?=C2=A0</div><div><br></div><div>Cheers</div></div><div class=3D"gmail_e=
xtra"><br><div class=3D"gmail_quote">On Wed, Jun 6, 2018 at 12:01 AM, Piete=
r Wuille <span dir=3D"ltr">&lt;<a href=3D"mailto:pieter.wuille@gmail.com" t=
arget=3D"_blank">pieter.wuille@gmail.com</a>&gt;</span> wrote:<br><blockquo=
te class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc so=
lid;padding-left:1ex">On Thu, May 10, 2018 at 5:59 AM, Bradley Denby via bi=
tcoin-dev<br>
&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@li=
sts.<wbr>linuxfoundation.org</a>&gt; wrote:<br>
&gt; Hi all,<br>
&gt;<br>
&gt; ...<br>
<span class=3D"">&gt;<br>
&gt; This iteration of Dandelion has been tested on our own small network, =
and we<br>
&gt; would like to get the implementation in front of a wider audience. An<=
br>
&gt; updated<br>
&gt; BIP document with further details on motivation, specification,<br>
&gt; compatibility,<br>
&gt; and implementation is located here:<br>
&gt; <a href=3D"https://github.com/mablem8/bips/blob/master/bip-dandelion.m=
ediawiki" rel=3D"noreferrer" target=3D"_blank">https://github.com/mablem8/<=
wbr>bips/blob/master/bip-<wbr>dandelion.mediawiki</a><br>
<br>
</span>Hi Bradley,<br>
<br>
thank you for working on this and going as far as implementing the<br>
entire protocol. It looks like a very well-worked out idea already,<br>
and its semantics can probably be adopted pretty much as-is. It would<br>
be very exciting to bring these kinds of privacy improvements to<br>
Bitcoin&#39;s P2P protocol.<br>
<br>
I do have a number of comments on the specification and suggested<br>
implementation in Bitcoin Core. I&#39;m dumping my thoughts here, though<br=
>
at this stage the specification is probably more important. The<br>
implementation can be discussed more thoroughly when there is a PR<br>
open.<br>
<br>
Specification<br>
<br>
* Overall, I think it would be worthwhile to describe the intended<br>
node behavior in the BIP, at a higher level than Bitcoin Core<br>
patchsets, but more detailed than what is in the BIP now. The<br>
patch-based descriptions are both hard to read for developers working<br>
on different systems who are unfamiliar with the Core codebase, and<br>
don&#39;t make it clear to what extent implementation decisions are local<b=
r>
policy (which can be changed without network coordination), and which<br>
follow from security or privacy arguments for the protocol.<br>
<br>
* Interaction with feefilter (BIP 133) and Bloom filter (BIP 37). When<br>
peers have given us filters on what transactions they will accept,<br>
should Dandelion transactions be subject to the same? Should it<br>
influence the choice of route? One simple possibility is perhaps to<br>
avoid choosing BIP37 peers as Dandelion routes, and treat transactions<br>
that do not pass the feefilter for its<br>
would-be-outgoing-Dandelion-<wbr>route as an automatic fluff - justified by=
<br>
noting that relaying a transaction close to what fee is acceptable to<br>
the network&#39;s mempools is already less likely to get good privacy due<b=
r>
to reduced chances of propagation.<br>
<br>
* Mempool dependant transactions. It looks like the current<br>
implementation accepts Dandelion transactions which are dependant on<br>
other Dandelion (stempool) transactions and on confirmed blockchain<br>
transactions, but not ones that are dependant on other unconfirmed<br>
normal mempool transactions. Is this intentional, or resulting from a<br>
difficulty in implementing this? Should the correct behaviour be<br>
specified, or left free for nodes to decide?<br>
<br>
* Orphan transactions. It looks like the current implementation<br>
assumes no orphan transactions, but in a dynamic network (especially<br>
with occasionally shuffling of Dandelion routes), I expect that<br>
sometimes a dependent transaction will go on a different route than<br>
its parent. Do you have any thoughts about that (even if not addressed<br>
in a very implementation). Could we have a Dandelion-orphan-pool of<br>
transactions, similar to the normal mempool has a set of orphan<br>
transactions?<br>
<br>
* Preferred connections. Should we bias the outgoing connection peer<br>
selection code to prefer Dandelion-capable peers when the number is<br>
too low?<br>
<br>
Implementation<br>
<br>
* How do we control the size of the stempool? Should acceptance of a<br>
transaction to the normal mempool and/or blockchain result in eviction<br>
of it (and conflicts) from the stempool? The existing code<br>
intentionally has an upper bound on the size of the mempool to assure<br>
predictable resource usage - the introduction of the stempool<br>
shouldn&#39;t change that.<br>
<br>
* I don&#39;t think you need to fully materialize all the routes. Instead,<=
br>
you can just maintain a vector of 2 selected Dandelion-supporting<br>
peers (and if one disconnects, replace just that one with another<br>
one). To map incoming peers to an index in that list of peers, you can<br>
use deterministic randomness (see SipHasher in the source code) with<br>
the incoming node_id as data and a single global secret nonce (chosen<br>
at startup, and reset on reshuffle).<br>
<br>
* setDandelionInventoryKnown looks like it can grow unboundedly. A<br>
rolling Bloom filter (like used for filterInventoryKnown) is perhaps<br>
easier to guarantee predictable memory usage for.<br>
<br>
* Use a scheduler job instead of a separate thread for shuffling the<br>
routes (extra threads use unnecessarily large amounts of memory).<br>
<br>
* (nit) coding style: doc/developer-notes.md has a number of<br>
guidelines on coding style you may want to check out.<br>
<br>
Cheers,<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
-- <br>
Pieter<br>
</font></span></blockquote></div><br></div>

--000000000000d3e6c7056e5e995b--