summaryrefslogtreecommitdiff
path: root/92/bacd311ae83c2fea9b9a83bc4af1fdb51c0f56
blob: fe04eceae68c08cf53e68433569728693fb0771f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
Return-Path: <gmaxwell@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id C577EB65
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 13 Jun 2017 01:00:52 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-vk0-f44.google.com (mail-vk0-f44.google.com
	[209.85.213.44])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id ABBC716C
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 13 Jun 2017 01:00:51 +0000 (UTC)
Received: by mail-vk0-f44.google.com with SMTP id y70so17957597vky.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 12 Jun 2017 18:00:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:sender:in-reply-to:references:from:date:message-id
	:subject:to:cc:content-transfer-encoding;
	bh=U5KOeZkXHaEURzNC6JFS0YZ9aSjQWboptJdEot3IFqI=;
	b=aGIyMl7NPl7IB9UV+zy1AOVjdONQ4o6tHPLyMf6DYkh9ciP1Q2EnckpbbVUhsSlAE5
	TzhGNvSX8UREDM+/3njPyL5DuGX2emrm3Gay6GCJdg5UVI2Ajin7zgsRqjZXtFYhZkit
	xJQpf3Kw6wkgwPV2dw9TRp6DEFNL08uNhlnHKP2HRx3sxjs4guAWLt9+GnUh7Q4MGs9n
	tLodmy7b0Exe7c074nMOHDVZbYLpHwzAcfmrF/ahSVWt3SxA+qpNorpn2mHUNC0A2JT6
	E3Qfpp7p8sRZn06LKvSuquel36WIgODpeuEpM9fKbNlnPOh5lplEWjDCMNceh49VQ0JM
	yZMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
	:date:message-id:subject:to:cc:content-transfer-encoding;
	bh=U5KOeZkXHaEURzNC6JFS0YZ9aSjQWboptJdEot3IFqI=;
	b=pXM1drtrIbmzZ+SSi6NHoOQDJ93QgJsOTcRHNBDypCVOZxBh3ktdnKdr5k+p17GoGV
	+MIGPGqNyuNJ3vcRjm0LLUTrgU5iEco9NQeXBECPcEQ94TS9/OBDEykTAOCt1EyJcEEm
	hp/nH73acr7LYRCjLdCqgRcg2neNZ/nH/ixQrFZNrOc4r+CMVUz5sgZX2wEdhN32qNYE
	jQfSplO/LiSktI1pSjowSwhd4T4G9iJJPlNtBvdHqkKCKTF/qdDI2IFcQQdFd5whkKkU
	3/gTih+Hn0C7kylUbO/c+U+rz96DQY3U4MS2NJtRKA66RuygdpO0LHdV3VtgBJhowwNe
	bNxw==
X-Gm-Message-State: AODbwcBJWuTqJSRy+WzLDlk1b9uD/AogkWLyQUAl1LvRpIjfxJVKhnjA
	0bigVsIEu1u15h/lK2xAT2nFjJVwv5Ts
X-Received: by 10.31.129.17 with SMTP id c17mr22819995vkd.36.1497315650718;
	Mon, 12 Jun 2017 18:00:50 -0700 (PDT)
MIME-Version: 1.0
Sender: gmaxwell@gmail.com
Received: by 10.103.13.7 with HTTP; Mon, 12 Jun 2017 18:00:50 -0700 (PDT)
In-Reply-To: <CAF7tpExcfbB5mvL0nNnSTJxU5eJOeFs2z3Gor9ZXWYxh1szSTg@mail.gmail.com>
References: <CAF7tpExcfbB5mvL0nNnSTJxU5eJOeFs2z3Gor9ZXWYxh1szSTg@mail.gmail.com>
From: Gregory Maxwell <greg@xiph.org>
Date: Tue, 13 Jun 2017 01:00:50 +0000
X-Google-Sender-Auth: 1hiO88YH-ebF8jR0WPiDErFMJEw
Message-ID: <CAAS2fgRAnGMMxKPCaj1SL=z3O2wuGS8nyPrgtGhSpuGgAoVtKg@mail.gmail.com>
To: Andrew Miller <soc1024@illinois.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP proposal - Dandelion: Privacy Preserving
 Transaction Propagation
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 01:00:52 -0000

On Mon, Jun 12, 2017 at 2:46 PM, Andrew Miller via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> Dear bitcoin-dev,
>    We've put together a preliminary implementation and BIP for
> Dandelion, and would love to get your feedback on it. Dandelion is a
> privacy-enhancing modification to Bitcoin's transaction propagation
> mechanism. Its goal is to obscure the original source IP of each
> transaction.

I'm glad to see this out now, so I'm not longer invading the git repo
uninvited. :)

>  - Stronger attacker model: we defend against an attacker that
> actively tries to learn which nodes were involved in the stem phase.
> Our approach is called "Mempool Embargo", meaning a node that receives
> a "stem phase" transaction behaves as though it never heard of it,
> until it receives it again from someone else (or until a random timer
> elapsess).


The description in the BIP appears inadequate:


> That is, Alice will not include the embargoed transaction when responding=
 to MEMPOOL requests, and will not respond to GETDATA requests from another=
 node (Bob) unless Alice previously sent an INV to Bob. The embargo period =
ends as soon as Alice receives an INV advertising the transaction as being =
in fluff mode.

For example, it's not clear if I can query for the existence of a
transaction by sending a conflict.  If this doesn't seem problematic,
consider the case where I, communicating with you over some private
channel, send you a payment inside a payment protocol message. You
announce it to the network and I concurrently send a double spend.
Only nodes that were part of the stem will reject my double spend, so
I just learned a lot about your network location.

It's also appears clear that I can query by sending an inv and
noticing that no getdata arrives.  An example attack in the latter is
that when I get a stem transaction I rapidly INV interrogate the
entire network and by observing who does and doesn't getdata I will
likely learn the entire stem path upto permutation.

The extra network capacity used by getdata-ing a transaction you
already saw via dandelion would be pretty insignificant.

I believe the text should be simplified and clarified so just say:

"With the exception of her behavior towards the peer sending in the
stem transaction and the peer sending out the transaction Alice's
behavior should be indistinguishable from a node which has not seen
the transaction at all until she receives it via ordinary forwarding
or until after the timeout." -- then its up to the implementation to
achieve indistinguishably regardless of what other protocol features
it uses.

> Are there other ways we haven't thought of? We think the alternative
> approach (bypassing mempool entirely) seems even harder to get right,
> and foregoes existing DoS protection.

I think avoiding the is the most sensible way; and from a software
maintenance perspective I expect that anything less will end up
continually suffering from serious information leaks which are hard to
avoid accidentally introducing via other changes.

The primary functionality should be straightforward to implement,
needing just a flag to determine if a transaction would be accepted to
the mempool but for the flag, but which skips actually adding it.

Handling chains of unconfirmed stem transactions is made more
complicated by this and this deserves careful consideration. I'm not
sure if its possible to forward stem children of stem transactions
except via the same stem path as the parent without leaking
information, it seems unlikely.

This approach would mostly take additional complexity from the need to
limit the amplification of double spends. I believe this can be
resolved by maintaining a per-peer map of the not yet expired vin's
consumed by stem fowards sent out via that peer. E.g. vin->{timeout,
feerate}.  Then any new forward via that stem-peer is tested against
that map and suppressed if it it spends a non-timed-out input and
doesn't meet the feerate epsilon for replacement.

Use of the orphan map is not indistinguishable as it is used for block
propagation, and itself also a maintenance burden to make sure
unrelated code is not inadvertently leaking the stem transactions.

> After a random number of hops along the stem, the transaction enters the =
fluff phase,

The BIP is a bit under-specified on this transition, I think-- but I
know how it works from reading the prior implementation (I have not
yet read the new implementation).

The way it works (assuming I'm not confused and it hasn't changed) is
that when a new stem transaction comes in there is a chance that it is
treated as coming in as a normal transaction.

An alternative construction would be that when a stem transaction goes
out there is a random chance that the stem flag is not set (with
suitable adjustment to keep the same expected path length)

For some reason I believe this would be a superior construction, but I
am only able to articulate one clear benefit:  It allows non-dandelion
capable nodes to take on the role of the last stem hop, which I
believe would improve the anonymity set during the transition phase.

Unrelated:

Has any work been given to the fact that dandelion propagation
potentially making to measure properties of the inter-node connection
graph?  e.g.  Say I wish to partition node X by disconnecting all of
its outbound connections, to do that it would be useful to learn whom
is connected to X.  I forward a transaction to X, observe the first
node to fluff it,  then DOS attack that node to take it offline.  Will
I need to DOS attack fewer or more nodes  to get all of X's outbounds
if X supports rapid stem forwarding?