Deanonymization in the Bitcoin P2P Network Giulia Fanti and Pramod Viswanath

● What is deanonymization?● Deanonymization simply means that some other node in the network will know

about the transactions made by a particular node in the network.● In bitcoin every node has been given a pseudonym. If the attacker can

associate this pseudonym with the real identity of the user, the privacy of the user would be compromised.

● What did bitcoin community do in 2015 to counter the problem of deanonymization?

● Was it really helpful?

Example of P2P Network in Bitcoin

Anonymity Research resulting in change in protocol● One of the research used a supernode to connect to all active Bitcoin nodes

and listen to the transaction traffic they relay.● They were able to link the IP addresses to Bitcoin pseudonyms with an

accuracy of 30%.● This linkage shocked the bitcoin community and they responded by replacing

the trickle spreading protocol with the diffusion spreading protocol.● The main idea of the paper is to infer that even changing the protocol from

trickle spreading to diffusion spreading would not really affect the anonymity issues of the network.

Modeling

Network Model:

● A P2P network is modelled as a graph G(V,E)● V : Set of all server nodes.● E : Connections between the nodes● Every server can have upto 8 outgoing connections. ● This graph can be modelled as a 16-regular graph.

Spreading Protocols● Each transaction must broadcast in the network● Trickle spreading: It’s a gossip based protocol that chooses its neighbours at

random at every 200 msec. ● The researchers model trickle spreading by considering a simple spreading

protocol, round robin gossip.● In this protocol every node will randomly order its peers who have not

received the message and then send the message in that corresponding order.

● Diffusion Spreading: In diffusion spreading we simply take the exp(𝞴) delay and broadcast the peers with a delay of exp(𝞴)

Adversarial Model

Adversarial Model● The goal of the adversary is to find out the source of the transmitted

message. ● The adversary makes 𝜽 connections with each of the node in the network.● So one block will be received by the adversary 𝜽 *N times.● Let T denote the set of timestamps at which the adversary receives the block

from the nodes.

Source Estimation● Given the observed timestamps T and the graph G, find an estimator M(T,G)

that outputs the true source.● The first time stamp estimator simply means taking the minimum value of the

timestamp and output that particular node whose block came first.● Another estimator is the maximum likelihood estimator MML = arg maxvP(T|G,

v*=v)● The ML estimator depends on the time of estimation t to the extent that T only

contains timestamp up to an instant of time t.

Analysis of Trickle● What is trickle?

First-timestamp Estimator

Maximum Likelihood Estimator

● Terminologies

First-Timestamp

Degree (d)

Connections (Θ)

First Timestamp EstimatorConsider timestamp as T1,T2…. for each node other than the source

Let Tm be the minimum observed timestamp among nodes -> Tm = min(T1,T2….)

If Tm is the minimum then the source will report in T0 which will be less than Tm, probability for that node to report will be P(T0<Tm )

TheoremTheorem:

● Consider a d-regular tree of servers where each node where each node has Θ connections.

● Here we bound by conditioning on the time at which the source reports to the adversary.

● When adversary establishes only one connection i.e Θ = 1, we have fromTaylor expansion of the equation in the theorem as:

● Observation: As degree d increases, likelihood that a source node will be reported to the adversary decreases.

● To learn how tight the bound is simulation were performed and itappeared that the lower bound is tightly bounded.

So increasing the d should reduce the adversary’s probability of detection?

Maximum Likelihood estimatorLet Xv be the timestamp at which the node v receives.

1. With timestamp we can arrange the node in the order which their received, this is called ordering of the nodes.2. Multiple nodes may receive the message simultaneously, so that can be grouped together.3. With the observed timestamp, the adversary can get the set of possible ordering.4. We select the one feasible ordering which satisfy the rules of trickle propagation.

Let T be not the the first time stamp but all the timestamp from each honest servers with Θ connections.

Timestamp rumor centrality: Who is the culprit? From where did the rumour originate? D. Shah and T. Zaman. Detecting sources of computer viruses in networks:It counts the number of feasible ordering originating from each source and we select the most feasible ordering.

TheoremTheorem: Consider a trickle process over a d-regular graph, where each node has Θ connections to the eavesdropper adversary. Any feasible orderings o1 and o2 with respect to observed timestamps T and graph G have the same likelihood.

Observations:

● More the feasible ordering from source the better the likelihood.

How does the timestamp rumour centrality works?

Timestamp rumour centralityIt is message passing algorithm:

● Given T, determine the number of time that node got infected and we do this recursively.● Pass the “feasible times of receipt” from candidate source to the largest feasible infected subtree and prune if it

conflicts with the observed time stamp.● Now, for every node we have count of feasible times. So starting from the leaves we go to source such that we pass

partial ordering and prune the one that do not satisfy trickle propagation.

Paper provides simplified version of timestamp rumor centrality that approaches optimal probabilities of detection as t grows which is called as ball centrality.

Ball Centrality● It checks if the candidate source v has generated each of the object independently. ● We arrange the nodes in order of their timestamp and for each node we also have the observed timestamp. ● After a time t, we run the estimator and the adversary will see t-1 timestamps. Now for each timestamp we draw a

circle of radius Tv -1. ● This bubble or circle represents all the nodes that are close to that node. ● From this we determine the source within the intersection of the bubble.● It is found that the probability of detection approaches a fundamental upper bound exponentially fast.

TheoremTheorem: Consider a trickle spreading process over a d-regular graph of honest servers. In addition, each server has ✓ independent connections to an eavesdropper adversary. The ML probability of detection at time t satisfies the following expression:

Observations:

● Right hand side is always greater than 0.5● Increasing d won’t affect the probability of detection, so adversary can figure out. ● With time t, the upper bound approaches exponentially fast.● So with this estimator, the adversary can achieve its goals.

Analysis of Diffusion● What is diffusion?

First-timestamp Estimator

Centrality-based Estimator

Theorem to prove the First-timestamp estimator● Each node’s infection time is λ = Θ, where Θ > 1.●● For a fixed degree d, the probability of detection is positive t -> ∞● When Θ=1, the probability ~ log(d)/d. Which tends to 0 as d-> ∞● This is same as the trickle protocol.

Centrality-based estimators● The Y(t) is the summation of all the nodes in the

networks that has reported the adversary at time t.● N(t) are the infected nodes in the system.● The value of R(t) is 1, if the node has reported by

time t● The estimator counts the number of nodes that have

reported to the adversary from each of the node’s adjacent subtrees

● It picks a random node from which the number of reporting node is equal in each subtree

Critique● Limitations of inadequate processing power● Simultaneous reporting is rare, so our lower bound is close to the empirical

probability of detection of the first-timestamp estimator● Paper fails to consider network congestion into the probability estimate and

also the delay can cause temporal attack or deanonymity● Paper only describes if the attack is possible or not. It does not give such

example where attacker was able to identify the source.

Key Takeaways ● Diffusion does not improve the situation● Anonymity linked to message transfer

Solutions?● Marlin protocol (https://www.marlin.pro/whitepaper)● Alternative cryptocurrencies (Dash, Monero)● Bitcoin mixing (Möser, Malte. “Anonymity of Bitcoin Transactions An Analysis of Mixing

Services.” (2013).) and Demixing (Younggee Hong, Hyunsoo Kwon, Jihwan Lee, and Junbeom Hur. 2018. A Practical De-mixing Algorithm for Bitcoin Mixing Services. In Proceedings of the 2nd ACM Workshop on Blockchains, Cryptocurrencies, and Contracts (BCC ’18). Association for

Computing Machinery, New York, NY, USA, 15–20. DOI:https://doi.org/10.1145/3205230.3205234)