Twistedpair: Towards Practical Anonymity in the Bitcoin P2P Network

TwistedPair: Towards Practical Anonymity in the Bitcoin P2P Network

Abstract—Recent work has demonstrated significant anonymity vulnerabilities in Bitcoin’s networking stack. In particular, the current mechanism for broadcasting Bitcoin transactions allows third-party observers to link transactions to the IP addresses that originated them. This lays the groundwork for low-cost, large-scale deanonymization attacks. In this Fig. 1: Supernodes can observe flooding metadata to infer work, we present TwistedPair, a first-principles, theoretically- which node was the source of a transaction message (tx). justified defense against large-scale deanonymization attacks. TwistedPair is lightweight, scalable, and completely interoperable with the existing Bitcoin network. We evaluate TwistedPair through experiments on Bitcoin’s mainnet to demonstrate with an overview of Bitcoin’s P2P network, and explain why its interoperability with the current network, as well as low it enables deanonymization attacks. broadcast latency overhead. A. Bitcoin’s P2P Network I. INTRODUCTION Bitcoin nodes are connected over a P2P network of TCP links. This network is used to communicate transactions, the Anonymity is an important property for a financial system, blockchain, and control packets, and it plays a crucial role in especially given the often-sensitive nature of transactions [15]. maintaining the network’s consistency. Each peer is identified Unfortunately, the anonymity protections in Bitcoin and similar by its (IP address, port) combination. Whenever a node gen cryptocurrencies can be fragile. This is largely because Bitcoin erates a transaction, it broadcasts a record of the transaction users are identified by cryptographic pseudonyms (a user can over the P2P network; critically, transaction messages do not have multiple pseudonyms). When a user Alice wishes to include the sender’s IP address—only their pseudonym. Since transfer funds to another user Bob, she generates a transaction the network is not fully-connected, transactions are relayed message that includes Alice’s pseudonym, the quantity of funds according to epidemic flooding [37]. This ensures that all transferred, the prior transaction from which these funds are nodes receive the transaction and can add it to the blockchain. drawn, and a reference to Bob’s pseudonym [35]. The system- Hence, the broadcasting of transactions enables the network to wide sequence of transactions is recorded in a public, append- learn about transactions quickly and reliably. only ledger known as the blockchain. The public nature of the blockchain means that users only remain anonymous as long However, the broadcasting of transactions can also have as their pseudonyms cannot be linked to their true identities. negative anonymity repercussions. The statistical symmetry of Bitcoin’s current broadcasting mechanism spreads content This mandate has proved challenging to uphold in practice. isotropically over the graph; this allows adversarial peers Several vulnerabilities have enabled researchers, law enforce who observe the spreading dynamics of a given transaction ment, and possibly others to partially deanonymize users [12]. to infer the source IP of each transaction. For example, in Publicized attacks have so far included: (1) linking different recent attacks [10], [28], researchers launched a supernode public keys that belong to the same user [31], (2) associating that connected to all nodes in the P2P network (Figure 1), users’ public keys with their IP addresses [10], [28], and in and logged all observed traffic. This allowed the supernode some cases, (3) linking public keys to human identities [21]. to observe the spread of each transaction over the network Such deanonymization exploits tend to be cheap, easy, and over time, and ultimately infer the source IP. Since transaction scalable [31], [10], [28]. messages include the sender’s pseudonym, the supernodes were able to deanonymize users, or link their pseudonyms to Although researchers have traditionally focused on the an IP address [10], [28]. Such deanonymization attacks are privacy implications of the blockchain [36], [41], [31], we problematic because of Bitcoin’s transparency: once a user is are interested in lower-layer vulnerabilities that emerge from deanonymized, her other transactions can often be linked, even Bitcoin’s peer-to-peer (P2P) network. Recent work has demon if she creates fresh pseudonyms for each transaction [31]. strated P2P-layer anonymity vulnerabilities that allow trans actions to to be linked to users’ IP addresses with accu There have been recent proposals for mitigating these racies up to 30% [10], [28]. Understanding how to patch vulnerabilities, included broadcasting protocols that reduce the these vulnerabilities without harming utility remains an open symmetry of epidemic flooding. Bitcoin Core [5], the most question. The goal of our work is to propose a practical, commonly-used Bitcoin implementation, adopted a protocol lightweight modification to Bitcoin’s networking stack that called diffusion, where each node spreads transactions with provides theoretical anonymity guarantees against the types independent, exponential delays to its neighbors on the P2P of attacks demonstrated in [10], [28], and others. We begin graph. Diffusion is still in use today. However, proposed solutions (including diffusion) tend to be heuristic, and recent suggesting that transactions by the same user can be linked, work shows that they do not provide sufficient anonymity even if the user adopts different addresses [31]. In response, protection [19]. Other proposed solutions offer theoretical researchers proposed alternative cryptocurrencies and/or tum anonymity guarantees [13], but do so under idealistic assump blers that provide anonymity at the blockchain level [29], tions that are unlikely to hold in practice. The aim of this [4], [43], [42], [25], [26]. It was not until 2014 that re work is to propose a broadcasting mechanism that (a) provides searchers turned to the P2P network, showing that regardless provable anonymity guarantees under realistic adversarial and of blockchain implementation, users can be deanonymized network assumptions, and (b) does not harm the network’s by network attackers [28], [10], [11], [19]. In some cases broadcasting robustness or latency. We do this by revisiting researchers were able to link transactions to IP addresses the DANDELION system proposed in [13], and redesigning it with accuracies up to 30% [10]. These attacks proceeded by to withstand a variety of practical threats. connecting a supernode to a majority of active Bitcoin server nodes. More recently, [8] demonstrated the serious anonymity B. Contributions and routing risks posed by an AS-level attacker. These papers suggest a need for networking protocols that defend against The main contributions of this paper are threefold: deanonymization attacks. (1) We identify several key idealistic assumptions made by Anonymous communication for P2P/overlay networks has DANDELION [13], and show how anonymity is degraded when been an active research topic for decades. Most work relies on those assumptions are violated. In particular, [13] assumes an two ideas: randomized routing (e.g., onion routing, Chaumian honest-but-curious adversary that has limited knowledge of mixes) and/or dining cryptographer (DC) networks. Systems the P2P graph topology and only observes one transaction that use DC nets [14] are typically designed for broadcast per node. If adversaries are instead malicious and collect communication, which is our application of interest. However, more information over time, we show that they are able to DC nets are known to be inefficient and brittle [24]. Proposed arbitrarily weaken the anonymity guarantees of [13] through systems [23], [49], [16], [48] improved these properties sig a combination of attacks, including side information, graph nificantly, but DC networks never became scalable enough to manipulation, black hole, and intersection attacks. enjoy widespread adoption in practice. (2) We propose a new protocol called TWISTEDPAIR1 that Systems based on randomized routing are generally more subtly changes most of the implementation choices of DAN efficient, but focus on point-to-point communication (though DELION, from the graph topology to the randomization mech these tools can be adapted for broadcast communication). Early anisms for message forwarding. Mathematically, these (rel works like Crowds [40], Tarzan [20], and P5 [45] paved the atively small) algorithmic changes completely change the way for later practical systems, such as Tor [18] and I2P anonymity analysis by exponentially augmenting the problem [50], as well as recent proposals like Drac [17], Pisces [34], state space. Using analytical tools from the theory of Galton- and Vuvuzela [46]. Our work differs from this body of work Watson trees and random processes over graphs, we show that along two principal axes: (1) usage goals, and (2) analysis TWISTEDPAIR offers significant anonymity gains over DAN metrics/results. DELION, both theoretically and in simulation, when adversaries (1) Usage goals. have stronger capabilities. TWISTEDPAIR is currently being Among tools with real-world adoption, Tor considered for integration in Bitcoin Core.2 [18] is the most prominent; privacy-conscious Bitcoin users frequently use it to anonymize transmissions. However, Tor (3) We demonstrate the practical feasibility of TWISTED requires users to route their network traffic through a third- PAIR by evaluating an implementation on Bitcoin’s main- party service; this is neither a scalable nor adequate solution net. We show that TWISTEDPAIR does not increase latency for users who are unaware of Bitcoin’s privacy vulnerabilities. significantly compared to current methods for broadcasting Our goal is instead to propose internal solutions that can be transactions, and it is robust to node failures and misbehavior. implemented within the cryptocurrency itself. In this vein, I2P is an onion-routing overlay that is implemented within P2P The paper is structured as follows: in §II, we discuss rele networks [50]; the altcoin Monero currently is integrating I2P vant work on anonymity in cryptocurrencies and P2P networks. with its network. While this may be a workable long-term solu In §III, we present our adversarial model, which is based on tion, cryptographic routing protocols are complex and difficult prior attacks in the literature. §II presents DANDELION in to implement correctly; Monero has been implementing I2P for more detail; in §IV, we analyze DANDELION’s weaknesses, at least four years [3] with no clear end in sight [6], and none and propose TWISTEDPAIR as an alternative. We present of the other major cryptocurrency wallets (Bitcoin, Ethereum, experimental evaluation results for TWISTEDPAIR in §V, and Ripple) have announced plans to integrate anonymized routing. discuss the implications of these results in §VI. Hence, there is a need for simple, lightweight solutions.

II. RELATED WORK (2) Analysis. The differences in analysis are more subtle. Many of the above systems include theoretical analysis, but The anonymity properties of cryptocurrencies have been none provide optimality guarantees. Moreover, they analyze studied extensively. Several papers have exploited anonymity per-user metrics, such as probability of linkage [40], [20], vulnerabilities in the blockchain [7], [39], [36], [41], [31], [46]. This metric overlooks the fact that adversaries often use data from many users to execute joint deanonymization. We 1The name TWISTEDPAIR is derived from a twisted pair cable, which resembles the proposed spreading pattern. are interested in the (mathematically more complex) problem 2Bitcoin Core is a Bitcoin wallet used by over 70% of active nodes. The of population-level deanonymization using all data available name TWISTEDPAIR has been altered for anonymous review. to the adversary. Finally, the protocols of prior work may

2 appear similar, but the corresponding anonymity analyses and deanonymize honest users.3 guarantees are significantly different. We assume adversaries are interested in simultaneously The most relevant solution to our problem is a recent pro deanonymizing all the users in the network from observed posal called DANDELION [13], which uses statistical obfusca information. This is distinct from a setting where adversaries tion to provide anonymity against distributed, resource-limited seek to deanonymize specific users. While the latter is a adversaries (pseudocode in Appendix A). DANDELION prop more common, well-studied problem [12], [11], [7], typical agates transactions in two phases: (i) an anonymity (or stem) solutions tend to require hosts to change their behavior, e.g. phase, and (ii) a spreading (or fluff ) phase. In the anonymity by adopting a new cryptocurrency. Our goal is to provide a phase, each message is passed to a single, randomly-chosen (weaker) network-wide anonymity that does not require users neighbor in an anonymity graph H (this graph can be an to change behavior. While this approach will not stop targeted overlay of the P2P graph G). This propagation continues for a attacks, it does provide a first line of defense against broad geometric number of hops with parameter q. However, unlike deanonymization attacks that are currently eminently feasible. prior work, different users forward their transactions along Note that recent work on ISP- or AS-level adversaries [8] the same anonymity graph H, which is chosen as a directed can be modeled as a special case of this botnet adversary, cycle in [13]. In the spreading phase, messages are rapidly except edges rather than nodes are corrupted. This adversary is flooded over the P2P network G via diffusion, just as in today’s outside the scope of this paper, but the topic is of great interest, Bitcoin network. DANDELION periodically re-randomizes the and we expect that the intuitions developed in this paper may line graph, so the adversaries’ knowledge of the graph is be useful for defending against such an adversary. In §VI, we assumed to be limited to their immediate neighborhood. discuss the compatibility of our proposed methods with the countermeasures proposed in [8] for large-scale adversaries. Under these conditions, DANDELION exhibits near-optimal anonymity guarantees under a joint-deanonymization model [13]. As mentioned earlier, DANDELION’s guarantees are B. Anonymity Metrics: Precision and Recall based on very restrictive adversarial assumptions. Our work The adversary’s goal is to associate transactions with users’ illustrates DANDELION’s fragility to basic Byzantine attacks IP addresses through some association map. This association and proposes a scheme that is robust to Byzantine intersection map can be interpreted as a classifier that classifies each attacks. This relaxation requires completely new analysis, transaction (and its corresponding metadata) to an IP address. which is the theoretical contribution of this paper. Hence an adversary’s deanonymization capabilities can be measured by evaluating the adversary’s associated classifier. We adopt a common metric for classifiers: precision and recall. III. MODEL Let VH denote the set of all IP addresses of honest peers A. Adversary in the network. To begin, we will assume that each peer in v ∈ VH performs exactly one transaction Xv . We relax this The adversaries studied in prior work exhibit two basic assumption in §IV-B. Let X = ∪v∈V Xv denote the set of capabilities: creating nodes and creating outbound connec H all transactions. Assuming VH is known to the adversary, let tions to other nodes. At one extreme, a single supernode M : X → VH denote the adversary’s map from transaction can establish outbound connections to every node in the x ∈ X to IP address M(x) ∈ VH . The precision and recall of network; this resembles recent attacks on the Bitcoin P2P M at any honest peer v ∈ VH are given, respectively, by network [10], [28] and related measurement tools [27], [33]. J(M(X ) = v) At the other extreme is a botnet with many honest-but-curious D(v) = v (1) nodes, each of which creates few outbound edges according J(M(X ) = v) u∈VH u to protocol. This captures the adversarial model in [13] and R(v) = J(M(Xv) = v), (2) botnets observed in Bitcoin’s P2P network [30]. In this paper, we combine both models: a botnet adversary that can corrupt where J(·) denotes the indicator function. Precision (denoted some fraction of Bitcoin nodes and establish arbitrarily many D(v)) measures accuracy by normalizing against the number outbound connections. of transactions associated with v. A large number of transac tions mapped to v implies a greater plausible deniability for v. We model the botnet adversary as a set of colluding hosts Recall (denoted R(v)) measures the accuracy or completeness spread over the network. Out of n total peers in the network, of the mapping. We define the average precision and recall for e e we assume a fraction p (i.e., np peers) are malicious. The v∈V D(v) v∈V R(v) the network as D = H and R = H . In our botnet seeks to link transactions and their associated public |VH | |VH | keys with the IP addresses of the hosts generating those theoretical analyses under a probabilistic model (see §III-C), transactions. The adversarial hosts (or spies) need not follow we will be interested in the expected values of these quantities, protocol. Spies can generate as many outbound edges as they denoted by D and R, respectively. want, to whichever nodes they choose; however, they cannot force honest nodes to create outbound edges to spies. The C. Transaction and Network Model spies perform IP address deanonymization by observing the We follow the probabilistic network model of [13, §2]. transaction propagation patterns in the network. Adversaries Let V denote the set of IP addresses of current honest log transaction information including, timestamps, sending H hosts, and other control packets. This information, together 3Honest users are Bitcoin hosts that are not part of the adversarial botnet. with global knowledge (e.g., network structure) is used to We assume honest users follow the specified protocols without deviations.

3 Algorithm 1: APPROXIMATE 2η-REGULAR GRAPH simple-yet-robust first-spy estimator, used in [10], [28]. The first-spy estimator outputs the first honest node to deliver a Input: Set V = {v , v , . . . , v } of nodes; 1 2 n given transaction to the adversary as the source. Output: A connected, directed graph G(V, E) with average degree 2η for v ← V do IV. TWISTEDPAIR /* pick η random targets */ DANDELION’s theoretical anonymity guarantees only hold N ← ∅ under three, idealized assumptions: (1) all nodes obey protocol, for i ← {1, . . . , η} do (2) each node generates exactly one transaction, (3) all Bitcoin e ∼ Unif(V \ {v} \ N) nodes run DANDELION. None of these assumptions necessarily N ← N ∪ {e} holds in practice. In this section, we show how DANDELION’s end anonymity properties break when the assumptions are violated, / make connections / * * and propose a new solution called TWISTEDPAIR that ad E = E ∪ {(v → u), u ∈ N} dresses these concerns. TWISTEDPAIR passes transactions over end intertwined paths, or ‘cables’, before diffusing to the network return G(V, E) (Fig. 2).

users in the network, Xv the message from user v ∈ VH and X the set of all transaction messages. Let n˜ = |VH | denote the number of honest peers; let the sets VH and X be known to the adversaries. We assume a uniform prior on Fig. 2: TWISTEDPAIR forwards messages over one of two in

Xv over the set X , i.e., the ordered tuple (Xv1 ,Xv2 ,...,Xvn˜ ) tertwined lines (‘cables’) on a 4-regular graph, then broadcasts is a uniform random permutation of messages in X where using diffusion. Here, tx propagates over the blue solid cable. VH = {v1, v2, . . . , vn˜ }. We also assume transaction times are unknown to the adversary. This section is structured according to Table I. The weak We model the Bitcoin network as a directed graph G(V, E) adversarial model in [13] enables five distinct attacks: graph where the vertices V = VH ∪ VA comprise honest peers VH learning attacks, intersection attacks, graph construction at and adversarial peers VA. The edges E correspond to TCP tacks, black hole attacks, and deployment attacks. For each links between peers in the network. Although these links are attack, we first demonstrate its impact on anonymity (and/or technically bidirectional, the Bitcoin network treats them as robustness); in many cases, these effects can lead to arbi directed. An outbound link from Alice to Bob is one that Alice trarily high deanonymization accuracies. Next, we propose initiated (and vice versa for inbound links); we also refer to the lightweight implementation changes to mitigate this threat, and tail node of an edge as the one that originated the connection. justify these choices with theoretical analysis and simulations. To construct the Bitcoin network, each node establishes We adopt the same ‘stem phase’ and ‘fluff phase’ terminology up to eight outbound connections, and maintains up to 125 as DANDELION, along with dandelion spreading (Algorithm total connections [2]. In practice, the eight outbound connec 4). The main algorithmic changes in TWISTEDPAIR are: tions are chosen from each node’s locally-maintained address 1) use a random 4-regular graph instead of a line graph for book; we assume each node chooses outbound connections the anonymity phase (§IV-A), randomly from the set of all nodes (Algorithm 1). This graph 2) use pseudorandom forwarding rather than independent, construction model results in a random graph where each node randomized forwarding (§IV-B), has expected degree 2η = 16. Although this approximates the 3) use open-loop graph construction- and maintenance behavior of many nodes in Bitcoin’s P2P network, Byzantine mechanisms (§IV-C and §IV-D). nodes need not follow protocol. We will describe the behavior of Byzantine nodes as needed in the paper. Perhaps surprisingly, these small algorithmic changes com pletely alter the anonymity analysis by introducing an Upon creating a transaction message, peers propagate it exponentially-growing state space. For example, moving from according to a pre-specified spreading policy. The propagation a line graph to a 4-regular graph (item (1)) invalidates the dynamics are observed by the spies, whose goal is to estimate exact probability computation in [13], and requires a more the IP addresses of transaction sources. For each transaction sophisticated analysis over Galton-Watson branching processes x ∈ X a ∈ V (x, v, t) received by adversarial node A, the tuple to understand effects like intersection attacks. We also simulate v a is logged where is the peer that sent the message to , the proposed mechanisms for all attacks and find improved and t is the timestamp when the message was received. The anonymity compared to DANDELION.4 botnet adversary may also know partial information about the network structure. Clearly, peers neighboring adversarial nodes are known. However in some cases the adversary might also A. Graph-Learning Attacks be able to learn the locations of honest peers not directly con Theoretical results in [13] assume that the anonymity graph nected to botnet nodes. For simplicity, we use O to denote all is unknown to the adversary; that is, the adversary knows observed information—message timestamps, knowledge of the the randomized graph construction protocol, but it does not graph, and any other control packets—known to the adversary. Given these observations, one common source estimator is the 4Simulation code will be released; URL redacted for anonymous review.

4 TABLE I: Summary of changes proposed in TWISTEDPAIR, with references to relevant evidence and/or analysis.

Problem Effect on DANDELION [13] TWISTEDPAIR Proposed solution Effect Graph-learning attacks (§IV-A) Order-level precision increase [13] 4-regular anonymity graph Limits precision gain (Thm. 1, Fig. 3) Intersection attacks (§IV-E) Empirical precision increase (Fig. 5) Pseudorandom forwarding Robust to intersection attacks (Thm. 2) Graph construction attacks (§IV-C) Empirical precision increase (Fig. 10) Non-interactive graph construction Reduces precision gain (Figs. 8, 9) Black-hole attacks (§IV-D) Transactions do not propagate Random stem timers Provides robustness (Prop. 3) Partial deployment (§IV-E) Arbitrary recall increase (Fig. 11) Protocol-agnostic stem selection Improves recall (Thm. 3, Fig. 11) know the realization of that protocol outside its own local Line, max-weight (theoretical) neighborhood. Under these conditions, DANDELION, which uses a line topology, achieves a maximum expected precision Max-weight estimator of O(p2 log(1/p)), which is near-optimal. However, if an (simulated) Complete graph adversary somehow learns the anonymity graph, the maximum (theoretical) expected precision increases to O(p) [13, Proposition 4]— an order-level increase. On the other hand, recall guarantees Line, first-spy do not change if the adversary learns the graph. This is 10-1 (theoretical) because under dandelion spreading (Algorithm 4), the first-spy estimator is recall-optimal [13]. Since the first-spy estimator First-spy estimator is graph-independent, learning the graph does not improve the (simulated) d = 2 (line), first spy d = 2 (line), max-weight adversary’s maximum expected recall. A natural question is d = 4, first-spy how to avoid this jump in precision. d = 4, max-weight d = 6, first spy d = 6, max-weight DANDELION proposes a heuristic solution in which the line graph is periodically reshuffled to a different (random) 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 line graph [13]. The intuition is that changing the line graph Fig. 3: Average precision as a function of p for random, frequently does not allow enough time for the adversaries directed d-regular graphs. to learn the graph. However, the efficacy of this heuristic is difficult to evaluate. Fundamentally, the problem is that it is unclear how fast an adversary can learn a graph, which calls into question the resulting anonymity guarantees. precision estimator differently. [13] showed that the precision- 1) Proposal: 4-Regular Graphs: We propose an alterna optimal estimator is a maximum-weight matching from trans tive solution that inherently protects against adversaries that actions to nodes, where the weight of the edge between node are able to learn the anonymity graph—either due to the v and transaction x is the posterior probability P(Xv = x|O) TWISTEDPAIR protocol itself or other implementation issues. (Theorem 3, [13]). Since the anonymity graph contains cycles, In particular, we suggest that TWISTEDPAIR should use this posterior is difficult to compute exactly, because it requires random, directed, 4-regular graphs instead of line graphs as the (NP-hard) enumeration of every path between a candidate anonymity graph topology. 4-regular graphs naturally extend source and the first spy to observe a given transaction [44]. We line graphs, which are 2-regular. Although the forwarding therefore approximate the posterior probabilities by assuming mechanism will be revisited in §IV-B, for now, users relay that each candidate source can only pass a given message along transactions randomly to one of their two outbound neighbors the shortest path to the spy that first observes the message in the 4-regular graph until fluff phase. (note that the shortest path is also the most likely one). This path likelihood can be computed exactly and used as a proxy Although theoretical analysis of expected precision on d- for the desired posterior probability. Given these approximate regular anonymity graphs is challenging for d > 2, we can likelihoods, we compute a maximum-weight matching, and simulate randomized spreading over different topologies, while calculate the precision of the resulting matching. measuring anonymity empirically using theoretically-optimal (or near-optimal) estimators. Figure 3 plots the average preci Assuming the adversary knows the graph and uses this sion obtained on d-regular graphs, for d = 2 (corresponding quasi-precision-optimal estimator, the precision on a line graph to a line graph), 4 and 6, as a function of p, the fraction of increases to the blue dotted line at the top of the plot. For adversaries, for a network of 50 nodes. The blue solid line at example, at p = 0.15, knowing the graph gives a precision the bottom corresponds to the line graph when the graph is un boost of 0.12, or about 250%. On the other hand, if a 4-regular known to the adversary; this matches the theoretical precision graph is unknown to the adversary, it has a precision very close of O(p2 log(1/p)) shown in [13]. The solid lines in Figure to that of line graphs (orange solid line in Figure 3). But if the 3 (i.e., unknown graph) were generated by running the first- graph becomes known to the adversary (orange dotted line), spy estimator, which maps each transaction to the first honest the increase in precision is smaller. At p = 0.15, the gain is node that forwarded the transaction to an adversarial node. 0.06—half as large as the gain for line graphs. This suggests When the graph is unknown, we show in Theorem 1 that the that 4-regular graphs are more robust than lines to adversaries first-spy estimator is close to optimal; hence, Figure 3 shows learning the graph, while sacrificing minimal precision when results from an approximately-precision-optimal estimator. the adversary does not know the graph. When the graph is known, we approximate the maximum- Figure 3 also highlights a distinct trend in precision values,

5 as the degree d varies. If the adversary has not learned the and hence the trivial bound used above cannot be used here. h,h topology, then line graphs have the lowest expected precision Let us first consider the event Ev(a,h ) where only the left and hence offer the best anonymity. As the degree d increases, predecessor node of v is an adversary. Let U ∈ VH denote the the expected precision progressively worsens until d = n, right predecessor of v and FU the number of fresh transactions where n is the number of peers in the network. When d = n that are forwarded by U to v. Then from Lemma 1 we have (i.e., the graph is a complete graph), peers forward their h,h h,h 1 [maxx∈X (Xv = x|S, Γ(VA),FU , Ev( ))|FU , Ev ( )] ≤ transactions to a random peer in each hop of the dandelion E P a,h a,h FU +1 stem. On the other hand, if the topologies are known to the h,h ⇒ P(FU = f, Ev( )) · adversary, then the performance trend reverses. In this case, a,h f≥0 line graphs (for d = 2) have the worst (highest) expected h,h h,h E[max P(Xv = x|S, Γ(VA),FU , Ev (a,h ))|FU , Ev(a,h )] precision among random d-regular graphs; As the degree x∈X increases, precision decreases monotonically until d = n. h,h 1 2DFS(v) ≤ P(Ev(a,h ))E ≤ p = 2DFS(v). Finally, recall that our simulations used the ‘first-spy’ FU + 1 p estimator as the deanonymization policy for d-regular graphs when the graph is unknown to the adversary. A priori, it is not where we have again used independence of FU and the local clear whether this is an optimal estimator for d-regular graphs neighborhood upstream of U and Lemma 2. By analogous arguments we can similarly bound the expected payoff under for d ≥ 4 ([13] shows that the first-spy estimator is optimal h,h a,h h,a for line graphs). As such the optimal precision curve could be events Ev()h,a , Ev ()h,h and Ev()h,h . much higher than the one plotted in Figure 3. However, the E (h,h) v following theorem—our first main theoretical contribution of Finally consider v h,h , in which case ’s location is this paper—shows that this is not the case. completely hidden from the adversaries. Let I be the set of such nodes. Since each adversary is a neighbor to at most 4 Theorem 1: The maximum expected precision on a ran honest nodes, there are at least n˜ − 4np = (1 − 5p)n nodes in h,h dom 4-regular graph with graph unknown to the adversary is I. So ∀x ∈ X , we have (Xv = x|S, Γ(VA), G, I, Ev( )) 2 3 P h,h bounded by DOPT ≤ 8DFS +6p +O(p ), where DOPT and DFS h,h ' denote the expected precision under the optimal and first-spy 1 = P(Xv = x|S, Γ(VA), G, I, Ev(h,h )) ∀v ∈ I (3) estimators respectively. h,h 1 1 i,j ⇒ P(Xv = x|S, Γ(VA), G, I, Ev(h,h )) ≤ ≤ Proof: For i, j, k, l ∈ {a, h}, let Ev(k,l) denote the event |I| (1 − 5p)n that v’s left successor, right successor, left predecessor and h,h 1 ⇒ max P(Xv = x|S, Γ(VA), Ev(h,h )) ≤ , (4) right predecessor are of types i, j, k and l respectively, where x∈X (1 − 5p)n type of a denotes an adversarial node and a type h denotes an honest node. Also, assume that for any honest node v ∈ and hence E[maxx∈X P(Xv = h,h h,h 1 VH the number of messages forwarded by v is statistically x|S, Γ(VA), Ev(h,h ))|Ev ( h,h )] ≤ (1−5p)n . Summing over independent of the local neighborhood upstream of v. This all the cases considered gives the result. assumption follows from the locally-tree-like nature of sparse This result says that precision under the first-spy estimator random graphs [32]. We use the following two lemmas, whose 2 proofs are included in Appendix B: is within a constant factor of optimal (p is a fundamental lower bound on the maximum expected precision of any Lemma 1: Let Jv denote the number of transactions (from scheme [13]). Thus the precision gain from line graphs to 4 honest servers) that reach v before reaching an adversary. regular graphs is indeed small, as Figure 3 suggests. These a,h h,a h,h h,h Then, for each event E ∈ {Ev()h,h, Ev() h,h, Ev() a,h , Ev()h,a } observations motivate the use of 4-regular graphs, specifically 1 in lieu of higher-degree regular graphs. First, 4-regular graphs E[maxx∈X P(Xv = x|S, Γ(VA), E,Jv)|E,Jv] ≤ J +1 . v have similar precision to complete graphs when the graph is Lemma 2: For any server v ∈ VH , let Fv denote the known (i.e., the red dotted line is close to the middle black number of transactions that (i) reach v before reaching any solid line, which is a lower bound on precision for regular adversary and (ii) are forwarded by v along its left outgoing e graphs), but they sacrifice minimal precision when the graph edge. Then 1 ≤ 2DFS(v) . is unknown. Hence, they provide robustness to graph-learning. E Fv +1 p i,j Lesson: Use 4-regular graphs instead of line graphs for H. Now, recall the events Ev ()k,l , where i, j, k, l ∈ {a, h}. There are a total of 24 = 16 such events that are possible for i4 p B. Intersection Attacks the neighborhood around server v. Out of these events, 2 = 6 2 2 a,a of them occur with a probability of p (1−p) (such as Ev (h,h) The previous section showed that 4-regular graphs are i4 p for e.g.). Similarly 3 = 4 events occur with a probability of robust to deanonymization attacks, even when the adversary p3(1 − p) and one event occurs with a probability of p4. Since knows the graph. However, those results assume that each the cost can be at most 1, the above events contribute to a user generates exactly one transaction per epoch. In this cumulative cost of at most 6p2 + 4p3+ p 4. section, we relax the one-transaction-per-node assumption, and allow nodes to generate an arbitrary number of transactions. The remaining cases are events where only one neighbor is DANDELION specifies that each transaction should take an E ()a,h , E ()h,a , E ()h,h E ()h,h adversarial— v h,h v h,h v a,h and v h,a —or when independent path over the anonymity graph. In our case, this h,h all of the neighbors are honest Ev(h,h). Note that each of implies that if a node generates multiple transactions, each these events occur with a probability of at least p(1 − p)3 one will traverse a random walk (of geometrically-distributed

6 length) over a 4-regular digraph. Under such a model, ad this paper—suggests that one-to-one forwarding has near- versaries can aggregate metadata from multiple, linked trans optimal precision when the adversary does not know the graph, actions to launch intersection attacks. We first demonstrate even in the face of intersection attacks (recall the lower bound DANDELION’s vulnerability to intersection attacks, and then of p2 [13]). The other two mechanisms do not. provide an alternative propagation technique. Theorem 2: Suppose the graph is unknown to the adver Attack. Suppose the adversary knows the graph. For each sary, each node generates an arbitrary number of transactions, honest source v ∈ VH , each of its transactions will reach one and the adversary can link transactions from the same user. of the np spy nodes first. In particular, each spy node has The expected precision of the precision-optimal estimator for some fixed probability of being the first spy for transactions the one-to-one (DOPT−OtO), all-to-one (DOPT−AtO), and per originating at v (given the graph). We let Ψv denote the pmf incoming-edge (DOPT−PIE) message forwarding schemes are: of the first spy for transactions starting at v; the support of 1 D = Θ p2 log (5) this distribution is the set of all spies. We hypothesize that in OPT−OtO p realistic graphs, for v = w, Ψv = Ψw. DOPT−AtO = Θ(p) (6) This hypothesis suggests a natural attack, which consists of DOPT−PIE = Ω(p). (7) a training phase and a test phase. In the training phase, for each candidate source, the adversary simulates dandelion spreading (Proof in Section IV-B1) N times. The resulting empirical distribution of first-spies for Figure 6 illustrates simulated first spy precision values a given source determines the adversary’s estimate of Ψv. The for each of these techniques, as well as diffusion (the status adversary computes such a signature for each candidate source. quo). ‘Per-transaction’ forwarding denotes the baseline i.i.d. At testing, the adversary gets to observe m transactions random forwarding. This figure is plotted for the special from a given node, m « N. The adversary again com case of one transaction per node; if nodes were to generate putes the empirical distribution Ψˆ of first-spies from those m arbitrarily many transactions, the pseudorandom lines would stay the same (all-to-one, one-to-one, and per-incoming-edge), observations. The adversary then classifies Ψˆ to one of the ˆ whereas Figure 5 suggests that the per-transaction curve could |VH | classes (i.e., source nodes) by matching Ψ to the closest ˆ increase arbitrarily close to 1, depending on traffic patterns. Ψi from training. For each trial, Ψ and Ψv are matched by The same is true for diffusion, as illustrated in prior work maximizing the likelihood of signatures (i.e. by minimizing [47]. In addition, when the graph is unknown and there is only the KL divergence). one transaction per node, Figure 6 suggests that one-to-one Figure 5 shows the recall for such an attack on a 4-regular forwarding achieves precision values that are close to the lower graph of size 1000 with fraction p = 0.3 of spies. The two bound of per-transaction forwarding. An important question trend lines correspond to signatures trained on N = 15000 is what happens when the graph is known. The following and N = 35000 simulations. By observing 10 transactions per corollary bounds the jump in precision under such a scenario. node, the recall exceeds 0.8. This suggests that independent random forwarding leads to serious intersection attacks. Hence, Proposition 1: If the adversary knows the graph and inter a naive implementation of DANDELION critically damages nal routing decisions, then the precision-optimal estimator for anonymity properties. one-to-one forwarding has an expected precision of O(p). Solution. To address these attacks, we consider forwarding (Proof in Appendix D) mechanisms with correlated randomness. The key insight is that messages from the same source should traverse the An adversary that does not know internal forwarding deci same path; this prevents adversaries from learning additional sions for all nodes has lower precision, because it must disam information from multiple transactions. However, a naive im biguate between exponentially many paths for each transaction. plementation (e.g., adding a tag that identifies transactions Despite requiring completely new analysis, the 4-regular graph from the same source, and sending all such transactions over results for Theorem 2 and Proposition 1 are order-equivalent the same path) makes it trivial to link transactions, which to the line graph results in [13]. Nonetheless, we maintain is undesirable for other reasons. Hence, we consider three that 4-regular graphs are preferable to line graphs because (1) forwarding schemes that pseudorandomize the forwarding tra the precision bound constants are smaller (as seen in §IV-A), jectory. In “one-to-one” forwarding, each node maps each of an (2) 4-regular graphs are more difficult to learn, since more its inbound edges to a unique outbound edge; messages in stem information is needed to specify a 4-regular graph. Quantifying mode only get relayed according to this mapping (Fig. 4). Each this fact is an interesting question for future work. node also chooses exactly one outbound edge for all of its own Lesson. Use pseudorandom, one-to-one forwarding. transactions. The idea is that we are pseudorandomizing not by source, but by incoming edge (for relayed transactions). 1) Proof of Theorem 2: We start with two lemmas that Similarly, “all-to-one” forwarding maps all inbound edges to reduce the problem to a first-spy precision calculation. the same outbound edge, and “per-incoming-edge” forwarding Lemma 3 (Intersection): Under each of the spreading maps each inbound edge to a uniformly selected outbound mechanisms (all-to-one, one-to-one, and per-incoming-edge), edge (with replacement). the adversary’s maximum expected precision DOPT is not a function of the number of transactions per node. Perhaps counterintuitively, these spreading mechanisms al ter the anonymity guarantees even when the graph is unknown. This proof follows directly from the pseudorandomness of the Our next result—the second main theoretical contribution of forwarding mechanisms, and is omitted for brevity.

7 Fig. 4: Pseudorandom forwarding. Thick, colored lines denote for warding rules for incoming edges and the node’s own transactions Fig. 5: Recall vs. number of transactions Fig. 6: First-spy precision for 4-regular (green dotted line). per node in random 4-regular graphs. graphs under various forwarding schemes.

Lemma 4 (First-Spy Optimality): For all spreading mech anisms (all-to-one, one-to-one, and per-incoming-edge), there 2 exists a constant C such that DOPT ≤ C · DFS + O(p ), where DFS denotes the expected precision of the first-spy estimator. Lemma 4 is proved analogously to Theorem 1. The full proof is omitted for brevity. Together, lemmas 3 and 4 imply that to characterize the precision-optimal estimator, we can focus on Fig. 7: Branching process model of upstream neighborhood. the first-spy estimator. For brevity, we prove only all-to-one Red nodes are spies; blue dots denote nodes that divert their and one-to-one results in the following lemmas. transactions out of the tree. Both events result in pruning. Lemma 5 (One-to-One First-Spy): The expected precision of the first-spy estimator for one-to-one forwarding satisfies 2 1 i DFS-OtO = O p log . Lemma 8: Under all-to-one forwarding, P |Wv| = w s ∈ p w−1 w+1 p (2w)! 1−p 1+p VA = . Proof: Let v ∈ VH , and denote the vertex to which v (w+1)!w! 2 2 forwards its message X as s ∈ V . In the case that s ∈ V v H (Proof in Appendix C). the precision of the first spy estimator for v is 0, because e Xv is never matched to v. When s ∈ VA, the precision of 1 ∞ i 1 Note that E |W | s ∈ VA = w=1 P |Wv| = w s ∈ the first spy estimator for v is , where Wv denotes the v |Wv | p 1 set of nodes from which all fresh messages that v transmits VA w . We can lower bound this summation by computing to s originate. Note that v ∈ W . Now [D (v)] = (s ∈ only the first term using Lemma 8. This gives P(|Wv| = v E FS P 1 2 1 1 1 1 1|s ∈ VA) = 4 p + 2p + 4 . Hence E[DFS(v)] = P(s ∈ VA)E[ |s ∈ VA], where P(s ∈ VA) = p and E s ∈ 1 p 2 |Wv | |Wv | VA) [ |s ∈ VA] ≥ + O(p ), or [DFS(v)] = Ω(p). e E |Wv | 4 E V = ∞ i |W | = w s ∈ V p 1 . A w=1 P v A w Upper bound. Due to the branching properties of all-to-one

i forwarding, we now model v’s upstream neighborhood (i.e. Lemma 6: Under one-to-one forwarding, P |Wv| = w s ∈ w p 2p 1−p nodes that can send transactions to v) as a Galton-Watson VA = 1−p 1+p . (GW) branching process [9]. This modeling assumption is (Proof in Appendix C). Using Lemma 6 to expand the appropriate as n → ∞ due to the locally-tree-like properties w 1 e ∞ 1 2p 1−p of sparse random graphs [32]. summation gives E s ∈ VA = = |Wv | w=1 w 1−p 1+p −2p 2p 1 e 2p 1+p Each node in a realization of the GW process is a viable log . Thus, s ∈ VA = log and 1−p 1+p E |Wv | 1−p 2p candidate source whose own transactions could reach v. The 2p 2 1+p branching distribution of the process is therefore determined E[DFS-OtO(v)] = log . 1−p 2p by the fraction of spies p, and the forwarding mechanism Lemma 7 (All-to-One First-Spy): The expected precision (in this case, all-to-one). Wv is the number of nodes in this of the ﬁrst-spy estimator for all-to-one forwarding satisﬁes tree. Figure 7 illustrates this model. Suppose we start with DFS-AtO = Θ(p). a binary tree rooted at v—this includes the entire upstream anonymity graph with respect to v. Each node has a second Proof: We demonstrate upper and a lower bounds on outbound edge (dashed grey line); due to our locally-tree-like D . As before, these bounds are obtained by computing FS-AtO assumption, those edges cannot be used to reach v, and are the expected precision of a given node v ∈ V , and we denote H not part of the branching process. If a node is a spy, the spy the node to which v forwards its message X as s ∈ V . Let W v v and its upstream ancestors get pruned from the tree. Similarly, be the set of nodes from which all fresh messages transmitted 1 if a node chooses to forward its incoming messages along the by v to s originate; our goal is to compute l[ |s ∈ VA]. Wv grey edge, then none of its upstream children’s transactions Lower bound. We use the following lemma: will reach v; hence we prune the node and its ancestors. We

8 let ν denote the probability that a node is a spy or forwards Algorithm 2: APPROXIMATE 4-REGULAR GRAPH 1 its transactions on its grey edge, ν = 2 (1 + p). The mean Approximates a directed 4-regular graph in a fully- of this offspring distribution µ = 2(1 − ν) = 1 − p < 1 for distributed fashion. p = 0, so this GW process is subcritical and goes extinct with Input: Set V = {v1, v2, . . . , vn} of nodes; probability 1 [9]. Hence we can focus our analysis on trees of Output: A connected, directed anonymity graph 1 e finite size. We use Lemma 8 to expand s ∈ VA = H(V, E) with average degree 4 E |Wv | for v ← V do ∞ / pick two random targets / 1 (2w)! 1 − p w−1 1 + p w+1 * * = ( ) ( ) u ∼ Unif(V \ {v}) w (w + 1)!w! 2 2 1 w=1 u2 ∼ Unif(V \ {v, u1}) ∞ 2 1 1 2e 1 1 w−1 /* make connections */ = (1 + p)2 4w−1i (1 − p2)p .(8) 4 w π w + 1 4 E = E ∪ (v → u1) ∪ (v → u2) w=1 end return H(V, E) where (8) uses Stirling’s inequalities. For p ∈ [0, 1], ∞ (1−p2 )w−1 ∞ 1 1 ≤ = 1. Thus, E s ∈ w=1 w(w+1) w=1 w(w+1) |Wv | e e2 2 e2 2 VA ≤ 2π (1 + p) and DFS-AtO ≤ 2π p + O(p ). Lying about in-degrees. In step (1) of the graph-construction protocol, when a user queries an adversarial neighbor for C. Graph-Construction Attacks its current in-degree, the adversary might deliberately report a lower degree than its actual degree. This can cause the We have considered graph-learning attacks and intersec querying user to falsely underestimate the neighbor’s in-degree tion attacks. Another important aspect of TWISTEDPAIR is and make a connection. In the extreme case, the adversarial the anonymity graph construction, which should be fully node can consistently report an in-degree of zero, thus attract distributed. DANDELION proposed an interactive, distributed ing many incoming edges from honest nodes. This degrades algorithm (explained below) that constructs a randomized ap anonymity by increasing the likelihood of honest nodes passing proximate line graph. In this section, we study how Byzantine their transactions directly to the adversary in the first hop. nodes can change the graph to boost their accuracy. First, We find experimentally that such attacks significantly increase we show how to generate 4-regular graphs in the presence of precision as / grows; plots are omitted due to space constraints. Byzantine nodes. Next, we show how to choose q (path length parameter) for robustness against Byzantine nodes manipulat To avoid nodes lying about their in-degrees, we abandon ing the graph. We start with the graph-construction protocol the interactive aspect of DANDELION graph construction. In ApxLine(1), users select a random peer and make an edge from DANDELION. regardless of the recipient’s in-degree. We therefore run Apx 1) Graph construction in DANDELION [13]: For any Line(1) twice, as shown in Algorithm 2. Note that Algorithm integral parameter / > 0, DANDELION uses the protocol 2 closely mirrors the graph construction protocol used in ApxLine(/) to build a /-approximate line graph as follows: (1) Bitcoin’s P2P network today, so the protocol itself is not novel. Each node contacts / random candidate neighbors, and asks In the line graphs of DANDELION, a higher / value was needed for their current in-degrees. (2) The node makes an outbound since ApxLine(/) for / = 1 was shown to have significantly connection to the candidate with the smallest in-degree. Ties worse anonymity performance than / ≥ 2. However such are broken at random. This protocol is simple, distributed, a loss is avoided in TWISTEDPAIR since the application of and allows the graph to be periodically rebuilt. Though the ApxLine(1) twice eliminates leaves. resulting graph need not be an exact line, nodes have an expected degree of two, and experiments show low precision. What is not previously known is how the approximate- Increasing / also enhances the likeness of the graph to a line regular construction in Algorithm 2 affects anonymity com and reduces the expected precision in simulation. pared to an exact 4-regular topology. First, note that the ex pected recall does not change because dandelion spreading (Al 1 2) Construction of 4-regular graphs.: A natural extension gorithm 4) has an optimally-low maximum recall of p+O( n ), of DANDELION’s graph-construction protocol to 4-regular regardless of the underlying graph (Thm. 4, [13]). Hence, graphs involves repeating ApxLine(/) twice for parameter we wish to understand the effect of approximate regularity / > 0. That is, each peer makes two outgoing edges, where on maximum expected precision. We simulated dandelion the target of each edge is chosen according to ApxLine(/). As spreading on approximate 4-regular graphs and exact 4-regular in the approximate line algorithm, the resulting graph is not graphs, using the same approximate precision-optimal estima exactly regular. However, the expected node degree is 4, and tor from Figure 3. For comparison, we have also included because each node generates two outgoing edges, the resulting the first-spy estimator. Figure 8 shows that the difference in graph has no leaves. This improves anonymity because leaf precision between 4-regular graphs and approximate 4-regular nodes are known to degrade average precision [13]. graphs (computed with Algorithm 2) is less than 0.02 across a wide range of spy fractions p. Compared to line graphs [13, 3) The impact of Byzantine nodes: Byzantine nodes can Figure 8], 4-regular graphs appear significantly more robust to misbehave as recipients and/or creators of edges. As recipients, irregularities in the graph construction. nodes can lie about their in-degrees during the degree-checking phase. As creators of edges, misbehaving nodes can generate Creating many edges. DANDELION is naturally robust to many edges, even connecting to each honest node. nodes that create a disproportionate number of edges, because

9 0.5 0.95 0.95 Approximate 4-regular (maximum-weight) 0.45 Approximate 4-regular (first-spy) 0.75 0.75 4-regular (maximum-weight) 0.4 4-regular (first-spy) 0.55 0.55 0.35 0.45 0.45

0.3 0.35 0.35

0.25 0.25 0.25

0.2

Average Precision 0.15 0.15 0.15 Average Precision Average Precision 0.1 q=0.0 q=0.0 0.05 q=0.25 q=0.5 q=0.5 q=0.25 0 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 Diffusion (current approach) Diffusion (current method) Fraction of Spies (p) 0.05 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 Fig. 8: Average precision for approximate Fraction of Spies (p) Fraction of Spies (p) 4-regular graphs compared to exact 4 Fig. 9: Honest-but-curious spies obey Fig. 10: Malicious spies make outbound regular graphs. graph construction protocol. edges to every honest node.

spies can only create outbound edges to honest nodes. This Lesson. To defend against graph-manipulation attacks, use matters because in the stem phase, honest nodes only forward noninteractive protocols and small q. messages on outbound edges. Proposition 2: Consider dandelion spreading (Algorithm D. Black-Hole Attacks 4) with q = 0 over a connected anonymity graph H con structed according to graph-construction policy P (Algorithm Since dandelion spreading forwards messages to exactly one neighbor in each hop, propagation can terminate entirely if 1). Let DOPT(P) and ROPT(P) denote the maximum expected precision and recall over graphs constructed according to an adversarial relay chooses not to forward a message; we refer P. Now consider an alternative policy Q that is identical to this as a black-hole attack. To prevent black-hole attacks, to P except adversarial nodes are allowed to choose their TWISTEDPAIR sets a random expiration timer at each stem relay immediately upon receiving transaction messages. If the outbound edges arbitrarily. Let DOPT(Q) and ROPT(Q) denote the maximum expected precision and recall over all graphs relay does not receive an INV (i.e. an advertisement) for the constructed according to Q. Then transaction before his timer expires, then the relay diffuses the transaction. This policy provides a two-fold advantage ROPT(Q) = ROPT(P) over DANDELION: (1) messages are guaranteed to eventually DOPT(Q) = DOPT(P). (9) propagate through the network, and (2) the random timers can help anonymize peers initiating the spreading phase in the (Proof in Appendix E). This result bounds the deanonymiza event of a black-hole attack. tion abilities of Byzantine nodes in general and supernodes To implement this, TWISTEDPAIR nodes are initialized in particular [10], [28], neither of which was covered by the with a timeout parameter T . In the stem phase, when a relay analysis of [13]. It shows that for the special case where base v receives a transaction, it sets an expiration time T (v): the transition probability from stem to fluff phase q = 0 out (i.e., infinite stem phase), supernodes gain no deanonymization Tout(v) ∼ current_time + exp(1/Tbase), (10) power by connecting to most or all of the honest nodes. In practice, we need q > 0 to reduce broadcast latency, but i.i.d. across relays. If the transaction is not received again analyzing this requires an upper bound on the probability of by relay v before Tout(v), v broadcasts the message using detecting the source of a diffusion process under sampled diffusion. Pseudocode is shown in Algorithm 5 (Appendix A). timestamp observations—a known open problem [38], [51]. We therefore simulate precision for nonzero q as a function Algorithm 5 solves the problem of message stalling, as of spy fraction p, when spies obey protocol (Fig. 9) and when relays independently broadcast if they have not received the they generate outbound edges to every honest node (Fig. 10). message within a certain time. However, the protocol also We generate a P2P graph via Algorithm 1 with out-degree ensures that the first relay node to broadcast is approximately η = 8, and an anonymity graph H via Algorithm 2, except uniformly selected among all relays that have received the spies generate outbound edges to every honest node. message. This is due to the memorylessness of the exponential clocks: conditioned on a given node blocking the message, Figures 9 and 10 highlights two points: First, even when each of the remaining clocks can be reset assuming propaga spies follow protocol, increasing q increases precision. q has tion latency in the stem is negligible. Ideally, the exponential the largest effect when p is small; when p = 0.1, using q = clocks should be slow enough that they only trigger (with high 0.5 increases the expected precision by about 0.1 compared to probability) during a black-hole attack. On the other hand, they q = 0.0. For q ≤ 0.2, we can expect increases in precision on must also be fast enough to keep propagation latency low. This the order of 0.05. Second, spies can increase their precision by trade-off is analyzed in the following proposition. adding outbound edges; when p = 0.1 and q = 0.5, we observe a precision increase of about 0.2. Thus by choosing parameter Proposition 3: For a timeout parameter Tbase ≥ −k(k−1)δhop q ≤ 0.2, we can limit the increase in average precision to 0.1, 2 log(1−E) , where k, E are parameters and δhop is the even when spies connect to every honest node. time between each hop (e.g., network and/or internal node

10 Algorithm 3: VERSION-CHECKING. Nout(G, v) de handshake. Next, v runs Algorithm 2, drawing candidate notes the out-neighbors of node v on digraph G. neighbors only from Dv . If |Dv | = 1, v uses the single node in D as its outbound anonymity graph edge. If |D | = 0, v picks Input: Main (directed) P2P graph G(V, E), desired v v 2 outbound neighbors uniformly at random, and uses them as degree d of output anonymity graph anonymity graph edges. Upon forwarding a transaction to a Output: Directed anonymity graph H(V, E˜) node that does not support TWISTEDPAIR, the receiving node v ∈ V for do will, by default, relay the message using diffusion, thereby / Find TwistedPair neighbors / * * ending the stem phase. While version checking is a natural D ← {w ∈ v strategy, adversarial nodes can lie about their version number Nout(G, v) | w supports TWISTEDPAIR} d and/or run nodes that support TWISTEDPAIR. if 0 ≤ |Dv| < 2 then ˜ ˜ Under the second approach, no-version-checking, each E ← E ∪ Dv end node v instead selects 2 outgoing edges uniformly from the /* Non-TwistedPair neighbors */ set of all outgoing edges, without considering TWISTEDPAIR- if |Dv| == 0 then compatibility. This noninteractive protocol shortens the ex R ← d nodes drawn uniformly from pected length of the stem, thereby potentially weakening 2 anonymity guarantees. Nout(G, v), without replacement E˜ ← E˜ ∪ R If all nodes supported TWISTEDPAIR, these two ap end proaches would be identical. To model gradual deployment, we end assume that all spy nodes run TWISTEDPAIR, and a fraction β of the remaining honest nodes are using TWISTEDPAIR. Honest users are distributed uniformly over the network. Let latency), transactions travel for k hops without any peer VD denote the nodes that support TWISTEDPAIR: |VD| = initiating diffusion with a probability of at least 1 − E. pn + (1 − p)βn. We wish to characterize the maximum expected recall of TWISTEDPAIR as a function of p and β, (Proof in Appendix F) Let Δ1 £ kδhop be the time taken for version-checking and no-version-checking. The following for the message to traverse k hops. Conditioned on reaching k theorem bounds this quantity under a recall-optimal estimator. hops and stalling, let Δ2 denote the additional time taken for the message to start diffusion. Then, Δ2 is the minimum of Theorem 3: Consider n nodes in an approximately-2η exponential random variables each of rate 1/Tbase. As such Δ2 regular graph G generated according to Algorithm 1. A frac is itself exponentially distributed with rate k/Tbase. Choosing tion p of nodes are spies running TWISTEDPAIR. Among the WISTED AIR Tbase as in Proposition 3, the mean additional time taken to remaining honest nodes, a fraction β support T P . diffuse the message is Under version-checking, the expected recall across honest, TWISTEDPAIR-compatible nodes, under a recall-optimal map Tbase −(k − 1)δhop −Δ1 Δ1 ping strategy satisfies E[Δ2] = = ≤ ≈ . k 2 log(1 − E) 2 log(1 − E) 2E p p (11) (1 − (1 − f)η) ≤ R (1 − (1 − f)η ) + f OPT ;f η The standard deviation of Δ2 is identical to the mean. Thus (1 − f) + C(1 − β)) (12) by choosing Tbase as in Proposition 3 in Algorithm 5 we incur an additional delay at most a constant factor 1/(2E) from our where f is the fraction of all nodes that support TWIST p η 1−(1−φ)n˜ delay Δ1 otherwise. EDPAIR and C = 1 − f (1 − (1 − f)) nφ˜ , where 1 η Lesson. Use random timers selected according to Prop. 3. φ = 1−(1− n−η ) , and n˜ = (1−p)n is the number of honest nodes in the system. Under no-version-checking, E. Partial-Deployment Attacks 1 − (1 − φ)n˜ p ≤ ROPT ; p + (1 − β(1 − q))(1 − p) . (13) The original DANDELION analysis does not consider the nφ˜ fact that instantaneous, full-network deployment of TWIST EDPAIR is practically infeasible. In this section, we show that (Proof in Appendix G) Here ; denotes approximate inequal if implemented naively, Byzantine nodes can exploit partial ity; i.e., A(n) ; B(n) implies that there exist constants n0 > 0 ' ' DANDELION deployment to launch serious anonymity at and C > 0 such that for all n > n0, A(n) ≤ C B(n). In this tacks. We also demonstrate a (counterintuitive) implementation case, such a condition holds for any C' > 1. mechanism that neutralizes this threat. Our discussions with p = 0.2 Bitcoin Core developers suggest that they are more likely to Figure 11 plots these results for fraction of spies q = 0.2 WISTED AIR accept solutions in which the anonymity graph is an overlay of and probability of ending the T P stem, the existing P2P network. Given this, we consider two natural on an approximately-16-regular P2P graph. Our theoretical approaches for constructing the anonymity graph. bounds delimit the shaded regions; for comparison, we in clude a lower bound on the recall of diffusion, computed Version-checking (Algorithm 3) generates an anonymity by simulating diffusion with a first-spy estimator. The green graph from edges between TWISTEDPAIR-compatible nodes. solid line is a lower bound on the maximum expected recall Each node v first identifies its outbound peers on the main P2P of any spreading protocol (Thm. 2, [13]). When β is small, network that support TWISTEDPAIR; we call this set Dv. Dv version-checking recall close to 1; in the same regime, no can be learned from existing signaling in Bitcoin’s version version-checking exhibits lower recall than both diffusion and

11 16 16 1 14 Version-checking Best Fit 0.9 No-version-checking 14 Diffusion (first-spy) Minimum (est) 12 0.8 Lower bound 12 10 0.7 10 0.6 8 8 0.5 6 6 0.4 4 4

Expected Recall 0.3

Time from 10-50% (seconds) 2

0.2 Time from 10-50% (seconds) 2 0 0.1 0 0 2 4 6 8 10 12 0 2 4 6 8 10 12 Path Length 0 Path Length 0 0.2 0.4 0.6 0.8 1 Fraction of Honest Node Adoption (-) Fig. 13: The time it takes to go from Fig. 12: The time it takes to propagate to 10% to 50% of the network. The blue Fig. 11: Bounds on maximum expected 10% of the network as a function of the line indicated where data was split into recall for p = q = 0.2 and n = 1000, on path length. Blue is the line of best ﬁt at two categories by hop length with almost an approximately-16-regular graph. 218ms per hop, and green is the minimum equal numbers of samples (low: 26, high: estimated delay at 300ms per hop. 29).

version-checking. Intuitively, when adoption is low (low β), properly and not stalled by adversaries. Our approach is to any TWISTEDPAIR peers are likely to be spies. Therefore, store stem mode transactions in an additional data structure, version-checking actually increases the likelihood of getting the “embargo map,” such that embargoed transactions are deanonymized. In the same low-β regime, no-version-checking omitted from GetData responses. The embargo map serves is more likely to choose a TWISTEDPAIR-incompatible node w two purposes: 1. it tracks transactions that are currently in as the next stem node. While this prematurely ends the stem, the stem phase and 2. it ensures that malicious adversaries it still introduces more uncertainty than vanilla diffusion. can not stop propagation of transactions. When a TWISTED PAIR transaction arrives, the node marks the transaction as Lesson. Use no-version-checking to construct the graph. “under embargo” and assigns a time, t = 10s + Poisson(30), that the node waits to see the transaction again before forcing V. EVALUATION the fluff phase itself. If the next hop in the stem phase is a malicious node that stops stem propagation, the embargo time A. Implementation in Bitcoin ensures the transaction will still be propagated. We have developed a prototype implementation of TWIST EDPAIR. Our prototype is a modification of Bitcoin Core B. Experimental Setup (referred to as Core from now on), the most commonly-used We used our prototype implementation to conduct inte client implementation in the Bitcoin network. In total, our gration experiments, by launching our own nodes running implementation required a patch modifying approximately 500 the TWISTEDPAIR software, and connecting to the actual lines of code. A vital part of our implementation is allowing Bitcoin network. The primary goal of our experiments is to nodes to recognize other TWISTEDPAIR nodes in a straight characterize how TWISTEDPAIR affects transaction propa forward way. In Core, the way to signal supported features gation latency. The experiments also serve to validate our is by modifying the nServices field in the handshake. implementation and its compatibility with the existing network. For example, segwit support is signalled by setting bit 4 in nServices. In our case, TWISTEDPAIR support is signalled For our experiments we launched a total of 30 Dandelion by setting the 25th bit. instances of m3.medium Amazon EC2 nodes (t2.medium used in Seoul and Mumbai where m3.medium is not avail In order to minimize our footprint on the Core codebase, able). The nodes are spread geographically across 10 different we insert TWISTEDPAIR functionality into the preexisting AWS regions (California, Sydney, Tokyo, Frankfurt, etc.) – main threads/signals that handle the processing and transmis 3 nodes per region [1]. To control the topology between the sion of messages. However, creating the 4-regular anonymity Dandelion nodes, we use Core’s -connect or -addnode graph and processing TWISTEDPAIR transactions requires command line flags. Our measurements use the Coinscope [33] careful consideration of the many concurrency and DoS tool to connect to each node in the Bitcoin network and record protection mechanisms already at play in Core. For instance, a timestamped log of transaction propagation messages. Core’s data structures for transactions and inventory messages are designed to facilitate responses to GetData requests, C. Evaluation Results while broadcasting transactions to all nodes with exponential delays. These data structures are not sufficient for TWISTED 1) Propagation latency at fixed stem lengths: We con PAIR because they facilitate broadcasting knowledge of trans ducted a preliminary experiment to inform our choice of action and block hashes. In particular, TWISTEDPAIR nodes the coin flip (stem length) parameter, q. In this experiment, need to hide knowledge of transactions that are still in the we arranged our TWISTEDPAIR nodes in a chain topology stem phase, but at the same time ensure that they are relayed (each with one outgoing connection to the next, with the last

12 node connected to the Bitcoin network) so that we could Unlike the first scatter plot, visual inspection doesn’t reveal deterministically control the stem length. Based on 20 trials any relationship between the two variables in this case. This for stems up to length 12, we estimated that each additional is also what we expect because TWISTEDPAIR should not have hop adds an expected 300 miliseconds to the propagation any impact on transaction propagation after it has entered fluff latency. There is also a constant 2.5 second delay added to phase. We also perform a Mann-Whitney U Test to test the null each transactions due to the exponential process of propagation hypothesis: time from 10-50% coverage does not depend on when it first enters the fluff phase. Taking a propagation delay path length. Using the path length as the independent variable, of 4.5 seconds as our goal, we chose q = 0.1 or q = 0.2 as we split it into two categories: high and low. The blue dotted our parameter (recall the expected stem length is 1/q). line in Figure 13 is the boundary of the two categories where there are 26 samples in “low” and 29 in “high”. The Mann The observed delays originate from two primary sources. Whitney U test gives a U statistic of 443 and a p-value of First, each hop incurs network latency due to transit time 0.269. This implies that there is weak evidence against the between nodes. A recent measurement study of the Bitcoin net null hypothesis, therefore we fail to reject it. work estimated a median latency of 110ms between nodes [22], and Bitcoin transaction propagation requires three messages As expected, the minimum delay brought on by TWISTED (INV, GETDATA, TX). The latency between our EC2 nodes is PAIR has a positive correlation with the time it takes to reach somewhat faster, with a median of only 86ms across all pairs. 10% of the Bitcoin network. Similarly, once a transaction has Although our EC2 nodes are geographically distributed, they left the stem phase, it begins normal propagation through the are closely connected to internet backbone endpoints. Second, network and is therefore no longer be affected by TWISTED Bitcoin Core buffers each Inv messages for an average of PAIR. This prediction is confirmed by our test of independence 2.5 seconds; however, our implementation pushes TWISTED of hop length (high v. low) and time from 10-50% coverage. PAIR transactions to be relayed immediately, so internal node delays should be negligible. We therefore heuristically estimate VI. CONCLUSION 300 miliseconds of delay per stem node, which is consistent with our preliminary experiments. A gap exists between the theory and practice of protecting user anonymity in cryptocurrency P2P networks. In particular, 2) Topology: In order to create a connected graph of there are no safeguards against population-level deanonymiza TWISTEDPAIR nodes, we use all of the eight outgoing tion, which is the focus of this paper. We aim to narrow that connections from each of our nodes to connect to other gap by identifying strong or unrealistic assumptions in a state- TWISTEDPAIR nodes. This ensures that we can measure many of-the-art proposal [13], demonstrating the anonymity effects different stem lengths and how they affect the propagation of violating those assumptions, and proposing lightweight fixes to the rest of the network. We must also account for an in the form of TWISTEDPAIR. This methodology complements artifact of our experiment setup, namely that short cycles the usual development pattern in cryptocurrencies, which has in the stems are more likely among our 30 well connected mainly evolved by applying ad hoc patches against specific TWISTEDPAIR nodes 5. We therefore parse debug logs from attacks. We instead take a first-principles, theoretically-justified our nodes for each trial in order to determine the effective stem approach to design. length, which we then use as the basis of our evaluation. Finally, TWISTEDPAIR does not explicitly protect against In our experiment, we re-randomize the topology fre ISP- or AS-level adversaries, which can deanonymize users quently so as to not bias our results to a specific setting. through routing attacks [8]. Understanding how to analyze For each randomization of the connections, we generate 5 and protect against such attacks is of fundamental interest. transactions, 10 seconds apart. We repeat this “burst” 4 times However, note that TWISTEDPAIR is already compatible with a day over three separate days. The transactions are injected a number of the countermeasures proposed in [8]. For instance, into the network via a randomly chosen one of our nodes. We [8] proposes to enhance network diversity through multi- show the results of the experiment in Figures 12 and 13. homing of nodes and routing-aware network connectivity. Such countermeasures directly support TWISTEDPAIR by ensuring Figure 12 plots the time it takes TWISTEDPAIR trans that nodes are less likely to establish outbound anonymity actions to reach 10% of the network. As mentioned in Sec edges exclusively to spies. We expect that understanding how tion V-C1, for every additional hop in the stem phase there is to enforce such network diversity in the presence of Byzantine a minimum delay added by three messages and a expected nodes will be an important question moving forward, both for delay of 2.5 seconds. The solid green line represents the anonymity and general network robustness. minimum expected delay and the dotted blue line representst the best linear fit over the transaction data. As we expect, the propagation delay to reach 10% coverage increases with REFERENCES the path length due to the minimum added delay. We also [1] “AWS Regions and Endpoints,” http://docs.aws.amazon.com/general/ computed the two-sided Pearson Correlation Coefficient over latest/gr/rande.html. the two variables: path length and time to reach 10%. The [2] “Bitcoin core integration/staging tree,” https://github.com/bitcoin/ coefficient r = 0.292 implies a small positive correlation bitcoin. between the two variables. [3] “The kovri i2p router project,” https://github.com/monero-project/kovri. [4] “Monero,” https://getmonero.org/home. Figure 13 plots the the time it takes a transaction to go from [5] “Bitcoin core commit 5400ef6,” 2015, https://github.com/bitcoin/ 10% to 50% of the network with respect to the path length. bitcoin/commit/5400ef6bcb9d243b2b21697775aa6491115420f3. [6] “reddit/r/monero,” 2016, https://www.reddit.com/r/Monero/comments/ 5Our implementation enters fluff mode if there is a loop in the stem. 4aki0k/what is the status of monero and i2p/.

13 [7] E. Androulaki, G. O. Karame, M. Roeschlin, T. Scherer, and S. Capkun, [33] A. Miller, J. Litton, A. Pachulski, N. Gupta, D. Levin, N. Spring, and “Evaluating user privacy in bitcoin,” in International Conference on B. Bhattacharjee, “Discovering bitcoin’s public topology and influential Financial Cryptography and Data Security. Springer, 2013, pp. 34– nodes,” 2015. 51. [34] P. Mittal, M. Wright, and N. Borisov, “Pisces: Anonymous communi [8] M. Apostolaki, A. Zohar, and L. Vanbever, “Hijacking bitcoin: cation using social networks,” in NDSS. ACM, 2013. Large-scale network attacks on cryptocurrencies,” arXiv preprint [35] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008. arXiv:1605.07524, 2016. [36] M. Ober, S. Katzenbeisser, and K. Hamacher, “Structure and anonymity [9] K. B. Athreya and P. E. Ney, Branching processes. Courier Corpora of the bitcoin transaction graph,” Future internet, vol. 5, no. 2, pp. 237– tion, 2004. 250, 2013. [10] A. Biryukov, D. Khovratovich, and I. Pustogarov, “Deanonymisa [37] L. L. Peterson and B. S. Davie, Computer networks: a systems ap tion of clients in bitcoin p2p network,” in Proceedings of the 2014 proach. Elsevier, 2007. ACM SIGSAC Conference on Computer and Communications Security. [38] P. C. Pinto, P. Thiran, and M. Vetterli, “Locating the source of diffusion ACM, 2014, pp. 15–29. in large-scale networks,” Physical review letters, vol. 109, no. 6, p. [11] A. Biryukov and I. Pustogarov, “Bitcoin over tor isn’t a good idea,” in 068702, 2012. Symposium on Security and Privacy. IEEE, 2015, pp. 122–134. [39] F. Reid and M. Harrigan, “An analysis of anonymity in the bitcoin [12] J. Bohannon, “Why criminals can’t hide behind bitcoin,” Science, 2016. system,” in Security and privacy in social networks. Springer, 2013, pp. 197–223. [13] S. Bojja Venkatakrishnan, G. Fanti, and P. Viswanath, “Dandelion: Redesigning the bitcoin network for anonymity,” Proceedings of the [40] M. K. Reiter and A. D. Rubin, “Crowds: Anonymity for web trans ACM on Measurement and Analysis of Computing Systems, vol. 1, no. 1, actions,” ACM Transactions on Information and System Security (TIS p. 22, 2017. SEC), vol. 1, no. 1, pp. 66–92, 1998. [14] D. Chaum, “The dining cryptographers problem: Unconditional sender [41] D. Ron and A. Shamir, “Quantitative analysis of the full bitcoin trans and recipient untraceability,” Journal of cryptology, vol. 1, no. 1, 1988. action graph,” in International Conference on Financial Cryptography and Data Security. Springer, 2013, pp. 6–24. [15] R. K. Chellappa and R. G. Sin, “Personalization versus privacy: An empirical examination of the online consumer’s dilemma,” Information [42] T. Ruffing, P. Moreno-Sanchez, and A. Kate, “CoinShuffle: Practical technology and management, vol. 6, no. 2, pp. 181–202, 2005. decentralized coin mixing for bitcoin,” in European Symposium on Research in Computer Security. Springer, 2014, pp. 345–364. [16] H. Corrigan-Gibbs and B. Ford, “Dissent: accountable anonymous [43] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and group messaging,” in CCS. ACM, 2010. M. Virza, “Zerocash: Decentralized anonymous payments from bitcoin,” [17] G. Danezis, C. Diaz, C. Troncoso, and B. Laurie, “Drac: An architecture in Symposium on Security and Privacy. IEEE, 2014, pp. 459–474. for anonymous low-volume communications.” in Privacy Enhancing [44] A. Schrijver, Combinatorial optimization: polyhedra and efficiency. Technologies, vol. 6205. Springer, 2010, pp. 202–219. Springer Science & Business Media, 2002, vol. 24. [18] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second- [45] R. Sherwood, B. Bhattacharjee, and A. Srinivasan, “P5: A protocol for generation onion router,” DTIC Document, Tech. Rep., 2004. scalable anonymous communication,” Journal of Computer Security, [19] G. Fanti and P. Viswanath, “Anonymity properties of the bitcoin p2p vol. 13, no. 6, pp. 839–876, 2005. network,” arXiv preprint arXiv:1703.08761, 2017. [46] J. van den Hooff, D. Lazar, M. Zaharia, and N. Zeldovich, “Scalable [20] M. Freedman and R. Morris, “Tarzan: A peer-to-peer anonymizing private messaging resistant to traffic analysis.” network layer,” in Proc. CCS. ACM, 2002. [47] Z. Wang, W. Dong, W. Zhang, and C. W. Tan, “Rumor source detection [21] S. Frizell, “Bitcoins are easier to track than you think,” Time, January with multiple observations: Fundamental limits and algorithms,” in 2015. ACM SIGMETRICS Performance Evaluation Review, vol. 42, no. 1. ACM, 2014, pp. 1–13. [22] A. E. Gencer and E. G. Sirer, “State of the bitcoin net work,” Hacking Distributed, http://hackingdistributed.com/2017/02/15/ [48] D. I. Wolinsky, H. Corrigan-Gibbs, B. Ford, and A. Johnson, “Dissent state-of-the-bitcoin-network/, February 2017. in numbers: Making strong anonymity scale.” in OSDI, 2012, pp. 179– 182. [23] S. Goel, M. Robson, M. Polte, and E. Sirer, “Herbivore: A scalable and efficient protocol for anonymous communication,” Tech. Rep., 2003. [49] M. Zamani, J. Saia, M. Movahedi, and J. Khoury, “Towards provably- secure scalable anonymous broadcast,” in USENIX FOCI, 2013. [24] P. Golle and A. Juels, “Dining cryptographers revisited,” in Advances [50] B. Zantout and R. Haraty, “I2P data communication system,” in in Cryptology-Eurocrypt 2004, 2004. Proceedings of ICN. Citeseer, 2011, pp. 401–409. [25] E. Heilman, L. Alshenibr, F. Baldimtsi, A. Scafuro, and S. Goldberg, [51] K. Zhu and L. Ying, “A robust information source estimator with sparse “Tumblebit: An untrusted bitcoin-compatible anonymous payment hub,” observations,” Computational Social Networks, vol. 1, no. 1, p. 3, 2014. Cryptology ePrint Archive, Report 2016/575, Tech. Rep., 2016. [26] T. Jedusor, “Mimblewimble,” 2016. PPENDIX [27] P. Koshy, “Coinseer: A telescope into bitcoin,” Ph.D. dissertation, The A Pennsylvania State University, 2013. A. Algorithms [28] P. Koshy, D. Koshy, and P. McDaniel, “An analysis of anonymity in bitcoin using p2p network traffic,” in International Conference on DANDELION pseudocode is presented in Algorithm 4. Financial Cryptography and Data Security. Springer, 2014, pp. 469– Pseudocode for handling black-hole attacks is included in 485. Algorithm 5. [29] G. Maxwell, “Coinjoin: Bitcoin privacy for the real world,” in Post on Bitcoin Forum, 2013. [30] D. McMillen, “Mirai iot botnet: Mining for bitcoins?” SecurityIntelli B. Proofs of Lemmas Used in Theorem 1 gence, April 2017. Lemma 1: Let Jv denote the number of transactions (from [31] S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. McCoy, honest servers) that reach v before reaching an adversary. G. M. Voelker, and S. Savage, “A fistful of bitcoins: characterizing a,h h,a h,h h,h payments among men with no names,” in Proceedings of the 2013 Then, for each event E ∈ {Ev()h,h, Ev() h,h, Ev() a,h , Ev()h,a } conference on Internet measurement conference 1 . ACM, 2013, pp. 127– E[maxx∈X P(Xv = x|S, Γ(VA), E,Jv )|E,Jv ] ≤ . 140. Jv +1

[32] M. Mezard and A. Montanari, Information, physics, and computation. Proof: W.l.o.g., let U1,U2,...,UJv be the servers Oxford University Press, 2009. whose transactions are received by v and let Wv =

14 1 Algorithm 4: DANDELION SPREADING [13]. ⇒ P(Xv = x|S, Γ(VA), E,Jv ) ≤ Jv + 1 Nout(G, v) denotes the out-neighbors of node v on directed graph G. 1 ⇒ max P(Xv = x|S, Γ(VA), E,Jv) ≤ x∈X Jv + 1 Input: Message Xv, source v, anonymity graph H, spreading graph G, parameter q ∈ (0, 1) 1 ⇒ E[max P(Xv = x|S, Γ(VA), E,Jv )|E,Jv] ≤ (16). anonPhase ← True x∈X Jv + 1 head ← v The claim follows. recipients ← {v} while anonPhase do Lemma 2: For any server v ∈ VH , let Fv denote the number of transactions that (i) reach v before reaching any /* relay message to random node */ adversary and (ii) are forwarded by v along its left outgoing target ∼ Unif(Nout(H, head)) e recipients ← recipients ∪{X } from head to edge. Then 1 ≤ 2DFS(v) . v E Fv +1 p target head ← target Proof: For server v, consider event Ev in which the node u ∼ Unif([0, 1]) incident on v’s left outgoing edge is an adversary. Also, let Lv if u ≤ q then denote the event that Xv is forwarded along v’s left outgoing anonPhase ← False edge. Then clearly, end p D (v) ≥ (E , L ) [D (v)|E , L ] = [D (v)|E , L ]. (17) end FS P v v E FS v v 2 E FS v v / Run diffusion on G from ‘head’ / * * Now, from our assumption Fv is independent of the events DIFFUSION(Xv, head,G) E and L . In this case, the expected precision becomes v v 1 1 e E[DFS(v)|Ev, Lv] = E Ev, Lv = E , which Fv +1 Fv +1 Algorithm 5: TWISTEDPAIR SPREADING at node combined with Equation (17) gives the lemma. v. The protocol guarantees eventual network-wide propagation of transactions. C. Proofs of Lemmas Used in Theorem 2 Input: Message and timeout parameter (X, Tbase) i received by v in the anonymity phase, Lemma 6: Under one-to-one forwarding, P |Wv | = w s ∈ w out-neighbors N (G, v) on anonymity graph p 2p 1−p out VA = 1−p 1+p . G, spreading graph H, parameter q ∈ (0, 1) Tout(v) ∼ exp(1/Tbase) // set timer Proof: Under one-to-one forwarding, all messages other forward (X, Tbase) according to dandelion than Xv transmitted by v to s are received by v from the ' ' /* wait until message re-received */ same predecessor v . Likewise, all messages transmitted by v ' '' while current time ≤ Tout do to v are received by v from the same predecessor v (other if X received then than Xv1 in the case that Xv1 is transmitted to v). Continuing timer ← inactive this reasoning results in a line graph of predecessor nodes. break Note that the ﬁrst adversary predecessor node in this line end graph prevents any subsequent predecessors from contributing continue to Wv. We condition on |T |, the number of vertices in the i p ∞ i end line graph: P |Wv| = w s ∈ VA = P |T | = t s ∈ p i p t=w i /* start diffusion */ VA P |Wv | = w |T | = t, s ∈ VA . Here, P |T | = t s ∈ p t−1 if timer is active then VA = p(1 − p) (recall that v is a member of T with DIFFUSION(X, v, H) i probability 1). Additionally, P |Wv | = w |T | = t, s ∈ end p it−1 p 1 w−1 1 t−w i VA =w−1 ( 2 ) ( 2 ) . Therefore, P |Wv| = w s ∈ w−1 t−w p ∞ t−1 (t−1)! 1 1 VA = t=w p(1 − p) (w−1)!(t−w)! 2 2 = w−1 t−1 1−w p 1 ∞ (t−1)! 1 1 {v, U1,U2,...,UJ }. Consider any matching x where xu is t−1 v (w−1)! 2 t=w(1 − p) (t−w)! 2 2 = the message assigned to server u. Then t−1 p ∞ (t−1)! 1 (1−p)w−1 ' (w−1)! t=w (t−w)! 2 (1 − p) = 2p (1+p)w = P(S|G, Wv, X = x) = P(S|G, Wv, X = x ) (14) w 2p 1−p ' ' 1−p 1+p where x is a new assignment of messages such that x u = xu ' for all u ∈ VH , u ∈/ Wv and x = xW . This implies, for any i Wv v Lemma 8: Under all-to-one forwarding, P |Wv| = w s ∈ ﬁxed x ∈ X , (Xv = x|S, Γ(VA), E,Jv, G, Wv,XV \W ) = w−1 w+1 P H v p (2w)! 1−p 1+p VA = (w+1)!w! 2 2 . P(Xv = x, S,XVH \Wv |Γ(VA), E,Jv, G, Wv ) = Proof: In a 4-regular digraph, every v ∈ V has two P(S,XVH \Wv |Γ(VA), E,Jv, G, Wv) predecessors. Thus, the upstream graph of v may be modeled P(S|Γ(VA), E,Jv , G, Wv ,Xv = x, XVH \Wv ) = as a binary tree Bv rooted at v. For any member vertex m of ' x1 P(S|Γ(VA), E,Jv, G, Wv ,Xv = x ,XVH \Wv ) Bv , if m ∈ VA then neither m nor any members of the sub-tree 1 rooted at m transmit fresh messages to s via v. Additionally, ≤ (15) Jv + 1 every vertex transmits all received and generated messages

15 across one outbound edge (either left or right with equal statistic for detection. Since the stem-phase occurs via peers’ probability) for the entire epoch. No messages are transmitted outbound edges, P and Q have similar stem-phase propagation across the other outbound edge for the entire epoch. For any and differ only in the diffusion phase. As such precision and member vertex m of Bv , if m transmits messages across the recall are not affected by how the message spreads in the outbound edge that is not part of Bv then neither m nor any diffusion phase. members of the sub-tree rooted at m may contribute messages transmitted by v to s. These cases occur with probability 1 . For simplicity, let us assume a small q, i.e., messages 2 are always received by a spy node in the stem-phase before 1 Accounting for these cases yields a new tree Tv rooted diffusion begins. For any message x ∈ X let Ox be the random at v. This tree Tv consists of the remaining members of Bv variable comprising a three-tuple (Uh,Ua,T ) where, in the after pruning sub-trees rooted at adversary nodes and sub-trees stem-phase propagation of x (i) Ua ∈ VA is the first spy to rooted at nodes that transmit all messages across the outbound receive x, (ii) Uh ∈ VH is the honest peer that forwarded x to edge that is not part of Bv . A node is the root of a pruned Ua and (iii) T is the time when x was received by Ua. Next, let 1 2 sub-tree with probability 2 (1 + p). Ox denote the random variable that comprises of observations made by the adversary after it has been forwarded by U in the All messages generated by members of T are transmitted a v stem-phase. This includes all tuples (u, v, t) such that honest by v to s. The number of nodes in T is equal to |W |. Since a v v peer u ∈ V forwarded x to v ∈ V at time t > T . Lastly node is the root of a pruned sub-tree with probability 1 (1+p), H A 2 let Y denote the honest peer v ∈ V that is the source of T 1 (1−p) x H then a node is a member of v with probability 2 . Note transaction x. To get a worst-case guarantee we also assume that v is a member of Tv with probability 1. When Tv consists that the adversary has complete knowledge of the topology H of |W | = w nodes, the leaves of T each have two pruned v v i p of the anonymity graph. children (w + 1 in total). Therefore, P |Wv| = w s ∈ VA = w−1 w+1 Since the stem-phase propagation is over a line, we observe (2w)! 1−p 1+p . (w+1)!w! 2 2 that once a message x reaches a spy node Ua for the first- time, the subsequent spreading dynamics depends entirely on D. Proof of Proposition 1 the action taken by Ua (who it forwards x to, when it forwards etc.) and is conditionally independent of the past. This is true Given a graph G and observations after one epoch S, for every message x ∈ X . As such we have, an adversary can construct sets Sv at every adversary node. Each set S consists of the fresh messages forwarded by 2 2 1 1 v P(Ox ,..., Ox |Ox ,..., Ox ,Yx1 ,...,Yxn ,H) v 1 n 1 n . As a worst-case assumption, suppose the adversary learns = (O2 ,..., O2 |O1 ,..., O1 ,H) (18) the one-to-one forwarding mappings, but not the edges over P x1 xn x1 xn ⇒ (Y ,...,Y |O1 ,..., O1 , O2 ,..., O2 ,H) which honest nodes send their own messages. As a result, an P x1 xn x1 xn x1 xn 1 1 adversary must first match each honest node u ∈ VH with = (Y ,...,Y |O ,..., O ,H) P x1 xn x1 xn (19) one of two possible sets Sv and Sv1 . Then, the adversary must 1 1 2 2 ⇒ P(Yxi |Ox ,..., Ox , Ox ,..., Ox ,H) match these honest nodes with messages in these sets. Let AS 1 n 1 n = (Y |O1 ,..., O1 ,H) ∀i ∈ [n]. denote the event in which u is matched to the correct set Sv, P xi x1 xn (20) and let AC denote the event in which u is matched to the S Thus the posterior is conditionally independent of later obser incorrect set Sv1 . 1 1 vations, given stem-phase observations Ox ,..., Ox . Now, ' 1 n The expected precision for u ∈ VH is E[DMAT(u)|G, S] = consider a network H that is derived from H by removing all C C P(AS )E[DMAT(u)|G, S, AS ] + P(AS )E[DMAT(u)|G, S, AS ] = outgoing edges from adversarial peers. Since the observations 1 1 e O log transactions that have been received for the first time (AS ) [DMAT(u)|G, S, AS ] = (AS ) G, S, AS = x P E P E |Sv | 1 by a spy, it implies the routes taken by the transactions do (AS ) . The overall expected precision may be written P |Sv | not include any spy node. Hence the statistics of the stem 1 1 1 ' as (AS ) . Each term occurs in the phase spreading are identical in H and H. Mathematically (1−p)n u∈VH P |Sv | |Sv | summation |Sv| times, which means that the expected precision this implies, 2pn over all graphs G may be written as (1−p)n P(AS )P(|Sv | > 0). 1 1 P(Yxi , Ox ,..., Ox |H) (Y |O1 ,..., O1 ,H) = 1 n P xi x1 xn 1 1 Note that P(|Sv| = 0) is given by P(|Sv| = 0) = (O ,..., O |H) ∞ i p ∞ P x1 xn t=0 P(|T | = t)P |Sv| = 0 |T | = t = t=0(1 − 1 1 ' P(Yxi , Ox ,..., Ox |H ) t 2 1 n 1 1 ' t 2 1 2 2 2p = = P(Yxi |Ox ,..., Ox ,H ). p) p = p . Thus, (|Sv| > 0) = 1 − = (O1 ,..., O1 |H' ) 1 n 2 1+p P 1+p P x1 xn 1+p−2p 2 1 (21) 1+p . Since 2 ≤ P(AS ) ≤ 1, then From Theorems 3 and 4 in [13] we know that the optimal value 2pn 1 1 + p − 2p2 2pn 1 + p − 2p2 ≤ DMAT ≤ 1 of the expected precision and recall is a function of the pos (1 − p)n 2 1 + p (1 − p)n 1 + p (Y |O1 ,..., O1 , O2 ,..., O2 ,H) terior probabilities P xi x1 xn x1 xn , p+p 2 −2p 3 2p+2p 2−4p3 which by combining Equations (20) and (21) in turn equals 1 1 ' Simplifying gives (1−p2) ≤ DMAT ≤ (1−p2) . (Y |O ,..., O ,H ) P xi x1 xn . E. Proof of Proposition 2 We finish the proof by applying the above results on networks P and Q. Let HP and HQ denote the topologies '' The proof follows by identifying that the first spy node of P and Q respectively; let HP and HQ denote the networks to receive a message along dandelion’s stem is a sufficient obtained by removing outgoing spy edges from P and Q

16 '' respectively. By construction we have H P = HQ. As such To compute the upper bound, we have the two probability spaces, each comprising of the random η η 1 1 ' n − η − |V | fn variables Yx ,...,Yx , O ,..., O ,H , pertaining to the D 1 n x1 xn P(D) ≤ 1 − = 1 − 1 − networks P and Q are identical. Hence we conclude the n − η n − η optimal values of precision and recall in the two networks n − 1 − |V | η (D) ≤ D = (1 − f)η . must also be the same. P n − 1

Trivially, P(ˆv = v |D) ≤ 1.To bound P(ˆv = v |D), we con F. Proof of Proposition 3 dition on the event S, where v’s ﬁrst node in its TWISTED PAIR stem (call it w) is a spy node. The ﬁrst-spy estimator Proof: Let v1 be the source of a message that propagates is recall-optimal if there is a spy node in the stem (Theorem along a path v , v , . . . , v of length k. Let δ be the delay 1 2 k hop 4 in [13]). We have P(ˆv = v |D) = P(ˆv = v |D, S)P(S|D) + incurred between each hop, and let T (v ) be the random out i P(ˆv = v |D, S)P(S|D), and timeout at node vi for i = 1, . . . , k. Note that the message takes δ k time to traverse k hops and reach v . We desire pn p hop k P(ˆv = v |D, S) ≤ 1, P(S|D) = , P(S|D) ≤ 1 − . that none of the vi, i = 1, . . . , k, initiate diffusion during this fn − 1 f time with high probability. Since the random variables Tout(vi) are exponential, this probability can be bounded as To bound P(ˆv = v |D, S), we condition on F , the event where w chooses to extend the stem. P(ˆv = v |D, S) = (ˆv = v |F, D, S) (F |D, S) + (ˆv = v |F , D, S) (F |D, S). e −(k−1)δhop /Tbase e −(k−2)δhop /Tbase ... e −(k−k)δhop/Tbase P P P P For this upper bound, we also assume that an oracle gives the −k(k − 1)δ adversary the source of the diffusion process in the spreading −k(k−1)δhop/(2Tbase) hop = e ≥ 1 − E ⇒ Tbase ≥ , 2 log(1 − E) phase. That is, let /1(x),...,/Mx (x) denote the stem nodes associated with transaction x; in this case, /1(x) = v, and Mx denotes the length of the stem. We assume an oracle gives the

adversary /Mx (x). If w chooses not to extend the stem (event

F ), then the /Mx (x) = w. We also assume that the adversary G. Proof of Theorem 3 knows VD, the set of nodes running TWISTEDPAIR. Hence, we have P(F |D, S) = 1 − q and P(F |D, S) = q. We now Under dandelion spreading, for any message x, the recall- wish to bound P(ˆv = v |F, D, S) and P(ˆv = v |F , D, S)—the optimal estimator chooses the node v that maximizes P(Xv = probabilities of detection given that v passed the message to x|O) (Theorem 4 [13]). Since we assume a uniform prior on honest TWISTEDPAIR neighbor w, conditioned on w’s decision sources, this is equivalent to a maximum-likelihood estimator to either extend or terminate the stem, respectively. that returns vˆ = argmaxv P(O|Xv = x). From [13], we know that for a given adversarial mapping strategy, the expected Recall that if there is a spy in the stem (e.g., /i(x) ∈ recall is equivalent to the probability of detection, P(ˆv = v). VA for some i ∈ [Mx]), then the ﬁrst-spy estimator is recall- optimal. If there are no spies in the stem (i.e., when VA ∩

Consider a TWISTEDPAIR source node v that transmits {/1(x),...,/Mx (x)} = ∅), /1(x) → /Mx (x) → O form a a transaction x. In order to characterize the expected recall Markov chain. Since none of the stem nodes are are spies, the over all honest nodes in VD, by symmetry, it is sufficient to spy observations are conditionally independent of the source compute the probability of detecting v as the source of x, node given /Mx (x). Since the adversary learns /Mx (x) = / where the probability is taken over the spreading realization, exactly from the oracle, the recall-optimizing strategy becomes randomness in the graph, and any randomness in the adver vˆ = arg maxu P(/Mx (x) = /|Xu = x). sary’s estimator. This proof bounds the probability of detection Part 1: To bound (ˆv = v |F , D, S), note that / (x) = w. for v under version-checking and no-version-checking. Let D P Mx denote the event where v has at least one outbound neighbor Suppose that in addition to revealing w, the oracle also tells the adversary that w is not the true source. Consider the set that supports TWISTEDPAIR (i.e., |Dv| > 0), and let D denote the complement of that event. R = {u ∈ VD | w ∈ Du}, which contains all nodes that could have feasibly relayed a TWISTEDPAIR transaction to w. For nodes u ∈ R, the likelihood of each node being the Version-checking: For the lower bound, we have P(ˆv = v) = 1 source is P(/Mx (x) = w|Xu = x) = (q + (1 − q)δ) P(ˆv = v |D)P(D) + P(ˆv = v |D)P(D) ≥ P(ˆv = v |D)P(D). |Du| We can separately bound each of these terms: where δ is the probability that the stem, having reached w without terminating, loops back to w and terminates at some later hop. Conditioned on the stem passing through w, the n − 1 − |VD| n − 2 − |VD| n − η − |VD| (D) = 1 − ... rest of the stem is independent of the source, so δ does not P n − 1 n − 2 n − η η η depend on u. Let vˆ denote the most likely source among the n − 1 − |VD| |VD| η R vˆ = arg max (/ (x) = w|X = x) = ≥ 1 − ≥ 1 − 1 − = 1 − (1 − f) , nodes in . u∈R P Mx u n − 1 n arg minu∈R |Du|. It is straightforward to show that for any alternative source z =v ˆ, z ∈ VH has a lower likelihood. This where f = p + (1 − p)β is the total fraction of nodes running follows trivially if z ∈ R. If z ∈/R, the stem from z to w p TWISTEDPAIR, and P(ˆv = v |D) ≥ f , since the first-spy would require at least two hops, which reduces the likelihood estimator detects the true source if the first node in the stem of candidate source v ∗ by a factor of at least (1 − q). Hence p η is a spy node. Thus P(ˆv = v) ≥ f (1 − (1 − f) ). vˆ is the ML source estimate, and we want to know P(ˆv = v).

17 Since each node u in R is equally likely to have the smallest u)P(u ∈ Dv ) = 1 Du set, we have P(ˆv = v |F , D, S) ≤ E[ |R| ]. We know that = (/ = w) + (/ = u) (u ∈(23) D ) |R| ≥ 1, because v is connected to w by construction. Since P Mx(x) P Mx(x) P v each node chooses its η connections independently, this can u∈VD \{v,w} be computed as E[1/(Z + 1)] where Z ∼ Binom(ñ − 1, φ), ≤ P(/Mx(x) = w) + γ (24) and φ is the probability of any given node choosing w as w ∈ D one of its outbound edges. We can compute φ as φ = 1 − where (23) holds because we already know that v n−2 n−3 n−η−1 by definition, and since we are conditioning on event D, v n−1 n−2 ... n−η η will never relay the message to a non-TWISTEDPAIR node. 1 ≥ 1 − 1 − n−η . Henceforth, we will abuse notation and (24) holds because each TWISTEDPAIR node other than w η is equally likely to be in Dv, so for u ∈ VD \{v, w}, take φ = 1 − 1 − 1 . By using this lower bound on φ, n−η γ £ P(u ∈ Dv) does not depend on u. By the same we are reducing the probability of any given node choosing logic as before, limn→∞ P(/Mx(x)=w) = 0. Hence we only w as an outbound edge, and thereby increasing the overall need to show that limn→∞ γ = 0. We can write out γ = n probability of detection. Given that, it is straightforward to (η −2) η−1 n = n−η+2 , so limn→∞ γ = 0. Given this, we have that show that (η−1) limn→∞ P(ˆv = v |F, D, S) = 0. 1 1 − (1 − φ)n˜ (ˆv = v |F , D, S) ≤ = ζ. (22) Combining the two parts gives P E Z + 1 nφ˜ £ P(ˆv = v |D, S) ; ζq. (25) Overall, we have (ˆv = v) η P ; fn pn p η 1 − 1 − n−η fn−1 + (1 − f )qζ + (1 − f) . Taking Part 2: lim (ˆv = v |F, D, S) = 0 We want to show that n→∞ P ; η p p if this is the case, then the asymptotic inequality in Theorem 3 the limit as n → ∞ gives (1 − (1 − f)) f + (1 − f )qζ + holds for any C' > 1. There are three ways the adversary can (1 − f)η . The claim follows. identify the correct source v under conditions F , D, and S: 1) the stem eventually loops back to v, and then transmits to a spy No-version-checking: The lower bound comes directly from node (we call this event A), 2) the stem loops back to v, which Theorem 2 in [13]. terminates the stem (event B), or 3) the stem terminates before To prove the upper bound, we first condition on whether reaching a spy node, and the set of TWISTEDPAIR nodes with v’s selected stem relay w is a spy node; as before, S denotes outbound edges to the stem’s terminus / includes v (event C). this event. In this section, we will repurpose our previous Note that we are still assuming the adversary learns the last notation and use D to denote the event where the selected stem node /. Also, B and C are not sufficient conditions for relay supports TWISTEDPAIR. Again, we will assume that the detection, but they do guarantee a nonzero probability of de adversary knows the underlying graph H, V , and the final tection under a recall-optimal estimator. Therefore, since these D stem node /M (x). We have events are disjoint, P(ˆv = v |F, D, S) ≤ P(A)+P(B)+P(C); x we can individually bound each of these events. P(ˆv = v) = P(ˆv = v |S)P(S) + P(ˆv = v |S)P(S) (26) pn (1 − p)n (A) (S) = (S) = (ˆv = v |S) = 1 To bound P , we first compute the probability of the P n − 1 P n − 1 P stem looping back to v without reaching any spy nodes or terminating (we call this event A '); since this event is To bound P(ˆv = v |S), we condition on D: P(ˆv = v |S) = necessary but not sufficient for detection under event A, we P(ˆv = v |S, D)P(D|S) + P(ˆv = v |S, D)P(D|S). have (A) ≤ (A' ). (A ' ) can be upper bounded by relaxing P P P β(1 − p)n βn˜ the restriction of not hitting any spy nodes before reaching v. P(D|S) = = So we just want the probability of the stem looping around (1 − p)n − 1 n˜ − 1 and reaching v before terminating. We let M˜ denote the stem (1 − β)(1 − p)n (1 − β)ñ x (D|S) = = length (ignoring the first two hops of v and w); it is a geometric P (1 − p)n − 1 n˜ − 1 random variable with parameter q. We let Tv denote the (ˆv = v |S, D) ζq, (27) random number of hops before hitting node v, given starting P ; ' (ˆv = v |S, D) ≤ ζ, (28) point w (the number of hops excludes w). Thus P(A ) ≤ P ˜ P(Tv ≤ Mx). As an upper bound, we assume all nodes run where (27) follows from (25), and (28) follows from (22) by 1 TWISTEDPAIR. Hence, each node has an equal probability n−1 assuming the adversary is told that w is not the true source. 1 of forwarding the message to v, so Tv ∼ Geom()n−1 . Then Combining gives ˜ ∞ ˜ ∞ P(Tv ≤ Mx) = i=1 P(Mx = i)P(Tv ≤ i) = i=1 q(1 − qβn˜ (1 − β)ñ ζ(1 − β(1 − q))ñ i−1 1 i 1 1 (ˆv = v |S) ζ + = . q) (1 − (1 − n ) ) = 1 − q(1 − n ) 1 . Taking the P ; 1−(1−q)(1− n ) n˜ − 1 n˜ − 1 n˜ − 1 1 1 q limit gives limn→∞ 1 − q(1 − n ) 1 = 1 − q = 0, pn 1−(1−q)(1− n ) Plugging into (26) gives P(ˆv = v) ≤ n−1 + so limn→∞ P(A) = 0. The same argument applies for event (1−p)n ζ(1−β(1−q))ñ . Taking the limit as n → ∞ gives B, so limn→∞ P(B) = 0. n−1 n˜−1 p + ζ(1 − β(1 − q))(1 − p). For event C we have (C) = (/ = P u∈VH \{v} P Mx(x)