1 Introduction
-
we study the potential benefits of an open network topology for the Bitcoin P2P network;
-
we show that most attacks mentioned in literature as aided by topology information are actually independent from such knowledge;
-
we design a protocol to prove connections among peers, and propose a system to monitor the topology of the reachable network;
-
we employ a reputation scheme to discourage malicious nodes from misbehaving and, at the same time, decentralize trust in the monitoring nodes;
-
we implement a proof of concept and evaluate the accuracy of our solution through simulations.
2 The bitcoin P2P network
ADDR
messages from their current neighbors. These messages advertise other known nodes in the network to which it is possible to connect.3 Motivation
4 Security concerns of open topology
4.1 Network-level attacks
4.2 Deanonymization
5 Related work
addr
messages: as nodes advertise their own address when connecting to a new peer, and such messages are forwarded to other peers, it was possible to detect the target’s peers by connecting to all nodes and analyzing received addresses. Similarly, in [11], Miller et al. proposed a network-wide technique, called AddressProbe, that allowed inferring connections among reachable nodes. Their technique exploited the timestamp attached to each entry of addr
messages: since the address of each outbound peer was updated every time a message was received, it was possible to determine which entries in the addr
message corresponded to outbound peers by looking at their timestamp. Both techniques were made ineffective by an update in the reference client [47].inv
message contains all transactions received since the last inv
message was sent. Based on this fact, the adversary creates marker transactions for all peers and observes inv
messages to infer links. This technique shows high precision (more than 90%) but has very low recall (10%), and is hardly practical in real life. The second method targets a single node, and exploits the fact that clients do not relay double-spending transactions. To infer the target’s peers, the adversary sends a different double-spending transaction to each node, except the target. Then she observes which transaction the target relays and deduces a link with the node to which that transaction was sent. Although this technique has very high precision (97%) and good recall (60%), no countermeasures have been introduced to date.6 The AToM protocol
6.1 Protocol overview
6.2 Approach
6.3 The AToM design
6.3.1 Securing the protocol
7 Protocol procedures
-
marker = [target,monitor,value]
: sent by a monitor M to a node N, where target=N, monitor=M and value is a random number; -
verified
= [\({L_{N}^{M}}\)]: sent by a monitor M to a node N, where \({L_{N}^{M}}\) is the list of peers of N currently verified by M.
marker
message with the following payload:
t
for receiving markers back from other nodes. When a marker
message is received from a node P, it is checked against the one sent to N. If it matches, P is added to the list of verified peers \({L_{N}^{M}}\). When t
expires, the PeeV round ends, and the procedure outputs the list \({L_{N}^{M}}\).marker
=[M, N, r] message is received, nodes process it with the HandleMarker procedure, shown in Algorithm 3. This procedure acts depending on the source of the message (pfrom): if pfrom is a legit monitor M, the marker
is forwarded to all outbound peers; if pfrom is an inbound peer and corresponds to the target N, the marker
is forwarded to the monitor M.
verified
message is then sent to N with the list of the verified peers, that is, \({L_{N}^{M}}\) plus all known inbound peers currently verified by other PeeV executions (getPeers()). Note that peer lists do not change between PeeV rounds, which means that a connection stays in GM until a PeeV execution fails to verify it.verified
message from a monitor M, nodes execute the HandleV erified procedure shown in Algorithm 5. This procedure uses the list of verified peers \({L_{N}^{M}}\) included in the message to maintain a reputation system.verified
message is received. If the reputation value falls below a threshold \(\tau {=}\frac {|{\varGamma }|}{2}\), the peer is disconnected. Therefore, a connection is maintained as long as it is confirmed by the majority of monitors.8 Analysis
8.1 Correctness
marker
message to be transmitted through the sequence of nodes M−N−P−M.marker
=[N, M, r] and sends it to N; N receives marker
from M, and since pfrom=M, it sends marker
to every peer in L; since (N, P)∈E ⇒ P∈L, P receives marker
from N; as pfrom=N, P sends marker
to M; M receives marker
from P; as marker=[N, M, r], M executes \({L_{N}^{M}}{:=}{L_{N}^{M}}{\cup }{P}\); finally, the PeeV (N) procedure outputs \({L_{N}^{M}}\), such that \(P{\in }{L_{N}^{M}}\).marker
=[N, M, r] and sends it to N; N receives marker
from M, and since pfrom=M, it sends marker
to every peer in L; since (N, P)∉E ⇒ P∉L, P does not receive marker
from N; as M does not receive marker
from P, it does not execute \({L_{N}^{M}}{:=}{L_{N}^{M}}{\cup }{P}\); finally, the PeeV (N) procedure outputs \({L_{N}^{M}}\), such that \(P{\notin }{L_{N}^{M}}\).while
loop for N; the AToM procedure loop executes \({L_{N}^{M}} \leftarrow PeeV(N)\); the AToM procedure loop executes \(updateTopology(E_{M},{L_{N}^{M}})\); since, by Theorem 1, \((N,P){\in }E \iff P{\in }{L_{N}^{M}}\), \(updateTopology(E_{M}, {L_{N}^{M}})\) adds (N, P) to EM if and only if (N, P)∈E. □8.2 Security analysis
marker
to P, then the following condition holds when PeeV (N) ends: \((P){\notin }{L_{N}^{M}}\).marker
received from M. Then, the following occurs: P receives marker
and runs the HandleMarker procedure (Algorithm 3); in this procedure, since pfrom = N, the if
statement at line 5 yields true; since pfrom.out = true, the if
statement at line 6 yields false, so line 7 (send(M,marker)) is not executed; during the execution of PeeV (N), since marker
is not received from P, line 8 (\({L_{N}^{M}} := {L_{N}^{M}} \cup \{P\}\)) is not executed; hence, at the end of PeeV (N), \(P{\notin }{L_{N}^{M}}\). □marker
to C, and C forwards it to P, then the following condition holds when PeeV (N) ends: \(P{\notin }{L_{N}^{M}}\).marker
to C, and C forwards it to P. Then, the following occurs: P receives marker
and runs the HandleMarker procedure (Algorithm 3); in this procedure, since pfrom = C, the if
statement at line 5 yields false, so line 7 (send(M,marker)) is not executed; during the execution of PeeV (N), since marker
is not received from P, line 8 (\({L_{N}^{M}} := {L_{N}^{M}} \cup \{P\}\)) is not executed; hence, at the end of PeeV (N), \(P{\notin }{L_{N}^{M}}\). □marker
message setting the colluding node C as the target. In this case, P would consider the message valid and forward it to M. However, the value field would not match the target, making the monitor discard the marker.marker
\(\mu ^{\prime }=[P,M,r_{j}]\), and N sends μ to M. Then, the following occurs: M receives μ from N, a compare it with \(\mu ^{\prime }\); since \(\mu {\neq }\mu ^{\prime }\), line 8 (\({L_{N}^{M}} := {L_{N}^{M}} \cup \{P\}\)) is not executed; hence, at the end of PeeV (P)j, N∉LP. □marker
message during the PeeV round, which is forwarded to P (|Γ| messages in total). At the end of each PeeV round, N receives a verified
message from each monitor M, containing the list \({L_{N}^{M}}\) of verified peers.8.3 Accuracy
marker
message and correctly remove (N, P) from EM.8.4 Overhead
-
a
marker
message from each monitor in Γ, which is forwarded to all outbound peers; -
a
verified
message from each monitor in Γ; -
a
marker
message from each inbound peer, which is forwarded to the corresponding monitor.
9 Experimental results
9.1 Implementation
9.2 Evaluation
0% | 5% | 10% | 20% | 30% | 40% | 50% | |
var= 10 | 100 | 100 | 98.9 | 96.9 | 79.9 | 62.9 | 47.6 |
var= 5 | 100 | 100 | 97.2 | 95.7 | 66.1 | 50.8 | 47.6 |
var= 1 | 100 | 99.2 | 95.6 | 84.2 | 64.8 | 51.7 | 51.3 |
0% | 5% | 10% | 20% | 30% | 40% | 50% | |
---|---|---|---|---|---|---|---|
var= 10 | 100 | 99.5 | 98.0 | 95.9 | 88.3 | 79.5 | 54.6 |
var= 5 | 99.9 | 99.0 | 97.3 | 95.8 | 82.5 | 75.7 | 50.1 |
var= 1 | 99.8 | 98.8 | 96.7 | 91.3 | 82.3 | 68.6 | 43.0 |