What is the tradeoff between privacy and implementation complexity of Dandelion (BIP156)
up vote
10
down vote
favorite
Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.
- Does Dandelion introduce more complexity into the code base?
- Are there possible attack vectors introduced with Dandelion?
- What is the hold-up with implementing Dandelion in Bitcoin Core?
bitcoincore-development dandelion p2p bip156
add a comment |
up vote
10
down vote
favorite
Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.
- Does Dandelion introduce more complexity into the code base?
- Are there possible attack vectors introduced with Dandelion?
- What is the hold-up with implementing Dandelion in Bitcoin Core?
bitcoincore-development dandelion p2p bip156
add a comment |
up vote
10
down vote
favorite
up vote
10
down vote
favorite
Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.
- Does Dandelion introduce more complexity into the code base?
- Are there possible attack vectors introduced with Dandelion?
- What is the hold-up with implementing Dandelion in Bitcoin Core?
bitcoincore-development dandelion p2p bip156
Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.
- Does Dandelion introduce more complexity into the code base?
- Are there possible attack vectors introduced with Dandelion?
- What is the hold-up with implementing Dandelion in Bitcoin Core?
bitcoincore-development dandelion p2p bip156
bitcoincore-development dandelion p2p bip156
edited Nov 30 at 1:00
Murch♦
34.4k27112323
34.4k27112323
asked Nov 30 at 0:56
Chris Stewart
638516
638516
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
11
down vote
accepted
In my view, the main implementation detail to be worked out with Dandelion
is ensuring that there are no new DoS vectors introduced.
In the existing transaction relay model of Bitcoin Core, transactions that
do not make it into a node's mempool -- a proxy for what we expect to be
(eventually) mined -- do not get relayed to other nodes.
In the Dandelion protocol, transactions are relayed (in the stem phase) prior
to acceptance into a node's mempool. As a result, there are potential DoS
vectors if transactions can be systematically relayed via Dandelion but
ultimately not be accepted to any node's mempool -- this could either introduce
a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
relaying ultimately useless data; or a CPU-exhaustion DoS, if
expensive-to-validate transactions can be relayed without ultimately being
mined. [In general, the only way attackers "pay" for the network's resources
they consume when relaying is via the transaction fee in their transactions; if
attackers can generate transactions that do not ultimately get mined, then any
side effects of the relay -- such as validation cost and bandwidth used -- can
be achieved for free since those transaction fees are never actually paid,
which typically implies that the network's resources could be utilized entirely
(since it would be costless for an attacker to ramp up usage).]
It turns out that -- in a naive Dandelion implementation -- it would not be
very difficult to generate transactions that would propagate in the stem-phase
but never be accepted to the mempool (at very low cost). This is largely a
consequence of the complexity around mempool acceptance logic, and seems
particularly unavoidable given the mempool's own anti-DoS limits.
The existing mempool acceptance logic attempts to prevent or limit the effect
of these kinds of DoS attacks. Transactions don't have their signatures
checked until just before mempool acceptance, after all other transaction
policy rules have been met, to avoid CPU exhaustion attacks. Preventing
bandwidth attacks is more involved:
transactions are only relayed after being accepted to our own mempool
if our mempool fills up (it is a memory-limited data structure), then we can
evict low feerate transactions to make room for new transactions, but new
transactions are subject to a higher minimum relay fee, designed to offset/pay
the relay fee for transactions which were evicted from the
mempool (and will thus no longer be mined until they relay again).
In short, there's quite a bit of complexity in the mempool acceptance logic to
prevent DoS. So in my view, the questions around a Dandelion implementation are:
(a) Do we need something as complex as the current mempool logic in order to
avoid DoS vectors with Dandelion, or can we do something simpler?
(b) Are there acceptable modifications to the Dandelion protocol that would
simplify the DoS analysis and allow for a simpler implementation while still
providing a significant privacy boost to the network? As an example: would it
be acceptable to implement Dandelion in such a way that under DoS scenarios, we
just fall back to the current relay model?
(c) If we don't have simpler solutions that work, is it worth implementing
something akin to the current mempool logic (called a "stempool" in some of the
discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
complexity worth the privacy benefit that Dandelion would confer? While
improving privacy on the network is obviously a good thing, the privacy
benefits of Dandelion are limited, so is this the kind of thing that's worth
spending a lot of energy to implement and maintain, or should we focus our
mental energy elsewhere?
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "308"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f81503%2fwhat-is-the-tradeoff-between-privacy-and-implementation-complexity-of-dandelion%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
11
down vote
accepted
In my view, the main implementation detail to be worked out with Dandelion
is ensuring that there are no new DoS vectors introduced.
In the existing transaction relay model of Bitcoin Core, transactions that
do not make it into a node's mempool -- a proxy for what we expect to be
(eventually) mined -- do not get relayed to other nodes.
In the Dandelion protocol, transactions are relayed (in the stem phase) prior
to acceptance into a node's mempool. As a result, there are potential DoS
vectors if transactions can be systematically relayed via Dandelion but
ultimately not be accepted to any node's mempool -- this could either introduce
a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
relaying ultimately useless data; or a CPU-exhaustion DoS, if
expensive-to-validate transactions can be relayed without ultimately being
mined. [In general, the only way attackers "pay" for the network's resources
they consume when relaying is via the transaction fee in their transactions; if
attackers can generate transactions that do not ultimately get mined, then any
side effects of the relay -- such as validation cost and bandwidth used -- can
be achieved for free since those transaction fees are never actually paid,
which typically implies that the network's resources could be utilized entirely
(since it would be costless for an attacker to ramp up usage).]
It turns out that -- in a naive Dandelion implementation -- it would not be
very difficult to generate transactions that would propagate in the stem-phase
but never be accepted to the mempool (at very low cost). This is largely a
consequence of the complexity around mempool acceptance logic, and seems
particularly unavoidable given the mempool's own anti-DoS limits.
The existing mempool acceptance logic attempts to prevent or limit the effect
of these kinds of DoS attacks. Transactions don't have their signatures
checked until just before mempool acceptance, after all other transaction
policy rules have been met, to avoid CPU exhaustion attacks. Preventing
bandwidth attacks is more involved:
transactions are only relayed after being accepted to our own mempool
if our mempool fills up (it is a memory-limited data structure), then we can
evict low feerate transactions to make room for new transactions, but new
transactions are subject to a higher minimum relay fee, designed to offset/pay
the relay fee for transactions which were evicted from the
mempool (and will thus no longer be mined until they relay again).
In short, there's quite a bit of complexity in the mempool acceptance logic to
prevent DoS. So in my view, the questions around a Dandelion implementation are:
(a) Do we need something as complex as the current mempool logic in order to
avoid DoS vectors with Dandelion, or can we do something simpler?
(b) Are there acceptable modifications to the Dandelion protocol that would
simplify the DoS analysis and allow for a simpler implementation while still
providing a significant privacy boost to the network? As an example: would it
be acceptable to implement Dandelion in such a way that under DoS scenarios, we
just fall back to the current relay model?
(c) If we don't have simpler solutions that work, is it worth implementing
something akin to the current mempool logic (called a "stempool" in some of the
discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
complexity worth the privacy benefit that Dandelion would confer? While
improving privacy on the network is obviously a good thing, the privacy
benefits of Dandelion are limited, so is this the kind of thing that's worth
spending a lot of energy to implement and maintain, or should we focus our
mental energy elsewhere?
add a comment |
up vote
11
down vote
accepted
In my view, the main implementation detail to be worked out with Dandelion
is ensuring that there are no new DoS vectors introduced.
In the existing transaction relay model of Bitcoin Core, transactions that
do not make it into a node's mempool -- a proxy for what we expect to be
(eventually) mined -- do not get relayed to other nodes.
In the Dandelion protocol, transactions are relayed (in the stem phase) prior
to acceptance into a node's mempool. As a result, there are potential DoS
vectors if transactions can be systematically relayed via Dandelion but
ultimately not be accepted to any node's mempool -- this could either introduce
a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
relaying ultimately useless data; or a CPU-exhaustion DoS, if
expensive-to-validate transactions can be relayed without ultimately being
mined. [In general, the only way attackers "pay" for the network's resources
they consume when relaying is via the transaction fee in their transactions; if
attackers can generate transactions that do not ultimately get mined, then any
side effects of the relay -- such as validation cost and bandwidth used -- can
be achieved for free since those transaction fees are never actually paid,
which typically implies that the network's resources could be utilized entirely
(since it would be costless for an attacker to ramp up usage).]
It turns out that -- in a naive Dandelion implementation -- it would not be
very difficult to generate transactions that would propagate in the stem-phase
but never be accepted to the mempool (at very low cost). This is largely a
consequence of the complexity around mempool acceptance logic, and seems
particularly unavoidable given the mempool's own anti-DoS limits.
The existing mempool acceptance logic attempts to prevent or limit the effect
of these kinds of DoS attacks. Transactions don't have their signatures
checked until just before mempool acceptance, after all other transaction
policy rules have been met, to avoid CPU exhaustion attacks. Preventing
bandwidth attacks is more involved:
transactions are only relayed after being accepted to our own mempool
if our mempool fills up (it is a memory-limited data structure), then we can
evict low feerate transactions to make room for new transactions, but new
transactions are subject to a higher minimum relay fee, designed to offset/pay
the relay fee for transactions which were evicted from the
mempool (and will thus no longer be mined until they relay again).
In short, there's quite a bit of complexity in the mempool acceptance logic to
prevent DoS. So in my view, the questions around a Dandelion implementation are:
(a) Do we need something as complex as the current mempool logic in order to
avoid DoS vectors with Dandelion, or can we do something simpler?
(b) Are there acceptable modifications to the Dandelion protocol that would
simplify the DoS analysis and allow for a simpler implementation while still
providing a significant privacy boost to the network? As an example: would it
be acceptable to implement Dandelion in such a way that under DoS scenarios, we
just fall back to the current relay model?
(c) If we don't have simpler solutions that work, is it worth implementing
something akin to the current mempool logic (called a "stempool" in some of the
discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
complexity worth the privacy benefit that Dandelion would confer? While
improving privacy on the network is obviously a good thing, the privacy
benefits of Dandelion are limited, so is this the kind of thing that's worth
spending a lot of energy to implement and maintain, or should we focus our
mental energy elsewhere?
add a comment |
up vote
11
down vote
accepted
up vote
11
down vote
accepted
In my view, the main implementation detail to be worked out with Dandelion
is ensuring that there are no new DoS vectors introduced.
In the existing transaction relay model of Bitcoin Core, transactions that
do not make it into a node's mempool -- a proxy for what we expect to be
(eventually) mined -- do not get relayed to other nodes.
In the Dandelion protocol, transactions are relayed (in the stem phase) prior
to acceptance into a node's mempool. As a result, there are potential DoS
vectors if transactions can be systematically relayed via Dandelion but
ultimately not be accepted to any node's mempool -- this could either introduce
a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
relaying ultimately useless data; or a CPU-exhaustion DoS, if
expensive-to-validate transactions can be relayed without ultimately being
mined. [In general, the only way attackers "pay" for the network's resources
they consume when relaying is via the transaction fee in their transactions; if
attackers can generate transactions that do not ultimately get mined, then any
side effects of the relay -- such as validation cost and bandwidth used -- can
be achieved for free since those transaction fees are never actually paid,
which typically implies that the network's resources could be utilized entirely
(since it would be costless for an attacker to ramp up usage).]
It turns out that -- in a naive Dandelion implementation -- it would not be
very difficult to generate transactions that would propagate in the stem-phase
but never be accepted to the mempool (at very low cost). This is largely a
consequence of the complexity around mempool acceptance logic, and seems
particularly unavoidable given the mempool's own anti-DoS limits.
The existing mempool acceptance logic attempts to prevent or limit the effect
of these kinds of DoS attacks. Transactions don't have their signatures
checked until just before mempool acceptance, after all other transaction
policy rules have been met, to avoid CPU exhaustion attacks. Preventing
bandwidth attacks is more involved:
transactions are only relayed after being accepted to our own mempool
if our mempool fills up (it is a memory-limited data structure), then we can
evict low feerate transactions to make room for new transactions, but new
transactions are subject to a higher minimum relay fee, designed to offset/pay
the relay fee for transactions which were evicted from the
mempool (and will thus no longer be mined until they relay again).
In short, there's quite a bit of complexity in the mempool acceptance logic to
prevent DoS. So in my view, the questions around a Dandelion implementation are:
(a) Do we need something as complex as the current mempool logic in order to
avoid DoS vectors with Dandelion, or can we do something simpler?
(b) Are there acceptable modifications to the Dandelion protocol that would
simplify the DoS analysis and allow for a simpler implementation while still
providing a significant privacy boost to the network? As an example: would it
be acceptable to implement Dandelion in such a way that under DoS scenarios, we
just fall back to the current relay model?
(c) If we don't have simpler solutions that work, is it worth implementing
something akin to the current mempool logic (called a "stempool" in some of the
discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
complexity worth the privacy benefit that Dandelion would confer? While
improving privacy on the network is obviously a good thing, the privacy
benefits of Dandelion are limited, so is this the kind of thing that's worth
spending a lot of energy to implement and maintain, or should we focus our
mental energy elsewhere?
In my view, the main implementation detail to be worked out with Dandelion
is ensuring that there are no new DoS vectors introduced.
In the existing transaction relay model of Bitcoin Core, transactions that
do not make it into a node's mempool -- a proxy for what we expect to be
(eventually) mined -- do not get relayed to other nodes.
In the Dandelion protocol, transactions are relayed (in the stem phase) prior
to acceptance into a node's mempool. As a result, there are potential DoS
vectors if transactions can be systematically relayed via Dandelion but
ultimately not be accepted to any node's mempool -- this could either introduce
a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
relaying ultimately useless data; or a CPU-exhaustion DoS, if
expensive-to-validate transactions can be relayed without ultimately being
mined. [In general, the only way attackers "pay" for the network's resources
they consume when relaying is via the transaction fee in their transactions; if
attackers can generate transactions that do not ultimately get mined, then any
side effects of the relay -- such as validation cost and bandwidth used -- can
be achieved for free since those transaction fees are never actually paid,
which typically implies that the network's resources could be utilized entirely
(since it would be costless for an attacker to ramp up usage).]
It turns out that -- in a naive Dandelion implementation -- it would not be
very difficult to generate transactions that would propagate in the stem-phase
but never be accepted to the mempool (at very low cost). This is largely a
consequence of the complexity around mempool acceptance logic, and seems
particularly unavoidable given the mempool's own anti-DoS limits.
The existing mempool acceptance logic attempts to prevent or limit the effect
of these kinds of DoS attacks. Transactions don't have their signatures
checked until just before mempool acceptance, after all other transaction
policy rules have been met, to avoid CPU exhaustion attacks. Preventing
bandwidth attacks is more involved:
transactions are only relayed after being accepted to our own mempool
if our mempool fills up (it is a memory-limited data structure), then we can
evict low feerate transactions to make room for new transactions, but new
transactions are subject to a higher minimum relay fee, designed to offset/pay
the relay fee for transactions which were evicted from the
mempool (and will thus no longer be mined until they relay again).
In short, there's quite a bit of complexity in the mempool acceptance logic to
prevent DoS. So in my view, the questions around a Dandelion implementation are:
(a) Do we need something as complex as the current mempool logic in order to
avoid DoS vectors with Dandelion, or can we do something simpler?
(b) Are there acceptable modifications to the Dandelion protocol that would
simplify the DoS analysis and allow for a simpler implementation while still
providing a significant privacy boost to the network? As an example: would it
be acceptable to implement Dandelion in such a way that under DoS scenarios, we
just fall back to the current relay model?
(c) If we don't have simpler solutions that work, is it worth implementing
something akin to the current mempool logic (called a "stempool" in some of the
discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
complexity worth the privacy benefit that Dandelion would confer? While
improving privacy on the network is obviously a good thing, the privacy
benefits of Dandelion are limited, so is this the kind of thing that's worth
spending a lot of energy to implement and maintain, or should we focus our
mental energy elsewhere?
answered Nov 30 at 2:02
sdaftuar
12612
12612
add a comment |
add a comment |
Thanks for contributing an answer to Bitcoin Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f81503%2fwhat-is-the-tradeoff-between-privacy-and-implementation-complexity-of-dandelion%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown