What is the tradeoff between privacy and implementation complexity of Dandelion (BIP156)












10














Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.




  1. Does Dandelion introduce more complexity into the code base?

  2. Are there possible attack vectors introduced with Dandelion?

  3. What is the hold-up with implementing Dandelion in Bitcoin Core?










share|improve this question





























    10














    Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.




    1. Does Dandelion introduce more complexity into the code base?

    2. Are there possible attack vectors introduced with Dandelion?

    3. What is the hold-up with implementing Dandelion in Bitcoin Core?










    share|improve this question



























      10












      10








      10


      1





      Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.




      1. Does Dandelion introduce more complexity into the code base?

      2. Are there possible attack vectors introduced with Dandelion?

      3. What is the hold-up with implementing Dandelion in Bitcoin Core?










      share|improve this question















      Dandelion is a new relay protocol for transactions on cryptocurrency peer-to-peer networks. It has been heralded as a huge privacy improvement for cryptocurrencies at the networking level– I'm wondering what costs this comes at.




      1. Does Dandelion introduce more complexity into the code base?

      2. Are there possible attack vectors introduced with Dandelion?

      3. What is the hold-up with implementing Dandelion in Bitcoin Core?







      bitcoincore-development dandelion p2p bip156






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 30 '18 at 1:00









      Murch

      34.7k27113325




      34.7k27113325










      asked Nov 30 '18 at 0:56









      Chris StewartChris Stewart

      638516




      638516






















          1 Answer
          1






          active

          oldest

          votes


















          11














          In my view, the main implementation detail to be worked out with Dandelion
          is ensuring that there are no new DoS vectors introduced.



          In the existing transaction relay model of Bitcoin Core, transactions that
          do not make it into a node's mempool -- a proxy for what we expect to be
          (eventually) mined -- do not get relayed to other nodes.



          In the Dandelion protocol, transactions are relayed (in the stem phase) prior
          to acceptance into a node's mempool. As a result, there are potential DoS
          vectors if transactions can be systematically relayed via Dandelion but
          ultimately not be accepted to any node's mempool -- this could either introduce
          a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
          relaying ultimately useless data; or a CPU-exhaustion DoS, if
          expensive-to-validate transactions can be relayed without ultimately being
          mined. [In general, the only way attackers "pay" for the network's resources
          they consume when relaying is via the transaction fee in their transactions; if
          attackers can generate transactions that do not ultimately get mined, then any
          side effects of the relay -- such as validation cost and bandwidth used -- can
          be achieved for free since those transaction fees are never actually paid,
          which typically implies that the network's resources could be utilized entirely
          (since it would be costless for an attacker to ramp up usage).]



          It turns out that -- in a naive Dandelion implementation -- it would not be
          very difficult to generate transactions that would propagate in the stem-phase
          but never be accepted to the mempool (at very low cost). This is largely a
          consequence of the complexity around mempool acceptance logic, and seems
          particularly unavoidable given the mempool's own anti-DoS limits.



          The existing mempool acceptance logic attempts to prevent or limit the effect
          of these kinds of DoS attacks. Transactions don't have their signatures
          checked until just before mempool acceptance, after all other transaction
          policy rules have been met, to avoid CPU exhaustion attacks. Preventing
          bandwidth attacks is more involved:




          • transactions are only relayed after being accepted to our own mempool


          • if our mempool fills up (it is a memory-limited data structure), then we can
            evict low feerate transactions to make room for new transactions, but new
            transactions are subject to a higher minimum relay fee, designed to offset/pay
            the relay fee for transactions which were evicted from the
            mempool (and will thus no longer be mined until they relay again).



          In short, there's quite a bit of complexity in the mempool acceptance logic to
          prevent DoS. So in my view, the questions around a Dandelion implementation are:



          (a) Do we need something as complex as the current mempool logic in order to
          avoid DoS vectors with Dandelion, or can we do something simpler?



          (b) Are there acceptable modifications to the Dandelion protocol that would
          simplify the DoS analysis and allow for a simpler implementation while still
          providing a significant privacy boost to the network? As an example: would it
          be acceptable to implement Dandelion in such a way that under DoS scenarios, we
          just fall back to the current relay model?



          (c) If we don't have simpler solutions that work, is it worth implementing
          something akin to the current mempool logic (called a "stempool" in some of the
          discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
          complexity worth the privacy benefit that Dandelion would confer? While
          improving privacy on the network is obviously a good thing, the privacy
          benefits of Dandelion are limited, so is this the kind of thing that's worth
          spending a lot of energy to implement and maintain, or should we focus our
          mental energy elsewhere?






          share|improve this answer





















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "308"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f81503%2fwhat-is-the-tradeoff-between-privacy-and-implementation-complexity-of-dandelion%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            11














            In my view, the main implementation detail to be worked out with Dandelion
            is ensuring that there are no new DoS vectors introduced.



            In the existing transaction relay model of Bitcoin Core, transactions that
            do not make it into a node's mempool -- a proxy for what we expect to be
            (eventually) mined -- do not get relayed to other nodes.



            In the Dandelion protocol, transactions are relayed (in the stem phase) prior
            to acceptance into a node's mempool. As a result, there are potential DoS
            vectors if transactions can be systematically relayed via Dandelion but
            ultimately not be accepted to any node's mempool -- this could either introduce
            a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
            relaying ultimately useless data; or a CPU-exhaustion DoS, if
            expensive-to-validate transactions can be relayed without ultimately being
            mined. [In general, the only way attackers "pay" for the network's resources
            they consume when relaying is via the transaction fee in their transactions; if
            attackers can generate transactions that do not ultimately get mined, then any
            side effects of the relay -- such as validation cost and bandwidth used -- can
            be achieved for free since those transaction fees are never actually paid,
            which typically implies that the network's resources could be utilized entirely
            (since it would be costless for an attacker to ramp up usage).]



            It turns out that -- in a naive Dandelion implementation -- it would not be
            very difficult to generate transactions that would propagate in the stem-phase
            but never be accepted to the mempool (at very low cost). This is largely a
            consequence of the complexity around mempool acceptance logic, and seems
            particularly unavoidable given the mempool's own anti-DoS limits.



            The existing mempool acceptance logic attempts to prevent or limit the effect
            of these kinds of DoS attacks. Transactions don't have their signatures
            checked until just before mempool acceptance, after all other transaction
            policy rules have been met, to avoid CPU exhaustion attacks. Preventing
            bandwidth attacks is more involved:




            • transactions are only relayed after being accepted to our own mempool


            • if our mempool fills up (it is a memory-limited data structure), then we can
              evict low feerate transactions to make room for new transactions, but new
              transactions are subject to a higher minimum relay fee, designed to offset/pay
              the relay fee for transactions which were evicted from the
              mempool (and will thus no longer be mined until they relay again).



            In short, there's quite a bit of complexity in the mempool acceptance logic to
            prevent DoS. So in my view, the questions around a Dandelion implementation are:



            (a) Do we need something as complex as the current mempool logic in order to
            avoid DoS vectors with Dandelion, or can we do something simpler?



            (b) Are there acceptable modifications to the Dandelion protocol that would
            simplify the DoS analysis and allow for a simpler implementation while still
            providing a significant privacy boost to the network? As an example: would it
            be acceptable to implement Dandelion in such a way that under DoS scenarios, we
            just fall back to the current relay model?



            (c) If we don't have simpler solutions that work, is it worth implementing
            something akin to the current mempool logic (called a "stempool" in some of the
            discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
            complexity worth the privacy benefit that Dandelion would confer? While
            improving privacy on the network is obviously a good thing, the privacy
            benefits of Dandelion are limited, so is this the kind of thing that's worth
            spending a lot of energy to implement and maintain, or should we focus our
            mental energy elsewhere?






            share|improve this answer


























              11














              In my view, the main implementation detail to be worked out with Dandelion
              is ensuring that there are no new DoS vectors introduced.



              In the existing transaction relay model of Bitcoin Core, transactions that
              do not make it into a node's mempool -- a proxy for what we expect to be
              (eventually) mined -- do not get relayed to other nodes.



              In the Dandelion protocol, transactions are relayed (in the stem phase) prior
              to acceptance into a node's mempool. As a result, there are potential DoS
              vectors if transactions can be systematically relayed via Dandelion but
              ultimately not be accepted to any node's mempool -- this could either introduce
              a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
              relaying ultimately useless data; or a CPU-exhaustion DoS, if
              expensive-to-validate transactions can be relayed without ultimately being
              mined. [In general, the only way attackers "pay" for the network's resources
              they consume when relaying is via the transaction fee in their transactions; if
              attackers can generate transactions that do not ultimately get mined, then any
              side effects of the relay -- such as validation cost and bandwidth used -- can
              be achieved for free since those transaction fees are never actually paid,
              which typically implies that the network's resources could be utilized entirely
              (since it would be costless for an attacker to ramp up usage).]



              It turns out that -- in a naive Dandelion implementation -- it would not be
              very difficult to generate transactions that would propagate in the stem-phase
              but never be accepted to the mempool (at very low cost). This is largely a
              consequence of the complexity around mempool acceptance logic, and seems
              particularly unavoidable given the mempool's own anti-DoS limits.



              The existing mempool acceptance logic attempts to prevent or limit the effect
              of these kinds of DoS attacks. Transactions don't have their signatures
              checked until just before mempool acceptance, after all other transaction
              policy rules have been met, to avoid CPU exhaustion attacks. Preventing
              bandwidth attacks is more involved:




              • transactions are only relayed after being accepted to our own mempool


              • if our mempool fills up (it is a memory-limited data structure), then we can
                evict low feerate transactions to make room for new transactions, but new
                transactions are subject to a higher minimum relay fee, designed to offset/pay
                the relay fee for transactions which were evicted from the
                mempool (and will thus no longer be mined until they relay again).



              In short, there's quite a bit of complexity in the mempool acceptance logic to
              prevent DoS. So in my view, the questions around a Dandelion implementation are:



              (a) Do we need something as complex as the current mempool logic in order to
              avoid DoS vectors with Dandelion, or can we do something simpler?



              (b) Are there acceptable modifications to the Dandelion protocol that would
              simplify the DoS analysis and allow for a simpler implementation while still
              providing a significant privacy boost to the network? As an example: would it
              be acceptable to implement Dandelion in such a way that under DoS scenarios, we
              just fall back to the current relay model?



              (c) If we don't have simpler solutions that work, is it worth implementing
              something akin to the current mempool logic (called a "stempool" in some of the
              discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
              complexity worth the privacy benefit that Dandelion would confer? While
              improving privacy on the network is obviously a good thing, the privacy
              benefits of Dandelion are limited, so is this the kind of thing that's worth
              spending a lot of energy to implement and maintain, or should we focus our
              mental energy elsewhere?






              share|improve this answer
























                11












                11








                11






                In my view, the main implementation detail to be worked out with Dandelion
                is ensuring that there are no new DoS vectors introduced.



                In the existing transaction relay model of Bitcoin Core, transactions that
                do not make it into a node's mempool -- a proxy for what we expect to be
                (eventually) mined -- do not get relayed to other nodes.



                In the Dandelion protocol, transactions are relayed (in the stem phase) prior
                to acceptance into a node's mempool. As a result, there are potential DoS
                vectors if transactions can be systematically relayed via Dandelion but
                ultimately not be accepted to any node's mempool -- this could either introduce
                a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
                relaying ultimately useless data; or a CPU-exhaustion DoS, if
                expensive-to-validate transactions can be relayed without ultimately being
                mined. [In general, the only way attackers "pay" for the network's resources
                they consume when relaying is via the transaction fee in their transactions; if
                attackers can generate transactions that do not ultimately get mined, then any
                side effects of the relay -- such as validation cost and bandwidth used -- can
                be achieved for free since those transaction fees are never actually paid,
                which typically implies that the network's resources could be utilized entirely
                (since it would be costless for an attacker to ramp up usage).]



                It turns out that -- in a naive Dandelion implementation -- it would not be
                very difficult to generate transactions that would propagate in the stem-phase
                but never be accepted to the mempool (at very low cost). This is largely a
                consequence of the complexity around mempool acceptance logic, and seems
                particularly unavoidable given the mempool's own anti-DoS limits.



                The existing mempool acceptance logic attempts to prevent or limit the effect
                of these kinds of DoS attacks. Transactions don't have their signatures
                checked until just before mempool acceptance, after all other transaction
                policy rules have been met, to avoid CPU exhaustion attacks. Preventing
                bandwidth attacks is more involved:




                • transactions are only relayed after being accepted to our own mempool


                • if our mempool fills up (it is a memory-limited data structure), then we can
                  evict low feerate transactions to make room for new transactions, but new
                  transactions are subject to a higher minimum relay fee, designed to offset/pay
                  the relay fee for transactions which were evicted from the
                  mempool (and will thus no longer be mined until they relay again).



                In short, there's quite a bit of complexity in the mempool acceptance logic to
                prevent DoS. So in my view, the questions around a Dandelion implementation are:



                (a) Do we need something as complex as the current mempool logic in order to
                avoid DoS vectors with Dandelion, or can we do something simpler?



                (b) Are there acceptable modifications to the Dandelion protocol that would
                simplify the DoS analysis and allow for a simpler implementation while still
                providing a significant privacy boost to the network? As an example: would it
                be acceptable to implement Dandelion in such a way that under DoS scenarios, we
                just fall back to the current relay model?



                (c) If we don't have simpler solutions that work, is it worth implementing
                something akin to the current mempool logic (called a "stempool" in some of the
                discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
                complexity worth the privacy benefit that Dandelion would confer? While
                improving privacy on the network is obviously a good thing, the privacy
                benefits of Dandelion are limited, so is this the kind of thing that's worth
                spending a lot of energy to implement and maintain, or should we focus our
                mental energy elsewhere?






                share|improve this answer












                In my view, the main implementation detail to be worked out with Dandelion
                is ensuring that there are no new DoS vectors introduced.



                In the existing transaction relay model of Bitcoin Core, transactions that
                do not make it into a node's mempool -- a proxy for what we expect to be
                (eventually) mined -- do not get relayed to other nodes.



                In the Dandelion protocol, transactions are relayed (in the stem phase) prior
                to acceptance into a node's mempool. As a result, there are potential DoS
                vectors if transactions can be systematically relayed via Dandelion but
                ultimately not be accepted to any node's mempool -- this could either introduce
                a bandwidth DoS, where the Bitcoin network's bandwidth is used up or wasted
                relaying ultimately useless data; or a CPU-exhaustion DoS, if
                expensive-to-validate transactions can be relayed without ultimately being
                mined. [In general, the only way attackers "pay" for the network's resources
                they consume when relaying is via the transaction fee in their transactions; if
                attackers can generate transactions that do not ultimately get mined, then any
                side effects of the relay -- such as validation cost and bandwidth used -- can
                be achieved for free since those transaction fees are never actually paid,
                which typically implies that the network's resources could be utilized entirely
                (since it would be costless for an attacker to ramp up usage).]



                It turns out that -- in a naive Dandelion implementation -- it would not be
                very difficult to generate transactions that would propagate in the stem-phase
                but never be accepted to the mempool (at very low cost). This is largely a
                consequence of the complexity around mempool acceptance logic, and seems
                particularly unavoidable given the mempool's own anti-DoS limits.



                The existing mempool acceptance logic attempts to prevent or limit the effect
                of these kinds of DoS attacks. Transactions don't have their signatures
                checked until just before mempool acceptance, after all other transaction
                policy rules have been met, to avoid CPU exhaustion attacks. Preventing
                bandwidth attacks is more involved:




                • transactions are only relayed after being accepted to our own mempool


                • if our mempool fills up (it is a memory-limited data structure), then we can
                  evict low feerate transactions to make room for new transactions, but new
                  transactions are subject to a higher minimum relay fee, designed to offset/pay
                  the relay fee for transactions which were evicted from the
                  mempool (and will thus no longer be mined until they relay again).



                In short, there's quite a bit of complexity in the mempool acceptance logic to
                prevent DoS. So in my view, the questions around a Dandelion implementation are:



                (a) Do we need something as complex as the current mempool logic in order to
                avoid DoS vectors with Dandelion, or can we do something simpler?



                (b) Are there acceptable modifications to the Dandelion protocol that would
                simplify the DoS analysis and allow for a simpler implementation while still
                providing a significant privacy boost to the network? As an example: would it
                be acceptable to implement Dandelion in such a way that under DoS scenarios, we
                just fall back to the current relay model?



                (c) If we don't have simpler solutions that work, is it worth implementing
                something akin to the current mempool logic (called a "stempool" in some of the
                discussions) in order to introduce Dandelion into Bitcoin Core? Is the code
                complexity worth the privacy benefit that Dandelion would confer? While
                improving privacy on the network is obviously a good thing, the privacy
                benefits of Dandelion are limited, so is this the kind of thing that's worth
                spending a lot of energy to implement and maintain, or should we focus our
                mental energy elsewhere?







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 30 '18 at 2:02









                sdaftuarsdaftuar

                12612




                12612






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Bitcoin Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f81503%2fwhat-is-the-tradeoff-between-privacy-and-implementation-complexity-of-dandelion%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Bundesstraße 106

                    Verónica Boquete

                    Ida-Boy-Ed-Garten