Exploiting Transaction Accumulation and Double Spends for Topology Inference in Bitcoin Matthias Grundmann, Till Neudecker, Hannes Hartenstein Prof. Dr. Hannes Hartenstein | DSN Research Group

Bitcoin Network Topology Bitcoin is based on a P2P-network How the Bitcoin network looks Our view on the network Our goal: Get information about network How the Bitcoin network looks Our view on the Bitcoin network 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Network Topology Inference Goal Get view of the full network Previous work Coinscope [1] Timing Analysis [2] [1] Andrew Miller, James Litton, Andrew Pachulski, Neal Gupta, Dave Levin, Neil Spring, and Bobby Bhattacharjee. Discovering bitcoin’s public topology and influential nodes. 2015. [2] T. Neudecker, P. Andelfinger, and H. Hartenstein. Timing analysis for inferring the topology of the bitcoin peer-to-peer network. July 2016. 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Two New Approaches Exploit Transaction Accumulation Detection of unpredictable connections Exploit Dropping of Double Spends Detection of connections of one targeted peer 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Agenda Introduction Basics Exploit Transaction Accumulation Exploit Dropping of Double Spends Conclusion 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Goal and Assumptions about Adversary Goal of adversary Infer connections between nodes accepting incoming connections Adversary can … connect to all publicly reachable peers estimate latencies create transactions (but has to pay fees) Accepting incoming connections Not accepting incoming connections 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Basics: Transaction Propagation … Inputs not already spent ⇒ No “double spend” ... ID INV Exploit Dropping of Double Spends Transaction is unknown ⇒ Send request ID INV ID INV Weitere Validation: Transaktion schon in Blockchain? Signatur gültig? Inputs sind Outputs einer andere Transaktion? ID INV ID GETDATA ID INV TX Check if transaction is valid: If invalid ⇒ Drop silently If valid ⇒ Announce to own neighbors I. Announce II. Request III. Send IV. Validate 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Delayed Forwarding in Bitcoin Core (≥ v0.14.1) Transactions are not announced directly once they are received or created ToDo: Hier schon Vereinfachung Weiterleitung statt Ankündigung. Besser erst im nächsten Schritt? Fanti nennt die Methode „Diffusion Spreading“ => Message Accumulation Exploit Transaction Accumulation For each neighbor Queue with transactions to announce Timestamp for next announcement 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Exploiting Transaction Accumulation Procedure Connect adversary to all reachable peers Create transactions ti Individually for each peer Send ti to all peers Monitor received transactions For each peer analyze first message received If exactly one transaction: Found directly connected peer  If more than one transaction: Ignore  1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Discussion of Accumulation Approach Success relies on first message received by a peer containing one single transaction Only infrequent Cannot be influenced or predicted by adversary False positives if assumptions fail E.g. not reachable peer forwards transaction High cost: One transaction per reachable peer Variant DSk Reduces cost to k transaction fees Validation in testnet difficult Variant Double Spend Transactions share k different inputs Every peer keeps only first transaction per input Cost: k transaction fees 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Simulation of Accumulation Approach Setup 500 peers in network Simplified implementation of forwarding behavior Detection for simple version and variant DS3 ⇒ For cost of 3 transaction fees on average 20 connections correctly found with 2 false positives Simplifications: Send TX without previous INV message, latencies normally distributed with μ = 100 ms and σ = 50 ms 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Agenda Introduction Basics Exploit Transaction Accumulation Exploit Dropping of Double Spends Conclusion 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Exploiting Dropping of Double Spends Remember: Transaction is dropped if it is spending already spent coins Procedure Connect adversary to target and all reachable peers Create transactions ti Individually for each peer All ti spend the same coins Send ti to all peers except target Wait for target to send transaction Transaction received from target discloses neighbor of target False Positives Peer receives transaction from adversary too late Neighbor is not reachable for adversary 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Analysis of „Double Spend“-Approach Simulation Setup 500 peers in network Simplified implementation of forwarding behavior Precision up to 98.1% ⇒ Approach can be used to disclose one neighbor of a specific peer! Repeat to find more neighbors Variant Suppress Prevent repeatedly finding the same neighbor Variant Ignore Ignore repetition on indication that assumptions were violated Attacker connected peers Precision 25 % 54.4 % 50 % 75.7 % 75 % 89.1 % 100 % 98.1 % TODO: Varianten nur erklären, wenn genug Zeit TODO: In Tabelle besser absolute Zahlen? Simplified implementation Send TX without previous INV message, latencies normally distributed with μ = 100 ms and σ = 50 ms Simulation setup 2000 random networks 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

„Double Spend“-Approach with repetitions Experiments in testnet Validation by 30 attacks on own peers (each having eight neighbors) Cost of 99 transactions fees per attack Different methods to analyze data Recall of 60 % with precision of 97 % Recall of 85 % with precision of 74 % Recall of 60 %: 60 % of neighbors have been detected 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

Conclusion Exploit accumulation of transactions Detection of unpredictable connections Cost: low when using variant DS3 Countermeasure: change accumulation implementation Exploit dropping of double spends Detection of connections of specific target Cost: low, good experimental results Countermeasure: not trivial without opening attack surface for DoS attacks Future work Optimization of these approaches Use multiple monitors Include timing information Reduce cost Develop similar approaches Can these approaches be used to infer the topology of the testnet? 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference Prof. Dr. Hannes Hartenstein | DSN Research Group

References [1] Andrew Miller, James Litton, Andrew Pachulski, Neal Gupta, Dave Levin, Neil Spring, and Bobby Bhattacharjee. Discovering bitcoin’s public topology and influential nodes. 2015. [2] T. Neudecker, P. Andelfinger, and H. Hartenstein. Timing analysis for inferring the topology of the bitcoin peer-to-peer network. July 2016. [3] Ethan Heilman et al. “Eclipse Attacks on Bitcoin’s Peer-to-peer Network”. In: Proceedings of the 24th USENIX Conference on Security Symposium. SEC’15. Washington, D.C.: USENIX Association, 2015, pp. 129–144. [4] Giulia C. Fanti and Pramod Viswanath. “Anonymity Properties of the Bitcoin P2P Network”. In: CoRR abs/1703.08761 (2017). 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Backup 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Motivation Attacks become easier with topology information Eclipse attacks [3] Deanonymization [4] 0-confirmation double spends 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Topology Inference Goal: Obtain information about topology of the Bitcoin network Distribution of node degrees Structure of network Are two peers directly connected to each other? Why? Scientific interest Attacks become easier with topology information Eclipse attacks [3] Deanonymization [4] Model for attacker Small number of peers Creates transactions, but needs to pay fees Can connect to all reachable peers and estimate latencies No knowledge of network (like ISP) 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

“Double Spends” – False Positives Peer receives transaction from attacker too late Neighbor is not reachable for attacker 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

„Double Spend“-Variants Variant: Suppress Prevent finding already known neighbors Idea: Create and send… … transactions ti using input i1 … transaction for target using input i2 … transactions for already known neighbors using input i1 and i2 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

„Double Spend“-Variants Variant: Suppress Prevent finding already known neighbors Idea: Create and send… … transactions ti using input i1 … transaction for target using input i2 … transactions for already known neighbors using input i1 and i2 Variant: Ignore Increase precision Idea: If another peer sends the transaction forwarded by the target, ignore this run, because something didn‘t work as expected 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Simulation of „Double Spend“-Approach Setup of simulation: 500 peers in network Simplified implementation of forwarding behavior Send TX without previous INV message, latencies normally distributed with μ = 100 ms and σ = 50 ms 2000 random networks Results for detection of one neighbor: Attacker connected peers True Positives False Positives 125 54,4 % 45,6 % 250 75,7 % 24,3 % 375 89,1 % 10,9 % 500 98,1 % 1,9 % 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Transaction Accumulation – Network Size Detection results scales with network size Simulation of default version, connected to half of the peers in the network 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

Accumulation Results in Testnet Direct connections Sum Unique Validatable Correct (a) Measured latencies, no double spends 49 44 1 (b) Bitcoin latencies, no double spends 58 (c) Measured latencies, three inputs 128 116 3 (d) Measured latencies, three inputs 115 2 (e) Shuffled, three inputs 67 65 (f) Measured latencies, ten inputs 98 86 (g) Measured latencies, three inputs (100) 1241 883 6 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

„Double-Spend“ Comparison of fully and half connected, simulation with 500 peers Fully connected, variants Suppress and Suppress + Ignore 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference

„Double-Spend“ – Variant Count Fully connected, simulation of network of 500 peers 1/14/2019 Exploiting Transaction Accumulation and Double Spends for Topology Inference