Fix embargo timeout in dandelion++ #9295
base: master
Conversation
I should also mention that this does mean that, in unlucky cases where a blackhole occurs after just one hop, it could result in longer delays than with a poisson distribution (where the overwhelming number of values are around 39s).
This does bring up an interesting point: using the exponential distribution could make it easier to estimate how many hops the transaction did before it reached the black hole. If the attacker keeps track of the time it receives a tx, and the time it takes for the tx to be broadcasted, then it could calculate the probability of that happening for different amounts of hops. For example, if the tx gets blackholed after one hop then the average time for that tx to get diffused is 75s, whereas a tx that makes it 9 hops will have an average time of 8.3s, so if the tx takes 300s to get diffused then we can say that it is much more likely to happen with 1 hop than 9. The paper seemingly doesn't mention this.

Fallout

The problem with using the poisson distribution is that it is not memoryless, so nodes earlier in the stem phase are slightly more likely to fluff first under a black hole attack. How much more likely? I don't know exactly, but just off the top of my head I can't imagine it being significant.

Fluff Timers

I feel 1 second is too low; although the previous was 5 seconds, it was 2.5 for outgoing connections:
I'm wondering whether my parameters are too high - we previously lowered the parameters so that the diffusion came quicker. Should I do the same here? The worst case scenario is more likely and longer than the existing poisson method.
This doesn't reveal the origin IP address though. So I think it's still better to go with the paper here.
Poisson distribution is also considered memoryless - but it may have different properties making it less suitable.
Revert back to 5 seconds? I didn't want to overlap with the blackhole timeout.
In the past we had a lot of sybil nodes that were intentionally blackholing transactions; a significantly longer average time to diffusion would be bad for user experience. I don't know if these sybil nodes are still there.
I think so, especially if we have had problems with black holes in the past. If we were to choose a time for which we would want a chosen percentage of txs to be fluffed under, if they were to be immediately black holed, we could find the highest For example if we were to say we want 90% of txs to be fluffed under 60s with I think we could get away with With
True, just wanted to mention.
The time between events in a Poisson process is memoryless, it can be modeled with the exponential distribution, but I don't think the Poisson distribution itself is memoryless.
I think so; I don't think overlapping is too big a concern due to how variable the output of the exponential distribution is.
New force push has the parameters recommended by @Boog900. I'm a little worried the new timeout may not be aggressive enough, but I'm leaning towards it being acceptable.
We could go lower but 8 should be fine, more numbers: Txs fluffed under 180s when immediately black holed:
This means if an attacker managed to black hole every transaction immediately with
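To make the numbers in this thread reproducible (75s per-node exponential mean giving ~75s for a 1-hop black hole and ~8.3s for 9 hops, and the "txs fluffed under X seconds when immediately black holed" metric used to pick the parameters), here is an added worked example. It is not Monero's code and not part of this PR; it assumes the simple model that after k stem hops, k nodes each hold the tx with an independent embargo timer and the tx is fluffed when the first timer fires. The function names, the 75s exponential mean and the 39s Poisson mean are taken from the discussion above, everything else is assumed for illustration.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <limits>
#include <random>

// Assumed model (illustration, not Monero's implementation): after `hops` stem
// hops, `hops` nodes each hold the transaction and run an independent embargo
// timer. The transaction is fluffed when the first timer fires. Times in seconds.

// Exponential embargo (the paper's choice, mean = 1/rate). The minimum of k
// independent Exp(rate) timers is Exp(k * rate), so the mean time until the
// first fluff is mean / k: 75s for 1 hop, 75/9 = 8.33s for 9 hops.
double exp_mean_time_to_fluff(double mean_embargo_s, int hops) {
    return mean_embargo_s / hops;
}

// P(fluffed within t seconds | black-holed after `hops` hops) = 1 - exp(-hops*t/mean).
double exp_prob_fluffed_within(double mean_embargo_s, int hops, double t_s) {
    return 1.0 - std::exp(-hops * t_s / mean_embargo_s);
}

// Poisson embargo (the behaviour this PR replaces): a Poisson(mean) timer takes
// only integer values, so P(timer > t) = 1 - CDF(floor(t)).
double poisson_cdf(double mean, int k) {
    double term = std::exp(-mean);   // i = 0 term: e^-m * m^0 / 0!
    double sum = term;
    for (int i = 1; i <= k; ++i) {
        term *= mean / i;            // e^-m * m^i / i! from the previous term
        sum += term;
    }
    return std::min(sum, 1.0);
}

double poisson_prob_fluffed_within(double mean_embargo_s, int hops, double t_s) {
    double pending = 1.0 - poisson_cdf(mean_embargo_s, static_cast<int>(std::floor(t_s)));
    return 1.0 - std::pow(pending, hops);  // fluffed unless all `hops` timers are still pending
}

// Monte Carlo check of the exponential closed form, drawing timers the way a
// node would with std::exponential_distribution (rate = 1 / mean).
double exp_simulated_fraction_within(double mean_embargo_s, int hops, double t_s,
                                     unsigned trials, unsigned seed = 7) {
    std::mt19937 rng(seed);
    std::exponential_distribution<double> embargo(1.0 / mean_embargo_s);
    unsigned fluffed = 0;
    for (unsigned i = 0; i < trials; ++i) {
        double first = std::numeric_limits<double>::infinity();
        for (int h = 0; h < hops; ++h) first = std::min(first, embargo(rng));
        if (first <= t_s) ++fluffed;
    }
    return static_cast<double>(fluffed) / trials;
}

int main() {
    const double exp_mean = 75.0;      // per-node exponential mean quoted in the thread
    const double poisson_mean = 39.0;  // previous Poisson mean quoted in the summary
    const int hop_counts[] = {1, 9};
    const double deadlines[] = {30.0, 60.0, 180.0, 300.0};
    for (int hops : hop_counts) {
        std::printf("hops=%d  mean time to fluff (exp) = %.1fs\n",
                    hops, exp_mean_time_to_fluff(exp_mean, hops));
        for (double t : deadlines) {
            std::printf("  P(fluffed < %3.0fs): exp %.3f (sim %.3f)  poisson %.3f\n", t,
                        exp_prob_fluffed_within(exp_mean, hops, t),
                        exp_simulated_fraction_within(exp_mean, hops, t, 20000),
                        poisson_prob_fluffed_within(poisson_mean, hops, t));
        }
    }
    return 0;
}
```

The closed forms are what you would use to choose the mean: fix the percentage of txs that must be fluffed within a deadline under an immediate (1-hop) black hole, and solve 1 - exp(-t/mean) for the mean. The Poisson column shows why the old timer concentrated fluff times near 39s regardless of hop count, while the exponential column shows the hop-dependent spread discussed above.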
Summary
@Boog900 pointed out that the embargo duration in Dandelion++ was incorrect - it was using poisson distribution instead of exponential distribution. I don't recall why I used poisson distribution, other than it takes an "average" parameter, which I took to mean the average embargo timeout. This is not the same distribution as meant in the Dandelion++ paper.
The primary difference is that the average embargo timeout will drop from ~39s to ~7s. There shouldn't be any loss in privacy as a result of this, because the propagation time to 10 nodes is roughly 1.75s.
Additionally @Boog900 discovered that the paper stated "log" but almost certainly meant "ln" (which helps bring down the average fluff time too).
Fluff probability
Is once again 10%, which should result in longer stem phases. Since the distribution is now much shorter for the embargo timeout, this shouldn't result in longer flood times.
Fallout
I'm not aware of any fingerprinting that can be done on the existing implementation. The randomized duration should still make it difficult to determine which node in the stem-set fluffed first. Perhaps @Boog900 can share some thoughts on this topic.
Fluff Timers
I reduced the average poisson distribution for fluff delay from 5s to 1s. This is an arbitrary change, but was made due to the new reality of much shorter embargo timeouts. @Boog900 thoughts on this portion of the code? Dandelion++ doesn't really specify a randomized flush interval for fluff mode, this comes from inspecting the Bitcoin code.
Poisson Distribution
Poisson is still being used in a few places, but I am not aware of any issues right now. I will dig deeper to see if these need changing:
I'm not aware of these timers violating the Dandelion++ paper (again read above about fluff timers).
Future
I expect some feedback from @Boog900 and possibly others as to the additional changes that need to be made.