
Re: [tor-talk] Bitcoin over Tor isn't a good idea (Alex Biryukov / Ivan Pustogarov story)

Øyvind Saether:
> http://arxiv.org/pdf/1410.6079v1.pdf
> "Abstract
> Bitcoin is a decentralized P2P digital currency in which coins are
> generated by a distributed set of miners and transaction are
> broadcasted via a peer-to-peer network. While Bitcoin provides some
> level of anonymity (or rather pseudonymity) by encouraging the users to
> have any number of random-looking Bitcoin addresses, recent research
> shows that this level of anonymity is rather low. This encourages users
> to connect to the Bitcoin network through anonymizers like Tor and
> motivates development of default Tor functionality for popular mobile
> SPV clients. In this paper we show that combining Tor and Bitcoin
> creates an attack vector for the deterministic and stealthy
> man-in-the-middle attacks. A low-resource attacker can gain full
> control of information flows between all users who chose to use Bitcoin
> over Tor. In particular the attacker can link together user's
> transactions regardless of pseudonyms used, control which Bitcoin
> blocks and transactions are relayed to the user and can delay or
> discard user's transactions and blocks. In collusion with a powerful
> miner double-spending attacks become possible and a totally virtual
> Bitcoin reality can be created for such set of users."
> Interesting quote:
> "Combining it with some peculiarities of how Tor handles data streams a
> stealthy and low-resource attacker with just 1-3% of overall Tor Exit
> bandwidth capacity and 1000-1500 cheap lightweight Bitcoin peers (for
> example, a small Botnet) can force all Bitcoin Tor traffic to go either
> through her Exit nodes or through her peers. This opens numerous attack
> vectors."
> a) Does this paper hold water? b) What is the price of 1-3% of all Tor
> Exit capacity and "1000-1500 cheap lightweight" Bitcoin peers?

I skimmed this paper this morning, and the crux of the attack is the
interplay of the Bitcoin DoS protection mechanisms and the limited
supply of Tor Exit IPs.

Basically, you cause most Bitcoin peers to end up deciding to ban all
Tor Exit IPs except your exits, and then you are able to observe all
Tor+Bitcoin users, and maybe even feed them divergent versions of the
blockchain (assuming you can muster enough proof of work to hit the
difficulty), or easier still: hide certain unconfirmed transactions. The
amount of capacity you have basically governs how quickly you can expect
clients to converge on your exit (after failing with all the other

The paper also points out that some Bitcoin clients were hoping to use
Tor to obtain multiple network perspectives on unconfirmed transactions,
to provide additional confidence that you can accept an unconfirmed
transaction before it hits the blockchain. Obviously, if you are able to
control exits used for this, you can fool such clients into accepting

Personally, I think Bitcoin clients are still much better off
double-checking transactions via Tor than trusting only the local wifi
network, especially for accepting quick, unconfirmed transactions. But
it is useful to know that a naive "dude, just shove it through Tor,
man!" solution to this problem is not the best one.

The countermeasures section at the end is pretty good, though. In
addition to either tweaking or disabling the IP-based rate limiting for
Tor nodes, they also recommend encrypting bitcoin peer protocol traffic
(hard, but should probably be done for lots of reasons), or making use
of Bitcoin peers who also have Tor hidden service addresses available
(easy, and the paper provides a list of these that were found to exist
already in the wild).

One can also imagine that such bitcoin clients could also use a Tor
control port library to enforce that they actually are able to use a
certain number of independent exit families without failure, too. This
was not suggested, but it is possible.

It struck me as a notable work with respect to Tor because it is yet
another (surprising) area where having some kind of anonymous credential
system for proof of sacrifice/scarcity could benefit not only Tor users,
but also the rest of the Internet as well. It is also interesting
because right now, the naive proposal people often make for such systems
is "dude, just use Bitcoin, man!", but clearly we now have a catch-22
here (in addition to the privacy issues with Bitcoin).

Mike Perry
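
The check suggested in the message above (requiring success through a certain number of independent exit families), sketched as an added example that is not part of the original message or of any Bitcoin client. The relay records are constructed; a real client would read them from the Tor control port. As an assumption modelled on Tor's path-selection rules, two exits count as related when they declare each other as family or share an IPv4 /16.

```python
from ipaddress import ip_address

# Constructed sample: exits a client tried, with declared family
# fingerprints and whether the Bitcoin connection through them worked.
ATTEMPTS = [
    {"fp": "A1", "ip": "192.0.2.10",   "family": {"A2"}, "ok": True},
    {"fp": "A2", "ip": "198.51.100.7", "family": {"A1"}, "ok": True},
    {"fp": "A3", "ip": "192.0.2.99",   "family": set(),  "ok": True},
    {"fp": "B1", "ip": "203.0.113.5",  "family": {"A1"}, "ok": False},
    {"fp": "C1", "ip": "203.0.113.77", "family": set(),  "ok": False},
]

def slash16(ip):
    """Top 16 bits of an IPv4 address (this example handles IPv4 only)."""
    return int(ip_address(ip)) >> 16

def group_families(relays):
    """Union-find: merge relays on mutual family declaration or shared /16."""
    parent = {r["fp"]: r["fp"] for r in relays}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a in relays:
        for b in relays:
            # A one-sided declaration (B1 naming A1) does not create a family.
            mutual = b["fp"] in a["family"] and a["fp"] in b["family"]
            if mutual or slash16(a["ip"]) == slash16(b["ip"]):
                parent[find(a["fp"])] = find(b["fp"])
    return {fp: find(fp) for fp in parent}

def working_families(attempts):
    """Number of independent exit families with at least one success."""
    groups = group_families(attempts)
    return len({groups[a["fp"]] for a in attempts if a["ok"]})

def enough_perspectives(attempts, minimum=3):
    """False when successes converge on too few independent families."""
    return working_families(attempts) >= minimum

if __name__ == "__main__":
    print(working_families(ATTEMPTS), enough_perspectives(ATTEMPTS))
```

In the constructed sample, three exits succeed but all collapse into one family, so the client would decline to treat them as independent views of the network.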
