Note: Gossipsub Tor Push does not have a dedicated protocol identifier. It uses the same identifier as gossipsub and works with all pubsub based protocols. This allows nodes that are oblivious to Tor Push to process messages received via Tor Push.">
Note: Gossipsub Tor Push does not have a dedicated protocol identifier. It uses the same identifier as gossipsub and works with all pubsub based protocols. This allows nodes that are oblivious to Tor Push to process messages received via Tor Push." />
<p>A possible design of an anonymity extension to gossipsub is pushing messages through an anonymization network before they enter the gossipsub network.
<ahref="https://www.torproject.org/">Tor</a> is currently the largest anonymization network.
It is well researched and works reliably.
Basing our solution on Tor both inherits existing security research, as well as allows for a quick deployment.</p>
<p>Using the anonymization network approach, even the first gossipsub node that relays a given message cannot link the message to its sender (within a relatively strong adversarial model).
Taking the low bandwidth overhead and the low latency overhead into consideration, Tor offers very good anonymity properties.</p>
<p>Tor Push allows nodes to push messages over Tor into the gossipsub network.
The approach specified in this document is fully backwards compatible.
Gossipsub nodes that do not support Tor Push can receive and relay Tor Push messages,
because Tor Push uses the same Protocol ID as gossipsub.</p>
<p>Messages are sent over Tor via <ahref="https://www.rfc-editor.org/rfc/rfc1928">SOCKS5</a>.
Tor Push uses a dedicated libp2p context to prevent information leakage.
To significantly increase resilience and mitigate circuit failures,
Tor Push establishes several connections, each to a different randomly selected gossipsub node.</p>
<h1id="specification">
Specification
<aclass="anchor"href="#specification">#</a>
</h1>
<p>This section specifies the format of Tor Push messages, as well as how Tor Push messages are received and sent, respectively.</p>
<h2id="wire-format">
Wire Format
<aclass="anchor"href="#wire-format">#</a>
</h2>
<p>The wire format of a Tor Push message corresponds verbatim to a typical <ahref="https://github.com/libp2p/specs/tree/master/pubsub#the-message">libp2p pubsub message</a>.</p>
<p>In the following, we refer to nodes sending Tor Push messages as Tp-nodes (Tor Push nodes).</p>
<p>Tp-nodes MUST setup a separate libp2p context, i.e. <ahref="https://docs.libp2p.io/concepts/multiplex/switch/">libp2p switch</a>,
which MUST NOT be used for any purpose other than Tor Push.
We refer to this context as Tp-context.
The Tp-context MUST NOT share any data, e.g. peer lists, with the default context.</p>
<p>Tp-peers are peers a Tp-node plans to send Tp-messages to.
Tp-peers MUST support <code>/meshsub/1.1.0</code>.
For retrieving Tp-peers, Tp-nodes SHOULD use an ambient peer discovery method that retrieves a random peer sample (from the set of all peers), e.g. <ahref="/spec/33/">33/WAKU2-DISCV5</a>.</p>
<p>Tp-nodes MUST establish a connection as described in sub-section <ahref="#connection-establishment">Tor Push Connection Establishment</a> to at least one Tp-peer.
To significantly increase resilience, Tp-nodes SHOULD establish Tp-connections to <code>D</code> peers,
where <code>D</code> is the <ahref="https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.0.md#parameters">desired gossipsub out-degree</a>,
with a default value of <code>8</code>.</p>
<p>Each Tp-message MUST be sent via the Tp-context over at least one Tp-connection.
To increase resilience, Tp-messages SHOULD be sent via the Tp-context over all available Tp-connections.</p>
<p>Control messages of any kind, e.g. gossipsub graft, MUST NOT be sent via Tor Push.</p>
<p>Tp-nodes establish a <code>/meshsub/1.1.0</code> connection to tp-peers via <ahref="https://www.rfc-editor.org/rfc/rfc1928">SOCKS5</a> over <ahref="https://www.torproject.org/">Tor</a>.</p>
<p>Establishing connections, which in turn establishes the respective Tor circuits, can be done ahead of time.</p>
<h3id="epochs">
Epochs
<aclass="anchor"href="#epochs">#</a>
</h3>
<p>Tor Push introduces epochs.
The default epoch duration is 10 minutes.
(We might adjust this default value based on experiments and evaluation in future versions of this document.
It seems a good trade-off between traceablity and circuit building overhead.)</p>
<p>For each epoch, the Tp-context SHOULD be refreshed, which includes</p>
<ul>
<li>libp2p peer-ID</li>
<li>Tp-peer list</li>
<li>connections to Tp-peers</li>
</ul>
<p>Both Tp-peer selection for the next epoch and establishing connections to the newly selected peers SHOULD be done during the current epoch
and be completed before the new epoch starts.
This avoids adding latency to message transmission.</p>
<p>Without sophisticated rate limiting (for example using <ahref="/spec/17">17/WAKU2-RLN-RELAY</a>),
attackers can spam the gossipsub network.
It is not enough to just block peers that send too many messages,
because these messages might actually come from a Tor exit node that many honest Tp-nodes use.
Without Tor Push, protocols on top of gossipsub could block peers if they exceed a certain message rate.
With Tor Push, this would allow the reputation-based DoS attack described in
<ahref="https://ieeexplore.ieee.org/abstract/document/7163022">Bitcoin over Tor isn’t a Good Idea</a>.</p>
<h3id="peer-discovery">
Peer Discovery
<aclass="anchor"href="#peer-discovery">#</a>
</h3>
<p>The discovery mechanism could be abused to link requesting nodes to their Tor connections to discovered nodes.
An attacker that controls both the node that responds to a discovery query,
and the node who’s ENR the response contains,
can link the requester to a Tor connection that is expected to be opened to the node represented by the returned ENR soon after.</p>
<p>Further, the discovery mechanism (e.g. discv5) could be abused to distribute disproportionately many malicious nodes.
For instance if p% of the nodes in the network are malicious,
an attacker could manipulate the discovery to return malicious nodes with 2p% probability.
The discovery mechanism needs to be resilient against this attack.</p>
<h2id="roll-out-phase">
Roll-out Phase
<aclass="anchor"href="#roll-out-phase">#</a>
</h2>
<p>During the roll-out phase of Tor Push, during which only a few nodes use Tor Push,
attackers can narrow down the senders of Tor messages to the set of gossipsub nodes that do not originate messages.
Nodes who want anonymity guarantees even during the roll-out phase can use separate network interfaces for their default context and Tp-context, respectively.
For the best protection, these contexts should run on separate physical machines.</p>
<h1id="copyright">
Copyright
<aclass="anchor"href="#copyright">#</a>
</h1>
<p>Copyright and related rights waived via <ahref="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>.</p>