diff --git a/standards/application/dandelion.md b/standards/application/dandelion.md index 42aa53d..edab1cb 100644 --- a/standards/application/dandelion.md +++ b/standards/application/dandelion.md @@ -21,8 +21,8 @@ instead of disseminating messages as per usual relay operation. ## Background and Motivation -[Waku Relay](https://rfc.vac.dev/spec/11/), offers privacy, pseudonymity, and a first layer of anonymity protection by design. -Being a modular protocol family [Waku v2](https://rfc.vac.dev/spec/10/) +[Waku Relay](https://rfc.vac.dev/waku/standards/core/11/relay), offers privacy, pseudonymity, and a first layer of anonymity protection by design. +Being a modular protocol family [Waku v2](https://rfc.vac.dev/waku/standards/core/10/waku2) offers features that inherently carry trade-offs as separate building blocks. Anonymity protection is such a feature. The [Anonymity Trilemma](https://freedom.cs.purdue.edu/projects/trilemma.html) @@ -30,9 +30,9 @@ states that an anonymous communication network can only have two out of low bandwidth consumption, low latency, and strong anonymity. Even when choosing low bandwidth and low latency, which is the trade-off that basic Waku Relay takes, better anonymity properties (even though not strong per definition) can be achieved by sacrificing some of the efficiency properties. -44/WAKU2-DANDELION specifies one such technique, and aims at gaining the best "bang for the buck" +WAKU2-DANDELION specifies one such technique, and aims at gaining the best "bang for the buck" in terms of efficiency paid for anonymity gain. -44/WAKU2-DANDELION is based on [Dandelion](https://arxiv.org/abs/1701.04439) +WAKU2-DANDELION is based on [Dandelion](https://arxiv.org/abs/1701.04439) and [Dandelion++](https://arxiv.org/abs/1805.11060). Dandelion is a message spreading method, which, compared to other methods, @@ -61,11 +61,11 @@ Further information on Waku anonymity may be found in our [Waku Privacy and Anon ## Theory and Functioning -44/WAKU2-DANDELION can be seen as an anonymity enhancing add-on to [Waku Relay](https://rfc.vac.dev/spec/11/) message dissemination, +WAKU2-DANDELION can be seen as an anonymity enhancing add-on to [Waku Relay](https://rfc.vac.dev/waku/standards/core/11/relay) message dissemination, which is based on [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md). -44/WAKU2-DANDELION subdivides message dissemination into a "stem" and a "fluff" phase. +WAKU2-DANDELION subdivides message dissemination into a "stem" and a "fluff" phase. This specification is mainly concerned with specifying the stem phase. -The fluff phase corresponds to [Waku Relay](https://rfc.vac.dev/spec/11/), +The fluff phase corresponds to [Waku Relay](https://rfc.vac.dev/waku/standards/core/11/relay), with optional fluff phase augmentations such as random delays. Adding random delay in the fluff phase further reduces symmetry in dissemination patterns and introduces more uncertainty for the attacker. @@ -78,7 +78,7 @@ The Dandelion stem and fluff phases instantiate these concepts. Future stem specifications might comprise: none (standard relay), Dandelion stem, Tor, and mix-net. As for future fluff specifications: none (standard relay), diffusion (random delays), and mix-net._ -Messages relayed by nodes supporting 44/WAKU2-DANDELION are either in stem phase or in fluff phase. +Messages relayed by nodes supporting WAKU2-DANDELION are either in stem phase or in fluff phase. We refer to the former as a stem message and to the latter as a fluff message. A message starts in stem phase, and at some point, transitions to fluff phase. Nodes, on the other hand, are in stem state or fluff state. @@ -92,14 +92,14 @@ are always sent as stem messages. The stem phase can be seen as a different protocol, and messages are introduced into Waku Relay, and by extension gossipsub, once they arrive at a node in fluff state for the first time. -44/WAKU2-DANDELION uses [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) as the protocol for relaying stem messages. +WAKU2-DANDELION uses [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) as the protocol for relaying stem messages. There are no negative effects on gossipsub peer scoring, because Dandelion nodes in _stem state_ still normally relay Waku Relay (gossipsub) messages. ## Specification -Nodes $v$ supporting 44/WAKU2-DANDELION MUST either be in stem state or in fluff state. +Nodes $v$ supporting WAKU2-DANDELION MUST either be in stem state or in fluff state. This does not include relaying messages originated in $v$, for which $v$ SHOULD always be in stem state. ### Choosing the State @@ -114,18 +114,18 @@ corresponding to 10 minute epochs. ### Stem State On entering stem state, -nodes supporting 44/WAKU2-DANDELION MUST randomly select two nodes for each pubsub topic from the respective gossipsub mesh node set. +nodes supporting WAKU2-DANDELION MUST randomly select two nodes for each pubsub topic from the respective gossipsub mesh node set. These nodes are referred to as stem relays. -Stem relays MUST support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/). -If a chosen peer does not support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/), +Stem relays MUST support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush). +If a chosen peer does not support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush), the node SHOULD switch to fluff state. (We may update this strategy in future versions of this document.) Further, the node establishes a map that maps each incoming stem connection to one of its stem relays chosen at random (but fixed per epoch). Incoming stem connections are identified by the [Peer IDs](https://docs.libp2p.io/concepts/peers/#peer-id/) -of peers the node receives [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) messages from. -Incoming [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) connections from peers that do not support 44/WAKU2-DANDELION are identified and mapped in the same way. +of peers the node receives [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) messages from. +Incoming [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) connections from peers that do not support WAKU2-DANDELION are identified and mapped in the same way. This makes the protocol simpler, increases the anonymity set, and offers Dandelion anonymity properties to such peers, too. The node itself is mapped in the same way, so that all messages originated by the node are relayed via a per-epoch-fixed Dandelion relay, too. @@ -133,7 +133,7 @@ The node itself is mapped in the same way, so that all messages originated by th While in stem state, nodes MUST relay stem messages to the respective stem relay. Received fluff messages MUST be relayed as specified in the fluff state section. -The stem protocol ([19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/)) is independent of the fluff protocol ([Waku Relay](https://rfc.vac.dev/spec/11/)). +The stem protocol ([19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush)) is independent of the fluff protocol ([Waku Relay](https://rfc.vac.dev/waku/standards/core/11/relay)). While in stem state, nodes MUST NOT gossip about stem messages, and MUST NOT send control messages related to stem messages. (An existing gossipsub implementation does _not_ have to be adjusted to not send gossip about stem messages, @@ -161,7 +161,7 @@ this regular forwarding already comprises random delays. ## Implementation Notes -Handling of the 44/WAKU2-DANDELION stem phase can be implemented as an extension to an existing [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) implementation. +Handling of the WAKU2-DANDELION stem phase can be implemented as an extension to an existing [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) implementation. Fluff phase augmentations might alter gossipsub message dissemination (e.g. adding random delays). If this is the case, they have to be implemented on the libp2p gossipsub layer. @@ -182,22 +182,22 @@ The fail-safe mechanism specified in this document (proposed in the Dandelion pa #### Attacker Model and Anonymity Goals -44/WAKU2-DANDELION provides significant mitigation against mass deanonymization in the +WAKU2-DANDELION provides significant mitigation against mass deanonymization in the passive [scaling multi node model](../../informational/adversarial-models.md/#scaling-multi-node). in which the attacker controls a certain percentage of nodes in the network. -44/WAKU2-DANDELION provides significant mitigation against mass deanonymization +WAKU2-DANDELION provides significant mitigation against mass deanonymization even if the attacker knows the network topology, i.e. the anonymity graph and the relay mesh graph. Mitigation in stronger models, including the _active scaling multi-node_ model, is weak. We will elaborate on this in future versions of this document. -44/WAKU2-DANDELION does not protect against targeted deanonymization attacks. +WAKU2-DANDELION does not protect against targeted deanonymization attacks. #### Non-Dandelion Peers Stem relays receiving messages can either be in stem state or in fluff state themselves. -They might also not support 44/WAKU2-DANDELION, -and interpret the message as classical [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/), +They might also not support WAKU2-DANDELION, +and interpret the message as classical [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush), which effectively makes them act as fluff state relays. While such peers lower the overall anonymity properties, the [Dandelion++ paper](https://arxiv.org/abs/1805.11060) @@ -218,7 +218,7 @@ Generally, there are several design choices to be made for the stem phase of a D #### Bound Stem Length -Choosing $q = 0.2$, 44/WAKU2-DANDELION has an expected stem length of 5 hops, +Choosing $q = 0.2$, WAKU2-DANDELION has an expected stem length of 5 hops, Assuming $100ms$ added delay per hop, the stem phase adds around 500ms delay on average. There is a possibility for the stem to grow longer, @@ -233,10 +233,10 @@ We will quantify the resulting loss of anonymity in future versions of this docu #### Stem Relay Selection -In its current version, 44/WAKU2-DANDELION nodes default to fluff state -if the random stem relay selection yields at least one peer that does not support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) (which is the stem protocol used in [44/WAKU2-DANDELION](https://rfc.vac.dev/spec/44/). -If nodes would reselect peers until they find peers supporting [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/), -malicious nodes would get an advantage if a significant number of honest nodes would not support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19). +In its current version, WAKU2-DANDELION nodes default to fluff state +if the random stem relay selection yields at least one peer that does not support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) (which is the stem protocol used in WAKU2-DANDELION. +If nodes would reselect peers until they find peers supporting [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush), +malicious nodes would get an advantage if a significant number of honest nodes would not support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush). Even though this causes messages to enter fluff phase earlier, we choose the trade-off in favour of protocol stability and sacrifice a bit of anonymity. (We will look into improving this in future versions of this document.) @@ -245,7 +245,7 @@ we choose the trade-off in favour of protocol stability and sacrifice a bit of a [Dandelion](https://arxiv.org/abs/1701.04439) and [Dandelion++](https://arxiv.org/abs/1805.11060) assume adding random delays in the fluff phase as they build on Bitcoin diffusion. -44/WAKU2-DANDELION (in its current state) allows for zero delay in the fluff phase and outsources fluff augmentations to dedicated specifications. +WAKU2-DANDELION (in its current state) allows for zero delay in the fluff phase and outsources fluff augmentations to dedicated specifications. While this lowers anonymity properties, it allows making Dandelion an opt-in solution in a given network. Nodes that do not want to use Dandelion do not experience any latency increase. We will quantify and analyse this in future versions of this specification. @@ -254,7 +254,7 @@ We plan to add a separate fluff augmentation specification that will introduce r Optimal delay times depend on the message frequency and patterns. This delay fluff augmentation specification will be oblivious to the actual message content, because Waku Dandelion specifications add anonymity on the routing layer. -Still, it is important to note that [Waku2 messages](https://rfc.vac.dev/spec/14/#payloads) (in their current version) carry an originator timestamp, +Still, it is important to note that [Waku2 messages](https://rfc.vac.dev/waku/standards/core/14/message/#payloads) (in their current version) carry an originator timestamp, which works against fluff phase random delays. An analysis of the benefits of this timestamp versus anonymity risks is on our roadmap. @@ -266,15 +266,15 @@ Note: Introducing random delays can have a negative effect on #### Stem Flag -While 44/WAKU2-DANDELION without fluff augmentation does not effect Waku Relay nodes, -messages sent by nodes that only support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) might be routed through a Dandelion stem without them knowing. +While WAKU2-DANDELION without fluff augmentation does not effect Waku Relay nodes, +messages sent by nodes that only support [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) might be routed through a Dandelion stem without them knowing. While this improves anonymity, as discussed above, it also introduces additional latency and lightpush nodes cannot opt out of this. In future versions of this specification we might -- add a flag to [14/WAKU2-MESSAGE](https://rfc.vac.dev/spec/14/) indicating a message should be routed over a Dandelion stem (opt-in), or -- add a flag to [14/WAKU2-MESSAGE](https://rfc.vac.dev/spec/14/) indicating a message should _not_ be routed over a Dandelion stem (opt-out), or -- introducing a fork of [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/spec/19/) exclusively used for Dandelion stem. +- add a flag to [14/WAKU2-MESSAGE](https://rfc.vac.dev/waku/standards/core/14/message) indicating a message should be routed over a Dandelion stem (opt-in), or +- add a flag to [14/WAKU2-MESSAGE](https://rfc.vac.dev/waku/standards/core/14/message) indicating a message should _not_ be routed over a Dandelion stem (opt-out), or +- introducing a fork of [19/WAKU2-LIGHTPUSH](https://rfc.vac.dev/waku/standards/core/19/lightpush) exclusively used for Dandelion stem. In the current version, we decided against these options in favour of a simpler protocol and an increased anonymity set. @@ -287,11 +287,11 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public - [Dandelion](https://arxiv.org/abs/1701.04439) - [Dandelion++](https://arxiv.org/abs/1805.11060) - [multi-node (botnet) attacker model](../../informational/adversarial-models.md/#multi-node) -- [Waku Relay](https://rfc.vac.dev/spec/11/) -- [Waku v2](https://rfc.vac.dev/spec/10/) +- [Waku Relay](https://rfc.vac.dev/waku/standards/core/11/relay) +- [Waku v2](https://rfc.vac.dev/waku/standards/core/10/waku2) - [d-regular graph](https://en.wikipedia.org/wiki/Regular_graph) - [Anonymity Trilemma](https://freedom.cs.purdue.edu/projects/trilemma.html) - [Waku Privacy and Anonymity Analysis](https://vac.dev/wakuv2-relay-anon). - [On the Anonymity of Peer-To-Peer Network Anonymity Schemes Used by Cryptocurrencies](https://arxiv.org/pdf/2201.11860.pdf) -- [Adversarial Models](https://rfc.vac.dev/spec/45/) -- [14/WAKU2-MESSAGE](https://rfc.vac.dev/spec/14/) +- [Adversarial Models](../../informational/adversarial-models.md) +- [14/WAKU2-MESSAGE](https://rfc.vac.dev/waku/standards/core/14/message)