For almost 15 years, all communication between nodes on the Bitcoin community was transmitted fully within the clear, with none encryption. That modified in 2024 with the adoption of BIP 324, which launched the “v2” transport protocol for communication between nodes. This new protocol options opportunistic encryption, making the visitors unreadable to passive adversaries able to monitoring messages between nodes. Since including assist for it in Bitcoin Core 26.0, and enabling it by default in 27.0, it’s now used for almost all of worldwide Bitcoin P2P visitors.
Taking a step again, a Bitcoin node’s major operate is exchanging items of data which are essentially public: blocks within the blockchain, transactions within the mempool, and IP addresses of different Bitcoin nodes. As a result of this isn’t secret info, it isn’t instantly apparent why encrypting it alongside the way in which could be useful. However on nearer inspection, there’s loads of metadata related to Bitcoin visitors that’s value defending. If a large-scale adversary can see which transaction is relayed when and by which IP deal with, they’ll infer which node was the doubtless originator – and thus creator – of a transaction. Along with that, seeing the connections between nodes themselves could reveal who sure nodes belong to, permitting nodes of particular corporations or miners to be focused for assaults. And for some customers operating nodes in oppressive regimes, it might be undesirable to disclose they’re operating a Bitcoin node in any respect.
Within the P2P protocol as designed by Satoshi, nodes join to one another, and over these connections ship messages like inv (“I have new blocks/transactions for you”), getdata (“give me that block/transaction”), addr (“here is an IP address of another node”), and lots of others. The set of messages and options they assist has modified considerably over time, together with assist for early SPV shoppers with BIP 37, compact block relay with BIP 152, assist for Tor v3 addresses with BIP 155, and dozens of others. However the way in which these messages are encoded into bytes which are despatched over the wire – what we name the transport protocol – had primarily by no means modified since 2009. The one exception to this was the introduction of checksums to the protocol in Might 2010. BIP 324 was the primary change of this nature since then.
Word that regardless of being a quite elementary change to what will be described as a part of the “Bitcoin protocol”, it’s totally elective. It isn’t a consensus change, and didn’t want any coordination or activation mechanism. It’s merely used between particular person nodes that assist it, however when a BIP 324 supporting node talks to a different one that doesn’t, they fall again to talking the previous (“v1”) transport protocol. That is how, with out a lot fanfare not two years after the discharge of shopper software program that permits it by default, the vast majority of communication between Bitcoin nodes wound up utilizing the encrypted v2 transport protocol.
The thought of encrypting Bitcoin visitors was not new. Again in 2016, Bitcoin Core developer Jonas Schnelli proposed BIP 151, which might permit upgrading connections to change them to an encrypted mode. The proposal didn’t make it far, and since that strategy couldn’t conceal the preliminary handshake between two nodes from prying eyes, BIP 324 was proposed in 2019 to as a substitute revamp the transport protocol totally. This extra fashionable strategy as a substitute launched a completely new class of connections which are encrypted from the beginning. Progress on it accelerated when it was picked up by Dhruv Mehta in 2021, and along with Tim Ruffing and myself, was a full proposal that included just a few new options like a totally pseudorandom bytestream, affordances for visitors shaping, and elective extensions. We introduced it on the bitcoin-dev mailing listing in 2022, and after receiving a number of feedback, carried out it over the course of 2022 and 2023. The total function was merged in Bitcoin Core in 2023. After additional testing, it was enabled by default for all connections (with supporting friends) in 2024.
The absolutely pseudorandom bytestream function supplied by the brand new protocol means it reveals no recognizable patterns within the bytes despatched over the wire. For instance TLS, used for communication with safe web sites (“ URLs), encrypts the contents of websites, but not the fact that TLS is being used, or (until 2020 with Encrypted Client Hello, “ECH”) which hostname the location was being requested from. The v1 transport used earlier than BIP 324 despatched a really recognizable mounted first 16 bytes over each connection, making it straightforward for censoring firewalls to dam any reference to that sample. In distinction, the v2 transport has no such sample in any respect; each byte is uniformly random from the attitude of a 3rd celebration, and thus fully unpredictable. Any entity that intends to dam Bitcoin visitors utilizing it could want to dam something that appears random, which could be politically tougher than simply narrowly blocking Bitcoin-like visitors. The toughest a part of making your complete protocol pseudorandom was the truth that in the course of the handshake – earlier than encryption is about up – the nodes must alternate public keys, and public keys aren’t simply random bytes. Solely due to a reasonably fashionable cryptographic approach known as Elligator (2013), and particularly a variant known as ElligatorSwift (2022) that permits encoding elliptic curve public keys in random-looking bytes, was it attainable to keep away from even this sample.
It’s value declaring that as a result of public nature of the Bitcoin community, there are vital limitations to the privateness protections that an encrypted transport layer between nodes can provide. Bitcoin nodes don’t place belief of their friends, and thus do not likely care who they’re speaking to. Bitcoin nodes shouldn’t have identified public keys, which is why the encryption supplied by the v2 transport is opportunistic and non-authenticated; either side simply make up a brand new short-term key for every connection. This implies it’s attainable for energetic adversaries (e.g., your ISP) to carry out a man-in-the-middle assault: speak v2 to either side of the connection, however decrypt and re-encrypt all communication flowing between them, nonetheless permitting spying, and presumably tampering or censoring whereas doing so. Nevertheless, the purpose is that that is considerably dearer to do at scale, in comparison with merely inspecting unencrypted particular person messages like is feasible within the v1 transport. And naturally, since most Bitcoin connections are arbitrarily made to random untrusted nodes, an adversary who desires to spy at scale on different nodes all the time has the choice of simply spinning up a considerable amount of nodes themselves, and getting a big portion of the community to connect with them. Like man-in-the-middle assaults, that is dearer to do at scale than merely inspecting v1 packets.
BIP 324 is thus finest seen not as a privateness enchancment in and of itself, however as half of a bigger effort of elevating prices for large-scale surveillance of the Bitcoin community, with out counting on alternate networks like Tor or I2P, which have their very own trade-offs like elevated latency and denial-of-service danger that will not be acceptable for all nodes on the community. BIP 324 additionally presents numerous options which are as of but unimplemented, like visitors shaping to keep away from revealing details about transactions being relayed simply by observing the sizes of encrypted packets. Hopefully, these will probably be taken benefit of additional within the coming years.
Don’t miss your probability to personal The Core Subject — that includes articles written by many Core Builders explaining the tasks they work on themselves!
This piece is the Letter from the Editor featured within the newest Print version of Bitcoin Journal, The Core Subject. We’re sharing it right here as an early have a look at the concepts explored all through the total situation.
