For almost 15 years, all communication between nodes on the Bitcoin network was transmitted fully in the clear, without any encryption. That changed in 2024 with the adoption of BIP 324, which introduced the “v2” transport protocol for communication between nodes. This new protocol features opportunistic encryption, making the traffic unreadable to passive adversaries capable of monitoring messages between nodes. Since adding support for it in Bitcoin Core 26.0, and enabling it by default in 27.0, it is now used for almost all of global Bitcoin P2P traffic.
Taking a step back, a Bitcoin node’s main function is exchanging pieces of information that are essentially public: blocks in the blockchain, transactions in the mempool, and IP addresses of other Bitcoin nodes. Because this isn’t secret information, it isn’t immediately obvious why encrypting it along the way would be beneficial. But on closer inspection, there is a lot of metadata associated with Bitcoin traffic that is worth protecting. If a large-scale adversary can see which transaction is relayed when and by which IP address, they can infer which node was the likely originator – and thus creator – of a transaction. In addition to that, seeing the connections between nodes themselves may reveal who certain nodes belong to, allowing nodes of specific companies or miners to be targeted for attacks. And for some users running nodes in oppressive regimes, it may be undesirable to reveal they’re running a Bitcoin node at all.
In the P2P protocol as designed by Satoshi, nodes connect to each other, and over these connections send messages like inv (“I have new blocks/transactions for you”), getdata (“give me that block/transaction”), addr (“here is an IP address of another node”), and many others. The set of messages and features they support has changed significantly over time, including support for early SPV clients with BIP 37, compact block relay with BIP 152, support for Tor v3 addresses with BIP 155, and dozens of others. But the way these messages are encoded into bytes that are sent over the wire – what we call the transport protocol – had essentially never changed since 2009. The one exception to this was the introduction of checksums to the protocol in May 2010. BIP 324 was the first change of this nature since then.
Note that despite being a rather fundamental change to what could be described as part of the “Bitcoin protocol”, it is entirely optional. It’s not a consensus change, and did not need any coordination or activation mechanism. It is simply used between individual nodes that support it, but when a BIP 324 supporting node talks to another one that doesn’t, they fall back to speaking the old (“v1”) transport protocol. This is how, without much fanfare, not two years after the release of client software that enables it by default, the vast majority of communication between Bitcoin nodes wound up using the encrypted v2 transport protocol.
The idea of encrypting Bitcoin traffic was not new. Back in 2016, Bitcoin Core developer Jonas Schnelli proposed BIP 151, which would allow upgrading connections to switch them to an encrypted mode. The proposal did not make it far, and because that approach could not hide the initial handshake between two nodes from prying eyes, BIP 324 was proposed in 2019 to instead revamp the transport protocol entirely. This more modern approach instead introduced an entirely new class of connections that are encrypted from the start. Progress on it accelerated when it was picked up by Dhruv Mehta in 2021, and together with Tim Ruffing and myself, turned into a full proposal that included several new features like a fully pseudorandom bytestream, affordances for traffic shaping, and optional extensions. We announced it on the bitcoin-dev mailing list in 2022, and after receiving a number of comments, implemented it over the course of 2022 and 2023. The full feature was merged in Bitcoin Core in 2023. After further testing, it was enabled by default for all connections (with supporting peers) in 2024.
The fully pseudorandom bytestream feature offered by the new protocol means it shows no recognizable patterns in the bytes sent over the wire. For example TLS, used for communication with secure websites (“https://” URLs), encrypts the contents of websites, but not the fact that TLS is being used, or (until 2020 with Encrypted Client Hello, “ECH”) which hostname the site was being requested from. The v1 transport used before BIP 324 sent a very recognizable fixed first 16 bytes over every connection, making it easy for censoring firewalls to block any connection with that pattern. In contrast, the v2 transport has no such pattern at all; every byte is uniformly random from the perspective of a third party, and thus completely unpredictable. Any entity that intends to block Bitcoin traffic using it would need to block anything that looks random, which may be politically harder than just narrowly blocking Bitcoin-like traffic. The hardest part of making the entire protocol pseudorandom was the fact that during the handshake – before encryption is set up – the nodes need to exchange public keys, and public keys are not just random bytes. Only thanks to a fairly modern cryptographic technique called Elligator (2013), and specifically a variant called ElligatorSwift (2022) that allows encoding elliptic curve public keys in random-looking bytes, was it possible to avoid even this pattern.
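The v1 framing and its fixed 16-byte opening, discussed here and in the earlier paragraph on the transport protocol and its checksum, as an added example that is not code from the article or from Bitcoin Core. The mainnet magic value and the 24-byte header layout are taken from the v1 protocol rather than from this page, and the payloads and the v2 stand-in bytes are constructed samples.

```python
import hashlib
import struct

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")                   # mainnet network magic
V1_PREFIX = MAINNET_MAGIC + b"version".ljust(12, b"\x00")   # fixed first 16 bytes


def checksum(payload: bytes) -> bytes:
    """v1 checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_v1(command: str, payload: bytes) -> bytes:
    """Frame as magic | command (12, NUL-padded) | length (LE) | checksum | payload."""
    name = command.encode("ascii")
    if not 0 < len(name) <= 12:
        raise ValueError("command must be 1..12 ASCII bytes")
    header = MAINNET_MAGIC + name.ljust(12, b"\x00")
    header += struct.pack("<I", len(payload)) + checksum(payload)
    return header + payload


def decode_v1(data: bytes) -> tuple[str, bytes]:
    """Parse one v1 message, rejecting bad magic, truncation and checksum mismatch."""
    if len(data) < 24:
        raise ValueError("truncated header")
    if data[:4] != MAINNET_MAGIC:
        raise ValueError("wrong network magic")
    (length,) = struct.unpack("<I", data[16:20])
    payload = data[24:24 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if checksum(payload) != data[20:24]:
        raise ValueError("checksum mismatch")
    return data[4:16].rstrip(b"\x00").decode("ascii"), payload


def looks_like_v1(first_bytes: bytes) -> bool:
    """True when a connection opens with the cleartext v1 'version' header prefix."""
    return first_bytes[:16] == V1_PREFIX


if __name__ == "__main__":
    # Constructed sample: a placeholder payload, not a real version message.
    v1_open = encode_v1("version", b"constructed-payload")
    # Constructed stand-in for the first 64 bytes of a v2 connection.
    v2_open = hashlib.sha512(b"constructed v2 stand-in").digest()
    print(v1_open[:16].hex(), looks_like_v1(v1_open), looks_like_v1(v2_open))
    print(decode_v1(v1_open))
```

Every v1 connection matches `looks_like_v1` regardless of payload, which is exactly the property the v2 handshake removes.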
It is worth pointing out that due to the public nature of the Bitcoin network, there are significant limitations to the privacy protections that an encrypted transport layer between nodes can offer. Bitcoin nodes do not place trust in their peers, and thus do not really care who they are talking to. Bitcoin nodes do not have known public keys, which is why the encryption offered by the v2 transport is opportunistic and non-authenticated; both sides just make up a new temporary key for every connection. This means it is possible for active adversaries (e.g., your ISP) to perform a man-in-the-middle attack: talk v2 to both sides of the connection, but decrypt and re-encrypt all communication flowing between them, still allowing spying, and possibly tampering or censoring while doing so. However, the point is that this is significantly more expensive to do at scale, compared to simply inspecting unencrypted individual messages like is possible in the v1 transport. And of course, since most Bitcoin connections are arbitrarily made to random untrusted nodes, an adversary who wants to spy at scale on other nodes always has the option of just spinning up a large number of nodes themselves, and getting a large portion of the network to connect to them. Like man-in-the-middle attacks, this is more expensive to do at scale than simply inspecting v1 packets.
BIP 324 is thus best seen not as a privacy improvement in and of itself, but as part of a larger effort of raising costs for large-scale surveillance of the Bitcoin network, without relying on alternative networks like Tor or I2P, which have their own trade-offs like increased latency and denial-of-service risk that may not be acceptable for all nodes on the network. BIP 324 also offers a number of features that are as of yet unimplemented, like traffic shaping to avoid revealing information about transactions being relayed just through observing the sizes of encrypted packets. Hopefully, these will be taken advantage of further in the coming years.
This piece is the Letter from the Editor featured in the latest Print edition of Bitcoin Magazine, The Core Issue. We’re sharing it here as an early look at the ideas explored throughout the full issue.