For almost 15 years, all communication between nodes on the Bitcoin network was transmitted entirely in the clear, without any encryption. That changed in 2024 with the adoption of BIP 324, which introduced the “v2” transport protocol for communication between nodes. This new protocol features opportunistic encryption, making the traffic unreadable to passive adversaries capable of monitoring messages between nodes. Since support for it was added in Bitcoin Core 26.0, and it was enabled by default in 27.0, it is now used for almost all of global Bitcoin P2P traffic.
Taking a step back, a Bitcoin node’s primary function is exchanging pieces of information that are essentially public: blocks in the blockchain, transactions in the mempool, and IP addresses of other Bitcoin nodes. Because this isn’t secret information, it’s not immediately obvious why encrypting it along the way would be useful. But on closer inspection, there is a lot of metadata associated with Bitcoin traffic that’s worth protecting. If a large-scale adversary can see which transaction is relayed when and by which IP address, they can infer which node was the likely originator – and thus creator – of a transaction. In addition to that, seeing the connections between nodes themselves may reveal who certain nodes belong to, allowing nodes of specific companies or miners to be targeted for attacks. And for some users running nodes in oppressive regimes, it may be undesirable to reveal they’re running a Bitcoin node at all.
In the P2P protocol as designed by Satoshi, nodes connect to each other, and over these connections send messages like inv (“I have new blocks/transactions for you”), getdata (“give me that block/transaction”), addr (“here is an IP address of another node”), and many others. The set of messages and features they support has changed significantly over time, including support for early SPV clients with BIP 37, compact block relay with BIP 152, support for Tor v3 addresses with BIP 155, and dozens of others. But the way these messages are encoded into bytes that are sent over the wire – what we call the transport protocol – had essentially never changed since 2009. The one exception to this was the introduction of checksums to the protocol in May 2010. BIP 324 was the first change of this nature since then.
Note that despite being a rather fundamental change to what could be described as part of the “Bitcoin protocol”, it is entirely optional. It’s not a consensus change, and didn’t need any coordination or activation mechanism. It’s simply used between individual nodes that support it, but when a BIP 324 supporting node talks to another one that doesn’t, they fall back to speaking the old (“v1”) transport protocol. This is how, without much fanfare, not two years after the release of client software that enables it by default, the majority of communication between Bitcoin nodes wound up using the encrypted v2 transport protocol.
The idea of encrypting Bitcoin traffic was not new. Back in 2016, Bitcoin Core developer Jonas Schnelli proposed BIP 151, which would allow upgrading connections to switch them to an encrypted mode. The proposal didn’t make it far, and since that approach couldn’t hide the initial handshake between two nodes from prying eyes, BIP 324 was proposed in 2019 to instead revamp the transport protocol entirely. This more modern approach introduced an entirely new class of connections that are encrypted from the start. Progress on it accelerated when it was picked up by Dhruv Mehta in 2021, and together with Tim Ruffing and myself, it became a full proposal that included a few new features like a fully pseudorandom bytestream, affordances for traffic shaping, and optional extensions. We announced it on the bitcoin-dev mailing list in 2022, and after receiving a number of comments, implemented it over the course of 2022 and 2023. The full feature was merged in Bitcoin Core in 2023. After further testing, it was enabled by default for all connections (with supporting peers) in 2024.
The fully pseudorandom bytestream feature offered by the new protocol means it exhibits no recognizable patterns in the bytes sent over the wire. For example, TLS, used for communication with secure websites (“https://” URLs), encrypts the contents of websites, but not the fact that TLS is being used, or (until 2020 with Encrypted Client Hello, “ECH”) which hostname the site was being requested from. The v1 transport used before BIP 324 sent a very recognizable fixed first 16 bytes over every connection, making it easy for censoring firewalls to block any connection with that pattern. In contrast, the v2 transport has no such pattern at all; every byte is uniformly random from the perspective of a third party, and thus entirely unpredictable. Any entity that intends to block Bitcoin traffic using it would need to block anything that looks random, which may be politically harder than just narrowly blocking Bitcoin-like traffic. The hardest part of making the entire protocol pseudorandom was the fact that during the handshake – before encryption is set up – the nodes must exchange public keys, and public keys are not just random bytes. Only thanks to a fairly modern cryptographic technique called Elligator (2013), and specifically a variant called ElligatorSwift (2022) that allows encoding elliptic curve public keys in random-looking bytes, was it possible to avoid even this pattern.
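As an added illustration (not code from the article or from Bitcoin Core), the Python below shows why the v1 opening is so recognizable: its first 16 bytes are the 4-byte network magic followed by the command "version" padded to 12 bytes. It also verifies the checksum field added in 2010. The function names, the dummy payload and the random stand-in for a v2 opening are assumptions made for this example.

```python
import hashlib
import os
import struct

# Network magic values used by the v1 transport.
MAGIC = {
    bytes.fromhex("f9beb4d9"): "mainnet",
    bytes.fromhex("0b110907"): "testnet3",
    bytes.fromhex("0a03cf40"): "signet",
    bytes.fromhex("fabfb5da"): "regtest",
}
# A v1 connection always opens with a "version" message: command padded to 12 bytes.
VERSION_CMD = b"version".ljust(12, b"\x00")


def build_v1_message(magic: bytes, command: bytes, payload: bytes) -> bytes:
    """Serialize a v1 message: magic | command(12) | length(4, LE) | checksum(4) | payload."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return magic + command.ljust(12, b"\x00") + struct.pack("<I", len(payload)) + checksum + payload


def classify_first_bytes(data: bytes) -> str:
    """Classify a connection from the bytes its initiator sent first.

    Returns "v1:<network>" on a full 16-byte match, "undetermined" while the
    bytes seen so far are still a prefix of some v1 opening, else "not-v1".
    """
    undetermined = False
    for magic, network in MAGIC.items():
        v1_prefix = magic + VERSION_CMD
        if data[:16] == v1_prefix:
            return f"v1:{network}"
        if len(data) < 16 and v1_prefix.startswith(data):
            undetermined = True
    return "undetermined" if undetermined else "not-v1"


def checksum_ok(message: bytes) -> bool:
    """Verify the 4-byte double-SHA256 checksum in a complete v1 message."""
    (length,) = struct.unpack("<I", message[16:20])
    payload = message[24:24 + length]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return len(payload) == length and message[20:24] == expected


# Constructed samples: a v1 opening with a dummy payload, and 64 random bytes
# standing in for the ElligatorSwift-encoded key that opens a v2 connection.
SAMPLE_V1 = build_v1_message(bytes.fromhex("f9beb4d9"), b"version", b"\x00" * 86)
SAMPLE_V2_LIKE = os.urandom(64)
```

A node operator can run `classify_first_bytes` over the opening bytes of captured connections to see which peers still speak v1; anything classified "not-v1" is only a v2 candidate, since random-looking bytes carry no positive signature.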
It’s worth pointing out that due to the public nature of the Bitcoin network, there are significant limitations to the privacy protections that an encrypted transport layer between nodes can offer. Bitcoin nodes don’t place trust in their peers, and thus do not really care who they are talking to. Bitcoin nodes do not have known public keys, which is why the encryption offered by the v2 transport is opportunistic and unauthenticated; both sides just make up a new temporary key for every connection. This means it is possible for active adversaries (e.g., your ISP) to perform a man-in-the-middle attack: talk v2 to both sides of the connection, but decrypt and re-encrypt all communication flowing between them, still allowing spying, and possibly tampering or censoring while doing so. However, the point is that this is significantly more expensive to do at scale, compared to simply inspecting unencrypted individual messages as is possible in the v1 transport. And of course, since most Bitcoin connections are arbitrarily made to random untrusted nodes, an adversary who wants to spy at scale on other nodes always has the option of just spinning up a large number of nodes themselves, and getting a large portion of the network to connect to them. Like man-in-the-middle attacks, this is more expensive to do at scale than simply inspecting v1 packets.
BIP 324 is thus best seen not as a privacy improvement in and of itself, but as part of a larger effort of raising costs for large-scale surveillance of the Bitcoin network, without relying on alternative networks like Tor or I2P, which have their own trade-offs like increased latency and denial-of-service risk that may not be acceptable for all nodes on the network. BIP 324 also offers a number of features that are as of yet unimplemented, like traffic shaping to avoid revealing information about transactions being relayed just through observing the sizes of encrypted packets. Hopefully, these will be taken advantage of further in the coming years.
This piece is the Letter from the Editor featured in the latest Print edition of Bitcoin Journal, The Core Issue. We’re sharing it here as an early look at the ideas explored throughout the full issue.
