Bitcoin and other cryptocurrencies employ privacy at both the blockchain level and network layer. Public blockchains are permanent records of digital transactions, so blockchain privacy implementations focus on obscuring transaction data and anonymizing the identity of senders and receivers.
Privacy-focused cryptocurrencies such as Monero and Zcoin incorporate blockchain-level anonymity features such as Ring CTs and zero-knowledge proofs to make sure that transactions cannot be traced. However, P2P/overlay network communication also plays a vital role in anonymizing interactions across a blockchain network. Both Monero and Zcoin integrate network layer privacy features such as Tor and I2P, but these features also come with prolonged development and other downsides.
The Dandelion protocol is a network layer anonymity solution that was originally proposed in 2017 to help improve on Bitcoin’s P2P network privacy. The original proposal was subsequently found to contain various faults that could lead to deanonymization over time, because it made some idealistic assumptions about potential adversaries.
Eventually, an improved version of the Dandelion protocol, called Dandelion++, was proposed in May earlier this year. Dandelion++ addresses the concerns with the original protocol and has already been implemented by the research team with a positive response from Bitcoin’s development teams. Dandelion++ seems poised to be included in an upcoming Bitcoin Core release.
What is Dandelion++?
Dandelion++ is a lightweight and straightforward network layer solution with formally guaranteed anonymity that can easily be implemented with existing cryptocurrencies. It explicitly improves upon the idealistic assumptions of the original Dandelion proposal and differs from most broadcast communication anonymity protocols in its usage goals and analysis metrics.
To better understand how Dandelion++ works, it is essential to focus on how transactions are broadcast in Bitcoin and how the original Dandelion protocol worked. In Bitcoin, when a user broadcasts a transaction from a node, it is propagated to the nodes connected to that specific node, known as its peers. The transaction message is then propagated in a chain reaction in which each node further spreads the message to the nodes it is connected to. This is referred to as Bitcoin’s gossip protocol and is how transactions can reach the majority of nodes in the network very quickly.
Bitcoin now implements a form of broadcast known as diffusion where each node spreads transactions with exponential and independent delays to its neighbors to mitigate against the deanonymization of a user’s IP address. While effective, diffusion has recently been proven in several studies not to provide adequate anonymity protection.
The origin of a transaction message and its IP address (which is not included in a Bitcoin transaction message) can be mapped by third-party observers if they control enough nodes or use a supernode that is connected to a significant number of nodes. They can effectively map the originating address by observing which nodes see the transaction first. The Dandelion++ paper explicitly identifies how a study that used a supernode logged the relayed traffic of all the P2P nodes and observed the patterns of the transaction spreads over time to eventually deduce the source IP address. By linking the IP address with the pseudonym of the sender, a third party can deanonymize users and link further transactions even if a new public key is used for each transaction.
Dandelion was initially proposed to mitigate these vulnerabilities but relied on theoretical guarantees that did not hold up in practice. The original Dandelion proposal made 3 idealized assumptions:
- All nodes obey the protocol
- Each node generates precisely one transaction
- All Bitcoin nodes run Dandelion
These assumptions clearly did not work in practice and are why Dandelion++ sought to address them. The original Dandelion protocol works in 2 phases:
- Stem Phase
- Fluff Phase
The stem phase is the anonymous phase where the protocol is designed to reduce the possibility of mapping back to the original node’s IP address. In the stem phase, rather than a node broadcasting a transaction to all of its connected peers, it relays the transaction message through a privacy graph to a single random peer based on an algorithm. That node then transmits the transaction message only to another single peer, and the pattern continues until eventually (and randomly) one of the nodes broadcasts the message in the typical format of diffusion to the rest of the network.
This is where the fluff phase begins. Once a single node broadcasts the message using the diffusion method, the transaction message is propagated to a majority of nodes in the network quickly. However, it becomes much more difficult to trace back to the original node since the transaction message was transferred to many individual nodes through a privacy graph before being propagated in a manner that would allow an observer to map it to a single node. Instead, an observer could only map the spread of transactions back to the several nodes where the message was transferred in the stem phase, thus muddling the actual identity of the sender. In effect, this is abstractly similar to how a ring signature obfuscates the actual signer of a transaction.
Image Credit – Giulia Fanti’s Presentation in Lisbon
The Zcoin blog provides an excellent example of how the Dandelion protocol works by using typical high school gossip:
*STEM PHASE*
- Kathy: “Pssst, I have a massive crush on Nuwa. Please don’t tell anyone”
- George: “OMG, did you know what Kathy told me? She has a massive crush on Nuwa. I only told you, please don’t tell anyone”
- Alice: “Betty, you won’t believe what Kathy’s best friend, George just told me, Kathy is crushing hard on Nuwa! You’re my best friend so I only told you, please don’t tell anyone okay!”
*BEGIN FLUFF PHASE*
- Blabbermouth Betty: “Oh wow hot news…I have it from good sources that Kathy has a huge crush on Nuwa…Please tell everyone this is so exciting!”
The primary issues with the original Dandelion protocol stem from its underestimation of specific types of adversaries due to assumptions of their limited knowledge. Dandelion++ particularly focuses on making subtle changes to the implementation choices of Dandelion such as the graph topology and mechanisms for forwarding messages.
As a result, these small changes to the algorithm exponentially augment the problem state space for anonymity analysis. Dandelion++ relies on increasing the amount of information that adversaries must learn to deanonymize users.
Dandelion++ notably differs from Dandelion in its stem phase, where it passes transactions over intertwined paths known as cables before diffusing the transaction message to the network. The cables can be fragmented, but a node’s selection of the peer to propagate to is still confined to its local neighborhood. This is an important consideration when comparing Dandelion++ with network-level anonymity solutions like Tor, an onion routing protocol in which clients need global, current network information to determine transaction paths.
Image Credit – Dandelion++ Academic Paper
Both Dandelion and Dandelion++ proceed in asynchronous cycles. Each node advances when its internal clock reaches a certain threshold. For each period, Dandelion++ functions in 4 primary components with slight optimizations:
- Anonymity Graph
- Transaction Forwarding (own)
- Transaction Forwarding (relay)
- Fail-Safe Mechanism
Anonymity Graph uses a random 4-regular graph rather than a linear graph for the anonymity phase. The choice of Dandelion++ relays by nodes is independent of whether or not their outbound neighbors support Dandelion++.
Transaction Forwarding (own) means that every time a node generates a transaction of its own, it forwards the transaction along the same outbound edge in the 4-regular graph. This differs from one of the problematic assumptions in Dandelion, where nodes are assumed to generate only one transaction.
Transaction Forwarding (relay) is the probabilistic step in the stem phase: a node that receives a stem transaction either relays the transaction or diffuses it to the network. The choice to diffuse transactions to the network is pseudorandom. Further, a node is either a diffuser or a relay node for all relayed transactions.
Fail-Safe Mechanism means that for each stem phase transaction, each node tracks whether it is seen again as a fluff phase transaction. If not, the node diffuses the transaction.
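The four components above can be sketched as one node's per-epoch state. This is an added example, not code from the Dandelion++ paper or from Bitcoin Core; the class name `DandelionPPNode`, the diffuser probability `q`, the fail-safe timeout, and the use of two outbound stem edges per node to approximate a 4-regular graph are assumptions made for illustration.

```python
import random

class DandelionPPNode:
    """One node's Dandelion++ state for a single epoch (hypothetical sketch)."""

    def __init__(self, name, outbound_peers, q=0.2, failsafe_timeout=30.0, rng=None):
        self.name = name
        self.rng = rng or random.Random()
        self.q = q                          # assumed probability of being a diffuser
        self.timeout = failsafe_timeout     # assumed fail-safe delay, in seconds
        self.outbound_peers = list(outbound_peers)
        self.pending = {}                   # txid -> fail-safe deadline
        self.new_epoch()

    def new_epoch(self):
        # Anonymity graph: two outbound stem edges per node (assumption)
        # approximate a 4-regular graph, chosen without probing peer support.
        self.stem_peers = self.rng.sample(self.outbound_peers, 2)
        # One pseudorandom choice per epoch covers every relayed transaction.
        self.is_diffuser = self.rng.random() < self.q
        self.own_edge = self.rng.choice(self.stem_peers)
        self.route = {}                     # inbound peer -> fixed outbound stem edge

    def send_own(self, txid, now):
        # Own transactions always leave on the same outbound edge.
        self.pending[txid] = now + self.timeout
        return ("stem", self.own_edge)

    def on_stem(self, txid, from_peer, now):
        if self.is_diffuser:
            return ("fluff", None)          # start diffusion to all peers
        edge = self.route.setdefault(from_peer, self.rng.choice(self.stem_peers))
        self.pending[txid] = now + self.timeout
        return ("stem", edge)

    def on_fluff(self, txid):
        self.pending.pop(txid, None)        # seen as fluff: disarm the fail-safe

    def expire(self, now):
        # Fail-safe: diffuse any stem transaction never seen again as fluff.
        late = sorted(t for t, deadline in self.pending.items() if deadline <= now)
        for t in late:
            del self.pending[t]
        return late
```

The transaction IDs returned by `expire` are the ones the node would diffuse itself, which is what prevents a node that silently drops stem transactions from stopping propagation.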
The slight tweaks to the algorithm in these stages make it drastically more difficult to map IP addresses from observing the spread of transaction messages. The Dandelion++ paper goes on to identify specific attacks that could be used against the original Dandelion protocol including graph-learning attacks, intersection attacks, graph-construction attacks, and black hole attacks. With each attack vector, they demonstrate how Dandelion++ mitigates them with theoretical analysis and simulations.
Dandelion++ does not significantly increase network latency, and its practical feasibility was demonstrated on Bitcoin’s mainnet. It provides a lightweight and effective network layer anonymity tool for reducing the possibility of mapping attacks to deanonymize users. Despite its advantages, Dandelion++ does not explicitly protect against ISP or AS-level adversaries which can use routing attacks to deanonymize users.
Comparing Dandelion++ and Tor
Dandelion++ has some notable advantages over other network anonymity implementations such as Tor. Tor is the most prominent network overlay layer focused on privacy and it uses onion routing to conceal users’ geographic location and IP addresses.
Tor’s integration at the network stack level of cryptocurrency systems is exceedingly challenging. Monero is an excellent example of this, as it has taken over four years to implement its Tor-like I2P Kovri project into its network, and it is still a work in progress. Many cryptocurrency networks have neither the time nor the technical expertise to integrate this type of functionality.
Users routing their transactions through Tor is also not particularly feasible for mainstream Bitcoin users who are either unaware of the privacy deficiencies of the network or lack the experience to route transactions through Tor properly. Further, Tor can be slow due to limited bandwidth compared to Dandelion++.
The same study that identified some deanonymizing concerns of diffusion broadcasting in Bitcoin also highlights attacks on nodes where they end up rejecting or blacklisting Tor connections. This can lead to deanonymizing transactions and mapping user IP addresses too.
Conclusion
Dandelion++ is a useful improvement over the original Dandelion protocol. Its eventual integration into an upcoming Bitcoin Core release seems likely and should offer significant improvements in Bitcoin’s P2P network privacy. Attack vectors of cryptocurrencies continue to evolve, and so do the solutions to them. Dandelion++ represents another step forward in protecting user privacy in Bitcoin.