Bitcoin Upgrades with Dandelion: The Transaction Privacy Protocol

Could there be privacy at the network layer without TOR?


Hidden to some, but not to others

Mainstream media portrays the crypto crowd as a group of money-laundering, drug-buying crypto-anarchists who have the power to hide every transaction they make online. Headlines like “BITCOIN PRICE IS SO HIGH BECAUSE CRIMINALS ARE USING IT FOR ILLEGAL TRADES” only perpetuate the misconception that the most popular cryptocurrency is as “bullet-proof anonymous” as cash. However, the truth is that a bitcoin transaction can be traced. Companies like Chainalysis are active and raising capital in their effort to help law enforcement agencies around the world detect illegal activity that happens on the blockchain.

The paradox is that at the same time there are thousands of engineers trying to figure out how to actually make these transactions truly anonymous. The privacy coin space is filled with plenty of challengers to Bitcoin’s throne, touting the same features in addition to their “unpenetratable stealth” tool set. The two areas of intense research in privacy are the blockchain transaction layer and the network transmission layer.

Diagram showing how Bitcoin is not completely anonymous (C. Smith/Science)

Monero and Zcash have ways of anonymizing transactions, like ring signatures, stealth addresses, and zk-SNARKs. These are the tools used to hide how much was spent and to whom. However, they still require an external service like TOR or I2P to achieve privacy at the network layer before they can be considered “fully anonymous”.

Although Bitcoin currently doesn’t possess any of these anonymous transaction-layer features, it might soon get a massive upgrade to its ability to keep its users’ IP addresses (and their locations) hidden with its own built-in network anonymity: Bitcoin Improvement Proposal 156, Dandelion++.

Gossip, Dandelion, and Dandelion++

Before getting into the weeds on Dandelion++ (for those non-botanists who didn’t catch the pun), it’s useful to understand how a transaction currently gets broadcast to the blockchain network and how its predecessor, Dandelion, would handle it too.

And like Antonis Antonopoulos says in this video explanation of Dandelion, the naming is spot-on

Bitcoin (and most decentralized systems) uses the Gossip Protocol to send information around the network. The name “Gossip” is actually very apropos.

The most common example of “Gossip” is in a high school or office setting. Steve tells Bill and Bob about the affair he’s been having. Bill starts to share the juicy news with his other colleagues. Sharing continues as the gossip circle grows larger and larger until one hour later, through the help of instant messaging and hallway chitchat, everyone knows that Steve is having an affair. The message was sent around and around, redundantly being shared to the same people over and over, until everyone knows about it.

The way Dandelion takes it one step further is that Bill tells the first few people not to tell anyone. His colleagues don’t want to get him in trouble either, but they can’t resist telling others, so they also say “don’t tell anyone” as the message silently travels throughout the office. Eventually, Sally in accounting hears it at the Keurig coffee maker, and everyone knows that Sally is a chatterbox, so she starts going into full gossip mode. The message quickly gets announced to the full office network, going around again and again, and everyone knows Steve is having an affair.

So who does Steve get mad at?

In the first scenario, Steve can start his investigations into who it was that shared his secret, asking “Who did you hear that from”, and eventually will find out it was Bill. Bill never told anyone not to share it, and the information breadcrumbs are easy to find. He knows for sure it wasn’t Bob.

However, in the 2nd scenario, Steve can only confirm that Sally found out, but he doesn’t know who told her! Because the information was “private” until reaching Sally, Steve can’t know for sure if it was Bill or Bob who gave away his secret in the first place (the origin of the message).

From Giulia Fanti’s Presentation in Lisbon

The 2 phases in Dandelion are referred to as the “stem” (anonymity phase) and the “fluff” (spreading phase).

By delaying the appearance of the transaction to the network, it’s harder for someone to trace back the origin of the transaction. It’s not impossible, but it requires a lot more work. In fact, the level of effort required didn’t satisfy the Dandelion creators, Giulia Fanti, Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Bradley Denby, Shruti Bhargava, Andrew Miller and Pramod Viswanath, so they came up with Dandelion++.

Everyone has a Sally within

Dandelion++ improves upon its original concept by adding a few tweaks, chief among them the pseudorandom relay/diffusion choice during the stem-phase. By adding this randomness, every node has the potential to go “Blabbermouth Sally” or stay private, making the routing pattern less predictable and therefore harder for deanonymizers to trace back the original source.

Zcoin, which deserves props for its early implementation of Dandelion++, summarizes the update quite nicely.

“Instead of sending transactions to all neighbors, Dandelion++ initially sends them to only one other node. This next node then rolls a dice to decide if it passes it on to just one or all of its neighbors. With the introduction of this element of chance, the propagation pattern now becomes unpredictable, making it infeasible to follow the transaction back to the sender.”

To fully appreciate how complex anonymity is, you have to realize that even this proposed upgrade does not bring full anonymity to Bitcoin.
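
The stem and fluff phases described above can be simulated in a few lines. The Python sketch below is an added example, not code from the Dandelion++ authors, BIP 156 or Zcoin; the shuffled-ring topology, the per-hop fluff probability of 0.1, the hop cap and all function names are assumptions. It measures only one signal, how often the first node to broadcast publicly is the true origin, so it says nothing about observers who learn the stem routes.

```python
import random

def make_stem_ring(n_nodes, rng):
    """Constructed toy topology: every node gets exactly one stem successor,
    arranged as a shuffled ring so a short stem path never revisits its origin."""
    order = list(range(n_nodes))
    rng.shuffle(order)
    return {order[i]: order[(i + 1) % n_nodes] for i in range(n_nodes)}

def propagate(origin, successor, fluff_prob, rng, use_stem=True, max_hops=50):
    """Return the stem path; its last node is the one that starts diffusion."""
    path = [origin]
    if not use_stem:                  # plain gossip: the origin broadcasts itself
        return path
    node = successor[origin]          # stem phase: hand off to a single peer
    while True:
        path.append(node)
        # Each relay rolls the dice: diffuse to all peers, or pass it on.
        # max_hops is a safety cap of this simulation (assumed value).
        if rng.random() < fluff_prob or len(path) > max_hops:
            return path
        node = successor[node]

def measure(n_nodes=100, fluff_prob=0.1, trials=2000, use_stem=True, seed=7):
    """Fraction of transactions whose first public broadcaster is the true
    origin, plus the mean number of stem hops before diffusion starts."""
    rng = random.Random(seed)
    successor = make_stem_ring(n_nodes, rng)
    exposed = hops = 0
    for _ in range(trials):
        origin = rng.randrange(n_nodes)
        path = propagate(origin, successor, fluff_prob, rng, use_stem)
        exposed += path[-1] == origin
        hops += len(path) - 1
    return exposed / trials, hops / trials

if __name__ == "__main__":
    print("gossip      (exposure, mean hops):", measure(use_stem=False))
    print("dandelion++ (exposure, mean hops):", measure(use_stem=True))
```

Under plain gossip the first broadcaster is always the origin; with the stem phase the broadcast starts, on average, about 1/fluff_prob hops away from it.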

I still like my Bill, Steve, Sally example

Privacy is a state, not a place

Until now, Bitcoin users have had to use the TOR network to achieve network-layer privacy, but “TOR’s poor user experience adds additional burden to the user during an operation that requires extra care. IP anonymity must be built into the protocol,” says Pratyaksh Sharma, CTO at Marlin Protocol. “We’re building a framework for all blockchains to save developers from the hassle of perfecting anonymous communication.”

Monero has been working on the Kovri project for more than 4 years now, trying to bake TOR capabilities directly into their network. Dandelion++ has already been implemented in one project because of its lightweight and straightforward integration. It benefits from connectivity and routing decisions made at the local level, unlike TOR’s onion routing, which needs a global and current view of the network to create its transaction paths.

Either way, don’t think that privacy today means privacy tomorrow. As Carnegie Mellon’s Nicolas Christin said in this Wired article, “You have a permanent record of everything taking place. If, down the road, someone finds a vulnerability that can reveal what happened in the past, you may still be at risk. We don’t know what the future holds.”
