The Stealth Revolution: How Dandelion++ Redefines Anonymity in Crypto

Dandelion++ sets a new standard for privacy tools within the cryptocurrency landscape. Through its unique two-phase process, it promises to obscure the origins of transactions.

The evolution of privacy protocols and processes in the cryptocurrency industry signifies a new shift ensuring user anonymity and transaction confidentiality. From basic encryption methods to more sophisticated systems like CoinJoin, the journey toward perfecting privacy has been complex and innovative. These advancements reflect a growing recognition of privacy as a fundamental right for users in the digital age.

In this scenario, Dandelion++ emerges as an alternative. This privacy protocol was designed to enhance anonymity in blockchain transactions, offering a sophisticated solution to the pervasive issue of traceability and linkage to real-world identities. Dandelion++ sets a new standard for privacy tools within the cryptocurrency landscape. Through its unique two-phase process, it promises to obscure the origins of transactions. Let's go through this privacy protocol, and discuss how it works, why users need this type of privacy, and if it could be a good option for Decred.

Why was Dandelion++ created?

Anonymity plays a crucial role in the world of cryptocurrencies. However, the veil of anonymity that some currencies, like Bitcoin, promise can often be thinner than users might hope. The core issue lies in two main areas: firstly, Bitcoin users are identified through cryptographic pseudonyms, and secondly, every transaction made between these pseudonyms is recorded on a publicly accessible blockchain. If an attacker manages to associate a user's pseudonym with their real identity, they could potentially uncover the user's complete transaction history.

The revelation that transactions can be linked to users' IP addresses with over 30% accuracy has spotlighted a critical vulnerability within the Bitcoin network. In response to this challenge and the broader privacy issues facing Bitcoin users, the Dandelion++ protocol was introduced. This innovation is a strategic move to bolster privacy and anonymity across the cryptocurrency ecosystem. The first step before Dandelion++ was the creation of the original Dandelion protocol.

Bitcoin by itself is not fully anonymous

The first Dandelion protocol works by sending Bitcoin transactions through two main stages to enhance privacy. Think of it as passing a secret note in class but in a very smart way to avoid getting caught.

The Anonymity Phase (Stem Phase): Imagine you want to send a secret note to a friend across the room. Instead of passing it directly or tossing it for everyone to see, you give it to a random person close to you. That person then chooses another random person to pass it to, and this goes on a few times (the exact number of times is left to chance, like rolling dice). This makes it hard for anyone trying to catch the note to know where it started. In Dandelion, this is like passing the transaction information from one computer to another in a specific, hard-to-track path.

The Spreading Phase (Fluff Phase): After the note has been secretly passed around for a while, the last person opens it up and shares the message with everyone in the room, just like how a dandelion seed head bursts open to spread its seeds in all directions. In the digital world, this means the transaction information is finally spread out across the Bitcoin network for all to see, but by this time, it's nearly impossible to trace the transaction back to its original sender.

To keep things extra secure, Dandelion changes up the secret paths very often. This way, even if someone is trying to watch and figure out the pattern, they're only seeing a tiny piece of the puzzle and can't easily track where messages are starting from.

How Dandelion++ works

The Dandelion protocol is analyzed under three perfect-world conditions:

(1) every participant follows the rules, even the bad actors;
(2) each participant sends out just one transaction; and
(3) everyone involved uses Dandelion.

Under these ideal conditions, Dandelion is expected to perform very well in keeping transactions anonymous, with its effectiveness and accuracy described by certain mathematical terms.

However, in the real world, these conditions don't always apply. Our findings show that when these perfect conditions aren't met, Dandelion's ability to keep transactions anonymous might not be as strong as the theory suggests. This depends a lot on how Dandelion is set up in practice.

For instance, if bad actors play around with the network's structure or use certain tactics over many transactions, they might get better at tracing transactions back to their origin. Also, because Dandelion would need to be introduced gradually into the Bitcoin network, there's a chance for attackers to take advantage of this rollout period. Additionally, they could interfere with the spreading of transactions, essentially stopping them from reaching the entire network.

Dandelion++ is an improved version of the original Dandelion protocol, designed to better protect users' privacy when making Bitcoin transactions. Here's how it works, simplified:

Timing (Epochs): Just like Dandelion, Dandelion++ operates in periods called epochs, which last about 10 minutes each. When an epoch ends, changes are made to increase privacy.

Anonymity Graph Changes: Unlike the original Dandelion, which used a simple line for passing transactions secretly, Dandelion++ uses a more complex network structure. Imagine a web where each point (or node) is connected to four others randomly. This web is where transactions are passed around secretly before being made public. Every 10 minutes, the connections change to keep things unpredictable.

How Transactions Are Sent: For Your Transactions: Whenever you make a transaction, it's sent along one of these web connections in secret before going public.

For Transactions You're Passing On: If you receive a transaction from someone else, you either keep passing it along secretly or make it public, based on a coin flip (decided by a mix of your identity and period ).

Fail-Safe Mechanism: There's a safety net to ensure transactions don't get stuck. If a transaction you've passed on doesn't go public within a certain time, you switch to making it public yourself.

Dandelion++ introduces these steps to make it harder for actors to trace transactions back to their origin. The move from a simple line to a complex web for secret passing (the Anonymity Graph change) is particularly important. It means that tracking transactions becomes much more difficult, protecting users from potential privacy breaches. This system's effectiveness, however, comes with trade-offs in terms of complexity and the potential for new kinds of attacks, which the creators of Dandelion++ continue to study and improve upon.

If we use the metaphor of the secret note-passing game in class we can say that Dandelion++ is like an enhanced version of the game. Instead of passing notes in a straight line, this version uses a complex, constantly changing spiderweb pattern, where each student can secretly pass the note to four others. This makes it tough for anyone trying to catch the note to figure out who started it. Whether you're passing your note or one you received, you sometimes decide randomly to share it with everyone or keep passing it secretly. There's also a rule that if a note isn't shared within a certain time, you'll share it yourself to ensure it doesn't get lost. By complicating the path of the note and changing it every round, Dandelion++ improves privacy, although it introduces new complexities and challenges in keeping the game fair and secure.

The technical information about how Dandelion++ works was taken from the article: Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees.

Could it work for Decred?

Decred currently uses as its privacy protocol the Stakeshuffle. This tool mixes multiple transactions in a way that hides who sent money to whom, without needing a third party to hold the coins. This process, which involves a method called DiceMix Light for speed, ensures that no one can trace transactions, although the amounts transferred remain public. To keep transactions private, they're grouped in fixed amounts and any leftover change is carefully mixed again to avoid detection. CSPP mixes transactions every 15 minutes to enhance privacy further.

I talked to Reuben Yeap, Co-Founder & Project Steward of the Firo project, the first crypto project that implemented Dandelion++. In his words, he said that the implementation of the Dandelion++ was not that complicated, but annoying at some times. When talking about the technical part of the protocol on Firo he stated:

"The system essentially functions with two distinct mempools: one dedicated to Dandelion++ transactions and the other for the remainder of the transactions. All inventory commands capable of propagating transactions to other hosts possess corresponding versions specifically designed for use during the Dandelion++ stem phase. Subsequently, transactions disseminate in a standard manner through conventional commands."

When talking about the process of implementation he affirmed:

"Our code was adapted from a pull request submitted to the Bitcoin project, which, at the time, was still under consideration as a proposal. We have made several modifications and improvements to it to suit our specific requirements."

FIRO video explaining the Dandelion++ protocol

Debates in cryptocurrency forums about Dandelion++ implementation highlight several challenges: integrating it into existing systems can be complex, it may affect network efficiency, achieving community consensus is difficult, and there are concerns about balancing privacy improvements with potential increases in latency. When coming to Bitcoin the discussion revolved around 3 main topics:

Complexity in DoS Prevention: The Dandelion++ protocol introduces potential DoS vectors not present in the traditional transaction relay model. The acceptance of transactions into the mempool before the relay introduces complexity in managing and preventing bandwidth and CPU-exhaustion DoS attacks. Implementing safeguards against these attacks without significantly complicating the codebase or reducing network efficiency is a major challenge.

Implementation and Maintenance Overhead: The introduction of a "stempool" or equivalent logic to manage the unique aspects of Dandelion++ transactions adds to the codebase's complexity. This complexity not only pertains to the initial implementation but also to ongoing maintenance, potentially diverting resources from other critical developments.

Questionable Cost-Benefit Ratio: Considering the implementation's complexity and the need for ongoing management to mitigate DoS risks, there's a valid debate over whether the privacy benefits of Dandelion++ justify these costs. While privacy is a crucial aspect of the Bitcoin network, whether Dandelion++ is the most efficient way to achieve this goal is up for debate.

Read more of this discussion here!

Considering the integration of Dandelion++ into Decred's privacy mechanisms, like Stakeshuffle, presents a nuanced challenge. While Dandelion++ could enhance user anonymity by making transaction paths harder to trace, echoing successes seen in projects like Firo, it also brings concerns highlighted by Bitcoin's community discussions. For Decred, known for its commitment to privacy and security, these challenges necessitate careful deliberation to determine if the privacy benefits justify the trade-offs.

The decision to adopt Dandelion++ hinges on balancing enhanced privacy against potential impacts on network efficiency and resource allocation. As such, the Decred community must weigh these factors. Do you believe the added layer of privacy Dandelion++ offers is worth the challenges it introduces?