Dandelions, and a Bright Future for Bitcoin Privacy

If you would rather listen to this read aloud, check out Episode 100 of The Cryptoconomy Podcast here.

What do dandelions have to do with privacy? First, privacy in Bitcoin, in spite of what you may hear from the average journalist, is anything but assured. It is true that addresses can be created quickly under pseudonyms and there is no official “registration” or identity process to join the network. But due to the utterly open and transparent nature of the global digital ledger, it is also a mountain of metadata and historical record keeping, not to mention its immutable. So while you may be able to easily create a pseudonym, it is also not very difficult to connect all transactions under that pseudonym together. And at any point in the tree of transactions and activity, if a third party like a Bitcoin service, exchange, ISP, or online store is able to attach your identity to a specific address, it may be trivial to then discern and connect many of your other transactions and balances as well.

To top it all off, the very first step in transferring bitcoins, the simple act of broadcasting a transaction out onto the network, is a critical point at which identifiable information could connect your real world identity, to your coins. A clever and observant node, doing analysis on the movement of transactions through peers, can often pinpoint the originating IP address, and therefore, the likely owner of the coins. This will be the focus of our discussion.

Privacy at Step One

Privacy is a difficult and complex problem, and on the internet it practically always comes with either a high cost or at the least, some level of inconvenience. Because of this, the vast majority of people dismiss it as a “necessary evil” of the digital world, often never considering exactly how important it is. There have been numerous privacy protocols and transaction types proposed in bitcoin and other cryptocurrencies. Too many to easily count. Yet none are perfect solutions, most have some degree of added costs, and to date, none have managed to “catch on.”

Recently, however, a research paper was released assessing and introducing Dandelion++, a propagation protocol that boasts the most optimal non-encryption, privacy guarantees for broadcasting a transaction. Even in the presence of a widely connected supernode, that is closely monitoring the Peer-to-peer network. Even better, it comes at little cost, doesn’t involve a complex encryption mechanism, has only a minor effect on latency, and requires no alterations to the current bitcoin implementation or consensus rules.

Being barely able to contain my excitement at such claims, I took a dive into the paper and tried to filter through the frustrating math and unfamiliar terms to figure out exactly how Dandelion worked. (The protocol is actually Dandelion++, an improvement to the original Dandelion proposal, but for our purposes we will simplify it to Dandelion) What follows is my translation of the May 28th, 2018 research paper titled Dandelion++ Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees. Before we jump in, however, let’s take a second to cover some of the basics.

What Is Propagation?

This might be obvious to a lot of people reading this (or listening to it), but I think it’s important to clarify before beginning the discussion. The privacy being addressed here is in the process of announcing a transaction to the network. This isn’t about severing the connection between new coins and old addresses, mixing transactions with other users, or obscuring any addresses or balances. When you sign and broadcast a transaction to the network, it gets handed to your immediate peers, then they hand it to their peers, etc. This continues until the entire network has verified and passed on your transaction to every other node on the Bitcoin network. The transaction then is kept in what’s called the “mempool.” The mempool is basically a bus stop for transactions before being added to the blockchain. When a miner finds a block (like a bus arriving every 10 minutes), the transactions crowd into the bus until either it’s full or the bus stop is empty, and then they are delivered off to the blockchain to be immutably recorded forever into the future. Propagation, in this analogy, is the story of how these transactions made it to the bus stop.

screenshot from explorer blockcypher.com

So, what if a node connects to as many other nodes as possible, and listens for transactions on the network? Would they then figure out where the transaction itself was sent from? Turns out that because transactions are broadcast isotropically (a pretentious way of saying “equally in all directions”) this is a real possibility. By utilizing the times in which they receive a transaction and which nodes they received it from, a highly connected node is sometimes able to trace the source of the transaction back to the originating IP address. By doing this, it is possible for them to connect the public key and addresses within a transaction to a person’s real world identity, not by sourcing information from an exchange, not by phishing users to give up their information, but merely by watching the network.

“Recent work has demonstrated P2P-layer anonymity vulnerabilities that allow transactions to be linked to users’ IP addresses with accuracies over 30%”

In addition to this, the snoop conveniently has a blockchain, a transparent and unforgeable history of those coins and every transaction referencing them, that traces them all the way back to when they were mined into existence. This presents quite a problem. Think of it as simply going into a store (or anywhere really) and using your VISA card, and that simple act exposes you to a vulnerability that may allow a random internet user to observe your purchase and then connect it to every transaction you have ever made with that card. This is not exactly the bright future we had envisioned for decentralized money.

Why is Privacy Important?

I hope most people in the Bitcoin community are past the “well if you have nothing to hide, what’s the problem?” level of argumentation on privacy. However, I do want to briefly go over why privacy is so important.

“It’s not that I have something to hide. I have nothing I want you to see.” -Anon

While privacy may make some of the following possible, it isn’t necessarily about protecting against corporations that would sell your data, governments who want to use or control your financial activity, making “nefarious” purchases on the darkweb [obligatory scary voice], or evading taxes. The Bitcoin network is a global and open network built from entirely open source software. This is about simply rebuilding the most basic privacy barriers between yourself and literally anyone on the internet. For the same reason we wouldn’t want to record a video of ourselves every time we take a shit and post it on Youtube, we don’t want the default state of Bitcoin to be that anyone with a node and the motivation could see our purchases, balances, and entire history of our transactions.

And when I say anyone on the internet, I literally mean anyone. Remember, connecting an IP address to a transaction has the possibility of revealing the user’s balances, their real world identity, and their physical location. That’s essentially the equivalent of broadcasting your home address, name, and how much cash savings you have lying around. Not protecting this information, can have horrible consequences.

At the peak of the recent bubble in December 2017, CEO of the bitcoin exchange Exmo Finance, based out of the UK, was kidnapped and held for $1 million ransom to be paid in Bitcoin. Luckily he survived the ordeal, albeit $1 million poorer. Maybe he got a little satisfaction in watching that million lose 70% of its value over the next few months.

In January of this year (2018) Pavel Makushin, a popular Youtuber and cryptocurrency investor had his apartment broken into and was robbed of around $380,000. In February, he was found dead in his apartment, likely the result of suicide.

Also in February, the creator of the cryptocurrency PRISM, Yury Mayorov, was kidnapped, beaten, robbed of 300 bitcoins (~$3 million at the time), $20,000, and 3 iphones.

Also in January, four attackers kicked down the door of a cryptocurrency trader living on a private drive, in a picturesque village in South Oxfordshire, UK, held him and his wife at gunpoint, and forced him to transfer an undisclosed amount of Bitcoin.

These are not the only reports of this kind. Now, we have no reason to assume these people were targeted by IP address sourcing, however, we must assume that these are possible consequences of not closing that vulnerability. This is in addition to snooping corporations that would sell your financial data, and abusive or corrupt governments that would want to control it.

Isn’t Tor the Quick Fix?

First, it might seem simple to merely implement broadcasting over the Tor network, the infamous and widely used privacy focused routing protocol, often referred to as the “darkweb” (usually by people who don’t know much about it). Monero is actually trying to implement Tor routing into the core of their network itself, giving additional privacy at the lowest possible level. So what’s the problem? The Monero team has actually been trying to do this for multiple years, and yet the work remains incomplete. This is because routing over the Tor network requires global and up-to-date information about the network itself. Making it extremely heavy on resources and the client. In addition to cryptographic protocols being difficult to implement even without these added challenges.

I hope the Monero team is able to succeed in this task. But integrating with Tor and many other alternatives, all seem to have their own limits and costs associated with them. Creating undesirable barriers, both with the development and adoption of the tech that’s needed to make good privacy the default, without sacrificing performance.

You Said Something About Dandelions?

As one of my favorite college professors always said, “Let’s get to the meat and potatoes.” Imagine we download our Dandelion wallet and fund it with some Bitcoin. Then we want to send out a transaction to the network, announcing it to all of our peers, in hopes of getting it into the hands of a miner, and included in a block.

Under normal circumstances, a transaction is handed to every connected peer, and is immediately available for query from any node that possesses it. The first thing Dandelion does, is make the initial broadcast private. The transaction is handed off to a specific peer, chosen at random, and is temporarily unavailable for query. It is kept separate from all the other transactions at our public bus stop (the mempool). As the transaction is passed further along, it remains “in the shadows,” only being seen by the peers who directly receive it.

So how do nodes choose this random peer? The dandelion protocol actually picks a temporary “anonymity set” of peers. In the case referenced in the research paper, it is a set of 4 peers, allowing two completely segregated paths for private propagation. Imagine it like being shocked by a bolt of electricity. When the electricity enters from your left leg it travels up the leg, passes your crotch and always exits out the right leg. But if the electricity enters through your left arm, it crosses your chest, and then always exiting the right arm. This remains consistent and the electricity never travels from an arm to a leg. Maybe a little morbid, but hopefully it paints a picture.

Now we have our “anonymity set,” or group of peers we will share transactions with. So for the length of time that this group is active, the same paths are reused. This means a transaction that you make, would randomly pick one of the two exits (the right arm or right leg) and therefore would look identical, to any transaction that you might be relaying for someone else (from the left arm or leg). By creating uniform patterns that all transactions will go through using this set of peers, it eliminates any data that might be used to distinguish one transaction from any other. This stage of private, uniform propagation is referred to as the “Stem” phase.

windows 10 stock image

The Stem

Obviously the transaction can’t stay private forever, eventually we want it to end up at the bus stop with all of the others, we just don’t want people to know how it got there. So how does a Dandelion node know when a transaction should “exit” the stem, to broadcast it publicly? In Dandelion, this second stage, is known as the “Fluff” phase. And the decision to “Fluff” the transaction is made by the age old process, of flipping a coin. Accounting for the fact that Bitcoin hodlers might not use physical money anymore, and therefore wouldn’t have a real coin lying around, the developers made the wise decision of letting the computer do the “flipping” for them. When receiving a transaction from their Dandelion peers, every node plays a little probability game, that gives the transaction a 90% chance of staying private, or “continuing along the Stem.”

This will continue until one of 2 things occurs.

  1. One of the nodes rolls a “Fluff” instead of a “Stem,” therefore immediately broadcasting the transaction publicly, or…
  2. A time delay, determined individually by each Stem node holding the transaction, expires and it is broadcast from there.

This time delay, much like the coin flipping and choosing a set of peers, is also determined probabilistically. This ensures there is no pattern around which node in the stem will expire first. Therefore, preventing the first node that receives the transaction, from always being the first to broadcast it, in the case of a transaction either perpetually riding, or getting lost somewhere along the Dandelion Stem.

With the probability of entering the Fluff stage at 90% for every node, this makes the average Stem on a Dandelion enabled network approximately 10 hops in length. Using the well established principle of 6 Degrees of Kevin Bacon, and accounting for the incredible interconnectivity of the Bitcoin P2P network, this means a transaction from any particular node, could equally end up being broadcast from any other node at any location in the entire bitcoin network.

The Fluff

At some point the transaction is “Fluffed.” When this happens, the transaction returns to normal propagation and is pushed in every direction across the P2P network. This is when it finally appears at the bus stop, without anyone knowing the path it took to get there. One interesting thing about the nodes along the Stem, is that while quietly holding the transaction, they are also continuously checking the network to see if it has been released into the wild. The very second that they see it has reached the public network, every node along the Dandelion Stem immediately broadcasts their copy of it as well.

So rather than sharing the pattern of a normal transaction, spreading across the public network outward from a single point, the transaction takes a quiet path across many nodes and then suddenly bursts from multiple peers simultaneously at different locations all across the Bitcoin network.

image provided by maxpixel.net

Designing the Wind

There are many characteristics of this system that could possibly see it becoming a highly used propagation method across Bitcoin, and possibly other P2P blockchains. I’ll list a number of them here:

  • The Dandelion method has extremely minor consequences to the user experience in the form of latency. While the transaction privately takes 10 hops, this entire process takes only on the order of a few seconds. Ensuring that speed is not heavily sacrificed in order to achieve a high level of protection.
  • The protocol is very lightweight, involves no complicated or unexpected computation, and can be deployed without any changes to the underlying Bitcoin protocol.
  • This has a higher potential to see widespread adoption than what some may think is the more obvious solution of just integrating Tor.
  • It has near optimal privacy for any non-encryption scheme by utilizing the concept of “hiding in the crowd.”
  • Because the anonymity set is chosen at random from a node’s list of whitelisted peers, an adversary will likely have a very difficult time inserting themselves.
  • The anonymity set is also periodically refreshed, starting over the task of any adversary who is trying to map Stems across the network.
  • Because adversaries would be likely to run Dandelion nodes themselves, a lack of version checking (or picking a set regardless of whether they signal Dandelion or not) will result in prematurely ending the stem, but still maintain a level of uncertainty higher than that of standard propagation. This makes it a benefit to privacy (albeit less of one) even during the adoption phase, or with only a portion of the network peers participating.

A Brighter Future for Privacy

Dandelion is by no means an end-all solution to privacy. But what it does do, is work to secure privacy at the very first step a transaction takes onto the Bitcoin network. For me it represents the exciting potential that rather than needing some over-arching, fully obfuscating, encryption protocol that increases the costs of maintaining the network, maybe true privacy is possible through a stack of layered protocols that works to add protections at each individual stage of interacting with the network.

I admit that at one point I was becoming pessimistic about the future of privacy within the Cryptoconomy. I feared we would rebuild the privacy destroying characteristics of the internet, with an immutable history of all transactions to add to the problem. While there were many exciting new developments, I worried they were too bulky or costly to see adoption at the level that the average user would regain the basic right of not broadcasting to the entire world every aspect of their digital lives and financial activity.

It was the Lightning Network that first made me realize there may be simple, lightweight solutions that could go a long way to making the privacy we take for granted in our private homes and with our close friends, a reality in the digital world as well. The fact that a protocol could simultaneously *add* to privacy, while *lowering* the associated costs of transactions, renewed my excitement in this regard.

Privacy is a basic human right. It is indicative of how out of balance our society is today, that governments, corporations, and authoritative institutions can completely take our privacy, and it is of no consequence. But then any attempt to get it back is treated as not only nefarious and suspect, but sometimes even criminal. There is no better future waiting for a society that values authority and control over freedom and equality.

Thanks to the hard work from hundreds if not thousands of individuals, I no longer think Bitcoin has to give up this dream. With John Dilley working to lower the costs of opening channels by standardizing coinjoin for channel opening. nopara73 hard at work on hidden wallet along with others implementing the Zerolink protocol. The Stratis team working on the channel based Tumblebit protocol and the Breeze wallet. The Mimble-Wimble sidechain altering the very idea of how a blockchain is constructed. Schnorr signatures creating uniformity across every type of transaction on the network, making coinjoin, batching, tumblebit, channels, etc practically indistinguishable from one another. Alex Bosworth’s work on submarine swaps, cross chain transactions, making combination on-chain and off-chain payments accessible to everyone. With the guys and gals at Lightning Labs, ACINQ, and Blockstream working to make the Lightning Network the agile, low cost, and privacy benefitting payment network that Bitcoin deserves. Neutrino, MAST, taproot, multiple aggregation technologies, Simplicity, scriptless scripts, confidential transactions, bulletproofs, and so much more from so many hard working developers, too many to name. I think we will soon witness the flood of innovation that Andreas Antonopolous said would be a natural result of this permission-less network.

Maybe, just maybe, we can build a protocol for the world that is truly unbiased, where all peers, transactions, and coins are equal in the eyes of the protocol. No longer subservient to some other individual’s or institution’s subjective opinion of which freedoms, rights, or exchanges they feel someone else deserves. No longer will at least these few basic rights be something we must request from someone with power over us, but maybe something we can reinstitute as the default.

Maybe I’m just being overly idealistic and wanting my particular idea of a utopian world that nearly everyone has their own version of. But I see a trend, I see potential, and I see people building. Like never before, there are thousands of people working together on a shared goal, from so many different angles and perspectives, that just 10 years ago, was the purview of a small group of unknown cypherpunks. There is an enormous amount of work and education that’s needed to get us there, but it no longer feels like a fantasy, rather a very real possibility. And something as basic as a Dandelion, may help us see it through. I hope we can embrace our uncertain future together, and that you will join us on this crazy ass ride.


Don’t forget to check out The Cryptoconomy Podcast for more content and discussion.

Support my work: