About Dandelion and Mimblewimble

Beam Privacy
BEAM Privacy
Published in
5 min readNov 6, 2018

The topic of privacy in the context of cryptocurrencies is often mentioned in various articles and is a point of focus of several different projects. In many cases, however, the word ‘privacy’ serves as an umbrella term for a wide variety of aspects and is often misrepresented or misunderstood.

Privacy in Bitcoin

In Bitcoin, for example, all addresses of users participating in transactions as well as the values of the transactions are completely visible and recorded in the blockchain. It should not have been an issue since addresses themselves are supposed to be anonymous and hence the information that someone sent someone else some number of Bitcoins should not have been by itself enough for any significant breach in privacy of bitcoin users. As it turned out, it is relatively simple to deanonymize an address, thus attaching it to the real world identity of the person controlling it. Once this happens, all transactions made from and to this address become visible and traceable since the beginning of the blockchain and till the very last block. This of course, drastically changes the situation.

Bitcoin can no longer be called private in any meaningful sense of the word. Once the anonymity of an address is broken, the entire transaction history becomes completely accessible.

About Mimblewimble

Knockturn Alley Mimblewimble Spell in Harry Potter — Warner Bros

Mimblewimble is a new and elegant protocol aiming to improve confidentiality of blockchain transactions without compromising scalability. In this protocol, there are no addresses, and all transaction values are hidden behind the ‘blinding factors’ — private keys that encrypt the value of the transaction in the blockchain. Looking at an individual transaction one would only see a series of cryptographic commitments representing inputs and outputs. However, no information could be extracted from this data.

Despite strong confidentiality guarantees, even in Mimblewimble, one can still record all commitments, which are unique, for each received transaction and trace which inputs are transformed to which outputs, thus effectively reconstructing the transaction graph. This can be easily accomplished by adding a node to the network to monitor all transactions as they propagate through the network. This does not, in it of itself, present a significant confidentiality breach since even if specific UTXO was deanonymized, it does not (unlike in Bitcoin) lead to deanonymization of the entire transaction history for this user.

However, research has shown [1,2] that in case of a simple Gossip protocol [3] it is possible to calculate the source IP of the transaction with significant probability (over 30%) which in certain cases might lead to deanonymization of specific IPs. This is achieved by having sufficient amount of ‘attacker’ nodes in the system, or a single node connected to all other nodes, recording IPs of transactions, timing each transaction event and observing the spreading dynamics.

A solution? Dandelion!

Dandelion++[4] is a lightweight protocol proposed by Giulia Fanti et al. designed to mitigate these risks and significantly reduce the probability of origin detection. In their proposal, the process of transaction propagation is subdivided into two phases:

1. Stem phase, in which each node sends the transaction only to one randomly selected peer

2. Fluff phase, in which transaction is sent to all peers, effectively falling back to the Gossip protocol

When drawn as a diagram, the visual process is similar to the appearance of a dandelion with the long stem and fluffy head, hence the name of the protocol.

All transactions start in Stem phase, and each node makes an independent decision whether to continue Stem phase or switch to Fluff by rolling a dice with predefined probability. This makes the chance of an ‘attacker’ node receiving the first relay of the transaction in Stem phase significantly smaller and thus makes detection of the origin IP impractically hard.

In Mimblewimble, due to the specific transaction structure, Dandelion can be further improved by using a so-called ‘transaction offset’ trick, which allows to merge several transactions and irreversibly mix their inputs and outputs. This means that even if a node along the Stem phase is determined as an origin of some transaction, it would not be possible to determine which inputs and outputs it has contained initially.

In general, Dandelion provides a significant improvement to the confidentiality of the P2P layer of any cryptocurrency. In Mimblewimble it is further improved by using some protocol-specific tricks, thus making it even more robust against potential attackers.

References:

[1] Alex Biryukov, Dmitry Khovratovich, and Ivan Pustogarov. 2014. Deanonymization of clients in Bitcoin P2P network.

In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 15–29.

[2] Philip Koshy, Diana Koshy, and Patrick McDaniel. 2014. An analysis of anonymity in bitcoin using p2p network traffic.

In International Conference on Financial Cryptography and Data Security. Springer, 469–485.

[3] https://en.wikipedia.org/wiki/Gossip_protocol

[4] Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees (https://arxiv.org/abs/1805.11060)

--

--