Many people know bitcoin as an anonymous digital currency, one whose privacy features prime it for concealed payments in sketchy recesses of the internet’s dark web.
These same people would likely be surprised to learn that bitcoin is far from anonymous. More pseudonymous than anything, its underlying technology, the blockchain, actually features a number of technical windows through which users could peep another user’s identity. These interested parties, be they analytics companies, governments or anyone with sufficient IT knowledge, can use peer-to-peer network analysis to link a Bitcoin public address to an IP address, allowing them to learn who owns a wallet and who they’re sending their funds to.
In tracing transactions and public addresses back to their users’ IP addresses, these “spies,” also known as “adversaries,” are effectively deanonymizing users. An obvious breach of privacy, the Bitcoin community has long wrestled with solutions to neutralize this problem.
Entering the conversation is Dandelion, a protocol developed by Giulia Fanti along with Shaileshh Bojja Venkatakrishnan, Surya Bakshi, Bradley Denby, Shruti Bhargava, Andrew Miller and Pramod Viswanath, researchers at Carnegie Mellon, MIT and the University of Illinois. If theory can hold up in application, Dandelion would effectively neutralize the peer-to-peer analysis that plays a significant role in compromising user identity.
Whenever someone sends a transaction on Bitcoin’s network, typically, that transaction is broadcasted to multiple nodes until it is picked up by a miner and included in a block.
This broadcasting process is known as diffusion. It begins when the source node, the node that creates the transaction, transmits it to other nodes on the network. Once this node broadcasts the transaction, each of the other nodes that make up the network continues to independently diffuse the transaction by sending it to others with exponential delays.
Presenting Dandelion at the Building on Bitcoin conference in Lisbon, Portugal, Giulia Fanti explained that the source node’s IP address can often be discerned because “diffusion is susceptible to detection.” When collaborating spy nodes receive a transaction, they can engage in peer-to-peer network analysis to retrace its steps through the network.
Basically, by observing the timing of each broadcast and examining the structure of relays, spies can trace — with a high probability that isn’t necessarily foolproof — a transaction back to its source node. From here, the spy has high odds of gleaning the IP address of the transaction sender.
Dandelion aims to abstract the transaction relaying process to make it more complicated for adversaries to trace transactions. This would, in essence, make it nearly impossible to follow the breadcrumb trail that broadcast timings and relay structures lead back to the source node that originally transmitted the transaction.
To achieve this, Dandelion sends the transaction on a random path through a variable number of nodes before the transaction is diffused across the whole network. The random pathway is known as the stem phase of the protocol, as transactions relayed in the stage are shared only between one another, transmitting from one node to the next. The diffusion phase is known as the “fluff phase,” as the transaction is broadcasted to multiple nodes to be spread across the network (visually and in effect, both of these processes replicate a Dandelion’s anatomy, hence the terminology).
Screenshot of the Dandelion structure as illustrated in Fanti’s talk.
In the stem phase, each node essentially has a 50/50 chance to either continue the stem phase by relaying the broadcast to another node or diffuse the transaction to the rest of the network. If passed on, the next node plays the same odds and the transaction is passed along, one by one, until one triggers the diffusion process.
Adding the first transaction phase before diffusion is meant to provide an added layer of anonymity to the transaction broadcasting process. If the network passes the transaction to multiple potential source nodes before diffusion, this should, in theory, obfuscate where a broadcast came from, thereby making it exceedingly difficult to definitively trace a transaction back to its source.
Dandelion’s proposal is considered to be a feasible step toward solving Bitcoin’s anonymity question that doesn’t involve overhauling its code entirely to outfit it with the kind of peer-to-peer network obfuscation tools a coin like Monero is developing, for example.
The team is often asked why it won’t implement the same onion routing that Monero is focusing on. Fanti admitted in her talk that “Monero is addressing the exact same problem [Dandelion] is trying to solve,” but qualified this by stating that “implementing this is actually really time intensive,” as the Monero development team has been working on it since 2014.
Focusing instead on its own ground-up approach, Dandelion has come some way since it was first introduced in 2017. After a peer review of its code found some glaring holes, the team revamped their efforts and re-released a new white paper with an updated method (known as Dandelion++) in May of 2018.
It’s expected that Dandelion will be implemented into a future Bitcoin Core update, though it will not be ready for the forthcoming 0.17.0 release.