Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: ETFbitcoin on October 01, 2018, 05:37:30 AM



Title: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 01, 2018, 05:37:30 AM
Recently i read some Bitcoin improvement idea, but i'm really surprised there are barely any information on news media, medium and this forum. So, i decided to make this thread.

What is Dandelion?
Dandelion is a protocol to prevent IP tracking/nodes which firstly broadcast transaction. Bitcoin protocol don't need to be changed since it's implemented on Bitcoin client, which means no soft/hard-fork required.

Why it's necessary?
Every time a node broadcast a transaction, obviously you sent the transaction to other nodes. That means other nodes know who broadcast the transaction to them.
If there's group/state who wish to track transaction origin, they could run many nodes and connect to as many nodes as they can so they can get the node which broadcast the transaction first.

How it works (simplified) ?
https://raw.githubusercontent.com/dandelion-org/bips/master/bip-dandelion/1-dandelion.png

1. Make a privacy graph (few people refers it to hamiltonian circuit or "anonymity set") which contain random peer.
2. A node broadcast a transaction to another peer on circuit
3. The next peer randomly decide to :
    A. broadcast the transaction to Bitcoin network (10% chance by default)
    B. Only broadcast to next peer on circuit (back to step 3)

Potential problems
1. Not enough peers to participate, which reduce Dandelion's advantage.
2. While Dandelion bring good privacy improvement, IMO state/group could track to the "anonymity set".

My opinion
Dandelion bring lots of advantage which require no protocol change and user barely feel the disadvantage (such as slightly longer transaction propagation). Bitcoin Core or any clients should implement Dandelion.

Estimated release date
It was planned along with Bitcoin Core 0.17.0 releases, but currently planned released along with 0.18.0.

p.s. this thread might be changed if i realized there's wrong information, find simpler/more accurate explanation or found reliable information source.

Some informations:
1. https://arxiv.org/pdf/1701.04439.pdf (https://arxiv.org/pdf/1701.04439.pdf)
2. https://github.com/dandelion-org/bips/blob/master/bip-dandelion.mediawiki (https://github.com/dandelion-org/bips/blob/master/bip-dandelion.mediawiki)
3. https://t4ch.top/dandelion-a-bitcoin-protocol-to-hide-a-transactions-origin/ (https://t4ch.top/dandelion-a-bitcoin-protocol-to-hide-a-transactions-origin/)
4. https://medium.com/@thecryptoconomy/dandelions-and-a-bright-future-for-bitcoin-privacy-712dbc4b1ec5 (https://medium.com/@thecryptoconomy/dandelions-and-a-bright-future-for-bitcoin-privacy-712dbc4b1ec5)
5. https://bitcoinmagazine.com/articles/anatomy-anonymity-how-dandelion-could-make-bitcoin-more-private/ (https://bitcoinmagazine.com/articles/anatomy-anonymity-how-dandelion-could-make-bitcoin-more-private/)
6. https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki (https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki)
7. https://hackernoon.com/bitcoin-upgrades-with-dandelion-the-transaction-privacy-protocol-ae9647bfbcb2 (https://hackernoon.com/bitcoin-upgrades-with-dandelion-the-transaction-privacy-protocol-ae9647bfbcb2)

This thread is archived at https://archive.fo/mg8oZ (https://archive.fo/mg8oZ)


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 01, 2018, 05:37:45 AM
With this proposal/improvement, i wonder about these things :
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?
2. Would this affect block size/weight limit size increase in future?
3. Is using Tor/I2P/Kovri better/simpler solution?


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Wind_FURY on October 01, 2018, 06:58:22 AM
OP, can you post more information and what your opinion is on the proposal? That would help start the discussion.

Quote
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?

Of course. It will affect the user too. I will not let the payer leave until I see one confirmation if I was the merchant. Hahaha.

Quote
2. Would this affect block size/weight limit size increase in future?

I believe yes, the same as ring signatures? Maybe DooMad can confirm.

Quote
3. Is using Tor/I2P/Kovri better/simpler solution?

Or take features that help in anonymous transactions in an off-chain solution that Bitcoin already has?


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: HeRetiK on October 01, 2018, 08:54:35 AM
3. Is using Tor/I2P/Kovri better/simpler solution?

I think in the long run it would make sense for Bitcoin to inherently support transaction propagation privacy, without relying on external solutions. The more people use such a system, the better it can ensure privacy. High usage can only be ensured by making it part of Bitcoin.

Question is of course the practical relevance of tracking the (physical) source of a transaction. Currently most invasive measures from governmental bodies seem to take part via transaction analysis and following coins until they end up at an exchange or known merchant. However I wouldn't be surprised if the tracking of Bitcoin nodes became if a thing in the future (if that's not the case already).

Obviously the question is what trade-offs there are to be made, especially in terms of propagation times. At a first glance it doesn't seem to introduce any overhead to the blockchain though, as it seems to only affect transaction routing between nodes. Admittedly I have yet to take a closer look though.


Or take features that help in anonymous transactions in an off-chain solution that Bitcoin already has?

If you are referring to LN -- to my understanding Dandelion would improve privacy on a different level. While LN makes transaction analysis much harder, Dandelion obscures the source of on-chain transactions (eg. opening and closing transactions when referring to LN) in terms of network topology (and by extension on a geographical level).


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: DooMAD on October 01, 2018, 09:43:10 AM
Quote
2. Would this affect block size/weight limit size increase in future?

I believe yes, the same as ring signatures? Maybe DooMad can confirm.

It's the first time I've read about it, but my initial understanding based on a cursory glance of the BIP is no.  Whichever Dandelion-compatible client is selected at random to actually broadcast the transaction, it strips out any of the extra information required by Dandelion and just sends a regular Bitcoin transaction.  Definitely slows down propagation a tiny bit, but doesn't appear to impact tx size once the final broadcast is made.  Clever stuff.

That said, it will obviously be slightly more resource intensive for those choosing to use Dandelion.  You'll be maintaining two distinct mempools.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 01, 2018, 12:33:23 PM
With this proposal/improvement, i wonder about these things :
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?

No, in 2 ways.

1st way: Transaction propagation using BIP 156 (i.e. dandelion tx relay) will still be very fast in relative terms, so it won't make any difference in the real world
2nd way: Accepting 0-confirmation transactions will be just as risky (and inadvisable) as they are without dandelion


2. Would this affect block size/weight limit size increase in future?

No


3. Is using Tor/I2P/Kovri better/simpler solution?

It's gonna be easier to use BIP 156, it doesn't require the user to do anything (Tor requires some extra setup). But it won't work 100% of the time for a while yet, as BIP 156 (dandelion) needs compatible nodes on the Bitcoin network for it to work; it's currently planned for inclusion in version 0.18.0. Only 0.18.0+ nodes will be able to propagate transactions the dandelion way (unless it gets backported to older versions, which seems unlikely as it's a new feature), so it will take some time before you can expect every transaction to be relayed using this technique. I imagine the protocol will be implemented so that BIP 156 nodes prefer to relay only to other BIP 156 compatible nodes, but the implementation isn't finished AFAIK.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: lightningslotmachine on October 01, 2018, 12:41:16 PM
This has just been released for ZCoin

https://zcoin.io/plus-plus-privacy-zcoin-integrates-dandelion/ (https://zcoin.io/plus-plus-privacy-zcoin-integrates-dandelion/)


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 01, 2018, 01:49:12 PM
Quote
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?

Of course. It will affect the user too. I will not let the payer leave until I see one confirmation if I was the merchant. Hahaha.

You know most physical merchants accept 0-confirmation for small transaction knowing double-spend attempt isn't cheap.

Transaction propagation is very fast and merchants/users wait few seconds to check if there's any double-spend attempt. If double-spend transaction is broadcasted after first transaction, in almost all cases it will be rejected.

Quote
2. Would this affect block size/weight limit size increase in future?

I believe yes, the same as ring signatures? Maybe DooMad can confirm.

I don't see the correlation between Dandelion and ring signatures. Could you elaborate?

Quote
3. Is using Tor/I2P/Kovri better/simpler solution?

Or take features that help in anonymous transactions in an off-chain solution that Bitcoin already has?

True, but some off-chain solution such as LN still need at least 2 on-chain transaction when open/close channel.

That said, it will obviously be slightly more resource intensive for those choosing to use Dandelion.  You'll be maintaining two distinct mempools.

I certainly didn't think that, but since once the transaction is broadcasted to network, you simply move transaction on stempool to mempool. IMO it has bigger impact on computational resource.

With this proposal/improvement, i wonder about these things :
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?

No, in 2 ways.

1st way: Transaction propagation using BIP 156 (i.e. dandelion tx relay) will still be very fast in relative terms, so it won't make any difference in the real world
2nd way: Accepting 0-confirmation transactions will be just as risky (and inadvisable) as they are without dandelion

After read the sources more, i agree. But transaction propagation could be longer problem if user don't have any existing privacy graph/"anonymity".

This has just been released for ZCoin

https://zcoin.io/plus-plus-privacy-zcoin-integrates-dandelion/ (https://zcoin.io/plus-plus-privacy-zcoin-integrates-dandelion/)

Nice information, dandelion on actual usage would bring lots of interesting information, even though it's improved/modified.

A bit off-topic, looks like Zerocoin-based cryptocurrency currently trending.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: DooMAD on October 01, 2018, 02:40:34 PM
That said, it will obviously be slightly more resource intensive for those choosing to use Dandelion.  You'll be maintaining two distinct mempools.

I certainly didn't think that, but since once the transaction is broadcasted to network, you simply move transaction on stempool to mempool. IMO it has bigger impact on computational resource.

I could be wrong, but since your stempool will handle other peoples' Dandelion transactions, I thought it fair to assume that both stempool and mempool would need to be maintained continuously.  I doubt it will be particularly demanding on your system, though.  I really like the idea.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: achow101 on October 01, 2018, 03:21:46 PM
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?
No. The transaction will take a little bit longer (but likely not noticeably) than it would without dandelion. The effect of this is really just as if you had hesitated a few extra seconds before sending the transaction. There is no difference to these merchants as they will still likely receive the transaction at around the same time the vast majority of the network does. There is no queue.

2. Would this affect block size/weight limit size increase in future?
No. This is not at all related to transaction sizes, transaction formats, or consensus rules. It is purely a network protocol change. It could be deployed right now with no other changes to Bitcoin.

3. Is using Tor/I2P/Kovri better/simpler solution?
With Tor (I'm not super familiar with the others), you could potentially correlate multiple transactions to the same node. AFAIK, with Dandelion, a new circuit is chosen for each broadcast, so it is much harder to correlate multiple transactions. Also, as mentioned earlier, it would be better for Bitcoin to adopt its own privacy protocols rather than relying on external ones. If the privacy protocol was built into the network protocol itself, that would be better than just a few people choosing to use an external privacy method.

That said, it will obviously be slightly more resource intensive for those choosing to use Dandelion.  You'll be maintaining two distinct mempools.

I certainly didn't think that, but since once the transaction is broadcasted to network, you simply move transaction on stempool to mempool. IMO it has bigger impact on computational resource.

I could be wrong, but since your stempool will handle other peoples' Dandelion transactions, I thought it fair to assume that both stempool and mempool would need to be maintained continuously.  I doubt it will be particularly demanding on your system, though.  I really like the idea.

Resource usage won't be that much worse as some tricks can be used. The stempool is a superset of the mempool, meaning that everything in the mempool is also in the stempool. So instead of duplicating everything, you can just maintain a separate stempool only set of transactions. This would take up the approximately the same amount of memory (there's some data structure overhead) as if the node didn't have dandelion since all of the dandelion transactions would have still happened anyways and gone into the mempool.

For CPU usage, it won't be that much more.



Dandelion is BIP 156 (https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki).


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 01, 2018, 03:53:12 PM
1. Would this affect physical merchants who accept 0-confirmation, since transaction propagation will be longer and merchant/user might have wait a bit longer while there's queue?
No. The transaction will take a little bit longer (but likely not noticeably) than it would without dandelion. The effect of this is really just as if you had hesitated a few extra seconds before sending the transaction. There is no difference to these merchants as they will still likely receive the transaction at around the same time the vast majority of the network does. There is no queue.

I thought more hops before broadcast to Bitcoin network which means network delay between nodes and verification time would be noticeable for 0-conf.

2. Would this affect block size/weight limit size increase in future?
No. This is not at all related to transaction sizes, transaction formats, or consensus rules. It is purely a network protocol change. It could be deployed right now with no other changes to Bitcoin.

I only thought that since i thought that would make transaction propagation slower and few people might have concern with propagation when block size/weight limit size increase is needed.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Piggy on October 02, 2018, 04:59:57 AM
One thing that is not clear to me, does this mean a node using Dandelion is also receiving transactions only through it? If so couldn't this cause potential security issues in certain cases? Since you need completely to relay on it and you cannot be 100% sure what is happening on the rest of the network.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 02, 2018, 08:33:40 AM
One thing that is not clear to me, does this mean a node using Dandelion is also receiving transactions only through it? If so couldn't this cause potential security issues in certain cases? Since you need completely to relay on it and you cannot be 100% sure what is happening on the rest of the network.

I'm not sure I totally understand your question, but I think you might be getting the wrong idea.

All dandelion transactions get broadcast in the regular way that Bitcoin nodes do it today. The difference is that your node doesn't broadcast your transactions, you send it to some distant node who then broadcasts your transactions. Dandelion lets you use a different node for broadcasting every new transaction you make. That means your IP address can't be used to link your transactions together.

So there's no added uncertainty about which transactions are waiting to be confirmed, but it does make it uncertain which node sent any of the transactions in the first place.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: C°bra on October 03, 2018, 12:37:12 AM
I don't understand how this can work.  Suppose I automatically generate two dandelion transactions, with some relationship with each other, like parent/child and relay them at the same time.  Not seeing the first transaction makes the second invalid, but if they both relay through dandelion, won't there be situations where the second transaction is seen by the Bitcoin network first and rejected as invalid because the first is still swimming around in dandelion relays somewhere?  Or are both somehow routing through the same route?  ???

Additionally, from what I read, every dandelion ready node can turn any dandelion transaction into a normal Bitcoin transaction and broadcast it.  There isn't anything like onion routing preventing intermediaries from reading what they're sending along in the next hop.  What if you set up a few nodes, but instead of "fluffing" a transaction 10% of the time, you do it 50%.  Doesn't that degrade the overall security assumptions?

Maybe these are stupid questions and I've misunderstood something, but the BIP and overall research feels incomplete.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: achow101 on October 03, 2018, 01:18:37 AM
Suppose I automatically generate two dandelion transactions, with some relationship with each other, like parent/child and relay them at the same time.  Not seeing the first transaction makes the second invalid, but if they both relay through dandelion, won't there be situations where the second transaction is seen by the Bitcoin network first and rejected as invalid because the first is still swimming around in dandelion relays somewhere?
You would have the same problem today. If you relayed both transactions to your peers at the same time, the second would also be invalid because the first hadn't propagated fully yet. The solution to this "problem" is to wait a few seconds before sending the second transaction. With Dandelion, it is easier to tell if the network has heard your transaction because you will get INVs from the rest of your peers (the ones you hadn't sent the tx to) saying that they have your transaction. At that point, you can broadcast the second one.

Or are both somehow routing through the same route?  ???
They could be routed through the same route. For a given inbound connection, all dandelion transactions received from the connection must be sent through the same outbound connection. As the creator of a transaction, you can choose which outbound connection you wish sent your dandelion transaction to. So if you choose the same node as the first one, then your transaction will most likely end up going through the same route. Of course, each node should also be periodically reselecting which outbound node they will send dandelion transactions to for each incoming connection, so it is possible that you will end up with a different route.

Additionally, from what I read, every dandelion ready node can turn any dandelion transaction into a normal Bitcoin transaction and broadcast it.  There isn't anything like onion routing preventing intermediaries from reading what they're sending along in the next hop.  What if you set up a few nodes, but instead of "fluffing" a transaction 10% of the time, you do it 50%.  Doesn't that degrade the overall security assumptions?
What security assumptions?

All that Dandelion guarantees is that an adversary will have a harder time connecting transactions to IP addresses. Even if you have a node that fluffs 100% of the time, this guarantee still holds because it is not you who sent the transaction to the network, it was someone else. So long as you follow the protocol, your transactions will be harder to deanonymize. Furthermore, you don't stick with the same outbound peer forever. You change which peer to relay dandelion transactions to periodically, so eventually you will get an honest node.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Piggy on October 03, 2018, 03:01:51 PM
hiding transaction origin, that is not the meaning of the transparency of public blockchain

Is just about hiding the ip that originated the transaction itself, i don't see anything wrong with that and I suppose if somebody bothered coming up with this solution, means that there have been already cases where people were "triangulated" successfully.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 03, 2018, 04:02:25 PM
hiding transaction origin, that is not the meaning of the transparency of public blockchain

The blockchain was not conceived so that all meta-information about the network would be transparent, only the ledger entries themselves (the ledger never stored IP addresses, that's undesirable if the currency is to be a good one). The transparency is there to prevent double spends and to prove what the inflation rate is. Determining the origin IP of a transaction is not a part of the Bitcoin protocol, and never was. The design goals behind Bitcoin have always been to make the best possible cryptographic currency, which necessarily includes best possible fungibility of units, and which necessarily includes user privacy and anonymity.

Dandelion is simply one new feature that has been making Bitcoin's users more anonyous through making their transactions more private. It's completely consistent with improving Bitcoin's money properties.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: aliashraf on October 03, 2018, 05:20:04 PM
Although it is brilliant idea and seems to be helpful for users who run a full node, I afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or spv wallets which disclose the addresses they are interested in, to their (potentially spy) peers  anyway.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: piotr_n on October 03, 2018, 05:31:39 PM
IMHO the technology to hide transaction origin was invented long time ago and by now it is quite advanced already.

Except that it isn't called Dandelion, but Tor.

Why to invent the wheel for the second time?


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: achow101 on October 03, 2018, 05:35:48 PM
IMHO the technology to hide transaction origin was invented long time ago and by now it is quite advanced already.

Except that it isn't called Dandelion, but Tor.

Why to invent the wheel for the second time?
As mentioned earlier, Bitcoin shouldn't need to rely on an external service in order to have privacy. Privacy should be built into the protocol itself. Using Tor requires having Tor available on your machine and special configuring which most users won't do. However Dandelion is built into the Bitcoin P2P protocol itself so users don't need to do any special configuration to get it to work, the software just works out of the box.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 03, 2018, 05:44:57 PM
IMHO the technology to hide transaction origin was invented long time ago and by now it is quite advanced already.

Except that it isn't called Dandelion, but Tor.

Why to invent the wheel for the second time?

Tor masks your real IP. But if you send 2 or more transactions from a Tor node, your peers know that they received them first from you. With a certain proportion of sybil nodes on the Bitcoin network, that information can be used to make more concrete inferences about the owner of addreses. Dandelion pushes up the proportion of sybil nodes needed to make such inferences, probably to a very high number.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: piotr_n on October 03, 2018, 05:48:46 PM
IMHO the technology to hide transaction origin was invented long time ago and by now it is quite advanced already.

Except that it isn't called Dandelion, but Tor.

Why to invent the wheel for the second time?
As mentioned earlier, Bitcoin shouldn't need to rely on an external service in order to have privacy. Privacy should be built into the protocol itself. Using Tor requires having Tor available on your machine and special configuring which most users won't do. However Dandelion is built into the Bitcoin P2P protocol itself so users don't need to do any special configuration to get it to work, the software just works out of the box.

It is a nobel approach, but as the reality shows the devs are rather reluctant to introduce "privacy" features into bitcoin software.
And I can't blame them - it's a savage world were living in.

For instance, look at the "coin join" idea - it is at least 6 years old.
But still today the best and only reliable way to anonymize your coins is to push them through a tor mixer service.
Because nobody wants to put his head on providing such services. Or even developing the technology.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: piotr_n on October 03, 2018, 05:53:32 PM
Tor masks your real IP. But if you send 2 or more transactions from a Tor node, your peers know that they received them first from you.
I am not an expert on tor network, but I don't think it is that easy.

if you're not careful the broadcasting server might know that both the transactions came from the same source.
But it won't know your IP.

Just restart your tor node/browser between sending different transactions and you should be fine.
Dark markets have been using Tor since the beginning of bitcoin and nobody ever find them by looking at the tx origin :)


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 03, 2018, 06:16:44 PM
Tor masks your real IP. But if you send 2 or more transactions from a Tor node, your peers know that they received them first from you.
I am not an expert on tor network, but I don't think it is that easy.

if you're not careful the broadcasting server might know that both the transactions came from the same source.
But it won't know your IP.

Also not a Tor expert, but the Bitcoin client implies that the tor exit node is the IP your Bitcoin peer communicates with. A Bitcoin peer who receives your relayed transactions presumably receives them from the exit node's IP, which it necessarily knows. The exit node knows the contents of the transaction you relay, but it shouldn't know your real IP, assuming Tor is perfect. Which is obviously not the case.

So your peer does know that the transactions came from the same IP, but maybe other Bitcoin nodes could be using the same exit node simultaneously. For that reason, using Tor is more anonymous than I implied.


Just restart your tor node/browser between sending different transactions and you should be fine.
Dark markets have been using Tor since the beginning of bitcoin and nobody ever find them by looking at the tx origin :)

Right. Dandelion should give you better transaction anonymity than that without having to restart your Bitcoin node between sending each transaction.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: piotr_n on October 03, 2018, 06:43:44 PM
I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting

some of them don't work through tor, but others do.

I can however understand that someone might have a need to anonymously broadcast new txs in a more systemic way, in which case my method will not be very good for him.
but then, as I say, there are safety concerns of people who'd have to participate in this kind of open source system.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: DooMAD on October 03, 2018, 06:53:23 PM
but as the reality shows the devs are rather reluctant to introduce "privacy" features into bitcoin software.

I wouldn't say that's fair.  They're introducing this feature for starters, but then Schnorr will bring some more privacy benefits once that's good to go.  It sounds like testing is ongoing with Bulletproofs and Confidential transactions. 


Although it is brilliant idea and seems to be helpful for users who run a full node, I afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or spv wallets which disclose the addresses they are interested in, to their (potentially spy) peers  anyway.

We can only provide people with the tools.  We can't force people to use them.  It's up to them how much privacy they want to maintain.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: piotr_n on October 03, 2018, 06:58:58 PM
but as the reality shows the devs are rather reluctant to introduce "privacy" features into bitcoin software.

I wouldn't say that's fair.  They're introducing this feature for starters, but then Schnorr will bring some more privacy benefits once that's good to go.  It sounds like testing is ongoing with Bulletproofs and Confidential transactions. 

OK then, bring it on.
I'll be happy to see it.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 03, 2018, 07:52:07 PM
I wouldn't say that's fair.  They're introducing this feature for starters, but then Schnorr will bring some more privacy benefits once that's good to go.  It sounds like testing is ongoing with Bulletproofs and Confidential transactions.

Schnorr sigs don't add privacy, they just makes it more attractive (because a coinjoin with schnorr aggregated signatures will have effectively cheaper fees than a typical 1 input 2 output transaction). It'd be nice if the Schnorr scheme could allow miners to create blocks that aggregate all separate signatures into one, but I don't know if that's possible/practical.

There are separate proposals to make coinjoins more practical, one of which is particularly attractive (Bustapay). The receiving party in a transaction adds an input to the transaction, which breaks the assumption that inputs are always controlled by the sender. This is actually a really useful way to consolidate your outputs, although this possibly invites a new assumption ("dustiest" input belongs to the receiver). Not as strong an assumption as the status quo, though


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: DooMAD on October 03, 2018, 08:51:56 PM
Schnorr sigs don't add privacy, they just makes it more attractive (because a coinjoin with schnorr aggregated signatures will have effectively cheaper fees than a typical 1 input 2 output transaction). It'd be nice if the Schnorr scheme could allow miners to create blocks that aggregate all separate signatures into one, but I don't know if that's possible/practical.

Oh, I thought aggregating signatures helped with privacy.  Or is that only really effective for multisig transactions?



Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: achow101 on October 03, 2018, 09:10:31 PM
For instance, look at the "coin join" idea - it is at least 6 years old.
But still today the best and only reliable way to anonymize your coins is to push them through a tor mixer service.
Because nobody wants to put his head on providing such services. Or even developing the technology.
CoinJoins and Tor achieve two completely different kinds of anonymity. They are orthogonal to each other. You cannot compare them.

The point of Dandelion is to have privacy by default. It is built into the P2P protocol. Users get privacy without having to think about privacy. OTOH, both Tor and CoinJoins require the user to actively think about and care about their own privacy. That means that most users aren't going to do those things because they don't think about or care about their privacy.

I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting
Good for you. The vast majority of users aren't going to do that because they aren't aware of the privacy implications as you are. The whole reason something like Dandelion is being proposed is to get Privacy into the network protocol itself so that users who don't care about privacy still get privacy anyways.

Oh, I thought aggregating signatures helped with privacy.  Or is that only really effective for multisig transactions?
Schnorr signatures by themselves do not do anything for privacy. But they do allow for things like Taproot and some kinds of multisigs which are better for privacy. But it also depends on what kind of privacy you are talking about because even with those things, people can still know which outputs are yours and how much you are receiving. Furthermore, it does nothing to help with anonymizing the IP address source of a transaction (which is what Dandelion does).


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 04, 2018, 01:33:16 AM
Although it is brilliant idea and seems to be helpful for users who run a full node, I afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or spv wallets which disclose the addresses they are interested in, to their (potentially spy) peers  anyway.

I agree, however SPV wallet users can use Tor (or other secure connection) to prevent tracking / reduce information that could be tracked.
Besides AFAIK it's possible to implement Dandelion on SPV wallet since all Dandelion do are make privacy graph and broadcast transaction to other peers in graph or selected nodes which SPV wallet connects to.

I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting

some of them don't work through tor, but others do.

I can however understand that someone might have a need to anonymously broadcast new txs in a more systemic way, in which case my method will not be very good for him.
but then, as I say, there are safety concerns of people who'd have to participate in this kind of open source system.


To be fair, both TX broadcasting services and Dandelion have different safety concern. But IMO being open-source and no third-party dependent is more favorable.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: r1s2g3 on October 04, 2018, 07:44:02 AM

1. Make a privacy graph (few people refers it to hamiltonian circuit or "anonymity set") which contain random peer.

Does it means if more Nodes are participating (More decentralized we become) , protocol will take more time?
As numbers of Node increase,more time will be required to create the  hamiltonian circuit.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 04, 2018, 08:41:38 AM

1. Make a privacy graph (few people refers it to hamiltonian circuit or "anonymity set") which contain random peer.

Does it means if more Nodes are participating (More decentralized we become) , protocol will take more time?
As numbers of Node increase,more time will be required to create the  hamiltonian circuit.

AFAIK, there's upper limit of participating node and the time to make privacy graph/hamiltonian circuit shouldn't take long time since AFAIK nodes simply select other known Nodes.
If more nodes support Dandelion, creating privacy graph should be easier/faster.

P.S. To be frank, 1st step is most confusing for me.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: piotr_n on October 04, 2018, 10:09:18 AM
CoinJoins and Tor achieve two completely different kinds of anonymity. They are orthogonal to each other. You cannot compare them.
My point was that CoinJoin hasn't really been used in real life, while tor based centralized mixers have. And most likely will be in a future...
If you need to anonymize coins today, you'd rather choose a tor mixed over coin join.


The point of Dandelion is to have privacy by default. It is built into the P2P protocol. Users get privacy without having to think about privacy. OTOH, both Tor and CoinJoins require the user to actively think about and care about their own privacy. That means that most users aren't going to do those things because they don't think about or care about their privacy.

I'm just saying that the coin join idea, despite being very old (and having quite an advanced design by now) has not been delivered to a widely used bitcoin software.
And I'm just worried that Dandelion (or any other privacy enhancing feature) will end up the same way.

Both CoinJoin and Dandelion, in order to actually be practical, should be enabled in a widely used bitcoin software.
Exactly as you say: having it "built into the P2P protocol", so users can get "privacy without having to think about it".



I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting
Good for you. The vast majority of users aren't going to do that because they aren't aware of the privacy implications as you are. The whole reason something like Dandelion is being proposed is to get Privacy into the network protocol itself so that users who don't care about privacy still get privacy anyways.

Yes. However, before Dandelion gets delivers (if ever), it does not hurt to tell people that they already have options to hide transaction origin, had they cared to become aware of the privacy implications.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: aliashraf on October 04, 2018, 11:41:07 AM
Although it is brilliant idea and seems to be helpful for users who run a full node, I afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or spv wallets which disclose the addresses they are interested in, to their (potentially spy) peers  anyway.

I agree, however SPV wallet users can use Tor (or other secure connection) to prevent tracking / reduce information that could be tracked.
Besides AFAIK it's possible to implement Dandelion on SPV wallet since all Dandelion do are make privacy graph and broadcast transaction to other peers in graph or selected nodes which SPV wallet connects to.
SPV wallets set a Bloom filter with full nodes they connect, this way they expose enough information to every single peer and if one of them happens to be a spy node no matter others have implemented Dandelion or not, user ip is compromised. SPVs can't implement Dandelion as they do not validate/relay transactions.

I think someone should do something about SPVs, they constitute the weakest part of bitcoin, I suppose.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 04, 2018, 12:30:35 PM
Although it is brilliant idea and seems to be helpful for users who run a full node, I afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or spv wallets which disclose the addresses they are interested in, to their (potentially spy) peers  anyway.

I agree, however SPV wallet users can use Tor (or other secure connection) to prevent tracking / reduce information that could be tracked.
Besides AFAIK it's possible to implement Dandelion on SPV wallet since all Dandelion do are make privacy graph and broadcast transaction to other peers in graph or selected nodes which SPV wallet connects to.
SPV wallets set a Bloom filter with full nodes they connect, this way they expose enough information to every single peer and if one of them happens to be a spy node no matter others have implemented Dandelion or not, user ip is compromised. SPVs can't implement Dandelion as they do not validate/relay transactions.

I think someone should do something about SPVs, they constitute the weakest part of bitcoin, I suppose.

Not all SPV wallets use Bloom Filter. I already mention using Tor (or other secure connection), so spy nodes can't get their actual IP.

But what i mean is adding Dandelion support to SPV wallet (which means also support limited validation and relay Dandelion's transaction) could give user more privacy (if combined with Tor/similar) since spy nodes only can make sure whether a broadcasted transaction from SPV wallet is created by that user/not.
SPV wallet could be configured to connect to different nodes for different purpose (only receive balance/TX info or broadcast TX) to increase privacy/reduce spy attempt as well.

But my idea is a bit complex and probably no SPV wallet developer interested with my idea.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: r1s2g3 on October 05, 2018, 04:37:33 AM

1. Make a privacy graph (few people refers it to hamiltonian circuit or "anonymity set") which contain random peer.

Does it means if more Nodes are participating (More decentralized we become) , protocol will take more time?
As numbers of Node increase,more time will be required to create the  hamiltonian circuit.

AFAIK, there's upper limit of participating node and the time to make privacy graph/hamiltonian circuit shouldn't take long time since AFAIK nodes simply select other known Nodes.
If more nodes support Dandelion, creating privacy graph should be easier/faster.

P.S. To be frank, 1st step is most confusing for me.

Thanks for your candid reply, I think I figure it out by combining the below two paragraph from github.
Actually Hamiltonian circuit is not feasible so 2 random Dandelion destinations are taken. More the Dandelion nodes, I guess you get more option to select the 2 random destination or path.


Quote
In an ideal setting, we have found that a Hamiltonian circuit provides near-optimal privacy guarantees. However, constructing a Hamiltonian circuit through the Bitcoin P2P network in a decentralized, trustless manner is not feasible. Thus, we recommend that each node select two Dandelion destinations uniformly at random without replacement from its list of outbound peers. Our tests have shown that this method provides comparable privacy with increased robustness.


Quote
Dandelion does not conflict with existing versions of Bitcoin. A Bitcoin node that supports Dandelion appears no differently to Bitcoin nodes running older software versions. Bitcoin nodes that support Dandelion can identify feature support through a probe message. Obviously, older nodes are not capable of Dandelion routing. If a Bitcoin node supporting Dandelion has no peers that also support Dandelion, then its behavior naturally decays to that of a Bitcoin node without Dandelion support due to the Dandelion transaction embargoes.




source: https://github.com/dandelion-org/bips/blob/master/bip-dandelion.mediawiki


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: bobthegrownup on October 17, 2018, 12:24:37 PM
There have been a few mentions of using TOR in this thread and I thought it would be worthwhile to share this whitepaper on why using Bitcoin on TOR is a bad idea

https://arxiv.org/pdf/1410.6079.pdf

Dandelion++ is a fantastic step in the right direction because its lightweight and simple to implement


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 17, 2018, 12:48:05 PM
There have been a few mentions of using TOR in this thread and I thought it would be worthwhile to share this whitepaper on why using Bitcoin on TOR is a bad idea

https://arxiv.org/pdf/1410.6079.pdf

The research on the paper happens somewhere in 2014, where BIP 151 about E2EE (end to end encryption) protocol hasn't used by Bitcoin Core or other client, so some attack/de-anonymization attempt without running full-nodes won't work today.
Besides i think using Tor is still better than connect to bitcoin network directly, especially if government actively monitor/analyze internet traffic or forbid Bitcoin.

Dandelion++ is a fantastic step in the right direction because its lightweight and simple to implement

Care to explain why?


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: gmaxwell on October 19, 2018, 05:05:07 AM
There have been a few mentions of using TOR in this thread and I thought it would be worthwhile to share this whitepaper on why using Bitcoin on TOR is a bad idea
That paper is very bad advice.  It's just wrong. It complains that regular bitcoin nodes can be triggered to ban tor exits, sure, but tor HS bitcoin nodes do not.  The "bad" outcome they are concerned about is that if you use tor you might find it doesn't work and you need to turn off tor to connect: even if that were a real risk it isn't worse than not using tor at all!


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: bobthegrownup on October 19, 2018, 09:43:37 AM
The research on the paper happens somewhere in 2014, where BIP 151 about E2EE (end to end encryption) protocol hasn't used by Bitcoin Core or other client, so some attack/de-anonymization attempt without running full-nodes won't work today.
Besides i think using Tor is still better than connect to bitcoin network directly, especially if government actively monitor/analyze internet traffic or forbid Bitcoin.

This is great feedback. I am writing on article on Dandelion++ and the whitepaper I shared had shown up in some source material as an argument against TOR.

I'll revise to reflect that this whitepaper is no longer relevant. Thanks again


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 19, 2018, 09:58:18 AM
The research on the paper happens somewhere in 2014, where BIP 151 about E2EE (end to end encryption) protocol hasn't used by Bitcoin Core or other client

BIP 151/end-to-end encryption aren't used in Bitcoin yet, and they also don't provide anonymity to Bitcoin nodes anyway, so there would be no difference in Bitcoin's anonymity even if they were in use.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 19, 2018, 10:27:28 AM
The research on the paper happens somewhere in 2014, where BIP 151 about E2EE (end to end encryption) protocol hasn't used by Bitcoin Core or other client

BIP 151/end-to-end encryption aren't used in Bitcoin yet, and they also don't provide anonymity to Bitcoin nodes anyway, so there would make no difference in Bitcoin's anonymity even if they were in use.

Thanks for the information, i just recheck and it's true. It's used bcoin client and looks like i didn't remember it correctly.

But, can you explain why BIP 151 don't provide anonymity to nodes? Excluding de-anonymization method which require full nodes, AFAIK ISP/government/spy at most only can know that it's Bitcoin full nodes traffic without knowing which transaction/block is being transferred.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: Carlton Banks on October 19, 2018, 11:37:07 AM
But, can you explain why BIP 151 don't provide anonymity to nodes? Excluding de-anonymization method which require full nodes, AFAIK ISP/government/spy at most only can know that it's Bitcoin full nodes traffic without knowing which transaction/block is being transferred.

Traffic encryption (as used in BIP151) only makes your Bitcoin use private, not anonymous. Encryption makes what you send private, not who you are (your identity).

Your IP is the most significant identity information that exists on the Bitcoin network. Tor masks your IP from other Bitcoin nodes, dandelion masks which IP a transaction was sent from first.


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: bobthegrownup on October 19, 2018, 02:31:26 PM
Traffic encryption (as used in BIP151) only makes your Bitcoin use private, not anonymous. Encryption makes what you send private, not who you are (your identity).

Your IP is the most significant identity information that exists on the Bitcoin network. Tor masks your IP from other Bitcoin nodes, dandelion masks which IP a transaction was sent from first.

Thank you for clearing that up -- I didn't take the time to fully understand that BIP151 is about anonymizing at the transaction layer, not at the network layer -- which is the relevant part of this thread



Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: bobthegrownup on October 23, 2018, 11:26:51 PM
Finally finished that article about Dandelion. Would love to have your feedback and please share.

https://hackernoon.com/bitcoin-upgrades-with-dandelion-the-transaction-privacy-protocol-ae9647bfbcb2

Thanks again for the correction on the "Bitcoin on Tor isnt a good idea" whitepaper being incorrect!



Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: ETFbitcoin on October 24, 2018, 04:30:58 AM
Finally finished that article about Dandelion. Would love to have your feedback and please share.

https://hackernoon.com/bitcoin-upgrades-with-dandelion-the-transaction-privacy-protocol-ae9647bfbcb2

Thanks again for the correction on the "Bitcoin on Tor isnt a good idea" whitepaper being incorrect!

Nice article, the example is really easy understand.
You might want to use this link https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki (https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki) on URL text " Bitcoin Improvement Proposal 156" (below 2nd image) rather than GitHub pull request which IMO not useful for reader.

Do you mind if i adding your article link to "Some informations" section on this thread?


Title: Re: [Discussion] Dandelion - A protocol to hide transaction origin
Post by: bobthegrownup on October 24, 2018, 06:42:58 AM
Do you mind if i adding your article link to "Some informations" section on this thread?

Yes, that would be an honor!