Bitcoin Forum
Author Topic: [Discussion] Dandelion - A protocol to hide transaction origin  (Read 699 times)
Carlton Banks
October 03, 2018, 05:44:57 PM
 #21

IMHO the technology to hide transaction origin was invented a long time ago and by now it is quite advanced already.

Except that it isn't called Dandelion, but Tor.

Why invent the wheel for the second time?

Tor masks your real IP. But if you send 2 or more transactions from a Tor node, your peers know that they received them first from you. With a certain proportion of sybil nodes on the Bitcoin network, that information can be used to make more concrete inferences about the owner of addresses. Dandelion pushes up the proportion of sybil nodes needed to make such inferences, probably to a very high number.

Vires in numeris
piotr_n
October 03, 2018, 05:48:46 PM
 #22

IMHO the technology to hide transaction origin was invented a long time ago and by now it is quite advanced already.

Except that it isn't called Dandelion, but Tor.

Why invent the wheel for the second time?
As mentioned earlier, Bitcoin shouldn't need to rely on an external service in order to have privacy. Privacy should be built into the protocol itself. Using Tor requires having Tor available on your machine and special configuring which most users won't do. However Dandelion is built into the Bitcoin P2P protocol itself so users don't need to do any special configuration to get it to work, the software just works out of the box.

It is a noble approach, but as the reality shows the devs are rather reluctant to introduce "privacy" features into bitcoin software.
And I can't blame them - it's a savage world we're living in.

For instance, look at the "coin join" idea - it is at least 6 years old.
But still today the best and only reliable way to anonymize your coins is to push them through a tor mixer service.
Because nobody wants to put his head on providing such services. Or even developing the technology.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
piotr_n
October 03, 2018, 05:53:32 PM
 #23

Tor masks your real IP. But if you send 2 or more transactions from a Tor node, your peers know that they received them first from you.
I am not an expert on tor network, but I don't think it is that easy.

If you're not careful the broadcasting server might know that both the transactions came from the same source.
But it won't know your IP.

Just restart your tor node/browser between sending different transactions and you should be fine.
Dark markets have been using Tor since the beginning of bitcoin and nobody ever found them by looking at the tx origin :)

Carlton Banks
October 03, 2018, 06:16:44 PM
Last edit: October 03, 2018, 06:27:44 PM by Carlton Banks
 #24

Tor masks your real IP. But if you send 2 or more transactions from a Tor node, your peers know that they received them first from you.
I am not an expert on tor network, but I don't think it is that easy.

If you're not careful the broadcasting server might know that both the transactions came from the same source.
But it won't know your IP.

Also not a Tor expert, but the Bitcoin client implies that the tor exit node is the IP your Bitcoin peer communicates with. A Bitcoin peer who receives your relayed transactions presumably receives them from the exit node's IP, which it necessarily knows. The exit node knows the contents of the transaction you relay, but it shouldn't know your real IP, assuming Tor is perfect. Which is obviously not the case.

So your peer does know that the transactions came from the same IP, but maybe other Bitcoin nodes could be using the same exit node simultaneously. For that reason, using Tor is more anonymous than I implied.


Just restart your tor node/browser between sending different transactions and you should be fine.
Dark markets have been using Tor since the beginning of bitcoin and nobody ever found them by looking at the tx origin :)

Right. Dandelion should give you better transaction anonymity than that without having to restart your Bitcoin node between sending each transaction.

piotr_n
October 03, 2018, 06:43:44 PM
 #25

I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting

Some of them don't work through tor, but others do.

I can however understand that someone might have a need to anonymously broadcast new txs in a more systemic way, in which case my method will not be very good for him.
But then, as I say, there are safety concerns of people who'd have to participate in this kind of open source system.

DooMAD
October 03, 2018, 06:53:23 PM
 #26

but as the reality shows the devs are rather reluctant to introduce "privacy" features into bitcoin software.

I wouldn't say that's fair.  They're introducing this feature for starters, but then Schnorr will bring some more privacy benefits once that's good to go.  It sounds like testing is ongoing with Bulletproofs and Confidential transactions. 


Although it is a brilliant idea and seems to be helpful for users who run a full node, I'm afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or SPV wallets which disclose the addresses they are interested in to their (potentially spy) peers anyway.

We can only provide people with the tools.  We can't force people to use them.  It's up to them how much privacy they want to maintain.

piotr_n
October 03, 2018, 06:58:58 PM
 #27

but as the reality shows the devs are rather reluctant to introduce "privacy" features into bitcoin software.

I wouldn't say that's fair.  They're introducing this feature for starters, but then Schnorr will bring some more privacy benefits once that's good to go.  It sounds like testing is ongoing with Bulletproofs and Confidential transactions. 

OK then, bring it on.
I'll be happy to see it.

Carlton Banks
October 03, 2018, 07:52:07 PM
Merited by Welsh (4), Foxpup (3)
 #28

I wouldn't say that's fair.  They're introducing this feature for starters, but then Schnorr will bring some more privacy benefits once that's good to go.  It sounds like testing is ongoing with Bulletproofs and Confidential transactions.

Schnorr sigs don't add privacy, they just make it more attractive (because a coinjoin with schnorr aggregated signatures will have effectively cheaper fees than a typical 1 input 2 output transaction). It'd be nice if the Schnorr scheme could allow miners to create blocks that aggregate all separate signatures into one, but I don't know if that's possible/practical.

There are separate proposals to make coinjoins more practical, one of which is particularly attractive (Bustapay). The receiving party in a transaction adds an input to the transaction, which breaks the assumption that inputs are always controlled by the sender. This is actually a really useful way to consolidate your outputs, although this possibly invites a new assumption ("dustiest" input belongs to the receiver). Not as strong an assumption as the status quo, though.

DooMAD
October 03, 2018, 08:51:56 PM
 #29

Schnorr sigs don't add privacy, they just make it more attractive (because a coinjoin with schnorr aggregated signatures will have effectively cheaper fees than a typical 1 input 2 output transaction). It'd be nice if the Schnorr scheme could allow miners to create blocks that aggregate all separate signatures into one, but I don't know if that's possible/practical.

Oh, I thought aggregating signatures helped with privacy.  Or is that only really effective for multisig transactions?


achow101
October 03, 2018, 09:10:31 PM
Merited by Welsh (5), Foxpup (2)
 #30

For instance, look at the "coin join" idea - it is at least 6 years old.
But still today the best and only reliable way to anonymize your coins is to push them through a tor mixer service.
Because nobody wants to put his head on providing such services. Or even developing the technology.
CoinJoins and Tor achieve two completely different kinds of anonymity. They are orthogonal to each other. You cannot compare them.

The point of Dandelion is to have privacy by default. It is built into the P2P protocol. Users get privacy without having to think about privacy. OTOH, both Tor and CoinJoins require the user to actively think about and care about their own privacy. That means that most users aren't going to do those things because they don't think about or care about their privacy.

I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting
Good for you. The vast majority of users aren't going to do that because they aren't aware of the privacy implications as you are. The whole reason something like Dandelion is being proposed is to get Privacy into the network protocol itself so that users who don't care about privacy still get privacy anyways.

Oh, I thought aggregating signatures helped with privacy.  Or is that only really effective for multisig transactions?
Schnorr signatures by themselves do not do anything for privacy. But they do allow for things like Taproot and some kinds of multisigs which are better for privacy. But it also depends on what kind of privacy you are talking about because even with those things, people can still know which outputs are yours and how much you are receiving. Furthermore, it does nothing to help with anonymizing the IP address source of a transaction (which is what Dandelion does).

ETFbitcoin
October 04, 2018, 01:33:16 AM
 #31

Although it is a brilliant idea and seems to be helpful for users who run a full node, I'm afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or SPV wallets which disclose the addresses they are interested in to their (potentially spy) peers anyway.

I agree, however SPV wallet users can use Tor (or other secure connection) to prevent tracking / reduce information that could be tracked.
Besides, AFAIK it's possible to implement Dandelion on an SPV wallet, since all Dandelion does is make a privacy graph and broadcast the transaction to other peers in the graph or to selected nodes which the SPV wallet connects to.

I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting

Some of them don't work through tor, but others do.

I can however understand that someone might have a need to anonymously broadcast new txs in a more systemic way, in which case my method will not be very good for him.
But then, as I say, there are safety concerns of people who'd have to participate in this kind of open source system.


To be fair, TX broadcasting services and Dandelion have different safety concerns. But IMO being open-source and not dependent on a third party is more favorable.

r1s2g3
October 04, 2018, 07:44:02 AM
 #32


1. Make a privacy graph (a few people refer to it as a Hamiltonian circuit or "anonymity set") which contains random peers.

Does it mean that if more nodes are participating (the more decentralized we become), the protocol will take more time?
As the number of nodes increases, more time will be required to create the Hamiltonian circuit.

ETFbitcoin
October 04, 2018, 08:41:38 AM
 #33


1. Make a privacy graph (a few people refer to it as a Hamiltonian circuit or "anonymity set") which contains random peers.

Does it mean that if more nodes are participating (the more decentralized we become), the protocol will take more time?
As the number of nodes increases, more time will be required to create the Hamiltonian circuit.

AFAIK, there's an upper limit on participating nodes, and making the privacy graph/Hamiltonian circuit shouldn't take a long time since AFAIK nodes simply select other known nodes.
If more nodes support Dandelion, creating the privacy graph should be easier/faster.

P.S. To be frank, the 1st step is the most confusing for me.

piotr_n
October 04, 2018, 10:09:18 AM
 #34

CoinJoins and Tor achieve two completely different kinds of anonymity. They are orthogonal to each other. You cannot compare them.
My point was that CoinJoin hasn't really been used in real life, while tor based centralized mixers have. And most likely will be in the future...
If you need to anonymize coins today, you'd rather choose a tor mixer over coin join.


The point of Dandelion is to have privacy by default. It is built into the P2P protocol. Users get privacy without having to think about privacy. OTOH, both Tor and CoinJoins require the user to actively think about and care about their own privacy. That means that most users aren't going to do those things because they don't think about or care about their privacy.

I'm just saying that the coin join idea, despite being very old (and having quite an advanced design by now) has not been delivered to a widely used bitcoin software.
And I'm just worried that Dandelion (or any other privacy enhancing feature) will end up the same way.

Both CoinJoin and Dandelion, in order to actually be practical, should be enabled in a widely used bitcoin software.
Exactly as you say: having it "built into the P2P protocol", so users can get "privacy without having to think about it".



I just use any of the send transaction web pages:
https://en.bitcoin.it/wiki/Transaction_broadcasting
Good for you. The vast majority of users aren't going to do that because they aren't aware of the privacy implications as you are. The whole reason something like Dandelion is being proposed is to get Privacy into the network protocol itself so that users who don't care about privacy still get privacy anyways.

Yes. However, before Dandelion gets delivered (if ever), it does not hurt to tell people that they already have options to hide transaction origin, had they cared to become aware of the privacy implications.

aliashraf
October 04, 2018, 11:41:07 AM
 #35

Although it is a brilliant idea and seems to be helpful for users who run a full node, I'm afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or SPV wallets which disclose the addresses they are interested in to their (potentially spy) peers anyway.

I agree, however SPV wallet users can use Tor (or other secure connection) to prevent tracking / reduce information that could be tracked.
Besides, AFAIK it's possible to implement Dandelion on an SPV wallet, since all Dandelion does is make a privacy graph and broadcast the transaction to other peers in the graph or to selected nodes which the SPV wallet connects to.
SPV wallets set a Bloom filter with full nodes they connect, this way they expose enough information to every single peer and if one of them happens to be a spy node no matter others have implemented Dandelion or not, user ip is compromised. SPVs can't implement Dandelion as they do not validate/relay transactions.

I think someone should do something about SPVs, they constitute the weakest part of bitcoin, I suppose.
ETFbitcoin
October 04, 2018, 12:30:35 PM
 #36

Although it is a brilliant idea and seems to be helpful for users who run a full node, I'm afraid it is hardly enough for average users. Typically, they use either online wallets and are totally compromised or SPV wallets which disclose the addresses they are interested in to their (potentially spy) peers anyway.

I agree, however SPV wallet users can use Tor (or other secure connection) to prevent tracking / reduce information that could be tracked.
Besides, AFAIK it's possible to implement Dandelion on an SPV wallet, since all Dandelion does is make a privacy graph and broadcast the transaction to other peers in the graph or to selected nodes which the SPV wallet connects to.
SPV wallets set a Bloom filter with full nodes they connect, this way they expose enough information to every single peer and if one of them happens to be a spy node no matter others have implemented Dandelion or not, user ip is compromised. SPVs can't implement Dandelion as they do not validate/relay transactions.

I think someone should do something about SPVs, they constitute the weakest part of bitcoin, I suppose.

Not all SPV wallets use a Bloom filter. I already mentioned using Tor (or other secure connection), so spy nodes can't get their actual IP.

But what I mean is that adding Dandelion support to an SPV wallet (which means also supporting limited validation and relaying Dandelion's transactions) could give the user more privacy (if combined with Tor/similar), since spy nodes can only make sure whether a broadcasted transaction from the SPV wallet is created by that user or not.
An SPV wallet could be configured to connect to different nodes for different purposes (only receive balance/TX info or broadcast TX) to increase privacy/reduce spy attempts as well.

But my idea is a bit complex and probably no SPV wallet developer is interested in my idea.

r1s2g3
October 05, 2018, 04:37:33 AM
 #37


1. Make a privacy graph (a few people refer to it as a Hamiltonian circuit or "anonymity set") which contains random peers.

Does it mean that if more nodes are participating (the more decentralized we become), the protocol will take more time?
As the number of nodes increases, more time will be required to create the Hamiltonian circuit.

AFAIK, there's an upper limit on participating nodes, and making the privacy graph/Hamiltonian circuit shouldn't take a long time since AFAIK nodes simply select other known nodes.
If more nodes support Dandelion, creating the privacy graph should be easier/faster.

P.S. To be frank, the 1st step is the most confusing for me.

Thanks for your candid reply, I think I figured it out by combining the two paragraphs below from GitHub.
Actually a Hamiltonian circuit is not feasible, so 2 random Dandelion destinations are taken. The more Dandelion nodes there are, I guess the more options you get for selecting the 2 random destinations or path.


Quote
In an ideal setting, we have found that a Hamiltonian circuit provides near-optimal privacy guarantees. However, constructing a Hamiltonian circuit through the Bitcoin P2P network in a decentralized, trustless manner is not feasible. Thus, we recommend that each node select two Dandelion destinations uniformly at random without replacement from its list of outbound peers. Our tests have shown that this method provides comparable privacy with increased robustness.


Quote
Dandelion does not conflict with existing versions of Bitcoin. A Bitcoin node that supports Dandelion appears no differently to Bitcoin nodes running older software versions. Bitcoin nodes that support Dandelion can identify feature support through a probe message. Obviously, older nodes are not capable of Dandelion routing. If a Bitcoin node supporting Dandelion has no peers that also support Dandelion, then its behavior naturally decays to that of a Bitcoin node without Dandelion support due to the Dandelion transaction embargoes.




source: https://github.com/dandelion-org/bips/blob/master/bip-dandelion.mediawiki

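A toy simulation of the two BIP paragraphs quoted in the post above, together with the "peers know they received it first from you" inference raised earlier in the thread. It is an added illustration, not code from the BIP, Bitcoin Core or any poster. The network size, the eight outbound peers, the 10% fluff probability and the rule that a spy blames whichever node handed it the transaction are all assumptions of this model.

```python
import random

# Assumed parameters for this toy model (none are taken from the thread or the BIP).
OUTBOUND = 8        # outbound connections per node
FLUFF_PROB = 0.1    # per-hop chance that a stem relay switches to normal broadcast


def build_network(n, spy_fraction, rng):
    """Constructed network: every node gets OUTBOUND random outbound peers."""
    nodes = list(range(n))
    spies = set(rng.sample(nodes, round(n * spy_fraction)))
    outbound = {v: rng.sample([u for u in nodes if u != v], OUTBOUND) for v in nodes}
    return nodes, spies, outbound


def pick_destinations(outbound_peers, supports_dandelion, rng):
    """Choose up to two Dandelion destinations uniformly at random, without
    replacement, among outbound peers that answered the feature probe."""
    capable = [p for p in outbound_peers if p in supports_dandelion]
    return rng.sample(capable, min(2, len(capable)))


def plain_relay_guess(sender, spies, outbound):
    """Normal broadcast: a spy directly connected to the sender hears it first
    from the sender and blames it; otherwise nobody is blamed in this model."""
    return sender if any(p in spies for p in outbound[sender]) else None


def dandelion_guess(origin, spies, dests, outbound, rng, max_hops=1000):
    """Stem phase: the transaction moves one hop at a time. A spy on the stem
    blames the node that handed it the transaction (the previous hop)."""
    current = origin
    for _ in range(max_hops):
        if not dests[current]:           # no capable peer: decays to plain relay
            return plain_relay_guess(current, spies, outbound)
        nxt = rng.choice(dests[current])
        if nxt in spies:
            return current
        current = nxt
        if rng.random() < FLUFF_PROB:    # fluff phase starts at `current`
            return plain_relay_guess(current, spies, outbound)
    return None


def deanonymization_rate(dandelion, n=300, spy_fraction=0.2, trials=2000, seed=1):
    """Share of transactions whose true origin is the node the spies blame."""
    rng = random.Random(seed)
    nodes, spies, outbound = build_network(n, spy_fraction, rng)
    honest = [v for v in nodes if v not in spies]
    supports = set(nodes) if dandelion else set()   # empty set = no Dandelion peers
    dests = {v: pick_destinations(outbound[v], supports, rng) for v in nodes}
    hits = 0
    for _ in range(trials):
        origin = rng.choice(honest)
        hits += dandelion_guess(origin, spies, dests, outbound, rng) == origin
    return hits / trials


if __name__ == "__main__":
    print("plain relay :", deanonymization_rate(dandelion=False))
    print("dandelion   :", deanonymization_rate(dandelion=True))
```

In this model the spies' hit rate under plain relay is roughly 1 - 0.8^8 with 20% spy nodes, while on the stem it falls to about the spy fraction itself, since only a spy sitting on the very first hop blames the right node.
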
bobthegrownup
October 17, 2018, 12:24:37 PM
 #38

There have been a few mentions of using TOR in this thread and I thought it would be worthwhile to share this whitepaper on why using Bitcoin on TOR is a bad idea

https://arxiv.org/pdf/1410.6079.pdf

Dandelion++ is a fantastic step in the right direction because it's lightweight and simple to implement
ETFbitcoin
October 17, 2018, 12:48:05 PM
 #39

There have been a few mentions of using TOR in this thread and I thought it would be worthwhile to share this whitepaper on why using Bitcoin on TOR is a bad idea

https://arxiv.org/pdf/1410.6079.pdf

The research in the paper happened somewhere in 2014, when BIP 151 about the E2EE (end to end encryption) protocol hadn't been used by Bitcoin Core or other clients, so some attacks/de-anonymization attempts without running full nodes won't work today.
Besides, I think using Tor is still better than connecting to the bitcoin network directly, especially if a government actively monitors/analyzes internet traffic or forbids Bitcoin.

Dandelion++ is a fantastic step in the right direction because it's lightweight and simple to implement

Care to explain why?

gmaxwell
October 19, 2018, 05:05:07 AM
Merited by Foxpup (2)
 #40

There have been a few mentions of using TOR in this thread and I thought it would be worthwhile to share this whitepaper on why using Bitcoin on TOR is a bad idea
That paper is very bad advice.  It's just wrong. It complains that regular bitcoin nodes can be triggered to ban tor exits, sure, but tor HS bitcoin nodes do not.  The "bad" outcome they are concerned about is that if you use tor you might find it doesn't work and you need to turn off tor to connect: even if that were a real risk it isn't worse than not using tor at all!