Dandelion++ is a privacy improvement developed by researchers out of the University of Illinois. It alters the way transactions propagate through the Monero network in an attempt to make it tougher to connect a transaction, or group of transactions, to a specific IP address.
The Dandelion upgrade was originally designed for Bitcoin, but Monero developers are winning the race to implement it. The code for Dandelion++ has been successfully merged into the Monero code base and will be included in the next release of the Monero client. The upgrade won’t require a hard-fork because it doesn’t change any consensus rules. It’s an optional upgrade for nodes who want to participate.
Like Bitcoin, Monero nodes talk with other nodes using the same TCP/IP (Transmission Control Protocol/Internet Protocol) used by your web browser to access this webpage. Monero wallets communicate with at least one of these nodes for access to the network.
Currently, the Monero node that broadcasts a wallet’s transaction starts a propagation process called “flooding”. The initial node communicates the transaction to all of its peers, all of those peers communicate to all their peers, and so on. Unfortunately, it’s possible to link a transaction to an IP address using the current implementation. Linking isn’t easy and requires some technical sophistication and hard work, but with enough motivation, skill, and resources it can be done.
A team of researchers out of Luxembourg, Australia and Hong Kong showed in late 2019 that one could deploy Monero nodes in order to discover all the nodes in the network, and their interconnections. By mapping out the network topology, the malicious node(s) can determine the origin of a transaction and its IP address by deducing which node(s) see the transaction first.
Dandelion++ is a propagation method used to make this type of transaction to IP address linking close to impossible.
Monero + Dandelion++
The core idea of Dandelion++ is to first route transactions to a random node in an untraceable way, who then randomizes the “flooding” of the transaction. The name Dandelion gives a rough visualization of this idea.
The node trying to broadcast a transaction seeks out one proxy node to broadcast a transaction to. This connection looks like a stem and thus is called the “stem phase”. Next, the proxy node, upon reception of the transaction, broadcasts the transaction in such a way that the flow of information creates a dandelion-like figure. This is known as the “fluff” phase. The stem phase is also called the “anonymity phase” and the fluff phase is also called the “spread phase”. Two different ways of referring to the same process.
The stem phase achieves anonymity through dynamic connectivity, meaning nodes switch connections every few minutes. Each interval of time between switches is called an “epoch”. At the beginning of every epoch, nodes select two new connections at random to relay transactions to. Whenever the node has a new transaction it needs to broadcast, it picks one of the two relay nodes and stays with that node during that entire epoch. After an epoch ends, a new one begins and the node chooses another two nodes to connect with.
In addition to the dynamic switching, every epoch, a node designates itself as a relayer or a diffuser. A relayer will forward transactions it receives to a proxy node (stem or anonymity phase) and a diffuser will start the diffusion process (spread or fluff phase). During the spreading phase the timing of communications between nodes are random, making it hard for malicious nodes to locate the source of the transaction and thus the corresponding IP address.
The last component of Dandelion++ is called the “fail-safe mechanism”. Every node that relays a transaction during the stem phase starts a timer for that transaction. If a certain amount of time passes without the node receiving the transaction by way of the spread phase, it initiates its own spread phase. This mechanism protects the transaction from two things: (1) the transaction being thrown away by malicious nodes that might discard the transaction during the stem phase and (2) it frustrates deanonymization attempts because the source of the transaction hardly ever is the one to “spread” or “fluff” the transaction.
With these mechanisms in place, the result is a fast, efficient, and effective, method for resisting large-scale rule-breaking adversaries from connecting IP addresses to transactions. With the eventual inclusion of Dandelion++ in Monero, a massive dishonest botnet participating in the Monero network cannot reliably link transactions with IP addresses.
The Monero development community continues to improve its already world-class privacy assurances at an incredible pace. We’re proud to support Monero on our platform and look forward to its continued success.