Monero Wine

Dandelion++ and fight with metadata
In previous articles, we looked at how the problem of anonymity and privacy in Monero and other private cryptocurrencies is solved at the blockchain architecture level using RingCTs, Bulletproofs, zk-SNARKs (in Zcash), etc. But besides this, there is also the problem of user deanonymization at the network level, i.e. P2P propagation of a transaction on the network, before it is received by the miner and included in the block.

Monero nodes communicate with peers using the standard TCP protocol. The Monero node that broadcasts a new transaction uses a process called flooding. Any connection between your IP address and the transactions you create makes an information leak, even though you would most likely want to hide even the fact of a Monero transaction. The problem is that it is the flooding of transactions over the P2P network that allows one to associate a Monero transaction with a specific IP address.

Dandelion solution
A special routing mechanism called Dandelion, or BIP (Bitcoin Improvement Proposal) 156, was proposed by a group of authors from Carnegie-Mellon and the University of Illinois in 2017. Initially, the focus was on Bitcoin, but this applies to Monero as well. The idea with Dandelion is to first route transactions to the remote host in a special undetectable way, before initiating flooding.
Dandelion aims to abstract the relaying process to make it more difficult to track transactions. This would in fact make it nearly impossible to trace the transaction back to the origin node that first started the transmission.
The first Dandelion implementation had several significant drawbacks. Motivated by the growing global cryptocurrency analysis market (growing demand for services of Chainalysis, Elliptic and other companies) the authors revised assumptions from their earlier work and a year later developed Dandelion++. Dandelion++ configures Dandelion to protect against large-scale de-anonymization attacks, such as when using a botnet.

Dandelion++ phases
Dandelion++ sends a transaction along a random path through a variable number of nodes before the transaction is propagated across the network.
The stem phase is the anonymous phase in which the protocol reduces the ability to display the IP address of the source node. In the initial phase, the node transmits the transaction message to one random node. The selection is made based on a special algorithm. Subsequently, this node only transmits the transaction message to the other node. This continues until, finally, one of the nodes begins to diffuse the message to the rest of the network.
The fluff phase begins when one node transmits a message using the diffusion method, it quickly spreads to most of the nodes in the network. However, it becomes much more difficult to track down the original node: the first message was transmitted by individual nodes in confidence. The observer can only match the propagation of transactions to multiple nodes where the message was transmitted in the stem phase. The identity of the original sender is confusing. This is similar to how Monero's ring signature protects the anonymity of the wallet that signed the transaction.
There is an additional, complementary part of the Dandelion++ protocol called the fail-safe mechanism. Each node relaying a stem phase transaction starts a timer for each such transaction. If the temp threshold is exceeded and the node does not receive the same transaction back in the fluff phase, it begins its own fluff phase. This is done for two reasons: in this way, the node thwarts attempts to perform deanonymization in time, and also prevents so-called black hole attacks, during which malicious nodes discard transactions in the stem phase, rather than relay them.

Dandelion++ was introduced into the Monero source code in April 2020 via a pull request.

Dandelion++ vs Tor

Dandelion++ has several advantages over other network anonymity implementations such as Tor. Tor uses onion routing to hide users' geographic location and IP addresses, and the thing is that the integration of Tor at the network level is extremely challenging.
Monero is a great example of this, as it took over four years to bring its Tor-like I2P Kovri project into their network and is still ongoing. So using Dandelion++ can be much more convenient for most of the cryptocurrency projects.
From the users' perspective, routing transactions through Tor are also not particularly accessible to mainstream Bitcoin users, who are either unaware of the privacy shortcomings of the network or lack the experience to properly route transactions through Tor. Last but not least, Tor can be relatively slow due to the limited bandwidth compared to Dandelion++.


Dandelion++ represents another step forward in protecting user privacy in the cryptocurrency space. More technologies and protocols will be covered in the future articles.