Anonymity / Mix-nets etc

So I understand, superficially at least, that Dandelion will bring with it significant privacy improvements. I am curious if it is sufficient against a global passive adversary however, and if there are thoughts within this community about using mix-nets to further conceal valuable metadata on the network?

For example, Monero will soon be using an C++ port of I2P called Kovri.

awesome, Monero seems to have an aweful lot going for it. As far as I’m aware, grin is meant to be a simple implementation, nothing fancy. who knows what the future holds. Kovri seems like a really wise move, especially if you want to protect a group of satoshi nakamotos and a group of voldemorts. Makes me think that when gold hits $60k and bitcoin $20k(again) that really the safest option is just to memorize a wallet and use Monero, providing you actually have some worth anything. I’m not an expert however I really like how grin will cut down on blockchain size and help future virtual coin make progress in this area. There’s also bs about making it quantum safe. Oh and yeah, it’s got a little bit of privacy built in. It all moves so fast, I haven’t got a single blockchain address thats worth anything, my only hope is to mine gringots the rest of my life. On one graphics card. :disappointed_relieved: Voldemorts winning…

It’s hard to say what is sufficient against such adversaries, but that’s the type of widespread anonimity attack that Dandelion designed to protect against. It’s worth mentioning that protocols like Tor or I2P just protect your own node, and others not using either can undermine your anonimity. In the case of Dandelion, usage of the protocol also helps others’ anonimity.

1 Like

I have been thinking about it, but no one answered my question on reddit.

I’m assuming transactions can be broken up, a->b can become a-> and ->b; and even if grouped in arbitrary way, so long as it mixed back in for the final big transaction with every part accounted for it would still be valid, i.e. a,c->b,d is made up of a->b and c->d even if added together in 4 parts in arbitrary ways. Is that true devs?


  1. have each user their atomic “true” transactions prepared. (a->a’)

  2. each user generates two temp id’s(1,5) and methods of contract(2 different proxies or tor) and two fake transactions a-> and ->a’. These are the current transaction for the two id’s. The user pretends that their id’s are 100% seperate.

  3. everyone adds some randomness to to give each id a position in a binary tree

  4. starting at the their position on the tree, trade their current fake transaction (a->) with a user on the other side of the leaf (->b’), combining it together into a new fake transaction(a->b’)

  5. repeat 4 until you reach the top of the tree (a->b’) (a,c->b’,d’) (a,b,c,d->a’,b’,c’,d’)

  6. verify that what you got is valid and send it out.

Being part of this requires a linear number of steps; while matching a->a’ probably requires n^2 steps even if you own a big chunk of the network. With enough users it should be at least computationally challenging to demix

Your assumption sounds correct but I’m unclear as to what you’re trying to achieve or what problem you’re trying to solve. We can already trivially aggregate a->b and c->d into (a,b->c,d).

Hiding the existence of a->b from non-pruning nodes like the nsa will definitely run.

If alice and bob both get arrested without wiping their computers( or if just bob is sending money to himself to clog up the nsa data centers and gets arrested, or some scheme to launder tainted outputs) the nsa can use a->b to prove alice sent bob money. If instead there is a massive mix network like I described there may only be evidence that they used the mix network at the same time.

Also as I understand it comboing transactions isn’t that simple, a,c->a’,c’ and b,c->b’,c’ into a,b,c->a’,b’,c’ isn’t simple. I think ideally we don’t want atomic transactions floating around as its an attack vector if there is enough metadata floating around, but nodes will need something clever to not pass atomic transactions around.

My gripe with Monero is that it’s still untested and it can’t scale for toffee. Main reason why we’ve taken our time with privacy on Bitcoin is that particular need for anon and privacy should come second to security. Security and distribution first, then privacy and scaling next. Monero also doesn’t have developers with the technical chops to protect it from quantum computing and when that time comes, Bitcoin stands the best chance of being able to implement the necessary fix and this (I feel) will be the doomsday moment for many cryptocurrencies.

Monero does have advantages over it’s privacy focused competitors which is fiat gateways. They’re still clunky but at least people wishing to bring their Monero to the real world, there are option for them with localmonero as well as other similar platforms. If GRIN really wants to be adopted by those who need it most (in a fiat world) then it needs services where it can easily transacted to paper money and vice versa. it’s just not going to work having FIAT - BTC - GRIN. Identify is ruined in the first hop. It can only be FIAT - GRIN P2P until we live in a post fiat world/society.

Your gripe with Monero is extremely off-topic. Let’s keep the discussion technical.

I am also concerned that we cannot rely on pruning for privacy since we should assume that there are nodes that simply archive everything that they see. Hiding metadata is a must.

Then follow closely Dandelion relay and aggregation for transactions.