Hi all,We're writing with an update on the Dandelion project. As a reminder, Dandelionis a practical, lightweight privacy solution that provides Bitcoin users formalanonymity guarantees. While other privacy solutions aim to protect individualusers, Dandelion protects privacy by limiting the capability of adversaries todeanonymize the entire network.Bitcoin's transaction spreading protocol is vulnerable to deanonymizationattacks. When a node generates a transaction without Dandelion, it transmitsthat transaction to its peers with independent, exponential delays. Thisapproach, known as diffusion in academia, allows network adversaries to linktransactions to IP addresses.Dandelion prevents this class of attacks by sending transactions over a randomlyselected path before diffusion. Transactions travel along this path during the"stem phase" and are then diffused during the "fluff phase" (hence the nameDandelion). We have shown that this routing protocol provides near-optimalanonymity guarantees among schemes that do not introduce additional encryptionmechanisms.Since the last time we contacted the list, we have:- Completed additional theoretical analysis and simulations- Built a working prototype- Built a test suite for the prototype- Written detailed documentation for the new implementationAmong other things, one question we've addressed in our additional analysis ishow to route messages during the stem phase. For example, if two Dandeliontransactions arrive at a node from different inbound peers, to which Dandeliondestination(s) should these transactions be sent? We have found that somechoices are much better than others.Consider the case in which each Dandelion transaction is forwarded to aDandelion destination selected uniformly at random. We have shown that thisapproach results in a fingerprint attack allowing network-level botnetadversaries to achieve total deanonymization of the P2P network after observingless than ten transactions per node.To avoid this issue, we suggest "per-inbound-edge" routing. Each inbound peer isassigned a particular Dandelion destination. Each Dandelion transaction thatarrives via this peer is forwarded to the same Dandelion destination.Per-inbound-edge routing breaks the described attack by blocking an adversary'sability to construct useful fingerprints.This iteration of Dandelion has been tested on our own small network, and wewould like to get the implementation in front of a wider audience. An updatedBIP document with further details on motivation, specification, compatibility,and implementation is located here:We would like to thank the Bitcoin Core developers and Gregory Maxwell inparticular for their insightful comments, which helped to inform thisimplementation and some of the follow-up work we conducted. We would also liketo thank the Mimblewimble development community for coining the term "stempool,"which we happily adopted for this implementation.All the best,Brad Denby <bdenby@cmu.edu>Andrew Miller <soc1024@illinois.edu>Giulia Fanti <gfanti@andrew.cmu.edu>Surya Bakshi <sbakshi3@illinois.edu>Shaileshh Bojja Venkatakrishnan <shaileshh.bv@gmail.com>Pramod Viswanath <pramodv@illinois.edu>