Grin core developers respond to the Mimblewimble "vulnerability": not a fundamental flaw, Grin is safe

On November 18th, Ivan Bogatyy, a researcher at the blockchain investment fund Dragonfly Capital, wrote that the privacy of the Mimblewimble protocol is fundamentally flawed, and that by spending only a modest weekly sum on AWS he could uncover, in real time, the exact addresses of the sender and recipient of 96% of Grin transactions. Bogatyy said the issue is inherent to Mimblewimble and he believes there is no way to fix it, which means that, in terms of privacy, Mimblewimble should no longer be considered a viable alternative to Zcash or Monero. His article describes the exact method of carrying out the attack on the Mimblewimble protocol; in a live test against Grin, the success rate of uncovering transaction-flow information was 96%.

Shortly afterwards, Daniel Lehnberg, a core developer of Grin (one of Mimblewimble's key implementations), together with other contributors, rebutted the article, pointing out that there is no "fundamental flaw" in the privacy of the Mimblewimble protocol as Bogatyy describes, and that the "attack" on Mimblewimble/Grin is a misunderstanding of a known limitation.


The following is the full response from the Grin developers:

Editor's Note: There is no "fundamental flaw" in the privacy of the Mimblewimble protocol. The "attack" described on Mimblewimble/Grin is a misunderstanding of a known limitation. Although the article provides some interesting numbers from a network-analysis exercise, the results presented do not constitute an attack, nor do they support the sensational claims the article makes.

Today, Ivan Bogatyy, a researcher at the blockchain investment fund Dragonfly Capital, published an article titled Breaking Mimblewimble's Privacy Model. The authors assert that they have somehow "broken" the privacy model of Mimblewimble and Grin.

The "attack" the authors claim to have found is the well-documented and widely discussed linkability of inputs and outputs in the transaction graph. This is nothing new to anyone on the Grin team, or to anyone who has studied the Mimblewimble protocol. Grin acknowledged the linkability of outputs on the chain in the Privacy Primer published on its public wiki in November 2018, before mainnet launch; the issue, including the "flashlight attack" proposed by Ian Miers, is listed there as one of the open research questions.

In fact, many of the statements in the article, including its title, are inaccurate. At a high level, the article is not a subtle read and appears designed to be eye-catching; its conclusions rest on many logical leaps that the network-analysis exercise it describes does not confirm.

The Grin team has always acknowledged that Grin's privacy is far from perfect. Transaction linkability is a limitation we have been hoping to mitigate as part of our goal of continually improving privacy, but it does not "break" Mimblewimble, nor is it a "fundamental flaw" that invalidates Grin's privacy protection.

Rather than rebut the article point by point, we set out the main problems with the study and its conclusions.

1) Mimblewimble has no addresses

The most fundamental problem with the research and the article concerns Mimblewimble's most fundamental privacy benefit: Mimblewimble has no addresses of the kind a Bitcoin wallet has. Participants exchange value by adding one-time outputs to a transaction, and at no point is an identifiable "address" presented to the network or recorded in the blockchain data.

2) You cannot link to an address that does not exist

On this point, the researchers take an inconsistent approach. The GitHub repository linked from the article states:

"There are no addresses, only UTXOs hidden as Pedersen commitments."

The article then sketches the following scenario:

"For example, say I am a law-enforcement officer. I know that an address belongs to a vendor on a dark market. When you send Grin to the Coinbase exchange, Coinbase will associate your address with your name."

The article continues:

"Or, an authoritarian government knows that an address belongs to a dissident. You send a small donation to the dissident."

It is unclear how a law-enforcement officer would know an address that does not exist, or how Coinbase would link a non-existent address to its owner's name. Or, for that matter, how an authoritarian government would link a non-existent address to a dissident.

We must assume the author is simply confusing transaction outputs (TXOs) with addresses, but the two are not the same thing. And, as covered in detail above, the linkability of TXOs is not news.
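To make the distinction concrete, here is an added toy model (not Grin's code) of a Mimblewimble transaction built from Pedersen commitments: a node sees only output commitments and a kernel excess, checks that they balance, and never encounters an address or an amount. It assumes a constructed modular group in place of secp256k1, and the amounts and names (Alice, Bob) are invented.

```python
import secrets

# Constructed toy group: integers mod a Mersenne prime stand in for secp256k1 points.
# NOT secure (log_G(H) is a known constant here); only the structure is illustrative.
P = 2**127 - 1              # prime modulus; exponents live mod P - 1
G = 3                       # generator that carries the amount
H = pow(G, 0xC0FFEE, P)     # generator that carries the blinding factor

def commit(amount: int, blind: int) -> int:
    """Pedersen commitment C = G^amount * H^blind (mod P).
    Hiding: any amount fits some blind. Binding: C cannot be reopened to another amount."""
    return pow(G, amount, P) * pow(H, blind, P) % P

def kernel_excess(in_blinds, out_blinds) -> int:
    """The transaction's only secret: sum(output blinds) - sum(input blinds).
    In Grin this value is the public key the transaction kernel is Schnorr-signed with."""
    return (sum(out_blinds) - sum(in_blinds)) % (P - 1)

def verify(inputs, outputs, excess) -> bool:
    """Node-side check: prod(outputs) / prod(inputs) == H^excess.
    The G factors cancel exactly when amounts balance, so the verifier learns no amount
    and sees no address. (Grin also attaches a range proof to every output so that
    amounts cannot wrap around to negative values.)"""
    acc = 1
    for c in outputs:
        acc = acc * c % P
    for c in inputs:
        acc = acc * pow(c, P - 2, P) % P   # multiply by the modular inverse (Fermat)
    return acc == pow(H, excess, P)

def build_tx(in_amounts, out_amounts):
    """Build a transaction with fresh random blinding factors.
    Returns exactly what the network sees: input/output commitments and the excess."""
    in_blinds = [secrets.randbelow(P - 1) for _ in in_amounts]
    out_blinds = [secrets.randbelow(P - 1) for _ in out_amounts]
    inputs = [commit(a, r) for a, r in zip(in_amounts, in_blinds)]
    outputs = [commit(a, r) for a, r in zip(out_amounts, out_blinds)]
    return inputs, outputs, kernel_excess(in_blinds, out_blinds)

def aggregate(tx_a, tx_b):
    """Merge two transactions (Dandelion aggregation / CoinJoin): concatenate inputs
    and outputs and add the excesses. Nobody has to sign anything again."""
    return tx_a[0] + tx_b[0], tx_a[1] + tx_b[1], (tx_a[2] + tx_b[2]) % (P - 1)

if __name__ == "__main__":
    alice = build_tx([10], [7, 3])         # Alice spends 10: 7 to Bob, 3 change
    print(verify(*alice))                  # True
    print(verify(*build_tx([10], [7, 4]))) # False: tries to create 1 unit from nothing
    print(verify(*aggregate(alice, build_tx([5], [5]))))  # True: aggregate still balances
```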

3) 95.5% is close to 100%, but the number does not mean much

The article's detailed account of the actual experiment is what it calls the "attack". So-called "sniffer nodes" collect transactions broadcast by peers during the stem and fluff phases of the Dandelion protocol. The authors were able to collect 95.5% of the transactions on the network during a given period. Beyond learning that "Output A was spent to Output B", it is unclear what exactly is determined here, or what the authors could do with this information.

4) The transaction graph alone reveals no information about the parties...

Although it is best to avoid leaking the transaction graph at all, the graph alone does not necessarily reveal which outputs belong to the sender and which to the receiver. Without amounts, it is hard to tell a change output from a recipient output. The article does not attempt to do this; it would be an interesting area for future research.

5) ... and the authors do not seem to realise this

The GitHub repository linked from the article states:

"What we found is the transaction graph: the record of who pays whom."

But this is not the case.

Let us give a concrete example. Alice builds a transaction with Bob (possibly over Tor, via grinbox, or by direct file exchange). She then broadcasts the transaction to the network through a hosted node (e.g., using wallet713).

In this example, a "sniffer node" monitoring the network learns nothing about Alice, and certainly not who paid whom. The "flashlight attack" is an active attack in which the adversary takes part in building the transaction; the network analysis in the article was passive, and this distinction is well established.
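The following added example (not from the article or from Grin) quantifies what a passive observer of the transaction graph can and cannot infer, before and after aggregation; the transactions, commitment identifiers and party names are constructed.

```python
from fractions import Fraction

def observed_links(tx):
    """Links an observer can read off a transaction seen in isolation: every input was
    spent to every output. Without amounts it still cannot tell change from payment."""
    return {(i, o) for i in tx["inputs"] for o in tx["outputs"]}

def aggregate(txs):
    """Dandelion stem aggregation, or simply a block: inputs and outputs are merged and
    kernels concatenated. No participant signs again (Mimblewimble's built-in CoinJoin)."""
    return {"inputs": [i for tx in txs for i in tx["inputs"]],
            "outputs": [o for tx in txs for o in tx["outputs"]],
            "kernels": [k for tx in txs for k in tx["kernels"]]}

def link_precision(txs, view):
    """Share of the links inferred from `view` that really exist in `txs`.
    1.0 means the graph leaked completely; 1/n corresponds to an anonymity set of n."""
    truth = set().union(*(observed_links(tx) for tx in txs))
    guessed = observed_links(view)
    return Fraction(len(truth & guessed), len(guessed))

# Constructed sample data: Alice pays Bob (one output is her change), Carol pays Dave.
# Identifiers stand for Pedersen commitments; nothing in them names a party.
ALICE_TX = {"inputs": ["cmt_in_A"], "outputs": ["cmt_out_1", "cmt_out_2"], "kernels": ["k_A"]}
CAROL_TX = {"inputs": ["cmt_in_C"], "outputs": ["cmt_out_3", "cmt_out_4"], "kernels": ["k_C"]}

def sniffer_before_aggregation(txs):
    """Each transaction relayed alone: its input->output links are certain (precision
    1.0). That is the whole content of a "95.5% of transactions collected" result."""
    return [link_precision([tx], tx) for tx in txs]

def observer_after_aggregation(txs):
    """The same transactions seen only as one aggregate. A block holding a single
    transaction is the degenerate case with precision 1.0, which is why one-transaction
    blocks are trivially linkable; two transactions already halve the precision."""
    return link_precision(txs, aggregate(txs))

if __name__ == "__main__":
    print(sniffer_before_aggregation([ALICE_TX, CAROL_TX]))   # [Fraction(1, 1), Fraction(1, 1)]
    print(observer_after_aggregation([ALICE_TX, CAROL_TX]))   # 1/2
    print(observer_after_aggregation([ALICE_TX]))             # 1
```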

6) The article's title is misleading, and nothing is "broken"

The article is titled "Breaking Mimblewimble's Privacy Model". But Mimblewimble's privacy model does not include preventing transaction outputs from being linked by nodes that monitor the network.

Conclusion

You never get more privacy than the size of your anonymity set allows.

Grin is a minimal, privacy-preserving, scalable and fair cryptocurrency. It is far from perfect, but it implements the same security model as Bitcoin while enabling better privacy by default and requiring less data to be retained. It does all this without a trusted setup, without an ICO and without pre-mining.

However, Grin is still very young and has not yet reached its full potential. Network usage has remained low in the 11 months since mainnet launch. Of the most recent 1000 blocks, 22% contain only one transaction (and 30% contain none), which means their inputs and outputs are trivially linkable. This will not change until network usage increases, but even so it does not mean that the identities of sender and receiver are revealed.

Working together helps privacy research

As contributors to Grin, we are glad to see interest in the project. Our community welcomes scientific analysis and review of Grin's protocol and codebase, but also expects some rigour. In fact, if asked, we would even help.

The Dragonfly Capital researcher asked Haseeb, Oleg, Elena, Mohammed and Nader to review the work, but unfortunately did not ask anyone in the Grin community to participate or to give (friendly) feedback on what was about to be published. Had they done so, we might not have needed to respond at all, and the quality of the work could only have improved. In a tweet, the article's author wrote:

"Importantly, I have great respect for the Grin community and core developers, and they helped a lot in answering my questions."

This suggests they were in contact with us while preparing the article, but we have seen nothing from the author on our Gitter channel or on Keybase. Both parties missed an opportunity to conduct high-quality research.

Co-authors of this response: David Burkett, Jasper, @joltz, Quentin Le Sceller, Yeastplume.


Charlie Lee (Li Qiwei), founder of the Litecoin project, which is also adopting Mimblewimble's privacy technology, responded on Twitter:

This limitation of the MimbleWimble protocol is well known. MW is basically Confidential Transactions with scalability advantages and a degree of unlinkability. For better privacy, users can still use CoinJoin (CJ) before broadcasting, and because of CT (Confidential Transactions) and aggregation, CJ works very well on MW. Compared to BTC/LTC, CJ on MW is much easier to use:

1. MW has CT, so all amounts are hidden and there is no need to agree on a uniform output size;

2. MW uses aggregation, so no one needs to sign the final CJ transaction; hence no participant can deny service by refusing to sign.

At the time of writing, Ivan Bogatyy has published a correction stating that the privacy of the Mimblewimble protocol is not fundamentally flawed.