Last night, an article by Ivan Bogatyy, a researcher from Dragonfly Capital, about Mimblewimble and Grin sparked a lot of discussion, claiming that his attack method could track the "address" of Grin senders and recipients in real time at very low cost. Therefore, he believes that Mimblewimble's privacy model is bad.
So, does the problem it says exist? In fact, let's leave the "address" problem aside. This is actually a limitation of the Mimblewimble protocol that the Grin development team clearly pointed out at the end of 2018 (before the launch of the Grin main network).
Grin is implemented as a MimbleWimble, which uses a transaction format called Secure Transaction (CT) to hide the identity of the sender and receiver, so it is actually that it has no public amount and address information.
- Which company likes to hire people the most? Which jobs are most popular? 2019 Blockchain Overseas Recruitment List
- Survey: 61 dark net payment status, who is favored outside of Bitcoin
- One-week regulatory review | German law allows banks to trade cryptocurrencies, changes in Asian law
- Increase the number of docking exchanges and switch to new blockchains, USDT market share still leads
- Understanding Zk-stark of Zero Knowledge Proof Algorithm-Arithmetization
- 6 pictures tell you about the development status of the Asian cryptocurrency market
The information that a Grin transaction has includes:
- Input: can usually be thought of as a reference to past output;
- Output: A 33-byte fuzzy data set called a commit, which encodes the amount and ownership, and a proof that the amount is not negative;
- Proof that the sum of the input and output plus the cost matches (ie no new currency is created);
In addition, Grin also used a technology called Dandelion relay to make IP address-based attacks unreliable.
In general, Grin has a good privacy protection in terms of address, amount, IP address, and additional data embedded in the transaction, but it is true in both the "input and output links" and the "transaction exists". There are limits.
(Figure: privacy features currently implemented by Grin)
That is to say, in terms of privacy, the current Grin is not as good as Monroe and Zcash (but the advantage of using Mimblewimble is that it has good scalability, while other privacy coins are usually very bloated).
For those who are listening to the network, it is possible to build a transaction graph and bring the entities together.
For example, Ian Miers, a postdoctoral fellow at Cornell Technologies and one of Zerovac's papers, published an article on privacy protocols in February of this year, which mentioned an attack called Flashlight .
And it concludes that confidential transactions (CT), invisible addresses, or Dandelion technology cannot provide comprehensive or perfect privacy protection. These technologies cannot solve the Flashlight attack problem, and they also appreciate the honesty of the Grin development team. Because it mentioned the limitations of the agreement at the outset, and did not advocate that its agreement is completely private.
Since the problem exists, is there a corresponding solution?
As of now, the Grin development team is exploring the use of a technology called Dandelion++ to alleviate this problem, but it also mentions that this solution is not sufficient to completely solve the linkability problem of the above-mentioned chain output.
In addition, the plan given by Liteco coin founder Charlie Lee is:
“For better privacy, you can use CoinJoin before the broadcast transaction. The cooperation between CJ and MW is very good.”
At present, reducing the linkability of the output on the chain is one of the major research directions that the Grin development team is exploring.
In general, the Mimblewimble protocol does have short-board issues in terms of privacy, but this level of privacy protection is sufficient for ordinary people, and the use of Mimblewimble's Grin is not the same, the development behind it. From the very beginning, the team recognized and announced the shortcomings of the agreement and explored the corresponding solutions, which is worth learning.