How difficult is protecting privacy? Even anonymous coins may leak your secrets

In the world of Harry Potter, when you need to stop someone from revealing your secret plan, or just want to reduce an opponent to gibberish in a duel, there is a handy spell called Mimblewimble, also known as the "Tongue-Tying Curse." It is also the name of a privacy technology for cryptocurrencies.

The first currencies to use Mimblewimble were Grin and Beam, both launched in January. But an independent researcher has demonstrated an attack that sparked a debate about the privacy of the underlying protocol. Mimblewimble supporters say the problem can be solved. Still, Mimblewimble's limitations, together with the vulnerabilities found in Zcash and Monero in recent weeks, are a reminder of how hard it is to protect privacy in the digital currency space.

Mimblewimble's problem: not enough people use it

Privacy coins were born because people realized that Bitcoin has no secrets at all. It is widely believed that Bitcoin transactions are private, but police and criminals have long known that this is a misconception. All Bitcoin transaction data is public and open for anyone to analyze; combined with a few well-aimed subpoenas to cryptocurrency exchanges, which collect their customers' personal data, it is easy to figure out who is who.

This process has grown into a big business. Federal procurement data shows that agencies such as the FBI and the Department of Homeland Security now spend millions of dollars a year buying software to help track the people behind the transactions. Therefore, the dark web has largely turned to privacy coins, hoping to remain hidden.

This is a difficult task. Take Mimblewimble as an example. Its privacy comes from collecting a large number of transactions into a single, indistinguishable package, which makes it hard for an observer to analyze any individual transaction.

Another component used by Grin and Beam, called Dandelion, ensures that transactions are aggregated before they are broadcast to the rest of the network. (A transaction first travels along a "stem", a chain of nodes where it can be merged with others, and is then broadcast widely in the "fluff" phase, which is where the dandelion image comes from.)

But former Google engineer Ivan Bogatyy said that the protocol is flawed, because an attacker can build a node that listens to many other nodes. Such a "supernode" will almost always intercept transactions before they are aggregated, and can be used to discover who is transacting with whom.

The attack revealed a known limitation of Mimblewimble, said Giulia Fanti, a professor at Carnegie Mellon University and one of the designers of Dandelion:

"I think the average user may be more surprised than anyone who actually uses the technology."

She added that part of the problem is that the two currencies have not yet attracted enough users. More transactions means faster aggregation, which makes it harder for a supernode to pick out individual transactions. Fanti noted that this principle applies to many anonymity technologies, which often rely on hiding in a crowd.
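Fanti's point that aggregation depends on volume can be put in numbers with a small simulation. This is a constructed model added here, not Dandelion's, Grin's or Beam's code; the node count, number of stem hops, slot-based timing and per-epoch successor routing are all assumptions of the model.

```python
import random

def simulate_stem_aggregation(tx_rate, n_nodes=40, stem_hops=5, n_slots=200, seed=7):
    """Constructed model of Dandelion's stem phase (not any project's code).

    Time runs in slots. Once per slot every node forwards everything it holds
    to a fixed stem successor (one successor per node per epoch, as Dandelion
    routes). Bundles that meet at the same node in the same slot merge into one
    aggregated transaction. After stem_hops hops a bundle is fluffed, i.e.
    broadcast publicly. Returns the fraction of transactions that were fluffed
    without ever being merged: the ones still individually attributable when
    they reach the public network."""
    rng = random.Random(seed)
    successor = [rng.randrange(n_nodes) for _ in range(n_nodes)]
    holding = [[] for _ in range(n_nodes)]    # bundles as [tx_count, hops_done]
    p_new = tx_rate / n_nodes                 # per-node chance of a new tx per slot
    total = alone = 0
    for slot in range(n_slots + stem_hops):   # extra slots drain the stem
        if slot < n_slots:                    # new transactions enter at their origin
            for node in range(n_nodes):
                if rng.random() < p_new:
                    holding[node].append([1, 0])
                    total += 1
        nxt = [[] for _ in range(n_nodes)]
        for node in range(n_nodes):
            if not holding[node]:
                continue
            # merge everything this node holds, then take one more stem hop
            txs = sum(b[0] for b in holding[node])
            hops = min(b[1] for b in holding[node]) + 1
            if hops >= stem_hops:             # leaves the stem: fluff it
                if txs == 1:
                    alone += 1
            else:
                nxt[successor[node]].append([txs, hops])
        holding = nxt
    return alone / total if total else 0.0
```

Comparing a low rate (0.5 transactions per slot) with a high one (5 per slot) shows the share of transactions that reach the public phase unmerged dropping as volume rises, which is the "hiding in a crowd" effect in numbers.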

Grin developers say this type of attack is not that alarming. Grin's development team stated that they are well aware Mimblewimble's privacy model does not address this issue and have been working on a solution. Beam said that they have mitigated the problem by using decoy transactions, which make aggregation more effective.

Andrew Miller, a professor at the University of Illinois and a member of the Zcash Foundation's board of directors, points out, however, that demonstrating that a theoretical attack is cheap and practical is still valuable. "It changed the status quo," he said. "It doesn't even take much effort. It shows how common this problem is given the current size of the network."

Side channel attacks could compromise privacy

Florian Tramer, a cryptography researcher at Stanford University, said that as a relatively young protocol, Mimblewimble cannot yet offer the same privacy protections as Zcash and Monero. Those two, he added, have been around longer and rely on field-proven cryptographic techniques such as ring signatures and zero-knowledge proofs.

"The big issue to solve in this area is that our expectations for privacy come from different technologies."

Even so, privacy remains tricky, according to Tramer. He recently published a series of attacks against Monero and Zcash that are striking because they do not even involve complex cryptography. He added:

"This is an area where people put in a lot of effort. But when you look at these systems from a broader perspective, you realize that keeping things anonymous and private is about much more than just the cryptography. That is much harder than fixing cryptographic problems."

In this case, Tramer and his colleagues developed a "side-channel attack" that targets the interaction between a private wallet and the public-facing network. Because transaction details are encrypted, a wallet must check every transaction it sees to determine whether it is the intended recipient.

Tramer's team found that the wallet performs different cryptographic checks depending on the answer to that question. An adversary can learn a great deal by paying attention to subtle differences in timing and behavior. Using the techniques Tramer developed, an attacker can discover the payee of any anonymous transaction on the network and locate the IP address of the computer holding the private key for that address.
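The wallet-side leak described above, reduced to its essence: a scanner whose work depends on whether an output is its own, beside one that does the same work either way. This is a constructed illustration added here, not Tramer's code or the Monero or Zcash wallet code; the tag and keystream construction, the 1:20 cost weights and the deterministic work counter (standing in for the wall-clock time an observer would measure) are all assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the "is this output mine?" test: a short tag
# derived from the wallet's view key and the transaction's public key.
def output_tag(view_key: bytes, tx_pub: bytes) -> bytes:
    return hmac.new(view_key, tx_pub, hashlib.sha256).digest()[:8]

def keystream(view_key: bytes, tx_pub: bytes) -> bytes:
    return hmac.new(view_key, b"amount" + tx_pub, hashlib.sha256).digest()[:8]

def decrypt_amount(view_key: bytes, tx_pub: bytes, enc: bytes) -> int:
    # The "expensive" step a wallet only needs for outputs it actually owns.
    ks = keystream(view_key, tx_pub)
    return int.from_bytes(bytes(a ^ b for a, b in zip(enc, ks)), "big")

# Both scanners return (amounts, work_units); work is a deterministic stand-in
# for wall-clock time: 1 unit per tag check, 20 per amount decryption.
def scan_variable(view_key, outputs):
    """Leaky scanner: returns early for outputs that are not ours, so the
    time spent on an output reveals whether this wallet is the payee."""
    mine, work = [], 0
    for tx_pub, tag, enc in outputs:
        work += 1
        if output_tag(view_key, tx_pub) != tag:
            continue                 # cheap path for everyone else's outputs
        work += 20
        mine.append(decrypt_amount(view_key, tx_pub, enc))
    return mine, work

def scan_uniform(view_key, outputs):
    """Hardened scanner: identical work for every output; the result is
    selected afterwards, so cost no longer depends on ownership."""
    mine, work = [], 0
    for tx_pub, tag, enc in outputs:
        work += 1
        owned = hmac.compare_digest(output_tag(view_key, tx_pub), tag)
        work += 20
        amount = decrypt_amount(view_key, tx_pub, enc)   # always performed
        if owned:
            mine.append(amount)
    return mine, work

def make_output(view_key, tx_pub, amount, owned=True):
    """Constructed output; a non-owned one was built with someone else's key."""
    owner_key = view_key if owned else b"someone-else-view-key"
    ks = keystream(owner_key, tx_pub)
    enc = bytes(a ^ b for a, b in zip(amount.to_bytes(8, "big"), ks))
    return (tx_pub, output_tag(owner_key, tx_pub), enc)
```

Both scanners recover the same amounts, but only the uniform one reports the same work for an owned and a foreign output; in a real wallet the same property has to hold for every observable, including the network traffic the wallet generates.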

These vulnerabilities were reported to Monero and Zcash, and Tramer said he was glad to see both teams fix them quickly. Monero's fix was fairly simple, because its design already tries to separate the wallet from the network; the remaining overlap was a gap that just had to be closed.

Zcash had a harder problem, because its wallet and network processes are intertwined. This is partly a consequence of Zcash's origins: its privacy technology was added onto Bitcoin's codebase rather than built from scratch. The attack was possible in part because the client was not built with privacy and anonymity in mind, something the Zcash team is well aware of, Tramer said.

These issues have been resolved, and for now privacy coins remain far more anonymous than Bitcoin transactions, which can be monitored and traced for years after the fact. Miller said the community will need to pay close attention to other kinds of side-channel attacks, especially those arising from applications built on privacy coins. Using Zcash, Monero or Grin to pay for online services, for example, raises new questions about what information leaks when you interact with the application.

Tramer said:

"This is a new type of attack, but I think people are starting to pay attention to it. Privacy-centric currencies have a solid cryptographic foundation. However, to keep a low profile, the key is how to use them in practice."