Mimblewimble's privacy restrictions do exist, and how to solve it is the focus

Last night, an article by Ivan Bogatyy, a researcher from Dragonfly Capital, about Mimblewimble and Grin sparked a lot of discussion, claiming that his attack method could track the "address" of Grin senders and recipients in real time at very low cost. Therefore, he believes that Mimblewimble's privacy model is bad.

So, does the problem it says exist? In fact, let's leave the "address" problem aside. This is actually a limitation of the Mimblewimble protocol that the Grin development team clearly pointed out at the end of 2018 (before the launch of the Grin main network).

Grin is implemented as a MimbleWimble, which uses a transaction format called Secure Transaction (CT) to hide the identity of the sender and receiver, so it is actually that it has no public amount and address information.

The information that a Grin transaction has includes:

  1. Input: can usually be thought of as a reference to past output;
  2. Output: A 33-byte fuzzy data set called a commit, which encodes the amount and ownership, and a proof that the amount is not negative;
  3. Proof that the sum of the input and output plus the cost matches (ie no new currency is created);

In addition, Grin also used a technology called Dandelion relay to make IP address-based attacks unreliable.

In general, Grin has a good privacy protection in terms of address, amount, IP address, and additional data embedded in the transaction, but it is true in both the "input and output links" and the "transaction exists". There are limits.

88

(Figure: privacy features currently implemented by Grin)

That is to say, in terms of privacy, the current Grin is not as good as Monroe and Zcash (but the advantage of using Mimblewimble is that it has good scalability, while other privacy coins are usually very bloated).

For those who are listening to the network, it is possible to build a transaction graph and bring the entities together.

For example, Ian Miers, a postdoctoral fellow at Cornell Technologies and one of Zerovac's papers, published an article on privacy protocols in February of this year, which mentioned an attack called Flashlight .

56

And it concludes that confidential transactions (CT), invisible addresses, or Dandelion technology cannot provide comprehensive or perfect privacy protection. These technologies cannot solve the Flashlight attack problem, and they also appreciate the honesty of the Grin development team. Because it mentioned the limitations of the agreement at the outset, and did not advocate that its agreement is completely private.

Since the problem exists, is there a corresponding solution?

As of now, the Grin development team is exploring the use of a technology called Dandelion++ to alleviate this problem, but it also mentions that this solution is not sufficient to completely solve the linkability problem of the above-mentioned chain output.

In addition, the plan given by Liteco coin founder Charlie Lee is:

“For better privacy, you can use CoinJoin before the broadcast transaction. The cooperation between CJ and MW is very good.”

6

At present, reducing the linkability of the output on the chain is one of the major research directions that the Grin development team is exploring.

In general, the Mimblewimble protocol does have short-board issues in terms of privacy, but this level of privacy protection is sufficient for ordinary people, and the use of Mimblewimble's Grin is not the same, the development behind it. From the very beginning, the team recognized and announced the shortcomings of the agreement and explored the corresponding solutions, which is worth learning.

Reference materials:

1. https://github.com/mimblewimble/docs/wiki/Grin-Privacy-Primer

2, https://www.zfnd.org/blog/blockchain-privacy/#flashlight

3, https://github.com/mimblewimble/docs/wiki/Grin-Open-Research-Problems#7-reducing-linkability-of-outputs-on-chain

4, https://twitter.com/SatoshiLite/status/1196504546479968256

5, https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Blockchain

Korean or Korean? Bittrex Dreams New York

In June 2015, the New York Financial Services Department (NYDFS) became the first pioneer to develop a regulatory fra...

Opinion

Vitalik said he has never sold ETH for personal gain, we took stock of his personal and charitable wallets

Even if Vitalik Buterin occasionally sells some ETH, it will not have a significant impact on the long-term developme...

Blockchain

OKEx CEO Jay Open Letter: The decision to launch Jumpstart is really tough

Yesterday, the dust settled. The participation rules of our Utility Token sales platform OK Jumpstart were officially...

News

The currency circle "剿匪": the fund is checked, the exchange is full, and the "catch" has just begun.

Text | Pizza Recently, the People’s Daily, Xinhua News Agency, CCTV and other authoritative media have focused...

Blockchain

IEO re-burns the ring of rich dreams, how long can the dozens of income myths go?

There is no doubt that IEO is the hottest word in the currency. Since January 3 this year, the company announced the ...

Opinion

Unveiling SBF's Defense Draft of up to 250 pages I did what I believed was right.

In the draft, SBF traced his development history, from his childhood in Palo Alto to the penthouse apartment he purch...