For all cryptocurrency has done to raise awareness of privacy, it seems to have spurred more projects than workable coins.
Grin, launched in January 2019, is one such privacy initiative facing tough questions as the excitement around its Mimblewimble adaptation has not lived up to recent empirical scrutiny.
Ivan Bogatyy, researcher at investment fund Dragonfly Capital, dropped a Medium bombshell last Monday, disclosing an “attack” capable of identifying 96 percent of the active senders and receivers on the grin network through the employment of “sniffer nodes.”
As the smoke cleared, one question emerged: What is privacy in crypto, anyway?
Gathering praise from the likes of ethereum co-founder Vitalik Buterin, litecoin creator Charlie Lee and others, Bogatyy detailed grin’s structural issues – issues, he claims, stemming from Mimblewimble itself.
Dreams of anonymity
Mimblewimble – the much-heralded privacy protocol created in 2016 – anonymizes transactions through batching inputs per block, like a CoinJoin. After mixing the numbers associated with a sender in a pool of similar transactions, equivalent values are spit out on the other side as unidentifiable outputs.
Styled a confidential transaction (CT), this process typically works pretty well once it scales to a large enough anonymity set, wherein the sheer number of inputs shields the knowledge about the outputs after a mixing. In CT, the amount and public addresses are never exposed, mainly because addresses don’t exist in the Mimblewimble universe, just transaction inputs and outputs.
The first two cryptocurrencies based on Mimblewimble launched in January 2019: grin and beam. But, for both coins, “transaction graphing” remains a problem.
A well-connected sniffer node can sit on either side of the CoinJoin in what is called “linking.” Built on the same peer-to-peer (P2P) network as bitcoin, nodes communicate changes to the ledger from one to another and a sniffer can pick out how transactions move by being well-connected to its peers. In fact, Bogatyy said it only took 200 of the 3,000 current peers on the grin blockchain to flesh out 96 percent of transaction sender and receiver addresses at the small cost of a $60 per week subscription to Amazon Web Services.
This issue was well known beforehand, however.
The Grin Foundation’s Open Research Problems page on GitHub publicly cited the problem as a point for future research along with analysis from Token Daily’s Mohamed Fouda over a year ago. Moreover, grin has never promised full anonymity, but only CT with the possibility of adding anonymity features down the road.
So what’s all the fuss about?
To Bogatyy, the research is about correcting public misunderstandings about privacy coins. But to Mimblewimble developers, the piece amounted to a smear.
“While some technical experts guessed that the vulnerability likely exists, I don’t think anyone knew the extent,” Bogatyy said in an email. “Before I ran the experiments, I couldn’t know myself it would be 96 percent.”
“I think Grin devs are very competent and don’t overpromise, but the public perception diverged from the technical fundamentals and followed the legend a little too much,” Bogatyy said.
The promise of privacy coins
All privacy coins aren’t created equal. Rather, a privacy coin is one iteration of a subjective vision of privacy externally limited by what distributed protocols are physically capable of accomplishing.
In the case of Mimblewimble, CT is not much more than bitcoin with throw-away public addresses plus hidden transaction amounts, according to zcash co-founder and cryptographer Ian Miers.
“But we all know intuitively what privacy means: if you pay your psychiatrist or purchase a series of banned books from an online market, no one learns you saw a doctor and no one is going to kick down your door and search your house for illicit books,” Miers said in an email.
But in the world of public blockchains, where transaction data can be viewed and verified by all participants, there’s a catch.
“Because we all know cryptocurrency has a privacy issue, outsiders latch onto anything and hype it out of proportion,” Miers said.
Grin’s version of Mimblewimble is joined by others, namely beam, which Bogatyy also addressed in his research.
Noting the trouble with transaction graphing long ago, beam developers have implemented numerous amendments to Mimblewimble, including decoy outputs to break linkability, according to beam developer Guy Corem.
That’s why he’s taking issue with Bogatyy’s research.
“Beam and Grin developers were aware of transactions linkability from way before mainnets launched,” Corem said in a Telegram message. “[Bogatyy] didn’t look at Beam’s implementation. For example, in his technical write-up, he wrongfully stated that the decoys aren’t being spent.”
Decoy improvements or not, Bogatyy remains unimpressed. Following transactions through whisper nodes remains too easy even with the added protections, Bogatyy said.
“Ultimately, the best version of decoy-heavy Mimblewimble would look like a worse version of Monero,” Bogatyy said on his GitHub page. (It should be noted that no privacy coins are listed in Dragonfly’s portfolio.)
To grin developers, Bogatyy’s views are far off the mark.
Writing in a Medium post, grin developer Daniel Lehnberg said Bogatyy confused basic points such as transaction outputs versus addresses in the Mimblewimble system, misstated grin’s original privacy claims and did not contact grin developers while saying he did.
“Other than that ‘Output A spends to Output B’, it’s less clear what exactly is being identified here or what else the author is able to accomplish with this information,” Lehnberg wrote. “While it would be desirable to avoid leaking the transaction graph, the graph alone doesn’t necessarily reveal sender and receiver outputs.”
But, as Miers points out, you can still trace grin transactions regardless if they have addresses or not.
“It’s like you have a map of some part of New York City but you just don’t which part because all the street names are missing. But the moment someone tells you the name of one intersection on the map, you can work out the rest,” Miers said. “The attack on Grin created this map with blank streets. You need one more step to give out the names, but that is the easy part.”
Furthermore, once you know a transaction’s beginning and end points, it doesn’t matter to anyone how much you spent, just that you spent it somewhere.
“So the world will learn you paid Pornhub or bought a lambo, but they won’t directly know for how much,” said Miers. “It isn’t useful unless it’s combined with much stronger privacy technology.”
As ethereum’s Buterin noted on Twitter, privacy depends on the number of users in an anonymity set: The more users mixing funds, the safer the funds pulled from the pool.
But it’s different for grin due to the nature of its protocol, which natively doesn’t have addresses like bitcoin to match transactions to, grin’s Lehnberg wrote on Medium:
Grin is still very young and has yet to reach its full potential. Eleven months into mainnet, there is low network usage. In the last 1000 blocks, 22% contained only a single tx (and 30% contained no tx), meaning their inputs and outputs are trivially linkable. This won’t change until there’s greater network usage, but it still does not imply that sender and receiver identities are revealed.
Reviewing Bogatyy’s research, Lehnberg said he is skeptical of how he was able to “uncover who paid who in the Grin network,” as Bogatyy claimed on GitHub. Grin’s development team has only gone so far as to say the issue could reveal “entities,” not individuals.
“It’s one thing to say, ‘oh this theoretical attack is really straightforward and easy to carry out,’ it’s another to actually do it,” Lehnberg said on Telegram.
“Grin is a project that shows a lot of promise, but right now it isn’t accurate to call it a privacy coin or even a privacy project,” Miers said.