Mimblewimble privacy model can be broken, says Dragonfly Capital researcher
Editor's Note: This article comes from Chain News (ID: chainnewscom), author Ivan Bogatyy, reprinted with authorization by Odaily.
Compiler: Zhan Juan
"For $60 a week in AWS, one can discover the exact addresses behind 96% of Grin transactions. Clearly, Mimblewimble by itself is not strong enough to provide robust privacy."
Written by: Ivan Bogatyy, researcher at the blockchain investment fund Dragonfly Capital and formerly a general partner at the blockchain investment fund MetaStable Capital

Mimblewimble's privacy features are fundamentally flawed. For just $60 a week in AWS, I was able to discover the exact originator and recipient addresses of 96% of Grin transactions in real time.
Over the past two years, Mimblewimble has grown in popularity as an emerging lightweight privacy protocol. It was invented in 2016 by a hacker using the pseudonym Tom Elvis Jedusor, who dropped a text description of the protocol into an IRC channel and disappeared. Since then, its best-known applications have included the so-called "fair launch" privacy coin Grin and the VC-backed Tari and BEAM projects, and it has even been proposed as an extension to Litecoin.
A few researchers have hypothesized about possible privacy weaknesses in Mimblewimble. My contribution is to demonstrate a precise method of carrying out the attack, prove its feasibility on a live network, and measure its effectiveness. In real-world tests on Grin, I uncovered transaction-flow information with a 96% success rate. It is therefore now clear that Mimblewimble cannot be relied on for robust privacy.
A full technical write-up of the attack on the Mimblewimble implementation, with open-source code, reproducible data and a technical FAQ, is published separately. In what follows, I give a high-level, intuitive explanation of linkability, how it can be attacked, and what it means for privacy technology.
What is linkability?
It is important to understand what this attack does and does not mean.
The attack does not let us learn how much anyone was paid: Mimblewimble successfully hides payment amounts using Pedersen commitments, a standard elliptic-curve construction. What the attack does let us learn is who is paying whom. In other words, it lets us link transactions and confirm the flow of payments.
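To make concrete what the attack does and does not see, here is an added toy implementation (mine, not code from the article, from Grin, or from the author's tooling) of a Mimblewimble-style transaction built from Pedersen commitments. It works in a multiplicative group modulo a Mersenne prime instead of secp256k1 so that it runs with only the Python standard library; the parameters, function names and sample amounts are all my own, and the Schnorr signature, kernel offset and range proofs of the real protocol are left out. It shows that anyone can verify the transaction balances without learning a single amount, and that the same observer nonetheless sees exactly which commitments were spent and which were created, which is the linkable graph the rest of the article is about.

```python
import hashlib
import secrets

# Constructed toy parameters, insecure and for illustration only. Grin uses
# secp256k1 points; here the group is Z_P^* so the example needs no library.
# EC point addition becomes modular multiplication, scalar multiplication
# becomes modular exponentiation, but the algebra is otherwise identical.
P = (1 << 127) - 1            # Mersenne prime; the group is Z_P^*
ORDER = P - 1                 # exponents (blinds, amounts) live mod P-1
G = 3                         # base for blinding factors r
# "Nothing up my sleeve" base for amounts v. Nobody knows log_G(H), which is
# what prevents opening a commitment to a different amount.
H = int.from_bytes(hashlib.sha256(b"mimblewimble toy H").digest(), "big") % P


def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^blind * H^value  (EC form: blind*G + value*H)."""
    return pow(G, blind, P) * pow(H, value, P) % P


def product(commits) -> int:
    acc = 1
    for c in commits:
        acc = acc * c % P
    return acc


def build_tx(inputs, out_values, fee):
    """inputs: list of (value, blind) pairs the sender owns and can open.
    Returns the public transaction plus the (value, blind) openings of the
    new outputs, which the sender hands to the recipient off-chain."""
    if sum(v for v, _ in inputs) != sum(out_values) + fee:
        raise ValueError("inputs must equal outputs plus fee")
    outs = [(v, secrets.randbelow(ORDER)) for v in out_values]
    # The kernel excess is the sum of output blinds minus the sum of input
    # blinds. Only G^excess is published. (Grin additionally signs with the
    # excess as a key and splits off a kernel offset; both omitted here.)
    excess = (sum(r for _, r in outs) - sum(r for _, r in inputs)) % ORDER
    tx = {
        "inputs": [commit(v, r) for v, r in inputs],
        "outputs": [commit(v, r) for v, r in outs],
        "kernel": {"excess": pow(G, excess, P), "fee": fee},
    }
    return tx, outs


def verify_tx(tx) -> bool:
    """Anyone can check that the transaction balances without learning an
    amount: prod(outputs) / prod(inputs) * H^fee must equal G^excess, because
    the H exponents cancel exactly when inputs == outputs + fee.
    (Range proofs, which rule out negative amounts, are omitted here.)"""
    lhs = (product(tx["outputs"]) * pow(product(tx["inputs"]), -1, P)
           * pow(H, tx["kernel"]["fee"], P)) % P
    return lhs == tx["kernel"]["excess"]


def visible_links(tx):
    """What every passive observer learns even though amounts are hidden:
    which earlier outputs this transaction consumed and which new outputs it
    created. These (input, output) edges are the transaction graph that
    cut-through aggregation and Dandelion try to blur."""
    return {(i, o) for i in tx["inputs"] for o in tx["outputs"]}


if __name__ == "__main__":
    coin = (100, secrets.randbelow(ORDER))            # a 100-unit output we own
    tx, openings = build_tx([coin], [60, 39], fee=1)
    print("balances:", verify_tx(tx))                # True, no amounts revealed
    print("graph edges:", len(visible_links(tx)))    # 2: one input -> two outputs
    # Same amount, fresh blind: commitments cannot be matched by value alone.
    print("60 twice looks the same?", commit(60, 1) == commit(60, 2))  # False
```

The balance check is the whole of what a Mimblewimble verifier needs from the amounts, and it reveals none of them. The set of input and output commitments, by contrast, is public by construction; hiding which input paid for which output is left entirely to aggregation, which is where the attack in the rest of the article applies.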
Why is this a big deal? An example helps.
Suppose Coinbase knows that a certain address belongs to a Venezuelan named Daniel, and you, a US user, want to cash out on Coinbase. Once the obfuscated transaction graph has been unravelled, Coinbase knows that you received money from Daniel, even though it does not know how much. Under OFAC (Office of Foreign Assets Control) policy on Venezuela, Coinbase closes your account.
Exchanges naturally know a great deal about the transaction graph, since they hold the KYC information of the users who exchange crypto for fiat.
As another example, suppose an authoritarian government knows that a particular address belongs to a political dissident, and you donated a small sum to that dissident. Later, when you send money over Mimblewimble to your local exchange, the exchange shares your transaction data with the government. Because the government can see the whole transaction graph, it now knows that you supported the dissident.
This kind of attack is impossible in Zcash, because Zcash is "unlinkable": every Zcash transaction has a huge anonymity set. An anonymity set is the set of transactions among which yours cannot be distinguished. Think of it as blending into a crowd: the larger the anonymity set, the larger the crowd your transaction is hidden in.

In Zcash, the anonymity set of every transaction is the set of all shielded coins. From an information-theoretic point of view, this is the largest anonymity set possible.
In Monero, the anonymity set of each transaction is the set of (trusted) decoy transactions. The Monero client lets you choose the size of the decoy set, but the current default is 11. Monero has had its own problems with sampling decoys securely, but I think it is mostly workable, depending on the trade-offs one accepts.
To be clear, I don't mean to accuse Grin. I have a lot of respect for the Grin community and core developers, who have been extremely helpful in listening to my questions.

So how does one de-anonymize the transaction graph in Mimblewimble?

I noticed that although it hides payment amounts, Mimblewimble still leaves behind a linkable transaction graph. The protocol designers are aware of this, so Mimblewimble uses two main techniques to fight linkability: full-block cut-through aggregation and Dandelion. Cut-through aggregation merges all the transactions in a block into one big transaction, so the published block shows only a combined pool of inputs and outputs and no longer records which inputs paid for which outputs; any output created and spent within the same block is removed ("cut through") entirely. In effect, every block is one giant CoinJoin.

Sounds fine, right? There is just one problem: this CoinJoin is assembled one transaction at a time. Transactions are constantly being created and broadcast from many places, and if you run a sniffer node that captures every transaction before cut-through aggregation has happened, unravelling the CoinJoin is trivial. Any sniffer node can monitor the network and record each original transaction before it is aggregated; archiving everything you see on the P2P network is actually very easy.
Wait, really? That's it?
The Grin team did put in place another line of defense: the Dandelion protocol. Dandelion is a networking technique developed by researchers at CMU (Carnegie Mellon University) that attempts to obfuscate the originator of a transaction.
Normally, in a cryptocurrency like Bitcoin, the originator of a transaction simply announces it to all of its peers, and the transaction spreads rapidly through the P2P network. With Dandelion, the broadcast of every transaction begins with a secret game of telephone: the originator quietly passes the transaction to a single peer, that peer quietly passes it to another, and so on down the chain. After a few random hops, the last peer announces the transaction to everyone, as in Bitcoin. By then it is so far from the originator that no observer can tell where the chain began.
This is very useful for hiding the originator's IP address. But in Grin, Dandelion also serves a second purpose: it happens to defeat sniffer nodes that archive the network. Because every transaction starts life on a Dandelion chain, two transactions whose chains cross are aggregated early, while still on the stem. When that happens, by the time the transaction is broadcast to all observers, a sniffer node can no longer take it apart: the two transactions have already been mixed (CoinJoined).
By default, each Grin node connects to 8 peers. But by drastically raising the number of peers, I can connect my sniffer node to every other node in the network. Provided I stay online long enough, almost every node eventually connects to me, making me a supernode.
Once I am a supernode, the Dandelion path of almost any transaction is very likely to pass through me, so I can capture it before it is aggregated. The only case I cannot handle is when two transactions have already intersected on their Dandelion paths before I see them. As long as I have seen one of the two transactions before they were aggregated, I can use some simple algebra to take them apart.
In the attack I ran, I was able to link 96% of transactions while connecting to only 200 of the roughly 3,000 nodes in the Grin network. With a little more money I could easily connect to all 3,000 and take apart almost every transaction. Nor do I need to be a single supernode: the same attack works by spinning up 3,000 nodes with distinct IPs, each connected to a single peer. As long as I capture all the transaction data and dump it into one central database, the attack is just as effective.
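As an added example (mine, not the author's published tooling or Grin code), here is the "simple algebra" from the paragraphs above worked through in Python: a sniffer archives whatever it relays during the Dandelion stem phase, then subtracts those known transactions from the aggregate that is finally fluffed to everyone. Commitments are opaque strings, and the scenario, transaction names and kernel labels are constructed. The one protocol fact the code relies on is that cut-through aggregation removes outputs spent inside the aggregate but never removes kernels, so the number of kernels left over tells the sniffer how many transactions it failed to separate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """A Mimblewimble transaction as the network sees it. Commitments are
    opaque labels here; real ones are curve points."""
    inputs: frozenset    # commitments being spent
    outputs: frozenset   # commitments being created
    kernels: frozenset   # one kernel per original transaction; never cut through


def tx(inputs, outputs, kernel) -> Tx:
    return Tx(frozenset(inputs), frozenset(outputs), frozenset([kernel]))


def aggregate(a: Tx, b: Tx) -> Tx:
    """Cut-through aggregation: union the inputs and outputs, keep every
    kernel, and delete any output that the other half of the merge spends
    (it was created and consumed inside the same aggregate)."""
    cut = (a.outputs & b.inputs) | (b.outputs & a.inputs)
    return Tx((a.inputs | b.inputs) - cut,
              (a.outputs | b.outputs) - cut,
              a.kernels | b.kernels)


def subtract(agg: Tx, known: Tx) -> Tx:
    """Peel a known constituent out of an aggregate. Cut-through is undone
    as well: a known output missing from the aggregate must have been spent
    by the remainder, so it is restored as one of the remainder's inputs; a
    known input missing from the aggregate must have been created by it."""
    inputs = (agg.inputs - known.inputs) | (known.outputs - agg.outputs)
    outputs = (agg.outputs - known.outputs) | (known.inputs - agg.inputs)
    return Tx(inputs, outputs, agg.kernels - known.kernels)


class Sniffer:
    """A node that archives every transaction it relays during the stem
    phase and later uses the archive to take fluffed aggregates apart."""

    def __init__(self):
        self.archive = {}   # kernel -> Tx exactly as first seen

    def observe_stem(self, t: Tx) -> None:
        for k in t.kernels:
            self.archive.setdefault(k, t)

    def unpack(self, agg: Tx):
        """Returns (recovered, remainder). `recovered` are constituents the
        sniffer had archived; `remainder` is everything else. A remainder
        with one kernel is a transaction the sniffer never saw but has now
        fully linked; two or more kernels mean those transactions merged on
        the stem before reaching the sniffer and stay CoinJoined."""
        recovered, rest = [], agg
        for k in agg.kernels:
            known = self.archive.get(k)
            if known is not None and known.kernels <= rest.kernels:
                recovered.append(known)
                rest = subtract(rest, known)
        return recovered, rest


def linkage(rest: Tx) -> str:
    n = len(rest.kernels)
    if n == 0:
        return "every constituent was archived"
    if n == 1:
        return "unseen transaction recovered by subtraction"
    return f"{n} transactions merged before the sniffer saw them; still mixed"


# Constructed scenario. B spends one of A's outputs, so aggregation cuts it through.
A = tx({"in_x1"}, {"out_a1", "out_a2"}, "kernel_A")
B = tx({"out_a2", "in_y1"}, {"out_b1"}, "kernel_B")
C = tx({"in_z1"}, {"out_c1", "out_c2"}, "kernel_C")
BLOCK = aggregate(aggregate(A, B), C)   # what every node finally sees

if __name__ == "__main__":
    s = Sniffer()
    s.observe_stem(A)       # A's and C's stems passed through us, B's did not
    s.observe_stem(C)
    recovered, rest = s.unpack(BLOCK)
    print(len(recovered), "archived;", linkage(rest))
    print("B recovered exactly:", rest == B)
```

In the constructed scenario the sniffer saw A and C on the stem but never B, and still recovers B exactly, including the output of A that B spent and that cut-through had erased from the aggregate. If instead B and C had merged on the stem before either reached the sniffer, the remainder keeps two kernels and cannot be split further; that is the single case the paragraph above calls out, and it is the case that connecting to more of the network shrinks.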
So is Mimblewimble still alive?
It depends. I believe that Grin, as currently envisioned, has no clear path to unlinkability. Simply increasing the Dandelion factor, as I discuss in the technical write-up, is not enough to stop a determined attacker.
But even without unlinkability, Mimblewimble still has unique value. It supports cut-through aggregation, an efficient compression technique for full nodes, and it does hide transaction amounts. If you need stronger privacy, you can combine Mimblewimble with other protocols that obfuscate the transaction graph; Ethereum 9¾, for example, combines Mimblewimble with a Zerocash-style commitment-nullifier scheme.
But it is clear that Mimblewimble by itself is not powerful enough to provide robust privacy protection.