“For $60 per week on AWS, the exact addresses behind 96% of Grin transactions can be found. It’s clear that Mimblewimble is not powerful enough on its own to provide robust privacy.”

Ivan Bogatyy is a researcher at Dragonfly Capital, a blockchain investment fund, and was previously a General Partner at the blockchain investment fund MetaStable Capital.

Mimblewimble’s privacy features are fundamentally flawed. For a $60 per week AWS fee, I can discover the exact addresses of 96% of Grin transaction senders and recipients in real time.

This problem is inherent to Mimblewimble and I don’t think there is any way to fix it. This means that when it comes to privacy, Mimblewimble should not be seen as a viable alternative to Zcash or Monero.

Over the past two years, Mimblewimble has grown in popularity as an emerging lightweight privacy protocol. Mimblewimble was created in 2016 by a hacker using the pseudonym Tom Elvis Jedusor, who dropped a written description of the protocol in an IRC chat and disappeared. Since then, Mimblewimble’s best-known applications have included Grin, a so-called “fair launch” privacy coin, and the VC-backed Tari and BEAM projects, and some are even considering integrating it into Litecoin.

Some researchers have hypothesized about Mimblewimble’s possible privacy weaknesses. My contribution is to demonstrate precise methods of executing the attack, demonstrate its feasibility on a live network, and measure its effectiveness. In my real-world test against Grin, I found a 96% success rate in uncovering transaction flow information. It is therefore clear that robust privacy protection cannot currently be expected from Mimblewimble.

Here is an in-depth technical look at the attack on Mimblewimble, including open source code, reproducible data, and a technical FAQ. Below, I’ll give a high-level, intuitive explanation of linkability, how the attack is launched, and what it means for privacy technologies.

What is linkability?

It is very important to understand what this attack does and does not mean.

This kind of attack does not reveal the exact amounts of money people receive. Mimblewimble successfully hides payment amounts using elliptic curve cryptography (Pedersen commitments). But this kind of attack does allow us to find out who pays whom. In other words, it lets us link transactions together and confirm payment flows.

Why is this a big problem? Let me expand on that a little.

Let’s say Coinbase knows that an address belongs to a Venezuelan named Daniel, and you, as an American user, want to cash out on Coinbase. By uncovering the transaction graph, Coinbase learns that you received money from Daniel, even though it doesn’t know how much. Based on OFAC policy regarding Venezuela, Coinbase will close your account.

Exchanges will of course know a lot about the transaction graph, because they hold KYC information about the users who exchange cryptocurrency for fiat currency.

Another example: an authoritarian government knows that a particular address belongs to a political dissident. You make a small donation to the dissident. Later, when you send money to your local exchange using the Mimblewimble protocol, the exchange shares your trading data with the government. Because the government has full access to the transaction graph, it now knows that you supported a political dissident.

This type of attack is impossible with Zcash, because Zcash is “unlinkable”; in other words, every Zcash transaction has a huge anonymity set. An anonymity set is essentially the set of transactions from which your transaction cannot be distinguished. Think of it as blending into a crowd: the larger the anonymity set, the larger the “crowd” your transaction blends into.

In Zcash, the anonymity set of each transaction includes all coins that have ever been shielded. From an information theory point of view, this is as anonymous as possible.

In Monero, the anonymity set of each transaction is the set of all (trusted) decoy outputs. Although the Monero client allows you to specify the size of the decoy set, the current default value is 11. Monero has its own issues with sampling decoys safely, but I think it’s basically viable, depending on how the decoys are chosen.

One would have expected Mimblewimble’s anonymity set to look something like this:

But in reality, it looks like this:

This reduces Mimblewimble’s anonymity set to just one address.

To be clear, I’m not blaming Grin. I have great respect for the Grin community and core developers, who have been extremely helpful after listening to my questions.

Grin still offers a more robust privacy model than Bitcoin or other non-private coins, since transaction amounts are securely hidden. But compared to Zcash or Monero, Mimblewimble provides a strictly weaker privacy model, making it inadequate for many practical privacy use cases.

A high-level overview of the attack

So how does “de-anonymising” the transaction graph work in Mimblewimble?

I noticed that despite hiding the payment amounts, Mimblewimble still leaves behind a linkable transaction graph. The protocol designers are aware of this, so Mimblewimble uses two main techniques to combat linkability: the first is full-block cut-through aggregation, and the second is Dandelion.

The idea behind block cut-through is that as transactions accumulate within a block, they are aggregated into a single “super-transaction”. This “super-transaction” is basically like a giant CoinJoin: all inputs and outputs are thrown into one giant bucket, where it’s not easy to determine who paid whom. Just a bunch of inputs turned into a bunch of outputs, with the amounts hidden.

Sounds fine, doesn’t it? There’s just one problem: the CoinJoin is built up one transaction at a time. Since transactions are constantly being created and broadcast from different places, unpicking the CoinJoin is simple if you run a sniffer node that records all the transactions before the cut-through aggregation is complete. Any sniffer node can monitor the network and record each original transaction before it is aggregated. It is very easy to archive every message you see on a P2P network.

Wait, really? That’s it?

The Grin team actually added another line of defense: the Dandelion protocol. Dandelion is a networking technique developed by researchers at CMU that attempts to obscure who originated a transaction.

Typically, in cryptocurrencies like Bitcoin, the originator of a transaction simply shouts it out to all their peers, and it then spreads quickly through the P2P network. But in the Dandelion protocol, the broadcast of every transaction begins with a secret game of telephone. The originator quietly passes the transaction to one peer, which in turn quietly passes it to another, and so on. After a few random hops, the last peer announces the transaction as in Bitcoin. But that peer is so far from the originator that it is impossible for an observer to tell who was at the beginning of the chain.

This is useful for obscuring the originator’s IP address. But the Dandelion protocol has a second function in Grin: it happens to defeat the sniffer archive node. Because every transaction starts with a Dandelion stem, whenever two transactions cross paths on their Dandelion stems, they are aggregated early. If this happens, the sniffer node can no longer unpick the transactions when they are broadcast to all observers. They have already been CoinJoined.
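To make the cut-through and Dandelion-stem discussion above concrete, here is an added toy model (not Grin’s code, and ignoring the real Pedersen commitment arithmetic): inputs and outputs are opaque labels, a block is the pooled super-transaction, and an observer who archived some transactions before aggregation subtracts them back out. The `anonymity_sets` helper then reports, for each original transaction, how many others it is still merged with.

```python
from itertools import chain

# Toy model of Mimblewimble block aggregation, added as an illustration (not
# Grin's code). Inputs and outputs are opaque labels standing in for Pedersen
# commitments: amounts are never visible, only the input->output grouping is.

def aggregate(txs):
    """Cut-through aggregation: pool every input and output of the given
    transactions into one CoinJoin-like super-transaction."""
    ins = frozenset(chain.from_iterable(t[0] for t in txs))
    outs = frozenset(chain.from_iterable(t[1] for t in txs))
    return (ins, outs)

def carve(block_tx, archived):
    """What an archive node can separate out of a block: each transaction it
    recorded before aggregation is subtracted from the super-transaction;
    whatever it never saw on its own stays behind as one merged unit."""
    ins, outs = block_tx
    units = []
    for a_ins, a_outs in archived:
        if a_ins <= ins and a_outs <= outs:
            units.append((a_ins, a_outs))
            ins, outs = ins - a_ins, outs - a_outs
    if ins or outs:
        units.append((ins, outs))
    return units

def anonymity_sets(txs, archived):
    """Per original transaction, how many originals share the unit the
    observer placed it in. A value of 1 means the transaction is fully linked."""
    units = carve(aggregate(txs), archived)
    inside = lambda t, u: t[0] <= u[0] and t[1] <= u[1]
    return [sum(inside(s, u) for s in txs)
            for t in txs for u in units if inside(t, u)]

def linked_fraction(txs, archived):
    """Share of transactions whose anonymity set collapsed to one."""
    sizes = anonymity_sets(txs, archived)
    return sum(s == 1 for s in sizes) / len(sizes)

# Constructed block of four transactions, each written as (inputs, outputs).
TX_A = (frozenset({"i1"}), frozenset({"o1", "o2"}))
TX_B = (frozenset({"i2", "i3"}), frozenset({"o3"}))
TX_C = (frozenset({"i4"}), frozenset({"o4"}))
TX_D = (frozenset({"i5"}), frozenset({"o5", "o6"}))
BLOCK = [TX_A, TX_B, TX_C, TX_D]
# The archive node recorded A and B alone, but C and D had already crossed on a
# Dandelion stem and only ever reached it merged.
PARTIAL_ARCHIVE = [TX_A, TX_B, aggregate([TX_C, TX_D])]
```

With no archive the block alone gives every transaction an anonymity set of 4; with the partial archive A and B collapse to 1 while C and D keep a set of 2, which is exactly the protection the early stem aggregation buys.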

This is Grin’s primary defense against linkability by sniffer nodes. But there is an easy way to break it.

By default, each Grin node connects to eight other peers. But by increasing the number of peers, I can connect my sniffer node to every other node in the network. Assuming I stay online long enough, eventually almost every node will connect to me, making me a supernode.

Once I am a supernode, there is a good chance that the Dandelion path of any transaction will pass through me. I can catch almost every transaction before it is aggregated: the only way I would miss one is if the two transactions had already crossed paths on the Dandelion stem before I saw them. If I see a transaction before it is aggregated, I can unpick it from the block using some simple algebra.

In my attack, I was able to link 96% of the transactions, and I only connected to 200 of the 3,000 nodes in the Grin network. If I spent a little more money, I could easily connect to all 3,000 nodes and unpick almost all transactions. I don’t need to be a single supernode to do this; the same attack can be carried out by running 3,000 nodes with independent IPs, each connected to only one peer. I simply sniff all the transaction data and dump it into a central master database, and the attack is just as effective.

So can Mimblewimble be saved?

It depends. I believe there is no clear path to unlinkability for Grin as currently designed. As I discuss in the technical article, simply raising the Dandelion factor is not enough to deal with a determined attacker.

But beyond linkability, Mimblewimble still has unique value! It supports cut-through aggregation, which is an efficient compression technique for full nodes, and it hides transaction amounts effectively. If you need a high level of privacy, you can combine Mimblewimble with other protocols that obscure the transaction graph, such as Ethereum 9¾, which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme.

But clearly, Mimblewimble is not powerful enough on its own to provide robust privacy protection.

Bitcoin is 11 years old, but cryptocurrencies are still in their infancy. Not long ago, devastating bugs were found in both Zcash and Monero. That’s to be expected: most of the interesting technologies are still at the basic science stage.

But that’s the way science advances: we come up with new theories and keep knocking them down until what’s left has stood the test of time.

Thanks to Haseeb Qureshi for his great help with this article and his assistance in animating the anonymity sets. Thanks also to Oleg Ostroumov, Elena Nadolinski, Mohamed Fouda, Lucas Ryan and Nader al-Naji for reviewing the first draft of this article. Thanks to Jake Stutzman (NEAR Protocol) for the diagrams of the Dandelion protocol and block aggregation.

Source link: mp.weixin.qq.com