Why “Breaking Mimblewimble’s Privacy Model” will not work with Beam

Published in

BEAM Privacy

5 min readNov 19, 2019

TL;DR: The “Breaking Mimblewimble Privacy Model” attack will not be effective on Beam — Beam’s decoy outputs make it much harder to build the transaction graph. Upcoming Lelantus-MW will make building the transaction graph virtually impossible even against more sophisticated attacks.

We would like to give our feedback on the article recently published by Ivan Bogatyy, claiming that there is no privacy in Mimblewimble. The article made some waves, and we would like to thank Ivan for his work and research.

However, we believe that some members of our community were needlessly concerned, so we want to address the presented issues — which were known and discussed in depth in the past — and explain how Beam already mitigates them.

What does the attack actually do

The system Ivan built collects logs from several “sniffer” nodes connected to the Grin network, and analyzes them.

When analyzing the logs, the author is looking for transactions that have only one kernel. In Grin, having one kernel indicates that a transaction was not merged with any other transactions, and thus the inputs of this transaction are linked to its outputs. With enough such links, it is possible to build a transaction graph that connects between different wallets and use this graph, for instance, to prove a financial connection between two known parties.

Ivan’s work does not actually build a transaction graph, it demonstrates that building such graph may be possible — there is quite a long way from finding linked inputs and outputs to building the actual transaction graph to actually establishing a link between specific peers.

The attack also does not reveal any user identities such as IP address, neither does it reveal the amounts transacted.

Why does it work in Grin

The reason for a large amount of such one-kernel transactions being broadcast to the network is that Grin network is not saturated and there are not enough transactions to be merged in the stem phase of Dandelion protocol.

As the usage grows, the anonymity will improve, but currently, as Ivan has shown it, the anonymity set is very low.

How Beam is different

While based on the same Mimblewimble protocol, Beam’s implementation of Dandelion has an important privacy improvement over Grin’s.

Early on in the project we identified the potential transaction linkability in Mimblewimble and thought about ways to mitigate it.

Already in September 2018 Valdo published a technical paper on transaction linkability and how Beam is tackling it. The paper describes the concept of decoy (aka Dummy) UTXOs. Note that the feature was implemented in Beam before mainnet launch and the mechanism was discussed with Grin’s devs, which decided not to implement it.

How do those dummies work? At every step of the Dandelion Stem Phase, Beam nodes check whether the merged transactions (might be only one transaction) have at least 5 outputs.

If not, decoy outputs are added to the merged transactions, making sure that the number of outputs is at least 5.

You can view Beam blockchain explorers here or here and see that every block that has at least 2 kernels (meaning blocks that has at least one transaction which isn’t coinbase only) has at least 7 outputs (coinbase, fee, payee’s, 4 dummies).

Each one of the dummy outputs has a value of zero, but it is completely indistinguishable from regular outputs — all outputs look like random numbers.

At a later stage (a randomly chosen block height for each output), the node adds dummy UTXOs as inputs to a random transaction, most likely belonging to a different user, thus spending them and removing them from the blockchain, but also creating a relation between users that are in fact unrelated. Hence the “decoys” name.

It’s important to note that since those decoy outputs are eventually spent, the mechanism doesn’t create any permanent clutter on the blockchain.

Why the attack will be much harder to implement on Beam?

If a similar exercise were to be run on Beam, the researcher would probably still find a lot of transactions with a single kernel. While Beam network processes about 60% more transactions than Grin (averaged over the past 30 days), it is still not enough to guarantee that two or more real transactions “meet” always while in the Stem phase. However, because of the dummy outputs, such single-kernel transactions will not be useful for discovery of the transaction graph.

Decoys in Beam make building the transaction graph a probabilistic task, with the probability of a link between two wallets decaying exponentially with the growth of the number of hops.

As Ivan wrote in his explanatory tweet:

https://twitter.com/IvanBogatyy/status/1196441085221855233?s=20

It would not be true for Beam — even if transactions are not aggregated with others, they still have an anonymity set of at least 4 decoy outputs (it’s a configurable number).

Next step: Lelantus-MW

Decoy outputs in Beam increase the anonymity set, and make building a transaction graph using a technique described by Ivan much harder, but still possible to some extent. Other more sophisticated active attacks were also described by others, like Ian Miers’s flashlight attack.

Therefore, we implemented Lelantus-MW and will activate it soon.

Lelantus-MW will dramatically increase the anonymity set (100K outputs) and will make it almost impossible to build the transactions graph if the user chose to use Lelantus-mw transactions from time to time.

Read more about Lelantus-MW here and here.

And it ends with a challenge

We would like to challenge Ivan to perform an analysis on the Beam network to try to establish provable links between a meaningful number of wallets. Finding transactions with one kernel won’t really work here.