On Linkability of Mimblewimble

Tokendaily.com have recently published an article called ‘Mimblewimble: The Good and the Bad’ by Mohamed Fouda. The author claims that there are many articles that “have already highlighted the advantages of Mimblewimble without shedding enough light on the downsides” and sets out to discuss whether the protocol can indeed deliver on the ‘perceived privacy guarantees.’ It is always a good idea to carefully examine the pros and cons of any technology, especially such an important one as a confidential cryptocurrency. Due to the technical nature of the field, most people would always appreciate a thoughtful and fair analysis, especially one written in the language that could be understood without having to dive too deep into the infinite depths of cryptography and engineering. However, the paper shows several mispresented issues and that request some clarification.

Mimblewimble provides scalable privacy by default

Mimblewimble is an elegant solution for building a scalable, confidential cryptocurrency which ensures complete confidentiality without bloating the blockchain size. Each MW transaction consists of inputs and outputs in which the value is encrypted using a technique called Confidential Transactions. Also, unlike most other existing solutions, in MW transactions are created interactively by both the sender and the receiver which allows avoiding recording any address in the blockchain. The combination of these two mechanisms prevents potential attackers from extracting any information from the blockchain.

The scalability in Mimblewimble is achieved by implementing transaction cut-through which allows nodes to remove all intermediate transactions, thus significantly reducing the blockchain size without affecting its validation. It is important to note that cut-through is not in any way related to privacy. Each node may independently decide to store all received transactions and not perform the cut-through at all, which will result in this specific node spending more disk space on storing the entire blockchain, but will in no way affect the confidentiality of the protocol. Cut-through is purely a scalability feature resulting in MW blockchain being on average three times smaller than Bitcoin (and fifteen times smaller than Monero, even after the recent Bulletproofs upgrade) given the same amount of transactions.

Protecting against deanonymization attacks

Even though the Mimblewimble blockchain itself cannot be used for deanonymization attacks since it does not contain any addresses, it could still be possible to attack the network on a P2P level. For example, one could create a malicious node that will connect to all other nodes in the network, record all transactions and use this information to build a UTXO graph using the fact that most Pedersen Commitments within transaction inputs will have unique values. Research has shown [1,2] that in cases when simple Gossip protocol [3] is used, it would be possible to detect with high probability the IP address of the transaction origin node by recording and analyzing the times in which transaction was received from each connected node. This information can be then combined with additional data collected out of the chain to mount low-cost, large-scale deanonymization attacks.

Dandelion, [4] provides a solution for the above-mentioned problem which replaces standard Gossip implementation with a different P2P protocol. Instead of immediately broadcasting each transaction to all peers, the transaction is first sent through a series of randomly selected peers (stem phase) and only then diffused to the entire network (fluff phase). When drawn as a diagram, this schema resembles a dandelion flower, hence the name of the protocol. Each succeeding node independently decides whether to continue the stem phase or switch to fluff phase by rolling a dice with predefined probability.

Unlike some other mixing solutions (like the one used in Monero cryptocurrency) all commitments used in the stem phase have roughly the same age, thus limiting the ability to deconstruct the mix using age distribution [5].

In Mimblewimble, due to the transaction structure, it is possible to further improve on this solution by non-interactively merging transactions along the stem phase using the trick called ‘kernel offset.’ Once transactions are merged, it is not possible to determine which input originally belonged to which transaction. To make sure minimal anonymity set is maintained even in the case where there are not enough stem phase transactions available, each node can add dummy inputs which are later removed without affecting the validity of the blockchain [6]

Dandelion is currently supported in both existing Mimblewimble implementations, Grin and Beam, but only Beam supports adding Decoy dummy inputs and outputs if needed.

The issue of linkability on IP level is relevant to all private cryptocurrencies and would require additional research and review from both academia and practitioners. Dandelion provides an effective defense against large-scale deanonymization attacks and is based on rigorous scientific research.

To conclude, new research and developments in the privacy domain still need to be conducted. Mimblewimble’s projects are on the cutting-edge of this approach which will allow to develop, innovate, embrace, and productize new solutions making Mimblewimble’s implementations in general and Beam in particular, a robust and reliable privacy coin.


References:

[1] Biryukov, Alex, Dmitry Khovratovich, and Ivan Pustogarov. “Deanonymisation of Clients in Bitcoin P2P Network.” Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security — CCS ’14 (2014): n. pag. Crossref. Web.

[2] Philip Koshy, Diana Koshy, and Patrick McDaniel. 2014. An analysis of anonymity in bitcoin using p2p network traffic. In International Conference on Financial Cryptography and Data Security. Springer, 469–485.

[3] Demers, Alan; Greene, Dan; Hauser, Carl; Irish, Wes; Larson, John; Shenker, Scott; Sturgis, Howard; Swinehart, Dan; Terry, Doug (1987–01–01). “Epidemic Algorithms for Replicated Database Maintenance”. Proceedings of the Sixth Annual ACM Symposium on Principles of Distributed Computing. PODC ’87. New York, NY, USA: ACM: 1–12. doi:10.1145/41840.41841. ISBN 089791239X.

[4] Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees

https://arxiv.org/abs/1805.11060

[5] An Empirical Analysis of Traceability in the Monero Blockchain https://arxiv.org/pdf/1704.04299/

[6] https://github.com/BeamMW/beam/wiki/Transaction-graph-obfuscation