Factual inaccuracies of “Breaking Mimblewimble’s Privacy Model”

Daniel Lehnberg
Nov 18, 2019

TL;DR: Mimblewimble privacy is not “fundamentally flawed”. The described “attack” on Mimblewimble/Grin is a misunderstanding of a known limitation. While the article provides some interesting numbers on network analysis, the results presented do not actually constitute an attack, nor do they back up the sensationalized claims made.


An article titled “Breaking Mimblewimble’s Privacy Model” has been making the rounds today, in which the author asserts that they have somehow ‘broken’ Mimblewimble and Grin’s privacy model.

The “attack” that the author claims to have made is the well-documented and discussed transaction graph input-output-linkability problem. This is not new to anyone on the Grin team or anyone who has studied the Mimblewimble protocol. Grin acknowledged the ability to link outputs on chain in a Privacy Primer published on its public wiki in November 2018, before mainnet was launched. This problem encompasses Ian Miers’ “Flashlight attack”, which we have listed as one of our Open Research Problems.

Numerous claims, including the title of the article itself, are factually inaccurate. On a high level, the article reads as a not-so-subtle takedown piece that claims an attention-grabbing result. The conclusion of the article, however, contains many logical leaps that are not substantiated by the network analysis exercise that is described.

The Grin team has consistently acknowledged that Grin’s privacy is far from perfect. While transaction linkability is a limitation that we’re looking to mitigate as part of our goal of ever-improving privacy, it does not ‘break’ Mimblewimble nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features useless.

Rather than provide a point-by-point refutation of the article, we would like to point out the major issues we have with the research and its conclusions.

1) Mimblewimble does not have addresses

2) It’s not possible to link addresses that do not exist

“There are no addresses, only UTXOs hidden as Pedersen commitments.”

Subsequently, the following scenarios are painted:

“Say I’m law enforcement, and I know that an address belongs to a vendor on a darknet market. When you send your Grin coins to Coinbase, Coinbase links your address with your name.”

The Medium article continues:

“Or say an authoritarian government knows that a certain address belongs to a political dissident. You send that dissident a small donation.”

It’s unclear how law enforcement would know anything about a non-existent address, or how Coinbase could link an address that does not exist to a name. Or for that matter how an authoritarian government would be able to link a non-address to a political dissident.

We have to assume that the author conveniently confused transaction outputs (TXOs) with addresses, but these are not the same. And, as we’ve already detailed, the fact that TXOs can be linked is hardly news.

3) The number 95.5% is close to 100%. It also doesn’t mean much

4) The transaction graph alone does not reveal information about the transacting parties…

5) …and the author doesn’t seem to be aware of this

“what we uncover is the transaction graph: the record of who paid whom”

But that’s not how this works.

Let’s take a concrete example. Alice builds a transaction with Bob, perhaps via TOR, via grinbox, or via direct file exchange. Then, she broadcasts this transaction to the network via a hosted node, for example using wallet713.

In this example, a “sniffer node” monitoring the network would not uncover any information about Alice, and certainly not a record of who paid whom. The “Flashlight attack” is an active attack where an adversary is participating in the transaction building process. The network analysis exercise in this article is passive, and would not be enough.

6) The headline is misleading; nothing is being broken here

In conclusion

You never achieve greater privacy than the size of your anonymity set

Yet, Grin is still very young and has yet to reach its full potential. Eleven months into mainnet, there is low network usage. In the last 1000 blocks, 22% contained only a single tx (and 30% contained no tx), meaning their inputs and outputs are trivially linkable. This won’t change until there’s greater network usage, but it still does not imply that sender and receiver identities are revealed.
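An added example (not from the original article or the Grin code base) of how the linkability described above can be measured from block data alone: it counts the ways a block's inputs and outputs could be split among its transactions. It assumes one kernel per transaction, at least one input and one output per transaction, coinbase data excluded, and no hints beyond the aggregated block; the sample blocks are constructed.

```python
from math import comb, log2

def surjections(n: int, k: int) -> int:
    """Ways to assign n distinct items to k labelled groups, none left empty
    (inclusion-exclusion). Returns 0 when n < k."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))

def candidate_assignments(inputs: int, outputs: int, kernels: int) -> int:
    """Number of input/output-to-transaction splits consistent with one block.
    Assumption: each kernel marks exactly one transaction."""
    if kernels == 0:
        return 0  # empty block: nothing to link
    return surjections(inputs, kernels) * surjections(outputs, kernels)

def ambiguity_bits(inputs: int, outputs: int, kernels: int) -> float:
    """log2 of the candidate count; 0.0 means the split is fully determined."""
    count = candidate_assignments(inputs, outputs, kernels)
    return log2(count) if count > 0 else 0.0

def summarize(blocks):
    """Share of empty, single-tx (trivially linkable) and aggregated blocks."""
    total = len(blocks)
    empty = sum(1 for _, _, k in blocks if k == 0)
    single = sum(1 for _, _, k in blocks if k == 1)
    return {
        "empty": empty / total,
        "single_tx": single / total,
        "aggregated": (total - empty - single) / total,
    }

# Constructed sample: (inputs, outputs, kernels) per block, coinbase excluded.
SAMPLE_BLOCKS = [
    (0, 0, 0), (1, 2, 1), (2, 2, 1), (3, 4, 2), (0, 0, 0),
    (4, 6, 3), (1, 2, 1), (2, 4, 2), (0, 0, 0), (5, 7, 3),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_BLOCKS))
    for ins, outs, kernels in SAMPLE_BLOCKS:
        if kernels:
            bits = ambiguity_bits(ins, outs, kernels)
            print(f"{ins} in / {outs} out / {kernels} tx -> {bits:.1f} bits")
```

A single-transaction block always yields 0 bits, which is the "trivially linkable" case; the figure only grows as more transactions share a block.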

Privacy research is helped by collaboration

The author of the paper had Haseeb, Oleg, Elena, Mohammed, and Nader review their work, yet unfortunately, did not take the opportunity to let anyone in the Grin community do the same and offer (friendly) feedback on what they were about to publish. Doing so might have prevented this response, and could only have improved the quality of the work. In a tweet, the author of the article writes:

“Importantly, I have great respect for the Grin community and core developers, who have all been tremendously helpful in answering my questions.”

It almost sounds as if they’ve approached us here with the article, yet none of us have any recollection of encountering the author or this work in our Gitter channel or in Keybase. This was a missed opportunity to produce better quality research.

Co-authored by:
David Burkett, Jasper, @joltz, Quentin Le Sceller, Yeastplume.

This article’s format and opening paragraphs are inspired by Tony Arcieri’s post “Factual inaccuracies of ‘Facebook Libra is Architecturally Unsound’”.

Grin is built by a friendly open source community that is welcoming to new contributions, suggestions, and improvements. If you’re reading this and you’re a researcher or engineer, you may want to take a look at our Open Research Problems and see if there’s anything you might be interested in helping with. Come and say hi on Gitter or Keybase.
