For all cryptocurrency has done to raise awareness of privacy, it seems to have spurred more projects than workable coins.
Grin, launched in January 2019, is one such privacy initiative facing tough questions as the excitement around its Mimblewimble adaptation has not lived up to recent empirical scrutiny.
Ivan Bogatyy, researcher at investment fund Dragonfly Capital, dropped a Medium bombshell last Monday, disclosing an “attack” capable of identifying 96 percent of the active senders and receivers on the grin network through the employment of “sniffer nodes.”
As the smoke cleared, one question emerged: What is privacy in crypto, anyway?
Gathering praise from the likes of ethereum co-founder Vitalik Buterin, litecoin creator Charlie Lee and others, Bogatyy detailed grin’s structural issues: issues, he claims, stemming from Mimblewimble itself.
Mimblewimble, the much-heralded privacy protocol created in 2016, anonymizes transactions through batching inputs per block, like a CoinJoin. After mixing the numbers associated with a sender in a pool of similar transactions, equivalent values are spit out on the other side as unidentifiable outputs.
Styled a confidential transaction (CT), this process typically works pretty well once it scales to a large enough anonymity set, wherein the sheer number of inputs shields the knowledge about the outputs after a mixing. In CT, the amount and public addresses are never exposed, mainly because addresses don’t exist in the Mimblewimble universe, just transaction inputs and outputs.
The first two cryptocurrencies based on Mimblewimble launched in January 2019: grin and beam. But, for both coins, “transaction graphing” remains a problem.
A well-connected sniffer node can sit on either side of the CoinJoin in what is called “linking.” As on bitcoin’s peer-to-peer (P2P) network, nodes communicate changes to the ledger from one to another, and a sniffer can pick out how transactions move by being well-connected to its peers. In fact, Bogatyy said it only took 200 of the 3,000 current peers on the grin blockchain to flesh out 96 percent of transaction sender and receiver addresses at the small cost of a $60 per week subscription to Amazon Web Services.
This issue was well known beforehand, however.
The Grin Foundation’s Open Research Problems page on GitHub publicly cited the problem as a point for future research along with analysis from Token Daily’s Mohamed Fouda over a year ago. Moreover, grin has never promised full anonymity, but only CT with the possibility of adding anonymity features down the road.
To Bogatyy, the research is about correcting public misunderstandings about privacy coins. But to Mimblewimble developers, the piece amounted to a smear.
“While some technical experts guessed that the vulnerability likely exists, I don’t think anyone knew the extent,” Bogatyy said in an email. “Before I ran the experiments, I couldn’t know myself it would be 96 percent.”
He said the goal of his research is to make the “technical knowledge more accessible.”
“I think Grin devs are very competent and don’t overpromise, but the public perception diverged from the technical fundamentals and followed the legend a little too much,” Bogatyy said.
Not all privacy coins are created equal. Rather, a privacy coin is one iteration of a subjective vision of privacy externally limited by what distributed protocols are physically capable of accomplishing.
In the case of Mimblewimble, CT is not much more than bitcoin with throw-away public addresses plus hidden transaction amounts, according to zcash co-founder and cryptographer Ian Miers.
“But we all know intuitively what privacy means: if you pay your psychiatrist or purchase a series of banned books from an online market, no one learns you saw a doctor and no one is going to kick down your door and search your house for illicit books,” Miers said in an email.
But in the world of public blockchains, where transaction data can be viewed and verified by all participants, there’s a catch.
“Because we all know cryptocurrency has a privacy issue, outsiders latch onto anything and hype it out of proportion,” Miers said.
Grin’s version of Mimblewimble is joined by others, namely beam, which Bogatyy also addressed in his research.
Noting the trouble with transaction graphing long ago, beam developers have implemented numerous amendments to Mimblewimble, including decoy outputs to break linkability, according to beam developer Guy Corem.
That’s why he’s taking issue with Bogatyy’s research.
“Beam and Grin developers were aware of transactions linkability from way before mainnets launched,” Corem said in a Telegram message. “[Bogatyy] didn’t look at Beam’s implementation. For example, in his technical write-up, he wrongfully stated that the decoys aren’t being spent.”
Decoy improvements or not, Bogatyy remains unimpressed. Following transactions through whisper nodes remains too easy even with the added protections, Bogatyy said.
“Ultimately, the best version of decoy-heavy Mimblewimble would look like a worse version of Monero,” Bogatyy said on his GitHub page. (It should be noted that no privacy coins are listed in Dragonfly’s portfolio.)
To grin developers, Bogatyy’s views are far off the mark.
Writing in a Medium post, grin developer Daniel Lehnberg said Bogatyy confused basic points such as transaction outputs versus addresses in the Mimblewimble system, misstated grin’s original privacy claims and did not contact grin developers while saying he did.
As it relates to transaction graphing, Lehnberg called the 96 percent figure irrelevant.
“Other than that ‘Output A spends to Output B’, it’s less clear what exactly is being identified here or what else the author is able to accomplish with this information,” Lehnberg wrote. “While it would be desirable to avoid leaking the transaction graph, the graph alone doesn’t necessarily reveal sender and receiver outputs.”
But, as Miers points out, you can still trace grin transactions regardless of whether they have addresses.
“It’s like you have a map of some part of New York City but you just don’t know which part because all the street names are missing. But the moment someone tells you the name of one intersection on the map, you can work out the rest,” Miers said. “The attack on Grin created this map with blank streets. You need one more step to give out the names, but that is the easy part.”
Furthermore, once you know a transaction’s beginning and end points, it doesn’t matter to anyone how much you spent, just that you spent it somewhere.
“So the world will learn you paid Pornhub or bought a lambo, but they won’t directly know for how much,” said Miers. “It isn’t useful unless it’s combined with much stronger privacy technology.”
As ethereum’s Buterin noted on Twitter, privacy depends on the number of users in an anonymity set: The more users mixing funds, the safer the funds pulled from the pool.
But it’s different for grin due to the nature of its protocol, which natively doesn’t have addresses like bitcoin to match transactions to, grin’s Lehnberg wrote on Medium:
"Grin is still very young and has yet to reach its full potential. Eleven months into mainnet, there is low network usage. In the last 1000 blocks, 22% contained only a single tx (and 30% contained no tx), meaning their inputs and outputs are trivially linkable. This won’t change until there’s greater network usage, but it still does not imply that sender and receiver identities are revealed."
Reviewing Bogatyy’s research, Lehnberg said he is skeptical of how he was able to “uncover who paid who in the Grin network,” as Bogatyy claimed on GitHub. Grin’s development team has only gone so far as to say the issue could reveal “entities,” not individuals.
“It’s one thing to say, ‘oh this theoretical attack is really straightforward and easy to carry out,’ it’s another to actually do it,” Lehnberg said on Telegram.
While the two sides may disagree over the technicals, Miers remains positive about Mimblewimble but characterizes grin as only a footnote in privacy coins’ history.
“Grin is a project that shows a lot of promise, but right now it isn’t accurate to call it a privacy coin or even a privacy project,” Miers said.