In a Medium blog post published on Nov. 19, Grin core dev Daniel Lehnberg argued that the so-called breakage did not go beyond the already-acknowledged privacy limitations of the coin’s protocol and relied on a passive attack vector that would be insufficient to glean actionable data.
Some basics of Grin’s protocol
Lehnberg’s post does not consist of a point-by-point takedown of the original article, which was published yesterday by Ivan Bogatyy, a researcher at United States-based Dragonfly Capital Partners.
Instead, it targets what it deems to be unsubstantiated logical leaps and factual inaccuracies that Bogatyy used to corroborate his claim.
As previously reported, Grin’s protocol “Mimblewimble” is a variant of the cryptographic protocol known as Confidential Transactions, which uses cryptographic primitives known as “Pedersen commitments.”
These obfuscate sensitive transaction data rather than showing plaintext transaction values and can, therefore, prevent double-spending while improving privacy. They allow transactions to be validated with basic arithmetic over public parameters, while the corresponding transaction input and output values remain unknown variables.
The protocol notably does not use wallet addresses or public keys, only inputs and outputs. Because of this, each sender must contact a receiver via a private channel in order to construct a transaction.
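As an added illustration of the commitment arithmetic described above (this is not code from Grin or from either article), the toy Python below stands in modular exponentiation for Grin's secp256k1 curve points and assumes two bases G and H with no known relation; the node-side check confirms that hidden inputs equal hidden outputs plus the fee without ever seeing a value.

```python
import hashlib
import math
import secrets
# Toy Pedersen commitments in the multiplicative group mod a 127-bit prime.
# Constructed for illustration: Grin commits with secp256k1 curve points,
# but the balance check a node performs is the same arithmetic.
P = 2**127 - 1      # modulus (the Mersenne prime M127)
ORDER = P - 1       # exponents are reduced mod P-1
G, H = 3, 5         # value base and blinding base; assumed independent

def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind (mod P)."""
    return pow(G, value, P) * pow(H, blind, P) % P

def challenge(E, R, fee):
    """Fiat-Shamir challenge binding the kernel excess, nonce and fee."""
    data = f"{E}:{R}:{fee}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def build_tx(in_values, out_values, fee):
    """Wallet side. Blinding factors stay private; the kernel carries only
    the fee, the excess E = H^(sum out blinds - sum in blinds) and a Schnorr
    proof that the wallet knows that exponent (so E has no G component)."""
    in_blinds = [secrets.randbelow(ORDER) for _ in in_values]
    out_blinds = [secrets.randbelow(ORDER) for _ in out_values]
    inputs = [commit(v, r) for v, r in zip(in_values, in_blinds)]
    outputs = [commit(v, r) for v, r in zip(out_values, out_blinds)]
    excess = (sum(out_blinds) - sum(in_blinds)) % ORDER
    E = pow(H, excess, P)
    k = secrets.randbelow(ORDER)
    R = pow(H, k, P)
    s = (k + challenge(E, R, fee) * excess) % ORDER
    return inputs, outputs, {"fee": fee, "excess": E, "sig": (R, s)}

def verify_tx(inputs, outputs, kernel):
    """Node side: sees commitments only, never values or blinding factors.
    prod(outputs) * G^fee == prod(inputs) * E holds iff sum(in) == sum(out) + fee;
    the Schnorr check rejects an E padded with a G^x term to fake that balance."""
    E, (R, s) = kernel["excess"], kernel["sig"]
    lhs = math.prod(outputs) * pow(G, kernel["fee"], P) % P
    rhs = math.prod(inputs) * E % P
    if lhs != rhs:
        return False
    return pow(H, s, P) == R * pow(E, challenge(E, R, kernel["fee"]), P) % P

if __name__ == "__main__":
    # 15 in == 14 out + 1 fee verifies; 10 in vs 20 out is rejected.
    print(verify_tx(*build_tx([10, 5], [12, 2], fee=1)))
    print(verify_tx(*build_tx([10], [20], fee=0)))
```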
Supplemental privacy features
As outlined in Cointelegraph’s coverage yesterday, Bogatyy had focused on the use of a default, supplemental feature to MimbleWimble called CoinJoin, which creates small “anonymity sets” by combining encrypted inputs into a single large transaction in such a way that it is difficult to distinguish which inputs are paying which outputs.
Bogatyy also claimed to have conducted a successful “attack” on a supplemental feature called “Dandelion” that is used by Grin to reduce the chance of so-called “spy nodes” recording transactions before cut-through, while they are still in an unconfirmed transaction pool (or “mempool”).
While the limitations of Grin’s overall privacy model — which is significantly more complex than space permits to outline here — are known, Lehnberg’s critique of Bogatyy’s research rests on what he judges to be key “inconsistencies.”
These include the implication that it would be possible for law enforcement to link intercepted data to a user address — when, as Lehnberg states, addresses do not exist within Grin’s privacy model at all. He adds:
“We have to assume that the author conveniently confused transaction outputs (TXOs) with addresses, but these are not the same. And, as we’ve already detailed, the fact that TXOs can be linked is hardly news.”
Lehnberg’s critique of Bogatyy’s claims goes on to address several further points, with his central line of argument — details aside — resting on the statement that:
“The Grin team has consistently acknowledged that Grin’s privacy is far from perfect. While transaction linkability is a limitation that we’re looking to mitigate as part of our goal of ever-improving privacy, it does not ‘break’ Mimblewimble nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features useless.”
In October, the Litecoin Foundation published two new draft proposals that pave the way toward integrating MimbleWimble in order to establish privacy features for the Litecoin (LTC) network.