Breaking MimbleWimble - Reading Assignment

Read a silly ‘takedown’ of MimbleWimble that created lots of Twitter drama in 2019. Answer the questions and post your answers below:

1. What is a ‘sniffer node’?
2. Which pieces of information can be determined by a supernode? Which pieces cannot?
3. What % of live nodes did the author connect with?
4. What single potential solution is mentioned? Can you think of another?
5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?

1. Sniffer nodes are nodes used to “monitor” the blockchain and the various transactions in order to read through mixing techniques such as CoinJoin. They are able to check information throughout the network before it can be mixed or aggregated, providing relevant information about transactions.
2. They can be used to gather information about transactions so that it would be possible to disaggregate linked transactions around the Dandelion. It is not possible to see the single transactions once they have already been aggregated in a previous node.
3. 6,67% (divide the 200 peers he connected with by the 3000 total peers)
4. It mentions Ethereum 9 3/4 which is a protocol that obscures the transaction graph. Maybe it could be useful to implement a method that allows shielded transactions, so that it would not be possible to find specific information about who was the sender and who was the receiver.
5. I think it was a well-defined, rational and aware answer to the article. It is explicitly mentioned that Grin (and MimbleWimble) is a young project which has yet to prove its own potential, while also showing that the community which backs it up is open and amicable. I hope their project will prove its worth and will be able to grow and mature over time. Clearly there are issues to be solved, but it is not different from the situation which other projects (think about Bitcoin as well) had to face at the beginning of their evolution. And, more importantly, these issues are already known, which is a good starting point.

1.A sniffer node can observe the network and take note of the original transactions before they get aggregated and a sniffer node that picks up all transactions before cut-through aggregation is finished, it’s trivial to unwind the CoinJoin.

2. A supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity.

3.He was able to link 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network. 6,67% (divide the 200 peers he connected with by the 3000 total peers.

4. He suggested that combining Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

5.Grin’s privacy is far from perfect. While transaction linkability is a limitation that theyre looking to mitigate as part of their goal of ever-improving privacy, it does not ‘break’ Mimblewimble nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features useless. Grin and MimbleWimble is still very young and has yet to reach its full potential. Scientific analysis and scrutinizing of Grin’s protocol and codebase is something that are welcome in the community.

• What is a ‘sniffer node’?

A sniffer node picks up all transactions before cut-through aggregation is finished. Any sniffer node can just observe the network and take note of the original transactions before they get aggregated. It’s pretty straightforward if you just archive all messages you observe in the P2P network.

• Which pieces of information can be determined by a supernode? Which pieces cannot?

The origin of a transaction

• What % of live nodes did the author connect with?

15%

• What single potential solution is mentioned? Can you think of another?

Combine MimbleWimble with another protocol that obscures the transaction graph, such as in Ethereum 9 3/4 (which combines MimbleWimble with a Zerocash-style commitment-nullifier scheme).

• Read Grin’s Response:

https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9.

Would you add anything to it?

I don’t think I would anything to their response to the article. They have assured their community members that they weren’t approached and would have welcomed the collaboration with one another if they were asked to. This is what being a part of community is and how it grows.

1. A sniffer node can just observe the network and take note of the original transactions before they get aggregated.
2. All of the inputs and outputs are tossed into one giant bucket, with no easy way to determine who paid who within that bucket. Single transactions can’t be seen once they have been added to the bucket.
3. 96%
4. Couldn’t find an answer
5. Honestly, no.

1. A sniffer node can just observe the network and take note of the original transactions before they get aggregated.
2. A supernode can determine the origin of a transaction. It is however not possible to see the single transactions once they have already been aggregated in a previous node.
3. 6.67 % of live nodes (200 peers he connected with divided by total of 3’000 peers).
4. The single potential solution mentioned would be to combine MimbleWimble with another protocol that obscures the transaction graph. For example, Ethereum 9 ¾ : this combines MimbleWimble with a Zerocash-style commitment-nullifier scheme.
5. No, I don’t think I will add anything.

1. A ‘sniffer node’ captures and stores IP packets for traffic/content analysis
2. broadcast transactions (txinputs, txoutputs, txkernel(signature, excess_pub_key, fee, lockheigh)), blockdata mined, other protocol packets like neighbor node addresses. Cannot conclude where(IP) the txinput Alice comes from or the new txout Bob goes to (IP), due to Dandelion protection, also all tx real values are not seen only P.commitments and also no wallet from Alice or Bob Grin addresses can be seen.
3. 200/3000 ~ 6.66 %
4. transaction aggregation before reaching the sniffer makes impossible for the sniffer to unlink inputs and outputs if a single-transaction from the block data using set intersection. Decoy aggregation of fake inputs and outputs (of zero value coins) at the 1st starting/original transaction building.
5. Yes, they were really polite, I would add a request to access the study claims of 96% tracking of linkage with claimed supposedly ‘executed’ sniffer packet analysis, and also a request to change the title to a more correct one like 'proving a still unclaimed MW security property".

1. A sniffer node can monitor the network and take note of the original transactions before they get aggregated.
2. All of the inputs and outputs are tossed into one giant bucket, with no easy way to determine who paid who within that bucket. Single transactions can’t be seen once they have been added to the bucket.
3. 96%
4. To combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾.
5. Even though it remains young, the solution is not perfect: the right seeds have been sown.

1-A sniffer node encounters a transaction before it is aggregated, it is able to to link inputs and outputs, it can discover the origin and destination of transaction.

2- A supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity. The only only way a supernode cannot catch a transaction before it is aggregated is if two transactions both intersect in their Dandelion path before it sees either of them.

3- 96%

4- Combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

5- There are a lot of misinformation in the artucle about breaking mimblewimble. With time Grin will become more untifragile.

1. What is a ‘sniffer node’?
   A sniffer node observes the network and picks up the transactions before the aggregation in CoinJoin is finished, therefore able to spy on individual transactions.

2. Which pieces of information can be determined by a supernode? Which pieces cannot?
   A supernode can see transactions on the Dandelion path before they are aggregated by not after.

3. What % of live nodes did the author connect with?
   200/3000 = 6.67%

4. What single potential solution is mentioned? Can you think of another?
   Mimblewimble could be combined with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

5. Read Grin’s Response. Would you add anything to it?
   Some parts of the original article seem to be misleading.

• What is a ‘sniffer node’?
  • A node that participates like any other node, but with the main goal not being validating and broadcasting but picking up transactions before cut-through aggregation is finished, thereby unwinding the coinjoin.
• Which pieces of information can be determined by a supernode? Which pieces cannot?
  • Sender and receiver. Amount cannot.
• What % of live nodes did the author connect with?
  • 6.7%
• What single potential solution is mentioned? Can you think of another?
  • Author suggest that you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).
• Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?
  • Key takeaway is that MW is not broken at all, but it is just young and in development.

• What is a ‘sniffer node’?
  A sniffer node can just observe the network and take note of the original transactions before they get aggregated.

• Which pieces of information can be determined by a supernode? Which pieces cannot?
  each Grin node connects to 8 other peers. But by jacking up the number of peers, he can connect his sniffer node to every other node in the network. Assuming he stays alive long enough, eventually almost every node will connect to him, making him a “supernode”.

• What % of live nodes did the author connect with?
  He was able to link 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network.

• What single potential solution is mentioned? Can you think of another?

• Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?
  It looks like the article is “no news” for the grin team. the article gives new perspective for the first article…

1. What is a ‘sniffer node’?
A sniffer node is a node that picks up transactions and the information therein before cut-through aggregation starts.

2. Which pieces of information can be determined by a supernode? Which pieces cannot?
A supernode can determine the sender and receiver of a transaction prior to cut-through aggregation; however, a supernode cannot discover IP addresses or transaction amounts.

3. What % of live nodes did the author connect with?
The author connected with 96% of live nodes.

4. What single potential solution is mentioned? Can you think of another?
The single solution the author mentioned was to combine MimbleWimble with another protocol that obscures the transaction graph. Another obvious solution would be to implement ring signatures.

5. Read Grin’s Response. Would you add anything to it?
Excellent response! I would have left an open task: with the ease in which you “broke” MimbleWimble, I encourage you to do it again and attack it like a stress test or white-hat hacker. Write another article displaying your evidence that something malicious actually occurred. Show the damage of linking addresses in a protocol that doesn’t use addresses.

• What is a ‘sniffer node’?
  A peer in the network that can pick up transactions by just observing the network.

• Which pieces of information can be determined by a supernode? Which pieces cannot?
  TX inputs and outputs. Amounts cannot be determined.

• What % of live nodes did the author connect with?
  ~7% (200 out of the 3000 nodes in the GRIN network).

• What single potential solution is mentioned? Can you think of another?
  Combine mimblewimble with another protocol that obscures the transaction graph.
  The author says that his “spying” system does not work if:

“Therefore, the only way that I cannot catch a transaction before it is aggregated is if two transactions both intersect in their Dandelion path before I see either of them .”

Maybe nodes could add some kind of “dummy” transaction to force this aggregation.

• Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?
  A Grin block explorer analysis. And more elaboration on the network expected growth (in transactions) for the upcoming months/years.

1. a sniffer node, is a node "sniffing a network of nodes. It is used to bserve all transactions in order to read through transaction mixing, like coinjoin. It is looking to understand and link transactions before they get aggreagated
   2.a supernode is connected to all the other nodes. it can determone the orgin of the transaction and how many nods the transactions connected to
2. he connected to 200 nodes of a possible 3000 nodes so 6.67%
   4.he mentions combing mimble wimble with ethereium 9.3/4. i can not think of another
3. no but I have a question. in btc, or moero, a utxo is also am address that was already used. we link it to a person, because generally the person bought the currency on an exchange. so why would it not be same with a transaction output?

A sniffer node is an active node that connects to many, many other nodes and watches transactions in order to plot transaction graphs.

Supernodes can determine linkability.- what inputs correspond to which outputs. They still cannot determine amounts, as those are hidden behind Pedersen commitments.

200 out of 3000, or about 7%

One suggested solution is to combine MimbleWimble with another protocol that does obscure the transaction graph. Another one…? Just HODL !!!

I would add that MimbleWimble adds some very useful features to the privacy of transactions, is a young protocol, and that some of these shortcomings of MimbleWimble apply to most privacy coins as well and many are dealt with in other ways in other implementations, such as Beam.

Q1: A sniffer node is one that observes the market and takes notes of TXs before they are aggregated in order to de-anonymize them and gain info.

Q2: They can connect to all the other nodes in order to try and read TXs before they enter the fluff phase

Q3: He connected to 200 nodes out of the total 3,000 just under 7%

Q4: He suggested combining Mimblewimble with another protocol such as ETH 9 3/4 in order to help hide the TX graph.

Good question -

Because, for any number of reasons, the inputs of a transaction might not actually be related to those outputs.

Let’s say
tx1 ( input: Binance, output: Alice )
tx2 ( input: Alice, output: Bob )
tx3 ( input: Bob, output: Alice )

You’re saying tx1 output and tx2 input are linked. That’s correct, though they can be ‘mixed’ in a ring signature like Monero.

But tx2 output isn’t necessarily linked to tx2 input. Maybe Bob is a mixer service, or maybe there’s a coinjoin… Etc.

There’s also

1. Sniffer nodes are nodes used to “monitor” the blockchain and the various transactions in order to read through mixing techniques such as CoinJoin. They are able to check information throughout the network before it can be mixed or aggregated, providing relevant information about transactions.

2. They can be used to gather information about transactions so that it would be possible to disaggregate linked transactions around the Dandelion. It is not possible to see the single transactions once they have already been aggregated in a previous node.

3. 6,67% (divide the 200 peers he connected with by the 3000 total peers)

4. It mentions Ethereum 9 3/4 which is a protocol that obscures the transaction graph.

5.No