Breaking MimbleWimble - Reading Assignment

Privacy Coins - Ultimate Course
#21
  1. Sniffer nodes pickup transactions through the whole network to disaggregate the blocks
  2. can determine who send who, not how much was sent
  3. 200 peers out of 3000 = 6.67%
  4. combine Mimblewimble with a Zerocash-style commitment-nullifier scheme to obscure the transaction graph. Decoy zerocoin outputs aggregated at the orginating broadcast.
  5. They pretty much debunked the claims that were made and would have to agree with the position that improvements on privacy are made compared to bitcoin’s privacy in a scalable manner on chain, yet without the need for trusted setup and high tx cost, and by default. The known limitations were no news for the development team, which the writer could have known, had he just asked. Seems like he preferred to write a clickbait article or spread FUD, though he kept some politeness as well.

Question:
The only thing that I do wonder, which is not entirely clear: although UTXOs aggregated in 1 block can be linked by deaggregation. However, if an observer would sniff multiple blocks, could he then even link UTXOs from different blocks. To my understanding, since MW uses One Time UTXOs, it would be impossible to link previous transactions from previous blocks to a UTXO from a certain block. Which basically means that only if the identity of both sides in 1 and the same transaction are unveiled, would it be useful information, however there is no way of retrieving a transaction graph of the history based on that information. Is this a correct understanding?

1 Like
#22

  • What is a ‘sniffer node’?
    Is a node "sniffing a network of nodes. It is used to observe all transactions in order to read through transaction mixing, like coinjoin. It is looking to understand and link transactions before they get aggreagated

  • Which pieces of information can be determined by a supernode? Which pieces cannot?
    TX inputs and outputs. Amounts cannot be determined.

  • What % of live nodes did the author connect with?
    ~7% (200 out of the 3000 nodes in the GRIN network).

  • What single potential solution is mentioned? Can you think of another?
    Combine mimblewimble with another protocol that obscures the transaction graph.

  • Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?

1 Like
#23

  1. A “sniffer node” is a node that is set up to monitor network activity in order to identify users of the network and connect them to their transactions.

  2. A supernode can see all the transaction information broadcast on the network, but because of the blinding factors and Pedersen Commitments, cannot gain any useful information about particular transactions, and due to Dandelion, cannot collect useful IP data.

  3. He connected to about 6.6% of nodes to perform the “attack”.

  4. He recommends a system that combines Mimblewimble with a Zerocash-like system that obscures the transaction graph, mentioning Ethereum 3/4.

  5. I think its worth noting the difference in style and tone between the two articles. When I read the part where the GRIN writers admitted that 30% of GRIN blocks currently contain NO transactions at all, I was impressed by how truthful and humble they are about their project and how soft spoken the tone of the piece was in relation to the self-important and sensational feel of the supposed revelation of Mimblewimble’s flaw was. This leads me to feel that the members of the GRIN team are more trustworthy than the conductor of the “attack”.

1 Like
#24

I think you have it right – disaggregating a transaction in one block just links to some output from a previous block, but that output has been aggregated as well. If you were sniffing at the time of the previous tx, you may make another connection. But once transactions are posted, the connection can’t be reconstructed from what’s on-chain.

3 Likes
#25

Ah so in fact when sniffing continuously, it would be possible to make connections continuously as well. I was under the impression that links between transactions between different blocks (even if disaggregated), weren’t even possible; only if transactions happened within the same block. Thanks for clearing that up.

1 Like
#26

  1. What is a ‘sniffer node’?
    A node connected to the network whose main objective is collect data/metadata in order to get conclusions or information about the transactions and the participants in that network (amount, identities, …).

  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
    Transactions in the Dandelion paths.
    Transactions that both intersect in their Dandelion paths before the supernode sees either of them.

  3. What % of live nodes did the author connect with?
    200 of 3000, that is 6,67%.

  4. What single potential solution is mentioned? Can you think of another?
    Combine Mimblewimble with another protocol that obscures the transaction graph.

  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?
    I like the transparency and the sincerity of Grin´s team.
    By the way, it was last article on Medium from Ivan Bogatvy. Dragonfly Research keeps on publishing some interesting articles.

1 Like
#27

Good find! They do indeed.

1 Like
#28

1 - What is a ‘sniffer node’?

A sniffer node picks up all transactions before cut-through aggregation is finished, it’s trivial to unwind the CoinJoin. Any sniffer node can just observe the network and take note of the original transactions before they get aggregated.

2 - Which pieces of information can be determined by a supernode? Which pieces cannot?

Super nodes can view transactions before cut-through aggregation is finished, but the amount sent cannot be viewed.

3 - What % of live nodes did the author connect with?

During the attack the attacker was able to link 96% of all transactions, while only connecting to 200 peers out of the total 3000 peers in Grin’s network.

4 - What single potential solution is mentioned? Can you think of another?

The author mentioned asingle solution that combines MimbleWimble with another protocol in order to obscure the transaction graph.
A ring signatures implementation may also be used.

5 - Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?

Grin’s response was that its privacy is work in progress. Grin is aware that transaction linkability is a limitation, they are researching a solution to improving their privacy. Their solution will not ‘break’ Mimblewimble, nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features ineffective. They recognize that Grin and MimbleWimble are in their infancy and are yet to reach their full potential. Further scientific analysis and inspection of Grin’s protocol and codebase is welcomed within the community.

1 Like
#29
  1. Sniffer node is a node that can effectively can see transactions before the coinjoin and determine who sent who money.
  2. transaction participants can be determined - values cannot be
  3. 15%
  4. " It allows cut-through aggregation, which is an effective compaction technique for full nodes, and efficiently hides transaction amounts. If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme."
  5. It has been a well thought answer and indepth marking the issues in the article beforehand.
2 Likes
#30

  1. A sniffer node is a node that observes the network and records all transactions on that network.

  2. A supernode can see all transactions and then break each transaction down to its individual components. If 2 transactions intersect on their paths then the super node cannot break these down.

  3. 200

  4. By using a Bitlaundry.

  5. Yes I would have asked him to provide evidence of is attack. Grin has already called him out on not having contacted them even though he has said he did so why not also challenge him on his attack.

1 Like
#32

#4 check again (or scroll up :slight_smile: )

1 Like
#33

#1 - What is a ‘sniffer node’?
A node set up by an attakcer to uncover information before MW cut-through is performed

#2 - Which pieces of information can be determined by a supernode? Which pieces cannot?
Inputs and Outputs

#3 - What % of live nodes did the author connect with?
6,667%

#4 - What single potential solution is mentioned? Can you think of another?
Expanding the Dandelion factor

#5 - Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?

1 Like
#34

  1. A sniffer node spies and observer the network and consequently could detect the original transaction before they get into a mixer (CoinJoin)

  2. A supernode can monitor the transaction (originator) or better to say sender and receiver) but not the spend amount and IP address.

  3. To around 6,7 %

  4. Combine Mimblewimble protocol with other protocols such as Ethereum 9¾ (Aim: Obscuring transaction graph). Maybe there is a possibility to prevent that a supernode could exist. Not allowing to connect to more than XX number of peers/Nodes. The number of course should be chosen by experts. It should be also possible with RingCT

5.I think it was a very honest answer. In my opinion everything was clearly stated without given any false promises. Maybe he should write question which the “hacker” should give an answer for(for example what information did he found out, so the attacker give more detailed information about what he actually could find out).

1 Like
#35

Use something that obscures the transaction graph as in Etherium 3/4. Could you put this through a laundry or have I missed the point?

1 Like
#36

That’s right - okay I see where you were coming from with BitLaundry, makes sense now.

#37
  1. What is a ‘sniffer node’?

A sniffer node that picks up all transactions before cut-through aggregation is finished, it’s trivial to unwind the CoinJoin. Any sniffer node can just observe the network and take note of the original transactions before they get aggregated.

  1. Which pieces of information can be determined by a supernode? Which pieces cannot?

Super nodes can view transactions before aggregation is finished, but the IP/amount sent cannot be viewed.

  1. What % of live nodes did the author connect with?

96%

  1. What single potential solution is mentioned? Can you think of another?

To combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

  1. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?

No.

1 Like
#38

image
image659×644 158 KB

1 Like
#39

1. What is a ‘sniffer node’?
A sniffer node observes the network and takes note of the original transactions before they get aggregated.

2. Which pieces of information can be determined by a supernode? Which pieces cannot?
The origin of a transansaction can be determined. But when inputs & outputs are pooled, there isn’t really a way to determine who paid whom; Once an individual transactions has been added to the pool, it can’t be singled out/ determined.

3. What % of live nodes did the author connect with?
6.67%

4. What single potential solution is mentioned? Can you think of another?
Combine Mimblewimble with another protocol such as Ethereum 9 3/4 (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

1 Like
#40

  1. What is a ‘sniffer node’?
    A sniffer node logs all intermediary transaction gossiping data, including not-yet-aggregated transactions. Using this data, you are able to trace transactions.

  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
    All of the (origin)inputs and outputs, the txkernal (signature, excess_pub_key, fee, lockheigh) etc.

  3. What % of live nodes did the author connect with?
    96%

  4. What single potential solution is mentioned? Can you think of another?
    Mentioned solution is to combine MimbleWimble with another protocol.

  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?
    Difficult to add something :slight_smile:

1 Like
#41

• A sniffer node is an observer that picks Tx before the cut-through aggregation is finished.
• A Supernode will be able to see where the payment is coming from and where it is going, as well as IP addresses. The only piece it cannot see is amounts or if 2 transaction intersect each other in their Dandelion path before the supernode sees them, according to the article.
• He claims to have connected to 200 nodes and linked 96% of Tx.
• To combine Mimblewimble with another protocol that obscures the transaction graph.
• I found it hard to believe that a full team of developers would overlook something so easy to accomplish to break Mimblewimble, specially when you have Grins and Beams team collaborating and exchanging ideas.

1 Like