Breaking MimbleWimble - Reading Assignment

The author was only connected to about 6.7% of nodes, but was able to link 96% of txs.

• What is a ‘sniffer node’?
  It observes the timings of each transaction and is able to correlate each sender and receiver before the cut through aggregation occurs.

• Which pieces of information can be determined by a supernode? Which pieces cannot?
  Can deaggregate the transactions if caught before mixed. Amounts are still shielded however

• What % of live nodes did the author connect with?
  6.7% (200)

• What single potential solution is mentioned? Can you think of another?
  combining Mimblewimble with another protocol that obscures the transaction graph, e.g. Ethereum 9 3/4. Could you set up a tx batch timing delay where a certain number of transaction are sent to the node at once? Just a guess

• MimbleWimble’s anonymous wallet address feature doesn’t allow the sniffer nodes to gather any useful information whatsoever. And with the input and output values shielded, i don’t see value in deaggregating the OWAS.
  Correct me if I’m wrong

1. Sniffer node serves as a distant observer for the network and takes note of transaction before aggregation.
   2.Which pieces of information can be determined by a supernode? Which pieces cannot?
   A supernode determines origin of transaction, but not single transaction post-aggregation.
   3.What % of live nodes did the author connect with?
   15%
   4.What single potential solution is mentioned? Can you think of another?
   Combine MimbleWimble with another protocol that has a commitment-nullifier scheme.
2. Nothing to add.

actually it was just 6%, but could link more than 96% of txs.

. Its a node that does not only implement the network protocol but listens to network traffic with the aim of extracting informations.

. It could link transaction inputs and outputs. It cannot link it to a common address since no address exists in the MW scheme. The node cannot make accurate assumption about the ip addresses originating the transactions’

. About 7%.

. Obscuring the transaction graph (ie. by using a protocol such as Ethereum 93/4). Another way would be to increase the anonymity set by having more users.

. A privacy coin does not exist. What exist are more (or less) private coins.

1. What is a ‘sniffer node’?
A sniffer node is a network node that is used to track the sender and receiver of a transaction before it is mixed or aggregated.
2. Which pieces of information can be determined by a supernode? Which pieces cannot?
As per the initial article, if the supernode is selected as part of the dandilion phase, then it would be able to track the source and target IPs.
3. What % of live nodes did the author connect with?
200 of 3000 = 6.6%
4. What single potential solution is mentioned? Can you think of another?
Ethereum 9¾ which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme
5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?
Yes. As a rebuttal, it was well structured, but I think it would really help to cement the points with a detailed example. Something which explains 1) how money can be sent without addresses, 2) what information gets stored on chain, 3) what sender and receiver information is stored vs discarded, etc. Providing the viewpoint of the original article and contrasting it with the correction would really help people grasp the difference.

1.What is a ‘sniffer node’?
A node used to detect if mixing is being done on the blockchain.
2. Which pieces of information can be determined by a supernode? Which pieces cannot?
A supernode can determine the transactions in an aggregation if it sees them before they’re aggregated. However, if two transactions intersect in their Dandelion path before the supernode sees them then it can’t disaggregate them

3.What % of live nodes did the author connect with?
The author connected with 6.67% of live nodes
4. What single potential solution is mentioned? Can you think of another?

5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?
   I think the response covers that they are far from perfect and like most cryptocurrencies can take steps towards improving things overall. I would not have anything further to add.
   

1. What is a ‘sniffer node’?
   A ‘sniffer node’ can observe the network and take note of the original transactions before they get aggregated.

2. Which pieces of information can be determined by a supernode? Which pieces cannot?
   The supernode can find the link between inputs and outputs but not the amounts.

3. What % of live nodes did the author connect with?
   Around 6,6%

4. What single potential solution is mentioned? Can you think of another?
   Combining MimbleWimble with another protocol is a mentioned potential solution.

5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?
   Nothing to add from my side.

1. watches the network for the original transactions
2. the link between the inputs & outputs, but not the amounts
3. 6.6%
4. by combining another protocol
5. seem like there might be some turf wars going on

1.- A node that can be useful to extract transaction information before it gets aggregated and therefore anonymized.

2.- A supernode has access to any transaction that enters fluff phase.

3.- Around 6.67% (200 out of 3000 nodes)

4.- Combining protocols, since not everything is apparently lost in mimblewimble, it does some things right like hiding amounts but another protocol could cover their flaws. Not really, I think its either forking the protocol (which can be hard) or merging it with another protocol.

5.- I think it is a pretty solid answer so, no.

1. A ‘sniffer node’ observes the network and take note of the original transactions before they get aggregated. So a sniffer node that picks up all transactions before cut-through aggregation is finished, by archiving all messages observable in the P2P network, will allow the user to unwind the “super-transaction” i.e. basically one giant CoinJoin.
2. The pieces of information which can be determined by a supernode are transactions on the Dandelion. If the supernode user sees either transaction before they’re aggregated, they can use simple set subtraction to disaggregate them. Therefore, the only way that they cannot catch a transaction before it is aggregated is if two transactions both intersect in their Dandelion path before the supernode sees either of them.
3. Out of a total number of 3000 live nodes in Grin’s network the author connected with 200 of them. So 200/3000 x 100 = 6.666…7%
4. The single potential solution mentioned is to combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme). If it is possible another way would be to implement “Stealth Addresses” as used by Monero to provide a way to hide a transaction’s destination.
5. It appears, according to the GRIN team, that numerous claims, including the title of the article itself, are factually inaccurate. Also in all fairness the team does state that it has consistently acknowledged that Grin’s privacy is far from perfect. While transaction linkability is a limitation that they are looking to mitigate as part of their goal of ever-improving privacy, it does not ‘break’ Mimblewimble nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features useless.

• What is a ‘sniffer node’?
  A node which is being used to monitor the transaction throughout as an act of surveillance as opposed to acting as a validator.

• Which pieces of information can be determined by a supernode? Which pieces cannot?
  Those data not yet aggregated

• What % of live nodes did the author connect with?
  6.66%

• What single potential solution is mentioned? Can you think of another?
  -Combining it with another protocol to obscure the transaction graph (I believe Tari does this with Monero)
  -I would say a time lock, Beam has it, but I’m not sure if Grin does too

Tari is a merge mined sidechain for Monero, it doesn’t increase privacy of the main chain.

Oh yes, that’s right, thanks!

1. Sniffer nodes are meant to check information throughout the network before it is mixed and aggregated, in order to gain information on transactions involved in mixers like CoinJoin.
2. A supernode is a node connected to all other nodes, making it able to see any transaction being aggregated in the fluff phase (unless two transactions both intersect in their Dandelion path before the supernode catches them).
3. he claims he was able to “link 96% of all transactions while only connected to 200 out of 3000 peers”
4. He recommended combining MW with another protocol like Eth 9 3/4, “which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme”.
5. I don’t think so. They went over all the fallacies in the article and identified the sensationalization of the headline.

A sniffer node observes the network and take note of the original transactions before they get aggregated. It’s pretty straightforward if you just archive all messages you observe in the P2P network.

A supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity.

96%

Combine Mimblewimble with a Zerocash-style commitment-nullifier scheme. I think we need to add protocols that works for CoinJoin.

Like the author says, Mimblewimble has a way to go still.

• What is a ‘sniffer node’?

A node that picks up all transactions before cut-through aggregation is finished, it’s trivial to unwind the CoinJoin.

• Which pieces of information can be determined by a supernode? Which pieces cannot?

Able to the originator and the destination, Cannot see the amount of the transaction.

• What % of live nodes did the author connect with?

96%

• What single potential solution is mentioned? Can you think of another?

If you want strong privacy, you can always combine MimbleWimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines MimbleWimble with a Zerocash-style commitment-nullifier scheme).

• Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?

About the article I do not have enough knowledge. My opinion is the article proved Ivan Bogatyy did not do the proper research before he wrote the article and was either looking for 5 minutes of fame or was trying to put down Grin and MimbleWimble.

1.) Node that observes the Network
2.) Sender and Receiver. Not: Amount & IP-Address
3.) 200|3000 = 6,6%
4.) Combine Mimblewimble with another protocol
5.) The problem was already known and publicly discussed.
There aren’t addresses in Mimblewimble.
You can see trx but not who exactly is sending trx
Wihtout amounts you dont know what’s recipient Output and whats change Output

1. A sniffer node is a node participating in a peer2peer network whose intention is to collect information about the other participants.

2. A supernode cannot retrieve amounts, or likely even differentiate between other-party recipients and change outputs. They can identify inputs and outputs.

3. 6.66%

4. Author of original post suggests combining MW with another protocol such as Ethereum 9 3/4. I’m not sure that’s entirely necessary as per the Grin Response, the sniffer is not actually tracking addresses but merely inputs and outputs. If I understand correctly, new transactions are created not from new addresses but by proving knowledge of blinding factors used in previous pederson committments. Can those be linked? I’m unsure. Time to do more homework.

5. Not at the moment. Very well stated response.

1. They are nodes used as a monitor of the blockchain and the tx on it inn order to read thru mixing techniques like CoinJoin
2. They recieve each tx that enters the fluff phase before merging it with other tx to anonymize the process
3. 6,67% (divide the 200 peers he connected with by the 3000 total peers)
4. Suggested combinning Mimblewimble with a protocol that hides the tx graph such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme)
5. It is clear that there are problems to solve but the participation and collaboration at the time does not look like an option but hopefully in the future we can homologate ideas and technologies finding the best and transparent way to help final users