Breaking Mimblewimble’s Privacy Model

I was not able to find any reference to this article by Ivan Bogatyy on the forum, so I decided to start this discussion.

The question is straightforward: would the Grin community accept the lack of privacy (linkability with amount obfuscation), or could some workaround be found?


This is a major issue, however it is definitely not news. In fact, finding out ways to mitigate this has been a priority for a while.


Does this problem get better as the network becomes more popular?

  • when more nodes exist in total, it’s more difficult to run a supernode
  • when more transactions are sent per minute, it’s more likely that one will be cut through in stem phase before it arrives at a supernode

More difficult yes, but absolutely not difficult enough. Privacy needs to exist against powerful adversaries (e.g. CIA, NSA) who have the budget to run six gorillion nodes.


A few grin developers and community members co-authored a response to this article.


Hmm. Judging by the response of the price of Grin today - down ca. 17% as of a few seconds ago - there appear to be a lot of folks who weren’t fully au fait with this vulnerability, notwithstanding that the author of the article seems to have bigged up his claims of breaking the privacy model. Maybe someone with sufficiently deep technical understanding should explain why even given the potential for linkability between inputs and outputs, this doesn’t necessarily mean the actual originator of a transaction could ever be identified?


You don’t know if the coins still belong to the same person after a transaction.

But often it does mean this. Grin is not private, and the response to yesterday’s article proves exactly why we need to be more vocal about this fact. We intend for it to be private sometime soon, and we have several paths we could take to get there, but as is, it’s transparent AF. The only thing hidden are amounts.


Ivan Bogatyy writes in response to lehnberg's article:

Right now, if Alice purchases Grin on an exchange and later uses it to shop on a darknet market, a sniffer node will capture a precise, undeniable trail of commitments (starting at the KYCed exchange commitment and ending on the darknet market) that incriminates Alice. Alice would not expect that, because she thinks Grin is “private” and further, public block explorers can’t show that link, only the special sniffer nodes can. This is the key point.

I consider this a serious issue; that it is “no big deal” because it was known to some cryptographers all along is not really comforting.
In the thread “Why are you interested in Grin?” many replies are about being interested in Grin because of its “privacy”. Privacy is a key aspect of financial freedom, thus I'm glad to see that devs like @david are addressing it (Yo Dawg, I heard you like CoinJoins).


OK, but IP addresses are not uncovered with the sort of probing carried out by the sniffer nodes described in Bogatyy’s article - correct?

I actually recall discussion of the existence of this whole issue at Grincon0 about this time last year in Berlin, during or after an address about Dandelion by lesceller… it's as if someone has gone out and shown something to be the case that deeply embedded people were so aware of, they weren't bothered to demonstrate it. Deeply embedded people, but not everyone… The important takeaway may be not so much that this deficit has been shown in practice but that there is a need for more/better education of potential Grin community members/users/investors/adopters.


Correct, IP address is not leaked.

Totally agree about lack of education. There were a lot of inflated expectations among casual grin users.


Actually, it is not that easy, I think.

You cannot easily confirm that Alice spent on a darknet market,
because it's not a Bitcoin address; only if the commitment the darknet market received is later spent on some KYCed market.

You can’t confirm Alice spent money on the darknet with Bitcoin either if the darknet site generates new addresses for each transaction. However, they may not be cautious enough and link their different addresses in the future, at which point you would be incriminated. Same goes for Grin.

ELI5: What sort of ideas are there for rendering it private? A brief enumeration?

Dandelion tweaks for increasing stem phase aggregation, adding decoy inputs and outputs, improving input selection, using coinjoin servers, payment channel hubs, etc. Mimblewimble is unique, and offers many possibilities. We’ve just got to figure out which combinations lead to the best outcome and tradeoffs.
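To make the stem-phase point from the earlier exchange concrete (a transaction that is cut through before it reaches a supernode leaves no trail) and the aggregation idea listed above, here is an added toy model of Mimblewimble transaction merging; it is not Grin's code, commitments are opaque labels standing in for Pedersen commitments, and the scenario (exchange, Alice, market, Bob, Carol) is constructed.

```python
# Added example, not Grin's code. Commitments are opaque labels standing in
# for Pedersen commitments; amounts and kernels are omitted because they do
# not change which input/output links an observer can draw.

class Tx:
    def __init__(self, inputs, outputs):
        self.inputs = frozenset(inputs)
        self.outputs = frozenset(outputs)

def aggregate(txs):
    """Merge transactions the way a stem-phase relay may before fluffing.
    Cut-through drops any commitment that is both created and spent inside
    the aggregate, so that intermediate output never reaches the chain."""
    ins = frozenset().union(*(t.inputs for t in txs))
    outs = frozenset().union(*(t.outputs for t in txs))
    cut = ins & outs
    return Tx(ins - cut, outs - cut)

def candidate_sources(observed):
    """For each output, the inputs an observer of `observed` cannot rule out
    as its funding source. A node that receives each transaction on its own
    gets one exact input set per output; an observer of only the aggregate
    gets every input in it."""
    sources = {}
    for tx in observed:
        for out in tx.outputs:
            sources.setdefault(out, set()).update(tx.inputs)
    return sources

# Constructed scenario: an exchange pays Alice (C_alice), Alice pays a
# market (C_market), and an unrelated Bob pays Carol in the same window.
exchange_to_alice = Tx({"C_exch"}, {"C_alice", "C_exch_change"})
alice_to_market = Tx({"C_alice"}, {"C_market"})
bob_to_carol = Tx({"C_bob"}, {"C_carol", "C_bob_change"})

def sniffer_view():
    # A node peered with everyone sees each transaction before aggregation,
    # so it can chain C_exch -> C_alice -> C_market.
    return candidate_sources([exchange_to_alice, alice_to_market, bob_to_carol])

def aggregated_view():
    # All three merged in the stem phase before reaching the observer:
    # C_alice is cut through and every output has two candidate inputs.
    merged = aggregate([exchange_to_alice, alice_to_market, bob_to_carol])
    return candidate_sources([merged])

if __name__ == "__main__":
    print("sniffer:   ", sniffer_view())
    print("aggregated:", aggregated_view())
```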


Could you elaborate on the decoy inputs/outputs idea? This sounds intriguing.

There was some discussion in the Keybase channel grincoin.teams.node_dev#research

That channel is closed to the public I’m pretty sure.

No - that channel is completely open to anyone who wants to join.

Ah, I confused it with What a headache to navigate Keybase teams.