Grin Wallet Anonymity

Wallets interact over http. Is it possible to identify participants in a transaction because of this?

An interesting (and kind of subtle) point here is the communication involved in interactively generating the transaction is “out-of-band” from the actual Grin protocol/network.

Once a transaction has been constructed and signed there are various things that can be done to minimize the surface area for identifying where it came from. It needs to be pushed to the Grin network for a miner to pick up, but this can involve layers of misdirection and timing delays etc.

The transaction itself provides zero identifying information about any of the participants.

Example -
Parties A and B could interact (completely offline, in some unspecified way) to construct and sign a transaction (A sends B some Grins). The transaction could then be handed to party C to push to the Grin network.
Nothing in the transaction would identify any of A, B or C.
C could wait for some arbitrary amount of time before pushing this transaction to the network (say an hour, to obscure when the transaction actually happened). C could also batch this transaction with a bunch of other transactions to further obscure it.
The api call C makes to push the transaction to the Grin network could potentially be observed by someone on the network (public wifi network for example). But there would be nothing in this network traffic that would identify A or B (only C making the api call itself).
Additionally if C was a miner on the Grin network they could feasibly include the transaction in a block without this transaction ever appearing on the network (there would be no api call pushing the transaction to the network to observe). The only thing any other node would see would be the individual inputs, outputs and transaction kernel (and nothing to associate them with each other).


Check out this BIP, which I think addresses exactly this concern.

From the abstract:

Dandelion is a new transaction broadcasting mechanism that reduces the risk of eavesdroppers linking transactions to the source IP.

Dandelion transaction propagation proceeds in two phases: first the “stem” phase, and then “fluff” phase. During the stem phase, each node relays the transaction to a single peer. After a random number of hops along the stem, the transaction enters the fluff phase, which behaves just like ordinary flooding/diffusion. Even when an attacker can identify the location of the fluff phase, it is much more difficult to identify the source of the stem.

This has the nice effect that even if you control many nodes, if you see a new transaction coming from a peer, it doesn’t necessarily mean that the transaction originates from that peer, it might be a few hops along the initial “stem”, and have originated from another node.

Currently you can construct a raw bitcoin transaction offline and propagate to the network through various ways. The point is that is not practical for the average user and many times you need to trust a third party to propagate your transaction. Grin needs some network encryption imo and Dandelion is interesting.

Perhaps the grin network could be layered entirely ontop of monero’s kovri project such that the grin network doesn’t even use location based addressing at all.

Possible to transfer GRIN offchain via Opendime-esque technology for local transactions? Trusting C seems to be a move away from a true P2P value transfer and wouldn’t be viable for most.