TX Graph Confidentiality

Hi. Just read this article about Grin: MimbleWimble: The Good and The Bad - Token Daily, but I’m confused because it says:
“When MW transactions are published to the unconfirmed TX pool, the TX inputs and outputs are still visible… it is possible and probably easy for anyone to keep a recording of all the transactions from the unconfirmed transaction pool. This data could be used to build detailed transaction graphs of the network.”
From my recollection of reading the Grin docs and watching the crypto presentations by Andrew Poelstra this statement is incorrect, but I’m not an expert so I thought it would be better to just come here to ask you guys. Is it possible for someone to log data on the network and reconstruct the tx graph? Thanks :slight_smile:

Yes, it is possible to learn the transaction graphs, by just listening to new transactions that are broadcast over the network. However, this is somewhat mitigated by the implementation of the Dandelion protocol, where transactions are aggregated during the stem phase before they are broadcast to the whole network (fluff phase). Exactly how much aggregation we can expect is hard to say right now, and is also dependent on a lot of variables, such as the number of nodes, tx/sec and some of the timers.
In addition, I expect that some companies will offer transaction aggregation services, which will guarantee a level of aggregation before network wide publish.

1 Like

Thanks for the reply!

So then if I understand you correctly… someone could log the entire tx graph, but it would be of little relevance because:

  • inputs and outputs are only used once and then cut through (rather than tied to an account like Ethereum)
  • tx are propagated through the network via Dandelion making it ~ impossible to tell where they originated while also preserving IP anonymity
  • Schnorr signatures are used to create Confidential Transactions that make it impossible to tell how much was spent

Is that correct?

inputs and outputs are only used once and then cut through

Yes, they look like random curve points. As an example, this recent block contains some transactions. It's just a bunch of kernels, inputs and outputs. There are no addresses.

tx are propagated through the network via Dandelion making it ~ impossible to tell where they originated while also preserving IP anonymity

Yes, and even stronger: because there is aggregation along the stem, it will become harder for other parties to see which parts belonged to the same transaction. This aggregation is a special feature of MW that is not possible with a Dandelion implementation for other currencies like Bitcoin.

Schnorr signatures are used to create Confidential Transactions that make it impossible to tell how much was spent

Yes, although Schnorr signatures are not critical for CT to work.

2 Likes

Great! Thanks for explaining that further :slight_smile:

Not to get too into the weeds, but if someone were to log all the tx:

  • currently they would be able to learn little to nothing.
  • if they had a quantum computer that could break the elliptic curve crypto, then they might be able to decrypt some things like tx amounts, but they would still be left with a coinjoined network that somewhat resembles how Monero looks today, which would make it hard (but not impossible) to correlate tx by matching inputs and outputs or using other data analysis techniques laid out in the various papers on Monero tx analysis (also not sure if there are quantum algorithms that can work through ring signatures and produce correlations with a high probability).

Is that ~ correct?

No; Pedersen commitments are only computationally binding. A quantum computer could open any output to any amount they like. But they cannot know the committed amount.

1 Like

Oh great! So worst case scenario Grin has to hardfork to upgrade to quantum secure functions, but the chain is not retroactively broken in privacy or security?

Also regarding hard forks, how does that work? Can anyone take a snapshot of Grin, roll a sidechain, and then keys that unlocked utxos on one will unlock them on the other… or are there other considerations to take into account as well?

Oh great! So worst case scenario Grin has to hardfork to upgrade to quantum secure functions, but the chain is not retroactively broken in privacy or security?

Yes, once grin#2007 is in, we can switch to ElGamal commitments (that are QC-proof) at any point in the future. For now it is preferred to stick with Pedersen commitments, because they save space (both in the commitments and the proof), but if we have enough suspicion that QCs are a thing we can activate a fork that requires inputs to reveal the ElGamal commitment and a proof.

3 Likes
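The last two answers (a quantum computer can open a Pedersen commitment to any amount but learns nothing about the committed one, and an ElGamal-style commitment fixes that at the cost of space) are concrete enough to run. The script below is an added illustration written for this thread; it is not code from the thread, from Grin or from libsecp256k1-zkp. It uses the real secp256k1 parameters, but the second generator H is deliberately built from a scalar `H_SECRET` that the script knows, standing in for the discrete log a quantum computer could recover; in Grin H is a nothing-up-my-sleeve point whose discrete log nobody knows. The `elgamal_commit` form (Pedersen point plus D = r*H) is a simplified, hypothetical illustration of the idea, not Grin's exact format, and `aggregate`/`tx_balances` are likewise illustrative helpers.

```python
# secp256k1 in pure Python: enough for a handful of scalar multiplications.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, p):
    """Double-and-add scalar multiplication."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc


def neg(p):
    return None if p is None else (p[0], (-p[1]) % P)


# CONSTRUCTED: in Grin, H is a nothing-up-my-sleeve point whose discrete log
# with respect to G is unknown. Here H = H_SECRET * G so that the script can
# play the quantum attacker who has computed that discrete log.
H_SECRET = 0x123456789ABCDEF0123456789ABCDEF0FEDCBA9876543210
H = mul(H_SECRET, G)


def commit(v, r):
    """Pedersen commitment C = r*G + v*H (Grin's convention: amount on H)."""
    return add(mul(r, G), mul(v, H))


def verify_open(c, v, r):
    return commit(v, r) == c


def forge_opening(v, r, v_new, h):
    """Given h = log_G(H), return r_new with commit(v_new, r_new) == commit(v, r).
    This is 'open any output to any amount': Pedersen commitments are only
    computationally binding. The same equation shows perfect hiding: for every
    candidate amount some blinding factor fits, so C alone carries no amount."""
    return (r + (v - v_new) * h) % N


def elgamal_commit(v, r):
    """Hypothetical ElGamal-style commitment: the Pedersen point plus D = r*H.
    D pins down r, and then C pins down v, so no opening can be forged even
    with h known; the price is that hiding is now only computational."""
    return (commit(v, r), mul(r, H))


def elgamal_verify(ec, v, r):
    c, d = ec
    return commit(v, r) == c and mul(r, H) == d


def tx_balances(inputs, outputs):
    """MimbleWimble balance check on (amount, blinding) pairs: sum(outputs) -
    sum(inputs) must equal (sum r_out - sum r_in) * G, a commitment to zero
    whose blinding factor is the kernel excess. Amounts never leave the wallet."""
    total = None
    for v, r in outputs:
        total = add(total, commit(v, r))
    for v, r in inputs:
        total = add(total, neg(commit(v, r)))
    r_excess = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % N
    return total == mul(r_excess, G)


def aggregate(tx_a, tx_b):
    """Stem-phase style aggregation: merge the input and output lists. A
    verifier sees one balanced transaction and cannot pair inputs to outputs."""
    return (tx_a[0] + tx_b[0], tx_a[1] + tx_b[1])


if __name__ == "__main__":
    c = commit(5, 12345)
    r_forged = forge_opening(5, 12345, 1000, H_SECRET)
    print("Pedersen opens to 1000 with forged r:", verify_open(c, 1000, r_forged))
    ec = elgamal_commit(5, 12345)
    print("ElGamal opens to 1000 with forged r:", elgamal_verify(ec, 1000, r_forged))
    print("Merged tx balances:", tx_balances(*aggregate(([(7, 111)], [(7, 333)]),
                                                        ([(3, 222)], [(3, 444)]))))
```

Running it prints True for the Pedersen forgery and False for the ElGamal one, which is the whole difference the thread is describing: the attacker with the discrete log can rewrite the amount behind a Pedersen output, but still cannot read the amount out of a commitment it did not create, because every amount is equally consistent with it.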