To understand this attack, you have to understand anonymity sets. Every privacy coin works by "hiding" your transaction within an anonymity set. Think of this like the crowd that your transaction is indistinguishable from.
So far there have been 3 approaches to privacy in cryptocurrencies: Zcash, Monero and Mimblewimble/Grin. In Zcash, your anonymity set is all the shielded transactions (theoretical maximum). pic.twitter.com/Jht8bc9T64
In Monero, you get to pick your own anonymity set of size 10-25 from any existing on-chain UTXOs. The UTXOs you hide behind are called "decoys". pic.twitter.com/aNQnsNLLX3
In Mimblewimble, all the transactions in a block are aggregated into one big CoinJoin. So it was believed that your anonymity set is all the transactions that ended up in the same block. pic.twitter.com/RZFTXFnzcU
My attack catches 96% of transactions before they can be aggregated with others for anonymity. So in reality, there is no one in their anonymity set! pic.twitter.com/mkMhSxYh5B
How does it work? By running a rogue node tweaked to save all intermediary transaction gossiping data. That's it! ~96% of transactions can be caught in the raw that way. pic.twitter.com/MCmRnMxJW7
Of the remaining transactions, some can be traced by subtracting other transactions we traced before. If we have seen the merge of TX(A+B) and also TX(A), we can trace TX(B) too. pic.twitter.com/WZs3v2MrFG
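Added example (not from the thread or the author's grin-linkability repository): a toy model of the two steps described in the thread, logging transactions seen in the raw before aggregation, then peeling known transactions out of later aggregates to recover the ones that were merged. The names `Tx`, `tx`, `trace` and `anonymity_sets` are chosen here, the sample transactions are constructed, and kernel offsets and cut-through of spent outputs are ignored to keep the model small.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """Toy Mimblewimble transaction: opaque input and output commitments plus
    kernel identifiers. Kernel offsets and cut-through are ignored here
    (an assumption made for this example)."""
    inputs: frozenset
    outputs: frozenset
    kernels: frozenset

    def __or__(self, other):
        # Aggregation is just concatenation of inputs, outputs and kernels:
        # the block-level "CoinJoin" from the thread.
        return Tx(self.inputs | other.inputs,
                  self.outputs | other.outputs,
                  self.kernels | other.kernels)

    def contains(self, other):
        return (other.inputs <= self.inputs and other.outputs <= self.outputs
                and other.kernels <= self.kernels)

    def __sub__(self, other):
        # The subtraction step: having seen TX(A+B) and TX(A), TX(B) is what is left.
        if not self.contains(other):
            raise ValueError("transaction is not part of this aggregate")
        return Tx(self.inputs - other.inputs,
                  self.outputs - other.outputs,
                  self.kernels - other.kernels)

    def is_empty(self):
        return not (self.inputs or self.outputs or self.kernels)


def tx(name, inputs, outputs):
    """Build an ordinary single-kernel transaction; the kernel id is derived from the name."""
    return Tx(frozenset(inputs), frozenset(outputs), frozenset({"kernel_" + name}))


def aggregate(txs):
    agg = Tx(frozenset(), frozenset(), frozenset())
    for t in txs:
        agg = agg | t
    return agg


def trace(raw_seen, aggregates):
    """Recover individual transactions from aggregates.

    raw_seen:   transactions the rogue node logged before they were aggregated.
    aggregates: merged transactions observed later (stem-path merges, blocks).
    A remainder carrying exactly one kernel is taken to be one ordinary
    transaction and added to the known set; repeat until nothing changes,
    since each recovered transaction may unlock another aggregate.
    """
    known = set(raw_seen)
    changed = True
    while changed:
        changed = False
        for agg in aggregates:
            rest = agg
            for k in list(known):
                if rest.contains(k):
                    rest = rest - k
            if not rest.is_empty() and len(rest.kernels) == 1 and rest not in known:
                known.add(rest)
                changed = True
    return known


def anonymity_sets(aggregates, known):
    """Map each output to the number of transactions it is still indistinguishable
    from inside its aggregate (1 means the output is fully linked to its inputs)."""
    sizes = {}
    for agg in aggregates:
        rest = agg
        for k in known:
            if rest.contains(k):
                rest = rest - k
                for out in k.outputs:
                    sizes[out] = 1
        for out in rest.outputs:
            sizes[out] = min(sizes.get(out, len(rest.kernels)), len(rest.kernels))
    return sizes


# Constructed sample transactions (not real Grin data).
A = tx("A", ["in_a"], ["out_a1", "out_a2"])
B = tx("B", ["in_b"], ["out_b"])
C = tx("C", ["in_c1", "in_c2"], ["out_c"])
D = tx("D", ["in_d"], ["out_d"])
E = tx("E", ["in_e"], ["out_e1", "out_e2"])
F = tx("F", ["in_f"], ["out_f"])

# The rogue node saw A and C in the raw, and A+B already merged on a stem path.
RAW_SEEN = {A, C}
STEM_MERGE = aggregate([A, B])
BLOCK_1 = aggregate([A, B, C, D])
# E and F were merged on a stem path before any observer saw them individually.
BLOCK_2 = aggregate([E, F])
AGGREGATES = [STEM_MERGE, BLOCK_1, BLOCK_2]


def run():
    known = trace(RAW_SEEN, AGGREGATES)
    return known, anonymity_sets(AGGREGATES, known)


if __name__ == "__main__":
    known, sizes = run()
    for t in sorted(known, key=lambda t: sorted(t.kernels)):
        print(sorted(t.kernels), sorted(t.inputs), "->", sorted(t.outputs))
    print(sizes)
```

In this run B is recovered from the stem merge (A+B minus A) and D from block 1 (everything else in it is known), so the outputs of A, B, C and D end up with an anonymity set of 1; E and F were only ever seen merged, so their outputs keep an anonymity set of 2, which is the Dandelion case the thread turns to next.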
So why can't we trace 100%? The reason is nuanced and technical: Dandelion. A small minority of transactions get merged while traveling on stem-paths, before most nodes could see them. pic.twitter.com/IcTtgdJB9N
Still, it is likely possible to trace more than 96% by running a network of nodes, or a single supernode. That way, the attacker inserts themselves into most stem-paths. pic.twitter.com/iOuypYiDU1
Importantly, I have great respect for the Grin community and core developers, who have all been tremendously helpful in answering my questions. But we also need to be realistic about how much privacy Mimblewimble grants.
The devs were aware that such an attack was theoretically possible (e.g. this Reddit thread I started a year ago). But now it is proven viable and efficient. https://www.reddit.com/r/Mimblewimble/comments/91cvyl/mimblewimble_transactions_linkable_by_any/ …
To dig further, check out the technical deep-dive, complete with open-source code to reproduce the attack, data collected, and a technical FAQ: https://github.com/bogatyy/grin-linkability …
Thanks to @hosseeb for major help in putting together this write-up and for the anonymity set illustrations. Additional thanks to @OlegOstroumov, @leanthebean, @MohamedFFouda, @LucasRyan and @nadertheory for reviewing drafts of this post.
And a huge thanks to @JStutzman from @NEARProtocol for the Dandelion and block aggregation illustrations – he's the reason @NEARProtocol posts have the nicest figures.