Breaking MimbleWimble - Reading Assignment

What is a ‘sniffer node’? A sniffer node picks up all transactions before cut-through aggregation is finished.
Which pieces of information can be determined by a supernode? Which pieces cannot? A supernode can Dandelion path for any transaction. Which means any two transactions that cross in a Dandelion chain can be aggregated. The pieces that cannot are the transactions that were not seen prior to aggregation.
What % of live nodes did the author connect with? 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network
What single potential solution is mentioned? Can you think of another? Mimblewimble still has unique and valuable properties! It allows cut-through aggregation, which is an effective compaction technique for full nodes, and efficiently hides transaction amounts. If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph
Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it? No, except to not always accept an article at face value. Similar to learning blockchain in three months. Can be a little misleading.

1 Like
  1. What is a ‘sniffer node’?
  • A node which observes blockchain and keeps record of the transactions.
  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
  • As a node, I can see which other node from what IP address sent the transaction, and where I sent it to.
  • That means, if a supernode connected to all other nodes of the network, it could see all transactions come and go.
  3. What % of live nodes did the author connect with?
  • The author connected to 200 out of 3000 nodes in the network, which is 6,(6)%.
  4. What single potential solution is mentioned? Can you think of another?
  • Author mentions combining MimbleWimble with other protocols.
  • Maybe the number of peers that a node can connect to could be limited, thus limiting the ability to observe a large part of the blockchain.
  5. Read Grin’s Response. Would you add anything to it?
  • The main point of the response is that the author is linking transaction outputs instead of addresses.
  • If there was a supernode connected to all other nodes (Dandelion doesn’t help much anymore), wouldn’t it be possible to see which IP addresses send and receive which transactions?
1 Like

Dandelion was implemented with the intention to hide the origin of the tx. But it's not completely reliable, due to the fact you mention. They might choose to use a different implementation of Dandelion like Dandelion+ which is more secure. :slight_smile:

1 Like
  1. Sniffer node can observe the network and take note of the original transactions before they get aggregated

  2. It does not allow us to see the amounts people are getting paid but we can see who paid who.

  3. He was able to link 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network

  4. Combining Mimblewimble with another protocol that obscures the transaction graph.

  5. People who don’t know the intricacies of Mimblewimble, will believe the author. Once you really try and learn about it, it will make sense. Certainly MimbleWimble is not perfect and has its issues but it is still young and in development.

1 Like

A sniffer node is a node in the system that does not validate transactions or mine coins, instead it is a monitoring bot that aggregates information about transactions and patterns and tries to connect the two to determine links or breaches in the privacy features. In this example, an attacker would attempt to “be the first node” that receives transactions and can obtain this information before it has been aggregated with other transactions. The author assumes at some point a supernode scenario could be employed, in that the node or nodes used to gather the information used to facilitate the attack would at some point become peers with all or nearly all the other nodes in the ecosystem. As the first receiver of TX data, that node would know certain information and technically be able to ascertain an idea of who might be sending to whom. Such data as the sender originating tx id, the sender's partial signature and possibly the IP address. The supernode would not be able to determine the transaction amounts or the change given. The author claims to have "connected to 200 of the 3000 nodes present at the time, which is .0666
Assuming that Beam actually did have a privacy issue, the author presents incorporating an additional protocol that hides the transaction graph. Personally I think several things are actually true. #1 The sniffing seems to undo privacy by collecting information about senders and receivers through linking. This is not possible. The only identifying factors of any of the broadcast information is the sender and or receivers “connection to the coin or coins being spent”. Most of this info is obscured through blinding factors and commitments. Secondly, there is no connection to formal addresses or wallets. Secondly, the protocol hides transaction amounts. Even the creation of change, similar to Bitcoin, is obfuscated and further clouds the purported transaction trail. Thirdly, the only real traceable information stored on the blockchain which could be used in linking is the commitments to the transactions. These are boolean, true or false… Thirdly, this attack vector is not feasible. If it were, however, my primary suggestion would be to limit and randomize the interaction of nodes with peer nodes, as to further obfuscate any origins or trails. Aside from this, some other type of scheme to potentially increase the anonymity set such as the use of decoys could be useful and quite easy to implement in just a few lines of code.
I think Grin’s response was pretty darn good. I would have loved it if Grin would have proposed a “bug Bounty” challenge to this guy. The Beam protocol has very simply and elegantly solved a great number of issues in the realm of privacy by nimbly combining Pedersen commitments with blinding factors, Schnorr signatures, Dandelion tx population to validators, and eloquently building on past principles of other privacy coin projects in order to create a safe, secure, private environment for value to be exchanged. They recognize that their solutions are not perfect and seek to innovate in the future to reinforce any current weaknesses and anticipate future challenges in the field of secure private blockchain transactions.

1 Like
  1. Sniffer node can observe the network and take note of the original transactions before they get aggregated
  2. It does not allow us to see the amounts people are getting paid but we can see who paid who.
  3. He was able to link 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network
  4. Combining Mimblewimble with another protocol that obscures the transaction graph.
  5. People who don’t know the intricacies of Mimblewimble, will believe the author. Once you really try and learn about it, it will make sense. Certainly MimbleWimble is not perfect and has its issues but it is still young and in development. Was funny to see him write about tracking addresses and the rebuttal go into how there are no addresses to track :laughing:
1 Like

1. Sniffer node that picks up all transactions before cut-through aggregation is finished, it’s trivial to unwind the CoinJoin. Any sniffer node can just observe the network and take note of the original transactions before they get aggregated
2. Supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity.
3. 200/3000 = 6.67%
4. Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme)
5. I guess the Bogatyy should have approached Grin's team first with all his alleged attacks and that would be more fruitful toward increasing privacy of MW protocol than going public.

1 Like
  1. A sniffer node, or packet sniffer, captures and stores IP packets for content analysis.

  2. The sender and receiver, but not the amount.

  3. 6.67%

  4. Combining MimbleWimble with another privacy protocol. Perhaps hashing sender and receiver before broadcast.

  5. Nope

1 Like

What is a ‘sniffer node’?
Any sniffer node can just observe the network and take note of the original transactions before they get aggregated.

Which pieces of information can be determined by a supernode? Which pieces cannot?
A supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity.

What % of live nodes did the author connect with?
200 peers out of the total 3000 peers in Grin’s network

What single potential solution is mentioned? Can you think of another?
If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

1 Like
  1. It picks up all transactions before cut-through aggregation is finished. Any sniffer node can just observe the network and take note of the original transactions before they get aggregated.

  2. A supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity. The only way a supernode cannot catch a transaction before it is aggregated is if two transactions both intersect in their Dandelion path before it sees either of them.

  3. 96%

  4. If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾

  5. Good response. Personally, I would like if they did more improvements and testing to improve security and then put out results in a new article, with evidence of their findings with viable solutions.

1 Like
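
The supernode limit described in answer 2 above, as an added example that is not part of the original post or of the article it discusses: a toy model in which a transaction is only a set of input and output labels (kernels, commitments and blinding factors are left out), showing what an observer's log of pre-aggregation transactions reveals once the block has been cut through. The names `Tx`, `aggregate`, `candidate_inputs` and the sample labels are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    inputs: frozenset
    outputs: frozenset


def tx(ins, outs):
    return Tx(frozenset(ins), frozenset(outs))


def aggregate(txs):
    """Merge transactions with cut-through: an output that is created and
    spent inside the merged set disappears from both sides."""
    ins = frozenset().union(*(t.inputs for t in txs))
    outs = frozenset().union(*(t.outputs for t in txs))
    spent_inside = ins & outs
    return Tx(ins - spent_inside, outs - spent_inside)


def candidate_inputs(block, wire_log):
    """For every output, the inputs an observer must treat as its possible
    source. With no log, that is every input in the block; each logged
    (possibly already merged) transaction narrows it to its own inputs."""
    table = {out: block.inputs for out in block.outputs}
    for seen in wire_log:
        for out in seen.outputs:
            table[out] = seen.inputs
    return table


# Constructed sample: A and B cross on their Dandelion stem and reach the
# observer already merged; C and D are seen on their own. D spends A's a3.
A = tx({"a1"}, {"a2", "a3"})
B = tx({"b1"}, {"b2"})
C = tx({"c1", "c2"}, {"c3"})
D = tx({"a3"}, {"d1"})
BLOCK = aggregate([A, B, C, D])
WIRE_LOG = [aggregate([A, B]), C, D]


def demo():
    return candidate_inputs(BLOCK, WIRE_LOG)


if __name__ == "__main__":
    for out, ins in sorted(demo().items()):
        print(out, "<-", sorted(ins))
```

In the output, `c3` and `d1` are tied to exact inputs, `d1` even to the intermediate output `a3` that cut-through removed from the block, while `a2` and `b2` stay ambiguous between `a1` and `b1` because A and B were merged before the observer saw either.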

The author was connected to 200 nodes out of 3000, but was able to link 96% of txs. :slight_smile:

  1. A sniffer node is a malicious node which listens for transactions as they are aggregated

  2. A supernode can determine the transactions in an aggregation if it sees them before they’re aggregated. However, if two transactions intersect in their Dandelion path before the supernode sees them then it can’t disaggregate them

  3. The author connected with 6.67% of live nodes

  4. The author suggests combining Mimblewimble with another protocol that obscures the transaction graph such as Ethereum 9 3/4

  5. So turns out Grin already knows about this and has long acknowledged it as the transaction graph input-output-linkability problem

1 Like

:pray: thank you. learned so much during this week doing this course.

1.) What is a ‘sniffer node’?
A sniffer node can just observe the network and take note of the original transactions before they get aggregated.

2.) Which pieces of information can be determined by a supernode? Which pieces cannot?
A supernode is connected to every other node and will instantly get any transaction that enters fluff phase, before it can be merged with other transactions for anonymity.

3.) What % of live nodes did the author connect with?
He was able to link 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network.

4.) What single potential solution is mentioned? Can you think of another?
If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

5.) Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it?
No!

1 Like
  1. Sniffer nodes are nodes used to “monitor” the blockchain and the various transactions in order to read through mixing techniques such as CoinJoin. They are able to check information throughout the network before it can be mixed or aggregated, providing relevant information about transactions.
  2. They can be used to gather information about transactions so that it would be possible to disaggregate linked transactions around the Dandelion. It is not possible to see the single transactions once they have already been aggregated in a previous node.
  3. 6,67% (divide the 200 peers he connected with by the 3000 total peers)
  4. It mentions Ethereum 9 3/4 which is a protocol that obscures the transaction graph. Maybe it could be useful to implement a method that allows shielded transactions, so that it would not be possible to find specific information about who was the sender and who was the receiver.
  5. I think it was a well-defined, rational and aware answer to the article. It is explicitly mentioned that Grin (and MimbleWimble) is a young project which has yet to prove its own potential, while also showing that the community which backs it up is open and amicable. I hope their project will prove its worth and will be able to grow and mature over time. Clearly there are issues to be solved, but it is not different from the situation which other projects (think about Bitcoin as well) had to face at the beginning of their evolution. And, more importantly, these issues are already known, which is a good starting point.
1 Like

1 A sniffer node is a kind of bugging device that “listens” to the traffic from another node. By recording the traffic the sniffer may reveal who is sending to who.
2 Any transaction that did not intersect with another transaction prior to reaching the supernode.
3 6.67%
4 A combination of Mimblewimble and a Zerocash-style commitment-nullifier scheme.
It seems like the network is too small with too few transactions to be properly mixed up.
5 As someone said: Any documented bug, is a feature.

1 Like
  1. it’s a node that picks up all transactions before cut-through aggregation is finished
  2. sender, receiver. NOT the amount
  3. 6.7%
  4. combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme)
  5. could argue that it’s not broken but still under development
1 Like
  • What is a ‘sniffer node’?

Any sniffer node can just observe the network and take note of the original transactions before they get aggregated.

  • Which pieces of information can be determined by a supernode? Which pieces cannot?

Sender and Receiver not the amount.

  • What % of live nodes did the author connect with?

6.7%

  • What single potential solution is mentioned? Can you think of another?

If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

1 Like
  1. What is a ‘sniffer node’?
    Is a node that observes the network and picks Tx before they are mixed or aggregated to other nodes. In other words, he can link senders and receivers.

  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
    It can be determined the origin of the transaction and Neighbour nodes can be linked to it. The author explains that he couldn’t get info if two transactions both intersect in their Dandelion path before I see either of them.

  3. What % of live nodes did the author connect with?
    6.67% (200 of 3000 total), with 96% accuracy transactions.

  4. What single potential solution is mentioned? Can you think of another?
    Solution is to combine Mimblewimble with another protocol that obscures the transaction graph, like Ethereum 9¾.

  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?
    No, but it will always be a cat vs rat race when security is an issue.

1 Like
  1. A sniffer node - observes the network and takes notes of the original transactions before they get aggregated

  2. A supernode can catch a transaction before it is aggregated. It also catches IP connected to every single NODE in the dandelion. You would be unable to see a single transaction once they have been aggregated

  3. 200 peers out of the 3000 in the network (Math for %: 15)

  4. Making the Dandelion bigger can slow down attackers.

1 Like