Grin Privacy Primer
This document should be accurate up to Grin's mainnet and first hard fork. More privacy-enhancing techniques are likely to be introduced as Grin matures.
When thinking about the level of privacy a system grants, it's most useful to start with what information it leaks. The evaluation of that leakage should not be restricted to information about yourself or a hypothetical user, but should also cover, systemically, what can be learned about how the system is used. For example, if one can find that half of the purchases done with a cryptocurrency are directed toward Amazon, it's easy to see that asking Amazon for its internal records would likely be very useful to find out more.
At one end of this spectrum, no current blockchain system can hide that a transaction occurred, so information like relative activity can be derived fairly accurately for all blockchains. At the other end of information leakage, the current top 2 cryptocurrencies reveal almost all there is to know: amounts, source, destination, origin IP, etc. Their pseudonymous nature helps, but most resourceful actors can see beyond pseudonyms (think of how much your IP address protects you from privacy invasion when you're online: very little).
In this document, we will separate what information Grin does not reveal from what still leaks. And in doing so, progress from strongest to weakest privacy properties.
Grin, as a MimbleWimble implementation, natively uses a transaction format called Confidential Transactions (CT). By "natively" here we mean that in Grin, CTs aren't just an extension of another transaction format that helps hide amounts. CTs are all that Grin can do. As we will see, this has beneficial privacy implications.
A Grin transaction has very few pieces of information:
- Inputs, which can be mostly seen as references to past outputs.
- Outputs, which are just a 33-byte blob called a commitment, encoding the amount and ownership, and an associated proof that the amount isn't negative.
- A proof that the sum of the inputs matches the sum of the outputs plus the fee (no new money creation).
The commitments used in Grin are called "perfectly hiding", meaning that, barring any bug, it can be shown that the amounts embedded in them can never be deduced. There are also no addresses; ownership is ensured through a single-use key.
Confidential Transactions allow the Grin chain to exist without any transferred amount or explicit ownership.
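To make the three pieces of a transaction concrete, here is an added toy model written for this primer; it is not Grin's code. Grin commits on secp256k1 as C = r*G + v*H; the model below stands in a tiny multiplicative group modulo a prime, written C = G^r * H^v, so the arithmetic is identical in shape but the parameters are far too small to be secure. The generator values, the kernel message (just the fee) and the `build_tx`/`verify_tx` names are assumptions made for the example. It shows how a verifier checks "inputs = outputs + fee" from commitments and a kernel signature alone, without ever seeing an amount, and how a transaction that creates money fails that check.

```python
"""Toy Mimblewimble balance check with Pedersen commitments (added example,
not Grin's implementation; parameters are illustrative, not secure)."""
import hashlib
import secrets

P = 2**61 - 1   # toy modulus (a Mersenne prime); exponents reduce mod P - 1
N = P - 1
G = 3           # toy generator carrying the blinding factor r
H = 7           # toy generator carrying the amount v; in a real setup the
                # discrete log of H with respect to G must be unknown


def commit(value: int, blind: int) -> int:
    """Pedersen commitment to `value` under blinding factor `blind`.
    Same value, different blind -> different commitment (hiding)."""
    if value < 0:
        raise ValueError("amount must be non-negative (Grin enforces this with a range proof)")
    return (pow(G, blind, P) * pow(H, value, P)) % P


def _challenge(r_point: int, pubkey: int, message: bytes) -> int:
    data = r_point.to_bytes(8, "big") + pubkey.to_bytes(8, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def schnorr_sign(secret: int, message: bytes) -> tuple:
    """Schnorr signature (R, s) proving knowledge of `secret` for pubkey G^secret."""
    nonce = secrets.randbelow(N - 1) + 1
    r_point = pow(G, nonce, P)
    e = _challenge(r_point, pow(G, secret, P), message)
    return r_point, (nonce + e * secret) % N


def schnorr_verify(pubkey: int, message: bytes, sig: tuple) -> bool:
    r_point, s = sig
    e = _challenge(r_point, pubkey, message)
    return pow(G, s, P) == (r_point * pow(pubkey, e, P)) % P


def build_tx(inputs, outputs, fee: int) -> dict:
    """Sender side. `inputs`/`outputs` are (value, blind) pairs the wallet knows.

    The kernel excess is the net blinding factor. Signing with it is the
    balance proof: if the amounts did not cancel, the public excess would
    carry a leftover H^delta and the signer would not know its discrete log.
    """
    excess_secret = (sum(b for _, b in outputs) - sum(b for _, b in inputs)) % N
    kernel_msg = fee.to_bytes(8, "big")      # assumption: kernel signs only the fee
    return {
        "inputs": [commit(v, b) for v, b in inputs],
        "outputs": [commit(v, b) for v, b in outputs],
        "fee": fee,
        "kernel_sig": schnorr_sign(excess_secret, kernel_msg),
    }


def verify_tx(tx: dict) -> bool:
    """Verifier side: sees only commitments, the fee and the kernel signature."""
    acc = pow(H, tx["fee"], P)                      # fee is a known amount on H
    for c in tx["outputs"]:
        acc = (acc * c) % P
    for c in tx["inputs"]:
        acc = (acc * pow(c, -1, P)) % P             # modular inverse (Python 3.8+)
    # acc == G^excess exactly when sum(outputs) + fee == sum(inputs)
    return schnorr_verify(acc, tx["fee"].to_bytes(8, "big"), tx["kernel_sig"])


if __name__ == "__main__":
    blinds = [secrets.randbelow(N) for _ in range(3)]          # constructed sample
    good = build_tx([(60, blinds[0]), (40, blinds[1])], [(95, blinds[2])], fee=5)
    bad = build_tx([(60, blinds[0]), (40, blinds[1])], [(100, blinds[2])], fee=5)
    print("balanced tx verifies:", verify_tx(good))        # True
    print("money-creating tx verifies:", verify_tx(bad))   # False
```

Note that `verify_tx` never receives an amount: the only way the check passes is for the H components to cancel, and the only thing the verifier learns is that they did.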
Three points from the previous section may be a little more subtle but have very important privacy benefits:
- All transactions are confidential.
- Transactions hold very little information.
- All transactions look like some random bits put together.
As all transactions are confidential, there are no non-confidential transactions that can reveal information about the confidential ones. As transactions hold very little information, there is also very little opportunity for wallets or people to degrade privacy guarantees. And as everything looks like random bits, statistical analysis without additional information is impossible.
Another piece of information that commonly leaks is the IP address that originally sent a transaction. In a peer-to-peer network this can be hard to find directly, as transactions are relayed, but over multiple transactions statistical analysis is feasible. And from an IP address, one can further deduce location, the type of software used, etc.
In most cryptocurrencies today, transactions are sent by just "fluffing" them all around, sending them to all the peers one is connected with. Dandelion is a technique that adds a "stem" phase prior to fluffing, where you delegate the fluffing to another peer randomly chosen in the network, over multiple hops. This makes it impossible to deduce a reliable IP address, and renders statistical analysis on provenance impractical.
In addition, while transactions are being sent over the stem, there is a chance to aggregate them with other transactions as if they were a single one, obscuring some of the coupling between inputs and outputs. However, it remains to be seen how much practical privacy can be gained from aggregation, as effective aggregation depends on having many other transactions in flight at the same time.
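The stem/fluff behaviour described above, as an added simulation written for this primer (not Grin's Dandelion implementation). It models only the core idea: every hop on the stem either relays the transaction to one randomly chosen peer or fluffs it to all its peers, with a fixed fluff probability. The random graph, the 10% fluff probability, the hop cap standing in for an embargo timer, and the function names are all assumptions of the model. The interesting output is how often the node that an observer first sees broadcasting is actually the originator.

```python
"""Dandelion stem/fluff relay simulation (added example, not Grin code)."""
import random
from collections import Counter

FLUFF_PROB = 0.1      # assumption: each stem hop fluffs with this probability
MAX_STEM_HOPS = 100   # safety cap; real nodes use an embargo timer instead


def make_network(n_nodes: int, degree: int, rng: random.Random) -> dict:
    """Undirected random graph: every node connects to at least `degree` peers."""
    peers = {i: set() for i in range(n_nodes)}
    for node in range(n_nodes):
        while len(peers[node]) < degree:
            other = rng.randrange(n_nodes)
            if other != node:
                peers[node].add(other)
                peers[other].add(node)
    return {node: sorted(ps) for node, ps in peers.items()}


def relay_stem(network: dict, origin: int, rng: random.Random) -> tuple:
    """Walk one transaction along the stem; return (fluffing_node, stem_path)."""
    path = [origin]
    current = origin
    for _ in range(MAX_STEM_HOPS):
        if rng.random() < FLUFF_PROB:
            return current, path                 # this hop broadcasts to all peers
        current = rng.choice(network[current])   # stem: hand off to one random peer
        path.append(current)
    return current, path                         # embargo expired: fluff anyway


def simulate(trials: int, seed: int = 7) -> dict:
    """Send `trials` transactions from node 0 and record who ends up fluffing.

    An observer that attributes a transaction to the first node seen
    broadcasting it is right only in the 'origin_fluffed' fraction of cases;
    with plain fluffing that fraction would be 1.0.
    """
    rng = random.Random(seed)                    # constructed, deterministic sample
    network = make_network(n_nodes=200, degree=8, rng=rng)
    origin = 0
    fluffers = Counter()
    total_hops = 0
    for _ in range(trials):
        fluffer, path = relay_stem(network, origin, rng)
        fluffers[fluffer] += 1
        total_hops += len(path) - 1
    return {
        "origin_fluffed": fluffers[origin] / trials,   # ~FLUFF_PROB plus rare returns
        "mean_stem_hops": total_hops / trials,         # ~(1-p)/p = 9 for p = 0.1
        "distinct_fluffers": len(fluffers),
    }


if __name__ == "__main__":
    for key, value in simulate(2000).items():
        print(f"{key}: {value}")
```

The stem length is geometric, so raising the fluff probability shortens stems and makes attribution easier, while lowering it lengthens the delay before a transaction is visible; that trade-off is why real deployments pair the stem with an embargo timer rather than a hop cap.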
Cut-through is another technique inherited from MimbleWimble. As the name indicates, it lets the protocol cut out inputs and outputs from the blockchain as they're being spent. This is very effective for scalability, as large parts of the data that traditionally need to be stored by a blockchain forever can be removed. But it also provides a smaller privacy benefit.
While cut-through can technically be done on transactions before they're included in a block, it's unlikely to provide tangible privacy benefits at that level, as transactions don't typically get spent that fast. However, as time goes on, a spent output becomes less and less likely to be known by any node on the network. In fact, most nodes will delete a spent output after a week. One can of course archive those spent outputs, but after a few years, how many archives with a given output will still be available?
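The cut-through step itself, as an added example written for this primer rather than taken from Grin: outputs are represented by opaque string identifiers standing in for commitments, and kernels by a count, since cut-through removes matched input/output pairs but never kernels. The sample batch and the function names are constructed for the example. It shows that the net state change is preserved while the intermediate outputs, and the links they formed, never reach a node that only sees the cut-through result.

```python
"""Cut-through over a batch of transactions (added example, not Grin code)."""


def cut_through(txs: list) -> tuple:
    """Return (inputs, outputs, kernel_count) for the aggregate of `txs`.

    Any output created by one transaction and spent by another transaction
    in the same batch cancels out and disappears from both lists; only the
    net change to the output set remains. Kernels are always kept.
    """
    all_inputs, all_outputs = [], []
    for tx in txs:
        all_inputs.extend(tx["inputs"])
        all_outputs.extend(tx["outputs"])
    spent_inside = set(all_inputs) & set(all_outputs)
    remaining_inputs = sorted(i for i in all_inputs if i not in spent_inside)
    remaining_outputs = sorted(o for o in all_outputs if o not in spent_inside)
    return remaining_inputs, remaining_outputs, len(txs)


def apply_to_utxo(utxo: set, inputs, outputs) -> set:
    """Apply one state change; refuse inputs that are not currently unspent."""
    utxo = set(utxo)
    for i in inputs:
        if i not in utxo:
            raise ValueError(f"unknown or already spent input {i}")
        utxo.remove(i)
    for o in outputs:
        utxo.add(o)
    return utxo


def state_after(txs: list, start: set) -> set:
    """Apply transactions one by one, the way a node processes them individually."""
    utxo = set(start)
    for tx in txs:
        utxo = apply_to_utxo(utxo, tx["inputs"], tx["outputs"])
    return utxo


# Constructed sample batch: A is spent to B (payment) and C (change);
# B is re-spent to D; then D and C are merged into E.
SAMPLE_TXS = [
    {"inputs": ["A"], "outputs": ["B", "C"]},
    {"inputs": ["B"], "outputs": ["D"]},
    {"inputs": ["D", "C"], "outputs": ["E"]},
]


if __name__ == "__main__":
    ins, outs, kernels = cut_through(SAMPLE_TXS)
    print("inputs left:", ins)        # ['A']
    print("outputs left:", outs)      # ['E']
    print("kernels kept:", kernels)   # 3
    print("same end state:", state_after(SAMPLE_TXS, {"A"}) == apply_to_utxo({"A"}, ins, outs))
```

The same matching is what a pruning node performs over time against its stored output set: once an output has been spent, nothing in the consensus state depends on it any more, so it can be dropped, and B, C and D above are exactly the kind of data that eventually survives only in whatever archives chose to keep them.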
In the previous sections, we've identified multiple sources of information that a blockchain is typically involved with:
- [x] Addresses
- [x] Amounts
- [ ] Relations between inputs and outputs
- [x] IP addresses
- [x] Additional data embedded in transactions
- [ ] Existence of a transaction
Checked boxes are where Grin shines, while unchecked ones will require improvements.
Grin is likely one of the blockchains that, over time, offers the best "right to be forgotten" guarantee. However, there are improvements possible, particularly in redefining what exactly a transaction is and further blurring the lines between a grouped set of inputs and outputs and an overall state change.
While aggregation provides benefits, and the absence of useful information in either inputs or outputs complicates analysis drastically, there are techniques that can exploit linking to erode privacy guarantees. Practically, they all need to rely on having participated in a transaction "close to" the ones that need to be analyzed in order to gain additional information. By sending "tainted" outputs and following them as they move over multiple transactions, information can still leak, as these outputs can be followed after one hop, or statistically over multiple hops.
This is an area where more improvements from the Grin team can be expected, after mainnet is released.
Privacy is complex and information leakage is surprisingly easy. Privacy-preserving systems need to be extremely strong to ensure even reasonable amounts of protection. And they often fail in practice due to being too cumbersome to use, forcing people to revert to convenience.
Beyond all the privacy-preserving mechanisms exposed in this document and the shortcomings and improvements we foresee, Grin is committed to long-term privacy protection. As such, we will continue pushing research and development so Grin remains the state of the art for practical cryptocurrency privacy.