Grin Privacy Primer
This document explores Grin's protocol privacy as it is now and up to mainnet. It does not cover the privacy implications of building transactions with another party.
When thinking about the level of privacy a system grants, it's most useful to start with what information it leaks. The evaluation of that leakage should not be restricted to information about yourself or a hypothetical user, but also systemically what can be learned about how the system is used. For example, if one can find that half of the purchases done with a cryptocurrency are directed toward Amazon, it's easy to see that asking Amazon for its internal records would likely be very useful to find out more.
At one end of this spectrum, no current blockchain system can hide that a transaction occurred, so information like relative activity can be derived fairly accurately for all blockchains. At the other end of information leakage, the current top 2 cryptocurrencies reveal almost all there is to know: amounts, source, destination, origin IP, etc. Their pseudonymous nature helps, but most resourceful actors can see beyond pseudonyms (think of how much your IP address protects you from privacy invasion when you're online: very little).
In this document, we will separate what information Grin does not reveal from what it does. And in doing so, progress from strongest to weakest privacy properties.
Grin, as a MimbleWimble implementation, natively uses a transaction format called Confidential Transactions (CT). By "natively" we mean that in Grin, CTs aren't just an extension of another transaction format that helps hide amounts: CTs are all Grin does. As we will see, this has beneficial privacy implications.
A Grin transaction has very few pieces of information:
- Inputs, which can be mostly seen as references to past outputs.
- Outputs, which are just a 33-byte blob called a commitment, encoding the amount and ownership, together with an associated proof that the amount isn't negative.
- A proof that the sum of inputs matches the sum of outputs plus the fee (no new money creation).
The commitments used in Grin are called "perfectly hiding", meaning that barring any bug, it can be shown that the amounts embedded in them can never be deduced. There are also no addresses. Ownership is ensured through a single-use key.
Confidential Transactions allow the Grin chain to exist without any transferred amount or explicit ownership revealed.
Three points from the previous section may be a little more subtle but have very important privacy benefits:
- All transactions are confidential.
- Transactions hold very little information. In particular, they do not hold any script.
- All transactions look like some random bits put together.
As all transactions are confidential, there are no non-confidential transactions that can reveal information about the confidential ones. As transactions hold very little information, there is also very little opportunity for wallets or people to degrade privacy guarantees. Since everything looks like random bits, statistical analysis without additional information is impossible.
Another piece of information that commonly leaks is the IP address that originally sent a transaction. In a peer-to-peer network this can be hard to find directly as transactions are relayed, but over multiple transactions statistical analysis is possible. From an IP address, one can deduce location, the type of software used, etc.
In most cryptocurrencies today, transactions are sent by just "fluffing" them all around, sending them to all the peers one is connected with. Dandelion is a technique to add a "stem" phase prior to fluffing, where you delegate the fluffing to another peer randomly chosen in the network, over multiple hops. This makes it impossible to deduce a reliable IP address, and renders statistical analysis on provenance impractical.
In addition, while transactions are being sent over the stem, there is a chance to aggregate them with other transactions as if they were a single one, obscuring some of the coupling between inputs and outputs. However, it remains to be seen how much practical privacy is gained from aggregation, since it depends on having many other transactions.
Cut-through is another technique inherited from MimbleWimble. As the name indicates, it lets the protocol cut out inputs and outputs from the blockchain as they're spent. This is very effective for scalability, as large parts of the data that a blockchain traditionally needs to store forever can be removed. But it also provides a smaller privacy benefit.
While cut-through can technically be done on transactions before they're included in a block, it's unlikely to provide tangible privacy benefits at that level: transactions don't typically get spent that fast. There is an exception however for larger exchanges or merchant services, as they may be able to aggregate and cut-through their transactions significantly by batching them.
In addition, as time goes on, a spent output becomes less and less likely to be known by any node on the network. In fact, most nodes will delete a spent output after a week. One can archive those spent outputs, but after a few years, how many archives with a given output will still be available?
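As an added example (not code from the Grin project), the following Python models the two mechanisms described above on secp256k1: Pedersen commitments whose kernel signature proves that inputs equal outputs plus fee without any amount being revealed, and cut-through of an output that is spent inside an aggregated set of transactions. It is a teaching model with assumed names (`build_tx`, `aggregate`, `verify_tx`): the value generator H is a constructed nothing-up-my-sleeve point standing in for Grin's real one, and range proofs and the kernel offset are omitted.

```python
import hashlib, secrets
from functools import reduce

# secp256k1, the curve Grin uses. Points are (x, y) tuples; None is the point at infinity.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(a, b):  # affine point addition
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def mul(k, pt):  # double-and-add scalar multiplication
    acc, k = None, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
sum_points = lambda pts: reduce(add, pts, None)
def nums_point(label):  # nothing-up-my-sleeve generator: nobody knows log_G of the result
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square-root candidate, valid because P = 3 mod 4
        if y * y % P == rhs: return (x, y)
        x += 1
H = nums_point(b"constructed demo value generator")  # constructed stand-in for Grin's real H
def commit(value, blind): return add(mul(value, H), mul(blind, G))  # C = v*H + r*G (33 bytes compressed)
def challenge(R, excess, fee):  # Fiat-Shamir hash binding nonce, excess and fee
    data = R[0].to_bytes(32, "big") + excess[0].to_bytes(32, "big") + fee.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def make_kernel(r_excess, fee):  # kernel = (excess, fee, Schnorr signature keyed by the excess)
    excess, k = mul(r_excess, G), secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return excess, fee, (R, (k + challenge(R, excess, fee) * r_excess) % N)
def build_tx(ins, outs, fee):  # wallet side; ins/outs are (value, blind) pairs only the owner knows
    r_excess = (sum(r for _, r in outs) - sum(r for _, r in ins)) % N
    return [commit(v, r) for v, r in ins], [commit(v, r) for v, r in outs], [make_kernel(r_excess, fee)]
def aggregate(*txs):  # merge transactions and cut through any output spent inside the same set
    ins, outs = [c for tx in txs for c in tx[0]], [c for tx in txs for c in tx[1]]
    spent = set(ins) & set(outs)
    return [c for c in ins if c not in spent], [c for c in outs if c not in spent], [k for tx in txs for k in tx[2]]
def verify_tx(ins, outs, kernels):  # what a node checks: sum(outs) + fee*H == sum(ins) + sum(excess)
    fees, excesses = sum(k[1] for k in kernels), [k[0] for k in kernels]
    balanced = sum_points(outs + [mul(fees, H)]) == sum_points(ins + excesses)
    return balanced and all(mul(s, G) == add(R, mul(challenge(R, ex, fee), ex)) for ex, fee, (R, s) in kernels)
```

After aggregating a transaction with one that spends its output, the intermediate commitment disappears from both sides while both kernels remain and the combined set still verifies.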
In the previous sections, we've identified multiple sources of information that a blockchain is typically involved with:
- [x] Addresses
- [x] Amounts
- [ ] Inputs and outputs linking
- [x] IP addresses
- [x] Additional data embedded in transactions
- [ ] Transaction existence
Checked boxes are where Grin shines, while unchecked ones will require improvements.
Transaction aggregation provides benefits, and the absence of useful information in either inputs or outputs complicates analysis drastically. However, there are techniques that can exploit linking between inputs and outputs to erode privacy guarantees. Practically, they all need to rely on having participated in a transaction "close to" the ones that need to be analyzed in order to gain additional information. By sending "tainted" outputs and following them as they move through multiple transactions, information can still leak, as these outputs can be followed after one hop, or statistically over multiple hops.
This is an area where more improvements from the Grin team can be expected in the future, after mainnet is released.
Grin is likely one of the blockchains that, over time, offers the best "right to be forgotten" guarantee. However, there are improvements possible, particularly in redefining what exactly a transaction is and further blurring the lines between a grouped set of inputs and outputs and an overall state change.
Privacy is complex and information leakage is surprisingly easy. Privacy-preserving systems need to be extremely strong to ensure reasonable amounts of protection. Unfortunately, they often fail in practice simply because they are cumbersome to use, causing people to revert to convenience.
Beyond all the privacy preserving mechanisms and future improvements outlined in this document, Grin is committed to long term privacy protection. As such, we will continue pushing research and development so Grin remains the state of the art for practical and usable cryptocurrency privacy.