An article was published today in The Block, based on five questions I had answered to a journalist. The questions being what they were, they demanded quite long answers. Journalists being journalists, only a handful of statements were selected and included in the article, to fit a particular narrative. For those who are interested in reading the full answers, I publish them here verbatim.
I welcome you to challenge anything of what I write here, please let me know in this thread if there’s anything you disagree with, and why.
1. Ivan agreed that Mimblewimble doesn’t have addresses, but says that commitments are equivalent to addresses, except that the former hide transaction amounts. How do you respond to this?
I’m sorry, but that’s like saying that humans are just as good as birds at surviving jumps from cliffs, except that humans do not have wings. Hiding transaction amounts is crucial in order to make different output commitments look more like one another. Anyone who’s researching transaction linkability will be able to tell you as much. This does not mean that you get perfect privacy by hiding amounts, but without this, you wouldn’t be getting any privacy whatsoever.
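The point about commitments versus addresses is easiest to see in code. The following is an added example, not code from Grin or from the original post: it builds Pedersen commitments in a toy multiplicative group modulo the Mersenne prime 2**127 - 1 (all parameters are constructed here and are far too small for real use; Grin does the same algebra on the secp256k1 curve). An output is nothing but a commitment, two outputs of equal value look unrelated, and a node can still verify that a transaction balances without ever learning an amount.

```python
"""Pedersen commitments as Mimblewimble-style outputs (added toy example).

Written multiplicatively, a commitment is C = G**value * H**blind (mod P).
The group modulus, generators and amounts below are assumptions made for
this example only.
"""
import hashlib
import secrets

P = 2**127 - 1          # toy group modulus (Mersenne prime); real use needs a curve
ORDER = P - 1           # exponents (amounts, blinding factors) reduce modulo this
G = 3                   # generator that carries the amount
# Second generator whose discrete log to base G is unknown, derived by hashing
# (the same nothing-up-my-sleeve idea Grin applies on secp256k1).
H = int.from_bytes(hashlib.sha256(b"pedersen-blinding-generator").digest(), "big") % P


def commit(value: int, blind: int) -> int:
    """Pedersen commitment to `value` under blinding factor `blind`."""
    return pow(G, value, P) * pow(H, blind, P) % P


def random_blind() -> int:
    """Fresh blinding factor; this is what makes equal-value outputs look unrelated."""
    return secrets.randbelow(ORDER - 1) + 1


def kernel_excess(inputs, outputs) -> int:
    """What the spender publishes in the kernel: H**(sum r_out - sum r_in).

    `inputs` and `outputs` are (value, blind) pairs known only to the wallets.
    In Grin the excess is also signed to prove knowledge of the exponent; that
    signature is omitted here.
    """
    r_in = sum(r for _, r in inputs)
    r_out = sum(r for _, r in outputs)
    return pow(H, (r_out - r_in) % ORDER, P)


def verify_balance(input_commits, output_commits, fee: int, excess: int) -> bool:
    """Node-side check: prod(outputs) * G**fee / prod(inputs) == excess.

    No amount appears anywhere. If an output value was inflated, the G
    exponent no longer cancels and the equation fails.
    """
    prod_in = 1
    for c in input_commits:
        prod_in = prod_in * c % P
    prod_out = 1
    for c in output_commits:
        prod_out = prod_out * c % P
    lhs = prod_out * pow(G, fee, P) * pow(prod_in, -1, P) % P
    return lhs == excess


def demo():
    """Alice spends a 10-unit output: 7 to Bob, 2 change, 1 fee (constructed amounts)."""
    alice_in = (10, random_blind())
    bob_out = (7, random_blind())
    change = (2, random_blind())
    fee = 1
    excess = kernel_excess([alice_in], [bob_out, change])
    ins = [commit(*alice_in)]
    outs = [commit(*bob_out), commit(*change)]

    honest_ok = verify_balance(ins, outs, fee, excess)
    # Same amount, fresh blinding factor: nothing on chain ties the two together.
    same_amount_differs = commit(7, random_blind()) != commit(7, random_blind())
    # Bob tries to claim 8 instead of 7 with the same blinding factor and kernel.
    inflated_ok = verify_balance(ins, [commit(8, bob_out[1]), commit(*change)], fee, excess)
    return honest_ok, same_amount_differs, inflated_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Note that nothing in `verify_balance` identifies a recipient: there is no address field to reuse, only a fresh commitment per output, which is the property the answer above is getting at.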
Ivan also conveniently assumes here that Bitcoin addresses would never be reused, when we know that this is not a realistic assumption to make. It’s a feature of the protocol, and everybody from exchanges to individuals uses it today, trading off their collective on-chain privacy against convenience and usability.
Grin prevents all this on the protocol level by not having on-chain addresses in the first place. You remove one area of possible user or service error altogether. And the entire network benefits from this as a result.
2. Can you say more about “the number 95.5% is close to 100%, but it also doesn’t mean much”? What exactly does it mean? Ivan seems to say that a combination of the knowledge “output A spends to output B” and KYC will lead to a scenario of “authoritarian government knows who is sending money to dissident” - how would you respond to this?
First of all, let’s be clear about one thing: No matter who you are, if you are worried about protecting your identity, do not give a copy of your passport to an exchange. Similarly, don’t open a bank account in your name in the belief that you can use it to transact anonymously.
Second, with regards to Ivan’s work, he connected to nodes in the network and was able to gather a list containing close to all of the transactions on the network in the period. Great. Every full node on the network already sees 9X% deaggregated transactions in its mempool, and very very few transactions today are meaningfully aggregated at all. If he had asked any Grin developer, he would have learned that this would be possible. We have said as much since 2018, before Grin launched. This so-called “attack” adds little to nothing beyond what running a couple of nodes on the network would do, so it’s a mystery to me what exactly it is that’s supposed to have been broken here.
Third, only having this list of Grin transactions is of no use. This should hopefully be obvious by reading Ivan’s work, as he is not able to do anything with the data he obtains. But, on the other hand, if an attacker transacts repeatedly with a specific target and this target then transacts with an exchange that the attacker controls, which the target has given their KYC details to, then they might be able to identify the target. It’s worth noting that any decoy-based protocol would be vulnerable to this, including Monero. This is not a trivial attack to carry out, and if you adhere to my first point above, it would not work. But perhaps most importantly, it requires a lot of effort by a strong adversary to uncover a single target this way, and it is not possible to attack 95.5% of the network passively.
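The two answers above turn on one mechanism: how much of the input-to-output graph a node can reconstruct depends entirely on whether transactions reach it one at a time or already aggregated. The following is an added example, not code from Grin or from the original post; it models transactions as sets of opaque commitment labels (constructed sample data) and measures what a single observing node learns under each arrival pattern. Cut-through is applied the way a Mimblewimble node would when merging transactions.

```python
"""Linkability seen by one node: deaggregated vs aggregated arrival (added example).

A transaction is just a set of input commitments and a set of output
commitments; amounts are hidden and play no role here. The labels and
arrival patterns below are constructed for this example.
"""
from collections import namedtuple

Tx = namedtuple("Tx", ["inputs", "outputs"])


def aggregate(txs):
    """Merge transactions as a Mimblewimble node does: union inputs and outputs,
    then cut through any output that is also spent inside the same bundle."""
    ins = set().union(*(t.inputs for t in txs))
    outs = set().union(*(t.outputs for t in txs))
    cut = ins & outs
    return Tx(frozenset(ins - cut), frozenset(outs - cut))


def true_origin(txs):
    """Ground truth: output -> the inputs of the transaction that created it."""
    return {o: frozenset(t.inputs) for t in txs for o in t.outputs}


def observed_origin(txs, arrival_groups):
    """What an observer learns when each group of transactions reaches it as one
    aggregate: an output is only known to stem from *some* input of that aggregate.
    Outputs removed by cut-through never become visible to the observer at all."""
    view = {}
    for grp in arrival_groups:
        agg = aggregate([txs[i] for i in grp])
        for o in agg.outputs:
            view[o] = agg.inputs
    return view


def linked_fraction(txs, arrival_groups):
    """Share of outputs the observer can pin to exactly the inputs that funded them."""
    truth = true_origin(txs)
    view = observed_origin(txs, arrival_groups)
    linked = sum(1 for o, ins in truth.items() if view.get(o) == ins)
    return linked / len(truth)


# Constructed sample: four transactions; tx2 spends an output of tx0.
SAMPLE_TXS = [
    Tx({"a"}, {"b", "c"}),
    Tx({"d"}, {"e"}),
    Tx({"c"}, {"f", "g"}),
    Tx({"h", "i"}, {"j"}),
]
# Each inner list is one arrival at the observer's mempool.
DEAGGREGATED = [[0], [1], [2], [3]]       # what most nodes see today
PARTIAL = [[0], [1], [2, 3]]              # only the last pair merged en route
AGGREGATED = [[0, 2], [1, 3]]             # everything merged before arrival


if __name__ == "__main__":
    for name, groups in [("deaggregated", DEAGGREGATED), ("partial", PARTIAL), ("aggregated", AGGREGATED)]:
        print(f"{name:13s} linked outputs: {linked_fraction(SAMPLE_TXS, groups):.3f}")
```

With every transaction arriving on its own, 100% of outputs are linked to their funding inputs; with pairwise aggregation before arrival, the same observer pins down only one output in six (and that one only because cut-through removed an intermediate output). The graph an observer recovers is still a graph of commitments: turning a node of it into a person needs the out-of-band information discussed in the answer above, which is why the 95.5% figure and "identifying a target" are different claims.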
3. Vitalik said on Twitter that “If your privacy model has a medium anonymity set, it really has a small anonymity set. If your privacy model has a small anonymity set, it has an anonymity set of 1. Only global anonymity sets (eg. as done with ZK-SNARKs) are truly robustly secure.” How do you respond to this? https://twitter.com/VitalikButerin/status/1196468111995756544
ZK-SNARKs are really cool, but they are still very experimental, come with different security assumptions, and scale badly compared to Mimblewimble. That said, the scientific community is currently making dramatic progress in zero knowledge research, and this will undoubtedly lead to strong privacy improvements over time.
4. Are you taking any follow-up steps to improve the privacy model of Grin after these blog posts?
We are constantly working on improving Grin’s privacy-preserving abilities. But we take a long-term view when we decide about adding features, being conscious of Grin’s two other, equally important design goals: Scalability and Minimalism. For example, when we considered whether to add decoy outputs, concerns about how effective they actually would be, combined with the impact it would have on the size of the UTXO set, meant that they were not seen as a slam-dunk for Grin’s needs.
Discussions on how to best reduce output linkability are ongoing in the Grin community. We also have it listed as an Open Research Problem, and finding the best-fit answer is a constant high priority item. But no solution will be integrated until the team is fairly certain that a particular approach is the right one. So in this aspect, we’re choosier than some other projects about when and how we add features. If this means longer project time-frames, so be it. There is no company with investors expecting a return, so we can afford to take our time and do things right.
Also note that this is only one aspect of Grin’s privacy preserving features, and there are many other areas where privacy improvements are coming at a faster pace. For instance, our upcoming 3.0.0 release will allow users to send and receive payments via hidden services over the Tor network, which we believe will be a compelling privacy feature. You can graph as many transactions as you like, but you’ll still not find the recipient of a payment unless you’ve also compromised Tor, or if they compromise themselves in the ways described above.
So yes, we’re always looking at ways to improve Grin’s privacy and scalability. Ivan’s article is a reminder of some of the already well-known challenges we have outstanding, but it does not affect our priorities. We’re proactive, not reactive.
Another question: do you agree that the current protocol will reveal the transaction graph? Ivan told me he was essentially worried that Grin is more like bitcoin than other privacy tokens - do you think this is a fair assertion?
Yes of course the current protocol can reveal the transaction graph. This is a known limitation which we have been stating publicly since 2018.
I agree with Ivan, Grin is more like Bitcoin than other privacy coins. It was launched fairly, it has no pre-mine, there is no dev tax, and it relies on cryptographic assumptions that have been battle-tested.
However, there are also a lot of important differences: Grin achieves better privacy with less data kept on chain and less data required to do a full sync, all with the same security. There is no trade-off here, you get more with less.