On the Confidentiality of Amounts in Grin
Suyash Bagad, Saravanan Vijayakumaran
Indian Institute of Technology, Bombay
Crypto Valley Conference on Blockchain Technology, 2020
MimbleWimble
No addresses, No amounts!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7412913/grin_transparent_logo3.png)
Provides Privacy, Scalability and Fungibility
First implementation by
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7413020/grin-grin-logo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7413025/Beam_logo_circle.png)
A blockchain protocol relying on homomorphic commitments
Hides amounts using Pedersen commitments
Outputs in Grin
Each output on the Grin blockchain is a Pedersen commitment
Pedersen commitments are homomorphic, perfectly hiding and computationally binding
For an amount \(a \in \{0,1,\dots,2^{64}-1\}\) and blinding factor \(k \in \mathbb{F}_q\),
where \(G,H \in \mathbb{G}\) are generators whose discrete-log relation is unknown
Given an output \(P \in \mathbb{G}\), it is infeasible to find the amount it commits to
Each output comes with a range proof proving \(a \in \{0,1,\dots,2^{64}-1\}\)
A Grin Block
[Block diagram: block height and kernel offset at the top; a coinbase transaction (no inputs, one output) followed by Reg. Transaction #1 and Reg. Transaction #2, each with inputs and outputs]
Dandelion [diagram: block with aggregated inputs and outputs]
Cut-through [diagram: block with two entries crossed out]
Block added to Blockchain!
More on a Grin Block
[Block diagram: block height, kernel offset, inputs and outputs, fees and kernel excesses grouped together]
RTO (regular transaction output) balance equation:
$$ \sum_{i=1,2,4}O_i+ \left(\sum_{i=1,2} f_i\right) H - \sum_{i=1}^{4}I_i = \sum_{i=1,2}X_i + k_{\text{off}}G$$
A block contains \(n\) kernels, one per transaction
Each kernel contains a fee and a kernel excess
Coinbase fee \(f_{\text{cb}} = 0\), mining reward \(r = 60\) grin
Each kernel also contains a Schnorr signature proving that \(X_i = x_iG\) for some \(x_i \in \mathbb{F}_q\)
Block validation check:
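Added example, not Grin's code (Grin uses an elliptic-curve group): Pedersen commitments and the kernel-excess validation check from the RTO equation above, written multiplicatively in a constructed toy group of quadratic residues modulo a small safe prime. The group is tiny, so the discrete-log relation between \(G\) and \(H\) is findable here; the Schnorr signature on each excess is omitted.

```python
import secrets

# Constructed toy group: quadratic residues modulo the safe prime P = 2Q + 1.
# The slide's additive kG + aH becomes G**k * H**a mod P in this notation.
P, Q = 2039, 1019
G, H = 4, 9   # squares mod P, hence of prime order Q (toy: their DL relation is findable)

def commit(a, k):
    """Pedersen commitment to amount a under blinding factor k."""
    return pow(G, k, P) * pow(H, a, P) % P

def gmul(*elems):
    """Group product (the slide's sum of group elements)."""
    out = 1
    for e in elems:
        out = out * e % P
    return out

def ginv(e):
    """Group inverse (the slide's subtraction of a group element)."""
    return pow(e, P - 2, P)

def make_tx(inputs, out_amounts, fee):
    """inputs: list of (amount, blinding) known to the spender. Returns the
    transaction body and a kernel holding the fee, the excess X = xG and an
    offset, with x = sum(k_out) - sum(k_in) - offset so that all blinding
    factors cancel against the kernel in the block validation check."""
    assert sum(a for a, _ in inputs) == sum(out_amounts) + fee, "unbalanced"
    out_keys = [secrets.randbelow(Q) for _ in out_amounts]
    offset = secrets.randbelow(Q)
    x = (sum(out_keys) - sum(k for _, k in inputs) - offset) % Q
    return {"inputs": [commit(a, k) for a, k in inputs],
            "outputs": [commit(a, k) for a, k in zip(out_amounts, out_keys)],
            "fee": fee, "excess": pow(G, x, P), "offset": offset}

def validate_block(txs):
    """sum O_i + (sum f_i) H - sum I_i == sum X_i + k_off G, checked without
    learning any amount: only commitments, fees, excesses and offsets are used."""
    lhs = gmul(*[o for t in txs for o in t["outputs"]],
               pow(H, sum(t["fee"] for t in txs), P),
               *[ginv(i) for t in txs for i in t["inputs"]])
    k_off = sum(t["offset"] for t in txs) % Q          # block offset = sum of tx offsets
    rhs = gmul(*[t["excess"] for t in txs], pow(G, k_off, P))
    return lhs == rhs

# Constructed sample block: two regular transactions with fees 1 and 2.
TX1 = make_tx([(50, 123)], [45, 4], 1)
TX2 = make_tx([(30, 777), (10, 42)], [38], 2)
```

Appending an extra output that no input pays for breaks the equation even though the validator never sees the hidden amounts.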
Main Idea
[Diagram: three blocks, each showing block height, inputs, outputs and fees]
General strategy: Compute the number of donor coinbase outputs!
Grin Blockchain as a DiGraph
We define a directed graph \(G = (V,E)\) such that
Nodes \(V = V_{\text{bl}} \cup V_{\text{cb}}\), where \(V_{\text{bl}}\) are blocks and \(V_{\text{cb}}\) are coinbase outputs
Edges \(E = E_1 \cup E_2\), where
\(E_1 \subseteq V_{\text{cb}} \times V_{\text{bl}}\): \((v_1, v_2) \in E_1\) if coinbase output \(v_1\) is spent in block \(v_2\)
\(E_2 \subseteq V_{\text{bl}}^2\): \((v_1, v_2) \in E_2\) if at least one RTO in block \(v_1\) is spent in block \(v_2\)
[Graph figure: block nodes at heights 16, 18, 1489, 1493, 1504 and 1514, with labels \(h_1\), \(h_2\), \(h_3\)]
Flow Upper Bounds
A vertex \(c \in V_{\text{cb}}\) in \(G\) is called a donor of a block \(b \in V_{\text{bl}}\) if there is a directed path from \(c\) to \(b\) in \(G\).
[Graph figure: subgraph with nodes at heights 16, 18, 1458, 1469, 1479, 1481, 1482, 1489, 1493, 1495 and 1499, and labels 38, 33, 9, 5, 7]
Subgraph for \(h=1499\), \(G^{(h)} = (V^{(h)}, E^{(h)})\) where \(V^{(h)} = V^{(h)}_{\text{bl}} \cup V^{(h)}_{\text{cb}}\)
$$ \therefore \ \mathcal{A}(O^{h}) \le 7r + \sum_{b \in V_{\text{cb}}^{(h)}} f_b - \sum_{b \in V_{\text{bl}}^{(h)}} f_b $$
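The digraph, donor set and flow upper bound defined above, as an added example on a constructed toy chain (not the paper's code or Grin mainnet data). It assumes that each block's total fees, the coinbase outputs it spends and the blocks whose RTOs it spends are known, that a coinbase output is worth \(r\) plus its block's fees (the \(f_b\) summed over \(V_{\text{cb}}^{(h)}\) in the formula), and that \(V_{\text{bl}}^{(h)}\) includes block \(h\) itself.

```python
from collections import deque

REWARD = 60  # mining reward r in grin, as on the slides

# Constructed toy chain (not Grin data). Per block height:
#   fees       - total fees paid by the block's regular transactions
#   spends_cb  - heights whose coinbase output is spent here (edges in E_1)
#   spends_rto - heights at least one of whose RTOs is spent here (edges in E_2)
TOY_CHAIN = {
    1: {"fees": 0, "spends_cb": [],  "spends_rto": []},
    2: {"fees": 0, "spends_cb": [],  "spends_rto": []},
    3: {"fees": 1, "spends_cb": [1], "spends_rto": []},
    4: {"fees": 2, "spends_cb": [2], "spends_rto": [3]},
    5: {"fees": 1, "spends_cb": [],  "spends_rto": [4]},
    6: {"fees": 0, "spends_cb": [5], "spends_rto": []},
}

def build_graph(chain):
    """Reverse adjacency of G = (V, E): for each block node, the nodes with an edge into it.
    Nodes are tagged ("cb", h) for coinbase outputs and ("bl", h) for blocks."""
    preds = {}
    for h, blk in chain.items():
        preds[("bl", h)] = ([("cb", c) for c in blk["spends_cb"]] +
                            [("bl", b) for b in blk["spends_rto"]])
    return preds

def ancestor_subgraph(preds, h):
    """V^(h): every node with a directed path to block h, plus block h itself (BFS backwards)."""
    seen = {("bl", h)}
    queue = deque([("bl", h)])
    while queue:
        node = queue.popleft()
        for p in preds.get(node, []):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen

def donors(chain, h):
    """Coinbase outputs with a directed path to block h."""
    return sorted(c for kind, c in ancestor_subgraph(build_graph(chain), h) if kind == "cb")

def flow_upper_bound(chain, h):
    """(#donors) r + sum of donor-block fees - sum of fees paid in the blocks of V^(h)."""
    sub = ancestor_subgraph(build_graph(chain), h)
    inflow = sum(REWARD + chain[c]["fees"] for kind, c in sub if kind == "cb")
    outflow = sum(chain[b]["fees"] for kind, b in sub if kind == "bl")
    return inflow - outflow
```

For block 5 the donors are the coinbase outputs of blocks 1 and 2, so the RTOs of block 5 hold at most \(2r\) minus the 4 grin of fees paid along the way.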
Results
Analysis for RTOs in 612,102 blocks (up to March 17th, 2020)
For gauging the effectiveness of flow upper bounds, we compute and plot
\(\text{Flow ratio of RTO (FR)} = \frac{\text{Flow upper bound of RTO}}{\text{Trivial upper bound of RTO}}\)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7416797/ratio_compact_cvcbt20.png)
Figure 1: Flow ratio (y-axis) against block height (x-axis)
\(88\%\) of blocks have \(FR > 0.9\), while \(6.6\%\) of blocks with \(h>10^5\) have \(FR < 0.5\)
Results
Unspent RTOs depict the current state of the Blockchain (Fig. 2)
A jagged pattern in the flow ratio is observed in Fig. 1. Why?
\(983\) URTOs have an upper bound less than \(1800\)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7416886/utxo_hist_cvcbt20_trans.png)
Figure 2: Histogram of flow ratio (x-axis) against percentage of the URTO set (y-axis)
\(95\%\) of \(110,149\) URTOs have \(FR > 0.9\)
Conclusion
Amounts in very few RTOs are found to lie in a narrow range
Confidentiality of most URTOs is preserved; however...
Transaction structure could reveal some information about amounts in spite of perfectly hiding commitments
Transaction volume increase might strengthen amount confidentiality
Linkability in inputs and outputs could be leveraged for tighter bounds
Would be interesting to design such analysis for Beam, Monero, ...
Related Work
Listening to ~600 peer nodes, transactions could be traced to their origin before they are aggregated
Ivan Bogatyy claimed to have traced 96% of all Grin transactions
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7445765/supernode.gif)
Image credits: https://github.com/bogatyy/grin-linkability
Related Work
A. Kumar et al. demonstrated 3 attacks on the traceability of inputs in Monero transactions, showing that in \(87\%\) of cases the real output being redeemed can be identified!
Idea #1: \(65\%\) of transactions have 0 mix-ins as of Feb 2017!
Idea #2: The input being spent in a ring is the one with the highest block height at which it appeared as a TXO.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7445869/Screenshot_from_2020-06-09_02-05-53.png)
Image credits: https://eprint.iacr.org/2017/338.pdf
Related Work
Möser et al. presented a traceability analysis of Monero similar and concurrent to Kumar et al.'s work
Proposed a novel Binned Mixin Sampling strategy as a counter-measure
Characterised Monero usage based on user behaviour
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1332362/images/7453636/Screenshot_from_2020-06-11_01-01-00.png)
https://arxiv.org/pdf/1704.04299.pdf
References
A. Poelstra, "MimbleWimble" [Online], Available:
T. P. Pedersen, "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing", in Advances in Cryptology - CRYPTO '91, Springer, 1992, pp. 129-140.
M. Möser et al., "An Empirical Analysis of Traceability in the Monero Blockchain", Proceedings on Privacy Enhancing Technologies, 2018.
I. Bogatyy, "Linking 96% of Grin transactions" [Online], Available:
A. Kumar, C. Fischer, S. Tople and P. Saxena, "A traceability analysis of Monero's blockchain", European Symposium on Research in Computer Security - ESORICS 2017, pp. 153-173, 2017.
Thank you!
Happy to answer any questions!