On the Confidentiality of Amounts in Grin
Suyash Bagad, Saravanan Vijayakumaran
Indian Institute of Technology, Bombay
Crypto Valley Conference on Blockchain Technology, 2020
MimbleWimble
No addresses, No amounts!
Provides Privacy, Scalability and Fungibility
First implementation by
A Blockchain protocol relying on Homomorphic Commitments
Hides amounts using Pedersen Commitments
Outputs in Grin
Each output on Grin blockchain is a Pedersen Commitment
Pedersen Commitments are homomorphic, perfectly hiding and computationally binding
For an amount \(a \in \{0,1,\dots,2^{64}1\}\) and blinding factor \(k \in \mathbb{F}_q\)
where \(G,H \in \mathbb{G}\) such that DL relation between them is unknown
Given an output \(P \in \mathbb{G}\) it is infeasible to find the amount it commits to
Each output comes with a range proof proving \(a \in \{0,1,\dots,2^{64}1\}\)
A Grin Block
Block height Kernel offset 
Inputs  Outputs 
Reg. Transaction #2 
Inputs  Outputs 
Reg. Transaction #1 
Inputs  Outputs 
 
Coinbase Transaction 
Dandelion
Block height Kernel offset 
Inputs  Outputs 

Cutthrough
Block height Kernel offset 
Inputs  Outputs 

Block added to Blockchain!
More on a Grin Block
Block height Kernel offset 
Inputs  Outputs 

Fees 
Kernel Excesses 
RTO
$$ \sum_{i=1,2,4}O_i+ \left(\sum_{i=1,2} f_i\right) H  \sum_{i=1}^{4}I_i = \sum_{i=1,2}X_i + k_{\text{off}}G$$
A block contains \(n\) kernels, \(n =\) #Transactions
Each kernel contains fee and a kernel excess
Coinbase fee \(f_{\text{cb}} = 0\), mining reward \(r = 60\) grin
Each kernel also contains a Schnorr signature proving that \(X_i = x_iG\) for some \(x_i \in \mathbb{F}_q\)
Block validation check:
Main Idea
Block height 
Inputs  Outputs 

Fees 
Block height 
Inputs  Outputs 

Fees 
Block height 
Inputs  Outputs 

Fees 
General strategy: Compute number of donor coinbase outputs!
Grin Blockchain as a DiGraph
We define a directed graph \(G = (V,E)\) such that
Nodes \(V = V_{\text{bl}} \cup V_{\text{cb}}, \) where \( V_{\text{bl}} \) are blocks and \(V_{\text{cb}}\) are coinbase outputs
Edges \(E = E_1 \cup E_2\) where
\(E_1 = (v_1, v_2) \in V_{\text{cb}} \times V_{\text{bl}} \) if coinbase output \(v_1\) is spent in block \(v_2\)
\(E_2 = (v_1, v_2) \in V_{\text{bl}}^2 \) if at least one RTO in block \(v_1\) is spent in block \(v_2\)
\(16\)
\(1493\)
\(18\)
\(1489\)
\(1514\)
\(1504\)
\(h_1\)
\(h_1\)
\(h_2\)
\(h_2\)
\(h_3\)
\(h_3\)
Flow Upper Bounds
A vertex \(c \in V_{\text{cb}}\) in \(G\) is called a donor of a block \(b \in V_{\text{bl}}\) if there is a directed path from \(c\) to \(b\) in \(G\).
\(1499\)
\(16\)
\(1482\)
\(1469\)
\(1458\)
\(1481\)
\(1489\)
\(1495\)
\(1493\)
\(18\)
\(1479\)
\(38\)
\(33\)
\(9\)
\(5\)
\(7\)
Subgraph for \(h=1499\), \(G^{(h)} = (V^{(h)}, E^{(h)})\) where \(V^{(h)} = V^{(h)}_{\text{bl}} \cup V^{(h)}_{\text{cb}}\)
$$ \therefore \ \mathcal{A}(O^{h}) \le 7r + \sum_{b \in V_{\text{cb}}^{(h)}} f_b  \sum_{b \in V_{\text{bl}}^{(h)}} f_b $$
Results
Analysis for RTOs in 612,102 blocks (till March 17th, 2020)
\(\text{Flow ratio of RTO (FR)} = \frac{\text{Flow upper bound of RTO}}{\text{Trivial upper bound of RTO}}\)
For gauging effectiveness of flow upper bounds, we compute and plot
\(\text{Block height}\)
\(\text{Flow ratio}\)
\(88\%\) blocks have \(FR > 0.9\),
\(6.6\%\) blocks with \(h>10^5\) have \(FR < 0.5\)
Results
Unspent RTOs depict the current state of the Blockchain (Fig. 2)
\(\text{Block height}\)
\(\text{Flow ratio}\)
Jagged pattern in Flow ratio is observed in Fig. 1, Why?
\(983\) URTOs have upper bound less that \(1800\)
\(\text{Flow ratio}\)
\( \% \text{ of URTO set}\)
\(95\%\) of \(110,149\) URTOs have \(FR > 0.9\)
Figure 1
Figure 2
Conclusion
Amounts in very few RTOs found to be in a narrow range
Confidentiality of most URTOs is preserved, however...
Transaction structure could reveal some information about amounts inspite of perfectly hiding commitments
Transaction volume increase might strengthen amount confidentiality
Linkability in inputs and outputs could be leveraged for tighter bounds
Would be interesting to design such analysis for Beam, Monero,...
Related Work
Listening to ~600 peer nodes, transactions could be traced to their origin before they are aggregated
Ivan Bogatty claimed to have traced 96% of all Grin transactions
Image credits: https://github.com/bogatyy/grinlinkability
Related Work
A. Kumar et al. demonstrated 3 attacks on traceability of inputs in Monero transactions, showing that In \(87\%\) of cases, the real output being redeemed can be identified!
Idea#1: \(65\%\) transactions have 0 mixins as of Feb, 2017!
Idea#2: An input being spent in a ring is the one with the highest block height, where it appeared as a TXO.
Image credits: https://eprint.iacr.org/2017/338.pdf
Related Work
M\( \ddot{o} \)ser et al. presented traceability analysis of Monero similar and concurrent to that of Kumar et al's work
Proposed a novel Binned Mixin Sampling strategy as a countermeasure
Characterised Monero usage based on userbehaviour
https://arxiv.org/pdf/1704.04299.pdf
References
A. Poelstra, "MimbleWimble" [Online], Available:
T. P. Pedersen, "NonInteractive and InformationTheoretic Secure Verifiable Secret Sharing", in Advances in Cryptology  CRYPTO '91, Springer, 1992, pp. 129140.
M. Möser, et al. “An Empirical Analysis of Traceability in the Monero Blockchain”. Proceedings on Privacy Enhancing Technologies (2018)
"Linking 96% of Grin transactions" [Online], Available:
A. Kumar, C. Fischer, S. Tople and P. Saxena, "A traceability analysis of Monero’s blockchain", European Symposium on Research in Computer Security – ESORICS 2017, pp. 153173, 2017.
Thank you!
Happy to answer any questions!
On the Confidentiality of Amounts in Grin
By Suyash Bagad
On the Confidentiality of Amounts in Grin
This is an example.
 453