## On the Confidentiality of Amounts in Grin

Indian Institute of Technology, Bombay

Crypto Valley Conference on Blockchain Technology, 2020

# MimbleWimble

Provides Privacy, Scalability and Fungibility

First implementation by

A Blockchain protocol relying on Homomorphic Commitments

Hides amounts using Pedersen Commitments

# Outputs in Grin

Each output on the Grin blockchain is a Pedersen commitment

$$P = kG + aH$$

to an amount $$a \in \{0,1,\dots,2^{64}-1\}$$ with blinding factor $$k \in \mathbb{F}_q$$, where $$G,H \in \mathbb{G}$$ are generators such that the discrete-log relation between them is unknown.

Pedersen commitments are homomorphic, perfectly hiding and computationally binding.

Because the commitment is perfectly hiding, an output $$P \in \mathbb{G}$$ on its own reveals nothing about the amount it commits to; the (computational) binding property is what stops the owner from later opening it to a different amount.

Each output comes with a range proof proving $$a \in \{0,1,\dots,2^{64}-1\}$$, so that no output can commit to a negative amount.

# A Grin Block

A block at height $$h$$ carries a kernel offset $$k_{\text{off}} \in \mathbb{F}_q$$ and its transactions:

| Transaction | Inputs | Outputs |
|---|---|---|
| Coinbase transaction | - | $$O_{\text{cb}}$$ |
| Reg. transaction #1 | $$I_1, I_2$$ | $$O_1, O_2, O_3$$ |
| Reg. transaction #2 | $$I_3, I_4, I_5$$ | $$O_4$$ |

Dandelion: transactions are aggregated during relay, so the block stores one merged list of inputs and outputs rather than the individual transactions:

| Block height | Kernel offset | Inputs | Outputs |
|---|---|---|---|
| $$h$$ | $$k_{\text{off}} \in \mathbb{F}_q$$ | $$I_1, I_2, I_3, I_4, I_5$$ | $$O_{\text{cb}}, O_1, O_2, O_3, O_4$$ |

Cut-through: $$I_5 = O_3$$! An output created and spent within the same block is removed from both sides:

| Block height | Kernel offset | Inputs | Outputs |
|---|---|---|---|
| $$h$$ | $$k_{\text{off}} \in \mathbb{F}_q$$ | $$I_1, I_2, I_3, I_4$$ | $$O_{\text{cb}}, O_1, O_2, O_4$$ |

# More on a Grin Block

| Block height | Kernel offset | Inputs | Outputs | Fees | Kernel excesses |
|---|---|---|---|---|---|
| $$h$$ | $$k_{\text{off}} \in \mathbb{F}_q$$ | $$I_1, I_2, I_3, I_4$$ | $$O_{\text{cb}}, O_1, O_2, O_4$$ | $$f_{\text{cb}}, f_1, f_2$$ | $$X_{\text{cb}}, X_1, X_2$$ |

The non-coinbase outputs $$O_1, O_2, O_4$$ are regular transaction outputs (RTOs).

A block contains $$n$$ kernels, where $$n$$ = number of transactions in the block.

Each kernel contains a fee and a kernel excess.

Coinbase fee $$f_{\text{cb}} = 0$$; mining reward $$r = 60$$ grin. The coinbase output $$O_{\text{cb}}$$ commits to the reward plus the fees of the block, $$r + f_1 + f_2$$.

Each kernel also contains a Schnorr signature proving that $$X_i = x_iG$$ for some $$x_i \in \mathbb{F}_q$$, i.e. that the excess has no $$H$$ component.

Block validation check (over the regular transactions):

$$\sum_{i=1,2,4}O_i+ \left(\sum_{i=1,2} f_i\right) H - \sum_{i=1}^{4}I_i = \sum_{i=1,2}X_i + k_{\text{off}}G$$

The $$H$$ terms cancel exactly when the amounts balance (inputs = outputs + fees), and the signatures guarantee the excesses cannot hide an $$H$$ component, so the check holds only for a block that creates no new coins.
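The commitment arithmetic of the Outputs slide and the block validation check above, as an added worked example (not code from the talk or from Grin): a from-scratch secp256k1 implementation in Python with a second generator $$H$$ obtained by hashing to the curve. That derivation of $$H$$, the toy amounts, fees and blinding factors are assumptions of this example; Grin derives its $$H$$ differently.

```python
# Added example: Pedersen commitments and the MimbleWimble balance check on secp256k1,
# in pure Python. Illustrative code, not Grin's implementation.
import hashlib

# secp256k1 public constants: field prime, group order, base point G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                      # q == -p
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p (not constant-time; demo only)."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def ec_neg(p):
    return INF if p is INF else (p[0], (-p[1]) % P)


def second_generator(label=b"pedersen-H-example"):
    """Nothing-up-my-sleeve H: hash a label to an x-coordinate and lift it to the curve.
    ASSUMPTION of this example (Grin's H is derived differently); what matters is that
    nobody knows log_G(H), which a hash-derived point gives us."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # P = 3 mod 4: this is a sqrt whenever y2 is a square
        if y * y % P == y2:
            return (x, y)
        ctr += 1


H = second_generator()


def commit(k, a):
    """Pedersen commitment P = kG + aH to a 64-bit amount a with blinding factor k."""
    assert 0 <= a < 2**64, "amount outside the range a range proof would cover"
    return ec_add(ec_mul(k, G), ec_mul(a, H))


def kernel_excess(k_in, k_out, k_off):
    """X = (sum k_out - sum k_in - k_off) G; the signer knows this scalar and can sign."""
    return ec_mul((sum(k_out) - sum(k_in) - k_off) % N, G)


def verify_balance(inputs, outputs, fee, excess, k_off):
    """The slide's check: sum(outputs) + fee*H - sum(inputs) == X + k_off*G."""
    lhs = ec_mul(fee, H)
    for o in outputs:
        lhs = ec_add(lhs, o)
    for i in inputs:
        lhs = ec_add(lhs, ec_neg(i))
    return lhs == ec_add(excess, ec_mul(k_off, G))


def verify_coinbase(o_cb, x_cb, reward, fees):
    """Coinbase output must commit to exactly reward + fees: O_cb == X_cb + (r + fees)H."""
    return o_cb == ec_add(x_cb, ec_mul(reward + fees, H))


def demo():
    """Constructed toy values (small blinding factors for speed; real ones are uniform
    in F_q). Returns (balanced_ok, inflated_ok, coinbase_ok)."""
    k_in, a_in = [11111, 22222], [100, 50]
    k_out, a_out = [33333, 44444], [120, 25]
    fee, k_off, reward = 5, 55555, 60                   # 150 in = 145 out + 5 fee
    ins = [commit(k, a) for k, a in zip(k_in, a_in)]
    outs = [commit(k, a) for k, a in zip(k_out, a_out)]
    X = kernel_excess(k_in, k_out, k_off)
    balanced_ok = verify_balance(ins, outs, fee, X, k_off)
    # Inflate one output by 1 grin with the same blinding factors: the leftover H term
    # cannot be absorbed into X without knowing log_G(H), so the check must fail.
    bad_outs = [commit(k_out[0], a_out[0] + 1), outs[1]]
    inflated_ok = verify_balance(ins, bad_outs, fee, X, k_off)
    k_cb = 66666
    o_cb = commit(k_cb, reward + fee)
    coinbase_ok = verify_coinbase(o_cb, ec_mul(k_cb, G), reward, fee)
    return balanced_ok, inflated_ok, coinbase_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The inflated case is the whole point of the binding property: with the blinding factors fixed, the only way to make the equation hold for a wrong amount is to fold the extra $$H$$ into a kernel excess, which the Schnorr signature forbids unless the forger knows $$\log_G H$$.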

# Main Idea

Consider three blocks at heights $$h_1 < h_2 < h_3$$ (the superscript names the block), where $$f_{h}$$ is the total fee of block $$h$$ and $$\mathcal{A}(\cdot)$$ denotes the amount committed in an output:

| Block height | Inputs | Outputs | Fees |
|---|---|---|---|
| $$h_1$$ | $$I_1^{h_1}, I_2^{h_1}$$ | $$O_{\text{cb}}^{h_1}, O_1^{h_1}$$ | $$f_{h_1}$$ |
| $$h_2$$ | $$I_1^{h_2}$$ | $$O_{\text{cb}}^{h_2}, O_1^{h_2}, O_2^{h_2}$$ | $$f_{h_2}$$ |
| $$h_3$$ | $$I_1^{h_3}, I_2^{h_3}$$ | $$O_{\text{cb}}^{h_3}, O_1^{h_3}, O_2^{h_3}, O_3^{h_3}$$ | $$f_{h_3}$$ |

Block $$h_2$$ spends only the coinbase output of $$h_1$$, whose amount is public:

$$\mathcal{A}(I_{1}^{h_2}) = \mathcal{A}(O_{\text{cb}}^{h_1}) = r+f_{h_1} \ \implies \ \mathcal{A}(O_{1}^{h_2}) + \mathcal{A}(O_{2}^{h_2}) = r+f_{h_1} - f_{h_2}$$

Block $$h_3$$ spends the coinbase output of $$h_2$$ and the RTO $$O_2^{h_2}$$:

$$\mathcal{A}(I_{1}^{h_3}) = \mathcal{A}(O_{\text{cb}}^{h_2}) = r+f_{h_2}, \quad \mathcal{A}(I_{2}^{h_3}) = \mathcal{A}(O_{2}^{h_2}) \le r+f_{h_1}-f_{h_2}$$

$$\therefore \quad \mathcal{A}(I_{1}^{h_3}) + \mathcal{A}(I_{2}^{h_3}) \le 2r + f_{h_1}$$

$$\therefore \quad \mathcal{A}(O_{1}^{h_3}) + \mathcal{A}(O_{2}^{h_3}) + \mathcal{A}(O_{3}^{h_3}) \le 2r + f_{h_1} - f_{h_3}$$

Since amounts are non-negative (range proofs), the bound on the sum bounds each RTO of $$h_3$$:

$$\therefore \quad \mathcal{A}(O_{j}^{h_3}) \le 2r + f_{h_1} - f_{h_3} \quad \forall j=1,2,3$$

The same bound reads as (reward + fee) of each donor coinbase output minus the fees of the blocks the value passed through:

$$\therefore \quad \mathcal{A}(O_{j}^{h_3}) \le (r+f_{h_1}) + (r+f_{h_2}) - (f_{h_2}+f_{h_3}) \quad \forall j=1,2,3$$

General strategy: compute the number of donor coinbase outputs!

# Grin Blockchain as a DiGraph

We define a directed graph $$G = (V,E)$$ (the graph, not the curve generator) such that

Nodes $$V = V_{\text{bl}} \cup V_{\text{cb}},$$ where $$V_{\text{bl}}$$ are blocks and $$V_{\text{cb}}$$ are coinbase outputs

Edges $$E = E_1 \cup E_2$$ where

$$E_1 = \{(v_1, v_2) \in V_{\text{cb}} \times V_{\text{bl}} : \text{coinbase output } v_1 \text{ is spent in block } v_2\}$$

$$E_2 = \{(v_1, v_2) \in V_{\text{bl}}^2 : \text{at least one RTO in block } v_1 \text{ is spent in block } v_2\}$$

[Figure: two example subgraphs of $$G$$, the three-block chain $$h_1, h_2, h_3$$ of the previous slide and a fragment of the real chain with blocks at heights 16, 18, 1489, 1493, 1504, 1514]

# Flow Upper Bounds

A vertex $$c \in V_{\text{cb}}$$ in $$G$$ is called a donor of a block $$b \in V_{\text{bl}}$$ if there is a directed path from $$c$$ to $$b$$ in $$G$$.

[Figure: subgraph $$G^{(1499)}$$ of block $$h = 1499$$, with the nodes at heights 5, 9, 16, 18, 33, 38, 1458, 1469, 1479, 1481, 1482, 1489, 1493, 1495 from which a directed path leads to block 1499; the block has 7 donor coinbase outputs]

Subgraph for $$h=1499$$: $$G^{(h)} = (V^{(h)}, E^{(h)})$$ where $$V^{(h)} = V^{(h)}_{\text{bl}} \cup V^{(h)}_{\text{cb}}$$ consists of block $$h$$ itself, every block with a directed path to $$h$$, and every donor of $$h$$.

Every input of a block in $$G^{(h)}$$ is either a donor coinbase output or an RTO of another block in $$G^{(h)}$$, so all value reaching the RTOs of $$h$$ enters through the donors, and each block on the way keeps its fee. Hence for every RTO $$O^{h}$$ of block $$h$$ (indeed for their sum), with $$f_b$$ for a coinbase output $$b$$ meaning the fee collected by the block that created it:

$$\mathcal{A}(O^{h}) \le |V_{\text{cb}}^{(h)}| \, r + \sum_{b \in V_{\text{cb}}^{(h)}} f_b - \sum_{b \in V_{\text{bl}}^{(h)}} f_b$$

With 7 donors for $$h = 1499$$:

$$\therefore \ \mathcal{A}(O^{h}) \le 7r + \sum_{b \in V_{\text{cb}}^{(h)}} f_b - \sum_{b \in V_{\text{bl}}^{(h)}} f_b$$
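The donor search and the bound above, as added example code (not the paper's implementation), run on a constructed four-block chain that reproduces the three-block derivation of the Main Idea slide. The trivial upper bound used to form the flow ratio (all coin minted before block $$h$$) is an assumption of this example, since the slides do not define it.

```python
# Added example: flow upper bound on the amounts of a block's RTOs, computed over the
# DiGraph G = (V_bl u V_cb, E1 u E2) of the slides. Illustrative code, not the paper's.
from collections import defaultdict, deque
from dataclasses import dataclass
from fractions import Fraction

R = 60  # mining reward r, in grin


@dataclass
class Block:
    height: int
    fee: int        # total fee f_h of the block's regular transactions
    inputs: list    # ids of the outputs spent in this block (after cut-through)
    rtos: list      # ids of the regular transaction outputs created here
    coinbase: str   # id of the coinbase output created here


def build_graph(blocks):
    """Predecessor map of G. Nodes: ('bl', h) for block h, ('cb', h) for its coinbase
    output. E1: coinbase of h' spent in h; E2: some RTO of block h' spent in block h."""
    origin = {}
    for b in blocks:
        origin[b.coinbase] = ("cb", b.height)
        for o in b.rtos:
            origin[o] = ("rto", b.height)
    preds = defaultdict(set)
    for b in blocks:
        for i in b.inputs:
            kind, h = origin[i]  # KeyError would mean spending an output that never existed
            preds[("bl", b.height)].add(("cb", h) if kind == "cb" else ("bl", h))
    return preds


def subgraph(preds, h):
    """V^(h): block h, every block with a directed path to it, and every donor coinbase.
    Reverse BFS along predecessor edges; returns (donor heights, block heights)."""
    seen = {("bl", h)}
    queue = deque(seen)
    while queue:
        v = queue.popleft()
        for u in preds[v]:
            if u not in seen:
                seen.add(u)
                queue.append(u)
    donors = sorted(hh for kind, hh in seen if kind == "cb")
    blocks_in = sorted(hh for kind, hh in seen if kind == "bl")
    return donors, blocks_in


def flow_upper_bound(blocks, h, r=R):
    """A(O^h) <= |donors| r + sum_{donor coinbase} f - sum_{blocks in subgraph} f."""
    fee = {b.height: b.fee for b in blocks}
    donors, blocks_in = subgraph(build_graph(blocks), h)
    return len(donors) * r + sum(fee[c] for c in donors) - sum(fee[b] for b in blocks_in)


def trivial_upper_bound(h, r=R):
    """ASSUMPTION of this example: all coin minted before block h (the slides do not
    spell out their trivial bound)."""
    return r * (h - 1)


def flow_ratio(blocks, h, r=R):
    """FR = flow upper bound / trivial upper bound, as an exact fraction."""
    return Fraction(flow_upper_bound(blocks, h, r), trivial_upper_bound(h, r))


# Constructed chain (not real Grin data). Blocks 2, 3, 4 play h1, h2, h3 of the slides:
# block 3 spends only coinbase 2; block 4 spends coinbase 3 and one RTO of block 3.
CHAIN = [
    Block(1, 0, [],             [],                    "cb1"),
    Block(2, 3, ["cb1"],        ["o2a"],               "cb2"),  # h1, f_{h1} = 3
    Block(3, 2, ["cb2"],        ["o3a", "o3b"],        "cb3"),  # h2, f_{h2} = 2
    Block(4, 1, ["cb3", "o3b"], ["o4a", "o4b", "o4c"], "cb4"),  # h3, f_{h3} = 1
]

if __name__ == "__main__":
    for h in (2, 3, 4):
        print(h, subgraph(build_graph(CHAIN), h), flow_upper_bound(CHAIN, h))
```

For block 4 the donors are the coinbases of blocks 2 and 3 and the subgraph blocks are 3 and 4, giving $$2r + f_{h_1} - f_{h_3}$$ exactly as derived on the Main Idea slide; spending one more old RTO (say `o2a`) in block 4 pulls block 2 and coinbase 1 into the subgraph and loosens the bound by another $$r$$.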

# Results

Analysis for RTOs in 612,102 blocks (till March 17th, 2020)

To gauge the effectiveness of flow upper bounds, we compute and plot the flow ratio of each RTO against block height (Figure 1):

$$\text{Flow ratio of RTO (FR)} = \frac{\text{Flow upper bound of RTO}}{\text{Trivial upper bound of RTO}}$$

[Figure 1: flow ratio vs block height]

$$88\%$$ of blocks have $$FR > 0.9$$; $$6.6\%$$ of blocks with $$h>10^5$$ have $$FR < 0.5$$

# Results

Unspent RTOs (URTOs) depict the current state of the blockchain (Figure 2)

[Figure 2: histogram of flow ratio vs % of the URTO set]

$$95\%$$ of $$110,149$$ URTOs have $$FR > 0.9$$

$$983$$ URTOs have an upper bound less than $$1800$$ grin

A jagged pattern in the flow ratio is observed in Figure 1. Why?

# Conclusion

Amounts in very few RTOs are found to lie in a narrow range

Confidentiality of most URTOs is preserved, however...

Transaction structure can reveal some information about amounts in spite of perfectly hiding commitments

An increase in transaction volume might strengthen amount confidentiality

Linkability of inputs and outputs could be leveraged for tighter bounds

It would be interesting to design such an analysis for Beam, Monero, ...

# Related Work

By listening to ~600 peer nodes, transactions could be traced to their origin before they are aggregated

Ivan Bogatyy claimed to have traced 96% of all Grin transactions this way

# Related Work

A. Kumar et al. demonstrated 3 attacks on the traceability of inputs in Monero transactions, showing that in $$87\%$$ of cases the real output being redeemed can be identified!

Idea #1: $$65\%$$ of transactions have 0 mix-ins as of Feb 2017!

Idea #2: the input actually being spent in a ring is likely the one with the highest block height, i.e. the most recently created TXO.

Image credits: https://eprint.iacr.org/2017/338.pdf

# Related Work

Möser et al. presented a traceability analysis of Monero similar and concurrent to that of Kumar et al.

Proposed a novel binned mixin sampling strategy as a countermeasure

Characterised Monero usage based on user behaviour

https://arxiv.org/pdf/1704.04299.pdf

# References

A. Poelstra, "MimbleWimble" [Online]. Available:

T. P. Pedersen, "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing", in Advances in Cryptology - CRYPTO '91, Springer, 1992, pp. 129-140.

M. Möser et al., "An Empirical Analysis of Traceability in the Monero Blockchain", Proceedings on Privacy Enhancing Technologies, 2018.

"Linking 96% of Grin transactions" [Online]. Available:

A. Kumar, C. Fischer, S. Tople and P. Saxena, "A traceability analysis of Monero's blockchain", European Symposium on Research in Computer Security - ESORICS 2017, pp. 153-173, 2017.