Even Privacy-Focused Cryptocurrency Can Spill Your Secrets

From a Harry Potter-themed protocol to high-profile coins, cryptocurrency is often not quite as private as it seems.
Illustration: Sam Whitney; Getty Images

In the Harry Potter universe, there’s a handy spell for when you need to stop someone from spilling your secret plans or shit-talking during a duel. It’s called Mimblewimble, otherwise known as the tongue-tying curse. It’s also the name of a privacy technology designed for cryptocurrencies—because, well, somebody’s gotta keep crypto weird.

The first coins to use Mimblewimble—distinct efforts called Grin and Beam—both launched in January. But arguments have since erupted over how private that underlying protocol actually is, after an independent researcher demonstrated an attack he says leaves its privacy model fundamentally crippled. Mimblewimble advocates say there are potential fixes. But Mimblewimble’s limitations—as well as vulnerabilities in Zcash and Monero, detailed in recent weeks—are a reminder of just how hard it is to guarantee privacy in the realm of digital money.

Private Lives

Privacy coins are a reaction to the realization that bitcoin isn’t private at all. Popular perception holds bitcoin as clandestine, but both the cops and the robbers are well past that. All bitcoin transaction data is public and open to all for analysis; combine that with some strategic subpoenas to get the personal data cryptocurrency exchanges are required to collect on their customers, and it’s pretty trivial to untangle who’s who. Doing so has become a big business. Federal procurement data indicates agencies like the Federal Bureau of Investigation and the Department of Homeland Security now spend millions annually on software to help track down the people behind transactions. So the dark web has largely turned to privacy coins in the hopes of staying concealed.

That turns out to be a tall order. Take Mimblewimble, which gets its privacy in part by gathering lots of transactions into a single, inscrutable package. That makes it harder for a snooper to parse which transaction is which. An additional component used by Grin and Beam, called Dandelion, helps ensure this aggregation occurs before the transactions are broadcast to other nodes in the network. (First comes a “stem” of linked nodes, where the transactions are meant to combine, followed by the “flower,” when the transactions actually broadcast, hence Dandelion.) But former Google engineer Ivan Bogatyy says the protocol is flawed because an attacker could set up a node that listens in on all the others. Such a “supernode” would almost always snag transactions before aggregation, stem or no stem, and could be used to uncover who paid whom.

The attack demonstrates a known limitation of Mimblewimble, says Giulia Fanti, a professor at Carnegie Mellon and one of the Dandelion designers: “I think maybe it was more surprising to general users than the people who are actually working with the technology.” Part of the problem, she adds, is that the Harry Potter coins just aren’t used enough yet. Presumably, more transactions would mean faster aggregation, making it more difficult for the supernode to sniff out transactions that remain loose from the herd. That principle is true for a lot of anonymity tech, Fanti points out, which often relies on hiding yourself within a crowd.

The Harry Potter coin developers claim the attack isn’t so dire. Grin’s developer team says it’s well aware that Mimblewimble’s privacy model doesn’t cover this attack, and has been working on solutions. Beam says it already mitigates the problem by using decoy transactions that make aggregation more effective.

But it’s still useful to demonstrate that a theoretical attack is also cheap and practical, notes Andrew Miller, a professor at the University of Illinois who also serves as a board member at Zcash Foundation. “It changes the conversation,” he says. “It didn’t even take a huge effort. It showed how widespread the problem is given the current scale of the network.”

Side Channel Blues

As a relatively young protocol, Mimblewimble doesn’t yet offer the same privacy guarantees as the methods used by Zcash and Monero, says Florian Tramer, a cryptography researcher at Stanford. They’ve been around longer, he adds, and rely on battle-tested cryptographic techniques like ring signatures and zero-knowledge proofs.

“The big question to address in this space is the expectations of privacy we have from different technologies,” Tramer says.

Even then, privacy remains tricky, according to Tramer. He recently published a set of attacks on Monero and Zcash that were notable because they didn’t even need to target the fancy cryptography those coins use. “That’s the part people have put a lot of effort in,” he adds. “But when you look at the bigger picture, how these systems interact with each other, you realize that keeping things anonymous and private is much, much harder than just getting the cryptographic aspects right.”

In this case, Tramer and colleagues developed so-called side channel attacks that homed in on the interactions between wallets, which are private, and the public-facing networks. Because the details of transactions are encrypted, a wallet needs to check whether each transaction it sees was meant for it or not. Tramer’s team based their attack on the observation that wallets perform different cryptographic checks depending on the answer to that question. An adversary can learn a lot by paying attention to those subtle differences in timing and behavior. Using the techniques Tramer developed, an attacker could uncover the payee for any anonymous transaction in the network, and locate the IP address of a machine that holds the private keys for a public address.
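
The leak described above can be seen in a toy model. This is an added example, not code from the article, from Tramer’s research, or from Monero or Zcash: the Wallet class, the transaction layout and CHECK_ROUNDS are hypothetical, and the uniform-work variant is a generic mitigation, not the fix either project shipped. Work is counted in hash rounds as a deterministic stand-in for the timing an observer would measure.

```python
import hashlib
import hmac
import os

TAG_LEN = 8
CHECK_ROUNDS = 2000  # assumed cost of the extra checks done only on a match

def make_tx(recipient_key, amount):
    """Constructed toy transaction: nonce, recipient tag, amount, proof."""
    nonce = os.urandom(16)
    body = amount.to_bytes(8, "big")
    tag = hmac.new(recipient_key, nonce, hashlib.sha256).digest()[:TAG_LEN]
    proof = hashlib.pbkdf2_hmac("sha256", recipient_key, nonce + body, CHECK_ROUNDS)
    return {"nonce": nonce, "body": body, "tag": tag, "proof": proof}

class Wallet:
    def __init__(self, key):
        self.key = key
        self.ops = 0  # hash rounds performed: deterministic stand-in for elapsed time

    def _tag(self, tx):
        self.ops += 1
        return hmac.new(self.key, tx["nonce"], hashlib.sha256).digest()[:TAG_LEN]

    def _proof_ok(self, tx):
        self.ops += CHECK_ROUNDS
        expected = hashlib.pbkdf2_hmac(
            "sha256", self.key, tx["nonce"] + tx["body"], CHECK_ROUNDS)
        return hmac.compare_digest(expected, tx["proof"])

    def process_leaky(self, tx):
        """Early exit for other people's payments: work depends on the answer."""
        if self._tag(tx) != tx["tag"]:
            return False
        return self._proof_ok(tx)

    def process_uniform(self, tx):
        """Same answer, same work either way; results combined only at the end."""
        tag_ok = hmac.compare_digest(self._tag(tx), tx["tag"])
        proof_ok = self._proof_ok(tx)
        return tag_ok and proof_ok

def work_gap(method_name, key, mine, other):
    """Difference in work between a payment to this wallet and one to someone else."""
    costs = []
    for tx in (mine, other):
        wallet = Wallet(key)
        getattr(wallet, method_name)(tx)
        costs.append(wallet.ops)
    return abs(costs[0] - costs[1])
```

With the leaky path, work_gap returns CHECK_ROUNDS for a payment to the wallet versus one to someone else; with the uniform path it returns 0.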

Those vulnerabilities were disclosed to Monero and Zcash, and Tramer says he’s happy with how quickly both teams patched them. The Monero fix was fairly simple because the design already tried to keep the wallet and network separate; the overlap was essentially a loophole that had to be closed. Zcash had a trickier problem because the wallet and network processes are linked by design. That’s partly an artifact of the network’s origins, which involved adding privacy technologies on top of bitcoin, rather than building from scratch. “Part of this attack was made possible by building on top of a client that wasn’t built with privacy and anonymity in mind. This is something the Zcash team is well aware of,” Tramer says.

Those problems are fixed, and for now, the privacy coins are still far more anonymous than bitcoin transactions, which can be surveilled passively and traced years after the fact. Miller says the community will need to keep a close eye on other types of side channel attacks, especially if the aim is to make privacy coins useful. Using your Zcash or Monero or Grin to pay for online services, for example, could usher in new headaches over what kinds of information get leaked when you interact with an application.

“This type of attack is fairly new,” Tramer says. “But I think people are starting to pay attention.” Privacy-centric coins have a solid cryptographical foundation. Yet staying concealed comes down to how they’re used in practice.

