mimblewimble/docs
Charlie Lee [LTC] -

This document explores Grin's protocol privacy as it is now and up to mainnet. It does not cover privacy implications of building transactions with another party.

When evaluating the level of privacy a system grants, one of the first points to consider is what information is being leaked through its use. The evaluation of that leakage should not only be restricted to information about yourself or a hypothetical user, but also what can be learned systemically about how the system is being used. For example, if one can find that half of the transactions in a particular cryptocurrency involve Amazon as a transacting party, it is easy to see why asking Amazon for its internal payment records would be useful in order to find out more.

On one end of this spectrum, no current blockchain system can hide that a transaction has occurred. So information such as relative activity can be derived fairly accurately for all blockchains. On another end of information leakage, the current top two cryptocurrencies reveal almost all there is to know about a transaction: amounts, source, destination, origin IP, etc. Their pseudonymous nature helps, but resourceful actors can see beyond pseudonyms (think of how much your IP address protects you from privacy invasion when you're online: very little).

In this document, we will separate what information Grin does not reveal from what it does, progressing from the strongest to the weakest privacy properties of the system.

Confidential Transactions

Grin, as a MimbleWimble implementation, natively uses a transaction format called Confidential Transactions (CT). By "natively" we mean that in Grin, CTs are not just an extension of another transaction format that helps hide amounts: Grin uses CTs for all transactions. As we will see, this has beneficial privacy implications.

A Grin transaction has very few pieces of information:

  • Inputs, which can be mostly seen as references to past outputs.
  • Outputs, each just a 33-byte blob called a commitment that encodes the amount and ownership, together with an associated range proof that the amount is not negative.
  • A proof that the sum of inputs matches the sum of outputs plus the fee (no new money is created).

The commitments used in Grin are called "perfectly hiding", meaning that, barring any bug, it can be shown that the amounts embedded in them can never be deduced from the commitments themselves, however much computing power an attacker has. There are also no addresses. Ownership is ensured through a single-use key, the blinding factor of the commitment.

Confidential Transactions allow the Grin chain to exist without any transferred amount or explicit ownership revealed.
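The following is an added example written for this primer, not Grin's own code, that shows the three properties above concretely on secp256k1: a Pedersen commitment `value*H + blind*G`, the balance check that sums inputs against outputs plus fee without revealing any amount, why a range proof is needed, and what "perfectly hiding" means. One assumption to note: here `H` is derived as `hash(G)*G` so the script knows `log_G(H)` and can open a commitment to a second amount on purpose; Grin's `H` is a nothing-up-my-sleeve point whose discrete log nobody knows, which is what keeps real commitments binding. The curve arithmetic is pure Python for readability and far too slow for real use.

```python
# Added example (not Grin's code): Pedersen commitments and the Mimblewimble
# balance check on secp256k1, in pure Python so every step is visible.
# Far too slow for real use; needs Python 3.8+ for pow(x, -1, p).
import hashlib

P = 2**256 - 2**32 - 977                                                # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod N, so a
    negative amount silently becomes a huge positive scalar."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

# ASSUMPTION: H is built as hash(G)*G so this script knows log_G(H) and can
# show the hiding argument explicitly. Grin's H is a nothing-up-my-sleeve
# point whose discrete log nobody knows; that unknown is what makes
# commitments binding (no one can open one to a second amount).
H_LOG = int.from_bytes(hashlib.sha256(G[0].to_bytes(32, "big")).digest(), "big") % N
H = mul(H_LOG, G)

def commit(value, blind):
    """Pedersen commitment C = value*H + blind*G (33 bytes when compressed)."""
    return add(mul(value, H), mul(blind, G))

def kernel_excess(inputs, outputs, fee):
    """sum(output commitments) + fee*H - sum(input commitments)."""
    total = mul(fee, H)
    for v, r in outputs:
        total = add(total, commit(v, r))
    for v, r in inputs:
        total = add(total, neg(commit(v, r)))
    return total

def balances(inputs, outputs, fee, excess_blind):
    """Valid iff no H component survives, i.e. the excess equals
    excess_blind*G: the amounts cancelled without ever being revealed.
    In Grin the holder of excess_blind proves this by signing with it."""
    return kernel_excess(inputs, outputs, fee) == mul(excess_blind, G)

def alternative_opening(value, blind, other_value):
    """Perfect hiding: for ANY other_value there is a blind' giving the same
    commitment, so the commitment carries no information about the amount.
    Computing blind' needs H_LOG, which in Grin nobody has."""
    return (blind + (value - other_value) * H_LOG) % N

if __name__ == "__main__":
    ins = [(40, 1111), (10, 2222)]               # (amount, blinding factor); constructed data
    outs = [(45, 3333), (4, 4444)]
    fee = 1
    excess = (3333 + 4444 - 1111 - 2222) % N     # known only to the transacting parties
    print("balances:", balances(ins, outs, fee, excess))                        # True
    print("inflated:", balances(ins, [(46, 3333), (4, 4444)], fee, excess))     # False
    # Without a range proof a negative output balances too: 51 + (-1) == 50.
    print("negative output:", balances(ins, [(51, 3333), (-1, 4444)], 0, excess))  # True
    print("same commitment opens to 7:",
          commit(7, alternative_opening(45, 3333, 7)) == commit(45, 3333))    # True
```

The negative-output case is the reason every output carries a range proof: the balance equation alone is satisfied by `51 + (-1) == 50`, which would let a spender mint 1 unit out of nothing.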

Uniformity

Three points from the previous section may be a little more subtle but have very important privacy benefits:

  1. All transactions are confidential.
  2. Transactions hold very little information. In particular, they do not hold any script.
  3. All transactions look like some random bits put together.

As all transactions are confidential, there are no non-confidential transactions that can reveal information about the confidential ones. As transactions hold very little information, there is also very little opportunity for wallets or people to degrade privacy guarantees. Since everything looks like random bits, statistical analysis without additional information is impossible.

Dandelion Relay

Another piece of information that commonly leaks is the IP address that originally sent a transaction. In a peer to peer network this can be hard to find directly as transactions are relayed, but over multiple transactions statistical analysis is possible. From an IP address, one can deduce location, the type of software used, etc.

In most cryptocurrencies today, transactions are sent by just "fluffing" them all around, sending them to all the peers one is connected with. Dandelion is a technique to add a "stem" phase prior to fluffing, where you delegate the fluffing to another peer randomly chosen in the network, over multiple hops. This makes it very hard to attribute a transaction to a reliable IP address, and renders statistical analysis on provenance impractical.

In addition, while transactions are being sent over the stem, there is a chance to aggregate them with other transactions as if they were a single one, obscuring some of the coupling between inputs and outputs. However, it remains to be seen how much practical privacy is gained from aggregation, since it depends on having many other transactions in flight at the same time.
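To make the stem phase tangible, here is an added toy simulation (not Grin's code) of what a passive observer learns from the first node it sees fluffing a transaction. The peer graph, the hop limit and the per-hop fluff probability are constructed assumptions for the simulation; real Dandelion++ adds epochs, per-node stem/fluff modes and embargo timers that are not modelled here.

```python
# Added example (not Grin's code): a toy simulation of Dandelion's stem phase.
# Peer graph, hop limit and fluff probability are constructed assumptions.
import random

def build_peers(n, degree, rng):
    """Constructed peer table: every node has `degree` random outbound peers."""
    return {i: rng.sample([j for j in range(n) if j != i], degree) for i in range(n)}

def relay_flood(origin, peers, rng):
    """Plain broadcast: the origin fluffs to all its peers itself, so the
    first node seen fluffing IS the origin."""
    return origin

def relay_dandelion(origin, peers, rng, fluff_prob=0.1, max_stem=10):
    """Stem phase: hand the transaction to ONE random peer per hop; each
    holder either fluffs (probability fluff_prob) or stems on. max_stem
    stands in for the embargo timer that forces a fluff if the stem runs
    too long or a stem peer silently drops the transaction."""
    node = origin
    for _ in range(max_stem):
        node = rng.choice(peers[node])       # delegate to a random peer
        if rng.random() < fluff_prob:        # this holder decides to fluff
            break
    return node                              # the node the observer sees

def origin_hit_rate(relay, n=200, trials=2000, seed=1, **relay_kw):
    """Fraction of transactions whose first fluffer is the true origin: the
    success rate of an observer who simply blames the first broadcaster."""
    rng = random.Random(seed)
    peers = build_peers(n, 8, rng)
    hits = 0
    for _ in range(trials):
        origin = rng.randrange(n)
        hits += relay(origin, peers, rng, **relay_kw) == origin
    return hits / trials

if __name__ == "__main__":
    print("flooding, first broadcaster == origin:", origin_hit_rate(relay_flood))      # 1.0
    print("dandelion, first fluffer == origin:", origin_hit_rate(relay_dandelion))
```

With flooding the observer is right every time; with a stem the first fluffer is the origin only when the random walk happens to loop back, which on a graph of this size is a few percent at most. Aggregation on the stem is not simulated; it would only lower the observer's confidence further, since the fluffed transaction may then be a merge of several origins.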

Cut-through

Cut-through is another technique inherited from MimbleWimble. As the name indicates, it lets the protocol cut out inputs and outputs from the blockchain as they're being spent. This is very effective for scalability, as large parts of the data that a blockchain traditionally needs to store forever can be removed. But it also provides a smaller privacy benefit.

While cut-through can technically be done on transactions before they're included in a block, it's unlikely to provide tangible privacy benefits at that level: outputs don't typically get spent that fast. There is an exception however for larger exchanges or merchant services, as they may be able to aggregate and cut through their transactions significantly by batching them.

In addition, as time goes on, a spent output becomes less and less likely to be known by any node on the network. In fact, most nodes will delete a spent output after a week. One can archive those spent outputs, but after a few years, how many archives with a given output will still be available?
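As an added illustration (not Grin's code) of what cut-through removes and what it must keep, the following merges a small constructed batch of transactions in which outputs are spent again within the same batch. Commitments and kernels are opaque labels here; the point is that intermediate outputs disappear while every kernel survives, since the kernels carry the excess and signature that let the merged transaction still validate.

```python
# Added example (not Grin's code): cut-through over a batch of transactions.
# Commitments and kernels are opaque labels (constructed sample data).

# Three constructed transactions: Alice pays Bob, Bob pays Carol from the
# output he just received, Carol immediately spends hers on to Dave.
SAMPLE_TXS = [
    {"inputs": ["X"],  "outputs": ["Y1", "Y2"], "kernels": ["k_alice"]},
    {"inputs": ["Y1"], "outputs": ["Z1", "Z2"], "kernels": ["k_bob"]},
    {"inputs": ["Z1"], "outputs": ["W1"],       "kernels": ["k_carol"]},
]

def double_spends(txs):
    """Commitments referenced as an input by more than one transaction."""
    seen, dup = set(), set()
    for tx in txs:
        for c in tx["inputs"]:
            (dup if c in seen else seen).add(c)
    return dup

def cut_through(txs):
    """Merge the batch and drop every output that is also spent within it.
    Kernels are never removed: each carries the excess and signature that
    let the merged transaction validate without the removed outputs."""
    dup = double_spends(txs)
    if dup:                                   # a node rejects conflicting spends
        raise ValueError(f"spent twice within the batch: {sorted(dup)}")
    inputs, outputs, kernels = [], [], []
    for tx in txs:
        inputs += tx["inputs"]
        outputs += tx["outputs"]
        kernels += tx["kernels"]
    if len(set(outputs)) != len(outputs):
        raise ValueError("duplicate output commitment in the batch")
    internal = set(inputs) & set(outputs)     # created AND spent inside the batch
    return {
        "inputs":  [c for c in inputs if c not in internal],
        "outputs": [c for c in outputs if c not in internal],
        "kernels": kernels,
        "removed": sorted(internal),
    }

if __name__ == "__main__":
    # Y1 and Z1 never reach the chain: an observer sees one transaction with
    # input X, outputs Y2, Z2, W1 and three kernels.
    print(cut_through(SAMPLE_TXS))
```

The kernel count is what keeps the merged result honest: three kernels for one apparent transaction tells a node that three separate excesses were signed, but not which removed outputs joined them.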

In the previous sections, we've identified multiple sources of information that a blockchain is typically involved with: transferred amounts and ownership (hidden by Confidential Transactions), the IP address of origin (obscured by Dandelion relay) and the lasting record of spent outputs (reduced by cut-through). These are where Grin shines. The two remaining sources, the linking between inputs and outputs and the existence of transactions themselves, will require improvements and are covered next.

Inputs and Outputs Linking

Transaction aggregation provides benefits, and the absence of useful information in either inputs or outputs complicates analysis drastically. However, there are techniques that can exploit linking between inputs and outputs to erode privacy guarantees. Practically, they all need to rely on having participated in a transaction "close to" the ones that need to be analyzed in order to gain additional information. By sending "tainted" outputs and following them as they move through multiple transactions, information can still leak, as these outputs can be followed after one hop, or statistically over multiple hops.

This is an area where more improvements from the Grin team can be expected in the future, after mainnet is released.

Transaction Existence

Grin is likely one of the blockchains that, over time, offers the best "right to be forgotten" guarantee. However, improvements are possible, particularly in redefining what exactly a transaction is and further blurring the line between a grouped set of inputs and outputs and an overall state change.

Privacy is complex and information leakage is surprisingly easy. Privacy-preserving systems need to be extremely strong to ensure reasonable amounts of protection. Unfortunately, they often fail in practice simply because they are cumbersome to use, causing people to revert to convenience.

Beyond all the privacy preserving mechanisms and future improvements outlined in this document, Grin is committed to long term privacy protection. As such, we will continue pushing research and development so Grin remains the state of the art for practical and usable cryptocurrency privacy.
