A recent article entitled “Breaking MimbleWimble’s privacy model” published by Ivan Bogatyy has been causing a stir as the author claims of a “new attack” that ‘traces 96% of all (MimbleWimble) sender and recipient addresses in real time’. The attack costs $60/week of AWS (Amazon Web Services) something that leads Bogatyy to conculde that:
“Mimblewimble’s privacy is fundamentally flawed.” (and) “should no longer be considered a viable alternative to Zcash or Monero when it comes to privacy.”
The problem is that no MimbleWimble (MW) developer has ever claimed the protocol was private or that it was on par with an asset such as Monero in this regard, as such Bogatyy’s article engages in a false equivalence fallacy. The concerns raised were already known to those working on the project. David Burkett, a member of the Grin++ team who is helping lead the Litecoin MW implementation, weighed in via twitter, to address the situation:
“Really awesome write-up, but none of this is “news”. I’m actually surprised only 96% was traceable. There are a number of ways to help break linkability in Grin, but none are implemented and released yet. As I always say, don’t use Grin if you require privacy — it’s not there yet.”
A counter article from Daniel Lehnberg, a Grin developer, was later published to provide further clarification and dispel the factual inaccuracies and sensationalised claims:
“This is not new to anyone on the Grin team or anyone who has studied the Mimblewimble protocol. Grin acknowledged the ability to link outputs on chain in a Privacy Primer published on its public wiki in November 2018, before mainnet was launched. This problem encompasses Ian Mier’s “Flashlight attack”, which we have listed as one of our Open Research Problems.” “TL;DR: Mimblewimble privacy is not “fundamentally flawed”. The described “attack” on Mimblewimble/Grin is a misunderstanding of a known limitation. While the article provides some interesting numbers on network analysis, the results presented do not actually constitute an attack, nor do they back up the sensationalized claims made.”
Litecoin creator Charlie Lee followed in a tweet of his own stating:
“This limitation of MimbleWimble protocol is well known. MW is basically Confidential Transactions with scaling benefits and slight unlinkability. To get much better privacy, you can still use CoinJoin before broadcasting and CJ works really well with MW due to CT and aggregation.”
The main appeal of MW and the reason the Litecoin Core team are looking to implement support for it, has primarily been its ability to provide network fungibility, future scalability and ‘greater’ (not complete) privacy.
Fungibility is derived from the inclusion of confidential transactions (CT) whereby the value sent over the network is hidden yet verifiable. This means when interacting with other people on the network they wont be able to look back and know how much Litecoin you own. Scalability on the other hand comes from the massively pruneable nature of the protocol and the fact that, when paired with extension blocks, the Litecoin network will have a blocksize increase without the need for a contentious hard fork.
MW offers only pseudo-privacy and this is what Bogatyy’s article discusses. By snapshotting transactions before they undergo the coin joining process it is still possible to track network participant interactions. Users can privately coinjoin using a trusted party before broadcasting, however, this introduces a third party who may then later sell that data on, so it’s far from an ideal solution.
Coinjoins combined with confidential transactions however, does provide an adequate level of privacy over the current situation. The average user does not have the time, resources or know how to setup such a tracking system. This does not mean privacy is not to be pursued, for one, MW doesn't actually use addresses, instead value is transferred by adding one-time outputs to a transaction. In turn providing greater privacy as it becomes impossible to re-use addresses.
One good take away is that it is unlikely incumbent exchanges will delist Litecoin due to regulatory issue people have raised and hopefully more people will begin to understand the nature of MW. Full fungability is still a goal to aim for going forward and is somthing Lee awknowledges stating:
“There’s a lot of work to be done. Privacy and fungability will be an ongoing battle.”