Response to "Breaking Mimblewimble privacy model" article

Chris Dev

//
November 19, 2019

Yesterday, right around the time MWC announced our listing on Hotbit, a researcher posted the following medium article:

https://medium.com/dragonfly-research/breaking-mimblewimble-privacy-model-84bcd67bfe52

In the article he claims to have broken Mimblewimble's privacy model and presents what he did to break it. I responded in Telegram/Discord and in an interview with Andy Hoffman, but wanted to write up a quick summary on this.

First of all, the grin developers had a great detailed explanation of a number of issues and questions about this researcher's methods:

https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9

But beyond those questions, the main issue I have with the article is that this researcher is presenting information that has been well known and understood as if it is something new. Since grin (and all the Mimblewimble based coins including MWC) are not yet used very much, there are very few transactions per block, and many cases either 1 or 0 transactions per block. Thus, given its current low usage, linking sender to recipient is relatively easy. As one grin developer noted, it's surprising that he couldn't link 100% of transactions at this point. As more transactions are made on these networks, it will be harder and harder to link though. At scale, as with Bitcoin's ~ 2000 transactions per block linking will be much more difficult.

Even though there are a lot of things that could be done to improve the linkability in Mimblewimble based coins, one reason we have stated Mimblewimble is not a prviacy coin (as we did in our last article): https://www.mwc.mw/mimble-wimble-coin-articles/part-1-of-4-mimblewimble-mwc-scalability is because it will probably never compete with Monero on privacy. While Monero transactions are very hard to link to one another, it comes at an expense. Monero is around 10X less scalable than a Mimblewimble based blockchain and so it will likely always be relegated to a very specific use case.

And while the cost of making those EXTREMELY private transactions in Monero will be high, we think Mimblewimble, being less linkable than Bitcoin, still having no amounts that are publicly known as the author of the medium post acknowledged, and being more scalable than traditional blockchains has a lot of value.