This is part 2 of the 4 part series on MWC and Mimblewimble on privacy.
Today's topic is privacy. Thus far, Mimblewimble has, in essence, been typecast into the role of "privacy coin". We made the point in the last article that Mimblewimble should not be thought of as a privacy coin, or at least not solely as that. We see Mimblewimble as more of an overall upgrade to the blockchain and an inevitable future direction for blockchains to move in, in particular if they are trying to improve the use case of money. It's truly a quantum leap in terms of technology and that is why we started the series with the article on scalability, which as we have seen, has massive implications to the price of transactions, which consequently is the most important factor consumers use to choose between competitors. In this article, we cover privacy.
Mimblewimble has very formidable privacy attributes. In short, they are that all amounts are encrypted and only known to the parties involved in a transaction (and only to the extent of the size of the transaction taking place) and there are no addresses to track the flow of the cryptocurrency. Transactions only involve inputs and outputs that appear random except to the parties of a transaction. In this article we will discuss how the privacy works and how it compares to other privacy blockchain protocols. One important factor to weigh is not only how the privacy characteristics behave in the current nacent state of privacy coins that are used today, but also how will they behave at scale, as in with the same volume or greater than Bitcoin has today. While there are many privacy coins, we will focus this article on Zcash and Monero and we will also compare to currently available privacy techniques used in Bitcoin today.
Privacy in Mimblewimble has two main aspects: 1.) There are no addresses, 2.) All amounts are encrypted. To briefly understand how privacy works in Mimblewimble, each block has a set of inputs and a set of outputs. Each transaction includes 1 or more inputs and one or more outputs. At the block level, there is no way to link inputs and outputs to a particular transactions. You can think of each block as a large CoinJoin (described later) where there is no way to correlate where funds are coming from or where they are going. Amounts are also unknown. Basically, at scale, a block would just look like a bunch of gibberish to anyone trying to analyze it. Now, we will compare Mimblewimble to several other crytpocurrencies. There was recent medium post where a researcher showed a method to link transactions in Grin, but as we responded, grin is used very infrequently right now and at scale linking would be more difficult. In addition, even though the headline of the paper was "Breaking Mimblewimble", the researcher did mention ways around these limitations, one of which (Coinshuffle) is on our roadmap. The researcher also conceded that the amounts of transactions are unknown and that's a very important aspect.
First, let's discuss Zcash. This same analysis can apply to a number of other coins that based on the Zcash code base. This would include ZClassic and ZenCash as well. All of these coins use an encryption technology known as ZK-SNARKS (or Zero-Knowledge Succinct Non-Interactive Argument of Knowledge). The first thing to note about this class of coins is that they use a different set of cryptographic functions than Bitcoin, while Mimblewimble uses the same ECDSA cryptographic functions and BulletProofs which uses the same logarithmic cryptographic assumption that Bitcoin uses. Bottom line is that Mimblewimble uses cryptography that's a lot closer to Bitcoin than the Zcash family. ZK-SNARKS also require what's known as a "trusted setup". That means the developers of Zcash along with some outside volunteers were required to destroy certain random numbers they used in the setup. If the developers did not properly do this, they might be able to compromise the system for instance by creating unlimted zcash coins for themselves silently. Mimblewimble has no trusted setup. In addition, in Zcash, privacy is only optional and thus far, almost no users are using the privacy features. Since very few users are using it the size of what's known as the "anonymity set" is very small. This is generally the problem with what we call "opt-in privacy". Very few users will use it and those that do stick out like a soar thumb. This is why in cryptography, generally mandatory privacy, as is the case with Mimblewimble, is preferred in cryptographic systems.
Next Monero. Monero is a very good privacy coin. It uses a technology known as Ring-CT (or Ring Confidential Transactions). The ring refers to the ring signatures that are used as part of the transactions. One of the best parts of Monero is that it has an anonymity set that crosses different blocks. That means that if I get coins in block a, and anyone in my ring set spends coins in block b, the network doesn't know if it's me spending them or another user. This provides good privacy even if there are few transactions per block. In Mimblewimble, the anonymity set includes all transactions in a block only. There is no possibility of future decoy transactions in another block. Some would argue this makes Monero more private than Mimblewimble, but given large scale use (like the volume in Bitcoin blocks for instance) the anonymity set of Mimblewimble may be sufficient to offer the same level of anonymity set in Monero or at least close enough. Even at lower volumes it's a massive improvement over the legacy blockchains. The main benefit of Mimblewimble over Monero though is its scalability. It is roughly 10 times more scalable than Monero which was covered in the last article.
Finally, we cover privacy techniques currently available in Bitcoin. The main technique used in Bitcoin today is a technique known as CoinJoin. A CoinJoin occurs when multiple users work together to create a single transaction that includes the inputs and outputs of all the parties to the transactions. You can picture this is an organized way for a group of people to each put a $10 bill into a hat, mix the bills around and have each of the participants pull out a different $10 bill. That way no one knows whose bill is whose. This technique has certain drawbacks. The biggest one being that the users of a CoinJoin system are dependent on there being other people who want to join at any given time. If no one else wants or needs to do a CoinJoin and has the same available funds that you have it doesn't happen. This is particularly problematic if you have large amounts of coins that you want to mix. That's why CoinJoin will never be a solution to things like the whale alerts (alerts of large Bitcoin movements) that we see frequently on twitter. In addition, you must trust that the other parties to your Coinjoin are not trying to deanonymize you. For instance, I may show up to do a Coinjoin and there may be other participants that want to join with me, but what if those participants are actually malicious users trying to track all CoinJoin transactions? Also, if at any point later one of the users who was part of the CoinJoin does something to mess up his anonymity (like move all of his coins to a single address), that part of the anonymity set is lost.
So, in summary Mimblewimble offers very formidable privacy. And while this may not be quite as strong as Monero (and the other coins in the crypto note family), Monero suffers from scaling issues and that's one of the areas that Mimblewimble excels at. This may be the reason that the Monero developers are working Mimblewimble sidechain: https://twitter.com/fluffypony/status/1084524086741602304?lang=en to Monero.
Regarding the bigger picture at this point, we've discussed the two key features that will make transactions on MWC dramatically cheaper and dramatically more private than legacy blockchains. The next article in the series will cover fungibility, which is really an extension of the privacy offered by Mimblewimble.