Addressing Claims of Breaking Mimblewimble's Privacy Model
Yesterday, right around the time MWC announced our listing on Hotbit, a researcher posted the following Medium article:
Breaking Mimblewimble's Privacy Model
In the article, he claims to have broken Mimblewimble's privacy model and describes the method he used. I responded in Telegram/Discord and in an interview with Andy Hoffman, but wanted to write up a quick summary here.
Grin Developers' Response
First of all, the Grin developers published a detailed response covering a number of issues and questions about this researcher's methods:
Factual Inaccuracies of Breaking Mimblewimble's Privacy Model
Issues with the Article's Claims
Beyond those questions, the main issue I have with the article is that it presents something already well known and understood as if it were new. Since Grin (and every Mimblewimble-based coin, MWC included) is not yet used very much, blocks carry very few transactions, and in many cases one or zero. A block with a single transaction leaves nothing to disentangle: every input and every non-coinbase output in that block belongs to that one transaction, so at the current low usage linking sender to recipient is trivial. As one Grin developer noted, the surprising part is that he could not link 100% of transactions at this point. As more transactions are made on these networks, inputs and outputs from different transactions share a block, and linking becomes progressively harder. At the scale of Bitcoin's roughly 2,000 transactions per block, linking will be much more difficult.
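To make that point concrete, here is a small model of the on-chain view, added for this write-up and not code from MWC, Grin or the Medium article. It assumes the standard Mimblewimble block structure: the block carries the union of all transactions' inputs, the union of their outputs and one kernel per transaction, with no record of which inputs and outputs belong together. Because amounts are hidden, any split that gives each kernel at least one input and one output is consistent with what an observer of the chain sees, so the number of such splits measures how ambiguous the sender-to-recipient link is. Commitments are stood in for by opaque strings (constructed sample data), the coinbase output is ignored, and the model says nothing about what can be learned by watching the peer-to-peer network.

```python
"""Toy model of why Mimblewimble linkability depends on transactions per block.

Added example, not MWC or Grin code.  Assumptions: one kernel per
transaction, no coinbase output, and an observer who sees only the mined
block (inputs, outputs, kernel count), never the network traffic.
"""
from dataclasses import dataclass
from functools import lru_cache
from math import factorial


@dataclass
class Transaction:
    inputs: list    # spent commitments (opaque strings here)
    outputs: list   # new commitments


@dataclass
class Block:
    inputs: list
    outputs: list
    kernels: int    # one per aggregated transaction


def aggregate(txs):
    """Build what the chain records: sorted inputs, sorted outputs, kernel count.

    The per-transaction grouping is thrown away, which is the whole point.
    """
    inputs = sorted(i for tx in txs for i in tx.inputs)
    outputs = sorted(o for tx in txs for o in tx.outputs)
    return Block(inputs, outputs, len(txs))


@lru_cache(maxsize=None)
def stirling2(n, k):
    """Ways to partition n labelled items into k non-empty unlabelled groups."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def candidate_groupings(block):
    """Distinct ways an observer could split the block back into transactions.

    Partition the inputs into k groups, the outputs into k groups, then pair
    input groups with output groups (k! bijections).  With k == 1 there is
    exactly one grouping, i.e. the link is certain.
    """
    k = block.kernels
    if k == 0:
        return 0
    return (stirling2(len(block.inputs), k)
            * stirling2(len(block.outputs), k)
            * factorial(k))


def fully_linkable(block):
    """True when sender and recipient can be paired with certainty."""
    return candidate_groupings(block) == 1


def linkable_fraction(blocks):
    """Share of blocks in a chain whose transactions are fully linkable."""
    if not blocks:
        return 0.0
    return sum(1 for b in blocks if fully_linkable(b)) / len(blocks)


if __name__ == "__main__":
    # Constructed sample: a chain where most blocks hold one transaction.
    lone = aggregate([Transaction(["c1"], ["c2", "c3"])])
    busy = aggregate([
        Transaction([f"i{j}a", f"i{j}b"], [f"o{j}a", f"o{j}b"]) for j in range(3)
    ])
    print("1 tx/block  groupings:", candidate_groupings(lone))
    print("3 tx/block  groupings:", candidate_groupings(busy))
    print("linkable share of chain:", linkable_fraction([lone, lone, busy]))
```

The count is an upper bound on the observer's uncertainty: kernel fees, timing and anything seen on the network prune candidates in practice. It still shows the shape of the argument, since a block with one kernel always yields exactly one grouping, while three small transactions in one block already give tens of thousands of consistent splits.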
Mimblewimble's Privacy vs. Scalability
Even though there is a lot that could be done to reduce linkability in Mimblewimble-based coins, one reason we have said Mimblewimble is not a privacy coin (as we did in our last article, Mimblewimble Scalability) is that it will probably never compete with Monero on privacy. Monero transactions are very hard to link to one another, but that comes at a cost: Monero is roughly 10X less scalable than a Mimblewimble-based blockchain, so it will likely always be relegated to a very specific use case.
The Value of Mimblewimble
While making those extremely private transactions in Monero will remain costly, we think Mimblewimble has a lot of value: it is less linkable than Bitcoin, it keeps amounts hidden (as the author of the Medium post acknowledged), and it is more scalable than traditional blockchains.