Mimblewimble privacy broken: A super simple explainer
Get a simple explanation of how Grin's Mimblewimble privacy does, and doesn't, work.
Mimblewimble is the name of a cryptocurrency privacy protocol, named after the tongue-tying spell from Harry Potter. It combines many individual privacy techniques in an effort to create a system for completely private cryptocurrency transactions, and there are several cryptocurrencies that now use Mimblewimble. The most prominent are Grin and Beam.
Now, researchers have said they can link 96% of Mimblewimble transactions for as little as $60 a week.
Mimblewimble privacy in simple
The first thing to understand is that in cryptocurrency, privacy means you can't see the origin or the destination of a transaction. This is because the trail, and the ability to "follow the money", is what makes it possible to identify cryptocurrency users.
For example, if you want to see whether someone's buying illicit pro-democracy propaganda (or drugs) on the Internet, you can start by looking at the drug dealer's wallet address, which is public, and then following incoming transactions until you find a wallet address that can be tied to a real-world identity, such as a wallet from a cryptocurrency exchange that requires user verification.
So, when someone says a cryptocurrency is "anonymous" or "private", what they really mean is that it hides the transaction trail and prevents observers from linking the senders and receivers in transactions.
The way Mimblewimble does this is essentially by bundling transactions. So when someone tries to follow the money, all they see is that a lot of people sent money to a bundle and that a lot of people got money out of that bundle.
You know who sent money to a bundle, and you know who got money out of a bundle, but you can't prove that one specific wallet sent money to another specific wallet.
To prevent people from building a trail based on transaction volumes (e.g. this sender put 0.75 coins into the bundle and that receiver got 0.75 coins out of the bundle), Mimblewimble also encrypts transaction volumes.
In theory, this combination should provide a strong level of privacy. In practice, there are some relatively easy ways for observers to get around it.
Mimblewimble's vulnerability in simple
Researchers have found that they can bust Mimblewimble's privacy system with one simple trick. It essentially involves catching transactions before they even reach the bundle by keeping a close eye on the entire network.
This is possible because Mimblewimble needs to wait until it has enough transactions to make a sufficiently large bundle and because transactions can't cross the blockchain instantly.
Picture each user as a hole on a pegboard. When someone sends a transaction, it comes out of a hole. For the blockchain to work, all the other holes need to be able to see and verify all the transactions that are flying around.
In the case of Bitcoin, each transaction is directly broadcast to all the other holes as it's made, so everyone can see where it comes from.
But in the case of Mimblewimble, the transactions fly up into the sky and form a bundle before they're broadcast, so you can't tell where each transaction originated. To defeat this, researchers simply set up "sniffer nodes" that specifically spot transactions as soon as they emerge from the holes, instead of waiting for them to be bundled and broadcast.
But this alone isn't enough because, for an extra measure of security, Mimblewimble also uses the "dandelion protocol". With the dandelion protocol, transactions burrow between holes before being fired off to the big bundle in the sky. This defeats efforts to track transactions as soon as they emerge.
However, a sufficiently comprehensive system of sniffer nodes can also track the way transactions burrow between holes.
This is because, with the dandelion protocol, transactions pass through multiple holes before emerging. If you're watching all the holes, you can see the transactions as they pass through each one and deduce their starting point based on that.
The catch is that you need to have enough sniffer nodes to make sure you're watching all of the holes for burrowing transactions. As such, the real question isn't how private Mimblewimble is. It's how much it costs to maintain a sufficiently comprehensive network of sniffer nodes.
And the answer is, it's pretty cheap. The researchers found that for only $60 per week of cloud hosting services, they could catch and identify the original source of 96% of Grin (a Mimblewimble cryptocurrency with an ~$32 million market cap) transactions, effectively de-anonymising it.
Why only 96%?
There are some transactions that will evade detection under this sniffer node surveillance system. Specifically, transactions that run into each other while burrowing in their dandelion phase will get bundled up and then launched to the main bundle together.
So, if they encounter each other and get bundled before a sniffer node spots them, an observer can't see the original source of the transaction. That's what happened to the 4% of transactions that evaded detection in this study.
There's no reason, other than cost, that someone can't set up a more comprehensive set of sniffer nodes to catch more transactions.
Can it be fixed?
By itself, Mimblewimble cannot confer a high level of privacy, and some of the cryptocurrencies that use it in its current form have no clear way forwards.
"Grin, as currently envisaged, has no clear path to unlinkability," they say. "It's clear that Mimblewimble on its own is not strong enough to confer robust privacy."
On the bright side, certain elements of the Mimblewimble privacy protocol remain useful, they say. For example, its system for encrypting transaction volumes could be applied elsewhere.
This mix and match approach is par for the course for cryptocurrency privacy schemes. Mimblewimble began life as an assembly of several different privacy elements originally proposed for Bitcoin. Even if Mimblewimble doesn't go all the way, certain parts of it might live on in future projects.
Counter-intuitively, Grin and Beam prices haven't really responded too strongly to this development. But that's also par for the course. Monero isn't really private either, but the markets don't seem to mind.
Going forwards, it's reasonable to assume that this issue will never be fixed and that it will never have any discernible impact on Grin prices, as it's being used purely for speculation rather than anonymity.
In some ways, this is perfect. Collectively, we've always been happy to ignore the erosion of digital privacy in favour of profit or convenience. This appears to be no exception.
Disclosure: The author holds BNB and BTC at the time of writing.