TL;DR: Mimblewimble’s privacy is fundamentally flawed. Using only $60/week of AWS spend, I was able to uncover the exact addresses of senders and recipients for 96% Grin transactions in real time.
The problem is inherent to Mimblewimble, and I don’t believe there’s a way to fix it. This means Mimblewimble should no longer be considered a viable alternative to Zcash or Monero when it comes to privacy.
In the last two years, Mimblewimble has grown in popularity as an up-and-coming, lightweight privacy protocol. Mimblewimble was invented in 2016 by a pseudonymous hacker known as Tom Elvis Jedusor, who dropped a text description of the protocol into an IRC chat and then disappeared. Since then, Mimblewimble was most famously implemented in the “fair launched” privacy coin Grin, the VC-backed projects Tari and BEAM, and is even being considered for integration into Litecoin.
Several researchers have hypothesized a possible privacy weakness in Mimblewimble. My contribution is to demonstrate the precise way to perform an attack, prove its viability on a live network, and measure its efficacy. In live testing on Grin, I was able to unmask the flow of transactions with a 96% success rate. Therefore, it’s now clear that Mimblewimble should not be relied upon for robust privacy.
Here is a more technical deep-dive into this attack, complete with open-source code to reproduce it, data collected, and a technical FAQ. What follows in this article will be a high-level, intuitive explanation of linkability, how the attack works, and what it means for privacy tech.What is linkability?
It’s important to understand what this attack means and what it doesn’t mean.
This attack does not let us determine the amounts that people are getting paid. Mimblewimble successfully obfuscates payment amounts using vanilla elliptic curve cryptography (Pedersen commitments). What this attack does let us do is determine who paid who. In other words, it le...