Litecoin

The Litecoin MimbleWimble proposal is about fungibility, not privacy.

A recent article titled “Breaking MimbleWimble’s Privacy Model” published by Ivan Bogatyy made a splash as the author claimed a “new attack” that would ‘track 96% of all (MimbleWimble) sender and recipient addresses in real time’. Since the attack cost $60 per week in Amazon Web Services (AWS) fees, Bogatyy concluded:

“Mimblewimble’s privacy protections are fundamentally flawed.” (and) “It should no longer be considered a viable alternative to Zcash or Monero when it comes to privacy.”

The problem is that none of the MimbleWimble (MW) developers have ever claimed that this protocol is private or, in this respect, equivalent to assets like Monero. Bogatyy’s article engages in a false equivalence fallacy. The concerns raised were already known to those involved in the project. David Burkett, a member of the Grin++ team who is helping lead the Litecoin MW implementation, addressed the situation via Twitter:

“This is a really cool article, but none of this is “news.” I was surprised to learn that only 96% were actually traceable. There are several methods to help you disconnect from Grin, but none of them have been implemented or released yet. As I always say, if you need privacy, don’t use Grin. Grin is not yet available.”

A counter-article by Grin developer Daniel Lehnberg was later published to provide further clarification and dispel factual inaccuracies and sensational claims.

“This is nothing new to anyone on the Grin team or anyone who has studied the Mimblewimble protocol. Grin acknowledged the ability to link the chain’s output in a Privacy Primer published on a public wiki in November 2018, before the mainnet was launched. This problem includes Ian Miers’ “Flashlight Attack”, which we list as one of our open research problems. Summary: Mimblewimble’s privacy protections are not “fundamentally flawed.” The “attack” described for Mimblewimble/Grin is a misunderstanding of a known limitation. The article provides some interesting numbers on network analysis, but the results presented do not actually constitute an attack and do not support the sensational claims.”

Litecoin founder Charlie Lee followed suit with his own tweet:

“These limitations of the MimbleWimble protocol are well known. MW is essentially a confidential transaction with scalability benefits and some disconnection capabilities. You can use CoinJoin before broadcast for much better privacy, and CJ works really well with MW due to CT and aggregation.”

The main appeal of MW, and the reason the Litecoin Core team wanted to implement support for it, was primarily its ability to provide network fungibility, future scalability, and ‘greater’ (not complete) privacy.

Fungibility is derived from the inclusion of Confidential Transactions (CTs), where the value transferred over the network is hidden but verifiable. This means that when you interact with other people on the network, they won’t be able to look back and know how much Litecoin you own. Scalability, on the other hand, comes from the massively prunable nature of the protocol and the fact that, when combined with extension blocks, the Litecoin network increases block size without the need for a controversial hard fork.
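The “hidden but verifiable” property can be shown with Pedersen commitments. The sketch below is an added example, not code from Litecoin or Grin: it assumes a toy multiplicative group in place of the elliptic curve real implementations use, omits range proofs and fees, and every name and parameter in it is hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): order-Q subgroup of Z_P*, P = 2Q + 1.
# Real MimbleWimble uses an elliptic curve; numbers this small hide nothing.
P, Q = 2039, 1019
G, H = 4, 9  # value generator and blinding generator (both squares, so order Q)

def commit(value, blind):
    """Pedersen commitment G^value * H^blind mod P."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P

def _challenge(excess, nonce_pt):
    digest = hashlib.sha256(f"{excess}:{nonce_pt}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def build_tx(inputs, outputs):
    """inputs/outputs are lists of (value, blind); only public data is returned."""
    k = (sum(b for _, b in outputs) - sum(b for _, b in inputs)) % Q
    excess = pow(H, k, P)  # commitment to a value of zero
    nonce = secrets.randbelow(Q - 1) + 1
    nonce_pt = pow(H, nonce, P)
    s = (nonce + _challenge(excess, nonce_pt) * k) % Q  # Schnorr proof of k
    return {"in": [commit(v, b) for v, b in inputs],
            "out": [commit(v, b) for v, b in outputs],
            "excess": excess, "sig": (nonce_pt, s)}

def verify_tx(tx):
    """Accept only if outputs / inputs == excess and excess is a proven power of H."""
    lhs = 1
    for c in tx["out"]:
        lhs = lhs * c % P
    for c in tx["in"]:
        lhs = lhs * pow(c, -1, P) % P  # modular inverse, Python 3.8+
    nonce_pt, s = tx["sig"]
    e = _challenge(tx["excess"], nonce_pt)
    sig_ok = pow(H, s, P) == nonce_pt * pow(tx["excess"], e, P) % P
    return lhs == tx["excess"] and sig_ok

if __name__ == "__main__":
    # Constructed sample: one 50-coin input spent into outputs of 30 and 20.
    honest = build_tx([(50, 111)], [(30, 222), (20, 333)])
    print("public view:", honest["in"], honest["out"], verify_tx(honest))
    # Same input, but the outputs add up to 55: the balance check fails.
    print("inflated:", verify_tx(build_tx([(50, 111)], [(30, 222), (25, 333)])))
```

The verifier never sees an amount, only commitments, yet a transaction that creates coins is rejected because the leftover value term cannot be cancelled by the blinding excess.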

MW provides only limited privacy protection, and this is what Bogatyy’s article discusses. It is possible to track network participant interactions by taking snapshots of transactions before they go through the CoinJoin process. Users can CoinJoin privately through a trusted party before broadcasting, but this is far from an ideal solution as it introduces third parties who may later sell that data.

However, CoinJoin combined with confidential transactions provides an appropriate level of privacy for the current situation. The average user doesn’t have the time, resources, or know-how to set up such a tracking system. This does not mean that privacy is not sought. MW does not actually use addresses, but instead transfers value by adding a one-time output to the transaction. As a result, reusing addresses becomes impossible, providing greater privacy.

One good thing is that existing exchanges are unlikely to delist Litecoin over the regulatory concerns people have raised, and hopefully more people will start to understand the essence of MW. Full fungibility is still a goal moving forward, something Lee admits:

“There is a lot of work to be done. Privacy and fungibility will be an ongoing battle.”
