[Cryptography] cryptography Digest, Vol 93, Issue 1

John Tromp john.tromp at gmail.com
Sun Jan 3 13:21:04 EST 2021


> Wasn't Mimblewimble’s privacy model totally broken?
>
> https://medium.com/dragonfly-research/breaking-mimblewimble-privacy-model-84bcd67bfe52

No; it just confirms what is shown in
https://forum.grin.mw/t/scalability-vs-privacy-chart

It shows that MW, while it hides amounts and addresses, leaves the
input-output links of transactions exposed in the mempool of nodes on
the network.

So the author discovered that some transaction had

208a6035b28c98edc...d1d4842cfd5df622
3430826d8a383a798d3...c5c7272163bfac31

as input utxos and

082546fc926e4563...63ae6ae0522e3166
080a2e01ab56b28d...e64b513847e9cfe1

as output utxos. These are random curve points, i.e. of the form
random_blinding_factor * G + value * H.
He has no idea where this transaction originated from, what wallets
own these utxos, or who the transacting parties are. He just knows
inputs spent and outputs created, as random curve points.

Yet he manages to totally misrepresent this by claiming:

"I was able to uncover the exact addresses of senders and recipients"
"What this attack does let us do is determine who paid who."

Of course he later explains that you need lots of additional
information to make use of these input-output links. Such as exchanges
knowing the identities of anyone who makes a deposit.
If "an authoritarian government knows that the same person sent a
dissident a small donation", then that person is in trouble.
Yeah, no kidding. That doesn't make MW "completely broken".

Ian Miers can provide similar contrived examples showing that Monero
is not private either.

regards,
-John
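
Below, as an added illustration that is not part of John's post or of the Grin project's code, is a toy Python model of the commitments he describes: a two-in, two-out transaction whose inputs and outputs are Pedersen commitments blind*G + value*H on secp256k1. The affine curve arithmetic and the hash-to-curve derivation of H are assumptions of this sketch (Grin derives its H differently); it shows that a node or mempool observer sees only the commitments and their input-output links, and that checking the transaction balances needs no amounts at all.

```python
import hashlib

# secp256k1, the curve Mimblewimble/Grin commitments live on
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def second_generator():
    # Assumed construction of H: hash G.x to an x-coordinate and step until it
    # lies on the curve, so that nobody knows log_G(H) (what makes commitments binding).
    x = int.from_bytes(hashlib.sha256(G[0].to_bytes(32, "big")).digest(), "big") % P
    while True:
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)          # square root works since P % 4 == 3
        if y * y % P == rhs: return (x, y)
        x = (x + 1) % P
H = second_generator()

def commit(value, blind):  # Pedersen commitment: blind*G + value*H
    return add(mul(blind % N, G), mul(value, H))

def balances(inputs, outputs, excess):
    # All a verifier (or mempool observer) has is these points, yet it can check
    # sum(outputs) - sum(inputs) == excess*G, i.e. that no value was created.
    acc = None
    for c in outputs: acc = add(acc, c)
    for c in inputs: acc = add(acc, (c[0], -c[1] % P))
    return acc == mul(excess % N, G)

def two_in_two_out(in_vals, in_blinds, out_vals, out_blinds):
    # Constructed transaction shaped like the one in the post: returns what a node
    # sees (input/output commitments and kernel excess) with every amount hidden.
    inputs = [commit(v, b) for v, b in zip(in_vals, in_blinds)]
    outputs = [commit(v, b) for v, b in zip(out_vals, out_blinds)]
    return inputs, outputs, (sum(out_blinds) - sum(in_blinds)) % N
```

Requires Python 3.8+ for the modular inverse via pow(x, -1, P).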

