MimbleWimble
Attacks
Ivan's Linkability attack against Grin
Ivan Bogatyy
The attack leverages one-kernel transactions (i.e., transactions not merged with any others, so their inputs are linked to their outputs)
Possible in Grin, especially because there are not enough transactions now
Beam: Decoy (aka Dummy) UTXOs
At every step of the Dandelion Stem Phase, Beam nodes check whether the merged transactions (might be only one transaction) have at least 5 outputs.
If not, decoy outputs are added to the merged transactions, making sure that the number of outputs is at least 5.
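Added example (not Beam's code and not part of the original notes): a toy Python model of the stem-phase rule above, showing that merged transactions keep one kernel each and that padding with zero-value decoys still satisfies the balance equation. Assumptions: a multiplicative group mod a prime stands in for the curve, the names (commit, make_tx, stem_relay, Tx.offset) are hypothetical, and folding decoy blinding factors into an offset term is this sketch's choice, not something the notes state.

```python
import secrets
from dataclasses import dataclass

# Toy group standing in for the curve: commit(v, r) = G^r * H^v mod P.
# Constructed parameters for illustration only; not secure.
P, G, H = 2**127 - 1, 3, 5
MIN_OUTPUTS = 5  # stem-phase threshold from the notes above

def commit(value, blind):
    return pow(G, blind % (P - 1), P) * pow(H, value, P) % P

@dataclass
class Tx:
    inputs: list
    outputs: list
    kernels: list    # one excess G^(sum r_out - sum r_in) per original tx
    offset: int = 0  # assumption: blinding of decoys is folded in here

def make_tx(ins, outs):
    """Build a balanced one-kernel tx from (value, blind) pairs."""
    assert sum(v for v, _ in ins) == sum(v for v, _ in outs)
    excess = sum(r for _, r in outs) - sum(r for _, r in ins)
    return Tx([commit(v, r) for v, r in ins],
              [commit(v, r) for v, r in outs], [commit(0, excess)])

def balances(tx):
    """Check prod(outputs) / prod(inputs) == prod(kernels) * G^offset."""
    lhs, rhs = 1, pow(G, tx.offset, P)
    for c in tx.outputs:
        lhs = lhs * c % P
    for c in tx.inputs:
        lhs = lhs * pow(c, -1, P) % P
    for k in tx.kernels:
        rhs = rhs * k % P
    return lhs == rhs

def stem_relay(txs):
    """Merge txs, then pad with zero-value decoys up to MIN_OUTPUTS."""
    tx = Tx([c for t in txs for c in t.inputs],
            [c for t in txs for c in t.outputs],
            [k for t in txs for k in t.kernels],
            sum(t.offset for t in txs) % (P - 1))
    while len(tx.outputs) < MIN_OUTPUTS:
        r = secrets.randbelow(P - 1)
        tx.outputs.append(commit(0, r))
        tx.offset = (tx.offset + r) % (P - 1)
    tx.outputs.sort()  # sorted so decoys do not stand out by position
    return tx
```

In this model a transaction relayed alone still carries a single kernel after padding; only merging with other transactions raises the kernel count.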
Auditability
BEAM
Wallet audit
Extensions
Karl Wüst, Kari Kostiainen (ETH Zurich), Vedran Capkun (HEC Paris), and Srdjan Capkun
FC'19
Commitment-based Mimblewimble transactions
Regulation scheme: Receiving limit w/ ZKP
Limit the total amount of money that any user can receive (spend) anonymously within an epoch.
To exceed the limit, a receiver must reveal his identity to the regulator by encrypting it with the regulator’s public key
Better performance in creating a transaction than Zcash (nrryuya > Light client friendly also?)
Creation of a typical transaction and associated proofs takes > 0.1 seconds
Verification of 1000 transactions per second is possible (4 validators with 25 quad-core servers each)
Applications
Tutorials