Discover more from Tilman’s Newsletter
Why the Mimblewimble Protocol makes other Privacy Coin Protocols obsolete.
When evaluating the different blockchain protocols, it is not just a question of data protection on the one hand, but also of decentralization and scalability on the other. When it comes to the data protection granted by a system, it is necessary to consider what information leaks out through its use. No current blockchain system can hide that a transaction has taken place. Therefore, information such as relative activity can be fairly accurately inferred for all blockchains. Typically, each blockchain records addresses, amounts, linking inputs and outputs, IP addresses, and data embedded in transactions.
Monero, the oldest private and anonymous blockchain, uses the CryptoNote protocol based on Elliptic Curve Cryptography (ECC), a well-understood and proven cryptography. Ring signatures are used in a way where a user can create a transaction and automatically use the output of other similar transactions on the blockchain to form the input for a ring signature transaction, making it unclear which input belongs to the person performing the transaction, up to a maximum "anonymity set" of 11 potential transactors. Combined with confidential transactions, amounts are also hidden and are collectively referred to as Ring Confidential Transactions (RingCT). Another feature of this protocol is the use of stealth addresses, which protects the privacy of the recipient.
RingCT has limitations in terms of practical ring size, as the size of a transaction grows linearly with the ring size. Monero has a blockchain nearly three times the size of Bitcoin Core relative to usage and workload, with dramatically lower usage. This means that the ring size cannot be increased arbitrarily without further decreasing the scalability, which is already limited by the expensive procedure, and thus the anonymity per transaction is limited by the number of inputs in the ring. The real transaction link is still hidden somewhere on the blockchain, and there are methods to limit the range of possibilities, such as the Flashlight, Overseer, and Tainted Dust attacks.
On August 31 2020 CipherTrace announced that it has developed tools for the U.S. Department of Homeland Security (DHS) to track transactions of notoriously difficult-to-trace privacy coin Monero (XMR). CipherTrace exploits among other weaknesses of Monero the so called EABE-attack, that was discussed years before in the Monero community, but was or could never be fixed by the developers.
(If you want to dive deeper into Monero's problems, you can read and watch more about Breaking Monero.)
Pirate Chain uses the ZeroCash protocol, which is based on so-called zk-SNARKs. With high computing power required, this theoretically has the best anonymity since all transaction links between addresses are removed and transaction amounts are hidden. As with Monero, this anonymity is also at the expense of scalability. However, a complicated, trustworthy setup is required, which clearly goes against the spirit of cryptocurrencies not to be dependent on the honesty of a third party. Faulty implementation or leakage of trusted setup parameters can lead to the counterfeiting of coins without the additional coins ever being detected.
Use is made of a relatively new cryptography based on less standard cryptographic assumptions, Knowledge-of-Exponent-Assumption (KEA). A complicated and difficult-to-understand structure of this experimental cryptography has been described as "moon math," meaning that very few people can understand and validate it because of its complexity. Unlike established cryptographic techniques, the security of zk-SNARK is based on variants of KEA for bilinear groups.
In the case of ZCash, which is also based on the ZeroCash protocol, a flaw was active for a period of over two years before it was patched. There is no way to determine if this flaw was exploited before patching. Also, the vulnerability was not discovered by numerous cryptography experts, researchers, third-party auditors, and third-party engineering teams that initiated new projects based on the ZCash code. This shows how complicated and opaque even to specialists the mathematics behind the ZeroCash protocol is and what undiscovered bugs may still occur.
The blockchain size is many times larger compared to Bitcoin for the same usage and workload. The complexity of the computation required to generate a shielded transaction prevents low end hardware from participating, which goes some way to explain the fact that <2% of ZCash transactions are private, with most being fully transparent just like Bitcoin Core.
EPIC Cash uses the Mimblewimble (MW) protocol, based on a simple, lightweight cryptographic construction that, like CryptoNote, relies on the Elliptic Curve Cryptography (ECC). Using Pedersen commitments and Schnorr signatures, MW hides all transaction values and combines all transactions into one large transaction so that it appears in a block as one huge transaction with many inputs and many outputs. Through another feature called "cut-through," the blockchain is cleaned of redundant and unneeded data after each block and compressed. This results in huge savings in storage space and a better scalability.
Compared to the Bitcoin blockchain, a Mimblewimble blockchain has a size of only about 10% for the same usage and workload, which enables application possibilities on cell phones, such as full node wallet and mining, which in turn leads to a significant increase in decentralization.
A frequently mentioned disadvantage (which on the other hand can also be seen as an advantage, since no transactions can be lost to a wrong address) is that an interaction between receiver and sender is required, since public addresses do not exist. But even this problem has already been elegantly solved by David Burkett's one-way transactions in Mimblewimble, which is implemented in Litecoin's Mimblewimble Extension block sidechain and makes interactivity unnecessary.
To prevent network monitoring that can reveal details about how transactions are connected, Dandelion++ (obfuscates the digital paths of a transaction), CoinJoin (transactions are bundled together to obfuscate the relationships between transaction partners), and confidential transactions are used. Additionally, the Tor network, I2P and VPN can provide further operational privacy and security.
While the CryptoNote protocol (Monero) and the Mimblewimble protocol (EPIC Cash) rely on simple, well-understood and proven cryptography, the ZeroCash protocol (Piratechain and ZCash) is based on novel experimental cryptography, which can only be understood and checked for errors by a few and, moreover, still requires a trusted setup. Besides the bloated blockchains of Monero and Piratechain with poor scalability, the blockchain of EPIC Cash has the advantage of being very small, light and highly scalable, which makes it useful for mobile applications. The anonymity of the MW protocol, unlike Monero, ZCash and Piratechain, is a byproduct of the protocol, which does not need to be achieved with additional extensive computing operations, high memory requirements and a diminished scalability.
The supposed disadvantages of the Mimblewimble protocol, such as the need for interaction between the receiver and the sender and the ease of creating a transaction graph with sniffer nodes, have already been successfully solved.
As for any problem, it is true for blockchain protocols that the simplest solution is preferable to all others, if in addition it offers even more advantages such as high scalability and better decentralization. Mimblewimble is the only protocol that achieves privacy with scalability and is the protocol of choice not only when it comes to privacy and anonymity but also because of its far-reaching advantages in scalability and application flexibility, thanks to its small blockchain.
Thanks for reading Tilman’s Newsletter! Subscribe for free to receive new posts and support my work.