In the Harry Potter universe, there’s a handy spell for when you need to stop someone from spilling your secret plans or shit-talking during a duel. It’s called Mimblewimble, otherwise known as the tongue-tying curse. It’s also the name of a privacy technology designed for cryptocurrencies—because, well, somebody’s gotta keep crypto weird.

The first coins to use Mimblewimble—distinct efforts called Grin and Beam—both launched in January. But arguments have since erupted over how private that underlying protocol actually is, after an independent researcher demonstrated an attack he says leaves its privacy model fundamentally crippled. Mimblewimble advocates say there are potential fixes. But Mimblewimble’s limitations—as well as vulnerabilities in Zcash and Monero, detailed in recent weeks—are a reminder of just how hard it is to guarantee privacy in the realm of digital money.

Private Lives

Privacy coins are a reaction to the realization that bitcoin isn’t private at all. Popular perception holds bitcoin as clandestine, but both the cops and the robbers are well past that. All bitcoin transaction data is public and open to anyone for analysis; combine that with some strategic subpoenas for the personal data cryptocurrency exchanges are required to collect on their customers, and it’s pretty trivial to untangle who’s who. Doing so has become a big business. Federal procurement data indicates agencies like the Federal Bureau of Investigation and the Department of Homeland Security now spend millions annually on software to help track down the people behind transactions. So the dark web has largely turned to privacy coins in the hopes of staying concealed.

"Keeping things anonymous and private is much, much harder than just getting the cryptographic aspects right." Florian Tramer, Stanford University

That turns out to be a tall order. Take Mimblewimble, which gets its privacy in part by merging many transactions into a single, inscrutable package, so that a snooper looking at the result can no longer tell which inputs paid which outputs. An additional component used by Grin and Beam, called Dandelion, is meant to make sure that merging happens before a transaction is broadcast to the rest of the network. (First comes a “stem” phase, in which each node hands the transaction to just one peer instead of announcing it, so that transactions can combine along the way; then comes the “fluff” phase, when the transaction is finally broadcast to everyone, hence Dandelion.) But former Google engineer Ivan Bogatyy says the protocol is flawed because an attacker could set up a node that connects to, and listens in on, all the others. Such a “supernode” would almost always snag transactions before any aggregation has happened, stem or no stem, and could be used to uncover who paid whom.

The attack demonstrates a known limitation of Mimblewimble, says Giulia Fanti, a professor at Carnegie Mellon and one of the Dandelion designers: “I think maybe it was more surprising to general users than the people who are actually working with the technology.” Part of the problem, she adds, is that the Harry Potter coins just aren’t used enough yet. Presumably, more transactions would mean faster aggregation, making it more difficult for the supernode to sniff out transactions that remain loose from the herd. That principle is true for a lot of anonymity tech, Fanti points out, which often rely on hiding yourself within a crowd.
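To make the stem-and-fluff mechanism and Fanti’s “hide in a crowd” point concrete, here is a small simulation written for this article. It is an added example, not code from Grin, Beam, Bogatyy, or the Dandelion authors, and it is a deliberately simplified model: every node has one fixed stem peer, time advances in synchronous ticks, a node forwards its whole stem pool with a fixed probability and otherwise fluffs it, and the sniffer learns only from fluff broadcasts. The node count, transaction count, arrival probabilities, and `stem_continue` value are all assumed parameters chosen for illustration. A transaction that reaches the fluff phase alone exposes its input-to-output link to the sniffer; one fluffed inside an aggregate of several transactions does not.

```python
import random


def simulate_dandelion_sniffer(n_nodes, n_txs, arrival_prob, stem_continue=0.9, seed=1):
    """Toy model (an assumption, not Grin's or Beam's implementation) of Dandelion
    stem relay with Mimblewimble-style aggregation, watched by a sniffer that is
    peered with every node.

    Each node keeps a stem pool.  Every tick a non-empty pool is either forwarded
    whole to the node's single stem peer (probability stem_continue), merging with
    whatever is already waiting there, or fluffed, i.e. broadcast to all peers.
    Because the sniffer is a peer of every node, it sees every fluff immediately.
    A transaction fluffed on its own reveals its input->output link; a transaction
    fluffed inside an aggregate of k > 1 transactions does not (optimistically:
    if the sniffer had already seen one component separately it could subtract it).
    """
    rng = random.Random(seed)

    # Each node picks one fixed stem peer other than itself (constructed topology).
    stem_peer = []
    for node in range(n_nodes):
        peer = rng.randrange(n_nodes)
        while peer == node:
            peer = rng.randrange(n_nodes)
        stem_peer.append(peer)

    pools = [set() for _ in range(n_nodes)]  # per-node stem pool: ids of merged txs
    seen_by_sniffer = []                      # each fluff, as a frozenset of tx ids
    created = 0

    while created < n_txs or any(pools):
        # Wallets inject new transactions at random nodes (at most one per node per tick).
        for node in range(n_nodes):
            if created < n_txs and rng.random() < arrival_prob:
                pools[node].add(created)
                created += 1

        # One synchronous stem step for every node.
        next_pools = [set() for _ in range(n_nodes)]
        for node in range(n_nodes):
            if not pools[node]:
                continue
            if rng.random() < stem_continue:
                # Forward the whole pool; merging with the peer's pool is the aggregation.
                next_pools[stem_peer[node]] |= pools[node]
            else:
                # Fluff: broadcast to all peers, so the sniffer sees it now.
                seen_by_sniffer.append(frozenset(pools[node]))
        pools = next_pools

    linkable = sum(1 for agg in seen_by_sniffer if len(agg) == 1)
    return {
        "linkable_fraction": linkable / n_txs,          # txs whose payer->payee link leaked
        "broadcasts": len(seen_by_sniffer),             # number of fluffed aggregates
        "mean_aggregate_size": n_txs / len(seen_by_sniffer),
    }


if __name__ == "__main__":
    # A quiet network (about 0.1 new tx per tick across 100 nodes) versus a busy one
    # (about 30 per tick).  Both figures are constructed for illustration.
    quiet = simulate_dandelion_sniffer(n_nodes=100, n_txs=300, arrival_prob=0.001)
    busy = simulate_dandelion_sniffer(n_nodes=100, n_txs=300, arrival_prob=0.3)
    print("quiet network:", quiet)
    print("busy network: ", busy)
```

In the quiet setting almost every transaction travels the stem alone and is fluffed alone, so the sniffer links nearly all of them despite Dandelion; in the busy setting pools collide and merge on the way, and most transactions are fluffed inside an aggregate. That is the crowd effect Fanti describes, and the reason a small network gives the supernode an easy job.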

The Harry Potter coin developers claim the attack isn’t so dire. Grin’s developer team says it's well aware that Mimblewimble’s privacy model doesn’t cover it, and has been working on solutions. Beam says it already mitigates the problem by using decoy transactions that make aggregation more effective.

But it’s still useful to demonstrate that a theoretical attack is also cheap and practical, notes Andrew Miller, a professor at the University of Illinois who also serves as a board member at Zcash Foundation. “It changes the conversation," he says. "It didn’t even take a huge effort. It showed how widespread the problem is given the current scale of the network.”

Side Channel Blues

As a relatively young protocol, Mimblewimble doesn’t yet offer the same privacy guarantees as the methods used by Zcash and Monero, says Florian Tramer, a cryptography researcher at Stanford. They’ve been around longer, he adds, and rely on battle-tested cryptographic techniques like ring signatures and zero-knowledge proofs.