{"id":16996,"date":"2019-11-25T10:45:29","date_gmt":"2019-11-25T18:45:29","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/11\/25\/news-10733\/"},"modified":"2019-11-25T10:45:29","modified_gmt":"2019-11-25T18:45:29","slug":"news-10733","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/25\/news-10733\/","title":{"rendered":"Even Privacy-Focused Cryptocurrency Can Spill Your Secrets"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5dd87f8b1470db00086869e9\/master\/pass\/Privacy-Coins_-110052547.jpg\"\/><\/p>\n<p><strong>Credit to Author: Gregory Barber | Date: Mon, 25 Nov 2019 13:00:00 +0000<\/strong><\/p>\n<p class=\"content-header__row content-header__dek\">From a Harry Potter-themed protocol to high-profile coins, cryptocurrency is often not quite as private as it seems.<\/p>\n<p>In the <em>Harry Potter<\/em> universe, there\u2019s a handy spell for when you need to stop someone from spilling your secret plans or shit-talking during a duel. It\u2019s called <em>Mimblewimble<\/em>, otherwise known as the tongue-tying curse. It\u2019s also the name of a privacy technology designed for cryptocurrencies\u2014because, well, somebody\u2019s gotta keep crypto weird.<\/p>\n<p>The first coins to use Mimblewimble\u2014distinct efforts called Grin and Beam\u2014both launched in January. But arguments have since erupted over how private that underlying protocol actually is, after an independent researcher demonstrated an attack <a class=\"external-link\" href=\"https:\/\/twitter.com\/IvanBogatyy\/status\/1196441051814223880\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">he says leaves its privacy model fundamentally crippled<\/a>. Mimblewimble advocates say there are potential fixes. 
But Mimblewimble\u2019s limitations\u2014as well as <a class=\"external-link\" href=\"https:\/\/crypto.stanford.edu\/timings\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">vulnerabilities in Zcash and Monero<\/a> detailed in recent weeks\u2014are a reminder of just how hard it is to guarantee privacy in the realm of digital money.<\/p>\n<p>Privacy coins are a reaction to the realization that Bitcoin isn\u2019t private at all. Popular perception holds Bitcoin as clandestine, but both the cops and the robbers are well past that. All bitcoin transaction data is <a href=\"https:\/\/www.wired.com\/story\/bitcoin-drug-deals-silk-road-blockchain\/\">public and open to all for analysis<\/a>; combine that with some strategic subpoenas to get the personal data cryptocurrency exchanges are required to collect on their customers, and <a href=\"https:\/\/www.wired.com\/story\/dark-web-welcome-to-video-takedown-bitcoin\/\">it\u2019s pretty trivial to untangle who\u2019s who<\/a>. Doing so has become a big business. Federal procurement data indicates agencies like the Federal Bureau of Investigation and the Department of Homeland Security now spend millions annually on software to help track down the people behind transactions. So the dark web has largely turned to privacy coins in the hopes of staying concealed.<\/p>\n<p>That turns out to be a tall order. Take Mimblewimble, which gets its privacy, in part, by gathering lots of transactions into a single, inscrutable package. Once transactions are aggregated, the result shows only the combined set of inputs and the combined set of outputs, so a snooper who sees nothing else cannot tell which input paid for which output. 
An additional component used by Grin and Beam, called Dandelion, helps ensure this aggregation occurs before the transactions are broadcast to other nodes in the network. (First comes a \u201cstem\u201d phase, in which each transaction is passed along a chain of single nodes and is meant to combine with others, followed by the \u201cfluff\u201d phase, when the aggregated result is actually broadcast to the whole network, hence Dandelion.) But former Google engineer Ivan Bogatyy says the protocol is flawed because an attacker could set up a node that connects to, and listens in on, all the others. Such a \u201csupernode\u201d would almost always snag transactions before aggregation, stem or no stem, and could be used to uncover who paid whom.<\/p>\n<p>The attack demonstrates a known limitation of Mimblewimble, says Giulia Fanti, a professor at Carnegie Mellon and one of the Dandelion designers. \u201cI think maybe it was more surprising to general users than the people who are actually working with the technology.\u201d Part of the problem, she adds, is that the Harry Potter coins just aren\u2019t used enough yet. Presumably, more transactions would mean faster aggregation, making it more difficult for the supernode to sniff out transactions that remain loose from the herd. That principle is true for a lot of anonymity tech, Fanti points out, which often relies on hiding yourself within a crowd.<\/p>\n<p>The Harry Potter coin developers claim the attack isn\u2019t so dire. Grin\u2019s developer team <a class=\"external-link\" href=\"https:\/\/medium.com\/grin-mimblewimble\/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">notes they\u2019re well aware<\/a> that Mimblewimble\u2019s privacy model doesn\u2019t cover this kind of pre-aggregation observation, and have been working on solutions. 
Beam <a class=\"external-link\" href=\"https:\/\/medium.com\/beam-mw\/will-breaking-mimblewimbles-privacy-model-work-on-beam-9125bc2ee863\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">says it already mitigates the problem<\/a> by using decoy transactions that make aggregation more effective.<\/p>\n<p>But it\u2019s still useful to demonstrate that a theoretical attack is also cheap and practical, says Andrew Miller, a professor at the University of Illinois who also serves as a board member of the Zcash Foundation. \u201cIt changes the conversation. It didn\u2019t even take a huge effort. It showed how widespread the problem is given the current scale of the network.\u201d<\/p>\n<p>As a relatively young protocol, Mimblewimble doesn\u2019t yet offer the same privacy guarantees as the methods used by Zcash and Monero, says Florian Tramer, a cryptography researcher at Stanford. They\u2019ve been around longer, he says, and rely on battle-tested cryptographic techniques like ring signatures and zero-knowledge proofs. \u201cThe big question to address in this space is the expectations of privacy we have from different technologies,\u201d he says.<\/p>\n<p>Even then, privacy remains tricky, Tramer adds. He <a class=\"external-link\" href=\"https:\/\/crypto.stanford.edu\/timings\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">recently published a set of attacks<\/a> on Monero and Zcash that were notable because they didn\u2019t even need to target the fancy cryptography those coins use. \u201cThat\u2019s the part people have put a lot of effort in,\u201d he says. 
\u201cBut when you look at the bigger picture, how these systems interact with each other, you realize that keeping things anonymous and private is much, much harder than just getting the cryptographic aspects right.\u201d<\/p>\n<p>In this case, Tramer and colleagues developed so-called side-channel attacks that homed in on the interactions between wallets, which are private, and the public-facing networks. Because the details of transactions are encrypted, a wallet needs to check whether each transaction it sees was meant for it or not, by attempting to decrypt it with its own keys. Tramer\u2019s team based their attack on the observation that wallets perform different cryptographic checks depending on the answer to that question: a transaction addressed to the wallet triggers processing that one addressed to someone else does not. An adversary who can measure those subtle differences in timing and behavior can learn a lot. Using the techniques Tramer developed, an attacker could uncover the payee for any anonymous transaction in the network, and locate the IP address of a machine that holds the private keys for a public address.<\/p>\n<p>Those vulnerabilities were disclosed to Monero and Zcash, and Tramer says he\u2019s happy with how quickly both teams <a class=\"external-link\" href=\"https:\/\/electriccoin.co\/blog\/new-release-2-0-7-3\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">patched<\/a> them. The Monero fix was fairly simple because the design already tried to keep the wallet and network separate; the overlap was essentially a loophole that had to be closed. Zcash had a trickier problem because the wallet and network processes are linked by design. That\u2019s partly an artifact of the network\u2019s origins, which involved adding privacy technologies on top of Bitcoin, rather than building from scratch. 
\u201cPart of this attack was made possible by building on top of a client that wasn\u2019t built with privacy and anonymity in mind. This is something the Zcash team is well aware of,\u201d Tramer says.<\/p>\n<p>Those problems are fixed, and for now, the privacy coins are still far more anonymous than bitcoin transactions, which can be surveilled passively and traced years after the fact. Miller says the community will need to keep a close eye on other types of side-channel attacks, especially if the aim is to make privacy coins useful. Using your Zcash or Monero or Grin to pay for online services, for example, could usher in new headaches over what kinds of information get leaked when you interact with an application.<\/p>\n<p>\u201cThis type of attack is fairly new,\u201d Tramer says. \u201cBut I think people are starting to pay attention.\u201d Privacy-centric coins have a solid cryptographic foundation. But staying concealed comes down to how they\u2019re used in practice.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/harry-pottery-cryptocurrency-privacy-zcash-monero\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5dd87f8b1470db00086869e9\/master\/pass\/Privacy-Coins_-110052547.jpg\"\/><\/p>\n<p><strong>Credit to Author: Gregory Barber | Date: Mon, 25 Nov 2019 13:00:00 +0000<\/strong><\/p>\n<p>From a Harry Potter-themed protocol to high-profile coins, cryptocurrency is often not quite as private as it 
seems.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-16996","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16996"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16996\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16996"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
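The supernode attack on Mimblewimble aggregation discussed in the article above, as an added Python example that is not part of the original article and is not code from Grin, Beam or Bogatyy's write-up. It reduces a transaction to opaque input and output identifiers and aggregation to a set union (real Mimblewimble also carries kernels and applies cut-through; both are omitted), and shows why a node that sees transactions before they are aggregated, even most of them rather than all, recovers the input-to-output links that the aggregate alone hides. All identifiers and the five sample transactions are constructed for illustration.

```python
"""Toy model of Mimblewimble aggregation and of a pre-aggregation sniffer.

Added example, not code from Grin, Beam or the article. A transaction is a set of
opaque input identifiers plus a set of opaque output identifiers; aggregation is the
union of all inputs and the union of all outputs. Identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    inputs: frozenset
    outputs: frozenset


@dataclass(frozen=True)
class Block:
    inputs: frozenset
    outputs: frozenset


def aggregate(txs):
    """Mimblewimble-style aggregation: keep only the union of inputs and the union
    of outputs. Someone who sees only the result cannot tell which input funded
    which output; that is the privacy the protocol relies on."""
    ins = frozenset().union(*(t.inputs for t in txs))
    outs = frozenset().union(*(t.outputs for t in txs))
    return Block(ins, outs)


def candidate_outputs(block, observed):
    """What a supernode can say about each input after seeing the aggregated block
    plus the individual transactions it sniffed before aggregation.

    Returns {input_id: frozenset(output_ids)}: the outputs each input may have paid.
    An input from a sniffed transaction is linked to exactly that transaction's
    outputs. Whatever is left in the block after subtracting the sniffed
    transactions belongs to the unobserved ones, so each remaining input is linked
    to the leftover outputs; if only one transaction was missed, that leftover set
    is precisely its outputs and it is fully linked too.
    """
    links = {}
    seen_inputs, seen_outputs = set(), set()
    for t in observed:
        for i in t.inputs:
            links[i] = t.outputs
        seen_inputs |= t.inputs
        seen_outputs |= t.outputs
    leftover_outputs = block.outputs - seen_outputs
    for i in block.inputs - seen_inputs:
        links[i] = leftover_outputs
    return links


def linked_fraction(block, observed, all_txs):
    """Fraction of the block's inputs whose candidate set equals the outputs of
    the transaction that really spent them, i.e. inputs fully de-aggregated."""
    links = candidate_outputs(block, observed)
    truth = {i: t.outputs for t in all_txs for i in t.inputs}
    exact = sum(1 for i, outs in links.items() if outs == truth[i])
    return exact / len(links)


# Constructed sample: five transactions aggregated into one block.
ALL_TXS = [
    Tx(frozenset({"in_a"}), frozenset({"out_a1", "out_a2"})),
    Tx(frozenset({"in_b"}), frozenset({"out_b1"})),
    Tx(frozenset({"in_c1", "in_c2"}), frozenset({"out_c1"})),
    Tx(frozenset({"in_d"}), frozenset({"out_d1", "out_d2"})),
    Tx(frozenset({"in_e"}), frozenset({"out_e1"})),
]
BLOCK = aggregate(ALL_TXS)


if __name__ == "__main__":
    for k in (0, 3, 4, 5):
        share = linked_fraction(BLOCK, ALL_TXS[:k], ALL_TXS)
        print(f"sniffed {k}/5 transactions pre-aggregation: {share:.0%} of inputs linked")
```

Seeing only the block links nothing; sniffing three of the five transactions links four of six inputs; sniffing four links everything, because the fifth falls out by subtraction. That leftover step is why Fanti's point about volume matters: the more transactions the supernode fails to see inside one aggregate, the larger the candidate set for each unobserved input.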
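The wallet side channel Tramer describes above, as an added toy model in Python that is not from the article, Zcash, Monero or the Stanford paper. It puts an early-exit note scan beside one that does the same work for every note, and lets a simulated remote attacker compare the cost of a candidate transaction against a self-made decoy of the same shape. The note format, the HMAC-based trial-decryption tag, the work meter (standing in for measured latency) and the sample keys are all constructed assumptions.

```python
"""Toy model of a wallet scan that leaks the payee through its amount of work.

Added example, not code from Zcash, Monero or the Stanford paper. The note format,
the trial-decryption tag (an HMAC over a random per-output value) and the work
meter are constructed stand-ins for real note encryption and real latency, so the
leak can be asserted deterministically instead of timed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    epk: bytes         # per-output ephemeral public value (random bytes here)
    tag: bytes         # trial-decryption tag: HMAC(recipient_ivk, epk)
    ciphertext: bytes  # encrypted note payload (opaque here)


class WorkMeter:
    """Counts units of work; stands in for the processing delay a remote peer
    can observe before the wallet or its node answers the next message."""
    def __init__(self):
        self.units = 0

    def spend(self, n=1):
        self.units += n


def trial_decrypt(ivk, note, meter):
    """Cheap check: does this note's tag match our incoming viewing key?"""
    meter.spend(1)
    expected = hmac.new(ivk, note.epk, hashlib.sha256).digest()
    return hmac.compare_digest(expected, note.tag)


def decrypt_and_verify(ivk, note, meter):
    """Expensive path a wallet would run for its own notes (decrypt, re-check
    the value commitment); modelled as a fixed 50 units of work."""
    meter.spend(50)
    return hashlib.sha256(ivk + note.ciphertext).digest()


def scan_vulnerable(ivk, notes, meter):
    """Early-exit scan: only notes addressed to us take the expensive path,
    so the total work reveals whether the transaction paid this wallet."""
    received = []
    for note in notes:
        if not trial_decrypt(ivk, note, meter):
            continue  # the observable shortcut
        received.append(decrypt_and_verify(ivk, note, meter))
    return received


def scan_hardened(ivk, notes, meter):
    """Uniform-work scan: run the expensive path for every note and keep the
    result only if the note was ours, so work no longer depends on the answer."""
    received = []
    for note in notes:
        ours = trial_decrypt(ivk, note, meter)
        plaintext = decrypt_and_verify(ivk, note, meter)
        if ours:
            received.append(plaintext)
    return received


class Wallet:
    def __init__(self, ivk, scan):
        self._ivk, self._scan, self.received = ivk, scan, []

    def handle_tx(self, notes):
        """Process one transaction's outputs and return the work it cost,
        which is what a network-level observer effectively gets to measure."""
        meter = WorkMeter()
        self.received.extend(self._scan(self._ivk, notes, meter))
        return meter.units


def make_note(recipient_ivk):
    epk = secrets.token_bytes(32)
    tag = hmac.new(recipient_ivk, epk, hashlib.sha256).digest()
    return Note(epk, tag, secrets.token_bytes(32))


def attacker_says_payee(wallet, candidate_tx):
    """Remote attacker's test: make the wallet process the candidate and a decoy
    of the same shape that cannot be addressed to it, then compare the cost.
    Only a leaky scan lets the candidate stand out."""
    decoy_tx = [make_note(secrets.token_bytes(32)) for _ in candidate_tx]
    return wallet.handle_tx(candidate_tx) > wallet.handle_tx(decoy_tx)


# Constructed sample keys and transactions.
IVK_ALICE = b"alice-incoming-viewing-key-00001"
IVK_BOB = b"bob-incoming-viewing-key-0000001"
TX_TO_ALICE = [make_note(IVK_ALICE), make_note(IVK_BOB)]  # Alice's note plus one more
TX_TO_BOB = [make_note(IVK_BOB), make_note(IVK_BOB)]
```

Against the early-exit wallet the attacker's comparison identifies Alice as the payee of `TX_TO_ALICE` and rules her out for `TX_TO_BOB`; against the uniform-work wallet both answers are negative while the wallet still receives exactly the same note. Equalising work is one of the two mitigations the article touches on; the other, which the Monero remark describes, is keeping wallet processing off the network-facing path so a peer cannot measure it at all. Equal operation counts in Python are not equal wall-clock time, so a production fix also needs constant-time primitives (`compare_digest` is used here) and measurement on the real transport.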