Hacker News

Mimblewimble [0] is a radically different approach to privacy and fungibility, making all transactions look alike.

[0] http://mimblewimble.cash/




Mimblewimble doesn't provide very strong privacy protections. Indeed, to a first approximation all it hides is transaction value. The aggregatable transactions only provide privacy if you assume they are generated, fully formed from nothing. Which isn't true. If they are passed around the network and things are aggregated in, then anyone observing the network will see exactly what went in and what didn't. If you pass them to a trusted party, well then you have a centralized party you trust for privacy.


It's true that an entity like NSA would notice transactions at their point of origin, before aggregation, and could relate inputs to outputs.

Reducing this linkability doesn't require a trusted party though, as MimbleWimble is compatible with the valueshuffle [0] protocol.

[0] https://people.mmci.uni-saarland.de/~truffing/papers/valuesh...


You have a choice: use a trusted party (obviously bad) or pass around partial aggregates and have someone add on to them (this is the standard proposal). Problem is, you can trivially attach to almost every full node and observe those transactions as they get broadcast around. It's not NSA level attacks, I know at least 2 blockchain analysis companies that do this in Bitcoin today.

So, against that attacker, which already exists and is live today, mimblewimble seemingly provides almost no privacy.


Everything in a MimbleWimble chain, and even at the transaction broadcast level, looks like sorted sets of uniformly random curve points. There are no amounts as you point out, but there are no addresses either.

So now, tell me what that "attack" gives you?


If Alice gives you a coin and then you spend it to Bob, what stops Alice and Bob from identifying that they dealt with the same person? This isn't an issue of addresses or values, but the transaction graph. The only thing that hides that in mimblewimble is aggregate transactions. But again, they don't hide it if you see them assembled. To such an attacker, the transaction graph is entirely intact.


The transaction graph (apart from private aggregation) is intact to an attacker who has seen all transactions being broadcast, but can then only relate outputs that they themselves have been involved in (like Alice and Bob in your example) to real world identities. This is the great advantage of having no addresses.
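To make the exchange above concrete (hidden amounts, no addresses, and aggregation with cut-through hiding the Alice -> you -> Bob graph only from observers who never saw the individual transactions), here is an added Python toy; it is not from this thread or from any Mimblewimble implementation, and the tiny group parameters and the Alice/you/Bob values are constructed for it.

```python
# Toy Pedersen commitments over a small prime-order subgroup of Z_P*.
# Constructed for illustration only: P is 11 bits, so this is NOT secure.
# Mimblewimble uses secp256k1 points, C = v*H + r*G; written multiplicatively
# here as C = H^v * G^r mod P, with the same homomorphic algebra.
P, Q = 2039, 1019      # safe prime P = 2Q + 1; Q is the subgroup order
G, H = 4, 9            # squares mod P, so both lie in the order-Q subgroup;
                       # log_G(H) is assumed unknown (toy "nothing up my sleeve")

def commit(value, blind):
    return pow(H, value, P) * pow(G, blind, P) % P

def prod(cs):
    out = 1
    for c in cs:
        out = out * c % P
    return out

def make_tx(inputs, outputs):
    """inputs/outputs are (value, blind) pairs. The kernel excess
    G^(sum r_out - sum r_in) is what the real protocol signs; the signature
    (plus range proofs, omitted here) is what proves the value difference is zero."""
    r_in = sum(r for _, r in inputs)
    r_out = sum(r for _, r in outputs)
    return {"inputs": sorted(commit(v, r) for v, r in inputs),
            "outputs": sorted(commit(v, r) for v, r in outputs),
            "kernels": [pow(G, (r_out - r_in) % Q, P)]}

def verify(tx):
    """Balance check a node performs: outputs = inputs * kernel excess."""
    return prod(tx["outputs"]) == prod(tx["inputs"]) * prod(tx["kernels"]) % P

def aggregate(tx1, tx2):
    """Merge two transactions with cut-through: an output of tx1 spent by tx2 vanishes."""
    ins = tx1["inputs"] + tx2["inputs"]
    outs = tx1["outputs"] + tx2["outputs"]
    for c in list(outs):
        if c in ins:
            ins.remove(c)
            outs.remove(c)
    return {"inputs": sorted(ins), "outputs": sorted(outs),
            "kernels": sorted(tx1["kernels"] + tx2["kernels"])}

def graph_edges(txs):
    """Input->output edges an observer can assert from the transactions it saw."""
    return {(i, o) for tx in txs for i in tx["inputs"] for o in tx["outputs"]}

# Constructed scenario from the thread: Alice -> you -> Bob, 10 coins each hop.
alice_in, you, bob = (10, 17), (10, 451), (10, 902)
tx1 = make_tx([alice_in], [you])   # Alice pays you (seen by a network observer)
tx2 = make_tx([you], [bob])        # you pay Bob (seen by a network observer)
agg = aggregate(tx1, tx2)          # what a chain-only observer gets
```

A network observer holding tx1 and tx2 keeps both edges of the graph; the aggregate alone shows only Alice's input and Bob's output, with your intermediate commitment cut through.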


This is a cool project. Thanks for sharing the link. I'll totally buy/mine some GRIN when it comes out.

Things I like so far:

1) Solves privacy and scaling in a single elegant stroke.

2) Inventors seem to be anonymous. I didn't try too hard to identify them but Tom Elvis Jedusor is the French name of Lord Voldemort. This is an important feature for privacy focused coins and for cryptocurrency as a political statement (not just as a technology).

3) The website, by eschewing flashy web2.0 design and buzzwords, clearly sets itself apart from the typical "let's get rich quick" coin. Although I am disappointed the white paper isn't done in LaTeX.

Reasons I'm skeptical (perhaps you can address these):

1) Missed the boat on first mover advantage. Monero seems to solve the privacy problem good enough. Perhaps it is unreasonable to expect people to completely swap over to a new coin whenever there's an advance in tech. Especially when word of the new coin has to spread through grass roots instead of a centralized mechanism.

2) Elliptic curve crypto is vulnerable to quantum computers. IMO this is a ticking time bomb.

3) Expanding on point 2, bitcoin intentionally made a habit of layering "proven" crypto methods on top of each other. Eg both SHA256 and RIPEMD160 hash functions are used so that if a weakness is found in one hash the other is still ok. So far as I can tell mimblewimble has a single point of failure (elliptic curve cryptography).


> Reasons I'm skeptical (perhaps you can address these):

1) Monero may have first mover advantage in the privacy realm, but at the cost of prunability. Grin not only avoids that cost but further improves prunability beyond bitcoin. To me the first mover advantage will always belong to bitcoin, which will likely adopt privacy improving features in the long term.

2+3) Indeed; when evidence appears of quantum computers becoming feasible at breaking EC crypto, current blockchains will need to adopt post-quantum crypto methods of signing transactions, and migrate existing balances. Since EC crypto is more heavily ingrained into Grin, it may have a much harder time than the more modular bitcoin design, or even find it impossible to do so. I'm not aware of any post-quantum equivalent to Pedersen commitments. My hope is that quantum computer development runs into insurmountable barriers...


>current blockchains will need to adopt post-quantum crypto methods of signing transactions, and migrate existing balances.

That's sort of true. Bitcoin is mostly quantum safe. The only vulnerability is that a quantum computer could deduce a private key and change a transaction during the brief (~1 hour) window when the transaction is pending. Quantum computers would have to get to ~660*10^6 quantum gates per second before this becomes feasible (roughly a clock cycle of 660 MHz in classical terms). The first quantum computers will likely be slower than this.

The bitcoin ledger itself is quantum safe because addresses are hashes of public keys rather than just naked public keys. QC won't significantly speed up hash inversion thus a QC won't be able to steal funds out of an arbitrary address.

This is what I mean by bitcoin "layering the crypto" so as not to have a single point of failure. Sure bitcoin could have just used public keys as addresses. Instead it chose to use hashes of keys seemingly for no reason. Some of the facets of Satoshi's design are so genius that we only learn their purpose years later.

>My hope is that quantum computer development runs into insurmountable barriers...

ehhh maybe the GRIN devs should think about this now rather than later.


> The bitcoin ledger itself is quantum safe because addresses are hashes of public keys rather than just naked public keys.

This is true of later addresses, but in early times, addresses were naked public keys, and tons of bitcoins are thus vulnerable to slow quantum computers.


I could have sworn that hashing the pub key was all the way back in the whitepaper. In any case are any "naked pub key" coins still left unspent? I'd reckon that if they are actively owned by someone then that person can forward to a secure address when QC becomes practical and if they are "lost" then who cares if someone with a QC comes and claims them?


> I'm not aware of any post-quantum equivalent to Pedersen commitments

I just learned from Andrew Poelstra of just such a construction [0], which even supports migration from Pedersen commitments.

[0] https://eprint.iacr.org/2015/628



