“Mimblewimble, which prevents your opponent from accurately casting their next spell. ”
Few ideas within crypto have garnered as much attention as the MimbleWimble proposal. It gets its name from the incantation of the Tongue Tying Curse in the Harry Potter universe, a spell used to prevent speaking on a certain topic. MimbleWimble is a novel protocol that works to improve privacyand scalability for its users.
It was first proposed to the #bitcoin-wizards IRC channel on August 1st, 2016by pseudonymous author Tom Elvis Jedusor (Voldemort’s real name in the French Harry Potter). The original proposal is a succinct one. MimbleWimble takes the main architecture of Bitcoin, removes script, adds Confidential Transactions and the idea of cut-through and the result is a highly compressible and opaque blockchain.
Since the release of the initial proposal, many engineers and researchers have come forward to contribute. Notably, Andrew Poelstra, a talented researcher and developer from Blockstream, dug in, digested the ideas, and wrote this position paper back in October 2016 that solidifies the original ideas and offers an argument for security.
Current state of affairs
MimbleWimble was created as an idea for improving scalability and privacy within Bitcoin. Due to the level of modification and tradeoffs involved, it’s not currently politically or technologically feasible to include on Bitcoin proper. However, it may be possible to implement as a sidechain in the future. A sidechain is a separate blockchain that utilizes its own consensus (possibly via merged mining), but not its own token. Instead it uses the bitcoin currency via a two-way peg.
Since it’s unlikely to be incorporated into Bitcoin anytime soon, two teams have started efforts to launch standalone implementations. Another pseudonymous developer with a name from the Harry Potter universe, Ignotus Peverell, is leading the development of Grin, an open source grassroots effort not dissimilar to Bitcoin itself. Another project, Beam, has taken an approach more similar to Zcash, with a formally organized company and a founders reward to fund development and reward the creators. Beam is led by Alexander Zaidelson, an entrepreneur based in Israel.
I’ll go over some of the decisions and tradeoffs made in the two implementations a bit later. First, let’s explore the MimbleWimble concept itself.
How does it work?
Cryptography, while generally trusted, is usually only empirically correct. Most cryptography is not proven to be correct. Confidence is gained by lasting a long time without being broken by security researchers. Cryptography relies on assumptions that certain computations are difficult enough that they are practically impossible. Bitcoin depends on the discrete log problem and cryptographic hashing. The beauty of Bitcoin is that it involves only relatively simple cryptographic assumptions that have decades of research. Those primitives being the discrete log problem and cryptographic hashing.
One of the advantages of MimbleWimble or Monero over something like Zcash is that it depends on the same simple cryptographic primitives as Bitcoin. If the discrete log problem and hashing assumptions hold, then Bitcoin and MimbleWimble are secure. MimbleWimble combines these relatively simple cryptographic primitives in very sophisticated ways and the result is a system that is quite complex, yet elegant at its core. It takes a fairly deep understanding of cryptography to fully wrap your head around everything that’s going on. Nevertheless, I will endeavor to give a peek under the hood.
Discrete Log Problem
Cryptography is built on the idea that certain operations are easy to compute in one direction, and near impossible to compute in the other direction. The discrete log problem is an important example of this and is one of the most fundamental assumptions. It allows innovations like public key cryptography and signatures to work and be highly efficient.
The discrete log problem comes from discrete mathematics, a branch of math that deals with a limited set of values. The allowable values are limited to a well defined set of discontinuous numbers or points, rather than real numbers. Boolean algebra is an example where the possible values are only zero and one. Math over the set of whole numbers or integers are also examples of discrete math.
Like Bitcoin, MimbleWimble relies on elliptic curve cryptography (ECC). In ECC, math operations are defined over a range that is the set of points that satisfy a specifically chosen elliptic curve. Elliptic curves look something like this when plotted.
credit Nick Sullivan
This math is called group theory and it is a form of abstract algebra. It uses familiar mathematical operations such as addition and subtraction. Points can also be multiplied and divided by integers, also known as scalars in this context. However, the effect of these operations is defined by the curve rather than the arithmetic we’re familiar with. Points can be added, subtracted and multiplied easily with standard computers. However, division is very difficult, and brute force is the only currently known way (note: this may become easy with quantum computers, but that’s likely years away and we will have ample notice). The fact that multiplication is easy but division is difficult is the property we need to build powerful cryptography.
In Bitcoin and MimbleWimble, public keys are derived from private keys. The protocol chooses a point on the elliptic curve and typically labels it H or G. This is called a generator point. The private key is actually just a whole number (a scalar) chosen at random from a very large set (on the order of 2¹²⁸ or greater). The generator point is multiplied by the chosen scalar to give the public key. The fact that this multiplication is considered extremely difficult to reverse is what allows these systems to operate. Reversing multiplication is also known as taking a logarithm, hence the name discrete log problem.
To learn more about elliptic-curve cryptography and the related discrete log problem, Nick Sullivan, the head of cryptography at Cloudflare, wrote a fantastic post on the topic.
A cryptographic hash function takes an arbitrarily large amount of data called the input and “digests” it into a fixed length string of data called a hash. For this reason it is also sometimes called a digest. For a hash function to be a cryptographic hash function, the output must be completely unpredictable and unrelated to the input. A small deviation in the input should result in a completely different hash. This unpredictability is what allows these functions to be secure. Most importantly, it should not be possible for an attacker to find an input that corresponds to a hash from another input. This property is known as collision resistance.
Bitcoin uses the RIPEMD-160 function to generate an address from a public key and SHA-256 for its proof-of-work function. In MimbleWimble, hashing is used to create outputs which in fact are cryptographic commitments (see Confidential Transactions below). These commitments do not reveal a destination address on the chain, but are only spendable when a user has possession of a private key.
Both implementations of the MimbleWimble protocol use hashing as the proof-of-work consensus mechanism. If the hash functions chosen were broken, an attacker may have the ability to predictably generate small hash values allowing them to overwhelm the network with easily found blocks.
Homomorphic encryption is a very cool technique that allows mathematic operations on encrypted numbers. If this sounds crazy, you’re right, it is. It turns out multiplication is rather hard to get right in a homomorphic encryption scheme. Thus, fully homomorphic encryption systems include tremendous overhead and are quite slow. However, we can get quite interesting results with systems that are merely additively homomorphic. Additively homomorphic meaning that addition and subtraction are preserved over encrypted values.
The ability to check whether two separate summations result in equal values turns out to be tremendously powerful. As we’ll see, MimbleWimble leans heavily on this additively homomorphic property to continuously verify that the sum of the inputs equals the sum of the outputs without needing to know the values themselves.
Confidential Transactions (CT) was originally proposed by Greg Maxwell, former CTO of Blockstream and prolific cryptographer, to aid the privacy of Bitcoin transactions. It uses a Pedersen Commitment scheme which replaces plaintext unspent transaction outputs (UTXOs) values with cryptographic commitments. UTXOs represent individual piles of unspent money on the Bitcoin blockchain, an alternative approach to account balances. A cryptographic commitment binds the user to a chosen value without revealing what that value is. This means if and when the time comes for the user to reveal the chosen value, they cannot change their mind about the value as only the original value will satisfy the mathematics involved.
This approach is called a commitment scheme, and has two phases; commit and reveal. The really cool part is that only recipients of a confidential transaction need to learn what the value actually is. Pedersen commitments follow the additive homomorphic property and therefore allow us to check that the sum of the inputs equals the sum of the outputs within a transaction. Transactions can be validated without knowing the amount transacted — a big win for privacy.
There’s one wrinkle that must be dealt with, and that’s negative values. If it were possible to create a commitment to a negative value, then it would be possible to effectively print money by creating two outputs such as 10 BTC and -10BTC and then later ignoring the -10BTC output. Confidential Transactions deals with this with a technique called a range proof. A range proof is a cryptographic argument that the commitment satisfies a certain range. In CT, this proves that the committed value is positive without revealing anything else about the value. The range proof is actually the largest part of a CT output, but is essential for ensuring the money supply does not undergo significant inflation.
MimbleWimble uses the Confidential Transactions scheme for bookkeeping on its blockchain. There are no observable values on MimbleWimble, only cryptographic commitments and range proofs. The homomorphic additive property ensures that the total money supply in the system can be continuously checked without having amounts be visible.
CoinJoin is another technique invented by Greg Maxwell. CoinJoin allows users to combine their transactions together so that the transaction graph becomes a bit more obfuscated. The transaction graph reveals who is a party to a transaction and can reveal information about relationships between different users and the history of a coin. It is sometimes assumed that if multiple inputs are spent, they must belong to the same user’s wallet. If enough people use CoinJoin, this breaks the assumption that multiple inputs to a transaction are from the same user, which is a boon for privacy. CoinJoin is a nice technique, but it has the significant drawback of requiring cooperation or interaction amongst the participants since every input owner must sign the entire combined transaction to authenticate it. It’s not possible for transactions to be combined in an offline or asynchronous manner.
There has been significant research on allowing a non-interactive CoinJoin. One technique implements a scheme called One Way Aggregate Signatures (OWAS) and has promise, but involves more complex cryptographic assumptions, specifically pairing cryptography. Ethereum founder Vitalik Buterin has written an explainer on pairing cryptography — the main idea is that it introduces operations that require a one-to-one mapping between points on two elliptic curves. Greg Maxwell discusses the non-interactive CoinJoin proposal in this bitcointalk thread in 2016.
MimbleWimble avoids the need for more complicated security assumptions, and instead relies only on the same elliptic curve cryptography assumptions already utilized within Bitcoin. It also allows for non-interactive combination of transactions. This is one of the main reasons to get excited about MimbleWimble. In fact, the protocol combines all transactions at the block level automatically.
Simplified visualization of cut-through
As just mentioned, MimbleWimble collapses all transactions within a block into a single block-wide transaction. The structure and transaction boundaries are removed. If a transaction is spending a very fresh (unconfirmed) input, then it is possible to completely remove the intermediary outputs without affecting the validity of the chain.
For the technically minded, please note that the cut-through does not remove all vestiges of the intermediary transactions. Each transaction does leave what’s known as a transaction kernel that must be stored forever to be able to properly validate the chain. The transaction kernels are what actually prove ownership over the inputs and allow the math to work to validate the transactions and the overall chain.
Tying it together
The MimbleWimble protocol combines the above into a specification for a blockchain suitable for simple payments. It uses a modified version of Confidential Transactions so that the balances are stored as cryptographic commitments rather than publicly visible amounts. Transaction structure is removed within each block, and the blocks are validated as a whole.
Interestingly, the system does away with addresses, and instead outputs are actually commitments that can only be spent by people with knowledge of a particular parameter used to create the commitment. This parameter is known as a blinding factor and was originally included in Confidential Transactions purely for privacy. In a clever modification, MimbleWimble uses the blinding factor as the private key that authorizes the spending of an output. These blinding factors are now fundamental to authentication, and must not be shared.
Affects of MimbleWimble
MimbleWimble is a stripped down blockchain protocol suitable for simple payments. Since it removes addresses, senders and receivers must cooperate via a secure and private medium to create transactions before broadcasting a transaction to the network. This is significantly different from address based systems where it is easy to receive money while offline and without a private communication channel.
Amounts are obscured and it is difficult for third parties to decipher what is happening without extensive outside knowledge. Transaction cut-through is a boon to privacy as well, but only helps privacy when the transactions occur within the same block.
The consolidation of transactions within a block helps privacy as well, especially against casual onlookers. However if a spy node receives transactions individually, they can begin to compile a forensics database that associates inputs with outputs, possibly linking them to IP addresses. This information could later be used to possibly deanonymize parts of the chain later with learned information.
Both implementations of MimbleWimble utilize a proposal called Dandelion a network routing proposal originally created for Bitcoin that creates plausible deniability. It passes transactions around via several hops and, in MimbleWimble, later aggregates them randomly before they are sent to miners for inclusion into a block. This will make it much harder for spy nodes to learn about what’s happening.
MimbleWimble’s privacy may be worse than both Monero and Zash. Confidential Transactions reliably obscures the amounts, but the transaction graph is only hidden as well as the user can find simultaneous transactions to combine theirs with. Both Monero and Zcash offer stronger cryptographic concealment of the graph at the base layer and do not require contemporaneous transactions.
MimbleWimble does not feature significant improvements in tx/s over existing cryptocurrencies. Confidential Transactions offers privacy benefits, but requires significant resources. Combining individual transactions at the block level removes a small amount of bandwidth overhead.
The biggest benefit is for new nodes joining the network. Recall that the chain is validated by continuously checking whether the total input and output sides of the equation balance. Because of this, it is possible to prune matching inputs and outputs and still check that the chain validates. This means that when new nodes want to join the network, they may be able to download just the relevant subset of historical inputs and outputs. Existing nodes are also able to reclaim a bit of disk space, but this is something that other cryptocurrencies can also do fairly easily.
Bootstrapping with less data is not an idea unique to MimbleWimble. While MimbleWimble has an elegant scheme for this, Bitcoin could adopt things like UTXO commitments and offer similar levels of pruning limiting the disk requirement.
Grin vs Beam Comparison
Grin and Beam are two separate implementations of the MimbleWimble protocol set to launch in late Q4 2018 or early Q1 2019. They are very different in their approaches. Beam is structured as a product of a company, while Grin is an open source community effort. Both projects have chosen a similar block time.
The other main difference between the projects lies in their monetary policy. Some Grin supporters believe that its true purpose is to be a Bitcoin testnet. The linear monetary policy with no reduction in inflation reflects that Grin does not necessarily see their token as needing to be a scarce store of value, and may be happy to see more active circulation. Beam has a hardcoded supply cap and a team incentivized with Beam tokens, so they have made choices more appropriate for an increasing token value.
The MimbleWimble protocol is quite dense. One post is certainly not going to do the topic justice. Here are some extra resources to help you learn more.
Introduction to MimbleWimble and Grin from the Grin team
Grin block explorer (testnet as of 11/26/2018)
Disclaimer: Jordan Clifford is a Managing Director of Scalar Capital Management, LLC, an investment manager focused on cryptographic and blockchain related assets. Scalar Capital holds positions in some of the aforementioned cryptoassets. At the time of posting, Beam and Grin are not yet operational.