Mimblewimble: the good and the bad

via token

No matter how long you have been in the crypto space, you probably have come across “MimbleWimble” which is a winking reference to the tongue-tying spell from Harry Potter. But, what is MimbleWimble in crypto exactly? And what’s magical about it?

MimbleWimble, or MW in short, is an approach that was proposed by an anonymous developer to improve the privacy features of Bitcoin. Some people really liked the idea of MW and saw it as a simple and reasonably effective way to achieve transaction privacy. However, because the MW approach required significant changes to Bitcoin, it was largely dismissed by the Bitcoin community. Since then, MW did not see significant discussion or development until it came to the front page of crypto with Grin.

Grin is a cryptocurrency project that tries to achieve multiple goals. These goals include fair launch with no initial premine, ASIC-resistance, long-term monetary policy and finally transaction privacy through the implementation of MW. Grin also has the secret sauce of having an anonymous founder. Other projects are also working to implement MW as their chosen privacy technique like Beam Privacy. Many articles have already highlighted the advantages of Mimblewimble without shedding enough light on the downsides. In this article, I discuss if MW can deliver the perceived privacy guarantees. I also compare MW, on a high-level, to other privacy techniques like zk-SNARKs.

How does MimbleWimble achieve transaction privacy

Cryptocurrencies utilizing MimbleWimble use Bitcoin’s unspent transaction output (UTXO) model. To make a transaction private, three pieces of information need to be hidden: the sender information (TX inputs), the receiver information (TX outputs) and the transaction amount. Hiding this information is a fairly complex task when you deal with public ledgers like the Bitcoin blockchain. For example, Bitcoin transactions by default do not hide any of these pieces of information. Achieving Bitcoin transaction privacy through the hiding of the TX amount was proposed using a technique known as Confidential Transaction (CT). It is also possible to use CoinJoin to hide the sender and receiver addresses among multiple other addresses.

Main fields of a Bitcoin transaction that need to be obfuscated to create a private transaction

MimbleWimble improves upon some of these concepts to achieve privacy. First, MW hides the TX amount by changing how the transaction is created and structured. In Bitcoin, a user creates a transaction by determining the receiver address and the transaction amount, signing the transaction and broadcasting it to the whole network. In MW, to hide the TX amount, both the sender and receiver have to work together to craft the transaction before it is broadcasted to the network.

The sender/receiver of a transaction commits to spending/receiving a specific TX amount. The amount is then obfusticated by using the private key as a blinding factor. The result is a transaction with a hidden amount that still can be verified by the network as a valid transaction. The transaction is then broadcasted to the network with a new multi-signature that is derived from the private keys of the two parties of the transaction. The broadcasted transaction would only show that a single or multiple UTXOs were spent to create new UTXOs. For further details about this process, I recommend reading this excellent explanation by the Grin team.

Simplified diagram showing the main differences between Bitcoin and MimbleWimble transactions

When a MimbleWimble TX is broadcasted to the pool of unconfirmed transactions, it still contains the information of the inputs, that were spent in the TX, and the outputs. This information can be seen by anyone on the network. For this reason, MW requires an additional step to try to hide this information. This step is called the transaction cut-through. In the simplest form, if Alice sent Bob some money and then Bob used this money to pay Charlie, the MW block can be organized in a way to completely remove Bob. The block would instead have a transaction that shows that Alice has sent money to Charlie. Bob’s transactions would simply disappear. A person inspecting the latest version of the public ledger would not know that Bob transacted with either Alice or Charlie. As the transaction cut-through goes on, it can preserve the privacy of many users.

Advantages of MimbleWimble

MimbleWimble allows for a number of advantages. First, it allows for better privacy for users by hiding transaction amounts and avoiding the use of publicly visible addresses. Second, the use of transaction cut-through further improves the privacy and allows for smaller blocks and smaller blockchain data size in general. When network nodes are not required to store significant amounts of data, it would be easier for nodes to join the network. In turn, this would lead to a better distributed network and allow for better scalability.

Where MimbleWimble comes short

Using the very simple introduction of how MW works, there are a number of apparent shortcomings.

  1. There is a need to have some form of communication between the sender and receiver to arrange for the transaction to be signed by both parties. This makes sending transactions a little bit more complicated compared to Bitcoin. It could also require TX participants to be online for the TX to occur.

  2. The way the MW transactions are crafted makes it more difficult to create multi-party transactions as multiple parties have to communicate to craft the TX.

  3. When MW transactions are published to the unconfirmed TX pool, the TX inputs and outputs are still visible. Miners are required to create the transaction blocks in a way that allows transaction cut-through to hide some of this information. The confirmed block will have a smaller number of inputs and outputs mixed together in a way that makes it more difficult to recognize the sides of a specific transaction. However, it is possible and probably easy for anyone to keep recording all the transactions from the unconfirmed transaction pool. This data could be used to build detailed transaction graphs of the network.

Many governments and infosec companies like Chainalysis have incentives to perform this kind of data keeping and analysis. In fact, it can be very profitable to have data that most people think is impossible to have. The privacy guarantee of MimbleWimble, in this case, is equivalent to using Bitcoin with generating a new address for each new transaction (with the added advantage of hiding the TX amount). Indeed, this can make it more difficult to trace transactions but it is not impossible to do this kind of analysis.

Example of a transaction graph that can be built by tracing the MimbleWimble transactions

Comparison with other privacy-maintaining techniques

To have a clear picture of why MimbleWimble privacy guarantees are weaker than that of other popular privacy coins, it is important to compare MimbleWimble to other privacy approaches. Zcash and Monero are the most well-known privacy coins available today. They use two different approaches to achieve privacy.

Zcash shielded transactions

In my opinion, Zcash shielded transactions have the highest privacy guarantees among privacy coins. I’m not the only one who thinks so. Without diving into many technical details, it is possible to simplify Zcash shielded transactions as encrypted transactions. The encryption occurs before the transaction leaves your wallet and it hides all the important information of the transaction. However, by using zk-SNARKS zero-knowledge proofs, it is still possible for the network to verify the transaction and make sure the sender actually owns the transmitted coins. The main issue with Zcash was that it is a computationally expensive task to generate Zcash shielded addresses. This issue was improved by the sapling update that was activated on October 29th. Sapling significantly reduces this computational complexity and allows better adoption of the Zcash shielded transactions.


Monero uses Ring Confidential Transactions and stealth addresses to hide the important pieces of information in a transaction. Ring signature is used to hide the sender signature among other irrelevant signatures. The TX amount is hidden through the confidential transaction (CT) technique. In fact, MW hiding of the TX amount is a modification of the CT technique. Finally, stealth addresses allow the receiver’s address to be only visible to parties involved in the transaction. Monero transactions used to be large in size and expensive to use. Recently, Monero hard forked to use a proof mechanism known as Bulletproof which helped to reduce the TX size and cost significantly.

In conclusion, transaction privacy is a complicated issue and improving transaction privacy comes with the cost of increasing transaction complexity and size. MimbleWimble has some interesting privacy features and it is exciting to see it implemented in Grin and Beam. Both teams are striving to show that MW can achieve an interesting balance between simplicity and privacy. Although I think that MW privacy guarantees, in the current state, are lower than Zcash and Monero, this may change in the future. It may be possible with additional developments to the MW protocol to reach a privacy level comparable to Monero. However, it may not be possible to achieve the privacy guarantees of Zcash shielded transactions without encryption.


Thanks @john. This was an excellent read. I’m following Beam (and Grin to some extent) for privacy aspect. I did not know about the MimbleWimble’s short coming. Specifically about the “unconfirmed TX pool”. As you say some agency can gather all the date from the pool and continuously analyse the chain to pinpoint the transfers.
I know way to little about this but i have seen that in Beam wallet you can have addresses that are temporary. But if that info (+IP’s ?) is already recorded from the unconfirmed TX pool i guess its not that private after all.
Would be great if this article was updated to reflect the new updates. Maybe there has been some improvement. I will also ask in Beam channel for more information.

1 Like

I talked about the shortcomings in Beam in regard to this article and got this feedback:
In short:

dandelion and sbbs.

A bit longer explanation:

yeah. I think the commentary in that article was probably accurate for the mimblewimble protocol as it was at that time, but many other things were implemented to make Beam what is was at launch. i like to describe dandelion in laymans terms inasmuch that it is a form of a DAG - yet pruned… and in that ‘movement of assets’ there is extra obfuscation where transactions are not linear, and thus cannot be seen as a single output. The SBBS system allows secondary obfuscation as it is simply like a ‘velcro wall’ where the asset comes together after the obfuscated transport through the network. Of course, all in laymans terms as i understand it - I would not profess to be able to dissect the code for further analysis and the article author would likely argue with my terminology.

each personal Beam wallet has a velcro wall upon which transactions stick… you just need to put the wall in the right place, at the right time

From what i understand its not possible to simply record all transactions unconfirmed TX pool to identify sender/receiver. But your welcome to go to teams discord channel for more discussion.

1 Like

· YEN · YouTube · 10 Days of Bitcoin ·