Last Tuesday at 04:01:26 UTC, the Grin mainnet went live. Grin is a cryptocurrency, but unlike most, it is not based on the Bitcoin protocol. Instead, Grin uses Mimblewimble, which was first proposed in 2016. Mimblewimble is an important development because it improves both privacy and scalability, two concerns that are normally at odds with each other.
On August 2, 2016, a user calling himself Tom Elvis Jedusor posted a .onion link to the Bitcoin developers IRC channel. The link went to a hidden Tor site that contained a single document entitled “Mimblewimble,” dated July 19, 2016. In that document, Jedusor described a blockchain implementation that would function in a radically different manner than the Bitcoin blockchain.
Jedusor borrowed his name from the French translation of Voldemort’s name in the Harry Potter series, Tom Marvolo Riddle. The .onion top-level domain can be accessed only from within the Tor network, which is a global network specifically designed to obfuscate a user’s IP address. “Mimblewimble” in the Harry Potter universe is the tongue-tying curse, a spell which prevents a person from speaking about something. Mimblewimble’s creator clearly sought to hide his identity, much like Satoshi Nakamoto, whose identity still remains a mystery.
In Bitcoin and most cryptocurrencies, transactions are public. Anyone can view blocks and see the sender, receiver, time, and amount of each transaction, and only pseudonymous wallet addresses protect user identities. Privacy coins like Monero obscure the details of transactions in order to better protect users, but because of the additional cryptography involved, private transactions are typically larger than public transactions. All other factors being equal, private transactions increase the size of the blockchain more quickly than public transactions, and the additional blockchain data increases the computational and storage requirements of nodes on the network. The Bitcoin blockchain is currently almost 200 gigabytes, and while the cost of data storage continues to decrease, starting a new node requires downloading and verifying the entire blockchain, a process that may take days depending on hardware. The computational and storage needs of private transactions are the reason that privacy and scalability are usually at odds with each other.
Mimblewimble, however, cleverly addresses both simultaneously. Jedusor created Mimblewimble by extending Gregory Maxwell’s confidential transactions to the entire blockchain. A confidential transaction encrypts transaction amounts with a blinding factor. Conceptually, a blinding factor is like multiplying both sides of an equation by the same value. The blinding factor hides the transaction amount but still allows the network to verify that no new coins have been created. The inputs and outputs still balance correctly. Jedusor also used confidential transactions to create a noninteractive form of Maxwell’s CoinJoin (coin mixing), effectively bundling transactions together to obscure their details from observers. Every Mimblewimble transaction looks like a random point on an elliptic curve. The protocol enforces privacy by default without the need to build confidentiality on top of a transparent blockchain.
By using another idea from Maxwell, transaction cut-through, Jedusor drastically reduced the size of a Mimblewimble blockchain. Transaction cut-through works on the idea that an input to a new transaction was once an output from another transaction. Imagine that Alice sends one coin to Bob and that Bob then sends that coin to Charlie. Alice’s input becomes an output to Bob, but that output becomes Bob’s input to Charlie. Since Bob’s unspent coin has now been spent, Bob can be subtracted from both the output and input sides. All that remains of his interaction is some signature data that prevents anyone other than Bob from approving the transaction to Charlie. Transaction cut-through allows most blockchain data to be deleted. The size of the blockchain scales mainly with the number of unspent transaction outputs (UTXOs) rather than the number of total transactions, drastically reducing the amount of data stored. The Beam developers estimate that their Mimblewimble blockchain will be about a third to 10% of Bitcoin’s blockchain size given an equivalent amount of use.
Extending the idea further, Alice’s original coin had some history, but all of the outputs in that history were consumed by new inputs when the coin was transferred. Only the coin’s origin, its coinbase transaction, remains, so the Mimblewimble protocol continually erases a coin’s history without affecting proof of ownership. The lack of history ensures that Mimblewimble coins are truly fungible. All coins are indistinguishable from one another.
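The blinding-factor balance check and the Alice, Bob, Charlie cut-through described above, worked through as an added example that is not code from Grin, Beam, or the original paper. It assumes a toy multiplicative group in place of the elliptic curve, omits the range proofs and kernel signatures a real chain requires, and every name and parameter in it is constructed for illustration.

```python
# Toy parameters, constructed for illustration and NOT secure: the
# multiplicative group mod a Mersenne prime stands in for the elliptic curve.
P = 2**127 - 1
Q = P - 1        # exponents can be reduced mod P-1 (Fermat's little theorem)
G, H = 3, 7      # G carries the blinding factor, H carries the amount

def commit(value, blind):
    """Pedersen commitment G^blind * H^value (blind*G + value*H on a curve)."""
    return pow(G, blind, P) * pow(H, value, P) % P

def product(items):
    acc = 1
    for c in items:
        acc = acc * c % P
    return acc

def make_tx(spent, created):
    """spent/created are (value, blind) pairs; the kernel commits to zero value."""
    excess = (sum(b for _, b in created) - sum(b for _, b in spent)) % Q
    return {"inputs": [commit(v, b) for v, b in spent],
            "outputs": [commit(v, b) for v, b in created],
            "kernel": pow(G, excess, P)}

def balances(inputs, outputs, kernels):
    """No coins created: outputs / inputs must equal the product of kernels."""
    return product(outputs) * pow(product(inputs), -1, P) % P == product(kernels)

def cut_through(txs):
    """Merge transactions, dropping every output that another input spends."""
    ins = [c for t in txs for c in t["inputs"]]
    outs = [c for t in txs for c in t["outputs"]]
    spent = set(ins) & set(outs)
    return ([c for c in ins if c not in spent],
            [c for c in outs if c not in spent],
            [t["kernel"] for t in txs])

def demo(blinds=(11, 22, 33)):   # constructed; real blinds are random secrets
    alice, bob, charlie = [(1, b) for b in blinds]
    tx1, tx2 = make_tx([alice], [bob]), make_tx([bob], [charlie])
    ins, outs, kernels = cut_through([tx1, tx2])
    forged = make_tx([alice], [(2, blinds[1])])   # one coin in, two out
    return {"tx1_ok": balances(tx1["inputs"], tx1["outputs"], [tx1["kernel"]]),
            "merged_ok": balances(ins, outs, kernels),
            "bob_removed": commit(*bob) not in ins + outs,
            "sizes": (len(ins), len(outs), len(kernels)),
            "forged_ok": balances(forged["inputs"], forged["outputs"],
                                  [forged["kernel"]])}

if __name__ == "__main__":
    print(demo())
```

After cut-through only Alice's input, Charlie's output and the two kernels remain, and the balance check still passes without Bob's commitment; the transaction that tries to turn one coin into two fails it.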
Mimblewimble is not without its drawbacks. Connections between transactions are still clear, even though they all appear random. It seems unlikely at this point that an attacker could glean useful information from a Mimblewimble blockchain, but it is still an unknown. Also, attackers would likely retain the data discarded by transaction cut-through in the hope that it could one day be decrypted. Quantum computers may someday become a threat, but Grin already has a plan for quantum resistance.
Also, Bitcoin has a simple yet robust scripting language that allows functions like multisignature wallets (wallets that require multiple keys to use) and off-chain payment channels like the Lightning Network. Jedusor had to eliminate scripts from Mimblewimble in order to make the protocol work. However, Andrew Poelstra and others have worked on emulating scripts in Mimblewimble (“scriptless scripts”). Developers for both Grin and Beam seem confident that many of the useful scripting features in Bitcoin can be implemented in some fashion in the Mimblewimble protocol.
Beam and Grin should be commended for pushing the state of the art forward. Meanwhile, Monero and Zcash continue to improve both scalability and privacy, and David Chaum’s Elixxir may have a solution for transaction speed. As the cryptocurrency space matures, I expect that privacy and scalability will continue to grow in importance.