Priori Incantatem, or Introduction to Mimblewimble

Mimblewimble is an extremely lightweight blockchain protocol that can be implemented either as an upgrade to Bitcoin or as an independent chain. By taking elliptic-curve cryptography several steps further than Bitcoin, Mimblewimble builds on techniques such as Confidential Transactions, CoinJoin and One-way Aggregate Signatures, and strips the blockchain of every byte that is not needed for validation, aiming at far better scalability and far stronger privacy.

Brief history

On August 2, 2016, a certain Tom Elvis Jedusor posted a link to a paper called Mimblewimble in a Bitcoin research channel. Both the name of the author and the title of the paper are references to the Harry Potter book series by J. K. Rowling. Tom Elvis Jedusor is Lord Voldemort's name in the French translation, while Mimblewimble is the Tongue-Tying Curse, which stops its target from revealing a secret or casting spells. The title fits: Tom's proposal offers a seemingly magical solution to privacy and scalability at the same time.

Andrew Poelstra of Blockstream elaborated on the original Mimblewimble paper and published his own version, adding further scaling improvements. According to Poelstra's calculations, Tom's protocol could reduce a 100 GB blockchain to only 15 GB. Poelstra claims that his proposal takes this a step further, shrinking the blockchain to less than a megabyte.

A few days later someone going by the name Ignotus Peverell started a GitHub project called Grin. These two names are also taken from the Harry Potter books. Ignotus Peverell is the original owner of the Cloak of Invisibility, a magical artefact that renders the wearer invisible, which is a fitting name. Grin is a reference to Gringotts Wizarding Bank. Grin and Beam are the two main implementations of the Mimblewimble protocol.

Scaling

Mimblewimble is a blockchain protocol that approaches scaling in a way no previously proposed solution does. Some chains sacrifice decentralisation by introducing masternodes and coordinators. Others implement first-layer solutions like sharding or second-layer remedies like payment channels, both of which entail architectural complexity. Mimblewimble, in contrast, offers a stripped-back protocol by cutting out all non-essential data.

As we already know, a transaction spends previously received outputs as its inputs and creates new outputs. Imagine Alice sends Bob 1 coin, Bob passes it on to Carol, and Carol sends it to David. Bitcoin must keep every one of those transactions in full. Mimblewimble applies cut-through: an output that is created and then spent again within the same block (and, on a node that prunes its history, any spent output at all) cancels against the input that spends it and can be dropped. What remains is Alice's input, David's output and one small transaction kernel per hop, each carrying a signature. Bob's and Carol's intermediate outputs are gone, since they are now irrelevant; their kernels stay behind as proof that every step on the way from Alice to David was authorised.

What makes this possible is that the total supply of coins is always known. Only coinbase transactions, by which I mean the transactions that mint new coins and pay them to miners, create coins, so every coin has a path from the miner that minted it to its current owner. When verifying a transaction, Mimblewimble checks that the sum of the inputs equals the sum of the outputs plus the fee. If I send you 2 coins, 2 coins must come out the other end. Because amounts are hidden, however, the balance check alone cannot tell a genuine output from a negative one: I could 'send' you -5 coins alongside a 15-coin output to myself, and 15 - 5 = 10 would still balance against my 10-coin input, creating 5 coins out of thin air. That is why every output also carries a range proof, a zero-knowledge proof that its hidden amount lies within a fixed non-negative range, so no output can wrap the sum around.

Privacy

Elliptic-curve cryptography

Mimblewimble, like Bitcoin, builds its public-key cryptography on elliptic curves (ECC). The hard problem behind ECC is not integer factoring (that is RSA's problem) but the elliptic-curve discrete logarithm: given a point G on the curve and the point Q = k·G obtained by adding G to itself k times, there is no known efficient way to recover k. Computing Q from k is cheap, a few hundred curve operations for a 256-bit k; going the other way is believed to cost on the order of 2^128 operations on the curve Bitcoin uses.

An elliptic curve, for our purposes, is a large finite set of points (x, y) that satisfy the curve equation over a finite field, together with a rule for adding two points. A private key is simply a large random number k, and the matching public key is the point k·G, where G is a fixed generator point everyone agrees on. You can publish k·G without fear because extracting k from it is the discrete logarithm problem above.

No addresses

In Mimblewimble, however, there are no addresses. The two parties build the transaction together, exchanging a few pieces of data over whatever channel they like, be it e-mail, a chat message or a dedicated wallet-to-wallet protocol. During this exchange the recipient chooses a secret blinding factor for the output it is about to receive and contributes the resulting commitment and a partial signature; only the holder of that blinding factor can later spend the output. Nothing that would let an outsider tie the output to a person is ever published.

No amounts

The Mimblewimble network validates transactions without knowing their amounts. All it needs to check is that the sum of the inputs minus the sum of the outputs and the fee is zero. Each amount v is hidden inside a Pedersen commitment, C = r·G + v·H, where G and H are two fixed points on the same curve whose relationship to each other nobody knows, and r is a secret blinding factor chosen by the output's owner. Because commitments add up exactly like the numbers inside them, a verifier can add all output commitments, subtract all input commitments, and confirm that the v·H terms cancel: whatever is left must be a pure multiple of G, namely (sum of output blinding factors minus sum of input blinding factors)·G. That leftover is called the kernel excess, and it doubles as a public key. The parties sign with the matching secret, which both authorises the transaction (only holders of the blinding factors can produce the signature) and proves that no hidden value is smuggled inside the excess. The blinding factor is what hides the amount: for any amount there is some r that yields the same commitment, so the commitment alone reveals nothing.
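To make the commitment arithmetic, the balance check, the need for range proofs and cut-through concrete, here is an added example that is not code from the original article, Grin or Beam: a toy Mimblewimble transaction on secp256k1 in pure Python 3.8+ with no dependencies. It assumes a second generator H derived by hashing (any fixed point with unknown log_G(H) would do), a plain Schnorr signature over the fee as the kernel signature, tiny blinding factors for readability, and no range proof, so `demo_inflation` deliberately shows a -5 output slipping past the balance check. The function and variable names are the example's own.

```python
import hashlib
from functools import reduce

# secp256k1, the curve Bitcoin, Grin and Beam use.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add; k is reduced mod N, so ec_mul(-5, H) is -5*H. A public key is ec_mul(secret, G)."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_to_point(label):
    """Second generator H with log_G(H) unknown to everyone: hash to an x coordinate,
    then solve y^2 = x^3 + 7 (P % 4 == 3, so y = rhs^((P+1)/4) whenever a root exists)."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)

H = hash_to_point(b"mimblewimble-toy-H")  # assumption: the label is arbitrary

def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H: hiding, and binding because log_G(H) is unknown."""
    return ec_add(ec_mul(blind, G), ec_mul(value, H))

def hash_scalar(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def schnorr_sign(priv, msg):
    k = hash_scalar(b"nonce", priv.to_bytes(32, "big"), msg)  # deterministic nonce
    R = ec_mul(k, G)
    return (R, (k + hash_scalar(R[0].to_bytes(32, "big"), msg) * priv) % N)

def schnorr_verify(pub, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(hash_scalar(R[0].to_bytes(32, "big"), msg), pub))

def build_tx(inputs, outputs, fee):
    """inputs/outputs are (value, blinding) pairs known only to the two parties; the
    recipient picks the blinding of its own output, and that is its whole 'address'.
    On chain go the commitments plus one kernel: excess E = (out blinds - in blinds)*G,
    the fee, and a signature under E. Neither an address nor an amount is published."""
    excess = (sum(b for _, b in outputs) - sum(b for _, b in inputs)) % N
    kernel = (ec_mul(excess, G), fee, schnorr_sign(excess, fee.to_bytes(8, "big")))
    return [commit(v, b) for v, b in inputs], [commit(v, b) for v, b in outputs], [kernel]

def verify(inputs, outputs, kernels):
    """Validator's view: sum(out) + fee*H == sum(in) + sum(E) holds only if the value terms
    cancel, and each kernel signature proves its E is a pure G-multiple with no value inside.
    The same check serves one transaction or a whole block of merged transactions."""
    fee = sum(f for _, f, _ in kernels)
    lhs = reduce(ec_add, outputs + [ec_mul(fee, H)], None)
    rhs = reduce(ec_add, inputs + [E for E, _, _ in kernels], None)
    return lhs == rhs and all(schnorr_verify(E, f.to_bytes(8, "big"), sig) for E, f, sig in kernels)

def merge(*txs):
    """CoinJoin-style aggregation plus cut-through: a commitment that is an output of one
    transaction and an input of another cancels on both sides and is dropped."""
    ins = [c for tx in txs for c in tx[0]]
    outs = [c for tx in txs for c in tx[1]]
    spent = [c for c in outs if c in ins]
    return ([c for c in ins if c not in spent], [c for c in outs if c not in spent],
            [k for tx in txs for k in tx[2]])

# Constructed scenarios; the tiny blinding factors are for readability only.
def demo_payment():
    """Alice spends a 10-coin output: 7 to Bob, 2 change, 1 fee; then a tampered copy."""
    good = build_tx([(10, 111)], [(2, 222), (7, 333)], fee=1)
    bad = build_tx([(10, 111)], [(3, 222), (7, 333)], fee=1)  # 11 out of 10 in
    return verify(*good), verify(*bad)

def demo_inflation():
    """Without range proofs a -5 output balances: Alice mints 5 coins from nothing."""
    return verify(*build_tx([(10, 111)], [(15, 444), (-5, 555)], fee=0))

def demo_cut_through():
    """Alice -> Bob -> Carol -> David: only Alice's input, David's output and three
    kernels survive the merge, and the merged set still verifies."""
    a2b = build_tx([(10, 111)], [(10, 200)], fee=0)
    b2c = build_tx([(10, 200)], [(10, 350)], fee=0)
    c2d = build_tx([(10, 350)], [(10, 444)], fee=0)
    ins, outs, kernels = merge(a2b, b2c, c2d)
    return len(ins), len(outs), len(kernels), verify(ins, outs, kernels)
```

`demo_payment()` returns `(True, False)`, `demo_inflation()` returns `True` (the balance check is satisfied, which is exactly why a real node insists on a range proof per output), and `demo_cut_through()` returns `(1, 1, 3, True)`. Note that `verify` never sees a value or a name: it only adds points, and the kernels are the only trace Bob and Carol leave behind.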

CT, OWAS and CoinJoin

Mimblewimble builds on Confidential Transactions, the technique that hides amounts so that only the parties involved know how much was sent. Confidential Transactions on their own still reveal who transacted with whom and that a transaction took place. With neither addresses nor amounts, Mimblewimble makes it hard to tell even whether something happened at all, which makes its coins far more fungible than Bitcoin's. In addition, Mimblewimble uses One-way Aggregate Signatures, an idea that grew out of CoinJoin, to merge several transactions into one, so that within a block nobody can tell which inputs belong with which outputs.

Such compact storage has its drawbacks, mainly in the form of limited flexibility. Mimblewimble cannot currently support second-layer solutions such as the Lightning Network. The protocol has no scripting language, so smart contracts are much harder to implement. Cross-chain atomic swaps are also very difficult on Mimblewimble, although Beam claims to have found a way.

Grin

Grin is a minimal implementation of the Mimblewimble protocol. At the time of writing Grin is only on testnet and largely an experimental project. It is an entirely community-driven project with no ICO or pre-mine; development is funded by community donations. Grin uses the Cuckoo Cycle proof-of-work algorithm, which is claimed to be highly ASIC-resistant.

Beam

Beam was announced just a few months ago, with its position paper published on June 16, 2018. Like Grin, Beam will not hold an ICO or pre-mine coins. Development is funded by a treasury that receives a share of every block reward during the first five years.

Links

Original Mimblewimble paper by Tom Elvis Jedusor

Mimblewimble followup paper by Andrew Poelstra

Mimblewimble presentation by Andrew Poelstra

Introduction to Grin by Ignotus Peverell

Introduction to Elliptic Curve Cryptography

Bitcoin Magazine article

Mimblewimble for Bitcoiners

List of resources

Grin

Grin Project

Cuckoo Cycle

Grin forum

r/grincoin

Community chat

Beam

Beam

Beam position paper

Mimblewimble Explained Like You're 12

Just in case: Pottermore, to decode all those Easter eggs
