MimbleWimble | An Answer to Scalable Blockchain Privacy
Achieving blockchain privacy and fungibility without sacrificing throughput has been a notoriously difficult challenge. Privacy enhancing upgrades such as zk-SNARKS and Confidential Transactions typically result in lower transaction capacity and higher transaction costs.
MimbleWimble, an alternative blockchain design, promises to surmount this challenge. The Harry Potter named design came into the public light in 2016 when Tom Elvis Jedusor released it on a developer website. Since then, researchers and developers from different blockchain projects have contributed to its development. Several teams are currently looking to bring MimbleWimble blockchains into public usage.
Let’s have a look at what’s under MimbleWimble’s hood.
Alternative Blockchain Design
MimbleWimble’s design is significantly different from UTXO blockchains like Bitcoin. For a start, there are no addresses and no scripting language, the rudimentary programming language used in Bitcoin.
In Bitcoin transactions, old outputs sign new outputs. All these outputs have their own uniquely scripted public keys. Users prove they have the funds they are claiming by signing transactions with their private key.
Whereas, in MimbleWimble, we do away with scripting altogether. Instead, outputs have their own corresponding public keys. A grand multi-signature key, also known as an excess value, is calculated by subtracting all the inputs of a transaction plus the transaction fee from all the outputs. By proving the value equals zero, it verifies that no new coins have been minted while simultaneously not revealing any transaction amounts. Furthermore, it negates the need for and the storage of all the output keys that nodes deal with. This massively reduces the amount of data that transactions take up in blocks and the total size of the blockchain.
The protocol uses blinding factors and Pedersen schemes to obfuscate transaction values. In combination, these features cryptographically ensure that only the sender and receiver in a transaction know the amounts exchanged. When transacting, the recipient generates this blinding factor and shares it only with the sender.
A MimbleWimble transaction contains just inputs, outputs, and a multi-signature key. Inputs simply reference previous outputs. Outputs are like transaction amounts but also contain the blinding factors and range proofs. Finally, the multi-signature key acts as a signature and verifies that senders bear the assets they are claiming.
There are no new cryptographic assumptions in MimbleWimble, rather just an innovative redesign of how transactions and blocks are structured. As such, the underlying cryptographic assumptions are well tested. However, just like Bitcoin, MimbleWimble is vulnerable to advances in quantum computing.
Achieving Privacy with Scalability
MimbleWimble is able to offer near-total privacy without making significant scalability tradeoffs. Transaction amounts, as well as senders and receivers, are all kept hidden.
Typically, privacy-focused blockchains, such as Monero and Zcash, have much lower throughput and higher fees than less private projects.
In effect, with MimbleWimble nodes are maintaining updated summaries between transactions. This mechanism differs from, say Bitcoin, in which they store and validate every transaction signature back to the genesis block. The result of this is that, despite the privacy-enabling cryptography, MimbleWimble blockchains can be of similar size and transaction capacity as Bitcoin.
Despite solving the dilemma of privacy and scalability, MimbleWimble does have two notable disadvantages.
One of the biggest downsides to MimbelWimble is that it removes the scripting language altogether. This reduces any blockchain functionality beyond simple value transfer and monetary purposes. This functionality reduction means that second layer protocols like the Lightning Network will be far harder to integrate.
It is possible, however, to replicate some of the functionality currently offered by scripts through multi-signatures and timelock transactions, both of which are still possible with MimbleWimble. Andrew Poelstra, a Bitcoin developer, has stated that further smart contracting functionality is achievable through the combination of Bulletproofs and Scriptless Scripts.
Unfortunately, MimbleWimble has the same vulnerabilities to quantum computing advances as current UTXO blockchains.
The protocol relies on elliptic curve cryptography (ECC) for both its privacy and coin issuance controls. Quantum computing could theoretically break ECC, undermining the protocol altogether.
It is important to note, though, that developers should be able to preempt any such advances before they take effect. Furthermore, the ramifications would affect most blockchain projects in some way, and it is likely that quantum-secure changes will occur before we reach this point. In fact, according to Poelstra, most of MimbleWimble can be updated with quantum-secure primitives. However, further work is necessary to find satisfactory quantum secure range proofs.
There are a few projects actively working on full MimbleWimble implementations. Bitcoin and Litecoin developers are looking at ways to benefit from MimbleWimble’s innovations without sacrificing the existing UTXO design.
Grin is an open-source, non-commercial project developing its own MimbleWimble blockchain. Their focus is on providing a private and scalable cryptocurrency. There is no hard cap, and the inflation rate is significant for the first few years of existence. This stops the coin from being a strong store of value. Instead, it intends to be a medium of exchange, i.e. a currency.
Beam is another project delivering a MimbleWimble blockchain. Unlike Grin, Beam has more of a commercial background. Transactions include a block reward that goes to its foundation, much like how Zcash operates. Beam has a less inflationary model than Grin, with a hard cap on total supply, positioning itself more as a privacy-enabled store of value as much as a medium of exchange.
The Litecoin development team are actively considering MimbleWimble as part of a softfork upgrade in 2019. Due to the scripting limitations, among other factors, the team is contemplating integrating the protocol via extension blocks to run alongside the existing Litecoin blockchain. This strategy would allow for the retention of the current Litecoin blockchain and its associated advantages while offering the ability to leverage the privacy of MimbleWimble on demand.
In fact, the Litecoin Foundation and Beam are working together on further development.
Since MimbleWimble entails an entirely different way to structure transactions, blocks developers cannot simply add it to UTXO blockchains like Bitcoin without sacrificing the existing design.
However, it is possible to create MimbleWimble blockchains as sidechains, which can interact with Bitcoin via two-way pegs. This would allow you to interact between the two blockchains, using each one for their respective use cases. This choice would likely be between superior privacy/fungibility and more complex smart contracting functionality with greater security.
ABOUT THE AUTHOR
ABOUT THE AUTHOR
Ben is a crypto asset analyst, writer & investor who has been involved in the crypto market since April 2017. He currently writes a free biweekly newsletter at https://www.stateofthecrypto.com/ where he discusses technological and financial trends in the industry. He is also building his own cryptocurrency focused company. Ben specialises in writing about privacy & scalability developments, macroeconomic events, and valuation models for crypto assets. He is sceptical of much of the ICO & ‘new generation platform’ space, preferring the ‘hard money’ coins above all else.