Mimble Wimble

In cryptocurrencies, privacy and scalability are often tradeoffs. Coins such as Monero and Z-cash offers enhanced privacy but, the cost of heavy cryptography operations and the need to store all the relevant data poses a challenge in scalability. Thus, Private transactions involve a lot more cryptography and are heavy to store on the Blockchain. But a recent development in the Blockchain space named ‘MimbleWimble’ has the potential to offer scalability and privacy without compromising on either side.

In 2016, a user going by the name Tom Elvis Jedusor dropped a link to a whitepaper in an IRC chat. The link contained a text file titled “MimbleWimble”. In short, it is a new way of creating a Blockchain which is private by default and also scales. The solution has the potential to scale Bitcoin while adding to its privacy too.

There are a couple of interesting facts about MimbleWimble that are also becoming part of every discussion on it. The term itself is a reference to a tongue-tying spell from the Harry Potter series. And the name of its creator, Tom Elvis Jedusor is actually the name of Voldemort, the evil character from the same series. Just like Satoshi Nakamoto (creator or Bitcoin), Tom Elvis is also not a true identity but a pseudonym (from the French version of Harry Potter).

After Tom Elvis posted the document, it started to go a little viral. Soon, Andrew Poelstra, a developer from Blockstream did a presentation on MimbleWimble. Later, on the same IRC channel, a person by a pseudonym “Ignotus Peverell” announced that (s)he is working on an implementation of MimbleWimble called Grin. Ignotus Peverell is another reference from the Harry Potter movie.

Why MimbleWimble is a big thing?

In the current implementation of the Bitcoin core, the method to verify the integrity of the Blockchain is cumbersome. The verifiers need to run all the transactions chronologically from the genesis block to reach the current state of the Blockchain. Each input to a new transaction is linked to the output from a previous transaction using cryptography. The whitepaper on MimbleWimble mentions that “At the time of this writing, there were nearly 150 million transactions committed in the Blockchain, which must be replayed to produce a set of only 4 million unspent outputs.”.

To understand how MimbleWimble transaction work, we’ve to understand how Bitcoin’s current unspent transaction model, also referred to as UTXO. When you send Bitcoins around, it’s actually not just balances going from one user to another. Every transaction is made up of a bundle of inputs and associated bundle of outputs, which go from one person to another. So, when you are sending one Bitcoin to someone’s public address, your wallet software is actually bundling up a bunch of inputs that you received from previous transactions to make up that one Bitcoin which you can send. It’s not just the matter of subtracting one from your balance and then adding it to someone else’s. When the wallet software is bundling up these multiple inputs and sometimes there are hundreds of inputs. Each different input has a unique ID. To make sure everything is cryptographically secure, the wallet software has to go through and individually sign each one of those inputs using the private key. This gets computationally heavy because we are creating a lot of signatures that go into the next transaction. This also gets worse over time as more user join the network and with this, we end up with a very heavy Blockchain in terms of data storage.

The data related to every new transaction is added onto the Blockchain, which is not prunable. And if the nodes decide not to verify the integrity of the older transactions from the very beginning, they have to download all that signature for all the input and outputs. If not validated repeatedly, the hackers will get incentivized to go back in history and alter previous transactions. Along with that, the resulting “transaction graph” reveals a lot of information. Its analysis makes the Blockchain non-private and even dangerous for people to use. The privacy issues can be solved with the recently proposed “Confidential Transactions” and “CoinJoin”. These solutions are good, but they make the problem of scalability even worse.

Elliptic Curve Cryptography

MimbleWimble as a solution sounds magic, but there is a lot of cryptography going behind it. Before we get down to explaining the MimbleWimble, let’s understand how Elliptic Curve cryptography works. Every user has two keys (think of them as passwords or signatures). One is a private key (private signature) and another one is a public key. A private key, as the name suggests, is private to its owner and we use the public key of the receivers to sign transactions and send them. The receiver then uses his corresponding private key to redeem the coins.

The Elliptic curve is fancy math, which outlines a curve (mathematically) with pre-defined points. When we multiply a private key with a point (numerical value) on that curve, it produces the corresponding public key (wallet address). So, it is possible for a user to create his or her public key using their own private key but the same process cannot run backward.

How does MimbleWimble work?

MimbleWimble is a design for a Blockchain-based ledger that is very different from Bitcoin. It can be implemented as a sidechain, or as a soft-fork into Bitcoin (as an extension block) too. It proposes a solution, that instead of creating a number of signatures, we create only one multi-signature for all those inputs and outputs.

Here is what’s happening behind the scene when two parties are involved in a transaction. The process subtracts all the outputs from the inputs and we end up with a point on Elliptic Curve which corresponds to a public key. This public key is actually a multi-signature public key for all the parties involved in that transaction. Producing that signature means it was signed by all the parties involved in that transaction.

In other words, instead of storing inputs and outputs for each transaction, MimbleWimble combines the transactions across block (a block contains some transactions) using some glue data. So when the outputs are created and destroyed, it is the same as if they never existed. Here, to validate the entire chain, users only need to know when money entered into the system and the final unspent output (balance) along with the stored multi-signature, rest is prunable.

Another important difference in the MimbleWimble transactions is that there are actually no addresses in the system. You don’t need to specify a public key somewhere as you do in Bitcoin. Here, the two participating parties that are sending money to one another need to share something called ‘Binding Factor’. This whole process in encapsulated as no addresses are shared in public, that maintains the privacy because just the involved parties know what’s going on. This kind of transaction is called ‘Confidential Transaction’ (link this to COSS Wallet’s blog on CT). The binding factor is a shared secret which encrypts all the input and outputs taking part in that transaction.

Advantages of MimbleWimble

The entire setup makes MimbleWimble a private transaction, ensuring the user’s privacy. The biggest advantage is that it makes Blockchain very lightweight in terms of storage. The validation process is similar to Bitcoin as it ensures that no money is printed out of thin air. It also checks that any inputs have been signed by the owners of those inputs. At the end of the transaction, we are left with a compact header that it cryptographically verifies that all the inputs and outputs add up to zero. This occupies a lot less space because we do not need to publicly store all the input/output data along with the signatures. The MimbleWimble will only store these light headers and the rest of the data is prunable. The nodes only need to download the history of all these headers in order to verify the nodes. This design claims that it can reduce the size of Bitcoin Blockchain which is currently at around 200 GB down to 70 GB.

Potential limitation

Unlike Bitcoin, where people send their public addresses and you can send them money whenever you want, in MimbleWimble there are no addresses in the system. Both parties have to share the binding factor to communicate before the transaction. Essentially, two parties online at the same time can only facilitate the transaction.

The implementation of MimbleWimble in form is currently running in a Testnet and we are yet to see its full potential. How the network propagation, theoretical loopholes, or other issues will lead the way for further upgrades in this solution. MimbleWimble is really unique technology as it offers privacy and scalability without trading off one for another.