An introduction to Grin
After more than two years in development, on 15 January 2019, the Grin mainnet will come online. This article is a primer on how Grin works, how it came to be, its monetary policy, and the other details you need for a basic understanding.
Introduction
At about 04:30 UTC on the morning of August 2nd, 2016, an anonymous person using the name Tom Elvis Jedusor signed onto a Bitcoin research IRC channel, dropped a document hosted on a Tor hidden service[Jed16], then signed out.
Mimblewimble — Andrew Poelstra [PDF]
The document introduced MimbleWimble, an elegant solution to some of Bitcoin’s privacy and scaling problems, explained in less than 1,500 words. Interestingly, MimbleWimble built upon another anonymous paper that showed up in a similar fashion a few years earlier, the one introducing one-way aggregate signatures (OWAS).
Mimblewimble is a design for a cryptocurrency whose history can be compacted and quickly verified with trivial computing hardware even after many years of chain operation.
Mimblewimble — Andrew Poelstra [PDF]
While the solution seemed brilliant and not extremely complex to implement, it required a major overhaul of the Bitcoin code and, potentially, a hard fork. A hard fork means that the new blocks would not be accepted by old nodes, which would make the upgrade non-backwards-compatible. The hard fork could be avoided, but doing so would significantly increase the complexity of the project.
Introducing mimblewimble into bitcoin in a backwards-compatible way would be a difficult exercise. It may not be impossible, but it would be hard. I think the way if people were experimenting with this, I would expect it to be an experimental separate chain or sidechain. In a sidechain we would not introduce a new cryptocurrency but it would be a separate chain. There are some downsides to mimblewimble. In particular, it does not have a scripting language.
Pieter Wuille on The Crypto Show Podcast
So the idea of integrating MimbleWimble in Bitcoin was discarded, favoring a layer-2 or a sidechain solution. However, developers soon realized that it would be much easier to develop an independent blockchain based on MimbleWimble, and thus Grin was born.
Grin is an open source software project that implements a MimbleWimble blockchain and fills the gaps required for a full blockchain and cryptocurrency deployment.
Introduction to MimbleWimble and Grin
MW is just a blockchain format and protocol that provides good scalability, privacy and fungibility by relying on strong cryptographic primitives. While it makes some compromises by ditching the scripting language that is prevalent in most blockchains, thanks to “cryptographic trickery”, many contracts that in Bitcoin would require a script can be achieved with Grin using properties of Elliptic Curve Cryptography. So far, the following solutions have been proposed or implemented:
- Multi-signature transactions.
- Atomic swaps.
- Time-locked transactions and outputs.
- Lightning Network.
All these implementations fall under what are known as scriptless scripts, a way to encode smart contracts into digital signatures. The thing with scriptless scripts is that we are still at very early stages of research or development, so their true potential is still being explored.
Scalability
While Grin is certainly scalable in some senses, it probably doesn’t allow many more transactions per second (tps) than Bitcoin or Ethereum. Jasper van der Maarel, one of Grin’s developers, commented that it will probably allow 10 tps. This limitation applies only to the base layer; implementing a solution such as Lightning Network would increase the number of tps by several orders of magnitude.
So when we say that Mimblewimble is a scalable solution, we are referring mostly to the fact that fully validating transactions is very simple, as opposed to Bitcoin or Ethereum, where you have to download the whole blockchain, which grows at a pace of 20–50 GB yearly.
Monetary Policy
Unlike Bitcoin, the number of Grincoins that will ever come into existence is not limited. Grin is designed to have a block every 60 seconds on average, and with every block 60 new Grincoins are minted. So on average, a new Grincoin will be minted every second forever. Since there will be an ever-growing stock of Grincoins out there, the 1 coin/s will represent a smaller and smaller part of the total coins in circulation, and therefore the inflation rate will approach 0. Visually it looks this way.
Like bitcoin, this design is highly inflationary at the beginning and deflationary in the long run, since inflation will tend to zero and coins become accidentally inaccessible all the time. Another similarity with bitcoin is that it won’t be premined; that is, the initial supply of the coin will be zero.
A good writeup on Grin’s monetary policy.
Grin’s high early inflation will mean that the stock-to-flow ratio starts out extremely low, incentivizing spending rather than HODLing. This encourages use as a medium of exchange, which can create network effects and also increase churn, potentially creating a wider wealth distribution. It also discourages speculation. Early Grin holders will be diluted significantly, so it’s more rational to spend Grin than to save it. Early on, Grin’s utility value will be in using it, rather than just accumulating it.
Indeed, if we take a look at the first 10 years, we see that inflation starts out very aggressive, at 400% yearly, but drops to 9% in 2029. Grin’s inflation schedule looks similar to Bitcoin’s or Ethereum’s.
And if you want to dig really deep into the monetary properties and model of Grin, I am pretty sure that these are the most comprehensive articles out there:
- Grin Money Explained #3 — Supply and Monetary Properties of Grin
- Grin Money Explained #4 — Exploring Grin’s Monetary Model
How can I get Grincoins?
Grin is not doing an ICO, and there is no founders’ reward or any other scheme to enrich its developers. Everybody who is interested in acquiring some Grincoins will get the chance to mine them after launch. The initial supply will be 0.
Instead of mining, you will also be able to buy them on an exchange. Initially, the only exchange that will have Grin listed will be bisq.network. However, since initially the supply of grincoins will be very low, we recommend waiting a few months until the hype has died down and the number of coins in circulation has increased.
Mining Grin
Grin will feature two separate proof-of-work (PoW) mechanisms in its first 2 years. The “primary” one is Cuckatoo, a variant of Cuckoo Cycle designed to be ASIC friendly (AF), as explained here. The complementary one is Cuckaroo, an ASIC-resistant (AR) variant of the Cuckoo Cycle algorithm aimed at GPU miners.
Cuckatoo (AF) will start out getting only 10% of the reward at launch, climbing linearly to 100% after 2 years. By that time, the developers hope that there will be ASIC designs from multiple manufacturers engaged in competition. On the other hand, Cuckaroo (AR) will start out getting 90% of rewards at launch, dropping linearly over the course of 2 years down to 0%.
The mainnet will launch with two small variations: cuckAToo31+ and cuckARoo29.
If you are interested in mining, here are some mining stats for different GPUs: https://github.com/mimblewimble/docs/wiki/GPU-Mining-Stats
Explorer: https://grinexplorer.net/
Other cool technology implemented in Grin
Taken from this post:
- Schnorr Sigs / MuSig / AggSig: A different signature scheme from ECDSA that, as far as Grin is concerned, provides multi-signatures, smaller signature sizes and improves security. But most importantly, it paves the way for certifiable transactions and scriptless scripts.
- Certifiable transactions: As-is, MimbleWimble transactions have a security flaw where the receiver can claim the funds were never received and the sender can’t prove they were. The certifiable transactions protocol fixes this.
- Bulletproofs: Confidential transactions require the inclusion of what is called a range proof. Unfortunately, until Bulletproofs, range proofs could be very large (~5kb). Bulletproofs make range proofs much smaller (~700 bytes), faster to verify in batches and could enable further zero-knowledge proofs.
- Scriptless scripts: MimbleWimble can’t allow Bitcoin-style scripts. In theory this should be very limiting. But in practice, leveraging Schnorr signatures, we can re-introduce multiple types of smart contracts. Including the basis for lightning network and…
- Atomic swaps: One type of scriptless script that allows exchanging Grincoins with other cryptocurrencies trustlessly.
- Merkle Mountain Range (MMR) and TXO commitments: Every grin block, using a Merkle-like structure optimized for performance, commits to the full TXO set. This enables fast sync as well as Merkle proofs. And by pruning the structure, a unique representation of the UTXO set.
- Merkle proofs: MMRs allow grin and any wallet to uniquely prove the existence and (un)spentness of any output. This is useful in a variety of protocols, and especially for light clients.
- Compact blocks: Most chains send a transaction twice: when it’s created and inside a block. Compact blocks eliminate the redundancy, making blocks a lot smaller.
- Confidential Assets: Extension to Confidential Transactions that would allow multiple asset types to be tracked on the same blockchain, including other cryptocurrencies like bitcoin. Confidential Assets don’t just hide the amounts and participants involved in a transaction, but also the asset itself.
Grin, Monero or Zcash, which one is better?
They all have different approaches to privacy. Monero’s privacy is based on ring signatures and, like Grin, it’s private by default. Zcash is based on “zero-knowledge proofs”, which are implemented in Grin too, but it applies them through optional (non-mandatory) “shielded transactions” that use zk-SNARKs for privacy. They all have some pros and some cons, but so far their privacy has been holding up, so only time will tell whether all 3 will be able to get along or whether one of them will end up turning into a clear winner.
Summary
After 2 years in development, Grin will launch on 15 January 2019. Grin is an implementation of MimbleWimble, a technology that allows good scalability, privacy and fungibility. Grin’s main focus is privacy, since both transactions and their amounts are obfuscated. Grin won’t have an ICO, its initial supply will be 0, and its inflation rate will be 1 Grincoin per second in perpetuity. Only time will tell, but given the interest that Grin has aroused in the cryptocurrency community, it is likely that it will become a popular privacy coin.
Bonus: Let’s get a bit technical
If you have made it this far, you have probably gained a base level of understanding of the project, and you can stop reading here. However, if you want to dig a bit deeper into the technical details behind MimbleWimble and Grin, there is an excellent post on the Grin GitHub. Unlike Bitcoin, Grin doesn’t use a set of public addresses; instead, the transactions include the following:
- A set of inputs, that reference and spend a set of previous outputs.
- A set of new outputs that include:
  - A value and a blinding factor (which is just a new private key) multiplied on a curve and summed to be r.G + v.H.
  - A range proof that shows that v is non-negative.
- An explicit transaction fee, in clear.
- A signature, computed by taking the excess blinding value (the sum of all outputs plus the fee, minus the inputs) and using it as a private key.
And a transaction between two parties consists of an exchange of private keys and information, which can happen online or offline. The difference is that with most cryptocurrencies you can move money between addresses without the receiving address accepting it, while with Grin, both parties need to agree to enter into the transaction. Since there are no addresses, for now, IP addresses are being used to establish communications between two wallets that want to enter into a transaction. This is what a transaction looks like:
~/.grin$ grin wallet -p XXXXX send -d "http://XX.XX.XX.XX:13415" 23.00
Another interesting thing is that validators can validate the transaction without ever seeing the amount that is being transferred. Instead of checking that x amount of coins has been transferred from address A to address B, they just make sure that a transaction happened and that Inputs − Outputs = 0 (ignoring fees for simplicity).
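As an added illustration (not code from Grin or from the original article), the sketch below builds the r.G + v.H commitments from the list above and shows how a validator can check that outputs plus fee minus inputs leaves only a public key the sender can sign for, without ever seeing an amount. The choice of the secp256k1 curve, the way the second generator H is derived, the toy Schnorr scheme and all function names are assumptions made for this example.

```python
# Added illustration (toy code, not Grin's): Pedersen commitments on secp256k1.
import hashlib
from functools import reduce

P = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc, k = None, k % N
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def h2i(*parts):  # hash arbitrary values to an integer
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def second_generator(ctr=0):  # constructed H: nobody knows h with H = h.G
    while True:
        x = h2i("constructed H", ctr) % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P:
            return x, y
        ctr += 1
H = second_generator()

def commit(r, v):  # r.G + v.H: blinding factor r hides value v
    return add(mul(r, G), mul(v, H))

def excess(inputs, outputs, fee):  # sum(outputs) + fee.H - sum(inputs)
    return reduce(add, outputs + [(x, -y % P) for x, y in inputs], mul(fee, H))

def sign(x, msg):  # toy Schnorr signature with a deterministic nonce
    k = h2i("nonce", x, msg) % N
    return mul(k, G), (k + h2i(mul(k, G), mul(x, G), msg) * x) % N

def verify(X, msg, sig):  # accept iff s.G == R + e.X
    return mul(sig[1], G) == add(sig[0], mul(h2i(sig[0], X, msg), X))
```

When the amounts balance, the H terms cancel and excess() equals x.G, where x is the sum of the output blinding factors minus the sum of the input blinding factors, so a signature made with x verifies. If the outputs create value out of nothing, a multiple of H remains in the excess and the same signature check fails.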
Originally published at exponent.capital on January 12, 2019.