MimbleWimble/Grin

Catheryne Nicholson
Published in BlockCypher Blog
8 min read · Aug 11, 2018

(Originally posted 4/30/17 on Coindesk, updated here)

When I became involved in Bitcoin in 2013, its potential seemed endless. It was heralded as a possible solution for micropayments, remittances, microfinance, parking meters, email spam, etc. Many women, myself included, believed in Bitcoin as a means to address world problems of poverty by providing access to capital for the remaining ¾ of the world.

As time passed, I became discouraged that many needed use cases did not come to fruition. Anything involving micropayments in Bitcoin has been eliminated. Start-ups attempting to build companies with those business models have died. The most popular use case for Bitcoin is a store of value. It’s not to say that isn’t immensely useful: in the growing number of countries with devaluating currencies, Bitcoin is an attractive alternative. Bitcoin has had an indelible impact as a groundbreaking technology. But it’s disheartening that it seems to have stalled in doing much more. Even with the help of second layer protocols such as Lightning, there are fundamental issues that will likely never be solved. And the vitriol constantly surrounding the Bitcoin community desperately calls for a Patronus Charm.[1]

This is why MimbleWimble caught my interest.

As a brief background, the original MimbleWimble white paper was placed by someone called Tom Elvis Jedusor (Voldemort’s French name in J.K. Rowling’s Harry Potter book series) on a Bitcoin research channel in July 2016. Tom’s white paper “Mimblewimble” (a tongue-tying curse used in The Deathly Hallows) was a blockchain proposal that could theoretically increase privacy, scalability, and fungibility.

At the end of 2016, someone named Ignotus Peverell (the original owner of the invisibility cloak, if you know your Harry Potter characters) started a GitHub project called “Grin” and began turning the MimbleWimble paper into something real. Andrew Poelstra, a mathematician at Blockstream, presented on this work in January 2017 at Stanford University’s Blockchain Protocol Analysis and Security Engineering 2017 conference. Ignotus posted a technical Introduction to MimbleWimble and Grin in early 2017.

It took me a bit to wrap my head around MimbleWimble/Grin. I will attempt to explain why what it proposes — privacy, freedom of choice, equal access, fungibility, and sustainable growth over time — is so important.

Privacy matters, a lot. One of the most important rights we have is the right to privacy. It’s our right to “keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity.”[2]

I consider privacy extremely important. It’s very apparent how valuable it is when you lose it or when someone violates it. Physical trespass of privacy is often preceded by online privacy violations. Events, such as Congress granting ISPs (Internet Service Providers) the right to sell your personal information — browsing habits, app usage history, purchasing habits, location data — and Facebook’s privacy fiasco are very concerning. As Luke Mulk from Brave elegantly wrote, “your digital data trail is the evidence of your human presence online. Your data is valuable, private, and most important, it’s yours.”[3]

If we cannot rely on our legislature to protect our constitutional rights (can we rely on them for anything anymore?), technology needs to intercede to make it harder to put your privacy up for sale. Privacy extends to what to share publicly about what we buy or whom we donate to. These transactions should not be open for the world to see. Women, especially those trying to escape repressive social or economic conditions, have a dire need to stay anonymous.

That’s a fundamental flaw in Bitcoin: every transaction and address balance is available for the world to watch and track. There are some things you can do to hide your transaction, such as tumbling, but you need to go out of your way to use them and they are breakable. Privacy-oriented cryptocurrencies like Monero and ZCash improve privacy significantly. Monero has adopted ring confidential transactions. ZCash leverages a technology called zk-SNARKs to build private transactions, which is a huge improvement. However, it still requires a lot of extra resources to build a confidential transaction, so most users still issue their transactions “in the clear” (clear vs shielded counts).

MimbleWimble/Grin is natively private. There are no ring signatures or zero-knowledge proofs on top of a transparent Bitcoin-like transaction. In a MimbleWimble/Grin transaction all values are fully obscured. There are no re-usable or identifiable addresses. Every transaction looks the same to an outside party.

The two properties verified in a MimbleWimble/Grin transaction are:

  1. No new money is created
  2. The parties sending money must prove ownership of their keys

To verify the first property, you must demonstrate that the sum of outputs minus the inputs equals zero to prove no new funds were created. To verify the second property, the transacting parties must legitimately prove their public and private keys exist to authorize the transaction.

MimbleWimble/Grin uses a blinding element to obscure all values — transaction amounts and keys — while keeping basic mathematical facts about them true. The blinding element relies on multiplying and adding secret factors to obscure real values. For example, let’s say I have a transaction with these amounts:

(1) 17 + 12 = 29

The balanced equation shows that no new money was created, which satisfies the first property. The equation remains true if I apply a secret blinding number (e.g. 11) to all terms:

(2) 17*11 + 12*11 = 29*11

Without knowing my secret number 11, you would have a hard time guessing what the original transaction values are in this equation:

(3) 187 + 132 = 319

In equation (3), I’ve managed to keep both the actual transaction values and blinding number private while still allowing others to verify I have not created new money in my transaction.

(For more detail on blinding factors, see box at end of this post.)
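
An added example, not part of the original post: the arithmetic above is an analogy, since a purely multiplicative blind can be recovered as the greatest common divisor of the published numbers. The sketch below goes beyond the post's illustration and uses the Pedersen-style commitments that Grin's introduction describes, where the blinding factors play the role of private keys, to check both properties without revealing any amount. The toy group (`P`, `Q`, `G`, `H`), the blinds and the fixed nonce are constructed assumptions and far too small for real use.

```python
import hashlib
from functools import reduce
from math import gcd

# Constructed toy group: P = 2Q + 1, G and H both have prime order Q.
# Far too small for real use; a real system also needs log_G(H) to be unknown.
P, Q = 2039, 1019
G, H = 4, 9   # G carries the amount, H carries the blinding factor

def shared_factor(values):
    """GCD of published values: recovers a purely multiplicative blind."""
    return reduce(gcd, values)

def commit(value, blind):
    """Pedersen-style commitment G^value * H^blind mod P."""
    return pow(G, value, P) * pow(H, blind, P) % P

def excess(inputs, outputs):
    """Product of outputs over product of inputs; equals H^k when amounts balance."""
    num = reduce(lambda a, b: a * b % P, outputs, 1)
    den = reduce(lambda a, b: a * b % P, inputs, 1)
    return num * pow(den, -1, P) % P

def challenge(R, E):
    """Fiat-Shamir challenge in [1, Q-1] bound to the nonce point and the excess."""
    digest = hashlib.sha256(f"{R}|{E}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def sign_excess(k, nonce, E):
    """Schnorr proof of knowing k; it verifies only if E == H^k."""
    R = pow(H, nonce, P)   # nonce is fixed here for reproducibility, random in practice
    return R, (nonce + challenge(R, E) * k) % Q

def verify_tx(inputs, outputs, sig):
    """Checks both properties at once without seeing any amount or blind."""
    E = excess(inputs, outputs)
    R, s = sig
    return pow(H, s, P) == R * pow(E, challenge(R, E), P) % P

def demo():
    ins = [commit(17, 101), commit(12, 202)]   # the post's 17 + 12, constructed blinds
    k = (350 - 101 - 202) % Q                  # excess blinding factor
    honest = [commit(29, 350)]
    inflated = [commit(30, 350)]               # tries to create 1 extra unit
    ok = verify_tx(ins, honest, sign_excess(k, 777, excess(ins, honest)))
    bad = verify_tx(ins, inflated, sign_excess(k, 777, excess(ins, inflated)))
    return ok, bad

if __name__ == "__main__":
    print(shared_factor([187, 132, 319]), demo())
```
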

Freedom of choice. By obscuring all values, MimbleWimble/Grin provides full privacy and gives you the choice of what to reveal. It’s similar to donor levels in various non-profits. You’ll see the range a donation was made for, but you don’t necessarily know the exact donation amount. Both the donor and the non-profit know exactly how much was donated, but no one else needs to know. This “right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.” [2]

Equal access. Another aspect of Bitcoin that disturbs me greatly is there is little opportunity left for an average person to participate in securing the network. The requirement of a highly specialized and monopolized chip for Bitcoin mining — the ASIC — virtually eliminates anyone from becoming a Bitcoin miner, whose primary responsibility is validating transactions and placing them into blocks. The Bitcoin mining community is heavily centralized and this has greatly contributed to Bitcoin’s woes.

The ability to grow over time while still providing equal opportunity to participate are key tenets of Ignotus’ “Grin” implementation of MimbleWimble. Grin uses a Cuckoo Cycle proof-of-work designed to be ASIC resistant so that anyone who wants to try mining can buy widely-available GPU cards. This helps democratize access.

Ability to grow over time. Another way to safeguard equal access over time is to ensure the blockchain network doesn’t get dragged to a standstill when transaction volume increases. This was the core issue in the Bitcoin block-size debate: there were more transactions than could fit into a 1 MB block. As long as there’s a restrictive size limit, there will be a capacity issue. A dirty little secret is that to get around scalability issues, almost all payment processors and exchanges do off-chain transactions. Which begs the question: why bother using a cryptocurrency with blockchain? It’s a slippery slope.

Increasing usage will increase transaction volume. So how do you ensure that a block size can continue to accommodate volume increases? By streamlining each block.

The principle is similar to simplifying equations. If there are terms that are identical on both sides of an equation, you can cut them:

(8) 2+y = x+2

(9) 7+3+5+4+2+y = x+7+3+5+4+2

Both equations (8) and (9) simplify to:

(10) y = x

MimbleWimble/Grin maintains that if an output spends an input, you no longer have to keep them because they cancel each other out. This greatly cuts down the amount of data you have to store and process. The only data that nodes keep is unspent outputs and block headers. Instead of thinking of blockchain capacity in terms of number of transactions, MimbleWimble/Grin is designed to grow with the number of users. The streamlined blocks make growth sustainable over time as the transaction data set does not continue to get bigger. This increases privacy since transaction data gets removed and it also enables fungibility.
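
An added example, not part of the original post, of the cancellation described above: three chained transactions are merged, every output that a later input spends is dropped, and the remaining data still verifies against the kept kernel excesses. It uses the same kind of Pedersen-style commitment in a constructed toy group; `P`, `Q`, `G`, `H`, the coins and all function names are assumptions for illustration.

```python
from collections import Counter
from functools import reduce

# Constructed toy group (P = 2Q + 1, G and H of order Q); far too small for real use.
P, Q = 2039, 1019
G, H = 4, 9

def commit(value, blind):
    """Pedersen-style commitment G^value * H^blind mod P."""
    return pow(G, value, P) * pow(H, blind, P) % P

def product(elems):
    return reduce(lambda a, b: a * b % P, elems, 1)

def make_tx(ins, outs):
    """ins/outs are (value, blind) pairs; the kernel keeps only the excess H^k."""
    k = (sum(b for _, b in outs) - sum(b for _, b in ins)) % Q
    return {"inputs": [commit(*c) for c in ins],
            "outputs": [commit(*c) for c in outs],
            "kernel": pow(H, k, P)}

def cut_through(txs):
    """Merge transactions, dropping each output that another input spends."""
    ins = Counter(c for tx in txs for c in tx["inputs"])
    outs = Counter(c for tx in txs for c in tx["outputs"])
    spent = ins & outs
    return {"inputs": list((ins - spent).elements()),
            "outputs": list((outs - spent).elements()),
            "kernels": [tx["kernel"] for tx in txs]}

def balances(state):
    """Outputs over inputs must equal the product of all kernel excesses."""
    lhs = product(state["outputs"]) * pow(product(state["inputs"]), -1, P) % P
    return lhs == product(state["kernels"])

def demo():
    # Constructed coins as (value, blind): a -> b + c, b -> d, c + d -> e
    a, b, c, d, e = (29, 10), (17, 21), (12, 33), (17, 45), (29, 58)
    txs = [make_tx([a], [b, c]), make_tx([b], [d]), make_tx([c, d], [e])]
    before = sum(len(t["inputs"]) + len(t["outputs"]) for t in txs)
    state = cut_through(txs)
    after = len(state["inputs"]) + len(state["outputs"])
    return before, after, balances(state), state

if __name__ == "__main__":
    print(demo()[:3])
```

Only the kernels grow with the number of transactions; the intermediate coins `b`, `c` and `d` leave no trace in the stored state.
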

Fungibility. Fungibility is the ability for equal units to be interchangeable. Let’s say I give you a dollar — either as a coin or a paper note. The Federal Reserve prints the paper dollar and the US Mint produces the coin dollar, but both are equal in value. Neither is lesser or greater than the other and you can choose to use a dollar coin or bill interchangeably. This is a key characteristic of currency: equal units must be interchangeable, or fungible. The US Dollar is fungible. Bitcoin is not.

The Bitcoin blockchain keeps every single input and output forever and so each coin carries a legacy. It’s similar to equation (9) above. Another dirty little secret is that when picking which transactions to process — in addition to the fee — payment processors, miners, and exchanges will look at the inputs (i.e. 7+3+5+4+2) to assess the quality of the transaction. The consequence is one bitcoin is not fungible with another. The most valued bitcoins are called “coinbase” which are the ones created when a block is found. They are newly minted and “clean” and some parties pay a premium to buy them. This creates a hierarchy in coin quality. The consequence is if you receive bitcoins that have inputs that are tainted (e.g. they have been used in a dark market), spending them may become increasingly difficult.

In MimbleWimble/Grin, because the (7+3+5+4+2) inputs and outputs are all discarded when spent, each coin is exactly equal to the other. In other words, Grin coins are interchangeable and fungible.

Conclusion:

Imagine what a universally accessible, private, scalable and fungible digital coin could do. Since Grin’s introduction, its developers have enabled capabilities such as Lightning, Schnorr signatures, bulletproofs, Dandelion relay, “scriptless scripting”, and atomic swaps. All these greatly increase the probability of the Grin blockchain being able to address a multitude of use cases that have not been possible with the existing set of blockchains. At the very least, Grin coin may actually fulfill the promise of digital cash.

To learn more about Grin and participate in its genesis, see: https://github.com/ignopeverell/grin.

References:

[1] Patronus Charm: “a pure, protective magical concentration of happiness and hope.” https://www.pottermore.com/writing-by-jk-rowling/patronus-charm

[2] Yael Onn, et al., Privacy in the Digital Environment, Haifa Center of Law & Technology, (2005) pp. 1–12

[3] Brave blog. https://blog.brave.com/their-connection-your-data/

Catheryne Nicholson
BlockCypher Blog

CEO @BlockCypher, Engineer, former US Naval Officer, Mother, STEM advocate for girls