The Wizard And Marvelous Dr. Maxwell

This article was originally published on The Daily Chain, 31st December 2020.

“There are no addresses. There are no amounts.”

Mimblewimble

If any cryptocurrency besides Bitcoin has cypherpunk credentials, it’s Grin.

If any cryptocurrency besides Bitcoin has cypherpunk credentials, it’s Grin.

Its underlying protocol, Mimblewimble, is a landmark privacy protocol which, combined with Grin’s economic policy, makes a peer-to-peer electronic cash system viable.

In the simplest terms, Mimblewimble performs two magic tricks.

The first trick is to take all the transactions being broadcast and squish them together, so that one block is one transaction. In Bitcoin all transactions are “atomic” and cannot be squished. CoinJoin can be used, but this still requires sender and receiver to interact.

The second trick is to obliviate (delete) blockchain data. Rather than verify every single block when syncing, we can do some more squishing. If an unspent amount in one block is spent in a subsequent block, that data can now be safely discarded from the blockchain. In Mimblewimble a blockchain can shrink in size.

Furthermore, the magic of Mimblewimble requires no scripting when sending transactions as Bitcoin does. Instead, it relies solely on digital signatures. Mimblewimble is a simple and elegant stroke of cryptographic genius.

All the quotes in this article, save the two explicitly attributed to Ignotus Peverell, are taken from the Mimblewimble paper, created on the 19th of July, 2016.

Tom Elvis Jedusor

Just like Bitcoin, Grin’s story starts with a whitepaper.

In the case of Grin, a link posted in the #bitcoin-wizards IRC channel in 2016 pointed to a text file hosted on a TOR hidden service.

Entitled “MIMBLEWIMBLE”, the paper is penned by anonymous author Tom Elvis Jedusor, aka Voldemort in the French translation of Rowling’s tale of wizards and witchcraft.

I call my creation Mimblewimble because it is used to prevent the blockchain from talking about all user's information.
Tom Elvis Jesdusor

Jedusor starts by describing the problems with Bitcoin. He talks about having to replay every single transaction to verify the blockchain state (syncing), and points out the inefficiency of such a paradigm.

It would be better if an auditor needed only to check data on the outputs themselves, but this is impossible because they are valid if and only if the output is at the end of a chain of previous outputs, each signs the next. In other words, the whole blockchain must be validated to confirm the final state.

Then he frowns upon the atomic and transparent properties of transactions in Bitcoin, which are so easily tracked by specialized forensics companies.

Add to this that these transactions are cryptographically atomic, it is clear what outputs go into every transaction and what emerges. The "transaction graph" resulting reveals a lot of information and is subjected to analysis by many companies whose business model is to monitor and control the lower classes.This makes it very non-private and even dangerous for people to use.

The wizard elaborates on “transaction graphs” which tie Bitcoin transactions together, and even describes Bitcoin as “dangerous for people to use”.

The "transaction graph" resulting reveals a lot of information and is subjected to analysis by many companies whose business model is to monitor and control the lower classes. This makes it very non-private and even dangerous for people to use.
An example of a Bitcoin transaction graph

Then follows a brief rundown of the privacy advancements since Nakamoto launched Bitcoin:

  • Gregory Maxwell’s CoinJoin: Multi-party bitcoin transactions used to obfuscate sender and receiver.
  • Nicholas van Saberhagen’s CryptoNote: Ring-signature transactions used to obfuscate the amounts sent and received.
  • Shen Noether’s RingCT (confidential transactions): A combination CoinJoin and CryptoNote used to obfuscate sender, receiver, and amount sent. (see Monero)
  • Dr. Yuan Horas Mouton’s One-way aggregate signatures (OWAS): used to obfuscate sender, receiver and amount by merging all transactions in a block into one single transaction.
  • Blockstream’s Confidential Transactions (not to be confused with Noether’s confidential transactions), an interactive implementation of OWAS which uses a “blinding factor” to obfuscate amounts sent. Adam Back, Gregory Maxwell and Andrew Poelstra were all involved in its development.

Tom Elvis Jedusor then points out the weaknesses in these approaches. CoinJoin is “interactive” and not enforced by default, CryptoNote outputs must be stored forever, and Noether’s Confidential transactions are too big (in bytes) and just add to the size problem.

These solutions are very good and would make Bitcoin very safe to use. But the problem of too much data is made even worse. Confidential transactions require multi-kilobyte proofs on every output, and van Saberhagen signatures require every output to be stored for ever, since it is not possible to tell when they are truly spent.

He proceeds to cite a lesser known paper by Dr. Yuan Horas Mouton, and claims that Mouton fixes these problems by making transactions “freely mergeable” using a new primitive called “one-way aggregate signatures” (OWAS).

OWAS had the good idea to combine the transactions in blocks. Imagine that we can combine across blocks (perhaps with some glue data) so that when the outputs are created and destroyed, it is the same as if they never existed.

The problem with OWAS, however, is that it uses cryptographic techniques not approved in academic circles and is consequently considered risky.

Dr. Maxwell's CoinJoin has the problem of needing interactivity. Dr. Yuan Horas Mouton fixed this by making transactions freely mergeable.

Voldemort’s magic was to make a similar system for creating and destroying coins as if “they never existed”, but by utilizing cryptographic methods already used by Bitcoin, namely Elliptic-curve cryptography (ECC).

Since Mimblewimble coins are effectively created and destroyed in transactions that are merged in a single transaction which forms (the body of) a block, there is no longer a chain of outputs to replay when syncing. The blockchain is pruned of extraneous historical UTXO data in a process called Cut-through.

We can imagine now each block as one large transaction. To validate it, we add all the output commitments together, then subtracts all input commitments

The paper itself is very short and contains several grammatical mistakes which could be attributed to Jedusor not being a native English speaker. Clearly the implication is that the author is French, although this could be a misdirection like Satoshi being Japanese.

Despite the deceptively haphazard nature of the document, the ideas within it were so compelling that Andrew Poelstra, a mathematician and applied cryptographer at Blockstream, gravitated towards them immediately.

Poelstra has contributed to privacy solutions in Bitcoin like CoinJoin and Confidential Transactions and seized upon the ideas in the paper by publishing a more “precise” version in October 2016.

In fact, the Confidential Transactions developed by Blockstream were inspired by OWAS, and Mimblewimble was inspired, in turn, by Confidential Transactions. The former adopts an interactive approach and Mimblewimble a non-interactive approach with a randomly generated blinding factor, meaning all transactions in Mimblewimble are confidential by default.

Now, we have used Dr. Maxwell's Confidential Transactions to create a noninteractive version of Dr. Maxwell's CoinJoin, but we have not seen the last of marvelous Dr. Maxwell! We need another idea, transaction cut-through

For a time there was talk of integrating Mimblewimble into Bitcoin, or adding it as an experimental sidechain. This is hardly surprising since Jedusor has, in many ways, remade Bitcoin using technology that Bitcoin developers and Blockstream researchers have created.

Reasons later explained by Pieter Wuille prevented this from happening. These boil down to technical difficulties. And of course, Blockstream had their own offering in Confidential Transactions as a federated sidechain called Liquid, so this may have impacted motivation.

MimbleWimble with Andrew Poelstra (2016)

Grin

Nevertheless, shortly after Poelstra’s paper was published another character from Harry Potter appeared. Ignotus Peverell released the first partial implementation of Mimblewimble, and posted a technical introduction to Grin in March 2017.

In October 2017 Peverell published “Mimblewimble for Bitcoiners”, a succinct document describing Grin’s differences. Quoting from that document:

1. There are no addresses.2. There are no amounts.3. 2 transactions, one spending the other, can be merged in a block to form only one, removing all intermediary information.The 2 first properties mean that all transactions are indistinguishable from one another. Unless you directly participated in the transaction, all inputs and outputs look like random pieces of data (in lingo, they’re all random curve points).Moreover, there are no more transactions in a block. A Grin block looks just like one giant transaction and all original association between inputs and outputs is lost.
Ignotus Peverell

Although they share similar cypherpunk roots, Grin is radically different to Bitcoin and was probably inspired by shortcomings Satoshi is unlikely to have foreseen.

Shortcomings like poor privacy. A transparent ledger now under such vigilant analysis only gifted hackers can escape scrutiny. Or Bitcoin’s unwieldy database, highly centralized mining, slow confirmation times, and fees so high a banker might blush.

Yet perhaps the most radical difference rests with the emission model. Grin has no fixed supply, and has no halving period. It’s one Grin every second, forever. This is not as unusual as many think since these days as many prominent cryptocurrencies (for example, Monero and Ethereum) plan on some kind of tail emission after the main supply is mined or minted.

Unlimited supply also protects Grin from ponzi accusations; no advantage is bestowed on early miners. No pyramidal distribution can be inferred.

Computer scientist John Tromp provided Grin a Proof-of-Work system called Cuckoo Cycle, aimed at both ASICs and GPUs with the intention of helping to decentralize mining. Tromp told The Daily Chain:

“The emission of 1 grin per second allows one to think of time as value. when something costs an hour of Grin (3600 Grin), that represents one hour of mining in Grin’s lifetime. Grin is as scarce as time itself, and is the most literal interpretation of time=money.”

John Tromp, December 2020

Whether Bitcoin can still be secured when miners receive transaction fees and no block reward is unknown. Bitcoin is increasingly considered a store-of-value (like gold), and not a peer-to-peer currency as was originally laid out in the Satoshi paper.

Grin had a fair launch with no ICO, premine, or mining tax. The fairness of its launch creates challenges. Funding good development doesn’t come cheap, although Grin has managed till now. The project doesn’t have a massive budget to throw at marketing, although with such great fundamentals it may not need it long-term.

Since its launch Grin and its community have made huge advancements in research and security, greatly improved the code, and released many wallets including full-nodes for mobile devices.

Felix Felicis

The crypto scene is currently enraptured by DeFi. While an important fields for exploration (and farming), it’s only a matter of time before the hype abates.

When it does we will be left with the same problems. Bitcoin which struggles to scale and offers poor privacy, and Ethereum with its ad hoc approach to smart contracts (like gas) and a total supply still less than twice of that it started with in 2016 (implying very poor distribution, and centralization of wealth).

With an unlimited supply and strong privacy, Grin can perhaps fulfill the original intention of creating a peer-to-peer electronic payment system, and not a hyper-volatile “store-of-value”. Since its 2019 genesis around 60 million Grin have been mined. Many projects have supplies in excess of one billion tokens. For Grin one billion coins would take about 31 years to mine, at which time annual inflation would sit around 3%. A community member commented, “I’d just like to say that the numbers are not really important here, for instance we could say we have billions nanogrins, but it doesn’t really matter in the end, what matters is the ratio at which the supply changes.”

Voldemort’s magic excited members of #bitcoin-wizards as much, or more, than any since Satoshi’s original whitepaper. Even though his exceptional spells have not graced a Bitcoin sidechain, he lives on in Grin and other Mimblewimble coins.

His identity may remain a mystery, but his teachers do not.

The “marvelous” Gregory Maxwell vehemently denies any involvement with Mimblewimble or Grin, and insists he is not Tom Elvis Jedusor, better known as Tom Marvolo Riddle, or He Who Must Not Be Named.

The Immutable Network (DARA), founder. Immutable builds free blockchain products and platforms to fight censorship and stop data loss. Also a journalist/writer.