A slimmed-down version of the bitcoin protocol called Mimblewimble replaces private keys with a blinding factor that can prove ownership of bitcoins. It offers a way to reconcile bitcoin privacy with fungibility while also improving scalability, according to a white paper that appeared mysteriously on a bitcoin research site under a pseudonym, as reported by Nasdaq.
Privacy and fungibility are at odds in bitcoin because anyone can trace transactions over the blockchain, and as the number of transactions increases, the verification cost can become a centralizing force.
A white paper by Tom Elvis Jedusor, a pseudonymous name taken from Harry Potter, presents a way to alter the bitcoin protocol that could improve privacy and fungibility while offering more scalability. The name of the proposal, called Mimblewimble, also comes from Harry Potter.
Mimblewimble is based on Confidential Transactions, a privacy feature developed by Bitcoin Core developer Gregory Maxwell that is deployed on Blockstream’s Elements Alpha sidechain. Confidential Transactions allows senders to encrypt bitcoin amounts in transactions. Transactions have information that only receivers can decrypt.
Utilizing a cryptographic technique known as a Pedersen Commitment, anyone can do arithmetic on the hidden amounts without learning them. As transactions are sent, bitcoin nodes can subtract the committed output values from the committed input values. If the two sides cancel out at zero, the combined outputs and inputs are equal, and no bitcoins are created.
Mimblewimble uses this technique, but with the receiver generating the blinding factor. This blinding factor, a primary deviation from the bitcoin protocol, proves ownership of the blinded bitcoins. Private keys, public keys, and addresses are no longer in play.
A series of cryptographic techniques proving ownership of the blinding factor is Mimblewimble’s closest equivalent to bitcoin cryptographic signatures. The full extent of these techniques is not discussed in this article.
An important factor is that the mathematical maneuvers introduce a “dummy output.” Where transaction outputs typically indicate the conditions by which a receiver can spend the bitcoins, the dummy outputs are random numbers ensuring that only the person that created the blinding factor can spend the bitcoins in the real outputs.
CoinJoin is another technique behind Mimblewimble that Maxwell proposed. This method allows users to bundle transactions together, scrambling inputs and outputs. This can obfuscate which bitcoins got sent from which address, destroying the assumption that all inputs are from the same user.
Mimblewimble, along with a fix from Andrew Poelstra, a mathematician, takes the concept further and eliminates the transactions when a new block is made. Mimblewimble blocks consist of three lists: one of new outputs, one of inputs (referring to old outputs), and one of cryptographic signatures made with the dummy outputs.
All nodes can use the output and input lists, and verify that no bitcoins were made, utilizing the Pedersen Commitment scheme. The dummy output signatures prove all transactions were valid. Serving as “stamps of approval,” the dummy output signatures add up mathematically only if the entire transaction does.
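The balance check described above and the "dummy output" signature that seals it, as an added example that is not part of the original article or the white paper. It uses a toy multiplicative group mod a small safe prime (the real scheme works on an elliptic curve) so the Pedersen arithmetic is readable; the excess commitment and Schnorr proof are assumptions that mirror the kernel signature the text calls a dummy output signature:

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: quadratic residues mod a
# small safe prime p = 2q + 1. G and H are distinct squares, so each
# generates the order-q subgroup; the scheme needs log_H(G) to be unknown.
P, Q = 1019, 509
G, H = 4, 9

def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind (mod P): hides the amount."""
    return pow(G, value, P) * pow(H, blind, P) % P

def product(commits):
    acc = 1
    for c in commits:
        acc = acc * c % P
    return acc

def excess(inputs, outputs):
    """Verifier's view: inputs / outputs. Equals H^x (a commitment to zero)
    exactly when the amounts cancel; any leftover G^delta means inflation."""
    return product(inputs) * pow(product(outputs), -1, P) % P

def challenge(R, msg):
    digest = hashlib.sha256(f"{R}|{msg}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1   # never 0 mod Q

def sign_excess(x, msg):
    """Schnorr proof that the signer knows x with E = H^x (the dummy-output signature)."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(H, k, P)
    return R, (k + challenge(R, msg) * x) % Q

def verify_tx(inputs, outputs, sig, msg):
    """Accept only if amounts balance AND the excess blinding factor is proven."""
    E = excess(inputs, outputs)
    R, s = sig
    return pow(H, s, P) == R * pow(E, challenge(R, msg), P) % P

def demo():
    r_in, r_out1, r_out2 = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    inputs = [commit(50, r_in)]
    good = [commit(30, r_out1), commit(20, r_out2)]   # 30 + 20 == 50
    bad = [commit(30, r_out1), commit(25, r_out2)]    # would mint 5 coins
    x = (r_in - r_out1 - r_out2) % Q                  # known only to the parties
    sig = sign_excess(x, "kernel")
    return verify_tx(inputs, good, sig, "kernel"), verify_tx(inputs, bad, sig, "kernel")
```

Nodes never see the amounts or which blinding factors were used; they only check that the commitments cancel to a point on the H axis and that someone can sign for it.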
It is never revealed which inputs spent bitcoins to which outputs, nor how many bitcoins got spent. Hence, there is no way to trace funds. Mimblewimble thereby supports both privacy and fungibility.
Mimblewimble also offers scalability.
Spending bitcoin takes an output from a prior transaction and makes it an input of a new one. If an older transaction is not valid, a new one that relies on it is not valid either. To validate all transactions on the bitcoin network, nodes have to know all transactions that have taken place, which is currently around 80 gigabytes.
With Mimblewimble, there is no history per coin. Every coin has a block in which it was created. After that, the value becomes part of the Unspent Transaction Output (UTXO) set, the set of all outputs that still hold coins and can be spent at any time.
To verify new transactions, nodes do not have to care about prior transactions. They only have to care that specific outputs are valid.
Nodes can easily establish the validity of outputs. They only require the block headers of all blocks, which serve as a block index without the transaction data and the dummy output signatures. Both of these data sets are compact. Other transaction data – nearly the entire blockchain – can be discarded.
If CoinJoin and Confidential Transactions had been used from the beginning of bitcoin, nodes would require more than a terabyte of data to operate. With Mimblewimble, they would require closer to 120 gigabytes. Even more interesting is the fact that where the blockchain has to grow with time, the Mimblewimble data set does not. It can actually contract if fewer outputs store more bitcoins.
In its current form, Mimblewimble is not very compatible with the bitcoin protocol. For it to work, Script has to be removed from transactions. There would not be room for the full set of bitcoin features such as time-locked transactions, which are used for the Lightning Network and for other things such as atomic swaps for cross-blockchain interoperability.
But Mimblewimble might be a solution for a privacy-focused sidechain allowing bitcoin users to lock bitcoins into a particular output on the blockchain and push coins to the Mimblewimble chain. Users could transact privately and freely on this sidechain as long as they wish until a new owner wants to return funds back to the bitcoin blockchain by unlocking the original output.
The burden of maintaining the sidechain would be very manageable. It could unload a lot of data from the bitcoin blockchain, thereby improving scalability, even for those not using Mimblewimble.
Sidechains are not typically viewed as a scaling solution, but Mimblewimble offers one.