Andrew Poelstra of Blockstream has presented a new Bitcoin network scalability solution dubbed Mimblewimble on the first day of the Scaling Bitcoin conference in Milan.
The paper is authored by “Tom Elvis Jedusor” (Voldemort’s name in the French versions of the book), and its Harry Potter references don’t stop there. The proposal itself, posted to chat channels in August 2016, is named “Mimblewimble” after a tongue-tying curse meant to render an opponent silent.
Mimblewimble offers a radical reduction of the Bitcoin protocol to enhance confidentiality and malleability of transactions, along with providing more options for the network’s scalability as compared to the existing architecture.
“I’m here to present Mimblewimble. It’s not my idea, it belongs to the Dark Lord,” said Andrew Poelstra. “Mimblewimble is a design for a Blockchain, it could be implemented into Bitcoin as a softfork or a sidechain. Also, in principle, Lightning Network could be put on top of it.”
The developer community has earlier suggested that Mimblewimble could solve several major problems in the Bitcoin ecosystem.
Mimblewimble is based on confidentiality features of Bitcoin, including Confidential Transactions, which is a function mostly developed by Gregory Maxwell of Bitcoin Core and Blockstream. Currently it is also deployed on Elements Alpha, Blockstream’s sidechain solution.
Confidential Transactions enables the sender to encrypt the amount of bitcoins sent with random strings of numbers (so-called “blinding factors”), while the transaction incorporates data that enables the receiver to decrypt the amount. Using a cryptographic trick called the Pedersen Commitment, bitcoin nodes may subtract the encrypted amount at the input from the encrypted amount at the output, and if the two sides cancel out to zero, it means no bitcoins were created out of thin air.
One may say that Mimblewimble turns the trick on its head, as it is the receiver that generates the random string, while no private keys or addresses are involved in the process.
Another function that inspired Mimblewimble’s creator is CoinJoin, also developed by Gregory Maxwell, which is a way to mix transactions to make them more difficult to trace.
Mimblewimble goes a bit further and gets rid of transactions altogether while creating a new block. As a result, the block consists of three lists instead of transactions: new inputs, new outputs, and cryptographic signatures. Using Pedersen’s scheme, all nodes may use the lists of inputs and outputs to confirm that the bitcoins in question did not come out of the blue. As the process neither discloses the exact outputs and inputs involved nor reveals the amount of coins spent, there is no way to trace the movement of funds.
The solution may also solve some scalability issues in Bitcoin. Presently, there are lots of transactions connected to each other, as bitcoin spending uses the previous transaction’s output as the new one’s input. It means that if the previous transaction is invalid, the new transaction will also become invalid. For that reason, nodes have to know all transactions in the network to validate new ones. Currently, the overall amount of data required for that purpose exceeds 80 GB.
Mimblewimble does not require one to know all that, as it lacks the very history of transactions. A coin is not assigned to any particular block where it had been initially mined. It becomes a part of a combined set of unspent transaction outputs (UTXO) incorporating all outputs storing some coins. Theoretically, they may be spent at any time.
MimbleWimble origin: A guy came from the future to correct the course of history before we fill every bit of storage with blockchain data
— Sergio Demian Lerner (@SDLerner) October 8, 2016
Thus, nodes don’t have to know the entire history of prior transactions to verify a new one. All they have to know is that particular outputs are genuine. Moreover, nodes may ascertain authenticity of outputs with relative ease: they need only block headers and formal signatures of outputs to do that. Both solutions are very compact in terms of data size. All other transaction data, or, in essence, the entire blockchain, may be discarded.
As compared to other anonymity techniques, the advantages of this solution are obvious. If Confidential Transactions and CoinJoin were used in Bitcoin from the very beginning, nodes would require over one terabyte of data to operate normally, while Mimblewimble requires a mere 120 GB. Moreover, if the blockchain expands further, which seems inevitable, Mimblewimble may allow one to shrink the data array required for its operation. It just means that a bigger amount of bitcoins would be stored in a smaller number of outputs.
Mimblewimble in its present form may not be quite compatible with Bitcoin’s protocol, as it requires scripts to be removed from transactions. As a result, it leaves no room for other bitcoin functions like time-locked transactions (also applied in Lightning Network).
This, however, doesn’t make the entire solution useless. It may become a perfect solution for sidechains focusing mostly on confidentiality issues. Andrew Poelstra also believes the solution may be implemented as an altcoin, while other developers could make their proposal as well.
Mimblewimble’s updated presentation is available here.