- MimbleWimble
  - Proposed anonymously in IRC by Tom Elvis Jedusor
  - Private by default
  - Massively prunable
  - Relies solely on elliptic curve cryptography
  - No scripting
  - MW transactions consist of:
    - Inputs (references to old outputs)
    - Outputs (confidential transactions + range proofs)
    - Kernel: outputs - inputs - fee, and a signature
  - Every kernel should be a commitment to 0, since outputs - inputs - fee should = 0
  - A node storing the chain can aggressively prune all "cut through" transactions, leaving just block headers and kernels
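As an added example (not part of these notes and not Grin's own code), the transaction structure above in Python: Pedersen commitments on secp256k1, a second generator H derived here by hashing to the curve (an assumption made for the demo; Grin uses its own fixed H), a kernel whose excess signs the fee with a Schnorr signature, and the two checks a node runs. Range proofs are omitted, so the example only shows why the kernel is a commitment to zero and why tampering with an output value breaks it.

```python
import hashlib

# secp256k1 constants (the curve Grin's libsecp256k1 uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def hash_to_point(label):
    """Try-and-increment hash-to-curve: yields a generator H whose discrete log
    with respect to G nobody knows, which is what makes the commitments binding."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # a valid square root because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = hash_to_point(b"constructed-H")  # constructed for this demo; not Grin's H


def commit(value, blind):
    """Pedersen commitment C = value*H + blind*G (the confidential output)."""
    return ec_add(ec_mul(value, H), ec_mul(blind, G))


def challenge(R, pub, fee):
    msg = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + fee.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def build_tx(inputs, outputs, fee):
    """inputs/outputs are lists of (value, blinding factor) known to the sender."""
    assert sum(v for v, _ in inputs) == sum(v for v, _ in outputs) + fee
    in_c = [commit(v, r) for v, r in inputs]
    out_c = [commit(v, r) for v, r in outputs]
    # Values cancel in sum(out) - sum(in) + fee*H, leaving excess*G: the kernel is a
    # commitment to zero whose blinding factor ('excess') only the sender knows.
    excess = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % N
    pub = ec_mul(excess, G)
    # Schnorr signature over the fee with the excess as private key; nonce derived
    # deterministically from key and message (RFC 6979 style) for reproducibility.
    k = int.from_bytes(hashlib.sha256(b"nonce" + excess.to_bytes(32, "big") + fee.to_bytes(8, "big")).digest(), "big") % N
    R = ec_mul(k, G)
    s = (k + challenge(R, pub, fee) * excess) % N
    return {"inputs": in_c, "outputs": out_c, "fee": fee, "kernel": {"pub": pub, "R": R, "s": s}}


def verify_tx(tx):
    """What a node checks: commitments balance to the kernel's public excess, and
    the kernel signature proves knowledge of it (no value created from nothing)."""
    total = None
    for c in tx["outputs"]:
        total = ec_add(total, c)
    for c in tx["inputs"]:
        total = ec_add(total, ec_neg(c))
    total = ec_add(total, ec_mul(tx["fee"], H))  # fee is an implicit output to the miner
    k = tx["kernel"]
    if total != k["pub"]:
        return False
    e = challenge(k["R"], k["pub"], tx["fee"])
    return ec_mul(k["s"], G) == ec_add(k["R"], ec_mul(e, k["pub"]))


def demo():
    # Constructed sample: two inputs worth 15, one output worth 12, fee 3.
    tx = build_tx([(10, 11111), (5, 22222)], [(12, 55555)], 3)
    # Tampering: swap the output for one worth 13 while keeping the same kernel.
    bad = dict(tx)
    bad["outputs"] = [commit(13, 55555)]
    return verify_tx(tx), verify_tx(bad)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The balance check alone would let anyone who knows the output values forge a kernel; the signature by the excess is what ties the kernel to the party who actually holds the blinding factors, and it is the only thing left to validate once inputs and outputs have been cut through.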
- Grin
  - Oct 20 2016, "Ignotus Peverell" began the first implementation of MimbleWimble
  - Principles: simple, private, scalable
  - Consists of more than just MimbleWimble
- Other Grin building blocks:
  - Merkle Mountain Ranges
    - Created by Peter Todd
    - A Merkle Tree that can grow dynamically
    - Logarithmic inclusion proofs
    - In Grin:
      - Stores kernels, outputs, and rangeproofs
      - Enables fast sync
      - Accumulator for the UTXO set
      - Allows unique proofs of the existence & unspent-ness of any output
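An added example (not from the notes, and not Grin's own Rust MMR) of the structure just described, in Python: an append-only MMR stored as a flat list, the position arithmetic that merges peaks of equal height, a root obtained by bagging the peaks right to left, and a logarithmic inclusion proof verified against that root. The hash domain separation (0x00 for leaves, 0x01 for internal nodes) is a choice made here, not Grin's.

```python
import hashlib


def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def bag_peaks(peaks):
    """Fold the peak hashes right-to-left into a single root."""
    root = peaks[-1]
    for p in reversed(peaks[:-1]):
        root = node_hash(p, root)
    return root


class MMR:
    """Append-only Merkle Mountain Range: node hashes in insertion order plus a
    parallel list of node heights. Nothing is ever rewritten, only appended."""

    def __init__(self):
        self.nodes, self.heights, self.leaf_pos = [], [], []

    def size(self):
        return len(self.nodes)

    def append(self, data):
        """Add a leaf, then merge while the two rightmost peaks have equal height.
        A subtree of height h has 2^(h+1)-1 nodes, so the left sibling of the node
        at q is at q - (2^(h+1)-1)."""
        self.leaf_pos.append(len(self.nodes))
        self.nodes.append(leaf_hash(data))
        self.heights.append(0)
        while True:
            q = len(self.nodes) - 1
            h = self.heights[q]
            sib = q - (2 ** (h + 1) - 1)
            if sib < 0 or self.heights[sib] != h:
                break
            self.nodes.append(node_hash(self.nodes[sib], self.nodes[q]))
            self.heights.append(h + 1)

    def peaks(self):
        """Peak positions left to right (their heights strictly decrease)."""
        out, pos, n = [], 0, len(self.nodes)
        while pos < n:
            h = 0
            while 2 ** (h + 2) - 1 <= n - pos:
                h += 1
            out.append(pos + 2 ** (h + 1) - 2)
            pos += 2 ** (h + 1) - 1
        return out

    def root(self):
        return bag_peaks([self.nodes[p] for p in self.peaks()])

    def prove(self, pos):
        """Inclusion proof for the leaf at position pos: the O(log n) sibling path
        up to its peak plus the other peak hashes needed to re-bag the root."""
        path, h, n = [], 0, len(self.nodes)
        while True:
            size = 2 ** (h + 1) - 1
            if pos + 1 < n and self.heights[pos + 1] == h + 1:      # right child
                path.append((self.nodes[pos - size], True))
                pos += 1
            elif pos + size < n and self.heights[pos + size] == h:  # left child
                path.append((self.nodes[pos + size], False))
                pos += size + 1
            else:
                break  # reached a peak
            h += 1
        peaks = self.peaks()
        return {"path": path, "peaks": [self.nodes[p] for p in peaks], "peak_idx": peaks.index(pos)}

    @staticmethod
    def verify(root, data, proof):
        """Recompute the leaf's peak from the path, re-bag with the other peaks and
        compare to a trusted root (for instance one taken from a block header)."""
        h = leaf_hash(data)
        for sib, sib_is_left in proof["path"]:
            h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
        peaks = list(proof["peaks"])
        peaks[proof["peak_idx"]] = h
        return bag_peaks(peaks) == root


def demo():
    mmr = MMR()
    for i in range(11):                      # constructed sample leaves
        mmr.append(b"output-%d" % i)
    root = mmr.root()
    proof = mmr.prove(mmr.leaf_pos[5])
    return mmr.size(), mmr.verify(root, b"output-5", proof), mmr.verify(root, b"output-6", proof)


if __name__ == "__main__":
    print(demo())  # (19, True, False)
```

Eleven leaves give 19 nodes with peaks at positions 14, 17 and 18; a proof carries only the path to one peak and the handful of other peaks, which is why a light client can check one output against a header-sized root.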
  - Proof of work
    - In 2016, no real alternatives to PoW (PoS was experimental)
    - John Tromp's Cuckoo Cycle was chosen by Ignotus:
      - Simple design (spec is only 42 lines)
      - Memory bound
      - Initially believed to be ASIC resistant due to memory requirements
    - Come August 2018, secret ASIC mining on day 1 seemed plausible
      - Realized that ASICs could not be avoided (following Zcash and Monero ASICs)
      - Would compromise fair distribution
      - Lead to mining centralization
    - Decided to switch to dual PoW
      - Primary PoW: Cuckoo Cycle, which is ASIC friendly
      - Secondary PoW: Equihash, but with higher memory requirements to target GPUs (7GB+)
      - Secondary PoW would be tweaked every 6 months
    - John Tromp adapted Cuckoo Cycle to be both ASIC-friendly and ASIC-resistant
      - For ASICs: Cuckatoo31+ - 2^31 edges or more
        - Simplifies ASIC design
        - Can be mined on 11GB CPU initially
        - 10% of rewards at launch, linearly increases to 100% in 2 years
      - For GPUs: Cuckaroo29 - 2^29 edges
        - Can be mined on 5.5GB
        - Continually tweaked to maintain ASIC resistance for 2 years
        - 90% of rewards at launch, linearly decreasing to 0 in 2 years
      - This encourages a competitive market for ASICs by the time ASIC mining matures
  - Switch commitments
    - Quantum computers are expected to break confidential transactions
    - Can introduce a safety switch into confidential transactions
    - Later require user to reveal an ElGamal commitment to spend the output
    - Iterated over several attempts to create a good scheme for switch commitments
    - Merged a final version in Dec 2018
- Community
  - Organic growth since 2016
    - Attracted by fairness of the new coin
    - Nonprofit nature
    - Experimental protocol
  - Many community projects
    - Mining pools
    - Alternative implementation
    - Open source mining software (with "fair mining license")
    - Open source block explorer
    - Mobile and desktop wallets
    - Grin conferences (Grincon0, GrinconUS)
- Launched on January 15
  - Full Grin node
  - Command line wallet w/ REST API
  - Integrated Stratum Server
- Future Work
  - Near future:
    - Atomic swaps
    - Relative locks (timelocks, that is)
    - FlyClient
    - Dandelion++
  - Research (far future):
    - Vaults/covenants
    - RSA Accumulators
    - Scriptless Scripts
    - BLS signatures
- FlyClient
  - Created by Loi Luu, Benedikt Bunz, Mahdi Zamani (2017)
  - Store the Merkle Mountain Range root in the block header to quickly check blockchain validity
  - Enables light clients and allows full nodes to quickly identify the longest chain
  - Already stored in block headers in Grin! But not yet being used.
- RSA Accumulators
  - Boneh, Bunz, Fisch (2018)
  - In Grin: replace the Merkle Mountain Range with an RSA Accumulator
  - Nice because:
    - Removes the Merkle Mountain Ranges (kernel, header, outputs) for a more compact structure
    - Constant size regardless of total state
  - Cons:
    - Different security assumptions (RSA), not quantum-resistant
    - Requires trusted setup (need to generate an unknown RSA modulus)
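An added example (not from the notes and not from any Grin code) that makes the pros and cons above concrete in Python: a toy RSA accumulator in which each element is hashed to a prime, the accumulator state stays a single number modulo N however many elements are added, and a membership witness is checked with one modular exponentiation. The modulus is generated inside the script from fixed seeds, so the script also knows phi(N); the last function uses that trapdoor to show exactly why the "unknown RSA modulus" requirement exists.

```python
import hashlib
import math

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n |= 1
    while not is_prime(n):
        n += 2
    return n


def hash_to_prime(data):
    """Map an element to a 64-bit prime; accumulated elements must be primes."""
    return next_prime(int.from_bytes(hashlib.sha256(data).digest()[:8], "big") | (1 << 63))


# Constructed modulus from two ~64-bit primes derived from fixed seeds. Because this
# script generated p and q, it also holds the trapdoor phi(N) (see forge_with_trapdoor).
_p = next_prime(int.from_bytes(hashlib.sha256(b"seed-p").digest()[:8], "big") | (1 << 63))
_q = next_prime(int.from_bytes(hashlib.sha256(b"seed-q").digest()[:8], "big") | (1 << 63))
MODULUS = _p * _q
PHI = (_p - 1) * (_q - 1)  # what a trusted setup must destroy


class RSAAccumulator:
    def __init__(self, modulus=MODULUS, g=9):
        self.n = modulus
        self.g = g % modulus    # base element (a square, so it lies in the QR subgroup)
        self.acc = self.g       # constant-size state regardless of set size
        self.members = {}       # element -> prime; only the prover keeps this

    def add(self, element):
        p = hash_to_prime(element)
        self.members[element] = p
        self.acc = pow(self.acc, p, self.n)

    def witness(self, element):
        """w = g^(product of every other member's prime): linear to build, O(1) to check."""
        exp = math.prod(q for e, q in self.members.items() if e != element)
        return pow(self.g, exp, self.n)

    def verify(self, element, w):
        """Membership holds iff w^prime(element) == acc (mod n)."""
        return pow(w, hash_to_prime(element), self.n) == self.acc


def forge_with_trapdoor(acc, element, phi=PHI):
    """Anyone who knows phi(n) can take a p-th root of the accumulator and produce
    a valid witness for an element that was never added. This is the failure the
    trusted setup exists to prevent: the factorization of n must be unknown to all."""
    p = hash_to_prime(element)
    return pow(acc.acc, pow(p, -1, phi), acc.n)


def demo():
    acc = RSAAccumulator()
    for e in (b"utxo-1", b"utxo-2", b"utxo-3"):   # constructed sample set
        acc.add(e)
    w = acc.witness(b"utxo-2")
    forged = forge_with_trapdoor(acc, b"utxo-4")
    return acc.verify(b"utxo-2", w), acc.verify(b"utxo-4", w), acc.verify(b"utxo-4", forged)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third result is the point of the trusted-setup caveat: the accumulator and witness sizes are constant, but soundness rests entirely on nobody holding phi(N), which is a very different assumption from the collision resistance a Merkle Mountain Range relies on.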
- BLS Signatures
  - Boneh, Lynn, Shacham
  - Pros:
    - Non-interactive kernel aggregation
    - Simpler multisigs
  - Cons:
    - Breaks scriptless scripts
    - Slower to validate than Schnorr
    - Different security assumptions
Created February 3, 2019 02:26
Building Mimblewimble/Grin, an implementation for privacy and scalability (SBC19)