How Mimblewimble Could Make Bitcoin Work Better




Mimblewimble claims to use a new cryptographic protocol that could revolutionize the way bitcoin works, making it more scalable and private.


The protocol generates a blinding factor that can prove ownership of bitcoins, making private keys unnecessary, and it offers a way to balance bitcoin privacy against fungibility while also improving scalability, according to a white paper that appeared mysteriously on a bitcoin research site, authored by a person using a pseudonym.

The author refers to himself as “Tom Elvis Jedusor,” a name taken from the Harry Potter novels.


Bitcoin’s Verification Challenge


Bitcoin is the first widely used financial system for which all the necessary data to validate the system status can be cryptographically verified by anyone, the white paper notes.

It accomplishes this by storing all transactions in a public database called “the blockchain.” Anyone who wants to check the current state has to download the whole chain and replay each transaction, checking each one as they go.

It would be easier if an auditor only had to check data on the outputs themselves, but this is not possible, since an output is only valid if it sits at the end of a chain of prior outputs. The whole blockchain has to be validated to confirm the final state.

Because transactions are cryptographically atomic, it is clear which outputs go into and come out of every transaction. The resulting “transaction graph” reveals a lot of information and is analyzed by numerous companies whose business model is to monitor and control the lower classes.

This makes it very non-private and even dangerous to use.

Proposed Solutions

Some solutions to this have been proposed, Jedusor notes. Greg Maxwell discovered how to encrypt the amounts so that the transaction graph is obscured but the sums still validate. Maxwell also produced CoinJoin, a system that lets bitcoin users interactively combine transactions, confusing the transaction graph.

Nicolas van Saberhagen developed a system to blind the transaction entries, further clouding the transaction graph. Shen Noether combined the two approaches to obtain the “confidential transactions” of Maxwell and the “darkening” of van Saberhagen.

These solutions would make bitcoin safe, Jedusor observes. But they also add a great deal of data. Confidential transactions require multi-kilobyte proofs on every output. Van Saberhagen signatures require every output to be stored forever, as it is not possible to tell when they are spent.

Maxwell’s CoinJoin needs interactivity. Yuan Horas Mouton fixed this by making transactions freely mergeable, but he had to use pairing-based cryptography which can be slower and harder to trust. He called this “one-way aggregate signatures” (OWAS).

OWAS combined the transactions in blocks. It could be possible to combine across blocks (perhaps with some glue data) so that when the outputs are created and destroyed, it is as if they never existed, Jedusor notes.

Then, to validate the entire chain, users only need to know when money enters the system (new money in each block as in bitcoin or Monero or peg-ins for sidechains) and final unspent outputs. The rest can be removed and forgotten.

The result is confidential transactions to hide the amounts and OWAS to obscure the transaction graph, while using less space than bitcoin for users to fully verify the blockchain.

Mimblewimble prevents the blockchain from referencing all of a user’s information, Jedusor observes.

Confidential Transactions

The first step is to remove bitcoin Script. It is too powerful, so it is impossible to merge transactions using general scripts.

Instant transaction

Maxwell’s Confidential Transactions are enough (after some small modification) to authorize the spending of outputs and also to make combined transactions without interaction. This is identical to OWAS, enabling the relaying nodes to take some transaction fee or the recipient to change the transaction fee. Bitcoin cannot do these additional things.

In Confidential Transactions, each amount is encoded by the following equation: C = r*G + v*H.

C is a Pedersen commitment, G and H are fixed nothing-up-my-sleeve elliptic curve group generators, v is the amount, and r is a secret random blinding key.

Attached to this output is a rangeproof proving that v is in [0, 2^64], so the user cannot exploit the blinding to produce overflow attacks, etc.

To validate a transaction, the verifier adds the commitments of all outputs, plus f*H (f being the transaction fee, which is given explicitly), and subtracts all input commitments. The result must be 0, proving that no amount was created or destroyed overall.

To create such a transaction, the user has to know the sum of the r-values of the commitments entering the transaction. Therefore, r-values (and their sums) serve as secret keys. If the r-values of the outputs are known only to the recipient, an authentication system exists. Unfortunately, if we keep the rule that all commitments add up to zero, this is impossible, since the sender knows the sum of all his r-values, and therefore knows that the recipient’s r-values sum to the negative of that.

Instead, the transaction is allowed to sum to a non-zero value, k*G, and a signature of an empty string with k*G as the key is required, proving that its amount component is zero.

The transactions can have as many k*G values as they want, each with a signature, and sum them up during verification.

Creating Transactions

To create transactions, the sender and recipient do the following:

1) The sender and recipient agree on the amount to send. Call this b.

2) The sender creates a transaction with all inputs and change output(s), and gives the recipient the total blinding factor (r-value of change minus r-values of inputs) along with the transaction. The commitments sum to r*G – b*H.

3) The recipient chooses random r-values for his outputs, and values that sum to b minus fee, then adds these to the transaction (including range proof). Now the commitments sum to k*G – fee*H for some k that only the recipient knows.

4) The recipient attaches the signature with k to the transaction, and the explicit fee.

Creating transactions like this supports OWAS already. To demonstrate this, consider two transactions with surpluses k1*G and k2*G and the signatures attached to these. Combine the lists of inputs and outputs of the two transactions, add both k1*G and k2*G to the mix, and the result is again a valid transaction. From the combination, it is not possible to know which outputs or inputs came from which original transaction.

Because of this, the block format changes from bitcoin to this information:

1) Explicit amounts for new money (block subsidy or sidechain peg-ins) with whatever else data this needs. For a sidechain peg-in, it may reference a bitcoin transaction that commits to a specific excess k*G value.

2) Inputs of all transactions.

3) Outputs of all transactions.

4) Excess k*G values for all transactions.

Each list is grouped together because the original transaction boundaries no longer matter. In addition, lists 2, 3 and 4 should be stored in sorted (lexicographic) order, since this is quick to check and prevents the block creator from leaking any information about the original transactions.

The outputs are now identified by their hash, rather than by their position in a transaction, which could easily change. Therefore, having two identical unspent outputs at the same time should be banned to avoid confusion.

Merging Transactions

Maxwell’s Confidential Transactions have already been used above to create a non-interactive version of his CoinJoin within a block. The same idea is now extended to show how it applies across several blocks.

Each block can be seen as one large transaction. To validate it, add the output commitments together, then subtract the input commitments, k*G values, and the explicit input amounts times H. The transactions from two blocks can be combined to form a single block, resulting again in a valid transaction.

The difference is that some output commitment now has an input commitment equal to it, wherever the first block’s output is spent in the second block. Both commitments can be removed and the result is still a valid transaction. There is not even a need to check the rangeproof of the deleted output.

The extension of this idea, all the way from the genesis block to the latest block, shows that each non-explicit input is deleted with its referenced output. All that remains are the unspent outputs, explicit input amounts and every k*G value.

The entire mess can be validated as if it were one transaction by adding all unspent output commitments, subtracting all the k*G values, validating the explicit input amounts (if there is anything to validate) and subtracting them times H. If the sum is zero, the complete chain is good.
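As an added illustration of both the four transaction-building steps above and the block merging and cut-through just described, here is a small pure-Python model of the arithmetic (not code from the white paper or from any Mimblewimble implementation). It assumes secp256k1 as the curve, derives a second generator H by hashing a fixed label onto the curve, uses an ordinary Schnorr signature of the empty string for the excess k*G, and omits rangeproofs entirely, so the toy trusts amounts to be non-negative. Fees are kept explicit and are not paid to a miner output.

```python
# Toy Mimblewimble arithmetic (added example, not the whitepaper's or any project's code):
# Pedersen commitments on secp256k1, the sender/recipient steps, excess signatures,
# non-interactive merging and cut-through. Rangeproofs are omitted.
import hashlib
import secrets

# secp256k1 field prime, group order and base point G.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Point addition; None is the point at infinity (the group's zero)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod N, so negatives work."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def second_generator():
    """Nothing-up-my-sleeve H (assumed derivation): hash a label to an x-coordinate
    and lift it onto the curve by try-and-increment, so nobody knows log_G(H)."""
    x = int.from_bytes(hashlib.sha256(b"toy-mimblewimble-H").digest(), "big") % P
    while True:
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # P = 3 mod 4: a square root iff y2 is a square
        if y * y % P == y2:
            return (x, y)
        x = (x + 1) % P

H = second_generator()
rand_scalar = lambda: secrets.randbelow(N - 1) + 1

def commit(r, v):
    """Pedersen commitment C = r*G + v*H."""
    return add(mul(r, G), mul(v, H))

def ser(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def sign_excess(k):
    """Schnorr signature of the empty message under the public key k*G."""
    a = rand_scalar()
    R = mul(a, G)
    e = int.from_bytes(hashlib.sha256(ser(R) + ser(mul(k, G)) + b"").digest(), "big")
    return (R, (a + e * k) % N)

def verify_excess(X, sig):
    R, s = sig
    e = int.from_bytes(hashlib.sha256(ser(R) + ser(X) + b"").digest(), "big")
    return mul(s, G) == add(R, mul(e, X))

def build_transaction(inputs, amount, fee):
    """Steps 1-4 of the text. inputs are (r, v) coins the sender owns; neither
    party ever learns the other's blinding factors, only the recipient knows k."""
    total_in = sum(v for _, v in inputs)
    r_change = rand_scalar()                      # step 2: sender's change output
    change = (r_change, total_in - amount)
    blinding_total = (r_change - sum(r for r, _ in inputs)) % N  # handed to recipient
    r_recv = rand_scalar()                        # step 3: recipient's own blinding
    recv = (r_recv, amount - fee)
    k = (blinding_total + r_recv) % N             # commitments now sum to k*G - fee*H
    tx = {"inputs": [commit(r, v) for r, v in inputs],
          "outputs": [commit(*change), commit(*recv)],
          "fee": fee,                             # step 4: explicit fee and signature
          "excess": [(mul(k, G), sign_excess(k))]}
    return tx, recv

def verify(tx, new_money=0):
    """sum(outputs) + fee*H - sum(inputs) - new_money*H must equal the sum of the
    excess points, and every excess point must carry a valid signature."""
    acc = mul(tx["fee"] - new_money, H)
    for c in tx["outputs"]:
        acc = add(acc, c)
    for c in tx["inputs"]:
        acc = add(acc, neg(c))
    excess_sum = None
    for X, sig in tx["excess"]:
        if not verify_excess(X, sig):
            return False
        excess_sum = add(excess_sum, X)
    return acc == excess_sum

def merge(tx1, tx2):
    """Non-interactive aggregation: concatenate and sort the lists, add the fees."""
    out = {key: sorted(tx1[key] + tx2[key]) for key in ("inputs", "outputs", "excess")}
    out["fee"] = tx1["fee"] + tx2["fee"]
    return out

def cut_through(tx):
    """Drop every commitment that appears both as an input and as an output."""
    spent = set(tx["inputs"]) & set(tx["outputs"])
    return {**tx, "inputs": [c for c in tx["inputs"] if c not in spent],
            "outputs": [c for c in tx["outputs"] if c not in spent]}

def demo():
    """Constructed chain: 50 new coins, paid forward twice, merged, then cut through."""
    r0 = rand_scalar()                            # explicit new money of 50
    tx0 = {"inputs": [], "outputs": [commit(r0, 50)], "fee": 0,
           "excess": [(mul(r0, G), sign_excess(r0))]}
    tx1, coin1 = build_transaction([(r0, 50)], amount=30, fee=1)
    tx2, _ = build_transaction([coin1], amount=10, fee=1)
    chain = merge(merge(tx0, tx1), tx2)
    pruned = cut_through(chain)
    return {"tx1": verify(tx1), "chain": verify(chain, new_money=50),
            "pruned": verify(pruned, new_money=50),
            "inflated": verify(pruned, new_money=51),
            "outputs_left": len(pruned["outputs"]), "inputs_left": len(pruned["inputs"])}
```

Running `demo()` shows the three properties the text relies on: each transaction verifies on its own, the merged chain verifies as one big transaction against the explicit new money, and after cut-through only the three unspent outputs remain while the check still passes; claiming one extra unit of new money makes the sum non-zero and the check fails.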

When a user downloads the chain, the following data is needed from each block:

1) Explicit amounts for new money (block subsidy or sidechain peg-ins) with whatever else data this needs.

2) Unspent outputs of all transactions, along with a merkle proof that each output appeared in the original block.

3) Excess k*G values for all transactions.

Bitcoin currently has about 423000 blocks, totaling around 80GB of data on the hard drive to validate everything. The data represents around 150 million transactions and 5 million unspent, non-confidential outputs.

Each unspent output on a Mimblewimble chain is around 3Kb for rangeproof and Merkle proof. Each transaction adds around 100 bytes: a k*G value and a signature.

The block headers and explicit amounts are negligible. Added together this is 30Gb – with an obscured transaction graph and a confidential transaction.


Questions and Intuition

The following questions arise.

Q: If you delete the transaction outputs, the user cannot verify the rangeproofs, and maybe a negative amount was created.

A: This is acceptable. For the entire transaction to validate, all negative amounts must have been destroyed. Users have SPV security only that no illegal inflation happened in the past, but the user knows that at this time, no inflation occurred.

Q: If you delete the inputs, double spending can happen.

A: In fact, this means someone may claim that an unspent output was already spent at some point in the past. But this is impossible, since otherwise the sum of the combined transaction could not be zero.

An exception is that if outputs have amount zero, it is possible to make two that are negatives of each other, and the pair can be revived without breaking anything. So to prevent consensus problems, 0-amount outputs should be banned. Just add H to each output.

Every output then commits to an amount of at least 1.

Future Research

Here are some questions that cannot be answered at the time of this writing.

1) What script support is possible? One would need to translate script operations into some discrete logarithm information.

2) Users are required to check all k*G values when in fact all that is needed is that the sum is of the form k*G. Instead of using signatures, is there another proof of discrete logarithm that could be combined?

3) There is a denial-of-service opening when a user downloads the chain. A peer can serve gigabytes of data and list the wrong unspent outputs. The user will see that the results do not add up to 0, but cannot tell where the problem is.

For now, maybe the user should just download the blockchain from a Torrent or something where the data is shared between many users and is reasonably likely to be correct.

Images from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.


1 Comment

  1. Ade

    September 4, 2016 at 11:25 pm

    Is that you Dr Satoshi ?