@Haseeb-Qureshi
Created February 3, 2019 02:26
Building Mimblewimble/Grin, an implementation for privacy and scalability (SBC19)

Speaker: Quentin Le Sceller

  • MimbleWimble
    • Proposed anonymously in IRC by Tom Elvis Jedusor
    • Private by default
    • Massively prunable
    • Relies solely on elliptic curve cryptography
    • No scripting
  • MW transactions consist of:
    • Inputs (reference to old outputs)
    • Outputs (confidential transactions + range proofs)
    • Kernel: outputs - inputs - fee, plus a signature
      • Every kernel should be a commitment to 0, since outputs - inputs - fee must equal 0
    • A node storing the chain can aggressively prune all "cut-through" transactions, keeping just block headers and kernels
  • Grin
    • Oct 20 2016, "Ignotus Peverell" began the first implementation of MimbleWimble
    • Principles: simple, private, scalable
    • Consists of more than just MimbleWimble
  • Other Grin building blocks:
    • Merkle Mountain Ranges
      • Created by Peter Todd
      • A Merkle Tree that can grow dynamically
      • Logarithmic inclusion proofs
      • In Grin:
        • Stores kernels, outputs, and rangeproofs
        • Enables fast sync
        • Accumulator for the UTXO set
        • Allows unique proofs of the existence & unspent-ness of any output
    • Proof of work
      • In 2016, no real alternatives to PoW (PoS was experimental)
      • John Tromp's Cuckoo Cycle was chosen by Ignotus:
        • Simple design (spec is only 42 lines)
        • Memory bound
        • Initially believed to be ASIC resistant due to memory requirements
      • Come August 2018, secret ASIC mining on day 1 seemed plausible
      • Realized that ASICs could not be avoided (following the Zcash and Monero ASICs)
        • Would compromise fair distribution
        • Would lead to mining centralization
      • Decided to switch to dual PoW
        • Primary PoW: Cuckoo Cycle, which is ASIC-friendly
        • Secondary PoW: Equihash, but with higher memory requirements to target GPUs (7 GB+)
        • Secondary PoW would be tweaked every 6 months
      • John Tromp adapted Cuckoo Cycle to be both ASIC-friendly and ASIC-resistant
        • For ASICs: Cuckatoo31+ - 2^31 edges or more
          • Simplifies ASIC design
          • Can be mined on 11 GB CPU initially
          • 10% of rewards at launch, linearly increases to 100% in 2 years
        • For GPUs: Cuckaroo29 - 2^29 edges
          • Can be mined on 5.5 GB
          • Continually tweaked to maintain ASIC resistance for 2 years
          • 90% of rewards at launch, linearly decreasing to 0 in 2 years
        • This encourages a competitive market for ASICs by the time ASIC mining matures
    • Switch commitments
      • Quantum computers are expected to break confidential transactions
      • Can introduce a safety switch into confidential transactions
        • Later require the user to reveal an ElGamal commitment to spend the output
      • Iterated over several attempts to create a good scheme for switch commitments
      • Merged a final version in Dec 2018
    • Community
      • Organic growth since 2016
        • Attracted by fairness of the new coin
        • Nonprofit nature
        • Experimental protocol
      • Many community projects
        • Mining pools
        • Alternative implementation
        • Open source mining software (with "fair mining license")
        • Open source block explorer
        • Mobile and desktop wallets
        • Grin conferences (Grincon0, GrinconUS)
  • Launched on January 15
    • Full Grin node
    • Command line wallet w/ REST API
    • Integrated Stratum Server
  • Future Work
    • Near future:
      • Atomic swaps
      • Relative locks (timelocks, that is)
      • Flyclient
      • Dandelion++
    • Research (far future):
      • Vaults/covenants
      • RSA Accumulators
      • Scriptless Scripts
      • BLS signatures
  • FlyClient
    • Created by Loi Luu, Benedikt Bünz, Mahdi Zamani (2017)
    • Store the Merkle Mountain Range root in the block header to quickly check blockchain validity
    • Enables light clients and allows full nodes to quickly identify longest chain
    • Already stored in block headers in Grin! But not yet being used.
  • RSA Accumulators
    • Boneh, Bünz, Fisch (2018)
    • In Grin: replace the Merkle Mountain Range with an RSA Accumulator
    • Nice because:
      • Removes the Merkle Mountain Ranges (kernel, header, outputs) for a more compact structure
      • Constant size regardless of total state
    • Cons:
      • Different security assumptions (RSA), not quantum-resistant
      • Requires trusted setup (need to generate an unknown RSA modulus)
  • BLS Signatures
    • Boneh, Lynn, Shacham
    • Pros:
      • Non-interactive kernel aggregation
      • Simpler multisigs
    • Cons:
      • Breaks scriptless scripts
      • Slower to validate than Schnorr
      • Different security assumptions