Mimblewimble: A non-technical guide to cryptocurrency privacy
Learn about the meaning behind the jargon and why privacy cryptocurrencies are so challenging.
- Mimblewimble combines several individual privacy features.
- Each of these features adds a different facet of privacy.
- Hiding user info while ensuring a system can still verify the correctness of a transaction is difficult.
Mimblewimble is a bundle of cryptocurrency privacy features that have been assembled in a unique way. The end result is that when you use a Mimblewimble-based cryptocurrency, your transactions are completely private to everyone except you and the recipient.
The transaction values are invisible, the recipient is unknown and it's impossible to track people down by following a transaction record. At the same time, it shows signs of being a relatively lightweight and practical privacy protocol.
Where Mimblewimble began
Mimblewimble is the name of the tongue-tying magic spell from the Harry Potter series.
Mimblewimble creator, the pseudonymous Tom Elvis Jedusor (it's Voldemort's given name in the French translation of the Harry Potter series) said it was a suitable name because in both worlds Mimblewimble is designed to prevent the revealing of secrets.
The protocol is a response to the unique challenges of facilitating private, anonymous transactions on a public blockchain.
The problem is that public blockchains require a network, typically via its miners, to verify users' transactions. To verify these transactions, a miner must automatically confirm details such as whether a user actually has the coins they're trying to send, and who they're sending it to. Basically, the "correctness" of a transaction has to be verified to keep a network running as it should.
The question is how can miners verify transactions without actually knowing any of the details of the transactions they're verifying?
A lot of extremely clever work was needed to solve this seemingly impossible problem, and different privacy protocols have emerged as a result. To date, the most widely used privacy protocols are Zerocoin (as used in Horizen, Zcash and others), CryptoNote (as used in Monero) and now Mimblewimble.
How Mimblewimble works
Picture a cryptocurrency transaction as unlocking and walking through a door.
The door is the receiving wallet (a public wallet address), while your private key is the key used to unlock that door. The doors can only be unlocked by whoever has the key. The end result is that cryptocurrency is safe even though it's public for the same reason your house is safe even though it's sitting on the street – the doors are locked.
The challenge is finding a way for the network to successfully observe people unlocking and coming and going from all the houses, without anyone actually being able to see it.
Two key ingredients
There are two key ingredients for enabling people to actually unlock doors and walk into houses on the blockchain.
The first ingredient is "public key cryptography." This is the technique of safely matching private keys with public addresses to unlock doors, without the keys being stolen or copied.
The second ingredient is blockchain technology. When first deployed, it created ways of reliably programming unbreakable rules into this kind of system. For example, "you must have the right key to enter a house" and "you can't break in through a window."
With these two key ingredients, public key cryptography and blockchain, you now have the foundation of cryptocurrency: a system where people can use keys to unlock doors, aka send cryptocurrency transactions.
The problem is the network still needs to verify the correctness of transactions. Essentially, it needs a way to watch people unlock doors and walk through them, so they still need some way of seeing who's unlocking and walking through doors to keep this system working. But to keep things private, this observation needs to be programmed entirely into the blockchain back end and secured in a way that prevents people from reverse-engineering details such as wallet addresses or transaction values from it.
Mimblewimble combines three techniques to solve this problem:
- Confidential Transactions: These conceal who and when someone walks through a door (conceals transaction value and individual coins).
- CoinJoins: These conceal who unlocks a door (conceals public addresses).
- Dandelion: This conceals where the door is (conceals the sender of a transaction).
All were proposed for bitcoin, but never really implemented.
This system was first devised by bitcoin developer Adam Back then refined into a more usable form by Gregory Maxwell.
It essentially breaks up a single transaction into multiple parts while sending them through, as well as hiding the real values of each part of a transaction.
The reason miners can still verify that someone has all the money they're trying to send, and that they haven't broken up a transaction into parts that are equal to more money than they have, is because it's based on a system of "homomorphic encryption" with the use of "blinding factors."
- Homomorphic encryption: This is an algorithm for splitting numbers (such as the value of a transaction) into multiple parts in a way that the parts will always be equal to the whole.
- Blinding factors: This is a system that throws random numbers into the mix to conceal the values of each part of the homomorphically encrypted transaction.
Put them together and you have a system where the values of each transaction and the histories of individual coins are hidden from public view, while the system is still able to guarantee the correctness of transactions.
Observers cannot see the value of transactions because they only get those blinding factors, but the system can still verify the correctness of transactions by reverse-engineering the homomorphic transactions based on how much money it "knows" was being sent.
This protects privacy by hiding the values of individual transactions. It also protects privacy by breaking transactions down and making it much more difficult to track individual transaction histories.
It's now almost impossible to prove that someone was sending or receiving tainted cryptocurrency because it's almost impossible to tell one transaction apart from each other. This prevents people from tracking transaction histories.
Confidential Transactions were never implemented in bitcoin.
CoinJoin is a system of cooperative anonymity first proposed by Gregory Maxwell. It essentially groups multiple transactions into a single transaction to hide the details of who sent what.
Say three people named A, B and C want to individually send money to three people respectively named X, Y and Z.
If they each just sent the money without CoinJoin, anyone could see that A sent money to X, B sent money to Y and C sent money to Z.
But with CoinJoin, you'd only be able to see that A, B and C sent money to X, Y and Z. You can't tell who sent how much to whom. In its initial form, CoinJoins were simply done as agreements between multiple bitcoin users who wanted to mutually benefit from improved privacy and who would meet in chat rooms to organise it.
CoinJoins were then made safer and easier with purpose-built tools such as specially designed wallets that could programmatically group the transactions of users without them needing to cooperate.
But these were still informal arrangements, subject to problems such as needing to trust that the other party wasn't recording details of your joined transaction. With traditional CoinJoins, the FBI (for example) could quickly build a database of suspect transactions simply by posing as a CoinJoin counterpart.
To solve this, effective CoinJoins would need to be built into a cryptocurrency at ground level in a way that all users are automatically CoinJoining.
Mimblewimble accomplished this with a system utilising "one way aggregate signatures" (OWAS), an evolution suggested in 2013 by the presumably pseudonymous Horas Yuan Mouton. It basically has the result of bundling up all the transactions that are being sent on a block into one big transaction, while still ensuring that the right amount ends up with the correct recipients.
How One Way Aggregate Signatures work
Signatures are how cryptocurrency transactions are signed by users. So if Bob wants to send Jane 2 BTC, he would sign a message saying "take 2 BTC from Bob and give 2 BTC to Jane."
This message is broadcast to the blockchain, and the blockchain gets it done.
But with OWAS, that message is split into its two separate parts:
- "Take 2 BTC from Bob"
- "Give 2 BTC to Jane."
And both are broadcast to the blockchain separately. This severs the transaction trail between Bob and Jane. The reason these can still be verified for correctness is because Bob has signed both messages, so the blockchain can see that everything's in order.
The "aggregate" part of OWAS comes into play with other blockchain users. Bob isn't the only person sending a transaction on that block, so his signatures and signed messages are all aggregated with other users, and bundled into one big transaction which can itself still be verified as correct because all the signatures in it are correct.
The "one way" part refers to the fact that this big aggregated signature cannot be reverse engineered into its separate senders. In the end, you can tell that Bob sent 2 BTC, and you can tell that Jane received 2 BTC, but you can't say that Bob sent 2 BTC to Jane.
CoinJoins were used in bitcoin, but it was never built in on the protocol level using Mouton's OWAS.
Dandelion is a solution to the problem of being able to guess the physical location of a transaction sender. It was first assembled by a joint team of seven researchers from Carnegie Mellon, MIT and the University of Illinois.
It's possible to make an educated guess at a sender's identity because although the blockchain is global, its users and nodes still have some kind of physical real-world location, and network latency (as an effect of the real-world distance between users) will affect how quickly network nodes are able to detect a transaction.
The end result is that whenever someone sends a bitcoin transaction, it ripples through the network. A transaction hits the closest nodes first and then further nodes a bit later.
Observers with the right know-how and the right equipment are able to watch these ripples as they emerge from specific transactions. Eventually, with enough observation, it's possible to deduce the real-world location of a user based on recurring ripple patterns.
Dandelion is a way of solving this problem on the protocol level. It works by bouncing a transaction from the initial sender to a semi-random node before it begins propagating across the network.
The end result is essentially that the ripples which might give away someone's location will be appearing semi-randomly and will no longer have much bearing on the actual location of the sender.
It's called Dandelion because when you chart the path of a transaction made with dandelion, it looks like a dandelion. First, the transaction bounces to another node (forming the stem) and then it explodes into the fluffy bulb when other nodes start propagating the transaction.
It can still be verified for correctness because the initial transaction is still just as good.
The researchers who discovered Dandelion briefly implemented it in a small set of test nodes on the bitcoin network, but it was never implemented on the protocol level.
Put it all together and you get Mimblewimble
A lot of ingredients have gone into Mimblewimble, each of which was devised and improved on by different researchers. All of them were also originally devised for bitcoin, but for various reasons never made it into bitcoin at the protocol level.
The pseudonymous Mimblewimble creator, Tom Elvis Jedusor, was the one who first managed to put all of these developments together into a workable form. As you can imagine, this wouldn't have been easy given how some of these improvements might have confounded the others.
The end result is a system for allowing almost completely anonymous and untraceable transactions, where almost no information whatsoever can be gleaned from the blockchain but transactions still process smoothly.
Disclosure: At the time of writing, the author holds ETH.
- Phil Wilson: Satoshi Nakamoto was Craig Wright, Dave Kleiman and I
- Hybrid public-private blockchains in the real world – Part 2
- eToro launches 8 brand new stablecoins with eToroX exchange
- Bitcoin SV melts under the spotlight. Delistings, lawsuits and fraud accusations
- 23 highlights from the Ethereum core developer Q&A at EDCON 2019