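% Mimblewimble: Private, Massively-Prunable Blockchains
% Beamer slides, Andrew Poelstra, November 21, 2016.
%
% Source hygiene applied on review (no slide content was removed):
%   - \def -> \newcommand* (no silent redefinition), obsolete `epsfig'
%     dropped (graphicx is already loaded and is what \includegraphics uses);
%   - the eight single-illustration slides share one macro instead of
%     eight copies of the same frame; \begin{center} -> \centering;
%   - typos fixed ("verifable", "unsigned transaction outputs" for
%     "unspent", "Gb" for "GB") and two security caveats spelled out on the
%     trust-model and open-problems slides.
\documentclass{beamer}
\usetheme{Warsaw}
\usecolortheme{crane}
\setbeamertemplate{footline}[page number]
\setbeamertemplate{navigation symbols}{}

\usepackage{amsfonts,amsmath,latexsym,color,graphicx,multirow,rotating}

% Horizontal gap macro. Not referenced by any slide below; kept so that any
% material \input-ed alongside this deck keeps compiling.
\newcommand*{\hs}{\hspace{0.4cm}}

% One slide holding a single centred illustration.
%   #1 = frame title, #2 = \includegraphics scale factor, #3 = image file.
\newcommand*{\figureframe}[3]{%
  \begin{frame}
    \frametitle{#1}
    \centering
    \includegraphics[scale=#2]{#3}
  \end{frame}%
}

\title{Mimblewimble: Private, Massively-Prunable Blockchains}
\author{Andrew Poelstra}
\institute{\texttt{grindelwald@wpsoftware.net}}
\date{November 21, 2016}

\begin{document}

\begin{frame}
  \titlepage
\end{frame}

\begin{frame}
  \frametitle{History}
  \begin{itemize}
    \item<1-> 04:30 UTC, August 2nd, 2016: ``Tom Elvis Jedusor'' posts a
      .onion link to a text file on IRC, titled MIMBLEWIMBLE and dated
      July 19.
    \item<2-> Next morning: Bryan Bishop and I verify it's actually just
      text and rehost it.
    \item<3-> Following week: discussion on Reddit with Greg Sanders and
      others leads to understanding Mimblewimble's trust model, and hints
      that the new crypto has merit.
    \item<4-> September: Avi Kulkarni and I develop an extension,
      ``sinking signatures'', to greatly improve its scaling properties.
    \item<5-> October 8th: released a paper showing Avi's and my work for
      Scaling Bitcoin Milan.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{History}
  \begin{itemize}
    \item<1-> At 23:47 UTC, October 20, ``Ignotus Peverell'' appeared on
      IRC announcing a project to implement Mimblewimble.
    \item<2-> A few minutes later, Bryan Bishop called me to tell me to
      join the conversation. I pointed out that aggregate signatures give
      space savings on top of the Voldemort scheme, even without new
      crypto.
    \item<3-> Other Harry Potter characters arrived over the next few
      weeks; the project continues to move forward. Though I've been
      involved with the project, I have not contributed any code.
    \item<4-> I am not Ignotus Peverell.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{What is Mimblewimble?}
  \begin{itemize}
    \item<1-> Mimblewimble is a design for a blockchain-based ledger that
      is very different from Bitcoin.
    \item<2-> It can be implemented as a sidechain, or softforked into
      Bitcoin (as an extension block).
    \item<3-> In Bitcoin transactions, old outputs sign new outputs;
      outputs have ``script pubkeys'' that are independent of each other.
      In Mimblewimble transactions, outputs have only EC pubkeys, and the
      difference between new outputs' keys and old ones' is multisigned by
      all transacting parties.
    \item<4-> Mimblewimble transactions are inherently scriptless.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Mimblewimble Transactions}
  A Mimblewimble transaction is the following data:
  \begin{itemize}
    \item<1-> Inputs (references to old outputs).
    \item<2-> Outputs: confidential transaction outputs (group elements,
      which blind and commit to amounts), plus rangeproofs.
    \item<3-> Excess: difference between outputs and inputs (group
      element), plus a signature with the excess as its public key. The
      signature both authenticates the transaction and proves
      non-inflation: it can only be produced if the excess carries no
      hidden amount.
  \end{itemize}
\end{frame}

%% Illustration of two-transaction merge and cut-through
\figureframe{Mimblewimble Transactions}{0.09}{onetx/onetx-1.png}
\figureframe{Mimblewimble Transactions}{0.09}{onetx/onetx-2.png}
\figureframe{Mimblewimble Transactions}{0.09}{onetx/onetx-3.png}
\figureframe{Mimblewimble Transactions}{0.09}{onetx/onetx-4.png}

\begin{frame}
  \frametitle{Mimblewimble Blocks}
  Blocks consist of:
  \begin{itemize}
    \item<1-> A merkle tree of transaction inputs.
    \item<2-> A merkle tree of transaction outputs and rangeproofs.
    \item<3-> A list of excess value(s) and signature(s).
  \end{itemize}
\end{frame}

%% Illustration of full blockchain merge and cut-through
\figureframe{Mimblewimble Transactions}{0.06}{8txes/8txes-1.png}
\figureframe{Mimblewimble Transactions}{0.06}{8txes/8txes-2.png}
\figureframe{Mimblewimble Transactions}{0.06}{8txes/8txes-3.png}
\figureframe{Mimblewimble Transactions}{0.06}{8txes/8txes-4.png}

\begin{frame}
  \frametitle{Trust Model: Transactions}
  A transaction is valid if:
  \begin{itemize}
    \item<1-> It is non-inflationary (total input amount equals total
      output amount).
    \item<2-> The owner(s) of the input(s) have signed off on it: the
      excess signature can only be produced by parties who know the
      inputs' blinding factors.
    \item<3-> \includegraphics[scale=0.06]{tx-wide.png}
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Trust Model: Blockchain}
  It should be verifiable that
  \begin{itemize}
    \item<1-> A transaction, once committed to a block, cannot be reversed
      without doing enough work to rewrite the block (and all its
      descendants).
    \item<2-> The current state of all coins reflects zero net theft and
      inflation.
    \item<3-> \emph{The exact historical sequence of transactions does not
      need to be publicly verifiable.}
    \item<4-> \includegraphics[scale=0.06]{tx-wide.png}
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Trust Model: Block Verification}
  It is possible to verify the blockchain with only the following data:
  \begin{itemize}
    \item<1-> Block headers
    \item<2-> Unspent outputs from each block
    \item<3-> Excess values and signatures. These must never be pruned:
      they are what proves the current UTXO set was reached without
      inflation or theft, even though the spent outputs are gone.
    \item<4-> Rangeproofs for the above (witness data)
    \item<5-> Full blocks near the tip should be kept to handle reorgs
    \item<6-> In Bitcoin there are 150 million transactions and 40 million
      unspent transaction outputs: 21.6\,GB of historic data, 2\,GB of
      UTXOs and 100\,GB of UTXO rangeproofs.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Next Steps}
  \begin{itemize}
    \item<1-> Development, development, development!
    \item<2-> Nail down chain parameters
    \item<3-> Sidechain / asset support
    \item<4-> More crypto ;)
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Open Problems}
  \begin{itemize}
    \item<1-> Unconditionally sound commitments and rangeproofs. The
      commitments used here are only computationally binding: a
      discrete-log break would allow inflation that the pruned chain
      cannot detect after the fact.
    \item<2-> Smaller rangeproofs? Aggregation of rangeproofs?
    \item<3-> Peer-to-peer protocol that can handle transaction merging
    \item<4-> Quantum resistance
  \end{itemize}
\end{frame}

\begin{frame}[plain]
  \centering
  \vfill
  {\Large Thank You\par}
  \bigskip
  Andrew Poelstra\par
  \texttt{grindelwald@wpsoftware.net}
  \vfill
\end{frame}

\end{document}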