\def\hs{\hspace{0.4 cm}} \documentclass{beamer} \usetheme{Warsaw} \usecolortheme{crane} \setbeamertemplate{footline}[page number] \beamertemplatenavigationsymbolsempty \title{Mimblewimble: Private, Massively-Prunable Blockchains} \author{Andrew Poelstra} \institute{\texttt{grindelwald@wpsoftware.net}} \date{January 27, 2016} \usepackage{amsfonts,amsmath,latexsym,color,epsfig,graphicx,multirow,rotating} \begin{document} \frame{ \maketitle } \frame { \frametitle{What is Mimblewimble?} \begin{itemize} \item <1-> Mimblewimble is a design for a blockchain-based ledger that is very different from Bitcoin. \item <2-> In Bitcoin transactions, old outputs sign new outputs; outputs have ``script pubkeys'' that are independent of each other. In Mimblewimble transactions, outputs have only EC pubkeys, and the difference between new outputs' keys and old ones' is multisigned by all transacting parties. \item <3-> These outputs, or ``transaction kernels'', are the only thing that needs to be retained in the blockchain. \item <4-> Mimblewimble outputs (and inputs) are inherently scriptless. \end{itemize} } \frame { \frametitle{History} \begin{itemize} \item <1-> 04:30 UTC, August 2nd, 2016: ``Tom Elvis Jedusor'' posts a .onion link to a text file on IRC and disappears \begin{center} \includegraphics[scale=0.33]{majorplayer.png} \end{center} \item <2-> Next morning: myself and Bryan Bishop verify it's actually just text and rehost it. \item <3-> Following week: discussion on Reddit with Greg Sanders and others leads to understanding Mimblewimble's trust model, and hints that the new crypto has merit. \item <4-> October 8th: paper shows Avi Kularni's and my work extending/formalizing this; presented at Scaling Bitcoin Milan \end{itemize} } \frame { \frametitle{History} \begin{itemize} \item <1-> At 23:47 UTC, October 20, ``Ignotus Peverell'' appeared on IRC announcing a project to implement MimbleWimble. \item <2-> A few minutes later, Bryan Bishop called me to tell me to join the conversation. I pointed out that aggregate signatures give space savings on top of the Voldemort scheme, even without new crypto. \item <3-> Other Harry Potter characters arrived over the next few weeks; the project continues to move forward. Though I've been involved with the project, I have not contributed any code. I am certainly not Ignotus Peverell. \item <4-> January 17th, 2017: I meet with Ethan Heilman of TumbleBit fame. We go back and forth on Lightning, ZKCP, etc., and discover a powerful new primitive to get all these things on MimbleWimble. \item <5-> The next day, Ruben Somsen messaged me on Reddit explaining how to get non-expiring bidirectonal channels. \end{itemize} } \frame { \frametitle{Mimblewimble Transactions} A Mimblewimble transaction is the following data: \begin{itemize} \item <1-> Inputs (references to old outputs). \item <2-> Outputs: confidential transaction outputs (group elements, which blind and commit to amounts), plus rangeproofs. \item <3-> Kernel: algebraically, difference between outputs and inputs (group element); morally a multisignature key for all transacting parties. \item <3-> Kernel signature: the kernel must sign itself to prove that the transaction is honestly constructed; by signing other blockchain-enforced data we can add additional functionality (e.g. locktimes). \end{itemize} } %% Illustration of two-transaction merge and cutthrough \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.09]{onetx/onetx-1.png} \end{center} } \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.09]{onetx/onetx-2.png} \end{center} } \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.09]{onetx/onetx-3.png} \end{center} } \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.09]{onetx/onetx-4.png} \end{center} } %\frame { % \frametitle{Mimblewimble Blocks} % Blocks consist of: % \begin{itemize} % \item <1-> A merkle tree of transaction inputs. % \item <2-> A merkle tree of transaction outputs and rangeproofs. % \item <3-> A list of kernel(s) and their signature(s) % \end{itemize} %} %% Illustration of full blockchain merge and cuttthrough \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.06]{8txes/8txes-1.png} \end{center} } \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.06]{8txes/8txes-2.png} \end{center} } \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.06]{8txes/8txes-3.png} \end{center} } \frame{ \frametitle{Mimblewimble Transactions} \begin{center} \includegraphics[scale=0.06]{8txes/8txes-4.png} \end{center} } \frame { \frametitle{Scaling: Real Numbers} \begin{itemize} \item <1-> In Bitcoin there are 150 million transactions with about 350 million outputs, and 45 million of which are unspent. \item <2-> This takes about 100Gb of space on disk today; with CT this would be over 1Tb! \item <3-> MimbleWimble gives us CT and requires storing: ~15Gb of transaction kernels, headers etc.; 2Gb of unspent outputs, and 100Gb of UTXO rangeproofs. \item <4-> In pre-segwit Bitcoin, none of this is separable ``witness data'' which can be dropped in exchange for trust. In MW the rangeproofs are, leaving less than 20Gb of normative blockchain space. \end{itemize} } %\frame %{ % \frametitle{Trust Model: Transactions} % A transaction is valid if: % \begin{itemize} % \item <1-> It is non-inflationary (total input amount equals total output amount) % \item <2-> The owner of the input(s) has signed off on it. % \item <3-> \includegraphics[scale=0.06]{tx-wide.png} % \end{itemize} %} \frame { \frametitle{Trust Model: Blockchain} It should be verifiable that \begin{itemize} \item <1-> A transaction, once committed to a block, cannot be reversed without doing enough work to rewrite the block (and all its descendants). \item <2-> The current state of all coins reflects zero net theft and inflation. \item <3-> \emph{The exact structure of each individual transaction does not need to be publicly verifiable.} \end{itemize} } \frame { \frametitle{Claim or Refund} \begin{itemize} \item <1-> MimbleWimble supports Information $\Leftrightarrow$ Money \item <2-> Kernels sign not only themselves; but also (optionally) a locktime and a hash. A valid transaction must include the preimage of this hash. \item <3-> To do a hash-locktimed transaction, buying party sends coins to a 2-of-2 multisig output, conditioned on the seller signing a transaction to return the money at a later block. \item <4-> The buyer then signs a transaction sending the money to the seller, signing the hash she wants the preimage to. \item <5-> The seller, to complete the transaction and take the coins, must reveal the preimage. \item <6-> This primitive is the basis of: cross-chain atomic swaps, ZKCP's, Lighting Channels, TumbleBit, and more. \end{itemize} } \frame { \frametitle{Secret Atomic Swaps} \begin{itemize} \item <1-> For atomic swaps, we are exchanging a signature on one transaction for a signature on another. \item <2-> This can be done algebraically such that the two signatures are not related in a publicly verifiable way (and is deniable) \item <3-> Since the locktimed transaction never touches the blockchain unless something goes wrong, the default case is that the atomic swap is indistinguishable from any other transaction. \end{itemize} } \frame { \frametitle{Next Steps} \begin{itemize} \item <1-> Development, development, development! \item <2-> Wallet support: multisig rangeproofs, triggers, secret atomic swaps, etc. \item <3-> ValueShuffle \end{itemize} } \frame { \frametitle{Open Problems} \begin{itemize} \item <1-> Smaller rangeproofs? Aggregation of rangeproofs? \item <2-> Peer-to-peer layer that avoids monitoring (ValueShuffle?) \item <3-> Quantum resistance \end{itemize} } \frame { \frametitle{~} \begin{center} Thank You ~\\~\\ Andrew Poelstra \texttt{} \end{center} } \end{document}