Bitcoin Forum
Author Topic: Bitcoin and MimbleWimble  (Read 670 times)
OmegaStarScream (OP)
March 01, 2022, 01:44:51 PM
Last edit: March 01, 2022, 04:51:48 PM by OmegaStarScream
Merited by vjudeu (5), bitmover (4), NotATether (3), pooya87 (2), Welsh (2), ABCbits (2), NeuroticFish (1), khaled0111 (1)
 #1

I recently came across an article about Litecoin implementing MimbleWimble which I believe was planned for BTC for a couple of years now.

So I'm curious, do you guys have any information about when to expect this upgrade and whether there are some other (maybe better) privacy protocols on the work?

And for those who are unfamiliar with MimbleWimble:

Moreover, Mimblewimble combines cryptographic protocols such as Confidential Transactions (CTs), CoinJoin, Dandelion, and Cut-Through to achieve a higher level of security and anonymity. In general, these protocols help conceal transaction information.

ABCbits
March 02, 2022, 11:20:42 AM
Merited by vjudeu (14), pooya87 (10), Welsh (10), NotATether (10), NeuroticFish (6), OmegaStarScream (4), kawetsriyanto (1)
 #2

Quote
I recently came across an article about Litecoin implementing MimbleWimble which I believe was planned for BTC for a couple of years now.

So I'm curious, do you guys have any information about when to expect this upgrade and whether there are some other (maybe better) privacy protocols on the work?

Here's a short version of what I know, CMIIW.

1. There's no MimbleWimble implementation proposal on the Bitcoin network[1].
2. Dandelion has some weakness and its pull request was rejected[2] due to security concern[3]. Dandelion was succeeded by Dandelion++, but there aren't many serious discussions about implementing it[4].
3. PTLC (which aimed to replace HTLC by using Taproot) is still in early draft[5] and I don't expect it'll be ready this year.
4. BIP 151[6], which aims to encrypt connections between nodes, has been withdrawn and its implementation in Bitcoin Core has been stopped[7]. Its successor (BIP 324) is still a WIP[8].

[1] https://bitcoin.stackexchange.com/a/112302
[2] https://github.com/bitcoin/bitcoin/pull/13947#issuecomment-513858189
[3] https://bitcoin.stackexchange.com/a/81504
[4] https://github.com/bitcoin/bitcoin/issues/20203
[5] https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-December/003377.html
[6] https://github.com/bitcoin/bips/blob/master/bip-0151.mediawiki
[7] https://github.com/bitcoin/bitcoin/pull/14032#issuecomment-901069838
[8] https://github.com/bitcoin/bips/pull/1024

Pmalek
March 02, 2022, 01:22:37 PM
Merited by garlonicon (2)
 #3

If we take into consideration that Litecoin was the first blockchain to experiment with and introduce improvements such as the Lightning Network or Segwit, we could see the same thing with MimbleWimble if and when it gets added. It's all just theory and doesn't have to mean anything, but I remember reading opinions of some Bitcoiners who said that Litecoin is nothing more than just a way to test new technologies that will eventually be introduced to Bitcoin if it goes well. And history often repeats itself.   

dkbit98
March 02, 2022, 09:07:31 PM
 #4

Quote
So I'm curious, do you guys have any information about when to expect this upgrade and whether there are some other (maybe better) privacy protocols on the work?
I don't think we are ever going to see MimbleWimble implementation integrated into Bitcoin, even if it has better privacy than in current Bitcoin blockchain.
I remember someone found a flaw in this protocol so it never gained much popularity with Bitcoin developers, and I don't consider Litecoin devs serious according to their very low github activity.
That being said, I would love to see something similar that would improve Bitcoin privacy and kill all privacy altcoins, but I think it's not going to happen any time soon.

pooya87
March 03, 2022, 04:04:47 AM
 #5

I don't really have knowledge about MimbleWimble protocol but regarding it having flaws I have to say Grin[1] is an altcoin that was built using this protocol and has been running for about 2 years. I don't really see it added to Bitcoin though.

[1] https://github.com/mimblewimble/grin

larry_vw_1955
March 03, 2022, 05:46:35 AM
 #6

Quote
I don't really see it added to Bitcoin though.

Not unless they want to make bitcoin the new monero. Grin
Wind_FURY
March 03, 2022, 07:46:53 AM
 #7

Quote
I recently came across an article about Litecoin implementing MimbleWimble which I believe was planned for BTC for a couple of years now.

So I'm curious, do you guys have any information about when to expect this upgrade and whether there are some other (maybe better) privacy protocols on the work?

And for those who are unfamiliar with MimbleWimble:

Moreover, Mimblewimble combines cryptographic protocols such as Confidential Transactions (CTs), CoinJoin, Dandelion, and Cut-Through to achieve a higher level of security and anonymity. In general, these protocols help conceal transaction information.


I believe it's currently released, and it's ready for signalling for activation by the miners.

Quote

After two years of development, Litecoin (LTC) has finally launched its highly anticipated Mimblewimble upgrade, opening the door to more privacy-oriented transactions on the network.

https://cointelegraph.com/news/litecoin-is-finally-launching-its-major-mimblewimble-upgrade


My personal belief, leave the Bitcoin blockchain alone, but implement some privacy features on top, in an offchain layer like the Lightning Network.

Quote
I don't really see it added to Bitcoin though.

Not unless they want to make bitcoin the new monero. Grin


Those other coins' developers are working for Bitcoin ser. The Core Developers will decide what implementations to use for the advancement of the protocol.

ABCbits
March 03, 2022, 09:51:15 AM
Last edit: March 03, 2022, 10:03:59 AM by ETFbitcoin
Merited by OmegaStarScream (3), pooya87 (3), Wind_FURY (3)
 #8

Quote
I remember someone found a flaw in this protocol so it never gained much popularity with Bitcoin developers, and I don't consider Litecoin devs serious according to their very low github activity.

Are you referring to the misleading article which claims Grin MimbleWimble is broken[1]? While some of the details are true, it's a misleading article[2][3].

Quote
I don't really see it added to Bitcoin though

Not unless they want to make bitcoin the new monero. Grin

Even with MimbleWimble, Bitcoin can't beat Monero in terms of privacy. Bitcoin would need to implement additional technology such as Ring Confidential Transaction (RingCT) with Bulletproof or zkSNACKs and make it mandatory. But since it requires a hard fork and massively increases transaction size, I doubt anyone would support it.

[1] https://medium.com/dragonfly-research/breaking-mimblewimble-privacy-model-84bcd67bfe52
[2] https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9
[3] https://github.com/mimblewimble/docs/wiki/Grin-Privacy-Primer

vjudeu
March 03, 2022, 11:21:22 AM
 #9

Quote
and make it mandatory
Nonstandard would be enough. In Segwit, you have uncompressed keys as nonstandard and almost nobody uses that.

Quote
But since it require hard fork
There is no need for any hard fork. You would have a new address type (or new opcodes in TapScript, that would be more likely). Then, when old transaction types would be nonstandard (or even more expensive, that could work as in Segwit), any typical user will vanish in a huge set of users, if there would be more people than in altcoins, it would be good enough, even if some miner could make a transaction in some old style.

vjudeu
March 03, 2022, 01:48:12 PM
 #10

Quote
But how would soft fork main backward compatibility when RingCT which use multiple input as decoy?
One Taproot address and a new opcode (that can be one of existing OP_SUCCESS opcodes) can solve that. For example: you can choose some H as some public key, where nobody knows the private key. Then, you can create "r*G+v*H" as your Taproot address. You can accumulate inputs by aggregating Taproot public keys. Later, you can spend by script and reveal your "v*H", then your script would be your "r*G". So, your v-value can be your amount in satoshis, and your r-value can be your public key (or even another Taproot address, if it would be possible to make it recursive somehow, we have MAST, so it may be possible).

So, you would send your coins to "r*G+v*H" Taproot address, you would reveal your "v*H", and "r*G" would be inside your TapScript.

n0nce
March 03, 2022, 07:42:41 PM
 #11

Personally, I always appreciate any privacy improvements in any software. However, in Bitcoin it's tricky, because better privacy through encryption always leads to larger transactions, inherently. Even if you encrypt lots of things, transaction size or amounts already give away information. For complete security, every transaction would hence also need equal size, which is unviable. We already have issues with transaction size and block size.

After all, improved privacy was an essential idea of Bitcoin from the start. Whenever I see people receiving Bitcoin donations and getting their wallets confiscated, it definitely makes me think 'what did we do wrong', to be honest! Cheesy The blockchain simply creates this dilemma between being easy to decentralize (run with small storage and computing power) but anonymous (need more storage).

For now, LN remains the simplest way to get (and retain) privacy; as both sender and receiver. However I'll follow MimbleWimble development and see where it leads to. Smiley

garlonicon
March 03, 2022, 08:22:39 PM
 #12

Quote
better privacy through encryption always leads to larger transactions
It depends. If you have pure Pedersen Commitments, just as ECDSA public keys in the above form, "r*G+v*H", then it actually leads to smaller transactions. You have single Taproot address as your output, so it is smaller. You can reveal some amount "v*H", subtract your "r*G", and then it would take the same size, no matter if there is a single person or hundreds of people moving funds from one key to another.

Range proofs are heavy, but we don't need to have it from the start. We can use explicit amounts in satoshis and make it first as a simplified CoinJoin that takes less space, then we can start thinking about hiding amounts if it would be needed (and then some tricks like zero satoshis would probably be needed anyway).

Also, you can take Taproot and Schnorr signatures as an example that it is possible to hide some things and you will have smaller transactions, because if something is "encrypted", there is no need to always "decrypt" everything.
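
The `r*G+v*H` construction discussed in posts #10 and #12, as an added example that is not code from any poster or from the Bitcoin, Grin or Litecoin projects: Pedersen commitments on secp256k1, showing that a commitment minus the revealed `v*H` is the plain key `r*G`, and that inputs minus outputs leave a signable key only when the amounts balance. Assumptions: `H` is derived by hashing a hypothetical label, the Schnorr scheme is a simplified one rather than BIP340, and all keys and amounts are constructed sample values.

```python
import hashlib

# secp256k1 domain parameters: field prime, group order, generator G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two affine points; None stands for the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(label):
    """Try-and-increment: a point whose discrete log to G nobody knows."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big")
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid since P % 4 == 3
        if x < P and y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found for label")

H = hash_to_point(b"added-example/H")  # hypothetical label, an assumption

def commit(r, v):
    """Pedersen commitment r*G + v*H: r is the blinding key, v the amount."""
    return add(mul(r, G), mul(v, H))

def reveal_amount(commitment, v):
    """Subtract the revealed v*H; what remains is the plain public key r*G."""
    return add(commitment, neg(mul(v, H)))

def excess(ins, outs):
    """Sum of input commitments minus sum of output commitments."""
    total = None
    for c in list(ins) + [neg(c) for c in outs]:
        total = add(total, c)
    return total

def _challenge(R, pub, msg):
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(k, msg):
    """Simplified Schnorr signature (not BIP340) with a derived nonce."""
    if k % N == 0:
        raise ValueError("signing key must be non-zero")
    seed = hashlib.sha256(k.to_bytes(32, "big") + msg).digest()
    nonce = int.from_bytes(seed, "big") % N
    R = mul(nonce, G)
    return R, (nonce + _challenge(R, mul(k, G), msg) * k) % N

def verify(pub, msg, sig):
    R, s = sig
    if pub is None or R is None:
        return False
    return mul(s, G) == add(R, mul(_challenge(R, pub, msg), pub))

# Constructed sample data: (blinding key r, amount v in satoshis).
INPUTS = [(0x1111, 70_000), (0x2222, 30_000)]
OUTPUTS = [(0x3333, 60_000), (0x4444, 40_000)]

def build_tx(inputs, outputs, msg):
    """Spender: commit to each coin, sign with key sum(r_in) - sum(r_out)."""
    ins = [commit(r, v) for r, v in inputs]
    outs = [commit(r, v) for r, v in outputs]
    k = (sum(r for r, _ in inputs) - sum(r for r, _ in outputs)) % N
    return ins, outs, sign(k, msg)

def tx_is_balanced(ins, outs, msg, sig):
    """Verifier: a valid signature under the excess means it is a multiple of G only."""
    return verify(excess(ins, outs), msg, sig)

if __name__ == "__main__":
    ins, outs, sig = build_tx(INPUTS, OUTPUTS, b"demo-tx")
    print("balanced tx accepted:", tx_is_balanced(ins, outs, b"demo-tx", sig))
```

An output inflated by a single satoshi leaves a `-1*H` term in the excess, so the same signing key no longer matches it and the check fails.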
dkbit98
March 03, 2022, 09:32:54 PM
 #13

Quote
Are you referring to misleading article which claim Grin MimbleWimble is broken[1]? While some of details is true, it's misleading article
I don't remember the exact source and I think I was reading several reviews and watching videos that showed flaws in their protocol.
It's obvious that adding MimbleWimble or anything else would increase transaction size and that would increase transaction fees a lot.

Quote
For now, LN remains the simplest way to get (and retain) privacy; as both sender and receiver. However I'll follow MimbleWimble development and see where it leads to. Smiley
I agree with that and I think there is much more potential for improving privacy of LightningNetwork than doing it for Bitcoin mainnet, however weird that may sound.
I don't really know who is working on MimbleWimble and I don't even know who to follow Cheesy

Wind_FURY
March 04, 2022, 06:41:21 AM
 #14

Quote
But how would soft fork main backward compatibility when RingCT which use multiple input as decoy?
One Taproot address and a new opcode (that can be one of existing OP_SUCCESS opcodes) can solve that. For example: you can choose some H as some public key, where nobody knows the private key. Then, you can create "r*G+v*H" as your Taproot address. You can accumulate inputs by aggregating Taproot public keys. Later, you can spend by script and reveal your "v*H", then your script would be your "r*G". So, your v-value can be your amount in satoshis, and your r-value can be your public key (or even another Taproot address, if it would be possible to make it recursive somehow, we have MAST, so it may be possible).

So, you would send your coins to "r*G+v*H" Taproot address, you would reveal your "v*H", and "r*G" would be inside your TapScript.


Can anyone confirm if that's possible, or is it above our qualification/Bitcoin knowledge. Hahaha.

But let's pretend my stupid brain thought it understood all that, and thought it can confirm that all the information is correct, why isn't the network doing it? Because probably a Core developer would disagree?

tromp
March 04, 2022, 08:04:23 AM
 #15

Quote
Even with MimbleWimble, Bitcoin can't beat Monero in terms of privacy. Bitcoin would need to implement additional technology such as Ring Confidential Transaction (RingCT)

Monero's RingCT (and ZCash' zkSNARKs) scale poorly since you never know when outputs are spent, so you have to treat all outputs as your UTXO set.
Wind_FURY
March 04, 2022, 09:56:45 AM
 #16

Quote
Even with MimbleWimble, Bitcoin can't beat Monero in terms of privacy. Bitcoin would need to implement additional technology such as Ring Confidential Transaction (RingCT)

Monero's RingCT (and ZCash' zkSNARKs) scale poorly since you never know when outputs are spent, so you have to treat all outputs as your UTXO set.


Ser, is it possible to implement one of MimbleWimble, RingCT, or zKSNARKS in an offchain layer to build a version of the Lightning Network that protects privacy? I believe Bitcoiners' freedom to transact will someday be threatened. We might need to be equipped more through software.

vjudeu
March 04, 2022, 12:43:09 PM
Merited by Pmalek (1), m2017 (1)
 #17

Quote
Can anyone confirm if that's possible, or is it above our qualification/Bitcoin knowledge. Hahaha.
That's not difficult to understand. What I described is exactly the same as what you have in Grin, except that coin amounts are known. Just imagine a huge CoinJoin, where you have only public keys as inputs and only public keys as outputs: then you can simplify things just like in Grin. And because we have Taproot, you can always spend by key or spend by script, so you are not limited only by paying to public keys, you can pay to any TapScript.

Quote
why isn't the network doing it? Because probably a Core developer would disagree?
There are some ongoing discussions on mailing lists, because it seems that enabling some features would also enable Drivechains (and as we know, sidechains can be used to enable any feature, so people are trying to handle this with care, just to not allow something strange by mistake).

Quote
i'm only sure small part of it is possible
Only small part is possible right now, without any consensus changes. But things like MimbleWimble can be reached by a soft-fork (even better: that could be Taproot-based soft-fork). For example, you can form any spendable TapScript and use some unspendable public key. Then, you can send coins to some Taproot address, where nobody can spend them by key, only spending by TapScript is possible.

Quote
Don't forget MimbleWimble also reduce bloat since it perform batching on all transaction on each block.
Exactly. If you have a transaction with single Taproot input and single Taproot output that can handle the whole network of MimbleWimble users, it has the same size, no matter if you have one user or hundreds of users. Also, in this case you always know which input should be used, because it is the same input for all users, it is shared between all of them, the only catch is making a signature in a non-interactive way, just by collecting messages in P2P network and mixing everything into a small, single transaction, moving MimbleWimble sidechain forward, just by producing a valid signature. And only for that reason, a new opcode is needed (it would not be if we would have OP_AMOUNT constraint on destination and a huge MAST tree).

Quote
Monero's RingCT (and ZCash' zkSNARKs) scale poorly since you never know when outputs are spent, so you have to treat all outputs as your UTXO set.
But that can be expressed as a single Taproot address that will handle the whole network of MimbleWimble users.

Quote
Ser, is it possible to implement one of MimbleWimble, RingCT, or zKSNARKS in an offchain layer to build a version of the Lightning Network that protects privacy?
It is possible now in a signet-sidechain way (also called a federation). The main problem is the centralization of mining in such case. Introducing MimbleWimble on-chain can solve that, because then you no longer need any federation, just because each key of each user is used to form a shared key for the whole network. Basically, MimbleWimble is a huge 1-of-N multisig, where you can move only your coins and detach your key from that network. It is somewhat possible to implement MimbleWimble entirely off-chain right now (based on N-of-N multisig), but then the number of offchain transactions can explode exponentially, that's another reason why we have 2-of-2 multisig in LN (and also another reason why things like SIGHASH_ANYPREVOUT are needed).

So, to sum up: enabling some opcodes that are actively discussed on mailing lists can lead us to the situation where it would be possible to do more things that developers expected.

Wind_FURY
March 05, 2022, 09:29:02 AM
 #18

Quote
Even with MimbleWimble, Bitcoin can't beat Monero in terms of privacy. Bitcoin would need to implement additional technology such as Ring Confidential Transaction (RingCT)

Monero's RingCT (and ZCash' zkSNARKs) scale poorly since you never know when outputs are spent, so you have to treat all outputs as your UTXO set.


Ser, is it possible to implement one of MimbleWimble, RingCT, or zKSNARKS in an offchain layer to build a version of the Lightning Network that protects privacy? I believe Bitcoiners' freedom to transact will someday be threatened. We might need to be equipped more through software.

Lightning Network basically update HTLC state on each transaction, so i don't see how it's possible to implement MimbleWimble, RingCT, or zKSNARKS. But it's possible if you implement in on side-chain or on-chain.


Or a Drivechain? https://www.drivechain.info/

Paul Sztorc, the developer, continues his campaign for it. https://twitter.com/Truthcoin

He has a theory that if Drivechain was implemented in Bitcoin, there would be no need for development in altcoins because different Drivechains will have different features, like all the different features in altcoins. I believe he started Drivechain during 2018.

tromp
March 06, 2022, 07:39:35 AM
 #19

Quote
there would be no need for development in altcoins because different Drivechains will have different features, like all the different features in altcoins.

You can't have arbitrary features on side-chains.
Most importantly, you cannot have a change in emission.
E.g. a fair one, like 1 per second forever.
garlonicon
March 06, 2022, 08:22:39 AM
Merited by Pmalek (1)
 #20

Quote
You can't have arbitrary features on side-chains.
Actually, you can. Without consensus changes, you have a federation, so that only some people can mine. After implementing Drivechain BIP's, you can have any chain, including regular Proof of Work chains (with merged mining they are stronger than ever).

Quote
Most importantly, you cannot have a change in emission.
That's quite simple, any sidechain can have any rules, so you don't have to use 1:1 peg. You can use 1:1000 peg, you can change proportions in any possible way. Also you can have things like premine, because why not. Also, if you want to have a federation, you can do literally everything, because from the mainchain point of view, it is just some address shared by all validators that are moving Bitcoins from here to there.

Quote
E.g. a fair one, like 1 per second forever.
Every sidechain is communicating with the mainchain once per three months (and doing a huge peg-in and peg-out every time). So, you have four travels per year, but for the rest of the time, the sidechain is living its own life. You can have one second per block, because why not. Everything will be consolidated and pushed to the mainchain once per three months, no matter what rules you have on your sidechain.

Also, the most important point is that some coins are federations, so they have validators. That means, they can be pegged into Bitcoin right here, right now. And they are not. Why?