Grin is an upcoming cryptocurrency project focused on privacy, scalability, and fungibility that is built by implementing a MimbleWimble blockchain with some various optimizations. MimbleWimble is a fascinating stripped down blockchain protocol proposed by Tom Elvis Jedusor in July 2016 and has gained traction among many Bitcoin and privacy proponents.
Grin is an open-source project that offers a refreshing list of things that it will not do, many of which are contrary to the ongoing developments in the cryptocurrency market. To understand Grin and how it works, it is vital to first understand MimbleWimble and its advantages.
What is MimbleWimble?
Initially proposed in 2016 by Tom Elvis Jedusor and subsequently revised by Adam Poelstra a few months later, MimbleWimble is a blockchain protocol that mixes several innovative technologies to radically change how transactions are constructed in Bitcoin and reduce the size of the blockchain.
MimbleWimble primarily addresses two areas:
As a result of its inherent privacy, MimbleWimble (and subsequently Grin) have strong fungibility.
Transactions in MimbleWimble are opaque but can still be validated appropriately despite there being no addresses and the amounts transacted are entirely hidden. MimbleWimble relies on the properties of Elliptic Curve Cryptography (ECC) to structure transactions based on the verification of zero sums and possession of private keys.
Verifying transactions with Mimblewimble requires that the sum of transaction outputs minus the sum of the inputs is always equal to zero. This is accomplished using Confidential Transactions that prove a double-spend or creation of new funds did not occur with a transaction while concurrently obfuscating the actual amounts in the transaction. MimbleWimble derives their concept for this from Confidential Transactions (CTs) by Greg Maxwell.
Ownership proof in MimbleWimble relies on blinding factors which are essentially the private keys of the users and excess values that are part of the transaction kernel. This blinding factor can be leveraged to prove ownership of the value in a transaction without revealing its values.
There are no addresses in MimbleWimble, however. Instead, two wallets communicate with each other to exchange data where the recipient creates and sends an address to the sender. Only the participants can see this data and the information is not reusable by outside parties. The participating parties don’t even need to be online at the same time.
Further, the blocks in the blockchain do not list separate transactions (even if they are obfuscated – i.e., Monero), rather they are aggregated into a single transaction with mixed inputs and outputs. Viewing a block would provide no insights into a specific transaction. Transactions in MimbleWimble are effectively a non-interactive variant of CoinJoin that cannot be separated from each other.
To summarize, nodes can verify the authenticity of transactions without revealing the values being transferred, there are no addresses, and no identifiable information in a transaction.
The approach that MimbleWimble takes to scalability is much more direct than more complicated layer two solutions or increasing on-chain throughput capacity. Instead, MimbleWimble relies on eliminating old and unnecessary transactions on the blockchain to improve efficiency.
Specifically, the protocol removes spent inputs on the blockchain over time by aggregating intermediary transactions together so that the size of blockchain is drastically reduced. The protocol uses a method called cut-through. A MimbleWimble transaction consists of the following components:
- Set of inputs that reference and spent a set of previous outputs
- A set of new outputs (Pedersen Commitments)
- Transaction Kernel which contains a kernel excess and the transaction signature.
In a MimbleWimble block, cut-through transactions are only represented by their transaction kernel, and all outputs look the same because they are just large numbers that are impossible to differentiate. According to the MimbleWimble introduction on the Grin Github:
“Similarly to a transaction, all that needs to be checked in a block is that ownership has been proven (which comes from transaction kernels) and that the whole block did not add any money supply (other than what’s allowed by the coinbase). Therefore, matching inputs and outputs can be eliminated, as their contribution to the overall sum cancels out…..Note that all transaction structure has been eliminated and the order of inputs and outputs does not matter anymore. However, the sum of all outputs in this block, minus the inputs, is still guaranteed to be zero.”
As a result, it is impossible to tell which input is matched with which output while still preserving the ability to validate the transactions within a block. Nodes can further validate blocks by cross-referencing the sum of money created through mining with the total supply.
The type of pruning afforded by MimbleWimble allows for the protocol to become much more scalable, with users able to quickly sync with the network. Importantly, the whole chain state can be validated similar to a full node, even if no users retain the majority of the historical blockchain data.
What is Grin?
Grin is a cryptocurrency implementation of MimbleWimble designed to provide privacy, fungibility, and scalability. Describing Grin from a technical perspective contains substantial overlap with the previously mentioned MimbleWimble, so it is best to emphasize other components such as consensus and monetary policy.
Grin retains the privacy and fungibility features of MimbleWimble where there are no addresses, transactions amounts, and transactions can be merged removing all intermediary information. Further, blocks in Grin — like MimbleWimble — contain no transactions and the block just looks like one big transaction.
All spent outputs in Grin can also be safely removed, allowing a drastically reduced blockchain size. Users can download and verify the blockchain significantly faster than other cryptocurrencies. As a result, Grin can scale with the number of users rather than the number of transactions.
Grin’s Cuckoo Proof-of-Work Consensus
Grin does not implement a flashy new consensus mechanism like proof of stake to achieve consensus. Instead, it goes back to the bread and butter of PoW using the Cuckoo Cycle algorithm.
Cuckoo style PoW was selected to mitigate against the Bitcoin-style “hardware arms-race” by making it ASIC resistant. Cuckoo Cycle is a memory-bound algorithm, making it viable for CPUs and increasing its decentralization.
The difficulty of mining in the network is based on the current hash power and is designed to average a fast block time of around 60 seconds. You can find extensive information on Cuckoo Cycle PoW in the white paper by John Tromp and Grin mining on the Grin Github.
Grin’s Dandelion Implementation
Grim implements the Dandelion Protocol to increase its network layer privacy through its improved transaction message propagation method. The Dandelion Protocol helps protect against several recent attack vectors elucidated in academic papers about deanonymizing users by mapping IP addresses based on how a transaction message spreads from its origin.
Grin uses a slightly modified version of Dandelion to aggregate transactions that fits with the transaction merging of MimbleWimble.
Monetary Policy of Grin
An interesting component of cryptocurrencies that has developed recently is monetary policy. Grin aims to be more of a currency for transacting than a store of value, currently different from Bitcoin. In doing so, it has created a monetary possible that is designed to make the currency’s value more stable.
Grin uses a linear supply schedule of inflation where the overall supply is unlimited, and the model encourages spending rather than hodling. Grin’s inflation rate starts high and subsequently falls to below 10 percent after a decade and to eventually to near-zero. The block reward is fixed over time.
Myles Snider offers an excellent analysis of the potential implications of Grin’s monetary policy.
Current Status of the Project
Grin released its Testnet V4 pre-release last month, and the cryptocurrency is expected to launch sometime in 2019. Grin has flown under the radar compared to more high-profile projects in the mainstream despite integrating some of the most cutting-edge technologies in the industry.
Quietly, there is significant anticipation around Grin from privacy proponents and other Bitcoin supporters. MimbleWimble is a relatively well-known concept when it comes to the more technical aspects of cryptocurrencies, and Grin’s use of the MimbleWimble protocol gives it some compelling potential.
Grin is also compatible with Schnorr signatures that can produce multi-signature outputs. Schnorr signatures are widely considered to be the best cryptographic signature, and their integration with Bitcoin is supposed to occur in 2019.
Technical components aside, Grin’s monetary policy also is intriguing considering the consequences its structure may have on the use of the cryptocurrency as more of a currency than a store of value.
Grin is open to contributions from developers and is definitely worth watching as it continues to evolve.