Universal is recreating Gringotts Bank
Inside Gringotts Bank Universal Studios

It's not surprising that you haven't heard too much about the secretive blockchain Grin (a reference to Gringotts Wizardly Bank from Harry Potter); for a start, the people behind the project use identities of Harry Potter characters.

Blockstream mathematician Andrew Poelstra states for the record that he is not a pseudonymous member of the group - however the Grin blockchain is one direction that the "scriptless" privacy innovation Mimblewimble is headed.

Born from Blockstream's Confidential Transactions technology, Mimblewimble maintains that if a transaction output is spent, you no longer have to keep it because the spend cancels out the receive.

Despite this, verifiers are still able to authenticate ownership of keys to authorise transactions, and show the sum of outputs minus the inputs equals zero and no new money has been created.

Mimblewimble uses the Confidential Transactions "blinding" key as an authentication key for spending the outputs as well, and removes the ability to use arbitrary scripts, since these cannot be cancelled in this way.

This leads to a big reduction in functionality, as the different, alternative ways to spend a coin on Bitcoin are boiled down to only doing transfers that are from some group to another group or from a person to another person.

But you are left with a beautiful symmetry: inputs and outputs can't be changed without invalidating the balancing equation and nobody can produce a balancing transaction without knowing the blinding keys.

Poelstra said: "If one transaction spent an output of the other, then in those two equations you'd have the same term on both sides and you can just delete them outright. And you retain the correct authentication in that the owners of those outputs definitely had to be involved to have spent those coins. But there is no longer any need to see or validate that those coins actually existed, which is really quite something."

He said that if there was a blockchain that supported Mimblewimble, then to verify the whole chain you don't actually need any transaction inputs at all; you only need to know the currently unspent outputs and the entire history is basically compressed into these single signatures that were hanging off the Confidential Transactions.

"There's no longer this whole history of every transaction. You have one signature per transaction the validators have to check and then they just check that the current set of unspent outputs minus all the coins ever minted or pegged-in or whatever, equals zero."

Anything that supports Confidential Transactions would support Mimblewimble. However, it's not something that you could use tomorrow, notes Poelstra, because there isn't wallet support for it. He is looking forward to the Grin blockchain and has proposed a design to the maintainers which they accepted to allow soft forking in digital assets including a Bitcoin peg.

"The Grin blockchain will initially just have the Grin currency on it and also a test currency I think. Then later on we can add Bitcoin to that and the bitcoins and the test coins and the Grin coins will all be indistinguishable to outside observers so we get to share this privacy. This project is moving forward. I'm not the guy to ask about timelines, but to me it seemed like this is 18 months out before there is anything that the wider ecosystem could use."

When he began writing a Mimblewimble paper for Scaling Bitcoin 2016, Poelstra was really excited by the compression property it could bring to Bitcoin. "I got it down to, like, if you have a million blocks, then to verify the chain you would need to verify something like 10,000 signatures. Period. No matter how many transactions were in those blocks originally. So I was able to compress Bitcoin's then 80 gigabyte blockchain into like 1MB plus the set of unspent outputs, which were very large."

After a period of frustration at so much compression for the history but a large set of unspent outputs hanging off it, he decided to go in a different direction: "scriptless scripts".

Deleting the scripts from Confidential Transactions sacrifices functionality, and in particular there was worry that you wouldn't be able to do Lightning on top of Mimblewimble. At this point Poelstra realised that it would be possible to sort of bolt on a script system. "When you prove that the outputs minus inputs equals zero, what you are actually getting is an encrypted version of zero, which acts like a multi-signature key belonging to every transactor," he said.

"This is where these extra signatures come from and this is why you have still got authentication even when you are like mixing and matching - even if the inputs and outputs cancel out and are deleted, the signature from that party will still be there hidden inside of the multi-signature. That's how you preserve this.

"I realised that if you make these signatures also sign some script conditions then you can get some simple stuff; you can do a simple version of Lightning like this. At some point along the line, we noticed that you can do a lot of script-like things just with ordinary signatures."

For something like atomic swaps, where parties time lock coins and reveal the preimage of some hash on each blockchain, scriptless scripts uses the difference between signatures. Using the Schnorr signature type, it's possible to verify that you have a difference of two signatures, to prove the difference between a signature on this transaction and a signature on that transaction, with this key and that key; and you can verify this without knowing the actual signatures. The signatures themselves are just random values so knowing the difference between them you can't tell what they are.

Poelstra said: "If you have a difference, and now if I tell you one, you know the other. This is what happens. If 'A' signs to take his coins, I read his signature off the blockchain and I add that to the difference and now I've got his signature on the other chain. So now I am copying literally the signature out, translating the signature from one blockchain into a signature on the other blockchain and using that to take my coins. Now we have got an atomic exchange.

"But it's an atomic exchange, where what lands on the respective blockchains is just signatures. There is no additional space required for this and there's not even anything linking the two transactions. Anybody can take the difference of two signatures - the real magic was that 'A' gave me that difference before I'd signed anything. So it's all in the timing basically."

Poelstra said he has since figured out how to link transactions even on chains that are using different elliptic curves, such as Bitcoin and Monero, which is something he plans to publish imminently. He has also found a way to chain multiple transactions together like Lightning channels.

A Lightning payment channel uses a hash and preimage that has to be exposed by everybody to take their payments. There is the same routing story with scriptless scripts, but now instead of a hash it's actually a discrete logarithm. The signatures are set up so that the publication of a signature will reveal a discrete logarithm to somebody who knows some external information, and so you get the linkage that way.

Asked how a Mimblewimble sidechain would compare with the Bitcoin blockchain, Poelstra said: "It would absolutely be smaller for future verifiers. Because you can delete all of the spent outputs, you can delete all of the inputs when you're verifying the chain after the fact. So in real time it's the same size as Bitcoin plus Confidential Transactions, so it's a bit bigger. The analogy would be that you are still facing the firehose, it just evapourates very quickly."