If you haven’t yet read Part 1 of this series, we recommend checking it out. Part 1 discusses the origins and reception of MimbleWimble (a protocol that promised to bring Bitcoin scalability and anonymity) and Grin, an open source network and coin launched in January 2019 to test the protocol.
Part 2 here explains Grin’s technical side. How does it achieve the anonymity and scalability it promises? You’ll learn about confidential transactions, CoinJoin, Cuckoo Cycle, how to mine Grin, its controversial monetary policy, and more.
This section is based on this lecture in which Andrew Poelstra from Blockstream explains confidential transactions at length. Start around minute 5. We also recommend the developers' "Introduction to MimbleWimble and Grin".
Andrew Poelstra explains MimbleWimble transactions
How do confidential transactions make for higher privacy?
What makes MimbleWimble privacy-based is that it uses a derivative of confidential transactions as its sole authentication mechanism. This system is an improvement on Bitcoin's UTXO model; it relies on random values called blinding factors to hide transaction amounts, making them unknown to anybody but the sender and receiver.
Confidential transactions were devised primarily by Gregory Maxwell from Blockstream. In this system, the amounts of a transaction are replaced with homomorphic commitments (called Pedersen commitments), which consist of the transaction amount plus a random blinding factor, used to hide the amount. To produce a transaction, you need to know the sum of its inputs' blinding factors (which will equal the sum of the outputs' blinding factors), each of which should be kept secret. On the other hand, cryptocurrency transaction verifiers only need to check that the sum of the inputs equals the sum of the outputs (i.e. that no coins were created or destroyed) to know that a transaction is valid; they don't need to know what the amounts were. There is not even a need for addresses; in fact, these do not exist in MimbleWimble, which is another way it ensures privacy.
But how does the MimbleWimble protocol prevent sender and receiver from figuring out each other's blinding factors? By adding a kernel – an unspendable 0-valued output – to each crypto transaction. Since the kernel is really a sum of the blinding factors from each participant multiplied by a generator (G), the kernel also acts as a multisignature key for the transaction participants. The sum of the inputs minus the sum of the outputs must equal the kernel.
However, since none of these elements (inputs, outputs, kernels) actually sign each other, you can combine the input and output sets of multiple transactions to get a single transaction with multiple kernels; this non-interactive combination of unrelated transactions is called CoinJoin, and it’s ultimately what makes MimbleWimble a scalability solution.
How does CoinJoin help scalability?
CoinJoin, then, is a mechanism through which transactions sent by different unrelated users can be combined into one, making it hard for outside parties to figure out who was the intended recipient of each crypto transaction. It’s clear that this helps with anonymity, but how does this system also make MimbleWimble a lightweight protocol?
Imagine 4 participants in a blockchain ecosystem, Ana, Bill, Clara and Dan. If Ana sends cryptocurrency to Bill, this transaction will be recorded in a block. If Bill later sends some crypto to Clara, data referencing both transactions (Ana to Bill and Bill to Clara) will now be stored in the next block. If Clara then sends some to Dan, the most recent block now contains the records of these three transactions (Ana to Bill to Clara to Dan). By now the blockchain is quite heavy.
MimbleWimble sheds a lot of this weight. To paraphrase economist and Bitcoin maximalist Tuur Demeester, MimbleWimble's main focus is on conserving the integrity of transactions and preventing double-spending attacks, rather than on storing the details of all the chain's transactions going back. Coming back to the example, if Dan now wants to make a cryptocurrency transaction, all that transaction verifiers really need to know in order to prevent double-spending is that the coins exist and are spendable; the details of who had them in the transactions spanning between Ana (the original owner), and Dan (the final recipient) can be omitted.
MimbleWimble uses CoinJoin to aggregate all crypto transactions, and then deletes the input and output data of the transactions that happened between the first and the last. However, it leaves all the kernels of those transactions intact. Thus, the chain is suddenly much lighter, nodes are cheaper to run, the info necessary to avoid double-spending is preserved, and transaction amounts are unknowable and untrackable.
Cuckoo Cycle and Equihash algorithm
Grin uses an alternative proof-of-work system developed by John Tromp in 2015, called Cuckoo Cycle.
The Grin team claimed back in August 2018 that ASICs are a centralizing market and not fully reliable, but also admitted they are unavoidable. So it was decided that Grin would use two separate proof-of-work algorithms in its first two years: Cuckatoo31+, which is optimized to be ASIC-friendly, and the complementary Cuckaroo29, which is ASIC-resistant, allowing GPUs to compete. The proof-of-work balances mining rewards between the two every 24 hours.
When questioned about this on a forum in September 2018, Tromp explained:
"Originally Cuckoo Cycle was designed to make memory latency a bottleneck. Now, many years later, we realize that the SRAM that Cuckoo Cycle makes excellent use of (needing an order of magnitude less than the DRAM needed for efficient mining) is quite affordable in ASICs. We expect ASICs to have a large efficiency advantage over GPUs."
The Grin team recommends a GPU with “over 3.7 GB of very fast DRAM (…) like the 1080TI”.
Early miners of both Grin and Beam coins are using the Nvidia GTX 1080 Ti and the Nvidia RTX 2080 Ti. Check the Grin forum for updated discussion on this matter. You can check the implementation for a standalone Grin miner here, and some official mining stats here.
The Grin mining pool GrinMint was released by BlockCypher after CEO Catheryne Nicholson expressed her disgust towards VCs and investors trying to fund private ASICs for Grin coin, something which would, in her words, “destroy the ecosystem before it has a chance to develop and is so self-serving, while riding off the backs of people who have done all the work.” Soon after launch, GrinMint announced a 2.5% fee for its mining pool, 0.5% of which is dedicated to Grin's development fund.
Grin’s block reward is 60 Grins per block, and one block is created per minute, so one Grin is created each second. As the team states of this monetary policy, “it's likely to stay that way forever, meaning that the supply inflation rate stays constant.”
Though many commentators have questioned this decision, the inflation rate does not worry the Grin team; in fact, it was purposefully designed to discourage hoarding and whales, and to improve distribution. “Constant emission could provide enhanced supply/demand certainty for all types of crypto users, and allow transparent and natural pricing,” reads their monetary policy page.
With every passing year, the overall dilution of Grin will be smaller. In 10 years dilution will be less than 10%, and in 25 years, Grin coin’s inflation will be 4%, the same as Bitcoin in 2018.
Users have expressed confusion regarding Grin’s TPS. Grin’s block explorer does not refer to this metric, and online users have cited vastly different numbers. The fact is, since the Grin network merges multiple transactions into one (read “How does Grin work?”), TPS as a metric makes little sense for it. The focus is placed instead on target mean block time, which is 1 block per 60 seconds. Block size is limited by transaction "weight" rather than by the number of cryptocurrency transactions, though there is also a hard cap on the order of tens of MB.
For the crypto community it is refreshing (and strange) to see an open-source cryptocurrency with a monetary policy and internal structure that goes against the altcoin current. Focus on hoarding-resistance, planned inflation, no scripting, and experimental scalability methods – Grin coin is like a wonderful crypto toy for any old-school cryptography engineers left out there among the investors and business people.
Thank you for reading,
The Coin360 Editorial Team
We want to thank the Trusted Volumes analytics team for their help with some technical details in the "How does Grin work" section.