Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble

  • Conference paper
  • Published in: Advances in Cryptology – EUROCRYPT 2019 (EUROCRYPT 2019)

Abstract

Mimblewimble is an electronic cash system proposed by an anonymous author in 2016. It combines several privacy-enhancing techniques initially envisioned for Bitcoin, such as Confidential Transactions (Maxwell, 2015), non-interactive merging of transactions (Saxena, Misra, Dhar, 2014), and cut-through of transaction inputs and outputs (Maxwell, 2013). As a remarkable consequence, coins can be deleted once they have been spent while maintaining public verifiability of the ledger, which is not possible in Bitcoin. This results in tremendous space savings for the ledger and efficiency gains for new users, who must verify their view of the system.

In this paper, we provide a provable-security analysis for Mimblewimble. We give a precise syntax and formal security definitions for an abstraction of Mimblewimble that we call an aggregate cash system. We then formally prove the security of Mimblewimble in this definitional framework. Our results imply in particular that two natural instantiations (with Pedersen commitments and Schnorr or BLS signatures) are provably secure against inflation and coin theft under standard assumptions.


Notes

  1. Simplified Payment Verification (SPV) clients only download much smaller pieces of the blockchain, allowing them to verify specific transactions. However, they are less secure and do not contribute to the general security of the system [GCKG14, SZ16].

  2. This functionality was introduced in Bitcoin Core v0.11, see https://github.com/bitcoin/bitcoin/blob/v0.11.0/doc/release-notes.md#block-file-pruning.

  3. See https://www.blockchain.com/charts/blocks-size.

  4. Commitments are actually never publicly opened; however, the opening information is used when spending a coin and remains private to the participants.

  5. An earlier, anonymous version of the paper used the name one-way aggregate signature (OWAS), see https://bitcointalk.org/index.php?topic=290971. Composite signatures are very similar to aggregate signatures [BGLS03].

  6. See http://grin-tech.org and https://github.com/mimblewimble/grin/blob/master/doc/intro.md.

  7. See https://www.beam-mw.com.

  8. Since inputs must be coins that already exist in the system, their range proofs are contained in the kernels of the transactions that created them.

  9. A transaction fee can easily be added to the picture by making its amount f explicit and adding fH to the transaction excess. For simplicity, we omit it in this paper.

  10. If \(\mathbf {E}\) in a transaction \(\mathsf {tx}\) consists of a single element, it must be \(E=\mathsf {Exc}(\mathsf {tx})\), so E could be omitted from the transaction; we keep it for consistency.
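The following Python script is an added worked example of the mechanism the abstract describes (Pedersen-committed values, non-interactive merging, cut-through) and of the transaction excess Exc(tx) discussed in notes 8–10; it is not code from the paper, from Grin or from Beam. It assumes a small multiplicative group (a hashed-generator Pedersen commitment in the order-q subgroup of Z_p^* for a safe prime p, standing in for secp256k1, and not a secure parameter choice), that one party knows every blinding factor when signing the excess (in Mimblewimble the sender and receiver sign jointly), a fixed kernel message `b"kernel"`, and it omits range proofs and fees. It goes slightly beyond the abstract by also showing that a transaction which spends 10 and emits 11 fails verification even when its excess is honestly signed, which is the inflation-resistance argument at the balance level.

```python
import hashlib
import math
import secrets
from collections import Counter

# Toy group: order-q subgroup of Z_p^* for a safe prime p = 2q + 1 (assumption: stand-in for secp256k1).
def _is_prime(n):  # deterministic Miller-Rabin, exact for n < 3.3e24 with these bases
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(start):
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(1 << 62)

def _generator(tag):
    # Squaring a hash lands in the order-q subgroup; deriving both generators
    # this way means nobody knows log_G(H), which commitment binding relies on.
    return pow(int.from_bytes(hashlib.sha256(tag).digest(), "big") % P, 2, P)

G = _generator(b"blinding-generator")   # G hides the blinding factor r
H = _generator(b"value-generator")      # H hides the coin value v
KERNEL_MSG = b"kernel"                  # constructed; real kernels sign fee/lock data

def commit(v, r):
    """Pedersen commitment Com(v, r) = H^v * G^r (additively: vH + rG)."""
    return pow(H, v, P) * pow(G, r, P) % P

def _challenge(R, E, msg):
    return int.from_bytes(hashlib.sha256(b"%d|%d|" % (R, E) + msg).digest(), "big") % Q

def schnorr_sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + _challenge(R, pow(G, x, P), msg) * x) % Q

def schnorr_verify(E, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(E, _challenge(R, E, msg), P) % P

def build_tx(inputs, outputs):
    """inputs/outputs: (value, blinding) pairs. Simplification: one party knows every
    blinding factor; in Mimblewimble sender and receiver jointly sign the excess."""
    x = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % Q
    E = pow(G, x, P)   # excess Exc(tx): a commitment to zero iff the values balance
    return {"inputs": [commit(v, r) for v, r in inputs],
            "outputs": [commit(v, r) for v, r in outputs],
            "kernels": [(E, schnorr_sign(x, KERNEL_MSG))]}

def verify_tx(tx):
    # sum(outputs) - sum(inputs) must equal the product of the kernel excesses, and
    # each excess carries a signature proving it has the form G^x (no H component,
    # so no value was created). Range proofs are omitted in this example.
    balance = math.prod(tx["outputs"]) * pow(math.prod(tx["inputs"]), -1, P) % P
    return balance == math.prod(E for E, _ in tx["kernels"]) % P and all(
        schnorr_verify(E, KERNEL_MSG, sig) for E, sig in tx["kernels"])

def merge(tx1, tx2):
    """Non-interactive merging: concatenate; every kernel stays valid on its own."""
    return {k: tx1[k] + tx2[k] for k in ("inputs", "outputs", "kernels")}

def cut_through(tx):
    """Delete coins both created and spent within the transaction; the kernels
    keep the result publicly verifiable (the space saving from the abstract)."""
    spent = Counter(tx["inputs"]) & Counter(tx["outputs"])
    return {"inputs": list((Counter(tx["inputs"]) - spent).elements()),
            "outputs": list((Counter(tx["outputs"]) - spent).elements()),
            "kernels": tx["kernels"]}

def run_scenario():
    rnd = lambda: secrets.randbelow(Q)
    alice = (10, rnd())                     # pre-existing coin (constructed)
    bob, change = (7, rnd()), (3, rnd())
    tx1 = build_tx([alice], [bob, change])  # Alice pays Bob 7, keeps 3 as change
    carol = (7, rnd())
    tx2 = build_tx([bob], [carol])          # Bob forwards the coin to Carol
    merged = merge(tx1, tx2)
    compact = cut_through(merged)           # Bob's coin vanishes from the ledger
    thief = build_tx([alice], [(11, rnd())])  # inflation attempt: 10 in, 11 out
    return {"tx1": verify_tx(tx1), "tx2": verify_tx(tx2),
            "merged": verify_tx(merged), "compact": verify_tx(compact),
            "compact_io": (len(compact["inputs"]), len(compact["outputs"])),
            "inflation": verify_tx(thief)}
```

Running `run_scenario()` shows the two honest transactions, their merge and the cut-through version all verifying, with the cut-through ledger reduced to one input (Alice's coin) and two outputs (the change and Carol's coin), while the 11-for-10 transaction is rejected because its balance contains a factor H that no kernel signature can account for. What the balance check cannot catch is an output committing to a negative value, which is exactly why every output additionally needs the range proof that this example leaves out.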

References

  1. Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in Bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_4

  2. Back, A.: Bitcoins with homomorphic value (validatable but encrypted), October 2013. BitcoinTalk post. https://bitcointalk.org/index.php?topic=305791.0

  3. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S&P 2018, pp. 315–334 (2018)

  4. Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better—how to make Bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_29

  5. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: S&P 2014, pp. 459–474 (2014)

  6. Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: ACM CCS 2008, pp. 449–458 (2008)

  7. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26

  8. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

  9. Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J.A., Felten, E.W.: Mixcoin: anonymity for Bitcoin with accountable mixes. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 486–504. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_31

  10. Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73420-8_37

  11. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33

  12. Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of Mimblewimble. Cryptology ePrint Archive, Report 2018/1039 (2018). https://eprint.iacr.org/2018/1039

  13. Gervais, A., Capkun, S., Karame, G.O., Gruber, D.: On the privacy provisions of bloom filters in lightweight Bitcoin clients. In: ACSAC 2014, pp. 326–335 (2014)

  14. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29

  15. Heilman, E., Alshenibr, L., Baldimtsi, F., Scafuro, A., Goldberg, S.: TumbleBit: an untrusted Bitcoin-compatible anonymous payment hub. In: NDSS (2017)

  16. Jedusor, T.E.: Mimblewimble (2016). https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.txt

  17. Koshy, P., Koshy, D., McDaniel, P.: An analysis of anonymity in Bitcoin using P2P network traffic. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 469–485. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_30

  18. Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_5

  19. Maxwell, G.: CoinJoin: Bitcoin privacy for the real world, August 2013. BitcoinTalk post. https://bitcointalk.org/index.php?topic=279249.0

  20. Maxwell, G.: Transaction cut-through, August 2013. BitcoinTalk post. https://bitcointalk.org/index.php?topic=281848.0

  21. Maxwell, G.: Confidential Transactions (2015). https://people.xiph.org/~greg/confidential_values.txt

  22. Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed E-cash from Bitcoin. In: S&P 2013, pp. 397–411 (2013)

  23. Meiklejohn, S., et al.: A fistful of Bitcoins: characterizing payments among men with no names. In: Internet Measurement Conference, IMC 2013, pp. 127–140 (2013)

  24. Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008). http://bitcoin.org/bitcoin.pdf

  25. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  26. Poelstra, A.: Mimblewimble (2016). https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf

  27. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33

  28. Ruffing, T., Moreno-Sanchez, P., Kate, A.: CoinShuffle: practical decentralized coin mixing for Bitcoin. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 345–364. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11212-1_20

  29. Ron, D., Shamir, A.: Quantitative analysis of the full Bitcoin transaction graph. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_2

  30. Ruffing, T., Thyagarajan, S.A., Ronge, V., Schröder, D.: Burning zerocoins for fun and for profit: a cryptographic denial-of-spending attack on the zerocoin protocol. IACR Cryptology ePrint Archive, Report 2018/612 (2018)

  31. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)

  32. Saxena, A., Misra, J., Dhar, A.: Increasing anonymity in Bitcoin. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014. LNCS, vol. 8438, pp. 122–139. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44774-1_9

  33. Sompolinsky, Y., Zohar, A.: Bitcoin’s security model revisited (2016). Manuscript http://arxiv.org/abs/1605.09193

  34. van Saberhagen, N.: CryptoNote v 2.0 (2013). Manuscript https://cryptonote.org/whitepaper.pdf

Acknowledgements

The first author is supported by the French ANR EfTrEC project (ANR-16-CE39-0002) and the MSR-Inria Joint Centre. The second author is supported by ERC grant 639554 (project aSCEND).

Author information

Correspondence to Georg Fuchsbauer.

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Cite this paper

Fuchsbauer, G., Orrù, M., Seurin, Y. (2019). Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science, vol. 11476. Springer, Cham. https://doi.org/10.1007/978-3-030-17653-2_22

  • DOI: https://doi.org/10.1007/978-3-030-17653-2_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17652-5

  • Online ISBN: 978-3-030-17653-2
