Mimble-Wimble: The Black Magic of Blockchain
哈希未来
2018-08-30 03:06
The main advantage of Mimblewimble is that while providing strong privacy, the required storage space is small and the scalability is high.

In Bitcoin, a full node must download the complete historical ledger, about 160GB, to build the unspent transaction output (UTXO) set, so that it can check that each transaction spends enough UTXO to meet the transaction conditions. Nodes have to check close to 150 million transactions submitted to the blockchain to arrive at close to 4 million unspent transaction outputs. Because all historical transaction data must be checked, the threshold for becoming a Bitcoin full node is high, and lowering that threshold is crucial to keeping the blockchain decentralized. The ledger will continue to grow over time, and in the near future it will be difficult for ordinary personal computers to run a Bitcoin full node. Is there a way for a full node to avoid downloading all the historical ledger data while still guaranteeing the legitimacy of the UTXO set and the security of the blockchain?

In addition, Bitcoin's privacy and anonymity are not as good as often imagined. Bitcoin uses a UTXO-based model to record the transfer of unspent transaction outputs. Because addresses and transfer amounts are public, sophisticated data analysis of the transfer history can link addresses to the identities of the transacting parties, which threatens user privacy and transaction anonymity.

In fact, these shortcomings of Bitcoin can be addressed. One technique not only reduces the historical ledger that needs to be downloaded from 160GB to 50GB, significantly reducing storage space and bandwidth usage, but also provides stronger privacy. That technique is Mimble-Wimble.

Its original white paper was released in 2016. Both the name of the technique and the name of its author have a magical flavor. Mimble-Wimble is a spell in "Harry Potter". Like Satoshi Nakamoto, the author used a pseudonym, Tom Elvis Jedusor (Voldemort's name in the French edition of Harry Potter), and disappeared after dropping the white paper. Shortly after the release of the white paper, a developer named Ignotus Peverell (also a character in Harry Potter) began to implement Mimble-Wimble in code on GitHub, and mathematicians from Blockstream discussed the technique at international conferences. The developers have released several testnets so far.

In Mimble-Wimble, privacy and scalability come from the following three points:

1. There are no addresses in the blockchain, and the recipient must build a new transaction witness for each transfer.

2. The transaction amount is also hidden.

3. Transactions in intermediate states can be merged, and less recorded information makes tracking more difficult. Merging means that if, among the transactions to be packaged into a block, A first transfers money to B and B then transfers a certain amount to C, the two transactions do not both need to be recorded. It is enough to record how much A transfers to C, merging the intermediate state of the transaction and attaching B's signature. This keeps the transaction secure and rules out double spending, while reducing the size of the UTXO set and significantly reducing the space required for block storage.

Mimble-Wimble relies on elliptic curve cryptography (ECC). In ECC, a very large number k is usually chosen as the private key. If H is a point on the elliptic curve, then k*H is the corresponding public key. The properties of elliptic curves make it hard to deduce the private key k from the public key, because division of curve points is very difficult. Based on this property, the actual transaction amount can be hidden in a transaction as follows:

Let v denote a transaction amount. When a node verifies that the outputs of a transaction equal its inputs, it is verifying v1+v2=v3. Multiplying both sides of this equation by the point H on the elliptic curve gives an equivalent check, that is, the node needs to verify:

v1*H+v2*H=v3*H,

Although it is difficult to read off the actual transaction amount in this form, the set of values that can be tried is limited, so an attacker can still deduce the value of v1. Therefore a second elliptic curve point G and a private key r are introduced, and every input and output value in the transaction is represented as r*G+v*H. Due to the properties of the elliptic curve, neither r nor v can be derived. The equation to be verified then becomes:

r1*G+v1*H+r2*G+v2*H=r3*G+v3*H,

It is also required that r1+r2=r3, so the actual amount of the transaction is well hidden. In an actual transaction, only the two parties know the amount. The nodes of the blockchain see only an encrypted number, and each private key r is known only to its owner. To verify that the outputs of the transaction equal the inputs while protecting the sender's private key from being recovered by the receiver, the sender chooses an excess value and adds it to his own private key. The receiver sees only the combination of the two, and only the sender knows the real private key value. Verification then only needs to confirm that the sum of the transaction outputs equals the inputs and that the transacting party knows the excess value (the way to prove this knowledge is to use the excess value to construct an ECDSA signature). The excess value is therefore equivalent to the private key of the transaction, and double spending can be prevented through UTXO verification.

Summary:

To sum up, the main advantage of Mimblewimble is that it provides strong privacy while requiring little storage space and scaling well. Because the blockchain does not need to store the entire transaction history, merging transactions in intermediate states means that only the source and current state of a coin need to be stored, and each historical transaction only needs about 100 bytes of transaction kernel. Compared with other blockchains, this saves a lot of space and keeps the amount of information to be synchronized and transmitted very small when new nodes join the network. However, it removes Bitcoin's script, and the calculations in the encryption process take a certain amount of time, so the block generation time is about 1 minute. Transaction verification also requires some interaction between the two parties, which may limit certain transaction functions.
