My hope when the topic first came up was that any privacy solution would be closely tied to lightning, both to enhance lightning's own privacy features, and to encourage normal regular use by all. If people are using lightning mostly for speed and for all kinds of transactions, mostly legit, the adoption of privacy tied to it becomes more friendly and consumer protective. If the only transactions using the sidechain are black or gray market, then use of it will become suspicious in and of itself and everyone will be more reluctant to use it at all for fear of blacklisting of their coins. IMO, we have to prioritize tying privacy use as close to lightning as possible, perhaps make it a default extra hop in the course of opening and closing every channel.
An opt-in solution like this is almost necessary. It doesn't eliminate the risk of delisting, but it does soften the approach. There's little sense in forcing confrontations this early, and while zec which has a similar opt in model (transparent addresses and zero knowledge addresses) was delisted by coinbase uk (apparently at the insistence of one bank partner self-regulating), it has been embraced by gemini which is literally advertising how regulation friendly they are all over new york. Opt in privacy is a good compromise and moves the ball meaningfully down the field.
But one way to offset the downsides of opt in privacy is to make it easy and normal to use. Tying a fungibility solution to the lightning network and making it a software default on the most used wallets could help a critical mass of transactions acquire fungibility and provide some herd immunity as the sidechain is used by all inconspicuously, and possibly increase the value of litecoin directly to bitcoin users as a source of privacy through atomic swaps in addition to testing the solution for possible future addition to bitcoin.
As mentioned by ssvb1 and coblee in another comment, this could be accomplished by UX in software, automatically handling the extra hops behind the scenes. A wallet could by default swap to mwLTC before swapping back to open a channel, and could swap to mwLTC after closing, just a few extra confirmations on the low time pressure act of opening/closing a channel. But I'm not sure how that integration happens or who does it. I don't think it happens without some pressure, the community has to expect and communicate the desire for these to be tied together closely somehow, preferably before lightning is a huge source of transactions on the network. It's less controversial and less work to make it more private now than after everyone is already using it.
Whatever works to exchange cheap, hidden and final keys to the Bitcoin PoW chain utxos will win the race for fungible e-currency. LTC, MW, LN, you name it, they all will have this purpose at the end. Bitcoin PoW does not need much fancy new crypto at all, if used as the final accepted ledger for the state of the interim subchain balances.
hidden output amounts ("confidential transactions") by default.
partial history pruning (spent outputs can be deleted from historical blocks while still allowing third parties to sync to your node and verify your data).
note: there is still unpruned data: the signatures and kernels must remain forever present and are not aggregatable. Relative and absolute timelocks are often kept in kernels, and must be present as well (which is why it's good design to keep them in the kernels) in order to maintain assurances of time, which are necessary for higher layer support.
It has these drawbacks:
no opt-in public onchain outputs (unblinded outputs have a signing key of 0 which is trivial to sign). Fixable by moving funds to a non-extension block.
quantum break implies infinite inflation (reversible homomorphic encryption lets anyone figure out the private keys and values, and falsify values). Fixable by burning the entire extension block in case of quantum break (i.e. don't keep your savings there).
"normal" non-MimbleWimble confidential transactions let us trade off between leaking historical data (which is dangerous since historical information may still land users in trouble later -- recent history is still history) or burning due to infinite inflation.
Questions 1 and 2 need clarification.
> Can one go in and out of the extension block or is it just one way?
Yes you can go both ways.
> Can full nodes verify the supply limit? I'd imagine if there was inflation inside the extension block full nodes would not see it?
Full nodes won't be able to verify the supply limit. But one advantage of EB is that the supply limit will never exceed 84 million on the canonical chain. Bad news is that if there's inflation, it's possible you'll be stuck with it in the EB side.
> What is the impact on full nodes? Are they forced to download extension blocks as well?
Old nodes don't need to DL extension blocks. This is why it's a soft fork.
1) If this soft fork does not get consensus from all miners what happens? Do extension blocks create anyone-can-spend utxos?
2) If miners change rules of EBs can my node enforce the rules somehow? Exclude Eblocks that are not valid?
3) If there ever was inflation everyone should quit EBs in order to make sure, right? So if that doesn't happen we could have a permanent inflation. If EB coins have the same value as on-chain coins that means they get diluted unless inflation is proved, right?
In plain English: MW enables a sidechain, pegged to the regular mainchain, to move value between users without the amounts (or addresses?) being revealed. Imagine Alice wants to send some ltc to Bob but she doesn't want others to see how much she will send. Alice "teleports" an undisclosed amount of ltc via the extension blocks sidechain then teleports them back to Bob. Block explorers won't see this transaction, only the transaction that begins the teleportation (sent to the anyone-can-spend address). Correct?
Imo mimblewimble will help make ltc more globally accessible because you will have a form of privacy (but not too private). Unlike Facebook's coin, where the government was saying it's not private enough. So ltc should be looking like a diamond in the dirt.
MimbleWimble is just a mechanism used to solve the issue of fungibility. At the moment, Bitcoin transactions are not fully fungible, meaning you can discriminate between different BTC coins, and we've seen this happen many times in the industry. For example, recently U.S. OFAC sanctioned three Chinese nationals and their cryptocurrency addresses (Bitcoin/Litecoin addresses) due to concerns of money laundering. MimbleWimble allows fully private transactions so that every coin is essentially the same, so you cannot discriminate between coins.
The proposal of implementing MimbleWimble via extension blocks just means that you can opt in for fully private transactions, without changing the main chain at all. So if you don't really care for private transactions, you can still use the main chain as it is with fully public transactions. It's a win-win situation.
The higher the price goes, the more fungible Bitcoin becomes, because the more scarce it will be. Imagine yourself in a desert. An ISIS member offers you water. Will you say no just because of what he did/supports? Same logic here. Only you lose by rejecting money or business and not considering that coin perfectly good. At some point someone who accepts it will take it. You lose a client and eventually marketshare. Same is not true for other not so volatile assets, but with Bitcoin this is the simple truth. At some point all bitcoins will have been on criminal hands. Just like every euro and every dollar has. At some point disputing their value because of their history is futile because 1 Bitcoin will forever be 1 Bitcoin and it will be possible to be sent across the network regardless of governments or businesses. You're the only person that you can lock outside bitcoin.
Edit: Just like gold. How many people have not died in the past because of every ounce of gold in the Bank of England? You don't see banks rejecting gold for those crimes, do you? Think of the Jewish gold in SwissBank that was left unclaimed. It's exactly the same thought process. Right now Bitcoin is at 8K but one day when one is worth 1M, maybe people will start to change those policies. We cannot change the way they think. We can only create a way to think.
They could. But if they sell their coins to you and you deposit them on any regulated exchange and their chain analysis software says "guys, this is shady" you're fucked and your account is going to be locked and you're gonna be in for a long adventure of explaining a lot of questions. Some of these exchanges will just lock your account, won't tell you shit and have fun, gg, well played. Technically if it were ever proven that you bought these coins willingly you're fucked even more, there's criminal liability iirc. And if you unknowingly transact with these addresses or mix your coins with them or whatever, that liability will stick like glue one way or another, possibly forever, so be sure to never attach those addresses to any KYC info that could identify you. If FATF ever gets their suggestion of implementing the travel rule you'll be nuked from orbit and blacklisted everywhere on every exchange that has an address and isn't some low profile den that could exit scam any second, and it will happen simultaneously and probably last forever.
MimbleWimble is just a mechanism used to solve the issue of fungibility. At the moment, Bitcoin transactions are not fully fungible, meaning you can discriminate between different BTC coins, and we've seen this happen many times in the industry, where the U.S. OFAC sanctioned three Chinese nationals and their cryptocurrency addresses. MimbleWimble allows fully private transactions so that every coin is essentially the same. The proposal is an interesting one and I would recommend reading into "Extension Blocks" and how it would work in practice.
Let us know if you have any questions!
Awesome, but with the implementation of MW will LTC be under the same amount of scrutiny as Monero? And be potentially delisted from exchanges due to its privacy feature? Wouldn't this be considered a downside?
Mimblewimble is an interesting protocol in that a transaction is drafted, then agreed to by the recipient, then published to nodes by a random walk. This is my impression of how GRIN works. UTXO state is maintained, but the transactions that lead to the present UTXO set are not recorded in the blockchain. The data savings in terms of space in a block is significant.
I'm not sure how side chain Mimblewimble implementation relates/differs.
GRIN still has a blockchain, and the size of the private transactions are still much larger than current bitcoin transactions, so there is no effective space savings or scaling improvement.
Compared to CT though, yes, it's a space savings improvement.
Why do we want privacy on Bitcoin in the first place? I think one of the biggest virtues of bitcoin is exactly the fact that it's public. It's a public ledger, just like real estate, with the writing of history in stone from the first to the last transaction. If we add privacy, then we essentially change that whole idea, and this valuable history record that we've been accumulating in the blockchain no longer bears any value.
How much money is in your bank account and what bank do you use?
That's basically the problem with transparent chains. If you send me funds I can see how much you have left over (change address). That means if you buy something from me I can see your balance for the next time we do business I can see how much you have in your address and set my price accordingly. This can be done automatically because when you buy from me you give me an identifier (email) and the transaction gives me all the details to know at least one of your addresses. From that I can see your change address, log it, and the next time you come to my site I can check your email against my database and lookup your change address, check how much is in there and adjust my prices up accordingly because I know exactly how much you have.
Because I don't want all of the companies I do business with to know how much money I have in my account, nor do I want all of them to be able to track how much I spend at each other's different places of business. No reasonable business person wants their suppliers to know how much they are paying someone else! There is this concept called PRIVATE FINANCIAL DEALINGS, and it's basically the cornerstone of economics.
Maybe there's a thing wrong with those. Why should we bring that bad part of economics into crypto? I personally don't feel comfortable with financial dealings that are private. It seems like someone is moving around parts of the fiat distribution that can potentially swing the market without full disclosure. The great thing about bitcoin being public is that no longer does a bank or institution claim to be liquid without being instantly discredited or asked to prove it. More - there is finally proof that you own whatever you own - and it is public. Available to the eyes of the poor and the rich alike.
If ever we have private transactions going on, the beginning won't have been private at all, so that seems highly unfair for the early adopters. I'm not one, but I like equality.
No no no no
Criminals can know your financial affairs in a public system.
Privacy is a right.
Fuck equality. That’s a myth. The world isn’t equal. What you want is fairness. And in a private system FAIRNESS is baked into the system. In a public system surveillance is baked into the system which means you can be controlled. Public record of private citizen’s finances is the antithesis of a free society
In a private by default system you can always opt to make some transactions public. Like public officials. Or corporate earnings. But you can’t make privacy optional or then it makes people suspect of the private transactions.
How do you feel if someone asks you to post your bank records & cc statements online ?
Anyhow, you won’t see any widespread use of BTC until privacy is the norm. All you will see is centralized HODL in exchanges, where ironically, it is private - except for the exchange. So we are just back to banks holding your money. Only now the bank is called Coinbase and if that happens Bitcoin failed because it’s no better — in fact worse — than a centrally controlled fiat due to inefficiency.
Wake up. Bitcoin is already inefficient af. And if the market cap goes up, then much more inefficient it will become. Higher price => more miners => more nodes to broadcast to. In the beginning you could transact even for free. The more adoption it faced, the more inefficient it became. Both in dollars and in satoshis. I love the idea, but the exact reason I'm discussing it is so that my hope does not die.
I don't need to post anything online. It works under pseudonym. It's already there. The maximum anyone can do is accuse me of having that pseudonym. But ultimately, the only way that it is mine undeniably is if I sign something with the corresponding private key. Until then it's all rumours. And doing that is my decision.
When you have private transactions, you lose the trail of where money traveled to since it was mined. That's a bad thing. You lose fairness and transparency.
You really haven’t studied the deeper cryptographic mathematics of how privacy can work while preserving audit capabilities that the supply has not been inflated have you?
If you can prove a transaction is valid and that it has not spent coins that do not exist WITHOUT REVEALING the amounts of those transactions or the addresses of the parties involved you can deduce that no new coins have been created artificially.
The math is way more complex than that. But if you want to know more google it.
Other coins already implement this feature. I’m saying bitcoin should too.
Oh yes I did study it. I know about validating transactions without revealing either participants or amounts. https://www.reddit.com/r/Bitcoin/comments/dlhpal/litecoin_improvement_proposal_3_mimblewimble_via/f4usuqf?utm_source=share&utm_medium=web2x here I explain my views on the privacy market. One that we shouldn't be trying to solve by adding n-th layer tools to the protocol before we have perfected it to a point where transactions happen without prohibitive fees while keeping security, integrity and availability of the overall network.
Privacy is always reversible. Sometimes with more sometimes with less effort. Why do you bother having your money private if you've been taped since you left home until you arrived? Make Bitcoin fast and cheap to use and then we can build atop so you can finally have your privacy (only in transactions) lol which is pointless because you're basically creating a tunnel where an attacker cannot see inside but everything at both ends is (in most cases) completely unprotected and open to the naked eye. Shocker: Everyone cares about privacy but nobody takes measures to keep theirs in their networks and devices. And understandably. It doesn't impact your near future in any way. And that happens to be mostly where we live.
Two points I would remind you:
1. The internet was not built with privacy and security on the base layer. So now we have eons of privacy and data security issues to deal with as we try to patch this thing after the fact. This is an ass backwards way to do things. Email, is clear text and it has every fucking bank balance sent to you every month. All your purchases. Who you correspond with. Etc. as a consequence of this lack of privacy there is a huge market for data brokers to sell your information and hackers stealing your data. It’s a fucking mess. Had privacy been built into the core protocol everyone would be in charge of their own data and the internet would not be such a massive surveillance tool.
2. Aside from Mimble Wimble, which is a nice patch, what are your thoughts on a PURE privacy crypto such as Monero, which has privacy by default, thus ensuring fungibility? Monero achieves privacy while also remaining auditable. If they can do it BTC can do it too.
Thought experiment. Most bitcoin is used for "hodl". Imagine the market cap goes to 2 Trillion overnight. People "hodling" will all try to sell and simply clog the network. Imagine you want to use your money because you ran into an emergency. How will you ever sell it or use it under these conditions? If you have it but you can't use it, then that's as good as not having it. Which leads us back to square one. Centralized Hodl. And we both agree that's worse than banks. I believe that scalability is a much more serious problem than privacy. Privacy is a social construct. There are degrees of privacy. But can you ever truly be private? The truth is: you don't know. It depends how much effort a third party is willing to put in in order to trace back your footsteps. If someone, i.e. a government, wants to track you, you better believe they're not going to look at your blockchain life. They're going to look straight at your door. Your phone, your radio even. Even sound outputs may be used as terrible microphones - most people have no idea and most people don't need to be engineers either. Most people are boring and not worth being looked at. The economics of privacy will never be extinguished. How valuable are you to get looked into? As long as you're somewhat valuable to get looked into, that market will exist.
tldr: Stop trying to solve markets. Start trying to solve scalability and making our coin usable.
I’m more concerned about casual parties I come into contact with knowing my financial affairs than I am with governments. Although depending on the government they alarm me as well.
Privacy is an important component of fungibility. Without it some coins can be blocked and tainted by governments which reduces the value of your coinage.
If the goal is financial freedom from centralized banks and a fully autonomous Trustless / permissionless system of financial security then privacy is essential for fungibility.
Otherwise, you basically just want Libra. A centrally controlled regulated money supply with lower fees than visa.
Please refer to this comment where I explain how the fungibility gets solved as the market cap of bitcoin moves up: [https://www.reddit.com/r/Bitcoin/comments/dlhpal/litecoin_improvement_proposal_3_mimblewimble_via/f4uu768?utm_source=share&utm_medium=web2x](https://www.reddit.com/r/Bitcoin/comments/dlhpal/litecoin_improvement_proposal_3_mimblewimble_via/f4uu768?utm_source=share&utm_medium=web2x) and by all means do counter my views. I'd love to know what you think.
ps: I don't think that libra is uniquely bad. Would I trade all my bitcoin for libra? Lol no.. Is libra probably easier to use than bitcoin and a nice on-ramp free of all the hassle from shit exchanges? yes and yes
How much money do you have? Do you feel uncomfortable by this question?
Imagine how uncomfortable you'd feel if I wouldn't have to ask it, but could just google it. More, if the financial history of your whole life were easily accessible by anyone. Sure, your grandma wouldn't mind you purchasing that pack of marijuana that one time when you were in uni. Even more dangerous when your financial history has false positive records in it. You can even go to jail because a blockchain analysis artist made an incorrect assumption, or that guy who's still into your girlfriend intentionally set you up to trick blockchain analysis.
Adam I have 2 questions:
1. Aren't you afraid that EB potential inflation would dilute on-chain coins because they would be priced equally? Everyone would have to exit to verify inflation something that would not happen.
2. Isn't a concern the higher minimum requirements for running a fully validating node that would have to verify EBs as well?
You can use shitcoins to buy weed man... Bitcoin to store your savings. Then, if people can google my spendings at any point in time, all that I ever did until now is already on record, so really I'm not the one you should be asking that question. Look at it like real estate or houses... You buy it and everyone knows that the piece of land is yours, and it also works the other way around - it's yours because everyone knows you own it and you always owned it since you paid for it. Same thinking goes for bitcoin.
Then Bitcoin works under pseudonym - there won't ever be a point you can "just google it" because all that you have will be names provided by some centralised source. That is easily attacked and that is easily impersonated and therefore not worthy of the same level of trust that you put on an entire blockchain. IE - "I do believe this address has this Bitcoin because it's verifiable" vs "I suspect this person has this much Bitcoin because the source is somewhat trustable."
I never stated they shouldn't. I just stated that Bitcoin shouldn't be the protocol for that. Maybe some second layer or third layer solution sure.
Edit: But again the problem with layers is that you lose valuable history on the chain
what history? it should be opaque and all it should show is that there was a block and the entire block is encrypted but it's valid. only the participants in the transaction should be able to read the details.
Dandelion is one solution to this, where only nodes that participated in a particular dandelion sequence would know which kernel was associated with their output.
Even if that mechanism was compromised (say by a sybil attacker that gets involved in most dandelion sequences), that only allows associating the kernels with their outputs. That compromises the fungibility of that output, but doesn't reveal any other info (payment amount, sender, nor recipient).
Yes - you can index the initial transactions, which consist of input commitments and output commitments. Which could later on get combined in a block where you dont see any ownership.
But the commitments in itself reveal nothing, no amount, no address or if its a change output, etc
It's not supposed to be better, this is not in competition with lightning, nor does it prevent lightning. It's supposed to be better than litecoin's current block format because it has far better privacy characteristics and slightly better scalability (maybe 2-3 times better).
Correct. Yet extension blocks have an inherent risk, if I remember correctly, to split the network. So is adding a functionality that can be achieved with a second layer worth the risk? Don't get me going with talking about full node impact.
Since the MimbleWimble / Extension Blocks Proposal draft has just been released I'm genuinely interested in your technical insight because this privacy implementation might (hopefully) soon be integrated into the bitcoin protocol.
Wouldn't this be solved by just moving coins from MW back to LTC canonical block via a Peg-Out transaction and opening a LN channel? If yes, then it's just an extra channel setup step, which can be done automatically by wallet applications.
Are you friendly with or do you ever chat with Andrew Poelstra from blockstream? I'd love to see bitcoin devs taking a more direct interest in Litecoin development to aid in our long term viability for when you perhaps take more steps away beyond divestment, and I think he in particular would be interested in the rollout and integration of mw on a chain so closely tied to Bitcoin.
Engaging him might help normalize bitcoin devs seeing and working on litecoin as a test market for bitcoin. Is that a crazy thought?
Reading the LIP specification, it states that after pruning, the size of a MW tx is around 331 bytes, is this the size of the whole tx?
If so, that's great! Just ~30% more than a regular 1 input 1 output SW tx.
Is there a catch to it or that's really it?
So the transaction size itself is a lot larger than 331. It just gets cut down after confirmation. That means the transaction that gets broadcast is large and the block that gets propagated is large, but IBD is small.
There are some disadvantages such as synchronous transactions, meaning both parties need to be online. But there are some workarounds to this.
So I just wanted to make something clear. The 331 refers to peg in transactions. MW to MW txns are smaller at an average of 110 bytes after cut through.
But MW tps are limited by the size of txns once they are broadcast, not by what’s left in the blockchain. For grin, their size is 1.5 mb and it’s about 10 tps.
And this is only a blocksize increase for MW transactions.
There is a whole lot to go through but I'll give it a go as a huge MW fan;
The proposal is adding MimbleWimble as an extension block, kinda like a linked separate blockchain but tricking your node to think the in- and outputs are just regular on-chain tx. The upgraded MW node will recognize LTC transactions, in- and out to MW extension blocks and MW to MW transactions. Regular LTC nodes will only see LTC as we do today but you will be able to validate the amount pegged into the MW extension block.
MW itself can be explained as linking spends and making it into excess value instead of a whole ledger of inputs and outputs. Each TX still has a digital signature so it's considered valid, but a lot of data will essentially be deleted, creating privacy *and* being more efficient as opposed to other privacy proposals like CT (confidential transactions) which would heavily *increase* the Litecoin blockchain growth/size. However there are downsides like not having the scripting available (which we use for Bolt in the lightning network) and the requirement for interactivity.
Which is why the proposal is for it being in extension blocks, making private transactions optional and keeping the benefits of the transparent ledger the regular LTC blockchain has. As a user you can expect it to behave like LN, adding LTC to the extension block first and being able to use MW then after (peg-in and out).
So it's planned as an opt-in softfork a year from now and can be signalled support for by miners at 75%.
The idea of sidechains in general is to avoid the volatility of having many altcoins while keeping the benefits of other technology available. Sure in practice hopping into beam would be the same effect but wouldn't the whole ecosystem be better if we could all root for the same coin to keep your wealth safe and just enjoy the tech that we prefer in the end? (Sure this might also mean the death of LTC too)
My understanding of MW is that you can't tell who spent an output from each block. If that understanding is correct, is there concern that an opt-in sidechain isn't as efficient? What are some other advantages of doing it this way?
MW works by combining transactions: if Alice sends a coin to Bob and then Bob sends it to Charlie, then it checks excess value instead of inputs and outputs, but still keeps the signature so the tx is still valid. Doing this for the whole block makes transacting *more* efficient, not less. It gives the benefit of privacy and makes it more efficient.
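The Alice -> Bob -> Charlie cut-through described here, the peg-in from the explanation of extension blocks a few comments up, and the "can anyone verify the supply limit" question earlier in the thread all come down to one arithmetic check. The following is an added example, not code from the thread or the LIP: a toy block built with `H^v * G^r` Pedersen commitments in the multiplicative group mod a prime, with Bob's intermediate output cut through and the retained kernels used both to validate the block and to audit the total pegged-in supply without revealing any amount. Kernel signatures, the kernel offset and range proofs are not modelled (each kernel is represented only by its public excess), and every prime, generator, blinding factor and amount below is constructed for the demonstration.

```python
# Added example (not from the thread or the LIP): cut-through in a toy
# MimbleWimble block.  Commitments are H^v * G^r (mod P) in the multiplicative
# group of a prime field; each kernel is represented only by its public excess
# (the signature over it, which a real block must keep, is not modelled).
# Prime, generators, blinding factors and amounts are constructed, not real values.
P = 2**61 - 1      # Mersenne prime: the group is Z_P^* under multiplication
G, H = 3, 7        # blinding-factor generator and value generator


def commit(value, blind):
    return pow(H, value, P) * pow(G, blind, P) % P


def product(commitments):
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def inv(x):
    return pow(x, P - 2, P)


def kernel_excess(inputs, outputs):
    """Public excess of one transaction: product(outputs) / product(inputs).
    With balanced values this is G^(net blinding), carrying no amount."""
    return product(outputs) * inv(product(inputs)) % P


def build_example_block():
    """Peg-in of 50 coins to Alice, then Alice -> Bob (30, with 20 change),
    then Bob -> Charlie (30).  Returns the block contents before cut-through."""
    r_alice, r_bob, r_change, r_charlie = 1111, 2222, 3333, 4444   # constructed
    pegged = 50
    alice = commit(50, r_alice)
    # Peg-in kernel: the 50 coins arrive from the public chain, so the "input"
    # is the unblinded public amount H^50 rather than an EB commitment.
    peg_kernel = kernel_excess([pow(H, pegged, P)], [alice])

    bob, change = commit(30, r_bob), commit(20, r_change)
    k1 = kernel_excess([alice], [bob, change])          # Alice -> Bob

    charlie = commit(30, r_charlie)
    k2 = kernel_excess([bob], [charlie])                # Bob -> Charlie

    block_inputs = [alice, bob]
    block_outputs = [bob, change, charlie]
    return block_inputs, block_outputs, [k1, k2], peg_kernel, pegged


def cut_through(inputs, outputs):
    """Drop every commitment that is both created and spent inside the block.
    Bob's 30-coin output disappears; only the kernels record that it existed."""
    common = set(inputs) & set(outputs)
    return ([c for c in inputs if c not in common],
            [c for c in outputs if c not in common])


def block_balances(inputs, outputs, kernels):
    """Validator check, before or after cut-through: the remaining commitments'
    excess must equal the product of the retained kernels (sum of excesses)."""
    return kernel_excess(inputs, outputs) == product(kernels)


def supply_audit(utxos, kernels, pegged_value):
    """The supply check an EB node can run without seeing any amount:
    product(UTXO set) == H^pegged * product(every kernel ever, peg-in included).
    A single inflated output would break this equality."""
    return product(utxos) == pow(H, pegged_value, P) * product(kernels) % P
```

Two things the toy makes concrete: after cut-through the block still validates with the same two kernels, which is why kernels cannot be pruned, and an upgraded extension-block node can check the pegged-in total against the whole UTXO set even though no amount is ever visible; a legacy node, which never sees the commitments, cannot run that check, matching the answer given earlier in the thread.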
Good question! It's similar to the phonetic alphabet (Alpha, Bravo, Charlie, Delta etc) used in the military. It's nothing official but just became a common archetype in cryptology. [Here is the wiki page on it](https://en.m.wikipedia.org/wiki/Alice_and_Bob)