Grin – A private and lightweight mimblewimble blockchain (grin-tech.org)
358 points by grincoin 3 months ago | hide | past | web | favorite | 243 comments

Does Grin do something concrete and useful?

I ask this question because someone on HN reminded me of this great 2001 article from Joel "Nostradamus" Spolsky on Blockchain Astronauts:

> Don't let Architecture Astronauts Scare You https://www.joelonsoftware.com/2001/04/21/dont-let-architect...

> When you go too far up, abstraction-wise, you run out of oxygen. Sometimes smart thinkers just don’t know when to stop, and they create these absurd, all-encompassing, high-level pictures of the universe that are all good and fine, but don’t actually mean anything at all.

> These are the people I call Architecture Astronauts

> The Architecture Astronauts will say things like: “Can you imagine a program like Napster where you can download anything, not just songs?” Then they’ll build applications like Groove that they think are more general than Napster, but which seem to have neglected that wee little feature that lets you type the name of a song and then listen to it — the feature we wanted in the first place. Talk about missing the point. If Napster wasn’t peer-to-peer but it did let you type the name of a song and then listen to it, it would have been just as popular.

What's the equivalent for Grin of "that wee little feature that lets you type the name of a song and then listen to it" ?

The product is anonymous/private payments at a distance, without a central trusted party — ie the holy grail of the cypherpunks, although grin only approaches this ideal.

The reason Napster made more sense than a single central server is that what it was doing was explicitly violating copyright law. At the time, there was no real possibility of licensing music for distribution online, even in a pay per song model. The only reason RIAA/etc caved and allowed both download services and streaming services was the success of early private services.

This is like questioning why Silk Road needed all the infrastructure when you could just list your illegal drugs for sale on eBay.

I think it's incredibly naive to believe that the main problem of cryptocurrency today is the lack of privacy. The ease with which you can launder crypto is the main obstacle against its widespread integration into the financial system. Sure, a Bitcoin transaction might leak an address, an amount or an IP. So what? Coupling Tor with a trusted coin tumbler, any serious criminal can hide his tracks, so if cryptocurrency is to become just as good as "money in the bank", then he is home free. Grin proposes to optimize that further and provide similar levels of anonymity to average users who don't really ask for it - talk about missing the point.

The holy grail of cryptocurrency today is not optimizing anonymity but gaining legitimacy and working as a payment system parallel to national currencies while complying with the complex regulations around KYC and criminal and terrorist financing. These are vigorously enforced in any first world nation, for sound, historic reasons.

The holy grail is to opt out of government surveillance while maintaining social responsibility and capacity to root out bad actors. This will probably require a mixed, technological, institutional and regulatory response if it is ever to be realized.

Abstracting the real world away and hiding in your little cryptographic fantasy governed only by math and not people will leave you with speculative playmoney in the best case and a dangerous can of worms in the worst.

I disagree with this almost completely. When you pay someone with Bitcoin, the receiver knows your wallet and can look up your balance and every transaction you have ever made. That’s crazy. People may not realize the implication at first but they will. Imagine a mainstream scenario and vendor behavior: you pay once, they know you are rich and adjust the price next time around. Or your insurer trawls your purchase history and adjusts your premiums because you eat fast food. etc. A certain amount of privacy when paying is absolutely essential for mainstream adoption.

As for legitimacy. If people used crypto for payments without ever converting to fiat, absolutely no “on high” institution or state can confer legitimacy. It’s irrelevant.

And as for money laundering and terrorism. Give me a break. The existing financial system is gamed all the time by nation states, the wealthy with shell companies and tax havens and the biggest ‘coin’ in all these activities is the USD. These laws are vigorously enforced entirely selectively and usually politically. I’d rather it was simply impossible.

As for bad actors, these exist now and always will, that doesn’t mean you stop the rest of the world having access to tools to move value how they want and avoid state run monetary policy. The world’s elites and mega corps do this now already.

> gaining legitimacy and working as a payment system parallel to national currencies while complying with the complex regulations

This is an impossible requirement. Every country has different, subjective, fluctuating, and often vague regulatory requirements. No decentralized platform could ever comply.

The reason crypto hasn't taken hold is simply that it doesn't scale. When enough people use it, the system grinds to a halt. Newer cryptos, like Monero have made some big steps recently, but there's still a long long long way to go for scalability.

> This is an impossible requirement. Every country has different, subjective, fluctuating, and often vague regulatory requirements. No decentralized platform could ever comply.

We first need to acknowledge the need to comply with the spirit of these regulations and allow some features that national operators can build on to create legal solutions.

There is a commonality here and there is an international convergence towards similar regulations. Sure, some countries with particularly draconian legislation could still reject crypto, but there could exist a workable compromise in most other countries.

I reject this idea that we need to go Full Monty: from one end of the spectrum (no privacy, complete state control over money and banks) to the other end, financial anarchy.

> I reject this idea that we need to go Full Monty: from one end of the spectrum (no privacy, complete state control over money and banks) to the other end, financial anarchy.

It's not going towards "anarchy" unless you're defining it to mean "there is no one from a government agency involved."

A market is a regulatory mechanism: prices via arbitrage transmit information about supply and demand directing actors to devote their efforts to alleviate scarcity. And cryptocurrencies by design have mechanisms that help enforce contracts which is directly regulatory.

Beam allows for both - full transparency and auditability of tx's by revealing a certain audit key (not sure if this is the jargon for it). So merchants can use it to allow a government agency or their accountant to audit their books.

And excellent anonymity, privacy and fungibility of its token, enabled by the large set of txs that do not reveal their audit key.

You may reject the idea, but I don't see how it can be anything _other_ than what you describe as "financial anarchy".

You either trust national governments and their KYC and AML laws, or you trust the crypto network and _its_ governance. That is the whole point, as stated by Satoshi.

If your crypto complies with some least- or greatest-common-denominator of government laws (as they apply to their national currencies), then what is the point?

The point was not that cryptocurrencies should be state run, rather that the social values embedded in their algorithmic regulation should respect a wider set of social values and accommodate applications that can comply with typical national legislation resulting from those values. See your sibling comment for an alternate perspective: cryptocurrencies already embed regulatory frameworks that reflect social values, for example, the need to control inflation or the need for financial privacy.

If the decentralized governance rejects on principle that money laundering is a social problem, then society through its various forms of governance might reject the currency, just as it would reject, say, a hyperinflationary currency.

This is what I mean to say by "going full-crypto-Monty": there is a strong tendency in the community to reject some important social values without debate and to try to enforce a political perspective on how society should work by circumventing the legitimate venue where these political debates are fought. The more the problem is asserted, the more crypto people double-down on their utopian narrative and invent new technical measures to circumvent any social control, such as this here.

I like what I'm seeing in terms of governance experimentation with DCR's Politeia, Dash (failure but they had some good ideas) and XTZ. The BTS/EOS world (especially EOSForce in Asia) has some interesting stuff too.

I'm naturally "full crypto-Monty" and find it hard to connect with people who identify more with today's political model.

Can you point me to some thinking you respect about how to blend various governance venues (crypto and physical/political)? Thanks ahead

I respect your position that "going full-crypto-Monty" may cause a crypto currency to be rejected by a society that values some rules, like anti-money-laundering.

But crypto currencies were borne out of a distrust for banks and government money policy, like inflation.

In my view, the fallacy was/is that by putting trust "in the network", these policies could be avoided, not duplicated. But that's impossible: crypto currencies merely shift trust to the network operators (who, for financial gain, become increasingly consolidated), and to the maintainers of the code, who ultimately determine the rules.

Maybe the point is that with a diversity of currencies, there is a diversity of policy choice. But that only increases the exchange problem, which defeats the purpose of a currency (that is, being widely accepted).

Aside from playing with consensus algorithms to get the hash from GPUs rather than FPGA/ASIC, can you point me to innovative thinking in this area?

Which projects (or, rather, their communities) are doing the most interesting stuff around achieving widespread distribution? I agree with you that this is essential for any crypto to truly become viable as money. If Bitcoin has won the store of value battle at least for now, then that leaves the medium of exchange game wide open and it won't be ABC/SV.

> The holy grail of cryptocurrency today is not optimizing anonymity but... complying with the complex regulations around KYC and criminal and terrorist financing.

What the... That’s not the goal of cryptocurrency according to its creators. The goal is, as you stated later, “to opt out of government surveillance”, which is incompatible with the former. You’re contradicting yourself.

There is a contradiction between privacy and law enforcement only if you think in rudimentary, white/black extremes.

Why don't you allow for shades of gray, workable anonymity that protects most regular people yet can be lifted by law enforcement in an auditable and costly process that rules out mass surveillance? Why can't we have crypto-banks that know your identity yet can't freeze your assets, only attest to them when compelled to do so by law? Can you mathematically prove such constructs are not possible? Is there a possibility they could serve society's needs better than either the current banking system or the Bitcoin-style hodge-podge?

Please explain how you can have anonymity if it can be lifted by law enforcement.

The selling point of cryptocurrencies is not being beholden to the whims of a government.

You can have limited anonymity and the option of hiding into the crowds.

To give a very crude example, an FBI backdoor key established in the genesis block could allow them to publish into the blockchain a personal information fetch request that is public and has a public field that the agency is expected to populate with the relevant court order number. They could of course issue requests without that field, but in that case everyone could see their behavior and laws could be passed to make it illegal.

A further refinement would be to request a financial bond before the operation is executed. This bond could increase exponentially, guaranteeing the backdoor cannot be abused for mass surveillance and is employed for limited, high profile cases.

The "whims of a government" are often the expression of strong social forces that exist for a reason. Rejecting any form of social governance is a Utopian political construction at its core, masquerading here as technology.

There are so many problems with your proposal it's hard to know where to begin.

I'm going to guess you're American. It might be news to you, but the rest of the world (and many Americans) don't want to be subjected to the United States government and its inane laws. You might love your government and think it does no wrong, but we don't. And it has a terrible track record.

Moreover, what are you going to do when the inevitable happens and this "supersecret backdoor key" is leaked? Your system is a ticking time bomb.

> They could of course issue requests without that field

Your "field" is useless then.

> but in that case everyone could see their behavior and laws could be passed to make it illegal.

Then what would be the point of allowing it in the first place?

> The "whims of a government" are often the expression of strong social forces that exist for a reason.

"Strong social forces" doesn't mean "good social forces". You have an incredibly naive view of how governments work if you think otherwise.

Those are straw-men against a conceptual example intended to show that a trade-off is possible. All the problems you raise have solutions in a practical system: you could issue the key to an international organization such as INTERPOL, treaties could be set up beforehand so only lawful use of the field is permitted, key revocation is a thing, etc.

Or you could move away from a centralised governance altogether and have a stake voting system where the actual users decide to de-anonymize a particular user. Or we can imagine a weak form of privacy where cooperation among your trading partners can reveal more and more information, à la e-cash with blind signatures, where a double spend reveals your identity.

In short, the question is if "absolutely private money transfers" are something we need and want, not if there are technical ways to gradually weaken privacy in a socially controlled fashion.

> All the problems you raise have solutions in a practical system

Hand-waving is not a valid way to address fundamental problems with your proposal.

> you could issue the key to an international organization such as INTERPOL

Interpol? Haha, no thanks [1]. You also haven't addressed the key being leaked, which would destroy your proposed system.

> treaties could be set up beforehand so only lawful use of the field is permitted

Yeah, that tends to work very well in the real world.

> key revocation is a thing

So who can revoke this supersecret magic key, and under what conditions? If you don't specify that, this statement is as good as meaningless.

> a stake voting system where the actual users decide to de-anonymize a particular user

Which “actual users”? Literally everyone?

You're going to have to explain the details of your proposed deanonymization system because as it stands it's completely vague.

[1] https://en.wikipedia.org/wiki/Interpol#Criticism

I'm not proposing a practical system, I'm asserting that such a system is reasonable to exist. Unless, of course, you can prove there are fundamental issues that preclude it. The imperfect nature of international law and institutions is not such an issue, but again a way to stick one's head in the sand and abstract the real world away: "see, human institutions are always corrupted, so let's circumvent them and algorithmically dictate our worldview that rejects money laundering as a real problem". What could possibly go wrong?

> I'm asserting that such a system is reasonable to exist.

When every known system that meets your criteria fails, the onus is on you to show that such a system can succeed.

> The imperfect nature of international law and institutions is not such an issue

Relying on a demonstrably unreliable system, particularly where enormous power is concerned, is absolutely a fundamental issue.

> our worldview that rejects money laundering as a real problem

This is a straw man. It's like saying that anyone who doesn't believe the government should have cameras in people's homes rejects terrorism as a real problem. We're talking about tradeoffs.

I'm the one talking about trade-offs, you are of the position that any algorithmic feature designed to weaken anonymity in certain well defined scenarios is tantamount to "cameras in people's homes".

Well, Bitcoin is more traceable than Monero or Grin so there you go, a handy example of an (unintentional) trade-off that seems to work without the sky falling. It's absolutely reasonable that an intentionally designed system could achieve a more favorable trade-off, with better privacy for regular folk and less for well defined, exceptional circumstances.

What you're proposing (giving a government entity a "backdoor key") goes far beyond anything Bitcoin does.

Dusk is trying to walk this line

“Dangerous can of worms” is the goal, although understates the level of danger and utility. https://www.activism.net/cypherpunk/crypto-anarchy.html

Well, Bitcoin is completely unsuitable for handling transactions for many reasons (transaction time, energy consumption, just to name a few). Btw, as long as your transactions are going through internet devices (routers), government surveillance is there, so it does not solve that either. The reason why even security aware people think that cryptocurrency guys are nuts is exactly this reason: you think that you can outsmart an adversary that has unlimited resources (at least compared to you). If you look at recent developments in Australia you would understand that you cannot do anything against a government other than vote the right people into power and apply pressure to politicians to end unlimited surveillance that is granted with laws like the Patriot Act.

"Coupling Tor with a trusted coin tumbler, any serious criminal can hide his tracks"

They absolutely cannot. Their tracks are in the NSA database in Utah. Tor is great for one thing: marking yourself as suspicious so it is easier to track you down.

TL;DR version for the impatient

"It all depends on who you are trying to protect yourself from. The biggest forces of surveillance in the world are not governments, but private corporations: Google, Facebook, Twitter, Yahoo, Amazon, eBay, Apple — companies whose core business runs on the surveillance and profiling of every person that comes into contact with their platforms. Everything that you communicate on the Internet gets sucked up and filed away — not by the NSA, but by Google and Facebook. Tor does nothing to protect people from that. Tor does not prevent Google from scanning your emails or recording your search history. Tor does not prevent Google from tracking your location via your Android phone, creating and saving a detailed day by day map of where you go and what you do. Tor works to an extent. If you are an individual trying to hide from the NSA or the FBI or the FSB, Tor might give you some measure of protection — if you are very technically savvy — but it is a limited sort of protection. It does not protect users against corporate surveillance. But it does provide a false sense of privacy. That is why Silicon Valley companies like Google and Facebook support Tor: it sells a version of privacy — privacy from the government — that does not threaten their own surveillance business models."

I wouldn’t call anonymous payments “the holy grail of the cypherpunks”. If anything that probably has more to do with secure anonymous communication generally than something specific like payments which only a subset of the cypherpunk space ever cared about.

Money is speech, but financial transactions are the primary communications which actually affect the world, and the only kind which governments have gone completely insane to try to restrict at any scale historically, as well as the only kind which were particularly challenging to accomplish with non cryptographic means, but at a distance, in 1988-1992 (and on to today.). All other communications can be a subset of financial transactions.

> All other communications can be a subset of financial transactions.

Sending personal letters, or photos of a dissident demonstration are financial transactions?

If you can send a payment instruction, you could send a 0-value transaction textual message. Ability to do true anonymous electronic cash implies the ability to do everything else.

Grin leaves no room for adding any publicly visible message to your transaction.

Beam is incorporating a BBS system that presumably could be used for secure communications as well (or how could it be secure for setting up a tx?).

Won't Grin have to do something similar that would support secure messaging in order for users to build txs in a secure and easy way?

I'd say if you can send Grin via email/mobile easily because of no scripting and it is truly digital cash that is private, censorship-resistant/decentralized p2p distributed ledger, then this is big.

This is exactly my thought process. Specialized frameworks - like Napster as specifically a song sharing platform in your example - were successful because they coupled architecture with a real life use case. Architects/engineers see this and think a generic version is far superior from a mechanical point. On paper, that is true (e.g. scaling or market reach) but it presents a viability-of-use problem that you end up constantly trying to adjust to the massive wide variety of use cases.

According to some other comments that wee little feature is the act of actually transferring money. Apparently you can't just send and receive money easily, you have to do it by sending files to the other person. Sounds insane, doesn't it? But your comment about the song name typing really made me laugh and think about this.

Oh, this is fantastically cool. This is what cryptos should be. Real anonymity, no greed, no speculation, just good math. I love it.

That said, the "no amounts" thing is very confusing. Do they mean to say that the amounts aren't public? Because as far as I can tell, there definitely _are_ amounts. From the repo: "The block reward is currently set at 60 grin" - that's an amount, right? Someone's account is credited with 60 grin. I can then send 20 of those 60 grin to someone else, who can send them on and so on.

Furthermore, the look-forward to quantum computing is great, and not common enough in new projects.

From their "Grin for Bitcoiners" article [0]:

    There are 3 main properties of Grin transactions that make them private:

        - There are no addresses.
        - There are no amounts.
        - 2 transactions, one spending the other, can be merged in a block to form
          only one, removing all intermediary information.

    The 2 first properties mean that all transactions are indistinguishable from
    one another. Unless you directly participated in the transaction, all inputs
    and outputs look like random pieces of data (in lingo, they're all random
    curve points).

    Moreover, there are no more transactions in a block. A Grin block looks just
    like one giant transaction and all original association between inputs and
    outputs is lost.

So I think "No more amounts" is simply trying to say that the concept of a globally-accessible transaction on the blockchain with a verifiable transaction amount is now gone. Now it's just blocks, which can be many transactions coalesced together. From later on that page: "It's as if when Alice gives money to Bob, and then Bob gives it all to Carol, Bob was never involved and his transaction is actually never even seen on the blockchain." It is not trying to say that this currency is not countable or something like that (how would that even work?)

[0] https://github.com/mimblewimble/grin/blob/master/doc/grin4bi...

>It is not trying to say that this currency is not countable or something like that (how would that even work?)

Yeah, that's what I thought at first, as well as some other people. I thought that maybe each person creates their own "currency" - maybe all the transactions are just sending files? The people trading determine the currency - a rare (e)book? Photographs?

I feel like it'd be very useful to make this clearer. "No amounts" is a very different statement than "no public amounts".

So s/There are no amounts/Transaction amounts aren't public

It does have amounts but the amounts aren't public. They are hidden behind a blinding factor using a technique called Confidential Transactions (CT) [0].

[0]: https://elementsproject.org/features/confidential-transactio...

It's going to be speculated on as soon as exchanges list it.

It is, until the speculators understand that this has been severely discouraged in the economic model, and then it will have a liquidity problem.

There is a cascading effect from modeling out speculation that they do acknowledge and don’t care about.

That is called vision.

And delusion.

But I said the same thing about bitcoin being stupid in 2009 here.

> severely discouraged in the economic model

Do you mean the fact that there's a fixed continuous rate of new coin production? Because as they point out in the Grin for Bitcoiners page that's still a continuously decreasing inflation rate (as a percentage of all coins).

Grin uses homomorphic cryptography and non-cooperative coinjoin, giving it great privacy. The amounts are not public and look only like random 256 bits to someone who does not have the private key.

How is speculation a bad thing? A healthy dose of speculators is needed for healthy markets. Speculators create liquidity and help price things. Without speculators, in general, the world would be a lot worse.

They say that it scales mainly with number of users, and per-transaction data is minor. But they also say it's 100 bytes per transaction, so with 10 tx/sec you get 31 gigabytes per year, just for the transaction data.

That's not as much of a storage improvement as I expected from mimblewimble. By comparison, a simple ETH transfer on Ethereum takes 109 bytes: https://ethereum.stackexchange.com/questions/30175/what-is-t...

They do say they could optimize Grin's transaction storage further but don't quantify that. Does anyone here know what the potential is?

Talking about per-transaction data in mimblewimble is tricky because at different points in a transaction's lifecycle it can change in size.

1. Each transaction comes with a value called a kernel; this kernel is constant in size. It does not change with the number of inputs and outputs of a transaction.

2. Mimblewimble lets parties non-interactively merge transactions. So if you have 100 transactions you can merge them together and have only 1 really big transaction and 1 kernel.

3. In mimblewimble you only need to keep kernels and unspent outputs to prove to someone just joining the network that all the rules have been followed (fixed coin supply, all transactions were correctly authorized). Over time you can throw away most of that big merged transaction as its outputs get spent, and just keep the kernel.

In theory each block should be one big transaction. Thus the size of the blockchain grows with the number of unspent outputs and the number of blocks, but not the size of those blocks. This also makes validating the blockchain much faster and under certain circumstances may have privacy benefits.

Mimblewimble is an important step on the path to scalable blockchains.
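To make the "no public amounts" point from the Confidential Transactions comment above and the kernel / merging discussion in this comment concrete, here is an added worked example (my own toy code, not Grin's or Beam's). It replaces secp256k1 points with a multiplicative group mod a 127-bit Mersenne prime (constructed, insecure parameters), so the Pedersen commitment is C(v, r) = g^v * h^r and the generators G and H are assumed, but the algebra is the same: a validator checks sum(outputs) - sum(inputs) against the kernel excess without learning any amount, a Schnorr-style kernel signature proves the excess hides zero value, and merging two transactions with cut-through removes the intermediate output while the kernels are only concatenated, not combined.

```python
"""Toy Mimblewimble / Confidential-Transaction arithmetic (constructed example,
not Grin's code). Pedersen commitments C(v, r) = g^v * h^r mod p over a toy
modulus; illustrates the algebra only and is NOT secure."""
import hashlib
import secrets

P = (1 << 127) - 1      # Mersenne prime 2^127 - 1, toy modulus (assumed)
ORDER = P - 1           # exponents reduce mod P-1 (Fermat's little theorem)
G = 3                   # value generator (assumed)
# Second generator; in a real system nobody may know log_G(H). Toy: hash-derived.
H = int.from_bytes(hashlib.sha256(b"constructed generator h").digest(), "big") % P


def rand_blind():
    return secrets.randbelow(ORDER)


def commit(value, blind):
    """Pedersen commitment: the amount is hidden behind a random blinding factor."""
    return pow(G, value, P) * pow(H, blind, P) % P


def product(elems):
    acc = 1
    for x in elems:
        acc = acc * x % P
    return acc


def challenge(r_pt, excess_pt, msg):
    data = r_pt.to_bytes(16, "big") + excess_pt.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def sign_kernel(excess_blind, excess_pt, msg=b""):
    """Schnorr-style proof of knowledge of log_H(excess): the kernel commits to
    zero value, i.e. it carries no G component (the inflation guard)."""
    k = rand_blind()
    r_pt = pow(H, k, P)
    e = challenge(r_pt, excess_pt, msg)
    return r_pt, (k + e * excess_blind) % ORDER


def verify_kernel(kernel, msg=b""):
    r_pt, s = kernel["sig"]
    e = challenge(r_pt, kernel["excess"], msg)
    return pow(H, s, P) == r_pt * pow(kernel["excess"], e, P) % P


def build_tx(inputs, outputs):
    """inputs/outputs are (value, blind) pairs known only to the participants.
    Returns the public transaction: commitments plus one signed kernel."""
    if sum(v for v, _ in inputs) != sum(v for v, _ in outputs):
        raise ValueError("inputs and outputs do not balance")
    excess = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % ORDER
    excess_pt = pow(H, excess, P)            # g^0 * h^excess
    kernel = {"excess": excess_pt, "sig": sign_kernel(excess, excess_pt)}
    return {"inputs": [commit(v, r) for v, r in inputs],
            "outputs": [commit(v, r) for v, r in outputs],
            "kernels": [kernel]}


def verify_tx(tx):
    """Validator sees no amounts: checks sum(outputs) - sum(inputs) equals the
    sum of kernel excesses, and that every kernel proves zero value."""
    lhs = product(tx["outputs"]) * pow(product(tx["inputs"]), P - 2, P) % P
    return lhs == product(k["excess"] for k in tx["kernels"]) and all(
        verify_kernel(k) for k in tx["kernels"])


def merge(tx_a, tx_b):
    """Non-interactive merge with cut-through: an output that the other tx
    spends cancels out. Kernels are concatenated, not combined."""
    inputs = tx_a["inputs"] + tx_b["inputs"]
    outputs = tx_a["outputs"] + tx_b["outputs"]
    for c in list(outputs):
        if c in inputs:
            inputs.remove(c)
            outputs.remove(c)
    return {"inputs": inputs, "outputs": outputs,
            "kernels": tx_a["kernels"] + tx_b["kernels"]}


def demo():
    """Alice -> Bob (20 of her 60 grin) -> Carol (all 20), merged into one block."""
    r_alice, r_bob, r_change, r_carol = (rand_blind() for _ in range(4))
    tx1 = build_tx([(60, r_alice)], [(20, r_bob), (40, r_change)])
    tx2 = build_tx([(20, r_bob)], [(20, r_carol)])
    return tx1, tx2, merge(tx1, tx2)


def inflation_attempt():
    """Constructed invalid tx: claims 61 out for 60 in. The balance equation
    then carries g^1, which an H-only kernel cannot match."""
    r_in, r_out = rand_blind(), rand_blind()
    excess = (r_out - r_in) % ORDER
    excess_pt = pow(H, excess, P)
    return {"inputs": [commit(60, r_in)], "outputs": [commit(61, r_out)],
            "kernels": [{"excess": excess_pt, "sig": sign_kernel(excess, excess_pt)}]}


if __name__ == "__main__":
    tx1, tx2, block = demo()
    print(verify_tx(tx1), verify_tx(tx2), verify_tx(block))        # True True True
    print(len(block["inputs"]), len(block["outputs"]), len(block["kernels"]))  # 1 2 2
    print(verify_tx(inflation_attempt()))                            # False
```

After the merge the block has one input (Alice's coin), two outputs (Alice's change and Carol's coin) and two kernels: Bob's 20-grin output has been cut through, which is the "Bob was never involved" effect quoted above, but the per-transaction kernel survives, which is why the thread's 100-bytes-per-transaction figure remains without an interactive signing round to aggregate kernels. The inflation attempt shows what the ECDLP assumption buys: the forged transaction fails the balance check because the excess no longer lies purely on H.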

> 2. Mimblewimble lets parties non-interactively merge transactions. So if you have 100 transactions you can merge them together and have only 1 really big transaction and 1 kernel.

Non-interactively merging transactions doesn't combine the kernels into 1. So a block ends up with all the kernels of all the original transactions.

Hi John, thanks for pointing this out. I would edit my comment to reflect the fact that Grin does not allow non-interactive kernel merging, but that comment is edit-locked.

>Non-interactively merging transactions doesn't combine the kernels into 1.

In theory Mimblewimble should support non-interactive kernel merging unless intentionally disabled. There are a bunch of reasons not to allow non-interactive kernel merging such as kernel locktimes, griefers adding spam transactions to your transaction, etc...

Even if non-interactive kernel merging is disabled you can still interactively merge kernels using say CoinShuffle++ and you should to save on the number of kernels.

> Mimblewimble should support non-interactive kernel merging unless intentionally disabled.

It's not intentionally disabled. We'd love for Dandelion nodes and miners to be able to merge kernels. But unfortunately that's not possible with the Schnorr signatures and secp256k1 curve we're using.

The page mentions future optimization, what do you think is achievable?

Lots is possible with fancier crypto. BLS signatures allow non-interactive aggregation, making storage size truly independent of historical transactions, but require faith in less well researched pairing-based crypto. RSA accumulators are discussed in another comment. Right now, Grin's design is conservative, relying on the same security assumptions as Bitcoin. The one crucial difference is that money supply is fully verifiable in Bitcoin, while Grin allows undetected inflation if the ECDLP (Elliptic Curve Discrete Log Problem) gets broken.

Aha, so even though there are 100 bytes per transaction, you can merge all the transactions in the block so it's actually just 100 bytes per block (plus unspent outputs). Nice.

No, it's still 100 bytes per tx. See reply to parent.

7 billion people X 1 wallet of fully merged TXs X 100b / tx = 652 GB

They only store outstanding UTXOs, not the whole transaction history

> This means that the Grin blockchain scales with the number of users (unspent outputs), not the number of transactions. At the moment, there is one caveat to that: a small piece of data (called a kernel, about 100 bytes) needs to stay around for each transaction. But we're working on optimizing that as well.

How do these numbers compare to, say, a credit card transaction?

I don't think that matters because other people's credit card transactions aren't stored in a blockchain that you download.

they do prune transaction storage

I read the tech spec and it amazes me that there are people who can come up with this stuff. Completely obvious in hindsight. From the crib notes[1]:

> Grin's emission rate is linear, meaning it never drops.

This sounds more like a real currency, although, without limited supply this thing won't be going to the moon. The deflationary nature of cryptocurrencies thus far has been my main criticism as to their viability as currencies (inflation encourages spending, which increases liquidity).

[1]: https://github.com/mimblewimble/grin/blob/master/doc/grin4bi...

Pretty much everyone with knowledge of mainstream (non-Austrian) economics came up with the idea of non-deflationary cryptocurrency (keynescoins) around 10 years ago. That's how you can tell that everyone who says "it's about payments/adoption/etc not speculation" is lying because why would they make it deflationary.

Also, fixed linear emission is pretty much the second worst possible monetary policy and I think it's basically a way to have plausibly deniable deflation. If Grin adoption follows an S-curve then 50%/year emission won't be noticeably different from 0%. (And if it doesn't follow an S-curve then it has failed anyway.)

A 50% emission rate is incredibly high. Any linear emission rate will tend towards 0% as the number of coins in circulation gets larger and larger (assuming none are accidentally lost).

Deflationary money can theoretically work, it's just that instead of having the vendor adjust menu prices every year for inflation, consumers would have to discount their purchases. For instance, during the 2017 boom, I noticed friends often paid each other for dinner with Ethereum at large discounts.

Obviously this isn't price efficient, and the mental calculus isn't a great user experience, but it can work. We would just live in a much more frugal society which saved a little more. We could have lower defaults as we underconsume. A credit system probably wouldn't work however as we've destroyed the concept of time value of money.

Imagine a thirsty tourist in a desert might be unwilling to part with his Bitcoin for a meal, but willing to do so for a bottle of water as his instantaneous discount rate for water is far higher at that point in time and state.

Whether a coin is inflationary or deflationary is a little more nuanced than simple changes in money supply, and has to do with whether these changes are unanticipated and how users form inflation expectations. Imagine if Satoshi's account suddenly awoke and moved, only to burn those coins in another address. There would be momentary hysteria and selloffs, before inflation expectations readjusted back to before.

You'll see that price levels are relatively indeterminate without strong commitments to target inflation rates. In that sense a bank may be better than a non-sovereign currency at maintaining price stability.

> A credit system probably wouldn't work however as we've destroyed the concept of time value of money.

This is spot on and is the main problem. This destroys all lending, which prevents various forms of capital investment - the cornerstone of economic growth.

Like it or not, inflation is a key component to any currency. ...and as you said, increasing the money supply doesn't even guarantee inflation - but contracting it absolutely spells deflation - which is death.

Ideally a "better" cryptocurrency would detect the velocity of money within its own blockchain, and calculate the appropriate amount of inflation (or even deflation) to keep the scarcity of currency stable.

If you imagine that a currency is like blood in a body, then as the body grows (or shrinks), the blood volume must adjust accordingly. Fundamentally, the function of currency is not to save - it is to spend.

Thanks for the commentary. Do you think any cryptocurrency has applied effective monetary policy that addresses the issues described elsewhere in this thread? Do you think token curated registries might be a reasonable context to explore game theory and monetary policy in a more iterative and experimental fashion?

I think stablecoins are a good idea but curiously (not really) no one accepts them for payments.

I wasn't aware of token curated registries but after skimming the paper (seems to be something like a prediction market?) I don't understand the connection to monetary policy.

Too many game theoretic attacks with stablecoins - still unproven.

Ethereum's issuance is also linear, and has been since 2014. https://blog.ethereum.org/2014/04/10/the-issuance-model-in-e...

Not really a fair comparison, (1) Ether has a finite supply and they have not decided how many coins they will print (it is "an area of active research" ), and (2) they gave themselves a bunch of coins on day zero ("12 Million.. were created to the development fund, most of it going to early contributors..") and (3) they crowdsaled the rest of it on day 1... Grin isn't doing any of these things.

(quotes from https://www.ethereum.org/ether )

Not true. There's a time bomb in the Ethereum protocol that makes mining more difficult over time. This slows the issuance (and the whole blockchain).

During Ethereum's life, the block reward has been reduced, and the time bomb has been delayed. This is in itself an example of how blockchains depend on an initial human consensus. The Ethereum Foundation is overseeing Ethereum's monetary policy, and the miners mostly approve of it. This is not a bad thing (decentralization != anarchy).

The time bomb has nothing to do with issuance. Its stated purpose is to force the chain to go to POS, but they simply fork it further in the future every time it comes up, and the miners can (and should, for their own profit) continue to do so forever.

The primary benefit of a linear emission rate, as far as I’m concerned, is that it doesn’t depend on fees completely taking over from the block reward in order to provide adequate security against a 51% attack. It’s currently unknown whether a fee market will be stable over the long run in bitcoin, and this means there isn’t as much of an incentive to limit the block size for purely security purposes (there are other good reasons to limit the block size though), in addition to block sizes being harder to change once the network is running.

I think the argument being made is that linear emission is, in the long run, as insufficient as zero emission since it's an ever decreasing portion of the total money supply.

It really needs to be inflationary.

With a linear emission rate, the relative inflation percentage drops pretty substantially year over year. 100% year 1, 50% y2, 33% y3, etc etc.

At a certain point the inflation rate drops below that of fiat currency. Pretty smart IMO

I think if anything the emission rate should increase over time. Unfortunately most crypto currencies seem to be encouraging holding them as an "investment" instead of actually using them as a currency.

And over time, what was an O(n) emission rate becomes O(n!)

> Unfortunately most crypto currencies seem to be encouraging holding them as an "investment" instead of actually using them as a currency.

Are you suggesting any of the top 5 cryptos are encouraging HODL besides Bitcoin?

Currency and money are not the same thing.

> non-negligible amount of coins gets lost or destroyed every year.

This is an interesting point I had never considered before.

Assuming that a mainstream crypto currency would lose a constant percentage of its coins each year (seems reasonable), any mainstream crypto currency with less than an exponential growth rate will eventually hit a steady state of coins in existence.
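A short derivation of that steady state, added here and not part of the comment: let $E$ be the constant yearly emission and $\ell$ the fraction of the supply lost each year (both assumed constant).

$$
S_{n+1} = (1-\ell)\,S_n + E, \qquad S^{*} = \frac{E}{\ell}, \qquad S_n - S^{*} = (1-\ell)^{n}\,(S_0 - S^{*}) \xrightarrow{\;n\to\infty\;} 0 .
$$

With the 1 grin per second mentioned later in the thread, $E \approx 3.15 \times 10^{7}$ grin per year; at an assumed $\ell = 1\%$ per year the supply converges to about $3.15 \times 10^{9}$ grin, and the effective inflation rate $E/S_n$ falls toward $\ell$ rather than toward zero.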

You fit in perfectly in their camp then. They believe that if it’s deflationary, then it’s not interesting.

That said, they intend for grin to be used in 50 to 100 years. Verbatim. Do you want to wait that long?

Have a read of the Bitcoin Standard. It's a must read for anyone that really wants to understand Bitcoin's economic model

I'm totally sold on privacy as a critical feature of currency long-term, and that mixes in bitcoin alone are insufficient. Pretty cool to see two mimblewimble projects launching (beam + grin) which seem to have made some different tradeoffs.

Dandelion seems like the weak link from a privacy perspective under a reasonable attacker scenario, though, although it could easily be replaced.

What are the main differences between beam and grin?

Grin, academics and early bitcoiners' second attempt at digital cash.

Community funded. Pure mine. Rust, inflationary economics, cuckoo cycles. No governance, but that is debatable. Small team making decisions. What is that?

Beam, entrepreneur team. Had a presale that allowed them to put devs on the project full time and blow past Grin in material output. It’s not a “pre-sale” but it is. They pay back the investors through splitting the block reward (founder’s reward) over the first five years. Then spin that into a foundation, C++, cuckoo cycles.

Give Beam a chance before you say it’s a scam. They are good people. I don’t agree with what people are saying about them, despite disagreeing with their approach. Talk to them before making up your mind. They have sound arguments that founders will understand, and ideologues like me disagree with.

> Community funded. Pure mine. Rust, inflationary economics, cuckoo cycles. No governance, but that is debatable. Small team making decisions. What is that?

Somebody has to do the work to bootstrap and develop the network. Whom do you expect to govern the project? Governance meetings are public, bi-weekly, in the Gitter Lobby chat, you are free to join.

Also since I am into nitpicking, economics are inflationary for the first couple of decades gradually switching to deflationary (1 grin per second forever).

I agree grin is more philosophically pure, and that the beam approach is more effective. Neither is a scam. I’m pretty familiar with the challenges in the nonprofit foundation/decentralized model.

I don’t think the monetary/inflation model sufficiently differs between the two to make a real difference. For a payments system, I’d rather see higher inflation, or at least a subsidiary token with higher information, but none vs linear isn’t a big difference, and any of these can probably work, as long as it is predictable.

As long as they are making decent decisions, no one deeply cares about governance (yet). Maybe they will in the future, but for going from 0 to something used by people, I don’t think it has ever been a top concern.

One of the two will probably win, but that will likely be determined by:

1) merchant/user/developer adoption (which all feeds on itself, and has a bunch of factors — marketing, toolchain, etc)

2) exchange support, with three tiers — “any exchange”, a “big exchange”, and (depending on the user) “my preferred exchange” (coinbase or binance for many)

3) lack of fucking up in unrecoverable ways

4) (as yet unsubstantiated) the first really good mobile wallets on android and iOS

5) killer initial applications (which might just be regular user to user anonymous payments, but could be something new)

6) maybe: erc-20 type functionality to support other kinds of assets

The other competitor for both is if an existing base layer adopts MW. If BTC or ETH (or maybe XTZ or EOS or something) adopted it overnight, that would probably remove the market for a new MW token.

While Grin uses Cuckoo Cycle (to be precise, one variant aimed at ASICs and another aimed at GPUs, in a dual-PoW setup), Beam uses an Equihash variant for Proof-of-Work.

Monero is fairly advanced in terms of privacy implementations

The Network effect is already there. And you can mine Attention with Monero today. https://after-dark.habd.as/module/toxic-swamp/

When thinking about a cryptocurrency, there are a bunch of different attack surfaces (to name a few):

* client (wallet)

* network from client to node (network)

* node

* network node to node (consensus)

* ledger

Each one has a different attack surface and threat model. Mimblewimble is a neat solution to the ledger, at rest, threat model. I still think zcash is the king right now when it comes to privacy, but obviously mimblewimble is a cool approach to scaling. It’s a really fascinating space.

When you compared ZCash and MimbleWimble, you forgot to mention that the latter doesn't need a trusted setup like the former needed.

The trusted setup is the major problem with Zcash, but it’s much more private than MW (assuming you believe the setup).

I’m not gonna spend a lot of time arguing on here, but I think it’s worth closely studying these systems as they’re fascinating. All anonymity focused systems have tradeoffs, just like more commonly understood distributed systems.

The big privacy concern I see with MW is the exchange of blinding factor, and there are some arbitrarily good solutions to that if you make other tradeoffs.

With ZCash I'm willing to trust the trusted setup (even if it was imperfect); the issue is that people don't actually use shielded addresses/privacy protecting transactions much.

The biggest privacy issue with grin is it doesn't hide the transaction graph. See their own write up[0] which offers a very good and nuanced privacy discussion. This means, for example, you can be tracked by colluding vendors. Or can be identified when trying to accept payments anonymously.

I don't think blinding factors are as much of an issue.

Zcash setup doesn't matter for privacy. The larger issue is as you said, adoption of private transactions.


RSA accumulators is an active area of research that will help with unlinking inputs and outputs, see the grin forum thread for more discussion:


It really doesn't help with that unless you use a completely different protocol and assume trusted setup. At which point, just use zcash, it will have smaller and faster to verify transactions. Trust me, I've been working with RSA accumulators for privacy in Bitcoin since 2011.

Ah, I didn't see how the blinding factor was being used (the code is actually easier to understand than the paper). This has approximately the same linkability as monero, inferior to zcash (complex) or chaumian tokens (hyper-efficient, but centralized per-currency, although currencies can be permissionless).

Why can’t you just do self to self transactions before/after each external transaction, and split/aggregate to standardized values (to start, let’s assume the entire system only allows payments of exactly 100 units each).

Self to self txs could help obscure the tx graph when held at Dandelion nodes ready to aggregate with any other tx passing through the stem.

Standardizing values makes no sense since amounts are already invisible.

Let’s assume Alice is an antagonist coordinating with Carol to unmask Bob.

How many self to self tx does Bob need to do to hide from Alice and Carol?

I believe it depends on how much of the network the adversary can monitor, and how high a confidence Alice/Carol need in Bob’s identity to take action. If the action is “subject him to additional off-chain scrutiny”, the bar is presumably lower than “criminal conviction or assassination solely on this evidence”.

The more I learn about MW the less suitable it seems for my goals.

I think Alice and Carol need knowledge of 2 tx with Bob to coordinate a common ancestor; that's it.

If you imagine the ledger like a deck of cards, there is probably a point where all txo's are shuffled (and we can likely make a conjecture that after N shuffles, the position of any txo is unknown, it's just hard to gauge how many shuffles we need to do for real privacy guarantees. If you want 6 sigma privacy, you might need to wait a very long time).

There is no need for exchange of blinding factors.

The mailing list message https://lists.launchpad.net/mimblewimble/msg00091.html explains how any possible multi-party transaction can be done safely without exchanging blinding factors.

Zksnarks is an incredible pile of research. It’s actually stunning.

Out of band blinding factor transfer is interesting, also relay/mix nets are interesting. I think it’s all a super cool area that’s worth studying closely.

Privacy of Zcash doesn't depend on the setup, only the soundness (preventing people from creating money out of thin air)

Privacy of zcash depends entirely on the setup.

Please reread the paper.

I work with SNARKs on a regular basis. Soundness depends on the setup; zero-knowledge is unconditional.

What's the trusted setup with zcash?

A group of people came up with the initial parameters (some random numbers). If they kept these numbers, they’d be able to anonymously, silently print unlimited amounts of zcash coins, and no one would know.

Interesting, are you aware if there's research on a trustless way to create a trusted setup? Basically a way to generate these random number without others knowing and to prove they no longer exist?

Monero doesn't need a trusted setup as well!

This is a very well-known blockchain project that people in the industry have been watching, so I’m happy it has surfaced here without the usual “blockchain is 110% useless” commentary HN is known for. It is a very interesting experiment.

> the usual “blockchain is 110% useless”

Are there any projects that you consider to be a success that currently use a distributed blockchain?

I suspect like most people my skepticism comes not from the inherent technology but in all actual deployments so far.

A system that solves scaling, doesn’t appear to be a questionable pyramid scheme, and had even a few of the advantages of the existing financial system would be welcomed.

> Are there any projects that you consider to be a success that currently use a distributed blockchain?

Would you object to me saying "bitcoin" (edit: I should be clear that I'm primarily referring to market value and making money for those involved with this one)?

It's morally ambiguous at best, but what about "dark net markets"?

Or if we just don't worry about morality, "cryptolockers"?

Of course the latter two are really just consequences of us having a reasonably secure and (seemingly) anonymous currency. The fact that bitcoin enabled them perhaps says more about the state of the rest of the world than bitcoin itself.

I would probably object to Bitcoin counting.

Its original notion was "peer-to-peer electronic cash". As best I can tell, there's almost no significant legal use beyond speculation. [1] Even prominent Bitcoin advocates have admitted it isn't a good currency. [2] Illegal use is self-limiting; if Bitcoin becomes mainly known as the crime currency, it'll be truly screwed, as governments everywhere will further crack down on conversion and use, driving off investors, developers, business partners, etc.

I think it's especially obvious how much it's failed as e-cash when you compare it with M-Pesa, an African e-money system. [3] It started just a year before Bitcoin, but does something like 100x the transaction volume and is wildly popular in a number of countries.

[1] E.g., https://www.nytimes.com/2018/04/16/nyregion/new-york-today-l...

[2] E.g., https://avc.com/2017/08/store-of-value-vs-payment-system/

[3] https://en.wikipedia.org/wiki/M-Pesa

Bitcoin is the most transparent form of money invented and in circulation. That's why a number of studies you can find online place criminal activity quite low. Who wants a trackable currency vs dollars?

It's a very interesting thing to call it "money". It's ... not. Not unless you want to call every scarce good money. This has been rehearsed many a time over the years. It's too volatile to be usable as a unit of account, it's not backed by a nation state and it can't be used to create credit. These are all important functions of money and Bitcoin has none of it.

And no, it's not a Ponzi scheme either, it's a new kind of scam: https://prestonbyrne.com/2017/12/08/bitcoin_ponzi/

not being controlled by any government and not being able to create it out of thin air for credit is a feature not a bug. but if you are calling bitcoin scam in 2019 I don't think we can have a rational argument.

It's a feature for a very small number of people with a quasi-religious aversion to government-backed money. It's also a feature for criminals. But both historically and currently, the great majority of people seem to quite like currencies backed by well-run governments.

for criminals see the root of the comment you are commenting on. fact: it's not popular among them.

Not being controlled by a government is a feature for all criminals. Bitcoin has other issues that make it less popular for criminals, though.

I don't get the sequence of your thought. Not being controlled by a government is a feature of a global currency such as the IMF currency. Or Gold. Do you think a global currency not controlled by one entity is good for criminals? Why? How?


> The SDR serves as the unit of account of the IMF and some other international organizations.

> The SDR is neither a currency

And gold is not a currency either. It's a scarce good, nothing less nothing more.

It was an example.

> not being controlled by any government

That's not the same as "not being backed by". Uncle Sam seems to be doing a pretty good job of asserting his control over it[0], while the Fed isn't guaranteeing it. Worst of both worlds, isn't it?

[0] https://www.coindesk.com/goodbye-fungibility-ofacs-bitcoin-b...

> not being able to create it out of thin air for credit is a feature not a bug.

Credit predates capitalism by thousands of years and no one has shown any sort of working economy running without credit.

that's why it's an experiment of course

it's a scam nothing more, come now. https://prestonbyrne.com/2017/12/08/bitcoin_ponzi/

it's an opinion that needs hours to debunk. All I need to say is that he includes a quote from Naval. Lol. Naval is a big proponent of bitcoin and blockchain. Talk about getting facts wrong.

WaPo already in 2015 summarized it thusly:

> So the Bitcoin faithful have tried to not only convert people, but also convince them to martyr themselves, financially-speaking, for the crypto cause. It goes something like this.
>
> - Hey, do you want to hear about the future? It's a digital currency called Bitcoin that lets you spend or move your money online without paying any fees.
> - Sounds great. How does it do that?
> - Well, Bitcoin saves you money by making transactions irreversible.
> - So ... if I get scammed, I got scammed? There's nothing I can do about it?
> - Yes.
> - Okay, but is it at least easy to use?
> - The thing is, I don't actually use it. I just hoard it. I'm waiting for some greater fools to push up the price by using theirs.
> - Oh.
> - Yeah. So you should buy some Bitcoins and use yours.
> - I'll get back to you on that.

If you subscribe to the hodl mantra and advocate for Bitcoin, this is exactly what you do...

If you bought bitcoin in 2015 and hodled you would have 2000% profit now. Don't even go there. If you give dollars IRL to a scammer you don't get it back. There are so many false and useless claims with these narratives. Just make an opinion on your own or if you want to only listen to "important" people listen to the people that invested in Facebook and built all the Silicon Valley (Winklevoss, Draper, Andreessen Horowitz, Wozniak, Jack Dorsey, YC etc etc etc). Their opinion matters.

You'd have 2000% profit today; you had a lot more in 2017 and within a year or two you will lose it all.

it's always like that with any breaking the status quo technology. either make it big or break. it doesn't matter if you think this particular technology will fail. it doesn't make it a scam. your government even and your congress (I suppose you are american) believes it's not a scam since you can pay taxes in it. Hey, is something that you can pay taxes with a currency? No? Why?

The amount of transactions is much higher, but the amount of money being moved is much lower. The highest number I could find for yearly transaction amount in mPesa was 3.7 Trillion Kenyan shilling, which is about 36 billion$. Compared to that, bitcoin moved value for over 400 billion$ in 2018.

I agree with you that the mPesa transactions are much more likely to be transactions for goods and services, but I don't think Bitcoin can be counted as an abject failure just yet.

Your valuation number for Bitcoin is driven by a speculative bubble, so it's not a fair comparison. And, "electronic cash" should have a lot of small transactions. That Bitcoin is mainly large transactions is a sign it's a bad cash replacement.

I agree that Bitcoin won't be counted as a failure yet, but I think that's part of the problem. As a hypothesis, Bitcoin apparently isn't falsifiable. Consider the Fred Wilson article linked above, where a Bitcoin advocate admitted that it wasn't a good payment system. But he immediately declares it a store of value. Now that we've had it crash by 80%, it's pretty clear that it's bad for that too. If there isn't a new consensus answer to the question, "what is Bitcoin good for," then its advocates just shift to the possible shining future based on hope and potential. And note how its distributed, peer-to-peer promise has quietly drained away.

Bitcoin can apparently never fail. And I think that's part of what guarantees its failure. Nobody expects an early product to be perfect. But good products evolve and expand to better serve users. As it became clear Bitcoin was not very good for its stated purpose, it could have changed and grown. But speculation was too profitable, so it got stuck in a very deep rut. If some blockchain currency becomes actually useful, I suspect it would be one of the hundreds of competitors. But given that none of them seem to be delivering real-world economic value either, I'm not optimistic.

> there's almost no significant legal use beyond speculation

Citing an article about a guy trying to use it exclusively is a bit odd as a source for "almost no use".

The big payment processors process up to over a billion dollars of completely normal white market payments per year. That's likely mostly enthusiasts, but still a decent chunk to make a profitable business or two from, and very far from "almost no use".

"Cash" has a very specific meaning from those interested in private currencies, which has nothing to do with how well adopted it is. It means something that is a transfer of value (and not an IOU), that is fungible, with private transactions between parties. Bitcoin is questionable on the latter but pretty good on the former. The white paper must be understood in this context.

The fact that Bitcoin has value at all is an astounding success, compared to what most other casual observers (myself included) thought about it.

> The big payment processors process up to over a billion dollars of completely normal white market payments per year.

I would love to see your data for that.

But "big payment processors" are definitely the opposite of "peer-to-peer electronic cash". We already had big payment processors. Those are much more efficient.

> fact that Bitcoin has value at all is an astounding success

It strikes me as a pretty uninteresting kind of success. Tulip bulbs and Beanie Babies both had very high valuation for a while. But in the long term, prices generally fall back to what's sustained by use.

> Would you object to me saying "bitcoin"

For me, the jury is still out, cf tulip bubble.

> of us having a reasonably secure and (seemingly) anonymous currency

I'd object to that on the basis that most crypto-currencies have a public ledger, and I believe deanonymization is already somewhat effective and also only just in its infancy. I would not want to have committed anything to the blockchain that I wasn't happy for the world to know. I believe this is solvable in future innovations, but appears to be far from widely deployed. The linked post appears to be a possible solution.

Also I think the whole tainted coins concept, where a government marks transactions emanating from a wallet, and all linked transactions after that, is going to be a much much bigger deal than people think. It seems very unlikely to me that companies like Coinbase won't have to maintain a blacklist at some point in the future if they want to stay on the good side of regulators, which will lead to all sorts of turbulent effects.

Not the OP but giving cartels an anonymous payment channel doesn't sing 'success' to me, personally.

Like I guess they found a niche market. Maybe it will be a success in a post-national world where banks and sovereign debts aren't able to serve our needs, but until then it all feels like LARPing to me.

Cartels already have anonymous payment channels, which Bitcoin is not.

> giving cartels an anonymous payment channel

Bitcoin is not anonymous, this is a big misconception. It is pseudonymous at best. US dollars are anonymous.

Aaand there it is. I do agree that the skepticism of blockchain projects is not unwarranted given the extreme bubble that occurred and the lack of actual use in the industry, but I do agree with the previous comment that it’s a nice change to be able to talk about this stuff without so much negativity. I haven’t made any money from blockchains, but they are still super interesting from an implementation perspective.


Personal attacks are not contributions here

Saying that someone's argument doesn't seem to be well-rooted is far from a personal attack.

The only answer is bitcoin. The rest are scams hijacking the technology to sell pseudoscience and vaporware. See Ethereum


There is nothing to invest, this isn’t an ico

How does Grin compare to using Blackbytes on the Byteball directed acyclic graph (DAG)? https://medium.com/byteball/private-textcoins-6a2288d80757

It's not just privacy that's appealing about Grin, it's designed to scale based on usage. Grin is designed so that its network doesn’t get dragged to a standstill when transaction volume increases. This was the core issue in the Bitcoin block-size debate: there were more transactions than could fit into a 1MB block. As long as there’s a restrictive block size limit, there will be a capacity issue. A dirty little secret is that to get around scalability issues, almost all payment processors and exchanges do off-chain transactions. Which begs the question: why bother using a cryptocurrency with blockchain? It’s a slippery slope. Increasing usage will of course increase transaction volume. To ensure that a block size can continue to accommodate volume increases, you have to streamline each block by trimming transactions. MimbleWimble/Grin maintains that if an output spends an input, you no longer have to keep them because they cancel each other out. This greatly cuts down the amount of data you have to store and process. The only data that nodes keep is unspent outputs and block headers. Instead of thinking of blockchain capacity in terms of number of transactions, MimbleWimble/Grin is designed to grow with the number of users using cut-through. The streamlined blocks make growth sustainable over time as the transaction data set does not continue to get bigger. This increases privacy since transaction data gets removed and it also enables fungibility. That's the scalability answer Grin brings, in addition to privacy by default.

You're very much wrong, Grin's innovation is not removing the hard block size limit, that many other coins don't have.

There's nothing stopping Bitcoin scaling to 100MB blocks with today's hardware, the problem is long term blockchain growth, and validation times, that sort of thing.

Grin's innovation is that the entire blockchain can be shrunk using algebraic reduction, unlike other cryptocurrencies that scale linearly with total transaction amount, Grin only saves unspent transactions and a small proof of the total history of the coin since its mining date.

This means that a 100GB ledger could be reduced down to 100s of MB of its size, and be just as provably secure as the original unreduced ledger.
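A toy of the cut-through that both of the comments above describe, added here as an illustration and not code from Grin: Pedersen commitments in the multiplicative group mod the 31-bit Mersenne prime stand in for secp256k1 points (an assumption made so it runs with the standard library; the generators, amounts and blinding factors are constructed), so an output spent inside a block cancels against the input that consumes it, while each transaction's kernel stays behind.

```python
"""Toy MimbleWimble cut-through (added illustration, not Grin's code).

Pedersen commitments live in the multiplicative group mod a 31-bit prime
so everything runs with the standard library; Grin uses secp256k1 points.
Fees and range proofs are left out; the group is far too small to be secure.
"""
import hashlib
import secrets

P = 2**31 - 1      # Mersenne prime; the group Z_P^* has order N = P - 1 (toy size)
N = P - 1          # amounts and blinding factors are exponents, reduced mod N
H = 7              # primitive root mod P: commits to the blinding factor
G = pow(7, 5, P)   # second generator for the amount (its log is known here; Grin's is not)


def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind mod P."""
    return pow(G, value, P) * pow(H, blind, P) % P


def _challenge(R, X):
    return int.from_bytes(hashlib.sha256(f"{R}|{X}".encode()).digest(), "big") % N


def sign_kernel(blind_excess):
    """Schnorr proof that the kernel excess X = H^x commits to an amount of zero."""
    k = secrets.randbelow(N - 1) + 1
    R = pow(H, k, P)
    X = pow(H, blind_excess, P)
    return X, (R, (k + _challenge(R, X) * blind_excess) % N)


def verify_kernel(kernel):
    X, (R, s) = kernel
    return pow(H, s, P) == R * pow(X, _challenge(R, X), P) % P


def make_tx(inputs, outputs):
    """(value, blind) pairs known to the parties go in; the public transaction comes out."""
    excess = (sum(b for _, b in outputs) - sum(b for _, b in inputs)) % N
    return {
        "inputs": [commit(v, b) for v, b in inputs],
        "outputs": [commit(v, b) for v, b in outputs],
        "kernels": [sign_kernel(excess)],
    }


def _product(commitments):
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def verify(tx):
    """outputs - inputs must equal the kernel excesses, which provably carry zero amount."""
    excess = _product(X for X, _ in tx["kernels"])
    balanced = _product(tx["outputs"]) == _product(tx["inputs"]) * excess % P
    return balanced and all(verify_kernel(k) for k in tx["kernels"])


def cut_through(txs):
    """Merge txs into one block; an output spent inside the block vanishes together with
    its input. Kernels are never removed: that is the per-tx residue the thread mentions."""
    inputs = [c for tx in txs for c in tx["inputs"]]
    outputs = [c for tx in txs for c in tx["outputs"]]
    spent = set(inputs) & set(outputs)
    return {
        "inputs": [c for c in inputs if c not in spent],
        "outputs": [c for c in outputs if c not in spent],
        "kernels": [k for tx in txs for k in tx["kernels"]],
    }


def demo():
    """Constructed chain: genesis -> Alice pays Bob 60 (40 change) -> Bob pays Carol 60."""
    def rnd():
        return secrets.randbelow(N)

    genesis, bob60, alice40, carol60 = (100, rnd()), (60, rnd()), (40, rnd()), (60, rnd())
    tx1 = make_tx([genesis], [bob60, alice40])
    tx2 = make_tx([bob60], [carol60])
    block = cut_through([tx1, tx2])
    return {
        "tx1_ok": verify(tx1),
        "tx2_ok": verify(tx2),
        "block_ok": verify(block),
        "utxos": len(block["outputs"]),    # 2: alice40 and carol60; bob60 was cut through
        "inputs": len(block["inputs"]),    # 1: only genesis is still consumed
        "kernels": len(block["kernels"]),  # 2: one per transaction, never pruned
    }


if __name__ == "__main__":
    print(demo())
```

The block still verifies after Bob's intermediate output is gone, because removing the same commitment from both sides of the balance equation leaves it intact; a transaction that tries to create amount out of nothing fails `verify` because its kernel cannot absorb the surplus on the amount generator.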

This was released recently https://medium.com/@CryptoProfG/grin-money-explained-4-explo...

— Exploring Grin’s Monetary Model: Grin’s monetary model gives it medium of exchange and store of value features; community, demand and usage have to do the rest

Check out the charts at the bottom BTC USD gold & Grin various comparisons

If it doesn't allow people to speculate (no ICO, no mining), how would people be interested to use it? (bootstrapping)

Note: I don't know anything about blockchain.

It isn't that there is no mining, they stated that there is no pre-mining, so no mining before the tech is released. This is a regular hype technique used by shit coins in the past (ditto to the ico method).

They have a mining tool that runs on OSX and Linux 64 on their GitHub.

The premise is that they want it to be an actual currency as opposed to a glorified stock option.

Yeah, it is a pipe-dream. To be useful you need to be able to buy/sell it - which means going to exchanges. Once you are on exchanges you are a volatile asset or a "glorified stock option" and part of an unregulated gambling platform.

Exchanges are not just to gamble. Imagine you start using MimbleWimble in your daily life: e.g. you're a freelancer and you decide you want to get paid in Grin. At some point you will need to convert your Grin to fiat currency just to do some typical purchases that are usually not possible to pay with crypto (e.g. rent? groceries?). For this, you need an exchange. It's not gambling, it's a temporary necessity.

Yeah yeah yeah, how can you be on a crypto exchange and not be a gambling asset? And what is this "temporary" remark? As I said - it is a pipe dream.

> Imagine you start using MimbleWimble

With that name, nope, never.

MimbleWimble is a protocol, not a coin. Grin, though I'd still say it's a bit funny sounding, is acceptable. The backstory of how it was released and why it's called MimbleWimble is pretty cool.

Grins are mined by finding 42-cycles in random bipartite graphs with billions of nodes.

So many people have it all figured out for "why cryptocurrencies fail" but your question is exactly why bitcoin and crypto succeed.


People fill threads up with reasons why they think bitcoin and cryptos fail even when year after year their opinions are proven wrong by the market.

> Grin has no amounts and no addresses.

So how do I pay somebody?

It looks like you'll have to transfer a few files back and forth manually (sneakernet style).

Alternatively it looks like you can expose your wallet over HTTP and others can send tokens to your API endpoint.


Payments are interactive like credit cards. They require that either both parties are online or that there is some hosted bulletin board that will hold transactions data until you come online.

Credit cards have addresses and they aren't online. Simply knowing the number on a card is sufficient to withdraw from it.

My understanding of how Credit cards work:

1. Alice has a secret called a credit card number.

2. To pay Bob she shares this secret with Bob.

3. Bob then contacts the credit card company and asks to transfer funds from Alice's account to Bob's account. This is authorized using the secret that Alice gave to Bob.

If Bob, or some party acting on his behalf, cannot receive this secret from Alice, Bob can't get paid by Alice. As you point out, if Alice gives the credit card secret to Bob, Bob can withdraw funds from Alice's account while she is offline. This is exactly the same in Mimblewimble. If you give a third party your Mimblewimble secret, that third party would be granted the ability to withdraw your funds while you are offline.

Internet transactions, right now, yup.

'normal', customer-present transactions are more involved. They involve Bob sending a set of transaction data to Alice's card, which the card then signs with an embedded private key, so that Bob can't just keep asking for more.

Unless you still use magnetic stripes. I'm looking at you USA...

This is exactly the same as bitcoin and addresses but in reverse. Also a lot less secure

Using something like wallet713 & grinbox, it becomes simple, see demo here: https://github.com/vault713/wallet713

(Disclosure: I work on the project.)

Out of interest I built the client, and ran `grin` and it says "mainnet not ready yet - use floonet". Does that mean it's in some kind of "test mode" where the "grins" are not real? How do things change over to mainnet?

Mainnet launch is Jan 15. Testnet mode until the genesis block is mined.

Is floonet testnet?

Yes, floonet is the testnet.

As many other things in Grin (the name itself derives from http://harrypotter.wikia.com/wiki/Gringotts_Wizarding_Bank), the testnet name is Harry Potter inspired: http://harrypotter.wikia.com/wiki/Floo_Network

As far as I understood, the transactions must be built interactively between sender and receiver. This would mean that you could only send grin to people who are online. Is this correct? And if so, is this going to change?

That isn't correct, but it's an easy conclusion to draw.

What this means is that both parties must participate in a transaction. With Bitcoin, and hence with most blockchains, you can send to an address; that address can be a cold wallet, or could not exist at all, in which case your cybercoins are gone.

With MimbleWimble both parties must participate (interact) to form a transaction, but this can happen asynchronously.

In other words, both parties must be online, but not necessarily at the same time.

Without having a semantic debate, I think the point is that since there are no static addresses, parties cannot send money in a one-way transaction. Every transaction must have a handshake. Those two people could be in person, or online, but they don't need to be connected to the grin network until either wants to post the transaction.

> you can send to an address; that address can be a cold wallet, or could not exist at all

I don't think this is accurate since the other party must participate.

I think you probably missed the beginning of that sentence, which was contrasting e.g. Bitcoin with the MimbleWimble approach.

The difference between 'both parties must be online at the same time' (true of, say, a phone call) and 'both parties must participate, even if it's during different weeks' is a substantive difference, I only wished to indicate that MW requires the latter, not the former.

> This would mean that you could only send grin to people how are online. Is this correct?

No. interactive != online. You can exchange information over any comms method, i.e. email, carrier pigeon, message in a bottle, or... Grinbox: a federated transaction relay specifically designed to facilitate grin transaction building. It supports asynchronous message delivery. (Disclosure: I'm part of the team building it.)

Best way to try it out in action is via https://github.com/vault713/wallet713

An update on what else we're up to https://medium.com/vault713/hello-from-vault713-6f7b01d9abec

I can't really see how it's better than Monero. From their website:

Monero uses ring signatures, ring confidential transactions, and stealth addresses to obfuscate the origins, amounts, and destinations of all transactions.

My understanding, which may be incorrect:

The "anonymity set" of a monero transaction is just the number of fake values created in it. This is a fairly small number. If you're willing to put the effort in, you can trace all of them.

For MW, the anonymity set is either "all users of system" (if you don't believe in a global network observer) or "all users of system who exchanged parameters in a given set".

In addition to this, Monero has the same "linearly growing blockchain history" scaling problem that bitcoin does. fluffypony has floated the idea of a mimblewimble sidechain for Monero.

Grin is less private but more scalable.

Grin is differently private. I wouldn't say it's less private. The fact that you can submit a truncated set of transactions can in some cases provide far more privacy than Monero.

Much more scalable than Monero, as you do not need to store the blockchain, only the UTXO set.

(Shameless plug:) Those of you who care to follow the project can subscribe to https://grinnews.substack.com for weekly updates.

The two main reasons imo why Grin is important are not only the privacy, which is well covered here, but also the on-chain scaling implications.

We won't know till it's actually used, but there could be orders of magnitude greater on chain scalability for this BTC while retaining proof of work...

This is a major accomplishment and both Grin and Beam are major steps forward for crypto.

"We won't know till it's actually used" - haha, which in crypto world means NEVER

There is some discussion on their forum on how to set the appropriate difficulty for the genesis block, and how to estimate the number of miners that will be around at the beginning. Good reading: https://www.grin-forum.org/t/genesis-block-message/250

More up-to-date discussion at https://github.com/mimblewimble/grin/issues/2121

One thing I don't see from the mainpage, who is the actual intended audience that will facilitate adoption?

All I see is 'everyone' and well that's rather vague.

What's the actual value statement other than anonymity? Because being more efficient at the same thing seems of marginal value if the same thing does not have significant demand otherwise...

Because it is cool cryptography! Grin isn't a company. In this case it seems better to build something like this and see who uses it rather than attempting to convince strangers on the internet that they need it for X, Y, and Z reasons.

Thanks for the clarification, it does seem to have some interesting potential if a good use case arises

It was sarcasm

I really don't understand many people's view on cryptocurrency. It looks like they think anonymity is the most important feature of cryptocurrency. This is ridiculous. There is already too much anonymity in fiat. The principle of cryptocurrency should be the contrary: transparency.

Money with no real privacy is not money, it's a tool of oppression. Any state actor, warlord or a powerful entity can enforce their will if the ledger can be visibly connected to real people. Making you a slave to any system they want to create. A person with no real freedom. Taking into consideration the totalitarian direction the world is headed (US, China, etc.), I don't see how having a more transparent form of money is a good thing for the ordinary people.

Without anonymity, any transactions you make can be linked across time, giving any onlookers a clear history of your financial habits. Would you be okay with having your bank history plastered across the web for anyone to see?

Also, even if you don't care for your personal privacy, anonymity is important for fungibility of the currency. Cash is mostly fungible, whereas something like Bitcoin might not be in the future.

> Would you be okay with having your bank history plastered across the web for anyone to see?

I used to think the answer to this question was obviously "no", but then Venmo happened, and I learned that some people like the 'social network' feature of it.

Which I find appalling, but tastes differ, I guess.

People have different needs for privacy.

For example, you don't want your colleagues learning how much you earn, nor does your employer. In a centralized banking system there is a level of privacy because the employer trusts the bank won't divulge the information because they have legal requirements and a reputation. When you take away the central party, now everyone can learn what everyone else gets paid. Without an equivalent level of privacy, very few people will ever consider using Bitcoin for payroll.

People also do not want their lives monitored so they can be sold advertisements or be forced to behave in certain ways by their peers. It's none of an employer's business what their employees spend their money on after they have been paid for work. Increasingly, we are seeing some employers make judgements about the people they pay because they do not share the "correct" political thinking of the employer. The whole thing is becoming absurd.

Transparency of the ledger is what is important. You need to know that somebody didn't make money out of thin air, or double-spend. If you can do this while keeping the actual transaction data private, most people would rather have private transactions if given the choice.

Fiat doesn't have a great deal of anonymity from law enforcement. For most people, nearly everything but small transactions can be known. Even cash can be traced from ATM->Person->Shop->Bank. The notes have unique ID codes, and the biggest denomination of note (say, a $100 bill) usually goes straight from bank to bank with only the 2 people between the transaction, because these are not issued directly as change. You can be sure the bank makes a record of every note and who withdrew/deposited it. Moving large amounts of money through the fiat system is extremely difficult, unless you're a bank. The banks have a monopoly on the ability to launder large amounts of money, and they certainly make use of it!

> you don't want your colleagues learning how much you earn

Public servants have their salaries public in many parts of the world. There is something to be said for transparency.

Some places even have all tax information public so this information is accessible on literally everyone.

> Law enforcement

And 6000 data brokers.

The issue with cryptocurrency is it's twitter for your bank account. Everything you do is public to everyone. Imagine there was a database where given the serial number on a $20 bill, you could look up everywhere it's been (and watch where it goes).

That's cryptocurrency. The database is the blockchain. Anonymity is essential to make sure anyone, including your boss or ex boyfriend, cannot stalk you with your payments. Once we ensure that (i.e. we get the privacy of the existing banking system), then we can talk about what the gov should and shouldn't see.

IMNSHO cryptocurrency is not about transparency or privacy, it's about avoiding counterparty-risk.

Exactly - like cash. It's cash for the internet.

Agree. But as an invention, the main duty of cryptocurrency should be to fix the shortcomings of fiat. The main shortcoming of fiat is that it is opaque.

Fungibility is fundamental to money.

One dollar should have the same value as any other dollar.

If I had to verify every dollar I accepted wasn't used in illegal activities, it would undermine the fundamental principle of equal value units. The coins linked to the WannaCry hack are now less valuable because they're blocked by several exchanges; if you're unlucky enough to accept those coins then you're stuck with coin that is accepted in a lot fewer places.

There's a reason why the "gold standard" was in a soft metal that could be easily reshaped and melted to fit standardised units and didn't corrode or "break", lowering its value, and not in diamonds or gems, where each crystal has a unique collection of properties, and thus market values. Imagine having to have an assessor on standby to check the value of every one of your customers' gems or bitcoins.

It's also fundamental that you should be able to go to a local coffee shop every day without the threat of being mugged by someone who saw your bitcoin wallet amounts, and your tx sending money to the coffeeshop enter the tx pool just as you buy a coffee.

I disagree, the main issue of fiat is centralization (which means single point of issuance and third-party intervention). Bitcoin solves both beautifully.

Centralization is not so bad. In fact, most fiat currencies are better than most cryptocurrencies.


It depends on the purpose of the information. It can be anonymous when privacy is important, and public when it needs total transparency.

Having never heard of "mimblewimble" before, I thought I was going to see a parody cryptocoin riffing on how oversaturated the market is combined with how ridiculous some buzzwords are.

How does Grin protect against double spend? What keeps two valid transactions spending the same coins from both being accepted?

Like Bitcoin, Grin checks that inputs are in the UTXO set, and removes them from this set. Beyond that, a double spend would also invalidate the check that sum of coinbases equals sum of UTXO.

The coins are public but with a hidden monetary value. When you spend one you explicitly identify it and include it in a transaction that produces a new coin. After they are broadcast there are ways of compressing individual transactions together, but this doesn't change the double spend protections.

Ok, it's a first implementation of mimblewimble, but we're still talking about MINING/PoW.. That's a pity

Looks like it uses some of the same techniques as Monero. (Confidential Transactions, no amount, no address)

It's mathematically different from Monero, and is thought to be significantly more secure. It also has some very interesting properties like allowing the blockchain to be represented in a totally different way, using only a tiny amount of data.

It is not thought to be significantly more secure. It runs on the same cryptographic assumptions as monero, but with a de novo implementation that hasn’t received very much review.

It's thought to be less susceptible to traceability analysis than Monero.

[1] https://arxiv.org/pdf/1704.04299/

[2] https://eprint.iacr.org/2017/338.pdf

Fundamentally incompatible with anything resembling AML, no? North Koreans rejoice!

Kind of like physical cash - which is what crypto is. It's odd that people think any form of cash would "conform to AML" - an impossible requirement for anything decentralized.

It's like saying tires don't conform to speed limits.

You have to move physical cash. And they have dogs at airports just for finding it.

amazing how you keep avoiding to talk about the other mw implementations. simply amazing.

How does one get mainnet grin?

You can't until the release on Jan 15th

Mainnet launch is Jan 15.

Can anyone please tl;dr what's so special about Grin and how it achieves that?

It may scale really, really well: "The state a given node in a MimbleWimble blockchain needs to maintain is very small (on the order of a few gigabytes for a bitcoin-sized blockchain, and potentially optimizable to a few hundreds of megabytes)."


Also, anonymous transactions.

Downside: you cannot "send coins to an address" as in bitcoin, you must have interaction with the other party to create a transaction.

It's worth expanding on that downside: the interaction can be asynchronous, it's not a requirement that the two parties be online at the "same time" or even in the same week.

In other words, less of a downside than it may seem, but it is a real shortcoming since it precludes sending to the equivalent of a cold wallet.

How would an asynchronous transaction work? If you're posting your side of the transaction publicly, doesn't that expose you to a MITM or spoofing attack?

No, the handshake requires the two public keys engaging in the transaction, no one else can complete it.

They can be MITMed by an attacker spoofing the identity, but this is no different from a MITM inserting a different BTC address into a communication stream.

Doesn't this just mean adoption is easily farmed out to various communication protocols that do it better? (Signal, Whatsapp, Telegram, Threema). Basically handing them a ready-made drop-in cryptocurrency system ?

Hurts anonymity if you have to do peer to peer transfers of the file, plus you have issues around resending/etc. (payments are somewhat different from other messages). Even with IM-based exchange, I'd probably use something else and then pass a message instead.

The wallet already supports interacting through keybase.

Any regular centralized system doesn't need any of this, they can do just fine with mature, stable, very well understood and crazy fast RDBM systems.

How does that work in practice?

Do payments take place over a tcp connection? How do you find your payment peer?

The wallet exposes an interface that allows different 'plugins' to be implemented. Right now you can exchange slates (the transaction data) via http, file or keybase. It is possible to build plugins that use any communication channel (Telegram, Signal, email etc)

Anonymous transactions, small block chain (scales with number of unspent outputs, not transactions), achieved by commutative and associative properties of addition over Elliptic Curve Cryptography.

Grin gives strong anonymity guarantees but maintains most of the other public verification properties of a traditional blockchain like Bitcoin. It also includes some cool scalability optimizations to the Bitcoin-style of blockchain.

Anonymity is maintained with a cool trick called a blinding factor, where a secret value is drummed up for each transaction and used to obfuscate the data that is publicly displayed on the blockchain. Combining that with range proofs allows all involved parties to verify that the transaction was completed for the specified amount, and that no money was created out of thin air.

Scalability is boosted with transaction cut-through - a neat trick that lets unnecessary “intermediate” transactions get eliminated when a miner assembles a block. This means that nodes on the network can store the entire chain state really efficiently because all you need to know are the total coins in circulation, the UTXO set, and the kernels for each transaction.

I can’t do the whole thing justice in this tl;dr, so read the technical explanation here for more info if it piques your interest:
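The blinding factors, kernels and cut-through described in this tl;dr, together with the earlier answers on double spends (inputs must be in the UTXO set, and the sum of coinbases must equal the sum of the UTXO set) and on spent outputs cancelling out, can be seen working in the following toy. It is an added example, not code from Grin, vault713 or any commenter. It swaps Grin's elliptic curve for a prime-order subgroup modulo a constructed 64-bit safe prime, so points become integers and point addition becomes multiplication; the generators G and H, the blinding factors and the amounts are all constructed, range proofs and fees are left out, and one party holds every secret instead of the two-party slate exchange:

```python
"""Toy MimbleWimble ledger: homomorphic commitments, kernels, cut-through.
Added example, not Grin's code. Curve points are replaced by a prime-order
subgroup of Z_P^* written multiplicatively (a sum of commitments becomes a
product); P, Q, G, H are constructed toy parameters, far too small to be
secure. Range proofs and fees are omitted."""
import hashlib
import math
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):  # deterministic Miller-Rabin, valid for n < 3.3e24 (plenty for 64 bits)
    if n < 41:
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

Q = 2**63 + 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P = 2 * Q + 1  # safe prime: every square mod P has prime order Q

def _gen(label):  # nothing-up-my-sleeve generator: hash, then square into the subgroup
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)

G, H = _gen(b"toy-G"), _gen(b"toy-H")  # log_H(G) assumed unknown to everyone

def _hash_q(*parts):
    h = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def commit(value, blind):
    """Pedersen commitment G^value * H^blind: hides value, homomorphic in both."""
    return pow(G, value, P) * pow(H, blind % Q, P) % P

def kernel_sign(excess_blind, excess, msg):
    """Schnorr proof that `excess` is a pure power of H, i.e. carries no amount."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(H, k, P)
    return R, (k + _hash_q(R, excess, msg) * excess_blind) % Q

def kernel_verify(excess, sig, msg):
    R, s = sig
    return pow(H, s, P) == R * pow(excess, _hash_q(R, excess, msg), P) % P

def build_tx(inputs, outputs, minted=0, msg="tx"):
    """inputs/outputs are (value, blind) pairs; `minted` is a coinbase reward.
    Real MW builds this interactively (the receiver adds its own blind and
    signature share); here one party holds every secret. Amounts are not
    checked on purpose: an unbalanced tx leaves a G term in the excess and
    kernel_verify rejects it. That is the 'no coins from thin air' rule."""
    in_c = [commit(v, r) for v, r in inputs]
    out_c = [commit(v, r) for v, r in outputs]
    excess_blind = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % Q
    excess = math.prod(out_c) * pow(math.prod(in_c) * pow(G, minted, P), P - 2, P) % P
    return {"inputs": in_c, "outputs": out_c,
            "kernels": [(excess, kernel_sign(excess_blind, excess, msg), minted, msg)]}

def cut_through(txs):
    """Merge txs: a commitment that is one tx's output and another's input cancels
    out of both lists. Every kernel is kept, so the merged tx still balances."""
    ins = [c for t in txs for c in t["inputs"]]
    outs = [c for t in txs for c in t["outputs"]]
    both = set(ins) & set(outs)
    return {"inputs": [c for c in ins if c not in both],
            "outputs": [c for c in outs if c not in both],
            "kernels": [k for t in txs for k in t["kernels"]]}

class Ledger:
    """Node state after cut-through: only the UTXO set, kernels and supply."""
    def __init__(self):
        self.utxo, self.kernels, self.supply = set(), [], 0

    def apply(self, tx):
        for excess, sig, minted, msg in tx["kernels"]:
            if not kernel_verify(excess, sig, msg):
                raise ValueError("kernel invalid: amounts do not balance")
        spent = set()
        for c in tx["inputs"]:  # double-spend rule: each input is an unspent output, used once
            if c not in self.utxo or c in spent:
                raise ValueError("input is not an unspent output")
            spent.add(c)
        self.utxo = (self.utxo - spent) | set(tx["outputs"])
        self.kernels += [k[0] for k in tx["kernels"]]
        self.supply += sum(k[2] for k in tx["kernels"])

    def verify_state(self):
        """prod(UTXO) == G^supply * prod(kernel excesses), however many spent
        outputs were discarded: this is why cut-through loses no verifiability."""
        return math.prod(self.utxo) % P == pow(G, self.supply, P) * math.prod(self.kernels) % P
```

Run end to end with constructed values: a coinbase mints 50 toy coins for Alice, Alice pays Bob 30 with 20 change, and Bob forwards the 30 to Carol. `cut_through` on the two spends drops Bob's intermediate output from both the input and output lists, yet `Ledger.verify_state` still holds because all three kernels were kept. Re-spending Alice's coinbase output is refused by the UTXO check, and a transaction whose outputs exceed its inputs is refused by kernel verification, because the surplus amount sits on G and the builder can only sign under H.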


Grin hides the transaction amount and provides some transaction relationship obfuscation depending on how powerful your adversary is. I think Grin is cool and I'm very supportive of it, but much more work needs to be done to understand the anonymity provided especially against active attacks.

"Without censorship or restrictions."

Great so fraud is a built in feature.

I call censorship and unrestricted control over my funds a form of fraud :)
