What is Mimblewimble and how does it work, what are Grin and Beam and should you invest in these new technologies or not?


Mimblewimble (MW) is on everyone’s lips right now, but only very few really understand how the technology works. This is always dangerous, especially if you invest your hard-earned money in something. Here I’d like to explain Mimblewimble in a simple way, show you the differences between Beam and Grin, and help you decide if it’s worth investing or not. I will not make this too technical, but keep it simple. In the crashcourse cryptography series, I really go deep into the cryptographic details ( https://www.youtube.com/playlist?list=PLjwO-iVuY1v1kxWtOsqKEuXDB4ijXSHIk). So much in advance: MW has long been something that thrills me deeply, because it is a new approach to old problems – but let’s take a deeper look. And one more thing, just because I’m talking about MW does not mean that I do not like other privacy coins like Monero – quite the contrary.

What is Mimblewimble?

MW is a new protocol for creating a censorship-resistant digital money system that offers 100% privacy.

What problem does Mimblewimble solve?

If you compare MW with Bitcoin, Monero or other Privacy Coins, you see:

Bitcoin: 100% transparency, entire blockchain visible

Monero: Top Cryptography (I also talk about it in my crashcourse cryptography) – but MW allows for much better storage.

How does a new protocol work?

For a transaction in Bitcoin, you have to know the following:

  1. From (Public address signed with Sender Private Key)
  2. To (public address)
  3. Number (UTXO – Unspent Transaction Output)

Bitcoin does not have an account system, but a UTXO system (unlike, for example, Ethereum). If you compare this with banknotes, then each bill would be a UTXO. If you get 1 x 1 Dollar bill, 1 x 10 Dollars and 1 x 100 Dollars, you can, without knowing how much you have in total (111 Dollars), simply look at the bills received and spend them. You know that you can spend 1 x 1 Dollars, 1 x 10 Dollars, 1 x 100 Dollars again. In Bitcoin they are called Unspent Transaction Outputs. If you use them, they are “Spent”. A wallet does nothing else in Bitcoin other than represent the grand total, by adding together all the UTXOs associated with your private keys. Ethereum, uses an account system where UTXOs are not added together, but the account balances are updated with each block as a new “state”. Of course you can divide UTXOs with digital money , which you can not do with a 1 Dollar bill. A UTXO can be divided into smaller parts – cutting a bill into two, would not work.

Bitcoin saves the entire history of all froms and tos. This update history is called a blockchain. It is growing steadily in size and will be just under 200 GB at the beginning of 2019. In addition, a list of all UTXOs will is stored to make it easier for Nodes to ascertain whether a transaction uses a valid UTXO or not. This list currently contains around 50 million UTXOs in Bitcoin and is about 3 GB in size.


The reason why all this is stored in Bitcoin and most other cryptocurrencies is because it can relatively well guarantee the following three things:

  1. Nobody can create coins out of thin air
  2. Only the recipient can also send his coins
  3. No double-spending possible

However, if you manage the three things differently, you do not need the entire history (ie the blockchain), and above all else you have three enormous advantages:

  1. Complete privacy, because no transparency exists anymore.
  2. Fungibility of coins. Each coin is the same as another.
  3. Better scaling, since only about 2% of the data needs to be saved (actually it is a bit more, because of range proofs – more on that soon).

Monero and other Privacy Coins solve this in their own ways. In August 2016, a new proposal came along in a similar mysterious way as Bitcoin in 2008. This new protocol is much more memory-efficient than any other coin till now (though I’d like to point out that Monero’s Beryllium Bullets have become enormously efficient and I am a fan of Monero.) This new protocol is called Mimblewimble.

The story about Mimblewimble:

●        In August 2016, an anonymous user named Tom Elvis Jedusor, which is the real name of Voldemort in the French translation of the Harry Potter series, posted a white paper into a Bitcoin Developer IRC Chat: https://scalingbitcoin.org/papers/mimblewimble.txt

●        First, everyone was skeptical and ignored the paper. But Andrew Poelstra, a core developer at Blockstream, took the time to look at it and was thrilled about the new approach. He posted his analysis in a new white paper in October 2016: https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf In addition, he made a few lectures, which you can see for example here: https: / /www.youtube.com/watch?v=aHTRlbCaUyM

●        The name Mimblewimble comes from a spell in the Harry Potter series known as the “Tongue Twister” that leaves its victim speechless.

●        It is important to mention here that similar to Bitcoin, Mimblewimble did not create anything new, but combined already existing concepts such as OWAS (One-Way Aggregate Signatures), Confidential Transactions (CTs) and CoinJoin (CJ) , which were already described by Bitcoin Core Developers years ago. We will discuss some of them in a simplified way.

●        Initially it was still thought that you can upgrade Bitcoin with MW, but this is not so easy due to the lack of a scripting language in MW – so it is more likely to integrate MW as a sidechain.

●        MW is therefore to be understood as a protocol – the implementation of which is currently being attempted by two projects: Grin and Beam – but more on that later.

Mimblewimble Cryptography ELI5:

As I said, here we go to ELI5 “Explain it like I am 5”, the mathematically detailed variant will be discussed in crashcourse cryptography ( https://www.youtube.com/playlist?list=PLjwO-iVuY1v1kxWtOsqKEuXDB4ijXSHIk). Unlike other protocols, Mimblewimble has NO addresses – because there is no blockchain either. You can not see any transaction amounts. If you look at a Mimblewimble Tx, an unknown person sends an unknown amount of coins to another unknown person. And the whole MUST work like that:

  1. No new coins can be created, although outsiders can not see how much has been sent.
  2. Clearly, the new stranger must be the only one who can send his coins, and no one else – without an outsider seeing who it is.
  3. Nevertheless, no double spend may occur and nobody is allowed to create coins.

Probably you are like: Whaaaaatttt? Mind Blown, right? 🙂 Anyone who hears this for the first time will probably wonder how this could possibly work. Three concepts allow this for MW to happen:

  1. CoinJoin
  2. Confidential Transactions
  3. Dandelion

Let’s talk about all three in a simplified way.

Coin Join:

A Mimblewimble transaction needs three things:

  1. Sender private key = From – but secret.
  2. Recipient private key = To – but secret.
  3. UTXO of the sender = number of coins – but secret.

By the sender signing the Tx, a Tx hash results. Instead of integrating this single hash into a blockchain like Bitcoin does, it is coinJoin-ed at MW (a concept defined by Gregory Maxwell and similar to Schnorr signature: https://bitcointalk.org/index. php? topic = 279249 ) with other Tx hashes. By multiplying them to a MW block, which is called CoinJoin, a Tx can be clearly demonstrated to exist within a block, the back-calculation from the block to a Tx is not possible however. This gives MW a scaling advantage: instead of storing all the Tx hashes in a block, all you have to do is save the final hash. This reduces used space by a lotl

Next it has to be solved, how everything from sender, receiver and amount remains secret to an outsider.

Confidential Transactions

Confidential Transactions work on the basis of Pederson Commitments: http://diyhpl.us/wiki/transcripts/gmaxwell-confidential-transactions/ In simple terms, things can be deleted if they result in 0. As an example, it is not important for outsiders to know how many coins have actually been sent, but rather it is important to know that NO NEW coins have been created. Mathematically simplified, one can say:

Old UTXO minus New UTXO must be 0. So no coins were destroyed or created.

Taking this simpler in mathematics, one can say that it is not even important for an outsider to know who the receiver and sender are, as long as they know it themselves.

This works through a Blinding Factor, which obscures the appearance to the outside, but allows everyone who knows the Blinding Factor, to know the transaction.

In simple terms, a Tx ID, which corresponds to a number, is created by the transaction described in CoinJoin. However, you can only create the number if the inputs are equal to the outputs (ie no coins have been created or destroyed) and if you know the blinding factor. For example, at A x B = 119, you have to know in a simplified way what A and B are. There is only one solution. You have to play around here for a long time: 7 x 17 = 119. If you manage to calculate the numbers correctly for MW, outsiders can assume that no coins have been created and the sender has actually been allowed to send the coins without them to know details.

Anyone who has paid attention, however, will notice that theoretically it would have been possible to multiply 1 x 119. So certain numbers may not be used in MW. Therefore Rangeproofs are needed. One has to prove via mathematical calculations that you have NOT used certain numbers, otherwise you could cheat. Without Range Proofs, for example, one could say:

Old UTXO: 5

New UTXO-A: 10

New UTXO-B: -5

An outsider does not see the individual UTXOs, he only sees: That the old UTXOs (5) are the same size as the new ones (10-5 = 5), even though new (1×10) coins were created. Range proofs are so incredibly important to MW, because this is the only way to make sure that everything is done correctly without knowing the details from the outside.

Extra credit:

To go in this a bit deeper without getting really complicated, one can imagine that one must be able to calculate the following:

(A + UTXO old – UTXO new) x B = 119

If I know A and B, I can only solve the equation by UTXO old and UTXO being the same size – because then the two cancel each other out and I have:

(A + 0) x B = 119

And I can solve A x B = 119. But this is Extra Credit – we’ll be deepening this in the cryptography crash course.

Once a UTXO is spent, you no longer need to save it at MW. It is enough to save the new UTXOs. This is a huge difference from traditional blockchains, where the entire history is stored. This allows an enormous saving of space to about 2% of its size. However, since the rangeproofs have to be saved too, the MW Blockchain is about 5% as big as Bitcoin.

How is Double Spend prevented? Since the history is not stored at MW, but only the current state of UTXOs, the parties who transact with each other must be online to ensure that a UTXO is not used twice. This would be quite impractical and so the wallets take this over in the MW protocols. The third method to increase privacy at MW is Dandelion.


Dandelion will be discussed only briefly. Dandelion allows for outsiders not to see who sends a Tx to the network by delaying Tx forwarding. This is not really a cryptographic problem, but rather a network problem. One can think of it as if a transaction is blown away from the sender like a dandelion is blown apart. Some parts fly faster, some slower. It is therefore not clear to an outsider who sent what to whom.

These are all great benefits, but what about the downsides?

MW disadvantages:

  1. MW does not have a scripting language like Bitcoin does. That means logic (Lightning, etc.) is not that easy to integrate. However, people at Blockstream are working on things like scriptless scripts. This is also a hurdle to integrate MW directly with BTC.
  2. Theoretically, participants must be online at the same time in a transaction to sign everything and avoid double spending. However, wallets solve this in a simple way.
  3. Range proofs are extremely expensive to calculate. That will not change.
  4. From a regulatory point of view, MW, like all other privacy coins, will always be questionable. What are complete privacy coins used for? This is a topic that I discuss in “Cryptocurrencies Explained Simply”: https://amzn.to/2DCoHhe   
  5. At MW you have to fully trust its difficult cryptography. There is no auditing possible because everything stays secret and there is no blockchain history.
  6. New technologies always make it difficult for exchanges and wallets to integrate and use them. This brings us to the next point: MW is only the protocol, so the mathematical idea – the implementation of which then happens via projects – of which there are currently (early 2019) two.

Grin Vs. Beam:

startedQ4 2016 / Q1 2017Q1 2018
backgroundCommunity project started by Ignotus Peverell (Unknown pseudonym from Harry Potter)Israeli company
financingCommunityPart of the Mining Rewards
Philosophy comparison“Linux”“Apple / Microsoft”
programming languageRustC ++
LaunchSecond, shortly after Beam.First: early 2019
MiningAsic resistant: Cuckoo CycleAsic resistant: Equihash
CapNo capCap at 263m coins

Investing – Yes or No – And in what ?:

As with any coin, you have to ask yourself the following three questions:

  1. Is there a clear use case that solves a real-world problem?
  2. How good is the UX (usability) – how good are the wallets, etc.
  3. How big is the network – the value of most coins correlates with the actual network (users, exchanges, applications, etc …)

Much of this depends on the team and that is completely contrary in the two: Community work with Grin Vs. Company work with Beam. From today’s point of view, one can not make a clear statement here, even though Beam is currently slightly ahead. So, if you want to invest in MW and you do not have a definite opinion which one is better here, invest in both coins.

One important point, however: both coins have mining from scratch – meaning there is currently an enormous inflation. The mining reward goes down exponentially as in BTC, but especially at the beginning, there can be quite a high selling pressure.

I have bought some of both coins and I see this as a long-term safeguard against strong regulation towards Bitcoin. What you do – you have to decide for yourself. Let me know in the comments below!

Do you have any questions? Something unclear? Feedback? Or just a “thank you”? I’m always looking forward to your comment.

Please share this article so more people understand MW and give me a thumbs up.

Furthermore, if you do not follow me on social media yet, here are the main channels:

Twitter: http://twitter.com/julianhosp

Instagram: http://instagram.com/julianhosp

YouTube: http://youtube.com/julianhosp

DE Facebook: http://facebook.com/groups/kryptoganzeinfach

EN Facebook: http://facebook.com/groups/cryptofit

If you’re new to cryptocurrency, read my book “Cryptocurrencies Explained Simply”: https://amzn.to/2DCoHhe

Until next time,


Dr. Julian Hosp (www.julianhosp.com) is a world renown blockchain expert. He co-founded a Singapore based company that has received over 100M USD in funding. Prior Julian was a 10-year professional athlete and a medical doctor.

He is the author of several bestsellers such as „Cryptocurrencies simply explained” and “Blockchain 2.0 – more than just Bitcoin”, which have been translated into 15 languages and has sold over 100,000 copies: www.cryptofit.community

He was named one of the world’s top Blockchain and Cryptocurrency experts and also works in blockchain groups with the European Union on topics such as regulation, social impact and economics.

As a Speaker of the Washington Speakers Bureau, he is frequently invited to global tech and entrepreneur events as well as government summits around the world and he is also a regular commentator in the media on current blockchain trends, the future of cryptocurrency and best practices.