Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble

  • Georg Fuchsbauer
  • Michele Orrù
  • Yannick Seurin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11476)


Mimblewimble is an electronic cash system proposed by an anonymous author in 2016. It combines several privacy-enhancing techniques initially envisioned for Bitcoin, such as Confidential Transactions (Maxwell, 2015), non-interactive merging of transactions (Saxena, Misra, Dhar, 2014), and cut-through of transaction inputs and outputs (Maxwell, 2013). As a remarkable consequence, coins can be deleted once they have been spent while maintaining public verifiability of the ledger, which is not possible in Bitcoin. This results in tremendous space savings for the ledger and efficiency gains for new users, who must verify their view of the system.

In this paper, we provide a provable-security analysis for Mimblewimble. We give a precise syntax and formal security definitions for an abstraction of Mimblewimble that we call an aggregate cash system. We then formally prove the security of Mimblewimble in this definitional framework. Our results imply in particular that two natural instantiations (with Pedersen commitments and Schnorr or BLS signatures) are provably secure against inflation and coin theft under standard assumptions.
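The following Python example is added here to make the mechanics described in the abstract concrete; it is not the paper's code and not the code of any Mimblewimble implementation. It instantiates Pedersen commitments over secp256k1 (the curve choice, the hashed-to-curve second generator H, and the names make_tx, verify_tx, aggregate and the "supply" field are this example's own assumptions, not the paper's syntax), signs each transaction's kernel excess with a Schnorr signature, merges two transactions non-interactively, applies cut-through to the coin spent inside the merge, and shows that the public verifier still accepts the merged transaction without ever seeing a blinding factor. It also shows the failure mode the balance equation alone does not cover: without range proofs (the Bulletproofs of [BBB+18]) an output value can wrap around modulo the group order.

```python
import hashlib
import secrets
from functools import reduce

# secp256k1 parameters (standard constants; using this curve is the example's own choice).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc, k = None, k % N  # double-and-add; scalars live in Z_N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(tag):
    """Try-and-increment hash-to-curve (valid since P = 3 mod 4), so nobody knows log_G(H)."""
    for i in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([i])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no curve point found")

H = hash_to_point(b"example-second-generator")  # constructed tag for this example

def commit(v, r):
    """Pedersen commitment C = v*H + r*G: hides v, binding under the DL assumption."""
    return add(mul(v, H), mul(r, G))

def challenge(R, X, msg):
    enc = b"".join(p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big") for p in (R, X))
    return int.from_bytes(hashlib.sha256(enc + msg).digest(), "big") % N

def schnorr_sign(x, msg):
    k = secrets.randbelow(N - 1) + 1
    R, X = mul(k, G), mul(x, G)
    return (R, (k + challenge(R, X, msg) * x) % N)

def schnorr_verify(X, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, X, msg), X))

def make_tx(inputs, outputs, supply=0):
    """Build a transaction from (value, blinding) pairs; the excess x is the signing key,
    so spending requires knowing the blinding factors of the inputs."""
    x = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % N
    return {"inputs": [commit(v, r) for v, r in inputs],
            "outputs": [commit(v, r) for v, r in outputs],
            "supply": supply, "kernels": [(mul(x, G), schnorr_sign(x, b""))]}

def verify_tx(tx):
    """Public check: sum(outputs) == sum(inputs) + supply*H + sum(excesses), each excess signed."""
    rhs = reduce(add, tx["inputs"] + [mul(tx["supply"], H)] + [X for X, _ in tx["kernels"]], None)
    sigs_ok = all(schnorr_verify(X, b"", s) for X, s in tx["kernels"])
    return reduce(add, tx["outputs"], None) == rhs and sigs_ok

def aggregate(tx1, tx2):
    """Non-interactive merge, then cut-through: a commitment that is an output of one
    transaction and an input of the other cancels and is dropped from the ledger."""
    ins, outs = tx1["inputs"] + tx2["inputs"], tx1["outputs"] + tx2["outputs"]
    for c in list(outs):
        if c in ins:
            ins.remove(c)
            outs.remove(c)
    return {"inputs": ins, "outputs": outs, "supply": tx1["supply"] + tx2["supply"],
            "kernels": tx1["kernels"] + tx2["kernels"]}

def blind():
    return secrets.randbelow(N - 1) + 1

def demo():
    r_a = blind()  # mint 50 to A, then A pays 30 to B and 20 to C
    mint = make_tx([], [(50, r_a)], supply=50)
    spend = make_tx([(50, r_a)], [(30, blind()), (20, blind())])
    agg = aggregate(mint, spend)  # cut-through removes A's minted coin entirely
    return (verify_tx(mint), verify_tx(spend), verify_tx(agg),
            len(agg["inputs"]), len(agg["outputs"]))

def balance_checks():
    """(inflating 50 into 60 is rejected, a -10 output wrapping mod N passes without range proofs)."""
    return (not verify_tx(make_tx([(50, blind())], [(60, blind())])),
            verify_tx(make_tx([(50, blind())], [(60, blind()), (-10, blind())])))
```

Running demo() returns (True, True, True, 0, 2): both individual transactions and the merged one verify, and after cut-through the merged transaction has no inputs and only B's and C's outputs, so the minted coin never needs to be stored. balance_checks() returns (True, True): the homomorphic balance equation rejects plain inflation, but it accepts a wrapped negative value, which is exactly why every output must carry a range proof in a deployed system.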


Keywords: Mimblewimble, Bitcoin, Commitments, Aggregate signatures



The first author is supported by the French ANR EfTrEC project (ANR-16-CE39-0002) and the MSR-Inria Joint Centre. The second author is supported by ERC grant 639554 (project aSCEND).


  1. [AKR+13] Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in Bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013)
  2. [Bac13] Back, A.: Bitcoins with homomorphic value (validatable but encrypted), October 2013. BitcoinTalk post
  3. [BBB+18] Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S&P 2018, pp. 315–334 (2018)
  4. [BBSU12] Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better—how to make Bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012)
  5. [BCG+14] Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: S&P 2014, pp. 459–474 (2014)
  6. [BCJ08] Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: ACM CCS 2008, pp. 449–458 (2008)
  7. [BGLS03] Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
  8. [BLS01] Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
  9. [BNM+14] Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J.A., Felten, E.W.: Mixcoin: anonymity for Bitcoin with accountable mixes. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 486–504. Springer, Heidelberg (2014)
  10. [BNN07] Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007)
  11. [DDO+01] De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001)
  12. [FOS18] Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of Mimblewimble. Cryptology ePrint Archive, Report 2018/1039 (2018)
  13. [GCKG14] Gervais, A., Capkun, S., Karame, G.O., Gruber, D.: On the privacy provisions of bloom filters in lightweight Bitcoin clients. In: ACSAC 2014, pp. 326–335 (2014)
  14. [Gro06] Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)
  15. [HAB+17] Heilman, E., Alshenibr, L., Baldimtsi, F., Scafuro, A., Goldberg, S.: TumbleBit: an untrusted Bitcoin-compatible anonymous payment hub. In: NDSS (2017)
  16. [Jed16]
  17. [KKM14] Koshy, P., Koshy, D., McDaniel, P.: An analysis of anonymity in Bitcoin using P2P network traffic. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 469–485. Springer, Heidelberg (2014)
  18. [LMRS04] Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004)
  19. [Max13a] Maxwell, G.: CoinJoin: Bitcoin privacy for the real world, August 2013. BitcoinTalk post
  20. [Max13b] Maxwell, G.: Transaction cut-through, August 2013. BitcoinTalk post
  21. [Max15] Maxwell, G.: Confidential Transactions (2015)
  22. [MGGR13] Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed E-cash from Bitcoin. In: S&P 2013, pp. 397–411 (2013)
  23. [MPJ+13] Meiklejohn, S., et al.: A fistful of Bitcoins: characterizing payments among men with no names. In: Internet Measurement Conference, IMC 2013, pp. 127–140 (2013)
  24. [Nak08] Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008)
  25. [Ped92] Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)
  26. [Poe16]
  27. [PS96] Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)
  28. [RMK14] Ruffing, T., Moreno-Sanchez, P., Kate, A.: CoinShuffle: practical decentralized coin mixing for Bitcoin. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 345–364. Springer, Cham (2014)
  29. [RS13] Ron, D., Shamir, A.: Quantitative analysis of the full Bitcoin transaction graph. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013)
  30. [RTRS18] Ruffing, T., Thyagarajan, S.A., Ronge, V., Schröder, D.: Burning zerocoins for fun and for profit: a cryptographic denial-of-spending attack on the zerocoin protocol. IACR Cryptology ePrint Archive, Report 2018/612 (2018)
  31. [Sch91] Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  32. [SMD14] Saxena, A., Misra, J., Dhar, A.: Increasing anonymity in Bitcoin. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014. LNCS, vol. 8438, pp. 122–139. Springer, Heidelberg (2014)
  33. [SZ16] Sompolinsky, Y., Zohar, A.: Bitcoin’s security model revisited (2016). Manuscript
  34. [vS13] van Saberhagen, N.: CryptoNote v 2.0 (2013). Manuscript

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Georg Fuchsbauer (1, 2)
  • Michele Orrù (1, 2)
  • Yannick Seurin (3)
  1. Inria, Paris, France
  2. École normale supérieure, CNRS, PSL, Paris, France
  3. ANSSI, Paris, France
