
Towards a Formally Verified Implementation of the MimbleWimble Cryptocurrency Protocol

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12418)


MimbleWimble is a privacy-oriented cryptocurrency technology which provides security and scalability properties that distinguish it from other protocols of its kind. We present and briefly discuss those properties and outline the basis of a model-driven verification approach to address the certification of the correctness of an implementation of the protocol.


  • Cryptocurrency
  • MimbleWimble
  • Idealized model
  • Formal verification
  • Security

  • DOI: 10.1007/978-3-030-61638-0_1
  • Chapter length: 21 pages


  1. The methodology proposed in this work also applies to the Beam implementation:

  2. For simplicity, fees are left aside.

  3. When dealing with global states, \(valid\_state\) is validChain.

  4. Given a state s, a transaction t and an error code ec, \({ ErrorMsg (s,t,ec)}\) holds iff error ec is an acceptable response when the execution of t is requested on state s.

  5.

  6. From now on we will refer to the Pîrlea and Sergey model simply as PS.


  1. Anderson, J.: Computer Security technology planning study. Technical report, Deputy for Command and Management System, USA (1972)

  2. Barthe, G., Dupressoir, F., Grégoire, B., Kunz, C., Schmidt, B., Strub, P.-Y.: EasyCrypt: a tutorial. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2012-2013. LNCS, vol. 8604, pp. 146–166. Springer, Cham (2014).

  3. Bartzia, E.-I., Strub, P.-Y.: A formal library for elliptic curves in the coq proof assistant. In: Klein, G., Gamboa, R. (eds.) ITP 2014. LNCS, vol. 8558, pp. 77–92. Springer, Cham (2014).

  4. Bell, D.E., LaPadula, L.J.: Secure computer systems: Mathematical foundations. Technical report MTR-2547, vol. 1, MITRE Corp., Bedford, MA (1973)

  5. Bertot, Y., Castéran, P., Huet, G., Paulin-Mohring, C.: Interactive theorem proving and program development: Coq’Art: the calculus of inductive constructions. Texts in theoretical computer science. Springer, Berlin, New York (2004).

  6. Betarte, G., Cristiá, M., Luna, C., Silveira, A., Zanarini, D.: Set-based models for cryptocurrency software. CoRR, abs/1908.00591 (2019)

  7. Betarte, G., Cristiá, M., Luna, C., Silveira, A., Zanarini, D.: Towards a formally verified implementation of the mimblewimble cryptocurrency protocol. CoRR, abs/1907.01688 (2019)

  8. Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS 2016, pp. 91–96. ACM, New York (2016)

  9. Blanchet, B.: CryptoVerif: a computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl seminar “Formal Protocol Verification Applied”, October 2007

  10. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), 11–13 June 2001, Cape Breton, Nova Scotia, Canada, pp. 82–96. IEEE Computer Society (2001)

  11. Buterin, V.: Critical update re: Dao vulnerability, June 2016

  12. Cristiá, M., Rossi, G.: A decision procedure for restricted intensional sets. In: de Moura, L. (ed.) CADE 2017. LNCS (LNAI), vol. 10395, pp. 185–201. Springer, Cham (2017).

  13. Cristiá, M., Rossi, G.: Solving quantifier-free first-order constraints over finite sets and binary relations. J. Automated Reasoning 64, 295–330 (2019).

  14. Cristiá, M., Rossi, G., Frydman, C.: \(\{log\}\) as a test case generator for the test template framework. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) SEFM 2013. LNCS, vol. 8137, pp. 229–243. Springer, Heidelberg (2013).

  15. Dénès, M., Hritcu, C., Lampropoulos, L., Paraskevopoulou, Z., Pierce, B.: Quickchick: Property-based testing for coq. In: The Coq Workshop (2014)

  16. Korsell, E., Mueller, P., Schumann, Y.: Spectrecoin, June 2019

  17. Fanti, G.C., et al.: Dandelion++: lightweight cryptocurrency networking with formal anonymity guarantees. CoRR, abs/1805.11060 (2018)

  18. Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of mimblewimble. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 657–689. Springer, Cham (2019).

  19. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015).

  20. Gibson, A.: An investigation into confidential transactions (2018).

  21. Grin Community. Grin: Open Research Problems (2020).

  22. Grin Team. Privacy Primer, November 2018.

  23. Grin Team. Dandelion++ in Grin: Privacy-Preserving Transaction Aggregation and Propagation, July 2019.

  24. Grishchenko, I., Maffei, M., Schneidewind, C.: A semantic framework for the security analysis of ethereum smart contracts. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 243–269. Springer, Cham (2018).

  25. Hirai, Y.: Defining the ethereum virtual machine for interactive theorem provers. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 520–535. Springer, Cham (2017).

  26. Miers, I.: Blockchain Privacy: Equal Parts Theory and Practice, February 2019.

  27. Idelberger, F., Governatori, G., Riveret, R., Sartor, G.: Evaluation of logic-based smart contracts for blockchain systems. In: Alferes, J.J.J., Bertossi, L., Governatori, G., Fodor, P., Roman, D. (eds.) RuleML 2016. LNCS, vol. 9718, pp. 167–183. Springer, Cham (2016).

  28. Jedusor, T.: Introduction to MimbleWimble and Grin (2016).

  29. Jedusor, T.: Mimblewimble (2016).

  30. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017).

  31. Letouzey, P.: A new extraction for coq. In: Geuvers, H., Wiedijk, F. (eds.) TYPES 2002. LNCS, vol. 2646, pp. 200–219. Springer, Heidelberg (2003).

  32. Luu, L., Chu, D., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Weippl, E., Katzenbeisser, S., Kruegel, C., Myers, A., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 254–269. ACM (2016)

  33. Maxwell, G.: Confidential transactions write up (2020).

  34. Metere, R., Dong, C.: Automated cryptographic analysis of the pedersen commitment scheme. In: Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V., Szczypiorski, K. (eds.) MMM-ACNS 2017. LNCS, vol. 10446, pp. 275–287. Springer, Cham (2017).

  35. Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system, March 2009. Cryptography Mailing list at

  36. Pîrlea, G., Sergey, I.: Mechanising blockchain consensus. In: Proceedings of CPP 2018, pp. 78–90. ACM, New York (2018)

  37. Poelstra, A.: Mimblewimble, October 2016.

  38. The Coq Dev. Team. The Coq Proof Assistant Reference Manual - V. 8.9.0 (2019)

  39. Venkatakrishnan, S.B., Fanti, G.C., Viswanath, P.: Dandelion: Redesigning the bitcoin network for anonymity. CoRR, abs/1701.04439 (2017)

  40. Wanseob-Lim. Ethereum 9 3/4: Send ERC20 privately using Mimblewimble and zk-SNARKs, September 2019.

  41. Wood, G.: Ethereum: A secure decentralised generalised transaction ledger eip-150 revision (759dccd - 2017-08-07) (2017). Accessed 03 Jan 2018


Corresponding author

Correspondence to Carlos Luna.



A Excerpt of a Z Model of a Consensus Protocol

The following are some snippets of a Z model of a consensus protocol based on the model developed by Pîrlea and Sergey [36]. For reasons of space we reproduce only a small part of it.

The time stamps used in the protocol are modeled as natural numbers. Then we have the type of addresses (Addr), the type of hashes (Hash), the type of proof objects (Proof) and the type of transactions (Tx). Unlike Pîrlea and Sergey’s model (footnote 6), we modeled addresses as a given type instead of as natural numbers. In PS the only condition required for these types is that they come equipped with equality, which is the case in Z.

figure a

The block data structure is a record with three fields: prev, which (usually) points to the parent block; txs, which stores the sequence of transactions in the block; and pf, a proof object required to validate the block.

figure b

The local state space of a participating network node is given by three state variables: as, the addresses of the peers this node is aware of; bf, a block forest (not shown) which records the minted and received blocks; and tp, a set of received transactions which will eventually be included in minted blocks.

figure c

The system configuration is represented by two state variables: Delta, which establishes a mapping between network addresses and the corresponding node (local) states (in PS this variable is referred to as the global state); and P, a set of packets (which represent the messages exchanged by nodes).

figure d

Packets are just tuples of two addresses (origin and destination) and a message.

figure e

The model has twelve state transitions divided into two groups: local and global. Local transitions are those executed by network nodes, while global transitions promote local transitions to the network level. In turn, the local transitions are grouped into receiving and internal transitions. Receiving transitions model the nodes receiving messages from other nodes and, possibly, sending out new messages; internal transitions model the execution of instructions run by each node when some local condition is met. Here, we show only the local, receiving transition named RcvAddr.

figure f

As can be seen, RcvAddr receives a packet (p?) and sends out a set of packets (ps!). The node checks whether or not the packet’s destination address coincides with its own address. In that case, the node adds the received addresses to its local state and sends out a set of packets that are either of the form \((p?.2,a,ConnectMsg)\) or \((p?.2,a,AddrMsg~as')\). The former are packets generated from the received addresses and sent to the new peers the node now knows, while the latter are messages telling its already known peers that it has learned of new peers.

B Excerpt of a \(\{log\}\) Prototype of a Consensus Protocol

In this section we show the \(\{log\}\) code corresponding to the Z model presented in Appendix A. \(\{log\}\) code can be seen as both a formula and a program [13]. Thus, in this case we use the code as a prototype or executable model of the Z model. The intention is twofold: to show that passing from a Z specification to a \(\{log\}\) program is rather easy, and to show how a \(\{log\}\) program can be used as a prototype. The first point is achieved mainly because \(\{log\}\) provides the usual Boolean connectives and most of the set and relational operators available in Z. Hence, it is quite natural to encode a Z specification as a \(\{log\}\) program.

Given that \(\{log\}\) is based on Prolog its programs resemble Prolog programs. The \(\{log\}\) encoding of RcvAddr is the following:

figure g

As can be seen, rcvAddr is a clause receiving the before state (LocState), the input variable (P), the output variable (Ps) and the after state (LocState_). As in Prolog, \(\{log\}\) programs are based on unification with the addition of set unification. In this sense, a statement such as LocState = [as,As]/Rest (set) unifies the parameter received with a set term singling out the state variable needed in this case (As) and the rest of the variables (Rest). The same is done with packet P where _ means any value as first component and addrMsg(Asm) gets the set of addresses received in the packet without introducing an existential quantifier.

The set comprehensions used in the Z specification are implemented with \(\{log\}\)’s so-called Restricted Intensional Sets (RIS) [12]. A RIS is interpreted as a set comprehension where the control variable ranges over a finite set (D and As).

Given rcvAddr we can perform simulations on \(\{log\}\) such as:

figure h

in which case \(\{log\}\) returns:

figure i

That is, \(\{log\}\) binds values for all the free variables in a way that the formula is satisfied (if it is satisfiable at all). In this way we can trace the execution of the protocol w.r.t. states and outputs by starting from a given state (e.g. S) and input values (e.g. |[_,this,addrMsg(a1,a2)]), and chaining states throughout the execution of the state transitions included in the simulation (e.g. S1 and S2).
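
The RcvAddr transition of Appendix A and the chained simulation described above can also be exercised as a small executable model. The following Python sketch is an added example, not the paper's Z or \(\{log\}\) code: it assumes the node's own address is held in the local state, that a packet addressed elsewhere leaves the state unchanged with no output, and that known peers are sent the updated address set even when nothing new was learned; the sample addresses are constructed.

```python
from dataclasses import dataclass

CONNECT = ("ConnectMsg",)            # message constructors named as on the page

def addr_msg(addrs):
    return ("AddrMsg", frozenset(addrs))

@dataclass(frozen=True)
class LocState:
    this: str          # assumption: the node's own address is part of its state
    peers: frozenset   # the state variable `as`; bf and tp are not touched here

def rcv_addr(s, p):
    """Return (after_state, ps) for input packet p = (origin, destination, msg)."""
    _origin, dest, msg = p
    # Assumption: a packet for another node, or one that is not an AddrMsg,
    # leaves the state unchanged and sends nothing.
    if dest != s.this or msg[0] != "AddrMsg":
        return s, frozenset()
    new = msg[1] - s.peers                      # addresses not known before
    after = LocState(s.this, s.peers | new)
    connects = {(s.this, a, CONNECT) for a in new}
    # Assumption: known peers are told the updated set even if `new` is empty.
    gossip = {(s.this, a, addr_msg(after.peers)) for a in s.peers}
    return after, frozenset(connects | gossip)

def holds_invariants(before, after, ps):
    """Properties one would state about RcvAddr, checked on one step."""
    return (before.peers <= after.peers
            and all(o == before.this for o, _, _ in ps)
            and all((d in before.peers) == (m[0] == "AddrMsg") for _, d, m in ps))

def simulate(s, packets):
    """Chain rcv_addr over the inputs; return [(state, output), ...]."""
    trace = []
    for p in packets:
        nxt, ps = rcv_addr(s, p)
        assert holds_invariants(s, nxt, ps)
        trace.append((nxt, ps))
        s = nxt
    return trace

# Constructed sample run: S --p1--> S1 --p2--> S2
S = LocState("this", frozenset({"a0"}))
TRACE = simulate(S, [("x", "this", addr_msg({"a1", "a2"})),
                     ("a1", "this", addr_msg({"a2", "a3"}))])
```

Each entry of `TRACE` pairs an after state with the packets emitted in that step, so a property violated by a transition surfaces at the step that breaks it.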


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Betarte, G., Cristiá, M., Luna, C., Silveira, A., Zanarini, D. (2020). Towards a Formally Verified Implementation of the MimbleWimble Cryptocurrency Protocol. In: , et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science, vol 12418. Springer, Cham.


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61637-3

  • Online ISBN: 978-3-030-61638-0

  • eBook Packages: Computer Science (R0)