Response to Litecoin's Mimblewimble Extension Block proposal

Chris Dev

October 23, 2019

Earlier this week, The Litecoin foundation, announced two LIPs (Litecoin Improvement Proposals) which were co-written by Litecoin founder Charlie Lee . Both proposals relate to Mimblewimble. LIP-0002 and LIP-0003. While it's great that Mimblewimble is getting discussed more, we don't think these proposals are a viable approach and definitely don't think that Bitcoin should follow suit with this approach.

Before we talk about why this is not a good proposal, let's talk a little about what extension blocks are. Extension blocks are a sidechain-like layer in which miners add additional transactions that are not counted as part of the main-chain blocks in Litecoin. They have been discussed for years and have been mentioned in the context of Mimblewimble as well. Most of the discussion in this article will apply directly to Sidechains as well and this is applicable since Monero has implemented a sidechain version of Mimblewimble called TARI. To make it simple, you can kind of think of sidechains or extension blocks as a separate blockchain that runs in parallel with the mainchain that users can send coins into and out of with a one to one peg. This separate blockchain can have its own set of rules that are different from the mainchain as in this proposal where the extension blocks implement a Mimblewimble protocol.

To understand why this proposal doesn't do anything to improve Litecoin, you first have to take a step back and try to understand what use cases cryptocurrencies fulfill. While, there have been many ideas marketed throughout the cryptocurrency space like Etheruem - the world computer, or Ripple - real time settlement network for banks, the only thing Bitcoin is actually being used for is an immutable ledger (or money). So, every proposal to Bitcoin (and Litecoin which fulfills a role as Bitcoin's testnet) should be looked at with that use case in mind. The question should be asked: does this proposal make Litecoin a better money? The answer in this case is undeniably "no".

The reason we say that is because, as we have mentioned in numerous articles, the reason that Mimblewimble is a better blockchain protocol is because it has superior properties of money to legacy blockchain protocols. Specifically it has better fungibility and portability (aka scalability) than legacy blockchains. The improved fungibility is achieved by removing addresses and amounts from the protocol all together. There is no opt-in privacy about it. Everything is private. No one can tell the difference between two outputs by looking at the publicly available data on the blockchain so no blacklisting is possible. The improved portability is achieved through the fact that old transactions can be deleted, unlike in legacy blockchains. This results in a smaller amount of data required to validate transactions (analysis shows about a 3 to 1 rate of compression or more would be expected in Bitcoin). This will result directly in lower fees (cheaper transaction fees means it's more easy to transact - aka more portable) with the same level of decentralization. So, why won't this extension blocks version of Mimblewimble make Litecoin (or Bitcoin) a better money? Because an extension block implementation is by definition opt-in. Even the first paragraph in the LIP states, "Users can opt-in to using MW by moving their coins in and out of the EB through an integrating transaction." This is similar to the way Zcash works, except since it will be even more difficult to use than Zcash, which allows the use of two different transaction types from within the wallet. So, we should expect the usage of this Mimblewimble extension block to be less than Zcash which has an extremely low level of usage of private addresses, as of 2018 only about 0.36% of zcash transactions were fully private. In addition, most of the amounts that go into the extension block will be low so since you can see the amounts going in and out, a large amount would stick out like a soar thumb.

In addition to not materially improving the fungibility of Litecoin, this proposal is likely to increase the amount of data required in initial block download because the extension blocks are required in addition to the mainchain's own blocks. In the expected state of full blocks (should Litecoin be used at capacity), extension blocks will be additional data required. So, Litecoin will actually be less scalable than before under this proposal.

So, if the goal is to make Litecoin a better money (or to test a proposal that would make Bitcoin a better money), we don't think this proposal will do that. Mimblewimble has the potential to make a blockchain a much better money, but it is a layer 1 technology. Unfortunately, there's no benefit to these layer 2 proposals that actually make a blockchain a worse money when put under scrutiny. We think over time, people will come to understand why we have said that Bitcoin will likely require a hard fork to implement Mimblewimble unless someone comes up with a way to incorporate Mimblewimble into the base layer of Bitcoin via soft fork. By the way, we don't think that it's beyond hope that a soft fork approach will be found as with Segwit, it was initially thought to require a hard fork, but developers came up with a proposal to do it as a soft fork. Maybe the same is possible with Mimblewimble? Extension blocks or sidechains are not the soft fork that we're talking about though. Any viable solution would need to allow for mandatory privacy at the base layer of the blockchain and allow for the deletion of old transactions on the main chain as Mimblewimble is designed.

If Litecoin wants to avoid a hard fork or a soft fork which makes Mimblewimble transactions mandatory at the base layer, they should probably consider other solutions that already exist in Bitcoin and Litecoin. For example, CoinJoin would be far simpler to implement (since there are already implementations for both Bitcoin and Litecoin) and work much better than this extension block proposal. Users can already mix coins in an opt-in way today.

So, in summary, I think Charlie Lee may be guilty of wanting to play with a really cool technology without thinking about how it affects or improves user experience. As an engineer, I understand the temptation to do that and I think if everyone does this analysis themselves, they will realize that Mimblewimble needs to be implemented at the base layer of a blockchain in order to achieve the benefits that it promises.

This is part of the goal of MWC. In a sense, we are taking the Bitcoin addresses that registered for the airdrop and giving them the corresponding Mimblewimble based coins in the new blockchain. Something similar could be done in any blockchain. Essentially the UTXOs of Bitcoin (or other blockchains) can always be installed into any other program including a Mimblewimble based blockchain. We are testing that out and maybe we'll learn something so that one day the entire Bitcoin UTXO set can be installed into a Mimblewimble based chain. Ultimately the market will always decide which chain has the highest value and UTXOs are portable, luckily. It's truly an exciting time and we're glad to be on the cutting edge and hope that others can learn from what we're doing.