| Authors | Jedusor, Tom Elvis |
|---|---|
| Year | 2016 |
| Project | Mimblewimble |
| License | Public Domain |
| Official Source | https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf |
This page is an educational summary and analysis of an official whitepaper or technical paper, written for reference purposes. It is not a verbatim reproduction. CryptoGloss does not claim authorship of the original work. All intellectual property rights remain with the original author(s). The official document is linked above.
“Mimblewimble” is a short (6-page) paper uploaded anonymously to a Bitcoin research IRC chat by the pseudonymous author Tom Elvis Jedusor (a French translation of Voldemort) on July 19, 2016. It proposes a radical redesign of the Bitcoin UTXO model using Confidential Transactions and a technique called cut-through to build a blockchain with:
- No addresses (transactions are negotiated interactively between sender and receiver)
- Hidden amounts (Pedersen commitments)
- A compact blockchain (spent UTXOs are prunable without affecting security)
The name Mimblewimble is a Harry Potter spell that ties a target’s tongue — metaphorically silencing the blockchain’s transaction data.
> PDF hosting: The original Mimblewimble paper is at download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf. The technical elaboration is Andrew Poelstra’s “Mimblewimble” at download.wpsoftware.net/bitcoin/wizardry/mimblewimble-orig.pdf.
Publication and Context
Tom Elvis Jedusor’s identity has never been established. After the paper appeared, Andrew Poelstra (Blockstream cryptographer) expanded the mathematical treatment in October 2016, making the Mimblewimble design more rigorous. Poelstra’s version clarified how Mimblewimble transactions achieve security without a scripting language.
Two projects implemented Mimblewimble in production:
- Grin (launched January 2019): Community-driven, no premine, no company
- Beam (launched January 2019): Company-backed, with a founder’s reward
Core Design: Confidential Transactions
Confidential Transactions (CT) were proposed by Adam Back in 2013 and formalized by Greg Maxwell using Pedersen commitments. A Pedersen commitment to a value v is:
$$C = r \cdot G + v \cdot H$$
where r is a blinding factor (a random secret) and G and H are two elliptic curve generator points with no known discrete-log relation between them. This commitment:
- Hides v (without knowing r, you cannot determine v from C)
- Is still additive: C1 + C2 = (r1+r2)·G + (v1+v2)·H
- Gives value conservation: if the input amounts equal the output amounts, the difference of the commitments carries no value (H) term, which proves no inflation occurred
A transaction is valid if:
$$\sum C_{\text{inputs}} - \sum C_{\text{outputs}} = 0 \pmod{\text{curve}}$$
No addresses appear, no individual amounts are visible — yet the network can verify no new money was created.
Transaction Cut-Through: Chain Compactness
The key innovation enabling Mimblewimble’s compactness:
In standard Bitcoin, once a UTXO is spent, it’s referenced in the next transaction’s inputs. Both the spent UTXO and the spending transaction remain in the chain forever.
In Mimblewimble, cut-through works as follows:
- If output A is created in transaction 1 and spent in transaction 2, both can be combined into a single merged transaction with A’s commitment canceling out
- Result: spent intermediate outputs are eliminated entirely
- The “body” of the blockchain can be summarized as just unspent outputs (UTXOs) + a compact set of kernel data (proof that equations balance)
This dramatically reduces blockchain size. A Mimblewimble chain that has processed thousands of transactions can be represented almost as compactly as its current UTXO set.
Range proofs: To prevent negative-value outputs (which would violate conservation), Mimblewimble includes Bulletproof range proofs — zero-knowledge proofs that v ≥ 0, without revealing v.
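As an added worked example (not code from the paper, Grin or Beam), here is a toy Python model of the two sections above: Pedersen commitments on secp256k1 with a hash-derived second generator H, the verifier's balance check, and cut-through merging two chained transactions so the intermediate output A disappears. It follows the paper's kernel design (the Kernels row below): each transaction carries an excess commitment, the difference of its blinding factors times G, which is why the sums balance to zero. The tag string, sample values and the hand-written curve arithmetic are constructed assumptions; range proofs and kernel signatures are omitted.

```python
import hashlib
# secp256k1 constants are real; the wallet/verifier logic around them is a constructed example
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; k is reduced mod the group order N (negatives allowed)
    acc = None
    for bit in bin(k % N)[2:]:
        acc = add(acc, acc)
        acc = add(acc, pt) if bit == "1" else acc
    return acc

def neg(pt):
    return (pt[0], -pt[1] % P)

def second_generator():  # nothing-up-my-sleeve H: nobody knows log_G(H), so C is binding
    for i in range(256):  # hash a constructed tag + counter until it is a valid x-coordinate
        x = int.from_bytes(hashlib.sha256(b"mw-toy-H" + bytes([i])).digest(), "big") % P
        rhs = (x ** 3 + 7) % P
        if pow(rhs, (P - 1) // 2, P) == 1:          # Euler criterion: rhs is a square
            return (x, pow(rhs, (P + 1) // 4, P))  # P = 3 mod 4, so this is sqrt(rhs)
H = second_generator()

def commit(r, v):  # Pedersen commitment C = r*G + v*H (r: blinding factor, v: amount)
    return add(mul(r, G), mul(v, H))

def verify(tx):  # verifier knows no r or v: sum(out) - sum(in) - sum(kernel excess) == 0
    total = None
    for p in tx["out"] + [neg(c) for c in tx["in"] + tx["kernels"]]:
        total = add(total, p)
    return total is None

def cut_through(tx1, tx2):  # tx2 spends tx1 outputs: matched commitments cancel, kernels stay
    spent = [c for c in tx1["out"] if c in tx2["in"]]
    return {"in": [c for c in tx1["in"] + tx2["in"] if c not in spent],
            "out": [c for c in tx1["out"] + tx2["out"] if c not in spent],
            "kernels": tx1["kernels"] + tx2["kernels"]}

# Constructed sample: coin I (50 units) -> A in tx1, then A -> B in tx2; each kernel = (r_out - r_in)*G
I, A, B = commit(11, 50), commit(29, 50), commit(7, 50)
tx1 = {"in": [I], "out": [A], "kernels": [mul(29 - 11, G)]}
tx2 = {"in": [A], "out": [B], "kernels": [mul(7 - 29, G)]}
merged = cut_through(tx1, tx2)  # A is gone: I -> B, and both kernels still balance
```

Changing the output in tx1 to commit(29, 51) makes verify() fail, which is the inflation check the network runs without ever seeing an amount.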
No Addresses
Mimblewimble has no addresses. Transactions are constructed through an interactive protocol:
- Sender proposes a transaction draft
- Receiver contributes their blinding factor (choosing their output commitment)
- Neither party can forge the other’s contribution
- The final transaction is broadcast to the network
This is a significant UX difference from Bitcoin/Ethereum — you cannot send to an address while the recipient is offline. Implementations use one-time payment addresses as workarounds.
Sections of the Original Paper
| Section | Content |
|---|---|
| Transactions | The CT-based transaction model; no addresses |
| Blocks | Cut-through applied to whole blocks |
| The Blockchain | Cut-through across the full chain history |
| Kernels | Per-transaction signature commitments |
| Summary | Privacy + scalability properties |
Reality Check
Mimblewimble’s privacy is meaningful but has limitations:
- Transaction graph leakage: A 2019 paper by Ivan Bogatyy demonstrated that by connecting to many Grin nodes simultaneously and watching transactions propagate before aggregation, ~96% of Grin transactions could be linked to specific IP addresses and de-anonymized. The CoinJoin-like aggregation only works after transactions reach the mempool.
- Interactive transactions: The requirement for both sender and receiver to be online to construct a transaction creates UX friction.
- No scripting: Mimblewimble cannot support arbitrary smart contracts; its expressiveness is limited to simple value transfers.
Legacy
Mimblewimble is a significant cryptographic achievement — it solved the “bloated blockchain” problem for private transactions elegantly. Bulletproofs (first deployed in Grin) have been adopted by Monero to replace its earlier range proof system, reducing Monero transaction sizes significantly. Scriptless scripts, a related concept from Andrew Poelstra, enable limited smart contract functionality within the Mimblewimble model.
Research
- Jedusor, T.E. (2016). Mimblewimble. download.wpsoftware.net.
— The 6-page original paper. Dense but readable; the cut-through and CT construction are in Sections 2–3.
- Poelstra, A. (2016). Mimblewimble (expanded). download.wpsoftware.net.
— Rigorous expansion of the cryptographic proofs; essential companion to the original.
- Bogatyy, I. (2019). Breaking Mimblewimble’s Privacy Model. Medium.
— Empirical demonstration of transaction graph linkability via node-level monitoring.