
People tend to forget Bitcoin is a monetary experiment where nobody controls the printer and the total supply over time converges to a certain value. There's no good reason not to try a different model of supply e.g. a supply function that emulates a clock. An asset like this could be named TIME and a coin could represent a second that passed in real life. Valuing time as money would make for an interesting experiment.


That's not the only difference. As tromp said, if someone figured out the discrete log of H, they could inflate Monero and nobody would be able to tell. If someone inflated Bitcoin, everyone would notice immediately.


The protocol you linked is noninteractive. The user simply creates an onion-based transaction and sends it to the service. The service collects these and creates a single joint transaction which includes your output.


If you're interested in a non-technical explanation of Mimblewimble, I tried to explain it through pictures here https://phyro.github.io/what-is-grin/mimblewimble.html


I read the whole thing, thanks for sharing.

One thing I didn’t understand… if the kernel set grows for every new utxo, then is it possible to match a previous utxo with a newly added utxo by repeatedly trying kernels until you find the one that works for the pair?


Every transaction comes with one (or sometimes multiple) kernels. It also comes with a scalar offset, that gets summed when merging transactions together, making it impossible to invert the merging (unless you saw the original txs, e.g. in the mempool).


Monero has some strong points, but it's actually LESS decentralized than Bitcoin. A Monero confidential transaction is 1.5kb while a Bitcoin transaction is only around 300 bytes. For the argument of decentralization, it doesn't matter that it doesn't blind the amounts or add decoy inputs, the 5x size of a transaction itself means that the chain is much bigger than Bitcoin under the same load which makes it less decentralized due to much higher storage requirements for a full node. It's also much slower to verify the history because of all the rangeproofs that need to be validated for all outputs that have been ever created.


It seems to me the threat model of Rust is a magnitude safer than that of Bitcoin under the assumption that Bitcoin was to become a global store of wealth. Toxicity acts as a shield to protect against social attacks from the big players which may try to, in some way, capture control of the network or influence its direction. And there are very good incentives to try and do that. It's also why it's important for the protocol to ossify over time and become even more conservative. Rust, as well as the vast majority of open source communities, doesn't really need these levels of toxicity to survive in the long run because the attack vectors aren't on the same level (although still very important to deflect attacks because there are other incentives in play). At least it seems to me to be this way, I'll gladly listen to a counter-argument.


There's also something to be said about extreme design simplicity and resilience to change. Bitcoin is already really good at this, but when the system design is so simple that any change looks invasive, it ossifies even sooner and makes changes even less likely. Removing opportunities for discussion (e.g. scripting support and opcode discussions) also removes opportunity for conflicts regarding a protocol feature. Simpler design may come at the cost of slightly less expressivity, but at the benefit of being naturally more resilient to change.


Thank you for sharing this! I wrote a much shorter article on why I believe Grin is the closest to "time is money" here https://phyro.github.io/what-is-grin/grin_emission.html

Bitcoin can be thought of as a clock, but the unit that is being transferred can't be thought of as time because for it to be mappable to time, you need a linear function and Bitcoin's emission is exponential because of the halvings.


For what it's worth, I agree with you that Grin's emission scheme is the 'correct' one.

The effect of adding one coin to a pool of coins, on a steady schedule, results in inflation along a logarithmic curve. Inflation is about how much money is created relative to how much exists, so the second minute of Grin is 100% inflation, the third minute is 66%, and so on.

Also, people lose their cybercoins. It might average out that Grin hits a steady state, or even deflates a bit, depending on how frequently people or corporations lose their keys, die without heirs, send to a nonexistent address, and so on.

But even without this, the mining reward remains consistent even as overall inflation becomes negligible. Inflation never stops, but it does hit a point where it may as well have.

Bitcoin, by contrast, is guaranteed to be deflationary, and in fact the property that everyone holding BTC gets a permanent bump in asset value every time a bit of the ledger is lost strikes me as... moderately hazardous to the health of those who hold large allocations of the ledger.

I don't think this has much bearing on the article though, just wanted to tip the hat to another Grin respecter.


It’s about the number of blocks though, not the amount of the mining block reward. I think you are conflating two different things.


I'm glad you mentioned this. Indeed, there are two different things. First is the linearity of blocks and the second is the linearity of the emission of units with which we transact. Bitcoin has the former, but does not have the latter. You can't unambiguously say "I'm going to buy an hour of Bitcoin" because this hour depends on _when_ you plan on buying them - the emission over any time interval (including one hour) changes over time due to the halvings. This is why I think coins with a constant emission (especially Grin where 1 coin is emitted every second) can bring to life the saying "time is money" because money becomes time. There is no difference between calling your 100 Grins "100 Seconds" and buying an hour of Grin. So yes, you're correct that the article talks about the "block time", but I think this can be pushed further where you not only have a global clock for events, but your unit of money is time itself.

P.S. I prefer thinking of a blockchain as a "drunk" clock, because of the variance that comes with the finding of a valid PoW. It might sway a bit left and right, but it mostly goes in the straight line in the end.


Thanks for linking the Grin article! Now you've sent me on a rabbit hole reading about different emission strategies and ideas. (I follow Beam development, so I love to read about both projects).

Doesn't the consistent emission of Grin depend upon the number of users and transactions also rising at the same consistent rate? Can we really count on that like we can count on the ticking of time?


Glad to hear that. In Grin, each block creates 60 coins. The time to mine a block is set to be 1 minute on average, so it will average out as 60 coins each minute and hence 1 coin per second. This won't be _exact_ of course due to the variance in block times so you definitely can't count on that - just like you can't count on Bitcoin getting exactly 24*6 blocks each day. But these systems are defined such that if the blocks start coming in too fast, they make them come slower and if they are coming in too slow, they make sure to make the puzzle easier to solve so the blocks can come faster. I think this follows the models they have well enough.


That does seem like a cool feature. It just requires a bit of a mindset change.

Compared with gold, yes you can estimate when new gold is unearthed, but at the same time, there is a theoretical limit to the total amount of gold in the ground, right?


I don't think Grin does this but you can adjust the emission schedule based on the clock time (Sia does) so that the number of total coins produced on a given date is within a very tight bound of its expected amount, regardless of how much the hashrate has changed.


How is Bitcoin's emission exponential? Isn't it a stepped linear emission?


It's inverse exponentially approaching the 21 million limit, which it can never reach [1].

[1] https://medium.com/amberdata/why-the-bitcoin-supply-will-nev...


It's a stepped linear emission that mimics an inverse exponential emission. You can even see it in that chart if you expand it. Between the halving periods the emission is constant.


If you zoom in enough, you won't see these exponential steps. If you were able to zoom out completely, you'd see _only_ the exponential function. Bitcoin's emission is an exponential function (dropping exponentially), the fact that there is some time period between these exponential steps does not make it non-exponential. This would have been obvious if the halvings were every 30 minutes, but it's much less obvious when the "in-between step interval" is 4 years.


The block subsidy is constant between halvings. And is thus a step function. But "emission" refers to cumulative block subsidies. And thus is piecewise linear, with 34 pieces of exponentially decreasing slope, the last one ending up flat.
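Added example, not part of any comment in this thread: a short Python model of the two emission schedules discussed above, showing the 34 linear pieces of Bitcoin's cumulative emission and why "an hour of coins" is a fixed quantity for Grin but depends on block height for Bitcoin. It assumes Bitcoin's consensus parameters (50 BTC initial subsidy, halving every 210,000 blocks, ten-minute target spacing) and the Grin figures quoted in the comments (60 coins per one-minute block); the function names are chosen here for illustration.

```python
# Added illustration, not code from the thread. Bitcoin constants are its
# consensus parameters; Grin figures are the ones quoted in the comments.
COIN = 100_000_000               # satoshis per bitcoin
HALVING_INTERVAL = 210_000       # blocks between halvings
INITIAL_SUBSIDY = 50 * COIN      # satoshis per block in the first era
GRIN_REWARD = 60                 # coins per one-minute block (from the thread)


def btc_subsidy(height):
    """Block subsidy in satoshis: a step function of height."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_SUBSIDY >> halvings


def btc_emission(height):
    """Cumulative satoshis issued by the first `height` blocks."""
    eras, rem = divmod(height, HALVING_INTERVAL)
    done = sum(HALVING_INTERVAL * (INITIAL_SUBSIDY >> k) for k in range(min(eras, 64)))
    return done + rem * btc_subsidy(height)


def btc_pieces():
    """(start_height, slope) of each linear piece, ending with the flat one."""
    pieces, era = [], 0
    while True:
        slope = btc_subsidy(era * HALVING_INTERVAL)
        pieces.append((era * HALVING_INTERVAL, slope))
        if slope == 0:
            return pieces
        era += 1


def btc_per_hour(height):
    """Satoshis emitted in one hour (6 ten-minute blocks) starting at height."""
    return btc_emission(height + 6) - btc_emission(height)


def grin_per_hour(height):
    """Coins emitted in one hour (60 one-minute blocks); independent of height."""
    return 60 * GRIN_REWARD


if __name__ == "__main__":
    pieces = btc_pieces()
    print(len(pieces), "pieces; flat from height", pieces[-1][0])
    print("BTC cap (satoshis):", btc_emission(pieces[-1][0]))
    for h in (0, 210_000, 840_000):
        print(h, btc_per_hour(h) / COIN, "BTC/hour vs", grin_per_hour(h), "grin/hour")
```

Integer right-shifting truncates the subsidy to whole satoshis, which is why the cumulative total stops just short of 21 million BTC.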


A little over a year ago I heard of a technology called Mimblewimble. I skimmed over some explanations and somewhat understood what it was trying to achieve. I've been in the space a few years and I've not been this excited about any other project in the space. It was without a doubt the single most interesting idea I've encountered. By far. I soon joined the community and continued learning about its inner workings. During the learning process, I soon realized that there are very few in the Grin community, and outside of it, that understand the underlying idea. This was surprising to me because unlike all the alternative technologies that aim to improve privacy, Mimblewimble, specifically the Grin implementation, was designed to be extremely simple. In fact, I'd argue that it's the only technology that has a simpler design than Bitcoin!

I'm convinced the idea stands out among all the other ideas in the space (at least the ones I've seen). It's very hard to find a design that fits this nicely together. A few days ago, I've decided to write a short series of posts that try to present the idea to the wider audience. In order to reach the average crypto Joe, I avoided talking about the underlying cryptographic primitives because they would only confuse people. They're also not important to understand the idea underneath.

Most privacy technologies make certain tradeoffs and Mimblewimble is one of them, but I promise you that if you take the time and try to understand it, you'll at the very least learn something new and appreciate the idea.

I hope you guys enjoy the read and if you find it interesting, consider joining the Grin communication channels.

https://phyro.github.io/what-is-grin/

Happy new year and all the best in 2021. Cheers!


Thanks for writing this; it definitely helped me understand MimbleWimble better. Unfortunately Grin looks fairly dead and scalability improvements in Zcash may eliminate Grin's remaining benefits.


You must be looking in the wrong places to think Grin is dead. Grin is about to undergo a significant upgrade in its 4th pre-planned hardfork [1] in about 2 weeks, has an active forum [2], and live chat groups [3] in addition to telegram and discord channels, and a weekly newsletter [4].

Meanwhile, Zcash is far from challenging Grin's benefits of lacking a mining tax (recently extended from the original 4 years to 8 years), having a simple long term viable emission, relying on far simpler and better understood cryptography, and an order of magnitude smaller chainsize for the same amount of transactions.

Not to mention that about 99% of all ZCash transactions lack any privacy, and still rely on a trusted setup to prevent hidden inflation.

It seems easier for Grin to reduce input-output linkability and thereby erode ZCash' single remaining benefit.

[1] https://forum.grin.mw/t/grin-v5-0-0-network-upgrade-hard-for...

[2] https://forum.grin.mw/

[3] https://keybase.io/team/grincoin

[4] https://grinnews.substack.com/


I'm glad you found it useful! I wouldn't say Grin is dead, the early years were designed to be tough on the price. There are definitely places where it can improve, especially in the usability. I know that Grin can do a few tricks e.g. accumulate the kernels into a single point after they have been validated, the caveat though is that this does not improve initial sync and a node doing so can't seed new nodes. But it allows for running a fully validating node on a mobile for many years.

Could you explain a bit the Zcash scalability improvements?

