Simple Money

Simple emission

1 coin per second forever. Simply fair. Simply disinflationary. Decentralize the wealth.

Simple block interval

One minute. 60 seconds. 60 coin subsidy.

Simple consensus

Proof of Work. Most cumulative difficulty wins.

Simple protocol

In (pure) Mimblewimble, outputs are Pedersen commitments r*G+v*H
combining value v and blinding factor r into a single curve point.
The blinding factor serves both to hide the value and to control ownership.

Simple audit

Σ unspent-outputs = Σ kernel + offset * G + height * 60e9 * H
Each kernel is a provable commitment to 0 (as is offset * G)
height * 60e9 is the expected number of nanocoins emitted in height blocks.

Simple PoW algorithm

Cuckatoo Cycle. Find a 42-cycle in a huge random graph. Instantly verifiable in 42 lines of code.

Simple Difficulty Adjustment

diff’ = diff * 4-hours / (4-hours - 60-seconds + last_block_time)

Simple mixing

CoinSwap can non-interactively mix thousands of self spends each day or hour.

Simple scripting

No scripts, aka scriptless scripts.
Supports nearly all Bitcoin script functionality, with none of the complexity:
multi-signatures, atomic swaps, discreet log contracts, bidirectional payment channels, etc.

Simple implementations

Small Rust and C++ codebases.

Simple security

Complexity is the enemy of security. Keep it simple to keep it secure.

Isn’t it simpler to say the audit is

Σ outputs - Σ inputs = Σ kernel + offset*G

where we add an artificial input that prints height * 60e9 coins from thin air? Then it becomes obvious that a chain audit and a transaction audit are the same thing.

Perhaps the fact that all transactions are an interactive multisig between all the participants is also simpler because there’s no logical branching. Though that’s on the wallet level.

P.S. I tried to compress some of this info grin_tldr.md · GitHub as I think it’d make a cool tshirt content

That becomes a little nontrivial to explain, if you want to describe both in one equation. In general, balancing a transaction is a lot easier than balancing the entire history, so I wanted to emphasize that even the latter is simple in Grin. If histories are balanced, then necessarily, transactions (essentially, their derivative) are as well.

Looking quickly at it, it seems the quotes may help with formatting. Here’s the difference:

code block

No scripts, aka scriptless scripts.
Supports nearly all Bitcoin script functionality, with none of the complexity
multi-signatures, atomic swaps, discreet log contracts, and bidirectional payment channels, etc.

quote block

No scripts, aka scriptless scripts.
Supports nearly all Bitcoin script functionality, with none of the complexity
multi-signatures, atomic swaps, discreet log contracts, and bidirectional payment channels, etc.

I thought multi-sig (as in multiple devices, not multiple parties) wasn’t possible in grin

Multiple wallets sharing the same seed (which is not called multi-sig) is possible, with some restrictions. E.g. they wouldn’t be able to share payment channels, or other things that require temporary wallet state. Signing a tx on one device that you initiated on another might not be supported. Or overlapping different txs, as both wallets might try to spend the same inputs (less of an issue with late locking).

I removed occurences of the name Grin, so as to make the text more suitable for posting on other forums, as I did for example at [1].
Hopefully this will intrigue people and they may be delighted to learn that such a wonderful thing already exists.

[1] Recipe for Simple Money

This is what most people think of when they think of “multi-sig”. For that reason, we should probably remove that or clarify the language a bit. Wouldn’t want to mislead.

If we are talking about both parties needing to approve a transaction before it completes, maybe there is a better term for that. Contract-based transfers to reduce mistakes?

I think you may have that mixed up trab. I believe multi sig in common usage refers to a wallet or transaction that requires multiple keys.

Correct, but didn’t Tromp just say that a multi-sig wallet is not possible with Grin right now? Or did I read that wrong?

You can do a multisig today on grin, in fact each transaction is a multisig (two keys sign each transaction, sender and receiver). Using the same seed on different devices has some limitations - because not everything is on-chain, eg. if you start SRS on device1 (first step) then you can’t simply decide to do the last step on device2 since device2 doesn’t have this “pending contract/transaction” (or whatever you want to call that) in its DB, so it won’t work (unless wallet would implement some “share” mechanism). So you can use multiple devices for on-chain stuff, but all steps of transaction building process must be done on the same device. Also if you do a transaction on device1 then you won’t have its payment proof on device2 (even if they both use the same seed because that’s “local” data, it’s not on the chain). What does a multi-sig wallet mean? You can do utxo’s which require multi-sig from different owners but in grin the current limitation is that you need to get all of the signatures (n of n), you can’t have 3 of 5 multi-sig for example.

The thing that is not possible is threshold multisig. Right now multisig exists, but all keys must participate in every transaction

Where did you get that idea? I’ve never even heard of that interpretation.

https://en.bitcoin.it/wiki/Multi-signature

Thank you!! Yes that is probably what I was thinking of.

That interpretation is right on the top of the page you just linked, no?

I’m not sure it will end up being decisive, but to me it is important. I really think that grin is the most fair (least scammy) cryptocurrency in existence. Happy to be here