Mimblewimble

Bitcoin allows a single UTXO to be spent to many distinct outputs, each associated with a different address. To spend a UTXO a user must provide a signature, or more precisely a scriptSig, that enables the transaction SCRIPT to evaluate to true [BMC+15]. Apart from the validity of the scriptSig, miners verify that the transaction spends previously unspent outputs, and that the sum of the inputs is greater than the sum of the outputs.

Jedusor [Jed16] realized that a Pedersen commitment to 0 can be viewed as a public key and that for a valid confidential transaction the difference between outputs, inputs and transaction fees must be 0.

A prover constructing a confidential transaction can therefore sign the transaction with the difference of the outputs and inputs as the public key. This small change removes the need for a scriptSig which greatly simplifies the structure of confidential transactions.

Poelstra [Poe] further refined and improved Mimblewimble and
showed that these improvements enable a greatly simplified blockchain in which all spent transactions can be pruned and new nodes can effciently validate the entire blockchain without downloading any old and spent transactions. Using aggregatable signatures, the blockchain can be compressed to a small subset of the block-headers as well as the remaining unspent transaction outputs and the accompanying range proofs. Mimblewimble also allows transactions to be aggregated before sending them to the blockchain.

A Mimblewimble blockchain only grows with the size of the UTXO set.

参考资料：
[1] 论文《Bulletproofs-Short Proofs for Confidential Transactions》