Litecoin Confidential Transactions Coming to Mobile Wallets

The litecoin development team continues to work on Litecoin MWEB which offers privacy and confidential transactions for litecoin payments. This upgrade also makes Litecoin fungible, which is a major downside of Bitcoin currently.

David, Loshan and Charlie Lee agreed on a design to support light client mobile wallets such as Cake Wallet, Exodus, Litewallet, etc. Currently, there is only one client that supports Litecoin MWEB and this is the Litecoin Core software. Many users keep their litecoin in self-custody hardware wallets like Trezor, Ledger and use mobile light client wallets for litecoin payments. Hence, the importance of getting Litecoin MWEB features integrated in these everyday usage wallets.

The team has proposed the following design outline for the Light clients:

1. Download and verify all headers for the longest chain. Headers can be requested from peers using getheaders messages, which will be returned in headers messages using the process described here 1.

2. Download and verify the HogEx transaction and MWEB header for the most recent block. This data can be requested using a getdata message with type MSG_MWEB_COMMITMENT, which will be returned in the following 3 messages:

• merkleblock - Contains the hash of the HogEx transaction, and enough to validate that it is the correct transaction according to the block’s tx merkle root.

• tx - The serialized HogEx transaction.

• mwebheader - The serialized MWEB header.

The light client shall validate that the hash of the HogEx transaction in the tx message matches the hash in the merkleblock message, and that it’s the last transaction committed to by the merkle root of the block. It shall then validate that the pubkey script of the first output contains the HogAddr, which shall consist of <OP_8><0x20> followed by the 32-byte hash of the MWEB header. Finally, it shall validate that the blake3 hash of the MWEB header matches the hash contained in the HogAddr.

3. Download and verify the UTXO leafset bitmap. The leafset can be requested using a getdata message with type MSG_MWEB_LEAFSET. Verify that the hash of the bitmap matches the leafset_root value in the MWEB header.

4. Download the compact UTXOs and PMMR parent hashes. These can be requested piecemeal from multiple peers in parallel using getmwebutxos messages. As compact UTXOs are downloaded and verified to belong to the longest chain, wallets can check to see if they own the outputs using the process described in LIP-0004 (Output Identification). Any UTXOs determined to not belong to the wallet may simply be discarded.

NOTE: A compact UTXO is an unspent MWEB output sans the rangeproof. When designing MWEB, we chose to hash them in a way where we would only need the hash of the rangeproof to verify the output hash, meaning light wallets can avoid downloading the nearly 1KB rangeproof for each UTXO.

The team will initiate a Litecoin Improvement Proposal (LIP) for review and then the work start on the P2P protocol changes necessary to support the design.

If you would like to follow along with the design and work along-side the development team please join the telegram channel here:

https://t.me/MWEB_Testnet