An Overview of Privacy in Cryptocurrencies
“I see privacy as a way to prevent signaling concerns from encompassing all of our activity, and creating spheres where we are free to optimize for our own happiness and just our own happiness, and not what other people think about us.” — Vitalik Buterin
It’s no secret that privacy is an important topic in cryptocurrencies these days. Neither companies nor individuals want to publish all of their information onto a public blockchain that can be arbitrarily read without any restrictions by one’s own government, foreign governments, family members, coworkers, or business competitors.
There’s currently lots of experimentation and research going into various approaches to privacy on blockchains, but we haven’t seen a comprehensive overview of the category. In this piece we’ll cover the latest experimentation and research in four areas of the privacy landscape: 1) privacy coins, 2) smart contract privacy, 3) privacy infrastructure, and 4) privacy research.
Privacy (or lack thereof) in Bitcoin
Bitcoin was originally developed as a pseudonymous cryptocurrency that maintained privacy as long as real-world identities couldn’t be linked to Bitcoin addresses. Due to the public nature of the Bitcoin blockchain, however, it quickly became clear that it was possible to identify individuals based on usage patterns of certain addresses and transactions. In addition, nodes leak their IP addresses when broadcasting transactions.
In 2013, Meiklejohn et. al. successfully identified clusters belonging to online wallets, merchants, and other service providers. Nowadays, services such as Chainalysis and Elliptic deanonymize blockchains to detect money laundering, fraud, and compliance violations.
In response to the erosion of Bitcoin privacy, tumbler services, such as CoinJoin, were created to improve anonymity in Bitcoin. In CoinJoin, users jointly create transactions that permute ownership of their coins, making each user anonymous within a set. This process is then repeated among different users to grow the anonymity set. Tumbler services have historically been used by criminals to mix identifiable Bitcoin with other funds in order to obscure the trail back to the fund’s original source.
Yet CoinJoin has its flaws. The privacy of CoinJoin relies of the anonymity set being huge. But in practice there are only 2–4 participants on average per CoinJoin transaction, and thus researchers were able to deanonymize 67% of CoinJoin transactions. Later improvements upon CoinJoin inspired the design of better cryptocurrency tumblers such as TumbleBit, but TumbleBit has limitations as well.
Privacy Coins
Given the lack of privacy in Bitcoin and no immediate plans to improve its privacy at the protocol level, several new cryptocurrencies have emerged to support private transactions.
Zcash is built by a strong team of academic cryptographers using zk-SNARKs. The original groundbreaking idea of zero-knowledge proofs was developed in 1985 by Goldwasser, Micali, and Rackoff. zk-SNARKs, developed by Eli Ben-Sasson et al. in 2015, is an improvement on zero-knowledge proofs by enabling someone to succinctly and non-interactively prove that he/she knows something without revealing what the information is. zk-SNARKs provide the technical underpinning for many privacy-related projects and can also compact the size of blockchains using a technique called recursive composition.
Currently the Zcash team is working on Sapling, a performance upgrade to the network that will improve the performance and functionality of shielded (encrypted) transactions, and is scheduled to activate in October 2018. Sending shielded transactions is computationally expensive given that roughly 85% of Zcash transactions are still sent in the clear, so Sapling will hopefully increase the number of shielded transactions.
Monero is another privacy coin that uses ring signatures instead of zk-SNARKs. Currently the Monero team is building Kovri to enable privacy-preserving packet routing so that users can hide their geographical locations and IP addresses. Anonymizing users’ network traffic will greatly increase the security of the Monero network and protect users from being arrested or physically harmed for using Monero.
Zcash and Monero are often compared to each other. Both communities are led by big Twitter personalities — Zooko Wilcox for Zcash and Riccardo “fluffypony” Spagni for Monero — but unlike how Zcash is backed by a company and a foundation, Monero only has an organic community of core developers. Both projects even had flaws in their anonymity that have since been fixed — researchers were able to associate 69% of Zcash shielded transactions with founders/miners as well as deanonymize 62% of all Monero transactions.
Yet both projects are fundamentally taking very different approaches to privacy with different sets of tradeoffs, and so far there hasn’t been a clear case for why one project will win over the other in the long-term. In my view Zcash and Monero will continue to coexist like Coke and Pepsi.
Mimblewimble is a new privacy-focused blockchain project that is based on Bitcoin’s design. On July 19, 2016, “Tom Elvis Jedusor” dropped the whitepaper into a Bitcoin research channel and disappeared. Later, “Ignotus Peverell” started a Github project called Grin and began turning the Mimblewimble paper into a real implementation. Andrew Poelstra of Blockstream presented the work at the 2017 Stanford BPASE Conference, after which Grin began getting lots of mainstream attention. Grin’s third testnet has been released, and the mainnet is expected to debut in early 2019.
Mimblewimble/Grin is an improvement upon confidential transactions and CoinJoin from Bitcoin. Key features include no public addresses, complete privacy, and a compact blockchain. There has been a lot of excitement around Grin mining lately since Grin coins, like Bitcoin, can only be created through PoW mining. Grin uses the Cuckoo Cycle PoW algorithm, which was originally designed to be ASIC-resistant but is now considered to be ASIC-friendly.
Overall, Grin combines the social features that make Bitcoin so powerful — anonymous founder, leaderless development team, PoW consensus, no ICO, no on-chain governance — with technical improvements over Zcash and Monero. Unlike Bitcoin, Grin’s overall supply is unlimited and its monetary policy is a linear supply schedule, meaning that inflation is very high early on but gradually approaches (without reaching) zero over time. Early inflation incentives spending rather than speculating after the network is launched. While perpetual inflation doesn’t make Grin an ideal store of value, it avoids the instability of Bitcoin once Bitcoin’s block reward disappears and miners only earn transaction fees.
Grin’s novel monetary policy avoids the controversial Zcash Founder’s reward where 20% of newly minted ZECs are given to the project developers in the first four years. The size of the MimbleWimble blockchain also scales with the number of users rather than the number of transactions, avoiding the UTXO set scaling problem with Monero’s ring signatures.
Other interesting privacy coins that are relatively early in their development include MobileCoin and BEAM.
Privacy in Smart Contracts
Privacy in smart contracts is different than privacy in payments since smart contracts publicly contain program code. Unfortunately, program obfuscation is proven to be impossible, and as a result smart contracts currently lack both confidentiality (hiding payment amounts) and anonymity (hiding the identities of senders and recipients).
In my view strong demand for smart contract privacy will come when enterprise businesses are ready to build dApps at scale and need to hide their customers’ activity; right now there isn’t much downside to everyone seeing the usage of dApps like CryptoKitties. This may be similar to how the Internet first launched using HTTP for basic websites and then later introduced HTTPS for websites that needed encrypted web traffic for activities like e-commerce.
In the case of Ethereum, Zether is an ongoing research by Benedikt Bünz at Stanford on a private payment mechanism that is fully compatible with Ethereum and can provide both confidentiality and anonymity to Ethereum smart contracts. Zether will be implemented as an Ethereum smart contract and will use minimal amounts of gas. Zether is also versatile in that it can add provable privacy to common applications such as payment channels.
Keep is another project building a privacy layer for Ethereum by creating off-chain containers for private data. This allows contracts to manage and use private data without exposing the data to the public blockchain.
While privacy is the #2 priority for Ethereum right now after Casper, the Ethereum Foundation has been slow to implement Casper and the risk is that privacy won’t become a core feature in Ethereum until many years later. If privacy in smart contracts becomes something the crypto community desperately needs in the meantime, then new privacy smart contract platforms will emerge to fill this void, similar to how Zcash and Monero emerged for private payments instead of Bitcoin. Enigma, Origo, and Covalent are all new smart contract platforms that are trying to implement privacy natively into the blockchain.
Oasis Labs is another exciting privacy project building out Ekiden, a new smart contract platform that separates smart contract execution from the underlying consensus mechanism. The smart contracts run inside an isolated piece of hardware (such as Intel SGX) called a secure enclave. The enclave acts like a black box, keeping the computation private from other applications. It also generates a cryptographic proof that the program was executed correctly, and the proof is then stored on the blockchain. By decoupling smart contract execution from consensus, Ekiden is compatible with different underlying blockchains including Ethereum.
Privacy Infrastructure
In addition to privacy coins and private smart contracts, there are other important privacy infrastructure projects for the Web 3 stack that are worth mentioning.
Orchid is attempting to build a better version of Tor where users earn tokens from renting out their extra bandwidth to be relayers inside the Orchid network. The problem with Tor is that there are only around 6000 relay nodes and under 2000 bridge nodes, so the Chinese government can just blacklist all relay and bridge nodes and thus prevent its citizens from accessing Tor. Using token economics to incentivize lots of people to become relayers makes it more difficult to block Orchid without subsequently blocking large portions of the Internet.
BOLT is building a private payment channel that uses blind signatures and zero-knowledge proofs to hide participants when they open, transact, and close the payment channels. The initial payment channel is being built on top of Zcash but will be able to interoperate with Bitcoin and Ethereum.
NuCypher is building a decentralized key management system using proxy re-encryption to provide the same functionality as HTTPS. Proxy re-encryption is a type of public-key encryption that allows someone to transform ciphertexts from one public key to another without learning anything about the underlying message.
Starkware is implementing zk-STARKs in various blockchains including Ethereum. The advantage of zk-STARKs over zk-SNARKs is that it doesn’t require a trusted setup, although the cryptographic proof sizes become much larger.
Privacy Research
Academic research in cryptography is what drives innovation in privacy. Privacy research mainly falls under the topics of zero-knowledge, multiparty computation, and fully homomorphic encryption.
In addition to zk-SNARKs and zk-STARKs, Bulletproofs are a new form of short non-interactive zero-knowledge proofs. Like zk-STARKs, Bulletproofs require no trusted setup, but verifying Bulletproofs is more time consuming than verifying zk-SNARK proofs. Bulletproofs are designed to enable efficient confidential transactions in cryptocurrencies and shrink the size of the proof from over 10 KB to 1–2 KB. If all Bitcoin transactions were confidential and used Bulletproofs, then the total size of the UTXO set would be only 17 GB, compared to 160 GB with the currently used proofs.
Multiparty computation allows a group of people to jointly compute a function over their inputs without each person revealing their own input. An example is when Alice and Bob want to find out who owns more Bitcoin without each person revealing how much Bitcoin he/she owns. Unfortunately, the current limitation of multiparty computation is that it’s extremely inefficient to use in practice.
Fully homomorphic encryption allows someone to compute on encrypted data. It was an open problem in cryptography for several decades until 2009 when Craig Gentry, a Stanford PhD student, used lattices to construct the first fully homomorphic encryption scheme. An example when this is useful is if Bob wants to perform arbitrary computations, such as training a machine learning model, on Alice’s data without Alice having to reveal her plaintext data. Fully homomorphic encryption, like multiparty computation, is still very theoretical right now and too inefficient to use in practice.
So what?
Overall, privacy is one of the most exciting areas of cryptography research right now, and there is much work to be done on optimizing the efficiency of these theoretical techniques to be practical to use in the real-world. Research labs, such as the Stanford Center for Blockchain Research, are actively making progress in this field and it will be exciting to see what major breakthroughs will happen over the next few years.
The benefit of cryptocurrencies is that it provides a direct application for the latest privacy research. Many of the privacy techniques used in coins, smart contracts, and infrastructure were only invented a few years ago. Given how fast this space is moving, privacy will continue to be more and more integral to the design of crypto projects.
About the author: Richard works at 1confirmation, an early-stage crypto venture fund based in San Francisco. Sign up for the 1confirmation newsletter and don’t hesitate to reach out on Twitter.
