How do they do it? Crypto anonymization technologies overview

Many of those who use Bitcoin, Ethereum or other popular cryptocurrencies are concerned about them being too transparent. Using a block explorer, anyone can tell how many coins are stored in your wallet, where you got them from and what transactions you make. Despite the controversy surrounding anonymous tokens, the reason behind them is hard to dismiss. As Monero lead maintainer Riccardo Spagni put it on Twitter, “What if I simply don’t want the cashier at the grocery store to know my account balance and spending habits?”

But how exactly do anonymous altcoins shield users’ data? Let’s take a look at the technological aspects of crypto anonymity and make a brief overview of the most popular solutions with their pros and cons.

Today, there are about a dozen blockchains offering various degrees of anonymity. In some of them, all transactions are completely obscured, while others let users choose whether a given transaction should be traceable. Some blockchains only hide the addresses involved in a transaction, while others conceal its amount as well.

All currently existing anonymization technologies used in crypto can be divided into two groups: those based on mixing, i.e. combining payments from multiple spenders into a single transaction, and those using polynomial-based zero-knowledge proofs to verify transactions. To understand how the different approaches to anonymity in crypto evolved over time, let’s start with one of the pioneering solutions in the area.

Mixing-based solutions

CoinJoin

CoinJoin does not exactly make transactions anonymous, but it does make tracking spenders and recipients more difficult. Nevertheless, the solution was one of the first attempts to make Bitcoin transactions more confidential, so we decided to include it in our review.

CoinJoin is based on a simple idea: what if users could combine their payments into a single transaction? Imagine Arnold Schwarzenegger and Barack Obama making two payments, one to Charlie Sheen and another to Donald Trump. If the payments come as parts of a single transaction, it becomes harder to identify which of the parties, Arnold or Barack, is financing Trump’s election campaign.

Figure 1. CoinJoin transaction scheme

The method is impressively simple and does not require any modification of the underlying protocol, so it can easily be applied to many blockchains. The Dash blockchain, for instance, still uses a mixing protocol based on the same solution, with some add-ons to make it more secure.

Unfortunately, the original method’s main advantage, its simplicity, implies its greatest disadvantage: weak security. Over time, tools were developed to identify CoinJoin transactions within the network and to detect relationships between the parties by comparing the amounts of coins being spent and generated. One example of such a tool is CoinJoin Sudoku.
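The amount-matching weakness described above can be checked for on the wallet side before a CoinJoin is signed. The following added example (not code from the original article or from any CoinJoin implementation) enumerates every way the public input and output amounts of a fee-less transaction can be split into balanced sub-transactions; if only one such split exists, the amounts alone reveal who paid whom, which is exactly what CoinJoin Sudoku exploits.

```python
from itertools import combinations

def balanced_partitions(inputs, outputs):
    """Enumerate every split of a fee-less transaction into sub-transactions whose
    input amounts exactly equal their output amounts. Returns a list of partitions;
    each partition is a list of (input_indices, output_indices) tuples.
    Brute force over subsets, fine for the handful of parties in a real CoinJoin."""
    results = []

    def rec(free_in, free_out, parts):
        if not free_in:
            if not free_out:          # every input and output has been assigned
                results.append(parts)
            return
        first, rest = free_in[0], free_in[1:]
        # The lowest unassigned input anchors the next sub-transaction, so each
        # partition is generated exactly once.
        for k in range(len(rest) + 1):
            for extra in combinations(rest, k):
                s = (first,) + extra
                target = sum(inputs[i] for i in s)
                for m in range(1, len(free_out) + 1):
                    for t in combinations(free_out, m):
                        if sum(outputs[j] for j in t) == target:
                            rec([i for i in rest if i not in extra],
                                [j for j in free_out if j not in t],
                                parts + [(s, t)])

    rec(list(range(len(inputs))), list(range(len(outputs))), [])
    return results

def amount_linkability(inputs, outputs):
    """Wallet-side privacy check: number of distinct splits into two or more
    sub-transactions that the amounts alone permit. 1 means the amounts fully
    reveal the pairing of payers and payees; larger numbers mean ambiguity."""
    return sum(1 for p in balanced_partitions(inputs, outputs) if len(p) >= 2)

# Constructed sample (integer units): Arnold spends 5 (pays 4, change 1),
# Barack spends 10 (pays 7, change 3). Unequal amounts: exactly one split.
LEAKY_IN, LEAKY_OUT = [5, 10], [4, 1, 7, 3]
# Same spenders, but the payments use an equal denomination of 4: two splits.
MIXED_IN, MIXED_OUT = [5, 10], [4, 4, 1, 6]
```

Equal-denomination outputs are the standard mitigation: every extra output of the common size multiplies the number of admissible splits.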

Pros:

  • Simplicity

Cons:

  • Proven vulnerability to transaction-linking analysis (e.g. CoinJoin Sudoku)

Monero

The first association to come to mind when one hears “anonymous cryptocurrency” would be Monero. The altcoin is said to be a hard nut to crack even for intelligence agencies.

Previously, we’ve published a detailed overview of the Monero protocol, so now we’ll just highlight its main features.

Figure 2. Monero transaction scheme

In the Monero protocol, each output being spent in a transaction is randomly mixed with at least 11 (at the time of writing) other outputs, thereby complicating the transaction graph and increasing the computational cost for anyone trying to track it. The mixed outputs are signed with a ring signature, which ensures that the tokens are being sent by their owner but makes it practically impossible to determine which of the ring members the owner is.

To conceal the recipients’ identities, each newly generated coin uses a one-time address, which makes it computationally infeasible for a third party to associate any given output with a public address (it would require breaking the participants’ keys). Since September 2017, Monero has also supported a modified Confidential Transactions (CT) protocol, which conceals the transferred amounts as well. And recently, the developers have moved from Borromean range proofs to a new type of proof called Bulletproofs, significantly reducing the size of a transaction.
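The one-time address mechanism is small enough to show end to end. The added example below is not Monero’s code: it models the view-key/spend-key split in a toy multiplicative group (Z_p^* with p = 2^255 - 19, generator assumed to be 2) instead of ed25519, uses SHA-256 as the hash-to-scalar, and leaves out ring signatures and CT. The sender publishes a fresh R with every output, a watch-only wallet holding only the view key can recognise the output, and only the spend-key holder can derive the key that spends it.

```python
import hashlib, secrets

# Toy group for the demo (assumption): Z_p^* with p = 2^255 - 19, base G = 2.
# Monero does the same on the ed25519 curve; the key derivation is identical.
P = 2**255 - 19
ORDER = P - 1            # exponents are reduced modulo the group order
G = 2

def keypair():
    """Random private exponent and its public element G^x."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def _hs(element):
    """Hash-to-scalar H_s() of a group element (SHA-256 stands in for Keccak)."""
    digest = hashlib.sha256(element.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER

def sender_one_time_address(view_pub, spend_pub):
    """Sender side: fresh r, transaction public key R = G^r, and the output key
    P_out = G^H_s(A^r) * B. Only R and P_out ever appear on chain."""
    r, R = keypair()
    shared = _hs(pow(view_pub, r, P))          # A^r = G^(a*r)
    return R, pow(G, shared, P) * spend_pub % P

def recipient_scan(view_priv, spend_pub, R, one_time_pub):
    """Recipient (or a watch-only wallet with just the view key a): is it mine?"""
    shared = _hs(pow(R, view_priv, P))         # R^a = G^(r*a), same secret
    return pow(G, shared, P) * spend_pub % P == one_time_pub

def recipient_spend_key(view_priv, spend_priv, R):
    """Private key of the one-time output: x = H_s(R^a) + b, needs the spend key b."""
    return (_hs(pow(R, view_priv, P)) + spend_priv) % ORDER
```

Two payments to the same recipient yield unrelated on-chain keys, which is what stops a block explorer from grouping them by address.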

Pros:

  • A time-tested solution
  • Relative simplicity

Cons:

  • Slow proof generation and verification compared to ZK-SNARKs and ZK-STARKs
  • Not resistant to decryption using quantum computers

MimbleWimble

MimbleWimble (MW) was originally developed as a scalable solution to make Bitcoin transactions confidential, but eventually became an underlying protocol for two independent cryptocurrencies, Grin and BEAM.

Figure 3. MimbleWimble transaction scheme

MW is remarkable in that it has no public addresses at all: to make a transaction, users exchange outputs directly, making it practically impossible for a third party to identify payers and payees.

Simply put, within an MW block, there are no transactions at all, only outputs that are being generated and spent. No transactions — no problems!

To conceal the input and output values, MW relies on a fairly widely used protocol proposed by Greg Maxwell in 2015, Confidential Transactions (CT). With CT, the exact values are hidden, and the system instead deals with so-called commitments, cryptographic values bound to specific inputs and outputs.

Verifying a transaction requires that the sum of its outputs, including the fee, minus the sum of its inputs is always equal to zero. As the network doesn’t reveal the values being transferred, all outputs in a given block look the same, so the protocol instead performs this check on the commitments themselves, an approach known as a “commitment to zero”.

To make sure that the values in question are not negative, the original CT scheme uses Borromean range proofs, which are notoriously large (about 6 KB per output). In order to reduce the block size, the developers have recently decided to switch to another proof protocol, Bulletproofs.
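The “commitment to zero” check can be worked through concretely. The added example below is not Grin’s or BEAM’s code: it writes Pedersen commitments multiplicatively in a toy group (Z_p^* with p = 2^255 - 19; value base G = 2 and a blinding base H derived from a fixed string, both assumptions) rather than on secp256k1, and omits range proofs. Because commitments are homomorphic, outputs times the fee divided by inputs leaves only a power of H when the amounts balance, and the sender proves that with a Schnorr signature over base H; any unbalanced amount leaves a stray power of G and the signature check fails.

```python
import hashlib, secrets

# Toy group for the demo (assumption): Z_p^* with p = 2^255 - 19, multiplicative
# notation. Grin and BEAM use secp256k1 points; the algebra is the same.
P = 2**255 - 19
ORDER = P - 1                    # exponents are reduced modulo the group order
G = 2                            # base that carries the coin value
# Blinding base from a fixed string, so nobody knows log_G(H) (demo assumption).
H = pow(int.from_bytes(hashlib.sha256(b"mw-demo-H").digest(), "big"), 2, P)

def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind: hides the value, binds to it."""
    return pow(G, value, P) * pow(H, blind, P) % P

def kernel_excess(input_cs, output_cs, fee):
    """(product of outputs) * G^fee / (product of inputs). If the amounts balance,
    every G^value cancels and only H^(sum of output blinds - sum of input blinds)
    remains: a commitment to zero the sender can sign for under base H."""
    acc = pow(G, fee, P)
    for c in output_cs:
        acc = acc * c % P
    for c in input_cs:
        acc = acc * pow(c, P - 2, P) % P      # multiply by the modular inverse
    return acc

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(32, "big") + msg).digest(), "big") % ORDER

def sign_kernel(blind_excess, msg):
    """Schnorr signature with H as the base, proving knowledge of the excess blind."""
    k = secrets.randbelow(ORDER - 2) + 1
    r = pow(H, k, P)
    return r, (k + _challenge(r, msg) * blind_excess) % ORDER

def verify_kernel(input_cs, output_cs, fee, msg, sig):
    """Holds only if the excess is a pure power of H (amounts balance) and the
    signer knew its exponent; any leftover G^delta makes the equation fail."""
    r, s = sig
    excess = kernel_excess(input_cs, output_cs, fee)
    return pow(H, s, P) == r * pow(excess, _challenge(r, msg), P) % P

def build_and_check(in_vals, out_vals, fee):
    """Sender commits with random blinds and signs the excess; verifier re-checks."""
    in_blinds = [secrets.randbelow(ORDER) for _ in in_vals]
    out_blinds = [secrets.randbelow(ORDER) for _ in out_vals]
    in_cs = [commit(v, b) for v, b in zip(in_vals, in_blinds)]
    out_cs = [commit(v, b) for v, b in zip(out_vals, out_blinds)]
    msg = b"kernel-fee-%d" % fee
    sig = sign_kernel((sum(out_blinds) - sum(in_blinds)) % ORDER, msg)
    return verify_kernel(in_cs, out_cs, fee, msg, sig)
```

The verifier never sees a single amount or blinding factor, only the commitments, the fee and the kernel signature, which is why a block holds no recognisable transactions.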

To prevent transactions from being deanonymized before they are combined, the Dandelion protocol is used: a chain of proxy nodes of random length passes the transaction from one to the next before it is actually broadcast to all participants, making its origin harder to track.

Pros:

  • A lightweight blockchain
  • Relative simplicity

Cons:

  • Slow proof generation and verification compared to ZK-SNARKs and ZK-STARKs
  • Scripts and multisignatures are hard to implement
  • Not resistant to decryption using quantum computers

Zerocoin

The Zerocoin protocol was proposed by Johns Hopkins University professor Matthew D. Green as a way of making Bitcoin transactions anonymous. It differs from the solutions described above in that it does not just combine multiple transactions into one by mixing. Instead, Zerocoin allows users to “burn” their coins using a special type of transaction known as Zerocoin Mint, and then redeem an equivalent number of coins that appear with no prior transaction history, much like newly mined coins. The network uses zero-knowledge proofs to guarantee that users have indeed destroyed their coins without revealing which specific coins have been “burnt”. That means parties can make completely anonymous transactions simply by exchanging these proofs: payers first “burn” their coins, and then payees use the generated proof to redeem the same amount in brand new tokens.

Image credits to steemit.com

The Zerocoin protocol, which to date has been implemented in altcoins such as PIVX and Zcoin, boasts an impressive anonymity set and can easily be adapted to various blockchains, but these advantages come with some drawbacks. Namely, Zerocoin requires a one-time trusted setup to create a set of initial keys used in proof generation. Due to the specifics of the Zerocoin Mint scheme, knowledge of these two keys would allow a third party to create coins out of thin air. Still, even in that case, the anonymity of Zerocoin transactions would not be compromised.

Pros:

  • High confidentiality
  • Relative simplicity

Cons:

  • Requires a trusted setup

Polynomial-based solutions

ZK-SNARKs

The name of this experimental technology unfolds as Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. It builds on the work of Zerocoin and was first implemented in Zcash as the Zerocash protocol.

As the name implies, a zero-knowledge proof is a method by which one party can prove to another that they know the value of a certain variable without revealing any information apart from the fact that they possess such knowledge. In the crypto sphere such methods are used, for instance, to prove that the number of coins generated in a transaction does not exceed the number of coins spent, without revealing the exact amount being transferred.

ZK-SNARKs use very complicated cryptography, and it would take more than one article to describe even its basic principles (the official Zcash website by now has 7 articles devoted to the matter). Therefore, today we limit ourselves to a brief overview of the technology.

Figure 4. ZCash transaction scheme

With the use of algebraic polynomials, ZK-SNARKs prove that the payers own the coins they spend and that the amount of coins spent does not exceed the number of coins generated.

The Zerocash protocol was developed as a way to reduce the proof size and increase verification speed. In a sense, it was a success: according to Zcash CEO Zooko Wilcox, its proof size is currently only 200 bytes, and a proof can be generated in a matter of seconds and verified in just 10 milliseconds.

However, Zerocash requires a trusted setup that is even more complicated than that of Zerocoin and is ironically referred to as The Ceremony. The procedure, currently involving six people, is necessary to guarantee that no party retains the private keys used in proof generation (also known as “toxic waste”); otherwise, anyone who knows them could generate unlimited Zcash. You can watch the setup ceremony on YouTube.

Pros:

  • Small proof size
  • Rapid verification
  • Relatively fast proof generation

Cons:

  • Requires a very complicated trusted initial setup
  • “Toxic waste”
  • Relatively complex technology
  • Not resistant to decryption using quantum computers

ZK-STARKs

Yet another acronym, meaning Zero-Knowledge Scalable Transparent ARguments of Knowledge. The new method was designed to address the shortcomings of ZK-SNARKs, such as the complicated trusted initial setup, “toxic waste”, vulnerability to decryption using quantum computers and relatively slow proof generation. (The latter problem, however, has by now been solved for ZK-SNARKs as well.)

Like their predecessors, ZK-STARKs also use polynomial-based proofs. The technology does not rely on complicated private-key cryptography, using hashing and information theory instead. While this makes ZK-STARKs resistant to quantum algorithms, the solution has its own drawbacks, namely its large proof size, which can run to hundreds of kilobytes.

At the moment, ZK-STARKs have yet to be implemented in any cryptocurrency and can be found only as source code on GitHub, although the developers’ plans for the technology go far beyond blockchain (in their white paper, the authors give the example of using their solution to verify the presence of a DNA sample in a police database). To facilitate its adoption, StarkWare Industries was created, which at the end of 2018 raised $36 million in investment from big-name players in the industry.

You can read more about how ZK-STARKs work in the series of posts by Vitalik Buterin (part 1, part 2, part 3).

Pros:

  • Resistant to decryption using quantum computers
  • Relatively fast proof generation and validation
  • No “toxic waste”

Cons:

  • Complexity
  • Large proof size

Summary

The rise of blockchain and the growing demand for anonymity contribute markedly to the development of cryptographic tools. In just a few years zero-knowledge proofs, a branch of cryptography conceived in the mid-1980s, have been replenished with new, rapidly developing solutions.

The latest advancements rendered CoinJoin obsolete while opening new perspectives for MimbleWimble. Of course, Monero remains an unshakable colossus guarding our privacy. The Zerocoin protocol spawned a number of promising cryptocurrencies and continues to evolve. And SNARKs and STARKs, despite certain drawbacks, have a chance to become leaders in the area. It is possible that in the coming years, many of the features we pointed out as “cons” of the technologies mentioned above will become irrelevant.