Comparing privacy coins is hard!

Privacy might seem like a simple matter. You just keep things to yourself, right?

But it isn’t always that simple. Whenever we go about our lives, we “leak” information. When we do our daily commute, people see us along the way, and we leak location-based data to them. If they notice us a few times, they can learn that we probably live and work nearby. The cashier at the local grocery store knows that we can’t control our chocolate addiction.

Google and George Orwell — 1984
And in today’s connected world, large corporations can track pretty much everything we do online.

Privacy in cryptocurrencies is even more complex. The way cryptocurrencies work is that every action requires sharing information with every other user. You might think Bitcoin is anonymous because you don’t have to use your name, but even though addresses don’t have a real-world identity, you can still learn a lot from looking at some Bitcoin transactions and the relationship between them.

Team BEAM believes the privacy issue is fundamental for cryptocurrencies going forward. We’re willing to adopt a didactic strategy when it comes to various privacy-related trade-offs (there’s no perfect solution!). And the reason why is that we still believe in our crazy world, arguing, debating, and fighting for our truth is important, essential, and vital.

Oops.

House — Fox

So here’s a story. On BEAM’s website, we recently published a comparison table, comparing BEAM’s features to other cryptocurrencies. What we wanted to achieve was quite simple from our point of view: to help visitors quickly gauge what makes BEAM special, and decide if they wish to learn more or not. But there’s a whole world between what we wish and what we get.

However, we quickly got some serious, interesting, and predominantly constructive pushbacks on our social media channels. For example:

We wouldn’t have used the word deceptive there, but we get the point, seriously. Sometimes when you try to explain yourself, you try to simplify. But here, we simplified too much, left out a lot of singular and important details, and ended up with a comparison that ignores the complexities of the situation.

How could we fix this wrong impression? The solution was written on the wall, or actually on a Reddit thread. Let’s proceed to a more in-depth look into this comparison, and also let’s give other coins and approaches the attention they deserve. This is by no means a comprehensive review however, and should only serve as a stepping stone for you, the reader, to begin your own research.

Bitcoin

Bitcoin
The big guy.
The coin to rule’em all.
A lot of us think of Bitcoin as “anonymous.” It isn’t really (we’ll see why), but it does have a lot going for it in the way of privacy.

For example, all modern Bitcoin wallets will generate a unique receiving address for you whenever you get a payment. This makes it harder for others to link different transactions from the same entity.

Some other major cryptocurrencies, like Ethereum, have most wallets by default using just a single address forever. This means that whenever you send a friend $5 worth of Ethers, they learn your address, and since you’re only using one, they can view your entire financial history: tokens you owned, and how much, when did you got them and when you sold them. Not good! Try this next time someone sends you an ETH transaction…

From Friends — ABC

We’ll get back later to this important point: defaults matter. There’s not much standing in the way of Ethereum wallets from generating unique addresses for every ETH transaction, but they don’t and that’s usually not the default. With Bitcoin, it is the default, and that improves the privacy of all Bitcoin users.

Bitcoin also scales better than other coins like Monero and Zcash. It’s not perfect by any means, but it’s still possible to run a Bitcoin node on cheap hardware and internet connections. This is important because when you use your own Bitcoin node, you don’t need to use a third-party server that will know about your addresses. The more people use their own nodes, the more private Bitcoin is for everyone! And this is a postulate.

Some other things people do to improve their privacy by using Bitcoin. Each of them has their own tradeoffs (remember, nothing is perfect), but none of them are enabled by default:

  • Centralized Mixing — basically you can use a third-party like an exchange or a mixing service. You will send them some coins, and they will send back the same account, from another stash of coins. For anyone looking from the outside, the two transactions won’t appear to be connected at all. However, you must trust that the third party service won’t keep logs and publish them at some point — this will enable them to snitch on you! They can also steal your coins by just avoiding sending them back. Lastly, the third-party service must have a lot of liquidity (many bitcoins sitting idle waiting for mixing).
  • Tumblebit — this has various “modes.” The simplest one is basically a trustless version of centralized mixing. It is still run by a single server, but you don’t have to trust that server with your privacy or with the safety of your funds. Win! That’s great, but the third party must still maintain a lot of liquidity, and their operation might be illegal in some territories, making things tricky. This might be why it’s hard to find Tumblebit services in the wild these days.
  • CoinJoin — with CoinJoin, multiple users get together to create a single transaction that combines many inputs and outputs. Think of inputs as “where the money is from,” and outputs as “where the money is going.” The coins to fund a transaction can come from multiple sources, or inputs, and can go to multiple targets, or outputs. If Alice, Bob, and Carol all get together to create one transaction funded with 3 inputs, one for each, with a size of 1 BTC, and that transactions have 3 outputs that go to Carol, Alice, and Bob (random order), to new addresses that no one else knows… Well, it would be hard to tell which output belongs to who! But, the problem is that Alice, Bob, and Carol must all be online together, and must all meet somehow to create the CoinJoin transaction. There are some tools to automate this, like JoinMarket and WasabiWallet, but it’s not yet easy to use, and it can take quite a while to find partners for the CoinJoin. Another big problem is that all amounts in the CoinJoin transaction must be equal. If they aren’t, and say Alice puts in 1 BTC, Bob puts in 2 BTC, and Carol puts in 3 BTC, it would be easy to look at the size of the outputs and figure out which output belongs to which user. So either you look for partners who happen to want to mix the same amount of coins as you do, or you try to hide the amounts……
  • Confidential Transactions — This is a method proposed for Bitcoin, but not implemented yet (with no clear roadmap either). It allows hiding the amounts in a transaction. You could be sending 0.01 BTC or 1000 BTC and no one would know. This helps CoinJoin a lot as well. Unfortunately, it is hard to tell when, and if, it will be available in Bitcoin. It is available on some other privacy coins though…
  • Lightning network — this isn’t the place to go in-depth on lightning, but we’ll just say it can help with privacy as well. Since it moves many transactions off-chain, most network participants are not aware of them, so better privacy can be achieved. It is not perfect, and some actions may leak information (for example, opening and closing channels on-chain). But it is a step forward!

While these features are all great, most bitcoin users probably don’t use them. They’re not on “by default,” and using them requires some expertise. Privacy is improved for everyone as more people take care to protect it — because you can hide in a larger group of people. If you’re the only one protecting your privacy and anonymity, you’ll stick out from the crowd! That’s why we believe there’s room for specialized “privacy coins.”

If you want to read more on these and other current and future privacy features for Bitcoin, try this article by Bitcoin Magazine.

Zcash

Zcash is a coin based on “zkSNARKs,” a new-ish scheme that allows hiding pretty much everything about transactions. We won’t explain how it works here, but it can hide amounts, inputs and outputs perfectly, only revealing metadata like transaction times and transaction fees.

The are three main problems with Zcash:

  • Privacy isn’t on by default. “Shielded transactions” are bigger and slower to generate than transparent transactions, so they are off by default, and most wallets don’t support them at all. This might improve with time, but right now only a small percentage of Zcash transactions are shielded, and that hurts everyone’s privacy.
  • “Moon math” — zkSNARKs are new and few people understand them deeply. They didn’t receive as much review as simpler schemes used by other coins, so there are concerns that some bugs still lie there somewhere. That said, Zcash has been going on without fail for a while now.
  • Trusted setup — zkSNARKs require a special permissioned secret key to set the entire system up. If this key leaks, anyone who gets a hold of it can subvert the entire system, creating new coins out of thin air, in a way that’s undetectable, slowly destroying the coin’s ecosystem. The Zcash foundation has a few mitigations in place to try and prevent this event from occurring, but it’s still a real threat.

Monero

Monero uses Stealth addresses (which can optionally be used in Bitcoin as well) for hiding outputs, Confidential transactions (remember those?) to hide amounts, and Ring Signatures to hide inputs.

Ring signatures work by obscuring the true inputs of a transaction inside a pool of unrelated inputs. Unlike CoinJoin, this doesn’t require anyone else to be online at the same time. But you do get a potentially smaller set of inputs to hide in. Read more on this other article by Bitcoin Magazine.

Monero is, unfortunately, notoriously hard to scale. It currently isn’t anywhere near as popular as Bitcoin, but if it was, its chain would be huge and perhaps unmanageable.

That being said, all Monero transactions are private by default; there’s no way to disable the privacy features. This is a huge plus and makes Monero potentially a better choice for privacy than Bitcoin and Zcash.

Mimblewimble: BEAM and Grin for now

We saved the best for last :)

Mimblewimble bursts into the scene as an anonymous white paper dropped on an IRC chat room. It seems to elegantly pack some of the best lessons learned in a decade of blockchains. Here are some benefits:

  • Amounts are hidden with confidential transactions
  • Transactions are lightweight: they consist of just a number for the input, another number for the output, and (almost) nothing else
  • Cut-through: When blocks are created, if a transaction is spending outputs from another transaction in that same block, the outputs from the spent transaction and the inputs from the spending transactions can be removed from the block! When the next block is mined, the two blocks can be cut-through in the same way, until the entire chain has been cut-through! This not only saves space, but it also means that we end up with a chain that is composed only of unspent outputs, so the chain information can’t be used to link transactions! Essentially, this gets the same benefits as CoinJoin, but without requiring users to be online at the same time, and with a much larger anonymity set (all outputs)!
  • And since this is all integral to how the system works, privacy is on by default!

This allows creating coins that aren’t just lightweight, but also very private. We can further improve upon them with innovations from things like Bitcoin:

  • For example, one drawback of Mimblewimble is that, while a cut-through blockchain doesn’t retain enough information to link transactions, this information does exist when the transaction is first created (before cut-through) and being broadcasted to miners for inclusion in a block. If miners (or someone else) record this information and store it, they can later attempt to use that to link transactions. One approach to mitigate this problem is using CoinJoin when generating a transaction, to obscure the links between inputs and outputs before ever broadcasting the transaction. Team BEAM is working on a solution that improves upon this concept, and we will share more in the future.
  • We can also use Lightning with Mimblewimble to further move transactions off-chain, with the privacy and scalability benefits that come with that. BEAM is committed to making this a reality soon.

You can learn more about Mimblewimble by reading Grin’s introduction, and our own ELI12.

Keep it together, folks!

We believe “privacy by default” is critical to allow real privacy benefits for everyone. But we also understand that there more Bitcoin users who take care to take the steps to protect their privacy, than the entire Mimblewimble userbase together! This might have something to do with how no Mimblewimble coins launched yet…

We intend to continue to learn and adapt from privacy-related innovations in the cryptocurrency space, and we believe Mimblewimble and BEAM have a lot to offer in return. We’ll deploy a large-scale implementation that includes Confidential Transactions, Bulletproofs, Signature Aggregation, Dandelion, and a whole other host of technologies, and our experience will be useful for other communities, even if they won’t be interested in using BEAM :)

Sure, the cryptocurrency space is competitive. But we can, and should, learn from each other along the way and push out shared goals, together.

We strive to continue to contribute educational resources on privacy concepts in cryptocurrencies. We hope to make them short, sweet and digestible, like this great gem from a Grin developer, who explains Mimblewimble in one tweet:

We tried to keep this post from getting too long, and to provide explanations that aren’t too complex. If you liked them, please like and share this. If you think our explanations are lacking, please let me know below!

And before we leave you to your own personal life, let’s meditate together my favorite Allen Ginsberg’s quote: “Follow your inner moonlight; don’t hide the madness.”

Have a question? Want to share with Team BEAM some ideas and solutions, what are you waiting for?

Join our developer community: Gitter

Telegram: t.me/BeamPrivacy

Reddit: reddit.com/r/beamprivacy/

Twitter: twitter.com/beamprivacy

Discord: discord.gg/BHZvAhg