The Privacy Chain Landscape
In the first segment of this three-part series, we discussed the overall importance of anonymity and privacy to blockchains’ impact on the world: “Why Privacy and the Future of Blockchains Go Hand in Hand.” Having established the need for anonymity to blockchains and its key function as a way to ensure fungibility, we now move our focus to those very blockchains that aim for privacy to their users. Our next stop after this discussion will then be to the a new, novel approach to solving privacy and scalability called Mimblewimble.
We will discuss three major and established privacy coins, or at least coins that market themselves based on privacy: Monero, Zcash, and Dash. Each of these coins has differing levels of privacy, and therefore fungibility.
Monero is arguably the strongest of the privacy coins with respect to overall features and the ways it ensures privacy. Monero’s blockchain uses a combination of stealth addresses and confidential ring transactions (ringCTs). Stealth addresses are essentially randomly-generated single-use addresses that are created for the sender so that no address can be linked back. This means that we have no idea who else has sent coins to the recipient as both recipient and sender are masked. Linkability between transactors therefore is severed. RingCTs only require that the inputs and outputs of a transaction basically equal each other (sum of the input amounts is the same as the sum of the output amounts). As a result, it can dispense with the very information it needs to arrive at that answer — as long as we know these things equal out, we know what equaled them out (the cryptographic proof is true). In addition, RingCT inputs and outputs across multiple transactions can be joined in such a way that plausible deniability can be ensured.
Monero has a large and active community and has responded innovatively to improve its protocol — ie with RingCT. Along with Zcash, it offers some of the highest levels of privacy of any known chain and has the most cryptographically secured network.
Identifiability has been ‘baked into’ the chain — before RingCT implementation, roughly 200,000 transactions took place which remain identifiable. These transactions remain identifiable and can be linked to others. In addition, while RingCT+Stealth Addresses is a very robust way to ensure privacy, it is by no means perfect. Researchers have noted that simple tricks allow an observer to identify some of the decoy mixins used to cover for a real coin being spent via stealth addresses. This exploit allowed them, prior to a fix by Monero, to spot the real coins 90% of the time; after the fix, researchers can still spot the real coin 45% of the time making identifiability theoretically almost a 50/50 bet. Scalability also remains at issue; because each transaction requires six or more additional transactions. The data requirements of the blockchain grow very quickly over time. At the time of this writing it is over 56 GB.
The main technology behind ZCash is the utilization of zk-SNARKs (zero knowledge succinct non-interactive argument of knowledge). The name itself helps break down exactly how this works. Zk-SNARKs allow something to be true without needing to verify the process that led it to be true — that ‘zero knowledge’ is required of the intervening operation.
A popular analogy used to describe zk-ZNARKs is the “Two Balls and the Color-Blind Friend” example. Let’s imagine that our we give two balls, one green and one red to our friend; since our friend is color-blind, the balls’ colors are indistinguishable from one another. Our job is to convince our friend that these balls are actually two different colors. How would we do that? The method would be to ask our friend to put the balls behind his back and ask him to produce one to show us — periodically switching the ball. Since we are not color-blind, we can say with certainty whether he switched them or not; if they were the same color, we couldn’t guess whether he switched them or nor with a probability higher than 50%. We can repeat this switching process through a number of iterations until we are satisfied. In this example, our friend never learns the color of the balls, but he can become convinced that the balls are a different color — hence he needed zero knowledge of the actual information (ball color) used to delineate the proof.
While zk-SNARKs do a pretty great job of obfuscating transactions, Zcash’s implementation of zk-SNARKs is an option. In other words, it is not private by default, users need to explicitly enable privacy, and only roughly 10% of transactions use this functionality. The optionality of ‘zk-SNARK-ing’ on Zcash may be due to the fact that the is in quite memory-intensive and unwieldy to process a zk-SNARK transaction — it require running a full node and about 4GB of RAM.
Zcash is the third-largest privacy chain having begun in 2016. It has a relatively robust and cryptographically secure network with a very experienced and well-regarded core development and management team.
The optional basis of its privacy feature via zk-SNARK-ing makes it very easy to identify and link transactions. In addition, because the number of transactors who choose to use the privacy feature is sufficiently small, they are conspicuous on the chain. Lastly, the memory-intensiveness of zk-SNARK-ing makes practicality of of scalability of transactions very questionable.
Cryptographically speaking, Dash is not private. It uses a method of transaction mixing called CoinJoin. CoinJoin itself is a cryptographically weak measure to ensure privacy as relationships can be discovered between transactor even when the transactions are mixed and we only see outputs and inputs. Furthermore, the chain of Dash itself is open; like Zcash, it’s optional to make the transaction private, so open relationships are easily discerned. The particular implementation of CoinJoin that Dash utilizes runs through a number of masternodes and these masternodes are violable to nefarious attackers taking control. In addition, most of these masternodes are run through Virtual Private Servers (VPSs) and there exists the possibility of the operators of the VPS service to log information without the awareness of the masternode owner’s knowledge. In terms of scalability, mixing the coins can take from several hours to days.
Dash is has a cryptographically robust and secure network. It has gained great traction as a viable alternative to Bitcoin with respect to its better consensus-building in development as well as better long-term scaling viability.
With respect to privacy, Dash is the weakest of the three major privacy chains. Not only is CoinJoin significantly violable to both traceability and linkability, but it is an intensive process. Also, like Zcash, using CoinJoin is optional, so it suffers from the same drawbacks. In addition, the masternodes of Dash, while allowing better scalability, are a point of centralization — and aside from the security consequences of the masternodes’ centralization, the operators of the VPSs on which they run have the potential to catalogue data without the knowledge of the masternode owner.
We can see that Monero and Zcash arrive at un-traceability through similar means — not requiring the proof of the operations between inputs and outputs. In terms of un-linkability the stealth addresses of Monero are demonstrably more private than the optionality of Zcash’s uneven zk-SNARK-ing; in Zcash, you can link transactions via a send from an open address to a zk-SNARK’d address, and so on. Dash used a cryptographically weak measure of ensuring privacy, and like Zcash, it is not a totally private chain, with most of its composition open. In all three chains, scalability remains at a looming issue, especially for zk-SNARK-ing in Zcash and Dash’s CoinJoin mixing process.
There is, of course, a new technology that we will get to in the final part of this short survey of the field, which is Mimblewimble. Mimblewimble is a more robust and elegant way of solving both un-traceability, un-linkability, and scalability at once. See you soon!