This is the third part in an article series by the Human Rights Foundation (HRF) on privacy and cryptocurrency, funded by the Zcash Foundation. To read about the purpose of this article series, see our introductory piece “Privacy and Cryptocurrency, Part I: How Private is Bitcoin?”. The next part in the series will explore the asset class known as “stablecoins”. This series is written by Eric Wall who recently joined the HRF as a Privacy Technology Fellow.
“It’s easier in most cases to get your money back than your freedom”
In the previous two parts of the series, we’ve looked at the traces we leave when we’re using bitcoin and the tools we can use to avoid leaving those traces. It is clear that when used in a privacy-conscious manner, bitcoin can be a considerable advancement over the current electronic financial system. Yet, fully utilizing bitcoin’s payment capabilities as a medium-of-exchange brings with it challenges that are considerably more difficult to overcome, especially when we assume our surveilling adversary to be intelligent and well-resourced.
While there are software tools available to the public to obfuscate the traceability of funds even for the frequent spenders of bitcoin, making use of these features is rarely free and their codebases are — at the moment — typically less likely to have received thorough auditing, which in itself can be considered a risk to one’s privacy via bugs. While there’s clearly a trending privacy-focus in bitcoin’s development effort at many different layers, current circumstances still beg a highly valid question: if the goal is to preserve privacy, why not just use a privacy coin?
Being honest about bitcoin’s limitations
In the previous part in this series, we touched on the use case where a person receives bitcoin to a fresh address that’s never been used before. The simplicity of this action is very powerful; a Bitcoin address generated using nothing but computer code and math is enough to receive money from anyone anywhere in the world without any questions asked. And since it is the sender who transmits the transaction, the recipient does not need to broadcast anything at all on the Bitcoin network. Even if bitcoin was criminalized, such as in Bolivia and Nepal, there would be no identifying information about your bitcoin ownership on the blockchain or in any ISP network traffic data logs from this transaction alone.
However, even in this simplest of all scenarios, your privacy is still threatened by the lack of privacy of your counterparty. Let’s assume for simplicity’s sake that you’ve purchased bitcoins from a local money changer and that you didn’t leave any traces of your intent to buy bitcoin anywhere in the online world. Is the sender a local money changer who frequently engages in bitcoin deals in your area? The ability for a surveilling entity to clamp down on the person you bought the coins from brings them one step closer to you. Does your local money changer remember your face or the car you drove? What information could someone deduce today when searching the blockchain for where your coins have moved since the purchase, if they’ve successfully deanonymized other parties you’ve interacted with in the system?
It’s possible that you’d manage to take the necessary precautions to avoid leaving any traces behind in that first face-to-face purchase. But the degree of sophistication required on your end quickly increases as you start transacting more frequently, in different types of scenarios, using different types of devices. It only takes one mistake for you to ruin your own privacy. Bitcoin privacy requires you to be “UTXO-aware” so to speak, which means that even if you are a frequent CoinJoin user, you shouldn’t be oblivious to which coins you are spending in a transaction, and you shouldn’t be oblivious to what your software exactly is doing under the hood. This responsibility can become cumbersome to users simply wishing to use cryptocurrency for their day-to-day transactions.
Can’t I just use the Lightning Network?
The Lightning Network brings some improvements to Bitcoin privacy which we touched on in the first part of this series. You can certainly become an early adopter of Lightning, but you need to be prepared for the fact that Lightning is a scaling technology foremost, not a privacy technology. It currently requires some know-how and some pre-allocation of capital in order to be deployed as a functioning payment system. The system is currently undergoing rapid development, and the exact privacy implications of it have not yet been thoroughly adversarially studied but potential weaknesses can nevertheless already be gauged ahead of time. Additionally, as it is currently an emerging technology, it isn’t certain that you’ll find too many people to transact with using this system yet.
How about the Liquid sidechain?
The security of the Liquid sidechain is different from the Bitcoin network. You can think of the Liquid network as an 11-of-15 multisignature wallet; all the money you use within this network are entrusted with the members of that federation. The privacy benefit of Liquid is that it uses Adam Back’s and Gregory Maxwell’s Confidential Transactions technology, which hides the amounts that are sent in transactions. Hiding amounts is a partial improvement, but on its own does little to prevent an attacker from figuring out who is transacting with who. Adoption of Liquid among retail users is currently close to non-existent, and has not been described as the target demographic for this technology.
Enter privacy coins
It is recognized within the cryptocurrency community that maintaining good privacy hygiene on Bitcoin’s transparent blockchain is a challenge. In an ideal world, future privacy amendments will make bitcoin safe to use even for novice users. Until that world has become reality, there is merit to exploring alternative cryptocurrencies that move the privacy needle further in a world where financial surveillance is becoming an ever-more pressing reality.
The goal of privacy coins is to leverage cryptography in clever ways to make the information on the network and the ledger entries unintelligible to an observer, while still allowing anyone to validate that all the rules of the currency are being followed — and putting all that into a scalable, secure, trust-independent and user-friendly format. Constructing such a system is currently a developing field of research where no path is free of compromise. If devising such a scheme was trivial, it is not unlikely that bitcoin would already exhibit these characteristics today.
Indeed, much of the cryptographic cleverness deployed in privacy coins today (such as Confidential Transactions, leveraged by privacy coins Monero, Grin & Beam) originated as Bitcoin research ideas that for various reasons have not made it into the Bitcoin base protocol. It is important to understand why bitcoiners are cautious when it comes to advancing its privacy characteristics; barring transition and implementation difficulties, privacy-enhancing techniques most often make transaction sizes larger, which impedes the scalability of the system. But more importantly, the coin supply — which today is auditable to anyone with a calculator — would under many privacy schemes instead rely upon trust in that the cryptography works as intended.
In Monero we’ve discovered and patched a critical bug that affects all CryptoNote-based cryptocurrencies, and allows for the creation of an unlimited number of coins in a way that is undetectable to an observer unless they know about the fatal flaw and can search for it.
— getmonero.org, May 17, 2017 (source)
We discovered [and patched] a counterfeiting vulnerability in the cryptography underlying some kinds of zero-knowledge proofs […] an attacker could have created fake Zcash without being detected […] this vulnerability is so subtle that it evaded years of analysis by expert cryptographers focused on zero-knowledge proving systems.
— Electric Coin Company, February 5, 2019 (source)
To be perfectly clear, it isn’t that privacy coins have bugs and bitcoin does not. Bugs are a problem for every cryptocurrency, including bitcoin. The key difference here is that when a bug allows an attacker to print money in a privacy coin, it can go undetected for years. This allows the attacker time to trade these coins with other users, so that even if the attack is detected, there is no recourse but to accept that the boundaries of the currency has been broken, which may obliterate its market value. Bitcoin’s transparency, for all its flaws, ensures that such bugs in coin supply are detected promptly (see the value-overflow incident), giving the users of the network a chance to remediate the situation before the damage has gone systemic.
Moreover, challenges with bugs in code are not limited to coin supply only. Even though a privacy-oriented cryptographic protocol can theoretically guarantee privacy even if, say, its elliptic curve cryptography is broken, it cannot guarantee privacy if the cryptographic protocol itself has been implemented incorrectly (for example, if the software application leaks information or isn’t correctly calculating values in some other pernicious way). The only way we can deflect against these problems is by having many competent eyes scrutinizing the code we use. But that means that every time we use a cryptocurrency or application that is less popular and has had fewer people looking at the code, we increase the risks towards not only our money, but also to our privacy, which is ironic if desiring privacy was the reason we sought out these systems in the first place.
In a famous poem by Robert Frost, traveling by the “road less traveled” can be interpreted as a piece of advice that rewards you with unique experiences embellishing your life. But in the realm of open-source software and cryptocurrencies, those experiences are likely to just be bugs and catastrophic vulnerabilities that could expose your private data to the public and lose you all of your money.
This stuff is difficult. This stuff is subtle. If you are excited about all these new projects claiming magical things, you should be skeptical of those. And if you are frustrated by how slow you perceive bitcoin to move — bitcoin moves too fast. This is hard and scary. And we need to slow down and be careful.
— Andrew Poelstra, Director of Research at Blockstream and co-inventor of the Mimblewimble protocol (the basis of both Grin and Beam)
Does this mean that privacy coins are a bad endeavor? Being aware of tradeoffs and risks is important, but once we have identified the tradeoffs and weighed the risks, we can make somewhat educated decisions. While there are definitely risks one should be aware of when using a privacy coin, there are risks to using anything. While it may not be the smartest idea to use privacy coins to preserve our life savings, they are still viable options to transact with, as long as you can tolerate a bit of risk.
The downsides of using privacy coins compared to bitcoin fall into the following categories: higher volatility risk, a higher risk for catastrophic vulnerabilities and failures, and fewer places and entities who currently accept the currency as payment. The upsides are vastly improved built-in privacy features.
Choosing a Privacy Coin
The best we can do to limit the downsides listed above is to choose a privacy coin with competent developers behind it. The four largest privacy coins when looking at market capitalization (and gleaning at the implied market capitalization for newly launched privacy coins) are Monero, Zcash, Grin, and Beam.
We’ve spoken to one person from each project and challenged them to put into their own words the advantages of their project, in particular when compared to the others. As you will learn, while they all ultimately share a similar goal, the projects are by no means equal, and each privacy coin comes with its own set of tradeoffs towards privacy, security, trust-independence, scalability, and user-friendliness.
It is important to recognize that most cryptocurrencies — privacy coins included — are quite organic. If you are reading this text one year from now, much of what is presented here could already have changed drastically as new improvements continuously make their way into these protocols.
Monero has no founder’s reward, no trusted setup, and no premine. Monero is a true decentralized virtual currency under FinCEN regulations and guidance. There’s no company behind Monero, which means there’s no governing body to regulate. Privacy is mandatory for everyone in Monero, which provides for a large anonymity set. The monetary policy is important here, too. Monero has a minimum block reward of 0.6 XMR per block in perpetuity, to ensure we don’t need to rely on scarcity of the block size and transaction fees to provide an incentive for the miners to provide security to the system. More transactions allows the anonymity set to grow further.
Anyone who claims perfect privacy against an attacker with unlimited resources should be treated with extreme caution and skepticism. I do believe however that Monero offers a very competitive privacy solution in the current marketplace when all factors are considered.
— Francisco “ArticMine” Cabañas, Monero Core team
Monero launched in 2014 and is the oldest out of the four. It is generally applauded for being a community-driven project with no headquarters and no special rewards handed out to the project’s founding members. Much like bitcoin, it is a grassroots project. The specific technologies providing privacy in Monero are called Ring Signatures, Ring Confidential Transactions and Stealth Addresses. Simply put, what these three technologies achieve is they mix the coins that are being spent with a set of decoys (10), hide the amounts that are being sent and hide the addresses of the recipients.
The key terms in the above paragraph are “mix” and “hide”. When something is mixed, tracing it becomes difficult because there’s too much noise, like trying to distinguish the notes in a song when 11 other songs are playing at the same time. In this analogy, the number of concurrent tracks playing is known as the “anonymity set”. In contrast, when something is hidden, there’s no noise, but there’s no sound either (which is obviously preferable from a privacy point-of-view).
Monero uses a combination of mixing and hiding, which achieves good, but not perfect privacy. Monero — as one of the first privacy-centric cryptocurrencies to emerge — has had to deal with notable traceability flaws in the past, and its efforts to tackle these challenges can be gathered by eyeing through the abstracts of the papers on the Monero Research Lab page. It is a continuous process of learning about privacy new attack vectors, patching those, and moving forward.
While transactions are always mixed before they are broadcasted in Monero, users may still desire to obfuscate which IP address they’re emitting these mixed transactions from. Monero can be made to be used with Tor although a different network-layer privacy solution is in progress.
Zcash offers privacy that keeps you safe in a world of machine learning and AI. Monero, Grin, and Beam don’t. They use decoy payments to obscure what you do. While these help, decoys don’t stop merchants from tracking you via your payments. Decoys wouldn’t stop your boss from learning you repeatedly visit a gun range or a gay bar. Decoys don’t keep you safe if you are a dissident trying to accept donations online but hide your real identity. There they fail particularly badly: getting a handful of tiny donations from the secret police would allow an authoritarian government to identify and detain you.
The decoy-based privacy approaches of Monero, Grin, and Beam are about as good as spelling out S — — E — — X when talking to your wife so your three-year-old doesn’t know your nap time plans. It might work for now, but it won’t as everyone grows up and the techniques for tracking people with blockchains are still very much in their infancy.
— Ian Miers, co-founder of Zcash
Zcash’s “zk-SNARKs” provide the highest degree of privacy of any cryptocurrency. This technique doesn’t depend on mixing, because it isn’t necessary. By simply observing the blockchain, there’s no information revealed about senders, receivers or sent amounts at any point. The entire validation model of the system is ensured without providing an observer with any useful information. Miers is right in saying that there is nothing AI or machine learning algorithms could be expected to derive about the identity of users from analyzing the blockchain.
However, Zcash had to pay a price for this seemingly magical privacy technology. That price is known as the trusted setup. It is a highly sensitive initialization phase where random data is generated one-by-one by a group of people who later must not share that data with each other. If the data is combined, they can use it to create counterfeit Zcash. In the most recent setup, 87 participants (identified via PGP) participated.
Going further, just because the privacy of a coin doesn’t depend on mixing, that doesn’t mean that the anonymity set is infinite. Instead, the anonymity set here becomes the entire set of all the users of that currency. In Zcash, this, unfortunately, isn’t really true as it stands currently because the zk-SNARK technology that shields transaction information isn’t enabled by default. Zcash has two address types, t-addresses and z-addresses, and it’s only the transactions between z-addresses that are fully shielded. The t-addresses are just as transparent as ordinary bitcoin transactions. That means that the anonymity set in Zcash for its shielded transactions is just the other shielded transactions.
Let’s try to understand what this means with a practical example. Let’s say your friend asks you to send him some Zcash in the morning while you’re on your way to work. You send him some of your shielded coins to his z-address. Later, when you arrive at your job at a train station, a human rights activist wearing a mask arrives at your desk and pays for his ticket with a shielded Zcash transaction. If you know that the number of people using shielded Zcash on a daily basis on a global scale is a few dozen at best, what are the odds that the human rights activist who just bought the train ticket from you — in your town of all places — was your friend?
Because of the low uptake of shielded transactions, this applies to Zcash in a particularly bad way, but Zcash isn’t alone with this problem. If you live in a small town where barely anyone uses cryptocurrency, the scenario above would probably apply to some extent regardless of cryptocurrency choice; the use of cryptocurrency alone would be enough to spot someone in a crowd. This is also why scalability is of importance to privacy coins, because the number of transactions the system can handle is a key ingredient to how many users can participate in growing that anonymity set. So, if you do find yourself in the scenario above and have the chance to make an in-person payment, pay with cash for the time being.
Wallet recommendation: ZecWallet + Android Companion App.
Grin hides the transaction amounts and the identities of senders and receivers, and there are no addresses. These privacy preserving features in Grin are turned on by default for all users and transactions on the network. In contrast, the “opt-in privacy” approach that some previous projects have chosen, encourages surveillance and censorship, and can lead to marginalization.
Grin’s blockchain design is lightweight with little residual data stored on chain, which allows new users to bootstrap and sync fast. Overdesigning the protocol with functionality that is not thought through is actively discouraged. Grin is a proof that privacy preserving features do not need to come at the cost of performance, or complexity.
There is no trusted setup, and Grin relies on comparatively simple cryptographic assumptions that have been battle tested for a long time. As we’ve seen, projects that depend on experimental or bleeding edge cryptography suffer an increased risk of having catastrophic bugs slip in undetected. This is not surprising as few people in the world, sometimes not even the researchers themselves, are able to fully understand, let alone audit these designs.
Grin doesn’t have a foundation or a company. There are no investors to placate, no offices to raid, no CEO to coerce, and no organisation to subpoena. There is no ICO, no pre-mine, no dev tax, and no way to get rich quick at the expense of others. Development is community driven, and funding comes in the form of donations with no strings attached.
— Daniel Lehnberg, Grin developer
In the first article of this series, we described how CoinJoins comingle the inputs and outputs of multiple transactions into a single transaction. In this article, we’ve touched on Confidential Transactions which hides transaction amounts, which when used within CoinJoins improves its mixing capabilities significantly. When it was later discovered how transactions could be CoinJoined together without requiring any coordination between the senders and how intermediary transaction data could be pruned from the blockchain, it set the scene for a new cryptocurrency protocol to emerge which was named Mimblewimble.
Both Grin and Beam launched in January this year, following a 2.5-year-long widespread developer fascination over this idea. The fascination for this protocol comes from the fact that it both scales better than bitcoin and has vastly improved built-in privacy features without compromising on the system’s trust-independence (“trustlessness”). Many believe that the trustlessness-aspect of cryptocurrencies is so important that the only protocols worth pursuing are the ones that make no compromise in this regard. And while that is true also for Monero’s design philosophy, Mimblewimble-based protocols sync faster and have lower storage requirements since they leave a lot less data on the blockchain.
The Mimblewimble protocol is free from trusted setups and introduces no new cryptographic assumptions over bitcoin (neither does Monero), which means that the way in which Mimblewimble procures these advantages is generally considered safe from a cryptographic point of view.
One of the drawbacks of Mimblewimble-based protocols is that they require messages to be exchanged between the sender and the receiver for a transaction to work. This means that when two people transact, their IP addresses will be exposed to each other. This has led to intermediaries being set up such as grinbox to pass these messages between the users in an encrypted form. This doesn’t solve the problem entirely as you’re still exposing your IP address to that intermediary. Better solutions to this problem are currently in development, and in the interim, it’s possible to transfer Grin via the exchange of a file (for example on a USB stick) to avoid leaving network data traces.
Your IP is your responsibility. When you communicate with the grinbox relay service, you are exposing your IP to the relay. You can obfuscate your real IP address using services such as a VPN and/or TOR or i2p.
Wallet recommendations: Niffler
Beam provides much better scalability than Monero or Zcash, better privacy than Grin or Monero, and better practical privacy than Zcash (if you consider actual shielded address usage).
If you consider ease of use and state of the art privacy-preservation, Beam is your only choice. Try Beam’s mobile wallets and see.
— Guy Corem, Beam
To understand Beam’s supposed advantageous privacy features we have to get a bit technical and to understand the characteristics of Mimblewimble-based-protocols in general. Let’s recall the following from Lehnberg:
Grin hides transaction amounts and the identities senders and receivers, and there are no addresses
While this is true, what the Mimblewimble-protocol doesn’t hide very well is the so-called “transaction graph”. What this means is that in Mimblewimble, before the transactions have been finalized on the blockchain, it is still possible for a network listener to see how transactions reference each other. The Beam developers explain the problem in practical terms here:
Suppose Bob has a store, and Alice is his rival, she wants to know Bob’s supplier. So she pays Bob (buys something from him), then Bob pays his supplier Charlie, later Charlie pays Dan, Dan pays Erin. Alice sees all those transactions, but has no idea of user identities.Eventually Erin gets revealed — buys something from Alice for instance. Alice kindly asks [bribes / threatens / tortures] Erin to tell her who did he get that UTXO from, this way Dan gets revealed. And so on. At every step Alice is certain there is a relation to the next user.
Both Grin and Beam have addressed this problem by leveraging non-interaction CoinJoins in the Dandelion stem phase, which in English means that before a transaction is widely broadcasted over the network, it is forwarded to a number of other users first where each person adds their own transactions they want to send. Due to the nature of the Mimblewimble protocol, transactions can be merged with each other without any coordination, so the contents within the packet are mixed but remain valid.
Beam’s claim to superior privacy over Grin is that in Beam, users themselves will create a number of dummy UTXOs (unspent transaction outputs) to add to the mix during this phase so that regardless of how many users are currently adding transactions, there’s always an anonymity set of a minimum size. Instead of using a “grinbox”, Beam has developed its own decentralized addressing system which is intended to make it easier for users to interact with each other without leaking IP address information. That said, it is important to once again recognize that these are very new projects and that many of these details may change later on.
Except for the fact that its privacy is still mix-based (as per Miers’ remarks), the weakest point of Beam is that it is the smallest coin of the four and operates more similarly to a company project than the other coins. Because of this, its ties to the open-source community are weaker (however, Beam has undergone multiple security audits — the last audit was completed in Q1 2019).
Wallet recommendations: Beam Wallet
Special thanks to Francisco Cabañas, Ian Miers, Daniel Lehnberg and Guy Corem.
*The essays in this series will form the basis for a report to be published by Coin Center, the leading cryptocurrency policy research and advocacy group based in Washington, DC.
**The Zcash Foundation contributed funding for the project. The Zcash Foundation exists to build and support tools that enable privacy and autonomy, particularly with respect to people’s transactions and financial information.