Privacy Pools: Balancing Blockchain Transparency with Individual Privacy

i.AM Lab
Published Sep 20, 2023


Blockchains make our assets and history public, while most desire some level of privacy. Privacy Pools are a novel solution using zero-knowledge cryptography that can offer benefits to users wishing to demonstrate legitimacy. The flexibility and opt-in nature of Privacy Pools allows each user to choose how and with whom they use them.

By John Orthwein
Head Engineering & Tech at i.AM Lab


Many people think of blockchains as dark and nefarious places where questionable actors come to transact ill-gotten gains. This can be true, but fundamentally blockchains are simply neutral, transparent and public accounting ledgers. You can think of Bitcoin or Ether as a two-column spreadsheet of addresses and quantities. If you possess the private key of an address that has a positive quantity, you have the power to change the public ledger reflecting a “transfer” of some quantity. Ethereum’s smart contracts gave rise to user-defined tokens, each with their own public ledger and similar rules for transfer.

Blockchain proponents spoke glowingly of pseudo-anonymity: a new paradigm, turning the traditional financial privacy model on its head. Instead of publicly opaque transactions and identities known only to sender, receiver and intermediary (bank), blockchain transactions showed all details of all transactions — but the public had no way of knowing the human identities that controlled the addresses.

This seems theoretically interesting at first glance. Practically, however, we quickly run into a problem. Let’s say I settle a bill with my friend using the blockchain, or I publicly associate an NFT with my Twitter/X profile. I’ve now irreversibly revealed my address, assets and entire transaction history to my friend or potentially to the world. Some may welcome such radical transparency, but many of us might desire a modicum of privacy. Everyone desires privacy to some degree. It is a fundamental right and an important part of a functioning society and economy. Privacy should be the default and people should be given that choice because that genie can’t be put back into the bottle.

There have been many solutions proposed to enable on-chain privacy, from dedicated privacy blockchains (Monero, ZCash) to clever, “moon-math” smart contracts that cryptographically break the link between a deposit address and a withdrawal address. The more deposits into the smart contract’s “anonymity set”, the more ambiguous (hence private) a withdrawal would be. Tornado Cash was one such protocol on Ethereum. Tornado Cash was so good at this that it drew the attention of OFAC (US Office of Foreign Assets Control) and the smart contract was placed on the SDN blacklist (Specially Designated Nationals and Blocked Persons List), normally reserved for dictators and terrorists. The Tornado Cash smart contract (and its developers) became criminalized overnight, even though much of the anonymization activity was legitimate transactions of users simply desiring robust financial privacy. Clearly there is a tension between legitimate user privacy and regulatory oversight/compliance. This tension was only exacerbated by the fact that nation states could not stop the activity; they could only maintain a blacklist (the “naughty list”).

Last week Vitalik Buterin, Jacob Illum, Matthias Nadler, Fabian Schär and Ameen Soleimani released a paper entitled “Blockchain Privacy and Regulatory Compliance: Towards a practical Equilibrium”. The paper details a novel scheme that sets out to ease this tension and satisfy these conflicting perspectives.

Privacy Pools are an on-chain construct that use extremely powerful cryptographic tools called “zero-knowledge proofs” together with a set of addresses to obscure the exact source of funds. A person can use a zero-knowledge proof to prove a claim about some data without revealing what the data is. Now this is very abstract, so let’s try to understand it on a more practical level.

Figure: Conceptual example of a Privacy Pool implementation

If we know that tokens held by an address are “clean” (not illicit), then we know that transfers from that address are also clean. If we have a large set of clean addresses, then all transfers from that group are clean too. The paper refers to such sets of addresses as “association sets”.

Remember the goal is to break any address relationship so that the sender–receiver link is sufficiently obfuscated. So, the larger the association set, the more obfuscated the link and the more private the withdrawal address becomes.

Imagine a smart contract that allows anyone to deposit tokens and hundreds of addresses do just that. Now I withdraw my deposited tokens to a fresh, new address, but I want to prove to an external party (the verifier) that the withdrawn tokens are from a clean address. The claim or assertion here would be that the tokens’ source is an address contained in a subset of all depositing addresses. The smart contract allows withdrawal only if I submit the correct proof. The proof is created with the publicly known association set data and the private data — the original deposit address.

If the deposit address is a member of the association set, I can withdraw the tokens to the new address and I have proven that the tokens originated from a member address of the association set. The verifier can check that addresses in the association set are not illicit or blacklisted (a service provider or government might offer such verification). This would create high confidence that withdrawn funds are not illicit and yet the source has not been revealed.
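The deposit, association set, proof and withdrawal flow just described, as an added Python simulation (this is not code from the article, nor from the paper’s authors or any Privacy Pools implementation). Deposit commitments stand in for the article’s “addresses”, hash-based Merkle membership proofs stand in for the zero-knowledge proof, so the prover’s witness (secret, nullifier, tree paths) is visible to the verifier here instead of hidden inside a proof, and the association-set provider is assumed to publish an ordered list of the deposits it vouches for. The `Note`, `PrivacyPool`, `prove_withdrawal` and `verify_withdrawal` names are this example’s own.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated inputs; used for commitments, nullifiers and tree nodes."""
    return hashlib.sha256(b"".join(parts)).digest()


def merkle_root(leaves: list[bytes]) -> bytes:
    """Root of a binary hash tree; an odd-sized level gets its last node duplicated."""
    level = list(leaves) or [h(b"empty")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; True means the sibling sits to the right."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        path.append((level[sibling], sibling > index))
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path


def merkle_verify(leaf: bytes, path: list[tuple[bytes, bool]], root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_right in path:
        node = h(node, sibling) if sibling_is_right else h(sibling, node)
    return node == root


@dataclass
class Note:
    """Depositor's private data behind one deposit; only the commitment goes on-chain."""
    secret: bytes
    nullifier: bytes

    @property
    def commitment(self) -> bytes:
        return h(b"commit", self.secret, self.nullifier)

    @property
    def nullifier_hash(self) -> bytes:
        return h(b"nullify", self.nullifier)


class PrivacyPool:
    """Public state a pool contract keeps: the deposit list and the spent nullifier hashes."""

    def __init__(self) -> None:
        self.commitments: list[bytes] = []
        self.spent: set[bytes] = set()

    def deposit(self, note: Note) -> int:
        self.commitments.append(note.commitment)
        return len(self.commitments) - 1


def prove_withdrawal(pool: PrivacyPool, note: Note, association_set: list[bytes]):
    """Prover side: public inputs plus the witness a ZK circuit would keep hidden.
    Returns None when the deposit is not in the association set (no honest proof exists)."""
    if note.commitment not in association_set:
        return None
    return {
        "public": {
            "pool_root": merkle_root(pool.commitments),
            "association_root": merkle_root(association_set),
            "nullifier_hash": note.nullifier_hash,
        },
        "witness": {
            "secret": note.secret,
            "nullifier": note.nullifier,
            "pool_path": merkle_path(pool.commitments, pool.commitments.index(note.commitment)),
            "association_path": merkle_path(association_set, association_set.index(note.commitment)),
        },
    }


def verify_withdrawal(pool: PrivacyPool, proof, trusted_association_root: bytes) -> bool:
    """Verifier side: the constraints the circuit would enforce, checked here in the clear.
    A real contract accepts any recent deposit root; this toy only accepts the current one."""
    if proof is None:
        return False
    pub, w = proof["public"], proof["witness"]
    commitment = h(b"commit", w["secret"], w["nullifier"])
    checks = (
        pub["pool_root"] == merkle_root(pool.commitments),       # proof is against real deposits
        pub["association_root"] == trusted_association_root,    # root the verifier vouches for
        pub["nullifier_hash"] == h(b"nullify", w["nullifier"]),  # nullifier bound to this note
        pub["nullifier_hash"] not in pool.spent,                # no double withdrawal
        merkle_verify(commitment, w["pool_path"], pub["pool_root"]),
        merkle_verify(commitment, w["association_path"], pub["association_root"]),
    )
    if not all(checks):
        return False
    pool.spent.add(pub["nullifier_hash"])
    return True


def demo() -> dict:
    """Constructed scenario: six deposits; the association-set provider vouches for the
    first four and excludes the last two (say, they came from a blacklisted address)."""
    pool = PrivacyPool()
    notes = [Note(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(6)]
    for n in notes:
        pool.deposit(n)
    association_set = [n.commitment for n in notes[:4]]
    association_root = merkle_root(association_set)
    return {
        "clean_withdrawal": verify_withdrawal(pool, prove_withdrawal(pool, notes[1], association_set), association_root),
        "replayed_withdrawal": verify_withdrawal(pool, prove_withdrawal(pool, notes[1], association_set), association_root),
        "excluded_deposit": verify_withdrawal(pool, prove_withdrawal(pool, notes[5], association_set), association_root),
        "forged_association_root": verify_withdrawal(pool, prove_withdrawal(pool, notes[5], pool.commitments), association_root),
        "anonymity_set_size": len(association_set),
    }
```

Running `demo()` shows the four outcomes the text implies: a withdrawal backed by a vouched-for deposit passes, the same nullifier hash cannot be used twice, an excluded deposit cannot produce an honest proof, and substituting a larger “association set” of the prover’s own choosing fails because the verifier only accepts the root it trusts. In the real scheme the only new public data a withdrawal leaks is the nullifier hash, and the withdrawal is hidden among the `anonymity_set_size` deposits in the association set, which is why a larger set means more privacy.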

The logic presented here is sound and straightforward. It could provide workable solutions which satisfy honest, privacy-seeking users and compliance professionals/regulators. But with this solution, other nuanced questions arise. Should honest people with legitimate sources accept the onus of proving their own innocence? Does the pragmatism of the tradeoff merit the slippery slope of a “guilty until proven innocent” regime? Legal and philosophical discussions on the presumption of innocence and burden of proof are a long, deep topic far outside the scope of this article. The counterpoint to this is that Privacy Pools as described would be voluntary and opt-in, not a coerced change to a base-layer protocol. Crypto has always been about self-sovereignty, flexibility and alternatives. Privacy Pools represent exactly that: the free choice to use them or not, a choice to associate or disassociate. There is no doubt that further privacy solutions and ideas will develop in open permissionless systems, that many privacy alternatives will coexist on-chain, and that users will use those that fit their needs best.

Want to know more? Contact us at hello@iam-lab.ch
