Why the concept of anonymity is as clickbaity as this article title… and a zero-knowledge proof

JonJon Clark, Newtown Partners
May 25, 2018

In this day and age, transactions are perhaps one of the most plentiful interactions in existence. Whether people are buying their morning coffee, airtime, insurance, fuel or almost anything else, transactions underpin our way of life. Each transaction signifies our willingness to exchange our money for something we perceive as valuable.

For the most part, these transactions have taken place with cash, credit cards or perhaps via a traditional EFT. With the world’s inevitable shift toward adopting blockchain technology, we are starting to see more and more of these transactions facilitated via another medium: cryptocurrencies. It should thus be of fair importance to us to consider exactly how anonymous these cryptocurrency transactions are. With many recent examples, erm… Facebook, where personal data has been targeted and used maliciously, it comes as no surprise that people’s concerns are far reaching and extend to the privacy of their cryptocurrency transactions.

Let’s look at the following question which will help lead us toward some answers: Which cryptocurrency would you use to send a transaction you did not want anyone to know anything about?

This exact question appeared in a Coinbase poll several months ago, and it really piqued my interest to see what the public’s general perception on this question was. Take a moment to answer the question yourself, then have a look at the results below (these were the results at the time of the screenshot and of course may have changed) and see how your thoughts compare with the general public’s.

Interestingly enough, the results show that 36% of people believe bitcoin is the way to go for transaction anonymity, making it by far the most popular choice.

Spoiler alert: bitcoin is far from the best way to go if you are looking for transaction anonymity (we’ll get more into that later). So, why is there such a widespread misconception that bitcoin hides users’ transactions under some veil of anonymity? I can only conjecture, but it probably has to do with the fact that bitcoin is the face of cryptocurrencies and blockchain technology, whether we like it or not. Another guess: bitcoin is synonymous with the infamous illegal online marketplace, Silk Road, and if some kind of cyber mafia was accepting it as payment, then it’s probably pretty anonymous, right? Actually, not so much.

Bitcoin is, amongst other things, a public transaction ledger. What exactly does that mean? It means that every single bitcoin transaction that has ever taken place, ever-ever, can be viewed openly and easily by anyone in the world with a couple of clicks. Try for yourself. Visit https://blockchain.info/ and have a gander. If we take a closer look at one of the blocks and pick a transaction, it will look something like this:

The above transaction signifies that 0.01428359 bitcoin was sent from the public address 13xffWvwUGgCVVAYXMwtY7LesHAEn4DhMK to the public address 1NzE3UqrsemkmKu3NKnds8xjefPMJKYia8.

You might now be thinking: well, that is pretty anonymous, I have no idea who this ‘13xffWvwUGgCVVAYXMwtY7LesHAEn4DhMK’ person is! To an extent, you are right. This is what we term pseudo-anonymous (or pseudonymous). Some person controls this public address, and nothing about the long unique string itself, 13xffWvwUGg…, helps us to identify who that person actually is.

Let’s first look at the impending danger. If anyone is able to find out who exactly owns that public address, then they have the ability to easily find every transaction that has ever taken place with that public address. This means they can scrutinise your entire transaction history, something that many people would consider a violation of their privacy.

Well, so what? How would someone find out about my public address anyway? Well, for one, you could request payment from someone, and you would obviously need to provide them with a public address for payment. Just like that, they know who you are and can go and peruse all the previous transactions that have taken place with your public address. At this point, you’re probably asking yourself: “There is a workaround though, isn’t there? Couldn’t you just generate a new public address and ask for payment to be sent to that new address?” This appears fine, until you send bitcoin from this new address to your old public address or to any other public address that may be linked to you. Then you would essentially be back where we started. Any time a transaction occurs between two addresses we can draw a link between them and possibly infer a relationship. This extends to a very powerful concept known as transaction graph analysis: we can begin to draw links between all bitcoin transactions. Below is an example of such a graph.

The lines represent the links between certain public addresses due to transactions. The really big circle we see is something called SatoshiDice. It’s essentially a gambling game where a user can send some bitcoin to a public address in the hope of winning some bitcoin in return. Obviously lots of people feel they are lucky!
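The fresh-address slip described above, as an added example (not code from the original post): a toy ledger in which `addr_old` is known to belong to a person, and a graph walk that shows which addresses become linked to it once the new address pays the old one. All addresses, amounts and the ledger itself are constructed.

```python
# Constructed ledger of (sender, receiver, amount); these addresses are made up.
# Only addr_old is known to belong to Alice; addr_new is one she generated later.
BEFORE_SLIP = [
    ("addr_old", "addr_shop", 0.50),
    ("addr_new", "addr_cafe", 0.10),
]
# The same ledger after Alice sends funds from the fresh address to her old one.
AFTER_SLIP = BEFORE_SLIP + [("addr_new", "addr_old", 0.20)]


def history(ledger, address):
    """Everything the public ledger shows for one address, once it is tied to you."""
    return [tx for tx in ledger if address in tx[:2]]


def build_links(ledger):
    """Undirected graph: every transaction draws an edge between two addresses."""
    links = {}
    for sender, receiver, _amount in ledger:
        links.setdefault(sender, set()).add(receiver)
        links.setdefault(receiver, set()).add(sender)
    return links


def linked_addresses(ledger, known):
    """Addresses reachable from an identified one by following transaction links.

    This is the crude version: a shared counterparty (the cafe) also pulls in
    unrelated payers, so real analysis weighs the links rather than treating
    reachability as proof of common ownership."""
    links = build_links(ledger)
    seen, stack = set(), [known]
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        stack.extend(links.get(addr, ()))
    seen.discard(known)
    return seen
```

Before the slip the walk from `addr_old` reaches only the shop; after it, the fresh address and everything it touched are pulled in too.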

So, we’ve had a very brief look at how bitcoin perhaps isn’t as anonymous as we think. If we look back to the poll, I’d like to have a brief look at another option: Zcash.

What is Zcash doing differently to afford users anonymity? They are using zero-knowledge proofs! What does this mean? They prove the validity of transactions whilst conveying ‘zero knowledge’. To expand, they allow us to prove that a certain transaction from one public address to another is a valid transaction (i.e. the paying public address has enough funds), without revealing anything about those two public addresses or the amount in question. Thus, even though we once again have a public transaction ledger, we can infer nothing at all from these transactions.

Let’s now try to demystify, at a very basic level, how these zero-knowledge proofs actually work. Remember, a zero-knowledge proof is proving something while conveying ‘zero knowledge’ in the process. So imagine the situation pictured below.

There is a cave shaped like a donut with a wall on the far side from the entrance stopping you from being able to pass through. This wall can however be passed through by saying a magic password. Sarah (in pink) wants to convince John (in green) that she knows the password. The first way she could do this would be to walk with John to the wall, shout out the magic password, and if she passes through then John would be convinced that Sarah knows the password. The problem with this conventional approach is that John would learn the magic password, which perhaps Sarah would not like him to know. This approach is akin to the working of bitcoin where everyone sees every transaction so we can be certain of the bitcoin value each public address holds, but this comes at the cost of everyone being able to know this information.

Sarah needs a way to prove to John that she knows the password without actually telling him what the password is. This is what we term a ‘zero-knowledge proof’. Proving something (the fact that Sarah knows the password), whilst conveying zero-knowledge (without John learning the password).

Sarah would achieve the zero-knowledge proof in the following manner. She would enter the cave and arbitrarily choose to go to side A or side B. John would then come to the cave entrance and ask Sarah to exit from either side A or side B. Now, if Sarah does indeed know the password, she will be able to pass through the wall and emerge from the requested side. However, if she doesn’t know the password, she has only a 0.5 probability of being able to emerge from the side requested by John. John would now simply repeat the experiment n times, meaning Sarah could only pass all his tests without knowing the password with probability 2^(-n). Repeating this experiment just 15 times would mean Sarah would have only a 2^(–15), or 0.0031%, chance of passing John’s test without actually knowing the password. So, more correctly, we term this an argument of knowledge, as Sarah cannot actually prove she knows the password; but by repeating the experiment multiple times and letting n tend toward infinity, there is only an arbitrarily small chance that Sarah could convince John she knows the password without actually knowing it.
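The cave protocol above, as an added simulation (not code from the original post): an honest prover and a bluffing prover face John’s repeated A/B challenges, and the bluffer’s acceptance rate is compared with the exact 2^(-n) figure. The password string and the equality test standing in for the magic wall are constructed for the simulation.

```python
import random
from fractions import Fraction

PASSWORD = "open-sesame"  # constructed secret; the wall opens only for this


class Prover:
    """Sarah. Constructed with the password she believes in (or a bluff)."""
    def __init__(self, claimed_password, rng):
        self.claimed_password = claimed_password
        self.rng = rng
        self.side = None

    def enter_cave(self):
        # Step 1: walk in and pick side A or B at random, unseen by John.
        self.side = self.rng.choice("AB")

    def exit_from(self, requested):
        # Step 2: John names a side. If she is already there, just walk out.
        if self.side == requested:
            return requested
        # Otherwise she must pass the wall, which only the password allows.
        if self.claimed_password == PASSWORD:
            return requested
        return self.side  # stuck: she emerges from the wrong side


def run_protocol(prover, rounds, rng):
    """John's side: repeat the challenge n times; one wrong exit rejects."""
    # John sees only sides, never the password: that is the zero-knowledge part.
    for _ in range(rounds):
        prover.enter_cave()
        challenge = rng.choice("AB")
        if prover.exit_from(challenge) != challenge:
            return False
    return True


def honest_passes(rounds, seed=0):
    """A prover who really knows the password is accepted in every round."""
    rng = random.Random(seed)
    return run_protocol(Prover(PASSWORD, rng), rounds, rng)


def cheat_success_probability(rounds):
    """Exact chance a bluffing prover passes all n rounds: 2^(-n)."""
    return Fraction(1, 2 ** rounds)


def estimate_cheat_rate(rounds, trials, seed=0):
    """Monte Carlo check of the 2^(-n) figure using a bluffing prover."""
    rng = random.Random(seed)
    wins = sum(run_protocol(Prover("bluff", rng), rounds, rng) for _ in range(trials))
    return wins / trials
```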

Zcash actually uses something called zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs); think of it as a very, very clever variant of zero-knowledge proofs. If you are feeling brave and want to learn more about zk-SNARKs, I recommend reading this blog post by Christian Reitwiessner.

What about the other cryptocurrencies that feature in the poll? Ether’s case is akin to bitcoin’s, and it likely ranks highly in the poll due to its popularity amongst the public. Let’s briefly shift our focus to Monero, a cryptocurrency that is definitely worth a mention. Monero has the same goal as Zcash of affording users complete transaction anonymity, yet instead of relying on zero-knowledge proofs, it relies on a cryptographic primitive termed ‘ring signatures’. It again presents a very interesting solution to the problem of anonymity and serves to show that there is often more than one way to skin the proverbial cat.

I’ve really only just had time here to scrape the surface of this topic, but I hope that this little bit of insight has helped you to learn something!

Originally published at www.newtownpartners.com on May 25, 2018.
