Your Blockchain Privacy Primer
Just like Zuck, we believe that privacy is a crucial element to the proper functioning of the future of the Internet. That’s why this month we will be going deep on privacy coins.
The Scalability Race
It is well known in the crypto market that scalability remains an unresolved roadblock to mass market adoption. Bitcoin and Ethereum, the two largest cryptoassets by market capitalization, max at around 7 transactions per second (tps) and 15 tps, respectively. To put this into context, individuals often cite the Visa network’s ability to process over 24,000 tps as a benchmark. CryptoKitties, a decentralized app where you can collect and trade digital kitties, nearly crashed Ethereum at the end of 2017 because of the congestion in processing trades. Without scalability, blockchains cannot function.
So what’s preventing blockchains from becoming as scalable as Visa’s network? Their decentralized nature.
Bitcoin and Ethereum are trustless because there are thousands of independent nodes across the world, run by independent companies and individuals, that maintain the security of the network. The more nodes there are, the more difficult it is for one node/person/nation/enterprise to attack the network. However, the more nodes there are, the more servers decisions are processed through, and thus the longer it takes to agree on a decision. A direct democracy is a good analogy here — how long would it take to pass a bill if every American citizen had to vote on every bill proposed as a new law?
Vitalik Buterin, co-founder of Ethereum, has coined this major problem the “scalability trilemma”: how can blockchains be scalable, secure, AND decentralized?¹ Solving this trilemma remains the foremost objective in the industry today. If we cannot find solutions, adoption will never take off, and the complex challenges our industry addresses like non-sovereign money, individual data ownership, or banking the unbanked, may never be solved.
For now, there are a few core ideas² behind solving the scalability trilemma:
- Replace the “direct democracy” approach blockchains use for governance with a representative democracy. The independent nodes all over the world elect a subset of nodes to manage the network. This way, decisions only have to pass through the delegates and can be made much faster. Three of the largest blockchains by market cap, EOS (#5), Tron (#10), and Tezos (#22) use delegated governance. Critics of delegated blockchains argue that with fewer machines, the network will become less secure, and furthermore, these “elections” are subject to manipulation, increasing the potential for corruption.
- Use a smaller number of trusted nodes run by corporations that have reputation at stake
- Maintain the fully decentralized (direct democracy) approach; instead, rely on technological improvements to increase the efficiency of the communication between the nodes in both time and space.
- Since not all transactions need such a high level of security, we can move/validate those with lower security requirements off-chain or to side-chains.
The last two options are complex. There are dozens of companies that are trying to solve this at the protocol layer using technology like sharding or complex calculus. There are many others tackling scalability via off-chain and side-chain solutions such as payment channels (lightning network, raiden) and other state channels, plasma. None of these are yet successfully operational at scale. You can time stamp the industry as being in the midst of a “scalability race.”
But what’s this have to do with Privacy?
Many crypto enthusiasts were originally attracted to Bitcoin because they believed it was anonymous. This is not true; contrary to popular belief, Bitcoin is far from anonymous. While real-world identities aren’t revealed, when users engage in a Bitcoin transaction, their public keys (public address), and transaction amounts are broadcasted to the public ledger. Anyone who has obtained a record of the blockchain over time can easily visit these users’ wallet addresses to see how much Bitcoin they own.³ ⁴ Furthermore, once someone transacts with a counterparty he/she learns one of the counterparty’s public keys, and thereafter can trace the holdings tied to that public key. In fact, law enforcement has previously used end-users’ misperception of Bitcoin’s transparency to its advantage. Kathryn Haun, who is a General Partner at Andreessen Horowitz, previously led a Ted Talk on how the US Government used full-nodes on Bitcoin to trace $13.4M to Ross Ulbricht, the mastermind behind the first modern darknet market, Silk Road.
Nevertheless, there are multiple blockchains that have been engineered to be private. The major ones, based on their technical proficiency⁵ and the market cap of their associated cryptocurrencies, are Monero (#13) and Zcash (#21). In addition, two new privacy coins, Grin and Beam, launched in January 2019 and are generating a lot of recent buzz in the industry. Privacy research continues to be at the forefront of the crypto space, as we’ve seen with the most recent Zether whitepaper, published in late February 2019 as a collaboration between the senior research teams in applied cryptography from Stanford University and Visa.
The purpose of these blockchains is self-explanatory: you can buy/sell/trade value and record the transaction on the blockchain, anonymously. Many view privacy coins as technology that supports the dark web; however, privacy is important for all users if crypto payments are to become mainstream — do you want your coworkers to know how much you spent on your girlfriend’s birthday present? These blockchains are working on protocols that fundamentally protect people’s personal information but also can be audited/examined by law enforcement if nefarious activity is suspected.
So, what does privacy have to do with the scalability race? Think about it this way — when you don’t tell everyone, everything, you theoretically can save time and space. Capitalizing on this interesting axiom, blockchain developers have been working hard to implement “zero-knowledge” proofs, which are protocols within the blockchain code that allow independent nodes to verify transactions in a block without identifying the participants involved or the inputs and outputs of the transactions. There are ways, using math, to make this possible, which is an amazing and potentially game-changing concept.⁶ Thus privacy blockchains and scalability progress are intimately linked.
Over the next few weeks, we will release analyses on the leading and bleeding edge privacy coins. Today, we start with two of the oldest and largest privacy coins by market capitalization — Monero and Zcash.
Disclaimer: These are in-depth reports that will take time to read, but hopefully you will learn a lot. Our recommendation: pick a Sunday afternoon, kick up your feet, and enjoy.
Monero is the oldest major privacy coin. It was created in 2014 through a hard-fork of the Bytecoin protocol. Monero, by design of the protocol, has mandatory anonymization. The protocol relies on three methods to accomplish this (and a fourth on the way):
1. Ring Signatures
Ring Signatures protect the anonymity of the sender (from everyone but the receiver). Generally speaking, when a sender initiates a transaction with a recipient in a blockchain network, the sender digitally signs, with its private key, the value it is sending to prove to the recipient they agree to the value they’re transferring. This is the technical equivalent to signatures we provide on documents today when we’re agreeing to a transaction i.e. signing the check. The receiver uses the public key of the sender to unpack the digital signature from the sender and confirm, based on what the unpacked digital signature says, that the sender intended to send what was sent. Most blockchains today are multi-signature protocols, meaning multiple entities need to sign the transaction on behalf of the sender before it is submitted to the receiver. The receiver then can use the public keys from all of the entities that signed the transaction to decrypt the digital signature and confirm its accuracy.
Ring signatures are a specific type of multi-signature where at least six decoy parties, who each hold the same amount of transacted Monero in their wallets, are randomly selected to sign a transaction in addition to the true sender. You can verify the validity of the transaction by using the public keys of the parties, but you cannot figure out which member sent the funds, and which are decoy co-signers. As Monero’s sponsored website puts it: “In a ‘ring’ of possible signers, all ring members are equal and valid. There is no way an outside observer can tell which of the possible signers in a signature group belongs to your account.” However, Monero initially had issues guaranteeing anonymity with ring signatures because observers, who had access to the public keys of the random accounts chosen, could explore the transaction history of each of the public keys and eliminate the public keys that were inactive — meaning they hadn’t transacted Monero in a while. As it turned out, the account with either the most recent or most active wallet was usually the sender. [You can read more about this here]. Additionally, adding at least six decoy signatures to each transaction significantly increases the size of a transaction and ultimately the Monero blockchain. Because full-nodes have to scan the entire blockchain to validate transactions, the larger the size of the blockchain, the longer it will take to validate transactions, and the more expensive it will be for nodes to scan the blockchain.⁷
RingCT, adopted by Monero in January 2017, anonymizes the amount sent between the sender and receiver. RingCT implements the Confidential Transactions algorithm developed by Gregory Maxwell, a type of “zero-knowledge” proof which allows for the amount transferred to be completely obfuscated to everyone outside of the sender and receiver. The implementation of Confidential Transactions is a reflection of the progress the industry has made with implementing zero-knowledge proofs in the last two years.
Here’s how the algorithm works: before the transaction is submitted to the blockchain, the sender and receiver each choose their own “blinding factor”. A blinding factor is a randomized string of letters and numbers that is multiplied by the value being transacted to obscure the network from knowing how much is really being transferred. Multiplying the blinding factor by the value being transferred produces a new public key called a “Pedersen Commitment”. The sender and receiver each create their own Pedersen Commitment and subtract the receiver’s Pedersen Commitment from the sender’s (Output — Input). When the transaction is published to the blockchain, validating nodes just see the resulting Pedersen Commitment.
Because the validators do not know the random blinding factors of the sender and receiver, there’s no way for them to unwind the resulting Pedersen Commitment and determine the value transferred. But the validators do not need to unwind anything in order to approve the transaction. Here’s the zero-knowledge proof: the only component that differs between the Pedersen Commitment of the sender and that of the receiver is the difference in value of their blinding factors. So as long as the receiver’s Pedersen Commitment — the sender’s Pedersen Commitment equals the difference in their blinding factors, the validating nodes can approve the transaction and post it to the next block.⁸
You may ask — how can the validators be sure the resulting Pedersen Commitment equals the difference in their blinding factors? To test this, before the validators approve the transaction they could have the involved parties redo their transaction with dummy blinding factors supplied by the validators and see if the resulting Pedersen Commitment is what the validators anticipate. Ultimately, there are many ways the protocol can test for the “soundness” of a zero-knowledge proof without breaking with zero-knowledge principle. These are called rangeproofs, and they are a series of proofs that prove a blinding factor lies within a certain interval or “range” of known numbers. A common rangeproof is to prove that the value transacted is non-negative, as transferring negative values would allow the sender to create value out of thin air.⁹ Confidential Transactions require that each transaction contains a rangeproof(s), and the rangeproofs are actually included in the block with the transaction data. For those interested, you can learn more about Monero’s particular rangeproofs here.
In addition, by obscuring transaction values the adoption of RingCT minimized the vulnerability in detecting the true sender in Ring Signatures because it eliminated the requirement that each of the decoys have to possess the value being transferred, thereby massively increasing the decoy pool.
Although zero-knowledge proofs might be the holy grail of secure verification in decentralized systems, the first implementations have been both computationally intensive and expensive. This can be attributed to the rangeproofs, which account for the vast majority of data in blocks that use them. Therefore, in October 2018, Monero hard-forked its protocol and reconstructed Confidential Transactions into a bulletproof, a much more efficient zero-knowledge proof standard. Under the original zero-knowledge proof standard for Confidential Transactions, each transaction size in a block scaled linearly (1 output = 7kB, 2 outputs = 13kB). Under bulletproofs, transaction sizes scale logarithmically instead (ex: 1 output = 2kB, 2 outputs = 2.5kB). According to Monero, this represents an 80% reduction in transaction size. Therefore, the integration of bulletproof standards into zero-knowledge algorithms has the potential to give the Monero blockchain sustainability.
3. Stealth Addresses
Stealth Addresses protect the anonymity of the receiver (from everyone but the sender). Before completing the transaction, the sender creates a new, one-time public address for the receiver by multiplying its private address by the public address of the receiver, thereby creating a stealth address. This stealth address is what the receiver submits to the block when the transaction is pending.
Stealth addresses protect the anonymity of both the sender and the receiver:
- Because a hashed output address doesn’t reveal anything about its inputs, the receiver doesn’t learn the sender’s private key through this process.
- Because none of the validators know the sender’s private key, they cannot establish a connection between the receiver’s public key and its stealth address.
- Because a new stealth address is created for each transaction, this limits each sender’s ability to track the activity of the receiver just to their transaction.
In order to understand Kovri, it’s important to know that there are two layers to blockchain privacy. The first, which Ring Signatures, RingCT, and Stealth Addresses attempt to protect, is validation privacy: the network can verify the transaction without exposing the personal/private details of the involved parties. The second is transmission privacy.
In order to understand transmission privacy, we need to briefly walk through how data transmission works on the Internet. Data transfer on the Internet, whether via a blockchain or other, fundamentally works in the same way: the data is originated and sent from a computer, known as the “client” node.¹⁰ The client node has a public address associated with it, which represents its location within the Internet, known as an IP address. Whether we realize it or not, the data sent and received online is always triggered by a command from the client node via an Internet browser, such as “send me to ESPN.com,” or “send this message to that e-mail address” or “send 3 BTC to Alice.” Based on TCP/IP, the communication protocol for the Internet, the sender’s command tells its client node what the intended destination node is supposed to be for the data.¹¹ Almost always, unless the client and destination nodes are on the same local network, the client node only knows the destination’s domain name, such as espn.com or an e-mail address. In other words, the sender doesn’t know the IP address of the receiver. As a result, the data travels through the Internet being forwarded from the client node through a pathway of nodes, known as “relay” nodes, looking for a DNS server that contains the domain name in its database and its associated IP address.
Here’s a key point to understand: the data itself isn’t traveling aimlessly looking for the right DNS server. If that were the case, the data would pass through and be exposed to a bunch of unnecessary nodes. Instead, the shortest path between the senders address and unknown receivers address is solved, like a puzzle, using Dijkstra’s algorithm.¹² Once the shortest path is determined, the data passes through the relay nodes along that path. Therefore, unnecessary nodes do not touch the data.
Here are additional consequences of this setup:
- Because Dijkstra’s algorithm determines the transmission route before the data is transferred, each node only knows the previous node and the next node in the transmission pathway. The only computer that knows the sending IP address is the sender, and the only computer that knows the receiving IP addresses is the destination computer.
- The DNS server is queried for the IP address of the destination computer, but because Dijkstra’s algorithm computes before the data is transferred, it learns nothing about the information/value being transferred.
- The data that’s being transferred does not contain information on the sender and receiver. So again, relay nodes learn nothing about the sender and receiver.
- The Internet and TCP/IP protocol use domain names for navigation rather than IP addresses because this adds in a critical layer of obfuscation.
So — taking all this into consideration, where’s the vulnerability? Our description may have made TCP/IP appear fortified, but there are actually multiple ways to “cyber attack” via the Internet. There’s an entire industry (Cybersecurity) dedicated to combating this pursuit. Generally speaking, the first type of attack are destructive attacks — many of these, such as DDos, overwhelm and take out the functionality of a targeted client. The second are spying attacks — where attackers can access the sender, receiver and data being transferred.¹³
So how can blockchain nodes avoid the range of possible cyber attacks? Well, guaranteed avoidance isn’t possible unless nodes remain offline, because when you interact with other nodes you assume the risk the counterparty is infected with a virus, that upon interaction, could harm your computer. This, again, is merely how the Internet works because it’s empirically peer-to-peer / node-to-node. However, if the attack isn’t coming from your counterparty but rather a third-party, there is a proposed solution for how to avoid attacks: obfuscating either your location or your transmission pathway.
Privacy, the form of cryptography, strikes again. One of the preeminent proposals behind transmission security are anonymous P2P communication systems. Heard of Tor? Tor, or The Onion Router, was the first commercialized anonymous P2P communication system, developed in the mid-1990’s by the US Navy to protect US intelligence communications online.¹⁴ The purpose of Tor is to enable anonymous transmission of data on the Internet. Nodes on the Tor network essentially have downloaded the Tor software that allows them to decrypt encrypted data transmissions. The Tor network consists of the user/client, internal relay node and exit nodes, which are the last node in transmission before the data exits out of the Tor network and is sent to the receiver, who is likely outside of the Tor “bubble.” Additionally and also as popular, there’s the Invisible Internet Project (I2P), which takes anonymity one step further. I2P, initially released in 2003, is an encrypted Internet inside of the Internet; sender and receivers are apart of the I2P network, and the protected data never leaves the bubble. Because of this, some refer to I2P as the true darknet. Both I2P and Tor are free and open-source software. You can learn more about how Tor and I2P work and their similarities and differences as P2P encryption networks here.
A Monero development team, led by core Monero developer “Anonimal” has been working on an integration of I2P for Monero named Kovri. Simply put, I2P is programmed in Java and Kovri was proposed as an enhanced, C++ implementation. Kovri currently is not live and updates from Anonimal have been few and far between. On December 25, 2018, Anonimal released a white paper on Sekreta, which could be an updated version of Kovri and references Kovri’s I2P protocol throughout its analysis. All in all, the intention of Kovri / Sekreta is to couple transmission privacy with the more popularly addressed validation privacy. We will provide updates if there is any announced progress on Monero’s I2P solution.
In review, Monero has mandatory anonymization and utilizes a combination of zero-knowledge algorithms and community-based signature mixing to preserve users’ privacy. Monero developers are working on an interesting side project to secure transmission privacy, but this project is still under development.
Zcash isn’t the oldest privacy blockchain (it officially launched as a hard-fork of Bitcoin in October 2016), but its team and technology has led by example. Originally designed by cryptographers from some of the world’s leading academic institutions (MIT, Technion, Johns Hopkins, Tel Aviv University and UC Berkeley), Zcash’s anonymization is built entirely on zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), which allows Zcash to hide almost all data from the validators in its network (the sender information, receiver information, and transaction amounts) except for time stamps and transaction fees. Many call Zcash’s zk-SNARKs algorithm “moon math,” because of its incredible complexity. Zcash has two main features that make it standout:
- Its zk-SNARKs technology
- Its anonymization is selective
Zcash allows users, both senders and receivers, to choose whether they want their transaction information to be transparent or shielded. A fully transparent transaction, where both the sender and receiver opt out of hiding their information, looks and operates similar to that of Bitcoin. However, if any part of the transaction is shielded, Zcash uses its zk-SNARK algorithm to verify the transaction. Using a zero-knowledge algorithm rather than signature mixing makes it easier for Zcash to comply with law enforcement, as users can reveal their transaction history for a shielded address to a third party by providing their “view key”.¹⁵ Zcash also contains a memo field for shielded transactions, which you can think of as the description line on a check that only you, the recipient, and whichever third party to whom you’ve sent your “view key” can see.
What’s the difference between Zcash’s zk-SNARKs and Monero’s RingCT bulletproof? They are different zero-knowledge algorithms that have trade-offs based on time, size and cost. Exploring the trade-offs can get quite technical and is outside the scope of this paper. (For the ambitious among you, you can start here). Nevertheless, there is one aspect of the comparison that is important to explore: Zcash’s zk-SNARK implementation has, as founder Zooko Wilcox describes it, an “unfortunate vulnerability in the math,” where it requires a trusted setup, while Monero’s bulletproofs do not.
Zcash’s trusted setup is similar to the sender’s and receiver’s selection of a “blinding factor” or secret key in Monero’s RingCT. However, Zcash has one secret key and it holds significantly more importance. Because zk-SNARKs power the entire protocol, Zcash uses its blinding factor to generate the Zcash currency and launch its blockchain. On one hand, it’s efficient that the blinding factor only needs to be chosen once, rather than per transaction like Monero. On the other, the security of the entire network is predicated on this blinding factor. If somebody got a hold of it, he or she could successfully make counterfeit Zcash tokens. And because of Zcash’s privacy features, these counterfeit tokens could go undetected. Talk about a nightmare.¹⁶
So how did Zcash generate this blinding factor so that a) no one could steal it upon creation and b) they could prove to all potential future users of Zcash that no one knew, saw, learned or tampered with this number? Founding members held a ceremony right before the launch of the blockchain from October 22–23, 2016, where six independent teams in distributed locations all over the world generated and contributed a piece or “shard” of the private key, without knowledge of the others. The original Zcash “Sprout Ceremony” was quite elaborate — to hear the details, checkout journalist Morgan Peck’s entertaining first-hand account here.
Unfortunately for Zcash, their ceremonial days aren’t behind them. Every time Zcash wants to hard-fork their protocol, they have to create a new blinding key and conduct another ceremony. On April 13, 2018, Zcash completed their second “Power of Tau Ceremony,” which was public and included hundreds of participants globally,¹⁷ in preparation for their Sapling hard-fork.
One of the major problems with the optional privacy features of Zcash is that if the majority of the network opts out of the privacy feature, it becomes easier for surveyors to track the private users. So it is in Zcash’s best interests for more users to opt into privacy.
Zcash users’ initial disinterest in shielding transactions might be attributed to its computational intensity/cost and latency. Originally, Zcash’s Sprout protocol took multiple gigabytes of memory and over 30 seconds to create a shielded transaction. Under Sapling, a shielded transaction can be created in a few seconds and use only 40 megabytes of memory, making it realistic for users to regularly transact with a shielded address. In fact, this significant decrease in cost and latency pushes Zcash closer to being able to conduct shielded transfers on smartphones/mobile devices. Yet, the Zcash network has yet to reap the fruits of developers’ labor, as only 15% of all transactions on the Zcash blockchain in the past month have been partially or fully shielded.
All in all, Zcash’s protocol design leads by technical example. However, their trusted setups are still a headache, and there remains risk to the underlying security of the network if someone were to obtain this blinding factor. This captures the trade-off between Zcash and Monero. One utilizes a trustless protocol (zk-SNARKs) reliant upon a trusted setup. The other has trustless features but is not trustless throughout, instead relying on obfuscation tricks whose success is correlated to its network size. Neither are perfect, which is why other privacy coins (Grin and Beam) have continued to launch.
All material presented in this article represents the research analysis and opinions of the author. Nothing in this article should be construed as investment advice.
¹ Zooko Wilcox, founder of Zcash referenced in the following Zcash section, has coined Zooko’s Triangle, a similar trilemma around building a system that is secure, decentralized, and uses a naming scheme that is actually meaningful/memorable to the end user. Read more here.
² There is an additional approach, which is to permission the blockchain. Permissioned blockchains, also referred to as consortium blockchains, are fully decentralized but nodes have to be invited to participate. From a governance standpoint, they are essentially closed-sourced, direct democracies. Many enterprises are exploring consortium blockchains as an alternative to their legacy centralized database infrastructure. See JPM Coin and Quorum as an example here.
³ By default, Bitcoin’s wallet is built so that each time you receive a payment, your public address is updated to a new, unique address in order to avoid observer traceability. However, Ethereum does not do this by default, so you can trace a user’s activity by following his or her public key on the blockchain. Read on more on this here. Bitcoin has developed many privacy methods (Centralized Mixing, Tumblebit, CoinJoining, Confidential Transactions, Stealth Addresses, off-chain solutions such as Lightning Network), but these are not a part of the default protocol because they either involve third parties to work or haven’t been implemented yet. Read more on this here.
⁴ There is demand for blockchain-tracking startups whose objective is simply to monitor wallets and transactions on blockchains to detect criminal activities.
⁵ This statement is based on the fact that the majority of leading publications in the blockchain industry that have published primers on privacy blockchains have concentrated their analysis on Monero and Zcash.
⁶ In fact, zero-knowledge proofs were originally invented in 1985 by MIT researchers Shafi Goldwasser and Silvio Micali and University of Toronto researcher Charles Rackoff. See the original paper here. In proof systems between a prover (sender) and a verifier (receiver), research traditionally focused on safeguarding the system from the malicious intentions of the prover. The team instead focused on safeguarding the system from the malicious intentions of the verifier. As we figure out how to make the Internet more secure for users, zero-knowledge proofs are gaining momentum today. Read more from Matthew Green, one of the founding Zcash scientists, here.
⁷ Additionally, the more expensive it becomes for nodes to scan the blockchain, the more expensive miner fees will become. Miner fees are not the focus on this report, but read more on this here.
⁸ This proof works because of the homomorphic properties of Pedersen Commitments.
⁹ For example, if the sender sent 2 Monero to the receiver and kept -1 Monero in his/her wallet as change, the sender essentially sent 1 Monero to the receiver he or she did not own.
¹⁰ The client node can be a personal computer, smartphone, server, etc. any type of computer.
¹¹ For those interested in a visual illustration of the evolution of the Internet, see here.
¹² Does this sound like how GPS works? You don’t drive aimlessly, and the path is predetermined? Dijkstra’s algorithm and variants thereof are used for GPS systems as well.
¹³ For more information on common types of cyber attacks, read here.
¹⁴ The idea for an anonymous communication system was proposed by cryptographer David Chaum in 1981, which soon thereafter developed into eCash, an anonymous electronic P2P money system that many consider to be the original precursor to Bitcoin. Read more here.
¹⁵ Monero offers a view key feature as well, but it only allows third parties to review information on the receiver (show the public address tied to the stealth address), which isn’t very helpful.
¹⁶ In fact, Zcash announced in February 2019 it had discovered a counterfeiting vulnerability in the system 17 months after launch, which was fixed by the Sapling upgrade in October 2018.
¹⁷ In fact, adding hundreds of participants made the ceremony more secure, as an attacker would have needed to learn all hundreds of shards to steal the blinding factor, rather than just six. Also, multiple mixing algorithms were used to randomize the shards, unlike the first ceremony which used just one.