Privacy and anonymous cryptocurrencies


Translation of an article by Eric Wall, Chief Investment Officer at Arcane Assets.
In the previous two parts, we learned about the footprints we leave when we use Bitcoin and the tools that hide those footprints.
We also realized that it is quite difficult to achieve complete anonymity in Bitcoin. While there are publicly available software tools that make it difficult to track bitcoin transactions, these features are rarely free to use, and their codebases have - so far - been less rigorously audited, which in itself can be considered a privacy risk. Although special attention is paid to privacy in the development of bitcoin, the following question remains relevant today: if the goal is to maintain confidentiality, then why not use an anonymous cryptocurrency?
In the previous part of this series, we talked about the importance of using a new address for every transaction. The simplicity of this idea is very important because a Bitcoin address generated using only computer code and mathematics is enough to receive money from anyone anywhere in the world without any questions. And since the sender transmits the transaction, the receiver doesn't need to broadcast anything to the bitcoin network at all. However, even in this simple scenario, our privacy is still under threat from the lack of counterparty privacy.
Suppose you bought bitcoins from an exchange and left no trace of your intention to buy bitcoins elsewhere. It is possible that you will be able to take the necessary precautions so that you do not leave any marks on this first purchase. But you will need to take more precautions if you want to make transactions more often, in different circumstances and using different types of devices. One mistake is enough to destroy your privacy. This responsibility can become burdensome for users who want to use cryptocurrency regularly.

Can't I just use the Lightning Network?

The Lightning Network improves privacy in Bitcoin, which we mentioned in part one. You can, of course, become one of the Lightning users, but you should keep in mind that Lightning is, first of all, a scaling technology, and not a technology to improve the privacy of bitcoin. The system is currently developing rapidly and its privacy aspects have not yet been thoroughly studied. In addition, since this is still a relatively new technology, it is not certain that you will find many people using the Lightning Network.

What about the Liquid sidechain?

It is better to think of Liquid as an 11-of-15 multisig wallet: for all the money that you use on this network, you are in fact trusting the members of this association.
Liquid's privacy advantage is that it uses Adam Back and Gregory Maxwell's Confidential Transactions technology, which hides transaction amounts. This improves privacy, but does little to anonymize the parties to the transaction. Plus, retail users currently barely use Liquid.

Anonymous coins

Thus, maintaining a high level of privacy on the transparent bitcoin blockchain is challenging. In the future, the Bitcoin protocol will become more confidential, but until then it makes sense to pay attention to alternative cryptocurrencies that are focused on maintaining complete anonymity of users.
The purpose of anonymous cryptocurrencies is to use cryptography to make the information on the blockchain incomprehensible to an observer, but at the same time, the system must ensure that all rules on the network are followed.
If the development of such a system were trivial, then it is possible that it would have already been implemented in bitcoin.
Most of the cryptographic solutions that are used today in anonymous coins (Monero, Grin and Beam) originally emerged as proposals to improve the privacy of bitcoin, but for various reasons were not implemented.
It's important to understand why Bitcoin developers are careful when it comes to improving privacy. Aside from implementation difficulties, privacy enhancement techniques often increase the size of the transaction, which harms the scalability of the system. Also, if the proposals to improve privacy were implemented, the coin supply - which anyone with a calculator can check today - would rest on trust that the cryptography is working correctly.
In Monero, we have discovered and fixed a critical bug that affects all CryptoNote-based cryptocurrencies and allows unlimited coins to be generated in a way that cannot be detected by an observer.
-, May 17, 2017 ( source )
We discovered [and fixed] a cryptographic vulnerability underlying some zero knowledge proofs [...] an attacker could have created fake Zcash without being discovered [...] this vulnerability was so subtle that it was not noticed for many years by experienced cryptographers analyzing systems that implement zero knowledge proofs.
- Electric Coin Company, February 5, 2019 ( source )
To be clear, this does not mean that anonymous coins have errors and bitcoin does not. Errors are a problem for every cryptocurrency, including bitcoin. The key difference here is that when a bug allows an attacker to print money in an anonymous coin, it can go unnoticed for years. This gives the attacker time to exchange these coins for others. The transparency of bitcoin allows errors in emission to be detected quickly (example), which gives network users the opportunity to correct the situation before the damage becomes systemic.
Moreover, problems with bugs in the code are not limited to just emission. While a privacy-focused cryptographic protocol can guarantee a high level of user anonymity, it can itself be implemented with errors. Only a thorough analysis of the software by competent developers can help avoid this.
In the famous poem by Robert Frost, a journey along an “unfamiliar road” can be interpreted as an opportunity to gain new unique experience and knowledge. But in open source software and cryptocurrencies, this advice is likely to lead to new bugs and vulnerabilities.
It's complicated. These are small things. If you are interested in all these new projects with "magic solutions", then you better be skeptical about them. And if you are disappointed with how slow bitcoin is moving, then I can say that bitcoin is moving too fast. It's hard and scary. And we need to slow down and be more careful.
- Andrew Poelstra, director of research at Blockstream and co-author of the Mimblewimble protocol (the core of the Grin and Beam cryptocurrencies).
Does this mean that anonymous coins are a bad idea? It is important to understand the trade-offs and risks here. So, keeping your savings in anonymous coins might not be the smartest idea, but they are still good options for making anonymous transactions.
The disadvantages of anonymous coins include: higher volatility, a higher risk of critical vulnerabilities and failures, as well as fewer organizations that accept such cryptocurrencies. The advantage is a higher level of anonymity.

Choosing an anonymous coin

The best thing we can do to minimize the disadvantages listed above is to choose an anonymous coin with competent developers. The four largest coins in terms of market cap (going by an estimate of the market cap for the recently issued anonymous coins) are Monero, Zcash, Grin, and Beam.
We spoke with one person from each project and asked them to describe in their own words the benefits of their project (especially compared to other coins). While all of these projects have the same goal, each coin has its own set of trade-offs regarding privacy, security, scalability, and usability.

I. Monero

Monero has no founder rewards, no trusted setup, and no premine. Monero is a true decentralized virtual currency in accordance with FinCEN's rules and guidelines. Monero has no company, no regulator. Mandatory privacy for everyone at Monero is ensured by a large anonymous set. The issue of the coin is also important. Monero will always have a minimum block reward of 0.6 XMR - this will encourage miners to keep the network secure at all times.
Any project that claims perfect confidentiality should be treated with extreme caution and skepticism. However, I believe Monero offers a very competitive privacy solution.
- Francisco "ArticMine" Cabanas, Monero Core
The Monero project was launched in 2014 - it is the oldest of the four coins presented. The technologies that provide privacy in Monero are ring signatures, ring confidential transactions and stealth addresses. Together, these three technologies mix the spent coins among false paths (decoys) and hide the amounts sent and the recipient addresses.
The key terms in the above paragraph are "mix" and "hide". When something is mixed, it becomes difficult to track it down because too much noise is created - it's like listening to one song with 10 others playing at the same time. In this analogy, the number of songs is called the "anonymity set."
This provides good, but not perfect, privacy. Monero was one of the first anonymous cryptocurrencies to deal with user privacy vulnerabilities in the past (see the Monero Research Lab page for its remedial measures).
Recommended wallet: Monero GUI Wallet + Monerujo (Android app that can be connected to Monero GUI Wallet).

II. Zcash

Zcash brings privacy to the world of machine learning and artificial intelligence. Monero, Grin, and Beam don't. They use decoys to hide what you are doing. While it helps, decoys don't stop merchants from tracking you through your payments. Decoys won't stop your boss from knowing that you've visited a shooting range or gay bar repeatedly. Decoys will not protect you if you are a dissident trying to accept donations on the internet but hiding your real name. Here they are especially vulnerable: receiving a small amount of coins from the police would allow an authoritarian government to identify and detain you.
Monero, Grin, and Beam's approaches to anonymity are almost as good as the letter-by-letter pronunciation of S - - E - - X when talking to your wife. Your three-year-old may not be aware of your plans. But this will not always work - the child will grow up, just like blockchain analysis, which is now in its early stages of development.
- Ian Miers, Co-Founder of Zcash
Zk-SNARKs technology provides a high level of anonymity in any cryptocurrency. This technology is independent of mixing. By analyzing the blockchain, you will not find any information about the senders, recipients, or transaction amounts. Validation in the system is provided without providing the observer with any useful information.
However, Zcash has had to pay the price for this seemingly magical privacy technology. The compromise was the trusted setup. This is a critical phase of network launch, when random data is generated by a group of people who should not share this data with each other. If this data is combined, it can be used to create fake Zcash.
Just because the privacy of a coin is independent of mixing does not mean that the anonymity set is unlimited. Anonymity on a blockchain is possible only because all network users use the privacy features. In Zcash, unfortunately, this is not entirely true, because in the Zcash blockchain there are two types of addresses - t-addresses and z-addresses - and only transactions between z-addresses are completely anonymous. T-addresses are as transparent as regular bitcoin transactions.
If you know that the number of people using Zcash on a daily basis globally is a few dozen at best, what are the odds of catching you in the crowd?
On the other hand, if you live in a small town where almost no one uses cryptocurrency, the scenario described above is applicable to any cryptocurrency; using cryptocurrency alone is enough to spot someone in the crowd. This is why scalability is important for anonymous coins, since the number of transactions that the system processes is a key component of an anonymous set.
Recommended wallet: ZecWallet + Companion App for Android.

III. Grin

Grin hides transaction amounts and the identity of senders and recipients; there are no addresses. Privacy features are enabled for all users and transactions on the Grin network. In contrast, the privacy approach taken by previous projects encourages surveillance and censorship and can lead to marginalization.
The Grin blockchain is relatively lightweight - it stores little data, allowing new users to quickly download and sync it. Grin is proof that privacy features don't always overload or complicate the blockchain.
There is no trusted setup — Grin relies on relatively simple cryptographic assumptions that have been tested over time. Projects that use experimental or new cryptography are more likely to find critical bugs. This is not surprising since few people in the world, sometimes even researchers themselves, are able to fully understand (let alone audit) the solutions used.
Grin does not have a foundation or company. No investors, no offices, no CEO. There is also no ICO, no developer rewards and no way to get rich quick at the expense of others. Development is carried out by the community and funding is in the form of donations with no strings attached.
- Daniel Lehnberg, Grin Developer
In the first part, we described how CoinJoin combines the inputs and outputs of multiple transactions. In this article, we touched on "confidential transactions", which hide transaction amounts and which, when used together with CoinJoin, could significantly improve mixing capabilities. It was later discovered how transactions can be combined into a CoinJoin without requiring any coordination between senders, and how intermediate transaction data can be removed from the blockchain. This idea became the basis for a new protocol called Mimblewimble.
Both Grin and Beam launched in January of this past year. The interest in this protocol stems from the fact that it scales better than Bitcoin and has significant privacy improvements. Mimblewimble-based protocols sync faster and have lower memory requirements as they leave much less data on the blockchain.
One of the drawbacks of Mimblewimble-based protocols is that they require a message exchange between sender and receiver in order to complete a transaction. This means that when two people make transactions, their IP addresses will be open to each other. The developers have created intermediaries (grinbox) to transfer encrypted messages between users. This does not completely solve the problem, as you are still exposing your IP address to this intermediary; however, your IP is your responsibility. When you connect to grinbox, you can hide your real IP address via i2p, a VPN and/or Tor.
Recommended wallet: Niffler

IV. Beam

Beam provides much better scalability than Monero or Zcash, better privacy than Grin or Monero, and better “privacy in practice” than Zcash.
If you want ease of use while maintaining a reasonable level of privacy, then Beam is your best bet. Try Beam mobile wallets and see for yourself.
- Guy Corem, Beam
Let's remember Lehnberg's words: “Grin hides transaction amounts and the identity of senders and recipients; there are no addresses.”
However, the Mimblewimble protocol doesn't hide the so-called "transaction graph" very well. This means that in Mimblewimble (before the transaction was completed on the blockchain), the observer can still see how transactions refer to each other. The Beam developers explain the problem with this example:
Suppose Bob has a store, and Alice is his rival, she wants to know Bob's supplier. So she pays Bob (buys something from him), then Bob pays his supplier Charlie, later Charlie pays Dan. Alice sees all these transactions, but has no idea about the users.
Eventually, she finds out about Dan (he buys something from Alice). Alice kindly asks Dan [bribes / threats / torture] to tell her who he got this UTXO from, thus revealing Charlie. At every stage, Alice is sure that there is a connection with the user.
Both Grin and Beam have solved this problem by using non-interactive CoinJoins. Before a transaction is broadcast over the network, it is first relayed through a number of other users, each of whom adds the transactions they want to send. Due to the nature of the Mimblewimble protocol, transactions can be pooled with each other without any coordination, so the contents of the packet are mixed but still valid.
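The two properties described for Mimblewimble (transactions merging into one CoinJoin with no coordination, and intermediate data being dropped) can be shown with Pedersen commitments. This is an added example, not code from Grin, Beam or the article's author; it assumes a toy, insecure group (integers modulo a Mersenne prime, with G and H as stand-in generators) and omits the range proofs and kernel signatures that a real implementation needs.

```python
import secrets
from dataclasses import dataclass
from math import prod

# Toy group, constructed for illustration and NOT secure.
P = 2**127 - 1          # Mersenne prime modulus
ORDER = P - 1           # exponents are reduced modulo the group order
G, H = 3, 5             # stand-ins for generators with no known discrete-log relation

def commit(value, blind):
    """Pedersen commitment G^value * H^blind: hides value, multiplies homomorphically."""
    return pow(G, value % ORDER, P) * pow(H, blind % ORDER, P) % P

@dataclass
class Tx:
    inputs: list    # commitments being spent
    outputs: list   # commitments being created
    kernels: list   # excess values H^(sum of output blinds - sum of input blinds)

def build_tx(spent, created):
    """spent/created are lists of (value, blind) pairs known only to the two parties."""
    excess = sum(b for _, b in created) - sum(b for _, b in spent)
    return Tx([commit(v, b) for v, b in spent],
              [commit(v, b) for v, b in created],
              [pow(H, excess % ORDER, P)])

def verify(tx):
    """Observer's check: outputs / inputs must equal the product of the kernels,
    which holds only if the hidden amounts net to zero (no G component is left)."""
    lhs = prod(tx.outputs) * pow(prod(tx.inputs), -1, P) % P
    return lhs == prod(tx.kernels) % P

def aggregate(a, b):
    """Merge two transactions without help from their senders, then cut through:
    an output of one that the other spends is removed from both lists."""
    ins, outs = a.inputs + b.inputs, a.outputs + b.outputs
    for c in [c for c in ins if c in outs]:
        ins.remove(c)
        outs.remove(c)
    return Tx(ins, outs, a.kernels + b.kernels)

def demo():
    r = lambda: secrets.randbelow(ORDER)
    alice_in, bob_out, alice_change = (10, r()), (7, r()), (3, r())
    carol_out, bob_change = (5, r()), (2, r())
    tx1 = build_tx([alice_in], [bob_out, alice_change])   # Alice pays Bob 7
    tx2 = build_tx([bob_out], [carol_out, bob_change])    # Bob pays Carol 5
    merged = aggregate(tx1, tx2)                          # Bob's output disappears
    inflated = build_tx([alice_in], [(11, r())])          # outputs exceed inputs by 1
    return (verify(tx1), verify(tx2), verify(merged),
            len(merged.outputs), verify(inflated))
```

The merged transaction still verifies with Bob's intermediate output gone, while the transaction whose outputs exceed its inputs is rejected even though no amount is ever visible to the verifier.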
Beam's claim of superior privacy over Grin rests on the fact that in Beam, users create multiple bogus UTXOs themselves, so no matter how many users add transactions at any given time, there is always a minimum anonymity set. Instead of grinbox, Beam developed its own decentralized addressing system, which should make it easier for users to interact with each other without leaking information about IP addresses. However, it is important to re-emphasize that these are new projects and much more may change in the future.
The fact that privacy is still based on mixing (as Miers pointed out) is Beam's weakest point, as it is the smallest coin of the four. Also, of the four coins, Beam most resembles a company project, which is why this coin has a rather weak connection with the open source community (although Beam has passed several security audits).
Recommended wallet: Beam Wallet
