📰News

This week, in tech news outside the cryptocurrency world, Reuters reported that Apple scrapped plans for end-to-end encrypted iCloud backups under pressure from the FBI. Apple, a company that primarily makes revenue from device sales, has long pushed their pro-privacy stance as a differentiator from competitors like Google, which collect consumer data used to sell targeted advertising. Link.

Privacy is, unsurprisingly, a hot topic in the cryptocurrency ecosystem, which inherited a strong pro-privacy ethos from the cypherpunk movement, where Satoshi Nakamoto famously introduced Bitcoin. This perspective, though, has long been in tension with the transparent nature of public ledgers. To address this disconnect, many projects have emerged over the years trying various technical approaches to bring privacy to decentralized cryptonetworks.

In this edition of Build Blockchain, we'll take a look at the state of the art in cryptocurrency privacy tech, focusing on the capabilities and limitations of technologies that are live, available, and widely used today. There are many more projects in the pipeline, some of which show great promise, but we'll leave those for a future issue.

Baseline: Weak Pseudonymity

Bitcoin, Ethereum, and most other cryptocurrencies are not anonymous. You probably knew that, but for many people who are only vaguely familiar with the idea of cryptocurrencies, this often comes as a surprise. Transactions on these networks are tied to a pseudonym, namely an address, and the activity of all addresses is visible to everyone. Therefore, any action that ties your address to your real identity reveals all your past and future activity on the network.

Unfortunately, de-anonymizing actions include most everyday use cases, like making a payment, accepting a payment, or using centralized exchanges to buy, sell, and trade. There are also more sophisticated approaches to identification, such as observing network traffic to tie transactions to IP addresses, or triangulating identities by observing repeat payments to merchants a person is known to interact with.

Coin Mixing

The most basic approach to privacy on cryptonetworks is to restore anonymity by breaking the trail of connected transactions between addresses. This can be achieved through a process called mixing. If two or more users first pool their coins together, then send them out to various addresses in equal denominations, it becomes unclear which coins belong to whom.

The group of entities participating in an instance of mixing is commonly referred to as the "anonymity set." Someone attempting to trace coin ownership would know that mixed coins belonged to someone in the anonymity set, but would struggle to say who. The larger the set, the less likely it is coin ownership can be reverse engineered.

The earliest and most basic form of mixers were centralized services, and many still exist today. They allow users to send coins to an address own by the service provider, while a server controlled by the provider tracks how much each user has submitted. At some point in the future, the user asks the provider to send their coins back out to an address of their choosing.

The obvious problem with this approach is that it requires trusting the centralized entity. Not only must you trust them not to steal or lose your coins, you also have to trust them not to log or leak any possibly identifying data, like your IP address or browser information. For this reason, creating trust minimized mixing methods has been the focus of many privacy centric projects.

CoinJoin

In 2013, Bitcoin developer Gregory Maxwell proposed a trustless mixing method now commonly referred to as CoinJoin. Link.

CoinJoin is essentially a trust free mixer shoved into a single transaction. Because Bitcoin transactions can combine any number of inputs, which are spent to any number of outputs, a group of peers can collaborate to contribute funds to a single large transaction where each user dictates the receiving addresses of their coins. The transactions are constructed such that they're only valid when all parties have signed, and there's no way for any party to receive more than their own contribution. On chain, it's impossible to tell whose coins went to which receiving addresses. Link.



While rather elegant, there are still a number of limitations to CoinJoin. For one, because the mixing occurs in a single transaction, the anonymity set is realistically limited to one or two hundred parties. Furthermore, the peers with whom you collaborate to construct the transaction might be able to learn about your receiving addresses. There are also statistical approaches to de-anonymizing CoinJoin transactions, such as the technique referred to as CoinJoin Sudoku. Link.

A number of strategies have been employed to mitigate these risks, such as blinded receiver commitments, and multiple rounds of CoinJoin. Today there are a number of Bitcoin wallets that automate this process for you, and can provide relatively good privacy if used carefuly. In particular, Wasabi wallet and Samourai wallet are two popular open source choices.

A more insidious drawback of CoinJoin, and in fact with all forms of mixing, is the issue of "tainted coins." Let's say, for example, that you participated in a CoinJoin where the anonymity set happened to include an address tied to a dark web market for illicit drugs. For moral or legal reasons, merchants and exchanges might refuse to accept all coins that went through that transaction. Furthermore, entities might choose to blacklist any coins that have ever been mixed, for fear of some unseen liability.

Smart Contract Mixers

CoinJoin utilizes the multi-input, multi-output nature of Bitcoin transactions to provide trust free mixing, but Ethereum's account based protocol is not compatible with this approach. Instead, trustless Ethereum mixers have emerged which leverage the network's robust smart contract features. The Tornado Cash mixer is the most popular example, and it utilizes zero knowledge proofs to remain trust free.

TornadoCash allows users to generate a secret, then submit the hash of that secret to the chain along with a deposit of a standard denomination. At some point in the future, utilizing another address, the user submits a zero knowledge proof of their secret— without actually revealing it— thus claiming their funds without linking it to the deposit directly. All of this is possible because Ethereum smart contracts can be programmed to validate the zero knowledge proofs. Link.



One advantage of this approach is that the anonymity set is potentially unbounded, and it grows the longer funds are in the mixer. The smart contract can account for any number of users, it's purely a matter of demand. Unfortunately, smart contract mixers suffer the same risk of "tainted coins" as other mixing methods.

Monero And Zcash

Thus far, we've talked about approaches to privacy that aim to maintain anonymity by breaking the traceable trail of transactions. Two major drawbacks to this approach are the limited size of anonymity sets and the risk of mixed coins being considered "tainted." Both of these issues stem from the fact that these mixing solutions are being bolted onto networks that are transparent by default. They don't actually hide anything, they just obscure it to some degree. All the senders, receivers, and amounts are still completely visible. There are a number of standalone, privacy centric blockchain networks that aim to solve these issues, the most prominent of which are Monero and Zcash.

Monero uses a form of zero knowledge proofs called "Bulletproofs" to provide confidential transactions. This means the amounts sent and received are completely obscured. The senders and receivers of each transaction are not hidden, but to compensate, the protocol uses a technology known as ring signatures. These allow users to add "decoy" signatures to their transactions from any other known signature on the network, essentially mixing each transaction with other random addresses. Link.



Zcash goes a step further, leveraging a more advanced form of zero knowledge proof to provide fully shielded transactions. This means both the amounts and the addresses involved are completely invisible to the network. Only the proof is actually published. Fully shielded zero knowledge transactions are by far the strongest form of privacy available in crypto today, but there are limitations. Link.



For one, producing these proofs is slow and requires paying higher fees. As such, the Zcash network makes them optional, allowing users to choose transparent addresses with the same properties as Bitcoin. Recent upgrades to the Zcash network have improved this situation, but the total shielded pool on Zcash remains well under 10% of all coins.

Does Anyone Care?

I started this issue of the newsletter with a report that Apple had scrapped plans for end to end encryption of iCloud backups under pressure from politicians and the FBI. To come to this decision, Apple must have estimated the downside from government pressure outweighed the commercial upside of offering this service to consumers. One possible conclusion is that the pressure must have been significant. That’s an alarming thought.

Perhaps even more alarming, and dare I say more likely, is that Apple knows from experience that they stand to gain fairly little from offering consumers better privacy protections. In other words, most people just don’t seem to care. It's not a real differentiator for their products. This would make any further scrutiny from the FBI simply not worth the trouble.

Those of us who are most interested in cryptonetworks tend to take for granted that privacy is desirable, and that it’s worth a little extra trouble or cost to achieve. It’s why the technologies I’ve detailed in this newsletter have been built, and why so many others are being developed as we speak.

Despite this intuition, here’s the ground truth that we actually observe: usage of CoinJoin is minimal on Bitcoin, anonymity sets for Tornado Cash are quite modest, Zcash has absolutely languished in the market— with Monero fairing only slightly better— and an entire decentralized finance ecosystem has emerged on Ethereum, despite everything being transparent. Even amongst the small community of enthusiasts and early adopters, people seem simply not to care.

I wish I had an optimistic note to end on here, but honestly, I don’t. I’m increasingly concerned we’re going to end up building a global financial panopticon, and I don’t know what the consequences of that will be. I suppose I do take solace in believing a decentralized, fully transparent system is still better than the alternative: a world where all currency is digital, but is centrally controlled and visible only to those with power. To me, though, this is very much a “lesser of two evils” outcome.

I guess part of my exasperation about privacy stems from the fact that I don’t see it primarily as a problem for technology to solve. In fact, I believe the technologies for strong privacy do and will exist. I’m just not convinced people will care enough to adopt them. Here’s to hoping I’m very wrong.