One of the most sought-after features of cryptocurrency is the relative anonymity it offers when sending and receiving payments. Whereas PayPal, for example, requires each sender to disclose real-world identity details such as name and contact information up front, sending and receiving crypto normally requires disclosing nothing more than a wallet address.
That said, with most cryptocurrencies it does not take much effort to link a public address back to a specific user.
Coins such as Bitcoin are therefore described as "semi-anonymous" or "pseudonymous": the real-world identity behind an address is not recorded anywhere, but because every transaction is broadcast to a public blockchain, the complete transaction history of each public address is visible to anyone who cares to look.
This partly explains the emergence of privacy coins, which in some cases are proving to be enormously popular. Privacy coins go one step beyond their more transparent crypto peers by protecting the address of the sender and receiver, as well as the value of coins being sent.
Bitcoin vs Privacy Coins
Bitcoin uses an unspent transaction output (UTXO) model: each transaction consumes outputs of earlier transactions as its inputs and creates new outputs, each locked to an address. Because every input points explicitly at the output it spends, anyone can follow the chain of outputs and inputs across the blockchain, and tracking funds back to a specific address becomes a fairly straightforward graph traversal.
And should that address eventually cash out through an exchange, its link to a bank account can very likely reveal the identity of the user behind it.
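To make that tracing concrete, the following is an added example (not part of the original article) that models a handful of constructed Bitcoin-style transactions as a graph, walks an output's ancestry back through the inputs that funded it, and applies the common-input-ownership heuristic used by blockchain analysis firms: addresses whose outputs are spent together in one transaction are assumed to share an owner. The transaction IDs, addresses and amounts are made up for the example.

```python
from collections import defaultdict

# Constructed sample data (not real chain data): each transaction lists the
# outputs it spends as (txid, index) and the outputs it creates as (address, BTC).
TXS = {
    "tx1": {"inputs": [],                          # coinbase-style: no inputs
            "outputs": [("addrA", 5.0), ("addrB", 3.0)]},
    "tx2": {"inputs": [("tx1", 0), ("tx1", 1)],     # spends A and B together
            "outputs": [("addrC", 7.5), ("addrD", 0.5)]},
    "tx3": {"inputs": [("tx2", 1)],
            "outputs": [("addrE", 0.49)]},
    "tx4": {"inputs": [("tx2", 0), ("tx3", 0)],     # spends C and E together
            "outputs": [("exchange_deposit", 7.9)]},
}


def owner_of(txs, txid, index):
    """Address that received output (txid, index)."""
    return txs[txid]["outputs"][index][0]


class Clusters:
    """Union-find over addresses."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Common-input-ownership heuristic: every address spent in the same
    transaction is assumed to belong to one wallet. Returns a set of clusters."""
    uf = Clusters()
    for tx in txs.values():
        spent = [owner_of(txs, t, i) for t, i in tx["inputs"]]
        for addr in spent[1:]:
            uf.union(spent[0], addr)
        for addr, _ in tx["outputs"]:
            uf.find(addr)                # register addresses that are never spent
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}


def trace_back(txs, txid, index, depth=0, seen=None):
    """Walk an output's ancestry back through the inputs that funded it.
    Yields (depth, txid, index, address) for every ancestor output."""
    seen = set() if seen is None else seen
    for ptx, pidx in txs[txid]["inputs"]:
        if (ptx, pidx) in seen:
            continue
        seen.add((ptx, pidx))
        yield depth + 1, ptx, pidx, owner_of(txs, ptx, pidx)
        yield from trace_back(txs, ptx, pidx, depth + 1, seen)


def funding_addresses(txs, txid, index):
    """All addresses that ever held coins feeding into the given output."""
    return {addr for _, _, _, addr in trace_back(txs, txid, index)}


if __name__ == "__main__":
    for group in sorted(cluster_addresses(TXS), key=sorted):
        print("likely same owner:", sorted(group))
    for d, t, i, a in trace_back(TXS, "tx4", 0):
        print("  " * d + f"{t}:{i} ({a})")
```

Run on the sample, the clustering puts addrA and addrB in one wallet and addrC and addrE in another, and the trace from the exchange deposit reaches every address that ever held the coins. Real analysis adds change-address heuristics and exchange KYC data on top of this, but the core is exactly this graph walk.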
In contrast, privacy coins mitigate this transparency by concealing the identities of the sender and receiver, the amount being sent, and the link between the inputs and outputs of a transaction, so that the history of any particular address cannot be traced.
Monero and Zcash are currently the most popular privacy coins; both sit in the top 25 coins by market cap. Both rely on sophisticated cryptography to achieve that privacy, but through quite different mechanisms, which we briefly explain.
Like Bitcoin, Monero uses public addresses. But unlike Bitcoin, the funds a party owns are never linked on the blockchain to that public address: outputs are paid to one-time keys, so inputs and outputs cannot be traced or tracked back to a specific address.
Monero achieves this principally using stealth addresses and ring signatures.
To receive Bitcoin, you share your public address, and every payment to it is then visible on the chain, which sacrifices your privacy to some extent. On the Monero network, by contrast, the sender combines the receiver's public keys with a fresh random value to derive a stealth address: a one-time destination key to which the output is sent.
The output is structured so that the receiver can scan the blockchain and, using his private view key, recognize the output destined for him. The sent output is therefore never associated on-chain with the receiver's wallet address.
As such, although everyone can see the one-time public key on the blockchain, only the sender and receiver know the exact details of the transaction, and the receiver's public wallet address is never published at any stage.
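The stealth-address derivation described above, as an added example that is not Monero's own code: the elliptic-curve arithmetic Monero performs on Ed25519 is replaced by exponentiation in a toy multiplicative group (the integers mod the Mersenne prime 2^521 - 1), Keccak-256 is replaced by SHA3-256, and group elements are encoded as plain fixed-width integers. Those substitutions are assumptions of the example; the algebra is otherwise the one the text describes: the sender computes H_s(rA, i)G + B, the receiver recomputes it as H_s(aR, i)G + B using only the private view key a, and only the holder of the spend key b can derive the one-time private key.

```python
import hashlib
import secrets

# Toy cyclic group for illustration only: the multiplicative group mod the
# Mersenne prime 2^521 - 1, with exponents reduced mod p - 1 (Fermat: g^(p-1) = 1).
# Monero uses the Ed25519 curve; the stealth-address algebra is the same in any
# cyclic group, so pow() stands in for scalar multiplication.
P = 2**521 - 1
N = P - 1
G = 3


def h_scalar(*parts: bytes) -> int:
    """H_s: hash bytes to an exponent. Monero uses Keccak-256; SHA3-256 is a stand-in."""
    h = hashlib.sha3_256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "little") % N


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element (66 bytes holds 521 bits)."""
    return x.to_bytes(66, "big")


def keygen():
    """Receiver wallet: private view key a, private spend key b, public A = g^a, B = g^b."""
    a = secrets.randbelow(N - 1) + 1
    b = secrets.randbelow(N - 1) + 1
    return {"a": a, "b": b, "A": pow(G, a, P), "B": pow(G, b, P)}


def sender_build_output(A: int, B: int, index: int):
    """Sender derives a one-time destination from the receiver's public keys only.

    Returns (R, P_out): R = g^r is the transaction public key published in the
    transaction; P_out = g^{H_s(A^r, index)} * B is the stealth address the coins
    are paid to. Neither value reveals (A, B) to an observer."""
    r = secrets.randbelow(N - 1) + 1
    R = pow(G, r, P)
    shared = pow(A, r, P)                       # Diffie-Hellman: A^r = g^{ar}
    one_time = pow(G, h_scalar(enc(shared), bytes([index])), P) * B % P
    return R, one_time


def receiver_scan(wallet: dict, R: int, P_out: int, index: int):
    """Receiver checks an output using only the private view key a.

    Returns the one-time private key (needed to spend) if the output is ours,
    otherwise None. The spend key b is only touched when the output is ours."""
    shared = pow(R, wallet["a"], P)             # R^a = g^{ra}: the same secret
    h = h_scalar(enc(shared), bytes([index]))
    if pow(G, h, P) * wallet["B"] % P != P_out:
        return None
    return (h + wallet["b"]) % N                # x such that g^x = P_out


def demo():
    """Alice receives; Bob cannot recognize the output; repeat payments are unlinkable."""
    alice, bob = keygen(), keygen()
    R, P_out = sender_build_output(alice["A"], alice["B"], 0)
    x = receiver_scan(alice, R, P_out, 0)
    spendable = x is not None and pow(G, x, P) == P_out
    foreign = receiver_scan(bob, R, P_out, 0) is None
    R2, P2 = sender_build_output(alice["A"], alice["B"], 0)
    unlinkable = P2 != P_out                    # fresh one-time key per payment
    return spendable, foreign, unlinkable


if __name__ == "__main__":
    print(demo())
```

Note the split between the two private keys: the scan needs only a, which is why Monero can hand a "view key" to an auditor who can then see incoming payments but not spend them.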
But while stealth addresses protect the receiver's identity, they do not protect the sender's. That is where ring signatures come in.
A ring signature is a digital signature produced on behalf of a group of possible signers, containing both the actual signer (the sender) and several non-signers, such that a verifier can confirm that some member of the group authorized the Monero to be sent, but not which one.
The signer plus the non-signers form a "ring". The non-signers are past outputs taken from the blockchain at random and acting as decoys, while the actual signer is the one-time key corresponding to the output being spent from the sender's wallet.
From the outside, every output in the ring appears equally likely to be the one actually being spent. This lets the sender "hide" within the ring: she signs the transaction with her one-time key yet remains indistinguishable from the decoys, and so her identity stays concealed.
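An added example of a linkable ring signature in the same toy group used for the stealth-address example (not Monero's own MLSAG/CLSAG code; the scheme is the LSAG construction of Liu, Wei and Wong, which has the same shape): the signer hides among decoy public keys, any verifier can check that the ring closes, and the key image that Monero also attaches to each spend makes a second signature by the same key detectable without revealing which ring member signed. The group, the hash function and the sample messages are assumptions of the example.

```python
import hashlib
import secrets

# Same toy group as the stealth-address example: multiplicative group mod the
# Mersenne prime 2^521 - 1, exponents mod p - 1. Monero signs over Ed25519 with
# MLSAG/CLSAG; the construction below is the classic linkable ring signature
# (LSAG) of Liu, Wei and Wong: decoy keys plus a key image that exposes any
# second signature by the same key.
P = 2**521 - 1
N = P - 1
G = 3


def H(*parts) -> int:
    """Hash bytes and group elements to an exponent mod N (SHA3-256 for brevity)."""
    h = hashlib.sha3_256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else x.to_bytes(66, "big"))
    return int.from_bytes(h.digest(), "big") % N


def hash_to_group(ring) -> int:
    """h = H_p(ring): a group element whose discrete log nobody knows."""
    data = b"ring" + b"".join(k.to_bytes(66, "big") for k in ring)
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big") + 2


def sign(msg: bytes, ring: list, s: int, x: int):
    """Sign msg as member s of ring (ring[s] == g^x) without revealing s.

    Returns (key_image, c0, responses). The key image I = h^x depends only on
    the secret key, so two spends of the same output share the same I."""
    n = len(ring)
    h = hash_to_group(ring)
    I = pow(h, x, P)
    alpha = secrets.randbelow(N - 1) + 1
    c = [0] * n
    r = [0] * n
    c[(s + 1) % n] = H(msg, pow(G, alpha, P), pow(h, alpha, P))
    i = (s + 1) % n
    while i != s:                              # walk the ring with random responses
        r[i] = secrets.randbelow(N - 1) + 1
        L = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        R = pow(h, r[i], P) * pow(I, c[i], P) % P
        c[(i + 1) % n] = H(msg, L, R)
        i = (i + 1) % n
    r[s] = (alpha - c[s] * x) % N              # only the real key can close the ring
    return I, c[0], r


def verify(msg: bytes, ring: list, sig) -> bool:
    """Anyone can check that the ring closes; nothing identifies which member signed."""
    I, c0, r = sig
    h = hash_to_group(ring)
    c = c0
    for i in range(len(ring)):
        L = pow(G, r[i], P) * pow(ring[i], c, P) % P
        R = pow(h, r[i], P) * pow(I, c, P) % P
        c = H(msg, L, R)
    return c == c0


def demo():
    """Build a 4-member ring, sign from two positions, and show key-image linking."""
    secret_keys = [secrets.randbelow(N - 1) + 1 for _ in range(4)]
    ring = [pow(G, k, P) for k in secret_keys]
    sig_a = sign(b"spend output #1", ring, 2, secret_keys[2])
    sig_a2 = sign(b"spend output #1 again", ring, 2, secret_keys[2])
    sig_b = sign(b"spend output #1", ring, 0, secret_keys[0])
    return {
        "valid": verify(b"spend output #1", ring, sig_a) and verify(b"spend output #1", ring, sig_b),
        "tampered_rejected": not verify(b"spend output #2", ring, sig_a),
        "double_spend_linked": sig_a[0] == sig_a2[0],       # same key image
        "different_signer_unlinked": sig_a[0] != sig_b[0],
    }


if __name__ == "__main__":
    print(demo())
```

The verifier loop treats every ring position identically, which is the whole point: the signature carries no field that depends on the signer's index. The key image is what the network keeps in its spent list, so a second spend of the same output is rejected even though nobody can say which member produced either signature.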
And finally, Ring Confidential Transactions (RingCT), used by Monero since 2017, extend the ring signature protocol with cryptographic commitments so that the amount being sent also remains private: output amounts are hidden on the blockchain, yet verifiers can still check that the inputs of a transaction add up to its outputs.
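As an added example (not Monero's code) of how hidden amounts can still be checked, here is a Pedersen-commitment balance check in the same toy group as the two examples above: each amount is committed as g^v h^y with a random blinding factor y, the verifier multiplies commitments instead of adding amounts, and the last case shows why RingCT also needs range proofs: without them a "negative" output balances perfectly and mints coins out of nothing. The group, the hash and the derived second generator are assumptions of the example.

```python
import hashlib
import secrets

# Same toy group as the Monero examples above: multiplicative group mod 2^521 - 1,
# exponents mod p - 1. Monero's RingCT commits amounts on Ed25519 as vG + yH;
# here a Pedersen commitment is g^v * h^y with h a hash-derived second generator.
P = 2**521 - 1
N = P - 1
G = 3
H2 = int.from_bytes(hashlib.sha3_256(b"second generator").digest(), "big") + 2  # log_G unknown


def commit(v: int, y: int) -> int:
    """Pedersen commitment to amount v with blinding factor y: hides v, binds to it."""
    return pow(G, v % N, P) * pow(H2, y % N, P) % P


def prod(xs):
    out = 1
    for x in xs:
        out = out * x % P
    return out


def build_confidential_tx(in_amounts, out_amounts, fee):
    """Sender side: commit to every amount, choosing the last output blinding so
    that the blinding factors cancel. Amounts never appear in the returned tx."""
    in_blind = [secrets.randbelow(N) for _ in in_amounts]
    out_blind = [secrets.randbelow(N) for _ in out_amounts[:-1]]
    out_blind.append((sum(in_blind) - sum(out_blind)) % N)
    tx = {
        "inputs": [commit(v, y) for v, y in zip(in_amounts, in_blind)],
        "outputs": [commit(v, y) for v, y in zip(out_amounts, out_blind)],
        "fee": fee,                    # the fee is the only amount left in the clear
    }
    return tx, out_blind                # blindings go to the receivers privately


def verify_balance(tx) -> bool:
    """Verifier side: sum(inputs) == sum(outputs) + fee, checked on commitments only.
    Works because prod(g^v h^y) = g^(sum v) h^(sum y) and the blindings cancel."""
    lhs = prod(tx["inputs"])
    rhs = prod(tx["outputs"]) * pow(G, tx["fee"], P) % P
    return lhs == rhs


def demo():
    ok_tx, _ = build_confidential_tx([5, 7], [9, 2], fee=1)       # 12 = 11 + 1
    bad_tx, _ = build_confidential_tx([5, 7], [9, 4], fee=1)      # 12 != 14
    # Without a range proof, a "negative" output lets the sender print money:
    # inputs 3, outputs 10 and -7 still balance on the commitments.
    inflate_tx, _ = build_confidential_tx([3], [10, -7], fee=0)
    return verify_balance(ok_tx), verify_balance(bad_tx), verify_balance(inflate_tx)


if __name__ == "__main__":
    print(demo())
```

The third result is the reason every confidential-transaction scheme pairs commitments with a proof that each committed amount lies in a fixed positive range; the balance equation alone cannot tell 10 + (-7) from 3.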
Zcash grew out of the Zerocash protocol published in 2014 and launched in October 2016. It is often described as Bitcoin with a privacy layer; indeed, like Bitcoin, Zcash has a fixed total supply of 21 million coins. Its code base is a fork of Bitcoin's, with privacy features added on top, specifically the encryption of payment information that forms the basis of "shielded transactions".
Zcash's main draw is its use of zk-SNARKs ("Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge"), a form of cryptographic proof that lets a transaction be verified while the identities of the transacting parties and the amount being sent remain hidden.
A zk-SNARK is a zero-knowledge proof: it enables one party (the prover) to convince another (the verifier) that a statement is true without revealing anything beyond the validity of the statement itself. As such, it allows a party to prove that it knows something, such as the secret behind a coin it is spending, without having to expose it.
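A zk-SNARK involves arithmetic circuits, a trusted setup and pairing-based cryptography and cannot be shown in a few lines, so the added example below (not Zcash's construction) uses the simplest non-interactive zero-knowledge proof, Schnorr's proof of knowledge of a discrete logarithm made non-interactive with the Fiat-Shamir transform, to show the two properties the text names: the verifier learns only that the prover knows x, and no live exchange between the parties is needed. The toy group, the hash and the context strings are assumptions of the example.

```python
import hashlib
import secrets

# Toy group: multiplicative group mod the Mersenne prime 2^521 - 1, exponents mod p - 1.
P = 2**521 - 1
N = P - 1
G = 3


def fiat_shamir_challenge(statement: int, commitment: int, context: bytes) -> int:
    """The verifier's random challenge is replaced by a hash of the transcript,
    which is what makes the proof non-interactive. The context binds the proof to
    one use (e.g. one transaction) so it cannot be replayed elsewhere."""
    data = context + statement.to_bytes(66, "big") + commitment.to_bytes(66, "big")
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big") % N


def prove(x: int, context: bytes):
    """Prove knowledge of x such that y = g^x, without revealing x.
    Returns (y, (t, s)): the public statement and the two-element proof."""
    y = pow(G, x, P)
    k = secrets.randbelow(N - 1) + 1           # fresh per proof; reusing k leaks x
    t = pow(G, k, P)                           # commitment
    c = fiat_shamir_challenge(y, t, context)
    s = (k - c * x) % N                        # response: k masks x, so x stays hidden
    return y, (t, s)


def verify(y: int, proof, context: bytes) -> bool:
    """Check g^s * y^c == t, recomputing the challenge from the transcript.
    The verifier never sees x and never has to talk to the prover."""
    t, s = proof
    c = fiat_shamir_challenge(y, t, context)
    return pow(G, s, P) * pow(y, c, P) % P == t


def demo():
    x = secrets.randbelow(N - 1) + 1
    y, proof = prove(x, b"tx:0001")
    accepted = verify(y, proof, b"tx:0001")
    replayed = verify(y, proof, b"tx:0002")                 # same proof, other context
    wrong_statement = verify(pow(G, x + 1, P), proof, b"tx:0001")
    return accepted, replayed, wrong_statement


if __name__ == "__main__":
    print(demo())
```

The proof is just the pair (t, s); whoever holds it can check it at any later time, which is the "non-interactive" property, and because s is masked by the fresh random k, the transcript reveals nothing about x, which is the "zero-knowledge" property. Zcash proves far richer statements (that a spent note exists, was not spent before and that the amounts balance), but the shape of the guarantee is the same.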
When applying zk-SNARKS to Zcash, some of the key points to note are:
- The prover and verifier do not have to interact in real time: the proof is a single message that anyone can check later (the "Non-Interactive" part of the zk-SNARK acronym).
- Value is carried by "notes", each of which specifies an amount and the paying key of its owner.
- Each shielded payment address carries two public keys: a paying key, associated with the notes sent to the address, and a transmission key, used to encrypt note contents so that only the holder of the corresponding private key can read them.
- The sender publishes an encrypted output note on the blockchain; the receiver trial-decrypts notes using the private key matching the transmission key to find the ones addressed to them.
- The private spending keys of the input notes are cryptographically linked to a signature over the whole transaction, so the transaction cannot be modified by anyone who does not know these private keys.
- When a note is spent, the proof shows only that some commitment to it was published at some point, without revealing which one out of all previously created note commitments. The spent note therefore cannot be linked to the transaction in which it was created.
- Miners verify transactions without knowing who sent or received the coins: the zero-knowledge proof convinces them that the transaction is valid without disclosing any further details about the parties involved.
zk-SNARKs are certainly a highly complex piece of cryptography, but they are already proving their worth in the crypto community; Ethereum, for instance, has added on-chain support for verifying zk-SNARK proofs.
But wait, isn’t Dash also a privacy coin?
The Dash project has approximately the same size of market cap as Monero at present (April 2018).
Dash offers a "PrivateSend" option for users who want more anonymity. It breaks transaction inputs down into standard denominations, including 0.01, 0.1, 1 and 10 DASH. When a sender wants to send Dash privately, his wallet sends a mixing request to the Dash masternodes (privileged nodes on the network that hold at least 1000 DASH as collateral and are responsible for a range of network services and governance decisions).
On receiving the request (which is anonymous), a masternode mixes inputs of the same denomination from at least three participants, including the sender (that is, two other users have signalled that they want to mix the same denomination). After mixing, the masternode instructs each wallet to pay the mixed input back to itself, but at a fresh "change" address.
This process is then repeated several times, which makes it more difficult to ascertain where the coins originated.
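An added example (not Dash's code) that models the denomination step and the observer's view of a mixing round: amounts are split into the standard denominations the text lists, a constructed round joins equal-valued inputs from three participants, and a counting function shows how many input-to-output pairings are consistent with the amounts, which is the anonymity set an observer of the chain is left with. The participant names, the seeded shuffle and the handling of the sub-denomination remainder are assumptions of the example, as is the treatment of repeated rounds as independent.

```python
import random
from decimal import Decimal
from itertools import permutations

# Denominations named in the text; real wallets also apply small fee offsets.
DENOMINATIONS = [Decimal("10"), Decimal("1"), Decimal("0.1"), Decimal("0.01")]


def denominate(amount: Decimal):
    """Split an amount into standard denominations, largest first.
    Returns ({denomination: count}, remainder below the smallest denomination)."""
    counts = {}
    for d in DENOMINATIONS:
        n = int(amount // d)
        if n:
            counts[d] = n
            amount -= d * n
    return counts, amount


def mixing_round(participants, denomination: Decimal, rng: random.Random):
    """Constructed mixing round: each participant contributes one input of the
    denomination and receives one output of the same value at a fresh address."""
    inputs = [(f"{name}_in", denomination) for name in participants]
    outputs = [(f"{name}_fresh", denomination) for name in participants]
    rng.shuffle(outputs)                      # the transaction carries no ordering hint
    return {"inputs": inputs, "outputs": outputs}


def consistent_assignments(tx) -> int:
    """Observer's view: count input->output pairings consistent with the amounts.
    1 means fully linkable; n! means every pairing is equally plausible."""
    n = len(tx["inputs"])
    return sum(
        all(tx["inputs"][i][1] == tx["outputs"][perm[i]][1] for i in range(n))
        for perm in permutations(range(n))
    )


def demo():
    rng = random.Random(7)
    mixed = mixing_round(["alice", "bob", "carol"], Decimal("1"), rng)
    # Same shape of transaction but unequal amounts: the amounts alone link every pair.
    unequal = {
        "inputs": [("alice_in", Decimal("10")), ("bob_in", Decimal("1")), ("carol_in", Decimal("0.1"))],
        "outputs": [("carol_fresh", Decimal("0.1")), ("alice_fresh", Decimal("10")), ("bob_fresh", Decimal("1"))],
    }
    return {
        "denominations": denominate(Decimal("12.345")),
        "equal_denomination_pairings": consistent_assignments(mixed),    # 3! = 6
        "unequal_amount_pairings": consistent_assignments(unequal),     # 1
        "after_four_rounds": consistent_assignments(mixed) ** 4,        # upper bound, independent rounds
    }


if __name__ == "__main__":
    print(demo())
```

The unequal case is why PrivateSend insists on fixed denominations: a mixing transaction with distinct amounts is no more private than an ordinary one. The repeated-rounds figure is an upper bound; a masternode that coordinated a round, or an observer who can match timing and fees, can shrink it considerably.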
But while Dash is sometimes categorized as a privacy coin, PrivateSend is generally not as well regarded as the privacy protocols implemented on the Monero and Zcash networks. What's more, it remains unavailable on mobile wallets, it has been much criticized for not being particularly user-friendly, and the implementation is frequently reported to contain bugs. There is also a very real threat that an attacker who gained control of a sufficient share of the masternodes could observe or manipulate the mixing rounds they coordinate.
Moreover, Dash Core Group CEO Ryan Taylor has stated that only a small proportion of Dash transactions are executed privately, and has previously played down the privacy credentials of the project.
As such, many view Dash as similar in functionality to Bitcoin with a transparent blockchain, but offering privacy through mixing.
The implications of privacy coins are both positive and negative. The ability to execute untraceable transactions is an ideal solution for those seeking less disclosure, and for many this may prove to be a crucial advance over Bitcoin's transparent model.
But at the same time, authorities will undoubtedly want to ensure that such privacy does not exacerbate the already growing problems of money-laundering and terrorism financing. Indeed, reports suggest that coins like Monero have already become a favourite for criminal activity.
Ultimately, it seems likely that privacy coins will come under regulatory scrutiny at some point in the future. But in the meantime, should privacy be of particular importance to you when transferring value, the means to achieve it have now well and truly arrived.