Privacy and Cryptocurrency, Part III: Anonymous Coins

 

coinspot.io

Translation of the article by Eric Wall, Chief Investment Officer at Arcane Assets.

In the previous two parts we learned about the traces we leave when we use Bitcoin and about the tools that hide those traces.

We also saw that achieving complete anonymity in Bitcoin is quite difficult. Publicly available tools exist that make Bitcoin transactions hard to trace, but they are rarely free to use, and their code bases have been audited far less than Bitcoin's, which is itself a privacy risk. Although Bitcoin development pays particular attention to privacy, one question remains relevant today: if the goal is confidentiality, why not simply use an anonymous cryptocurrency?

In the previous part of this series we discussed why it is important to use a new address for every transaction. The beauty of this idea is that a Bitcoin address, generated from nothing but code and mathematics, is enough to receive money from anyone anywhere in the world, no questions asked. And since it is the sender who broadcasts the transaction, the recipient does not need to broadcast anything to the Bitcoin network at all. Yet even in this simple scenario our privacy is at risk, because there is no counterparty privacy: whoever you transact with learns your address and can watch what happens to those coins afterwards.

Suppose you bought bitcoins from an exchange and left no trace elsewhere of your intention to buy them. You may well manage to take every precaution on this first purchase. But you will need many more precautions if you want to transact frequently, in different circumstances and from different kinds of devices. It takes only one mistake to ruin your privacy, and that burden becomes heavy for anyone who wants to use cryptocurrency regularly.

Can't I just use the Lightning Network?

The Lightning Network improves privacy in Bitcoin, as we mentioned in part one. You can of course become a Lightning user, but keep in mind that Lightning is primarily a scaling technology, not a privacy technology. The system is developing rapidly and its privacy properties have not yet been studied thoroughly. And because it is still relatively new, you may not find many people to transact with on it.

What about the Liquid sidechain?

Liquid is best thought of as an 11-of-15 multisig wallet: whatever money you hold on that network, you are in effect trusting the members of the federation with it.

Liquid's privacy advantage is that it uses Confidential Transactions, the technique by Adam Back and Gregory Maxwell that hides transaction amounts. This improves privacy, but does little to keep the parties to a transaction anonymous. Besides, retail users hardly use Liquid at all today.

Anonymous coins

So maintaining a high level of privacy on the transparent Bitcoin blockchain is hard. The Bitcoin protocol will become more private in the future, but until then it makes sense to look at alternative cryptocurrencies designed for complete user anonymity.

The goal of anonymous cryptocurrencies is to use cryptography to make the information on the blockchain unintelligible to an observer while still letting everyone verify that all the rules of the network are being followed.

If building such a system were trivial, it would probably already be part of Bitcoin.

Most of the cryptographic techniques used today in anonymous coins (Monero, Grin and Beam) originated as proposals to improve Bitcoin's privacy, but for various reasons were never implemented there.

It is important to understand why Bitcoin developers are cautious about privacy improvements. Apart from implementation difficulties, privacy techniques usually increase transaction size, which hurts scalability. And the coin supply, which today anyone with a calculator can audit, would come to depend on trusting that the cryptography behind the privacy feature works correctly.

In Monero we have discovered and fixed a critical bug that affects all CryptoNote-based cryptocurrencies and allows an unlimited number of coins to be created in a way that cannot be detected by an observer.

- getmonero.org, May 17, 2017 (source)

We discovered [and fixed] a cryptographic vulnerability underlying some zero-knowledge proofs [...] an attacker could create fake Zcash without being detected [...] the vulnerability is so subtle that it went unnoticed by experienced cryptographers over many years of analyzing systems that implement zero-knowledge proofs.

- Electric Coin Company, February 5, 2019 (source)

To be clear, this does not mean that anonymous coins have bugs and Bitcoin does not. Bugs are a problem for every cryptocurrency, including Bitcoin. The key difference is that when a bug lets an attacker print money in an anonymous coin, it can go undetected for years, giving the attacker time to swap the counterfeit coins for other assets. Bitcoin's transparency ensures that inflation bugs are detected quickly (example), giving the network's users a chance to correct the situation before the damage becomes systemic.

Moreover, code errors are not limited to emission. Even if a privacy protocol guarantees strong anonymity on paper, its implementation can be flawed. Only careful review of the software by competent developers can help avoid this.

In Robert Frost's famous poem, taking the road less traveled can be read as a chance for new and unique experience and knowledge. In open-source software and cryptocurrency, that advice is more likely to lead you to new bugs and vulnerabilities.

It's complicated. It's the small things. If you are interested in all these new projects with "magic solutions", you had better be skeptical of them. And if you are disappointed with how slowly Bitcoin is moving, I would say that Bitcoin is moving too fast. It's hard and scary. We need to slow down and be more careful.

- Andrew Poelstra, Director of Research at Blockstream and co-creator of the Mimblewimble protocol (the basis of the Grin and Beam cryptocurrencies).

Does this mean anonymous coins are a bad idea? No, but it is important to understand the trade-offs and risks. Keeping your savings in an anonymous coin may not be the smartest idea, but they remain a good option for making anonymous transactions.

The disadvantages of anonymous coins: higher volatility, a higher risk of critical vulnerabilities and failures, and fewer organizations that accept them. The advantage: a higher level of anonymity.

Choosing an Anonymous Coin

The best we can do to minimize the disadvantages listed above is to choose an anonymous coin with competent developers. The four largest by market capitalization (using estimates for the recently launched coins) are Monero, Zcash, Grin and Beam.

We spoke to one person from each project and asked them to describe in their own words the benefits of their project, especially compared to the other coins. All four projects share the same goal, but each coin has its own set of trade-offs in privacy, security, scalability and usability.

I. Monero

Monero has no founder reward, no trusted setup and no premine. Monero is a true decentralized virtual currency under FinCEN's rules and guidance. Monero has no company and no regulator. Mandatory privacy for everyone in Monero ensures a large anonymity set. Coin issuance also matters: Monero will always have a minimum block reward of 0.6 XMR, which will keep miners incentivized to secure the network.

Any project that claims perfect privacy should be treated with extreme caution and skepticism. That said, I believe Monero offers a very competitive privacy solution.

- Francisco "ArticMine" Cabañas, Monero Core

Monero launched in 2014 and is the oldest of the four coins. Its privacy technologies are ring signatures, ring confidential transactions (RingCT) and stealth addresses. Together they mix the coins being spent among a set of decoys, hide the amounts sent and hide the recipients' addresses.

The key words in the paragraph above are "mix" and "hide". When something is mixed it becomes hard to follow because there is too much noise, like trying to listen to one song while ten others play at the same time. In this analogy the number of songs is the "anonymity set".

This gives good but not perfect privacy. As one of the first anonymous cryptocurrencies, Monero has had user-privacy weaknesses in the past (its efforts to address them are documented on the Monero Research Lab page).

Recommended wallet: Monero GUI Wallet + Monerujo (an Android app that can connect to the Monero GUI Wallet).

II. Zcash

Zcash brings privacy to the world of machine learning and artificial intelligence. Monero, Grin and Beam do not. They use decoys to hide what you are doing. While that helps, decoys do not stop merchants from tracking you through your payments. Decoys won't stop your boss from finding out that you've been to a shooting range or a gay bar several times. Decoys won't protect you if you are a dissident trying to accept donations online while hiding your real name. This is where they are especially vulnerable: having the police send you a small amount of coins would let an authoritarian government identify and detain you.

Monero, Grin and Beam's approaches to anonymity are about as good as spelling out S-E-X letter by letter when talking to your wife. Your three-year-old may not catch your plans. But it won't work forever: the child will grow up, and so will blockchain analysis, which is now only in its infancy.

- Ian Miers, co-founder of Zcash

zk-SNARK technology gives Zcash a very high level of anonymity, and it does not depend on mixing. Looking at the blockchain, you will find no information about senders, recipients or amounts: validity is proven without revealing anything useful to an observer.

But Zcash paid a price for this seemingly magical privacy technology. The trade-off is the trusted setup, a critical phase at network launch in which random data is generated by a group of participants who must not share it with one another. If that data were combined, it could be used to create fake Zcash; the setup is only sound if at least one participant honestly destroys their share.

The fact that a coin's privacy does not depend on mixing does not make its anonymity set infinite. Anonymity on a blockchain comes from everyone on the network using the same privacy features. In Zcash, unfortunately, that is not quite the case: the Zcash blockchain has two address types, t-addresses and z-addresses, and only transactions between z-addresses are fully anonymous. T-addresses are as transparent as ordinary Bitcoin transactions.

If you know that the number of people worldwide making fully shielded Zcash transactions on a given day is a few dozen at best, what are the chances of hiding in that crowd?

On the other hand, if you live in a small town where almost nobody uses cryptocurrency, the scenario above applies to any coin: merely using cryptocurrency is enough to stand out. This is why scalability matters for anonymous coins: the number of transactions the system processes is a key component of the anonymity set.

Recommended wallet: ZecWallet + its Android companion app.

III. Grin

Grin hides transaction amounts and the identities of senders and recipients; there are no addresses at all. Privacy features are on for all users and all transactions on the Grin network. By contrast, the approach to privacy taken by earlier projects invites surveillance and censorship and can lead to marginalization.

The Grin blockchain is relatively lightweight: it stores little data, which lets new users download and synchronize it quickly. Grin is proof that privacy features need not add much weight or complexity to a blockchain.

There is no trusted setup. Grin relies on relatively simple cryptographic assumptions that have stood the test of time. Projects that use experimental or novel cryptography are more likely to hit critical bugs. That is hardly surprising, since few people in the world, sometimes not even the researchers themselves, fully understand (let alone can audit) the constructions in use.

Grin has no foundation or company. No investors, no offices, no CEO. There is no ICO, no developer reward and no way to get rich quickly at others' expense. Development is community-driven and funding comes as donations with no strings attached.

- Daniel Lehnberg, Grin developer

In part one we described how CoinJoin combines the inputs and outputs of several transactions. In this article we have touched on confidential transactions, which hide amounts; used together with CoinJoin they could greatly strengthen mixing. It was later discovered how transactions could be merged into a CoinJoin without any coordination between senders, and how intermediate transaction data could be dropped from the blockchain altogether. This idea became the basis of a new protocol, Mimblewimble.

Grin and Beam both launched in January 2019. Interest in the protocol comes from the fact that it scales better than Bitcoin and brings significant privacy improvements. Mimblewimble-based chains sync faster and need less storage because they leave far less data on the blockchain.

One drawback of Mimblewimble-based protocols is that sender and recipient must exchange messages to build a transaction, so when two people transact, their IP addresses are exposed to each other. The developers created relays (grinbox) that carry encrypted messages between users. This does not fully solve the problem, since you still expose your IP address to the relay, but at that point your IP is your own responsibility: when you connect to grinbox you can hide your real IP address with I2P, a VPN and/or Tor.

Recommended wallet: Niffler

IV. Beam

Beam offers much better scalability than Monero or Zcash, better privacy than Grin or Monero, and better "privacy in practice" than Zcash.

If you want ease of use with a reasonable level of privacy, Beam is your best choice. Try the Beam mobile wallets and see for yourself.

- Guy Corem, Beam

Recall Lehnberg's words: "Grin hides transaction amounts and the identities of senders and recipients; there are no addresses at all."

The Mimblewimble protocol, however, does not hide the so-called transaction graph very well. While a transaction is still on its way to the blockchain (and has not yet been merged with others), an observer can still see how transactions refer to one another. The Beam developers explain the problem with this example:

Say Bob has a store and Alice is his rival who wants to know Bob's supplier. She pays Bob (buys something from him), then Bob pays his supplier Charlie, and later Charlie pays Dan. Alice sees all these transactions but does not know who the users are.

Eventually she learns about Dan (he buys something from her). Alice kindly asks [bribe/threat/torture] Dan to tell her whom he got this UTXO from, thereby revealing Charlie. At every step, Alice can be confident there is a link to a user.

Both Grin and Beam address this with non-interactive CoinJoin. Before a transaction is broadcast to the network it is first passed through a number of other users, each of whom adds the transactions they want to send. Because of how Mimblewimble works, transactions can be merged without any coordination, so the contents of the bundle are mixed yet remain valid.
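To make the mechanics concrete, here is an added example written for this edition (it is not Grin's or Beam's code). It implements Pedersen commitments over secp256k1, the Mimblewimble balance check with a signed kernel, the non-interactive aggregation of two transactions described above, and cut-through of the intermediate output, which is the step that erases the Alice → Bob → Charlie link from the Beam developers' example. Assumptions: the second generator H is derived here by hashing (real implementations ship a fixed point), Grin's convention C = blind*G + value*H, a single party who knows all blinding factors signs the kernel (real wallets build it jointly), and no range proofs; the last function shows why range proofs are required.

```python
import hashlib
import secrets
from functools import reduce
# secp256k1 (the curve Grin and Beam use). Assumption: H is derived by hashing for this demo only.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add; scalars are reduced mod N, so 'negative' values wrap around."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def nums_point(label):
    """Hash a label to an x-coordinate, retry until on-curve; nobody knows log_G(H), so commitments bind."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # P = 3 mod 4: a square root whenever y2 is a square
        if y * y % P == y2:
            return (x, y)
    raise RuntimeError("no curve point found")

H = nums_point(b"mimblewimble-demo-H")  # real implementations ship a fixed nothing-up-my-sleeve H
def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H (Grin's convention); commitments add up."""
    return add(mul(blind, G), mul(value, H))

def challenge(R, excess, fee):
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *excess)) + fee.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def kernel(excess_secret, fee):
    """Schnorr signature keyed by the excess (output blinds minus input blinds): proves the excess point
    is a pure multiple of G, i.e. the hidden values cancel. Real wallets sign jointly; here one party does."""
    excess, k = mul(excess_secret, G), secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return {"excess": excess, "fee": fee, "R": R, "s": (k + challenge(R, excess, fee) * excess_secret) % N}

def build_tx(inputs, outputs, fee):
    """inputs/outputs are (value, blind) pairs. No balance check on purpose: verify_tx does it."""
    excess_secret = (sum(b for _, b in outputs) - sum(b for _, b in inputs)) % N
    return {"inputs": [commit(v, b) for v, b in inputs], "outputs": [commit(v, b) for v, b in outputs],
            "kernels": [kernel(excess_secret, fee)]}

def verify_tx(tx):
    """Every kernel signature verifies and sum(outputs) + fees*H - sum(inputs) == sum(excesses)."""
    for k in tx["kernels"]:
        e = challenge(k["R"], k["excess"], k["fee"])
        if mul(k["s"], G) != add(k["R"], mul(e, k["excess"])):
            return False
    total = reduce(add, tx["outputs"], mul(sum(k["fee"] for k in tx["kernels"]), H))
    total = reduce(add, ((x, (P - y) % P) for x, y in tx["inputs"]), total)  # subtract = add negation
    return total == reduce(add, (k["excess"] for k in tx["kernels"]), None)

def aggregate(*txs):
    """Non-interactive CoinJoin: just concatenate. Still valid, because verification is a sum."""
    return {key: [x for t in txs for x in t[key]] for key in ("inputs", "outputs", "kernels")}

def cut_through(tx):
    """Drop outputs spent inside the same aggregate and the inputs that spend them. The sums are
    unchanged, so every kernel still verifies, but the link between the two payments is gone."""
    spent = set(tx["inputs"]) & set(tx["outputs"])
    return {"inputs": [c for c in tx["inputs"] if c not in spent],
            "outputs": [c for c in tx["outputs"] if c not in spent], "kernels": tx["kernels"]}

def demo_chain():
    """Alice pays Bob 30 (fee 1, change 19); Bob pays Charlie 28 (fee 2); merge and cut through."""
    r_a, r_b, r_c, r_d = (secrets.randbelow(N - 1) + 1 for _ in range(4))
    tx1 = build_tx([(50, r_a)], [(30, r_b), (19, r_c)], fee=1)
    tx2 = build_tx([(30, r_b)], [(28, r_d)], fee=2)
    merged = cut_through(aggregate(tx1, tx2))
    return (verify_tx(tx1), verify_tx(tx2), verify_tx(merged),
            len(merged["inputs"]), len(merged["outputs"]), len(merged["kernels"]))

def demo_counterfeits():
    """Overspend (50 in, 60 out) is rejected: the H components do not cancel. But 50 in, 55 out plus an
    output committing to -5 mod N balances, so without a range proof per output it is accepted (Bulletproofs)."""
    overspend = verify_tx(build_tx([(50, 1)], [(60, 2)], fee=0))
    negative = verify_tx(build_tx([(50, 1)], [(55, 2), (N - 5, 3)], fee=0))
    return overspend, negative
```

After cut-through the merged bundle has one input, two outputs and two kernels: Bob's 30-coin output, which tied Alice's payment to Charlie's, is simply gone, and a node can still verify the bundle because only the sums matter. The same arithmetic shows what a Beam-style decoy is: `commit(0, r)` with a random blind r looks exactly like any other commitment and adds nothing to the value side, so padding the anonymity set costs nothing but block space. The counterfeit case is the reason every Mimblewimble output carries a range proof in production.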

Beam's claim to better privacy than Grin is that Beam users themselves create additional decoy UTXOs, so that however few users add transactions at a given moment, there is always a minimum anonymity set. Instead of grinbox, Beam has built its own decentralized addressing system, which should make it easier for users to interact without leaking IP addresses. It bears repeating, though, that these are new projects and much may change.

Because its privacy still rests on mixing (as Miers noted), Beam's position as the smallest of the four coins is its weakest point: fewer users means a smaller anonymity set. Beam is also the closest of the four to a corporate project, which is why it has rather weak ties to the open-source community (although Beam has been through several security audits).

Recommended wallet: Beam Wallet
