Surely you, as a user of Bitcoin, Ether or any other cryptocurrency, have been concerned that anyone can see how many coins are in your wallet, whom you transferred them to and from whom you received them. There is a lot of controversy around anonymous cryptocurrencies, but one thing is hard to disagree with - how
In this article, we will look at the technological side of anonymity - how it is actually achieved - and give a brief overview of the most popular methods with their pros and cons.
Today, there are about a dozen blockchains that allow anonymous transactions. For some of them the anonymity of transfers is mandatory, for others it is optional; some hide only senders and recipients, others do not let third parties see even the amount transferred. Almost all the technologies we consider provide complete anonymity - an outside observer cannot analyze balances, recipients, or transaction history. But let's start our review with one of the pioneers in this field in order to trace the evolution of approaches to anonymity.
The anonymization technologies that exist today can be roughly divided into two groups: mixing-based ones, where the coins being spent are mixed with other coins from the blockchain, and ones that use proofs based on polynomials. Below we look at each of these groups and consider their pros and cons.
Mixing-based
CoinJoin
It is based on a simple idea - what if users chip in and make their payments in a single transaction? It turns out that if Arnold Schwarzenegger and Barack Obama chip in and make two payments to Charlie Sheen and Donald Trump in one transaction, it becomes harder to tell who financed the Trump campaign - Arnold or Barack.
But the main advantage of CoinJoin is also the source of its main disadvantage - weak protection. There are already ways to detect CoinJoin transactions in the network and match sets of inputs to sets of outputs by comparing the amounts of coins spent and generated. An example of a tool for such analysis is −
Pros:
• Simplicity
Cons:
• Demonstrated to be breakable
Monero
The first association that arises with the words “anonymous cryptocurrency” is Monero. This coin
In one of his recent
In the Monero protocol, each output spent in a transaction is mixed with at least 11 (at the time of writing) random outputs from the blockchain, thereby complicating the network’s transfer graph and making the task of tracking transactions computationally difficult. The mixed inputs are signed with a ring signature, which guarantees that the owner of one of the mixed coins put the signature, but does not make it possible to determine who exactly.
To hide the recipients, each newly generated coin uses a one-time address, which makes it impossible for an observer (short of breaking the underlying encryption keys, of course) to associate any output with a public address. And since September 2017, Monero has supported the protocol
Pros:
• Proven by time
• Relative simplicity
Cons:
• Proof generation and verification is slower than ZK-SNARKs and ZK-STARKs
• Not resistant to attacks by quantum computers
Mimblewimble
Mimblewimble (MW) was invented as a scalable technology for anonymizing transfers in the Bitcoin network, but found its implementation as an independent blockchain. Used in cryptocurrencies
MW is remarkable in that it has no public addresses: to send a transaction, users exchange outputs directly, which eliminates the possibility for an outside observer to analyze transfers from sender to recipient.
To hide the amounts of inputs and outputs, a fairly well-known protocol proposed by Greg Maxwell in 2015 is used −
In the original CT, the non-negativity of values is guaranteed (the so-called range proof) with Borromean ring signatures, which take up a lot of space in the blockchain (about 6 kilobytes per output). Because of this, large transaction size was counted among the disadvantages of anonymous currencies using this technology, but these signatures have now been abandoned in favor of a more compact technique - Bulletproofs.
In the MW block itself, there is no concept of a transaction, there are only outputs spent and generated in it. No transaction - no problem!
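The balance check that lets an MW block hold only output commitments and kernels rather than transactions, as an added worked example that is not from the article or from any MW implementation. It uses the secp256k1 curve with toy affine arithmetic; the second generator H, the amounts and the blinding factors are constructed for the demonstration.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve Bitcoin and Grin use)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:      lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    r, k = None, k % N
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def nums_point(tag):
    # Nothing-up-my-sleeve generator: hash to an x coordinate and lift it to the
    # curve (P = 3 mod 4). H must have no known discrete log w.r.t. G, otherwise
    # a prover could open one commitment to two different values.
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while True:
        y = pow((x**3 + 7) % P, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P: return (x, y)
        x += 1
H = nums_point(b"constructed-H")  # constructed tag; real CT derives H from G

def commit(value, blind):  # Pedersen commitment C = value*H + blind*G
    return ec_add(ec_mul(value, H), ec_mul(blind, G))

def kernel_balances(inputs, outputs, fee, excess):
    # MW kernel check: sum(outputs) + fee*H - sum(inputs) == excess*G.
    # The verifier sees that the amounts cancel without learning them. A range
    # proof (Bulletproofs) is still required: value N-1 would pass here as "-1".
    acc = ec_mul(fee, H)
    for c in outputs: acc = ec_add(acc, c)
    for c in inputs:  acc = ec_add(acc, (c[0], (P - c[1]) % P))
    return acc == ec_mul(excess, G)

# Constructed transfer: a 50-unit input spent into 30 + 18 with a fee of 2.
R_IN, R_OUT1, R_OUT2 = 111111, 222222, 333333            # toy blinding factors
INPUTS, OUTPUTS = [commit(50, R_IN)], [commit(30, R_OUT1), commit(18, R_OUT2)]
EXCESS = (R_OUT1 + R_OUT2 - R_IN) % N  # the sender signs the kernel with this
```

Only the commitments, the fee and the excess (plus its signature) reach the chain; the verifier never sees 50, 30 or 18.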
To prevent deanonymization of the transfer participant at the stage of sending the transaction to the network, the protocol
Pros:
• Small blockchain size
• Relative simplicity
Cons:
• Proof generation and verification is slower than ZK-SNARKs and ZK-STARKs
• Support for features such as scripts and multi-signatures is difficult to implement
• Not resistant to attacks by quantum computers
Proofs on polynomials
ZK-SNARKs
The intricate name of this technology stands for "
In general, zero-knowledge proof allows one party to prove to the other the truth of some mathematical statement without disclosing any information about it. With regard to cryptocurrencies, such methods are used to prove that, for example, a transaction does not produce more coins than it spends, without disclosing the amount of transfers.
ZK-SNARKs are very difficult to understand, and it would take more than one article to describe how they work. On the official page of Zcash, the first currency to implement this protocol, the description of how it works is devoted to
Using algebraic polynomials, ZK-SNARKs proves that the sender of the payment owns the coins that he spends, and that the amount of coins spent does not exceed the amount of coins generated.
This protocol was created in order to reduce the size of the proof of a statement's validity while keeping verification fast. Indeed, according to
However, before using this technology, a complex procedure of trusted setup of “public parameters” is required, which is called a “ceremony” (
Pros:
• Small size of proof
• Fast verification
• Relatively fast proof generation
Cons:
• Complex procedure for setting public parameters
• Toxic waste
• Relative complexity of technology
• Not resistant to attacks by quantum computers
ZK-STARKs
The authors of the last two technologies are good at playing with acronyms, and this one stands for Zero-Knowledge Scalable Transparent Arguments of Knowledge. The method was intended to fix the shortcomings ZK-SNARKs had at the time: the need for a trusted setup of public parameters, the presence of toxic waste, the vulnerability of the cryptography to quantum algorithms, and insufficiently fast proof generation. The developers of ZK-SNARKs, however, have since dealt with the last drawback.
ZK-STARKs also use proofs based on polynomials. The technology does not use public-key cryptography, relying instead on hashing and information theory. Dropping those cryptographic primitives is what makes the technology resistant to quantum algorithms. But this comes at a price - a proof can be several hundred kilobytes in size.
Now ZK-STARK does not have an implementation in any of the cryptocurrencies, but exists only as a library
You can read more about how ZK-STARK works in the posts of Vitalik Buterin (
Pros:
• Resistant to attacks by quantum computers
• Relatively fast proof generation
• Relatively fast proof verification
• No toxic waste
Cons:
• Technology complexity
• Large proof size
Conclusion
Blockchain and the growing demand for anonymity pose new challenges for cryptography. As a result, the branch of cryptography born in the mid-1980s - zero-knowledge proofs - has gained new, rapidly developing methods in just a few years.
The advance of scientific thought has made CoinJoin obsolete, and made MimbleWimble a promising newcomer with fairly fresh ideas. Monero has always been an unshakable giant guarding our privacy. And SNARKs and STARKs, although they have flaws, may become the leaders in the field. Perhaps in the coming years the points we listed under "Cons" for each of these technologies will become irrelevant.
Source: habr.com