How do they do it? Overview of Cryptocurrency Anonymization Technologies

Surely you, as a user of bitcoin, ether or any other cryptocurrency, have been concerned that anyone can see how many coins you have in your wallet, to whom you transferred them and from whom you received them. There is a lot of controversy around anonymous cryptocurrencies, but one thing is hard to argue with, as Monero project manager Riccardo Spagni put it on his Twitter account: “What if I just don’t want the cashier in the supermarket to know how much money I have on my balance and what I spend it on?”


In this article we look at the technological side of anonymity, how they do it, and give a brief overview of the most popular methods with their pros and cons.

Today there are about a dozen blockchains that allow anonymous transactions. For some of them anonymity of transfers is mandatory, for others it is optional; some hide only senders and recipients, others do not let third parties see even the transfer amounts. Almost all the technologies we consider provide complete anonymity: an outside observer cannot analyze balances, recipients or transaction history. But let us start the review with one of the pioneers in this field, in order to trace how approaches to anonymity have evolved.

The anonymization technologies that exist today can be roughly divided into two groups: those based on mixing, where the coins being spent are mixed with other coins from the blockchain, and those that use proofs based on polynomials. Below we look at each group and consider its pros and cons.

Based on mixing

CoinJoin

CoinJoin does not anonymize user transfers; it only makes them harder to track. We include it in this review nonetheless, since it was one of the first attempts to raise the privacy of transactions in the Bitcoin network. The technology is appealing in its simplicity and does not require changing the rules of the network, so it can easily be used in many blockchains.

It is based on a simple idea: what if users chip in and make their payments in a single transaction? If Arnold Schwarzenegger and Barack Obama chip in and make two payments to Charlie Sheen and Donald Trump in one transaction, it becomes harder to tell who financed the Trump campaign, Arnold or Barack.

But the main advantage of CoinJoin is also the source of its main disadvantage: weak security. There are already ways to detect CoinJoin transactions on the network and match sets of inputs to sets of outputs by comparing the amounts of coins spent and generated. One example of a tool for such analysis is CoinJoin Sudoku.
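As an added illustration of the amount-matching analysis just described (example code written for this overview, not the CoinJoin Sudoku tool or any wallet's code), the script below enumerates every way a fee-free two-party CoinJoin could be split into two sub-payments whose input and output sums agree. All amounts are constructed integers in arbitrary units, and the two-party, fee-free model is a simplification. The point is a defensive one: a transaction with distinct amounts admits exactly one split, equal-denomination outputs leave the analysis ambiguous, and a change output still betrays its payer.

```python
from itertools import combinations


def _proper_subsets(n):
    """Non-empty, proper subsets of range(n), as sorted index tuples."""
    for k in range(1, n):
        yield from combinations(range(n), k)


def _complement(indices, n):
    return tuple(i for i in range(n) if i not in indices)


def consistent_splits(inputs, outputs):
    """All ways to split a fee-free CoinJoin into two sub-payments whose input
    and output sums agree. Amounts are integers (e.g. satoshis). Returns a list
    of (input_indices, output_indices) pairs, each naming one side of a split.
    Enumeration is exponential in the number of inputs and outputs, so it is
    meant for the small transactions a wallet builds, not for scanning a chain."""
    if sum(inputs) != sum(outputs):
        raise ValueError("fee-free model: input and output totals must match")
    seen, splits = set(), []
    for ins in _proper_subsets(len(inputs)):
        target = sum(inputs[i] for i in ins)
        for outs in _proper_subsets(len(outputs)):
            if sum(outputs[j] for j in outs) != target:
                continue
            # (ins, outs) and its complement describe the same split; keep one.
            key = min((ins, outs),
                      (_complement(ins, len(inputs)), _complement(outs, len(outputs))))
            if key not in seen:
                seen.add(key)
                splits.append(key)
    return splits


def candidate_payers(inputs, outputs, out_index):
    """Input groups that could have funded output `out_index` in some consistent
    split. A single group means amount analysis alone pins the payer down."""
    groups = set()
    for ins, outs in consistent_splits(inputs, outputs):
        groups.add(ins if out_index in outs else _complement(ins, len(inputs)))
    return groups


if __name__ == "__main__":
    # Constructed amounts in arbitrary integer units.
    cases = {
        "distinct amounts": ([150, 200], [150, 200]),
        "equal amounts": ([300, 300], [300, 300]),
        "equal outputs plus change": ([100, 140], [100, 100, 40]),
    }
    for name, (ins, outs) in cases.items():
        splits = consistent_splits(ins, outs)
        print(f"{name}: {len(splits)} consistent split(s)")
        for j, amount in enumerate(outs):
            payers = sorted(candidate_payers(ins, outs, j))
            print(f"  output {j} ({amount}) could come from inputs {payers}")
```

For the three constructed cases the counts are 1, 2 and 2 splits respectively. In the last case the two equal outputs of 100 could each have come from either input, but the change output of 40 is linked to input 1 in every consistent split, which is why careful CoinJoin implementations use equal output denominations and treat change outputs as the weak point.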

Pros:

• Simplicity

Cons:

• Attacks on it have been demonstrated

Monero

The first association with the words “anonymous cryptocurrency” is Monero. This coin has proved its robustness and privacy under the microscope of intelligence agencies.

In one of our recent articles we described the Monero protocol in great detail; today we summarize what was said there.

In the Monero protocol, each output spent in a transaction is mixed with at least 11 (at the time of writing) random outputs from the blockchain, which tangles the network’s transfer graph and makes tracking transactions computationally hard. The mixed inputs are signed with a ring signature, which guarantees that the signature was produced by the owner of one of the mixed coins but does not make it possible to determine which one.

To hide recipients, each newly generated coin uses a one-time address, which makes it impossible for an observer (short of breaking the cryptographic keys, of course) to associate any output with a public address. In September 2017 Monero added support for the Confidential Transactions (CT) protocol, with some additions, thus also hiding transfer amounts. A little later the developers replaced Borromean signatures with Bulletproofs, significantly reducing transaction size.
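The one-time address mechanism can be illustrated with a toy discrete-log group. The code below is an added example written for this overview, not Monero’s implementation: Monero works on Ed25519 with its own hash and encoding, whereas the constructed prime here (2039, with the order-1019 subgroup generated by 4) is chosen only for readability. The names Recipient, send_to and scan are the example’s own. The recipient publishes a public view key A and public spend key B; the sender derives a fresh output address from a random scalar r, and only the recipient, using the private view key, can recognise the output and reconstruct its private key.

```python
import hashlib

# Constructed toy group: safe prime P = 2*Q + 1. G = 4 is a square mod P, so it
# generates the prime-order subgroup of size Q. Far too small for real use.
P, Q, G = 2039, 1019, 4


def hs(x: int) -> int:
    """Scalar hash H_s: map a group element to a scalar mod Q."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest(), "big") % Q


class Recipient:
    """Holds the private view key a and private spend key b; publishes (A, B)."""

    def __init__(self, view_secret: int, spend_secret: int):
        self.a, self.b = view_secret % Q, spend_secret % Q
        self.A, self.B = pow(G, self.a, P), pow(G, self.b, P)

    def scan(self, R: int, one_time: int):
        """Recompute the shared secret from the transaction key R with the view
        key. If the derived address matches the output, return the one-time
        private key x with G^x == one_time; otherwise the output is not ours."""
        shared = hs(pow(R, self.a, P))
        if pow(G, shared, P) * self.B % P != one_time:
            return None
        return (shared + self.b) % Q


def send_to(A: int, B: int, r: int):
    """Sender side: fresh randomness r gives the transaction key R = G^r and the
    one-time output address G^{H_s(A^r)} * B. Only R and the address go on chain;
    neither reveals B, so an observer cannot link the output to the recipient."""
    R = pow(G, r, P)
    shared = hs(pow(A, r, P))          # A^r == R^a, the Diffie-Hellman shared value
    return R, pow(G, shared, P) * B % P


if __name__ == "__main__":
    alice = Recipient(view_secret=17, spend_secret=29)   # constructed keys
    R, addr = send_to(alice.A, alice.B, r=101)            # constructed randomness
    x = alice.scan(R, addr)
    print("alice recognises output:", x is not None, "and G^x == addr:", pow(G, x, P) == addr)
    # Same view key but a different spend key cannot claim the output.
    print("impostor recognises output:", Recipient(17, 31).scan(R, addr) is not None)
    # A second payment to Alice gets an unrelated address.
    print("second payment address:", send_to(alice.A, alice.B, r=202)[1])
```

The view key alone lets a wallet (or an auditor it is shared with) detect incoming outputs, while spending still requires the spend key: the returned one-time private key is shared + b, and shared is all the view key can compute.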

Pros:

• Proven by time
• Relative simplicity

Cons:

• Proof generation and verification are slower than with ZK-SNARKs and ZK-STARKs
• Not resistant to attacks by quantum computers

Mimblewimble

Mimblewimble (MW) was conceived as a scalable technology for anonymizing transfers in the Bitcoin network, but found its implementation as an independent blockchain. It is used in the cryptocurrencies Grin and BEAM.

MW is remarkable in that it has no public addresses: to send a transaction, users exchange outputs directly, which removes any possibility for an outside observer to analyze transfers from address to address.

To hide the amounts of inputs and outputs, a fairly widespread protocol proposed by Greg Maxwell in 2015 is used: Confidential Transactions (CT). The amounts are not stored in the clear (strictly speaking, a commitment scheme is used rather than encryption), and the network operates on so-called commitments instead. For a transaction to be valid, the amount of coins spent must equal the amount of coins generated plus the fee. Since the network never operates on the numbers directly, this equality is checked as an equation over the commitments themselves, known as a commitment to zero.

In the original CT, non-negativity of the values (the so-called range proof) is guaranteed with Borromean ring signatures, which take up a lot of space in the blockchain (about 6 kilobytes per output). For this reason the large transaction size was counted among the disadvantages of anonymous currencies using this technology, but these signatures have since been abandoned in favor of a more compact construction, Bulletproofs.
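To make the commitment-to-zero check and the need for range proofs concrete, here is an added example in Python; it is not Grin or BEAM code and uses a constructed toy group (safe prime 2039, subgroup of order 1019) in place of secp256k1. The function names commit, kernel_excess and commits_to_zero are the example’s own, and the kernel signature over the excess is omitted. The last function shows the failure mode the range proof exists for: values live modulo the group order, so without a range proof a “negative” output lets a transaction balance while creating coins out of nothing.

```python
import hashlib

# Constructed toy group: safe prime P = 2*Q + 1. Squares mod P form the
# prime-order-Q subgroup. Far too small for real use.
P, Q = 2039, 1019


def _hash_to_subgroup(label: bytes) -> int:
    """Nothing-up-my-sleeve generator: hash the label to x and square it to land
    in the order-Q subgroup. Nobody knows log_G(H), which makes the commitment
    binding: a committed value cannot later be opened as a different one."""
    for i in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([i])).digest(), "big") % P
        if 1 < x < P - 1:           # excludes 0 and +-1, so x^2 is neither 0 nor 1
            return pow(x, 2, P)
    raise RuntimeError("no generator found")


G = _hash_to_subgroup(b"value-generator")
H = _hash_to_subgroup(b"blinding-generator")


def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^value * H^blind (mod P). The blinding factor
    hides the value; the homomorphism commit(v1,r1)*commit(v2,r2) == commit(v1+v2,r1+r2)
    is what lets the network check sums without seeing them."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P


def product(commitments) -> int:
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def kernel_excess(in_blinds, out_blinds) -> int:
    """Sender side: the 'excess' H^(sum r_in - sum r_out). In Mimblewimble it is
    published in the transaction kernel and doubles as a public key the sender
    signs with, proving knowledge of the blinding difference."""
    return pow(H, (sum(in_blinds) - sum(out_blinds)) % Q, P)


def commits_to_zero(in_commits, out_commits, fee: int, excess: int) -> bool:
    """Verifier side. The network never sees amounts; it checks
    prod(inputs) == prod(outputs) * G^fee * excess, i.e. that the difference
    is a commitment to the value zero."""
    lhs = product(in_commits)
    rhs = product(out_commits) * pow(G, fee, P) % P * excess % P
    return lhs == rhs


def valid_transfer() -> bool:
    """Spend 50 + 30, create 70 + 8, pay 2 in fee: 80 == 78 + 2 (constructed values)."""
    ins = [commit(50, 123), commit(30, 456)]
    outs = [commit(70, 789), commit(8, 101)]
    return commits_to_zero(ins, outs, 2, kernel_excess([123, 456], [789, 101]))


def inflation_attempt() -> bool:
    """Same inputs, but try to create 100 + 8 out of 80: the balance check fails."""
    ins = [commit(50, 123), commit(30, 456)]
    outs = [commit(100, 789), commit(8, 101)]
    return commits_to_zero(ins, outs, 2, kernel_excess([123, 456], [789, 101]))


def negative_output_slips_through() -> bool:
    """Why range proofs exist: Q - 5 acts as -5 in the exponent, so outputs of
    85 and '-5' sum to 80 and the balance equation still holds. Only a proof
    that every output lies in a small non-negative range (Borromean signatures,
    later Bulletproofs) blocks this."""
    ins = [commit(50, 123), commit(30, 456)]
    outs = [commit(85, 789), commit(Q - 5, 101)]
    return commits_to_zero(ins, outs, 0, kernel_excess([123, 456], [789, 101]))


if __name__ == "__main__":
    print("valid transfer accepted:", valid_transfer())
    print("inflation accepted:", inflation_attempt())
    print("negative output accepted without range proof:", negative_output_slips_through())
```

The first two checks return True and False as expected; the third returns True, which is exactly the hole a range proof closes, and the reason a compact range proof such as Bulletproofs matters so much for transaction size.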

In an MW block there is no notion of a transaction, only the outputs spent and generated in it. No transaction, no problem!

To prevent deanonymization of the participant at the moment a transaction is sent to the network, the Dandelion protocol is used: the transaction is passed along a chain of proxy nodes of arbitrary length before being broadcast to all participants, which obscures the path by which the transaction entered the network.

Pros:

• Small blockchain size
• Relative simplicity

Cons:

• Proof generation and verification are slower than with ZK-SNARKs and ZK-STARKs
• Features such as scripts and multi-signatures are difficult to implement
• Not resistant to attacks by quantum computers

Proofs on polynomials

ZK-SNARKs

The intricate name of this technology stands for “Zero Knowledge Succinct Non-Interactive Argument of Knowledge”, which can be rendered as “succinct non-interactive zero-knowledge proof”. It grew out of the Zerocoin protocol, which evolved into Zerocash and was first implemented in the Zcash cryptocurrency.

In general, a zero-knowledge proof allows one party to prove to another that some mathematical statement is true without disclosing any other information about it. In cryptocurrencies such methods are used to prove, for example, that a transaction does not produce more coins than it spends, without disclosing the transfer amounts.

ZK-SNARKs are very difficult to understand, and it would take more than one article to describe how they work. The official page of Zcash, the first currency to implement this protocol, devotes seven articles to describing it. Therefore in this section we limit ourselves to a surface-level description.

Using algebraic polynomials, ZK-SNARKs prove that the sender of a payment owns the coins being spent and that the amount of coins spent does not exceed the amount of coins generated.

This protocol was created to reduce the size of the proof of a statement’s validity while keeping verification fast. According to presentations by Zooko Wilcox, CEO of Zcash, a proof takes only 200 bytes and can be verified in 10 milliseconds. Moreover, in the latest version of Zcash the developers managed to reduce proof generation time to about two seconds.

However, before this technology can be used, a complex trusted setup of the “public parameters” is required, known as the “ceremony”. The whole difficulty is that the parameters must be set up so that no party ends up holding the private values behind them, the so-called “toxic waste”; anyone who did would be able to generate new coins. You can see how this procedure is carried out in a video on YouTube.

Pros:

• Small size of proof
• Fast verification
• Relatively fast proof generation

Cons:

• Complex procedure for setting public parameters
• Toxic waste
• Relative complexity of technology
• Not resistant to attacks by quantum computers

ZK-STARKs

The authors of the last two technologies are fond of playing with acronyms, and this one stands for Zero-Knowledge Scalable Transparent Arguments of Knowledge. The method was intended to fix the shortcomings ZK-SNARKs had at the time: the need for a trusted setup of public parameters, the presence of toxic waste, the vulnerability of the cryptography to quantum algorithms, and insufficiently fast proof generation. The ZK-SNARK developers have since dealt with the last drawback, however.

ZK-STARKs also use proofs based on polynomials. The technology does not rely on public-key cryptography, using hashing and information theory instead. Dropping those cryptographic primitives makes the technology resistant to quantum algorithms, but this comes at a price: a proof can be several hundred kilobytes in size.

At present ZK-STARK is not implemented in any cryptocurrency and exists only as the libSTARK library. However, its developers have plans that go far beyond blockchains (in their whitepaper the authors give an example of proving the presence of DNA in a police database). For this purpose the company StarkWare Industries was founded, which at the end of 2018 raised 36 million in investment from the largest companies in the industry.

You can read more about how ZK-STARK works in the posts of Vitalik Buterin (Part 1, Part 2, Part 3).

Pros:

• Resistant to attacks by quantum computers
• Relatively fast proof generation
• Relatively fast proof verification
• No toxic waste

Cons:

• Technology complexity
• Large proof size

Conclusion

Blockchain and the growing demand for anonymity pose new challenges for cryptography. Thus the branch of cryptography born in the mid-1980s, zero-knowledge proofs, has gained new and rapidly developing methods in just a few years.

So the flight of scientific thought has made CoinJoin obsolete and MimbleWimble a promising newcomer with fairly fresh ideas. Monero remains an unshakable giant guarding our privacy. And SNARKs and STARKs, although they have flaws, may become leaders in the field. Perhaps in the coming years the points we listed under “Cons” for each technology will become irrelevant.

Source: habr.com
