This is an overview of notable privacy-preserving blockchains. Some of these are blockchain-focused research projects in and of themselves, some are focused on private blockchain technology whilst also working in tandem on privacy-preservation technology with wider implications, and some are working on projects of which private cryptocurrencies are merely one potential use case. All of these projects have positive aspects as well as drawbacks – it is important to remember, when analyzing these projects, that they all operate on different scales and utilize different stacks, which, when compounded with wildly different user bases, leads to multiple solutions to the problems of creating privacy-preserving blockchain technology.
This document will focus on two long-standing blockchains – Monero and Zcash – as they are ‘battle tested’ and serve as good examples of both ends of the ‘spectrum’ of approaches to privacy-preservation.
The ‘original’ community-driven and privacy-centric blockchain is Monero. Its protocol, dubbed ‘CryptoNote’, was authored – in a similar fashion to the Bitcoin protocol – by an anonymous researcher (or group of researchers) identified pseudonymously as Nicolas Van Saberhagen. This protocol was then used in two short-lived blockchains before Monero was created from a fork of its previous incarnation – bitMonero – only five days after its deployment.
The Monero protocol implements three cryptographic techniques in order to maintain privacy-preservation: stealth addresses in order to obscure the party on the receiving end of a transaction, ring signatures in order to obscure the party sending a transaction, and ring confidential transactions in order to obscure the amount involved in a transaction. Stealth addresses are a “new anonymous one-time address as the destination that is not linked to the recipient’s public address”, created every time a transaction is sent, in order to avoid the public address appearing on the blockchain. This importantly bolsters the ‘unlinkability’ of Monero accounts: any two transactions that have in fact been sent to the same participant cannot be associated with each other, as they have been sent to different stealth addresses. Ring signatures essentially provide the continued fungibility of Monero, in that any one of a number of public keys could be the one that actually signed a given transaction. In other words, whilst Bitcoin transactions require a signature from the sender’s key (thus you can ‘track’ a Bitcoin from its current owner back to its original owner), Monero transactions are signed by one key out of a group, and you should not be able to tell which key ultimately signed it. As such, tracking the ownership of Monero is extremely difficult, especially when combined with the obfuscation afforded by stealth addresses and ring confidential transactions. Finally, ring confidential transactions – otherwise referred to as RingCT – hide the amount being sent in a given transaction from the blockchain by “applying a mathematical function to all funds such that public observers can see that the transactions are legitimate, but only the sender and receiver can know the actual amounts”, thus removing the potential for the sort of blockchain analysis by groups such as Chainalysis discussed in the previous post.
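To make the first two techniques concrete, the following is an added illustration (not code from the original post or from the Monero project): a CryptoNote-style stealth address derivation and a Schnorr/AOS-style ring signature, both written over a toy multiplicative group mod a prime instead of Monero's ed25519 curve, with SHA-256 standing in for Monero's hash-to-scalar. RingCT amount hiding is not shown.

```python
import hashlib
import secrets
# Toy cyclic group: multiplicative group mod a 255-bit prime, generator 2.
# Monero itself uses the ed25519 curve; this group is for illustration only.
P = 2**255 - 19
G = 2
N = P - 1                                     # scalars are reduced mod the group order

def H(*parts):                                # hash-to-scalar, stands in for Monero's H_s
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

# Stealth address: one-time destination P = H(r*A)*G + B hides the receiver.
def stealth_address(view_pub, spend_pub):
    r = secrets.randbelow(N - 1) + 1
    R = pow(G, r, P)                          # tx public key, published in the tx
    shared = H(pow(view_pub, r, P))           # sender side: H(r*A)
    return R, pow(G, shared, P) * spend_pub % P

def scan(view_priv, spend_pub, R, one_time):  # only the view-key holder recovers H(a*R)
    shared = H(pow(R, view_priv, P))
    return pow(G, shared, P) * spend_pub % P == one_time

def one_time_priv(view_priv, spend_priv, R):  # spend key for the one-time address

    return (H(pow(R, view_priv, P)) + spend_priv) % N

# Ring signature (Schnorr/AOS style): any ring member could have signed, hiding the sender.
def ring_sign(msg, ring, j, priv):
    n = len(ring)
    k = secrets.randbelow(N - 1) + 1
    c, s = [0] * n, [0] * n
    c[(j + 1) % n] = H(msg, pow(G, k, P))     # start the loop at the real signer j
    i = (j + 1) % n
    while i != j:                             # forge every other member with a random s_i
        s[i] = secrets.randbelow(N)
        c[(i + 1) % n] = H(msg, pow(G, s[i], P) * pow(ring[i], c[i], P) % P)
        i = (i + 1) % n
    s[j] = (k - c[j] * priv) % N              # close the ring with the real private key
    return c[0], s

def ring_verify(msg, ring, sig):
    c0, s = sig
    c = c0
    for i in range(len(ring)):
        c = H(msg, pow(G, s[i], P) * pow(ring[i], c, P) % P)
    return c == c0                            # holds for exactly one consistent loop
```

A verifier running ring_verify learns that one of the ring's keys signed, but nothing distinguishes index j from the forged positions.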
The only potential drawback to Monero is that its strong privacy features make it more difficult to run and develop wallets – with no hardware wallet support to date – which makes using it a less user-friendly experience, potentially harming larger-scale adoption. It has privacy ‘baked in’, thus not allowing a single user’s mistake to harm the overall privacy of the blockchain, and whilst there were some reported issues early on, these were swiftly patched.
Zcash – Monero’s main contender in the early days of the cryptocurrency hype – offers many of the same features as Monero: hiding the sender, receiver, and amount of a transaction from public viewing. It does this by implementing Zero-Knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs), a particular instance of a zero-knowledge proof system. Whilst on paper Zcash seems far stronger than Monero – zero-knowledge proofs are the subject of much academic attention, and it lacks the disadvantage that Monero has when it comes to wallet development and maintenance – it has several drawbacks in this comparison.
Zcash, as it uses zk-SNARKs, relies on a ‘Trusted Setup’. This setup took the form of a ceremony in which the “public parameters” used for transaction construction and verification were generated. The information used to generate these parameters, however, must remain secret in order to prevent malicious parties from using it to construct proofs for Zcash they do not legitimately own. As such, the information used in the setup – referred to as “toxic waste” – must be destroyed. As it is impossible to prove with computational certainty that this did in fact occur, there remains a certain amount of skepticism in the currency, as it relies on an element of non-verifiable trust. Whilst Zcash has worked towards resolving this with Multi-Party Computation (MPC) ceremonies, this problem cannot be entirely resolved. One thing to note, however, is that this attack vector does not relate to the blockchain’s ability to provide privacy; rather, it would allow a malicious actor to create essentially unlimited amounts of Zcash. If this were discovered, it would catastrophically depreciate the value of the currency and thus render the privacy-preservation of Zcash a moot point, and as such the possibility of this occurring in the future has led to a certain wariness in adopting it as a financial instrument.
Furthermore, Zcash has two address types: ‘z’ addresses, which are private, and ‘t’ addresses, which are transparent in the manner of Bitcoin. The latter type, as well as being used for transactions with exchanges, is also less expensive than the former due to being less computationally intensive. Furthermore, most Zcash wallets default to using ‘t’ addresses, and this leads to a situation in which transactions are only private in the manner offered by Monero when both parties use ‘z’ addresses. Many users therefore do not know whether their transactions are in fact fully private and can easily make a mistake when getting used to the wallet interfaces. As such, it would be possible for some blockchain analysis to occur, potentially allowing for greater address linkage and coin tracking in the future. Used properly, however, Zcash transactions are theoretically totally private.
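The following is an added illustration (not from the original post and not Zcash project code) of what the ‘t’/‘z’ split means to an on-chain observer: it classifies each transaction of a constructed sample history as transparent, shielding, deshielding or fully shielded, reports which of sender, receiver and amount are exposed, and applies the common-input-ownership heuristic used in blockchain analysis to show that transparent addresses co-spent in one transaction become linkable while a shielded hop breaks the chain. The sample transactions and address names are constructed; only the prefix convention (t1 transparent, zs shielded) follows Zcash.

```python
from collections import defaultdict
# Constructed sample history (not real Zcash data). Prefixes follow Zcash conventions:
# "t1..." is a transparent address, "zs..." a shielded (Sapling) address.
# Shielded amounts are None because they are not visible on chain.
SAMPLE_TXS = [  # (txid, inputs, outputs); each entry is (address, amount)
    ("tx-a", [("t1Exchange", 5.0)], [("t1Alice1", 4.9)]),              # transparent withdrawal
    ("tx-b", [("t1Alice1", 4.9)], [("zsAlice", None)]),                # shielding: t -> z
    ("tx-c", [("zsAlice", None)], [("zsBob", None)]),                  # fully shielded: z -> z
    ("tx-d", [("zsBob", None)], [("t1Bob1", 1.0)]),                    # deshielding: z -> t
    ("tx-e", [("t1Bob1", 1.0), ("t1Bob2", 0.5)], [("t1Shop", 1.4)]),  # co-spend of two t-addresses
]

def is_shielded(addr):
    return addr.startswith("z")

def classify(inputs, outputs):
    in_t = any(not is_shielded(a) for a, _ in inputs)
    out_t = any(not is_shielded(a) for a, _ in outputs)
    if not in_t and not out_t:
        return "shielded"
    if in_t and out_t:
        return "transparent"
    return "shielding" if in_t else "deshielding"

def exposure(inputs, outputs):
    """Which of sender / receiver / amount an on-chain observer sees for this tx."""
    kind = classify(inputs, outputs)
    return {"sender": kind in ("transparent", "shielding"),
            "receiver": kind in ("transparent", "deshielding"),
            "amount": kind != "shielded"}     # a transparent side always exposes value

def cluster_transparent(txs):
    """Common-input-ownership heuristic: transparent addresses spent together in one
    tx are assumed to share an owner. A shielded hop carries no address, so it breaks the chain."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            a = parent[a]
        return a
    for _, inputs, _ in txs:
        roots = [find(a) for a, _ in inputs if not is_shielded(a)]
        for r in roots[1:]:
            parent[r] = roots[0]
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]

def linkable(txs, addr_a, addr_b):
    return any(addr_a in c and addr_b in c for c in cluster_transparent(txs))
```

Only tx-c hides all three fields; every transaction touching a ‘t’ address leaks at least the amount, and tx-e ties Bob's two transparent addresses together for anyone reading the chain.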
Ultimately, both blockchains are, when used with the proper caution, privacy-preserving to a great extent. They stand – as previously noted – as strong examples of the sorts of technology offered by privacy-preserving blockchains.