Good News for Privacy on Bitcoin and Ethereum
The past few months saw the development of some new, exciting privacy technologies for both Bitcoin and Ethereum; Confidential Transactions, Reusable Payment Codes, zk-SNARKs and Ring Signatures. This revives the hope that cryptocurrency will give humanity financial privacy.
In case you didn’t know, privacy and cryptocurrencies are in most cases a tragedy. If you look at Bitcoin and Ethereum, nothing is private at all. That is not an accident, but part of the basic concept of blockchain currencies.
The whole idea of Bitcoin and other blockchain money is that every peer in the network checks the validity of every transaction and every block. To do so, everybody must be able to know who sends how many coins to whom. Everything needs to be fully transparent. Obviously, this is the radical opposite of anonymity and privacy.
Whenever you do business with blockchain money, you should be aware that not only your business partner, your bank, and your government knows what you do; everybody knows. And, worse, thanks to blockchain analysis technologies, everybody does not just know your last transaction, but potentially your whole financial affairs. It’s not so hard to combine blockchain data to merge addresses and inputs to the whole story of your wallet.
There are some cryptocurrencies with advanced privacy, most notable Monero and Zcash. However, there are also some technologies in development to increase privacy on major blockchains like Bitcoin and Ethereum. In this article, we will take a look at these developments.
In short; a new algorithm called “Bulletproof” significantly reduces the size of Confidential Transactions, and Stash releases a mobile wallet for Bitcoin and Bitcoin Cash, which deploys Reusable Payment Codes. Meanwhile, after the Metropolis hard fork, Ethereum is able to hide the content of a contract with the zk-SNARK zero-knowledge proof and to deploy Ring Signatures to break the transaction chain in a contract.
All of these are extremely promising technologies with the potential to provide full anonymity in cryptocurrency transactions.
Bitcoin: Confidential Transactions and Stealth Addresses
To understand Confidential Transactions, a good starting point could be to imagine you play rock-paper-scissors via email. At first glance, this is impossible. When you write “rock,” your partner will answer “paper,” and when you write “scissors,” your partner will answer “rock.” Such games require the players to be co-present.
However, smart cryptographers have found a solution to play games like rock-paper-scissors, coin flipping or poker via email. To do so, they developed so-called “commitments” – functions, to commit to a certain value, but keep it secret until you want to disclose it. Imagine it like both players putting their votes in a closed box, exchange the boxes and then the key to open them. An easy way to construct such a commitment is to hash your value, so that your partner can’t read it, but later when you disclose it, validate that you say the truth.
Confidential transactions is a technology to adopt this method to Bitcoin transactions. It uses several cryptographic technologies, like Pedersen Commitments, to construct such a commitment in a Bitcoin transaction. Confidential Transactions improve the privacy of Bitcoin “by making the transaction amounts private, while preserving the ability of the public network to verify that the ledger entries still add up,” as Gregory Maxwell explains.
The magic of Confidential Transactions is that it hides the amount someone sends, while at the same time enables everybody else to check if the transaction is valid. This is possible because you can subtract the commitments from each other. So you take the input-commitment and the output-commitment, subtract one from the other, and if the result is zero, the transaction is valid.
To use a simple analogy; take the formula (4+3) – (5+2) = 0. It remains the same when you throw away the details and simplify to 7 – 7 = 0. So you can prove that the formula is valid without knowing every detail.
Confidential transactions are a possible method to hide the amount which has been sent by a bitcoin transaction. While disclosing the sending and receiving address, it is not a silver bullet for privacy, but a part of the solution. For example, a combination of Confidential transactions and mixing technologies like JoinMarket could result in a state close to complete anonymity.
Confidential Transactions was first proposed by Adam Back, further developed by Gregory Maxwell and implemented on Blockstream’s Elements Sidechain. Confidential Transactions could be deployed via a soft fork, by putting them in ‘anyone can spend’ addresses, similar to SegWit, but would be a bit more complicated and confusing, as non-updated nodes would simply fail to know that the bitcoins did move at all, so the whole network would lose consistency of the UTXO set.
Another downside of Confidential Transactions is that transactions are quite large. A standard transaction requires about 200 bytes of space. A standard Confidential Transaction, as it was outlined by Gregory Maxwell and others, would increase the required space by a factor of 60. So a Confidential Transaction would need around 10 kilobytes of blockchain space.
Cryptographers from Stanford University, Benedikt Bünz and Jonathan Bootle, cooperated with Blockstream to research methods to make Confidential Transactions more space efficient. On November 14, Maxwell presented the amazing results in the Bitcoin mailing list. An algorithm called “Bulletproof” drastically reduces the required space for Confidential Transactions:
“This cuts the bloat factor down to ~3x for today’s traffic patterns. Since the scaling of this approach is logarithmic with the number of outputs, use of CoinJoin can make the bloat factor arbitrarily small. E.g., combining 64 transactions still only results in a proof under 1.1KB, so in that case the space overhead from the range proof is basically negligible.”
Core developer and Blockstream employee Pieter Wuille commented, “Bulletproofs are an amazing discovery that fundamentally changes what is possible.” However, it is hard to say, when Confidential Transactions will come to Bitcoin – if ever, since it fundamentally changes some aspects of Bitcoin, which could be highly relevant to issues of regulation.
Reusable Payment Codes
One of the standard recommendation for Bitcoin users is never to use the same address twice. The reason for this is simply that merely using the same address twice reveals a lot of your financial affairs publicly on the blockchain.
For many users, this is not such an easy requirement. For example, if you have a tip address on your blog, get repeating payments from one party or just don’t want to post or send a new address every time you request money, for example, because your node or wallet is not where you are, it is complicated not to use the same address several times.
The newly released Android SPV wallet Stash, which supports both Bitcoin as well as Bitcoin Cash, offers a solution to this problem; it implements Reusable Payment Codes as outlined in BIP 47. “Our payment address innovation gives users a single, re-usable address for payments and messaging that prevents blockchain observers from viewing transaction history,” the wallet developers explain.
The BIP explains how it works. Basically, if you want to receive payments, you can publish your Reusable Payment Code on your blog or Twitter. Based on this code it is possible to derive a lot of addresses for which the private key is known by the owner of the Reusable Payment Code. If someone wants to send them funds, they publish a one-time notification address, containing their own paycode. After this has happened, both sender and receiver can derive a nearly infinite number of deposit addresses, which are only used by the sender. So it is possible to identify the sender of funds, while an observer is unable to connect the addresses derived from the payment code.
Ethereum: Privacy inside of the Contract
The approach of Ethereum to privacy is somehow different. With the success of the first part of the Metropolis hard fork, it became possible to integrate more cryptographic operations in smart contracts. This enables several privacy enhancing technologies to be deployed inside a smart contract. While this does not change the underlying privacy properties of ether transactions, it enables the creation of nearly complete private transfers inside a smart contract.
Currently, mostly two kinds of technologies are discussed and implemented; zk-SNARKs and Ring Signatures.
Zk-SNARKs are the zero-knowledge proofs deployed by Zcash. “‘Zero-knowledge’ proofs allow one party (the prover) to prove to another (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself,” the website of Zcash writes.
Zcash uses zk-SNARKs to determine “the validity of a transaction according to the network’s consensus rules … without revealing any of the information it performed the calculations on.” This is done by “encoding some of the network’s consensus rules in zk-SNARK.”
Zk-SNARKs are like Confidential transactions, but better; they do not just hide the amount that is sent in a transaction, but also sender and receiver, while at the same time allowing nodes to be able to verify the validity of a transaction.
In Ethereum this cannot be used for ether transactions. But since the Metropolis hard fork, it is possible to deploy it to hide the content of a smart contract. For example, take a simple ERC20 contract, which manages the creation and the sending and receiving of tokens on the Ethereum blockchain. If you use zk-SNARKs for it, it would be possible to hide every operation inside the contract, especially the transfer of token. The miners and nodes know that some function of the contract is executed and that this is correct, but they don’t know what exactly happens.
Another example for the use of zk-SNARKs is a voting contract, in which each token holder can vote on something, and you can verify, if every holder voted only once, without disclosing who voted for what. If you want to use blockchain for democratic elections, this could be a breakthrough.
How zk-SNARKs work exactly is a complicated topic. There are interesting technical guides on the website of Zcash, a three post series of Vitalik Buterin and an introduction of Christian Reitwiessner from the Ethereum foundation. Also, there already is a library deploying zkSNARKs for Solidity smart contracts called ZoKrates. It’s creator, Jacob Eberhardt, already predicts the rise of ‘Zapps’; privacy-centric decentralized applications on Ethereum.
However, zk-SNARKs have a downside; they need a lot of space and computational power to be processed. In the first demo implementations on Ethereum, a simple zk-SNARKs contract costs around $10 alone for gas. Even with improvements, like recently done by the bank ING, the zero-knowledge proofs are still expensive.
This is where Ring Signatures step in.
Ring Signatures are the basic privacy tech deployed by the cryptocurrency monero. Ring Signatures are a cryptographic technology first introduced in 2001. It enables any member of a group of users to perform a digital signature, that can be proven to be made by a member of this group, while it is impossible to determine by which member of the group.
In Monero Ring Signatures are used to sign transactions in a way that an observer cannot tell which of a possible group of signers sent the transaction. This breaks the chain of sender and receiver and makes monero transactions untraceable.
Recently a developer used the cryptographic operations enables by Metropolis to write a Ring Signature contract for Ethereum. This is some kind of mixing contract, in which the participating addresses build a group. After they transferred from the contract, it is not possible to determine which member of the group sent the funds. This process can easily be done with ether as well as an individualized token.
Currently, the contract only exists on the Ropsten testnet. Maybe in the near future, it will be deployed on the main net, as part of a decentralized mixer on Ethereum. It is not as effective as zk-SNARKs to break the chain of transactions, as there are some possible privacy disclosing attacks on Ring Signatures, but it helps to improve privacy, while the costs of contract execution are significantly lower than with zk-SNARKs.