How Zcoin’s privacy technology compares to the competition
This post will hopefully give you a brief overview of the major blockchain privacy mechanisms that are implemented in cryptocurrencies today and in particular how the Zerocoin protocol used in Zcoin stacks up.
Blockchain privacy is particularly difficult to achieve because a public blockchain is designed so that all transactions are transparent and the supply of coins can be publicly verified. Privacy mechanisms have to preserve these properties, so there is an inherent tension between protecting privacy and maintaining public verifiability. To understand the innovation behind Zerocoin, we need to examine the history of blockchain privacy.
Cryptocurrency Tumblers and Coinjoin
As used in: Dash
- Works on top of most cryptocurrencies without the need for specific consensus rules
- Relatively simple to implement
- Basic anonymity
- Requires mixers to be online
- Earlier implementations involve trust in a third party mixer
One of the first methods people used to achieve this was cryptocurrency tumblers. They work by mixing your funds with other people's: your coins are sent to other people and their coins are given to you. An easy way to visualize this is a group of people each putting the same number of coins into a common pot, mixing it up and then taking back the same number of coins they started with. The idea is that it is now hard to prove whose coin originally belonged to whom, thus providing some degree of privacy. This comes with several drawbacks, foremost that you need to trust the tumbler not to steal your coins.
Coinjoin is an improvement on this mixing idea that removes the possibility of the tumbler stealing the coins; it was popularly used in Darkcoin (now known as Dash). However, there are still many drawbacks with Coinjoin.
cluster intersection attacks.
Other improvements to CoinJoin, such as CoinShuffle++, removed the need for a trusted third party but are still subject to the other drawbacks of CoinJoin, namely a limited anonymity set and the requirement that participants be online.
The main benefit of Coinjoin type schemes is that they are relatively simple and work on top of the cryptocurrency without the need to use specific consensus rules. With appropriate precautions, CoinJoin can provide a basic degree of anonymity.
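As an added illustration (not code from the original post, from Dash, or from any CoinJoin implementation), the following Python function takes the input and output amounts of a planned CoinJoin and works out which inputs could have funded each output. It uses a simplified model that is an assumption here: one input per participant, no fee, and each participant's input exactly balances the outputs they own. It shows concretely what "appropriate precautions" means: outputs of a common denomination inherit the full anonymity set, while a change output that only one input can balance is linked straight back to its owner, and a join of distinct amounts mixes nothing at all.

```python
from itertools import product


def output_anonymity_sets(inputs, outputs):
    """For each output, return the set of input indices that could have funded it.

    Model (an assumption for this illustration): one input per participant, no
    fee, and a participant's input value equals the sum of the outputs they own.
    Every assignment of outputs to inputs that balances is considered possible,
    so an output's candidate set is its anonymity set under amount analysis.
    Brute force over len(inputs) ** len(outputs) assignments; fine for small joins.
    """
    if sum(inputs) != sum(outputs):
        raise ValueError("inputs and outputs must balance in this fee-free model")
    candidates = [set() for _ in outputs]
    for owner in product(range(len(inputs)), repeat=len(outputs)):
        paid = [0] * len(inputs)
        for out_idx, in_idx in enumerate(owner):
            paid[in_idx] += outputs[out_idx]
        if paid == list(inputs):                 # a consistent sub-transaction split
            for out_idx, in_idx in enumerate(owner):
                candidates[out_idx].add(in_idx)
    return candidates


def weakest_output(inputs, outputs):
    """Smallest anonymity-set size across all outputs (1 means fully linked)."""
    return min(len(s) for s in output_anonymity_sets(inputs, outputs))


if __name__ == "__main__":
    # Constructed sample: three participants mix a 10-unit denomination;
    # two of them take change (2 and 5) because their inputs were larger.
    inputs = [12, 15, 10]
    outputs = [10, 10, 10, 2, 5]
    for out, cands in zip(outputs, output_anonymity_sets(inputs, outputs)):
        print(f"output {out:>3}: could belong to inputs {sorted(cands)}")
    # Distinct amounts give no mixing at all: each output is linked to one input.
    print("weakest output, unequal join:", weakest_output([10, 20], [10, 20]))
```

The model deliberately ignores fees, timing, address reuse and network-level leaks, so a large anonymity set here is a necessary condition for privacy, not a sufficient one; the useful check is the other direction, where `weakest_output` returning 1 tells you the planned join leaks a link before it is broadcast.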
Tumblebit is also a very promising improvement over Coinjoin-type schemes but is beyond the scope of this article. It is, however, a privacy scheme that is not implemented at the protocol level, and it still requires other people to make their funds available for mixing, in contrast to the other schemes covered below. Its main benefit, as with Coinjoin, is that it can be implemented on top of Bitcoin or any other coin derived from Bitcoin without any requirement to change the protocol.
Cryptonote and Ring Signatures
As used in: Monero, AEON
- No need for a mixer and mixing is done automatically
- Can be implemented with privacy on by default
- Anonymity increases as time passes as outputs become the new inputs of new mixes
- Hides transaction amounts when implemented with RingCT
- Well researched cryptography
- Scalability issues because of large transaction sizes and a non-prunable blockchain
- Risks of blockchain being deanonymized in the future or through incorrect implementations
- Cannot take advantage of existing Bitcoin ecosystem and requires separate integration work
- Ring size is practically limited
The next anonymity scheme we will explore is ring signatures, as used in Cryptonote currencies such as Monero, which greatly improve anonymity over Coinjoin-type schemes. A ring signature proves that someone from a group of people signed the transaction without revealing which person it was. One commonly proposed use case of ring signatures is to provide an anonymous signature from a “high ranking White House official” without revealing which official signed the message.
Cryptonote uses ring signatures in a way whereby a user can craft a transaction and use the outputs of other similar transactions on the blockchain automatically to form the inputs to a ring signature transaction so that it is unclear which input belongs to the person actually doing the transaction. It does this automatically without requiring other users to specify that they wish to mix and does not need to wait for other people to provide funds since it’s just scanning the blockchain for those outputs to use. As there is no mixer, there’s no mixer you need to trust. Monero also recently implemented RingCT (Ring Confidential Transactions) which hides transaction amounts as well.
discrete logarithm problem is widely used in cryptography and it is expected that discrete logarithms will remain viable until the age of quantum computing.
Despite these drawbacks, Cryptonote has proven itself to be one of the better and more thoroughly reviewed privacy technologies available. The only instances where it has been publicly deanonymized arose from improper implementation, such as the Shadowcash fiasco, or from the use of mixin-0 transactions in Monero, which caused a cascade effect that rendered 87% of inputs traceable (https://eprint.iacr.org/2017/338); the latter has since been mitigated for newer transactions. Cryptonote solves many of the problems of cryptocurrency tumblers and offers good anonymity at the cost of scalability, with large transaction sizes and a non-prunable blockchain.
Zerocoin and Zcoin
As used in: Zcoin, PIVX
- No need for a mixer
- Very high anonymity in the many thousands (if not more) with a single mint and spend transaction and completely breaks transaction links between addresses.
- Retains supply auditability
- Uses well researched cryptography
- Proof sizes are currently large
- Requires a trusted setup
- Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.
- Some care is required when doing Zerocoin mints and spends.
We now come to Zerocoin as implemented in Zcoin. Unlike the previous anonymity schemes which involve obscuring the real transactions with other inputs or transactions, the Zerocoin protocol completely breaks the transaction links between coins through the use of zero knowledge proofs.
In simple terms, a zero knowledge proof is a proof you did something or know something without revealing any other information other than you did it. For example, proving that you know a password without actually revealing the password.
Zerocoin works by allowing you to burn coins (known as a Zerocoin mint) and then later redeem an equivalent number of brand new coins (known as a Zerocoin spend). These coins appear with no prior transaction history and are similar to newly mined coins. The zero-knowledge proof is used to prove that you indeed burnt coins, without revealing which specific coins you burnt, and that you are therefore entitled to redeem an equivalent number of new, clean coins.
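As an added worked example (not code from the original post or from the Zcoin, Monero or Cryptonote projects), the block below implements two of the primitives this article describes, in a toy prime-order group that it generates at start-up: a Schnorr-style ring signature of the kind the Cryptonote section describes, where a verifier learns that one ring member signed but not which, and a non-interactive Schnorr proof of knowledge of a discrete logarithm, which is the simplest form of the zero-knowledge proof described above (you prove you know the secret x behind y = g^x without revealing x, the "password" example made concrete). The group parameters, the SHA-256 challenge hash and every function name are assumptions for the demonstration. Real deployments use elliptic-curve groups, Cryptonote additionally attaches a key image to each ring signature so that two spends of the same output can be detected, and Zerocoin's actual proof is a more involved accumulator-membership proof built from the same Schnorr-style building blocks; none of those are implemented here.

```python
# Added illustration: toy ring signature and Schnorr ZK proof; all parameters are assumptions.
import hashlib
import secrets

_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # deterministic for n < 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 using the fixed bases above."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=62):
    """Deterministically find p = 2q + 1 with p and q prime, q just above 2**bits."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()   # toy-sized modulus and prime subgroup order (assumption: not a real curve)
G = 4                 # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup

def hash_to_zq(msg, *values):
    """Fiat-Shamir challenge: hash the message and group elements into Z_Q."""
    data = msg + b"".join(v.to_bytes(16, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Secret key x in [1, Q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def ring_sign(msg, ring, signer, x_signer):
    """Schnorr-style ring signature: proves some ring member signed, not which one.
    Walk the ring starting after the signer, picking random responses for every
    other member, then close the loop with the signer's secret key."""
    n = len(ring)
    e = [0] * n
    r = [0] * n
    a = secrets.randbelow(Q - 1) + 1
    e[(signer + 1) % n] = hash_to_zq(msg, pow(G, a, P))
    i = (signer + 1) % n
    while i != signer:
        r[i] = secrets.randbelow(Q)
        t = pow(G, r[i], P) * pow(ring[i], e[i], P) % P
        e[(i + 1) % n] = hash_to_zq(msg, t)
        i = (i + 1) % n
    r[signer] = (a - x_signer * e[signer]) % Q   # closes the ring: g^r_s * y_s^e_s = g^a
    return e[0], r

def ring_verify(msg, ring, signature):
    """Recompute the challenge chain around the whole ring; it must close on e_0."""
    e0, r = signature
    if len(r) != len(ring):
        return False
    e = e0
    for y, r_i in zip(ring, r):
        e = hash_to_zq(msg, pow(G, r_i, P) * pow(y, e, P) % P)
    return e == e0

def zk_prove(x, y):
    """Non-interactive Schnorr proof of knowledge of x with y = g^x; reveals nothing about x."""
    k = secrets.randbelow(Q - 1) + 1
    t = pow(G, k, P)
    c = hash_to_zq(b"schnorr", t, y)
    return t, (k + c * x) % Q

def zk_verify(y, proof):
    """Accept iff g^s == t * y^c for the recomputed challenge c."""
    t, s = proof
    c = hash_to_zq(b"schnorr", t, y)
    return pow(G, s, P) == t * pow(y, c, P) % P

if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]
    ring = [y for _, y in keys]
    sig = ring_sign(b"spend output #7", ring, 2, keys[2][0])
    print("ring signature valid:", ring_verify(b"spend output #7", ring, sig))
    x, y = keys[0]
    print("zk proof valid:", zk_verify(y, zk_prove(x, y)))
```

Two properties are worth checking for yourself: `ring_verify` runs the same loop for every ring position and never learns which `r[i]` was derived from a secret key, and the `(e0, r)` tuple has the same distribution whichever member signed, which is exactly the "one of these people, but not which" guarantee Cryptonote relies on. Likewise a `zk_prove` transcript for `y` is accepted only with the matching `x` but contains nothing that pins `x` down, which is the property Zerocoin uses to let a spender show they minted some coin without saying which.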
new trusted setup ceremony.
zkSNARKs are relatively weak.
The other main drawback of Zerocash is that, due to the complex math required, generating a private transaction takes significantly longer than in any of the previous privacy schemes, approaching a minute on a powerful computer and much longer on lesser systems. This makes people less likely to use its privacy features and may also exclude less powerful systems such as mobile devices.
So although Zerocash offers potentially the highest anonymity, it does this at the cost of supply auditability, combined with a complicated trusted setup, the use of new cryptography and a long generation time for private transactions. The Zcash team is, however, conducting research on zkSTARKs (the replacement for zkSNARKs), which do not require a trusted setup and use stronger cryptography. To date, however, zkSTARKs are impractical to use as each proof is several hundred kilobytes.
Evaluating Other Privacy Schemes, and Why Isn’t My Favorite Privacy Coin Featured in This Article?
All of the blockchain privacy schemes listed here are well reviewed by researchers and their concepts are well understood. There are many coins in the privacy space, but only a handful really protect privacy. These are the key questions to ask when coming across a new privacy mechanism:
- Does it offer privacy on the blockchain? Some privacy coins market themselves as providing privacy but offer no privacy at all on the blockchain (see also this article on how protecting your IP address/TOR alone is insufficient).
- Is the privacy mechanism written by experts and reviewed? Check whether their privacy scheme was vetted by cryptographers and has academic papers referencing it! Many are just cooked up by developers or programmers without any history in cryptography or information security. Implementing privacy technology correctly is generally not easy, and even world-class cryptographers make mistakes.
- Is it merely a rebrand of existing technology? Some projects rename existing privacy schemes with their own names and pass it off as their own. This is acceptable if they disclose the original privacy technology behind it.
- Does it involve centralized trust? If a privacy scheme relies on you trusting someone else to protect your privacy, it is generally a poor privacy scheme.
- Does the team understand the cryptography behind these schemes? This is hard to determine unless you’re an expert yourself. Check their team to see if there is anyone with cryptography credentials on their team or on their list of advisors.
Grin, an upcoming altcoin that implements MimbleWimble, is an interesting and promising scheme but has yet to be launched and is therefore not covered in this article.
Every anonymity scheme has its own set of benefits and trade-offs, and we believe that continuous exploration and research of these privacy schemes can only serve to improve blockchain privacy as a whole. We at Zcoin strongly believe that the Zerocoin protocol compares very favorably to other anonymity schemes by providing a very well rounded anonymity package, giving very strong anonymity using proven cryptography while remaining scalable and auditable. We continue to research ways to further improve Zerocoin.