Crypto and the privacy-transparency tradeoff

by Blocks99

4 months ago

Bitcoin has introduced the most transparent record of transactions ever, enabling third-party accounting on a blockchain network. Yet there will always be a privacy-transparency tradeoff.

Some say Bitcoin transactions are anonymous, but the privacy-transparency tradeoff is undeniable. In fact, it is the most transparent money in the world, compared to cash and other kinds of money. Anyone can see details of a transaction on Bitcoin or Ethereum and many other public blockchains. For instance, if Bob sends 1.5 ETH to Alice, the network records as follows:

  • Transaction hash (ID)
  • Bob’s wallet address (sender)
  • Alice’s wallet address (recipient)
  • Bob sends to Alice 1.5 ETH
  • Transaction fee 0.0001 ETH

Figure A: privacy-transparency tradeoff

Figure A: Transaction record on Ethereum network

However, people don’t know who the actual owner of a Bitcoin address is. Because of transparency of transaction tracking and anonymity of address owner’s identity, Bitcoin is considered pseudonymous. This can lead to problems under some circumstances. For example, in financial and banking transactions, account holders must be identified. However, their transaction information is revealed to authorized and involved parties only, not publicly exposed. That is why privacy coins are an interesting concept in the cryptocurrency space. There are dozens of such coins. Several well-known ones include Monero, Dash, Zcash, Komodo, Verge, Grin and Beam. Blocks of those networks, record all inputs (senders) and all outputs (receivers), but don’t specify their mapping, i.e. don’t clarify who has transferred funds to whom, as in the case of Bob and Alice.

Figure B: Transaction record on Dash network

Figure C: privacy-transparency tradeoff

Figure C: Transaction record on Beam network

Unfortunately, instead of developing protocols to fit the banking industry, privacy coins aim to avoid governmental oversight and facilitate confidential transactions such as money laundering activities and illicit financing. That is why several large exchanges have delisted Monero, Dash and Zcash to comply with certain regulations.

Privacy of transactions is a necessity of banking systems. On the other hand, transparency is essential for accounting and auditing. On public blockchains like Bitcoin and Ethereum, everything is transparent. There is always a tradeoff between privacy and transparency.

However, privacy should be distinguished from confidentiality. Privacy ensures that transaction information is distributed to certain involved parties and not made publicly available, but can be shown to authorities on request. In contrast, confidentiality means that no one can know the full record of a transaction except the sender and the receiver. Certain details may even disappear forever after some days. Obviously, a confidential transaction satisfies privacy but not vice versa. Banking and financial services need privacy and transparency, but not the confidentiality that privacy coins offer.

Harmony says it aims to develop a concept of “auditable privacy” in 2020, but does not specify precisely what is meant by auditability and privacy. However, it revealed that ZPKs (BulletProof) are investigated for implementation, attached to confidential transaction and multilevel signature technology. Incognito, on the other hand, is developing a decentralized platform for issuing privacy coins, based on fundamentals of ZPKs, homomorphic encryption, ring signature and confidentiality technologies. Some progress has been made. Nevertheless, privacy versus transparency (auditability/traceability) remains a tradeoff. Technically, making them balanced and scalable is difficult, and combining multiple privacy techniques can possibly result in incompatibility and ineffectiveness.

How can Bitcoin deal with the privacy vs. transparency dilemma? All transactions on the Bitcoin Network can already be tracked and traced. Whenever people want to buy or cash out bitcoins (or alternative coins) for fiat, they must access crypto-fiat or over the counter (OTC) exchanges. Know your customer (KYC) is a simple procedure to comply with anti-money laundering (AML) regulations. KYC allows exchanges to identify an individual in connection with one or several Bitcoin addresses. Then, privacy is guaranteed by the firms while transparency is preserved. This is what Coinbase and other crypto exchanges have done for regulatory compliance.

Some authors argue that presently existing privacy coins should be renamed “anonymous coins.” In practice, if an illegal operator wants to use a privacy coin like GRIN or BEAM, he or she still needs to cash out somewhere. That’s why fiat gateways are the bottleneck and/or barrier for money laundering. This, combined with low liquidity and harder regulations on crypto exchanges, makes privacy or anonymous coins unattractive for money laundering and illicit financing.

Capacity to support regulatory compliance (including AML) is a must for blockchains to achieve mass adoption. Zcash and Dash are planning to develop protocols that enable privacy in an optional layer along with suitable tracking ability. A dark future is waiting for anonymous coins that fully support confidential transactions without traceability.

Privacy protocols in blockchain: an overview

Privacy ensures that only certain parties – sender, receiver, transaction verifier, record keeper and authorities – are granted access to the transaction information, not the public. Confidentiality means that no one can know transaction details except the sender and the receiver.

Note that complete transparency in Bitcoin has merits, but exposing all transaction information to the public is not suitable for banking services and many other fields. Developers and researchers have addressed the issue and made some progress in privacy. Noteworthy approaches include indistinguishability obfuscation (IO), usage of homomorphic encryption, zero-knowledge proofs (ZKPs) and ring signatures.

Indistinguishability obfuscation is an elegant cryptographic technology that can serve all privacy and confidentiality issues on a blockchain. IO can create an unbreakable obfuscation mechanism that turns smart contracts into a black box. The key idea behind IO is a multilinear jigsaw puzzle, which basically obfuscates program code by mixing it with random elements. If the program is run as intended, it will produce expected output. Otherwise, it makes the program look random. However, the technology is not ready for implementation and deployment in practice.

Homomorphic encryption allows operations to be performed on encrypted data without knowing anything about it. Like IO, this technology is mostly still theory. However, significant advance of the concept have been implemented in the Enigma project by MIT’s Media Lab. On blockchains, it enables processing on ciphertext. For example, the data stored on the blockchain can be encrypted using homomorphic encryption, and computations can be performed on those data without the need for decryption, providing privacy and confidentiality.

Zero-knowledge proofs allow validators to prove to the verifier that they know a value X without showing any information apart from X. To prove that one possesses knowledge of certain information, it is unnecessary to reveal it. The difficulty is to prove the possession without disclosing the information. A practical algorithm, Succinct Non-Interactive Argument of Knowledge (ZK-SNARK) has been implemented successfully in Zcash to ensure privacy. The Ethereum R&D team is collaborating with Zcash to integrate the protocol on Ethereum, an already very active research project. An excellent paper on the project is available here. An additional example of ZKP is the Zero-Knowledge Succinct Transparent Argument of Knowledge (ZK-STARKs), which is an improvement on ZK-SNARKs. ZK-STARKs consume much less bandwidth and storage than counterparts. Also, they do not require the initial, somewhat controversial, trusted setup that is required for ZK-SNARKs. ZK-STARKs are much quicker than ZK-SNARKs, since they do not make use of elliptical curves and rely on hashes. Another ZKP is Zero Knowledge Prover and Verifier for Boolean Circuits (ZKBoo), but it has yet to be implemented.

State channels are a possible solution for privacy, which is available on Hyperledger project. The idea relies on the fact that all transactions are off-chain and the main blockchain does not see the transaction at all except for the final state output, ensuring privacy and confidentiality. The original and full version of the transaction information is stored at the channels (as side-chains).

Secure multiparty computation is based on the concept that data are split into multiple partitions between participating parties under a secret sharing mechanism. Then the network processes the data without the need to reconstruct it on a single machine. The computed output is shared between parties.

Specific hardware can provide confidentiality trusted computing platforms. For example, Intel Software Guard Extension (SGX) allows code to be run in a hardware-protected environment called an enclave. Once the code runs successfully in the isolated enclave, it can produce a proof called a quote that is attestable by Intel’s cloud servers. However, there is concern that trusting Intel causes a certain centralization that is not in line with the true philosophy of blockchain. Nevertheless, many platforms have used Intel chips. Once a node has executed the smart contract, it can produce the quote as a proof of correct and successful execution and other nodes will only have to verify it. This idea can be further extended by using any Trusted Execution Environment (TEE), which can provide the same functionality as an enclave and is available even on mobile devices with Near Field Communication (NFC) and a secure element.

CoinJoin has come up with a simple idea that mixing transactions can produce privacy and confidentiality. The method doesn’t map senders with receivers, but instead seeks to ensure that the total inputs and the total outputs are equal without double spending. CoinJoin needs interactive cooperation between multiple parties. If anyone does not keep up with the commitment to create a single transaction by signing the transaction as required, it will result in a denial of service attack. In this protocol, there is no need for a single trusted third party.

Confidential transactions use Pedersen commitments that allow a user to commit to some value while keeping it secret with the capability of revealing it later. Two properties that need to be satisfied to design a commitment scheme are binding and hiding. Binding makes sure that the committer is unable to change the chosen value once committed, whereas the hiding property ensures that any unauthorized party is unable to find the original value to which the committer made a commitment. Pedersen commitments support homomorphic encryption of values. Using commitment schemes allows hiding of payment values in a Bitcoin transaction. This concept has already been implemented in the Elements Project.

MimbleWimble was interestingly introduced by an anonymous Bitcoin developer using the pseudonym Tom Elvis Jedusor (the French name of fictional Harry Potter character, Voldemort). Mimblewimble is the name of a spell used to tongue-tie victims in Harry Potter. It extends the idea of confidential transactions and CoinJoin, which allows aggregation of transactions without requiring any interactivity. However, it is incompatible with Bitcoin scripting language along with various other features of standard Bitcoin protocol. Mimblewimble can enhance both privacy and scalability issues at once. Applying the technology means that a block contains an input list, output list and something called “excesses,” which are lists of signatures and differences between outputs and inputs. In contrast to Bitcoin, MimbleWimble outputs contain public keys only, and the difference between the old and new outputs is signed by all participants involved in the transactions. The protocol reduces block size while improving privacy and scalability. However, it is not suitable for accounting and banking services in general, since sender-receiver mapping and transaction amount are recorded nowhere. Grin and Beam have successfully implemented MimbleWimble.

Bulletproofs is a non-interactive zero-knowledge proof protocol for general arithmetic circuits with very short proofs (arguments of knowledge systems) and without requiring a trusted setup. The essence of Bulletproofs is its inner-product algorithm, a proof (argument of knowledge) for two independent binding vector Pedersen commitments that satisfy the given inner-product relation. Bulletproofs results in communication-efficient, zero-knowledge proofs, but reduces overall communication by a factor of three. Bulletproofs has a wide range of applications, for instance, in multi-party computation (MPC) systems, privacy protocols and secret communications. You can find the original Bulletproofs research here.

Additionally, Monero has utilized ring confidential transaction (ringCT), stealth addresses and ring signature for privacy. However, those methods increase the complexity and block size. Recently, Monero has been trying to implement Bulletproof, instead. Other confidential transaction technologies are provided by smart contracts. 

There are dozens of privacy technologies out there. Many protocols have been successfully implemented, but some remain theory. Of course, privacy is a need for blockchain, but it needs to be compatible with security, scalability, transparency and auditability.

ZKPs are the most interesting protocols, since they offer true privacy and confidentiality along with a wide range of applications in various fields. Compared to other anonymous cryptos, Dash seems to be the weakest, since it uses private-send (a kind of confidential transaction) with low privacy and scalability. Monero, after Bulletproof implementation, is expected to be one of the two best privacy coins, the other being Zcash. Zcash, offered on a multi-level basis with shielded transactions, provides users with many options to send funds like Bitcoin in a completely confidential manner. Note that Bitcoin, Ethereum and many other cryptos are allowed in the US and other nations, classified as crypto assets, but regulation is still a challenge for anonymous coins.

Privacy technology is an interesting and hot topic not only in the crypto space, but also in blockchain, cloud computing and data sharing discussions.

About the author:

Thuat on the privacy-transparency tradeoff

Thuat Do (Paven) is a PhD candidate at the Hong Kong University of Science and Technology. His areas of research include blockchain and cryptocurrencies, data science and applied mathematics. He is also an advisor and consultant for several blockchain projects in Vietnam.

This piece reflects the authors’ personal opinions and does not necessarily represent the views of Blocks99 as an independent media portal.