
Privacy Coins

Imagine a world where every single transaction you make is broadcast to everyone
in the world – this is what a blockchain does. Andreas Antonopoulos believes
that solving the problem of privacy is more important than that of scalability and
throughput. The opposite mentality prevailed when the Internet was first created,
and privacy has since become the most valuable asset on the Internet. Every piece of
information that you disclose on the Internet is monitored, registered, sold and even
hacked. Bitcoin can only offer partial anonymity, known as pseudonymity; we still do
not have complete financial privacy. On a normal blockchain, the ledger contains
information about the sender, the receiver, the quantity of the asset and the specific
asset. However, through the creation of privacy coins we are one step closer to the
goal of complete financial privacy. The 3 main attributes of the coins in this category
are privacy, fungibility and decentralization. Zcash, Monero, Dash and PivX are
amongst the most popular privacy coins. Each of these privacy coins implements a
different type of cryptography to ensure the security and encryption of the data.

Zero Knowledge Proofs


Zero knowledge proofs (zk-proofs) originated from a cryptographic method called
interactive proofs, which allows two parties (the prover and the verifier) to
establish, with a high degree of probability, that the prover knows a secret without
revealing any information about it. The term “zero knowledge” comes from the fact
that no information about the secret is shared, yet the 2nd party (the verifier) is
convinced that the 1st party (the prover) knows the secret.

Three properties that every zero-knowledge protocol must satisfy are:

completeness – an honest prover can convince the verifier of a true statement with a
high degree of probability; soundness – a prover can only convince the verifier if
the statement is actually true; and zero-knowledge – the verifier learns nothing
about the solution/secret.

This concept is most easily explained by illustrating a basic implementation. This
begins with 2 people standing outside a circular cave with a locked door at the back
of the circle (shown below). The prover is trying to convince the verifier that they
know the code to the door without telling them the code.

The prover goes into the cave and stands at the back; the verifier then walks to the
entrance and shouts a direction (A or B) from which the prover must walk out. This
protocol is repeated ‘X’ times, and each repetition makes it less likely that a
dishonest prover passes. Two scenarios can occur. If the prover is lying and does not
know the combination to the door, then there is an extremely high probability
(growing exponentially with each trial) that the verifier will at some point call the
direction the prover did not enter, and the verifier would notice this because the
prover would not be able to walk out the requested direction. If the prover does
know the code, then they will be able to exit the cave in the requested direction
100% of the time.
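
The three properties listed earlier and the cave walk, worked through in a small Schnorr-style interactive proof of knowledge of a discrete logarithm (an added example, not part of the original page). It assumes a toy multiplicative group with constructed parameters, and a one-bit challenge that plays the role of the verifier shouting A or B.

```python
import secrets

# Toy group (constructed for illustration, far too small for real use):
# safe prime p = 2q + 1, and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """The prover's secret x is the 'door code'; y = g^x is public."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def verify(y, t, e, s):
    """Verifier's check for one round: g^s == t * y^e. It never sees x."""
    return pow(G, s, P) == (t * pow(y, e, P)) % P

def honest_round(x, y):
    """Prover commits t = g^r, verifier sends a one-bit challenge e (A or B),
    prover answers s = r + e*x. Passes every time (completeness)."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    e = secrets.randbelow(2)
    s = (r + e * x) % Q
    return verify(y, t, e, s)

def cheating_round(y):
    """Without x the prover must guess e before committing; a wrong guess is
    caught, so n rounds are survived with probability only 2^-n (soundness)."""
    guess, s = secrets.randbelow(2), secrets.randbelow(Q)
    if guess == 0:
        t = pow(G, s, P)                            # accepted only if e == 0
    else:
        t = (pow(G, s, P) * pow(y, -1, P)) % P      # accepted only if e == 1
    e = secrets.randbelow(2)
    return verify(y, t, e, s)

def run_proof(rounds, y, x=None):
    """Repeat the round; x=None models a prover who does not know the secret."""
    return all(cheating_round(y) if x is None else honest_round(x, y)
               for _ in range(rounds))

def cheater_pass_rate(y, rounds, trials):
    """Empirical fraction of trials in which a cheater survives all rounds."""
    return sum(run_proof(rounds, y) for _ in range(trials)) / trials

def simulate_transcript(y):
    """Zero-knowledge: choose e and s first, then solve for t. The forged
    (t, e, s) verifies and looks like a real one, so transcripts leak nothing."""
    e, s = secrets.randbelow(2), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -e, P)) % P
    return t, e, s
```

A single round lets a cheater through half the time, exactly like one cave walk; twelve rounds bring that below one in four thousand.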

Zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) are the
most popular implementation of this cryptographic method, used in the cryptoasset
Zcash. A major problem with the current implementations of this method is that the
supply of tokens cannot be audited. Even with annual audits, unless you trust the
creators/founders there is no way to prove the claims with 100% reliability. A
co-author of the Zcash whitepaper has also said that quantum algorithms could
compromise the trusted setup efficiently.

Zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge) are the
most recent R&D behind zero knowledge proofs. Their proponents claim that STARKs
are more trustless, more secure, cheaper, faster, more scalable and post-quantum
secure compared to SNARKs. Many of the researchers/developers from the Zcash
project are currently working to develop and implement the STARKs solution.

RingCT
Before we jump into the cryptographic methods that the Monero network uses, it is
important to understand the difference between unlinkability and untraceability.
Unlinkability means that a receiving address can be public, yet the payments made
to that address cannot be linked to it (stealth addresses). Ring signatures provide
untraceability: each transaction is signed with a ring of keys controlling multiple
outputs, mixed in with the output of the sender. An observer cannot tell which party
controls which output, thus providing untraceability (and plausible deniability for
everyone in the ring signature).

RingCT is based on Confidential Transactions (designed by Greg Maxwell) combined
with ring signatures, and is used on the input side of transactions.

Confidential Transactions include a cryptographic proof that the sum of the input
amounts equals the sum of the output amounts, without revealing the actual amounts;
however, one can still trace which address sent/received the tokens (if CT were
your only privacy method).
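
The balance proof of Confidential Transactions, as an added example (not from the original page and not Maxwell's implementation): Pedersen commitments in a toy modular group, with the verifier checking that the input and output commitments cancel. The group parameters and the second generator h are constructed assumptions; real CT works on elliptic-curve points.

```python
import hashlib, secrets

# Toy Pedersen commitments in a prime-order multiplicative group (constructed for
# illustration; real CT uses elliptic-curve points). p = 2q + 1, g has order q,
# and h is a second generator whose discrete log base g nobody knows.
P, Q, G = 2039, 1019, 4
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big"), 2, P)

def commit(amount, blind):
    """C = g^amount * h^blind: hides the amount, binds the committer to it."""
    return (pow(G, amount, P) * pow(H, blind, P)) % P

def new_output(amount):
    """An output keeps its amount and a fresh random blinding factor off chain;
    only the commitment is published. (Real CT also attaches a range proof so
    amounts cannot wrap around modulo q; that part is omitted here.)"""
    blind = secrets.randbelow(Q)
    return {"amount": amount, "blind": blind, "commit": commit(amount, blind)}

def balance_excess(inputs, outputs):
    """Known only to the spender: sum of input blinds minus sum of output blinds.
    (Real CT proves knowledge of this value with a signature instead of revealing it.)"""
    return (sum(o["blind"] for o in inputs) - sum(o["blind"] for o in outputs)) % Q

def verify_balance(input_commits, output_commits, excess):
    """The verifier multiplies the commitments it sees. The g^amount factors
    cancel exactly when sum(inputs) == sum(outputs), leaving h^excess, so the
    check proves balance without revealing a single amount."""
    prod_in = prod_out = 1
    for c in input_commits:
        prod_in = (prod_in * c) % P
    for c in output_commits:
        prod_out = (prod_out * c) % P
    return (prod_in * pow(prod_out, -1, P)) % P == pow(H, excess, P)

def build_transfer(in_amounts, out_amounts):
    """Spender's side: commit to every input and output and compute the excess.
    Returns (inputs, outputs, excess, verifier_result)."""
    ins = [new_output(a) for a in in_amounts]
    outs = [new_output(a) for a in out_amounts]
    excess = balance_excess(ins, outs)
    ok = verify_balance([o["commit"] for o in ins], [o["commit"] for o in outs], excess)
    return ins, outs, excess, ok
```

A transfer of 60 + 40 into 70 + 30 verifies; 70 + 31 or 70 + 40 (an attempt to create coins) fails, even though the verifier never learns any of the four amounts.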

Ring signatures make transactions untraceable, protecting the sender’s privacy.
This is achieved with a digital signature in which the actual signer is hidden
amongst numerous decoys (ring members) when authorizing a transaction. The
signature is formed from the actual signer’s key combined with the keys of
non-signers to make a “ring.” All members are equal/valid and are plausibly the
actual signer of the transaction. The actual signer is a one-time spend key that
corresponds to an output being sent from the sender’s wallet. The non-signers are
past transaction outputs pulled from the blockchain, acting as decoys. Together
these outputs make up the inputs of a transaction. To a 3rd party all of the inputs
look equally likely to be the output spent in the transaction; this hides the true
origin of the transaction.
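
A ring signature of the kind described above, as an added example that is not Monero's own implementation: a Schnorr-style ring (the Abe-Ohkubo-Suzuki construction) over a toy modular group standing in for the curve, where only the holder of one ring member's secret can close the challenge chain. The group parameters are constructed assumptions, and Monero's variant additionally includes a key image so that the same output cannot be spent twice.

```python
import hashlib, secrets

# Toy group (constructed for illustration, far too small for real use):
# p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(msg, elem):
    """Hash the message and a group element to an integer challenge."""
    return int.from_bytes(hashlib.sha256(msg + b"|" + str(elem).encode()).digest(), "big")

def keygen():
    """Secret key x and public key y = g^x for one ring member."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def ring_sign(msg, ring, x, j):
    """ring: list of public keys; x: secret key for ring[j]. Every s_i except
    s_j is a random scalar; only the real signer can close the challenge chain,
    yet the finished signature carries no trace of which index that was."""
    n = len(ring)
    s, c = [0] * n, [0] * n
    alpha = secrets.randbelow(Q)
    c[(j + 1) % n] = challenge(msg, pow(G, alpha, P))
    i = (j + 1) % n
    while i != j:
        s[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = challenge(msg, (pow(G, s[i], P) * pow(ring[i], c[i], P)) % P)
        i = (i + 1) % n
    s[j] = (alpha - c[j] * x) % Q        # closes the ring with the real secret
    return c[0], s

def ring_verify(msg, ring, sig):
    """Recompute the chain from c_0 around the whole ring; it must return to c_0.
    The check treats every index identically, so no member is singled out."""
    c0, s = sig
    c = c0
    for i, y in enumerate(ring):
        c = challenge(msg, (pow(G, s[i], P) * pow(y, c, P)) % P)
    return c == c0
```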

Stealth Addresses
Stealth addresses perform a very specific function: they prevent any public
association of a transaction’s output with a recipient’s wallet and conceal a
transaction’s actual destination address. They are based on elliptic-curve Diffie-
Hellman cryptography. Stealth addresses allow a person to receive payments from
multiple people while each payer can see only the transaction that they sent.

Normally, a blockchain transaction needs a public address belonging to the recipient;
once your identity and wallet address have been linked, the current balance and any
transactions in or out of the wallet can be seen. Remember that the ability to spend
a token is essentially the same as knowing the private key corresponding to the
public key associated with the coins. Additionally, the Monero network records
transaction outputs in a blockchain. If you own Monero, you control some of these
outputs. When a person sends some Monero, they announce to the chain that they are
sending some of the old outputs to a new output that the receiver controls. Each
Monero wallet address contains a “public view key” and a “public spend key.”

Stealth addresses work by creating one-time-use addresses. If person 1 (P1) is
trying to send person 2 (P2) 10 tokens, P1 generates a transaction on the chain.
The stealth address mechanism uses a combination of public and private keys that
are dynamic and for one-time use only. P1’s wallet takes P2’s “public view key” and
“public spend key”, combines them with random data, and derives the “one-time
unique public key” for P2’s output (the output being the spendable tokens).
Everyone will be able to see a transaction being recorded, but P1 and P2 will be the
only ones who know it was between them and involved 10 tokens. P2 can use their
“private view key” to locate the transaction on the blockchain and retrieve it into
their wallet. P2 can then calculate the one-time private key that corresponds to the
one-time public key of the transaction in order to spend the tokens. All of this
occurs without P2’s wallet address being publicly linked to any transaction. Stealth
addresses take care of the recipient’s privacy (by making transactions unlinkable)
and are only 1 of the components of the Monero network.
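
The one-time address derivation described above, as an added example that is not the page's or Monero's own code: a Diffie-Hellman exchange between the sender's random transaction key and the recipient's view key, with a toy modular group (constructed parameters) standing in for the elliptic curve. Scanning needs only the private view key; spending needs the private spend key as well.

```python
import hashlib, secrets

# Toy group standing in for the elliptic curve (constructed for illustration):
# p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def hash_to_scalar(elem):
    """H_s: hash the shared secret (a group element) to a scalar in Z_q."""
    return int.from_bytes(hashlib.sha256(str(elem).encode()).digest(), "big") % Q

def recipient_keys():
    """Wallet address = (public view key A, public spend key B); a and b stay private."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return {"a": a, "b": b, "A": pow(G, a, P), "B": pow(G, b, P)}

def sender_build_output(A, B):
    """Sender picks a fresh r and publishes R = g^r (the tx public key) together
    with the one-time address P = g^{H_s(A^r)} * B. Only A and B were needed."""
    r = secrets.randbelow(Q - 1) + 1
    shared = pow(A, r, P)                    # Diffie-Hellman: A^r == R^a
    one_time = (pow(G, hash_to_scalar(shared), P) * B) % P
    return {"R": pow(G, r, P), "P": one_time}

def recipient_scan(wallet, output):
    """Scanning needs only the private view key a: recompute the shared secret
    from R and test whether the output's one-time address belongs to us."""
    shared = pow(output["R"], wallet["a"], P)
    expected = (pow(G, hash_to_scalar(shared), P) * wallet["B"]) % P
    return expected == output["P"]

def recipient_one_time_secret(wallet, output):
    """Spending needs the private spend key b: x = H_s(R^a) + b satisfies g^x == P."""
    shared = pow(output["R"], wallet["a"], P)
    return (hash_to_scalar(shared) + wallet["b"]) % Q
```

An observer sees only R and P on chain; without the private view key a there is no way to recompute the shared secret and relate P back to the address (A, B).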

Coinjoin
Coinjoin is an anonymization method proposed by Gregory Maxwell. The underlying
idea is “when making a payment, find someone else who wants to make a payment
and make a joint payment.” With a coinjoin protocol it is either hard or impossible
to link inputs to outputs. Thus the user’s unlinkability is improved and taint
analysis becomes harder, if not impossible. Coinjoin requires all parties to jointly
sign the agreement to mix their coins.

DASH is the most popular coin that utilizes the coinjoin technique, but similar
protocols can be (and have been) implemented on Bitcoin to improve the anonymity
of the network.

