Is it possible to have anonymous transactions on the public blockchain? (part 2)
In the first part of this article, I’ve described the challenge of implementing anonymous transactions on the public blockchain. I proposed a bunch of solutions we can use to achieve this goal on most popular cryptocurrencies like Bitcoin or Ethereum, even though those coins do not really support anonymity. Luckily, besides that, there are cryptocurrencies focused mostly on privacy. They implement many of the already mentioned mechanisms on the protocol level, thus move cryptocurrency anonymity to a different level.
… or rather “zero-knowledge succinct non-interactive argument of knowledge” (zk-SNARK), as called by ZCash developers. zk-SNARK enables proving ownership of a given data without disclosing not only the data itself but any information about this data. In other words, it’s like Peggy wants to prove Victor  that she knows a secret without telling him anything about the secret. That doesn’t sound very clear, so let’s explain the Ali Baba cave example from Wikipedia
Let say we have the ring-shaped cave, with one entrance and the door blocking the way around. To unlock the door, Peggy must know the secret, and that’s what she wants to prove Victor.
She randomly takes either path A or B. The important part is that Victor knows nothing about the path she takes (that’s secret related information!).
Victor chooses an exit path for Peggy. She opens the door if necessary, and returns along the desired path.
But if she doesn’t know the secret, she would only be able to return by the named path in 50% of the cases.
Let’s say Peggy appears at the exit Victor named. Repeat the process twice to be 75% sure she knows the secret. Repeat 20 times, and her chance of successfully appearing at the right exit becomes about one in a million.
Zerocoin was proposed as an extension to the Bitcoin protocol that would provide true anonymity to transactions. Currently not compatible with Bitcoin, but available in stand-alone Zcoin and Anoncoin cryptocurrencies (alongside PIVX, SmartCash, Navcoin, and more. Some of them already opted-out from using Zerocoin protocol and migrated to other privacy solutions).
This protocol presupposes the existence of temporary, protocol-level Zerocoin tokens, existing on a base blockchain. The anonymity afforded here is obtained by separate Zerocoin mint and spend transactions. Minting is nothing more than burning some base currencies (e.g., Bitcoin) in exchange for Zerocoin tokens. The trick here is that you receive new, history-free tokens that are not linked in any way to coins you’ve burnt out. Single Zerocoin token is unique, can’t be duplicated or forged. To redeem it for the base currency, the owned of the token needs to prove the actual ownership. This is done by Zerocoin spend transaction and relies on zero-knowledge proof described above. After verification, the amount of the base currency equal to the Zerocoin denomination is transferred from the Zerocoin escrow pool. This might look similar to the mixing services, but is built-in into cryptocurrency’s protocol itself. However, Zerocoin requires significant computation time to work (mostly done by miners) and is the source of many security issues. Regardless, this protocol was one of the first solutions to the traceability problem in UTXO-based blockchains like Bitcoin.
Yet another method similar to coin-mixing and yet another with no 100% guarantee. Dash cryptocurrency utilizes the capability of masternodes, so the connection between the sender and receiver is untraceable. When the user wants to make an anonymous transaction, the PrivateSend function begins by splitting the inputs into discrete, non-unique relevant denominations (0.01 DASH, 0.1 DASH, 1 DASH, and 10 DASH). Then, a user’s wallet is initiating a request to randomly picked masternode to mix certain denominations of Dash coins. Within the mixing session, the masternode mixes up the inputs with two other masternodes, who has the same denominations. This process is repeated multiple times, so resulting coins are fully anonymized and obscured. Well, at least it’s said so. Some researches show there is a method of tracing PrivateSend transaction based on analyzing common origins between inputs on the same transaction. Using separate addresses for PrivateSend transactions solves this potential problem, though. Also, increasing the number of mixing rounds makes tracing exponentially more difficult. In the end, it all comes to the question of how secure you want (or need) to be.
In cryptography, Ring Signature is a type of digital signature that can be performed by any member of a group – each having separate keys. The goal is to sign the message as a particular group of people so that determining which of the group members’ keys was used to produce the signature is computationally infeasible. The cryptocurrency Monero was the first which adopted this method for anonymizing transactions. Their RingCT (Ring Confidential Transactions) algorithm hides the transaction amount and the identity of the payer and recipient, meaning that no one (except the sender and the receiver) can track any transaction details. What’s also nice about this approach is that it doesn’t rely on a centralized entity and – unlike things like CoinJoin or other mixers – you don’t need to collaborate with anyone to perform such anonymous transactions.
Blind signature is a kind of digital signature in which the message is disguised before it is signed so that even the signer itself will not learn the message content. That mechanism allows the signer and message author to be different parties. To verify the signature, one need to unblind the message first, but such operation tells nothing about the message author. Blind Signature schemes can be implemented over a number of common public key signing algorithms, such as RSA, DSA, or even on the elliptic curve. They are widely used in Smart Contracts, for example, when implementing an anonymous e-voting system.
MimbleWimble is a blockchain protocol focused on privacy, fungibility, and scalability. Although, the word comes from the magic world of Harry Potter, also known as the Tongue-Tying Spell is a curse that prevents your opponent from accurately casting their next spell.
It proposes a set of changes in the UTXO model and PoW consensus algorithm to be able to:
- hide sender and receiver addresses,
- hide amount transferred,
- join two transactions, in which the second one is spending the first one in a way that every intermediate information vanishes.
To achieve the first goal, CoinJoin (already described in the first part of this article) is used. The second trick is Confidential Transaction (CT) – a cryptographic protocol that results in the amount value of a transaction being encrypted so that every network member is still able to verify that amount, but without revealing the exact value. This relies on the mentioned above Blind Signatures and Homomorphic encryption. The third technology here is well known Merkle Tree. MimbleWImble uses it to encrypt transactions at the node level and then join them together under a number of conditions. This also allows us to significantly reduce blockchain size since many intermediate pieces of information are not really needed to verify the resulting transaction and might be securely removed from the blockchain.
MimbleWimble is mostly known for being implemented in Beam and Grin cryptocurrencies.
In two blog posts, I have covered techniques for achieving a reasonable level of anonymity using widely-known cryptocurrencies. If you find this topic interesting or want to explore it further, you are welcome to contact us.