
Editor's Note: This article comes from Unitimes (ID: Uni-times), by Ryan Gentry & Matt Shapiro, edited by Jhonny, and is published with permission.
Original title: "Privacy Is a Feature Not a Product"
Privacy protection will be a feature of a borderless cryptocurrency, but not its core feature. Users should not take on balance sheet risk in less valuable and less secure cryptocurrencies purely for financial privacy (e.g., selling BTC or ETH for ZEC).
This article will make the point that general-purpose platforms such as Bitcoin and Ethereum already provide enough privacy guarantees for most users that there is no need for these users to move to niche privacy-focused blockchain networks.
Privacy must be a key component of open finance, global currency without borders, and Web 3.0. However, in the cryptocurrency ecosystem to date, most privacy-related development activity has occurred on privacy-focused blockchains, while the Bitcoin and Ethereum communities have given top priority to issues such as scalability and user experience.
Developers who place financial privacy above all other features build protocols primarily to support privacy; examples include assets such as Zcash and Monero, as well as new entrants such as Grin and Beam. All of them make various trade-offs between functionality and usability to ensure that privacy is their core value proposition.
But is privacy a core value proposition that an independent blockchain should be built on?
A common argument among crypto investors is that due to the importance of privacy in financial transactions, privacy-focused blockchains such as Zcash, Monero, Grin, and Beam should be perfectly capable of accumulating value. We agree that privacy is important in financial transactions, but we don't believe there is a causal relationship between the two.
We expect that the most valuable blockchains will win out across a range of different technical trade-offs, and that users and businesses will find novel ways to bring privacy to these networks, rather than network participants choosing native privacy protocols and bearing the associated balance sheet risk.
In addition, Layer 1 assets (such as BTC, ETH, etc.) should generally be thought of as currencies. These Layer 1 assets will have strong network effects, so only a few blockchains can win this protracted battle.
If blockchain platforms with non-native privacy features (such as Bitcoin and Ethereum, etc.) can already provide good enough privacy for most people, then blockchains with native privacy (such as Zcash, Monero, etc.) will become irrelevant.
In this article, we will discuss the following topics:
How technologies around privacy will bring functional trade-offs;
Balance sheet risks inherent in using privacy-focused blockchains and cryptoassets;
Different approaches to bringing privacy to more widely adopted blockchains such as Bitcoin and Ethereum;
How do we think about the relationship between privacy protection and investment.
Four types of private information can be leaked in cryptocurrency transactions: sender, receiver, transaction amount, and IP address. If all four of these pieces of information can be successfully hidden from any third-party observer, then the transaction is completely private.
[Figure: Table 1: Privacy Spectrum of Cryptocurrency Transactions]
As the diagram above shows, privacy is a spectrum:
At one end are transactions that do not hide any of the above information, such as basic Bitcoin or Ethereum transactions;
At the other end is Zcash's Sapling transaction, which blocks the four types of information mentioned above (when combined with obfuscated IP technologies such as Dandelion or Kovri).
Zcash's zk-SNARK architecture allows the sender to transfer a certain amount of tokens to an anonymous receiver. The amount transferred is not revealed to any third party, and no identifying information is ever recorded on the blockchain or leaked on the network. In theory, Zcash's private transactions are perfect.
[Remark: Zcash's development has generally gone through the stages OverWinter -> Sprout -> Sapling]
In 2019, the cryptocurrency market generally rebounded, with ZEC being a notable exception.
[Figure: Zcash price since January 2018 (in BTC)]
Despite this promise of privacy protection, the market has made it clear that the privacy provided by Zcash's Sapling transactions will not, on its own, make ZEC valuable.
There are several reasons.
First, the core innovation of cryptocurrencies is the ability to programmatically achieve easily verifiable scarcity without trusting any one party.
Scarcity enables social scalability, because people from different cultures and industries can verify that their token holdings are a guaranteed percentage of a known whole. Unfortunately, perfect privacy protection hinders the auditability of a cryptocurrency.
For example, in March 2018, Zcash discovered a vulnerability in its cryptography that could have led to unlimited inflation of ZEC tokens. As the Zcash Foundation itself admits, until the Sprout address type was deprecated, it was impossible to know whether any party had exploited the vulnerability to mint ZEC. Users can verify how many tokens are sent into the shielded pool, but have no way of knowing whether tokens inside it were forged by an attacker.
In other words, completely private transactions prevent investors from verifying that Zcash is as scarce as it is supposed to be.
Second, optimizing for privacy the way Zcash does comes with a heavy cost penalty. Every time a completely private transaction is created, the sender must compute a series of precise computational steps in order to generate a proof that miners can verify using zero-knowledge techniques. These steps are computationally expensive, and the Sprout version is too cumbersome to be widely adopted.
The Zcash team then designed Sapling, a version explicitly optimized for token transfers that eschews any non-essential features (such as Ethereum's stateful smart contracts or Monero's multi-signature contracts), although these features may appear in Zcash in the future. More efficient perfectly private transactions therefore came at the expense of Zcash's programmability.
With the frenzied bull market bubble of 2016 and 2017 at an end, today's market favors less private, but more secure, programmable, and provably scarce cryptoassets like Bitcoin and Ethereum.
So the question now is: How much privacy protection is good enough?
"Hiding in the crowd" privacy
Both the Bitcoin and Ethereum communities are working hard to bring native privacy to their blockchains. But Bitcoin and Ethereum are not optimized for perfect privacy; they are optimized for "hiding in the crowd" privacy, a strategy popularized by the Tor network.
The "hiding in the crowd" strategy means making cryptocurrency transactions follow a set of rules that make it difficult for third-party observers to discern who actually sent, who received, or how much was sent in a particular transaction. The more transactions that follow these rules, the more participants there are, and the harder it is for observers to de-anonymize any of them.
Unlike fully private transactions such as Zcash's, this "hide in the crowd" strategy brings transaction privacy and security to users through obfuscation: third-party observers can see transactions as they occur, but no definitive judgment can be made about the sender, receiver, or transaction amount. All judgments are probabilistic at best, and in the vast majority of cases both the sender and the receiver retain "plausible deniability" (that is, they can hide themselves).
Greg Maxwell first proposed the concept of CoinJoin in 2013: a number of different participants combine their single-input, single-output transactions into one multi-input, multi-output transaction. This breaks the direct link between sender and receiver and, if all outputs are the same size, also blurs who received how many BTC. Recently, applications such as Wasabi Wallet and Samourai Wallet, which use CoinJoin schemes to minimize the need for trust, have gained popularity.
[Figure: Monthly USD value mixed through Wasabi Wallet since the start of 2019 (through August), per Chainalysis, showing a rising trend]
Admittedly, the CoinJoin scheme is not fully privacy-preserving, since observers can tell which coins were sent to the mixer and which were sent out. But the remarkable growth trend in the figure above shows that the group of users of this scheme is now large enough that users seeking privacy protection can genuinely "hide in the crowd". Chainalysis, one of the most prominent blockchain analysis firms, whose clients include the FBI, DEA, and IRS, confirmed that it was "unable to track the trajectory of coins' movement within the mixing service."
By default, Ethereum's base layer is less private than Bitcoin's, because Ethereum uses an account-based model instead of Bitcoin's unspent transaction output (UTXO) model. This means that on the Ethereum network an address is reused across many different transactions, rather than a new address being assigned for each transaction.
One advantage smart contract platforms such as Ethereum have over Bitcoin, though, is that they allow for more advanced types of transactions. A smart contract can provide "in the crowd" privacy for all assets sent to it, or even complete privacy for all assets sent to it. Several of these privacy-preserving smart contracts are currently live on mainnet, with many more use cases in development.
Ethereum "mixers" such as Argent's Hopper, Heiswap, and Tornado offer different ways of "hiding in the crowd" to preserve privacy, comparable to Bitcoin's CoinJoin scheme.
Through these Ethereum "mixers", users can deposit a fixed amount of a specific asset (such as 0.1 ETH or 10 DAI) into a smart contract, and wait for enough users to deposit similar amounts to build a large anonymity set. The original amount is then withdrawn to a new address that is not associated with the original address.
But since each user must deposit exactly the same amount into the contract, it will be difficult for these privacy solutions to attract large deposits, which limits their ability to grow into sustainable independent businesses.
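The following is an added example, not code from the article or from Wasabi, Samourai, or the Ethereum mixers it names. It illustrates the point made about CoinJoin and about fixed-amount mixer deposits above: an observer sees every input and output of a CoinJoin, so any output whose value is unique can be tied back to the input whose value minus the standard denomination (and fee) explains it, whereas equal-sized outputs hide among each other. The amounts are constructed satoshi values, not real transactions.

```python
# Added example (not from the article): amount-based linkability of CoinJoin outputs.
# Amounts are integer satoshis; the two scenarios below are constructed for illustration.

SAT = 100_000_000  # satoshis per BTC

def anonymity_sets(outputs):
    """For each output index, the set of output indices carrying the same value.
    Equal-valued outputs are mutually indistinguishable to a third-party observer."""
    by_value = {}
    for idx, value in enumerate(outputs):
        by_value.setdefault(value, set()).add(idx)
    return {idx: by_value[value] for idx, value in enumerate(outputs)}

def link_change(inputs, outputs, denomination, fee=0):
    """Amount-based linking: if an input minus one standard output and the fee equals
    the value of exactly one output, that output is that participant's change.
    Returns {input_index: output_index} for every link the observer can make."""
    links = {}
    for i, value in enumerate(inputs):
        change = value - denomination - fee
        candidates = [j for j, v in enumerate(outputs) if v == change]
        if change > 0 and len(candidates) == 1:
            links[i] = candidates[0]
    return links

def unlinkable_fraction(inputs, outputs, denomination, fee=0):
    """Share of outputs that sit in an anonymity set larger than one and are not
    tied to an input by the change heuristic, i.e. outputs that truly 'hide in the crowd'."""
    sets = anonymity_sets(outputs)
    linked = set(link_change(inputs, outputs, denomination, fee).values())
    hidden = [j for j in range(len(outputs)) if len(sets[j]) > 1 and j not in linked]
    return len(hidden) / len(outputs)

# Constructed scenario 1: a three-party CoinJoin with 0.1 BTC standard outputs; two
# participants bring more than 0.1 BTC and take unique change outputs.
DENOM = 10 * SAT // 100
COINJOIN_IN = [15 * SAT // 100, 23 * SAT // 100, DENOM]
COINJOIN_OUT = [DENOM] * 3 + [5 * SAT // 100, 13 * SAT // 100]

# Constructed scenario 2: a fixed-denomination mixer (every deposit exactly 0.1 BTC),
# so there is no change to link and every withdrawal hides among all deposits.
MIXER_IN = [DENOM] * 3
MIXER_OUT = [DENOM] * 3

if __name__ == "__main__":
    for name, ins, outs in (("coinjoin", COINJOIN_IN, COINJOIN_OUT),
                            ("mixer", MIXER_IN, MIXER_OUT)):
        print(name, "links:", link_change(ins, outs, DENOM),
              "unlinkable fraction:", unlinkable_fraction(ins, outs, DENOM))
```

In the CoinJoin scenario both change outputs are linked to their inputs and only the three equal outputs are hidden; in the fixed-denomination scenario nothing is linkable, which is why mixers force identical deposit amounts even though that limits how much value they attract.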
Aztec Protocol has developed a series of modular smart contracts that allow asset confidentiality, address secrecy, and zero-value output, essentially to build a private asset pool "hiding among the crowd" on Ethereum. Users need to send their public crypto assets to a smart contract, which will then generate a "private version" of these assets into its private pool and assign the user a new private address to trade. The more assets a privacy pool attracts, the larger the crowd, which provides stronger protections for all participants.
Providing privacy protection to existing blockchains is not just a Layer 2 add-on. In the near future, smaller public chains with strong governance, such as Decred and Tezos, will add protocol-native privacy features. Like Bitcoin and Ethereum, these platform communities see the value proposition of private transactions and are working on privacy as a feature offered to the community, rather than as the core product. In fact, the Tezos community is directly borrowing Zcash's Sapling design!
All of these public chain efforts above are trying to improve on the current gold standard of “hiding in the crowd” privacy schemes: Monero (XMR).
Currently only 5% of ZEC is fully private, whereas 100% of XMR is transmitted following a set of rules that create privacy and security through obscurity.
Monero transactions use three basic mechanisms to hide the sender, receiver, and transaction amount: ring signatures, stealth addresses, and ring confidential transactions (RingCT).
Ring signatures let the sender sign a transaction with n different keys, obscuring which of them is the sender's key.
Stealth addresses let the recipient use a one-time address for each transaction, hiding the recipient's real public key.
Ring Confidential Transactions obfuscate the transaction amount, concealing the real value transferred.
Meanwhile, Monero did not fare much better than Zcash in the 2018 bear market. See below:
[Figure: Monero price movement since January 2018 (in BTC terms)]
Although XMR transactions are slightly more flexible than ZEC, Monero still cannot implement stateful smart contract functions. While a recent research breakthrough has made HTLCs (Hash Time-Locked Contracts) possible, this may require a lot of engineering. Sadly for Monero, their developer community is small and poorly funded, meaning new feature development is relatively static.
Regardless of the underlying public chain, these "hiding in the crowd" privacy schemes can only provide plausible deniability, but the larger the crowd, the better users can hide themselves.
Let's continue reading.
De-anonymization cost
Earlier this year, a researcher released a report claiming that a low-cost FloodXMR attack on Monero, which takes advantage of certain aspects of Monero's ring-signature decoy selection process, could de-anonymize 50% of transactions within a year at a cost of only $1,700.
The Monero community rejected this cost estimate as far too low. They also pushed back against the algorithm itself, saying the analysis was too simplistic and ignored real-world circumstances such as multiple simultaneous attacks or price fluctuations.
The purpose of this section is not to restate the FloodXMR attack, but to use its principles to build a general framework for thinking about privacy pools on public chains. The basic framework of the FloodXMR attack is as follows:
A certain number of XMR transactions take place on the Monero network every day. These transactions are all commingled so that no one but the participants themselves knows who sent how much value to whom. However, since all transactions are public and existing outputs are reused as decoys in the ring signature scheme, it is possible for the attacker to participate in a large number of these transactions.
By doing this, the attacker greatly reduces the anonymity set and can more easily determine the actual sender and receiver of each transaction, effectively deanonymizing them. Specifically, a “malicious actor controlling the keys to 75% of transaction outputs generated within a year was able to track 47.63% of all transaction inputs created during the same time period,” according to the aforementioned researchers’ report.
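The following is an added example, not code from the article or from the FloodXMR report. It models the principle described above from the defender's side: a ring signature hides the real input among decoys drawn from earlier outputs, so every decoy that belongs to one party shrinks that ring's effective anonymity set, and a ring whose decoys all belong to that party reveals its real spend. The model assumes decoys are chosen uniformly at random from all outputs (Monero actually weights selection by output age) and, as an assumption for the illustration, a ring size of 11; the sample rings are constructed.

```python
# Added example (not from the article): how outputs held by a single observer shrink
# ring-signature anonymity sets. Uniform decoy selection and ring size 11 are assumptions.

RING_SIZE = 11  # assumed ring size for the illustration

def effective_anonymity_set(ring, known_outputs):
    """Ring members an observer holding `known_outputs` cannot rule out."""
    return [member for member in ring if member not in known_outputs]

def fraction_collapsed(rings, known_outputs):
    """Share of rings whose anonymity set shrinks to a single candidate,
    i.e. inputs whose real spend is revealed to that observer."""
    collapsed = sum(1 for ring in rings
                    if len(effective_anonymity_set(ring, known_outputs)) == 1)
    return collapsed / len(rings)

def expected_anonymity_set(ring_size, share):
    """Expected candidates left in a ring when the observer holds `share` of all
    outputs: the real input plus the decoys the observer does not hold."""
    return 1 + (ring_size - 1) * (1 - share)

def collapse_probability(ring_size, share):
    """Probability that every decoy in a ring belongs to the observer, collapsing it.
    This is only a floor: it ignores deductions that chain across transactions."""
    return share ** (ring_size - 1)

def share_for_collapse_rate(ring_size, target):
    """Fraction of all outputs the observer would need for `target` of rings to
    collapse under this simple model (inverse of collapse_probability)."""
    return target ** (1 / (ring_size - 1))

# Constructed rings of size 3 over outputs o0..o9; the observer holds o1, o2, o5, o8.
RINGS = [["o0", "o1", "o2"], ["o3", "o4", "o5"], ["o6", "o7", "o9"], ["o1", "o8", "o4"]]
KNOWN = {"o1", "o2", "o5", "o8"}

if __name__ == "__main__":
    print("collapsed rings in sample:", fraction_collapsed(RINGS, KNOWN))
    print("expected anonymity set at 75% share:", expected_anonymity_set(RING_SIZE, 0.75))
    print("collapse probability at 75% share:", collapse_probability(RING_SIZE, 0.75))
    print("share needed to collapse half of rings:", share_for_collapse_rate(RING_SIZE, 0.5))
```

Under this floor model an observer holding 75% of outputs collapses only about 5.6% of rings outright, far below the 47.63% the cited report reaches with its fuller analysis, which shows how much the simple per-ring view understates the risk.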

Under certain assumptions, this attack could be extended to Bitcoin's CoinJoin privacy pool (which already exists in practice) and Ethereum's Aztec Protocol privacy pool. For most of the past 12 months, transactions using the CoinJoin scheme accounted for 5% to 10% of Bitcoin transaction volume, and the share increased in July and August 2019. See below:
[Figure: Monthly Bitcoin transactions using the CoinJoin scheme as a percentage of all Bitcoin transactions in that month]
Assuming the average transaction fee, the number of privacy-seeking transactions, and the proportion of mainstream cryptoassets held in a particular privacy pool remain constant, the cost of deanonymization (C) is:
The figure below shows the de-anonymization cost of BTC's Wasabi Wallet privacy pool, ETH's Aztec Protocol privacy pool (assuming it holds 5% of ETH's market capitalization), and XMR. The averages used in the figure (average transaction fee and average daily transaction volume) are taken over the period from October 19, 2018 to the time of publication.
[Figure: De-anonymization cost of the BTC (Wasabi Wallet), ETH (Aztec Protocol) and XMR privacy pools]
The graph below provides another way of looking at the cost of deanonymization. Here we ask what percentage of Ethereum's or Bitcoin's market capitalization would need to be held in a privacy pool to reach the same deanonymization cost as Monero.
[Figure: Table 3: Share of market capitalization held in the privacy pool, assuming the cost of deanonymization is held constant]
Of course, this high-level analysis ignores the many nuances of how attackers target different blockchains. The above two charts are not intended to provide exact numbers, but to provide an order of magnitude range, so that everyone can understand the degree of privacy protection these "hidden in the crowd" solutions can provide.
Closing thoughts
The raison d'être of cryptocurrencies is to provide a method of exchanging digital value without relying on trusted third parties. To be a global currency without borders, cryptocurrencies must be censorship resistant. A prerequisite for censorship resistance is financial privacy protection.
The battle for privacy in cryptocurrencies will be an arms race with those trying to deanonymize cryptocurrency users, a war that must be won if cryptocurrencies are to succeed.
Unfortunately, as discussed above, the cost of making every transaction perfectly private by default, the way Zcash does, is too high. This approach to total privacy undermines another core value proposition of cryptocurrencies: a permissionless means of verifying, across the entire transaction history, that no transaction has been double-spent and no supply has been improperly inflated. Without this verification property, no cryptocurrency can be socially scalable enough to become a global, borderless currency.
Therefore, the winning cryptocurrency must achieve some form of imperfect "hide in the crowd" privacy built on top of a publicly verifiable ledger. As Tables 2 and 3 above suggest, the Bitcoin and Ethereum communities can attach privacy pools to their own public chains, and because of their higher transaction volumes and fees, the cost of deanonymizing those pools will soon exceed the cost of deanonymizing the entire Monero blockchain.
Clearly, privacy protection will be a feature of a currency without borders, but not its core feature.
Arguments for privacy protection should be framed around this understanding. Fund managers will start investing in companies that offer "privacy-as-a-service" on platforms like Bitcoin or Ethereum, rather than in the underlying cryptocurrencies that optimize for transaction anonymity. Layer 2 solutions will provide privacy to their transaction participants by default, which may draw a great deal of value away from the blockchain platforms (such as Zcash and Monero) whose core product is transaction privacy.