Privacy And Schnorr Signatures

Will it improve or harm privacy?

First of all: I don’t know. I will present you both sides of the coin and let you come to immature predictions by yourself.
If you don’t know how to do that, don’t worry, you can use my immature speculation as a starting point and only modify it where I am wrong.

Sam Wouters just published an excellent article on how Schnorr signatures will help Bitcoin to scale and make some form of spamming uneconomical: “Why Schnorr signatures will help solve 2 of Bitcoin’s biggest problems today”.
I will write about the privacy aspect, he did not discussed, despite it is often cited when discussing the benefits of Schnorr.

Quick recap

Luckily in order to discuss privacy we only need to understand the basic idea of Schnorr signatures and don’t need to go into any technical details, since it’s all about incentives.

As you can see from the illustration, when you have more red boxes on the left side, with Schnorr signatures it’s enough to provide only one signature, but make no mistake, signatures are pretty heavy in terms of bytes, which ultimately determines how much fees you will pay for the transaction.
Note the red boxes are inputs and the green ones are outputs, but you can simply and incorrectly think of them as addresses.
In order to understand the rest of the article also note there can be more green boxes on the right side within one transaction, not only one, like this:

The takeaway is: with Schnorr it becomes more economical to make a payment with your buddies together than making payments one by one.

The case for privacy

You might have heard about CoinJoin before. This protocol was scratched up by Greg Maxwell and as far as I know the only today working implementation of it is JoinMarket.
In the past Blockchain.info had a service based on it, called SharedCoin and there’s Mycelium’s implementation: ShufflePuff, which I believe its development has been discontinued due to their failed crowdfunding. Also DarkWallet was doing something with it, but its main dev, Amir Taaki flew to Syria to fight ISIS.

Not sure if you’ve noticed it, but I probably just listed all the main Bitcoin privacy projects of pre 2016, so yes, CoinJoin’s hype just started to decline recently, but Schnorr might turn that around.

How? Coinjoin joins coins together, as you could see if you join coins together while using Schnorr you’d pay less fees. So far sounds great, right? It indeed does, but there are some issues with coinjoin. The long list of discontinued projects is no coincidence.

• Coordination between parties is difficult.
• Great initial liquidity is needed.
• It’s only private when the amounts are the same.

In other words: if you want to send 0.1234btc via coinjoin to someone you need to find a couple of other people who happens to also want to spend 0.1234btc in the same time and then you can join together your coins.
The various CoinJoin schemes partially hack around this problem, and with Schnorr low fees will incentivize people to join and eventually overcome their liquidity problems, right? Right, but…

The case against privacy

But it might even provide a greater incentive that’s not only not great for privacy, but also not great for innovation. Schnorr gives an advantage to wallets with the greatest liquidities with the easiest coordination mechanisms, like blockchain.info. In order for Schnorr to lower fees you don’t actually need privacy, you don’t need the amounts to match, like in CoinJoin, you can simply join inputs together and viola, fees are lower.

But you still need to fix the first and second issues of CoinJoin: liquidity and coordination. And guess what, blockchain.info already solved the first one and how hard could it be for them to coordinate its users to join their inputs together when the only thing that doesn’t happen on their central server is generating the private keys. Oh, but there is more: remember, they already have a lot of experience doing this, via SharedCoin, which they turned off, because of legal reasons, I suppose, still the experience is there.
Sure blockchain analysis companies will have a harder job in guessing which inputs belong to which users, but does it matter at this point? Blockchain.info will just take the place of blockchain analyisis companies and sell the information themselves, the only difference is what they know is 100% accuarate.
I admit this was a little too pessimistic, there are still many more unknown variables, so take my predictions with a grain of salt.

Final predictions

At this point this is how I see the Schnorr incentive game play out:

1. CoinJoin and similar privacy oriented projects start utilizing this. In the same time exchanges and centralized services start paying out their customers with Schnorr. They are already joining coins together, so not much of a work to add.
2. Blockchain.info and similar “semi-centralized” wallets with great liquidity will utilize Schnorr to provide the lowest fees possible and at this time they very possibly conquer the market.
3. Finally the rest of the wallets catch up. This won’t be that easy, because the less centralized you are the harder the coordination to solve is.
4. If Schnorr doesn’t get obsolated by an uneforeseen event (Potcoin kills Bitcoin?) then some cyberpunk will come up with a decentralized crypto magic to coordinate input joining within the next few decades that’ll eventually win.