Summary: Privacy Work In Cryptocurrencies

I have never done this before, but I am going to publish someone else’s work. This work is an excerpt from an academic paper. The past few days I was on two long flights and I had CoinShuffle++ printed out to reread it. This was the first time I paid full attention to every single concept presented and every single word written, and I am still digesting it. The end of the paper gives a summary of the most notable privacy work in cryptocurrencies up until 2016–2017. Without further ado:

Tim Ruffing, Pedro Moreno-Sanchez, Aniket Kate

NDSS ’17, 26 February – 1 March 2017, San Diego, CA, USA. Copyright 2017 Internet Society, ISBN 1-891562-46-0


A. Tumblers

  1. Accountable Tumblers: Mixcoin mitigates the second problem by holding the tumbler accountable if it steals the funds, but theft is still possible. Blindcoin improves upon Mixcoin in that the tumbler additionally cannot break anonymity. [nopara73’s note: ZeroLink’s Chaumian CoinJoin mixing could be inserted here; in that case the mixer is not accountable, but untrusted, so that is the main improvement there on Blindcoin. However ZeroLink is more than its recommended mixing technique, it is a complete privacy framework that can also be used with Mixcoin, Blindcoin, TumbleBit, CoinShuffle and CoinShuffle++; I just often have to simplify and incorrectly refer to the mixing technique as ZeroLink.]
  2. Blindly Signed Contracts and TumbleBit: Blindly Signed Contracts and its successor TumbleBit propose an untrusted tumbler based on the combination of blind signatures and smart contracts to solve both aforementioned challenges, i.e., theft and anonymity. To perform ordinary mixing this approach requires at least two transactions to be confirmed sequentially (in two different blocks), whereas CoinShuffle++ requires just one transaction.
    TumbleBit supports using the second transaction to send a payment to a recipient directly, which is then on par with CoinShuffle++, which also requires one transaction for mixing and one transaction for sending a payment to a recipient. However, this mode of TumbleBit comes with limitations. First, it requires coordination between the tumbler and the recipient. Second, it requires more fees than CoinShuffle++, because the CoinJoin transaction used in CoinShuffle++ is cheap, in particular if using aggregate signatures. Third, it requires the payment amount to be exactly the mixing amount, which hinders availability severely, because it is very difficult to find enough users that are willing to send the exact same amount of funds at a similar time. With CoinShuffle++, instead, the second transaction, i.e., the actual spending transaction is a normal transaction and supports change addresses, at which peers get their remaining funds back.

B. Other P2P Mixing Approaches

CoinShuffle++, instead, does not make any trust assumption on the mixing participants, except that there must be two honest peers, which is a fundamental requirement for any protocol providing anonymity. Xim improves on its related previous work in that it uses a fee-based advertisement mechanism to pair partners for mixing, and provides evidence of the agreement that can be leveraged if a party aborts. Even in the simple case of a mixing between two peers, Xim requires publishing several Bitcoin transactions in the Bitcoin blockchain, which takes on average at least ten minutes for each transaction.

In contrast, CoinShuffle++ requires submitting a single transaction to the Bitcoin blockchain, independently of the number of peers.

C. Privacy-preserving Crypto-currencies

  1. Zerocoin and Zerocash: Zerocoin and its followup work Zerocash, whose implementation Zcash has been deployed recently [4], are crypto-currency protocols that provide anonymity by design. Although these solutions provide strong privacy guarantees, it is not clear whether Zcash will see widespread adoption, in particular given its reliance on a trusted setup due to the use of zk-SNARKs.
  2. CryptoNote: The CryptoNote design relies on ring signatures to provide anonymity for the sender of a transaction. In contrast to CoinShuffle++, an online mixing protocol is not necessary and a sufficient anonymity set can be created using funds of users currently not online. However, this comes with two important drawbacks for scalability.
    First, CryptoNote requires each transaction to contain a ring signature of size O(n), where n is the size of the anonymity set, whereas our approach based on CoinJoin needs only constant space per user. Storing the ring signatures requires a lot of precious space in the blockchain, and verifying them puts a large burden on all nodes in the currency network. (In other words, the advantage of CoinShuffle++ is that it moves the anonymization work to an online mixing protocol, which is independent of the blockchain.)
    Second, CryptoNote is not compatible with pruning, a feature supported by the Bitcoin Core client. Pruning reduces the storage requirements of nodes drastically by deleting spent transactions from local storage once verified. This is impossible in CryptoNote because it is not entirely clear whether funds in the blockchain have been spent or not. A CoinJoin-based approach such as CoinShuffle++ does not suffer from this problem and is compatible with pruning.
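The equal-amount requirement discussed under A.2 (a payment sent directly from the mix must be exactly the mixing amount) and the CoinJoin structure compared against CryptoNote under C.2 can be made concrete with an amount-linking analysis of a single CoinJoin transaction, the kind a chain analyst runs on the on-chain view. The following Python is an added example; it is not code from the CoinShuffle++ paper or from nopara73. The transactions, the input/output names and the amounts are constructed, and the mining fee is assumed to be zero so that each input funds exactly its own outputs.

```python
"""Amount-based linking of CoinJoin inputs to outputs (added example).

An input is linked to an output when the analyst can find, by amounts
alone, which outputs that input paid for. With a common mixing amount the
mixed outputs are interchangeable and stay unlinked, while change outputs
are pinned to one input. With arbitrary payment amounts every output is
linked. Amounts are satoshis; fee is assumed to be zero (constructed data).
"""
from itertools import combinations


def matching_subsets(value, outputs):
    """Return every set of output names whose values sum exactly to `value`.

    Exhaustive subset enumeration is exponential in the number of outputs;
    that is acceptable here because a single CoinJoin has only a handful of
    outputs, which is exactly the situation a chain analyst faces.
    """
    names = list(outputs)
    found = []
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            if sum(outputs[n] for n in subset) == value:
                found.append(frozenset(subset))
    return found


def candidate_owners(inputs, outputs):
    """For each output, the inputs that could have paid for it.

    An input is a candidate owner of an output if some exact-sum subset of
    outputs for that input's value contains the output. An output with a
    single candidate is linked to that input.
    """
    owners = {o: set() for o in outputs}
    for inp, value in inputs.items():
        for subset in matching_subsets(value, outputs):
            for o in subset:
                owners[o].add(inp)
    return {o: sorted(c) for o, c in owners.items()}


def anonymity_set_sizes(inputs, outputs):
    """Number of candidate owners per output (1 means fully linked)."""
    return {o: len(c) for o, c in candidate_owners(inputs, outputs).items()}


# Constructed CoinJoin with a common mixing amount of 100_000 sats: three
# peers, each contributing one input and receiving one mixed output plus one
# change output (change = input - mixing amount, fee assumed zero).
EQUAL_INPUTS = {"in_a": 130_000, "in_b": 105_000, "in_c": 250_000}
EQUAL_OUTPUTS = {
    "mix_1": 100_000, "mix_2": 100_000, "mix_3": 100_000,
    "chg_x": 30_000, "chg_y": 5_000, "chg_z": 150_000,
}

# The same three peers, but each one pays an arbitrary amount straight to a
# recipient from the joint transaction instead of using a common denomination.
UNEQUAL_INPUTS = {"in_a": 130_000, "in_b": 105_000, "in_c": 250_000}
UNEQUAL_OUTPUTS = {
    "pay_1": 123_000, "pay_2": 91_000, "pay_3": 197_000,
    "chg_x": 7_000, "chg_y": 14_000, "chg_z": 53_000,
}


if __name__ == "__main__":
    print("equal mixing amount:", anonymity_set_sizes(EQUAL_INPUTS, EQUAL_OUTPUTS))
    print("arbitrary amounts:  ", anonymity_set_sizes(UNEQUAL_INPUTS, UNEQUAL_OUTPUTS))
```

With the common mixing amount, each of `mix_1`, `mix_2` and `mix_3` has all three inputs as candidate owners (anonymity set of three), while `chg_x`, `chg_y` and `chg_z` each collapse to a single input: change outputs have to be treated as already linked to the peer that created them, which is why the paper stresses that a payment taken directly from the mix must equal the mixing amount. With arbitrary payment amounts every output, payment and change alike, is linked to exactly one input and the joint transaction provides no anonymity at all.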
