I have never done this before, but I am going to publish someone else’s work. This work is an excerpt from an academic paper. The past few days I was on two long flights and I had CoinShuffle++ printed out to reread it. This was the first time I paid full attention to every single concept presented and every single word written, and I am still digesting it. The end of the paper gives a summary on most notable privacy work in cryptocurrencies up until 2016–2017. Without further ado:
Tim Ruffing, Pedro Moreno-Sanchez, Aniket Kate
NDSS ’17, 26 February — 1 March 2017, San Diego, CA, USA Copyright 2017 Internet Society, ISBN 1–891562–46–0 http://dx.doi.org/10.14722/ndss.2017.23415
VII. RELATED WORK IN CRYPTO-CURRENCIES
We give an overview of the literature on privacy-preserving protocols for crypto-currencies. Related work for P2P mixing protocols is discussed throughout the paper.
A. Tumblers
A tumbler provides a backwards-compatible centralized mixing service to unlink users from their funds: several users transfer their funds to the tumbler, which returns them to the users at fresh addresses. The main advantage of a centralized approach is that it scales well to large anonymity sets, because the anonymity set is the set of all users using the service in some predefined time window. However, by using these services naively, a user must fully trust the tumbler: First, anonymity is restricted towards external observers, i.e., the mixing service itself can still determine the owner of the funds. Second and more important, the users have to transfer their funds to the tumbler, which could just steal them by refusing to return them.
- Accountable Tumblers: Mixcoin mitigates the second problem by holding the tumbler accountable if it steals the funds, but theft is still possible. Blindcoin improves upon Mixcoin in that the tumbler additionally cannot break anonymity. [nopara73’s note: ZeroLink’s Chaumian CoinJoin mixing could be inserted here here, in that case the mixer is not accountable, but untrusted, so that is the main improvement there on Blindcoin. However ZeroLink is more than its recommended mixing technique, it is a complete privacy framework that can be used also with Mixcoin, Blindcoin, TumbleBit, CoinShuffle and CoinShuffle++, I just often have to simplify and incorrectly refer to the mixing technique as ZeroLink.]
- Blindly Signed Contracts and TumbleBit: Blindly Signed Contracts and its successor TumbleBit propose an untrusted tumbler based on the combination of blind signatures and smart contracts to solve both aforementioned challenges, i.e., theft and anonymity. To perform ordinary mixing this approach requires at least two transactions to be confirmed sequentially (in two different blocks), whereas CoinShuffle++ requires just one transaction.
TumbleBit supports using the second transaction to send a payment to a recipient directly, which is then on par with CoinShuffle++, which also requires one transaction for mixing and one transaction for sending a payment to a recipient. However, this mode of TumbleBit comes with limitations. First, it requires coordination between the tumbler and the recipient. Second, it requires more fees than CoinShuffle++, because the CoinJoin transaction used in CoinShuffle++ is cheap, in particular if using aggregate signatures. Third, it requires the payment amount to be exactly the mixing amount, which hinders availability severely, because it is very difficult to find enough users that are willing to send the exact same amount of funds at a similar time. With CoinShuffle++, instead, the second transaction, i.e., the actual spending transaction is a normal transaction and supports change addresses, at which peers get their remaining funds back.
B. Other P2P Mixing Approaches
In CoinParty, a set of mixing peers is used to mix funds of users. It is assumed that 1/3 of the mixing parties are honest. This trust assumption is not in line with the philosophy of Bitcoin, which works in a P2P setting without strong identities, where Sybil attacks are easily possible.
CoinShuffle++, instead, does not make any trust assumption on the mixing participants, except that there must be two honest peers, which is a fundamental requirement for any protocol providing anonymity. Xim improves on its related previous work in that it uses a fee-based advertisement mechanism to pair partners for mixing, and provides evidence of the agreement that can be leveraged if a party aborts. Even in the simple case of a mixing between two peers
Xim requires publishing several Bitcoin transactions in the Bitcoin blockchain, which takes on average at least ten minutes for each transaction.
In contrast, CoinShuffle++ requires to submit a single transaction to the Bitcoin blockchain independently on the number of peers.
C. Privacy-preserving Crypto-currencies
Bitcoin is by far the most widespread crypto-currency and will most probably retain this status in the foreseeable future, so users are in need of solutions enhancing privacy in Bitcoin. Nevertheless, several promising designs of crypto-currencies with built-in privacy features are available.
- Zerocoin and Zerocash: Zerocoin and its followup work Zerocash, whose implementation Zcash has been deployed recently [4], are crypto-currency protocols that provide anonymity by design. Although these solutions provide strong privacy guarantees, it is not clear whether Zcash will see widespread adoption, in particular given its reliance on a trusted setup due to the use of zkSNARKS.
- CryptoNote: The CryptoNote design relies on ring signatures to provide anonymity for the sender of a transaction. In contrast to CoinShuffle++, an online mixing protocol is not necessary and a sufficient anonymity set can be created using funds of users currently not online. However, this comes with two important drawbacks for scalability.
First, CryptoNote requires each transaction to contain a ring signature of size O(n), where n is the size of the anonymity set, whereas our approach based on CoinJoin needs only constant space per user. Storing the ring signatures requires a lot of precious space in the blockchain, and verifying them puts a large burden on all nodes in the currency network. (In other words, the advantage of CoinShuffle++ is that it moves the anonymization work to an online mixing protocol, which is independent of the blockchain.)
Second, CryptoNote is not compatible with pruning, a feature supported by the Bitcoin Core client. Pruning reduces the storage requirements of nodes drastically by deleting spent transactions from local storage once verified. This is impossible in CryptoNote because it is not entirely clear whether funds in the blockchain have been spent or not. A CoinJoinbased approach such as CoinShuffle++ does not suffer from this problem and is compatible with pruning.
