
Encouraging developments for privacy at Bitcoin and Ethereum

Over the last few months, some exciting privacy technologies for Bitcoin and Ethereum have been further developed and improved: Confidential Transactions, Reusable Payment Codes, zkSNARKs and Ring Signatures. This revives the hope that cryptocurrencies will give humanity financial privacy.


If you are not yet aware of it, it is time you knew: cryptocurrency privacy is usually a tragedy. If you look at the two strongest cryptocurrencies, Bitcoin and Ethereum, you will realize that there is nothing private about them. And this is not an accident or an oversight, but the logical consequence of the basic concept of cryptocurrencies.

The whole idea of Bitcoin and other cryptocurrencies is that every node in a decentralized network checks the validity of each transaction and block. In order to do this, everyone must be able to see who has sent how many coins to whom. Everything has to be completely transparent. This does not seem to have much to do with privacy and anonymity.

When you transfer money on a blockchain like Bitcoin or Ethereum, you should be aware of the following: not only your business partner, your bank and the government know what you do, but everyone does. And, worse, thanks to blockchain analysis techniques, everyone not only knows about your last transaction, but can also link your various transactions, addresses and inputs to find out what is going on in your wallet.

The situation is not very pleasing. Cryptocurrencies are still regarded as a particularly private means of payment. But it does not take much imagination to see them becoming the trailblazers of the financially fully transparent citizen. To prevent this, on the one hand cryptocurrencies such as Monero and Zcash are being developed that offer better privacy. On the other hand, technologies are being created that improve privacy on blockchains such as Bitcoin or Ethereum. These are the subject of this article.

Specifically, these are the following technologies:

Confidential Transactions
Reusable Payment Codes
zkSNARKs
Ring signatures

Bitcoin: Confidential Transactions and Reusable Payment Codes

Confidential Transactions

To understand what Confidential Transactions do, you might start by imagining that you play rock-paper-scissors by e-mail.

Of course that is nonsense: if you write to me by e-mail that you have chosen rock, I answer "paper", and if you write that you have chosen scissors, of course I will have rock. As long as the two players are not present and making their move at the same time, whoever moves first loses.

However, cryptographers long ago developed a method for playing rock-paper-scissors, coin tosses or poker by e-mail. To do that, one needs so-called "commitments": functions with which one can fix a certain value ("scissors", "heads", "four kings") but keep it secret until it is revealed. You can think of it as writing the result on a piece of paper, putting it in a locked box, giving the box to your partner and then, when it is time for the reveal, handing over the key. With hashes or encryption, it is relatively easy to build such commitments.

But if we try to apply the same idea to Bitcoin, it gets a little harder. The idea of Confidential Transactions is to keep the amounts sent in a transaction as secret as the commitment in an e-mail coin toss, but at the same time to allow all nodes in the network to verify that the transaction is correct. It is as if I sent an encrypted commitment for rock-paper-scissors by e-mail, but the e-mail provider could still check whether I made a valid move or something nonsensical like "well". Absurd, right?

The whole cryptographic magic of Confidential Transactions lies in resolving this paradox. The concept was suggested by Adam Back. Gregory Maxwell developed it further, and it was first implemented in Blockstream's Elements sidechain. In a text file, Maxwell explains what the trick is: by using cryptographic techniques such as Pedersen commitments, it becomes possible to net the inputs against the outputs, even though they are hidden.

In a valid transaction, the inputs cover the outputs plus the fees. So if you compute "inputs minus outputs", only the fees are left over. The special thing about the commitments used in Confidential Transactions is that they can be subtracted from each other without knowing their exact contents, so a node can check that this subtraction leaves exactly the fee, and nothing else, without ever learning the amounts.
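As an added illustration (not code from the article, from Maxwell's text or from Elements), here is the balancing check a node could run on Pedersen commitments alone. It uses a toy 28-bit multiplicative group with trial division and hash-derived generators for readability; Elements commits to secp256k1 points instead and additionally needs range proofs, which are omitted here, while the sender balancing the blinding factors as below is how the real protocol works too.

```python
import hashlib
import math

def is_prime(n):
    """Trial division: fine for the toy 28-bit group used here."""
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

def safe_prime(start):
    """First q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 28)   # toy group; Elements commits to secp256k1 points instead

def hash_to_group(label):
    """Derive a subgroup generator from a label (squaring lands in the order-Q subgroup),
    so nobody knows log_G(H); that is what makes the commitment binding."""
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)

G, H = hash_to_group(b"value base"), hash_to_group(b"blinding base")

def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind mod P: hides value, binds to it."""
    return pow(G, value, P) * pow(H, blind, P) % P

def verify_balance(in_commits, out_commits, fee):
    """Node-side check that needs only the commitments and the explicit fee:
    prod(C_in) == G^fee * prod(C_out)  <=>  sum(v_in) == fee + sum(v_out),
    given that the sender chose output blindings summing to the input blindings."""
    lhs = rhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs * pow(G, fee, P) % P

def example_transaction():
    """Constructed example: inputs 60 + 45 -> outputs 80 + 24 with fee 1, amounts hidden."""
    r_in = [123456789, 987654321]
    r_out = [555555555, sum(r_in) - 555555555]  # output blindings sum to the input total
    ins = [commit(60, r_in[0]), commit(45, r_in[1])]
    outs = [commit(80, r_out[0]), commit(24, r_out[1])]
    inflated = [outs[0], commit(25, r_out[1])]   # a coin from nothing: must be rejected
    return verify_balance(ins, outs, 1), verify_balance(ins, inflated, 1)
```

The verifier in `verify_balance` never sees an amount or a blinding factor, only the commitments and the fee; the tampered output fails because the hidden sums no longer cancel.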


Reusable Payment Codes


One of the standard recommendations for Bitcoin users is that you should never use the same address more than once. The main reason is that address reuse reveals too much about your finances. That is why, for example, Bitcoin.de lets you create a new address for each deposit; otherwise everyone would know how many bitcoins are in your wallet.

In many cases this is an inconvenient requirement: for example, if you, like me, have a donation address on a blog, if you keep receiving payments from the same party or person, or if you simply have no access to your wallet but still want to issue a payment request.

The recently released Android SPV wallet Stash, available for Bitcoin and Bitcoin Cash, offers a solution to this problem: it has implemented reusable payment codes as described in BIP 47. "Our innovative payment address gives users a single, reusable address for payments and messages, which prevents blockchain observers from seeing the history of transactions," the wallet's developers explain.

How does this work? Basically it is similar to HD wallets, which derive a practically unlimited number of keys and addresses from a master key. Anyone who knows the Reusable Payment Code can generate any number of addresses for which the owner of the code holds the private key. So that the recipient knows who sent him something, the sender builds a kind of "tunnel" in the first transaction: in it he publishes his own payment code, which he combines with the recipient's Reusable Payment Code to derive the addresses. Thus the recipient can identify the sender, even though the money arrives at outwardly unrelated addresses.
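The address derivation at the heart of this tunnel, as an added example that is neither Stash's code nor the BIP 47 reference implementation: a pure-Python secp256k1 sketch of BIP 47's shared-secret step, in which sender and recipient arrive at the same payment key while the recipient's base key never appears on chain. It assumes constructed private keys a and b and skips the notification transaction, the HD derivation of these keys from the payment codes, and the address encoding.

```python
import hashlib

P = 2**256 - 2**32 - 977   # secp256k1 field prime (the curve Bitcoin uses)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def scalar_mult(k, point=G):
    """Double-and-add; returns k * point."""
    result, addend = None, point
    while k:
        if k & 1: result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def shared_scalar(priv, pub):
    """BIP 47 shared secret: s = SHA256(x-coordinate of priv * pub), must be a valid scalar."""
    sx = scalar_mult(priv, pub)[0]
    s = int.from_bytes(hashlib.sha256(sx.to_bytes(32, "big")).digest(), "big")
    assert 0 < s < N
    return s

def sender_payment_pubkey(a, B):
    """Sender side: B' = B + s*G from the sender's key a and the recipient's paycode key B."""
    return point_add(B, scalar_mult(shared_scalar(a, B)))

def recipient_payment_privkey(b, A):
    """Recipient side: b' = b + s, computed from the sender's key A published in the tunnel."""
    return (b + shared_scalar(b, A)) % N

def demo():
    """Constructed keys (not real wallets): sender a, recipient b; both reach the same address key."""
    a, b = 0x1234567890ABCDEF1234567890ABCDEF, 0xFEDCBA0987654321FEDCBA0987654321
    A, B = scalar_mult(a), scalar_mult(b)
    B_prime = sender_payment_pubkey(a, B)
    b_prime = recipient_payment_privkey(b, A)
    return scalar_mult(b_prime) == B_prime       # True: recipient can spend what sender pays
```

An observer who sees only the address derived from B' cannot relate it to B, and a second payment using the recipient's next paycode key yields an unrelated address.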


Ethereum: Privacy in the Contracts

Ethereum's approach to increasing privacy is slightly different. Since the first part of the Metropolis hard fork was completed, it has been possible to perform more complex cryptographic operations in smart contracts. This makes it possible to increase privacy within a contract using certain technologies, while normal ether transactions remain fully transparent.

The two currently discussed and tested technologies are zkSNARKs and ring signatures.



zkSNARKs


zkSNARKs are the zero-knowledge proofs used by Zcash. "Zero-knowledge proofs allow one party to prove to another that a statement is true without revealing any information beyond the fact that the statement is true," explains the Zcash website.

Like Confidential Transactions, zkSNARKs hide data while keeping it verifiable, but they are much more far-reaching: while Confidential Transactions can only conceal the transaction amounts and still prove them correct, zkSNARKs can conceal and validate any kind of information. Zcash uses them to "check the validity of a transaction according to the rules of network consensus without revealing any of the information on which the calculations are based." This is possible by "encoding some of the network's consensus rules in zkSNARKs."

Thus, transactions sent with zkSNARKs are completely anonymous: they hide not only the amount sent but also the sender and the recipient, while the other nodes in the network remain able to confirm that the transaction is correct.

On Ethereum, zero-knowledge proofs cannot be used for normal ether transactions. However, since the Metropolis hard fork it has been possible to use them to disguise the contents of a smart contract. For example, one can take an ERC20 contract that creates, sends and receives tokens and then cloak the operations in the contract, such as the transfer of tokens. The miners and nodes then know that a function is running within the contract and that everything is in order, but they do not know what exactly is going on.

Another possible application would be election contracts: anyone registered in a smart contract can cast a vote, and everyone can determine the result of the poll and verify that each participant has cast at most one vote, but nobody can tell who voted for what. If you intend to map democratic elections onto a blockchain, this would be a prerequisite.

How exactly zkSNARKs work is a complicated topic. There are interesting technical introductions on the Zcash website, a three-part series by Vitalik Buterin and an introduction by Christian Reitwiessner of the Ethereum Foundation. There is already a library called ZoKrates that implements zkSNARKs for Solidity. Its author, Jacob Eberhardt, has predicted that there will soon be plenty of "Zapps": private decentralized applications on Ethereum.


However, zkSNARKs also have a downside: they require a lot of space and computing resources. A first demo implementation showed that running a zkSNARKs contract is very expensive: the gas cost was about $10. Even with the improvements made by ING Bank, the zero-knowledge proofs remain quite expensive.

This is where we need to talk about ring signatures.


Ring signatures


Ring signatures are the basic technology of the rather private cryptocurrency Monero. Ring signatures were first introduced in 2001. They are a cryptographic technique for signing messages in such a way that anyone can verify that the message was signed by a member of a group, but cannot tell which member.

In Monero, ring signatures are used to sign transactions in exactly this way: an observer can confirm that the signature is valid because it can be assigned to a group of potential signers, but it is not possible to determine which of them actually sent the transaction. In this way Monero breaks the chain of transactions.

Recently, a developer used the cryptographic operations enabled by Metropolis to sign function calls with ring signatures within a contract. The contract, published on the Ropsten testnet, is a kind of mixer: from the outside one can see that the contract sends a valid transaction, but it remains unclear which member of the contract triggered it. This works with both ether and ERC20 tokens.
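An added example (not Monero's code and not the Ropsten contract) of the basic ring-signature mechanics described above, in a toy Schnorr group over a 28-bit safe prime rather than on a curve: any member of the ring can produce a signature that verifies against the whole ring, and the verifier learns nothing about which index signed. It omits the key images Monero adds to detect a second spend with the same key.

```python
import hashlib
import math
import secrets

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

# Toy 28-bit Schnorr group (real ring signatures live on an elliptic curve):
# q with p = 2q + 1 prime; 4 = 2^2 is a square, so it generates the order-q subgroup.
Q = next(q for q in range((1 << 28) | 1, 1 << 29, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4

def challenge(message, point):
    """Fiat-Shamir challenge c = H(message, point) reduced mod Q."""
    h = hashlib.sha256(message + point.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") % Q

def ring_sign(message, pubkeys, signer, secret):
    """SAG-style ring signature: close the ring of challenges at the signer's position."""
    n = len(pubkeys)
    alpha = secrets.randbelow(Q - 1) + 1
    c = [0] * n
    r = [0] * n
    c[(signer + 1) % n] = challenge(message, pow(G, alpha, P))
    i = (signer + 1) % n
    while i != signer:                       # walk the ring with random responses
        r[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = challenge(message, pow(G, r[i], P) * pow(pubkeys[i], c[i], P) % P)
        i = (i + 1) % n
    r[signer] = (alpha - c[signer] * secret) % Q    # only the real key can close the ring
    return c[0], r

def ring_verify(message, pubkeys, signature):
    """Anyone can check that the ring closes; nothing identifies which index signed."""
    c0, r = signature
    c = c0
    for y, ri in zip(pubkeys, r):
        c = challenge(message, pow(G, ri, P) * pow(y, c, P) % P)
    return c == c0

def demo():
    """Constructed ring of 4 keys; member 2 signs. Returns (valid, other_message_rejected)."""
    keys = [secrets.randbelow(Q - 1) + 1 for _ in range(4)]
    ring = [pow(G, x, P) for x in keys]
    sig = ring_sign(b"withdraw 1 ETH from the pool", ring, 2, keys[2])
    return ring_verify(b"withdraw 1 ETH from the pool", ring, sig), ring_verify(b"withdraw 2 ETH", ring, sig)
```

The signature is a tuple of one challenge and one response per ring member, so its size grows linearly with the ring; which member held the real key is indistinguishable from the transcript.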

It is possible that in the near future a ring signature contract will also appear on Ethereum's live chain, perhaps as part of a more complex decentralized mixer for Ethereum. However, ring signatures are not as effective as zkSNARKs in breaking the chain of transactions, as there are some known attacks on the privacy of ring signatures. On the other hand, the cost of running the contract is significantly lower than that of zero-knowledge proofs.