The R3 consortium released a summary last November of the various schemes that software developers have devised for protecting privacy for blockchain-based transactions, according to American Banker.
The study, which has not previously been made public, provides a comparison of the level of privacy offered by each approach. The study was done by Jack Gavigan, a co-founder of Zcash, a cryptocurrency that uses zero-knowledge proofs, one of the methods evaluated in the report. Financial institutions are anxious to use the efficiency features of blockchain technology, but the lack of privacy has proven a stumbling block.
Edward Budd, chief digital officer for global transaction banking at Deutsche Bank, said privacy requirements for blockchain will be no different than existing regulations that apply to any financial markets technology.
Software developers have come up with various methods to protect client privacy for blockchain-based transactions. These include permissioned blockchains, off-chain approaches, mixing coins from multiple users, ring signatures, Pedersen commitments, zero-knowledge proofs and stealth addresses.
The study noted that technologies that improve privacy require storing large amounts of data.
Monero, which offers ring signatures that hide the sending address of a transaction, had the most bytes per transaction in a chart that compared the cost of confidentiality for technologies designed to improve the privacy of bitcoin. Bitcoin had the fewest bytes per transaction in this chart, followed by CryptoNote, Zcash and Confidential Transactions.
Following is a summary of the different privacy technologies reviewed in the report.
Permissioned ledgers limit participants in a blockchain to known parties. The study characterized this as a “low tech” privacy option. On their own, these ledgers may not satisfy insider-trading and antitrust rules that require confidentiality between different departments within an organization.
Off-chain messaging, sidechains and state channels sequester data from the main blockchain. Sidechains and state channels allow participants to perform transactions on a privately controlled chain where assets are represented and reconcilable on a more public chain. Such approaches improve privacy but give up the resilience that comes from having data duplicated on many different computers.
Mixing combines coins from different users, divides them into smaller amounts and redistributes them to the intended recipients. This randomizes the transaction history. A good mixing service combines a large number of random transactions and reallocates them, a time-consuming practice that requires coordination.
Mixing is not expected to find favor with regulators.
Ring signatures were initially part of the CryptoNote protocol deployed by Monero as a way to conceal the sender’s address. A ring signature ties a transaction to multiple senders’ private keys, so that looking at the signature alone does not reveal which address initiated and actually signed the transaction.
Zooko Wilcox, a Zcash co-founder who worked on the report, called the ring signature strategy “hiding in a crowd.” He said the success depends on how big the crowd is and how random its members are.
Other observations, such as prior transactions from each of the addresses in the ring, can improve an attacker’s chances of guessing the real sending address.
Monero picks its decoy addresses using a method called triangular distribution, which favors coins that have been used in recent transactions, and therefore look more plausible, over addresses of coins that have sat idle.
Bitcoin core developer Greg Maxwell has developed Pedersen commitments as part of his “Confidential Transactions,” a planned addition to Monero. This lets a sender commit to a transaction amount without revealing it to the general public, by recording it on the blockchain as a hash. The sender can later disclose the amount to the recipient, who reproduces the hash stored on the blockchain as proof that the amount is correct.
A Pedersen commitment is transferable, so the recipient can spend it again without revealing the amount. The hashes are “homomorphic”: simple arithmetic can be performed on them without decrypting the underlying data.
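The homomorphic property described above, as an added worked example (this is not code from the report or from Bitcoin, Monero or Zcash). It assumes the secp256k1 curve, which the report does not name, and implements the curve arithmetic inline so it runs with only the Python standard library. A verifier that never sees any amount checks that the commitments to a transaction's inputs sum to the commitments to its outputs, and a transaction that tries to create one extra unit fails that check.

```python
import hashlib

# secp256k1 parameters; the curve is an assumption, the report names none.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication for a non-negative integer k."""
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def hash_scalar(data): return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
# Second generator H with unknown log_G(H), obtained by hashing G.x and lifting it onto
# the curve; anyone who knew log_G(H) could open a commitment to any amount they like.
def lift_x(x):
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)  # P % 4 == 3, so a sqrt when one exists
    return (x, y) if (y * y - x**3 - 7) % P == 0 else None
_x = hash_scalar(G[0].to_bytes(32, "big"))
while lift_x(_x) is None: _x += 1
H = lift_x(_x)

def commit(amount, blind):
    """Pedersen commitment C = amount*H + blind*G; the amount is hidden while blind is secret."""
    return add(mul(amount, H), mul(blind, G))

def balances(inputs, outputs):
    """Verifier check with no amounts in view: sum(inputs) - sum(outputs) must be the identity,
    which holds exactly when the hidden amounts balance and the sender made the blinds cancel."""
    total = None
    for c in inputs + [(c[0], (-c[1]) % P) for c in outputs]: total = add(total, c)
    return total is None

def demo():  # constructed example: inputs worth 5 and 7 spent into outputs worth 9 and 3
    b_in0, b_in1, b_out0 = hash_scalar(b"in0"), hash_scalar(b"in1"), hash_scalar(b"out0")
    b_out1 = (b_in0 + b_in1 - b_out0) % N  # pick the last blind so the G terms cancel
    ins = [commit(5, b_in0), commit(7, b_in1)]
    good = [commit(9, b_out0), commit(3, b_out1)]
    bad = [commit(9, b_out0), commit(4, b_out1)]  # would quietly inflate supply by one unit
    return balances(ins, good), balances(ins, bad)  # -> (True, False)
```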
Zcash zero-knowledge proofs allow a user to prove statements about data without revealing the data’s content. They are used to validate encrypted data cryptographically, so that the sender and the amount sent remain private yet can be proven legitimate.
The study authors noted that zero-knowledge proofs are slow. Computations take around 48 seconds. Zero-knowledge proofs may not be suited to high throughput trading that requires fast results.
In addition, deploying zero-knowledge proofs in a cryptocurrency requires other cryptographic elements. The setup process creates a private key that could be used to create counterfeit coins, and Zcash users must trust that this counterfeit-enabling key was destroyed.
Zcash used a decentralized parameter-generation method designed to ensure that no complete copy of the private key ever comes into existence: six separate key fragments were generated in isolation and spread around the globe. To circumvent this process, an attacker would have to obtain and reassemble all six key shards.
Stealth addresses reverse the usual process, in which the receiver generates an address and relays it to the sender. With a stealth address, the sender creates a fresh address and funds it with the transaction; although the address is new, the sender knows the receiver holds a key that can open it.
Stealth addresses offer a way for both parties to agree on a destination address without revealing the data to the system and without sharing other addresses under the recipient’s control.
Each method addresses part of the puzzle. Gavigan said many implementations combine different technologies.
At the same time, companies have their own unique needs.