This article is featured in Bitcoin Magazine’s “The Privacy Issue”. Subscribe to receive your copy.
Privacy is a fundamental issue in using a public blockchain system like Bitcoin. Numerous projects and proposals have been made over the years to either build privacy preserving tools on top of Bitcoin, or fundamentally add privacy at the protocol layer itself. Satoshi himself discussed briefly the idea of zero knowledge proofs being a mechanism to enable greater privacy before he left.
This is all the original whitepaper had to say on the topic of privacy:
10. Privacy
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the “tape”, is made public, but without telling who the parties were.
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
——————-
That’s it. That is the only consideration Satoshi gave in releasing Bitcoin to the transactional privacy of its users. Don’t reuse addresses, and carefully think through when you spend a coin together with another one because it will create transparent ownership links on the blockchain. Fifteen years later we have a comprehensive enough body of knowledge and experience to know that this section in the whitepaper is woefully incomplete.
It was nothing more than an abstract description of the model within which private, or non-private, use of Bitcoin would evolve over the coming decade. His advice to avoid spending coins together is no more practical than someone advising you to never spend more than a single cash note when buying something for the rest of time. It was inevitable that in the course of using Bitcoin as a currency people would regularly have to spend multiple coins together, inextricably linking their funds together over the time in the course of successive transactions.
Basic heuristics such as spending coins together form the basis of blockchain analysis, and the unraveling of people’s transaction history. If multiple coins are spent together in a single transaction, it’s a good assumption that all of those coins are owned by the same person. If an address is used to receive multiple coins from different people, those are all owned by the same person. When large groups of coins get spent together and connected over time, this forms a cluster. All of these, and other, basic heuristics are why Bitcoin’s blockchain are not private. You can watch transactions on-chain and apply these heuristics to them.
Now before I go any further, that was a critical point to make early on to ensure people could reason about it correctly, but it prescribed no reasonable or useful models for how to proactively maintain your privacy as a user. This is one of Bitcoin’s fundamental shortcomings. The protocol itself does not provide any tool or architecture to inherently protect the privacy of its users, that is left entirely up to them.
Choosing Privacy
Many protocols have been designed over the years to try to address this problem:
- Coinjoins: Protocols where users collaborate to spend their coins together, allowing them to send the same amount of coins to each of their addresses in the same transaction, confusing observers as to who’s coins went where.
- Coinswap: Protocols where users can privately perform a swap involving two transactions where they exchange their coins with each other. As long as both parties cooperate with each other, no connection is visible on the blockchain between the two transactions.
- Chaumian Ecash Mints: Protocols allowing a centralized issue to mint cryptographically blinded tokens structured in a way that they cannot tell which token is which when a user goes to redeem them. It facilitates centralized yet highly private transactions.
- Confidential Transactions: One of the components that is critical to Monero, it was originally developed by a developer working on Bitcoin. It obscures the amounts cryptographically blinding them, and providing a proof that the outputs to a transaction are equal to or less than the inputs without showing them. It was highly inefficient at the time it was proposed, and would have exacerbated Bitcoin’s scaling issues. It also allows a quantum attacker to secretly inflate the Bitcoin supply without being detected, or unravel everyone’s transaction history, if they can break the cryptographic assumptions Bitcoin depends on, depending on which types of cryptographic commitments it uses.
- Zerocoin: A scheme created to allow depositing coins into a single “escrow pool”, withdrawing later with no connected on-chain history to before verified by a zero knowledge proof. It was never implemented because the scheme was very computationally intensive to use at the time.
The first two of these proposals are application layer proposals, they are things that can be built on top of Bitcoin right now. No changes are necessary, and anyone can build software and tools allowing users to utilize either protocol. The second two are fundamental upgrades to Bitcoin at a protocol level. They cannot just be done now, and require convincing people to upgrade Bitcoin in a way that comes with non-negligible trade offs. In my opinion those upgrades will most likely never happen.
That leaves us with things we can build now. Many tools have already been built, and many more will have to be built, but our path forward is paved with privacy tools that people have to choose to use. If no one makes use of them, they are useless. No one can achieve privacy alone in a public system like Bitcoin, you need other people in order to achieve privacy on a blockchain, you need a crowd to hide in. This is very much an individual choice, yet at the same time each individual’s choice has a profound impact on the whole of everyone using Bitcoin.
It is one of the most important choices there is to make regarding Bitcoin.
If people do not value their privacy enough to act to preserve it, then privacy on Bitcoin will die. It will become verboten, something ostracized at first, then actively penalized and punished as time goes on. Governments will stigmatize it, regulate it away, and relegate it to an obscure minority on the fringes of society. At that point, privacy on Bitcoin will have failed.
Even Eric Hughes, the author of the Cypherpunk Manifesto, coiner of the phrase “cypherpunks write code,” realized later on that code alone was not enough:
“Perhaps the single most important lesson I’ve learned from cypherpunks is that code alone doesn’t cut it. Not code alone, not code widely distributed, not even code widely used. Some measure of toleration in society for activities conducted in private is necessary for long term success. Not convenient, not easier, but necessary.” -Eric Hughes, Cypherpunk Mailing List Mar 14, 1996.
People must choose to value privacy at large. It must be a valuable thing to them, valuable enough that they will act even in the face of coercion and intimidation to achieve it. It must be widely tolerated in society, the same way that free speech is in America, or the right to bear arms. It must be something so widely supported that even in the face of fierce opposition from some segment of society, governments will not act to outright stifle it in the face of the size of its support.
People must disobey such attempts in such large numbers that it is socially and practically intractable to actually enforce them. This decision, and the actions that follow it, is very much a political decision. A political act.
People must act, or this battle is already lost.
Building Privacy
We are going to assume for now that people will act, and in sufficient numbers to be successful. So what exactly do they do? Without fundamental changes to the protocol people have to opt into specific tools in order to preserve their privacy. What tools? How do they work?
We went over a handful of tools above, but we did not really go into a deeper or holistic view of how they work. It’s important to understand how different tools can interact with each other. Seen in a vacuum, it’s easy to walk away thinking that any individual privacy tool on Bitcoin can never be good enough on a technological level, but when you start to look at all of them interacting together it should be apparent that a very strong degree of privacy can be achieved. If users adopt all of these tools together.
Almost everything in Bitcoin is composable, none of the tools people have at their fingertips exist in a vacuum. Different things can be used in synergistic ways, whether that takes the form of being combined outright into single tools or multiple tools being used in tandem. Let’s go through the current state of things from top (upper layers) to bottom (the base layer).
Chaumian Ecash
Chaumian ecash mints are an old idea predating Bitcoin by decades. David Chaum came up with the concept in 1982. Chaumian ecash utilizes blind signatures to create a private payment mechanism. In the scheme, a central mint server acts as a token issuer, facilitating the creation of new tokens backed by deposits and redeeming tokens for new ones to process transactions. The private nature of the transactions it processes are powered by blind signatures.
Each token is essentially just a random value signed by the mint. In the naive case of such a scheme, the mint would be able to track the redemption of each token it signed, correlating the one being redeemed with the one being issued and viewing each token chain’s transactional history. By blinding each token value before submitting to the mint for signing, the mint is unaware of the exact value it signed. After acquiring the mint’s signature, they can unblind it, resulting in a perfectly valid signature from the mint on the plaintext of the token value the user generated.
The mint would only see a plaintext token whenever it was redeemed to be issued a new one, and because the token was blinded when it signed it, it would have no idea when or for who it signed. This allows for centralized, but incredibly private, transactions. The mint will have no idea who is paying who when it redeems tokens for new ones.
For the cost of trusting the operator to custody funds, users can realize a level of almost perfect privacy. It also has no requirements for receiving liquidity or other shortcomings protocols like Lightning suffer from. Any user anywhere willing to trust a mint can receive money privately simply by receiving a token from another user and redeeming it for a new one from the mint.
The utility of ecash goes far beyond just private scalable payments as well, ecash tokens can be made programmable. When someone uses a Chaumian mint, they are trusting the operator to process payments honestly and not steal everyone’s money. There is no reason at that point why they can’t also do more than process payments. They can also enforce smart contracts.
The same way that Bitcoin script allows people to program conditions on when their bitcoin can be spent, mints could use script or other programming languages to allow users to program conditional spending requirements into ecash tokens. Rather than just generating a random value to blind for the mint to sign, users could generate a script program to blind. After the mint signs it, when someone comes to redeem that token they will see the script it is programmed with. The mint simply refuses to authorize a redemption unless the script is fulfilled.
There are a few different trust models possible now, with more surely to come as people think more about how they can be built. The simplest and most straightforward is a single operator. This is the same as any custodial system like Coinbase. The next is a federated operator, distributing the trust across multiple parties. This puts ecash on par with many other systems built in this space people consider decentralized. There are even suggested models that invert the entire risk relationship, where the chaumian mint issues tokens backed by its own money, lending them out to users and periodically calling in the debt.
So, even right now, we can achieve an enormous amount of privacy…but at the cost of a loss of sovereignty and control over our own funds. This is far, far from ideal, but it’s a path forward that is open to us now. We just need there to be enough people operating these, and a solution for people using different mints to interact with them.
Enter the Lightning Network. It allows seamless deposits and withdrawals by users interacting with a mint, and a quick settlement mechanism for a receiving user to cash in a mint from one token and transfer it to another mint they prefer using or trust more.
Lightning Network
Lightning is a network of bi-directional payment channels, allowing users to route payments off-chain across this network. Users collaborate with one another to lock funds in a two party multisig address, using pre-signed transactions to ensure each party can claim their funds back without any help if necessary. After being established, the balance of funds can be updated off-chain by signing a new set of transactions and exchanging “penalty keys” that would allow the other party to confiscate the entirety of a cheating user’s funds in the channel if they attempted to use any old transactions on-chain.
Lightning, while far from perfect, is a massive improvement in terms of privacy compared to on-chain bitcoin use purely by virtue of not recording every transaction that occurs on the blockchain. Rather than every transaction a user makes permanently recording the history of where coins came from and where they went, the only visible history on the blockchain is the creation of the payment channel. Nothing about payments made or received is visible to the general public, only the counterparty the channel was opened with.
As far as the off-chain footprint is concerned, things are a bit more nuanced. Receivers for instance currently reveal their Lightning node to anyone paying them. This could be addressed with BOLT 12, a proposal incorporating a scheme called blinded paths which obscures the receiver’s Lightning node from the sender by having them compute the last few hops in the payment route. Senders however currently have excellent privacy, with the receiver learning nothing about their Lightning node or funds.
Lightning has some rough edges for end users to deal with though. Namely the requirement to have liquidity allocated by their channel counterparty to receive money, and the inability to receive more money than their channel counterparties have available to route to them. It functions amazingly as a payment routing network, assuming users have addressed the liquidity issues.
Most users address these by making use of a Lightning Service Provider (LSP). They fill the role of providing liquidity for users to receive money, but the trade off of solving that problem comes with privacy trade offs. The LSP is a large entity serving many users, and in the process learns about a large number of users’ payment activity. In some cases, particularly LSPs that make use of Trampoline Routing (a scheme where the LSP calculates a payment route for you), they even learn the destination of all their users’ payments.
Some of these issues can be addressed by bolting Chaumian ecash mints on top of Lightning. By having many users “use” a single Lightning node operated by the mint, liquidity allocated so the mint can receive funds can be shared more efficiently by all users. The private nature of ecash also helps shield users from some of the privacy shortcomings of Lightning. Even if the mint, the Lightning node operator, knows where payments it makes across the network are going, it doesn’t know which user(s) made them.
Overall use of Lightning directly by a user is not as private as Chaumian ecash, and does come with the added issues of having to source receiving liquidity and interact with LSPs, but it does not require relinquishing control of your funds. It can’t scale as well as ecash, and is more complicated to use, but it has a far superior trust model.
One thing Lightning doesn’t do however, is completely obscure the ability to track coins moving on-chain. It might hide and obscure individual payments conducted off-chain, but it is still possible to track coins into a channel, and track where they go when that channel is closed.
Coinjoins
Coinjoins are a protocol that enables multiple users to collaborate together to craft a transaction structured in a way to make tracking their coins difficult or impossible. Heuristics like common input ownership and clustering are the basis of tracking people’s funds. Breaking these is how to protect your privacy. Coinjoins accomplish this by structuring the amounts going in and out of a transaction properly.
Assume you have five people who want to obscure their transaction history, by combining their coins together in a single transaction and all creating outputs of the same denomination they create a false positive for common ownership by spending their coins together and create a false cluster. Because the outputs are of the same denomination, no one can be sure when they are spent in the future whose coins they actually are.
Now consider a Lightning user again. Even if realizing the maximum privacy benefits possible with Lightning, they still need to consider the privacy implications of interacting with the blockchain. Imagine a user withdrew coins from a KYC exchange and opened a Lightning channel. He might be able to make thousands of transactions back and forth over Lightning, but when he closes that channel with less funds than he put into it, the exchange can see that he at least spent that much somewhere in his off-chain activity.
When he spends those coins with other coins known to be his, or opens a new Lightning channel associated with his node with them, the exchange can be even more confident they are still under his control. These connections need to be broken and obfuscated. That is the role coinjoins can play.
Coinjoin was the most widely deployed protocol for base layer privacy, the two largest examples being Wasabi by ZKSnacks and Whirlpool by Samourai. Samourai was recently shut down after the founders were arrested, and Wasabi voluntarily discontinued the operation of their coordinator shortly after. Both of these systems depended entirely on a centralized coordinator server to help users actually construct their coinjoin transactions.
Joinmarket is another option that is operational currently, using a decentralized model where “takers” (users) select from a market of “makers” (liquidity providers) to coordinate coinjoins. Joinmarket however is not as well developed or maintained as there is no company behind it. It is a purely open source project.
These are not the only options by any means. People can spin up a Wasabi or Whirlpool server again if they want, people can even design new coordination models for serverless coordination. The coinjoin transaction itself, and how it is coordinated, are very separate things despite being related. There are many different ways the goal of coordinating the creation of the coinjoin can be accomplished. And importantly, it is permissionless to try new ways.
The Holistic Stack
Now that we’ve gone through these pieces, think about how they all interrelate. How they form together to create a holistic synergy at every layer to maximize privacy. Users transacting with an ecash mint have a massive degree of privacy even from the mint operators, those mint operators in using Lightning can themselves achieve substantial privacy for themselves and their users interacting with other mints, and in reorganizing liquidity on the base layer coinjoins can keep even that activity done on a public blockchain obscured.
Even without radical changes to Bitcoin itself, there is a path forward from where we are now to a private and censorship resistant Bitcoin. It is not ideal, it does require either costs and complexity or compromising on the desired goal of trustlessness, but it is possible.
Going forward, it can be made even better with each improvement made to the Bitcoin protocol. Covenant schemes that improve scalability could address some of the issues with systems like Lightning. This would allow more users to be able to interact with Bitcoin in a private way self-custodially, rather than having to delegate control of their funds to a chaumian mint.
Some of these scaling improvements might even reduce the need for on-chain privacy schemes such as coinjoins. Having more people share custody of a single coin in a trustless manner would introduce natural ambiguity as to who is doing what when withdrawals are made from that coin.
We have a path forward even now, and that path will get brighter with each improvement made to the Bitcoin protocol. People just have to choose to actually walk down it.
A Future With Privacy, Or A Future Without
Privacy might seem to some like a thing not worth caring about, or not that important. “What do you have to hide anyway?” I think those people simply don’t appreciate the implications of having no privacy. Look around at the world today, look at how quick people are to ostracize and shame someone publicly for innocuous things. Holding the wrong opinion, saying the wrong thing, voting for the wrong politician.
More and more the lack of privacy in regards to personal life is causing disastrous and traumatizing consequences for people. It is vitally important that people actually have control over what information about themselves is or is not made available to the public. This is not just a matter of criminals wanting to hide nefarious or horrific things, it is about everyday people being able to protect themselves from the whims of the mob.
Going even further than that, people living under totalitarian or oppressive governments around the world have much more to lose than a job or social standing if they are not able to maintain privacy. They can literally lose their lives.
Privacy can be the difference between physical safety and danger even for people living in a safe and free jurisdiction. Imagine if in the course of transacting with someone you revealed that you own a sizable amount of bitcoin, you have now in a very real sense opened yourself up to the possibility of physical danger. There are numerous documented cases of kidnappings, physical assault, even torture by criminals attempting to steal bitcoin from individuals who have revealed themselves to be wealthy.
Even domestic violence is an example of a situation where privacy is of utmost importance. One of the biggest reasons people do not leave abusive relationships is the financial inability to. How can someone in that situation attempt to work their way towards financial independence to leave without privacy? Without the ability to save and earn money without their partner discovering it?
Privacy is important.
To come back to Bitcoin, one of the chief properties it is valued for is its censorship resistance. The ability to transact however and whenever you want, without permission, without someone else having the ability to stop you. Transactions have two parties though, a sender and a receiver. A buyer and a seller.
If governments, regulators, the mob of the public, all can track your payments and coins in public, how can you have censorship resistance? How can that exist when any government or mob can coerce and threaten people to not transact with you? How can Bitcoin be censorship resistant when everything you do can be followed, and when you become persona non grata, the weight of government and social pressure can prevent others from interacting with you? Remove that choice from the individual of whether to transact with you or not, and impose a decision on them? When a merchant has to worry that if they receive “the wrong coins” the government will track them down and seize them, resulting in them losing money? It can’t.
If coins can be distinguished from each other in any meaningful way, and tracked as they move around, Bitcoin starts breaking down and not even functioning properly as a money. Money has to be fungible, i.e. two coins must be indistinguishable from each other from a merchant’s point of view. To be fungible, it has to be private.
Privacy, fungibility, and censorship resistance are all facets of the same thing. They can only exist together.
People have to choose to value privacy, or Bitcoin will lose its censorship resistance. Most people won’t choose privacy over purely ideological grounds, or political grounds, they will need to be shown it is actually useful. They need to actually see and use something that lets them donate to a cause important to them without being shamed or attacked for it. They need to see that people in a totalitarian state can actually use it to accomplish something meaningful. They need to actually see the eerie and creepy omnipresent ads online disappear or become wildly inaccurate as they make purchases privately, out of sight of the big data fishing net.
This is the most important battle Bitcoin will ever face, and we are at an inflection point in that fight right now. The outcome of this fight will shape Bitcoin for the rest of its existence. Will it be a tool for sovereignty and freedom, or one for surveillance and oppression? That is up to us to decide.
I do not want to live in a world where I have no privacy of thought, of interaction, of transaction. Where every action I take, every thought I utter, or even think, is put under the scrutiny of the government and the mob of the public. Where the slightest misstep leads my life to ruin, with no room for dissent or dialogue or debate.
I choose privacy. I choose censorship resistance. I choose freedom.
This news is republished from another source. You can check the original article here