What makes a good private cryptocurrency

Introduction

Among cryptocurrencies, privacy is a major category of features for which there is a real need. When I say privacy, I’m referring to the privacy needed by people who depend on their anonymity for their safety. The canonical examples include journalists, dissidents, political activists, and criminals. These groups are frequently targeted by governments, which are known to be the most powerful kind of adversary, with incredible resources. For this reason, the gold standard of privacy is privacy from governments. Obviously, if you are private from governments, you are also private from everyone else, meaning that you don’t have to be targeted by a government to find utility in privacy.

Privacy is an area in which I’ve seen an incredible amount of misinformation, and people lacking domain expertise are surprisingly easy to mislead and beguile. Proof of this is that projects, which to domain experts are obviously disingenuous, persist with real people defending them. These defenders, if not paid promoters, really don’t know any better. These disingenuous projects have exactly zero domain experts supporting them, underscoring that it’s not a matter of opinion or tradeoffs. It’s about as black and white as it gets.

In this post I’ll give an overview of

  • What exactly is domain expertise in privacy
  • The evolution of privacy in cryptocurrencies
  • How cryptocurrency transactions are linked to actual identities in practice
  • How to evaluate private coins in terms of their features
  • The current ecosystem of private coins

So why are you saying most people are misguided when it comes to privacy?

Most people lack domain expertise. Domain expertise is having real-world practical experience with workflows that require high levels of privacy. It also involves learning about how criminals get caught by governments. Also, you need to learn about tactics governments use to deanonymize people that go beyond technical attacks, like issuing national security letters. In that sense, you need to have some exposure to the privacy community and learn about the ever-evolving creep by governments to further domestic spying.

Preferably, you should also be reading guides and listening to chatter by communities of people who are criminals by definition, and the tools they recommend and use for their workflows. For those groups, the more illicit their activities, the better, given that people with something real to lose make it their business to be domain experts in computer security out of necessity. The ones who don’t are caught at a much higher rate.

I’d say the three broad communities of people with things to say are

  • people who care about privacy from an ethical standpoint
  • criminals who care about privacy for self-preservation
  • computer security experts and cryptographers

By listening to chatter from these groups, you’ll mostly learn about the tools you should be using, but you’ll also learn a lot of other things: how people get caught; how sophisticated the attacks are by governments; how a single mistake can compromise you; the very fuzzy legal gray area the government operates in; how governments play dirty; non-technical aspects of securing your privacy; and more. This kind of domain knowledge is not obvious or intuitive. There’s no single source to learn it all, and there’s a lot of it. This is why the average person trying to evaluate private cryptocurrencies is almost always lacking experienced judgment, even though they may be genuine and intelligent. Evaluating privacy is really an area for domain experts who have real-world experience.

How cryptocurrency activity is linked to real identities

Bitcoin is pseudonymous, meaning that real identities are not attached to addresses explicitly. Bitcoin is transparent, but if your transactions are not linked to you, then you are anonymous.

So here’s where it gets interesting. Most people have to purchase cryptocurrency to acquire it. Those fiat-currency-to-cryptocurrency gateways are heavily monitored due to anti-money laundering and know-your-customer laws, abbreviated as AML/KYC. To go a step further, to cash out you typically need to link a bank account, and a bank is an institution with even stricter AML/KYC regulations. The point being, these gateways will know your identity. There is almost no way around this. Due to the public and traceable nature of bitcoin transactions, a good amount of information can be intuited by knowing one of your bitcoin addresses, like what your other addresses are, who your business partners/vendors are, how much money you have, and how much money you’ve been moving around.

Governments targeting individuals usually start with an entity they want to deanonymize, like a darknet operator. Their starting point for cryptocurrencies is the addresses people deposit money to and withdraw money from on these darknet sites. The goal here is to follow the transactions until they reach a fiat gateway with AML/KYC regulations and subpoena them for information on the identity of the account.

The anatomy of a cryptocurrency transaction is (simplified)
(a) a sender
(b) an amount
(c) a recipient

These are the key pieces of information that are used to deanonymize identities transacting in cryptocurrencies, and any effective private technology will focus on these three core areas. Other data, like IP addresses, can be used to gather more information on targets, but attacks like this are unlikely to be particularly cost-effective or feasible and so are less important to focus on if more vulnerable attack vectors aren’t hardened. To date, the three core areas I listed are necessary ingredients for blockchain analysis.
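The tracing step described above can be sketched on a toy transparent ledger. This is an added example, not code from the original post; the ledger, the address labels and the helper names are constructed for illustration. It shows that publishing sender, amount and recipient is enough to walk funds to a KYC'd gateway, and that the walk has nothing to follow once those fields are hidden.

```python
from collections import deque

# Constructed sample ledger using the simplified anatomy above:
# (txid, sender, amount, recipient). All names and values are made up.
LEDGER = [
    ("t1", "market_deposit", 5.0, "hop_a"),
    ("t2", "hop_a", 4.9, "hop_b"),
    ("t3", "hop_a", 0.1, "change_a"),
    ("t4", "hop_b", 4.8, "exchange_hot_wallet"),
    ("t5", "unrelated_1", 2.0, "unrelated_2"),
]

# Addresses assumed to belong to AML/KYC-regulated fiat gateways (constructed).
KYC_GATEWAYS = {"exchange_hot_wallet"}


def trace_to_gateway(ledger, start, gateways):
    """Breadth-first walk of outgoing payments from `start`.

    Returns the shortest chain of transactions that ends at a gateway
    address, or None if no such chain is visible on the ledger.
    """
    # Index transactions by sender so each hop is a dictionary lookup.
    outgoing = {}
    for tx in ledger:
        outgoing.setdefault(tx[1], []).append(tx)

    queue = deque([(start, [])])
    seen = {start}
    while queue:
        address, path = queue.popleft()
        if address in gateways:
            return path
        for tx in outgoing.get(address, []):
            recipient = tx[3]
            if recipient not in seen:
                seen.add(recipient)
                queue.append((recipient, path + [tx]))
    return None


def redact(ledger):
    """Simplified model of a ledger that hides sender, amount and recipient."""
    return [(txid, None, None, None) for txid, *_ in ledger]


if __name__ == "__main__":
    for tx in trace_to_gateway(LEDGER, "market_deposit", KYC_GATEWAYS):
        print(tx)
    print(trace_to_gateway(redact(LEDGER), "market_deposit", KYC_GATEWAYS))
```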

A history of the evolution of cryptocurrency privacy

It starts with Bitcoin, the first cryptocurrency and to date the most price-stable and liquid cryptocurrency (making it attractive to vendors/businesses). Bitcoin was known to be pseudonymous, meaning addresses aren’t directly connected to real identities, but transactions are still public and that can be used to reveal your identity.

One of the first business cases of bitcoin was anonymous marketplaces, or darknet markets. Bitcoin then was so new that there were no blockchain analysis companies or experts. Law enforcement and governments knew of bitcoin only through Wikileaks accepting it as a payment option and had little expertise or understanding of the technology. For privacy, bitcoins would be tumbled. Tumbling meant sending your bitcoins to a trusted third party, which in turn would send someone else’s bitcoins to a separate address you controlled (minus a randomized fee). So any direct link through your transactions was broken. Techniques were used like delayed remission and remission in phases (e.g. 6 transactions over 48 hours). The problem with this method was largely that you had to trust the tumbling service not to steal your bitcoins, not to keep logs, and to send you bitcoins in a way that was difficult to trace to the original sender (you).

Due to the mandate of law enforcement and deep pockets of governments, expertise in blockchain analysis was cultivated and blockchain companies started sprouting up. The canonical targets were darknet market operators and high-profile hacks like Mt. Gox. Some arrests occurred for darknet vendors who failed to take appropriate security measures when moving their bitcoins. Some darknet operators were caught, but it is unclear whether the successful attack vector was TOR or blockchain analysis, and it is difficult to trust the official court documents due to parallel construction.

As a response to trusted tumblers, Dash (formerly Darkcoin) is created with prioritized nodes responsible for protocol-level mixing. Coinjoin is created for bitcoin as a privacy measure which batches senders and recipients where the amounts sent by the senders are all equal, so it is unclear exactly who sent which coins to whom. The Cryptonote protocol is released in 2014 using the first zero-knowledge cryptography to obscure the sender in a transaction.
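Why the equal amounts matter in a coinjoin can be shown by counting the input-to-output pairings an observer cannot rule out. This is an added example, not code from the original post or from any coinjoin implementation; it assumes a simplified model in which every participant contributes one input and receives one output of the same amount, with no fees or change, and all labels and amounts are constructed.

```python
from itertools import permutations

# Constructed joint transactions; amounts are integers in the coin's
# smallest unit so that equality checks are exact.
EQUAL_INPUTS = [("alice", 100), ("bob", 100), ("carol", 100)]
EQUAL_OUTPUTS = [("out1", 100), ("out2", 100), ("out3", 100)]

UNEQUAL_INPUTS = [("alice", 100), ("bob", 250), ("carol", 70)]
UNEQUAL_OUTPUTS = [("out1", 250), ("out2", 70), ("out3", 100)]


def consistent_mappings(inputs, outputs):
    """Enumerate every pairing of inputs to outputs with matching amounts.

    Each returned dict maps an input label to the output label it could
    have funded. An observer of the public transaction cannot tell which
    of these pairings is the real one.
    """
    if len(inputs) != len(outputs):
        raise ValueError("model assumes one output per input")
    mappings = []
    for perm in permutations(range(len(outputs))):
        if all(inputs[i][1] == outputs[j][1] for i, j in enumerate(perm)):
            mappings.append(
                {inputs[i][0]: outputs[j][0] for i, j in enumerate(perm)}
            )
    return mappings


def anonymity_sets(inputs, outputs):
    """For each input, the outputs it maps to in at least one pairing."""
    sets = {label: set() for label, _ in inputs}
    for mapping in consistent_mappings(inputs, outputs):
        for source, destination in mapping.items():
            sets[source].add(destination)
    return sets


if __name__ == "__main__":
    # Equal amounts: every pairing is plausible, so each sender hides
    # among all three outputs.
    print(len(consistent_mappings(EQUAL_INPUTS, EQUAL_OUTPUTS)))
    print(anonymity_sets(EQUAL_INPUTS, EQUAL_OUTPUTS))
    # Distinct amounts: only one pairing fits, so the batch hides nothing.
    print(consistent_mappings(UNEQUAL_INPUTS, UNEQUAL_OUTPUTS))
```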

RingCT, another zero-knowledge protocol, is developed which shields the transaction amounts. RingCT is not implemented in bitcoin due to the increased size of transactions which would affect scalability. Monero implements RCT in early 2017.

The zerocoin and zerocash protocols are developed by academic cryptographers and made into two separate coins: zcoin and zcash, respectively. The zerocoin protocol allows users to “burn” coins in fixed denominations, giving them a metaphorical IOU (actually a zero-knowledge proof). Anyone with this IOU can then “mint” the same amount of coins. There is no direct link between the coins burned to create the IOU and the coins minted to cash in the IOU. The zerocash protocol shields the sender, amount, and recipient of the transaction completely. That said, technologically it requires a trusted-setup and is too computationally expensive to be practical for all transactions.

Zero-knowledge cryptography continues to be the gold standard for privacy because it allows for provable privacy by definition since no information is revealed concerning the statement that is being proved. The cryptonote (+RingCT), zerocash, and zerocoin protocols are considered the most private ones to date. That said, Monero is the first and only coin that inspires enough confidence to be a successor to bitcoin in darknet markets. The primary friction regarding Monero’s adoption comes from its low liquidity to bitcoin and darknet vendor complacency. As arrests continue due to blockchain analysis for bitcoin, there is pressure for further Monero adoption.

How to evaluate a private coin

The easiest litmus test for a traceable coin is to look for a rich list. This can be done in 30 seconds. Rich lists are lists of addresses with the most coins. These rich lists are only possible if transactions are traceable. Monero is the only major coin to date without a rich list because all transactions are private by default. Zcash’s transparent transactions have a rich list, which is why mandatory privacy is important.
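A rich list is nothing more than the public ledger summed per address, which is why its existence proves traceability. The sketch below is an added example, not code from the original post or from any block explorer; it assumes a bitcoin-style UTXO model, all transactions and labels are constructed, and `shielded_view` is a simplified stand-in for a ledger that publishes neither addresses nor amounts.

```python
from collections import defaultdict

# Constructed transparent ledger. Each transaction spends earlier outputs,
# referenced as (txid, index), and creates outputs as (address, amount).
TRANSACTIONS = [
    {"txid": "coinbase1", "inputs": [], "outputs": [("miner", 50)]},
    {"txid": "coinbase2", "inputs": [], "outputs": [("miner", 50)]},
    {"txid": "tx1", "inputs": [("coinbase1", 0)],
     "outputs": [("alice", 30), ("miner", 20)]},
    {"txid": "tx2", "inputs": [("tx1", 0)],
     "outputs": [("bob", 12), ("alice", 18)]},
]


def unspent_outputs(transactions):
    """Return {(txid, index): (address, amount)} for outputs never spent."""
    created = {}
    spent = set()
    for tx in transactions:
        spent.update(tx["inputs"])
        for index, output in enumerate(tx["outputs"]):
            created[(tx["txid"], index)] = output
    return {ref: out for ref, out in created.items() if ref not in spent}


def rich_list(transactions, top=10):
    """Sum unspent outputs per address and rank by balance, largest first."""
    balances = defaultdict(int)
    for address, amount in unspent_outputs(transactions).values():
        if address is None or amount is None:
            # Nothing to attribute or to add up: no rich list can exist.
            raise ValueError("ledger does not publish addresses and amounts")
        balances[address] += amount
    # Ties are broken by address so the ranking is deterministic.
    return sorted(balances.items(), key=lambda item: (-item[1], item[0]))[:top]


def shielded_view(transactions):
    """The same ledger with addresses, amounts and spend links hidden."""
    return [
        {"txid": tx["txid"], "inputs": [],
         "outputs": [(None, None)] * len(tx["outputs"])}
        for tx in transactions
    ]


if __name__ == "__main__":
    print(rich_list(TRANSACTIONS))
    try:
        rich_list(shielded_view(TRANSACTIONS))
    except ValueError as error:
        print("no rich list:", error)
```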

The next easy litmus test is whether the coin is proof of stake or proof of work. Proof of stake coins give block rewards based on the amount held in transparent addresses weighted by balance held. If proof of stake exists then coins are traceable because we have no other way of knowing how many coins exist in which staked addresses.

Now I might check how private a transaction is. If coins are moving from address A to address B, how privately can these coins be moved? The less information revealed, the better. As I mentioned, I look to see as little information as possible that can be deduced about the senders, transaction amount, and recipients of a transaction.

Next is whether privacy is mandatory or optional. Optional privacy is extremely problematic because then the vast majority of transactions use the default public state. Now using a private transaction could draw the wrong kind of attention. It’s like walking outside with a bag over your head. You are anonymous but it draws attention since you stick out from the crowd. For Zcash privacy is optional due to the high resource requirement of creating private transactions. For Zcoin transactions are public but coins can be burned and minted at will to break the direct linking of where coins came from and went. Monero is the only coin with mandatory privacy, but with optional transparency (meaning you can reveal your private transactions to others if you wish).

I generally look for exaggerated or absolute claims at this point. Phrases like 100% private; completely untraceable; totally anonymous, etc. defy the care cryptographers and privacy experts use to describe these tools. They use much more qualified language. There are no guarantees in privacy and nothing is 100% private. Claims like these largely reveal that the developers lack actual domain expertise because this kind of language is strongly discouraged in the privacy community and different ways of describing privacy are used. Also, exaggerated claims are usually for marketing to people without domain expertise who are easily convinced/impressed. Privacy experts are strongly mission-focused and use extremely qualified language so as not to give the impression that tools are safe to use without care given the risks involved. The number of times I have seen a boastful and overconfident privacy expert is exactly zero.

If I’m at this point, I might check out the community and how the founders describe the need for this private coin and why other coins might be insufficient. Domain experts in privacy are rare, and they typically do not spend their time on projects with no future. Domain experts can recognize other domain experts. They have a particular way of talking and thinking when it comes to privacy that is acquired. For example, when discussing the weaknesses of other coins, they focus on the technology and aspects that influence privacy almost exclusively. The Monero community, for example, is frequently complained about as being overly obnoxious about the minutiae of privacy and overly critical about theoretical problems. I have seen other privacy enthusiasts criticize Monero specifically due to the perception of the community with no focus on the technology, and that immediately suggests they almost certainly are not domain experts. Claims of “coin X is secure because we’ve put a large bounty on deanonymization and nobody has claimed it” also betray the lack of domain expertise here since that is not the basis of security.

There are other things I might look for but I’ve covered a decent amount of information. These other things include: little-to-no marketing, fair incentives (e.g. no pre-mine, instamine, ICO), the core developer qualifications, github activity, honesty, etc. These things all correlate with mission-driven people who care first about privacy.

The current ecosystem of major private coins

Monero

Uses the cryptonote protocol. Core privacy features are ring signatures to obscure the senders, ring confidential transactions to shield the transaction amounts, and stealth addresses derived from the recipient address to shield the recipient. All transactions are private by default. Monero is also re-implementing an i2p router specifically for the cryptocurrency, and this project is called Kovri. This coin has no pre-mine, no ICO, no investors. There is no overarching corporation or non-profit. It is largely grassroots and this is the second most developed cryptocurrency after bitcoin. This is typically the only private coin considered by darknet markets. Exactly zero dollars has ever been used to promote Monero and its growth has been by word of mouth. Monero is considered the gold-standard among private coins largely because it started with domain experts in privacy who took all the right steps in the formation and design choices for a private coin.

Zcash

Uses the Zerocash protocol which is a successor to the Zerocoin protocol. Uses the strongest zero-knowledge cryptography in existence for cryptocurrencies today which completely shields the sender, recipient, and transaction amounts for private transactions.

That said, Zcash requires a trusted set-up to create initial parameters used in the protocol. If this data was compromised, it would allow an attacker to mint an unlimited amount of Zcash, and this inflation would be undetectable, making Zcash a questionable store of value in 2017. There is a 20% developer tax on mining rewards for the first four years (and then 0% after that), which is widely considered to be excessive and unfair for a cryptocurrency. Zcash has investors, which is problematic in that they can influence the decisions the team makes and their motivations are unlikely to be aligned with those of privacy experts. Zcash is maintained by the Zerocoin Electronic Cash Company, incorporated in the United States. This means the NSA can send this company national security letters and they will have to comply. Private transactions are extremely resource intensive and for that reason privacy is optional and only a small percentage of the total transactions are private. This coin aims to be a better version of bitcoin considering that privacy is a big issue, rather than a coin inspired to ensure privacy from governments. On multiple occasions core team members have stated that they are open to making their work compatible with law enforcement, which is a polite way of discussing a backdoor. Due to the people in charge of this project, there are reservations about using this coin for privacy from governments, especially the United States government.

Zerocoin protocol

This protocol is worth mentioning but there is no major coin like Monero or Zcash which uses this protocol. I chose to list the protocol instead of Zcoin because that coin does not appear to be actively developed. This protocol was designed by the same researchers who later created the Zerocash protocol. Requires a trusted setup which is a product of two large prime numbers. The value chosen was from the RSA factoring challenge which makes this a quasi-trusted set-up. Here coins can be “burnt” in fixed denominations creating a sort of IOU note. This IOU note can be used to “mint” those coins back into existence, and there is no way to link burnt and minted coins. Transactions are still transparent. The original creators of this protocol are now involved in the Zerocash protocol. This protocol also uses better-studied cryptography compared to the Zerocash protocol.

Coins which claim to be private but are problematic

Dash

Oversells itself as “completely private” with its private send feature. Dash’s private send is mixing with a modified version of coinjoin, which is obfuscation by definition. The prioritizing of marketing and phrases that appeal better to those goals often draws sharp criticism from privacy experts given the danger of overselling something that is much less secure than claimed. Prioritized nodes called Masternodes are responsible for the mixing, which creates a vulnerability due to governments co-opting or setting up their own Masternodes. That these attacks are costly is irrelevant in the face of the sheer resourcefulness and abilities of well-funded adversaries.

All transactions in Dash are transparent and Dash has a rich list. Furthermore, Dash had an “accidental” instamine of more than 10% of the total coins that will ever be created in its lifetime in the first 48 hours, and this is largely thought to have been deliberate to enrich the founder in a socially acceptable manner: the story being the instamine was the result of a bug, and the community didn’t want the coin to be relaunched.

Verge

An obvious scam to privacy experts. This coin is a bitcoin clone with TOR and i2p baked in. This coin exists largely due to the ignorance and low difficulty of manipulating/impressing non-experts. Transactions are completely traceable and the core privacy vulnerabilities of sender, recipient, and transaction amounts are not shielded or obscured. Claims made by the team are frequently outright dishonest. This coin has no future in privacy and the obvious reason for its existence is to enrich the founders. Community members seem to have serious deficiencies in their understanding of privacy, like how identifying the IP addresses of full-nodes is not a realistic threat to the privacy of users, or how pseudonymity does not protect your privacy considering you need to cash out to fiat at heavily monitored gateways, or that privacy is all or nothing so if you cannot protect criminals then you cannot protect civilians.

Cloakcoin

Less impressive than Dash, more impressive than Verge. The project has been “closed source” for more than 4 years, meaning the code is not public. And to be honest, I am unimpressed with the quality of their whitepaper after working on this problem for 4 years. The closed source nature of the code is beyond unusual in privacy and cryptocurrency projects and highly suspect. Being closed source alone is enough of a red flag to exclude this as a serious attempt at privacy. The core privacy feature appears to be a form of coinjoin with one or more prioritized nodes. The coin is proof of stake meaning without any extra information I can tell that this coin is traceable. All transactions are public (although some are obscured by mixing). Claims in the whitepaper are exaggerated and terminology seems to be borrowed from Monero, namely “private, secure, and untraceable”.

Bytecoin

The original coin implementing the Cryptonote protocol. For reasons unexplained, the developers decided to have an 83% premine and claimed that the coin existed in the darkweb for two years, despite exactly zero people being able to confirm the existence of Bytecoin from any sphere for the clearnet or darknet. The Bytecoin developers faked the digital signature on the whitepapers to appear to come from 2012 to give legitimacy to the premine, and analysis of the whitepaper metadata revealed that the paper could have been written no earlier than 2014. The developers also released a crippled miner, meaning it was carefully and deliberately de-optimized so as to give the team a significant advantage with their optimized miner on Bytecoin and any forks. The mysterious history of Bytecoin and the Cryptonote protocol is the most bizarre story I am familiar with in all of cryptocurrency history.

Zcash

For exactly the same reasons I listed earlier:

  • The motivations of the team members seemingly not aligned with privacy from governments
  • The 20% developer tax for the first four years
  • Incorporation in the United States
  • Trusted-setup making it a questionable store of value
  • Optional privacy
  • Rushing a technology out too early for it to be feasible in a product they called production-ready
  • Money raised from a small group of investors
  • Very questionable tweets by Zooko and his team suggesting backdoors might be a reasonable feature to aid law enforcement
  • Dishonest marketing (i.e. monerolink.com) that is inconsistent with the behavior of honest actors focused on privacy – this study continues to perpetuate misinformation in the privacy space today. Technically accurate, but presented in an extremely misleading way.
  • Strong reservations by others who focus on fairness and honesty

My largest concerns are with the team itself rather than the technology and they do not inspire confidence from a privacy standpoint. I get the strong impression that they are in it for the wrong reasons. It largely seems they have found a solution (zero-knowledge cryptography) and are trying to find a problem (cryptocurrencies). Due to the lack of domain knowledge that comes with trying to find a problem from a preconceived solution, they’ve ignored the delicate and subtle aspects of privacy from governments and stumbled at every step by running this cryptocurrency like a company. There is seriously no other way you could tweet about inserting backdoors to aid law enforcement in a serious manner.

Some other coins worth mentioning

Zcoin

The original coin implementing the Zerocoin protocol. The developer(s) seem to have good domain knowledge of privacy, the right motivations, and honest intentions. That said, they seem to have way too little Github activity for the size of the team that they have and I wonder if this project has largely been abandoned. Without this coin being actively developed consistently, I have reservations about this project.

PIVX

A fork of Dash without the instamine. While Dash’s “privacy” comes from mixing, PIVX has stated that they intend to implement the Zerocoin protocol. If they are serious and follow through on this then they will be a serious contender in privacy. The Zerocoin protocol for PIVX’s privacy would be a significant improvement over mixing.

Shadowcash

While I think optional privacy and proof of stake are a bad direction for a private coin, the team and community seem to have the right intentions in the privacy space. Shadowcash implemented ring signatures while using the architecture of bitcoin. This project has been discontinued for unclear reasons. The Shadowcash team now works on Particl, a decentralized marketplace. I am probably not giving the Shadowcash project enough credit since it looks like they did significant work on their project, but I am not all that familiar with it.

Conclusions

Privacy is a major category for cryptocurrencies. Privacy from governments is hard to get right, and most coins get it wrong because they lack domain knowledge. The weakest point for privacy is traceability, and it largely comes down to features which obscure or shield the three core components of a transaction: sender, amount, and recipient.

The best approaches to privacy involve zero-knowledge cryptography, where a statement is proved without revealing any details about the statement. Zero-knowledge cryptography is preferable because privacy is provable at the mathematical level. To date the only protocols that provide good levels of privacy are the cryptonote (+ RingCT), Zerocoin, and Zerocash protocols.

Considering all the aspects of real-world privacy, Monero is considered the obvious winner in privacy from governments. People who lack domain expertise in privacy and cryptocurrencies frequently think Zcash is the obvious winner due to the team of academic cryptographers and the more powerful zero-knowledge cryptography, but I’ve outlined technical and non-technical considerations which warrant extreme concern about the project at this time from a privacy standpoint. Lastly, I’ve discussed some of the more well-known privacy-focused cryptocurrencies and my thoughts on each of the projects.