Privacy coins explained — lifting the veil on anonymous cryptocurrencies
An introduction to privacy-focused cryptocurrencies, their features, utility and future
Privacy coins are one of the largest and most controversial classes of cryptocurrencies today. For their proponents, they promote greater financial freedom than traditional electronic payment methods or non-private digital assets like BTC. However, for their detractors — namely law enforcement agencies — they represent a real threat and pose unique challenges when it comes to investigating financial crimes.
In this article, we pull back the curtain on privacy coins to discuss their salient features, why they exist, and the methods they employ to support anonymity. We conclude with an overview of legal concerns and the future of privacy coins in general.
Table of contents
- What are privacy coins?
- Why were privacy coins created?
- Understanding fungibility
- Privacy coin use cases
- Examples of top privacy coins
- How do privacy coins work?
- Issues surrounding privacy coins
- What is the future of privacy coins?
What are privacy coins?
Privacy coins are cryptocurrencies that use a variety of techniques to protect the identities of their users. Like Bitcoin, privacy coins also use a transaction ledger or database, but unlike the market leader, the sending and receiving addresses, as well as the amounts being transacted on privacy coins, are not recorded publicly.
Unlike the typical public digital asset, privacy coins are designed in such a way that critical data is obscured from the rest of the network, making it virtually impossible to connect any transaction to a particular individual or entity.
There are two main categories of privacy coins: those that offer privacy by default, such as Monero's XMR, and those that provide optional privacy, such as DASH and Zcash's ZEC.
Different combinations of techniques discussed later in this article result in varying degrees of user anonymity. However, as expected, privacy coins have been under increased scrutiny due to their potential for illicit use.
Why were privacy coins created?
Like many early altcoins, privacy coins emerged as a response to perceived shortcomings in Bitcoin's design. In its first few years, users generally assumed that Bitcoin transactions were completely anonymous because — unlike traditional electronic payments — Bitcoin addresses are not formally tied to real-world identities.
However, since Bitcoin's blockchain maintains a permanent public record of each and every transaction, it is theoretically possible to identify, track and link transactions to individuals and organizations. As the space has matured, analytics firms such as Chainalysis have come up with methods and tools to do exactly that, and there have been cases in which law enforcement has used such analyses as part of their investigations.
The first privacy coins appeared shortly after the FBI's takedown of the original dark-web marketplace, Silk Road, in 2013. The only payment method accepted on the marketplace was BTC, and the majority of the goods sold were illegal. The prosecution used blockchain analysis during the eventual trial to make its case against the defendants who ran the website.
The trial essentially sparked a debate around actually untraceable cryptocurrencies, and DASH and XMR were launched the following year.
Understanding fungibility
For many of those attracted to Bitcoin early on, its perceived privacy was a key attraction. However, BTC has turned out not to be as "fungible" as it was believed to be.
Fungibility is an essential characteristic of money and means that one unit of something can be swapped with another, with neither party feeling aggrieved by the exchange. Take, for example, the U.S. dollar. If you pay for an $80 item with a $100 bill, the shopkeeper doesn't care exactly which $100 bill it is. Provided the note is authentic, it will be worth the same as any other $100 bill in existence. Likewise, you don't care which $20 bill you get back as change, or even if you receive two $10 bills.
When we spend dollars, pounds, euros or yuan, we're not usually aware of the history behind each note, nor do we generally care. With BTC, however, anyone can trace a transaction — and the coin(s) in it — right back to the block it originated from by simply looking at the blockchain. Suppose the 1 BTC you hold today had previously been used in some criminal act. A merchant, exchange or another service provider could potentially learn that history and decide they don't want your "tainted" coin.
In this sense, one can make a strong argument that BTC is less fungible than physical cash. Industry experts even claim investors may eventually opt to pay a premium for "virgin Bitcoin," and there have already been examples of platforms blacklisting addresses based on coin histories.
This discussion around fungibility, or lack thereof, is important for understanding how privacy coins work, as their aim is to remain as fungible as possible. Readers interested in this topic may also find our in-depth discussion on nonfungible tokens useful.
Privacy coin use cases
As mentioned earlier, the privacy-enhancing techniques protocols use to conceal the identities of their users strengthen the fungibility of cryptocurrencies like XMR, DASH, ZEC and others. Although fungibility is an important quality for any form of money, it's not the only reason why someone might want to keep their transactions private.
Privacy coins have been adopted for many illicit activities. For example, dark-web marketplaces are increasingly demanding that users transact in XMR, and those behind ransomware attacks frequently request payments in privacy coins. There is also a growing fear among lawmakers that privacy coins make it easier to get away with financial crimes like terrorist financing and money laundering.
However, financial privacy isn't attractive to only those breaking the law. There are all kinds of reasons why an individual might want to use a privacy coin, such as:
- To keep finances personal: Do you really want your employer to know how much money you have and where you spend it?
- To retain customer privacy: Knowledge of customer-spending habits is worth a lot of money, particularly to rival merchants.
- To pay for goods or services that might help an individual flee an authoritarian regime.
- To pay for goods or services that others in the individual's community might deem immoral. Some religious groups, for example, can be incredibly hostile to certain lifestyles.
Examples of top privacy coins
The number of privacy coin projects and the market capitalizations of the most popular among them demonstrate that participants in the space value financial privacy and that there is a genuine user base interested in these projects.
Cryptocurrency market data provider CoinGecko lists 62 different privacy coins, as of May 2021. Below, we've listed privacy-focused projects (and their tickers) featured in the site's top 200 assets by market cap. At publication time, these cryptos had a combined total value of more than $23 billion.
- Monero (XMR)
- Dash (DASH)
- Zcash (ZEC)
- Decred (DCR)
- Digibyte (DGB)
- Horizon (HZN)
- Pirate Chain (ARRR)
- Verge (XVG)
- Haven (XHV)
How do privacy coins work?
Privacy coins maintain fungibility by preventing transactions from being linked to individuals and known entities. This is done by obfuscating or hiding transaction data, including sending and receiving addresses, using a variety of techniques listed below:
- Stealth addresses
- Ring signatures
- Ring confidential transactions
- Coin mixing
Stealth addresses are among the multiple privacy-enhancing techniques used in the most prominent privacy coin, Monero, which goes by the ticker XMR. With stealth addresses, the protocol essentially creates one-time addresses for receiving funds, concealing the receiver's identity.
Unlike BTC, which uses a single public and private key pair, XMR wallets use two private keys and two public keys. When creating a transaction, the sender uses the recipient's public keys and a random number — known only to themselves and the receiver — to generate a one-time public key.
The receiver uses one of their private keys — the private view key — to scan the blockchain for incoming transactions. Once a transaction is detected, they generate a one-time private key using their private spend key, which corresponds to the one-time public key the sender used initially. Later, they can send the XMR to any other user on the network by signing a transaction with this one-time private key.
Known as stealth addresses, these one-time public keys are visible to the entire network, but only the parties involved in the transaction know who received the transaction. Thus, the sender can prove that they did send XMR to the recipient, but no one else on the network can associate the stealth address with either of them.
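The stealth-address flow described above, as an added example that is not Monero's code: it runs in a toy integer group (constructed parameters, not the ed25519 curve Monero uses) so the arithmetic is visible, with a two-key wallet, a sender deriving a one-time public key from a fresh random number, and a recipient scanning with only the private view key.

```python
import hashlib
import secrets

# Toy cyclic group for illustration only (constructed parameters; Monero uses the
# ed25519 curve, not this): integers mod the Mersenne prime 2^127 - 1, generator 3.
P = 2**127 - 1
N = P - 1  # exponents can be reduced mod N because G**N == 1 (mod P)
G = 3


def hash_to_scalar(x: int) -> int:
    """Monero's H_s: hash a group element into the exponent range."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N


def keygen() -> dict:
    """Recipient wallet: private view key a, private spend key b, public keys A and B."""
    a, b = secrets.randbelow(N - 2) + 2, secrets.randbelow(N - 2) + 2
    return {"a": a, "b": b, "A": pow(G, a, P), "B": pow(G, b, P)}


def send(A: int, B: int) -> tuple:
    """Sender: a fresh random r per transaction. The shared secret A^r = G^(a*r) is hashed
    and used to build the one-time public key P1 = G^H_s(A^r) * B (the stealth address).
    Only (P1, R = G^r) go on-chain; r itself never leaves the sender."""
    r = secrets.randbelow(N - 2) + 2
    R = pow(G, r, P)
    P1 = pow(G, hash_to_scalar(pow(A, r, P)), P) * B % P
    return P1, R


def scan(wallet: dict, P1: int, R: int) -> bool:
    """Recipient (or a view-only wallet): recompute R^a = G^(a*r), the same shared secret,
    and test whether this output is ours. Needs only the view key a and the public B."""
    candidate = pow(G, hash_to_scalar(pow(R, wallet["a"], P)), P) * wallet["B"] % P
    return candidate == P1


def one_time_private_key(wallet: dict, R: int) -> int:
    """Recipient: x = H_s(R^a) + b satisfies G^x == P1, so only the holder of the
    spend key b can sign with the one-time key and spend the output."""
    return (hash_to_scalar(pow(R, wallet["a"], P)) + wallet["b"]) % N


def demo() -> dict:
    alice, carol = keygen(), keygen()
    P1, R = send(alice["A"], alice["B"])
    x = one_time_private_key(alice, R)
    return {
        "alice_detects": scan(alice, P1, R),                            # True
        "one_time_key_matches": pow(G, x, P) == P1,                      # True
        "carol_detects": scan(carol, P1, R),                            # False: unlinkable without a
        "fresh_address_each_time": send(alice["A"], alice["B"])[0] != P1,  # True
    }
```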
Ring signatures are also used in XMR to allow the sender of an XMR transaction to remain anonymous. To understand how ring signatures protect privacy, let's first consider a typical BTC transaction.
When making a simple BTC transfer, only the sender signs the transaction using a signature created with their private key. While the private key itself is never revealed, its associated public key — used by the network to verify transactions — links the sender with the transaction.
With ring signatures, the network automatically selects a group of transaction signers — known as "the ring." Together, the signers create a single transaction using the genuine output from the actual transaction and a selection of previous transaction outputs. Only one of the transaction outputs forming the new input is the real one, but there is no way of telling which it is from outside the ring. The other ring members essentially serve as decoys, allowing the sender to remain hidden.
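The ring described above, as an added example that is not Monero's code: a linkable ring signature in a toy integer group (constructed parameters, not Monero's ed25519 curve), where the real spender's key hides among decoy outputs and a per-key "key image" lets nodes reject a second spend of the same output.

```python
import hashlib
import secrets

# Toy cyclic group for illustration only (constructed; Monero uses ed25519, not this):
# integers mod the Mersenne prime 2^127 - 1, generator 3, exponents taken mod N = P - 1.
P = 2**127 - 1
N = P - 1
G = 3

def h_scalar(*parts: int) -> int:
    """Hash to an exponent (Monero's H_s)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def h_point(y: int) -> int:
    """Hash to a group element whose discrete log nobody knows (Monero's H_p)."""
    return 2 + int.from_bytes(hashlib.sha256(b"Hp" + str(y).encode()).digest(), "big") % (P - 3)

def keygen() -> tuple:
    """One output: private key x and its one-time public key Y = G^x."""
    x = secrets.randbelow(N - 2) + 2
    return x, pow(G, x, P)

def ring_sign(msg: bytes, ring: list, s: int, x: int) -> tuple:
    """Linkable ring signature (LSAG-style, the construction behind Monero's original
    ring signatures). ring[s] == G^x is the real spender; every other member is a decoy.
    The key image I = H_p(Y_s)^x is fixed per key, so spending an output twice is visible."""
    n = len(ring)
    image = pow(h_point(ring[s]), x, P)
    m = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    c, r = [0] * n, [0] * n
    alpha = secrets.randbelow(N - 1) + 1
    c[(s + 1) % n] = h_scalar(m, pow(G, alpha, P), pow(h_point(ring[s]), alpha, P))
    i = (s + 1) % n
    while i != s:  # walk around the ring, simulating each decoy's step with a random r[i]
        r[i] = secrets.randbelow(N)
        L = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        R = pow(h_point(ring[i]), r[i], P) * pow(image, c[i], P) % P
        c[(i + 1) % n] = h_scalar(m, L, R)
        i = (i + 1) % n
    r[s] = (alpha - c[s] * x) % N  # only the real key can close the ring at position s
    return image, c[0], r

def ring_verify(msg: bytes, ring: list, sig: tuple) -> bool:
    """Anyone can check that the ring closes; the check treats every member the same,
    so it reveals nothing about which one signed."""
    image, c0, r = sig
    m = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    c = c0
    for Y, ri in zip(ring, r):
        L = pow(G, ri, P) * pow(Y, c, P) % P
        R = pow(h_point(Y), ri, P) * pow(image, c, P) % P
        c = h_scalar(m, L, R)
    return c == c0

def demo() -> dict:
    keys = [keygen() for _ in range(5)]  # five candidate outputs; index 2 is the real spender
    ring = [pub for _, pub in keys]
    sig1 = ring_sign(b"tx 1", ring, 2, keys[2][0])
    sig2 = ring_sign(b"tx 2", ring, 2, keys[2][0])
    return {
        "valid": ring_verify(b"tx 1", ring, sig1),              # True
        "tampered": ring_verify(b"tx 1 altered", ring, sig1),   # False
        "same_key_image": sig1[0] == sig2[0],  # True: a node that has seen sig1 rejects sig2
    }
```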
Ring confidential transactions
Ring confidential transactions — or RingCT, for short — were introduced to Monero in January 2017 to hide the amount of XMR being sent in transactions. They represent a privacy improvement over ring signatures because the original ring-signature implementation still exposed the amount being transacted to the rest of the network.
To create the rings required for traditional ring signatures, all transaction outputs used to create the ring must be the same size. For example, if you were sending 7.5 XMR, the protocol might break up the amount into three different rings, with output sizes of 5, 2 and 0.5 XMR, respectively. While this makes creating rings much more efficient than if the sender had to wait until enough users wanted to send exactly the same amount of XMR, it doesn't conceal the amount being sent.
Ring-confidential transactions require the sender to encode the amount being transacted using a secret function shared with the recipient. This function is derived from the sender's private view key and the public key for the transaction. Thus, the recipient has the data to decode the transaction amount, but the rest of the network does not.
However, before a transaction can be confirmed, the network still requires proof that the XMR transacted has not been spent twice. To verify transactions without knowledge of the amount sent, the network uses a technique known as Pedersen commitments, which is a type of zero-knowledge proof.
To put it in simple terms, this method verifies the validity of a transaction by comparing the sums of the encrypted inputs and outputs. As long as the two values match, the network can be sure that no new coins are being generated, without having to know the specific amounts.
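The balance check described above (and the "sums of inputs and outputs match" argument repeated in the zk-SNARK section below), as an added example that is not Monero's code: the group, the bases G and H, and the amounts are constructed toy values, and the last case shows why a commitment balance alone needs a range proof alongside it.

```python
import secrets

# Toy cyclic group for illustration only (constructed; Monero uses ed25519, not this):
# integers mod the Mersenne prime 2^127 - 1. G and H are two bases whose discrete-log
# relation is assumed unknown to every party; real systems derive H by hashing G to a point.
P = 2**127 - 1
N = P - 1  # exponents live mod N, since x**N == 1 (mod P) for every x
G, H = 3, 5


def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^value * H^blind (mod P); vG + rH in Monero's additive notation.
    The random blind hides the value; the unknown log_G(H) binds C to a single value."""
    return pow(G, value % N, P) * pow(H, blind % N, P) % P


def combine(commitments) -> int:
    """Multiplying commitments adds the hidden values and blinds (the homomorphic property)."""
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def balanced_blinds(in_blinds, n_out: int) -> list:
    """Sender: random output blinds, with the last one chosen so the blinds sum to the
    input blinds mod N. Then H cancels in the verifier's check and only the amounts matter."""
    out = [secrets.randbelow(N) for _ in range(n_out - 1)]
    out.append((sum(in_blinds) - sum(out)) % N)
    return out


def make_tx(in_values, out_values) -> tuple:
    """Sender: commit to every input and output; only the commitments are published."""
    in_blinds = [secrets.randbelow(N) for _ in in_values]
    out_blinds = balanced_blinds(in_blinds, len(out_values))
    ins = [commit(v, r) for v, r in zip(in_values, in_blinds)]
    outs = [commit(v, r) for v, r in zip(out_values, out_blinds)]
    return ins, outs


def verify_balance(in_commits, out_commits) -> bool:
    """Verifier: sees no amounts, yet confirms sum(inputs) == sum(outputs) mod N,
    i.e. no coins were created, by comparing the combined commitments."""
    return combine(in_commits) == combine(out_commits)


if __name__ == "__main__":
    # Constructed amounts in tenths of a coin: 7.5 in, split as 5 + 2 + 0.5 out.
    print(verify_balance(*make_tx([75], [50, 20, 5])))      # True
    print(verify_balance(*make_tx([75], [50, 20, 10])))     # False: 0.5 coin created
    # Caveat: amounts are only equal mod N, so an output of 5 + N also balances. This is
    # the gap a per-output range proof (Monero's bulletproofs) closes; balance alone is not enough.
    print(verify_balance(*make_tx([75], [50, 20, 5 + N])))  # True
```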
Zero-knowledge proofs and zk-SNARKs
Zcash was the first cryptocurrency to leverage zk-SNARKs to protect its users' identities. zk-SNARK stands for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. They are a form of zero-knowledge proof that leverages the Pedersen commitments used in Monero — and discussed above — to protect against double-spending. At their most basic level, zk-SNARKs can prove knowledge of some secret information without disclosing what the information is.
A full explanation of zero-knowledge proofs is outside the scope of this introduction to privacy coins. However, you can consider them as a way to mathematically prove that the sums of two sets of values — in the case of XMR and ZEC, transaction input and output values — are equal, without revealing any of the values. This allows the network to verify that no new coins have been created.
When making a transaction, the sender creates a zero-knowledge proof to provide extremely high assurances that both the input and output values equal one another. Additionally, it assures the receiver that the sender has the necessary private keys to sign the transaction and that only the holder of the private key used has constructed the transaction.
Zk-SNARKs and Pedersen commitments rely on some fairly complex mathematics. However, we can simplify the concept, somewhat, with the following famous example:
Alice and Bob are standing outside a cave that has two passageways — A and B — inside. There is a password-protected door that links the two. Someone with knowledge of the password could enter passage A or B and leave via the other side. However, without knowing the password, they could only exit using the passageway by which they entered.
Alice wants to prove to Bob that she knows the password but doesn't want to reveal it. She enters the cave and follows passageway A. Without knowing which passageway she took, Bob tells her to leave via passageway B. Alice reaches the door at the end of passageway A, uses the password to unlock it and leaves the cave along passageway B.
Bob shouldn't take this single example as proof that Alice knows the password. She might have entered via passageway B and simply turned around to exit the cave via Bob's chosen route. However, if Alice is consistently able to leave the cave by whichever route Bob requests multiple times over, the assurances that she does know the password multiply quickly. After 10 times, the probability that Alice just guessed correctly every time is 1 in 1,024. Repeat the experiment another 10 times, and the chance drops to 1 in 1,048,576.
This is the principle on which zk-SNARKs and Pedersen commitments are constructed. While they can never categorically prove that the prover knows the required secret, repeating the process many times results in strong enough evidence of knowledge to convince the verifier. These techniques are very useful to privacy coins, which must hide transaction data from a network requiring proof of a transaction's validity.
Bulletproofs are another example of a privacy technique used in cryptocurrencies. They were added to Monero in 2018, bringing benefits in terms of both privacy and scalability.
Bulletproofs are a form of zero-knowledge proofs. However, unlike the zk-SNARKs used in ZEC, bulletproofs do not rely on a trusted setup. When ZEC was created, its founders held an elaborate ceremony in which they generated a set of public parameters and destroyed the random numbers from which they were derived. These parameters are vital in achieving shielded transactions. However, they represent something of a vulnerability, as whoever knows how the parameters were generated can also double-spend ZEC.
Before bulletproofs, the alternative to relying on such a single, shared parameter set required the construction of a new secret for every transaction. Thus, while representing a clear security improvement, the process demanded a lot of information be recorded to the blockchain, impacting a network's scalability. This method was used by Monero prior to the implementation of bulletproofs.
Bulletproofs, by contrast, do not require a single, shared secret. Therefore, the privacy achieved is much less likely to be compromised later. Additionally, they take up a lot less block space, enabling more transactions to be processed each second.
DASH uses a technique called coin mixing to protect the privacy of users choosing to employ the optional PrivateSend transactions it supports. However, lacking the features discussed above, DASH privacy is much weaker than that of XMR, ZEC or later privacy coins like Haven's XHV.
When making a PrivateSend transaction, the user first selects the number of coins they want to mix, and their wallet software breaks down the amount into uniform denominations. For example, if 12.5 DASH are mixed, the wallet might break it into one unit of 10 DASH, two units of 1 DASH and five units of 0.1 DASH. Then, each of these groups of denominations is assigned a newly generated address.
Next, the wallet consults a list of Dash Masternodes and randomly selects nodes from those not used recently to mix coins. The user's wallet sends a mixing request to the selected Masternode, which relays this to the rest of the network to find Masternodes also looking to mix the same coin denominations.
Once a group of users wanting to mix coins is formed, each user sends the Masternode the inputs they want to mix and the new output addresses at which the mixed coins will arrive. After verifying that the mixing requests follow network rules, the Masternode combines the inputs and outputs and sends the randomly assigned proposed transaction outputs to the users. The user then verifies that the Masternode has performed its role honestly and signs the transaction. Finally, the Masternode broadcasts it to the rest of the network.
The greater the number of inputs mixed, the greater each user's privacy will be from using this technique. Similarly, combining coins multiple times increases the user's privacy further.
This coin-mixing technique can also be used to enhance the privacy of most cryptocurrencies. For example, privacy-focused Bitcoin wallets, like Samourai and Wasabi, include the coin-mixing implementations Whirlpool and CoinJoin, respectively.
Although coin mixing undoubtedly improves user privacy, the technique is much weaker than the others previously discussed. The main reason for this is that some entity needs to perform the mixing. Centralized coin-mixing services like those offered to Bitcoin users have a clear central point of failure and require their users to trust the provider. Many of these services also mix coins using detectable patterns. Indeed, law enforcement agencies have previously successfully tracked coin-mixed BTC transactions.
While Dash's decentralized network of Masternodes improves on this, each Masternode does know which users received which outputs from any mixing transactions it previously performed. If a Masternode were ever compromised, the attacker could quickly undo the privacy achieved.
Finally, choosing to mix coins with two other users — the minimum group size in Dash — will result in very weak privacy. With just three participants, each user has a 33% chance of being responsible for any of the three outputs created. Meanwhile, creating larger groups or mixing coins multiple times to achieve a greater degree of privacy is time-consuming using coin-mixing techniques.
Issues surrounding privacy coins
Despite there being perfectly legal and legitimate reasons for using privacy coins, regulators and lawmakers are, understandably, concerned about their illicit use cases.
In October 2020, Europol published a report titled, "Internet Organised Crime Threat Assessment 2020." Among other perceived dangers, the international law enforcement agency highlighted privacy-focused cryptocurrencies and those BTC wallets that use coin-mixing techniques to provide additional user privacy as potential dangers. The following month, the government of South Korea introduced new anti-money laundering regulations that explicitly banned the trading of privacy coins in the nation.
Many major exchange platforms started to delist XMR and other privacy-focused crypto assets in the wake of such developments. With trading venues largely existing outside of current regulatory frameworks, these moves appear to represent a preemptive effort to avoid any legal clampdown on the crypto industry.
Subsequently, those developing Dash took issue with what they believe to be a heavy-handed approach by exchanges. They contend that the law should distinguish between privacy coins and those crypto assets attempting to achieve absolute anonymity. In the definitions offered, Dash and Zcash fell into the privacy coin category because they provide greater privacy but not complete anonymity. Monero and other cryptocurrencies, by contrast, seek to provide the highest level of privacy as standard.
The Dash developers also raised the fact that sophisticated blockchain analysis can reveal information to link users with DASH transactions, even when using the PrivateSend function. In contrast, the U.S. Internal Revenue Service has explicitly stated that it cannot break Monero's privacy features and has even offered a substantial reward for anyone who can help deanonymize XMR transactions.
What is the future of privacy coins?
Given their clear utility and the ability of the strongest privacy coins to evade current blockchain forensics capabilities, it is unlikely that cryptocurrencies enabling more discreet transactions will go away any time soon. Exchange platforms delisting digital assets like XMR certainly make it more difficult for the average person to get hold of privacy coins. However, several peer-to-peer marketplaces and anonymity-focused trading venues will gladly facilitate the exchange of BTC and other digital assets for XMR. While such regulatory moves might reduce the number of people speculating on them, those who really need privacy will still find a way to buy privacy coins.
In addition to having their own use cases, the research that goes into privacy coins is also useful to Bitcoin development. The technological advances made by developers working exclusively on privacy coins can be implemented into Bitcoin later, should they prove secure and useful on these live, financially incentivized testnets. Similarly, privacy coins are pushing the boundaries of what regulators will tolerate. Eventual policies addressing privacy coins will give Bitcoin developers a much clearer idea of how far they can push privacy on the leading blockchain network before regulators start to get uncomfortable.