Cryptocurrency Privacy Technologies

From Zero(coin) to Firo

|                   | [XZC]           | [XZC]        | [FIRO]         | [FIRO]         |
|-------------------|-----------------|--------------|----------------|----------------|
| [Version]         | 0.13.7.7        | 0.14.0.5     | 0.14.12.1      | 0.14.13.2      |
| [Released]        | Jan 2019        | Aug 2020     | Mar 2023       | Feb 2024       |
| [Untraceability]  | Yes [ZCN]       | Yes [SIG]    | Yes [LEL]      | Yes [SPA]      |
| [Confidentiality] | - [ZCN]         | - [SIG]      | Yes [LEL]      | Yes [SPA]      |
| [Anonymity]       | - [ZCN]         | - [SIG]      | - [LEL]        | Yes [SPA]      |
| [IP Obfuscation]  | Yes [D++]       | Yes [D++]    | Yes [D++]      | Yes [D++]      |
| [Default Privacy] | Opt-In [ZCN][W] | Opt-In [W]   | Opt-Out [W]    | Opt-Out [W]    |
| [Anonymity Set]   | 0 - 10k [SB]    | 0 - 16k [SB] | 16k - 65k [OB] | 16k - 65k [OB] |
| [Trusted Setup]   | Yes [C91]       | -            | -              | -              |
| [Known Attacks]   | Crit [FRG][TA]  | Low [TA]     | Low [TA]       | Low [TA]       |

© Ventral Digital

⚠️

The comparison table is a work-in-progress and may be inaccurate. Further information should be added for fair cross-project comparisons, such as: performance measurements on standardized hardware, supply auditability and the assumptions it rests on, effective anonymity set size and what it depends on, light wallet information leakage, cryptographic assumptions, quantum resistance, ...

[Version]

Version of the cryptocurrency's software release the column is referring to. The versions chosen should be (or have been) considered stable and include as many privacy enhancing features as possible to compare the best the projects have to offer.

[Released]

Release date of the cryptocurrency's software version the column is referring to.

[Untraceability]

Ability to prevent tracing the origin of funds (ie. the capability to break links within the transaction graph). Note that this represents untraceability under the assumption that everything is working as expected, best practices are followed, and there's nobody actively attempting to attack the user's privacy (See [Known Attacks] for possible exceptions).

[Confidentiality]

Ability to hide transaction details, such as the amount transferred, from anyone other than the involved parties. Note that this represents confidentiality under the assumption that everything is working as expected, best practices are followed, and there's nobody actively attempting to attack the user's privacy (See [Known Attacks] for possible exceptions).

[Anonymity]

Ability to prevent linking the identities of participating users to transactions or accounts (ie. obtaining an address yields no information on the user's on-chain activity). Typically achieved by "stealth addresses", which let a sender transfer funds to someone without even the sender being able to observe the recipient's later use of those funds. Note that this represents anonymity under the assumption that everything is working as expected, best practices are followed, and there's nobody actively attempting to attack the user's privacy (See [Known Attacks] for possible exceptions).

[IP Obfuscation]

Ability to obfuscate the IP Address of the transaction sender which does not require separate usage of Tor, VPN, or proxies (ie. it must be an integrated solution of the network or official wallets). Note that this is under the assumption that everything is working as expected, best practices are followed, and there's nobody actively attempting to attack the user's privacy (See [Known Attacks] for possible exceptions).

[Default Privacy]

Whether the cryptocurrency enhances privacy of transactions by default. It may be that the protocol decided for a transparent-by-default approach, where users have to Opt-In to make private transactions. Or the opposite, where the cryptocurrency still supports transparent transactions but enhances privacy by default. Others might choose to have privacy always on and may or may not have a way to "retroactively opt-out" by revealing a secret.

[Anonymity Set]

The Anonymity Set refers to the group of potential signers of a transaction that could plausibly be the actual signer from an outsider's perspective. For the burn-redeem (one-out-of-many) schemes below this is the set of minted coins that a given redemption could be spending.

[Trusted Setup]

Whether the cryptocurrency's cryptography required a Trusted Setup. Meaning some parameters had to be determined by a trusted party that, unless the parameters were destroyed, could serve as a backdoor to the system. Projects might use Multi Party Computation to hold a "ceremony" in which such parameters are generated where all participants would need to collude in order to obtain such a backdoor.

[Known Attacks]

Vectors of attacking a user's privacy or security of funds that are currently known for this column's cryptocurrency protocol.

[XZC]

Zcoin (XZC) cryptocurrency, later rebranded to Firo (FIRO). https://web.archive.org/web/20181229210719/https://zcoin.io/

[FIRO]

Firo (FIRO) cryptocurrency, previously Zcoin (XZC). https://firo.org/

[ZCN]

The Zerocoin Protocol lets users burn ("mint") fixed denominations of public coins, obtaining a receipt in return: a commitment that is added to a cryptographic accumulator. The user may later redeem ("spend") the receipt without revealing which one it is, by proving in zero knowledge that their commitment is in the accumulator and disclosing only its serial number (to prevent double-spending). The redeemed amount thus has no connection to the burning transaction. While this breaks the transaction graph, it lacks confidentiality since the use of fixed denominations leaks the transaction amounts. It further lacks anonymity since it's only possible to send funds to another user in a secure manner by making transparent transactions. Due to the high space complexity of the proving system (spend proofs are tens of kilobytes), making all transfers private ([Default Privacy]) was impractical. Since each fixed denomination requires its own accumulator, users are fragmented among more than a single [Anonymity Set]; sets for rarely used denominations may offer few other participants to hide among.

[SIG]

The Sigma Protocol works by the same burn-redeem scheme as Zerocoin[ZCN] but replaces the under-the-hood cryptography used to achieve it. Sigma comes with two major improvements: there is no longer a need for a [Trusted Setup], and the efficiency of proofs was significantly improved. It still required a separate [Anonymity Set] for each fixed denomination though.

[LEL]

The Lelantus Protocol extends the One-Out-Of-Many Proofs used by the Sigma Protocol[SIG] to commitments that also hide the transaction amount (with range proofs ensuring hidden amounts cannot be negative). With this, the protocol gains confidentiality with a minimal impact on its efficiency and no longer suffers from the impacts of fixed denominations and fragmented anonymity sets. Although Receiver Address Privacy (RAP) addresses were implemented in a later release, they function on the transparent ledger, independently of Lelantus.

[SPA]

The Lelantus Spark Protocol introduced many capabilities, most significantly "Spark Addresses" (ie. stealth addresses), which can be shared without leaking the address owner's on-chain activity, achieving anonymity.

[D++]

Incorporation of Dandelion++ privacy-enhancing routing, also known as BIP156. This protocol is designed to hide the originator when broadcasting transactions through a cryptocurrency's peer-to-peer layer: a transaction is first relayed along a "stem" of single peers, each of which may decide to switch to regular "fluff" diffusion. A paper has shown that coordinated adversarial nodes can still identify originators, reducing transaction anonymity: an adversary controlling 20% of the nodes in a peer-to-peer network intercepts on average 70% of transactions, and for those Dandelion++ offers an uncertainty of only 32 possible originators per transaction. The paper also shows that this does not improve as the network grows.[1]
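The following simulation is an added example (it is not code from the original page, from Firo, or from [1]) of why the stem phase bounds an originator's anonymity. It assumes a deliberately simplified model: every node picks a single stem successor at random (Dandelion++ actually uses a 4-regular anonymity graph with two candidate relays per node), the fluff probability is a free parameter, and the adversary's candidate set for an intercepted transaction is taken to be every honest node whose stem path can reach the intercepting node without crossing another adversary. The absolute numbers therefore differ from the 70% / 32 figures of [1]; what carries over is that the candidate set stays small and does not grow with the network.

```python
"""Toy Dandelion++ stem-phase model: interception rate and candidate-originator sets."""
import random


def build_network(n_nodes, adversary_fraction, rng=random):
    """Constructed toy network: every node picks ONE stem successor at random
    (simplification of Dandelion++'s 4-regular anonymity graph). Returns
    (successor list, set of adversarial node ids)."""
    succ = []
    for v in range(n_nodes):
        s = rng.randrange(n_nodes)
        while s == v:                       # no self-loops
            s = rng.randrange(n_nodes)
        succ.append(s)
    adversaries = set(rng.sample(range(n_nodes), int(n_nodes * adversary_fraction)))
    return succ, adversaries


def stem_walk(origin, succ, adversaries, fluff_prob, rng=random, max_hops=64):
    """Forward a transaction along the stem. Each honest relay switches to fluff
    (diffusion broadcast) with probability fluff_prob, otherwise it hands the tx
    to its successor. Returns the first adversarial node that saw the tx while
    still in stem phase, or None if it reached fluff phase first."""
    node = origin
    for _ in range(max_hops):
        if node in adversaries:
            return node
        if rng.random() < fluff_prob:
            return None
        node = succ[node]
    return None                             # loop guard: treat as fluffed


def candidate_originators(adv, preds, adversaries):
    """Honest nodes whose stem path can reach `adv` without passing another
    adversary: the set of plausible originators for a tx intercepted at `adv`.
    `preds` maps node -> list of nodes whose successor it is."""
    seen, stack = set(), [adv]
    while stack:
        for p in preds.get(stack.pop(), []):
            if p not in adversaries and p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def simulate(n_nodes=2000, adversary_fraction=0.2, fluff_prob=0.1, n_tx=500, seed=1):
    """Returns (fraction of txs intercepted in stem phase, mean size of the
    adversary's candidate-originator set over the intercepted txs)."""
    rng = random.Random(seed)
    succ, adversaries = build_network(n_nodes, adversary_fraction, rng)
    preds = {}
    for v, s in enumerate(succ):
        preds.setdefault(s, []).append(v)
    honest = [v for v in range(n_nodes) if v not in adversaries]
    if not honest:
        raise ValueError("no honest originators left to simulate")
    cache, sizes = {}, []
    for _ in range(n_tx):
        adv = stem_walk(rng.choice(honest), succ, adversaries, fluff_prob, rng)
        if adv is None:
            continue                        # fluffed before any adversary saw it
        if adv not in cache:
            cache[adv] = len(candidate_originators(adv, preds, adversaries))
        sizes.append(cache[adv])
    rate = len(sizes) / n_tx
    return rate, (sum(sizes) / len(sizes) if sizes else 0.0)


if __name__ == "__main__":
    for n in (1000, 4000):
        rate, mean_set = simulate(n_nodes=n)
        print(f"{n} nodes: {rate:.0%} of txs intercepted in stem phase, "
              f"mean candidate-originator set {mean_set:.1f}")
```

Running the script with the two network sizes shows the interception rate and the candidate-set size staying in the same range whichever size is used: the adversary's uncertainty is determined by how many honest nodes feed into each of its stem predecessors, not by the total node count.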

[FRG]

The protocol has a fundamental cryptographic flaw that allows forgery of proofs, letting an attacker redeem coins that were never minted and thereby inflate their balance at the expense of every other holder.

[TA]

The protocol is leaking timing information (eg. Transaction Date-Time) which could potentially allow Timing Analysis to be used to correlate transactions and detect patterns. To avoid this, users should schedule their transfers at randomized times (ie. don't transfer at specific times during the day, don't make transfers in regular intervals).

[W]

The [Default Privacy] is wallet controlled (ie. transactions will be private by default if the wallet software has been programmed to do so).

[SB]

Anonymity set is a Sequence of Buckets. The anonymity set builds up over time like a bucket being filled. Once the bucket is full, it will be put aside and a new bucket is started from 0.

[OB]

Anonymity set is a sequence of Overlapping Buckets, a way to implement a Sliding Window. The anonymity set builds up over time like a bucket being filled. Once the bucket is full, it will be put aside and a new bucket is started, but a minimum number of coins from the previous bucket is copied over (pre-seeding) to ensure that the new bucket does not start empty.
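To make the difference between [SB] and [OB] concrete, here is an added toy model (not code from the original page or from Firo) that computes the anonymity set a coin enjoys under each scheme as a function of its mint position and how many coins have been minted so far. Bucket capacities and the pre-seed size are assumptions taken from the table's rounded ranges (10k for the Zerocoin column, 65,536 with a 16,384-coin pre-seed for the Lelantus columns); the real protocols' exact parameters and selection rules are not reproduced.

```python
"""Toy model of the [SB] (Sequence of Buckets) and [OB] (Overlapping Buckets) schemes."""


def sb_anonymity_set(coin, minted, capacity):
    """Sequence of Buckets: coin `coin` (0-based mint index) lives in exactly one
    bucket of `capacity` coins; its anonymity set is that bucket's current fill."""
    if not 0 <= coin < minted:
        raise ValueError("coin has not been minted yet")
    start = (coin // capacity) * capacity
    return min(start + capacity, minted) - start


def ob_buckets(coin, minted, capacity, preseed):
    """Overlapping Buckets: bucket k covers mint indices [k*stride, k*stride+capacity)
    with stride = capacity - preseed, so the last `preseed` coins of bucket k are
    also the first coins of bucket k+1. Bucket k+1 only opens once bucket k is full.
    Returns [(bucket index, current size)] for every open bucket containing `coin`."""
    if not 0 <= coin < minted:
        raise ValueError("coin has not been minted yet")
    if not 0 <= preseed < capacity:
        raise ValueError("preseed must be smaller than capacity")
    stride = capacity - preseed
    first = max(0, (coin - capacity) // stride + 1)   # lowest k with k*stride+capacity > coin
    last = coin // stride                               # highest k with k*stride <= coin
    out = []
    for k in range(first, last + 1):
        start = k * stride
        if k > 0 and minted < start + preseed:          # previous bucket not full: k not open
            continue
        out.append((k, min(start + capacity, minted) - start))
    return out


def ob_anonymity_set(coin, minted, capacity, preseed):
    """A spender picks the largest open bucket containing the coin."""
    return max(size for _, size in ob_buckets(coin, minted, capacity, preseed))


def newest_coin_range(capacity, preseed=None):
    """(min, max) anonymity set of the freshly minted coin while the second bucket
    fills: SB when preseed is None, OB otherwise. Reproduces the table's
    '0 - N' versus 'preseed - N' ranges."""
    sizes = []
    if preseed is None:
        for minted in range(capacity + 1, 2 * capacity + 1):
            sizes.append(sb_anonymity_set(minted - 1, minted, capacity))
    else:
        stride = capacity - preseed
        for minted in range(capacity + 1, stride + capacity + 1):
            sizes.append(ob_anonymity_set(minted - 1, minted, capacity, preseed))
    return min(sizes), max(sizes)


if __name__ == "__main__":
    # Assumed parameters: 10k buckets (Zerocoin column), 65,536 with 16,384 pre-seed (Lelantus).
    print("SB, first coin of a fresh bucket:", sb_anonymity_set(10000, 10001, 10000))
    print("OB, first coin of a fresh bucket:", ob_anonymity_set(65536, 65537, 65536, 16384))
    print("SB newest-coin range:", newest_coin_range(10000))
    print("OB newest-coin range:", newest_coin_range(65536, 16384))
```

The practitioner-relevant point the model exposes: under [SB] a coin minted right after a bucket closes starts with an anonymity set of 1 and only grows as others mint after it, whereas under [OB] the same coin already hides among the pre-seeded coins from the previous bucket. A coin that sits in the pre-seed region of the previous bucket is not yet counted toward the next bucket until that bucket actually opens.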

[C91]

The currency's [Trusted Setup] uses the RSA-2048 modulus generated in 1991 for the RSA Factoring Challenge, which offered a USD 200,000 prize to anyone who managed to factor it. The challenge ended in 2007 with the prize unclaimed, but relying on the modulus still requires trusting the challenge organizers to have truly destroyed the prime factors (the trapdoor) after generation.
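The following is an added example (not code from the original page or from Zcoin/Firo) showing both halves of the [ZCN] / [C91] story on an RSA accumulator: honest membership witnesses that anyone can verify, and how knowledge of the modulus factorization lets a trapdoor holder produce a valid "witness" for an element that was never added. Zerocoin's accumulator is of this RSA (Camenisch-Lysyanskaya) type with the witness hidden behind a zero-knowledge proof; the snippet omits the zero-knowledge layer, uses a constructed toy modulus of two six-digit primes instead of RSA-2048, and uses small primes as stand-ins for coin commitments.

```python
"""RSA accumulator with toy parameters: honest witnesses vs. trapdoor forgery."""
from math import gcd

# Constructed toy modulus (the real setup used RSA-2048). Knowing P and Q is the trapdoor.
P, Q = 1000003, 1000033
N = P * Q
G = 3  # accumulator base, assumed coprime to N


def accumulate(elements, g=G, n=N):
    """Accumulator value A = g^(x1 * x2 * ... * xk) mod n. Elements are primes so
    that a witness for one cannot be derived from witnesses for the others."""
    acc = g
    for x in elements:
        acc = pow(acc, x, n)
    return acc


def witness(elements, x, g=G, n=N):
    """Honest witness for member x: accumulate every element except x, so w^x == A."""
    if x not in elements:
        raise ValueError("cannot build an honest witness for a non-member")
    return accumulate([e for e in elements if e != x], g, n)


def verify(acc, x, w, n=N):
    """Verification needs only public data (A, x, w, N)."""
    return pow(w, x, n) == acc


def forge_witness(acc, y, p=P, q=Q):
    """With the trapdoor (p, q) one computes y^-1 mod phi(N) and obtains a
    'witness' for ANY y, including values never added to the accumulator.
    This is exactly the backdoor a surviving trusted-setup secret would give."""
    phi = (p - 1) * (q - 1)
    if gcd(y, phi) != 1:
        raise ValueError("y must be invertible mod phi(N)")
    d = pow(y, -1, phi)          # y * d == 1 (mod phi)
    return pow(acc, d, p * q)    # (A^d)^y == A^(1 + k*phi) == A  (mod N)


def demo():
    """Returns (honest witness verifies, reused witness for a non-member verifies,
    trapdoor-forged witness for a never-minted element verifies)."""
    minted = [10007, 10009, 10039]            # constructed 'coin commitments', all prime
    acc = accumulate(minted)
    never_minted = 10037
    honest_ok = verify(acc, 10009, witness(minted, 10009))
    reused = verify(acc, never_minted, witness(minted, 10009))   # no trapdoor: fails
    forged_ok = verify(acc, never_minted, forge_witness(acc, never_minted))
    return honest_ok, reused, forged_ok


if __name__ == "__main__":
    print("honest / reused / forged:", demo())   # expect (True, False, True)
```

The last line of `demo()` is the inflation scenario from [FRG]'s point of view but reached through the setup rather than a proof flaw: a "coin" that was never burned passes the membership check, so it can be redeemed for fresh public coins. Verifiers cannot tell forged witnesses from honest ones, which is why the only defence is the factors having been destroyed.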

[1]

Sharma, P.K., Gosain, D. and Diaz, C., 2022. On the anonymity of peer-to-peer network anonymity schemes used by cryptocurrencies. arXiv preprint arXiv:2201.11860.