Privacy by Design

Monero, Zerocoin, Zerocash

Privacy

### <img src="./img/logo/monero.svg" class="icon"> Hiding Amount
 - Ring Confidential Transactions (RingCT)
 - confidential transaction (TX) & ring signatures
 - Multilayered Linkable Spontaneous Anonymous Group signatures
 - introcuded Jan. 2017, madatory since Sep. 2017

note:
              - mit #1220516 eingeführt
              - Monero Eigenerfindung (nicht CryptoNote)
              - RingCT benutzt MLSAG Signaturen
              - Spontaneous: kein aktives Mixen, sondern passiv und dezentral

## <img src="./img/logo/zerocoin.png" class="icon"> Protocol
 ### Mint Transaction
 - generate random serial number $S$
 - generate random number $r$
 - mint coin: $C = H(S, r)$
 - commit to blockchain (Pedersen Commit)
 - consumes 1 Basecoin (input of TX)

![](./img/zc_tx.svg)

note:
              - commit: von Miner
              - Pedersen Commit
                - = Commitment scheme
                - 2 Phasen:
                  - commit:
                    - verschlossene Box übergeben
                    - kann nicht manipuliert werden
                  - reveal
                    - später veröffentlicht
              - encrypt/hash. verschiedene Erklärungen
                - Funkt. bei der Output nicht auf Input schließen lässt
              - gekoppelt an Bitcoin
              - Beweis, dass man Basecoin besessen hat und nun nicht mehr ausgegeben werden kann
                - Miners verifizieren das
                - Kann wie Poker Chip zurück eingelöst werden
              - $r$: immer privat
              - $S$: wird später veröffentlicht
              - Alle coins werden in Merkle Tree gespeichert
              - Zurückwechseln theoretisch möglich, aber nicht nötig

## <img src="./img/logo/zcash.svg" class="icon"> zk-SNARK
 ***Z***ero-***K***nowledge ***S***uccinct ***N***on-interactive ***AR***gument of ***K***nowledge
 - zero-knowledge proof
 - succinct: short and easy to verify
 - non-interactive:
 - common reference string initial setup
 - argument $\neq$ proof
 - of knowledge: that coin exists

note:
 - deutsch: ohne Wissen prägnante nicht Interaktive Argumente für Wissen
 - non-interactive:
 - Problem: Zufällige Challenges könnten gefaked sein (3. wird das nicht akzeptieren)
 - Problem: Interaktiv (offline, gestorben, ...)
 - gemeinsame Referenz
 - zk proofs stützen sich oft darauf, dass hash functions ideal sind
 - 2. Alternative: initiales Setup
 - Developer: Zerocoin & zk-SNARK
 - Zcash: erste und bisher einzige Anwenung
 - Herausforderung:
 - JoinSplit TX in verifizierbare arithmetische Flüsse (Gleichungen) übertragen
 - Input für Flüsse finden, damit output 0 wird
 - Zwischenschritte werden an zufälligen Stellen überprüft???
 <a href="https://z.cash/images/arithmetic-circuit.png" target="_blank">
 <img style="max-width:100%;" src="https://z.cash/images/arithmetic-circuit.png" alt="Rechnungsfluss">
 </a>

## <img src="./img/logo/zcash.svg" class="icon"> Problems
 - producing proofs is inefficient
 - initial setup (public parameters) for non-interactive challenges required
 - 1.2 GB
 - system is broken if someone knows the secret randomness
 - gathered in [Multi-party Computation Ceremony](https://youtu.be/D6dY-3x3teM)
 - secret randomness and hardware destroyed
 - Zcash: founders award

note:
              - zwar schnell verifiziert, aber langsam erzeugt (178sec → 40sec)
              - backdoor möglich, wenn nicht 100% zufällig:
                - Proofs so bauen, dass es nur für bestimmte Fälle funktioniert
                - Falschgeld bzw. Coins klauen
              - Multi-party Computation Ceremony
                - verschiedene HW (zufällig gewählte Shops)
                - air gapped Computer
                - verschiedene Orte auf der Welt
                - YouTube Video
              - founders award
                - 20% der Münzen wird bis zum Ende an die Investoren und Entwickler übertragen
                - Algorithmus so geschaffen
                - Fork könnte das weg lassen
                - Statt Premining (Entwickler hätten dabei große Macht am Anfang)

Final Thoughts

### Other Altcoins focused on Privacy
 - <img src="./img/logo/anoncoin.png" class="icon"> [Anoncoin](https://anoncoin.net/)
 - <img src="./img/logo/zero.png" class="icon"> [Zero](http://zero.finance/), <img src="./img/logo/zcoin.svg" class="icon"> [Zcoin](https://zcoin.io/), <img src="./img/logo/zclassic.png" class="icon"> [Zclassic](https://zclassic.org/)
 - [CryptoNote](https://cryptonote.org/) <img src="./img/logo/bytecoin.svg" class="icon"> [Bytecoin](https://bytecoin.org/)
 - <img src="./img/logo/boolberry.png" class="icon"> [Boolberry](http://boolberry.org/)
 - <img src="./img/logo/darknet.png" class="icon"> [DarkNetCoin](http://darknetcoin.com)
 - Darkcoin / XCoun <a href="https://www.dash.org/"><img src="./img/logo/dash_logo.png" class="icon" /></a>
 - <img src="./img/logo/pivx.png" class="icon"> [PIVX](https://pivx.org/)
 - <img src="./img/logo/monero.svg" class="icon"> [Monero](https://getmonero.org/)
 - <img src="./img/logo/verge.svg" class="icon"> [Verge](https://vergecurrency.com/)
 - <img src="./img/logo/aeon.png" class="icon"> [AEON](https://aeon.cash)

note:
              kleiner Ausschnitt aus u.a. https://en.wikipedia.org/wiki/CryptoNote#/media/File:Forks-tree-fixed.png
              - Anoncoin: builtin I2P und tor support
              - Zero: Weiterentwicklung von Zcash (im Aufbau)
              - Zcoin: benutzt Zero**Coin**, rießiger RSA accumulator (mixing) (tausende statt duzende Nodes)
              - Zclassic: Fork von Zcash
              - Bytecoin: erste CryptoNote Implementierung
              - Darkcoun / XCoin => Dash: userfriendly, optional: private send = coin mixing service
              - PIVX:
                - = Dash (fast)
                - haben zeitweise Zero**Coin** implementiert
                - implementieren Zcash
                - Proof of Stake
              - Verge: I2P
              - AEON: stammt von Monero ab, bessere usability, Blockchain pruning für Skalierbarkeit und mehr Privatsphäre (reducing age-based attacks), litecoin für Monero
              - (=> Coin Mill conspiracy)

The Dark Side...

Taxes?
Darknet
Solution: Backdoor?

Thanks

# Sources

## <img src="./img/logo/monero_logo.svg" alt="Monero" class="icon" style="background:#fff;">
 - https://getmonero.org/
 - https://monero.org/
 - [Monero Talk at Bitcoinference 2015 (YouTube)](https://youtu.be/GEVm1dMn5Ks)
 - <a href="https://en.wikipedia.org/wiki/Monero_(cryptocurrency)">Wikipedia: Monero (cryptocurrency)</a>
 - [Wikipedia: CryptoNote](https://en.wikipedia.org/wiki/CryptoNote)
 - https://moneroforcash.com/monero-vs-dash-vs-zcash-vs-bitcoinmixers.php

## <img src="./img/logo/zerocoin_logo.png" alt="Zerocoin" class="icon" style="background:#fff;"> / <img src="./img/logo/zcash_logo.svg" alt="Zerocash" class="icon" style="background:#fff;">
 - https://zerocoin.org/ -- partly outdated
 - https://zerocash-project.org/
 - [Zerocash - Project Q&A](https://zerocash-project.org/q_and_a)
 - [Zerocash - How it works](https://zerocash-project.org/how_zerocash_works)
 - https://z.cash/
 - [Zcash - Technology](https://z.cash/technology/zksnarks.html)
 - [Zcash: Multi-party Computation Ceremony (YouTube)](https://youtu.be/D6dY-3x3teM)
 - [ntrigano: Bitcoin and Anonymity - Part 6 - Zerocoin and Zerocash (2017-03-19, YouTube)](https://youtu.be/Q_DszC_Qooo)
 - [Wikipedia: Zerocoin](https://en.wikipedia.org/wiki/Zerocoin) -- chaos
 - [Wikipedia: Zcash](https://en.wikipedia.org/wiki/Zcash)
 - [Zerocash Presentation Slides (2014-05-20)](https://zerocash-project.org/media/slides/Zerocash-Oakland14-20140520.pdf)
 - [Sven M. Hallberg: The Zcash anonymous cryptocurrency - or zk-SNARKs for the interested layperson (33rd Chaos Communication Congress, Hamburg, 2017-11-14)](https://media.ccc.de/v/33c3-8330-the_zcash_anonymous_cryptocurrency)

## Images
 - `Video_surveillance_logo_without_background.svg` by <a href="//commons.wikimedia.org/wiki/User:Therud" title="User:Therud">Therud</a> - <a href="//commons.wikimedia.org/wiki/File:Video_surveillance_logo.svg" title="File:Video surveillance logo.svg">File:Video surveillance logo.svg</a>, <a href="https://creativecommons.org/licenses/by-sa/4.0" title="Creative Commons Attribution-Share Alike 4.0">CC BY-SA 4.0</a>, <a href="https://commons.wikimedia.org/w/index.php?curid=47842802">Link</a>
 - `CryptoNote blockchain analysis ambiguity.gif` by CryptoNote official site - <a rel="nofollow" class="external free" href="https://cryptonote.org/inside#untraceable-payments">https://cryptonote.org/inside#untraceable-payments</a>, <a href="https://creativecommons.org/licenses/by-sa/3.0" title="Creative Commons Attribution-Share Alike 3.0">CC BY-SA 3.0</a>, <a href="https://commons.wikimedia.org/w/index.php?curid=36757416">Link</a>
 - `Monero-Logo.svg` by The Monero Project - <a rel="nofollow" class="external free" href="https://downloads.getmonero.org/resources/branding.zip">https://downloads.getmonero.org/resources/branding.zip</a>, Public Domain, <a href="https://commons.wikimedia.org/w/index.php?curid=52278994">Link</a>
 - `Zerocoin_logo.png` by Source (<a href="//en.wikipedia.org/wiki/Wikipedia:Non-free_content_criteria#4" title="Wikipedia:Non-free content criteria">WP:NFCC#4</a>), <a href="//en.wikipedia.org/wiki/File:Zerocoin_logo.png" title="Fair use of copyrighted material in the context of Zerocoin">Fair use</a>, <a href="https://en.wikipedia.org/w/index.php?curid=41662878">Link</a>
 - `Zcash-logo-black.png` By zooko et al - www.z.cash, Public Domain, <a href="https://commons.wikimedia.org/w/index.php?curid=52032750">Link</a>
 - `Official_Dash_Logo.png` by Dash community - <a rel="nofollow" class="external free" href="https://www.dashpay.io/promotional-graphics/">https://www.dashpay.io/promotional-graphics/</a>, <a href="https://creativecommons.org/licenses/by-sa/4.0" title="Creative Commons Attribution-Share Alike 4.0">CC BY-SA 4.0</a>, <a href="https://commons.wikimedia.org/w/index.php?curid=39214594">Link</a>

*Last access: 2017-11-16*

## Papers
              - CryptoNote v 2.0: https://cryptonote.org/whitepaper.pdf
              - RingCT: https://eprint.iacr.org/2015/1098.pdf
              - Zerocoin: http://zerocoin.org/media/pdf/ZerocoinOakland.pdf
              - Zerocash: https://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
              - Zerocash extended: https://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
              - zk-SNARK: https://eprint.iacr.org/2013/879.pdf
              - CHL06 (prevent laundering but keeping privacy): https://www.cs.jhu.edu/~susan/papers/CHL06.pdf

*Last access on all sources: 2017-11-16*

<a rel="license" href="http://creativecommons.org/licenses/by/4.0/">
 <img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" />
 </a>
 
 Everything else is created by <a xmlns:cc="http://creativecommons.org/ns#" href="https://gitlab.cs.fau.de/sedrubal/blockchain-presentation-privacy-by-design" property="cc:attributionName" rel="cc:attributionURL">Sebastian Endres</a> and licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.

Bonus: Criticism on Zcash

Source: Reddit (Author: Monero Fanboy)

If a bug existed that would create additional coins, there is no way you would see it.

The math and cryptography backing it isn't peer reviewed yet and in an infancy stage.

For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company

It is still possible for blockchain analysts to correlate information through public transactions