Why do we need Privacy for Transactions?

• personalized ads
• crime on wealthy people
• censorship
• sensitive business relationships
• unaware complicity
• ...

Terms

• anonymity
• decentralization
• fungible
• unlinkable
• untraceable

Conventional Means of Payment

Cash

• customer (sender)
• vendor (receiver)
• amount
• unlinkable
• untraceable
• decentralized
• fungible

Credit Card

For Bank:

• sender
• receiver
• amount
• unlinkable
• untraceable
• decentralized
• fungible

Bitcoin

Public ledger contains transactions:

• sender
• receiver
• amount
• unlinkable
• untraceable
• decentralized
• fungible

Overview

• since 2014
• based on CryptoNote
• biggest privacy focused Altcoin
• only obfuscated transactions
• no need to trust anyone from the network

Privacy

• sender
• receiver
• amount
• unlinkable
• untraceable
• decentralized
• fungible

Monero Account

• view key pair
• spend key pair
• (mnemonic seed)

Hiding Receiver Address

• Stealth Addresses
• ephemeral keys
• randomly generated for each transaction
• not linkable to published receiver address
• only sender and receiver "understand" the transaction

Hiding Sender Address

• Ring Signatures
• only one member of ring signs on behalf
• not traceable who did signing
• decentralized

Hiding Amount

• Ring Confidential Transactions (RingCT)
  • confidential transaction (TX) & ring signatures
  • Multilayered Linkable Spontaneous Anonymous Group signatures
• introcuded Jan. 2017, madatory since Sep. 2017

Prevent Double Spending

• linkable ring signatures
• one-time ring signature
• unique key image

Overview

• started as extension for itcoin protocol
• automatically mix transactions with others
• benefits of size of bitcoin network
• transferable to any Basecoin

Privacy

• sender
• receiver
• amount
• unlinkable
• untraceable
• decentralized
• fungible

Protocol

Mint Transaction

• generate random serial number $S$
• generate random number $r$
• mint coin: $C = H(S, r)$
• commit to blockchain (Pedersen Commit)
• consumes 1 Basecoin (input of TX)

Protocol

Spend Transaction

• reveal $S$ (proof that not spend before)
• publish zero-knowledge proof:

  I know a $r$ such that $H(S, r)$ is one of the Zerocoins in blockchain

• use any Zerocoin as TX input
• consumes one Zerocoin and produces new one

Zero-Knowledge Proofs

Peggy proofs Victor that statement $S$ is true without conveying any information

• used for authentication mechanisms without password transfer
• usually: interactive challenge response
• stronger validity by repetition

Example

color-blind person does not believe,
that balls are colored and distinguishable

Problems

• only sender address is obfuscated
• verification inefficient
  • idea: store intermediate steps in blockchain
  • bloated blockchain

Overview

• since 2013
• more efficient crypto
  • verification: 6ms
  • proof size reduced by 98%
• new transaction type zXXXX
  • JoinSplits

Privacy

• sender
• receiver
• amount
• unlinkable
• untraceable
• decentralized
• fungible

zk-SNARK

Zero-Knowledge Succinct Non-interactive ARgument of Knowledge

• zero-knowledge proof
• succinct: short and easy to verify
• non-interactive:
  • common reference string initial setup
• argument $\neq$ proof
• of knowledge: that coin exists

Problems

• producing proofs is inefficient
• initial setup (public parameters) for non-interactive challenges required
  • 1.2 GB
  • system is broken if someone knows the secret randomness
    • gathered in Multi-party Computation Ceremony
    • secret randomness and hardware destroyed
• Zcash: founders award

Additional Things to do

• review code
• review algorithms
• use /

Other Altcoins focused on Privacy

• Anoncoin
• Zero, Zcoin, Zclassic
• CryptoNote Bytecoin
  • Boolberry
    • DarkNetCoin
  • Darkcoin / XCoun
    • PIVX
  • Monero
    • Verge
    • AEON

The Dark Side...

• Taxes?
• Darknet
• Solution: Backdoor?

Thanks

Sources

• https://getmonero.org/
• https://monero.org/
• Monero Talk at Bitcoinference 2015 (YouTube)
• Wikipedia: Monero (cryptocurrency)
• Wikipedia: CryptoNote
• https://moneroforcash.com/monero-vs-dash-vs-zcash-vs-bitcoinmixers.php

/

• https://zerocoin.org/ -- partly outdated
• https://zerocash-project.org/
  • Zerocash - Project Q&A
  • Zerocash - How it works
• https://z.cash/
  • Zcash - Technology
• Zcash: Multi-party Computation Ceremony (YouTube)
• ntrigano: Bitcoin and Anonymity - Part 6 - Zerocoin and Zerocash (2017-03-19, YouTube)
• Wikipedia: Zerocoin -- chaos
• Wikipedia: Zcash
• Zerocash Presentation Slides (2014-05-20)
• Sven M. Hallberg: The Zcash anonymous cryptocurrency - or zk-SNARKs for the interested layperson (33rd Chaos Communication Congress, Hamburg, 2017-11-14)

Images

• Video_surveillance_logo_without_background.svg by Therud - File:Video surveillance logo.svg, CC BY-SA 4.0, Link
• CryptoNote blockchain analysis ambiguity.gif by CryptoNote official site - https://cryptonote.org/inside#untraceable-payments, CC BY-SA 3.0, Link
• Monero-Logo.svg by The Monero Project - https://downloads.getmonero.org/resources/branding.zip, Public Domain, Link
• Zerocoin_logo.png by Source (WP:NFCC#4), Fair use, Link
• Zcash-logo-black.png By zooko et al - www.z.cash, Public Domain, Link
• Official_Dash_Logo.png by Dash community - https://www.dashpay.io/promotional-graphics/, CC BY-SA 4.0, Link

Last access: 2017-11-16

Papers

• CryptoNote v 2.0: https://cryptonote.org/whitepaper.pdf
• RingCT: https://eprint.iacr.org/2015/1098.pdf
• Zerocoin: http://zerocoin.org/media/pdf/ZerocoinOakland.pdf
• Zerocash: https://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
• Zerocash extended: https://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
• zk-SNARK: https://eprint.iacr.org/2013/879.pdf
• CHL06 (prevent laundering but keeping privacy): https://www.cs.jhu.edu/~susan/papers/CHL06.pdf

Last access on all sources: 2017-11-16

Everything else is created by Sebastian Endres and licensed under a Creative Commons Attribution 4.0 International License.

Bonus: Criticism on Zcash

Source: Reddit (Author: Monero Fanboy)

• If a bug existed that would create additional coins, there is no way you would see it.
• The math and cryptography backing it isn't peer reviewed yet and in an infancy stage.
• For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company
• It is still possible for blockchain analysts to correlate information through public transactions