Wednesday, September 26, 2018

Ranking the Privacy coins by anon-set - ZeroCoin protocol takes the cake!

EDIT: Be aware that the moderators of r/CryptoCurrency have SHADOW DELETED, without cause, the original thread. This is most likely at the request of the XMR community.

https://www.reddit.com/r/CryptoCurrency/comments/9gl5xp/cutting_to_the_chase_or_how_to_properly_evaluate/

This causes the post to still appear to me, but to everyone else it's been deleted. Now, why would they undertake such an underhanded tactic?

End EDIT

There's a lot of talk about anonymity and privacy as it relates to blockchains, and legacy coins like BTC and BCH that do not have privacy are more affected by it than those that do. Recently a report surfaced saying that cryptos are basically bad news for criminals: https://dailyhodl.com/2018/09/16/bitcoin-is-actually-a-money-laundering-tracking-device-that-catches-criminals-report/

TL;DR is at the bottom

Why? Because they're easy to track. Once investigators have a single piece of identifying info linked to an address (say, that Coinbase transfer to an exchange), every transaction in that address's history becomes linkable to that identity. Privacy coins are different because they obscure this history (or in some cases 'delete' it altogether). However, it can be a little difficult to decide which privacy coin offers the best privacy, along with the best combination of fees, security and usability.

So with no further ado, here is your simple guide to evaluating privacy coins! Just as daily tx throughput is a key metric of BTC/blockchain adoption and usage, privacy coins have their own 'key metric' for their ability to hide your tx history: the size of their anonymity set. This is basically the number of other people with whom your transaction is plausibly 'mixed' so as to sever the link between your address and that coin. The greater this number is, the more difficult it is to associate a coin with your address, and thus the more private the coin.

To make this easier to understand, it helps to know the following: all privacy coins do the same thing, just in vastly different ways. What is that thing? Obscuring or removing your linkage to a coin by mixing it with a similar coin denomination from another wallet. Monero is a slight exception to this: transaction amounts are hidden on the blockchain as well, so there's no need for denominations, and your coin is mixed with decoy outputs rather than with real coins from other wallets. No one can tell that from the blockchain, so it works.

PIVX

In PIVX, for example, ~10-20% of all PIVX held in wallets is 'gathered' by the accumulator (note that it never leaves your control) into a central pool of zPIV using standard denominations like 10 zPIV, 1 zPIV, 0.1 zPIV, etc. This is a configurable setting in the wallet, so some may wish to turn it on or off at their discretion, but recent research has shown that 24% of all PIVX held in wallets is private/zPIV; see u/turtleflax's comment below.

After all of that, by using a zero-knowledge proof which cryptographically proves you owned whatever zPIV was minted from your wallet, without any information linking it to you, zPIV is 'sent' to your wallet and shows up with no transaction history. So the anonymity set is 10% (around 24% nowadays) of all PIVX held in wallets, which is obviously huge.

ZCoin

ZCoin and PIVX use the same strategy, as both implement the ZeroCoin protocol. The protocol itself is just a specification; PIVX and ZCoin are implementations of that spec. Same idea with the denominations. PIVX's implementation is much more advanced, however: ZCoin doesn't have an accumulator or anything like it, and its privacy is optional.

However, it's not possible to break a Zerocoin/ZCoin/PIVX transaction because there is nothing to break. It would be like trying to guess someone's password just by watching them log in and prove they know their password. That doesn't give you any information that would help. Furthermore, the total anonymity set is around 6.5% of the total supply, which puts it comfortably in the same region as PIVX.

ZCash

ZCash is an implementation of the ZeroCash protocol, which is an improvement on the ZeroCoin protocol. The cool thing about ZCash is that it also hides the amount of the transaction. ZCash's privacy is optional and the blockchain is split between t-addresses and z-addresses. t-addrs are transparent and carry visible balances just like Bitcoin, of which ZCash is a software fork. z-addrs are shielded. ZCash appears to have two kinds of shielded transactions (shielded and fully shielded).

I'm not sure of the difference between them, but according to this handy block explorer, https://explorer.zcha.in/statistics/usage, shielded txs are far more prevalent than fully shielded ones. The difference may be that fully shielded txs are transactions between two z-addrs, while a tx that is 'just shielded' may be one between a z-addr and a t-addr (and possibly a t-addr and a z-addr), but again, I'm not sure.

The developers claim that the anonymity set is very large in comparison to coins like Dash, and since it is based on the ZeroCoin protocol like PIVX and ZCoin, it is reasonable to assume its anon set is similarly large and based on a proportion of the supply, though where among the three it stands is of course up for debate/verification. Perhaps it is as large as the shielded value volume for any given time period; note that this is a lower bound. For the past month, 394989 ZEC would be the total shielded ZEC, so this seems a reasonable lower bound on the anon-set. It's hard to tell which is larger between this and PIVX.

Dash

In Dash, it depends on how many rounds you mix. Each coin is once again broken down into standard denominations like 10, 1, 0.1, 0.01 Dash. Each round involves a minimum of three different wallets. So take the number of participants and raise it to the power of the number of rounds you mix, and that is your minimum anonymity set. Mixing four rounds gives you a minimum anonymity set of (3 participants)^(4 rounds) = 3^4 = 81. Eight rounds gives you a minimum set of 3^8 = 6,561.

It could be more if more than three wallets were involved in any single mix, which is possible. However, it could be less if the same participants are reused in every round, which is unlikely. This is still a HUGE anonymity set; however, it's probably at least an order of magnitude less than PIVX and ZCoin unless you were to get 4-5 wallets mixing per round. Still, even 81 could rightly be considered overkill, especially since the nature of PrivateSend and the random separation between 'minting' and spending makes Dash immune to timing analysis attacks. The determination of which coin to use will come down to your anonymity needs. How private do you need to be?

Monero

In Monero, the anonymity set is the number of mixins used at the time of your transaction, which is currently 7. Monero originally had optional privacy where the minimum mixin was 0, and those transactions were transparent like BTC's. However, having these 0-mixin transactions alongside the higher-mixin transactions allowed the higher ones to be deanoned; that, and three forms of timing analysis attacks, forced the minimum mixin to be raised to 3, then 5 and now 7.

TL;DR

So in short, if you want to rank privacy coins by their anon-set size (which is the only thing that matters) the list is as follows:

1. ZeroCoin and ZeroCash implementations: PIVX, ZCoin, ZCash

2. Dash

3. Monero

Note: each tier represents a range of more than one order of magnitude in anonymity set. So ZCoin, ZCash and PIVX are all grouped together, even though PIVX may have an anon-set 10-50x greater than ZCash or ZCoin (just an example, not a real figure); all three of them are still going to have anon sets 1-4 orders of magnitude greater than Dash, and something like 6-7 orders greater than Monero. Monero's default minimum mixin is 7 and the maximum definable in the GUI wallet, IIRC, is 26. Be aware, however, that using higher, rarer ring sizes causes your transaction to stick out.

Due to the nature of how they are selected, there are wide ranges for the anon sets of these coins, except for Monero. This is especially so for Dash, which may on occasion cross into the grey zone between tiers 1 and 2 due to uncertainty around the number of wallets participating, and the fact that an attacker will never know how many rounds a tx has gone through.
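As an added example (this is not code from the post or from any of the projects it describes), the script below puts the post's own yardstick into a few functions: the Dash lower bound of participants raised to the number of rounds from the Dash section, the 'same participants every round' caveat from that section, and the order-of-magnitude tiering from the TL;DR note. The figures plugged in at the bottom are the ones the post quotes (394989 shielded ZEC, 3 wallets over 4 or 8 rounds, a Monero ring of 7); the function names and the choice of floor(log10) as the tier are my own.

```python
import math
from typing import Dict, List, Tuple

# Added example: models of the anonymity-set estimates described in the post.
# Figures in POST_FIGURES are the post's quoted numbers; nothing else is measured.


def dash_min_anon_set(participants: int, rounds: int, participants_reused: bool = False) -> int:
    """Lower bound on a Dash PrivateSend anonymity set.

    The post's rule is participants ** rounds, assuming distinct wallets each
    round.  If the same wallets take part in every round (the post's 'could be
    less' caveat), the rounds do not compound and the bound is just the
    participants of a single round.
    """
    if participants < 3:
        raise ValueError("PrivateSend rounds involve at least three wallets")
    if rounds < 1:
        raise ValueError("at least one mixing round is required")
    if participants_reused:
        return participants
    return participants ** rounds


def order_of_magnitude(anon_set: int) -> int:
    """Tier used by the post: floor(log10(anon_set)), so 81 -> 1, 6561 -> 3."""
    if anon_set < 1:
        raise ValueError("an anonymity set must contain at least one member")
    return math.floor(math.log10(anon_set))


def tier_gap(a: int, b: int) -> int:
    """How many orders of magnitude separate two estimates (the post's '1-4 orders' style comparison)."""
    return abs(order_of_magnitude(a) - order_of_magnitude(b))


def rank_by_anon_set(estimates: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Sort estimates largest-first and attach each one's order-of-magnitude tier."""
    ranked = sorted(estimates.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, size, order_of_magnitude(size)) for name, size in ranked]


# Numbers quoted in the post.  ZCash: past-month shielded volume, treated as a
# lower bound.  Dash: three wallets per round.  Monero: ring size 7.
POST_FIGURES: Dict[str, int] = {
    "ZCash (shielded ZEC, past month)": 394989,
    "Dash (3 wallets, 8 rounds)": dash_min_anon_set(3, 8),
    "Dash (3 wallets, 4 rounds)": dash_min_anon_set(3, 4),
    "Monero (ring size 7)": 7,
}

if __name__ == "__main__":
    for name, size, tier in rank_by_anon_set(POST_FIGURES):
        print(f"{name:36s} anon-set={size:>8d}  tier=10^{tier}")
```

Running it prints the four estimates largest-first with their tiers; the gap between the ZCash and Monero rows comes out at five orders of magnitude on these inputs, which is somewhat smaller than the 6-7 the note quotes, because the note is reasoning about PIVX/ZCoin supply proportions that the post does not state as absolute counts.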

And because Dash doesn't rely on encryption for its privacy, if you don't catch or trace the transaction while it's happening, i.e. by buying up 70% or more of the masternodes, you can never deanon it. If you use encryption, especially for the entire blockchain, you paint a large target on your blockchain: if your encryption is ever broken, then all past transactions will be deanoned at once, which is not good. This is a benefit of steganography over some encryption-based privacy schemes.

Edit: Don't worry, my comments and posts are always heavily downvoted, that's how you know they're good stuff!
