Privacy coin is the name given to cryptocurrencies that enable anonymous digital payments (digital cash). Bitcoin was initially regarded as a privacy coin and found use as a means of payment on numerous darknet marketplaces. Bitcoin transactions are, however, only pseudonymous, not anonymous: every transaction is recorded publicly, and with the growing integration of cryptocurrencies into regulated payment systems, requirements such as know-your-customer (KYC) and anti-money-laundering (AML) rules increasingly link those pseudonymous addresses to real identities. Privacy coins therefore attempt to extend the pseudonymity of the Bitcoin model into anonymity that is as complete as possible. The origins of privacy coins and digital cash lie in the history of crypto-anarchism and the cypherpunk movement.
Most cryptocurrencies are based on distributed ledger technology (DLT), and the public visibility of all historical payment flows is an indispensable prerequisite for their function as a means of payment: every participant can check that no coin has been spent twice. A public ledger, however, also reveals how often, and in what context, coin units have changed hands between addresses (wallets). If it can be shown that coins were previously held unlawfully by any earlier owner, they can be traced to their present holder and, under certain circumstances, confiscated, and exchanges commonly refuse or flag such "tainted" coins. Very few cryptocurrencies, or their coins, can therefore be considered fully fungible so far. Privacy coins are the subtype of cryptocurrencies that make it difficult to trace the ownership history of coins and thereby restore, as a payment medium, a fungibility comparable to that of physical banknotes.
Privacy Technologies of Privacy Coins
To provide the highest possible anonymity for payments on public ledgers, several technological approaches, some of them competing, are currently being developed. The step from Bitcoin's level of privacy to the stronger protection these approaches aim for is often compared to the step from the original HTTP of the web to the HTTPS that is standard today.
In the CoinJoin procedure, several payers combine their payments into one joint transaction, so that an observer of the ledger can no longer tell which input paid which output. To put it simply: several payers throw their coins into a common pot, the pot is shuffled, and each participant takes out exactly the amount they are entitled to. The outputs are deliberately made of equal size (denominations), because an observer can otherwise match inputs to outputs by amount; change outputs, which carry individual amounts, remain linkable and have to be handled with care. Dedicated wallets (Bitcoin mixers) implement this method, e.g. Wasabi Wallet, Samourai Wallet or Sparrow Wallet, and some cryptocurrencies build it in, e.g. Dash (PrivateSend). CoinJoin does not hide amounts and cannot be applied retroactively to transactions already on the ledger.
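The matching problem an analyst faces with a CoinJoin transaction (sometimes called "CoinJoin sudoku"), as an added example that is not code from any of the wallets named above. It enumerates every way a joint transaction could be split into balanced sub-transactions and reports, per output, which inputs could have paid it; the two transactions are constructed for illustration, amounts are in satoshi, and the miner fee is ignored so that each sub-transaction must balance exactly. Equal-denomination outputs end up with an anonymity set of all payers, while the change outputs are linked to exactly one input.

```python
"""
"CoinJoin sudoku": split a joint transaction back into the independent
sub-transactions it could consist of, and see what an analyst can still link.
Added example, not code from Wasabi, Samourai, Sparrow or Dash. Amounts are
integers (satoshi); the miner fee is ignored so that every sub-transaction
must balance exactly.
"""


def set_partitions(items):
    """Yield every set partition of the list `items` as a list of blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in set_partitions(rest):
        for i in range(len(smaller)):      # put `first` into an existing block ...
            yield smaller[:i] + [[first] + smaller[i]] + smaller[i + 1:]
        yield [[first]] + smaller           # ... or into a new block of its own


def valid_decompositions(inputs, outputs):
    """All ways to split inputs+outputs into balanced sub-transactions.

    inputs/outputs are lists of (label, amount). Every block must hold at
    least one input and one output, and its input and output sums must match.
    """
    elems = [("in", lab, amt) for lab, amt in inputs]
    elems += [("out", lab, amt) for lab, amt in outputs]
    found = []
    for part in set_partitions(elems):
        if all(
            any(k == "in" for k, _, _ in blk)
            and any(k == "out" for k, _, _ in blk)
            and sum(a for k, _, a in blk if k == "in")
            == sum(a for k, _, a in blk if k == "out")
            for blk in part
        ):
            found.append(part)
    return found


def finest_decompositions(inputs, outputs):
    """Decompositions with the largest number of sub-transactions: the
    analyst's sharpest hypotheses about who paid whom. Exactly one of them
    means the transaction is fully linkable."""
    decs = valid_decompositions(inputs, outputs)
    if not decs:
        return []
    most = max(len(d) for d in decs)
    return [d for d in decs if len(d) == most]


def output_anonymity_sets(inputs, outputs):
    """For every output, the inputs it shares a sub-transaction with in at
    least one finest decomposition. A one-element set means a linked output."""
    linked = {lab: set() for lab, _ in outputs}
    for dec in finest_decompositions(inputs, outputs):
        for blk in dec:
            owners = {lab for k, lab, _ in blk if k == "in"}
            for k, lab, _ in blk:
                if k == "out":
                    linked[lab] |= owners
    return linked


# Constructed sample 1: three payers with distinct amounts batched into one
# transaction without any CoinJoin denomination logic.
PLAIN_IN = [("A", 100_000), ("B", 200_000), ("C", 300_000)]
PLAIN_OUT = [("x", 100_000), ("y", 200_000), ("z", 300_000)]

# Constructed sample 2: a round in the style of Wasabi/Whirlpool. Each payer
# receives one equal-denomination output (100k sat) plus a change output.
MIXED_IN = [("A", 150_000), ("B", 220_000), ("C", 110_000)]
MIXED_OUT = [("m1", 100_000), ("m2", 100_000), ("m3", 100_000),
             ("cA", 50_000), ("cB", 120_000), ("cC", 10_000)]

if __name__ == "__main__":
    for name, ins, outs in (("plain", PLAIN_IN, PLAIN_OUT),
                            ("mixed", MIXED_IN, MIXED_OUT)):
        print(name, "finest decompositions:",
              len(finest_decompositions(ins, outs)))
        for lab, owners in output_anonymity_sets(ins, outs).items():
            print("  output", lab, "could belong to", sorted(owners))
```

The exhaustive enumeration is exponential in the number of inputs and outputs, so it only works for small transactions; real chain-analysis tooling uses heuristics and the same change-output leak this example makes visible.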
Confidential Transactions (CT)
Confidential Transactions (CT) are used in numerous privacy coins, usually in combination with other privacy technologies. In CT the amounts being transferred are hidden from the public: each amount is replaced by a Pedersen commitment, and because commitments are additively homomorphic, anyone can still verify that the inputs of a transaction sum to its outputs plus the fee without learning a single amount. Since arithmetic on commitments wraps around modulo the group order, every output must additionally carry a range proof showing that its hidden amount lies in a small non-negative interval; without it a "negative" output would pass the balance check and create coins out of nothing. Bulletproofs are a range-proof construction whose size grows only logarithmically with the range and which allows the range proofs of all outputs, including those of different participants, to be aggregated into a single proof, so that only a highly compressed proof is stored on the blockchain.
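The homomorphic balance check and the reason range proofs are indispensable, as an added example that is not code from Monero, Elements or any other CT implementation. It uses a toy integer group in place of elliptic-curve points: P = 10007 and Q = 5003 (a safe prime and its subgroup order) and the generators 4 and 9 are assumptions chosen for illustration, so "v*G + r*H" is written multiplicatively as G^v * H^r. The inflation_attack function shows a transaction with a "negative" output passing the balance check; a range proof would reject that output.

```python
"""
Pedersen commitments as used by Confidential Transactions, in a toy
discrete-log group. Added example; real systems use elliptic-curve points.
"""
import secrets

# Toy parameters: P = 2Q + 1 is a safe prime, commitments live in the
# subgroup of order Q. Far too small for real use; the algebra is the same.
P = 10007
Q = 5003
G = 4            # 2^2: a quadratic residue, hence a generator of the order-Q subgroup
H = 9            # 3^2: second generator; users must not know log_G(H)


def commit(value, blinding):
    """C = G^value * H^blinding (mod P): hides `value` and binds to it."""
    return pow(G, value % Q, P) * pow(H, blinding % Q, P) % P


def opens_to(commitment, value, blinding):
    """Check an opening; only the holder of (value, blinding) can produce it."""
    return commit(value, blinding) == commitment


def balance_blindings(in_blindings, n_out):
    """Sender: choose output blindings whose sum equals the inputs' sum, so
    that the H terms cancel in the verifier's balance equation."""
    outs = [secrets.randbelow(Q) for _ in range(n_out - 1)]
    outs.append((sum(in_blindings) - sum(outs)) % Q)
    return outs


def verify_balance(in_commits, out_commits, fee):
    """Verifier: prod(C_in) == prod(C_out) * G^fee, i.e. inputs = outputs + fee,
    checked without learning any amount. The fee itself is explicit."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = pow(G, fee % Q, P)
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


def in_range(value, bits):
    """The statement a range proof establishes in zero knowledge: the committed
    amount is a small non-negative number, so sums cannot wrap around mod Q."""
    return 0 <= value < 2 ** bits


def inflation_attack(in_value, in_blinding, stolen):
    """What happens without range proofs: one output carries -stolen (mod Q),
    the other in_value + stolen, and the balance check still passes."""
    values = [in_value + stolen, (-stolen) % Q]
    blindings = balance_blindings([in_blinding], 2)
    commits = [commit(v, r) for v, r in zip(values, blindings)]
    return values, commits


if __name__ == "__main__":
    r_in = [secrets.randbelow(Q), secrets.randbelow(Q)]
    ins = [commit(50, r_in[0]), commit(30, r_in[1])]
    r_out = balance_blindings(r_in, 2)
    outs = [commit(70, r_out[0]), commit(9, r_out[1])]
    print("honest tx balances (fee 1):", verify_balance(ins, outs, 1))
    vals, bad = inflation_attack(50, r_in[0], 10)
    print("inflation passes balance check:", verify_balance(ins[:1], bad, 0))
    print("outputs within 8-bit range:", [in_range(v, 8) for v in vals])
```

In a real deployment the second generator H is derived by hashing so that nobody knows log_G(H); in this toy group that discrete logarithm is trivial to compute, which is why the parameters are for illustration only.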
Stealth addresses (ECDH addresses) are single-use destination addresses that are derived afresh for every payment. The recipient publishes a long-term public key; the sender generates a one-time transaction key, derives a shared secret with the recipient's public key via Diffie-Hellman (ECDH), and pays to a one-time address computed from that secret. Only the recipient can recognise and spend the output, and an observer sees neither the recipient's published address nor any link between the recipient's different payments.
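The derivation described above in CryptoNote style (a view key for scanning, a spend key for spending), as an added example that is not Monero's code. It uses the same toy integer group as the commitment example (P = 10007, Q = 5003, generator 4 are assumptions for illustration) instead of ed25519 points, and a 2-byte SHA-256 encoding of group elements that is likewise an assumption of this example.

```python
"""
Stealth (one-time) addresses via Diffie-Hellman, CryptoNote style, in a toy
discrete-log group. Added example, not Monero's code. The recipient publishes
a view key A = G^a and a spend key B = G^b.
"""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4     # toy safe-prime group with a subgroup of prime order Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def hash_to_scalar(*elems):
    """Hash group elements (all < 65536 here) to a scalar mod Q."""
    data = b"".join(int(e).to_bytes(2, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sender_one_time_address(A, B, r=None):
    """Sender: random tx key r, publish R = G^r, pay to P1 = G^{H(A^r)} * B."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    R = pow(G, r, P)
    shared = pow(A, r, P)                    # Diffie-Hellman: A^r == R^a
    one_time = pow(G, hash_to_scalar(shared), P) * B % P
    return R, one_time


def recipient_scan(a, B, R, one_time):
    """Recipient, or anyone holding only the view key a: is this output mine?"""
    shared = pow(R, a, P)
    return pow(G, hash_to_scalar(shared), P) * B % P == one_time


def recipient_spend_key(a, b, R):
    """Only the holder of the spend key b obtains the private key x with
    G^x == one_time, i.e. can actually spend the output."""
    return (hash_to_scalar(pow(R, a, P)) + b) % Q


if __name__ == "__main__":
    a, A = keygen()
    b, B = keygen()
    R, addr = sender_one_time_address(A, B)
    print("recipient recognises output:", recipient_scan(a, B, R, addr))
    x = recipient_spend_key(a, b, R)
    print("spend key opens it:", pow(G, x, P) == addr)
```

Because scanning needs only the view key a, a recipient can hand that key to an auditor or a light-wallet server, which can then find the recipient's incoming payments without being able to spend them.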
Ring signatures are one of the most tried-and-tested anonymisation methods in the cryptocurrency field. First brought into cryptocurrency by a project that was later found to have been fraudulently set up, ring signatures are now used to process many of the payments made on darknet marketplaces. Out of a group of users (the ring), one member signs the message or transaction, and it is computationally infeasible for anyone else to determine which member produced the signature; the other ring members need not cooperate or even be aware of it. Linkable variants attach a key image to each signature, so that spending the same output twice produces two signatures that are visibly linked while the signer still remains hidden. In conjunction with CT (RingCT) and stealth addresses, ring signatures are used in Monero, MobileCoin and Particl, among others.
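A linkable ring signature with key images (the bLSAG construction that Monero's key images are based on), as an added example that is not Monero's code. It runs in the same toy integer group as the earlier examples (P = 10007, Q = 5003, generator 4 are assumptions for illustration) rather than on ed25519 points, and the hash-to-group function used for key images is a simplification of this example: hashing to an integer and squaring lands in the prime-order subgroup.

```python
"""
Linkable ring signature (bLSAG) in a toy discrete-log group. Added example,
not Monero's code. A verifier learns that one of the ring's keys signed, not
which one; signing twice with the same key produces the same key image, which
is how a double spend is detected.
"""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4     # toy safe-prime group with a subgroup of prime order Q


def hash_scalar(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def hash_point(K):
    """Hash a public key to a subgroup element: squaring lands in the order-Q
    subgroup; the degenerate values 0 and 1 are skipped by re-hashing."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(f"{K}|{ctr}".encode()).digest(), "big") % P
        hp = pow(h, 2, P)
        if hp > 1:
            return hp
        ctr += 1


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def key_image(x, K):
    """I = Hp(K)^x: unique per key, not linkable to K without knowing x."""
    return pow(hash_point(K), x, P)


def ring_sign(msg, ring, x, idx):
    """Sign `msg` with x = log_G(ring[idx]) while hiding among all of `ring`."""
    n = len(ring)
    I = key_image(x, ring[idx])
    Hp = hash_point(ring[idx])
    alpha = secrets.randbelow(Q - 1) + 1
    c = [0] * n
    r = [secrets.randbelow(Q) for _ in range(n)]
    # The challenge chain starts right after the real signer, from a
    # commitment to the fresh secret alpha.
    c[(idx + 1) % n] = hash_scalar(msg, pow(G, alpha, P), pow(Hp, alpha, P))
    i = (idx + 1) % n
    while i != idx:                       # decoys: random r_i, derived c_{i+1}
        L = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        R = pow(hash_point(ring[i]), r[i], P) * pow(I, c[i], P) % P
        c[(i + 1) % n] = hash_scalar(msg, L, R)
        i = (i + 1) % n
    # Close the ring: choose r_idx so that the signer's link reproduces alpha.
    r[idx] = (alpha - c[idx] * x) % Q
    return c[0], r, I


def ring_verify(msg, ring, sig):
    c0, r, I = sig
    if len(r) != len(ring) or pow(I, Q, P) != 1:
        return False
    c = c0
    for K, ri in zip(ring, r):
        L = pow(G, ri, P) * pow(K, c, P) % P
        R = pow(hash_point(K), ri, P) * pow(I, c, P) % P
        c = hash_scalar(msg, L, R)
    return c == c0                         # the chain must close on itself


def same_signer(sig_a, sig_b):
    """Linkability: equal key images mean the same secret key signed both."""
    return sig_a[2] == sig_b[2]


if __name__ == "__main__":
    members = [keygen() for _ in range(5)]
    ring = [K for _, K in members]
    x, _ = members[3]
    sig = ring_sign("spend output #1", ring, x, 3)
    print("verifies:", ring_verify("spend output #1", ring, sig))
    sig2 = ring_sign("spend output #1 again", ring, x, 3)
    print("double spend linked:", same_signer(sig, sig2))
```

A node keeps the set of key images it has seen and rejects any transaction whose key image is already in the set; the ring itself (the decoys) is chosen by the spender from existing outputs on the chain, which is why the ring size discussed below matters.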
On August 31, 2020, the company CipherTrace claimed to be able to deanonymise Monero ring signatures with a sufficiently high probability. The Monero developer community responded that it intends to increase the ring size considerably with a new signature scheme (Triptych).
Zero-knowledge proofs demonstrate knowledge of a secret piece of information without revealing the information itself. Applied to cryptocurrencies, this means proving that a valid transaction was made (the coins exist and have not been spent before) without disclosing the amount or the sender and recipient addresses, as in the Zerocoin protocol. However, in May 2019 a relevant vulnerability in the Zerocoin protocol was disclosed.
The Zerocash protocol (based on zk-SNARKs), used for example by Zcash, is a further development of Zerocoin. In practice, Zcash's shielded transactions have comparatively long proving times and high memory requirements. This is one reason why shielded transactions are optional rather than the default, and the anonymity achievable in practice is severely limited by the small number of shielded transactions (the anonymity set).
The Mimblewimble principle was first published in July 2016. In Mimblewimble, several transactions are cryptographically merged in a manner similar to CoinJoin, both to save storage space and to hide the individual transactions from the public; amounts are hidden with Pedersen commitments, and there are no addresses at all. Transactions can only be built if sender and recipient interact (are "online" at the same time), because the recipient must contribute the blinding factor of the output it receives; double spending is prevented, as in other coins, by validators rejecting inputs that have already been spent. Spent outputs need not be stored permanently: an output that is created and later spent cancels out of the chain's overall balance check and can be removed (cut-through), which significantly reduces the size of the blockchain (pruning). The first crypto projects to use the Mimblewimble protocol were Grin and Beam.
Dandelion is not a cryptographic anonymisation method but a transaction-relay protocol that conceals which node originated a transaction. Normally a node broadcasts a new transaction to all its peers at once, so an observer connected to many nodes can estimate the originating node and its IP address from the timing of the transaction's arrival. With Dandelion, the transaction is first forwarded along a random path of single peers (the "stem" phase) and only afterwards broadcast to the whole network (the "fluff" phase), so the node that starts the broadcast is not the one that created the transaction.
Taproot + Schnorr signatures
Taproot makes it possible to commit all of a coin's alternative spending conditions to a single public key, so that only the condition actually used is revealed when the coin is spent, and in the common case (all parties sign) nothing but an ordinary signature appears on the chain. This hides the possible spending conditions from the general public, speeds up validation and reduces the necessary storage. Schnorr signatures, on which Taproot builds, make it possible to aggregate the keys of several signers into one key and to sign a message with a single signature, so that a multi-party spend is indistinguishable from a single-party one. Schnorr signatures are also used in the cryptocurrency MobileCoin.