One approach to expanding privacy on the blockchain is to begin with very low-tech techniques that use no cryptography beyond simple hashing, encryption, and public-key cryptography. This is the path Bitcoin started on in 2009; although the level of privacy it provides in practice is difficult to quantify and limited, it still clearly provided some value.
The simplest step that Bitcoin took to somewhat increase privacy is its use of one-time accounts, similarly to Zcash, to store funds. Just as with Zcash, each transaction should completely empty at least one account and create one or more new accounts, and users are advised to generate a new private key for each new account they intend to receive funds into (though it is possible to have multiple accounts with the same private key). The main benefit this brings is that a user’s funds are not linked to each other by default: if a user receives 50 coins from source A and 50 coins from source B, other users have no way to tell that those funds belong to the same person. Additionally, if the user then sends 13 coins to someone else’s account C, creating a fourth account D that receives the remaining 37 coins from one of those accounts as “change”, other users cannot even tell which of the transaction’s two outputs is the “payment” and which is the “change”.
However, there is a problem. If at any point in the future a transaction is made that spends from two accounts at the same time, those accounts are irreversibly “linked”, making it obvious to the world that they belong to one user. What’s more, these linkages are transitive: if at some point A and B are linked, and at another point A and C are linked, and so on, then a large amount of evidence accumulates by which statistical analysis can link up the entire set of assets.
Mike Hearn, a Bitcoin developer, came up with a mitigation strategy called merge avoidance that decreases the likelihood of this happening: essentially a fancy term for trying hard to minimize the number of times accounts are linked together by spending from them at the same time. This certainly helps, but even so, privacy within the Bitcoin system has turned out to be highly porous and heuristic, with nothing close to strong guarantees.
A somewhat more advanced technique is called CoinJoin. Basically, the CoinJoin protocol works as follows:
- N parties come together over some anonymous channel, e.g. Tor. They each give a destination address D … D[N].
- One of the parties creates a transaction which sends one coin to each destination address.
- The N parties log out and then separately log in to the channel, and each contributes one coin to the account that the funds will be paid out from. If N coins are paid into the account, they are distributed to the destination addresses; otherwise, they are refunded.
If all participants are honest and each contributes a single coin, then everybody puts one coin in and gets one coin out, but nobody can tell which input maps to which output. If at least one participant does not put one coin in, the process fails, the coins are refunded, and every participant can try again.
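The round described above, as an added simulation that is not part of the original post or of any real CoinJoin implementation: destinations are registered, deposits arrive separately, and the pooled account pays out only when exactly N one-coin deposits are present, refunding otherwise. The `CoinJoinRound`, `run_round` and `consistent_mappings` names, and the party data, are constructed for this example.

```python
import math
import secrets
from dataclasses import dataclass, field

COIN = 1  # every participant puts in exactly one coin, so amounts carry no identity


@dataclass
class CoinJoinRound:
    """One simulated CoinJoin round (constructed example, not a real wallet)."""
    destinations: list = field(default_factory=list)  # step 1: D[1] .. D[N]
    deposits: dict = field(default_factory=dict)      # step 3: funding address -> coins

    def register_destination(self, dest: str) -> None:
        self.destinations.append(dest)

    def deposit(self, funding_addr: str, amount: int) -> None:
        self.deposits[funding_addr] = self.deposits.get(funding_addr, 0) + amount

    def settle(self) -> dict:
        """Pay one coin to every destination if the pot holds exactly N
        one-coin deposits; otherwise refund every deposit to its funder."""
        n = len(self.destinations)
        honest = (len(self.deposits) == n
                  and all(v == COIN for v in self.deposits.values()))
        if not honest:
            # failure mode from the text: someone did not put one coin in
            return {"status": "refunded", "outputs": dict(self.deposits)}
        outputs = list(self.destinations)
        secrets.SystemRandom().shuffle(outputs)  # output order reveals nothing
        return {"status": "joined", "outputs": {d: COIN for d in outputs}}


def run_round(parties: list) -> dict:
    """parties: list of (funding_addr, destination, coins_contributed)."""
    rnd = CoinJoinRound()
    for _, dest, _ in parties:
        rnd.register_destination(dest)
    for src, _, coins in parties:
        if coins:
            rnd.deposit(src, coins)
    return rnd.settle()


def consistent_mappings(result: dict) -> int:
    """From the chain's view, a joined transaction with N equal inputs and N
    equal outputs is consistent with N! input->output assignments; a refund
    sends each deposit straight back, so only one mapping is consistent."""
    n = len(result["outputs"])
    return math.factorial(n) if result["status"] == "joined" else 1
```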
So far, only token anonymization has been discussed. What about two-party smart contracts? Here, the same mechanism as Hawk is used, except the cryptography is replaced with simpler cryptoeconomics, namely the “auditable computation” trick. The parties send their funds into a contract which stores the hash of the code. When the time comes to send out funds, either party can submit the result. The other party can either send a transaction agreeing to the result, allowing the funds to be sent, or it can publish the actual code to the contract, at which point the code runs and distributes the funds correctly. A security deposit can be used to incentivize the parties to participate honestly. Consequently, the system is private by default, and only if there is a dispute is any data leaked to the outside world.