Why crypto? To investors, the answer is clear: the possibility of returns that cannot be found in any other class of investment. For enthusiasts, it is a chance to be on the cutting edge of a new technology being used in new ways. But when it comes to ordinary users spending one coin or another to buy things, a common answer is anonymity.
Transactions on the ledger are anonymous, the story goes, and, in this heavily surveilled age, it is valuable to have some aspect of one’s life be immune to the inquisitive eyes of big tech and bigger government. How true is this story? How anonymous is ‘anonymous,’ exactly?
The anonymity of Bitcoin, or of any other mainstream cryptocurrency, is a curious thing. It is true that aside from a public key (or an address derived from it) there is nothing to identify a participant in a transaction on a typical blockchain. You authorize the spending of your unspent transaction outputs purely by signing with the corresponding private key; no other notion of identity exists.
From the outside this seems perfectly safe: the key is randomly generated and meaningless to anyone snooping. The problem is the complete lack of confidentiality that is also part of the deal on today's blockchain networks. For the system to work, the whole history of transactions, down to the very last satoshi, must be public. Each transfer is a matter of public record, and even though an address is not directly tied to you, it is permanently tied to every transaction it ever took part in.
This means that your identity is as good as leaked if at any point you use your holdings to make a purchase traceable to you, because that one purchase names the owner of everything linked to the address. Even purchases that are individually innocuous can, in sufficient number and in aggregate, identify you. Chain-analysis tools need no magic for this: they cluster addresses that are spent together and correlate the clusters with off-chain records such as exchange accounts and delivery addresses. Machine learning only sharpens the sifting of that vast sea of data for the faintest pattern.
Some defense is possible, of course, by using a network of alternative addresses, each derived from a single master seed. These hierarchical deterministic wallets, specified in BIP 32, are a great idea and help with both privacy and security. But they are not always enough. It is true that you can generate addresses on the fly, but you must then be relentlessly vigilant: any transaction that spends from two of those addresses together, or that sends change from one to another in a recognizable way, links them for anyone reading the ledger, and because the ledger is permanent the link can never be undone. Is there a solution?
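The linking described above, as an added example that is not part of the original article: a small union-find clustering of addresses over a constructed UTXO ledger, using the common-input-ownership heuristic and a simplified change-address heuristic. Both heuristics are this example's own simplifications of what chain-analysis tools do, and every address, amount and transaction is invented.

```python
"""Address-clustering heuristics run over a constructed UTXO ledger.

Shows why one fresh address per payment (an HD wallet) stays unlinked only
until two addresses are spent together or change is sent between them.
All addresses, amounts and transactions are made up for this example."""
from collections import defaultdict

# Constructed ledger.  Wallet A derives a new address for every payment and
# every change output; wallet B is an unrelated customer of the same merchant.
TXS = [
    {"id": "tx0", "inputs": ["B1"], "outputs": [("merchant1", 0.10), ("B2", 0.80)]},
    {"id": "tx1", "inputs": ["A1"], "outputs": [("merchant1", 0.50), ("A2", 0.40)]},
    {"id": "tx2", "inputs": ["A3"], "outputs": [("merchant1", 0.20), ("A4", 0.70)]},
    # Wallet A consolidates its two change outputs to pay merchant3, so A2 and
    # A4 appear side by side as inputs of one transaction.
    {"id": "tx3", "inputs": ["A2", "A4"], "outputs": [("merchant3", 1.10)]},
]


class UnionFind:
    """Disjoint-set forest: union(a, b) merges the clusters of a and b."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs, change_heuristic=False):
    """Map every spending address to the frozenset of addresses linked to it.

    Heuristic 1, common-input ownership: all inputs of one transaction belong
    to the same owner, since one key holder had to sign all of them.
    Heuristic 2, simplified change detection (optional): in a two-output
    transaction whose other output goes to an address seen before, an output
    to a never-before-seen address is the spender's own change.
    """
    uf = UnionFind()
    seen = set()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            uf.union(ins[0], addr)
        outs = [addr for addr, _ in tx["outputs"]]
        if change_heuristic and len(outs) == 2:
            fresh = [addr for addr in outs if addr not in seen]
            if len(fresh) == 1:
                uf.union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(outs)
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(members[uf.find(addr)]) for addr in list(uf.parent)}


def counterparties(address, txs, clusters):
    """Every address outside the cluster that the cluster has ever paid."""
    cluster = clusters.get(address, frozenset({address}))
    paid = set()
    for tx in txs:
        if any(addr in cluster for addr in tx["inputs"]):
            paid.update(addr for addr, _ in tx["outputs"] if addr not in cluster)
    return paid


if __name__ == "__main__":
    plain = cluster_addresses(TXS)
    linked = cluster_addresses(TXS, change_heuristic=True)
    print("co-spend only:    ", sorted(plain["A2"]))
    print("with change links:", sorted(linked["A1"]))
    print("payments now attributable to A1:", sorted(counterparties("A1", TXS, linked)))
```

On this ledger the co-spend heuristic alone links A2 to A4; adding the change heuristic pulls A1 and A3 into the same cluster, so every merchant wallet A ever paid is attributable to one owner, while wallet B, which never co-spent, stays separate. One consolidation undid the privacy of every fresh address the wallet had generated.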
What we want is selective privacy: transactions that are private by default but can, for regulatory or business reasons, be disclosed to chosen third parties. The obstacle is the way any blockchain operates: transactions must be proven valid before they are committed into blocks. That is the whole point of distributed consensus. How can the nodes reach consensus about something they are not allowed to see?
Cryptographers have had an answer for decades: zero-knowledge proofs. The idea is simple. Take two parties, Alice and Bob. Alice knows a secret and wishes to prove to Bob that she knows it (or to prove some fact about it), but in such a way that no matter how many times she does so, Bob learns nothing about the secret beyond the truth of the claim.
Historically, zero-knowledge proofs were interactive protocols. Bob would issue random challenges, Alice would answer them, and the exchange continued until Bob was satisfied that Alice knew the secret or that her claim about it was true. Fascinating mathematically, but of limited practical use: the verifier has to be online, the challenges must be unpredictable to the prover, and the transcript convinces nobody but Bob. Everything changed with non-interactive zero-knowledge proofs, in which the challenge is replaced by something the prover cannot control, typically a hash of the prover's own first message (the Fiat-Shamir heuristic) or a pre-arranged common reference string, so that a single message can be checked by anyone, at any time.
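The interactive protocol and its non-interactive form, as an added example that is not code from the article: a Schnorr proof that Alice knows the discrete logarithm x of Y = x*G, first with Bob supplying the challenge, then with the challenge derived by hashing (the Fiat-Shamir transform). The curve is secp256k1 with textbook affine arithmetic, and the function names, in particular `simulate_transcript`, are this example's own; the simulator is the standard one and shows both why the challenge must come after the commitment and why Bob learns nothing.

```python
"""Schnorr proof of knowledge of x with Y = x*G: interactive, then
non-interactive via Fiat-Shamir.  Teaching code on secp256k1 with textbook
affine arithmetic; not constant-time and not for production use."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over GF(P); G generates a subgroup of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

# Interactive version: three messages, with Bob's challenge in the middle.
def prover_commit():
    """Round 1: Alice picks a fresh nonce r and sends T = r*G."""
    r = secrets.randbelow(N - 1) + 1
    return r, ec_mul(r, G)

def prover_respond(x, r, c):
    """Round 3: s = r + c*x.  Round 2 is Bob sending a random c, chosen only
    AFTER he has seen T.  Because r is fresh and secret, s reveals nothing about x."""
    return (r + c * x) % N

def verify(Y, T, c, s):
    """Bob accepts iff s*G == T + c*Y."""
    return ec_mul(s, G) == ec_add(T, ec_mul(c, Y))

def simulate_transcript(Y, c):
    """Produce an accepting (T, c, s) WITHOUT x, given the challenge in advance.
    Lesson 1: a prover who can predict c can prove anything, so c must be fixed
    after T.  Lesson 2: Bob can make such transcripts himself, so a real one
    teaches him nothing about x (this is the zero-knowledge simulator)."""
    s = secrets.randbelow(N)
    T = ec_add(ec_mul(s, G), ec_mul((-c) % N, Y))  # T = s*G - c*Y
    return T, c, s

# Non-interactive version: the challenge is a hash of the commitment.
def fiat_shamir_challenge(Y, T, message=b""):
    """c = H(Y || T || message) mod N: anyone can recompute it, nobody can choose it."""
    enc = b"".join(v.to_bytes(32, "big") for pt in (Y, T) for v in pt)
    return int.from_bytes(hashlib.sha256(enc + message).digest(), "big") % N

def prove_noninteractive(x, Y, message=b""):
    """A single message (T, s) from Alice.  Binding a message makes this a signature."""
    r, T = prover_commit()
    return T, prover_respond(x, r, fiat_shamir_challenge(Y, T, message))

def verify_noninteractive(Y, proof, message=b""):
    T, s = proof
    return verify(Y, T, fiat_shamir_challenge(Y, T, message), s)
```

The simulated transcript passes `verify` because the verifier's equation only ties s to T and c, not to x; what stops a cheater in the interactive version is that T is fixed before c is known, and in the non-interactive version that c is a hash of T, so changing T changes c. In a tiny group the hash could be brute-forced to land on a chosen c; the 256-bit challenge space is what makes that infeasible here.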
zkSNARKs are zero-knowledge (hence the zk) Succinct, Non-interactive Arguments of Knowledge. 'Argument' rather than 'proof' signals that soundness is guaranteed only against computationally bounded provers, which is the case for every deployed scheme. In practice it is a technique for proving statements about secret data with proofs that are quick to verify (milliseconds), small to store (a few hundred bytes), and non-interactive: aside from one pre-arranged string everyone knows, the Common Reference String (CRS), no further communication is needed. The caveat is how that string is made. It comes from a trusted setup, and anyone who keeps the randomness used to generate it (the 'toxic waste') can forge proofs that verify, which is why Zcash produced its parameters in a multi-party ceremony that remains sound as long as at least one participant destroyed their share.
A zkSNARK, then, is a short string of bytes that cryptographically establishes the validity of a statement about a secret, and anyone who knows the protocol (public) and has the common reference string (public) can verify it without extracting a single bit of knowledge about the secret.
How this works in full is well outside the scope of an article like this. In extreme brief: a claim about a transaction is first expressed as the claim of knowing a solution to a system of equations. The computation is written as an arithmetic circuit, with gates as operations and 'wires' as the values travelling between them, and the claim becomes a set of constraints on those wires. In the usual form, a rank-1 constraint system (R1CS), each gate is one constraint of the shape (a·s)(b·s) = c·s, where s is the vector of all wire values.
Checking the constraints one by one would make the proof as large as the computation, so the next step bundles them. A Quadratic Arithmetic Program turns the many constraints into a single identity between polynomials, A(t)B(t) - C(t) = H(t)Z(t), where Z vanishes at the index of every constraint. This is convenient because two distinct polynomials of degree d agree on at most d points, so they are exceedingly unlikely to agree at a randomly chosen one (the Schwartz-Zippel lemma). Homomorphic hiding of values in an elliptic-curve group, together with elliptic-curve pairings, then lets the verifier check the identity at a point the prover never learns, so a dishonest prover cannot tailor a false polynomial to the evaluation point.
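The arithmetization just described, carried through as an added example that is not code from the article: the claim 'I know x such that x^3 + x + 5 = 35' is flattened into four gates, written as an R1CS, converted to a QAP by Lagrange interpolation over a toy prime field, and checked as the single identity A(t)B(t) - C(t) = H(t)Z(t) at one point. The field size, gate layout and function names are this example's own choices, and the homomorphic hiding and pairing layer that keeps the evaluation point secret from the prover is deliberately not implemented.

```python
"""Toy arithmetization: the claim "I know x with x^3 + x + 5 == 35" flattened
into gates, written as an R1CS, compressed into a QAP and checked as a single
polynomial identity.  The field is a toy Mersenne prime, not a real SNARK field."""

P = 2**61 - 1

# Wire vector s = [one, x, out, sym1, y, sym2]; one gate per R1CS constraint:
#   sym1 = x * x,   y = sym1 * x,   sym2 = (y + x) * one,   out = (sym2 + 5) * one
A_ROWS = [[0, 1, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 1, 0, 0, 1, 0], [5, 0, 0, 0, 0, 1]]
B_ROWS = [[0, 1, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0]]
C_ROWS = [[0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 0, 1], [0, 0, 1, 0, 0, 0]]
GOOD_WITNESS = [1, 3, 35, 9, 27, 30]  # honest assignment for x = 3
BAD_WITNESS = [1, 3, 36, 9, 27, 30]   # same x, but claims the output is 36

def dot(row, s):
    return sum(a * b for a, b in zip(row, s)) % P

def r1cs_satisfied(s):
    """Constraint-by-constraint check: (a.s) * (b.s) == c.s for every gate."""
    return all(dot(a, s) * dot(b, s) % P == dot(c, s)
               for a, b, c in zip(A_ROWS, B_ROWS, C_ROWS))

# Polynomials over GF(P) as coefficient lists, lowest degree first.
def poly_add(a, b):
    n = max(len(a), len(b))
    return [(x + y) % P for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_eval(a, t):
    acc = 0
    for coef in reversed(a):
        acc = (acc * t + coef) % P
    return acc

def poly_divmod(num, den):
    """Schoolbook long division; returns (quotient, remainder)."""
    num = num[:]
    if len(num) < len(den):
        return [0], num
    quot = [0] * (len(num) - len(den) + 1)
    inv_lead = pow(den[-1], P - 2, P)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = num[i + len(den) - 1] * inv_lead % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * d) % P
    return quot, num[:len(den) - 1]

def lagrange(values):
    """Lowest-degree polynomial with poly(k + 1) == values[k]."""
    xs = range(1, len(values) + 1)
    result = [0]
    for xi, yi in zip(xs, values):
        term = [yi % P]
        for xj in xs:
            if xj != xi:
                inv = pow((xi - xj) % P, P - 2, P)
                term = poly_mul(term, [(-xj * inv) % P, inv])  # (t - xj) / (xi - xj)
        result = poly_add(result, term)
    return result

def qap_polys(s):
    """A(t), B(t), C(t) for witness s (one interpolated column per wire,
    weighted by the wire's value) and Z(t) = (t-1)(t-2)(t-3)(t-4)."""
    def combine(rows):
        acc = [0]
        for wire, s_i in enumerate(s):
            col = lagrange([row[wire] for row in rows])
            acc = poly_add(acc, [c * s_i % P for c in col])
        return acc
    z = [1]
    for k in range(1, len(A_ROWS) + 1):
        z = poly_mul(z, [(-k) % P, 1])
    return combine(A_ROWS), combine(B_ROWS), combine(C_ROWS), z

def qap_target(s):
    """A, B, C, Z and the target polynomial A*B - C."""
    a, b, c, z = qap_polys(s)
    return a, b, c, z, poly_add(poly_mul(a, b), [(-x) % P for x in c])

def qap_remainder_is_zero(s):
    """A*B - C is divisible by Z exactly when it vanishes at t = 1..4, which is
    the same as s satisfying every constraint."""
    *_, z, target = qap_target(s)
    return all(coef == 0 for coef in poly_divmod(target, z)[1])

def qap_verify(s, r):
    """Check A(r)B(r) - C(r) == H(r)Z(r) at one point r.  By Schwartz-Zippel a
    false identity survives this for at most deg(A*B - C) values of r out of P,
    which is what lets a verifier skip the individual constraints."""
    a, b, c, z, target = qap_target(s)
    h, _ = poly_divmod(target, z)  # prover side: H = (A*B - C) / Z
    lhs = (poly_eval(a, r) * poly_eval(b, r) - poly_eval(c, r)) % P
    return lhs == poly_eval(h, r) * poly_eval(z, r) % P
```

For the bad witness the only change is the 'out' wire, so A*B - C differs from the honest target by one Lagrange basis polynomial, which is not divisible by Z; the remainder is non-zero and the identity fails at every point outside the constraint indices. In a real SNARK the prover would hand over evaluations of A, B, C and H hidden in a curve group, and r would be baked into the CRS, never visible to the prover.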
The mathematics is complex and the caveats many, but the system works and provides an entirely new form of crypto transaction. Taking the pioneering Zcash as the example: you can create fully shielded transactions that are recorded on the blockchain and verified by every node, but reveal neither sender nor recipient and also hide the memo field and the amount. All an outside observer can detect is that (a) a transaction took place and (b) it is valid. (Zcash also has transparent addresses; a transfer that crosses between the transparent and shielded pools exposes its transparent side, so the guarantee applies to transactions that stay fully shielded.)
Shielding works by restating every check a node normally performs as an arithmetic claim for which a zkSNARK can be constructed: that the inputs sum to the outputs, that the spender holds the spending key for the input notes, and that the spender authorized this particular transaction. All of this is proven without being revealed. What remains is where the money comes from, which must be shown without pointing at it. This is why every shielded input must come from a commitment.
A commitment is fully shielded value held on the Zcash chain: a hash of a note (its value, the recipient's key and some secret randomness) that every node stores, in practice as a leaf of a Merkle tree. No shielded input may be spent without publishing a nullifier for a commitment that has not been nullified before. The nullifier is derived from the spending key and the note's secret randomness, so it proves ownership of the original keys without revealing them, and it cannot be matched to the commitment it consumes; the spent commitment stays in the tree, indistinguishable from the unspent ones. Thanks to the zkSNARK, an outside observer can only verify that some existing commitment has been nullified, not which one it was or how much it was worth.
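The commitment and nullifier mechanism above, as an added example rather than Zcash's own code: a toy shielded ledger in which the zkSNARK is replaced by the ledger checking the spender's private data in the clear (a real node never sees it), so that the bookkeeping rules the proof must enforce, and the double-spend check on the nullifier set, can be run. The hash construction, encodings and names (`Note`, `Ledger`, the domain tags) are this example's assumptions, not Zcash's actual note format.

```python
"""Toy shielded ledger with note commitments and nullifiers.  The zkSNARK is
replaced by in-the-clear checks of the spender's private data (a real node
never sees it); the commitment set, nullifier set and spend rules are the
bookkeeping the proof must enforce.  Hashes and encodings are this example's own."""
import hashlib
import os
from dataclasses import dataclass


def H(domain, *parts):
    """Domain-separated SHA-256 so commitments and nullifiers never collide."""
    return hashlib.sha256(domain + b"".join(parts)).digest()


def derive_pk(sk):
    return H(b"pk", sk)


@dataclass(frozen=True)
class Note:
    value: int
    pk: bytes    # recipient's key
    rho: bytes   # unique per note; the nullifier is derived from it
    r: bytes     # commitment randomness


def new_note(value, pk):
    return Note(value, pk, os.urandom(32), os.urandom(32))


def commitment(note):
    """What the ledger stores: hides value, recipient and rho."""
    return H(b"cm", note.value.to_bytes(8, "big"), note.pk, note.rho, note.r)


def nullifier(sk, note):
    """Needs the spending key and rho, so only the owner can compute it, and
    it shares nothing computable with the commitment it cancels."""
    return H(b"nf", sk, note.rho)


class Ledger:
    def __init__(self):
        self.commitments = set()   # Zcash keeps these in a Merkle tree
        self.nullifiers = set()

    def mint(self, note):
        """Shield funds: publish the commitment of a new note."""
        cm = commitment(note)
        self.commitments.add(cm)
        return cm

    def spend(self, sk, note, outputs):
        """Returns (True, (nullifier, new commitments)) or (False, reason).

        The three checks under 'proven in zero knowledge' are what the
        zkSNARK would establish; here the ledger sees sk and note directly.
        """
        # --- proven in zero knowledge in the real system ---
        if commitment(note) not in self.commitments:
            return False, "unknown commitment"
        if derive_pk(sk) != note.pk:
            return False, "spender does not hold the key"
        if sum(o.value for o in outputs) != note.value:
            return False, "inputs do not equal outputs"
        # --- checked by every node from the public data ---
        nf = nullifier(sk, note)
        if nf in self.nullifiers:
            return False, "already spent"
        self.nullifiers.add(nf)
        # The spent commitment stays in the set: an observer cannot tell which
        # of the commitments this nullifier retired, only that one of them was.
        return True, (nf, [self.mint(o) for o in outputs])
```

The public record of a spend is just the nullifier and the new commitments. Replaying the same note produces the same nullifier and is rejected, while nothing in the nullifier reveals which commitment it retired, because rho never leaves the owner and the two hashes use different domain tags.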
The deployment of zkSNARKs, and of the related protocols now being developed, has the potential to change everything. A key holdup in the wider adoption of public blockchains is that, without such a layer, true privacy is impossible on them. Businesses routinely make deals and payments whose details are highly confidential, and they would never accept even a slim possibility of those details leaking through correlation of public transaction data.
With zkSNARKs, all the benefits of the public blockchain remain: decentralization, robustness and depth of defense. What goes away is the drawback. Transactions may be completely private, known only to sender and recipient; fully public; or disclosed to precisely the parties the principals select, which in Zcash means handing them a viewing key. This opens the public blockchain up for more serious use in the private sector.
The presence of a viable ZKP-based privacy layer, and how much of a coin's traffic actually uses it (a shielded transaction hides among the other shielded transactions, so a nearly empty pool hides little), is one more thing to weigh when selecting a cryptocurrency, and to keep in mind in any decision involving one.