2021-07-15

Last month, the FBI took just a couple of weeks to recover over $2 million in Bitcoin from the Colonial Pipeline hackers who had stolen over $4 million worth of Bitcoin. Wait, isn't Bitcoin that Internet money that's used by shady criminals? It should be untraceable, right? Isn't it a cryptocurrency, after all?

Also last month, the government of El Salvador adopted Bitcoin as legal tender (despite most Salvadorians either opposing the move, knowing nothing about cryptocurrencies, or being unable to use Bitcoin). Nayib Bukele asserted that citizens will not be legally obligated to accept Bitcoin, but this shouldn't ease anyone's concerns when the government could just as easily reverse that policy next week. The Salvadorian story is riddled with U.S. dollar-denominated bonds, Blockstream's own completely centralized side-chain, and custodial wallets requiring the disclosure of personally identifying information. The wannabe inheritors of the cypherpunk movement are celebrating this development, claiming that this is totally not a centralizing takeover of Bitcoin. Wait, wasn't Bitcoin about peace and lack of central authorities?

These are both myths. The truth is that Bitcoin has no privacy, and that Bitcoiners have abandoned its original principles of "banking the unbanked" and decentralization.

Bitcoin's inherent traceability coupled with its centralization in the hands of governments and corporations poses a problem of immense magnitude, and other governments following in the footsteps of El Salvador could create a privacy disaster on an unforeseeable level.

Bitcoin is worse for privacy than fiat

Most people mistakenly think the term "cryptocurrency" refers to something secretive or anonymous. In the early days of Bitcoin, when it was not understood by many people, it seemed untraceable because criminals were among the first to learn the technology and provide its first use cases.

In reality, Bitcoin transactions are viewable by the whole world. Because the Bitcoin blockchain does not obscure transaction details such as the chain of ownership of coins, the transaction amount, or the recipient's address, an adversary can become privy to all financial information such as the value of portfolios, purchases, spending habits, and incomes. Though the public nature of Bitcoin solves the problem of double spending and provides immutability, trustlessness, and a certain degree of decentralization, it does so at the cost of privacy.

Of course, financial privacy under the current financial system is by no means close to optimal. A handful of corporations monitor financial data and divulge sensitive information not only to advertisers but unwittingly and routinely to hackers.

However, even the current financial system is more private than Bitcoin. Satoshi noted as much in the Bitcoin whitepaper:

… the traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party.

Even though there is centralized control of fiat currencies, JP Morgan does not publicly broadcast every transaction, and any old person on the street cannot query JP Morgan's databases for information tied to any old account.

Bitcoin transactions are inherently traceable

Exactly as the name suggests, Bitcoin's blockchain is a chain of blocks storing transactions and acting as a distributed ledger among users of the Bitcoin network. Each user has an address that acts as their de facto identity and a secret key with which they sign transaction data in a digital signature.

A Bitcoin transaction is composed of inputs and outputs, with the inputs themselves being outputs of previous transactions. A transaction occurs when a sender transfers ownership of an electronic coin to a recipient. In order to do so, the sender must prove their ownership of the transaction outputs which they are now attempting to spend as inputs. Hence, a coin is nothing more than a chain of digital signatures that can be traced back through the ledger, with each signature proving that the sender's address owns the transaction output without revealing the sender's secret key.

A sender begins to transfer a coin by first composing the necessary transaction data and then digitally signing a hash of the transaction data and their own secret key, thus appending to a chain of digital signatures that trace the history of a coin's ownership through the history of the ledger. The sender then broadcasts the transaction to the network. Miners monitor these broadcasts, check the validity of their signatures, gather them into pools, and then compete with each other to have their pool published as the next block. Once the network validates a proposed block, the block is securely linked to the last accepted block in order to continue the chain and is thus published to the ledger.

Bitcoin transaction data explicitly specify the transaction amount, the transaction outputs being spent, and the hash of the recipient's address, thus revealing a traceable history of the coins as well as a fixed value that uniquely identifies the recipient. As Satoshi notes in the whitepaper:

The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone … The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

Even though Bitcoin achieves a sort of pseudonymity by dealing with addresses rather than names or physical locations, it does not achieve unlinkability. Any observer can look up a given address' transaction history and balance and could, with enough resources, piece together this data to determine the physical identity tied to that address. And any merchant can easily tie a physical identity to an address if the customer purchases something in person.

There are a few techniques to obscure Bitcoin transactions, but they are vastly overrated. A person can "mix" bitcoins by having a third party swap them for new ones and send the new bitcoins to the desired address, but this involves trusting a third party. Coinjoin is a peer-to-peer mixing service, but it still requires a level of trust as well as technical know-how. Even if mixers were to become trustless and practical, there is nothing a user can do if governments link their physical identity to the address used prior to the mix. Whatever privacy extensions to Bitcoin that can be built in the future can be subverted by the untraceability of Bitcoin prior to their invention.

A second anonymization technique is sending transactions through a convoluted route before reaching the ultimate recipient (similar to Tor), but a keen observer can note that some transaction amount left a sender and that the same amount landed at the eventual recipient's address.

Yet another anonymization technique that falls short is generating a unique Bitcoin address for every single transaction received, but this technique is useless if the recipient eventually consolidates the transaction outputs at a single address. These techniques also incur more transaction fees than should be required.

In any case, any Bitcoin recipient could be vulnerable to transaction graph analysis, a deanonymization technique in which an adversary transacts once with a person, identifies one of that person's addresses, and tags a cluster of addresses involved with that address.

If even some supposedly sophisticated hackers were no match for the analytical skills of the FBI, surely the average user cannot dream of retaining a semblance of untraceability in the face of a governmental adversary.

Untraceability must be a priority

Bitcoiners cannot in good faith claim to be "banking the unbanked" if adoption means that oppressive regimes can track every financial move made by citizens. Here are some potential consequences of a Bitcoin mandate:

• Entire budgets, incomes, and financial histories are public information. The IRS can monitor every single transaction, having the power to record and tax even the smallest of exchanges between friends.
• Merchants can, prior to confirming a purchase, look up the balance of a customer and decide to jack up the price or rob them outright.
• Freedom of association is a thing of the past, as governments, employers, etc. can hold someone hostage over their payments and force "correct" transaction behavior.
• A person can, through no fault of their own, come under possession of coins which were previously stolen. Since coins are chains of digital signatures that can be traced through the history of the ledger, those coins could be blacklisted and that person could lose money.

Even if governments don't directly monitor all this information themselves, custodial wallets such as the one being imposed in El Salvador can reveal physical identities and refuse transactions due to their own biases, nefarious motivations, or outside pressure. We can't even envision all the potential ramifications, especially in a global system that is moving toward former conspiracy theories such as contact tracing.

As with the Edward Snowden leaks, some people might respond to these points and say that they have "nothing to hide and thus nothing to fear" (as if there hasn't been enough evidence in the past two years to convince everyone on this planet otherwise). This statement discloses not only an utter lack of imagination and awareness, but also a complete lack of empathy. It's entirely possible that you have nothing to fear and would love a government that requires physical identification for every important function of life. But maybe the Salvadorians don't want that. Sure, if you live in a Miami mansion in a free country you might not object to your government tracking your purchases (if you even care about using Bitcoin as a currency and not just as a store of value). But if you live under an oppressive regime, you might lose your life for a payment someone in the United States would take for granted. Somewhere in the past decade, the priorities of Bitcoiners shifted from "banking the unbanked" to pumping the bag for Miami millionaires.

Normal people cannot be expected to have the technical know-how required to figure out privacy in Bitcoin. It's infeasible to have a functioning economy in which the average person has to learn how to route transactions, generate a new address for each purchase, or set up a non-custodial Lightning Wallet. Unfortunately, because Bitcoiners have sacrificed privacy, they have paved the way for a totalitarian financial system.

Interestingly, there have been conversations surrounding traceability in digital currencies for decades. Hal Finney, one of the original cypherpunks, argued in 1994 that traceability in digital currencies makes it harder to commit crimes:

… if you can make an untraceable payment, you could be coerced into doing so, for example by being robbed at gunpoint. Contrariwise, if the cash system used by you and your bank is such that all money is inherently traceable, it will be a lot harder to commit robbery, extortion, kidnapping, and all those other horrors which people fear will come with digital cash.

Hal makes a fair point about the ramifications of untraceability, but these threats are far outweighed by the ramifications of traceability which can easily be abused by governments. An untraceable system could open the door to coercive payments, but so can traceable systems that allow the linking of addresses to physical identities for the purposes of extortion, blackmail, or blacklisting.

Satoshi himself may have favored untraceability, even though he did not implement it in Bitcoin. In a thread from 2010, he wrote that untraceability would make possible "a much better, easier, more convenient implementation of Bitcoin." In fact, in the same thread, he floated the idea of three concepts which would have to be implemented to realize untraceability. These concepts are that an implementation would have to obscure the values of transactions from public nodes, would have to generate a new blinded key for each payment, and would have to incorporate group signatures over digital signatures:

… you need to be able to sign a signature such that you can't tell that two signatures came from the same private key. I'm not sure if always signing a different blinded public key would already give you this property. If not, I think that's where group signatures come in. With group signatures, it is possible for something to be signed but not know who signed it.

These same concepts were implemented, but just not in Bitcoin. They were implemented in a different cryptocurrency called Monero.

Monero solves this

Monero is a cryptocurrency launched in 2014 that is designed to afford far greater privacy than Bitcoin by making use of three technologies in particular: ring signatures, stealth addresses, and RingCT.

Ring signatures

Just like Bitcoin's digital signatures, ring signatures are a way to confirm the authenticity and source of a transaction output. Whereas digital signatures reveal exactly which transaction outputs are being spent, ring signatures go several steps further to obfuscate the outputs in order to shield the identity of the sender.

In a ring signature, the sender of a transaction does not necessarily sign the transaction themselves. Instead, Monero places the sender in a group (or ring) of at least ten other addresses extracted from past outputs that are chosen semi-randomly from the blockchain and do not belong to the sender. These other outputs are called decoys, and the addresses belonging to the decoys are mixed together with the sender's address in order to hide which output is in fact being spent. One of the ring members signs the transaction, but an observer cannot cryptographically examine the ring signature to determine its true signer. The fact that a certain output appears in the ring signature is inconclusive, since an observer cannot tell whether that output is truly being spent or is a decoy.

Ring signatures offer plausible deniability to users since the appearance of a user's signature on the ledger does not prove that they were a part of that transaction.

The immediate objection to ring signatures is that they could eliminate proof of ownership and open the door to double spending since an output could appear twice in the ledger, first as a decoy and second as a truly spent output. To address this, every ring signature in Monero produces a key image that is uniquely derived from the truly spent output but does not reveal the true signer. For verification purposes, since the network cannot identify which outputs are spent, it instead checks whether a given key image has been used before despite not knowing which ring member corresponds to the key image.

Stealth addresses

While Bitcoin's ledger publishes a fixed value that is the hash of the recipient's address in every transaction with that recipient, Monero uses one-time addresses called stealth addresses. Recipients have a unique disposable one-time address recorded on the ledger for every single transaction. The stealth address is derived from a combination of the public address and some randomness. The recipient can access their stealth address with their secret key without ever exposing their public address.

With stealth addresses, not only is a public address not recorded on the blockchain, but multiple payments to the same address cannot be linked together.

Monero transactions must use stealth addresses, and wallets handle all of the cryptography under the hood.

RingCT

While Bitcoin transactions reveal the amount in the clear, Monero uses RingCT (Ring Confidential Transactions) to obscure the transaction amount. RingCT allows a sender to prove transaction legitimacy to the network without revealing the transaction amount.

RingCT encrypts transaction amounts in two ways. It first encrypts the amount using the public information from the recipient's address and then integrates it into a commitment by which the network can verify the validity of the transaction without retrieving the transaction amount itself. Verification involves a range proof to ensure that the committed amount is a positive number and a proof that the inputs balance the outputs. The commitment scheme used by Monero allows the sender to prove that there is zero difference between the inputs and the outputs without revealing the amount or the source of the inputs (which could be masked by a decoy).

These privacy features can be circumvented, however, if two senders communicate with each other "off-chain" and discover that they have sent coins to the same address. This is possible to do because senders can, of course, see the static recipient address and only the inner workings of Monero enforce the privacy measures. If this happens, the senders can link a recipient's stealth addresses.

Monero has yet another feature for the above scenario called subaddresses. Each public address can generate multiple subaddresses whose deposits all get consolidated. There is no need for a Monero recipient to generate multiple addresses and worry about never linking them like in Bitcoin. Instead, a Monero recipient can generate multiple subaddresses from a single addresses and share a unique one with each sender. Subaddresses route to the same wallet balance, but they are cryptographically unlinkable.

All these privacy features are built into Monero and don't require any fancy software or technical know-how. Anyone can use a Monero wallet just like with any other cryptocurrency.

Zcash is not the way

Monero isn't the only "privacy coin" out there, but it has the most privacy, hasn't been broken, and has the most usage. The most prominent privacy coin challenger to Monero is Zcash.

Similar to Monero, Zcash uses a commitment scheme for spending coins. Zcash incorporates both zero-knowledge proofs to prove control over coins without divulging sensitive information and zk-SNARK to make these proofs compact and efficient so that the blockchain records just the existence of transactions and proofs but not the addresses or amounts.

zk-SNARK expands any Zcash transaction's anonymity set to be the entire blockchain, meaning that an adversary cannot distinguish one Zcash transaction from any other that has ever been recorded. This is far superior to Monero, in which the anonymity set is fixed to 11 ring members (the addresses corresponding to the 10 decoys and the truly spent output).

However, Monero's privacy scheme is much older than zk-SNARKS, meaning it has been subjected to more extensive peer review. Moreover, Monero transactions are private by default whereas Zcash transactions are only optionally private, meaning Zcash is for the large part functionally similar to Bitcoin. Additionally, there is ongoing work as part of the Kovri project to also obscure IP addresses in Monero.

Most importantly, Zcash is NOT completely trustless. Using Zcash involves a one-time trusted setup in which a trusted party chooses certain public mathematical parameters for everyone to use for the lifetime of the system. The problem is that anyone who knows these parameters could create an unlimited number of coins - all without detection, because the privacy is so good that not even the coin supply can be verified. This is essentially a backdoor that defeats one of the basic points in having cryptocurrencies.

In Monero, on the other hand, there is no trusted setup and the supply of coins is publicly verifiable.

Some other privacy coins are MimbleWimble and NuCypher, which aren't in much use. MimbleWimble in fact is open to linkability and the same transaction graph analysis that can be used to deanonymize Bitcoin transactions.

Mo' Monero

Moving to Monero focuses the purpose of cryptocurrencies around privacy, which is of paramount importance in shielding citizens from oppressive regimes and bad actors. Satoshi was interested in just this, and if Bitcoin's developers had taken a different turn the centralized and totalitarian Leviathan could have been avoided.

Even though Monero might have some issues with scalability, it has an active developer group working on optimizations. Moreover, general bandwidth and storage keep progressing, and their growth may even come to eventually outpace blockchain requirements.

Monero also addresses many of the other shortcomings of Bitcoin such as transaction fees, mining centralization, and continued mining incentives, but these are topics for a different post.

I'm preparing myself for a flood of red-laser-eye-profile-picture accounts to pester me over this post. If you'd like to support me in the troubling onslaught to come, you can find my Monero address here or below. Don't worry, with Monero's privacy not even red laser eyes can see that you donated.

For more robust examination of these concepts, I suggest reading the following:

1. Bitcoin and Cryptocurrency Technologies
2. Mastering Monero