Privacy Is a Feature, Not a Product
Disclosure: Multicoin has established, maintains and enforces written policies and procedures reasonably designed to identify and effectively manage conflicts of interest related to its investment activities. Multicoin Capital abides by a “No Trade Policy” for the assets listed in this report for 3 days (“No Trade Period”) following its public release. Multicoin Capital is long BTC-USD and ETH-USD; and short ZEC-BTC and XMR-BTC.
Privacy is a feature of valuable cryptocurrencies, not a product offering in and of itself. Users should not have to take balance sheet risk (e.g. by selling some BTC or ETH for ZEC) on less valuable and less secure cryptocurrencies in order to achieve financial privacy. This essay will argue that general platforms like Bitcoin and Ethereum already offer sufficient privacy guarantees for most users to never need niche privacy-focused blockchains.
Censorship resistance, a core tenet of all three of our Crypto Mega Theses, cannot be achieved without privacy. Therefore privacy must be a key component of open finance, global state-free money, and Web3. Within the cryptocurrency ecosystem to date, however, development activity relating to privacy has mostly taken place on privacy-focused blockchains. The Bitcoin and Ethereum communities have prioritized solving issues such as scaling and user experience first.
The developers that value financial privacy above all other features built protocols that support it natively. Examples include assets like Zcash and Monero, as well as newer entrants like Grin and Beam. They all make various tradeoffs in functionality and usability to specifically ensure that privacy is their core value proposition. But is privacy the right value proposition on which a standalone chain should be built?
A common thesis amongst crypto investors is that blockchains focused on privacy should accrue value strictly due to the importance of privacy in financial transactions. While we fundamentally agree with the latter, we do not believe there is a causal relationship between the two.
Rather than network participants taking balance sheet risk by choosing natively private protocols, we expect the most valuable blockchains to win on a different set of technical tradeoffs, with users and companies finding novel ways to bring privacy into those networks. Moreover, as we’ve written about, layer-1 assets should generally be thought of as money, and layer-1 monies accrue clear network effects such that only a few chains will persist in the long run. If chains with non-native privacy offer good-enough privacy for most, chains with native privacy will fall into irrelevance.
In this essay we will discuss how technical tradeoffs around privacy inhibit functionality, the inherent balance sheet risk of using blockchains and assets specialized for privacy, different methods of bringing privacy to more widely adopted blockchains, what is “private enough,” and how we think about investments relating to privacy.
There are four types of private information that can be leaked in a cryptocurrency transaction: the sender, the receiver, the amount transacted, and the IP address. If all four are successfully hidden from any 3rd-party observer, then the transaction is perfectly private.
As seen in Table 1, privacy is a spectrum. On one end of the spectrum are transactions which don’t hide any of the above information, e.g. basic Bitcoin or Ethereum transactions. On the other end of the spectrum are Zcash’s Sapling transactions, which shield all four of the types of info above (when combined with an IP-obscuring technology like Dandelion or Kovri). Zcash's zk-SNARK circuits allow a sender to transfer a blinded amount of coins to an anonymous receiver with no identifying information ever being recorded on a blockchain, nor leaked to the network. They are, in theory, perfect.
Although Zcash is nearly 3 years old, only about 5% in ZEC in existence is stored using SNARKs (about half of which uses legacy SNARKs). About 95% of ZEC are stored in Transparent addresses that offer no privacy. In 2019, crypto markets have generally rebounded, although ZEC is a notable exception.
While the promise is there, the market has spoken: The privacy offered by Zcash’s Sapling transactions does not make ZEC valuable.
There are a few reasons why.
First, the core innovation of cryptocurrencies is the notion of programmatically enforced, easily verifiable scarcity without trusting any party or group of parties. This feature allows for social scalability, as people from all cultures and walks of life can verify that their coins are a guaranteed percentage of a known whole. Unfortunately, perfect privacy by definition prevents perfect auditability.
In March 2018, Zcash discovered a bug in their cryptography that could have allowed for infinite inflation. As the Zcash Foundation admitted themselves, it is impossible to know if any party has taken advantage until Sprout addresses are deprecated. A user can verify how many coins were sent into shielded pools, but has no way of knowing if those coins were arbitrarily inflated by bad actors.
Perfectly private transactions prevent investors from verifying if Zcash is as scarce as it is supposed to be.
Second, optimizing for privacy in the manner that Zcash has comes with a heavy cost. Every time a perfectly private transaction is created, the sender must compute an exact series of computational steps in order to generate the proof that a miner can verify in zero knowledge (for a refresher on zero-knowledge proofs refer to this). These steps are computationally expensive, and the Sprout version was too cumbersome to allow for widespread adoption. The Zcash team engineered the Sapling version to be explicitly optimized for coin transfers, eschewing any additional functionality like Ethereum’s stateful smart contracts, or Monero’s multi-sig contracts (though these may be coming).
More efficient perfectly private transactions cost Zcash any programmability.
With the end of the indiscriminate bull market bubble of 2016 and 2017, the market today prefers less private, but more secure, programmable, and provably scarce assets like Bitcoin and Ethereum.
Still, it seems unlikely that the future of state-free money will be completely transparent. Censorship resistance requires some level of financial privacy. So now, the natural question is: how private is private enough?
“Lost in the Crowd” Privacy
The Bitcoin and Ethereum communities have both been working hard to bring native privacy to their chains. Instead of optimizing for perfect privacy, they are making do with “lost in the crowd” privacy—a strategy popularized by the Tor Network.
“Lost in the crowd” privacy is about making transactions conform to a set of rules that make it difficult for an observer to discern the actual sender, receiver, or amount of a given transaction. The more transactions that abide by these rules, the larger the crowd gets, and the harder it is for the observer to deanonymize transactions.
In contrast to perfectly private transactions, this strategy creates security through obscurity for users, as third-party observers can see that transactions are occurring, but cannot make any definitive claims about senders, receivers, or amounts transacted. All claims are probabilistic at best, and in the vast majority of cases, senders and receivers maintain plausible deniability.
Bitcoiners are using CoinJoins as their tool of choice to get lost in the crowd.
First proposed in 2013 by Greg Maxwell, CoinJoins are transactions where several different parties combine their multiple single-input, single-output transactions into a single multiple-input, multiple-output transaction. This breaks the direct link between sender and receiver, and if all outputs are the same size, it also obscures who received how much BTC. Applications for trust-minimized coordination of CoinJoins, like Wasabi Wallet and Samourai Wallet, have recently exploded in popularity.
Again, CoinJoins are not perfectly private, as observers can tell which coins are sent to and from mixers. But this type of growth provides a large enough crowd such that users seeking privacy can in fact get lost in the crowd. Chainalysis, one of the most prominent blockchain analytics company that includes the FBI, DEA, and IRS as customers, confirmed they are “unable to follow the trail of coins as they move through mixing services.” (1)
Ethereum’s base layer is by default less private than Bitcoin’s, because it uses an account-based model instead of a UTXO-based model. This means that a single address is reused over many different transactions instead of a new address for each transaction.
However, one advantage that smart contract platforms have over Bitcoin is that they allow for more advanced transaction types. A smart contract can be written to provide “lost in the crowd” privacy to all assets sent to it. A smart contract can even be written to give perfect privacy to all assets sent to it. (2) Today, several examples of these privacy-enabling smart contracts are live on mainnet, and many more are in development.
Ethereum “mixers” like Argent’s Hopper, Heiswap and Tornado present versions of “lost in the crowd” privacy, producing an effect comparable to Bitcoin’s CoinJoins. Here, users can deposit fixed amounts of a given asset (e.g. 0.1 ETH, or 10 DAI) into a smart contract, wait until enough users have made similar-sized deposits to build a large anonymity set, and then withdraw their original amount to a new address with no link to the original. Because the denominations must be exact, it will be difficult for these solutions to attract large deposits, which will limit their ability to scale into sustainable standalone businesses.
Aztec Protocol has developed a modular series of smart contracts that allow for confidential assets, stealth addresses, and zero-value outputs, essentially aiming to build a “lost in the crowd” privacy pool of assets on Ethereum. Users will need to send their public assets to a smart contract, which will mint private versions of those assets into its privacy pool and assign the user a new private address to transact with. The more assets the privacy pool attracts, the larger the crowd, offering stronger protections to all participants.
Competition to provide privacy to existing chains is not only a layer-2 add-on. Smaller public blockchains with strong governance like Decred and Tezos are adding protocol-native privacy functionality in the near future. Like Bitcoin and Ethereum, these communities see the value proposition of private transactions, and are working to offer privacy as a feature to their communities rather than starting with native financial privacy as a core product offering. Moreover, the Tezos community is stealing Zcash’s Sapling work directly! (3)
All this work on public blockchains is attempting to improve upon the current gold standard for “lost in the crowd” privacy: Monero. Whereas only 5% of ZEC are shielded, 100% of XMR are transferred according to a set of rules that create security through obscurity by default.
Monero transactions use three primitives to obscure the sender, receiver, and amount: ring signatures, stealth addresses, and Ring Confidential Transactions (RingCT). Ring signatures allow a sender to sign a transaction with 11 users’ keys, obscuring which key is theirs. Stealth addresses allow a receiver to use a one-time address for each transaction, hiding their true public key. RingCT allows for the amounts transacted to be blinded, but verifiably non-inflationary.
Because all transactions are forced to use these features, all XMR belong to the same anonymity set and are lost in the same crowd. Despite this, Monero has not weathered the 2018 bear market much better than Zcash.
Though Monero transactions are slightly more flexible than Zcash’s, stateful smart contracts are still impossible. A recent research breakthrough made HTLCs (enabling layer-2 solutions like the Lightning Network) plausible, though much engineering will likely be required. Unfortunately for Monero, their developer community is small and funding is scarce, which means that new feature development is relatively static.
No matter the base layer chain, “lost in the crowd” privacy can only provide plausible deniability. The larger the crowd, the more plausible the deniability.
How private is private enough, now becomes thus: If an adversary wanted to deanonymize a user’s transactions, how much would they have to spend to do so if the transactions are in Wasabi Wallet’s Bitcoin anonymity set vs. Aztec’s Ethereum anonymity set vs. Monero’s anonymity set?
Cost to De-Anonymize
Earlier this year, researchers proposed a FloodXMR attack on Monero that leveraged certain aspects of its ring signature selection process to deanonymize 50% of its transactions over a year for only $1,700. The Monero community pushed back on the cost, saying it was orders of magnitude too low. They also pushed back on the methodology, saying it was too simple of an analysis that didn’t account for any real world conditions like multiple attacks occurring at once, or price fluctuations.
This section is not aiming to reproduce FloodXMR, but to utilize its principles to build a general framework for how to think about privacy pools on non-private chains. The attack is basically structured like this: Every day a certain amount of transactions take place on Monero. They are all mixed together such that no one party can know who sent what value to whom, except for their own. However, because all transactions are public, and addresses are reused in the ring signature schema, an attacker could take part in a large number of these transactions themselves.
By doing this, the attacker has dramatically lowered the anonymity set, and will have a much easier time determining the actual senders and receivers of each transaction, effectively deanonymizing them. Specifically, according to the aforementioned report, a “malicious actor which controls 75% of the transaction output keys generated in a one-year timeframe is able to trace 47.63% of all transaction inputs created in the same time period.” 
This attack can be extended to Bitcoin’s CoinJoin privacy pool (and actually, already has), and Ethereum’s Aztec Protocol privacy pool, if certain assumptions are made. For most of the last 12 months, CoinJoins as a percent of Bitcoin transaction volume have ranged between 5-10%. 
Assuming the average transaction fee, number of privacy-seeking transactions, and percentage of main chain market capitalization held in a given privacy pool remains constant then the Cost to Deanonymize (C) becomes:
C = (avg tx fee) x (avg # new txs/day) x 1.25 x (% of market cap in privacy pool) x 365
Table 2 shows C for BTC’s Wasabi Wallet pool, ETH’s Aztec pool (assuming it held 5% of ETH’s market cap), and XMR using averages from October 19, 2018 to today.
Another way of looking at the cost to deanonymize is shown in Table 3. Here, we determine what percentage of market cap would need to be held in Ethereum’s or Bitcoin’s privacy pool to achieve the same cost to deanonymize as Monero.
Of course, this high-level analysis disregards many nuances in how an attacker would approach each chain. It is not meant to offer exact numbers, but to give a sense within an order of magnitude of how private these “lost in the crowd” solutions really are. The market should take these numbers with a grain of salt, but understand that given their significantly larger market caps, transaction volumes, and transaction fees, privacy pools in Bitcoin and Ethereum will soon be (if they aren’t already) more expensive to attack than the entire Monero anonymity set.
Instead of speculating about the future, one way to quantify what the market thinks about privacy today is to determine which cryptocurrency is most frequently used by those who need privacy the most: Dark Web users. With Monero currently assumed to be the most private cryptocurrency, one would think that it would still reign supreme; however, CipherTrace found that less than 5% of Dark Web transactions used Monero. Most, tellingly, used Bitcoin.
The raison d'être for cryptocurrencies is to provide a digital method of transacting value without relying on a trusted third party. The cryptocurrency that becomes global, state-free money must be censorship-resistant. A prerequisite to censorship resistance is financial privacy. The fight for privacy in cryptocurrencies will be an arms race against those that seek to deanonymize cryptocurrency users, but it must be won if cryptocurrencies are to succeed.
Unfortunately, as we have described above, the cost of perfectly private transactions by default, a la Zcash, is too high. It ruins another core value proposition of cryptocurrencies: The permissionless ability to verify that throughout the entire history of transactions no double-spends occurred, and no undue inflation occurred. Without this verification property, no cryptocurrency can be socially scalable enough to win as a global, state-free money.
Therefore, the winning cryptocurrency must implement some version of the imperfect “lost in the crowd” style privacy built on top of a publicly verifiable ledger. As evidenced by Table 2 and Table 3, the Bitcoin and Ethereum communities are able to bolt on privacy pools to their natively public chains, and very quickly make them more expensive to deanonymize than the entire Monero chain, due to their higher transaction volumes and fees. It is clear that privacy will be a feature of state-free money, but will not be the core product.
Privacy theses should be predicated around this understanding. Instead of investing in base-layer cryptocurrencies that optimize for anonymity in transacting, managers will start funding companies that offer privacy-as-a-service on top of Bitcoin or smart contract platforms. Layer-2 solutions will offer privacy-by-default to their transactors, which may drive large volumes off of the main chain from those who value privacy in transacting.
Fundamentally, perfect privacy being too expensive to achieve on the base layer chain is an opportunity that businesses like Wasabi Wallet, Samourai Wallet, Argent, Heiswap, Tornado, and Aztec Protocol are all seizing. We believe the dollars invested in Zcash and Monero will start flowing to businesses like these, or the base-layer cryptocurrencies they are building on.
(1) As effective as they are today, CoinJoins are expected to become cheaper and more effective in 2020 when Bitcoin soft-forks in Taproot. Today, CoinJoins may obscure the exact sender and receiver, but each signature is still listed in the transaction, which leaves a breadcrumb for others to follow. With Taproot, all sender and receiver signatures can be aggregated into a single signature. By removing the sender and receiver addresses from the transaction set entirely, Taproot both makes CoinJoin transactions less expensive (increasing the number of users that will take advantage of them) and more private.
In parallel, significant development effort is going into layer-2 solutions like Lightning Network and Liquid Sidechain, which are both private by default in an attempt to mitigate the main chain’s deficiency. Lightning transactions all occur off-chain, so that only channel-opens and -closes are visible. Also, all transactions are onion-routed packets by default, which means that routing nodes cannot see who the sender or receiver of a transaction is, nor the amount being transacted. Liquid Sidechain incorporates Confidential Transactions to blind amounts and asset types, though the sender and receiver are still visible.
(2) Ernst & Young’s blockchain unit recently released the Nightfall protocol for private transactions on Ethereum using zk-snarks, while JPMorgan’s Quorum unit released the Anonymous-Zether protocol for tracking private balances using zk-snarks, and Clearmatics released the Zeth library to directly implement Zcash transactions onto Ethereum. It is clear to all of these enterprises that before they can use a public blockchain, they must have the ability to transact privately.
If Zcash-level private transactions on public blockchains like Ethereum seems too good to be true, that’s because it may very well be the case: these transactions are expensive.
There are several developments on the horizon that may help change this fact, though. Like how Schnorr Signatures and Taproot are coming to help Bitcoin’s privacy, EIP-1108 should be implemented in Ethereum’s Fall 2019 Istanbul hard fork. It will drastically reduce the gas costs of elliptic curve arithmetic precompiles, which are used in all of the previously mentioned smart contracts. For Aztec specifically, it should reduce gas costs by 75%.
(3) Future blockchains with more advanced virtual machines should be able to offer near-native performance for perfectly private transactions: Solana, Eth 2.0, Polkadot, etc. These are further down the road and out of scope for this essay.
(4) The FloodXMR attack incorrectly asserted that only ring signatures from the 24 hours before a transaction were reused, when in fact any ring signature dating back to the September 15, 2017 RingCT hard fork can be reused. This makes Monero’s anonymity set much larger and much more expensive to attack, without certain assumptions. 60% of Monero’s cumulative transaction fees paid since 9/15/17 occurred during the peak of the bull market mania from 11/1/17-2/1/18. The average month from 9/17 to 10/18 (excluding 11/17-2/18) saw 122k txs, while 11/17-2/18 averaged 182k txs, a 50% increase. If we assume those extra 50% transactions were speculators depositing and withdrawing from exchanges, then they are de facto deanonymized without our adversary needing to pay the fees themselves. That assumption makes the optimistic total adversarial spend to have been 75% of all transactions since 9/17 just under $3M. If a constant 25% of monthly volume is speculatively assumed to be with exchanges, that total adversarial spend drops to $700k since 9/17.
Tellingly, once the Bulletproof fork went through in October 2018 and dropped transaction fees by 95%, the amount an adversary would need to spend to be 75% of the transactions dropped below $10k/month. Well within the budget of any 3 letter agency, or curious consultancy. This Cost to Deanonymize metric, therefore, is assuming that enough information has been leaked from 9/17-10/18 that an adversary has already deanonymized 50% of the transactions occurring during that time, and need only spend enough transaction fees to maintain its position as 75% of Monero volume. (all tx fee data from bitinfocharts.com)
(5) All data pulled from Google BigQuery’s public crypto-bitcoin database. Methodology described by inline comments in the query.