What is the most fascinating thing about the rise of cryptocurrency and blockchain technology, apart from the decentralization?
Think about it.
We feel that it is the open transparency. The blockchain’s tamper-protection and transparency make sure that malicious players are exposed the moment they take some harmful action. However, this completely compromises an individual’s privacy. Now you might be wondering, what’s the big deal?
Why is privacy (or lack of privacy) such a big deal?
Well…think about it.
Do you really want the entire world to know what all you are spending your money on? Why should you be shackled to make any of your purchases? Why shouldn’t you have the freedom to spend your money on anything that you want to?
And that is not the only reason why privacy is required. Let us introduce you to the concept of fungibility.
Investopedia defines fungibility as follows:
“Fungibility is a good or asset’s interchangeability with other individual goods or assets of the same type.”
Ok, so how do we explain that in simpler terms.
Suppose you borrowed $20 from a friend. If you return the money to him with ANOTHER $20 bill, then it is perfectly fine. In fact, you can even return the money to them in the form of 1 $10 bill and 2 $5 bills. It is still fine. The dollar has fungible properties (not all the time though).
However, what happens if you borrowed your friend’s MacBook for the day and on returning you give them another laptop? That won’t be an equivalent exchange now, will it? In fact, even if you exchange their MacBook with another Macbook, even then it won’t be an equivalent exchange. In this example, MacBook is a non-fungible asset.
So, are cryptocurrencies fungible or not? How about Bitcoin?
Bitcoin and most other cryptocurrencies pride themselves for being transparent. However, because everyone can see the transactions and trace the ownership of each and every single bitcoin. Because of this, any Bitcoin that goes through some illegal transactions can in essence “taint” your Bitcoin.
In certain bitcoin service providers and exchanges, these “tainted” coins will never be worth as much as “clean” coins. This kills fungibility and is one of the most oft-used criticisms against bitcoin. After all, why should you suffer if one of the previous owners of your bitcoin used it to make some illegal purchases?
This is where privacy coins come in.
Since all their data and transactions are private, no one can know what transactions your coins have gone through before and neither can they know what was used to buy with them. Since, its transaction history can never be known, it also means that the “transaction” trail is non-existent. As a result of this, the concept of “tainted” privacy coins and “clean” privacy coins doesn’t exist and hence they are fungible!
These are the reasons why privacy is important.
The coins that we are about to introduce to you today, have been created for this very reason. These coins give you all the benefits of a decentralized cryptocurrency without compromising on the privacy factor. Remember, these coins have been placed in no order in particular.
According to Monero’s site, “Monero is cash for a connected world. It’s fast, private, and secure. With Monero, you are your own bank. You can spend safely, knowing that others cannot see your balances or track your activity.” The Monero token is XMR.
Monero gains its privacy using a special kind of cryptography and we are going to get into it in a bit. But first, let’s see how it got started.
Bytecoin and Monero
In July of 2012, a new cryptocurrency came through which intrigued a lot of people. You see, this coin was using the CryptoNote application layer protocol, which was similar to the application layer which runs bitcoin in many aspects but still had some distinctive capabilities.
The name of this coin was Bytecoin, and it initially showed a lot of promise. However, things began to soon unravel.
Firstly, people noticed that a lot of shady dealings were going on in the community, and secondly, they noticed that a staggering 80% of the coins had already been mined.
However, people still saw the potential behind the CryptoNote protocol, and that’s when a decision was made.
The Bytecoin blockchain will be forked, and the new chain will be named “Bitmonero” which was eventually shortened to “Monero”, which means “coin” in Esperanto. In this new blockchain, a block will be mined every 2 mins.
The Monero Team
The Monero team is extremely secretive. According to their website, only 2 members of the core team have decided to reveal their identities. One of them is Francisco Cabanas aka “ArcticMine”, while the other one is Riccardo “fluffypony” Spagni.
Spagni is pretty much the poster boy for Monero. He has an academic background in informatics and logistics. He has spent quite a long time in software development before starting a successful import/export business with his wife. Because of the financial freedom he got from that venture, he had the freedom needed to tinker around with Bitcoin in early 2011.
Ever since he revealed his identity, he has been working tirelessly for Monero, promoting the coin and giving numerous talks and presentations.
The Four Properties of Monero
#1 The Electonic Cash Triangle
Bitcoin transactions follow simple public key cryptography. What does that mean?
Suppose Alice wants to transact using Bitcoins, what should she do? Well, firstly she would have to choose her private key, that private would mathematically generate her public address. The private key will not be shared with anyone, Alice will keep it only for herself, while she will share the public address with everyone. So, if someone wants to send Alice Bitcoins, they will send it to her public address. Similarly, if Alice were to send Bitcoins to someone, she needs to use her private key.
However there is a problem with this system,
The public address…is well… public. Everyone can access your spending history by simply googling your public address. Now, while Bitcoin does a brilliant job of being a decentralized cryptocurrency, it does a bad job of being a private currency system.
As the Electronic Cash Triangle states, the ideal Electronic cash must fulfill three requirements:
- It should be electronic.
- It should be decentralized.
- It should be private.
Monero fulfills all these criteria by being a blockchain-based cryptocurrency and maintains privacy via the following:
- The privacy of the sender is maintained by Ring Signatures.
- The privacy of the recipient is maintained by Confidential Addresses
- The privacy of the transaction is maintained by Ring CT aka Ring Confidential Transactions.
Every single one of these will be expanded upon later.
#2 Dynamic Scalability
So, let’s ask you a quick question.
What is the biggest problem with cryptocurrencies right now?
In a single word..scalability.
Back when Satoshi Nakamoto created Bitcoin, he was forced to impose a 1 MB limit on the Bitcoin blocks. He envisioned that Bitcoin blocks may get filled with spam transactions and that would lead to DoS (Denial of Service) attacks.
While the block limit may have worked, unfortunately, this led to a problem. Bitcoin became popular! And as a result, it just didn’t have the provisions required to keep up with the increasing demand. Check out this graph (via Blockchain.info):
That graph shows the increasing amount of transactions per month since 2009 and as you can see, the increase has been pretty drastic. However, the problem is that miners have struggled to keep up. In Bitcoin, as we have already mentioned, transactions go through only when the miners physically put the transaction details inside individual blocks. However, with so many transactions, this process becomes extremely slow. Bitcoin can barely manage 7 transactions per second. The median confirmation time for each transaction went to as much as 13 mins.
The other problem that Bitcoin users were facing was bloated transaction fees. Because transactions were processed on a first-come-first-serve basis, users usually pay higher transactions fees than usual, to incentivize miners to prioritize their transaction over others. Most of the time, normal users need to wait for a new block to be mined before their transaction can go through, and this is where we face another roadblock. Bitcoin has a block production time of 10 mins. This further adds to the delay.
Because of these issues, people soon realized that while Bitcoin can make for an excellent store-of-value, it becomes increasingly impractical to use especially for microtransactions.
Unlike Bitcoin, however, Monero doesn’t have a pre-set size limit. Now, as we have already stated, not having a pre-size limit can be problematic. There is always the problem of some troll filling the blocks up with spam transactions.
So how does Monero reduce that? By building in a block reward penalty. This is how it works.
Firstly, the median size of the last 100 blocks is taken which is called M100. Now suppose the miners mined a new block and it has a particular size which is called “NBS” aka New Block Size. If NBS > M100, then the block reward gets reduced in quadratic dependency of how much NBS exceeds M100.
This means that if NBS is [10%, 50%, 80%, 100%] greater than M100, the block reward gets reduced by [1%, 25%, 64%, 100%]. Generally, blocks greater than 2*M100 are not allowed, and blocks <= 60kB are always free of any block reward penalties.
#3 ASIC (Application Specific Integrated Circuit) Resistant
Bitcoins can be mined via ASIC chips, however, the problem with that is ASICs are expensive, and pools with more money tend to have more ASICs and, consequently, more mining power. In fact, check out the hashrate distribution chart for Bitcoin via Blockchain.info.
As you can see, 3 pools BTC.com, AntPool, and SlushPool alone own more than 50% of the network’s hashrate aka mining power. This completely defeats the purpose of decentralization, plus, there is one more big issue. Individual users simply can’t compete with big money pools.
The way Monero tried to circumnavigate this problem is by making their system “ASIC resistant”. So, how does Monero do that? Remember, when we said that Monero was based on the CryptoNote system which makes it distinctly different from bitcoins? Well, the hashing algorithm used in CryptoNote based systems is called “CryptoNight”.
CryptoNight is a memory-hard hash function. It is designed to be inefficiently computable on GPU, FPGA and ASIC architectures. The brief overview of how CryptoNight works is as follows:
- The algorithm first initializes a large scratchpad with pseudo-random data.
- After that numerous read/write operations take place at pseudo-random addresses contained in the scratchpad.
- Finally, the entire scratchpad is hashed to produce the final value.
Let’s check out all the steps that go behind the entire operation:
Step 1: Scratchpad Initialization
The function begins with the scratchpad initialization. These are the steps that goes behind the initialization:
- The input data is hashed using the Keccak hash function with parameters b= 1600 and c=512.
- The first 32 bytes of the Keccak output is interpreted as an AES-256 key [AES] and expanded to 10 round keys
- 2 MB worth of scratchpad is allocated
- Bytes from 64-191 are extracted from the final state of the Keccak and split into 8 blocks with 16 bytes each
- The following procedure is then used to encrypt the block:for i = 0..9 do:block = aes_round(block, round_keys[i])
- The blocks go through AES encryption and the result is eventually XOR’d with the round key.
- The resultant blocks now become the first 128 bytes of the scratchpad. The blocks then undergo a second round of encryption which becomes the second 128 bytes of the scratchpad.
Step 2: Memory Hard Loop
Alright, so now that we have done the scratchpad initialization, we need to do the step which makes CryptoNight unique. Let’s make it memory-hard and ASIC-unfriendly.
- Firstly, bytes 0..31 and 32..63 of the Keccak output are XORed.
- The resulting 32 bytes are then used to initialize variables a and b, which have 16 bytes each.
- These variables, a and b enters the main loop which is then iterated 524,288 times.
- So what happens when a 16-byte value has to be converted into an address in the scratchpad? Firstly, it will get interpreted as a little-endian integer, and then they 21 low-order bits are used as a byte index. The 4 low-order bits of the index gets cleared to ensure the 16-byte alignment.
- The resultant data is entered into the scratchpad in 16-byte blocks.
Step 3: The Result Calculation
Now, for the final calculation.
- 32-63 bytes of the Keccak output is expanded into 10 AES round keys pretty much the same way that the first part is.
- Bytes 64-191 are extracted from their Keccak state and XOR’d with the first 128 bytes of the scratchpad.
- This resultant state gets encrypted the same way as the first part but with new keys.
- The result is XOR’d with the second 128 bytes from the scratchpad, encrypted again, and so on.
- After XORing with the last 128 bytes of the scratchpad, the result is encrypted the last time and then the bytes 64..191 in the Keccak state are replaced with the result.
- The Keccak state is then passed through Keccak-f (the Keccak permutation) with b = 1600.
- The 2 low-order bits of the first byte of the state are used to select a hash function: 0=BLAKE-256
[BLAKE], 1=Groestl-256 [GROESTL], 2=JH-256 [JH], and 3=Skein-256 [SKEIN].The hash function which is chosen is applied to the Keccak state which results in the final output of the CryptoNight algorithm.
The CryptoNight algorithm was built to create a more fair and decentralized currency system. It was hoped that this will help in preventing the creation of ASIC mining pools and help in more even distribution of the cryptocurrency.
Cryptonight requires 2 MB of fast memory to work. This is why ASICs that can parallelize this algorithm will be extremely expensive. 2 MB memory will require a lot of silicon in the SHA256 circuitry.
#4 Multiple Keys
Unlike Bitcoin, which requires 1 public key and 1 private key, Monero needs multiple keys to function. The keys are broadly divided into two categories:
- View Keys
- Spend Keys
The view keys are for the receiver of a particular transaction. Monero has a public view key and a private view key. The public view key will generate the stealth public address i.e. the one-time address where the funds will be sent for the receiver. The private view key will be used by the receiver to scan the blockchain and locate their funds.
If the View Keys were all about the receiver, the spend keys are about the sender. Quite like view keys, there are also two kinds of spend keys, public spend key and private spend key. The public spend key will help the sender do ring transactions. The private spend key will help in key image creation and enable them to send transactions.
The Monero address btw is a 95-character string which is made of the public spend and public view key.
The Three Pillars of Monero
Ok, so till now what we have done is just look at Monero on the surface. We need to go deep and see what makes it so special. For that, we need to familiarize ourselves with what we like to call the “Three Pillars of Monero.”
- Ring Signatures.
- Stealth Address
- Ring Confidential Transactions
How do normal signatures works in real life?
You get a pen, put your signature on the paper and that’s that right? However, having said that, there is a very real problem of someone forging your signature and misusing it for malicious purposes. Now, what happens if you combine your signature with 5 random people’s signature? Won’t it make your signature more difficult to decipher?
That’s the logic behind ring signatures (for simplicity’s sake, we are going to consider only pre-RingCT transactions.)
Imagine Alice wants to send 100 XMR to Bob. How is she going to utilize ring signatures? Well, firstly she will have to determine her ring size. The ring size is random outputs which are taken from the Monero blockchain. So, if she were to send 100 XMR, she will need to find other similar outputs. The bigger the ring size, the more expensive the transaction (i.e. transaction fees). After choosing the outputs for her ring size she signs them with her private spend key.
So, how does this save her identity?
If Alice chooses a ring size of 5,
So, suppose Alice chooses a ring size of 5 i.e. 4 decoy outputs and her own transaction. For an outsider, any of these decoys have as much chance of being the transaction as Alice’s real one.
In a ring signature transaction, any of the decoys is as likely of being an output as the actual output because of which any unintended third party (including the miners) won’t be able to know who the sender is. Oh, and btw, miners are included in this “unintended third party” group. This, however, causes a problem.
Now, this brings us to a problem.
It is critical for these miners to actually see the transaction to prevent double spend attacks. In simple words, suppose you own 1 BTC, and you try to send that Bitcoin to your friend. After doing so, you cannot send the same Bitcoin to another person. In cryptocurrencies like bitcoin and ethereum, such action can be denied via miners. Since the miners can see the bitcoins that you are using to transact, they can immediately spot a potential double spending scenario,
However, in Monero, the miners can’t see your XMR. So, how do you prevent double spend without compromising privacy?
Via more cryptography of course.
Every transaction in Monero has its own unique key image (more on this later). Since the key image is unique for each transaction, the miners can simply check the key image and know whether it has been used or not and prevent double spending.
So, this is how the sender’s identity gets protected. So what about the receiver?
If Alice is sending Monero to Bob, then what is protecting Bob’s identity? Remember that there are two public keys for each user in Monero? There is a public spend key and a public view key.
So, Alice’s wallet will use these two public keys to generate a unique one-time public key. The computation of this one-time public key (P) works like this:
P = H(rA)G + B
In this equation:
r = Random scalar chosen by Alice.
A = Bob’s public view key.
G = Cryptographic constant.
B = Bob’s public spend key.
H() = The Keccak hashing algorithm used by Monero.
This one-time public key creates a one-time public address which is called “stealth address”. The stealth address is a random location in the Monero blockchain where Alice had sent the Monero to. Now, how is the Bob going to find this random location and get her Monero?
Remember that Bob also has a private spend key? This is exactly where it comes to play. Bob’s private spend key will act like a tracker to trace the entire Blockchain to locate and unlock Alice’s transaction.
This is where it comes into play. The private spend key basically helps Bob scan the blockchain for his transaction. When Bob comes across the transaction, he can calculate a private key which corresponds to the one-time public key and retrieves his Monero. So Alice paid Bob in Monero without anyone getting to know.
Before we go any further, remember the key image that we were talking about? How Monero prevents any and all double spends because of unique key image generation?
We have seen how the one-time public key(P) was calculated. Suppose the private spend key of the sender is “x”. The key image (I) will be:
I = xH(P).
Note the following:
- It is infeasible to derive the one-time public address P from the key image “I”.
- What prevents the creation of multiple key images? Remember that “I” is a hash of P. P is for one-time use only and hash functions are deterministic, meaning H(P) will ALWAYS be I.
Ring Confidential Transactions
Alright, so now we have seen how the identity of the sender and the receiver gets protected. What about the identity of the transactions?
Earlier, if Alice had to send 12.5 XMR to Bob, the 12.5 will get broken down into smaller denominations, which would get ring signatures. Let’s say the 12.5 breaks down into 10, 2 and 0.5. So, Monero would now go through the blockchain to look for similar outputs and then create rings for each of the denominations.
There was a small problem though. While this did protect the identities, the fact remained that it didn’t really protect the transactions. Suppose, Alice wanted to send Bob 0,9 XMR and there weren’t many such outputs available, she wouldn’t be able to get her desired ring size.
This is where Ring CT comes in.
What RingCT does is simple, it hides the transaction amounts in the blockchain. What this also means is that any transaction inputs don’t need to be broken down into known denominations, a wallet can now pick up ring members from any Ring CT outputs.
Because all the outputs now get hidden, it is impossible to know the value of the transaction.
Because of these three pillars working in harmony, Monero gets its privacy.
The second coin on our list is ZCash.
Zcash is a decentralized peer-to-peer cryptocurrency. It was created as a fork of Bitcoin and quite like bitcoin it also has a hard limit of 21 million coins. However, that’s where the comparisons end. Zcash gives you complete and total privacy through the utilization of Zk-SNARKs. In order to understand Zcash, you must understand Zk-SNARKs. Zk-SNARKS stand for Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge. So, we guess the first question you should ask yourself is….
What are Zero-Knowledge Proofs?
In any trusted system, there are two parties, the prover, and the verifier. Prior to this discovery, it was always assumed that it was the “prover” who would be a malicious one instead of the verifier. These researchers flipped this idea around and questioned the morality of the verifier instead of the prover. They asked two simple questions:
- How can anyone know for sure that the verifier is not going to leak any information?
- How much about the prover should the verifier actually know?
The later actually has some very severe real-life implications. Take the example of password protection.
Imagine you are trying to login to a website using a password. The standard protocol is that the client i.e. you, writes in the password and you send it to the server, the server will then hash your password and then compare it with the hash in their system. If it is a match, then the password is deemed successful.
This system works smoothly, save for one problem.
The server has the plain, original version of your password, which completely compromises your privacy. If the server gets attacked in any way, then the attacker will get hold of your password. This is why innovations like ZKP are essential. Using ZKP, the client would only need to reveal as much information as necessary to the server in order to get in.
That, in essence, is the idea behind ZKPs.
A ZKP has the following three properties:
- Completeness: If the statement is true then an honest verifier can be convinced of it by an honest prover.
- Soundness: If the prover is dishonest, they can’t convince the verifier of the soundness of the statement by lying.
- Zero-Knowledge: If the statement is true, the verifier will have no idea what the statement actually is.
Let’s do a thought experiment and see how ZKP works.
The Billiard Balls
So we have a prover and a verifier, but the verifier is color-blind. The prover has two billiard balls, red and green. Now, color-blind people can’t tell the difference between the two colors, as you can see from the following image:
So, this is the situation right now. The verifier believes that both the balls are of the same color, while the prover wants to prove that the colors are both the same. How are we going to do this?
The verifier takes both the balls and hides it behind their back. Now, he can either switch the balls in his hands or keep them as is. After he is done switching the balls (or not), he presents them to the prover. The prover can obviously see the actual color of the balls and will know instantly whether the switch has been made or not.
The verifier can then repeat this experiment as many times as he wants before he is satisfied with the fact that the prover wasn’t lying about the color of the balls.
Let’s look up the three properties of the ZKP in the experiment given above:
- Completeness: Since the statement was true, the honest prover convinced the honest verifier.
- Soundness: If the prover was dishonest, they couldn’t have fooled the verifier because the test was done multiple times.
- Zero-Knowledge: The prover never saw the verifier switching the balls in his hand.
ZKP and Cryptography
So, far you know what ZKPs are and how they function. But how are they integrated with modern day cryptography? For this, we look into the breakthrough research that was done by Claus-Peter Schnorr in the 1980s. The research is called Schorr’s Protocol and lays the foundation for the integration of ZKP in modern-day cryptography. In other words, these are one of the first steps taken towards Zk-Snarks.
Schnorr Identification Protocol
Imagine that there is a prover named Alice and a verifier named Bob. Alice says that she has a public key that in full working condition and can accept and receive information. Bob plans to check the validity of her claims and the only way that Alice can do that is by revealing her private key.
Obviously, this is not the ideal solution. She wants a method by which she can prove to Bob that she has the private key without actually revealing her private key. For this, she will be utilizing the Schnorr protocol.
Let’s get started with the parameters that we will be using:
p = A prime number.
q= Factor of p-1.
“a” such that a^q = 1 mod p.
Note: These three variables will be public. So anyone who wants to know will have the knowledge of the value of these three variables.
s = Alice’s private key and can be any value as long as 0<x<q
v = Alice’s public key.
The value of v will be as follows:
v = a^-s mod q.
Along with p,q, and a, the value of “v” will also be public knowledge. However, only Alice will know the value of private key “s.”
Now that we have seen all the variables and values, let’s see how Schnorr’s protocol will work.
Step 1: Alice encrypts the message and sends it
Alice creates a message “M” and sends it to Bob by encrypting it with her private key. This is what she needs to do to follow Schnorr’s protocol.
- She chooses a random number “r” such that 0<r<q
- She computes a value “X” such that X = a^r mod p
- After computing the value of “X” she concatenates it to the original message. Concatenation means adding two strings to create one string. Eg. if two strings are “Strictly” and “Crypto”, the concatenated string will be “StrictlyCrypto”
- Since the original message is “M”, the concatenated string becomes M||X where “||” denotes concatenation.
- A new string “e” is declared which stores the hash of this concatenated string. So, e = H(M||X) where H() is the hash function.
- When all this is done, Alice will have to calculate one final value “y”. y = (r + s*e) mod q
When all the calculations are over, she finally sends over three values to Bob:
- The original message “M”
Step #2: Bob verifies Alice’s message
Alright, so Bob has received the M, e, and y values from Alice. He is also privy to the following publicly known values:
- Alice’s public key “v”
- The prime number “p”
- “q” which is a factor of p-1
- And the “a” such that a^q = 1 mod p
All these values have been chosen by Alice.
Firstly, Bob calculates a value X’ such that: X’ = a^y * v^e mod p
We are already aware that v = a^-s. Now let’s substitute the value of “v” in the above equation.
X’ = a^y * a^-se = a ^ (y-s*e).
We are also aware of “y”‘s value which is: y = r + s*e.
Conversely, this means r = y-s*e
If we were to substitute this value in the X’ equation above we get:
X’ = a^r
Doesn’t that equation look familiar to you?
Scroll up and see the value of X that Alice had computed. X = a^r
Hence X = X’
What are the conclusions that one can draw from this?
Bob never knew the value of X, all that he received from Alice are: The message M, the signatures (e and y) and all the public values (public key “v”, p ,q, and a).
Keeping this in mind, he doesn’t know whether the value of X’ is actually the same as the value of X or not. He needs to do one final test to make sure that Alice isn’t lying.
This is where “e” comes in.
Do you remember what the value of “e” was? It was the hash of the concatenated string which included the original message M and X. So, e = H(M||X).
He has e and M.
So, he will calculate H(M||X’) and if this value is the same as “e” then he knows that X is the same as X’ and hence Alice was telling the truth all along.
Now, let’s run this scenario through the three properties of ZKPs to find out how it measures up:
Completeness: Since Bob ended up with the same hash as the one that Anna presented, he was convinced of her honesty.
Soundness: The only way that Alice could have proved her honesty was by using her private key. She couldn’t have lied about being in possession of it.
Zero Knowledge: At no point was Bob aware of Alice’s private key.
Creating a Non-Interactive System
The early models of zero-knowledge systems, while effective, had one big problem. For them to work, both the prover and verifier needed to be present at the same time. This is called an “interactive” system and that makes the whole system highly unscalable and inefficient. Asking for a system where verifiers and provers are online together at the same time is not the most practical way to go about things.
In 1986, Fiat and Shamir invented the Fiat-Shamir heuristic and ushered in the era of non-interactive zero-knowledge proofs. Let’s see how a non-interactive system works using simple discrete logarithms. First, let’s look at an interactive system:
- Alice, the prover, wants to prove to Bob, the verifier, that she is aware of an “x” such that y = g^x to a base g
- Alice picks a random value v from a set of values Z, and computes t = g^v and sends t to Bob
- Bob picks a random value c from the set Z and sends it to Alice
- Alice computes r = v-c*x and returns r to Bob
- Bob checks if t= g^r * y^c holds or not ( since r= v-c*x, y= g^x and by simple substitution, g^(v-c*x)* g ^ c*x = g^v = t)
- Bob doesn’t know the value of x, by merely checking if t = g^r * y^c he can verify that Alice does indeed know the value of x.
As you can see in the calculations above, both the prover and verifier need to be online to exchange various values for the proof to go through. If even one of them decides to go offline, the proof won’t go through. Let’s look at how Fiat and Shamir’s method will make this non-interactive:
- Alice wants to prove to Bob that she knows a value x such that y = g^x to a base g.
- Alice picks a random value v from a set of values Z, and computes t = g^v.
- Alice computes c = H(g,y,t) where H() is a hash function.
- Alice computes r = v – c*x.
- Bob or anyone can then check if t = g^r * y^c.
Now, suddenly zero-knowledge proofs obtained the non-interactive property. This laid the foundations for Zk-Snarks.
Zk-SNARKs: An Introduction
So, now that you know what zero-knowledge proofs are and how it can be used in cryptography, let’s introduce ourselves with Zk-SNARKS aka “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge” aka a fine example why developers shouldn’t be allowed to name anything.
Its use in blockchain technology is immense. Let’s check this with an example. Suppose Alice and Bob enter a smart contract agreement, where Bob has to do certain tasks in a row and in a proper order in order to receive the payment from Alice. Obviously, Alice wants to be shown proof that Bob is following each and every step sequentially, however, what if Bob works for a security company and is dealing with highly classified data?
Using Zk-Snarks, Bob can show just enough proof to Alice as to what he is doing, without explicitly showing her the actual parts. That way, Bob can be credible without giving away any confidential information.
Functionality of Zk-SNARKS
A typical Zk-Snark has three algorithms: G, P, and V.
- G: A key generator which takes an input “lambda” and a program C. It generates two public keys, a proving key (pk) and a verification key (vk). The value “lambda” should be confidential and not revealed under any circumstances whatsoever.
- P: The prover will be taking three items as input. The inputs being: pk, random input x (another public item), and the actual statement (w) whose validity they want to prove without revealing the details. The P algorithm will generate proof prf such that: prf = P(pk, x, w)
- V: This is the verifier algorithm which checks the prover’s claim. It returns the value “TRUE” or “FALSE”. This algorithm takes in three inputs: vk, x, and prf. The function will act thus: V(vk, x, prf).
Christian Lundkvist shows how the algorithms will work in unison in an example function. Consider the following:
function C(x, w)
return ( sha256(w) == x );
The function takes in two values x and w. It returns TRUE if the SHA-256 hash of w is the same as x otherwise it returns FALSE.
So, how does Zk-Snark work with the above program?
Step #1: Key Generation
The verifier will have to first generate the proving and verifying key using the generator G. The first thing they will have to do is to generate lambda. As mentioned above, lambda is a secret value so they need to be extra careful while doing so. Generation will look like this:
G(C, lambda) = (pk , vk).
Now that the keys are generated, we go to the next stage.
Step #2: Proof Generation
Alright, so the two keys have been generated, the Prover must now generate a proof to validate her statement. She is going to use the proving algorithm P. Refer to the example function given above. Her statement is “w” and the SHA-256 hash is “x”.
prf = P( pk, x, w).
Step #3: Verification
With the proof now generated, it is upto the Verifier to verify the validity. He does it through the verification function V.
How Does ZCash Work?
As ZCash creator Zooko Wilcox puts it, “Zcash is another blockchain and cryptographic money which permits private exchanges (and by and large private information) in an open blockchain. This permits organizations, buyers, and new applications to control who gets the chance to see the points of interest of their exchanges, even while utilizing a worldwide, authorization less blockchain.”
How are ZCash transactions different from the normal bitcoin ones? First, let’s look at a pictorial representation of a Zcash transaction:
What does that image tell us? In Zcash, you have a choice to choose between two kinds of transactions:
- Normal transparent transaction
- Shielded private transaction
Suppose Alice wants to send 1 Zec to Bob. (Zec = Zcash). She can either send a normal transparent transaction, she can send the tokens to Bob’s transparent address or t-addr. But what if she wanted to make a private transaction? Well, she can simply send the tokens to Bill’s shielded address aka “z-addr.”
Image Credit: Z.Cash
Evan Duffield came across Bitcoin in 2010 and was extremely impressed by the technology. However, he was not that enthused about the slow transaction speed and the lack of privacy. He had some ideas on how to make Bitcoin function better but Bitcoin was already such a settled commodity that there was no way such changes were going to come to the core’s code.
That’s why on January 18, 2014, he decided to use the Core code to make his own cryptocurrency. This new currency was called Xcoin, which would then be renamed as DarkCoin, and then eventually Dash.
Dash has a hard cap of 18 million coins, meaning there will only be 18 million Dash ever made. As of writing, there are ~7.85 million coins in circulation. The average block mining time is 2.5 mins, which is 4 times faster than bitcoin (~10 mins block mining time). Dash also has a variable block reward which decreases by 7.1% every year.
Dash has three main features that one must be well-versed in:
Feature #1: Masternodes
Bitcoin and Ethereum networks are P2P networks which consist of several full nodes. The nodes are the lifeblood of these systems, but they are also a big reason why they are so slow. Whenever a new block is discovered, it needs to propagate through the system and be approved by a supermajority of these nodes. As the network grows and the number of nodes grows as well, it leads to a significant increase in the block propagation time.
MIners would ideally want their newly found blocks to propagate through the network as quickly as possible. You must understand that block discovery is sorta like a competition. Each and every second of delay leads to some other miner gettng their block approved before theirs.
Miners ideally want their newly found blocks to propagate across the network as quickly as possible. Every second delay increases the chance of some other miner winning the “block race” and getting their blocks added to the chain before theirs.
Dash’s solution to this is the utilization of masternodes.
What exactly are Masternodes?
Masternodes are like the full nodes in the Bitcoin network, except that they must provide a particular service to the network and MUST have some sort of heavy investment in the system. To run a Masternode, one has to invest 1000 DASH.
As the Dash whitepaper puts it:
“These nodes are very important to the health of the network. They provide clients with the ability to synchronize and quick propagation of messages throughout the network. We propose adding a secondary network, known as the Dash Masternode network. These nodes will have high availability and provide a required level of service to the network in order to take part in the Masternode Reward Program.”
So, you might be asking, why should a Masternode need to make such an investment? At current valuation, 1000 DASH is a quarter of a million dollars!
Well, you see, the Masternodes get paid back for their services in accordance with their investments. It is a way to incentivize the masternodes to put in the best performance for the network.
The masternodes create a second tier network, following a Proof of service algorithm, and exists on top of the normal first tier network of miners. This two-tier system creates a synergy between proof of service and proof of work mechanisms in the Dash network.
A masternode is in charge of two of the most important functions of Dash:
Rewarding the Masternodes
As you may have guessed, masternodes perform an important function in the ecosystem. However, since the number of active masternodes can fluctuate, the reward mechanism needs to keep adjust as well. It follows the following formula:
n = Number of Masternodes an operator controlst = Total number of Masternodes
r = Current block reward (presently ~3.6 DASH)
b = Blocks in an average day. For the Dash network this usually is 576.
a = The average Masternode payment (45% of the average block amount)
Return on investment for running a Masternode can be calculated as:
((n/t)*r * b*a*365) / 1000
The two things that Dash is focussing on are speed and privacy of the transactions. The InstantSend feature solves the speed problem by providing near-instant transactions.
Firstly, how do transactions in Bitcoin work?
- Alice wants to send 1 BTC to Bob and creates a transaction.
- Unlike fiat money which can be exchanged from hand-to-hand, you can’t really do that with digital currency.
- So, in the context of cryptocurrencies, a transaction is a message to the miners which states Alice’s intention to go through the transaction with Bob.
- The miners need to first verify that it was indeed Alice who sent the transaction to Bob.
- When that is done, the miners validate the transaction by putting it in the blocks that they have mined.
Now, like we have said above, miners need to validate these transactions in order to prevent double spending. So, the question arises, how does Dash prevent double spending while providing near instant transactions?
Let’s go through the steps of the InstantSend:
- Whenever a miner discovers a block in Dash, they send the hash of the block to the network.
- The hash is then used to select 10 masternodes, who form a quorum which exists for 2.5 mins (i.e. the time taken to form a new block)
- This selected quorum becomes the InstantSend authority of the Dash Network for that time period. So If Alice and Bob want to utilize InstantSend, then this quorum will be in charge of doing so.
- The quorum locks up the inputs of the chosen transaction and broadcasts its details. This lock-up and broadcast ensure that double spending can’t happen. So if Alice wants to send the same input to someone else, the network as a whole will reject the transaction as a whole.
- Alice and Bob will both receive 5 confirmations at least of the transaction within a second to ensure that the transaction goes through.
So, now that you know how InstantSend works, let’s move onto the next amazing feature that Dash provides us, PrivateSend. PrivateSend helps in providing transaction privacy and fungibility by swapping coins among users to break the traceable history of the coins.
The first concept that we need to understand is CoinJoin.
What is CoinJoin?
CoinJoin works of a simple principle: “When you want to make a payment, find someone else who also wants to make a payment and make a joint payment together.” CoinJoin is an anonymization method proposed for bitcoin transactions by Gregory Maxwell.
Image Credit: Wikipedia
Look at the image above. Do you see how the joint payment makes sure that a third party can’t relate the input to its corresponding output in one bitcoin transaction? This ensures that transaction flow is not known to anyone. This helps in fungibility.
CoinJoin is however not without its weaknesses. Some of these weaknesses are:
- Transaction Merging
- Forward Linking
- Through Linking
Having said that, Dash still saw a lot of value in coin mixing for privacy and fungibility. This is why they implemented a modified and superior form of CoinJoin called “PrivateSend.” So what are these modifications?
- PrivateSend uses masternodes
- Chaining occurs by mixing multiple masternodes
- The mix is restricted to certain accepted fixed denominations. Examples of these fixed denominations are 0.01 DASH, 0.1 DASH, 1 DASH, 10 DASH etc.) The maximum allowed denomination is 1000 DASH.
- The use of a passive node.
How does PrivateSend Operate?
To give you a general overview of how it functions, PrivateSend basically lends privacy to functions by adding multiple identical inputs from multiple users and then sending them to multiple outputs. Since the transaction flow can’t be t
The Dash Whitepaper states:
“PrivateSend uses the fact that a transaction can be formed by multiple parties and made out to multiple parties to merge funds together in a way where they cannot be uncoupled thereafter. Given that all PrivateSend transactions are setup for users to pay themselves, the system is highly secure against theft and users coins always remain safe. Currently to mix using PrivateSend requires at least three participants.”
Image Credit: Dash Whitepaper
So, what is happening in the image above?
As you can see, there are 3 users who have submitted the denominated funds for coinmixing. The new outputs have been randomly ordered and the users can then promptly proceed to pay themselves back.
As stated above, the allowed denominations are 0.01 DASH, 0.1 DASH, 1 DASH, 10 DASH, 100 DASH, AND 1000 DASH. These denominations are extremely critical for the mixing purposes. The common denominations are then accordingly mixed together to ensure anonymity.
PrivateSend is limited to 1000 DASH per session.
So, what does that mean?
If you want to send a huge amount of money, say 4000 DASH what do you need to do? You will need multiple sessions to send your money. PrivateSend ensures prevention of timing attacks and makes user experience by running passive nodes. Each and every PrivateSend sessions is also limited to only 3 clients, meaning there is a 1 in 3 chance of following these transactions. So what does PrivateSend do to increase the anonymity of their transactions? The answer, a chaining approach in which funds are sent through multiple Masternodes one after another.
Dash has a lot of great properties, however, there is something that has been unsettling a lot of people about it. You see, despite all its amazing innovations, it is still a proof-of-work coin. This is the reason why Private Instant Verified Transaction aka PIVX came about. To put it extremely bluntly, PIVX is Dash with proof-of-stake. At the time of writing, the block time is about 60 seconds. Transaction fees are also pretty minimal. This is the reason why we felt that PIVX belongs on this list.
Proof-of-Stake vs Proof-of-Work
Now, before we explain to you why proof-of-stake is required, how about we look into the shortcomings of proof-of-work?
#1 Energy Wastage
The biggest problem of Proof-of-work is the energy wastage. This is how much energy Bitcoin has consumed over the last few months. As you can see, Bitcoin has a voracious appetite:
In December 2017, research showed that Bitcoin consumes more energy than 159 individual countries. That is a pretty crazy statistic!
As we have already told you, Bitcoin uses ASICs for mining. The problem with that is ASICs are expensive, and pools with more money tend to have more ASICs and, consequently, more mining power. In fact, check out the hashrate distribution chart for Bitcoin via Blockchain.info.
As you can see, 3 pools BTC.com, AntPool, and SlushPool alone own more than 50% of the network’s hashrate aka mining power. This completely defeats the purpose of decentralization, plus, there is one more big issue. Individual users simply can’t compete with big money pools.
So, what about Proof-of-Stake?
The main draw of POS is that it makes mining a purely virtual process. Now, there are many different kinds of proof-of-stake execution, however, the general idea goes like this.
- POS uses “validators” instead of miners.
- Validators lock up a certain amount of Ether as stake.
- Once they find a block which they think can be added to the chain, they place bets on it.
- If the block gets appended, they receive a reward which is proportionate to their bets.
Quite like Dash, PIVX also has masternodes i.e. incentivized nodes that are economically rewarded to offer their best services to the network. One can run a masternode by locking up 10,000 PIV (approx $20,000).
And once again, similar to Dash, the masternodes in the PIVX network form the backbone of the system, which is why they receive higher rewards as opposed to other normal nodes. The locking up of such a huge amount ensures that the masternodes perform to the best of the ability. The reward mechanism is determined by the seesaw mechanism. We will get to it in a bit.
Privacy and Speed
The two most important features of PIVX (along with POS) are its privacy and speed. Let’s look at how it attains these features.
Quite like Dash, PIVX also uses CoinJoin which has been modified and improved using decentralization and a network of masternodes. If some malicious elements gain control over 50% of the current masternodes, they would still have less than 0.5% chance of de-anonymizing an individual transaction which has gone through 8 rounds of mixing.
Now, we come to the speed part i.e. near instant transactions. PIVX calls instant transactions SwiftTX transactions. These are spendable within seconds which are guaranteed by a network os masternodes, quite like Dash.
See-Saw Rewards Mechanism
Many critics have noted one potential flaw in the Dash Masternode program. The Dash masternode owner gets voting and governance rights inside the ecosystem. However, here is where we face a problem? What if some rich corporation buys lots of masternodes, wouldn’t that centralize the system, which is against the very principle of cryptocurrencies?
This is why PIVX utilizes the see-saw reward mechanism. This is how it works:
- The see-saw algorithm will first check the number of masternodes in accordance with the amount of PIVX that has been staked at that moment.
- Suppose the number of masternodes is too high, the algorithm will adjust reward released to the owners.
- Basically, if the number of masternodes is too high, the reward will be less, if the number of masternodes is less, then the reward will be more.
- This is supposed to incentivize the masternode owners to give up their voting rights and stake more of their coins instead.
- This, in theory, will create a greater distribution of voting rights and PIVX holders.
So, to summarize things up:
The block rewards that are received by the staker and the winning masternode is variable. The rewards vary based on the number of coins which are held in the masternodes vs the total amount of coins available for staking on the network.
Optimized PIVX Staking
The staking system is pretty straightforward, more the amount of money staked by the user, more the possible rewards that can be earned. For example, an address with about 15,000 PIVX will earn about 50% more per PIVX than an address with about 1,000 PIVX. Each address needs to have at least a 100 confirmation.
Like we have already said before, the masternodes will earn more than regular nodes, however, their rewards vary according to the see-saw algorithm.
Why Does PIVX Have An Unlimited Coin Supply?
Unlike Dash, which has an upper limit of 21 million tokens, PIVX has an unlimited coin supply. The reasoning behind this is that why Bitcoin is a digital store-of-value asset, like gold, it requires a limited supply. However, the purpose of PIVX is to be more a decentralized private currency. Currencies don’t have an upper limit and it increases and decreases in accordance with inflation and deflation. IN the central banking world, it is called “quantitative easing.”
The supply of PIVX increases by 5% per year. Because of this, it is hoped that people would much rather transact using PIVX then simply hold onto it. Because of the increase in supply, it will not exponentially increase in value but will be deflationary. These new coins that are generated will be used as POS rewards and given to stakeholders and masternodes.
This deflation in value has another humongous benefit. Do you remember how one can actually get a masternode? You will need to stake up to 10,000 PIV tokens. If the value of each token expoenentially goes up, then the price of settnig up a masternode goes up expoenentially. This system will keep masternodes affordable (relatively) and make sure that the distribution is more even.
Wallet and Future Development
Because of the introduction of zPIV Deterministic Wallet, users will no longer need to keep backups after each instance of zPIV minting. By backing up a zPIV seed, users will have the full back up of any zPIV minted in the future, and be able to easily import the zPIV seed to a new wallet and restore any zPIV minted with the seed
Plans are in place to have iOS mobile wallet reintorduced. Apply had earlier rejected the iOS PIVX Mbile Wallet.
All in all, PIVX definitely has an interesting system in place and it is something that you can look into.
Why are we putting Verge(XVG) on the list?
Is it the best privacy coin out there? Nope.
Does it have the most sound technology? Again…Nope.
However, the sheer amount of hype that they have raised in 2018, through some clever marketing and partnerships, they at least deserve a mention.
So, to give you an overview, Verge is a privacy-focussed cryptocurrency that tries to keep the transactions anonymous and untraceable and gives high throughput and near-instant confirmation times. The project is open source and there is no single company and/or foundation behind Verge. The development group is committed to privacy, anonymity, and decentralization.
How Transactions Become Anonymous
Verge’s perspective on privacy comes from the point of view of how users connect to a network. Think about this, how does the internet, as we know it, works?
It is actually extremely straightforward. The internet, in essence, interconnects different computers in the world. In order to exchange information from one computer to another, the message must go through the middle-man which is the Internet Service Provider (ISP) or any other number of middlemen. The ISP requires the value of your IP address and the IP address of your target computer in order to transfer the message.
Do you see the problem here?
The ISP gets the following information:
- IP address of the sender
- IP address of the receiver
- The message itself.
There is absolutely no privacy here whatsoever. So, in order to bring in some privacy here, Verge uses two techniques:
According to Wikipedia:
“Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name “The Onion Router”. Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity to the user: this includes “visits to Web sites, online posts, instant messages, and other communication forms”. Tor’s intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored.”
Basically, instead of simply transferring your message through an ISP, Tor simply bounces the message between numerous relay computers on the Tor peer-to-peer network.
Because of this numerous “bouncing around” the IP address of the sender is difficult to trace back. TOR ensures that not a single node will know the whole route taken by the message. This is the reason why, the message becomes anonymous and untraceable. Tor’s directory service identifies the path for connections.
Verge uses Tor to anonymize its transactions and to also anonymize the identity of the users.
I2p or invisible internet project is a routing system that allows applications to send messages to each other privately without any outside interference. Unlike Tor which provides directory-based circuit routing, I2P enables dynamic routing of the information packets. Since I2P doesn’t maintain a directory, it completely prevents the network congestion and interruptions.
I2P divides the routing into two separate tunnels:
- An outgoing tunnel.
- An Incoming tunnel.
What does this do?
This ensures that the message Alice sends to Bob follows a different path from the message that Bob sends to Alice. So, how does this help with privacy? Imagine that an attacker is looking into the messages sent between Bob and Alice. They will only see one half of the message without knowing what the other half is. It is like listening to a phone conversation and listening to only one person speak.
Verge plans to use I2P and Tor in synergy to provide security to their users. Tor acts as a portal for a user to anonymously access the internet, while I2P creates the whole experience more smooth and doubles up on the privacy.
So, how does Verge mine their coins?
So, why did we include Verge on our list? It is because of the sheer amount of hype they generated by partnering up with PornHub.
Pornhub is a pornographic video sharing website and the largest porn site on the internet. Here are some absolutely crazy stats on Pornhub that we were able to dig up:
- They stream 75 GB worth of data per second.
- They have had a total of 87.8 billion views.
- “Mind Geek”, the company that owns Pornhub, Brazzers, YouPorn, and Reality Kings is one of the top 3 bandwidth-consuming companies in the world, the other two being Google and Netflix.
The idea of XVG (a privacy coin) and Pornhub (a porn site) partnering with each other is fascinating and makes a lot of sense when you think about it. This is one of the first proper real-world use cases for a privacy coin.
In fact, this may be one of the most monumental steps taken by cryptocurrencies in general. Time and again, Porn has stepped up to the plate and led the way in technology adoption.
Don’t believe us? Let’s go through some of the facts.
- Way back in 1895, the first movie was publicly screened. Just a year later the first “adult movie” was created. The film was titled “Le Coucher de la Mariée” was released. It showed a woman performing a striptease
- The rise of 8mm: The sale of 8mm cameras and projectors shot up because of the porn industry.
- VCR: When VCR first came about, Hollywood was very reserved about it fearing piracy. However, the adult industry openly embraced it and before long, VCR became synonymous with the entertainment industry
- Online Payments: Richard Gordon, the founder of Electronic Card Systems, founded an online payment service for different porn sites. So yes, Porn founded the e-Commerce industry
- Blu-Ray: The porn industry championed the Blu-Ray discs and made them more popular
- Snapchat: Snapchat was initially a service used by horny teenagers to sext with each other. It has now gone on to become a billion-dollar social media platform
- Higher Bandwidth: Because of the higher bandwidth that porn demands, it won’t be a stretch to say that porn is one of the reasons why we have higher internet speeds.
As we can see, time and time again the porn industry has paved the way for faster adoption of new technology. Plus, also consider this, in 2017 PornHub had an average 81 million viewers daily. That’s the equivalent of Turkey’s entire population getting exposed to cryptocurrency advertisements every single day!
Of course, we can’t say for sure whether this is going to be amazing or not. However, going by history, let’s just say that we won’t be surprised if cryptocurrency adoption skyrockets after this.
Verge and 51% Attacks
It won’t be an exaggeration to say that 51% attacks are, quite literally, the bane of cryptocurrencies. The 51% attack happens when a malicious party gets control of 51% of the network’s hashrate. When they do acquire that they can pretty do whatever they want with the network. This, in essence, destroys the very concept of decentralization. When an entity does get control of 51% hashrate, they can subject the network to a plethora of attacks such as:
- Selfish Mining.
- Double Spending.
- Canceling all transactions.
- Random Forks
Verge is no stranger at 51% attacks. They have already suffered two such attacks! In the second attack, the attacker(s) were able to rob 35 million XVG tokens, which were valued at around $1.75 million during the time of the attack.
The main issue, however, is that the mode of attack seems to be nearly identical to the one they faced before. This could mean one of two things. Either the Verge team has been lackadaisical or the vulnerability is so immense that it can’t be fixed.
That is a worrying sign for something that plans to be a privacy-focused cryptocurrency.
So there you have it. The top 5 privacy coins of 2018. We hope you enjoyed the read and gained a lot of value from it. Keep an eye out on this space, we will bring more informative guides for your reading pleasure.