Topic: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion - page 3. (Read 1164 times)

Obviously, because privacy is optional in Zcash.
Only a small minority (0.8M of 15M ZEC) of coins lives in shielded pools, and only a small fraction of transactions is z2z.

It seems most Zcash users are not interested in its privacy features, but hope to profit from other people's interest in its privacy features.

Why is Zcash not really a privacy coin?

According to CoinGecko, Monero is traded most on Binance - an exchange with 14 Billion US dollars in total trading volume over the last 24h.
I'm not an expert on centralized exchanges, but HitBTC with almost 2 Billion USD and Kraken with 500 Million US dollars total daily volume are also some pretty big names who list Monero. The latter I remember, recently introduced Lightning withdrawals; so it seems adding privacy to Bitcoin is certainly not something exchanges are completely shying away from.

As for Grin, indeed there's little volume and according to CoinGecko, over the last 24h, we see most volume on Bitforex and Gate.io (these names are new to me); KuCoin and HitBTC also list it but have barely any trades going on.
Anyhow, I am not convinced that exchanges even really care about privacy in Bitcoin or not; they just care about people buying and selling as much as possible.

I know that you didn't say that, but I'm pretty certain they can and probably already do engage in a lot of lobbying.

Zcash listed on exchanges is not really privacy coin, Monero is often not available for withdrawal from exchanges or it is delisted, and Grin has very low volume to have much bigger influence.
I didn't say that exchanges have the power to influence regulators, but they have power to support or not support new potential Bitcoin fork especially if they control bitcoin miners.
Remember what happened with Bcash and all other BTC forks, this would be like a small disturbance compared to adding privacy to Bitcoin, that is my opinion.

I doubt that; they sell and buy Zcash, Monero and Grin amongst other privacy cryptos, so why would a privacy upgrade to Bitcoin Layer 1 influence regulators any more than adding another privacy coin to their offer book?

If anything, large exchanges may (or already do?) even have the power to influence regulators and authorities through their lobby work.

Keep in mind that exchanges don't really have a say in what softfork is activated or not.

Just think how many Bitcoins are owned by Binance, Coinbase and other centralized exchanges and services, some of them even have their own mining pools.
I am sure they would be all be against adding privacy protocol changes for Bitcoin, because of the fear from regulators could hurt their business.
If they don't like mixers and coinjoin I could only imagine reaction to Bitcoin becoming privacy coin.

Apologies if I'm missing something, but I don't see how that solves the problem at all.

Whether or not Alice signs a message before making the transaction is irrelevant. Before the payment is made and the scam has taken place, then there is nothing to be gained by Alice signing a message saying she is intending to make the payment. After she has made the payment, the payment will be verified by a third party viewing the transaction, not by any signed message. And as you point out, with or without a signed message, Bob can still deny the receiving address is his.

Privacy coin or not, hidden addresses or not, without a signed message from the recipient confirming their payment address, there is always the possibility that they deny the address is theirs.

You can pre-sign incoming transactions of predetermined denominations from a hot wallet to a cold wallet,
and keep them stored in the hot wallet to be used at any later time. So it can be made to work with a few limitations.

I think if you look at my post and topic history, it's obvious that I love Lightning.
But I just don't think interaction is going to be accepted / acceptable on layer 1. Even on Lightning, where it's technically impossible to do away with interaction, mechanisms have been developed to 'hide' it - LNURL, BOLT12 are just two examples. People just don't like this..

Honestly, being able to have things like static invoices (BOLT12) is a huge creature comfort. Or being able to receive payments directly into a cold storage wallet.
By the way; does interactivity in pure MimbleWimble / Grin mean that basically cold wallets don't exist? Or has someone come up with a smart solution?

This is going to sound cliche, but BIP322 signed messages solve half of this problem.

- Alice signs a BIP322 message from the UTXO she's about to spend. This proves that she is able to spend it.
- Alice sends the payment to Bob.
- Bob denies receiving payment.
- Everybody who reads the BIP322 signed message knows that Alice sent the money to some address. But still nobody can verify that this is Bob's address without cryptographic proof, which Bob refuses to supply so he can feign non-payment.

(Now somebody might say why doesn't Alice simply put Bob's address in the BIP322 message, and show it to Bob so he can confirm, but that isn't going to work; Bob can still feign non-payment to everyone else.)

Strange to hear you denounce Lightning just like that...

If Bitcoin is to achieve any sort of mainstream adoption, and actual use as a currency, then most users will eventually be far more familiar with the interactive nature of L2 transactions than the non-interactive nature of L1.

Btw, another advantage I haven't mentioned is that multisig greatly reduces worries about mistyping addresses or sending to the wrong address, since the receiver must actually prove being able to spend received funds before being able to receive them. That gives much more peace of mind and mostly avoids the need for an extra "test" transaction of negligible value before a big value transaction.

Wow, we're already at 2 pages of discussion. Thanks everyone who chimed in so far - I'm catching up right now!

I opted to just add Grin since it implemented MimbleWimble first, from what I can tell. But if the implementation is different and these changes make its implementation more interesting for Bitcoin, I'll have a closer look there.

You think so? I believe some privacy upgrades could be implemented as soft fork.

What do you guys think about this, though? A hard fork would mean from then on, every UTXO would be private, on the other hand, old UTXOs would still remain 'open' - so might as well go for softfork (if technically possible)? I think that's an interesting question to discuss.


Great insight, thanks! I will add these points as drawbacks of ZCash and Monero. I personally think scalability should always be maintained and / or improved in Bitcoin to maintain maximum decentralization.

Interaction sounds pretty much like a no-go to me, to be honest. It's great to hear that Litecoin was able to solve this limitation - will definitely dig up and link some information about this.

I guess it's closer to L1 than L2.. but I get where you're coming from. Some aspects do happen off-chain (coordination of inputs / outputs), but in the end, you swap an on-chain UTXO for another on-chain UTXO. You never really 'leave' layer 1 for extended period of time compared to actually moving coins into a Lightning channel or a sidechain.

Interesting point that you brought up. I've thought about it a bit and there are certainly points for / against either point. Honestly, even with Bitcoin, I wouldn't know where to go complain / sue / ... if I went 'first' on a purchase and wouldn't get the goods - even though technically I could prove the payment. On the other hand, I don't think that a cryptocurrency that allows to prove payment would incur a big hit on privacy. Most privacy features would remain intact, like unlinkability of funds and payment history.

True, any UTXO before the soft- or hardfork would of course still be in the open. But the moment you spend it to a new 'privacy address' (or whatever) it would be 'gone' from the transparent pool basically.
Whether spending using a new, privacy-oriented technique can be enforced probably depends on the type of fork. But traditionally, I think we've all preferred softforks.. Most people happily switch to the new system, like SegWit, due to the obvious benefits it offers.

Realistically, nobody is doing that today, though (as I alluded to earlier) and they still send and receive Bitcoin for goods.

None, because I don't need to. I trust the merchants I transact with. But, even there was a need, a PGP message is not going to save a junkie. Alright, so Bob signs Alice his invoice, Alice sends him the bitcoin and gets no product in return. Now what? Why should I believe Alice for telling me she never got her product and not Bob yelling in craze that he gave it and that she's a liar?

Minimum trust is required. Probably that's why PGP isn't used in invoices.

Edit: No zero. I just looked into my emails and when I used CoinPayments they did send me one signed message of their invoice, and another of their receipt later.

Absolutely. And how many merchants, both online or in person that you have spent bitcoin with, use PGP? For me, the answer is zero. Even getting peer to peer traders to use PGP is a challenge.

And regardless, even if everyone did use PGP all the time, that's entirely separate to bitcoin itself. If you want to use PGP as a solution, then there is nothing stopping me from also applying the same solution to Monero, for example. You give me your Monero address via PGP, and I can release your address along with the other necessary information to prove I paid you: https://www.getmonero.org/resources/user-guides/prove-payment.html

Solution: PGP. Bob can't deny he asked for money if he signed it.

I'm not convinced that this is a drastically different scenario to what we already have in Bitcoin.

Alice pays Bob.
Bob denies receiving payment.
Alice publishes a transaction hash which anyone can look up.
Bob denies the receiving address in that transaction belongs to him.

If Alice is really lucky, she has some correspondence from Bob with the address in it which can be independently verified and which Bob cannot deny. On the other hand, there is a good chance the address was a one time address generated by a payment processor plugin on a website and she therefore has no independently verifiable record of the address.

It's great point, additionally optional means there's no incentive to implement/support such privacy feature unless the developer/service is heavily privacy-oriented. An example is Z-cash, where AFAIK most exchange don't support withdraw to shielded address.

What weed? I don't know what you're talking about, pal. Now pull over so we can get back on-topic.

No. Privacy isn't that, or similar to that. When I say I want privacy, I mean I want the ability to selectively reveal my activity to the rest of the world. That applies to the other party too. I can't forbid from the merchant to not reveal this activity since he's part of it. However, if both of us want to remain private, we must not leave some surveillance companies effectively tracing that activity and revealing it to the world without our consent.

Part of the discussion here should also be what privacy is and what it means to other people.
I think that if you are saying something is private the only way that it should be able to be revealed is if all people involved agree to it. Otherwise it's just hidden but can be shown. The old spy adage "Any 2 people can keep a secret so long as one of them is dead" comes into play here.

To others privacy just means it can't be found out by outsiders but anyone involved can reveal it.

To others it means that it can never be shown. It's done it happened but you can't prove it.
https://www.youtube.com/watch?v=WTbgsoHDc24



I'm stealing that line from you for future use.

-Dave

One thing that is deserved to be said is that no matter what privacy-oriented concepts, ideas, techniques are implemented in bitcoin, you can never achieve the same levels of privacy in comparison with privacy-oriented cryptocurrencies. The reason is simple: Their privacy model is enforced by default*, whereas in bitcoin, privacy enhancement is optional. Stones are set from genesis, and even though Monero (which is what takes the cake) experienced leaks on privacy, it still forms the best black-box-like electronic money out there, in sum.

*Z-cash excluded?

If you give me cash, and I don't give you weed, you can't prove you gave me cash. Yet, it's working fine centuries now.