Topic: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion - page 3.

legendary
Activity: 990
Merit: 1108
Why is Zcash not really a privacy coin?

Obviously, because privacy is optional in Zcash.
Only a small minority (0.8M of 15M ZEC) of coins lives in shielded pools, and only a small fraction of transactions is z2z.

It seems most Zcash users are not interested in its privacy features, but hope to profit from other people's interest in its privacy features.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
I doubt that; they sell and buy Zcash, Monero and Grin amongst other privacy cryptos, so why would a privacy upgrade to Bitcoin Layer 1 influence regulators any more than adding another privacy coin to their offer book?
Zcash listed on exchanges is not really a privacy coin, Monero is often not available for withdrawal from exchanges or it is delisted, and Grin has too low a volume to have much influence.
Why is Zcash not really a privacy coin?

According to CoinGecko, Monero is traded most on Binance - an exchange with 14 Billion US dollars in total trading volume over the last 24h.
I'm not an expert on centralized exchanges, but HitBTC with almost 2 Billion USD and Kraken with 500 Million US dollars total daily volume are also some pretty big names who list Monero. The latter, I remember, recently introduced Lightning withdrawals; so it seems adding privacy to Bitcoin is certainly not something exchanges are completely shying away from.

As for Grin, indeed there's little volume and according to CoinGecko, over the last 24h, we see most volume on Bitforex and Gate.io (these names are new to me); KuCoin and HitBTC also list it but have barely any trades going on.
Anyhow, I am not convinced that exchanges even really care about privacy in Bitcoin or not; they just care about people buying and selling as much as possible.

I didn't say that exchanges have the power to influence regulators, but they have the power to support or not support a new potential Bitcoin fork, especially if they control bitcoin miners.
I know that you didn't say that, but I'm pretty certain they can and probably already do engage in a lot of lobbying.

legendary
Activity: 2212
Merit: 7064
I doubt that; they sell and buy Zcash, Monero and Grin amongst other privacy cryptos, so why would a privacy upgrade to Bitcoin Layer 1 influence regulators any more than adding another privacy coin to their offer book?
Zcash listed on exchanges is not really a privacy coin, Monero is often not available for withdrawal from exchanges or it is delisted, and Grin has too low a volume to have much influence.
I didn't say that exchanges have the power to influence regulators, but they have the power to support or not support a new potential Bitcoin fork, especially if they control bitcoin miners.
Remember what happened with Bcash and all other BTC forks, this would be like a small disturbance compared to adding privacy to Bitcoin, that is my opinion.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
You think so? I believe some privacy upgrades could be implemented as soft fork.
Just think how many Bitcoins are owned by Binance, Coinbase and other centralized exchanges and services, some of them even have their own mining pools.
I am sure they would all be against adding privacy protocol changes to Bitcoin, because of the fear that regulators could hurt their business.
If they don't like mixers and CoinJoin, I could only imagine the reaction to Bitcoin becoming a privacy coin.
I doubt that; they sell and buy Zcash, Monero and Grin amongst other privacy cryptos, so why would a privacy upgrade to Bitcoin Layer 1 influence regulators any more than adding another privacy coin to their offer book?

If anything, large exchanges may (or already do?) even have the power to influence regulators and authorities through their lobby work.

Keep in mind that exchanges don't really have a say in what softfork is activated or not.
legendary
Activity: 2212
Merit: 7064
You think so? I believe some privacy upgrades could be implemented as soft fork.
Just think how many Bitcoins are owned by Binance, Coinbase and other centralized exchanges and services, some of them even have their own mining pools.
I am sure they would all be against adding privacy protocol changes to Bitcoin, because of the fear that regulators could hurt their business.
If they don't like mixers and CoinJoin, I could only imagine the reaction to Bitcoin becoming a privacy coin.
legendary
Activity: 2268
Merit: 18748
This is going to sound cliche, but BIP322 signed messages solve half of this problem.
Apologies if I'm missing something, but I don't see how that solves the problem at all.

Whether or not Alice signs a message before making the transaction is irrelevant. Before the payment is made and the scam has taken place, there is nothing to be gained by Alice signing a message saying she is intending to make the payment. After she has made the payment, the payment will be verified by a third party viewing the transaction, not by any signed message. And as you point out, with or without a signed message, Bob can still deny the receiving address is his.

Privacy coin or not, hidden addresses or not, without a signed message from the recipient confirming their payment address, there is always the possibility that they deny the address is theirs.
legendary
Activity: 990
Merit: 1108
By the way; does interactivity in pure MimbleWimble / Grin mean that basically cold wallets don't exist? Or has someone come up with a smart solution?

You can pre-sign incoming transactions of predetermined denominations from a hot wallet to a cold wallet,
and keep them stored in the hot wallet to be used at any later time. So it can be made to work with a few limitations.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Another feature, that can be considered both an advantage in some cases, and a disadvantage in others, is that MW transactions are multisig by sender AND receiver, and thus require them to interact to build the tx, just as is already the case for Lightning.
Interaction sounds pretty much like a no-go to me, to be honest.

Strange to hear you denounce Lightning just like that...
I think if you look at my post and topic history, it's obvious that I love Lightning.
But I just don't think interaction is going to be accepted / acceptable on layer 1. Even on Lightning, where it's technically impossible to do away with interaction, mechanisms have been developed to 'hide' it - LNURL and BOLT12 are just two examples. People just don't like this...

If Bitcoin is to achieve any sort of mainstream adoption, and actual use as a currency, then most users will eventually be far more familiar with the interactive nature of L2 transactions than the non-interactive nature of L1.
Honestly, being able to have things like static invoices (BOLT12) is a huge creature comfort. Or being able to receive payments directly into a cold storage wallet.
By the way; does interactivity in pure MimbleWimble / Grin mean that basically cold wallets don't exist? Or has someone come up with a smart solution?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Alice pays Bob.
Bob denies receiving payment.
Alice publishes a transaction hash which anyone can look up.
Bob denies the receiving address in that transaction belongs to him.

If Alice is really lucky, she has some correspondence from Bob with the address in it which can be independently verified and which Bob cannot deny. On the other hand, there is a good chance the address was a one time address generated by a payment processor plugin on a website and she therefore has no independently verifiable record of the address.

This is going to sound cliche, but BIP322 signed messages solve half of this problem.

- Alice signs a BIP322 message from the UTXO she's about to spend. This proves that she is able to spend it.
- Alice sends the payment to Bob.
- Bob denies receiving payment.
- Everybody who reads the BIP322 signed message knows that Alice sent the money to some address. But still nobody can verify that this is Bob's address without cryptographic proof, which Bob refuses to supply so he can feign non-payment.

(Now somebody might say why doesn't Alice simply put Bob's address in the BIP322 message, and show it to Bob so he can confirm, but that isn't going to work; Bob can still feign non-payment to everyone else.)
legendary
Activity: 990
Merit: 1108
Another feature, that can be considered both an advantage in some cases, and a disadvantage in others, is that MW transactions are multisig by sender AND receiver, and thus require them to interact to build the tx, just as is already the case for Lightning.
Interaction sounds pretty much like a no-go to me, to be honest.

Strange to hear you denounce Lightning just like that...

If Bitcoin is to achieve any sort of mainstream adoption, and actual use as a currency, then most users will eventually be far more familiar with the interactive nature of L2 transactions than the non-interactive nature of L1.

Btw, another advantage I haven't mentioned is that multisig greatly reduces worries about mistyping addresses or sending to the wrong address, since the receiver must actually prove being able to spend received funds before being able to receive them. That gives much more peace of mind and mostly avoids the need for an extra "test" transaction of negligible value before a big value transaction.
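To make the "multisig by sender AND receiver" point concrete, here is an added toy of a MimbleWimble-style transaction build in Python. It is example code written for this thread, not code from Grin, Litecoin's MWEB, or any poster here, and it is deliberately simplified: the second generator H is derived by hashing (so its discrete log is knowable, unlike a real nothing-up-my-sleeve point), there are no range proofs and no kernel offset, the arithmetic is not constant-time, and the slate dictionaries mix the fields a party would transmit with the secrets it would keep. What it does show is the 2-of-2 structure: outputs are Pedersen commitments value*H + blind*G, the receiver chooses its own blinding factor, the kernel excess is signed with an aggregate Schnorr signature over both parties' shares, and the sender checks the receiver's partial signature (a proof that the receiver can spend the new output) before the transaction can be completed.

```python
import hashlib
import secrets

# secp256k1 parameters; affine arithmetic, toy only (not constant-time).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

# Second generator for the value component. Assumption / toy: derived as a
# hash times G, so its discrete log is knowable; a real implementation uses a
# nothing-up-my-sleeve point whose log nobody knows.
H = mul(int.from_bytes(hashlib.sha256(b"toy-mw-H").digest(), "big") % N, G)

def commit(value, blind):
    """Pedersen commitment value*H + blind*G; knowing 'blind' is what lets you spend."""
    return add(mul(value, H), mul(blind, G))

def challenge(R, E, fee):
    """Schnorr challenge e = SHA256(R || E || fee) mod N; the fee is the signed message."""
    data = b"".join(c.to_bytes(32, "big") for pt in (R, E) for c in pt)
    return int.from_bytes(hashlib.sha256(data + fee.to_bytes(8, "big")).digest(), "big") % N

def sender_prepare(v_in, r_in, v_pay, fee):
    """Step 1 (sender): spend an input, build change, commit to a nonce. 'x' and 'k' stay private."""
    r_chg, k_s = rand_scalar(), rand_scalar()
    x_s = (r_chg - r_in) % N              # sender's share of the kernel excess
    return {"v_pay": v_pay, "fee": fee, "inputs": [commit(v_in, r_in)],
            "change": commit(v_in - v_pay - fee, r_chg),
            "x": x_s, "k": k_s, "X": mul(x_s, G), "R": mul(k_s, G)}

def receiver_respond(slate):
    """Step 2 (receiver): choose the output's blinding factor, add a nonce, partially sign."""
    r_out, k_r = rand_scalar(), rand_scalar()     # r_out never leaves the receiver
    X_r, R_r = mul(r_out, G), mul(k_r, G)
    e = challenge(add(slate["R"], R_r), add(slate["X"], X_r), slate["fee"])
    return {"output": commit(slate["v_pay"], r_out), "X_r": X_r, "R_r": R_r,
            "s_r": (k_r + e * r_out) % N}

def sender_finalize(slate, resp):
    """Step 3 (sender): verify the receiver's partial signature, add own share, assemble."""
    R = add(slate["R"], resp["R_r"])
    E = add(slate["X"], resp["X_r"])
    e = challenge(R, E, slate["fee"])
    # The receiver proves knowledge of its output's blinding factor, i.e. that it
    # can actually spend what it is about to receive; otherwise the sender stops.
    if mul(resp["s_r"], G) != add(resp["R_r"], mul(e, resp["X_r"])):
        raise ValueError("receiver's partial signature is invalid")
    s = (slate["k"] + e * slate["x"] + resp["s_r"]) % N
    return {"inputs": slate["inputs"], "outputs": [slate["change"], resp["output"]],
            "fee": slate["fee"], "kernel": (E, R, s)}

def verify_tx(tx):
    """Node-side check: fee*H + sum(outputs) - sum(inputs) == E, and E is signed."""
    E, R, s = tx["kernel"]
    total = mul(tx["fee"], H)
    for o in tx["outputs"]:
        total = add(total, o)
    for i in tx["inputs"]:
        total = add(total, neg(i))
    if total != E:                        # values don't sum, or blinds don't match E
        return False
    e = challenge(R, E, tx["fee"])
    return mul(s, G) == add(R, mul(e, E))

def run_demo(v_in=100, v_pay=60, fee=1):
    """Full round trip between a sender and a receiver (constructed sample values)."""
    r_in = rand_scalar()
    slate = sender_prepare(v_in, r_in, v_pay, fee)
    resp = receiver_respond(slate)
    return slate, resp, sender_finalize(slate, resp)

if __name__ == "__main__":
    slate, resp, tx = run_demo()
    print("2-of-2 kernel verifies:", verify_tx(tx))
```

The node never learns values or who paid whom; it only checks that the commitments balance against the kernel and that the excess carries a valid signature. Because that signature needs the receiver's share (k_r + e*r_out), the sender cannot complete a payment on its own, which is the interaction cost discussed above; it is also why a mistyped destination cannot silently swallow funds, since nobody can produce a valid partial signature for an output they do not hold the blinding factor for. The hot-to-cold pre-signing trick mentioned in this thread is the same three steps run once in advance for a fixed amount, with the cold wallet doing step 2 and the hot wallet keeping the finished transaction to broadcast later.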
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Wow, we're already at 2 pages of discussion. Thanks everyone who chimed in so far - I'm catching up right now!

MimbleWimble: complete new protocol for confidential transactions and smaller transactions
You could also add Litecoin to the list (I see you mentioned it above), it has code that is very similar to Bitcoin and was used before as testing ground for Bitcoin.
I opted to just add Grin since it implemented MimbleWimble first, from what I can tell. But if the implementation is different and these changes make its implementation more interesting for Bitcoin, I'll have a closer look there.

I would always vote for adding any privacy-based protocol change in Bitcoin but I am more than certain that would create huge conflicts of interest and probably a hard fork.
You think so? I believe some privacy upgrades could be implemented as soft fork.

What do you guys think about this, though? A hard fork would mean that from then on every UTXO would be private; on the other hand, old UTXOs would still remain 'open' - so we might as well go for a softfork (if technically possible)? I think that's an interesting question to discuss.


The biggest downsides of privacy tech like ZCash and Monero is that they hugely hurt scalability, not just by having much larger transactions, but also by making it impossible to identify the UTXO set.
[...]
Great insight, thanks! I will add these points as drawbacks of ZCash and Monero. I personally think scalability should always be maintained and / or improved in Bitcoin to maintain maximum decentralization.

Another feature, that can be considered both an advantage in some cases, and a disadvantage in others, is that MW transactions are multisig by sender AND receiver, and thus require them to interact to build the tx, just as is already the case for Lightning. The advantage being that you cannot receive unwanted coins (like tainted ones), and don't need to scan the blockchain for new outputs unless you just transacted. The disadvantage is that you need to be in communication with the recipient.

Note that Litecoin's MWEB implementation is not pure MW, but a more complicated hybrid that no longer requires receiver interaction.
Interaction sounds pretty much like a no-go to me, to be honest. It's great to hear that Litecoin was able to solve this limitation - will definitely dig up and link some information about this.

Layer 1 privacy concepts that could / do work in Bitcoin:
  • CoinJoin (Greg Maxwell): combine transactions to hide who pays whom - usable today
  • CoinSwap (Greg Maxwell): swap coins with someone else to get new transaction history - usable today

Can these two be classified as part of layer 1 privacy, since they don't require a change to the layer 1 protocol?
I guess it's closer to L1 than L2.. but I get where you're coming from. Some aspects do happen off-chain (coordination of inputs / outputs), but in the end, you swap an on-chain UTXO for another on-chain UTXO. You never really 'leave' layer 1 for an extended period of time compared to actually moving coins into a Lightning channel or a sidechain.

You can either have privacy or you can have proof. You can't really have both. Which was why I also pointed out privacy might be better on L2.
If you don't trust me or I don't trust you, then here you go, it's all in public; if we do, then it's the same transaction but on L2.
Interesting point that you brought up. I've thought about it a bit and there are certainly points for / against either side. Honestly, even with Bitcoin, I wouldn't know where to go to complain / sue / ... if I went 'first' on a purchase and didn't get the goods - even though technically I could prove the payment. On the other hand, I don't think that a cryptocurrency that allows proving payment would incur a big hit on privacy. Most privacy features would remain intact, like unlinkability of funds and payment history.

One thing that deserves to be said is that no matter what privacy-oriented concepts, ideas, techniques are implemented in bitcoin, you can never achieve the same levels of privacy in comparison with privacy-oriented cryptocurrencies. The reason is simple: Their privacy model is enforced by default*, whereas in bitcoin, privacy enhancement is optional. Stones are set from genesis, and even though Monero (which is what takes the cake) experienced leaks on privacy, it still forms the best black-box-like electronic money out there, in sum.
True, any UTXO before the soft- or hardfork would of course still be in the open. But the moment you spend it to a new 'privacy address' (or whatever) it would be 'gone' from the transparent pool basically.
Whether spending using a new, privacy-oriented technique can be enforced probably depends on the type of fork. But traditionally, I think we've all preferred softforks... Most people happily switch to the new system, like SegWit, due to the obvious benefits it offers.

If Alice is really lucky, she has some correspondence from Bob with the address in it which can be independently verified and which Bob cannot deny.
Solution: PGP. Bob can't deny he asked for money if he signed it.
Realistically, nobody is doing that today, though (as I alluded to earlier) and they still send and receive Bitcoin for goods.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Absolutely. And how many merchants, both online or in person that you have spent bitcoin with, use PGP? For me, the answer is zero.
None, because I don't need to. I trust the merchants I transact with. But, even if there was a need, a PGP message is not going to save a junkie. Alright, so Bob signs Alice his invoice, Alice sends him the bitcoin and gets no product in return. Now what? Why should I believe Alice for telling me she never got her product and not Bob yelling in craze that he gave it and that she's a liar?

Minimum trust is required. Probably that's why PGP isn't used in invoices.

Edit: Not zero. I just looked into my emails and when I used CoinPayments they did send me one signed message of their invoice, and another of their receipt later.
legendary
Activity: 2268
Merit: 18748
Solution: PGP. Bob can't deny he asked for money if he signed it.
Absolutely. And how many merchants, both online or in person that you have spent bitcoin with, use PGP? For me, the answer is zero. Even getting peer to peer traders to use PGP is a challenge.

And regardless, even if everyone did use PGP all the time, that's entirely separate to bitcoin itself. If you want to use PGP as a solution, then there is nothing stopping me from also applying the same solution to Monero, for example. You give me your Monero address via PGP, and I can release your address along with the other necessary information to prove I paid you: https://www.getmonero.org/resources/user-guides/prove-payment.html
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
If Alice is really lucky, she has some correspondence from Bob with the address in it which can be independently verified and which Bob cannot deny.
Solution: PGP. Bob can't deny he asked for money if he signed it.
legendary
Activity: 2268
Merit: 18748
If you can't do that then there will be a lot of people who are going to start popping up saying that they didn't get their money.
I'm not convinced that this is a drastically different scenario to what we already have in Bitcoin.

Alice pays Bob.
Bob denies receiving payment.
Alice publishes a transaction hash which anyone can look up.
Bob denies the receiving address in that transaction belongs to him.

If Alice is really lucky, she has some correspondence from Bob with the address in it which can be independently verified and which Bob cannot deny. On the other hand, there is a good chance the address was a one time address generated by a payment processor plugin on a website and she therefore has no independently verifiable record of the address.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Well, to be fair, if you don't give me my weed I kick your ass, and I can't do that from a keyboard.
What weed? I don't know what you're talking about, pal. Now pull over so we can get back on-topic.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
The old spy adage "Any 2 people can keep a secret so long as one of them is dead" comes into play here.
No. Privacy isn't that, or similar to that. When I say I want privacy, I mean I want the ability to selectively reveal my activity to the rest of the world. That applies to the other party too. I can't forbid the merchant from revealing this activity since he's part of it. However, if both of us want to remain private, we must not leave some surveillance companies effectively tracing that activity and revealing it to the world without our consent.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Part of the discussion here should also be what privacy is and what it means to other people.
I think that if you are saying something is private the only way that it should be able to be revealed is if all people involved agree to it. Otherwise it's just hidden but can be shown. The old spy adage "Any 2 people can keep a secret so long as one of them is dead" comes into play here.

To others privacy just means it can't be found out by outsiders but anyone involved can reveal it.

To others it means that it can never be shown. It's done, it happened, but you can't prove it.
https://www.youtube.com/watch?v=WTbgsoHDc24


If you give me cash, and I don't give you weed, you can't prove you gave me cash. Yet, it's working fine centuries now.

I'm stealing that line from you for future use.

-Dave
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
One thing that deserves to be said is that no matter what privacy-oriented concepts, ideas, techniques are implemented in bitcoin, you can never achieve the same levels of privacy in comparison with privacy-oriented cryptocurrencies. The reason is simple: Their privacy model is enforced by default*, whereas in bitcoin, privacy enhancement is optional. Stones are set from genesis, and even though Monero (which is what takes the cake) experienced leaks on privacy, it still forms the best black-box-like electronic money out there, in sum.

*Z-cash excluded?

Requirement that both agree to release it is what enables fraud. If I pay you X in exchange for some good Y and you refuse to give me Y after you were paid X, then I should be able to prove (regardless of how you feel about it) that I paid X to get Y.
If you give me cash, and I don't give you weed, you can't prove you gave me cash. Yet, it's been working fine for centuries now.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Why? If I said I paid and you say I didn't, and I release my side and you don't release yours, then although there is not 100% proof you did not get paid, it looks shady as hell.

So I can make you look shady by claiming I paid you and releasing my fake side and by definition you couldn't release yours?

It seems you want to transact with people whom you trust and don't trust at the same time.
You trust them to provide the goods/services you pay for, but
you don't trust them not to disclose tx info without your consent.

You could only get away with it once, possibly twice, before people assume it's you doing the scamming.
Perhaps 3 flags:
1) open and public transactions
2) closed either side can release the transaction information
3) closed both sides have to agree to release the transaction

You would also have to have a way of forcing that. i.e. addresses that begin with 1 are option 1, addresses that begin with 2 are option 2, addresses that begin with a 3 are option 3.

That way when you pay you know what you are getting into. If we really don't trust each other, 1 or 2. One is fully public; 2 is private but can be released without my consent or knowledge, so there is proof for the sender; 3 is private and secure.

-Dave