Reviewing Privacy-Enhancing Proposals For Bitcoin


Reviewing Bitcoin's history of proposed privacy improvements can help us learn from the past and keep up with new improvements as we go.

A version of this article was originally published on sethforprivacy.com.

Ragnar Lifthrasir asked for a list of Bitcoin proposals and ideas to improve privacy that either are still a work in progress, were abandoned or never implemented, or failed to make an impact, and so here is my attempt at just that.

This will by no means be an exhaustive list, and I could use any help I can get with keeping it up to date or finding historical proposals that have fallen out of favor. The sections below will be broken down by project or implementation and in order of proposal (where possible).

Note: While some of these proposals were non-starters or have been abandoned, some are interesting and potentially promising proposals. This is not a “hall of shame,” but rather a chance to learn from past proposals and keep up with new ones as we go along.

Bitcoin

Confidential Transactions

Status: Never formally proposed for Bitcoin

Pros: Drastically improved privacy against amount-based heuristics; enables greatly-improved and more flexible app-layer privacy tools for Bitcoin (i.e., unequal-output CoinJoins)

Cons: Supply auditability becomes more complex (but is still possible) and relies on more advanced cryptography; transaction sizes and verification times are both significantly increased

Confidential Transactions (used in Monero since 2017 and Liquid since 2018) are a technique used to blind the amounts in a transaction in a way that is still verifiable and provable without revealing amounts to anyone outside of the transaction participants. Miners, nodes and external observers can still validate that transactions do not create or destroy funds without knowing the actual amounts being transferred.

Further Reading:

Reusable Payment Codes For Hierarchical Deterministic Wallets — BIP47

Status: Unanimously discouraged for implementation

Pros: Much easier receipt of funds to a static code while preserving privacy; no direct link between payment code and on-chain addresses/transactions (unlike static Bitcoin addresses)

Cons: Most versions require a notification transaction to be sent on-chain so that the recipient knows how to look for funds sent to them; the notification transaction can undermine privacy if done incorrectly

The proposal for Reusable Payment Codes is one of the best-known BIPs due to its adoption and use by Samourai Wallet under the name “PayNym.” This proposal is similar to Stealth Addresses in that a single payment code can be used to derive unlinkable on-chain addresses, but differs in that it does not use different addressing formats on-chain and instead relies on a notification transaction to allow the recipient to find their funds on-chain.

PayNyms, despite being rejected/discouraged in BIP47, have seen quite wide use and have recently been implemented in Sparrow Wallet and even by a Bitcoin mining pool, “Lincoin.”

A great summary of the three main Reusable Payment Code schemes has been provided by Ruben Somsen, the author of Silent Payments, in the gist for Reusable Taproot Addresses.

Further Reading:

Stealth Addresses — BIP63

Status: Never accepted as a BIP despite being given a BIP number

Pros: When enforced, prevents all links between off-chain addresses/pubkeys and on-chain one-time addresses; breaks all address-based heuristics

Cons: Wallets now have to scan all transactions to validate which ones are owned by the user's private keys; can no longer do simple address-based wallet sync

Stealth Addresses are a novel concept that allows a receiver to share or publish a single static code that senders can derive one-time addresses from, breaking any cryptographic links to the shared/published code on-chain. While this does add considerable overhead to wallet scan times (all transactions must be scanned to see what is owned by your private keys instead of just validating known addresses), it completely breaks wallet clustering by addresses along with many other key heuristics.

Stealth Addresses were originally proposed for Bitcoin in 2011 on BitcoinTalk, but were abandoned as a BIP after OP_RETURN was changed:

“OP_RETURN got changed to 40 bytes at the last minute, preventing my stealth address standard from working, and moved on to work on other things.”

–u/petertodd

While Dark Wallet did implement Stealth Addresses for Bitcoin, the wallet never officially launched and was abandoned. Monero, on the other hand, includes Stealth Addresses as they were a core part of the original CryptoNote protocol that Monero was created from.
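Both the Confidential Transactions section above and the Stealth Addresses section rest on the same secp256k1 arithmetic, so here is one added example covering both; it is my own illustration, not code from Bitcoin, Monero, Elements or Dark Wallet. The first half builds Pedersen commitments and the balance check a verifier runs without ever seeing amounts (range proofs, which stop negative amounts from balancing, are omitted); the second half derives a one-time output from a static (scan, spend) key pair and shows the scan step a receiver must run against every transaction. The second generator H, the hash-to-scalar function and all key values are simplifying assumptions made for the demo.

```python
import hashlib

# secp256k1, the curve Bitcoin uses (domain parameters are public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):
    return None if pt is None else (pt[0], (P - pt[1]) % P)

def encode(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")  # compressed form

def hash_to_scalar(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def derive_h():
    """Second generator whose discrete log w.r.t. G nobody knows. Stand-in
    try-and-increment hash-to-curve (assumption), NOT the exact constant Elements uses."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(encode(G) + bytes([ctr])).digest(), "big") % P
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

H = derive_h()

# --- Confidential Transactions: Pedersen commitments hide amounts but stay additive ---
def commit(value, blind):
    """C = value*H + blind*G; an observer sees only C."""
    return add(mul(value, H), mul(blind, G))

def balances(in_commits, out_commits, fee):
    """Verifier check: sum(inputs) - sum(outputs) - fee*H must be the point at infinity.
    True iff the amounts balance and the blinds were chosen to sum to zero, so the
    verifier learns nothing about the amounts (the fee itself is explicit on-chain)."""
    acc = None
    for c in in_commits:
        acc = add(acc, c)
    for c in out_commits:
        acc = add(acc, neg(c))
    return add(acc, neg(mul(fee, H))) is None

# --- Stealth addresses: one-time outputs derived from a static published code ---
def stealth_code(scan_priv, spend_priv):
    """Receiver publishes (scan_pub, spend_pub) once; neither ever appears on-chain."""
    return mul(scan_priv, G), mul(spend_priv, G)

def sender_derive(scan_pub, spend_pub, ephemeral_priv):
    """Sender: R = r*G is attached to the tx; the output pays spend_pub + H(r*scan_pub)*G."""
    r_pub = mul(ephemeral_priv, G)
    shared = hash_to_scalar(encode(mul(ephemeral_priv, scan_pub)))
    return r_pub, add(spend_pub, mul(shared, G))

def receiver_scan(scan_priv, spend_pub, r_pub, output_pub):
    """Receiver runs this against every transaction: the scanning cost the text describes."""
    shared = hash_to_scalar(encode(mul(scan_priv, r_pub)))
    return add(spend_pub, mul(shared, G)) == output_pub, shared

def receiver_spend_key(spend_priv, shared):
    """One-time private key; only the holder of spend_priv can compute it."""
    return (spend_priv + shared) % N
```

Two things to notice when running it: the balance check passes on a correctly blinded 50 → 30 + 19 + 1 fee split and fails if any amount is off by one, and a wallet that holds only the scan key can detect its outputs but cannot spend them, which is what makes a separate, less sensitive scanning key possible.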

Further Reading:

PayJoin — BIP78

Status: Draft

Pros: Creates transactions that look normal but break common heuristics; easy to perform when supported by the recipient

Cons: Requires a hot wallet on the merchant/recipient side, cannot send to a simple address, etc.; a malicious sender can attempt to force the recipient to reveal UTXOs (the attack is mitigated if properly implemented)

PayJoin may also be well known to the Bitcoin privacy community as it has gotten some media attention and minor adoption despite its official “draft” status. PayJoin lets the sender and recipient of a transaction work together to build a combined transaction that includes a UTXO (or more) from both the sender and the intended recipient of funds, obfuscating the actual nature of the payment on-chain.

A similar protocol was implemented in Samourai Wallet in 2019 as “Stowaway” (before the PayJoin BIP was proposed), and PayJoin proper was implemented in BTCPay Server in June 2020, JoinMarket in August 2020, Blue Wallet in October 2020, and Sparrow Wallet in November 2020. See these documents for more information:

Although implemented in some wallets and tools, PayJoin usage unfortunately seems to remain very sparse today (though it's hard to detect on-chain, so it might be higher than we realize). Most of the lack of adoption appears to be due to the need to keep hot keys on the merchant side in order to support PayJoin, which many merchants are unwilling to do for the advantages PayJoin brings.
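To make concrete which heuristics a PayJoin breaks, here is an added example (my own, not from BIP78 or any of the wallets named above) that runs two chain-analysis heuristics over a constructed ordinary payment and the same payment done as a PayJoin: the common-input-ownership heuristic and the “one of the outputs is the payment amount” guess. The owner labels are ground truth only the participants know; the `receiver_may_join` check is a simplified stand-in for BIP78's requirement that the sender's original proposal be independently broadcastable before the receiver contributes anything.

```python
# Constructed toy transactions. Amounts are satoshis. "owner" is ground truth that a
# chain observer never sees; the observer sees only addresses and amounts.
def io(addr, amount, owner, signed=True):
    return {"addr": addr, "amount": amount, "owner": owner, "signed": signed}

TRUE_PAYMENT = 40_000  # what Alice actually pays Bob in both transactions

# Ordinary payment: only Alice funds the inputs; Bob's output equals the payment.
NORMAL_TX = {
    "inputs": [io("alice-1", 30_000, "alice"), io("alice-2", 30_000, "alice")],
    "outputs": [io("bob-pay", 40_000, "bob"), io("alice-chg", 19_000, "alice")],
}

# PayJoin: Bob adds a 50_000 sat input of his own, so his output is 90_000 and no
# output equals the real payment. Fee is 1_000 sat in both cases.
PAYJOIN_TX = {
    "inputs": [io("alice-1", 30_000, "alice"), io("alice-2", 30_000, "alice"),
               io("bob-in", 50_000, "bob")],
    "outputs": [io("bob-pay", 90_000, "bob"), io("alice-chg", 19_000, "alice")],
}

def fee(tx):
    """Consensus only cares that inputs cover outputs; the remainder is the fee."""
    return sum(i["amount"] for i in tx["inputs"]) - sum(o["amount"] for o in tx["outputs"])

def common_input_cluster(tx):
    """Common-input-ownership heuristic: every input is assumed to be one wallet."""
    return {i["addr"] for i in tx["inputs"]}

def owners_merged_by_heuristic(tx):
    """Ground-truth view of that cluster: how many distinct real owners did it merge?"""
    return {i["owner"] for i in tx["inputs"]}

def payment_candidates(tx):
    """Amount heuristic: with a single payer, each output is a candidate payment amount."""
    return sorted(o["amount"] for o in tx["outputs"])

def true_payment(tx, payee):
    """What the participants know: payee's outputs minus the inputs the payee contributed."""
    return (sum(o["amount"] for o in tx["outputs"] if o["owner"] == payee)
            - sum(i["amount"] for i in tx["inputs"] if i["owner"] == payee))

def receiver_may_join(original_tx):
    """Receiver-side guard (simplified BIP78 idea): only add a UTXO once the sender's
    original proposal is fully signed and spendable on its own, so a sender who walks
    away after learning the receiver's UTXO gains nothing and the fallback still pays."""
    return all(i["signed"] for i in original_tx["inputs"]) and fee(original_tx) > 0
```

Running the heuristics shows the mechanism behind the “looks normal” claim: the PayJoin is valid and fee-paying like any other transaction, but the input cluster now contains two real owners, and neither output equals the 40,000 sat that actually changed hands.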

Further Reading:

Peer-To-Peer Communication Encryption — BIP151 and BIP324

Status: Original BIP151 withdrawn, new BIP324 in draft

Pros: Prevents simple snooping by internet service providers (ISPs) and mobile carriers; prevents man-in-the-middle attacks by rogue nodes pretending to be your specified remote node; can pin known good nodes to ensure you have healthy nodes as peers

Cons: Increased overhead in the peer-to-peer (P2P) protocol; new denial-of-service (DoS) vectors created by the use of encryption; does not fully prevent deep packet inspection by ISPs, etc.

P2P communication encryption is a large and necessary step forward in securing Bitcoin's P2P network against common attacks and in providing basic privacy to those running a node from their ISP and other basic surveillance, and has been proposed for Bitcoin via BIPs 151 and 324.

To quote the author:

“BIP324 proposes a new Bitcoin P2P protocol, which features transport encryption and slightly lower bandwidth usage.”

P2P communications encryption is something that is not commonly done in the cryptocurrency space, but is also being worked on in the Monero community.

Further Reading:

Dandelion — BIP156

Status: Rejected

Pros (specifically the Dandelion++ iteration): Prevents deterministic linking of transactions back to their originating node by active surveillance of the P2P network; provides strong network-level privacy without necessitating use of an anonymity network (which have their own serious DoS/Sybil issues)

Cons (specifically the Dandelion++ iteration): Transaction broadcast takes much longer (usually one minute to one-and-a-half minutes for complete propagation instead of just a few seconds); opens up new DoS vectors if using a malicious remote node and not your own

Dandelion is an approach to bringing plausible deniability to the Bitcoin peer-to-peer network in a way that prevents others on the network from deterministically tying transactions to the originating node. It does this by selecting a set of nodes to transmit the transaction to in sequence (one at a time, called the “stem” phase) and then only transmitting to the rest of the network after a predetermined number of nodes have also transmitted the transaction (called the “fluff” phase).

Dandelion++, an iteration that resolves many of the problems with the original Dandelion proposal, was implemented in Monero in 2020.
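The stem/fluff split is easiest to see in a small simulation, so here is an added example of my own (not code from BIP156, Dandelion++ or Monero). It models a constructed ten-node network where each node has one chosen stem relay, a stem phase that hands the transaction along one relay at a time and flips a coin per hop to start fluffing (the Dandelion++ behaviour, with a hop cap standing in for the latency cost the text mentions), a flood-fill fluff phase, and a “first-spy” adversary that blames whichever node announced first. `possible_origins` computes the set of nodes that could plausibly have started a transaction that fluffed from a given node.

```python
import random
from collections import deque

# Constructed toy P2P graph: node -> neighbours (undirected).
TOPOLOGY = {
    0: [1, 2, 5], 1: [0, 3, 6], 2: [0, 4, 7], 3: [1, 8], 4: [2, 9],
    5: [0, 6], 6: [1, 5, 7], 7: [2, 6, 8], 8: [3, 7, 9], 9: [4, 8],
}
# Each node forwards stem-phase transactions to exactly one chosen neighbour.
STEM_RELAY = {0: 2, 1: 3, 2: 7, 3: 8, 4: 9, 5: 6, 6: 7, 7: 8, 8: 9, 9: 4}

def stem_phase(origin, rng, fluff_prob=0.1, max_hops=10):
    """Hand the tx to one relay at a time. Each hop switches to fluff with
    probability fluff_prob; max_hops bounds how long the stem can delay broadcast."""
    path = [origin]
    for _ in range(max_hops):
        if rng.random() < fluff_prob:
            break
        path.append(STEM_RELAY[path[-1]])
    return path

def fluff_phase(start):
    """Ordinary diffusion: flood from the fluffing node; returns the round at which
    each node first hears the transaction."""
    heard, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nb in TOPOLOGY[node]:
            if nb not in heard:
                heard[nb] = heard[node] + 1
                queue.append(nb)
    return heard

def first_spy_guess(heard):
    """Adversary watching the diffusion layer blames whichever node announced first."""
    return min(heard, key=heard.get)

def broadcast(origin, rng, **stem_kwargs):
    """Full Dandelion broadcast plus the adversary's attribution of it."""
    path = stem_phase(origin, rng, **stem_kwargs)
    heard = fluff_phase(path[-1])
    return {"true_origin": origin, "stem_path": path,
            "adversary_guess": first_spy_guess(heard)}

def possible_origins(fluff_node, max_hops):
    """Plausible-deniability set: every node whose stem route could have passed
    through fluff_node within max_hops (the stem may stop at any hop)."""
    always_stem = random.Random(0)  # with fluff_prob=0 the coin never comes up "fluff"
    return {o for o in TOPOLOGY if fluff_node in stem_phase(o, always_stem, 0.0, max_hops)}
```

With no stem (`fluff_prob=1.0`) the first-spy adversary names the true origin every time; with a three-hop stem from node 0 the transaction surfaces at node 8, and eight of the ten nodes could equally have been its source. The same simulation also shows the con listed above: the origin's privacy depends entirely on the honesty of the relay it hands the transaction to.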

Further Reading:

Taproot — BIP341

Status: Draft (but not really, as it's already deployed in Bitcoin via soft fork)

Pros: Drastically improved privacy when using scripts (like multisig or Lightning channel opens/closes) assuming wide adoption; more scripting possibilities via Tapscript; potential efficiency improvements, batching, etc.

Cons: Non-cooperative channel-close transactions must still reveal the script, negating the privacy gains in those situations

Taproot is likely the most well-recognized BIP on this list, and has actually been implemented in Bitcoin despite still being marked as “Draft” in the BIP GitHub repository.

Taproot is really only on this list because it has so far gone practically unused, but as things can move very slowly toward adoption in Bitcoin (especially when optional, as Taproot use is), it will likely take several years before Taproot is widely used.

Once Taproot is usable for Lightning Network channel opens it will provide good privacy by hiding the script details in each channel-open transaction and making it much harder to find channel opens on-chain in Bitcoin. This privacy does break down in the case of a non-cooperative channel close, however, as the script must be revealed on-chain in that case.

Further Reading:

SNICKER

Status: Abandoned, never formally proposed for Bitcoin

As I don't know much about SNICKER I won't go into detail on my thoughts, but see the quote below for a summary of what the proposal was meant to do:

“SNICKER (Simple Non-Interactive Coinjoin with Keys for Encryption Reused) is a simple method for allowing the creation of a two party coinjoin without any synchronisation or interaction between the participants. It relies on the idea of reused keys (either reused addresses, or recognition of ownership of signed inputs and thus pubkeys in signatures).”

As far as I can tell the proposal has been abandoned since 2020.

Further Reading:

CoinSwap

Status: Work in progress, but never formally proposed for Bitcoin

Pros: Appears to be a normal transaction type on-chain

Cons: Does not actually obfuscate or break any on-chain history, it simply attempts to break simple ownership heuristics; allows those with tainted funds to swap for “clean” funds to the detriment of the swap counterparty; no clear privacy advantages in most situations

CoinSwap was a popular and oft-discussed proposal in 2020 to allow users to swap UTXOs (and thus their associated history), but was met with strong pushback as it does nothing to remove history or break deterministic links.

See the quote below for a simple summary of CoinSwap:

“Coinswap is a protocol that allows two or more users to create a set of transactions that look like independent payments but which actually swap their coins with each other, optionally making a payment in the process.”

It seemed that CoinSwap had been abandoned, as there was no progress made since 2020, but recently Chris Belcher launched an implementation of CoinSwap called Teleport Transactions.

Further Reading:

Silent Payments

Status: Work in progress, not yet formally proposed for Bitcoin

Pros: Much easier receipt of funds to a static code while preserving privacy; no direct link between payment code and on-chain addresses/transactions (unlike static Bitcoin addresses); does not require an on-chain notification transaction, unlike BIP47

Cons: Currently completely incompatible with light wallets; adding a new Silent Payment code after initial block download (IBD) requires completely restarting IBD; requires constant scanning of the blockchain for new uses/transactions

Silent Payments are all the rage in recent Bitcoin discussion, and are similar in some ways to BIP47 (mentioned above).

While they also offer the ability to share or publicize a single static payment code and receive payments that are not linkable on-chain, there remain serious tradeoffs in the approach that make light-wallet use practically impossible and can require completely re-downloading the Bitcoin blockchain to find new transactions for any new Silent Payment addresses.

It will be interesting to see this proposal play out, but so far the better option still appears to be BIP47.

A great summary of the three main reusable payment code schemes has been provided by Ruben Somsen, the author of Silent Payments, in the gist for Reusable Taproot Addresses.

Further Reading:

Reusable Taproot Addresses

Status: Work in progress, not yet formally proposed for Bitcoin

Pros: Much easier receipt of funds to a static code while preserving privacy; no direct link between payment code and on-chain addresses/transactions (unlike static Bitcoin addresses); combines the first payment and notification into one “real” transaction, unlike BIP47; the notification transaction appears just like any other Taproot spend on-chain

Cons: Sender and receiver both must support and use Taproot; the sender needs to follow a special protocol to be able to recover from backup

While this proposal bears many similarities to BIP47 and Silent Payments, it leverages new capabilities in Taproot to fundamentally improve on the tradeoffs taken by BIP47 reusable payment codes. A great summary has been provided by Ruben Somsen, the author of Silent Payments, in the gist below:

Reusable Taproot addresses:

  • No continuous scanning of every transaction
  • One-time interaction with the recipient (stateful for sender: if they forget, they need to interact again)
  • No on-chain footprint
  • Sender needs to follow a special protocol to be able to recover from backup (this downside can be mitigated, see below)

BIP47:

  • No continuous scanning of every transaction
  • No interaction with the recipient
  • On-chain footprint (or alternatively one-time interaction and stateful backups)

Silent Payments:

  • Continuous scanning of every transaction (increases the cost of running a full node)
  • No interaction with the recipient
  • No on-chain footprint

Further Reading:

Lightning Network

Please note that most of these proposals are still very much a work in progress and have yet to be given a clear yes/no approval. As such, the Lightning Network proposals are mainly added below as important developments to follow that potentially offer improved privacy when using the Lightning Network.

As the Lightning Network was originally designed as a tool for scalability and not privacy, many of the core design decisions initially chosen are highly detrimental to user privacy. Many of the proposals below are seeking to remedy those issues and hopefully will be able to do so without harming payment reliability or routing efficiency.

Route Blinding

Status: Work in progress

Pros: Prevents the sender from ascertaining the full path to the recipient; hides the recipient's node alias/pubkey; provides much better recipient privacy overall versus current transparent routing methods; can provide a better payment success rate by providing local routing information in some specific scenarios

Cons: Can be hard to craft blinded routes in specific routing-graph scenarios; can have a negative impact on payment success rate in specific scenarios

The current Lightning Network suffers from severe issues centered around receiver privacy, and Route Blinding is one of the key proposals seeking to remedy at least a portion of this issue.

To quote the proposal:

“Route blinding is a lightweight technique to provide recipient anonymity by blinding an arbitrary amount of hops at the end of an onion path.”

Route blinding is still very much a work in progress but shows promise for allowing a receiver to receive funds without deterministically revealing the final node receiving the funds.

Further Reading:

Trampoline Onion Routing

Status: Work in progress

Pros: Can allow light wallets to craft routes in a privacy-preserving way without a full path graph; can be used to provide receiver privacy from the sender (but not from the trampoline node, as far as I can tell)

Cons: None that I know of at this time

While not strictly a privacy improvement, Trampoline Onion Routing can provide better path privacy in some scenarios for the receiver and so is mentioned here. It can also be paired with route blinding to provide even better user privacy, especially for use cases where you cannot run a full node or construct full routes yourself for any reason.

The full privacy implications are still under consideration, but it will be an interesting proposal to follow along with.

Further Reading:

Alias SCID

Status: Work in progress

Pros: Prevents simple linking of payments to a single node alias/pubkey by using a unique alias per channel/peer

Cons: None that I know of at this time

One of the critical privacy issues in Lightning today is the fact that nodes have permanent aliases and pubkeys that are used for gossip and channel management, and as such, any receipt of payments leaks your node's alias and pubkey to the sender of the payment.

The key approach to resolving this issue in Lightning is something called “Alias SCID,” which allows you to force your peers to only refer to you or your channels by an alias which can be unique to each peer and/or channel.

Further Reading:

Offers — BOLT12

Status: Work in progress

Pros: Drastically improved privacy and flexibility for payments as the recipient; much smaller QR codes and much less information needed in the offer itself (as the necessary information is collected from the recipient's node directly instead of all being included in the invoice as in BOLT11 invoices)

Cons: None that I know of at this time

BOLT12 is a combination of many of the other proposed improvements and integrates them into a new and much more flexible invoice type for Lightning, also called an “offer.” The implementation of BOLT12 alongside route blinding and node alias SCIDs would be a huge step forward for both privacy and user experience in Lightning, and is somewhat of the current holy grail of proposals.

Be sure to keep an eye on its development if you use or are interested in the Lightning Network, as it promises to fix many of the current issues.

Further Reading:

Sidechains

The Liquid Network

Status: Live since 2018

Pros: Mildly improved per-transaction privacy due to Confidential Transactions (but mostly useless due to almost no usage, which shrinks the crowd to hide in); cheaper fees than on-chain

Cons: Custodial (via a federation); almost no usage gives you almost no crowd to hide in; past issues with the “emergency” multisig being held by very few parties

The Liquid Network is a Bitcoin-pegged and federated sidechain for Bitcoin that allows users to peg BTC in, redeem it for L-BTC and then transact on the Liquid Network.

Liquid provides moderate privacy improvements over on-chain Bitcoin due to its use of Confidential Transactions, and it is extremely cheap to transact in.

Users should be very aware that Liquid is a federated model where custodians hold the keys to your bitcoin, and thus your funds are at risk of loss or theft; you should not assume you will always be able to convert back to BTC.

But Liquid remains practically unused even after four years of being in the wild and heavy marketing.

Further Reading:

FediMint

Status: Work in progress

Pros: Very strong privacy when transacting within the sidechain; interoperable with the Lightning Network without requiring each user to run a node/manage channels/etc.; anyone can start a new minimint, not just specific people/groups; can choose a specific minimint to use based on federation members' reputation, trust, etc.; can serve as a middle ground between self-sovereign Lightning (Zeus, Core LN, LND, etc.) and “single-custodian” Lightning (Wallet of Satoshi, Cash App, Strike, etc.) while retaining user privacy from custodians

Cons: Custodial (via federations); potential regulatory pressure on federation members due to custody/transfer of users' funds; centralization of the Lightning Network due to users not running their own node, managing channels, etc. and instead relying on federation Lightning services

FediMint (and the specific initial implementation, minimint) is a relatively new proposal for building federated Chaumian-blinded eCash as a sidechain to Bitcoin, denominated in bitcoin. These federated sidechains would be relatively small, interoperable and would compete on reputation, uptime and fees.

While it is still very much a work in progress, minimint holds promise for a middle ground between fully self-sovereign Lightning Network use (Zeus, Core LN, LND, etc.) and single-custodian Lightning Network use (Cash App, Strike, etc.) by allowing a trusted federation of custodians to hold funds and manage Lightning node(s) for their users.

Note that the proposal is still fully custodial, but has differing tradeoffs compared to something like the Liquid Network.
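The “privacy from custodians” claim in the pros above comes from Chaumian blind signatures, so here is an added example of my own showing the mechanism with the classic RSA blind-signature construction (this is not FediMint's or minimint's code, and FediMint itself uses a blind BLS scheme; the RSA form is used because it fits in a few lines). The mint signs a blinded note at deposit, the user unblinds it, and at redemption the mint can verify the note and reject a second spend of the same serial but cannot match it to anything it recorded at issuance. The RSA primes are deliberately tiny demo values, not a real key size.

```python
import hashlib
from math import gcd

# Toy RSA mint key. These primes are tiny demo values (assumption for the example),
# NOT a real key size; only the blinding structure matters here.
P_MINT, Q_MINT = 1_000_003, 999_983
N_MINT = P_MINT * Q_MINT
E_MINT = 65537
D_MINT = pow(E_MINT, -1, (P_MINT - 1) * (Q_MINT - 1))

def token_hash(serial):
    """The note to be signed: a hash of the user's random serial, reduced below N_MINT."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N_MINT

def blind(m, r):
    """User side: m' = m * r^e mod n. The mint sees m', which reveals nothing about m."""
    assert gcd(r, N_MINT) == 1
    return m * pow(r, E_MINT, N_MINT) % N_MINT

def unblind(s_blinded, r):
    """User side: s = s' * r^-1 = m^d mod n, a valid signature on the unblinded note."""
    return s_blinded * pow(r, -1, N_MINT) % N_MINT

def verify(m, s):
    return pow(s, E_MINT, N_MINT) == m

class Mint:
    """Federation side: signs blinded notes on deposit, accepts notes on redemption."""

    def __init__(self):
        self.issued = []     # blinded values seen at issuance (all the mint ever learns)
        self.spent = set()   # serials already redeemed: the double-spend defence

    def sign_blinded(self, m_blinded):
        self.issued.append(m_blinded)
        return pow(m_blinded, D_MINT, N_MINT)

    def redeem(self, serial, s):
        m = token_hash(serial)
        if not verify(m, s) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True

    def can_link(self, serial):
        """Linking attempt: does anything recorded at issuance equal this note's hash?"""
        return token_hash(serial) in self.issued

def deposit_and_spend(mint, serial, r):
    """Whole round trip from the user's side; returns (redeem_ok, mint_could_link)."""
    m = token_hash(serial)
    s = unblind(mint.sign_blinded(blind(m, r)), r)
    return mint.redeem(serial, s), mint.can_link(serial)
```

The custody caveat in the text survives unchanged: the mint still holds the bitcoin backing every note, and a federation that refuses to redeem (or loses its keys) can still cost users their funds; blinding only removes the federation's ability to see who paid whom.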

Further Reading:

This is a guest post by Seth For Privacy. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
