Understanding the main solutions and development potential of Bitcoin privacy protection in one article

Written by Karim Helmy (Data Analyst at Coin Metrics) and Matthew Batsinelas (Altonomy)

Translated by: Perry Wang

The original article was published in blockchain media The Block. The Block authorized Lianwen to translate and publish the Chinese version.

Summary

  • Bitcoin privacy is steadily improving.

  • Developers have proposed base-layer upgrades such as Dandelion, Schnorr signatures, and Taproot to improve the privacy of the Bitcoin blockchain.

  • Sidechains let users transact inside a walled garden and can enforce privacy features the main chain does not support.

  • The Lightning Network already improves privacy considerably, and second-layer privacy is progressing further through proposals such as Ant Routing, atomic multi-path payments (AMP), and zkChannels.

Where the Bitcoin blockchain is headed

It is possible to transact privately with Bitcoin today, but it is difficult. Users who rely on CoinJoin and related techniques and follow strict privacy hygiene can protect their financial privacy, and a variety of tools have emerged in the Bitcoin ecosystem to make private transactions and exchanges easier. The process will keep getting easier through improvements to tooling, to L2 networks, and to the core Bitcoin protocol.

One of the main ways to improve Bitcoin's privacy is to upgrade the base layer itself. The Bitcoin network has tended to be conservative: it generally avoids hard forks, which change the consensus rules in a way that older nodes cannot validate. Upgrades delivered as backward-compatible soft forks, under which older nodes still see every block as valid, are generally accepted.

Even so, upgrading the network via a soft fork remains a difficult task. Proposals are rejected for many reasons, including conflicts with Bitcoin's core vision or with existing parts of the software. Even a successful fork can take years to go from conception to activation.

Base-layer upgrades

Although upgrading the Bitcoin base layer is difficult, several privacy upgrades are still worth exploring. One candidate is Dandelion++, which changes how Bitcoin transactions are relayed across the peer-to-peer network.

Today, unconfirmed Bitcoin transactions are propagated by diffusion: each node announces a new transaction to all of its peers after independent, exponentially distributed random delays. Because a node's IP address is visible to its peers, an attacker who connects to many nodes can observe the order and timing in which a transaction reaches them and infer the IP address from which it was first sent. The attacker can then link that IP address to the Bitcoin addresses in the transaction, effectively deanonymizing the user.

Dandelion++ replaces plain diffusion with a two-phase scheme. In the stem phase, a transaction is relayed from each node to exactly one outbound peer, forming a line; at each hop the transaction continues along the stem with some probability or switches to the fluff phase, in which it is diffused to everyone as today. Because each stem node forwards to only one peer and the length of the stem is random, an observer who first sees the transaction during fluff cannot tell where the stem started.

Dandelion stem and fluff phases, source: https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki

Dandelion++ was formally proposed for Bitcoin as BIP 156. Because it changes only how nodes relay unconfirmed transactions and does not touch the consensus rules, it does not even require a soft fork: Dandelion-enabled nodes remain fully compatible with nodes running existing Bitcoin software, which simply see transactions arrive as they do today. At the time of writing, however, BIP 156 had not been merged into Bitcoin Core, with the implementation stalling over denial-of-service concerns about how stem-phase transactions are held before they are announced.
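The simulation below, added here as an illustration and not taken from the article, BIP 156, or any Bitcoin implementation, shows why the stem phase matters. It builds a constructed toy peer-to-peer graph, plants a fraction of "spy" nodes that record which peer first delivered each transaction, and lets the adversary run the standard first-spy estimator (blame whoever delivered the transaction to the earliest-reporting spy). The same estimator is run against plain diffusion and against a Dandelion-style stem-then-fluff relay; the topology, spy fraction, hop delays and fluff probability are all assumptions of this example.

```python
import heapq
import random


def make_graph(n, chords, rng):
    """Constructed toy P2P topology: a ring of n nodes plus random chords."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        adj[i].add((i + 1) % n)
        adj[(i + 1) % n].add(i)
    while chords:
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            chords -= 1
    return adj


def diffuse(adj, origin, t0, spies, rng, reports):
    """Diffusion: every node forwards to all peers after an Exp(1) delay.
    Each spy appends (arrival_time, sender) to `reports` on first receipt."""
    seen = set()
    heap = [(t0, origin, None)]
    while heap:
        t, node, sender = heapq.heappop(heap)
        if node in seen:
            continue
        seen.add(node)
        if node in spies and sender is not None:
            reports.append((t, sender))
        for nbr in adj[node]:
            if nbr not in seen:
                heapq.heappush(heap, (t + rng.expovariate(1.0), nbr, node))


def first_spy_guess(reports):
    """Adversary's first-spy estimator: blame whoever delivered the
    transaction to the earliest-reporting spy."""
    return min(reports)[1]


def run_diffusion(adj, source, spies, rng):
    reports = []
    diffuse(adj, source, 0.0, spies, rng, reports)
    return first_spy_guess(reports)


def run_dandelion(adj, source, spies, rng, fluff_prob=0.1):
    """Stem phase: relay to one peer per hop, continuing with probability
    1 - fluff_prob; the last stem node then diffuses (fluff phase)."""
    reports = []
    t, prev, node = 0.0, None, source
    while True:
        candidates = [v for v in adj[node] if v != prev] or list(adj[node])
        nxt = rng.choice(candidates)
        t += rng.expovariate(1.0)
        if nxt in spies:
            reports.append((t, node))  # a spy on the stem only sees its predecessor
        prev, node = node, nxt
        if rng.random() < fluff_prob:
            break
    diffuse(adj, node, t, spies, rng, reports)
    return first_spy_guess(reports)


def attribution_accuracy(n=120, chords=120, spy_frac=0.2, trials=1500, seed=7):
    """Fraction of trials in which the first-spy estimator names the true source."""
    rng = random.Random(seed)
    adj = make_graph(n, chords, rng)
    spies = set(rng.sample(range(n), int(n * spy_frac)))
    honest = [v for v in range(n) if v not in spies]
    hits = {"diffusion": 0, "dandelion": 0}
    for _ in range(trials):
        src = rng.choice(honest)
        hits["diffusion"] += run_diffusion(adj, src, spies, rng) == src
        hits["dandelion"] += run_dandelion(adj, src, spies, rng) == src
    return {k: v / trials for k, v in hits.items()}


if __name__ == "__main__":
    print(attribution_accuracy())
```

With diffusion, the source is caught whenever one of its direct peers is a spy and hears the transaction before any two-hop path reaches another spy; with the stem in place, the only way the estimator is right is if the very first stem hop happens to be a spy, so attribution accuracy drops toward the spy fraction. The real protocol also randomizes stem successors per epoch and has to defend the stem against denial-of-service, which this toy omits.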

The two most promising upgrade plans for the Bitcoin network are Schnorr and Taproot .

The Schnorr proposal replaces Bitcoin's signature scheme, the Elliptic Curve Digital Signature Algorithm (ECDSA), with Schnorr signatures over the same secp256k1 curve. Schnorr signatures are linear: public keys and signature values can be added together, and the sum of valid partial signatures is itself a valid signature under the sum of the corresponding keys.

This linearity lets a group of signers aggregate their keys into a single public key and their partial signatures into a single signature. Threshold schemes built on it require approval from a sufficient subset of signers to spend, but the policy lives entirely off-chain: what appears on-chain is one key and one signature. That saves block space and helps the network scale. Unlike today's multi-signature scripts, such spends are also indistinguishable from ordinary single-signature transactions to an observer, which is where the privacy benefit comes from.

Schnorr's linearity is also what makes scriptless scripts possible: using adaptor signatures, parties can encode conditions such as "this signature becomes valid only once you reveal a secret" without any script on-chain, letting certain smart contracts be created and settled privately. Not all contracts can be expressed this way, but scriptless scripts can replace the on-chain scripts currently used for cross-chain atomic swaps and for Lightning payment channels.

Taproot builds on Schnorr key aggregation so that a contract's conditions are never revealed to observers in the cooperative case. If the participants agree on an outcome, the transactions that create and spend the contract look like ordinary single-key payments. Unlike scriptless scripts, Taproot can cover any condition that can be expressed in Bitcoin Script.

Taproot organizes a contract's alternative spending conditions into a Merklized Abstract Syntax Tree (MAST): each condition is a separate script leaf, and the leaves are hashed into a Merkle tree, so anyone who knows the Merkle root can verify that a particular script is one of the committed conditions without learning the others.

In the cooperative case the tree is never shown at all. The participants aggregate their keys into a single Schnorr key, tweak that key with a hash of the Merkle root, and send the funds to an address derived from the tweaked key. Because the tweak is a public function of the aggregate key and the root, the address commits to the whole tree without revealing it.

Cooperatively, the participants spend by jointly producing one Schnorr signature for the tweaked key (a key-path spend). If cooperation breaks down, a participant spends by revealing the one script they are executing, the untweaked aggregate key, and the Merkle branch linking that script to the committed root (a script-path spend); the remaining leaves stay hidden.

For sufficiently complex contracts, even the non-cooperative case reveals far less to an observer and takes up far less block space than a traditional multi-branch script.
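The following block is an added example for the two preceding passages (Schnorr linearity and key aggregation, and the Taproot key-path versus script-path spend); it is not code from the article or from Bitcoin Core. It is a minimal textbook Schnorr over secp256k1 rather than BIP 340 proper (full points instead of x-only keys, a demo-specific challenge tag, no nonce-commitment round), with a single cosigning function and a simplified TapLeaf/TapBranch/TapTweak construction; the private keys, nonces, scripts and message are constructed values for the demonstration.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def tagged_hash(tag, *parts):
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()


def challenge(R, pk, msg):
    return int.from_bytes(tagged_hash("Demo/challenge", enc(R), enc(pk), msg), "big") % N


def verify(pk, msg, sig):
    """Schnorr check s*G == R + e*P; linear in both s and P."""
    R, s = sig
    return mul(s) == add(R, mul(challenge(R, pk, msg), pk))


def key_coeffs(pubkeys):
    """MuSig-style coefficients a_i = H(L || P_i), bound to the full key set L,
    so no signer can pick a rogue key that cancels the others."""
    L = b"".join(enc(p) for p in pubkeys)
    return [int.from_bytes(tagged_hash("Demo/keyagg", L, enc(p)), "big") % N for p in pubkeys]


def aggregate_key(pubkeys):
    agg = None
    for a, p in zip(key_coeffs(pubkeys), pubkeys):
        agg = add(agg, mul(a, p))
    return agg


def cosign(privkeys, nonces, msg, tweak=0):
    """Each signer contributes s_i = k_i + e*a_i*d_i. By linearity the sums
    (R, s) verify under the aggregate key; adding e*tweak makes them verify
    under the tweaked key instead. Nonces must be fresh and, in a real
    protocol (MuSig2), exchanged in their own round before signing."""
    pubkeys = [mul(d) for d in privkeys]
    coeffs = key_coeffs(pubkeys)
    R = None
    for k in nonces:
        R = add(R, mul(k))
    pk = add(aggregate_key(pubkeys), mul(tweak))
    e = challenge(R, pk, msg)
    s = (sum(k + e * a * d for k, a, d in zip(nonces, coeffs, privkeys)) + e * tweak) % N
    return pk, (R, s)


def tap_leaf(script):
    return tagged_hash("TapLeaf", script)


def tap_branch(a, b):
    return tagged_hash("TapBranch", *sorted((a, b)))


def taproot_output_key(internal, merkle_root):
    """Q = P + H(P || root)*G commits to the tree without revealing it."""
    t = int.from_bytes(tagged_hash("TapTweak", enc(internal), merkle_root), "big") % N
    return add(internal, mul(t)), t


def verify_script_path(output_key, internal, script, sibling_hash):
    """Script path: the revealed leaf plus its Merkle sibling must rebuild the
    root that tweaks `internal` into `output_key`; the sibling script stays hidden."""
    root = tap_branch(tap_leaf(script), sibling_hash)
    return taproot_output_key(internal, root)[0] == output_key


def demo():
    # Constructed keys, nonces, scripts and message: assumptions for this example only.
    d1, d2 = 0x1111111111111111111111111111, 0x2222222222222222222222222222
    k1, k2 = 0xABCDEF1234567890ABCDEF12345678, 0x1234567890ABCDEF1234567890ABCD
    script_a, script_b = b"<cooperative close script>", b"<timeout refund script>"
    root = tap_branch(tap_leaf(script_a), tap_leaf(script_b))
    internal = aggregate_key([mul(d1), mul(d2)])
    Q, t = taproot_output_key(internal, root)
    msg = b"constructed spending-transaction digest"
    pk, sig = cosign([d1, d2], [k1, k2], msg, tweak=t)
    key_path = pk == Q and verify(Q, msg, sig)  # one ordinary-looking signature
    script_path = verify_script_path(Q, internal, script_b, tap_leaf(script_a))
    forged = verify_script_path(Q, internal, b"<attacker script>", tap_leaf(script_a))
    return key_path, script_path, forged
```

`demo()` returns `(True, True, False)`: the cooperative spend verifies as a single signature under `Q` with nothing on-chain pointing at a contract; the non-cooperative spend reveals only `script_b` plus one sibling hash, and a script that was never committed to cannot be proven against the same output key.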

Schnorr signatures were formally proposed for Bitcoin in BIP 340; Taproot and its script extensions were proposed in BIP 341 and BIP 342. The BIP authors bundled the upgrades together for activation by a single soft fork. (That soft fork activated on mainnet in November 2021, after this article was written.)

Soft-forking these BIPs into Bitcoin brings a large scaling benefit, but one of the most useful consequences of Schnorr signatures, cross-input signature aggregation, is not included in BIP 340 through 342. That construction would let all the signatures in a transaction, across all of its inputs, be combined into a single signature.

Implementing cross-input aggregation would greatly reduce blockchain bloat, since signatures take up a large share of block space and there would be far fewer of them on-chain. Unfortunately, cross-input aggregation interacts badly with the way Bitcoin reserves room for future opcode and script-version upgrades. It should still be possible to add the feature eventually, for example bundled with the Taproot follow-up proposal known as G'root, but that will take time and there are no concrete plans at present.

The hurdles facing cross-input aggregation illustrate how hard it is to upgrade the network. Another proposed base-layer improvement, confidential transactions, has run into significant obstacles despite offering large benefits for privacy and fungibility.

Confidential Transactions: Case Study 1

Confidential transactions (CT) are a proposed Bitcoin upgrade that would greatly improve privacy and fungibility. Amounts are replaced by homomorphic commitments (Pedersen commitments), so an observer can verify that the sum of a transaction's inputs equals the sum of its outputs plus the fee without learning any of the amounts. Each output also carries a zero-knowledge range proof showing its hidden amount is non-negative and below a fixed bound. Network participants can thus still validate transactions while the amounts themselves are never disclosed.

Deploying CT on Bitcoin would deprive blockchain-analysis tools of amount information, on which most of their clustering and tracing heuristics depend. That could make regulatory compliance harder for some businesses, but overall it would be a clear privacy gain.

CT is not merely theoretical: it is already used by several alternative coins, including Monero and Grin. In Monero, CT is combined with ring signatures, which obscure which of several candidate inputs actually signed, hiding both amounts and senders from observers. The resulting transactions are much larger than Bitcoin transactions, but offer much stronger privacy guarantees in theory. Beyond the block-space cost, CT has a more fundamental problem that puts it at odds with a basic tenet of Bitcoin: it makes the money supply harder to audit, and a bug in a CT implementation, or in its range proofs, can create an inflation bug that lets someone covertly mint coins.
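To make the auditability point concrete, here is an added example of Pedersen commitments that is not code from the article or from any CT implementation. It uses a toy Schnorr group modulo a freshly searched 64-bit safe prime rather than the elliptic-curve group Elements or Grin use (the algebra is identical), and it deliberately has no range proof, so it can show both the property CT is built on and the inflation hazard the passage above warns about. The blinding factors, amounts and seeds are constructed values.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (probabilistic, fine for a demo group)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 both prime, so the quadratic residues mod p
    form a subgroup of prime order q in which commitments live."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


class CTGroup:
    def __init__(self, bits=64, seed=2024):
        rng = random.Random(seed)
        self.p, self.q = safe_prime(bits, rng)
        self.g = 4  # a quadratic residue, hence a generator of the order-q subgroup
        x = int.from_bytes(hashlib.sha256(b"CT demo: second generator").digest(), "big") % self.p
        self.h = pow(x, 2, self.p)  # nothing-up-my-sleeve: nobody knows log_g(h)
        assert self.h not in (0, 1)

    def commit(self, value, blind):
        """Pedersen commitment C = g^value * h^blind; hiding and additively homomorphic."""
        return pow(self.g, value % self.q, self.p) * pow(self.h, blind % self.q, self.p) % self.p

    def balances(self, in_commits, out_commits, fee):
        """Verifier side: product of inputs == product of outputs * g^fee.
        Holds iff the amounts balance mod q and the blinding factors balance."""
        lhs = 1
        for c in in_commits:
            lhs = lhs * c % self.p
        rhs = pow(self.g, fee, self.p)
        for c in out_commits:
            rhs = rhs * c % self.p
        return lhs == rhs

    def build_tx(self, inputs, out_values, fee, rng):
        """Sender side: inputs are (value, blind) pairs; the last output's blinding
        factor is chosen so that all blinding factors cancel."""
        blinds = [rng.randrange(1, self.q) for _ in out_values[:-1]]
        blinds.append((sum(b for _, b in inputs) - sum(blinds)) % self.q)
        ins = [self.commit(v, b) for v, b in inputs]
        outs = [self.commit(v, b) for v, b in zip(out_values, blinds)]
        return ins, outs, blinds


def in_range(value, bits=52):
    """What a range proof attests in zero knowledge: 0 <= value < 2^bits.
    Only the holder of the opening can evaluate it directly."""
    return 0 <= value < (1 << bits)


def demo():
    grp, rng = CTGroup(), random.Random(7)
    # Honest transfer: 50 + 25 in, 60 + 14 out, fee 1.
    ins, outs, _ = grp.build_tx([(50, 111), (25, 222)], [60, 14], fee=1, rng=rng)
    honest = grp.balances(ins, outs, 1)
    # Same inputs but the outputs overspend by one unit: the check fails.
    ins2, outs2, _ = grp.build_tx([(50, 111), (25, 222)], [60, 15], fee=1, rng=rng)
    mismatch = grp.balances(ins2, outs2, 1)
    # Inflation hazard: 10 in, outputs 1_000_010 and q - 1_000_000 (= -1_000_000 mod q).
    # Without range proofs the balance equation still holds and 1_000_000 coins appear.
    bad_values = [1_000_010, grp.q - 1_000_000]
    ins3, outs3, _ = grp.build_tx([(10, 333)], bad_values, fee=0, rng=rng)
    inflated = grp.balances(ins3, outs3, 0)
    range_ok = all(in_range(v) for v in bad_values)
    return honest, mismatch, inflated, range_ok
```

`demo()` returns `(True, False, True, False)`: the verifier accepts the honest transaction, rejects the overspend, and also accepts the inflating one, because a "negative" amount wraps around in the group. Only the range proof, which this toy omits, stands between CT and silent inflation, which is exactly why a subtle bug in range-proof code is the failure mode the Bitcoin community worries about: the supply would be wrong and nothing on-chain would show it.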

Such an inflation bug would be difficult to detect and would undermine the integrity of the blockchain. Many in the Bitcoin community are deeply concerned about this possibility, including Alex Gladstein, chief strategy officer at the Human Rights Foundation, who believes that "it is very important to prioritize privacy as much as possible. Auditability is of course a stumbling block in this regard. We cannot have a system in the Bitcoin blockchain where full nodes cannot audit its money supply; after all, this audit is critical to the value of the Bitcoin system."

“Otherwise it’s not monetary innovation, it’s just technological innovation. It’s not going to be really useful at the end of the day,” Gladstein added.

It therefore seems unlikely that CT will be added to the Bitcoin base layer in the near future.

Several other proposed base-layer upgrades have stalled for similar ideological or practical reasons. Some of them can instead be deployed on sidechains, which offer a promising way around the barriers to changing Bitcoin's base layer.

Sidechains

A sidechain is a separate blockchain that runs alongside a base chain such as Bitcoin and is linked to it by a two-way peg, so that base-chain coins can be moved onto the sidechain and back. How much of the base chain's security carries over depends entirely on how the peg and the sidechain's block production are secured.

Liquid is one of the most notable sidechains today, and it uses a federated security model. Users obtain sidechain funds by depositing mainchain bitcoin into a multisignature address controlled by the federation members (peg-in). Once the funds are on the sidechain, users can transact freely there without any confirmation on the base chain. To return to the mainchain, a user destroys the sidechain assets and the federation releases the corresponding mainchain funds (peg-out).

Liquid Federation block signature diagram, source: https://arxiv.org/pdf/1612.05491.pdf

The federated model requires users to trust the federation members, since they hold the keys that guard the pegged funds. An alternative model, merged mining, lets mainchain miners also order transactions on the sidechain: each mainchain block includes a commitment to a sidechain block, so the same proof of work secures both.

The RSK sidechain is the best-known adopter of merged mining. The merged-mining model depends less on trusted parties than the federated model, but has been criticized as a back-door way of increasing the block size. Maintaining the peg is also harder under this model, because a merged-mined chain's native token is not a liability denominated in the mainchain's asset the way a federation's custodied funds are.

From a privacy perspective, the main attraction of sidechains is that they can enforce arbitrary consensus rules and validation requirements that the Bitcoin mainchain does not support. Liquid, for example, supports confidential transactions even though Bitcoin does not. Sidechains are useful for trialing new technology before it is proposed for Bitcoin itself, and for running privacy protocols that need a trusted setup (such as zk-SNARKs) and so may be incompatible with Bitcoin's social contract.

Sidechains are one kind of L2 network: they let users transact off the main chain while inheriting some of Bitcoin's security guarantees. The Lightning Network is another. Lightning cannot enforce arbitrary validation rules, but it delivers privacy benefits to Bitcoin users without any change to the base chain, and its settlement guarantees are stronger than those of a sidechain because every channel is ultimately enforceable by a Bitcoin transaction.

Lightning Network

Lightning is a network built on top of Bitcoin for near-instant, low-fee payments.

The Lightning Network is built on bidirectional payment channels. Two participants who share a channel can pay each other freely without settling on-chain, as long as each party's balance stays within the channel's capacity, which is fixed by the amount of bitcoin locked in the channel's on-chain funding transaction. Payments can also be routed through a series of channels, so two parties can pay each other without a direct channel between them.

As it stands, the Lightning Network already improves user privacy significantly. Only a channel's opening and closing transactions appear on-chain, so the individual payments that flow through it are never revealed to observers. Several proposed Lightning upgrades would improve privacy further, none of them requiring changes to Bitcoin's base layer.

Because payments are forwarded through intermediate channels, an observer cannot easily tell whether two parties have transacted. One of the most interesting proposed upgrades is Ant Routing, which would change how payment routes are computed. Today each sender performs source routing over a gossiped global channel graph, so every node must track the entire network topology. This scales poorly and hands adversaries the full graph, letting them place nodes strategically to monitor the most traffic. Ant Routing proposes replacing this with a fully distributed, scalable routing mechanism that is robust to such graph-learning attacks.

Another feature is Atomic Multi-Path Payments (AMP), which lets a sender split one payment into several parts that travel over different routes. The parts settle atomically: either the recipient claims all of them or none of them, so no partial payment is ever received. AMP makes it harder for any intermediary on a route to learn the total payment amount, which improves privacy. It also lets a large payment traverse channels that individually lack the liquidity for it, increasing the liquidity available to users.
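The atomicity property deserves a worked example. The block below is an added illustration, not code from the article or from any Lightning implementation; it follows the share-splitting idea of the original AMP proposal (a base preimage split into XOR shares, one per part, with each part's HTLC locked to a hash derived from that base) in simplified form, with constructed shares and a deterministic share generator for reproducibility. It shows that the recipient cannot settle any part until every share has arrived, that each part carries an unrelated payment hash, and that a corrupted share causes every part to fail rather than some of them.

```python
import hashlib
import os


def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def part_preimage(base, index):
    """Per-part HTLC preimage derived from the base preimage and the part index."""
    return sha256(base, index.to_bytes(4, "big"))


def split_payment(base_preimage, n, random_bytes=os.urandom):
    """Sender: n - 1 random shares plus one chosen so all shares XOR to the base.
    Each part carries its share and an HTLC locked to H(part_preimage)."""
    shares = [random_bytes(32) for _ in range(n - 1)]
    last = base_preimage
    for s in shares:
        last = xor(last, s)
    shares.append(last)
    return [
        {"index": i, "share": s, "payment_hash": sha256(part_preimage(base_preimage, i))}
        for i, s in enumerate(shares)
    ]


class Receiver:
    """Holds incoming HTLCs until every share is present, then settles all or none."""

    def __init__(self, n_parts):
        self.n = n_parts
        self.shares = {}
        self.held = {}

    def on_htlc(self, part):
        self.shares[part["index"]] = part["share"]
        self.held[part["index"]] = part["payment_hash"]
        if len(self.shares) < self.n:
            return []  # no preimage can be derived yet, so nothing can be claimed
        base = bytes(32)
        for s in self.shares.values():
            base = xor(base, s)
        settled = []
        for i, payment_hash in sorted(self.held.items()):
            preimage = part_preimage(base, i)
            if sha256(preimage) == payment_hash:  # only a matching preimage unlocks an HTLC
                settled.append((i, preimage))
        return settled


def demo(n_parts=3):
    counter = iter(range(1_000_000))
    deterministic = lambda k: sha256(b"constructed share", next(counter).to_bytes(4, "big"))[:k]
    base = sha256(b"constructed base preimage")
    parts = split_payment(base, n_parts, deterministic)

    recv = Receiver(n_parts)
    partial = sum(len(recv.on_htlc(p)) for p in parts[:-1])  # all but the last part
    final = len(recv.on_htlc(parts[-1]))                       # last part arrives

    # Intermediaries on different routes see unrelated payment hashes.
    unlinkable = len({p["payment_hash"] for p in parts}) == n_parts

    # A corrupted share poisons the base preimage: no part settles, not just one.
    tampered = [dict(p) for p in parts]
    tampered[0]["share"] = xor(tampered[0]["share"], b"\x01" + bytes(31))
    recv2 = Receiver(n_parts)
    tampered_settled = sum(len(recv2.on_htlc(p)) for p in tampered)

    return {"partial_claims": partial, "final_claims": final,
            "hashes_unlinkable": unlinkable, "tampered_claims": tampered_settled}
```

Running `demo()` gives zero claims after two of three parts, three claims once the last part lands, distinct payment hashes across the parts, and zero claims when a share is corrupted. Production AMP (and the later Lightning "basic MPP" variant that reuses one payment hash across parts) adds invoice integration, timeouts on the held HTLCs, and the sender-side logic that retries failed parts, none of which this toy models.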

The primary purpose of Ant Routing is scalability and that of AMP is liquidity; privacy is a secondary benefit of each. By contrast, zkChannels, under development at Bolt Labs, are designed with privacy as the explicit goal. They use zero-knowledge proofs so that a recipient cannot learn the identity of the original sender, provided the payment has passed through at least one intermediary. This cash-like property allows discreet payments that do not reveal who is paying.

The principle of payment protocol zkChannels, source: https://medium.com/boltlabs/zkchannels-for-bitcoin-f1bbf6e3570e

Deploying Schnorr signatures on Bitcoin will also benefit Lightning privacy. With scriptless scripts, the hash-locked contracts (HTLCs) used today can be replaced by point-locked contracts (PTLCs), so that the hops of a single routed payment no longer share the same payment hash and cannot be linked to one another by colluding intermediaries.

Privacy in the digital age

The Bitcoin blockchain is being pulled in several directions at once. Some want it institutionalized as a financial asset held primarily by custodians. Others want it to grow into a fast, cheap medium of exchange. A third group wants Bitcoin to remain a self-sovereign, fully verifiable store of value. How these groups interact has shaped the industry so far and will continue to do so.

At first glance, improving Bitcoin's privacy seems to conflict with each group's goals. Privacy makes it harder for institutions to verify that the funds they receive are clean. Base-layer private payments take up more block space than transparent ones. And base-layer privacy can make it harder for anyone to verify that the money supply has not been inflated.

At a deeper level, though, privacy complements each of these goals.

Confidential payments let institutions move large sums without fear of being front-run. Privacy makes everyday payments possible without government or corporate surveillance of them, and moving payments off-chain makes them faster and cheaper. And privacy makes self-custody safer, because holdings that cannot be observed are harder to target for theft.

Carefully implemented privacy protections are key to Bitcoin's success .

