Privacy in Cryptocurrencies: An Overview

Transactions in Bitcoin are recorded in its blockchain. This makes it possible to see whether coins sent through the network are still valid unspent coins. At the same time, however, the transparency of the data stored in the blockchain can be used to infer private information about users. There are already many cryptocurrencies and “money laundry” options which promise to ensure, or at least increase, privacy for their users. In the two tables below, we list key features and specifications of several cryptocurrencies (Table 1) and categorize mixing services (Table 2) which claim to protect privacy.

In our comparison of anonymous cryptocurrencies we define the term “privacy” as follows. To protect privacy, an e-cash scheme should satisfy the following conditions:

  • Untraceability: It is infeasible to learn anything about the history of a coin.
  • Sender-Anonymity: It is infeasible to link two payments to the same sender.
  • Receiver-Anonymity: It is infeasible to link two payments to the same recipient.
  • Hidden Amount: It is possible to hide the value of a transaction.

Note that an attacker who wants to obtain the private information of a user could come in different disguises: e.g. as the sender of a transaction or just as a passive observer. “Infeasible” should mean that no one has the means to extract private information from the data exchanged during a transaction and the traces left in the ledger.

Important: In the table below, “✓” does not necessarily mean 100% privacy protection. It only indicates that measures are taken to improve privacy (how much depends, for example, on the size of the anonymity set; see also e.g. [1], [2] below). Furthermore, we do not discuss other aspects of security, like unforgeability of coins, double-spending, setup issues, or vulnerabilities in the P2P network. Please see the official websites and blogs of the corresponding services for further information.

Please contact us if you find inaccuracies or if you would like to suggest additions. Thanks!

Anonymous decentralized e-cash schemes:

| Scheme | Untraceability | Sender-Anonymity | Receiver-Anonymity | Hidden Amount |
|---|---|---|---|---|
| AppeCoin (a draft) | ✓ Private, Delegated, and Public Shuffle of Coins | ✓ Private, Delegated, and Public Shuffle of Coins | ✓ One-Time Address (Universal Re-Encryption) | ✓ Encrypted (Zero-Knowledge Proof for Balance in Splitting Transaction) |
| Cloakcoin | ✓ Off-chain Mix with Secure Communication Channel via Onion-Routing | ✓ Off-chain Mix (Enigma Transaction) | ✓ Off-chain Mix (Enigma Transaction) | (Fixed Denomination) |
| CryptoNote (Bytecoin, Dashcoin, ...) | ✓ Ring Signature and One-Time Address | ✓ Ring Signature | ✓ One-Time Address (Stealth Address) | |
| Dash (PIVX) | ✓ Coin-Mixing by Masternodes | ✓ Coin-Mixing by Masternodes | ✓ Coin-Mixing by Masternodes | |
| Monero (based on CryptoNote) | ✓ Ring Signature and One-Time Address | ✓ Ring Signature | ✓ One-Time Address (Stealth Address) | ✓ Confidential Transaction |
| Shadowcash | ✓ Minting Shadow Tokens from Shadowcash | ✓ Ring Signature for Shadow Tokens | ✓ One-Time Address (Stealth Address) | ? |
| Zcash (Komodo) | ✓ Fully Encrypted Coin | ✓ Zero-Knowledge Proof of Ownership (zk-SNARK) | ✓ One-Time Address (Random/zk-SNARK) | ✓ Encrypted (zk-SNARK for Balance in Pour Transaction) |
| Zerocoin (needs a basecoin) | ✓ Encrypted Coin Serial Number | ✓ Zero-Knowledge Proof of Ownership (Accumulator/Fiat-Shamir) | ? | (Fixed Denomination) |

Mixing Services:

A mixing service is an external tool which attempts to increase anonymity of a cryptocurrency. We organize several mixing services into centralized mixes, n-Party mixes, or mixes which use other methods.

The user of a centralized mixing service must trust the operator to return his money, and to keep the information about the mix private. Some services offer accountability, i.e., the ability to prove theft if the operator does not return the client’s money.

The user of an n-party mix (or decentralized mix) forms a group with other users and mixes his coins with theirs. This is usually done in a single mix transaction and prevents theft. Anonymity depends on the size of the anonymity set and whether it is possible to find partners anonymously. Frequent problems related to decentralized mixes include: Denial of Service and Sybil attacks, poor performance, and incompatibility with Bitcoin.
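
An added example, not part of the original page: a toy model of one n-party mix transaction, showing how each output's anonymity set shrinks when amounts differ or when some participants are Sybil identities of the observer. The addresses, the amounts and the model itself (one input and one output per participant, no fees or change, matching on amounts only) are constructed assumptions.

```python
# Added example: toy model of a single n-party mix transaction.
# Assumptions (not from the page): one input and one output per participant,
# no fees or change, and the observer can only match inputs to outputs by amount.

def candidate_inputs(inputs, outputs):
    """Map each output address to the input addresses that could have funded it.

    inputs / outputs: dict of address -> amount, as visible in the ledger.
    """
    return {
        out_addr: sorted(a for a, amt in inputs.items() if amt == out_amt)
        for out_addr, out_amt in outputs.items()
    }

def anonymity_set_sizes(inputs, outputs, sybil=frozenset()):
    """Anonymity set size of every honest output, from the observer's view.

    sybil: addresses (inputs and outputs) controlled by the observer. The
    observer knows its own links, so its inputs drop out of every honest
    output's candidate set.
    """
    sizes = {}
    for out_addr, cands in candidate_inputs(inputs, outputs).items():
        if out_addr in sybil:
            continue
        sizes[out_addr] = sum(1 for a in cands if a not in sybil)
    return sizes

# Constructed sample data (amounts in the smallest currency unit).
FIXED_IN = {"in_A": 100_000, "in_B": 100_000, "in_C": 100_000, "in_D": 100_000}
FIXED_OUT = {"out_1": 100_000, "out_2": 100_000, "out_3": 100_000, "out_4": 100_000}
VARIED_IN = {"in_A": 100_000, "in_B": 250_000, "in_C": 70_000, "in_D": 100_000}
VARIED_OUT = {"out_1": 250_000, "out_2": 100_000, "out_3": 70_000, "out_4": 100_000}
SYBIL = frozenset({"in_C", "in_D", "out_3", "out_4"})

if __name__ == "__main__":
    # Fixed denomination: every output hides among all four inputs.
    print("fixed denomination:", anonymity_set_sizes(FIXED_IN, FIXED_OUT))
    # Distinct amounts: unique values link input and output directly.
    print("varied amounts:    ", anonymity_set_sizes(VARIED_IN, VARIED_OUT))
    # Two of four participants are Sybils: honest users hide among two only.
    print("with Sybils:       ", anonymity_set_sizes(FIXED_IN, FIXED_OUT, SYBIL))
```
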

Centralized Mix | n-Party Mix | Other Type

  • Barber's Fair Exchange (2-Party)
  • Bitcoin Fog
  • BitLaundry
  • Bitmixer
  • BlindCoin (based on Mixcoin; Blind Signature/Public Log)
  • CoinJoin
  • CoinParty (Threshold Transaction)
  • CoinShuffle
  • CoinSwap (2-Party)
  • DarkWallet (based on CoinJoin; + Stealth Payment)
  • Joinmarket
  • Proposal by W. Ladd (Blind Signature)
  • Mixcoin (with accountability)
  • SharedCoin
  • TumbleBit (Off-Blockchain Payments)
  • XIM (based on Barber; 2-Party; Sybil and DoS resilient)

Recent article(s) about this topic:

[1] An Empirical Analysis of Linkability in the Monero Blockchain, 2017 (A. Miller, M. Moeser, K. Lee, A. Narayanan)

[2] An Unofficial Response to “An Empirical Analysis of Linkability in the Monero Blockchain” (J. Ehrenhofer) / a discussion in Monero Reddit