Blockchain privacy technologies series: Mixing

Introduction

“Where does a wise man hide a leaf? In the forest. But what does he do if there is no forest? He grows a forest to hide it in.” ― G K Chesterton, The Innocence of Father Brown
"Mixing" technologies rely on obfuscation to hide sensitive information (identity, transaction data) and ultimately ensure privacy and anonymity. Obfuscation commonly takes various forms: adding noise to cover conversation, blend in a crowd, create copies or decoys, natural camouflage... In the context of blockchain, obfuscation is implemented using cryptography.

Note

Besides, most of the interesting blockchain' properties relies on cryptography: immutability, security....and privacy.
Cryptography is based on computer science and mathematics, especially probabilities.
Often it won't ensure absolute validity but rather ensure a very high likelihood of validity.
It is not absolutely true to say that a blockchain is immutable, or that a private key can't be deduced from a public key. It is "only" very unlikely. So unlikely that we end up considering that the properties ensured by cryptography are always true.

"Mixing private keys": Ring Signatures

Group signatures

A group signature scheme is a method for allowing a member of a group to anonymously sign a message on behalf of the group.
It can be compared to the use of rubber stamp. Several employees are being delivered a company's stamp/seal. They use it to sign documents. They don't sign in their name but in the name of the company they belong to. It serves as evidence of authenticity while preserving anonymity.

However group signatures requires a group manager. This leads to critical drawbacks.
First, anonymity can be compromised. The group manager can reveal the identity of signer using its group manager's secret key.
Second, signers groups can't be improvised. The group manager is in charge of forming the group.

Ring signatures

Ring signatures are an improvement of group signatures. They don't require a group manager. Especially they guarantee the anonymity of signers. And a group of signers = Ring can be improvised.

Consider a group of n entities.
Each have public/private key pairs, (P1, S1), (P2, S2), ..., (Pn, Sn).
Party i can compute a ring signature σ on a message m, on input (m, Si, P1, ..., Pn).
Anyone can check the validity of a ring signature given σ, m, and the public keys involved, P1, ..., Pn.

Implementations

Monero Logo
Ring signatures only ensure privacy of the sender. Monero goes further with Ring Confidential Transactions that also obfuscate the identity of the recipient and the transaction amounts.

"Mixing coins": CoinJoin

Imagine the following situation:

  • 10 "spenders"
  • 10 "recipients"
  • requirements:
    • [ ] none of the spender wants to be tied to the recipient after sending their 1€
    • [ ] each spender spends 1 €
    • [ ] each recipient receives 1€

CoinJoin follows this protocol to fulfill the privacy requirement:

  1. All spenders put their one 1€ coin in a bag
  2. Each recipient pulls out 1€ coin out of the bag.
  3. [x] each spender spent 1€
  4. [x] each recipient received 1€
  5. [x] no way to tell where any of the 1€ coins came from

In more technical terms, CoinJoin is a special kind of Bitcoin transaction that breaks the common input ownership euristic. Bitcoin transactions are made of inputs and outputs. Inputs being unspent outputs (UTXO) of previous transactions.
Bitcoin Transaction
Usually all the inputs belong to one same address. CoinJoin breaks this rule. It mixes inputs from different addresses to prevent associating sender and recipient addresses. Instead of performing 1-to-1 payments, we perform m-to-n.

Implementations

Wasabi wallet
Skycoin
Dash

zk-SNARK & Mixing on Ethereum: Tornado Cash

Tornado Cash logo
CoinJoin mixes bitcoins. Tornado Cash mixes ethers using a smart contract.
This "mixer" smart contract collects deposits from a depositary, transfers deposits to withdrawer, and prevents linking depositary and withdrawer thanks to zk proofs.

  1. Deposit
    • A secret is generated
    • The hashed secret (="commitment") is sent to the mixer smart contract along with an amount of n-ETH
    • From now on, this unspent commitment, just like an Bitcoin UTXO, is waiting to be withdrawn/spent. It is mixed to other n-ETH deposits
  2. Withdraw For the smart contract to allow the withdrawal, the withdrawer needs to prove ownership of a secret corresponding to an unspent commitment. zkSNARKs allows doing it without revealing which deposit the secret was generated from.

You'll only receive email when Gauthier Riou publishes a new post

More from Gauthier Riou