Wow, we're already at 2 pages of discussion. Thanks everyone who chimed in so far - I'm catching up right now!
MimbleWimble: a completely new protocol for confidential transactions and smaller transactions
You could also add Litecoin to the list (I see you mentioned it above); it has code that is very similar to Bitcoin's and has been used before as a testing ground for Bitcoin.
I opted to just add Grin since it implemented MimbleWimble first, from what I can tell. But if the implementation is different and these changes make its implementation more interesting for Bitcoin, I'll have a closer look there.
I would always vote for adding any privacy-based protocol change in Bitcoin, but I am more than certain that it would create huge conflicts of interest and probably a hard fork.
You think so? I believe some privacy upgrades could be implemented as soft fork.
What do you guys think about this, though? A hard fork would mean that from then on every UTXO would be private; on the other hand, old UTXOs would still remain 'open', so we might as well go for a soft fork (if technically possible)? I think that's an interesting question to discuss.
The biggest downsides of privacy tech like ZCash and Monero are that they hugely hurt scalability, not just by having much larger transactions, but also by making it impossible to identify the UTXO set.
[...]
Great insight, thanks! I will add these points as drawbacks of ZCash and Monero. I personally think scalability should always be maintained and / or improved in Bitcoin to maintain maximum decentralization.
Another feature, that can be considered both an advantage in some cases, and a disadvantage in others, is that MW transactions are multisig by sender AND receiver, and thus require them to interact to build the tx, just as is already the case for Lightning. The advantage being that you cannot receive unwanted coins (like tainted ones), and don't need to scan the blockchain for new outputs unless you just transacted. The disadvantage is that you need to be in communication with the recipient.
Note that Litecoin's MWEB implementation is not pure MW, but a more complicated hybrid that no longer requires receiver interaction.
Interaction sounds pretty much like a no-go to me, to be honest. It's great to hear that Litecoin was able to solve this limitation - will definitely dig up and link some information about this.
Layer 1 privacy concepts that could / do work in Bitcoin:
- CoinJoin (Greg Maxwell): combine transactions to hide who pays whom - usable today
- CoinSwap (Greg Maxwell): swap coins with someone else to get new transaction history - usable today
Can these two be classified as part of layer 1 privacy, since they don't require a change to the layer 1 protocol?
I guess it's closer to L1 than L2.. but I get where you're coming from. Some aspects do happen off-chain (coordination of inputs / outputs), but in the end you swap an on-chain UTXO for another on-chain UTXO. You never really 'leave' layer 1 for an extended period of time, compared to actually moving coins into a Lightning channel or a sidechain.
You can either have privacy or you can have proof. You can't really have both. Which was why I also pointed out privacy might be better on L2.
If you don't trust me or I don't trust you, then here you go, it's all in public; if we do, then it's the same transaction but on L2.
Interesting point that you brought up. I've thought about it a bit and there are certainly arguments for / against either position. Honestly, even with Bitcoin, I wouldn't know where to go complain / sue / ... if I went 'first' on a purchase and didn't get the goods, even though technically I could prove the payment. On the other hand, I don't think that a cryptocurrency that allows one to prove payment would incur a big hit on privacy. Most privacy features would remain intact, like unlinkability of funds and payment history.
One thing that deserves to be said is that no matter what privacy-oriented concepts, ideas and techniques are implemented in Bitcoin, you can never achieve the same levels of privacy as privacy-oriented cryptocurrencies. The reason is simple: their privacy model is enforced by default*, whereas in Bitcoin, privacy enhancement is optional. Stones are set from genesis, and even though Monero (which is what takes the cake) has experienced privacy leaks, it still forms the best black-box-like electronic money out there, in sum.
True, any UTXO before the soft- or hard fork would of course still be in the open. But the moment you spend it to a new 'privacy address' (or whatever), it would basically be 'gone' from the transparent pool.
Whether spending using a new, privacy-oriented technique can be enforced probably depends on the type of fork. But traditionally, I think we've all preferred soft forks..
Most people happily switch to the new system, like SegWit, due to the obvious benefits it offers.
If Alice is really lucky, she has some correspondence from Bob with the address in it which can be independently verified and which Bob cannot deny.
Solution: PGP. Bob can't deny he asked for money if he signed it.
Realistically, nobody is doing that today, though (as I alluded to earlier) and they still send and receive Bitcoin for goods.