[Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion

[n0nce]

Why is Zcash not really a privacy coin?

Obviously, because privacy is optional in Zcash.
Only a small minority (0.8M of 15M ZEC) of coins lives in shielded pools, and only a small fraction of transactions is z2z.

It seems most Zcash users are not interested in its privacy features, but hope to profit from other people's interest in its privacy features.

Interesting. To be fair, layer 1 privacy upgrades for Bitcoin would always be optional or partial, too - since old UTXOs couldn't be magically 'made private' until they move, right?
But I guess depending on how it's implemented, every new UTXO after the upgrade could be private by default, without an option to disable that.

What do you think about that?
Are there existing concepts / ideas about the very question how to best 'add' privacy to an existing coin (in terms of what to do with pre-upgrade UTXOs and whether privacy can or should be optional afterwards)?

[1714042995]

1714042995

[1714042995]

1714042995

[tromp]

But I guess depending on how it's implemented, every new UTXO after the upgrade could be private by default, without an option to disable that.

Zcash currently allows all 4 directions between transparent t addresses and shielded z addresses: t2t, t2z, z2t, and z2z. I'm not sure how these qualifiers work if you have different types of inputs, or different types of outputs in one tx.
A first step to phasing out transparent addresses is to disable z2t, so once shielded you stay shielded. A second step is to disable t2t, so you cannot create new transparent outputs. I don't think you want to take either step in Bitcoin.

Are there existing concepts / ideas about the very question how to best 'add' privacy to an existing coin (in terms of what to do with pre-upgrade UTXOs and whether privacy can or should be optional afterwards)?

IMO a coin that values full auditability should keep private amounts optional, although one could argue that with ElGamal commitments, at least unconditional soundness is preserved.

[dkbit98]

Why is Zcash not really a privacy coin?

Because most exchanges I know only accept depositing and withdrawing coins to and from transparent Zcash t-addresses... there is nothing private about that.
If privacy for Bitcoin would be optional I suspect that not many exchanges would enable private deposits/withdrawals, but it certainly have much better chances than for ztrash.
Bitcoin is big enough for anyone to attack it directly, maybe that is why they started dealing with privacy stuff for ethereum and other shitcoins.

According to CoinGecko, Monero is traded most on Binance - an exchange with 14 Billion US dollars in total trading volume over the last 24h.
I'm not an expert on centralized exchanges, but HitBTC with almost 2 Billion USD and Kraken with 500 Million US dollars total daily volume are also some pretty big names who list Monero. The latter I remember, recently introduced Lightning withdrawals; so it seems adding privacy to Bitcoin is certainly not something exchanges are completely shying away from.

Most reported trading volume on centralized exchanges is fake and washtrading, even on Binance, so I don't trust what they are saying.
On the other hand, one of the the biggest volume in Bisq exchange is for XMR and you can't fake that so easy, or you can't disable and halt withdrawals.

[n0nce]

Why is Zcash not really a privacy coin?

Because most exchanges I know only accept depositing and withdrawing coins to and from transparent Zcash t-addresses... there is nothing private about that.
If privacy for Bitcoin would be optional I suspect that not many exchanges would enable private deposits/withdrawals, but it certainly have much better chances than for ztrash.

I guess if you disable z2t by default, like tromp just said, they would kind of be forced to do allow depositing / withdrawing 'private coins'. With Zcash, they kind of have the power of choice as it's a lower marketcap and it's technically possible to go from shielded to transparent. But if we disable this on the by far biggest market cap asset by default, they kind of have to follow suit.

Even though Lightning Network privacy can be attacked, it's way more hidden than an on-chain withdrawal and history has shown that if the market wants e.g. Lightning withdrawals, exchanges will implement that. Even though it could make some regulator go all whiney-whiney.

Most reported trading volume on centralized exchanges is fake and washtrading, even on Binance, so I don't trust what they are saying.
On the other hand, one of the the biggest volume in Bisq exchange is for XMR and you can't fake that so easy, or you can't disable and halt withdrawals.

Sure; big Bisq fan here, too - just trying to say I wouldn't be too worried on centralized exchanges' opinion on things when it comes to advancing Bitcoin to the next level if I may say so.

[dkbit98]

I guess if you disable z2t by default, like tromp just said, they would kind of be forced to do allow depositing / withdrawing 'private coins'. With Zcash, they kind of have the power of choice as it's a lower marketcap and it's technically possible to go from shielded to transparent. But if we disable this on the by far biggest market cap asset by default, they kind of have to follow suit.

Or they would just delist Zcash from this exchanges, and they don't have to explain why.
I don't like Zcash for several reasons, and it has even worse history than monero, but some security experts like Edward Snowden thinks it's good for privacy.
Lightning Network is fine and more people is using it, but I am nor sure it's the best option for for transacting large amounts of money, and we don't know what tech Chainalysis and others are using from tracking.
Sad thing is that most people don't care at all about privacy until it's to late. 

[BlackHatCoiner]

Sad thing is that most people don't care at all about privacy until it's to late.

Not as sad it is to load up your wallet on a public Electrum server by mistake, which unquestionably didn't happen to me today.

</off-topic>

[n0nce]

I guess if you disable z2t by default, like tromp just said, they would kind of be forced to do allow depositing / withdrawing 'private coins'. With Zcash, they kind of have the power of choice as it's a lower marketcap and it's technically possible to go from shielded to transparent. But if we disable this on the by far biggest market cap asset by default, they kind of have to follow suit.

Or they would just delist Zcash from this exchanges, and they don't have to explain why.

Sure; because it's a low-volume altcoin. But good luck delisting Bitcoin..

Sad thing is that most people don't care at all about privacy until it's to late.

Not as sad it is to load up your wallet on a public Electrum server by mistake, which unquestionably didn't happen to me today.

</off-topic>

Oh noes!  It's hard to build privacy, and easy to break it.. That's why a built-in mechanism would be so great.

I am really interested in reading more about silent payments and stealth addresses.
Stealth addresses have a lot of downsides though, and I don't really see a way to fix that. There must be another way.

For now, Litecoin's MimbleWimble implementation sounds the most interesting to me, but I believe extension blocks were extremely unpopular in Bitcoin in the past, weren't they?

[ABCbits]

I don't like Zcash for several reasons, and it has even worse history than monero, but some security experts like Edward Snowden thinks it's good for privacy.

At least for Edward Snowden, it could be because he involved on Zcash creation. And when it happened, Monero still at rough start.

For now, Litecoin's MimbleWimble implementation sounds the most interesting to me, but I believe extension blocks were extremely unpopular in Bitcoin in the past, weren't they?

You're right. Here are few past discussion that i could remember,
Superspace: Scaling Bitcoin Beyond SegWit
Auxiliary block: Increasing max block size with softfork

While it's interesting approach, it's crude way to increase blocksize and add another technical complexity. IMO it'll never happen when increasing blocksize is the only goal.

[n0nce]

You're right. Here are few past discussion that i could remember,
Superspace: Scaling Bitcoin Beyond SegWit
Auxiliary block: Increasing max block size with softfork

While it's interesting approach, it's crude way to increase blocksize and add another technical complexity. IMO it'll never happen when increasing blocksize is the only goal.

I'm against blocksize increase, too, but I find it interesting to use extension blocks for MimbleWimble transactions.
Though on the other hand, it also feels a bit like Lightning or sidechains, where you add functionality (Lightning: speed and lower fees; extension blocks: privacy) 'on top' instead of 'Layer 1'.
It should be possible to prevent blocksize changes and only use these blocks for privacy, but I've got to read up on extension blocks further to understand whether that's an option.
As far as I know, in Litecoin hasn't increased their block size, either.

[dkbit98]

At least for Edward Snowden, it could be because he involved on Zcash creation. And when it happened, Monero still at rough start.

Yeah, I believe he was one of the six people, with pseudonym John Dobbertin, that participated in zcash ''trusted setup'' ceremony.
He said nobody paid him to be a part of this ceremony, but they did pay other people to participate.... all this is a shitshow because they had to make one more ceremony two years later to upgrade, and they will probably have more ''upgrades'' in future
Now even if zcash is to become without this trusted setup they will always have this suspicious shady history and it's never going to be widely accepted.
Bitcoin on the other hand never did such shenanigans, so privacy changes would be easier for people to accept.

[tromp]

He said nobody paid him to be a part of this ceremony, but they did pay other people to participate....

Nothing unusual there.
Todd went on a long road trip [1], staying at an unpredictable motel, buying a disposable computer and thoroughly destroying it afterwards, generally making lots of expenses for which Zcash reimbursed him.
Snowden probably chose to make negligible expenses and declined to be paid.

Now even if zcash is to become without this trusted setup they will always have this suspicious shady history and it's never going to be widely accepted.

If you want to talk about shady history, look at Monero's Cryptonote origins with the Bytecoin scam [2] and the purposely obfuscated inefficient miner software [3]...

[1] https://www.coindesk.com/markets/2016/11/14/zcash-and-the-art-of-security-theater/

[2] https://bitcointalk.org/index.php?topic=4508322.0

[3] https://da-data.blogspot.com/2014/08/minting-money-with-monero-and-cpu.html

[NotATether]

I guess if you disable z2t by default, like tromp just said, they would kind of be forced to do allow depositing / withdrawing 'private coins'.

Or they would just delist Zcash from this exchanges, and they don't have to explain why.

That's actually what Australia did, according to my employer (who is incorporated there).

See, lawmakers do not care about "normal address" and "private address" - they are both random strings of text to them, without a name and postal address.

[BlackHatCoiner]

See, lawmakers do not care about "normal address" and "private address" - they are both random strings of text to them, without a name and postal address.

Which is exactly why enforced improvement in privacy doesn't necessarily translate to improvement in utility or improvement in fungibility. Banning Zcash from exchanges due to it being a "privacy coin", means that all ZEC are essentially tainted.

[Hueristic]

Seraphis explanation for those interested.

https://www.youtube.com/watch?v=fEJpE7LumG8

[dkbit98]

Nothing unusual there.

Not unusual for shitcoin shenanigans  
It's just a company with workers and all other crap.
If I start to name all the shady stuff in zcash I would probably need days to finish exposing everything.

If you want to talk about shady history, look at Monero's Cryptonote origins with the Bytecoin scam [2] and the purposely obfuscated inefficient miner software [3]...

If you look my previous posts you will see that I said the same thing for monero, but they are still better than zcash in almost everything.
Some people even say that one country secret service (I won't name the country) is actually the one who is behind everything done in zcash.
Now if you look at nationality of some  scientists who worked on zcash and place they worked, you will understand better, it's not some anonymous guys like in case with Bitcoin.

Which is exactly why enforced improvement in privacy doesn't necessarily translate to improvement in utility or improvement in fungibility. Banning Zcash from exchanges due to it being a "privacy coin", means that all ZEC are essentially tainted.

Let's face it, nobody is using that crap for privacy, and you can easily confirm this onchain comparing number of transactions with everything else.
You can also look in Bisq exchange markets and you will see zec having zero volume there 

[o_e_l_e_o]

Banning Zcash from exchanges due to it being a "privacy coin", means that all ZEC are essentially tainted.

But exchanges can afford to do that because Zcash and all its pairs make up a tiny amount of their volume. If all bitcoin transactions suddenly became 100% private tomorrow, the vast majority of centralized exchanges would either have to accept that or shut down since they would not be able to survive without the volume of bitcoin and its trading pairs.

If you look my previous posts you will see that I said the same thing for monero, but they are still better than zcash in almost everything.

Not to get too off topic here, but I agree. There is no doubt that Monero (or BitMonero as it was called at the time) had shady beginnings, but the fact remains that Monero as it exists today is open source, verifiable, and importantly trustless, which cannot be said for Zcash. To use Zcash, you must trust completely in the set up process and the six individuals involved in that process. This is a complete non-starter as far as I am concerned for any currency, least of all a currency which styles itself as a privacy currency.

[tromp]

To use Zcash, you must trust completely in the set up process and the six individuals involved in that process. This is a complete non-starter as far as I am concerned for any currency, least of all a currency which styles itself as a privacy currency.

As of their NU5 upgrade on May 31, Zcash no longer relies on a trusted setup [1] [2].

[1] https://www.coindesk.com/tech/2022/05/31/zcashs-nu5-upgrade-goes-live-boosting-privacy-and-removing-trusted-setups/
[2] https://zips.z.cash/zip-0224

[o_e_l_e_o]

As of their NU5 upgrade on May 31, Zcash no longer relies on a trusted setup [1] [2].

Only for people creating and using the new Halo 2 Orchard addresses though, unless I'm mistaken? Since the old Groth16 addresses are still in use and can still be created, funded, etc., then the risk of someone compromising the entire set up and printing unlimited ZEC in secret remains. Doesn't really make a difference if the addresses I am using are trustless, when the majority of the network are still using addresses based on the old system.

Zcash need to phase out all old addresses before this upgrade means anything.


On a slight tangent, how feasible do people think it would be to do something like this for bitcoin? If we phased out all addresses except taproot (for example), then there is a privacy increase there not just from the inherent properties of taproot but also by putting everyone in to the same anonymity set and breaking some forms of blockchain analysis, such as change address identification based on matching input/output script types.

[NotATether]

On a slight tangent, how feasible do people think it would be to do something like this for bitcoin? If we phased out all addresses except taproot (for example), then there is a privacy increase there not just from the inherent properties of taproot but also by putting everyone in to the same anonymity set and breaking some forms of blockchain analysis, such as change address identification based on matching input/output script types.

That depends on whether wallets use Taproot correctly. Most will probably just set a public key and completely ignore the script path, because privacy gains only begin when you have at least two TapScripts.

Taproot is a brick and mortar, but by no means the finished building.

[tromp]

As of their NU5 upgrade on May 31, Zcash no longer relies on a trusted setup [1] [2].

Only for people creating and using the new Halo 2 Orchard addresses though, unless I'm mistaken? Since the old Groth16 addresses are still in use and can still be created, funded, etc., then the risk of someone compromising the entire set up and printing unlimited ZEC in secret remains.

There's only a risk of unlimited ZEC *within the old Sprout/Sapling pools*. There is no risk of that unlimited ZEC getting out to either the transparent or the Orchard pool due to turnstiles.

So the only risk is to people who keep ZEC in the old shielded pools in case the turnstile prevents them from getting their funds out due to someone else having inflated funds moved out.

Zcash need to phase out all old addresses before this upgrade means anything.

Disagree. The upgrade clearly means something with the turnstile protection and with the new address format defaulting payments to the Orchard pool.