Threats to privacy are continually evolving in the digital realm, from instances of expedient KYC/AML practices of cryptocurrency exchanges to the potential danger of enhanced surveillance capitalism under Facebook’s recently unveiled Libra.
Where centralized institutions suffering from an agency problem cannot be trusted to place a premium on user privacy (e.g., Facebook and Cambridge Analytica), the onus falls on users, developers, and privacy proponents to create responses. In the cryptocurrency sector, that has largely drawn from cryptography, once hailed as the last safeguard for privacy in the digital realm by cypherpunks.
The notion of employing cryptography for financial privacy gained traction with bitcoin, leading to misleading narratives about its value proposition, but eventually it was understood that the idea needed to be taken further. Bitcoin is only pseudonymous, and while you can remain close to anonymous if you take the right precautions, doing so is often outside the area of expertise of most of its users.
Enter privacy-oriented cryptocurrencies.
Monero and ZCash have prevailed among the privacy-focused cryptocurrencies over the last several years, deploying innovative techniques and cryptographic primitives to mask user identities and transaction amounts. However, despite their achievements and popularity, they have shortcomings in user experience and face the continual struggle of progressively improving their privacy mechanics.
With the IRS recently mounting a wholesale crackdown on cryptocurrency user data (to find tax evaders), further intrusions into the anonymity of crypto users by government agencies are likely on the horizon. Fortunately, where privacy collides with enforced transparency, privacy proponents are pushing back, and with monero that has taken several shapes in recent years.
Monero’s Continual Privacy Battle
Monero has built-in privacy features, like Ring Confidential Transactions (RingCTs), that mask user identities and transaction amounts to provide a higher level of anonymity than bitcoin and most other cryptocurrencies. RingCTs are based on the concept of ring signatures, which hide the true signer of a transaction among a set (i.e., a ring) of possible signers.
Monero’s application of RingCTs is limited by a fundamental design problem, however. The size of the ring’s spend proof grows linearly with the ring size, so increasing the ring size past a certain number of participants, which would make the transaction more anonymous, becomes prohibitively expensive. As a result, most RingCT transactions in monero are bounded by the size cost of the ring, since larger ring signatures mean bulkier transactions.
Omniring, a paper proposed in May this year, presents an elegant and formalized solution that scales the proof size of RingCT transactions logarithmically in the ring size without sacrificing privacy or requiring the trade-off of a trusted setup. According to the paper, the proposal relies on a form of zero-knowledge proof derived from Bulletproofs, which were themselves recently incorporated into the monero protocol.
The primary goal of improving RingCTs is to increase the number of participants in the ring without trade-offs in privacy or proof size. According to the paper, Omniring achieves three salient objectives:
“Omniring is the first RingCT scheme which 1) does not require a trusted setup or pairing-friendly elliptic curves, 2) has a proof size logarithmic in the size of the ring, and 3) allows to share the same ring between all source accounts in a transaction, thereby enabling significantly improved privacy level without sacrificing performance.”
Taken as a whole, these advances promise to vastly improve the privacy of monero, bolstering one of its core privacy components — RingCTs.
The team behind the Omniring paper notes that no rigorous formalization of RingCTs existed before their work, which left the field without a precise security model. Such shortcomings can lead to security or privacy vulnerabilities being overlooked. The team took a comprehensive approach to formalizing RingCTs, and cites the central advantages over previous models as lying in the following areas:
- Capturing Stealth Addresses
- Non-Reliance on External Communication Channels
- Stronger Security Guarantees
- Unified Ring for All Source Accounts
In particular, the unified ring for all source accounts, from which the name “Omniring” is derived, has some compelling consequences. In the separated-rings approach, a separate ring signature is used for each source account (i.e., address/user), which means that each source account is independently anonymous within its own ring. According to Omniring:
“In our model, all source accounts of a single transaction share one ring, hence the name ‘Omniring.’ This approach does not only improve efficiency, but it also improves the level of anonymity: Let us consider the case of spending from k source accounts. In the separated-rings approach, each source account is hidden within a different ring of some size n, meaning that each of the k source accounts has at most 1-out-of-n anonymity. On the other hand, in the unified ring approach of ours, having a ring of size kn offers up to k-out-of-kn anonymity.”
The paper continues:
“Now consider for instance the case that one of the real source accounts used for spending is de-anonymized. In the unified ring approach, the other real source accounts now still have (k−1)-out-of-(kn−1) anonymity, i.e., all other accounts in the unified ring still count towards the crowd to hide in. However, in the separated-ring approach, the entire ring containing the de-anonymized account would be useless for anonymity after de-anonymization.”
More generally, their construction not only improves privacy but also makes it more resilient to the circumstance where one participant in a ring is deanonymized. The paper subsequently goes on to formalize the security of RingCTs, notably defining unforgeability and privacy and the mathematical model behind them.
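To make the two quoted anonymity arguments concrete, the following added example (not code from the Omniring paper or from monero) models the separated-rings and unified-ring approaches as plain lists of account labels, enumerates the spend combinations an observer cannot rule out, and repeats the count after one real source account has been de-anonymised. The account names and ring sizes are constructed for illustration.

```python
from itertools import combinations, product
from math import comb

# Constructed toy model of the paper's 1-out-of-n versus k-out-of-kn argument.
# Account labels are made up; only the counting logic matters.

def separated_rings(real_accounts, n):
    """Separated-rings approach: each of the k real source accounts sits in its
    own ring of n members (itself plus n-1 decoys)."""
    return [[real] + [f"{real}-decoy{i}" for i in range(1, n)] for real in real_accounts]

def unified_ring(real_accounts, n):
    """Omniring approach: all k real source accounts share one ring of k*n members."""
    k = len(real_accounts)
    return list(real_accounts) + [f"decoy{i}" for i in range(1, k * n - k + 1)]

def plausible_spends_separated(rings, revealed=frozenset()):
    """Source-account combinations an observer cannot rule out.
    A revealed account resolves its whole ring; the other rings are untouched."""
    per_ring = [[m for m in ring if m in revealed] or ring for ring in rings]
    return [set(choice) for choice in product(*per_ring)]

def plausible_spends_unified(ring, k, revealed=frozenset()):
    """k-subsets of the shared ring that contain every revealed account."""
    return [set(c) for c in combinations(ring, k) if revealed <= set(c)]

def anonymity_summary(k, n, revealed_count=0):
    """Closed-form counts for both approaches once `revealed_count` of the k
    real accounts have been de-anonymised (0 gives the undisturbed case)."""
    r = revealed_count
    return {
        "separated": n ** (k - r),          # k-r rings still offer n choices each
        "unified": comb(k * n - r, k - r),  # k-r reals still hide among kn-r members
    }

if __name__ == "__main__":
    reals = ["alice-in0", "alice-in1", "alice-in2"]   # constructed labels
    k, n = len(reals), 11
    sep, uni = separated_rings(reals, n), unified_ring(reals, n)
    for revealed in (frozenset(), frozenset({reals[0]})):
        print(len(revealed), "revealed:",
              "separated =", len(plausible_spends_separated(sep, revealed)),
              "unified =", len(plausible_spends_unified(uni, k, revealed)),
              "closed form =", anonymity_summary(k, n, len(revealed)))
```

The brute-force enumeration and the closed form agree: with three inputs and eleven-member rings, revealing one real account leaves 121 plausible combinations in the separated case but 496 in the unified case, because the 32 remaining ring members still shield the other two inputs.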
The broader takeaway from Omniring is that it articulates a formal model for more efficient, private, and secure RingCTs — something that is not an outright problem with monero but could present adverse long-term consequences if not appropriately addressed.
Moving forward, Omniring seems poised for further exploration by the monero community following its presentation at the Monero Konferenco conference in late June this year.
The Aegis of Privacy
One of the fascinating aspects of bitcoin and privacy-oriented cryptocurrencies is their ability to adapt in real-time as open-source protocols. Previously, intrusions into financial privacy lacked any formidable defensive analog, at least one that was mainstream enough to be tapped by a casual user.
Today, bitcoin (e.g., with Schnorr and Dandelion++) and monero (e.g., with Omniring) are demonstrating their ability to identify weaknesses in privacy and efficiency and to address them with formalized solutions. Both cryptocurrencies take a conservative approach to change, which bodes well for sustainability and should serve them well as the public places an increasing premium on privacy.
Facebook’s foray into crypto with Libra should rightfully spur concern in people, as the tech giant’s track record for privacy preservation is about as bad as it can get. Couple their social media data with real-time payments insights on the very same users, and you have a perfect storm of surveillance. As a result, it seems inevitable that should Facebook simultaneously help introduce people to the world of cryptocurrencies and the broader need for privacy, the technologies underpinning monero and bitcoin will continue to advance at unprecedented paces.
There will never be a time when privacy is “achieved,” as it is an ongoing struggle. However, boosts in the assurances of the underlying technology, cryptography, can provide more encouraging alternatives for people tired of data harvesting, and hopefully, furnish long-term safeguards to the surveillance capitalism projected by cypherpunks.