Bitcoin could boast of revolutionary protection of financial information only at its dawn. For example, in 2011−2013, the DarkNet marketplace Silk Road accepted payments in Bitcoin for the sake of anonymity. Since then, Bitcoin has lost its reputation as an untraceable medium of exchange. Moreover, Bitcoin has never claimed to be anonymous: its mechanism is "pseudo-anonymous." "The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone," as stated in the white paper of Bitcoin. Public blockchains allow anyone to track the transaction history of a specific address, which can help in identifying the person behind it. After it became known that the National Security Agency (NSA) had been tracking Bitcoin users for several years, Emin Gun Sirer, a professor at Cornell University who leads the IC3 cryptocurrency research initiative, said that financial privacy is "extremely important" for the Bitcoin community, and he expects that after the news from the NSA, "people interested in confidentiality will switch to private cryptocurrencies." Given that the NSA scandal erupted in March, everyone who wished to has by now had time to transfer their assets to a less transparent crypto. DeCenter reviewed the main crypto candidates and the technology they use to increase privacy.

Monero

The CryptoNote protocol used in Monero was described in October 2013 by Nicolas van Saberhagen. His identity remains unknown, and the work was most likely written under a pseudonym. Bytecoin became the first cryptocurrency to use this protocol back in 2012, but two years later, due to a lack of transparency and suspicions of fraud, Bytecoin was forked, and as a result Monero came into existence ("monero" means "coin" in Esperanto). The team still works under pseudonyms (Othe, Smooth, BinaryFate, Luigi1111, and NoodleDoodle) except for two members, Riccardo Spagni and Francisco Cabañas.

Monero uses extensive functionality to protect privacy:

What: hiding the transfer amount

How: using the ring confidential transactions protocol (RingCT)

This protocol became mandatory for Monero in September 2017. From that moment on, all newly mined coins initially exist as visible outputs (that is, their amount can be seen). When the coins are sent in their first transaction, however, the sum of its outputs is "disguised." As a result, the transaction does not need to be split as in the case of mixing.

What: hiding the sender

How: using ring signatures

Ring signatures were described by Ronald Rivest, Adi Shamir, and Yael Tauman in 2001. This is a type of digital signature in which any member of a group of potential signers can produce the signature that authorizes a transaction. An analogy from the world of traditional finance would be a joint bank account, the checks of which can be signed by any of its owners. In the case of ring signatures, which member actually signed in each particular case remains unknown.

What: hiding the recipient

How: using stealth addresses

Each output corresponds to a one-time address (a one-time public key) to which the funds are sent. A third party does not know which output matches which address, and cannot connect the addresses of the sender and the recipient. So, if Alice sends Bob Monero, the blockchain will not reveal any correspondence between a particular one-time address and Bob's public key. If Bob requires proof that the coins were actually sent, however, Alice's wallet will be able to confirm this.
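How a one-time address can be unlinkable to Bob's public key yet still recognisable to Bob is shown below, as an added example that is not Monero's code. It goes beyond the article by following the CryptoNote derivation (one-time key = Hs(rA)G + B, where a CryptoNote address holds a view key A and a spend key B) and assumes a toy multiplicative group modulo 2**127 - 1 in place of Monero's elliptic curve; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2**127 - 1, base 3.
# Monero works on an elliptic curve; this group is for illustration only.
MOD = 2**127 - 1
G = 3
ORDER = MOD - 1


def hs(element: int) -> int:
    """Hash a group element to an exponent."""
    digest = hashlib.sha256(element.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER


def keypair():
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, MOD)


def send(view_pub: int, spend_pub: int):
    """Sender: a fresh r per output gives (R, one-time public key)."""
    r, R = keypair()
    return R, pow(G, hs(pow(view_pub, r, MOD)), MOD) * spend_pub % MOD


def is_mine(R: int, one_time: int, view_sk: int, spend_pub: int) -> bool:
    """Recipient scan: rebuild the one-time key from R and the private view key."""
    return pow(G, hs(pow(R, view_sk, MOD)), MOD) * spend_pub % MOD == one_time


def one_time_secret(R: int, view_sk: int, spend_sk: int) -> int:
    """Private key for the output; only the recipient can compute it."""
    return (hs(pow(R, view_sk, MOD)) + spend_sk) % ORDER


def demo():
    (a, A), (b, B) = keypair(), keypair()        # Bob: view and spend keys
    (c, _), (_, D) = keypair(), keypair()        # Carol, an unrelated user
    (R1, P1), (R2, P2) = send(A, B), send(A, B)  # Alice pays Bob twice
    return (is_mine(R1, P1, a, B),               # Bob recognises his output
            is_mine(R1, P1, c, D),               # Carol's scan does not match
            P1 != P2 and B not in (P1, P2),      # outputs differ from B and each other
            pow(G, one_time_secret(R1, a, b), MOD) == P1)  # Bob can spend it
```

Only R and the one-time key would appear on chain; Bob's published keys A and B appear in neither value.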

Another mechanism under development is Kovri, which will hide the IP addresses of senders. It will have common APIs with other cryptocurrencies, so that third parties will not be able to see that you are using Monero.

Monero passed a stress test of its privacy last year: law enforcement agencies could not find out how many Monero coins belonged to the owner of the AlphaBay DarkNet site (but they did manage to reveal his Zcash balance).

One of the side effects of Monero's high privacy is the large transaction size, which is 50 times larger than the transaction size in Bitcoin.

Zcash

The Zcash cryptocurrency was launched by Zooko Wilcox in October 2016. Originally known as Zerocoin, Zcash was forked from Bitcoin. Zcash transaction privacy is an optional feature: like its "parent," the platform can also work with open transactions that are recorded on a public blockchain.

Zcash is based on the zero-knowledge proof protocol, or rather its zk-SNARKs version, developed in 2014 by cryptographers from Johns Hopkins University (Christina Garman, Matthew Green, Ian Miers), MIT (Alessandro Chiesa, Madars Virza), Technion (Eli Ben-Sasson), and Tel Aviv University (Eran Tromer).

With a zero-knowledge proof, the system can check the very fact that the "auditee" really owns what he or she claims (coins and addresses), without receiving any information about the object in question (the exact address and number of coins).

How Private Transactions Work in Zcash

Private transactions in Zcash are transactions between hidden addresses (z-addrs). To understand this mechanism, first recall how a Bitcoin transaction works, namely one of its main elements: the list of UTXOs, that is, unspent transaction outputs. Suppose that each UTXO contains 1 BTC, and each address contains only one UTXO. That is, the node contains a list of such UTXOs, each of which can be described by the address of its owner, for example, UTXO1 = (PK1), UTXO2 = (PK2), UTXO3 = (PK3), where PK is a public key. Suppose that PK1 is Alice's address, and she wants to send her UTXO consisting of 1 BTC to the PK4 address. She forms the corresponding transaction and signs it with her private key (this proves to the node that Alice really owns the funds stored at this address). When the transaction is sent, the node will update the state: UTXO4 = (PK4), UTXO2 = (PK2), UTXO3 = (PK3).

Now let us imagine that each UTXO also has a unique identifier "r" (this will be important a bit later, as we move on to private transactions). In this case, the storage of a node will look like this: UTXO1 = (PK1, r1), UTXO2 = (PK2, r2), UTXO3 = (PK3, r3).

For a private transaction the following conditions must be satisfied:

 Each node should store not the UTXOs themselves but only their hashes (H): H1 = HASH(UTXO1), H2 = HASH(UTXO2), H3 = HASH(UTXO3);

 The node should continue to store the hash of a UTXO even after it has been spent. In this case, it becomes a repository of all the transaction outputs (and not only of unspent ones), which prevents tracking.

To distinguish spent outputs from unspent ones without harming privacy, the system uses a special nullifier set: a list of hashes of the identifiers of all spent UTXOs. Each node therefore stores the nullifier set in addition to the list of hashed outputs.

Sending a private transaction, step by step:

Suppose that Alice owns UTXO1 and wants to send the 1 BTC stored there to Bob, who has the PK4 address. For this, she:

 Randomly selects the new identifier r4, after which the corresponding unspent output will be defined in the system as UTXO4 = (PK4, r4);

 Privately sends UTXO4 to Bob;

 Sends a nullifier (nf) of the UTXO1 record to all nodes: nf2 = HASH(r1);

 Sends a new output hash to all nodes: H4 = HASH(UTXO4).

That is, she nullifies her UTXO and creates a new record, which is controlled by Bob.

When the node receives nf2 and H4, it checks whether the output corresponding to nf2 has already been spent. To do this, it looks up whether nf2 is already in the nullifier set. If not, the node adds nf2 to the nullifier set, and H4 to the set of hashed outputs. Thus, it validates the transaction between Alice and Bob.

What Does It Have to Do with Zero-Knowledge Proof?

We checked that UTXO1 hasn't been previously spent, but did not check that it actually belongs to Alice. We did not even check whether such a record really exists in the network, that is, whether it is present in the list of hashed UTXOs of this node. Alice could confirm its existence by simply publishing the UTXO itself, not its hash, but this would compromise privacy.

Here zero-knowledge proof comes to the rescue. In addition to all of the above steps, Alice will also publish a proof that convinces all nodes that the sender of this transaction, whoever he or she is, knows values PK1 (public key), sk1 (private key), and r1 (identifier) such that:

 The output hash of UTXO1 = (PK1, r1) exists in the set of hashed UTXOs;

 sk1 is the private key corresponding to PK1 (thus, whoever owns it also owns UTXO1);

 The hash of r1 equals nf2 (and so, if nf2 is not yet in the nullifier set, then the corresponding output still hasn't been spent).

Moreover, the proof does not disclose the specific values of PK1, sk1, and r1.
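The simplified scenario above can be run as a small model. This is an added example, not code from Zcash or from the article: SHA-256 stands in for HASH, the key derivation PK = HASH("pk", sk) is a toy assumption, and the proof is replaced by evaluating its three claims directly on the secret values, which a real zk-SNARK would establish without exposing them.

```python
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    """Stand-in for the article's HASH(); SHA-256 is an assumption."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)  # length-prefix each field
    return h.digest()


def pk_from_sk(sk: bytes) -> bytes:
    """Toy key derivation (assumption): PK = HASH("pk", sk)."""
    return H(b"pk", sk)


class Node:
    """Keeps only hashes: every output ever created, plus the nullifier set."""

    def __init__(self):
        self.hashed_utxos, self.nullifiers = set(), set()

    def statement_holds(self, nf, pk, sk, r) -> bool:
        """The three claims of the proof, evaluated on the secret values."""
        return (H(pk, r) in self.hashed_utxos   # the output exists
                and pk_from_sk(sk) == pk        # the sender owns it
                and H(r) == nf)                 # nf belongs to that output

    def apply(self, nf, new_hash, proof_ok: bool) -> bool:
        if not proof_ok or nf in self.nullifiers:  # bad proof or double spend
            return False
        self.nullifiers.add(nf)
        self.hashed_utxos.add(new_hash)  # the spent output's hash stays stored
        return True


def demo():
    node = Node()
    rnd = lambda: secrets.token_bytes(32)
    sk1, r1, r4, pk4 = rnd(), rnd(), rnd(), pk_from_sk(rnd())
    pk1 = pk_from_sk(sk1)
    node.hashed_utxos.add(H(pk1, r1))            # H1 = HASH(UTXO1)
    nf = H(r1)                                   # the article's nf2
    ok = node.statement_holds(nf, pk1, sk1, r1)
    first = node.apply(nf, H(pk4, r4), ok)       # Alice pays Bob
    replay = node.apply(nf, H(pk4, rnd()), ok)   # same nullifier again
    sk_x, r_x = rnd(), rnd()                     # an output that never existed
    forged = node.apply(H(r_x), H(pk4, rnd()),
                        node.statement_holds(H(r_x), pk_from_sk(sk_x), sk_x, r_x))
    return first, replay, forged, len(node.hashed_utxos)
```

The replay is stopped by the nullifier set alone, while the forged spend is stopped only by the proof claims, which is the gap the nullifier check leaves open.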

This is a simplified scenario for a private transaction. In practice, hashed UTXOs are stored not just as a list, but as a Merkle tree. In addition to this, the given scenario describes a transaction sent through a private channel, but it's not necessary to use private channels to preserve privacy. The restrictions of this cryptocurrency include higher memory requirements: in order to use private transactions in Zcash, you should have at least 4 GB of RAM. The technical side is described in more detail in the protocol specifications published on GitHub.

The initial parameters for zero-knowledge proofs are set by a narrow circle of participants during the secret ceremony "Powers of Tau." At the end of the ceremony, the participants destroy the computers on which the data was generated, and the methods of generating randomness can be quite unexpected. For example, during one of the ceremonies, random numbers were generated using nuclear waste from the Chernobyl nuclear power plant.

In March, former CIA agent Edward Snowden said that Zcash was the most interesting cryptocurrency at that moment for him, because "its privacy characteristics are really unique." He also noted that now there are more and more projects trying to reach the same level of privacy, and this is a "positive thing."

Dash

Dash, under the original name Xcoin, was launched in January 2014 by Evan Duffield. Subsequently, after the rebranding, the coin became known as . . . no, not Dash . . . but Darkcoin. Only in early 2015 did the developers arrive at the name "digital cash," or simply, "Dash."

Dash is a fork of Litecoin, which means it has the "blood" of Bitcoin as well. PrivateSend, the privacy technology used in Dash, is also rooted in Bitcoin development. PrivateSend, along with SharedCoins, Dark Wallet, CoinShuffle, and JoinMarket, is the implementation of the mixing technology CoinJoin, proposed in 2013 by Bitcoin Core developer Gregory Maxwell to anonymize Bitcoin transactions.

In short, the essence of CoinJoin can be described as follows: "When you want to make a payment, find someone else who also wants to make a payment and make a joint payment together." Then there will be no separate input and output corresponding to a particular address. PrivateSend has the same principle: three users put their coins into one transaction, which sends them to the newly-generated addresses belonging to the same users. Thus, the coins are mixed among the participants, and it becomes impossible to trace the original owner on the blockchain. This process can be repeated automatically up to eight times, between different users.

The PrivateSend feature needs to be activated in the Dash Core client or other Dash wallets. Its disadvantage is that it requires certain user efforts: forming a joint transaction, as well as waiting till mixing is completed and paying a small fee.

In the Dash network, the mixer, which allows you to mix and split transactions into small parts, is a masternode. The minimum staking requirement is 1,000 Dash. That is, users connect to a random masternode, and it collects coins and merges them into a single transaction. Here, one of the vulnerabilities of the mechanism emerges: the user has to trust a masternode. By analogy with VPN servers, it knows where the coins came from and where they went. It is like a magician moving glasses, under one of which is a coin. The masternode knows exactly where the money is. Therefore, if masternodes are compromised, they will transfer your financial information "on demand."

The distrust of masternodes of the Dash network has a history. At the initial stage of Dash's development, there was a so-called "instamine" (instant mining). According to the founder of Dash, it was unintended. Two million coins (with a total emission of 22 million Dash and a circulating supply of 8.3 million Dash) were produced within a few days after the network had been launched. An instamine may occur due to vulnerabilities in the mining algorithm, which fails to adequately adjust the difficulty level depending on demand. The project did not change the protocol rules, nor did it relaunch the network. Given that a quarter of the coins currently in circulation were mined by just a few miners in the first week of Dash's existence, many masternodes are now controlled by those few "elected" participants. And so, although multiple rounds of mixing should theoretically increase privacy proportionately, the coin may never leave the control of one person who owns various masternodes.

Sudhir Khatwani, editor in chief of Coinsutra, also notes that the privacy mechanism used in Dash "provides an analyzable metadata to find out the real sender/receiver." Serious questions were also raised by the partnership announced in October 2016 between Dash and the compliance platform Coinfirm, which makes Dash "clean" in the eyes of the regulator through KYC and AML procedures, but very vulnerable from the point of view of users who seek anonymity. In any case, at the moment, along with "instant payments" and "security," the Dash website still lists "privacy" as a feature, promising protection of financial information, activity history, and balances via PrivateSend.