CoinJoin starts from a simple idea: mixing transactions can provide privacy and confidentiality. The technique does not map senders to receivers; instead, it only requires that the total inputs equal the total outputs, without double spending. After mixing, a single address is no longer associated with specific transactions, an association that could otherwise lead to the identification of users. CoinJoin needs interactive cooperation between multiple parties. Therefore, if any participant fails to honor the commitment to create a single transaction by not signing it as required, the result is a denial-of-service attack. The protocol needs no single trusted third party. This differs from a mixing service, which acts as a trusted intermediary among bitcoin users who agree to have their transactions shuffled.

Confidential transactions use Pedersen commitments, which allow a user to commit to a value while keeping it secret, with the ability to reveal it later. A commitment scheme must satisfy two properties: binding and hiding. Binding ensures that the committer cannot change the chosen value once committed, whereas hiding ensures that an adversary cannot find the original value to which the committer made a commitment. Pedersen commitments also support addition and preserve the commutative property on commitments, which makes them particularly useful for providing confidentiality in bitcoin transactions. In other words, it supports homomorphic encryption of values. Using commitment schemes allows payment values in a bitcoin transaction to be hidden. This concept is already implemented in the Elements Project.

Interestingly, MimbleWimble was introduced by an anonymous Bitcoin developer under the name Tom Elvis Jedusor (the French name of the fictional Harry Potter character Voldemort). Mimblewimble is also the name of a spell used to tongue-tie victims in Harry Potter. It extends the ideas of confidential transactions and CoinJoin, and allows aggregation of transactions without requiring any interactivity. However, it is incompatible with the Bitcoin scripting language and with various other features of the standard Bitcoin protocol. MimbleWimble can improve privacy and scalability at the same time. With this technique, a block contains an input list, an output list, and so-called excesses, which are lists of signatures and differences between outputs and inputs. In contrast to Bitcoin, MimbleWimble outputs contain public keys only, and the difference between the old and new outputs is signed by all participants involved in the transactions. The protocol reduces block size while improving privacy and scalability. However, it is not suitable for accounting and banking services in general, since the sender-receiver mapping and the transaction amount are recorded nowhere. GRIN and BEAM have successfully implemented MimbleWimble.

Bulletproofs is a non-interactive zero-knowledge proof protocol for general arithmetic circuits with very short proofs (arguments of knowledge) and without requiring a trusted setup. The essence of Bulletproofs is its inner-product algorithm, an argument of knowledge for two independent binding vector Pedersen commitments that satisfy a given inner-product relation. Bulletproofs yields communication-efficient zero-knowledge proofs and reduces overall communication by a factor of three. Bulletproofs has a wide range of applications, for instance in multi-party computation (MPC) systems, privacy protocols, and secret communications. The original Bulletproofs research is HERE.

Additionally, Monero has utilized ring confidential transactions (RingCT), stealth addresses and ring signatures for privacy. However, those techniques increase complexity and block size. Recently, Monero has been trying to implement Bulletproofs instead. Other confidential transaction techniques are provided by smart contracts.

There are a dozen privacy techniques out there. Many protocols have been successfully implemented, but some have not come into practice yet. Of course, privacy is a need for blockchain, but it should get along with security, scalability, transparency and auditability. In the following, we summarize our discussion in a brief comparison of notable privacy protocols under several criteria. Due to lack of knowledge and information, some cells are left blank.


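| | Prover complexity | Verifier complexity | Communication complexity | Proof size | Quantum secure |
|---|---|---|---|---|---|
| Bulletproof | O(N*log(N)), ~30 s | O(N), ~1100 ms | O(log(N)) | < 300 bytes | No |
| ZK-SNARKs | O(N*log(N)), ~2.3 s | O(1), ~10 ms | O(1) | 45 kb | No |
| ZK-STARKs | O(N*poly-log(N)), ~1.6 s | O(poly-log(N)), ~16 ms | O(poly-log(N)) | 1.3 kb | Yes |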

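| | Bulletproof | MimbleWimble | State Channels | RingCT | ZK-SNARKs | ZK-STARKs |
|---|---|---|---|---|---|---|
| Implementation | Monero | GRIN, BEAM | Hyperledger | Monero | Zcash | NA |
| Complexity | Medium | Low | | High | Medium | Medium |
| Blocksize | Small | Small | NA | Large | Small | Small |
| Trusted Setup | No | No | Yes | | Yes | No |
| Encryption | Yes | No | No | No | Yes | Yes |
| Scalability | Medium | High | Medium | Low | Medium | Medium |
| Privacy | High | Medium | Low-medium | Medium | High | High |
| Auditability | High | Low | High | Medium | High | High |
| Compatibility with Bitcoin & the like | Yes | No | Yes | | Yes | Yes |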

ZKPs are the most interesting protocols, since they offer true privacy and confidentiality along with a wide range of applications in various fields. Compared to the aforementioned anonymous cryptos, Dash seems to be the most obsolete one, since it uses private-send (a kind of confidential transaction) with low privacy and scalability. Monero, after the Bulletproof implementation, is going to be one of the two best privacy coins. The other is Zcash, which offers multiple levels of shielded transactions, giving users many options to send their funds either like Bitcoin or in a completely confidential way, as they wish. This gives Zcash a better approach to compliance among the group. Note that Bitcoin, Ethereum and many other cryptos are allowed in the U.S. and some other nations, but regulation is still the hardest challenge for anonymous coins.

Privacy technology is an interesting and hot topic not only in the crypto space but also in blockchain, cloud computing, and data sharing. None of the techniques is perfect. The author analyzes various privacy techniques from different sides and under different criteria. We hope that this article can help developers choose what is suitable for their own blockchains or computing platforms.

End of the three-article series on privacy.