Comparing Reasonably Private Spends in Bitcoin, Monero, and Zcash | sethforprivacy.com


I take a look at how each of the three most recognized privacy approaches in cryptocurrency stack up in size, cost (in both money and time!), and throughput




Table of Contents

- Introduction
  - Bitcoin - Privacy by Wallet
  - Monero - Privacy by Default
  - Zcash - Privacy by Pool
- Comparing Size and Cost
  - Bitcoin Transaction Notes
  - Monero Transaction Notes
  - Zcash Transaction Notes
  - Results
- Throughput
  - Bitcoin Network Notes
  - Monero Network Notes
  - Zcash Network Notes
  - Results
- Conclusion
- Transactions used for estimates
  - Bitcoin
  - Monero
  - Zcash

Introduction

As my first blog post I wanted to go ahead and share some thoughts I’ve had about efficiency within transaction types when comparing privacy protocols and usage. I have recently discussed this in some depth on Twitter where I was surprised by the results, finding that Monero manages to be quite a bit more efficient on size compared to Bitcoin when trying to use both in a private manner. I’ll use this blog post to break it down in a bit more detail, and add a new contender to the mix - Zcash.

1/ Thread on comparing “reasonably private” spends in #Monero and #Bitcoin, and trying to find a better way to judge scalability/throughput if all spends provide reasonable/good privacy guarantees. Starting off with transaction sizes, or more accurately, “private spend size”:
- Seth For Privacy | #FreeSamourai (@sethforprivacy) July 20, 2020

The reason I’ve chosen to focus on efficiency of each protocol is that users will generally prioritize simplicity and low cost, and if a privacy protocol can provide both of those to users, they can greatly aid adoption of powerful tools. While users do generally prefer to have privacy (who reading this is willing to email me all of your passwords and home address?), they will not normally go above and beyond, at great cost in time and money, to preserve their privacy.

So for this post, let’s take a look at how each of the three most recognized privacy approaches in cryptocurrency stack up in size, cost (in both money and time!), and throughput. But first, an introduction to each network’s approach to privacy.
Bitcoin - Privacy by Wallet

Bitcoin is the king of cryptocurrencies and made major breakthroughs that enabled the existence of cryptocurrencies like Monero and Zcash. While many thought its approach to privacy sufficient in the early days, people quickly realized that the pseudonymity it offered was insufficient for many use cases and allowed users to very easily ruin their own privacy via things like combining outputs, re-using addresses, and simple output amount analysis among many other heuristics.

There are currently two main approaches to gaining some level of “reasonable privacy” on Bitcoin, using CoinJoin [1] to obfuscate UTXO ownership, and the Lightning Network [2] to move the trail of funds off-chain (to some extent, privacy via Lightning is still very much a work-in-progress and not well understood).

CoinJoin is a technique where a group of unique users use a central coordinator to build a shared transaction that combines all of their input UTXOs of the same fixed amount and then “mixes” these funds to break deterministic links between the input UTXOs and output addresses. The most well known approaches to this are Samourai, Wasabi, and JoinMarket (note that JoinMarket uses a maker/taker model instead of a coordinator model, but that is outside the scope of this blog post).

For this blog post we’ll focus on Samourai wallet, as that is most widely accepted as the ideal way to gain privacy in Bitcoin. For more information on how the basics of Samourai Wallet work, see “Samourai 101” for a great explainer.

Monero - Privacy by Default

Monero was created in 2014 as a fork of a project called “Bytecoin” by a small community of developers. Monero is not a fork of Bitcoin, and uses an entirely new codebase called “Cryptonote” [3] that has evolved into the Monero protocol.
Monero was started with three core aims: privacy that is usable and approachable for the masses, by default; a scalable and iterating base-layer; and ASIC-resistance to enable commodity hardware mining, which aids decentralization.

Monero enables this default privacy for all users of the network through a variety of means:

- Ring Signatures [4]: this technology hides the true spend in every transaction, protecting the privacy of the sender. This requires no coordination and is completely non-interactive (unlike CoinJoin) and happens entirely via the protocol itself.
- RingCT [5]: this technology hides all amounts sent and received on-chain (via Confidential Transactions [6]).
- Stealth addresses [7]: this technology hides sender and receiver addresses on-chain by letting the sender generate a one-time address using the receiver’s public key, so no actual addresses are ever published to the blockchain.
- Dandelion++ [8]: this technology helps to hide the sender’s IP address when sending Monero by using a special method of relaying transactions to other nodes.

These technologies combine to allow any user interacting with the Monero network to gain strong privacy without taking extra effort, making multiple transactions, or relying on a central coordinator.

Zcash - Privacy by Pool

Zcash is a code fork of Bitcoin created in 2016 that adds optional privacy via a technology called zk-SNARKs [9], allowing users to opt-in to hiding the sender, receiver, and amount of a given transaction (if sending from a z-address to another z-address). This functions in similar ways to Monero, in that there are one-time addresses, amount commitments, and proofs that the transaction spends a previous output.

Zcash retains many of the network characteristics of Bitcoin, but does enable vastly greater privacy to those users who choose to opt-in.
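The one-time address idea described above for Monero's stealth addresses (and echoed in Zcash's one-time addresses) can be sketched as follows. This is an added example, not code from the original post or from either project: it follows the CryptoNote construction P = H_s(rA)G + B, but as an assumption swaps the ed25519 curve for a small, insecure multiplicative group so it runs with only the standard library, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption): integers mod the Mersenne prime 2**127 - 1, base 3.
# Stand-in for Monero's ed25519 curve so this runs offline; NOT secure.
P_MOD = 2**127 - 1
ORDER = P_MOD - 1  # exponents reduce modulo p - 1
G = 3

def keygen():
    """Return (private, public) where public = G^private mod p."""
    priv = secrets.randbelow(ORDER - 2) + 2
    return priv, pow(G, priv, P_MOD)

def hash_to_scalar(shared, index):
    """H_s(shared secret || output index), reduced to an exponent."""
    data = shared.to_bytes(16, "big") + index.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def sender_one_time_key(view_pub, spend_pub, index):
    """Sender side: fresh output key from the receiver's two public keys."""
    r, tx_pub = keygen()  # per-transaction key pair (r, R)
    h = hash_to_scalar(pow(view_pub, r, P_MOD), index)  # H_s(A^r)
    return tx_pub, pow(G, h, P_MOD) * spend_pub % P_MOD  # R, P = G^h * B

def receiver_scan(view_priv, spend_pub, tx_pub, index, output_key):
    """Receiver side: recognise an output using only the private view key."""
    h = hash_to_scalar(pow(tx_pub, view_priv, P_MOD), index)  # H_s(R^a)
    return pow(G, h, P_MOD) * spend_pub % P_MOD == output_key

def receiver_spend_key(view_priv, spend_priv, tx_pub, index):
    """Receiver side: private key of the output, x = H_s(R^a) + b."""
    h = hash_to_scalar(pow(tx_pub, view_priv, P_MOD), index)
    return (h + spend_priv) % ORDER

def demo():
    a, A = keygen()  # receiver's view key pair
    b, B = keygen()  # receiver's spend key pair
    R1, P1 = sender_one_time_key(A, B, 0)
    R2, P2 = sender_one_time_key(A, B, 0)  # second payment to the same address
    return {
        "outputs_differ_from_address": P1 != P2 and B not in (P1, P2),
        "receiver_finds_both": receiver_scan(a, B, R1, 0, P1) and receiver_scan(a, B, R2, 0, P2),
        "other_tx_key_rejected": not receiver_scan(a, B, R2, 0, P1),
        "spend_key_opens_output": pow(G, receiver_spend_key(a, b, R1, 0), P_MOD) == P1,
    }

if __name__ == "__main__":
    print(demo())
```

Two payments to the same published keys produce unrelated output keys, which is why the receiver's address never appears on-chain, while scanning needs only the private view key and spending additionally needs the private spend key.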
Unfortunately, because these strong privacy tools are not enabled by default for users, they see very little adoption, and normal, Bitcoin-like transactions are by far the majority of transactions made on the Zcash network. For more info on how Zcash works technically, see “Zcash Technology” for a solid introduction.

Comparing Size and Cost

As comparing across unique networks is very difficult, I’ve done my best to find a unifying set of metrics that we can more easily compare, and used the common denominator of USD as a fee measure, as native units are not easily comparable.

Bitcoin Transaction Notes

This example chain of transactions represents the recommended way to gain “reasonable privacy” and spend in Bitcoin, and requires a TX0 pre-mix transaction, a Whirlpool mixing transaction, and a post-mix transaction (here a STONEWALL transaction is used for the comparison, as this is most common and does not require a trusted second party).

It’s important to note that it takes a great deal of time to perform a single “reasonably private” spend, and in my own testing it took ~4.5h to go from TX0 to STONEWALL spend. This overall time could be reduced somewhat by creating multiple mixed outputs from each TX0, but this is not possible for all users depending on input amount and pool size. Note that this amount can vary greatly depending on how much a user is willing to spend on fees, how congested the network is, block time variability, etc.

12/ Key takeaways (continued):
* #Bitcoin remains extremely expensive to transact privately, and fees are cheap (comparatively) at present
* To send funds privately, took $37.50 and about 4.5h total, quite time consuming and costly, even with the ease of use of Samourai
- Seth For Privacy | #FreeSamourai (@sethforprivacy) June 9, 2020

For this comparison I have omitted “doxxic change” costs and mixing fees, as they are variable and hard to compare with Monero and Zcash transactions. I am purely listing Bitcoin transaction fees below.
Monero Transaction Notes

This example transaction is a standard 1-in 2-out Monero transaction with the present network technology, and represents the most common spend. Note that no preparatory, mixing, or post-mix transactions are necessary to protect the sender, receiver, and amount, or to break any deterministic links along the way. Sending a Monero transaction is as simple as a basic Bitcoin transaction, and takes ~2min to confirm on-chain.

Zcash Transaction Notes

This example transaction is a standard 1-in 2-out z-to-z transaction in Zcash, and represents the highest level of privacy available to users who opt-in to sending from and to a z-address (fully shielded). This type of transaction hides the sender, receiver, and amount on-chain. Note that no preparatory, mixing, or post-mix transactions are necessary to protect the sender, receiver, and amount, or to break any deterministic links along the way.

Results

As you can see below, Monero offers the most cost and space-efficient transactions of the three networks, saving almost 900b per “reasonably private” spend compared to comparable transactions in Bitcoin and Zcash, and is 33% the cost of Zcash and 0.0002% the cost of Bitcoin.

The largest caveat here for the scaling of Monero is that it is not currently fully pruneable in the same way as Bitcoin (Bitcoin can prune down to just the current UTXO set), and requires retaining a database of all outputs to use as decoys in each future transaction as no output is ever known-spent by the network [10]. Zcash is (as far as I can tell) not pruneable in any way at present.

It’s important to note that most users of both Zcash and Bitcoin do not opt into using these privacy tools, and instead choose to transact without hiding sender/receiver/amount for the vast majority of transactions.
| Cryptocurrency | Transaction Size | Transaction Cost (in USD as of 2023-12-16) |
|----------------|------------------|--------------------------------------------|
| Bitcoin        | 2,363b, 1,475vb  | $93.85 (@ 150sat/vb)                       |
| Monero         | 1,419b           | $0.056 (median)                            |
| Zcash          | 2,373b           | $0.0293 (median)                           |

Note that the lowest possible cost for this transaction flow in Bitcoin (in USD as of 2023-12-16) is $0.63 @ 1sat/vb.

Throughput

Throughput is an even harder metric to measure across networks, as each network has made its own choices of block size and block time to match its own needs and goals. To provide a common ground here, I’ve chosen to list the default limits/times of each network and the throughput that allows, as well as provide a version of each weighted to Bitcoin’s design choices of 10min block times and 1MB/4MB block size caps.

Bitcoin Network Notes

Bitcoin has retained the 10min block times from its inception, but block sizes have been changed (in a way) with the introduction of SegWit [11] to a maximum of 4MB for native SegWit transactions, and 1MB for “legacy” transactions. To provide the optimal network conditions for this comparison, I am assuming 100% native SegWit adoption, something that is not even close to reality, but provides a better picture of what is possible in Bitcoin natively. More details of how the weighting of transactions works in Bitcoin can be found in “What’s the blocksize limit after SegWit?”.

Monero Network Notes

The Monero network has a block time of 2min, but has a more complex block size limit than most other networks. In Monero, block sizes hav...