A major highlight of the recent Baltic Honeybadger 2017 conference in Riga, Latvia was the final panel at the end of the second day of events, which consisted of a number of well-known developers in the Bitcoin ecosystem. During the panel discussion, the developers shared their thoughts on the current state of privacy in Bitcoin. Various participants on the panel pointed out the close relationship between privacy and scalability, the privacy issues with light wallets, and how the ecosystem is now on the cusp of a number of different privacy enhancements.
Bitcoin Privacy Improves as the Technology Scales by Default
The first panelist to comment on the topic of privacy in Bitcoin was applied cryptography consultant and occasional Bitcoin Core contributor Peter Todd. Todd’s main point was that improved privacy is inherently associated with better scalability of the system.
“The whole reason why Bitcoin has such terrible privacy is everyone has everyone else’s transactions, and any scalability measure that makes Bitcoin scale better inevitably is going to make fewer people have fewer people’s data,” said Todd. Todd noted that people who use centralized off-chain services like Coinbase may have better privacy than those who are transacting on the public blockchain, depending on their threat model.
For example, Coinbase knows everything that Coinbase users are doing, but North Korea knows nothing about these transactions because they’re processed on Coinbase’s internal servers. “As we go scale this tech up, if we do so successfully, we will get improved privacy no matter what we do,” added Todd, who pointed to the Lightning Network as a perfect example of this concept in practice.
In terms of privacy-focused altcoins, such as Monero and Zcash, Todd claimed the scalability situation is actually worse. “Zcash and Monero both essentially have accumulators that mean that nodes need more data to go and process transactions,” explained Todd. “There are tradeoffs around this . . . but a lot of this tech isn’t there yet and it just makes things more complex.”
Better Privacy Needs to Be Balanced with Usability
When SatoshiLabs CTO Pavol Rusnak commented on Bitcoin privacy, he brought up the issue of usability in terms of future privacy improvements. In his view, there is a triangle of tradeoffs between privacy, security, and usability that must be understood. As a specific example, Rusnak pointed to MimbleWimble, which is a proposal for a much more private and scalable blockchain. Rusnak noted that while the proposal may improve the privacy situation, it also degrades usability by removing the ability to view one’s transaction history on the blockchain.
“The question is: If there is a coin that has security and privacy but it loses usability because of its transaction history, will people be interested in using it?” asked Rusnak. “I think yes. But it’s still — we have a lot of people who are Trezor users and they really tend to look into their transaction history. They put labels everywhere.” Rusnak went on to add that there is no “silver bullet” that can be applied to every use case out there.
The Privacy Problem for SPV Wallets
As the microphone was handed over to Libbitcoin lead maintainer Eric Voskuil, he brought up the issue of wallets based on simplified payment verification (SPV). “I’d like to get client-server scenarios out of the P2P protocol,” said Voskuil. “I think it’s creeping in a bad direction.” In Voskuil’s view, shortcuts have been taken in order to implement more user-friendly bitcoin wallets. Some of these shortcuts have created new problems, and Voskuil specifically pointed to the issue of bloom filters, which are used in SPV wallets.
“You can think of it as a DoS attack against nodes, it gives up privacy, there’s just nothing good about it,” said Voskuil. As Voskuil explained, those who use these bloom filters are giving some anonymous node on the network — which may actually be a node operated by a blockchain analytics company — an IP address to attach to a transaction. In Voskuil’s view, it would be better to simply connect to a server via the Tor network and publish a transaction there. That way, no one would know where it came from.
Ciphrex CEO and Bitcoin Core contributor Eric Lombrozo agreed with Voskuil’s comments on bloom filters, and he indicated that the sync time associated with operating a full node is what pushes users to these less-secure, less-private wallets in the first place. “Right now, verification is not that cheap, and that’s a problem because then you basically end up outsourcing this to third parties, and that changes the entire security model of Bitcoin,” said Lombrozo. Lombrozo went on to refer to bloom filters as “a hack” that was never really fleshed out or well designed at all. “You don’t have to download entire blocks, but you do give up tremendous amounts of privacy,” Lombrozo added.
In the past, Chaincode Labs’s Matt Corallo, who was a co-author of the Bitcoin Improvement Proposal (BIP) related to bloom filters, has said he regrets ever writing up the idea. Lombrozo also pointed to Lightning Network developers Olaoluwa Osuntokun and Alex Akselrod’s proposal for client-side filtering in light clients, which would reduce the privacy issues related to the use of SPV. “It gives you better privacy,” explained Lombrozo. “You can actually download a filter associated with a block and on your node you can actually check whether that block might contain transactions you’re interested in before you download the entire block.”
Lombrozo also brought up BIP 151, which was authored by Bitcoin Core contributor Jonas Schnelli. The point of this proposal is to encrypt the data being sent over the P2P protocol, which could offer an obvious privacy improvement for light clients in terms of making their network communications less public. Blockstream CEO Adam Back also agreed with the idea that bloom filters are not very good for user privacy. However, Back also clarified that most of the light wallets available today, even the ones on smartphones, are not pure SPV wallets.
Instead, the user usually connects to a server provided by the wallet developer or points the wallet at the user’s own full node running at home (or some combination of the two). For this reason, Back wondered whether there is much of a need for SPV wallets in Bitcoin. “If you already have two crosschecks — a semi-trusted node and an option of your own node — then do we really need the SPV protocol?” asked Back. “Because you’re allowing yourself to be surrounded by people who are trying to spy on your privacy — the people doing the kind of Chainalysis kinds of things are running lots of crawlers on the network and being SPV providers to many wallets.”
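As an added illustration (not from the panel or from any wallet's code), the simplified Python model below contrasts what a peer learns under the two designs discussed in this section: a wallet-specific bloom filter handed to the peer versus per-block filters checked on the client. The script names, chain contents and filter encodings are constructed for the example and do not reproduce the real wire formats.

```python
import hashlib

BITS, K = 1 << 20, 3  # oversized on purpose so this small demo has no false positives

def _positions(item: bytes):
    """K bit positions for an item, derived from salted SHA-256."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:8], "big") % BITS
            for i in range(K)]

def bloom(items):
    """Wallet-specific bloom filter as an int bitmask (sent to the peer)."""
    mask = 0
    for it in items:
        for p in _positions(it):
            mask |= 1 << p
    return mask

def matches(mask, item):
    """True if every position for `item` is set in the filter."""
    return all(mask >> p & 1 for p in _positions(item))

def block_filter(scripts):
    """Per-block filter: 8-byte hashes of every script in the block."""
    return {hashlib.sha256(s).digest()[:8] for s in scripts}

# Constructed sample chain: height -> output scripts seen in that block.
CHAIN = {
    100: [b"script-bob", b"script-carol"],
    101: [b"script-alice-1", b"script-dave"],
    102: [b"script-erin"],
    103: [b"script-alice-2", b"script-bob"],
}
WALLET = [b"script-alice-1", b"script-alice-2"]  # constructed wallet contents

def peer_view_server_side():
    """The peer holds the wallet's filter, so it can test any on-chain script against it."""
    received = bloom(WALLET)
    seen = {s for scripts in CHAIN.values() for s in scripts}
    return sorted(s for s in seen if matches(received, s))

def peer_view_client_side():
    """The peer serves the same per-block filters to everyone and sees only block requests."""
    filters = {h: block_filter(s) for h, s in CHAIN.items()}   # wallet-independent
    wanted = {hashlib.sha256(s).digest()[:8] for s in WALLET}  # never leaves the client
    return sorted(h for h, f in filters.items() if f & wanted)

if __name__ == "__main__":
    print("server-side filtering discloses scripts:", peer_view_server_side())
    print("client-side filtering discloses block heights:", peer_view_client_side())
```

In the first model the peer recovers the wallet's scripts and can tie them to the connecting IP address; in the second it learns only which blocks were downloaded, each of which also contains other users' transactions.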
On the Cusp of Improvements in Bitcoin Privacy
The most privacy-focused individual on the panel may have been JoinMarket developer Adam Gibson. JoinMarket is the most widely used implementation of CoinJoin, which is a way for users to mix their bitcoins with each other and obscure their transaction history. Gibson continued Todd’s point on the relationship between privacy and scalability by specifically talking about Blockstream mathematician Andrew Poelstra’s concept of scriptless scripts. “The way I’d put it is it’s like taking the semantics of the transaction off chain, so you may still have a transaction but the meaning of it is obscured [and] it becomes a lot more private,” explained Gibson. “For example, you might do a coin swap where you and I swap the history of our coins, but we do it in such a way that it just looks like a totally ordinary transaction. In fact, it’s impossible to distinguish from an ordinary transaction.”
According to Gibson, there are many other examples of ways in which data can be taken off of the base Bitcoin blockchain layer to improve privacy. Like Todd, Gibson pointed to the Lightning Network as another obvious example. Gibson also pointed out that he’s now more excited by the concept of Confidential Transactions due to a recent paper that describes a way to massively improve the efficiency of these types of transactions, which are meant to mask the amounts associated with transactions.
The JoinMarket developer went on to describe a world where Confidential Transactions are combined with CoinJoin to mask the most important attributes of Bitcoin transactions. In fact, Gibson indicated that this sort of combination can be done in a manner that makes privacy-conscious transactions cheaper than traditional Bitcoin transactions. Gibson also pointed to Schnorr signatures and MAST as two other upcoming improvements that could have implications for user privacy, but he also indicated that there is not much users can do to improve their own privacy today — outside of using JoinMarket or practicing good Bitcoin privacy hygiene such as avoiding address reuse.
This is all in addition to the previous privacy improvements for light clients described by Lombrozo. “There’s a lot of very close things at this point, which makes me a bit more positive than I might have been before,” concluded Gibson.