Privacy Pools: Where will they go after Vitalik’s new paper and the regulation of Tornado Cash?

When you define privacy as a crime, then only criminals have privacy.

Author: Kaori

Editor: Jaleel, 0x26

When it comes to privacy, blockchain seems to have given us a utopia of freedom and equality, even though its data is publicly transparent and traceable. On the other hand, how to protect transactions and personal privacy has become an unavoidable issue. The tricky part is that, despite the need for privacy protection, we still live in a digitally centralized, regulated society. The challenge lies in making privacy and regulation coexist on public blockchains, and that will be a long journey.

Last week, Vitalik and four other authors published a paper titled “Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium,” which sparked widespread discussion.

The authors stated that this paper avoids the legal debate of who is right or wrong, but aims to address the issue that Tornado Cash cannot distinguish between illegal and normal user behavior. They propose a new technical solution called Privacy Pools based on existing privacy protocol technology.

The problem that Privacy Pools aims to solve is whether privacy and regulation can really coexist on public blockchains.

How Privacy Pools prove that money is “clean”

As a neutral infrastructure, the core idea of Privacy Pools is to allow users to publish zkSNARK proofs showing that their funds come from known legitimate sources, or do not come from illegal sources, without publicly revealing the entire transaction process.

In other words, using Privacy Pools, you can prove, in a way that anyone can verify, that your deposit is legitimate and does not come from illegal funds. You provide this proof without disclosing your exact deposit information, thus protecting transaction privacy.

With the support of zkSNARK proofs, the specific implementation of Privacy Pools requires another core configuration called the Association Set.

The Association Set is generated by an Association Set Provider (ASP) following certain rules. Some rules are inclusion rules, such as “all deposits from trusted trading platforms,” while others are exclusion rules, such as “all deposits except those marked as risky.” Users then only need to prove their membership in the Association Set; without publicly revealing which Association Set they chose, they just make a commitment and can demonstrate compliance without fully disclosing their transactions.

When users deposit to Privacy Pools, each deposit is assigned a unique secret/coin ID. When withdrawing, users specify an Association Set associated with their deposit and provide a nullifier to prove that the deposit exists and is located in the chosen Association Set, showing this without revealing the specific deposit. In special cases, users can also provide more direct proof to their counterparts to demonstrate specific deposits.

One thing worth mentioning about the Association Set of Privacy Pools is that ordinary users are incentivized to prove their affiliation with a legitimate Association Set in order to “prove their innocence,” while illegal users are unable to provide such proof, which achieves a “separating equilibrium.”

Vitalik provided a vivid explanation of one of the use cases in the paper, which is quoted here for readers’ understanding.

Let’s assume there are five users: Alice, Bob, Carl, David, and Eve. The first four are honest users, while Eve is a known thief. Although Eve’s true identity may be unknown, the public knows that funds received by the address labeled “Eve” have been stolen.

Each user can choose an association set when making a withdrawal, which must include their own deposit. This means that when each user chooses an association set, they cannot exclude their own deposit.

For Alice, Bob, Carl, and David, in order to avoid association with the known bad actor Eve, they can choose an association set that does not include Eve. In this way, they can prove that they are not associated with Eve.

However, Eve faces a problem. He cannot choose an association set that includes only himself, as this would immediately reveal him as a bad actor. In order to try to hide his bad behavior, Eve may choose an association set that includes all five users, hoping to confuse the situation.

Since the other four users have chosen association sets that do not include Eve, Eve’s attempt becomes futile, as people can determine that Eve is the bad actor through the process of elimination.

The result is that through the choice of association sets, Alice, Bob, Carl, and David can prove that they are not associated with the known bad actor Eve. Eve cannot hide his bad behavior because his association set includes everyone.

This diagram in the paper further illustrates the difference between these two types of proofs. The membership proof includes a specific set of deposits, while the exclusion proof’s association set includes all deposits except for a specific set.
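The deposit, association-set and nullifier flow described above, worked through for the five-user case as an added toy model; it is not code from the paper or from the Privacy Pools project. It assumes SHA-256 commitments and Merkle trees and passes the witness in the clear, whereas the real protocol proves the same checks inside a zkSNARK so the secret and Merkle branches stay hidden. All names and secrets are constructed.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def commitment(secret):   # public leaf recorded at deposit time
    return H(b"commit", secret)
def nullifier(secret):    # published once at withdrawal to stop double-spends
    return H(b"nullifier", secret)

def merkle(leaves, index=0):
    """Return (root, branch); branch proves leaves[index] sits under root."""
    level, branch = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(bytes(32))          # pad odd levels with an empty leaf
        branch.append((level[index ^ 1], index & 1))
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch

def climbs_to(leaf, branch, root):
    for sibling, leaf_is_right in branch:
        leaf = H(sibling, leaf) if leaf_is_right else H(leaf, sibling)
    return leaf == root

def prove(secret, pool, assoc):
    """Build the witness a zkSNARK would keep private; None if none exists."""
    leaf = commitment(secret)
    if leaf not in pool or leaf not in assoc:
        return None
    return {"secret": secret, "pool": merkle(pool, pool.index(leaf))[1],
            "assoc": merkle(assoc, assoc.index(leaf))[1]}

def withdraw(nf, witness, pool_root, assoc_root, spent):
    """Checks the proof circuit would enforce, plus the nullifier replay check."""
    if witness is None or nf in spent or nf != nullifier(witness["secret"]):
        return False
    leaf = commitment(witness["secret"])
    ok = (climbs_to(leaf, witness["pool"], pool_root)
          and climbs_to(leaf, witness["assoc"], assoc_root))
    if ok:
        spent.add(nf)
    return ok

# Constructed deposits for the article's five users; "eve" is the flagged one.
SECRETS = {n: n.encode() + b"|constructed" for n in "alice bob carl david eve".split()}
POOL = [commitment(s) for s in SECRETS.values()]
CLEAN = [commitment(s) for n, s in SECRETS.items() if n != "eve"]  # ASP rule: all but flagged
```

Honest users can withdraw against the root of `CLEAN`; Eve's only valid witness is against a set that contains her own deposit, such as the full pool.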

In theory, Privacy Pools still allow North Korean hackers or any illicit users to use the protocol, but, like Eve, they cannot generate high-quality whitelist proofs. Although they may still generate low-quality or outdated proofs to temporarily confuse the situation, it becomes easier for regulatory agencies to locate illicit users than before.

The Pros and Cons of Association Sets

The introduction of association sets eliminates the need for users to prove the direct connection between withdrawals and deposits, but there are many doubts and debates in the community about whether association sets can truly protect users’ privacy.

As mentioned earlier, association sets are generated by off-chain set providers following certain rules. So who is responsible for generating these association sets? Why should users trust the providers of these association sets? And how can we ensure that illegal addresses will not appear in these association pools in the future?

Some Twitter users have pointed out the similarities between this and conducting coin mixing transactions on Coinbase for compliant privacy. The difference is that Privacy Pools is non-custodial and only used to prove that you are not associated with illegal transactions, whereas Coinbase fully controls and safeguards funds and has a complete understanding of user identities. But how do we know whether association set providers understand the users choosing their association sets better or worse than Coinbase understands its users?

One of the co-authors of the paper, Jacob Illum, a researcher at Chainalysis, a crypto industry research institution, said in a podcast that it is impossible for ordinary users to provide association sets. Doing so requires some background and ability in blockchain forensics or blockchain analysis, so only those who have this ability can become Association Set Providers (ASPs), such as some analysis organizations or large financial institutions.

At the same time, users need to choose association sets that are large enough to protect transaction privacy as much as possible, because the smaller the set, the greater the risk of exposure if the set contents leak.

AX1’s editor-in-chief VL (@VladislavLiu) said that illegal “users can still deceive the system with low-quality whitelist proofs. The paper suggests using third-party whitelist providers (i.e. association set providers), but this brings another set of problems. What if these providers are not good enough? Or what if they are compromised?”

Who is qualified to provide these association sets? The paper provides several solutions, but in reality, there has not yet been an institution or organization that has come forward to say that they can. This is the problem that Privacy Pools will soon face, as well as the challenge faced by anyone who wants to obtain blockchain privacy rights: trust or distrust, compromise or non-compromise, or indifference, treating privacy as nothing.

“Tornado Cash” VS “Privacy Pools”

When it comes to on-chain privacy protection, we have to mention Tornado Cash. Since Privacy Pools is an improvement based on Tornado Cash, let’s see what the differences are between the two.

The main idea of Tornado Cash is to mix a large number of deposit and withdrawal behaviors together. After depositing tokens into Tornado, depositors provide ZK Proofs to prove that they have made deposits, and then withdraw from a new address, thereby cutting off the association between deposit and withdrawal addresses. As a result, on the blockchain, only deposits and withdrawals can be seen, and the corresponding relationship between the two cannot be seen, so it has anonymity.

The key problem with Tornado Cash is that it is difficult for legitimate users to separate themselves from the criminal activities attracted by the protocol. If proof of non-relevance is required, it relies on Tornado Cash’s centralized servers. Users need to provide specific information about their withdrawals to the server, and the server uses its own database to check which deposit the withdrawal corresponds to, and then generates this proof. However, as mentioned earlier, Privacy Pools distinguishes between legitimate users and illegal users by placing the transactions of legitimate users into a whitelist through the setting of association sets, and illegal users cannot prove that their transactions belong to this association set.

In other words, Tornado Cash uses a generic anonymity set – all deposits and withdrawals are mixed in one pool. Privacy Pools uses customizable anonymity sets – users can choose the deposit and withdrawal methods they want to mix according to their preferences and needs.

Twitter user @0xArhat created a table to compare the two from multiple perspectives such as flexibility, disclosure, and privacy level.

Privacy Pools can customize the content of associated sets, allowing customization and updates based on different jurisdictions or changing rules and requirements of entities. Each associated set has its own fund pool and proof rules, thus avoiding fund contamination. However, all deposits in Tornado Cash are placed in one fund pool, which easily leads to anonymous violations.

Privacy Pools also incentivize users to behave honestly in terms of compliance and reputation, while Tornado Cash operates on a trustless and permissionless basis, naturally attracting the attention of illegal actors.

These are some of the settings envisioned by the authors of the paper that can save Privacy Pools from the fate of Tornado Cash, allowing regulation and privacy to coexist. However, to achieve this, it is necessary to sacrifice a bit of privacy and add some “flexibility” while fully maintaining privacy and permissionlessness.

KOL Eva Beylin (@evabeylin) commented that Privacy Pools can not only enhance transaction privacy but also contribute to DAO governance (membership), node reputation, and KYC compliance. Privacy Pools, with its unintentional advantages, may have a better future than Tornado Cash.

How to use Privacy Pools

Currently, Privacy Pools is still in the testing phase, and users can test the protocol using the Optimism Goerli testnet.

1. Create a Note Wallet

2. Generate a mnemonic phrase and securely store it

3. Set a password

4. Download the Secrets file and upload it during login

5. The registration process is complete. During login, click “Choose File” and upload the downloaded JSON file, then enter the password

Privacy, Innocent; Privacy, Guilty

The experience of the founder of Tornado Cash has dealt a blow to the belief in “code as speech,” and the emergence of Privacy Pools has once again raised questions about the decentralization of blockchain. For example, does using Privacy Pools to prove the source of funds violate the original purpose of privacy protection? However, in order to comply, concessions seem to be necessary, and a balance has to be found between the two, as more and more people realize that complete anonymity is no longer feasible in today’s world.

In the end, there is a natural conflict between complete privacy and regulatory compliance that cannot be ignored. However, we can make our own choices and find a balance. Privacy Pools may not be the solution for everyone, but it is indeed a solution for many.

Where that balance point lies is a question not only for industry builders but also for legislators and law enforcers. Because if you define privacy as a crime, then only criminals will have privacy.

Reference materials:

1. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4563364

2. https://mirror.xyz/0x1dE17B6c736bcd00895655a177535c2a33C6febA/zq_ePfbBWoSFRB3JwLxJeb5mkKti6UjHJn0ZZ3g9luU

3. https://www.techflowpost.com/article/detail_13920.html
