The cryptocurrency industry was initially headlined as anonymous digital cash. While experts were quick to point out that this was not exactly the case, Bitcoin (BTC) found initial popularity in darknet markets such as Silk Road, where merchants sold illegal goods ranging from light drugs to, allegedly, hitman services. Founded in 2022, Silk Road thrived for the next two years until the Federal Bureau of Investigation shut it down in 2022. Authorities later revealed that completely free blockchain explorers aided their investigative efforts.

Bitcoin's transaction ledger is completely open for the public to view. What the blockchain does lack is openly available identity data, as all transactions are conducted between wallet addresses, which can be considered pseudonyms. However, each wallet address is unique and can be tied to specific people or entities.

Mapping an address to its holder can be as simple as making a transaction. A buyer and seller can potentially reveal their entire transaction history to each other. Though they may not know with whom they've transacted previously, they can know the balance and spending amounts through a simple check on a blockchain explorer. In technical terms, this is called linkability: how easy it is to reconstruct a particular chain of transactions.

Bitcoin's chain of transactions is theoretically easy to link. In practice, though, this is not a trivial task, as it can be complicated to determine which part of a Bitcoin transaction is the change and which is the actual coin that was spent.

Bitcoin-based privacy solutions

Given the explicit privacy weakness of Bitcoin and other open ledgers, various remedy solutions have been developed over the years. The first was proposed in early 2022 by Gregory Maxwell, a core Bitcoin developer. Later dubbed CoinJoin, the technology utilized an already existing principle of Bitcoin that single transactions can contain many "outputs" and "inputs" that flow to and from multiple wallets.

Each transaction takes a certain amount of Bitcoin in the form of inputs and reshapes it, like clay, into different chunks of outputs. With CoinJoin, multiple participants offer their Bitcoin into a single transaction, which then reshapes them into different outputs that are sent to the wallets specified by each user.

The result is that the chain of transactions is scrambled: an external viewer tracking wallet A doesn't know to which exact wallet B the Bitcoin was sent. Wallet B may contain Bitcoin pieced together from dozens of input wallets. The number of participants, called the anonymity set, is important for the overall strength of mixing. It's much harder to track one wallet out of 10,000 than one out of 10.


Another solution was given by Bitcoin mixers. Though they utilized a similar approach, they were centralized services that held custody of the Bitcoin during the scrambling process. Nevertheless, mixers initially proved popular with users as they were much simpler to implement than the peer-to-peer CoinJoin.

Their security flaws were soon made evident by researchers. A December 2022 paper by Felix Maduakor demonstrated a fairly simple heuristic procedure to deanonymize mixer transactions. The algorithm relied on factors such as timing, Bitcoin transaction amounts and their corresponding fees to filter the destination wallet. In addition, one service had a simple web-based vulnerability that could leak all mixed transaction data by exploiting internal record keeping. A different 2022 paper also concluded that even the most popular mixers utilized poor security practices that made it easy to trace their operations.

Despite the significant security flaws, mixers continued to be popular well into 2022. However, police seizures and voluntary closures pressured the sector and may have finally helped to curb their use. As Chainalysis noted in a July 2022 webinar, CoinJoin-based wallets offered by Wasabi and Samourai steadily gained popularity during 2022, processing over $250 million in Bitcoin.

Wasabi wallet BTC volume for 2022

As a largely decentralized process, CoinJoin doesn't rely on the security skills of mixer operators, thus removing unnecessary failure points. Despite this, the system is far from perfect. Maxwell subsequently distanced himself from pure CoinJoin implementations, noting in a presentation that "if all the users are putting in and taking out different amounts, you can easily unravel the CoinJoin."

Though that can be mitigated by utilizing fixed output amounts, similar to cash bills, it doesn't appear to be enough to prevent tracking. In a chat with Cointelegraph, Chainalysis CEO Michael Gronager explained:

"CoinJoins and mixers do reach a certain level of dissociation between funds. However, in many cases this link can be reestablished through forensics work."
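Maxwell's "unravel" remark and the fixed-denomination mitigation above can be made concrete with a small simulation. The Python below is an added example, not code from the article or from any wallet project; it models a CoinJoin as integer satoshi inputs and outputs, assumes each participant has exactly one input whose outputs sum to it exactly (fees ignored), and counts how many assignments of outputs to inputs balance.

```python
# Added example: anonymity of a CoinJoin under amount matching alone.
# Toy model, not Wasabi or Samourai code. Assumptions: each participant
# contributes exactly one input, the outputs they take sum exactly to
# that input, and mining fees are ignored. Amounts are integer satoshis.

BTC = 100_000_000  # satoshis per bitcoin

def balancing_assignments(inputs, outputs):
    """Every assignment of outputs to inputs (tuple: output k -> input index)
    in which each input's outputs sum exactly to its amount. An observer who
    sees only amounts cannot tell these assignments apart."""
    if sum(inputs) != sum(outputs):
        raise ValueError("inputs and outputs must balance (fees not modelled)")
    remaining = list(inputs)          # value on each input not yet assigned
    assignment = [None] * len(outputs)
    found = []

    def backtrack(k):
        if k == len(outputs):
            # Totals match and nothing went negative, so every input is at 0.
            found.append(tuple(assignment))
            return
        amount = outputs[k]
        for i, left in enumerate(remaining):
            if left >= amount:        # input i could still have funded output k
                remaining[i] -= amount
                assignment[k] = i
                backtrack(k + 1)
                remaining[i] += amount

    backtrack(0)
    return found

def candidate_owners(inputs, outputs):
    """For each output, the set of inputs that own it in at least one
    balancing assignment. A singleton set is a fully exposed link."""
    owners = [set() for _ in outputs]
    for assignment in balancing_assignments(inputs, outputs):
        for k, i in enumerate(assignment):
            owners[k].add(i)
    return owners

# Constructed sample transactions (satoshis).
# Maxwell's case: two users put in and take out different amounts.
UNEQUAL_IN = [1 * BTC, 7 * BTC // 10]
UNEQUAL_OUT = [6 * BTC // 10, 4 * BTC // 10, 7 * BTC // 10]
# Fixed denominations, as in Wasabi-style mixes: three users, six equal outputs.
EQUAL_IN = [2 * BTC // 10] * 3
EQUAL_OUT = [1 * BTC // 10] * 6

if __name__ == "__main__":
    for name, ins, outs in (("unequal", UNEQUAL_IN, UNEQUAL_OUT),
                            ("equal", EQUAL_IN, EQUAL_OUT)):
        print(name, len(balancing_assignments(ins, outs)), "balancing assignment(s),",
              "possible owners per output:", candidate_owners(ins, outs))
```

A single balancing assignment means amounts alone expose every link, whereas the equal-denomination case admits 90 assignments in which every output could belong to any input.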

Further evidence of the vulnerability of CoinJoin was given by Chainalysis's investigation into the operations of PlusToken. According to a Dec 2022 report excerpt, the firm was able to track 45,000 Bitcoin out of the 180,000 total collected by the Ponzi scheme, despite complex obfuscation tactics that also included CoinJoin services. Nopara73, a pseudonymous developer behind Wasabi wallet, defended the technology in an "Ask Me Anything" thread on Reddit, saying, "I don't think the technical part of the story is difficult to figure out. Hint: they had more coins than the entire market cap of Monero."

Privacy-based altcoins rise

As the ecosystem matured, dozens of projects arose specifically to provide private transactions to users. The present landscape is divided into several major families of coins based on different protocols.

Monero (XMR) is currently the largest privacy coin by market capitalization, and it was one of the first to be introduced on the market. It's based on the CryptoNote protocol pioneered by Bytecoin (BCN) in 2022 and augmented over time by RingCT, a system combining ring signatures and Confidential Transactions cryptography.

Monero makes an effort to hide all parts of a transaction: sender, receiver and amount.

The sender is hidden via ring signatures. When creating a transaction, Monero aggregates the sender's true output with other semi-random outputs picked from previous blocks. This creates an effect similar to CoinJoin by giving plausible deniability to the user, as external parties cannot pick out the real coins without additional information.

A technology called Confidential Transactions further improves on this by hiding the amount of coins for each output. Stealth addresses, a part of the original CryptoNote protocol, hide the receiver by creating a one-time wallet address for each transaction.

Monero's closest competitor is Zcash (ZEC), which uses zero-knowledge cryptography to hide transactions. At a high level, zero-knowledge proofs allow a "prover" — a user sending the coin — to conclusively demonstrate to a "verifier" — or a blockchain node — that they know a certain value, without ever revealing the actual number. Used in a privacy-centric blockchain, this allows the details of a transaction to be completely encrypted and uses zero-knowledge proofs as a guarantee that it is valid. Many variants of zero-knowledge proofs exist. The one currently used by Zcash is called zk-SNARKs.

The latest major addition to privacy coins is the Mimblewimble protocol. Implemented in projects such as Grin and Beam, Mimblewimble primarily uses CoinJoin and Confidential Transactions to ensure privacy. However, its blockchain architecture is significantly different from most other coins.

For example, Mimblewimble blockchains do not have permanent addresses. Instead, crypto is exchanged in a two-step procedure: the sender delivers partially filled transaction information through external means, such as emails, and the receiver must then add their own data before retransmitting the completed transaction file.

Several other projects use CoinJoin variants for their privacy features. Dash's PrivateSend mixes coins through multiple steps of CoinJoin, while Decred's (DCR) privacy mode uses CoinShuffle++, an updated and improved implementation of the original protocol. Though there are bitter debates between the opposing camps, each protocol comes with its own advantages and disadvantages.

The price of anonymity

Privacy protocols in general suffer from performance and scalability issues. The additional layer of secrecy often has a very measurable cost in terms of transaction size, speed of execution and computing performance.

Monero's transactions are several times heavier than their equivalent on the Bitcoin network. Though the introduction of "bulletproofs" range proofs was a significant remedy to this problem, Monero transactions tend to be heavier than 1,500 bytes, while simple Bitcoin transactions can be as low as 280 bytes.

This poses a significant problem for scalability. Though Monero has dynamic block sizes, avoiding true bottlenecks, the entire blockchain still grows significantly faster in size. Eventually, it will become impossible to maintain Monero nodes on simple computers, which its community sees as a major attribute of decentralization.

Zcash is a mixed blockchain containing both transparent and "shielded" transactions. Private transactions suffer from a similar size problem to Monero, weighing on average 2,000 bytes.

Before the introduction of Sapling, sending money privately also required about 4 GB of available RAM, which made shielded transactions highly impractical.

Similar issues exist for Mimblewimble-based coins. Their raw transactions are over 5,000 bytes due to the presence of heavy range proofs. The chief scalability benefit for Mimblewimble-based coins is the ability to "prune" a blockchain: removing past transaction information without impacting its validity. Grin estimated a reduction of roughly 98% for a sample case of 10 million transactions, from around 130 GB to just under 2 GB. That is less than half the size of the Bitcoin blockchain when it had the same amount of transactions in December 2022, according to data from Blockchain.com.

The ability to prune a blockchain is a major factor for some researchers. While Monero was considered unable to scale through pruning, the team released a limited implementation of it at the start of 2022. Critics described it as "more like sharding than pruning" due to its failure to completely remove transactions. Monero developers explained on Twitter that removing outputs is impossible with current technology, adding, "Our implementation definitely prunes certain transaction information."

Zcash was also unable to prune its data, but the team at Electric Coin Company — the company behind Zcash — chose to further leverage zero-knowledge proofs to introduce a similar concept of scaling. Its proposed Halo technique would utilize a "proofs of proofs" arrangement that would confirm the validity of the blockchain's past states. This would allow nodes to only hold information on recent transactions, together with a proof of correctness for everything that occurred earlier.

Compromises on privacy

Practicality, decentralization and anonymity issues often pose a trilemma for any single privacy technology. Though Monero scores relatively well on practicality and decentralization, its anonymity has been put into question in the past.

Fireice_uk, a pseudonymous Monero contributor and the developer of the xmr-stak miner software, identified several weaknesses in the ring signature approach, noting that churning immediately exposes the true origin of the funds by creating a loop of transactions. They also demonstrated a way to break normal ring signatures based on leakage of metadata: the transaction's time of creation can be compared with internet service provider records to identify the true output.

Leading Monero community members responded on Reddit, acknowledging some of these concerns while downplaying their relevance. When asked by Cointelegraph whether the team acted upon these concerns, fireice_uk said that the efforts have been insufficient:

"Over the past year, the volume of research into metadata leaks increased and they just fixed the very lowest hanging fruit. The current state of affairs leaves me uncertain if the whole ring signature based family of coins is viable — and I'm saying that as a dev of one of them."

Sarang Noether, a pseudonymous member of the Monero Research Lab, responded to this criticism in a chat with Cointelegraph. While noting that this is a "subtle issue" that depends on the implied threat model — who wants to deanonymize the transactions — they added:

"There's network-level metadata floating around, which may or may not affect a particular user depending on their threat model — and is tricky to reduce. There's on-chain metadata floating around, including things like timing, input/output structure, non-standard transaction information, etc. Reducing exploitable metadata is important, but eliminating it entirely is impossible."

Addressing churning, Noether noted that it is a subject of ongoing research, while revealing that there are proper and improper ways of doing it: "Similar to how choosing decoy inputs poorly can lead to heuristics about what is more likely to be the true signer, churning 'badly' could lead to heuristics trying to identify the process."

Though the cryptography powering Zcash shielded transactions is often described as fundamentally better than that of Monero's, the dominance of transparent addresses places strong restrictions. Researchers from University College London, now officially known as UCL, were able to de-anonymize several transfers by tackling the conversion step between shielded and unshielded coins. When asked whether Zcash sees value in increasing the amount of shielded transactions and thus the anonymity set, Electric Coin Company's vice president of marketing, Josh Swihart, told Cointelegraph:

"A large anonymity set is important, and we don't believe there is a point of diminishing returns. We share the world with billions of people, each driving dozens of transactions per month, and hundreds of millions of businesses and institutions driving many multiples more. The anonymity set should be big enough to safely protect all of those people, companies and institutions on a per-transaction basis."

Swihart also pointed out that the amount of fully shielded transactions grows over time, which increases its anonymity set. Nevertheless, data shows that the ratio of shielded to transparent transaction volume has been oscillating between 10% and 20% for most of Zcash's history, with little recent growth:

Volume of shielded transactions on Zcash

Centralization is also a major concern for Zcash, as zk-SNARKs require a "trusted setup" to properly function: specific parameters set by the developers. Any security or trust compromise during each generation event would be catastrophic, as attackers would be able to create new coins nearly undetected. Nevertheless, the introduction of Halo-based technology would remove the need for a trusted setup.

Discussing the importance of anonymity sets, fireice_uk emphasized, "It is life-or-death critical. It is impossible to hide in a crowd of 1. Anything that can be done to whittle down the crowd will affect privacy." They added, "We can see that very well with the Mimblewimble break," referring to the breakthrough by Ivan Bogatyy — a researcher at Dragonfly Capital — who de-anonymized up to 96% of real-time Grin transactions.

Grin developers responded by dismissing the importance of the breakthrough. Nevertheless, they acknowledged that "Grin's privacy is far from perfect," noting that "transaction linkability is a limitation that we're looking to mitigate."

Is there a clear leader?

Though each system has its own strengths and weaknesses, it ultimately comes down to each user to make the best of available tools. Even Zcash, which has arguably the most resilient anti-linkability system, can still be misused through careless transitions between transparent and shielded addresses. Monero is in this sense somewhat easier to use. As Chainalysis reported in its webinar, it is the preferred privacy coin in darknet markets.

However, Bitcoin remains the most popular payment method. Furthermore, its users tend not to place emphasis on privacy, with the majority of funds to darknet markets sent directly from centralized exchanges.

Privacy-enhancing technology appears to be uninteresting to darknet market users, the segment that arguably would need it most. Until privacy coins are widely adopted in high-stakes environments like these, debates on their anonymity will remain highly theoretical.

Non-criminal case for privacy

It's important to note that privacy should not be strictly associated with illicit use. Chainalysis highlighted that only a little more than 10% of funds sent to mixers come from criminal activities.

A similar proportion can be expected in privacy coin use. Though regulators are increasingly scrutinizing cryptocurrency-enabled crime, maintaining some privacy for legitimate use is critical, according to Chainalysis's CEO:

"Complete anonymity opens the door to illicit activity that by definition cannot be investigated. That's not a world you want to live in. On the other hand, complete transparency means no privacy at all. That's also not a world you want to live in. We believe that the market decides, and currently the non-privacy coins see the most momentum."

Speaking on behalf of the company, Swihart's opinion on transaction privacy understandably went even further. Electric Coin Company believes that a person's ability to transact with others is a fundamental right, while "businesses have a right to transact securely without exposing information to competitors or others that might wish them harm."

Answering a question on whether facilitating criminal use is an acceptable compromise for privacy, Swihart added, "The compromise argument is a red herring. People with bad intent will use whatever tools they can to do illegal things. Today, that mostly involves the U.S. dollar."