In February 2018, Bill Gates conducted an AMA session on Reddit and expressed his opinion on cryptocurrencies:

“The main feature of cryptocurrencies is their anonymity. I don’t think this is a good thing. The Government’s ability to find money laundering and tax evasion and terrorist funding is a good thing. Right now cryptocurrencies are used for buying fentanyl and other drugs so it is a rare technology that has caused deaths in a fairly direct way. I think the speculative wave around ICOs and cryptocurrencies is super risky for those who go long.”

A huge discussion followed; all the comments can be read here.

Claiming total anonymity in the digital space is romantic, but it also breeds irresponsibility and may one day cause a serious social disaster. On the other hand, the growing control over the Internet exercised by some states (let us be honest: both totalitarian and democratic states do it) is just as troubling.

I leave the ethical side of this conversation aside, as I have another goal: what is the current state of anonymity in crypto? Most cryptocurrencies are pseudonymous rather than anonymous. Take Bitcoin: every transaction between the network's participants is public, so the flow of coins can be followed from its origin to its final recipient, with addresses serving only as pseudonyms. Even if two participants exchange funds indirectly, through intermediate addresses, a properly engineered path-finding (transaction-graph analysis) method will reveal the origin and the final recipient.

As for claims of true anonymity, at the time of writing I have just two examples in mind: Monero and Zcash. Let's talk about the first one.

Esperanto of money

In December 2012, Nicolas van Saberhagen presented the CryptoNote whitepaper: electronic cash designed to avoid the inefficiencies of Bitcoin. Although Monero's official birthdate is 18 April 2014, it is superfluous, at least for the purpose of this article, to go through the historical details; one can trace the history of CryptoNote and Monero on one's own. For the purpose of this article I will be using the second edition of the whitepaper, published in October 2013.

Among Bitcoin's inefficiencies the paper lists traceability of transactions, the economics of its proof-of-work function, irregular emission and some others. Traceability in particular is the authors' greatest point of dissatisfaction with Bitcoin. Nicolas refers to researchers from NTT Laboratories who proposed criteria for Universal Electronic Cash; reformulated, they are:

Untraceability: for each incoming transaction all possible senders are equiprobable, so the sender cannot be identified by any means;

Unlinkability: for any two outgoing transactions it is infeasible to prove that they were sent to the same person.

Combining both, we get a truly anonymous cryptocurrency. Bitcoin does not meet these criteria, for a number of reasons (the detailed argument is presented in the paper), so there is a clear need for a different set of mechanics. Nicolas therefore proposes ring signatures.

A ring signature is a type of digital signature that can be produced by any member of a group of users. It was introduced in 2001 by Ron Rivest, Adi Shamir and Yael Tauman in the paper "How to Leak a Secret"; Rivest should be familiar to you from one of the previous posts (time and again it seems that the same people invented almost EVERYTHING in blockchain and crypto).

So what is special about a ring signature? With ECDSA (presented in the previous post) and similar algorithms, verifying a transaction requires the sender to reveal his or her public key, which identifies the signer. A ring signature instead proves that the message was signed by some member of a group, without revealing which one. Formally it looks as follows:

Each party has a public and a private (secret) key, P and S respectively. Alice creates a ring signature σ on a message m using her private key S1 and the public keys of the group (P1, P2, …, Pn), her own P1 among them; the other members do not need to cooperate or even know that their keys were used. Anyone can verify the validity of the ring signature given σ, m and the public keys (P1, P2, …, Pn), but the verifier learns only that one of the n key holders signed; the actual signer remains undiscovered.

A more formal, graphical representation is given in the figure:

This approach makes the sender's identity indistinguishable from those of the users whose public keys he or she included in the ring. In CryptoNote the ring members are outputs already on the chain, and the signature additionally carries a key image, a value derived deterministically from the signer's secret key, so that spending the same output twice is detected by the network without revealing which ring member signed. But the second requirement, unlinkability, is still uncovered. That is why an extension of the original scheme is proposed: a one-time key. In Monero's case the sender uses the receiver's public address and his own random data to compute a one-time key for the payment, so every output on the chain carries a fresh key.

The receiver is the only one who can release the funds once the transaction is committed, because the sender can compute only the public part of the one-time key; the matching private key can be derived only from the receiver's secret keys. Since two payments to the same address land on two unrelated one-time keys, an observer cannot show that they went to the same person, and the second requirement for an electronic cash system, unlinkability, is fulfilled.
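The two mechanisms just described, the ring signature with its key image and the one-time output key, fit together in a few dozen lines. The following is an added example written for this article, not Monero's or the CryptoNote reference code: it implements the whitepaper's ring signature (sign, verify, reuse detection) and the one-time key derivation on the ed25519 curve in pure Python. All function names are my own, and several simplifications are assumed that Monero does not make: SHA-512 stands in for Keccak, points are hashed as their raw affine x||y, hash-to-point is a naive try-and-increment, the one-time key omits the output index, and the curve arithmetic is textbook and not constant-time.

```python
"""Added example: CryptoNote-style ring signature + one-time output keys on ed25519.
Not Monero's code. Assumed simplifications: SHA-512 for Keccak, points hashed as
raw x||y, try-and-increment hash-to-point, no output index, non-constant-time math."""
import hashlib
import secrets

# --- ed25519 arithmetic in extended coordinates (X, Y, Z, T) ---
q = 2**255 - 19                                          # field prime
l = 2**252 + 27742317777372353535851937790883648493      # prime order of the base point
def inv(v): return pow(v, q - 2, q)
d = -121665 * inv(121666) % q
I = pow(2, (q - 1) // 4, q)                              # sqrt(-1) mod q
ZERO = (0, 1, 1, 0)                                      # neutral element

def xrecover(y):                                         # x from y, even root chosen
    xx = (y * y - 1) * inv(d * y * y + 1) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x % 2 else x
def point(x, y): return (x, y, 1, x * y % q)
def affine(P): return (P[0] * inv(P[2]) % q, P[1] * inv(P[2]) % q)
def on_curve(x, y): return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0

def add(P, Q):                                           # unified "add-2008-hwcd-3" formula, a = -1
    X1, Y1, Z1, T1 = P; X2, Y2, Z2, T2 = Q
    A, B = (Y1 - X1) * (Y2 - X2) % q, (Y1 + X1) * (Y2 + X2) % q
    C, D = 2 * d * T1 * T2 % q, 2 * Z1 * Z2 % q
    E, F, Gg, H = B - A, D - C, D + C, B + A
    return (E * F % q, Gg * H % q, F * Gg % q, E * H % q)
def mul(P, e):                                           # double-and-add scalar multiplication
    R = ZERO
    while e:
        if e & 1: R = add(R, P)
        P, e = add(P, P), e >> 1
    return R
G = point(xrecover(4 * inv(5) % q), 4 * inv(5) % q)      # standard base point

# --- hashes (assumed encodings, see docstring) ---
def enc(P):                                              # affine x||y, 64 bytes
    x, y = affine(P)
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")
def H_s(*parts):                                         # hash to scalar
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % l
def H_p(P):                                              # hash to a point of the prime-order subgroup
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha512(enc(P) + bytes([ctr])).digest(), "little") % q
        x = xrecover(y)
        if on_curve(x, y):
            return mul(point(x, y), 8)                   # clear the cofactor
    raise ValueError("hash-to-point failed")

# --- one-time (stealth) output keys; receiver address is (A, B) = (aG, bG) ---
def keygen():
    a, b = 1 + secrets.randbelow(l - 1), 1 + secrets.randbelow(l - 1)
    return (a, b), (mul(G, a), mul(G, b))
def make_one_time_output(A, B):
    """Sender: fresh r; publishes R = rG and the one-time key P = H_s(rA)G + B."""
    r = 1 + secrets.randbelow(l - 1)
    return mul(G, r), add(mul(G, H_s(enc(mul(A, r)))), B)
def claim_one_time_output(a, b, B, R, P):
    """Receiver: aR == rA, so only the holder of (a, b) recognises P and derives x with xG == P."""
    s = H_s(enc(mul(R, a)))
    if affine(add(mul(G, s), B)) != affine(P):
        return None                                      # not addressed to us
    return (s + b) % l

# --- ring signature from the CryptoNote whitepaper, with key image ---
def ring_sign(m, ring, x, j):
    """Sign m with secret x of ring[j]; returns (key_image, c_1..c_n, r_1..r_n)."""
    n, Hj = len(ring), H_p(ring[j])
    key_image = mul(Hj, x)                               # I = x*H_p(P): identical for every spend of x
    alpha = secrets.randbelow(l)
    cs, rs, L, R = [0] * n, [0] * n, [None] * n, [None] * n
    L[j], R[j] = mul(G, alpha), mul(Hj, alpha)
    for i in range(n):
        if i == j: continue
        cs[i], rs[i] = secrets.randbelow(l), secrets.randbelow(l)
        L[i] = add(mul(G, rs[i]), mul(ring[i], cs[i]))
        R[i] = add(mul(H_p(ring[i]), rs[i]), mul(key_image, cs[i]))
    c = H_s(m, *map(enc, L), *map(enc, R))
    cs[j] = (c - sum(cs)) % l                            # closes the ring: sum of all c_i == c
    rs[j] = (alpha - cs[j] * x) % l                      # makes L[j], R[j] verify without revealing j
    return key_image, cs, rs
def ring_verify(m, ring, sig, spent_images):
    """True iff some ring member signed m and this key image was not spent before."""
    key_image, cs, rs = sig
    if affine(key_image) in spent_images or affine(mul(key_image, l)) != (0, 1):
        return False                                     # double spend, or key image outside the subgroup
    L = [add(mul(G, r), mul(P, c)) for P, c, r in zip(ring, cs, rs)]
    R = [add(mul(H_p(P), r), mul(key_image, c)) for P, c, r in zip(ring, cs, rs)]
    return sum(cs) % l == H_s(m, *map(enc, L), *map(enc, R))

def demo(msg=b"spend one output"):
    """Alice pays Bob via a one-time key; Bob spends it hidden among two decoys; a replay is caught."""
    (a, b), (A, B) = keygen()
    R, P = make_one_time_output(A, B)
    x = claim_one_time_output(a, b, B, R, P)
    decoys = [keygen()[1][1] for _ in range(2)]          # other people's outputs taken from the chain
    ring = [decoys[0], P, decoys[1]]
    sig = ring_sign(msg, ring, x, 1)
    spent = set()
    first = ring_verify(msg, ring, sig, spent)
    spent.add(affine(sig[0]))
    return first, ring_verify(msg, ring, sig, spent)     # (True, False)
```

Running `demo()` walks the whole flow: the verifier accepts the first spend without learning which of the three ring members holds the key, and rejects the second attempt because the key image has already been seen. The subgroup check on the key image in `ring_verify` is the one line a real verifier must not drop: a key image outside the prime-order subgroup would let the same output be spent under several distinct key images.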

Compared to Bitcoin there is one more difference: Bitcoin's keys and ECDSA signatures live on the secp256k1 curve, whereas Monero's keys live on the Ed25519 curve (the twisted Edwards curve used by EdDSA), over which its ring signatures are computed. The mathematics differs somewhat, but a comprehensive comparison of the mathematical parts of the two cryptocurrencies is not the intention here.