Secure communications have been integral to the rise and fall of empires. It is only natural that when a new medium emerges, such as digital communications and transactions, that humans develop new techniques to secure messages over these new media. Cyphers and code breakers are not new; however, the medium through which we use them has been ever-evolving. Privacy-preserving protocols are the backbone of blockchain technology, a technology that has promised secure transactions and communication. In this piece, we outline some of the most interesting privacy-preserving protocols available to blockchain-based technology. Below we breakdown what they mean.

Ring Signatures

Several popular blockchains implement ring signatures to protect the privacy of individuals conducting digital transactions. Ring signatures improve privacy by obfuscating the origin of the inputs and, subsequently, the history of the output.

A ring signature is a transaction in which the initiating signature is added to a set of possible signatures to produce a unique signature that authorizes a particular transaction. In a ring signature, all contributing signatures are equal and valid even though they may not be the participant conducting the transaction. Once a transaction is created the protocol pulls additional inputs for the transaction thus creating a group of plausible inputs for the defined output.

This mechanism hides the origin of the transactions by obfuscating it among many other ‘dummy’ origins. It is impossible to discern a real transaction from a fake one. To go a step further, the amounts contained in a ring signature can be hidden, therefore reducing the potential for a privacy leak.

For example, if Zeus would like to transfer some amount X to Yoni, the protocol would combine Zeus’ transactions with several other inputs from unknown parties into one jointly signed transaction. Yoni then receives the amount X from Zeus from one of the many outputs of the ring signature.

An outside observer cannot link Zeus’s input to the output received by Yoni. On the blockchain, all of the inputs are valid candidates for the output received by Yoni, thus adding a level of security and privacy to the transaction.

Ring signature transaction signing

ZK-SNARKs

Zk-SNARK stands for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. Zk-SNARKs involve the construction of a proof of some specific knowledge without revealing the information. In other words, ZK-SNARKs allow for any entity to prove something to another that a statement is true without having to reveal any information other than the statement itself. The “succinct” in zk-SNARKS is related to the amount of space required for a proof, only a few hundred bytes. This makes storing ZK-SNARKS on a blockchain more reasonable.

The drawback of zk-SNARKs is that they require a trusted setup. If a malicious actor has access to all the information used to generate the initial keys, that actor can then create proofs that look valid to the verifiers but are false. Many participants in a SNARK setup go to great lengths to ensure the randomness of the key generation is protected.

Imagine a situation in which you must prove membership of a specific group (i.e., individuals over the age of 18), however due to privacy concerns, you do not wish to reveal the exact date of your birth; then, you can use a zk-SNARK to prove this.

ZK-STARKs

STARKs are like SNARKs, but there are some very critical distinctions. First STARKs do not require a trusted set up to work. Secondly, zk-STARKs are post-quantum secure.

This is because STARKs rely on cryptographic functions that are not known to be susceptible to large quantum computations. In other words, STARKs rely on weaker cryptographic assumptions than SNARKs. This feature is very important if we seek to build digital protocols that will stand the test of time. However, these features come at a cost. STARK proofs are at a minimum an order of magnitude larger than SNARK proofs.

The size of STARKs could lead to unnecessary blockchain bloat or worse, turn into a bandwidth sink for an active network.

Bulletproofs

Bulletproofs are in the ZK family; however, they are not as large as zk-STARKs and do not require a trusted set up like zk-SNARKs. You get the best of both worlds.

The significant feature of bulletproofs is that as the size of the proof to prove x transactions increases by log(x) instead of linearly. Bulletproofs can be used to greatly reduce the size of blockchain data without the need for a trusted set up.

However, the only drawback is the time required to prove and verify bulletproofs.

The chart below summarizes the difference between STARKs, SNARKs, and Bullerproofs.

(Source: Elena Nadilinski’s slides from Devcon4)

Conclusion

In this piece we highlight some of the cutting-edge privacy-preserving protocols in blockchain today.

Zero-Knowledge proofs and Ring transactions are increasingly being used to defend individual privacy in the age of surveillance capitalism.

The Concordium network will seek to employ the latest privacy-preserving technology to deliver a comprehensive privacy solution while allowing for the verification of compliance.

Please read more about our approach at Concordium.com