Going Deep on Blockchain Scalability & Privacy: Zcash
It is well known in the crypto market that scalability remains an unresolved roadblock to mass market adoption. Bitcoin and Ethereum, the two largest cryptoassets by market capitalization, max out at around 7 transactions per second (tps) and 15 tps, respectively. To put this into context, individuals often cite the Visa network’s ability to process over 24,000 tps as a benchmark. CryptoKitties, a decentralized app where you can collect and trade digital kitties, nearly crashed Ethereum at the end of 2017 because of the congestion in processing trades. Without scalability, blockchains cannot function.
So what’s preventing blockchains from becoming as scalable as Visa’s network? Their decentralized nature.
Bitcoin and Ethereum are trustless because there are thousands of independent nodes across the world, run by independent companies and individuals, that maintain the security of the network. The more nodes there are, the more difficult it is for one node/person/nation/enterprise to attack the network. However, the more nodes there are, the more servers decisions are processed through, and thus the longer it takes to agree on a decision. A direct democracy is a good analogy here — how long would it take to pass a bill if every American citizen had to vote on every bill proposed as a new law?
Vitalik Buterin, co-founder of Ethereum, has coined this major problem the “scalability trilemma”: how can blockchains be scalable, secure, AND decentralized? Solving this trilemma remains the foremost objective in the industry today. If we cannot find solutions, adoption will never take off, and the complex challenges our industry addresses like non-sovereign money, individual data ownership, or banking the unbanked, may never be solved.
For now, there are a few core ideas behind solving the scalability trilemma:
- Replace the “direct democracy” approach blockchains use for governance with a representative democracy. The independent nodes all over the world elect a subset of nodes to manage the network. This way, decisions only have to pass through the delegates and can be made much faster. Three of the largest blockchains by market cap, EOS, Tron, and Tezos use delegated governance. Critics of delegated blockchains argue that with fewer machines, the network will become less secure, and furthermore, these “elections” are subject to manipulation, increasing the potential for corruption.
- Use a smaller number of trusted nodes run by corporations that have their reputation at stake.
- Maintain the fully decentralized (direct democracy) approach; instead, rely on technological improvements to increase the efficiency of the communication between the nodes in both time and space.
- Since not all transactions need such a high level of security, we can move/validate those with lower security requirements off-chain or to side-chains.
The last two options are complex. There are dozens of companies that are trying to solve this at the protocol layer using technology like sharding or complex calculus. There are many others tackling scalability via off-chain and side-chain solutions such as payment channels (Lightning Network, Raiden), other state channels, and Plasma. None of these are yet successfully operational at scale. You can time stamp the industry as being in the midst of a “scalability race.”
But what does this have to do with privacy?
Many crypto enthusiasts were originally attracted to Bitcoin because they believed it was anonymous. This is not true; contrary to popular belief, Bitcoin is far from anonymous. While real-world identities aren’t revealed, when users engage in a Bitcoin transaction, their public keys (public addresses) and transaction amounts are broadcast to the public ledger. Anyone who has obtained a record of the blockchain over time can easily look up these users’ wallet addresses to see how much Bitcoin they own. Furthermore, once someone transacts with a counterparty, he/she learns one of the counterparty’s public keys, and thereafter can trace the holdings tied to that public key. In fact, law enforcement has previously used end-users’ misperception of Bitcoin’s transparency to its advantage. Kathryn Haun, who is a General Partner at Andreessen Horowitz, previously led a TED Talk on how the US Government used full nodes on Bitcoin to trace $13.4M to Ross Ulbricht, the mastermind behind the first modern darknet market, Silk Road.
Nevertheless, there are multiple blockchains that have been engineered to be private. The major ones, based on their technical proficiency and the market cap of their associated cryptocurrencies, are Monero and Zcash. In addition, two new privacy coins, Grin and Beam, launched in January 2019 and are generating a lot of recent buzz in the industry. Privacy research continues to be at the forefront of the crypto space, as we’ve seen with the most recent Zether whitepaper, published in late February 2019 as a collaboration between the senior research teams in applied cryptography from Stanford University and Visa.
The purpose of these blockchains is self-explanatory: you can buy/sell/trade value and record the transaction on the blockchain, anonymously. Many view privacy coins as technology that supports the dark web; however, privacy is important for all users if crypto payments are to become mainstream — do you want your coworkers to know how much you spent on your girlfriend’s birthday present? These blockchains are working on protocols that fundamentally protect people’s personal information but also can be audited/examined by law enforcement if nefarious activity is suspected.
So, what does privacy have to do with the scalability race? Think about it this way — when you don’t tell everyone, everything, you theoretically can save time and space. Capitalizing on this interesting axiom, blockchain developers have been working hard to implement “zero-knowledge” proofs, which are protocols within the blockchain code that allow independent nodes to verify transactions in a block without identifying the participants involved or the inputs and outputs of the transactions. There are ways, using math, to make this possible, which is an amazing and potentially game-changing concept. Thus privacy blockchains and scalability progress are intimately linked.
We start with one of the oldest and largest privacy coins by market capitalization — Zcash.
Zcash isn’t the oldest privacy blockchain (it officially launched as a hard-fork of Bitcoin in October 2016), but its team and technology have led by example. Originally designed by cryptographers from some of the world’s leading academic institutions (MIT, Technion, Johns Hopkins, Tel Aviv University and UC Berkeley), Zcash’s anonymization is built entirely on zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge), which allow Zcash to hide almost all data from the validators in its network (the sender information, receiver information, and transaction amounts) except for time stamps and transaction fees. Many call Zcash’s zk-SNARKs algorithm “moon math,” because of its incredible complexity. Zcash has two main features that make it stand out:
- Its zk-SNARKs technology
- Its anonymization is selective
Zcash allows users, both senders and receivers, to choose whether they want their transaction information to be transparent or shielded. A fully transparent transaction, where both the sender and receiver opt out of hiding their information, looks and operates similar to that of Bitcoin. However, if any part of the transaction is shielded, Zcash uses its zk-SNARK algorithm to verify the transaction. Using a zero-knowledge algorithm rather than signature mixing makes it easier for Zcash to comply with law enforcement, as users can reveal their transaction history for a shielded address to a third party by providing their “view key”. Zcash also contains a memo field for shielded transactions, which you can think of as the description line on a check that only you, the recipient, and whichever third party to whom you’ve sent your “view key” can see.
What’s the difference between Zcash’s zk-SNARKs and Monero’s RingCT bulletproof? They are different zero-knowledge algorithms that have trade-offs based on time, size and cost. Exploring the trade-offs can get quite technical and is outside the scope of this paper. (For the ambitious among you, you can start here). Nevertheless, there is one aspect of the comparison that is important to explore: Zcash’s zk-SNARK implementation has, as founder Zooko Wilcox describes it, an unfortunate vulnerability in the math, where it requires a trusted setup, while Monero’s bulletproofs do not.
Zcash’s trusted setup is similar to the sender’s and receiver’s selection of a “blinding factor” or secret key in Monero’s RingCT. However, Zcash has one secret key and it holds significantly more importance. Because zk-SNARKs power the entire protocol, Zcash uses its blinding factor to generate the Zcash currency and launch its blockchain. On one hand, it’s efficient that the blinding factor only needs to be chosen once, rather than per transaction like Monero. On the other, the security of the entire network is predicated on this blinding factor. If somebody got a hold of it, he or she could successfully make counterfeit Zcash tokens. And because of Zcash’s privacy features, these counterfeit tokens could go undetected. Talk about a nightmare.
So how did Zcash generate this blinding factor so that a) no one could steal it upon creation and b) they could prove to all potential future users of Zcash that no one knew, saw, learned or tampered with this number? Founding members held a ceremony right before the launch of the blockchain from October 22–23, 2016, where six independent teams in distributed locations all over the world generated and contributed a piece or “shard” of the private key, without knowledge of the others. The original Zcash “Sprout Ceremony” was quite elaborate — to hear the details, check out journalist Morgan Peck’s entertaining first-hand account here.
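The idea behind such a ceremony can be sketched with a simplified model, added here as an illustration and not taken from Zcash's protocol or code: each team folds a private shard into a public accumulator, so the combined secret is the product of all shards and cannot be recomputed if even one shard is missing. The modulus, base and function names below are assumptions chosen for readability; the real ceremony works over elliptic curves and publishes proofs for every step.

```python
import secrets
from math import prod

# Constructed toy parameters: a prime modulus and a small base, chosen for
# readability. They are NOT the ceremony's parameters and are not
# cryptographically strong.
P = 2**127 - 1
G = 3

def new_shard(p=P):
    """A participant's private random shard (kept secret, destroyed afterwards)."""
    return secrets.randbelow(p - 3) + 2

def contribute(acc, shard, p=P):
    """Fold one shard into the public accumulator; only the result is published."""
    return pow(acc, shard, p)

def run_ceremony(shards, g=G, p=P):
    """Return the public transcript: the accumulator after each contribution."""
    transcript = [g]
    for shard in shards:
        transcript.append(contribute(transcript[-1], shard, p))
    return transcript

def reconstructs(known_shards, final, g=G, p=P):
    """True if the known shards suffice to recompute the final parameter,
    i.e. their product is the combined secret behind the setup."""
    return pow(g, prod(known_shards), p) == final

if __name__ == "__main__":
    shards = [new_shard() for _ in range(6)]   # six teams, as in the article
    final = run_ceremony(shards)[-1]
    print("all six shards reconstruct:", reconstructs(shards, final))
    print("five of six reconstruct:   ", reconstructs(shards[:5], final))
```

In this model, an attacker who collects five of the six shards still needs the sixth to recompute the final parameter, which is why a single team destroying its shard protects the whole setup.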
Unfortunately for Zcash, their ceremonial days aren’t behind them. Every time Zcash wants to hard-fork their protocol, they have to create a new blinding key and conduct another ceremony. On April 13, 2018, Zcash completed their second “Power of Tau Ceremony,” which was public and included hundreds of participants globally, in preparation for their Sapling hard-fork.
One of the major problems with the optional privacy features of Zcash is that if the majority of the network opts out of the privacy feature, it becomes easier for surveyors to track the private users. So it is in Zcash’s best interests for more users to opt into privacy.
Zcash users’ initial disinterest in shielding transactions might be attributed to its computational intensity/cost and latency. Originally, Zcash’s Sprout protocol took multiple gigabytes of memory and over 30 seconds to create a shielded transaction. Under Sapling, a shielded transaction can be created in a few seconds and use only 40 megabytes of memory, making it realistic for users to regularly transact with a shielded address. In fact, this significant decrease in cost and latency pushes Zcash closer to being able to conduct shielded transfers on smartphones/mobile devices. Yet, the Zcash network has yet to reap the fruits of developers’ labor, as only 15% of all transactions on the Zcash blockchain in the past month have been partially or fully shielded.
All in all, Zcash’s protocol design leads by technical example. However, their trusted setups are still a headache, and there remains risk to the underlying security of the network if someone were to obtain this blinding factor. This captures the trade-off between Zcash and Monero. One utilizes a trustless protocol (zk-SNARKs) reliant upon a trusted setup. The other has trustless features but is not trustless throughout, instead relying on obfuscation tricks whose success is correlated to its network size. Neither is perfect, which is why other privacy coins (Grin and Beam, for example) have continued to launch.
This is an excerpt from a report that was originally published by Wave Financial.