A model of this text was initially printed on sethforprivacy.com.
Ragnar Lifthrasir asked for a list of Bitcoin proposals and concepts to enhance privateness that both are nonetheless a piece in progress, have been deserted or by no means applied, or did not make an affect, and so right here is my try at simply that.
This may in no way be an exhaustive listing, and I may use any assist I can get with conserving it updated or discovering historic proposals which have fallen out of favor. The sections beneath will likely be damaged down by venture or implementation and so as of proposal (the place doable).
Word: Whereas a few of these proposals have been non-starters or have been deserted, some are fascinating and probably promising proposals. This isn’t a “corridor of disgrace,” however slightly an opportunity to study from previous proposals and sustain with new ones as we go alongside.
Bitcoin
Confidential Transactions
Standing: By no means formally proposed for Bitcoin
Professionals: Drastically improved privateness towards amount-based heuristics; permits greatly-improved and extra versatile app-layer privateness instruments for Bitcoin (i.e., unequal output CoinJoins)
Cons: Provide auditability turns into extra advanced (however continues to be doable) and depends on extra superior cryptography; transaction sizes and verification instances are each considerably elevated
Confidential Transactions (utilized in Monero since 2017 and Liquid since 2018) are a method used to blind the quantities in a transaction in a method that’s nonetheless verifiable and provable with out revealing quantities to anybody exterior of the transaction members. Miners, nodes and exterior observers can nonetheless validate that transactions don’t create or destroy funds with out realizing the true quantities being transferred.
Additional Studying:
Reusable Cost Codes For Hierarchical Deterministic Wallets — BIP47
Standing: Unanimously discouraged for implementation
Professionals: A lot simpler receipt of funds to a static tackle whereas preserving privateness; no direct hyperlink between fee code and on-chain addresses/transactions (not like static Bitcoin addresses)
Cons: Most variations require a notification transaction to be despatched on-chain in order that the recipient is aware of find out how to search for funds despatched to them; notification transaction can undermine privateness if executed incorrectly
The proposal for Reusable Cost Codes is without doubt one of the best-known BIPs because of its adoption and use by Samourai Pockets below the title “PayNym.” This proposal is just like Stealth Addresses in {that a} single fee code can be utilized to derive unlinkable on-chain addresses, however differs in that it doesn’t use totally different addressing codecs on-chain and as a substitute depends on a notification transaction to permit the recipient to seek out their funds on-chain.
PayNyms, regardless of being rejected/discouraged in BIP47 have seen fairly widespread use and have not too long ago been applied in Sparrow Pockets and even by a Bitcoin mining pool “Lincoin.”
An excellent abstract of the three important Reusable Cost Code schemes has been supplied by Ruben Somsen, the creator of Silent Funds within the gist for Reusable Taproot Addresses.
Additional Studying:
Stealth Addresses — BIP63
Standing: By no means accepted as a BIP regardless of being given a BIP quantity
Professionals: When enforced, prevents all hyperlinks between off-chain addresses/pubkeys and on-chain one-time addresses; breaks all address-based heuristics
Cons: Wallets now should scan all transactions to validate which of them are owned by the person’s non-public keys; can now not do easy address-based pockets sync
Stealth Addresses are a novel idea that permits a receiver to share or publish a single static tackle that senders can derive one-time addresses from, breaking any cryptographic hyperlinks to the shared/printed tackle on-chain. Whereas this does add appreciable overhead to pockets scan instances (all transactions have to be scanned to see what’s owned by your non-public keys as a substitute of simply validating identified addresses) it fully breaks pockets clustering by addresses together with many different key heuristics.
Stealth Addresses have been initially proposed for Bitcoin in 2011 on BitcoinTalk, however have been deserted as a BIP after OP_RETURN was modified:
“OP_RETURN bought modified to 40 bytes on the final minute, stopping my stealth tackle commonplace from working, and moved on to work on different issues.”
–u/petertodd
Whereas Darkish Pockets did implement Stealth Addresses for Bitcoin, the pockets by no means formally launched and was deserted. Monero, alternatively, consists of Stealth Addresses as they have been a core a part of the unique Cryptonote protocol that Monero was created from.
Additional Studying:
PayJoin — BIP78
Standing: Draft
Professionals: Creates transactions that look regular however break widespread heuristics; straightforward to carry out when supported by the recipient
Cons: Requires scorching pockets on the service provider/recipient facet, can not ship to easy tackle and so on.; malicious sender can try to pressure recipient to disclose UTXOs (assault is mitigated if correctly applied)
PayJoin may be well-known to the Bitcoin privateness crowd because it has gotten some media and minor adoption regardless of its official “draft” standing. PayJoin lets the sender and recipient of a transaction work collectively to construct a mixed transaction that features a UTXO (or extra) from each the sender and meant recipient of funds, obfuscating the true nature of the fee on-chain.
An identical protocol was applied in Samourai Pockets in 2019 as “Stowaway” (earlier than the PayJoin proposal BIP), and PayJoin correct was applied in BTCPay Server in June 2020, JoinMarket in August 2020, Blue Pockets in October 2020, and Sparrow Pockets in November 2020. See these paperwork for extra info:
Though applied in some wallets and instruments, PayJoin utilization sadly appears to stay very sparse as we speak (although it’s arduous to detect on-chain so may be larger than we notice). Many of the lack of adoption seems to be as a result of must maintain scorching keys on the service provider facet with a view to assist PayJoin which many retailers are unwilling to do for the benefits PayJoin brings.
Additional Studying:
Peer-To-Peer Communication Encryption — BIP151 and BIP324
Standing: Unique BIP151 withdrawn, new BIP324 in draft
Professionals: Prevents easy snooping by internet-service suppliers (ISPs) and cell carriers; prevents man-in-the-middle assaults by rogue nodes pretending to be your specified distant node; can pin identified good nodes to make sure you have wholesome nodes as friends
Cons: Elevated overhead in peer-to-peer (P2P) protocol; new denial-of-service (DoS) vectors created by means of encryption; doesn’t totally forestall deep packet inspection by ISPs, and so on.
P2P communication encryption is a big and needed step ahead in securing the P2P community in Bitcoin towards widespread assaults and offering primary privateness to these working a node from their ISP and different primary surveillance, and has been proposed for Bitcoin by way of BIPs 151 and 324.
To cite the creator:
“BIP324 proposes a brand new Bitcoin P2P protocol, which options transport encryption and barely decrease bandwidth utilization.”
P2P communications encryption is one thing that’s not generally executed within the cryptocurrency house, however can also be being labored on within the Monero group.
Additional Studying:
Dandelion — BIP156
Standing: Rejected
Professionals (Particularly Dandelion++ Iteration): Prevents deterministic linking of transactions again to their originating node by lively surveillance of the P2P community; gives sturdy network-level privateness with out necessitating use of an anonymity community (which have their very own critical DoS/Sybil points)
Cons (Particularly Dandelion++ Iteration): Transaction broadcast takes for much longer (often one minute to one-and-a-half minutes for full propagation as a substitute of only a few seconds); opens up new DoS vectors if utilizing a malicious distant node and never your individual
Dandelion is an method to bringing believable deniability to the Bitcoin peer-to-peer community in a method that stops others on the community from deterministically tying transactions with the originating node. It does this by choosing a set of nodes to transmit the transaction to in sequence (one after the other, known as the “stem” section) after which solely transmit to the remainder of the community after a predetermined variety of nodes have additionally transmitted the transaction (known as the “fluff” section).
Dandelion++, an iteration that resolves most of the issues with the unique Dandelion proposal, was applied in Monero in 2020.
Additional Studying:
Taproot — BIP341
Standing: Draft (however really not, because it’s already deployed in Bitcoin by way of tender fork)
Professionals: Drastically improved privateness when utilizing scripts (like multisig or Lightning channel opens/closes) assuming broad adoption; extra scripting potentialities by way of Tapscript; potential effectivity enhancements, batching, and so on.
Cons: Non-cooperative, channel-close transactions should nonetheless reveal script, negating privateness beneficial properties in these conditions
Taproot is probably going probably the most well-recognized BIP on this listing, and has really been applied in Bitcoin regardless of nonetheless being marked as “Draft” within the BIP GitHub repository.
Taproot is basically solely on this listing because it has to date gone virtually unused, however as issues can transfer very slowly towards adoption in Bitcoin (particularly when elective, as Taproot utilization is) it can seemingly take a number of years earlier than Taproot is broadly used.
As soon as Taproot is usable for Lightning Community channel opens it can present good privateness by hiding the script particulars in every channel open transaction and making it a lot more durable to seek out channel opens on-chain in Bitcoin. This privateness does break down within the occasion of a non-cooperative channel shut, nonetheless, because the script have to be revealed on this case on-chain.
Additional Studying:
SNICKER
Standing: Deserted, by no means formally proposed for Bitcoin
As I don’t know a lot about SNICKER I gained’t go into element on my ideas, however see the quote beneath for the abstract of what the proposal was meant to do:
“SNICKER (Easy Non-Interactive Coinjoin with Keys for Encryption Reused) is a straightforward technique for permitting the creation of a two social gathering coinjoin with none synchronisation or interplay between the members. It depends on the concept of reused keys (both reused addresses, or identification of possession of signed inputs and thus pubkeys in signatures).”
So far as I can inform the proposal has been deserted since 2020.
Additional Studying:
CoinSwap
Standing: Work in progress, however by no means formally proposed for Bitcoin
Professionals: Seems to be a traditional transaction sort on-chain
Cons: Doesn’t really obfuscate or break any on-chain historical past, it merely makes an attempt to interrupt easy possession heuristics; permits these with tainted funds to swap for “clear” funds to the detriment of the swap participant; no clear privateness benefits in most conditions
CoinSwap was a well-liked and oft-discussed proposal in 2020 to permit customers to swap UTXOs (and thus their related historical past), however was met with sturdy pushback because it does nothing to take away historical past or break deterministic hyperlinks.
See the beneath quote for a easy abstract of CoinSwap:
“Coinswap is a protocol that permits two or extra customers to create a set of transactions that seem like unbiased funds however which really swap their cash with one another, optionally making a fee within the course of.”
It appeared that CoinSwap had been deserted, as there was no progress made since 2020, however not too long ago, Chris Belcher launched an implementation of CoinSwap known as Teleport Transactions.
Additional Studying:
Silent Funds
Standing: Work in progress, not but formally proposed for Bitcoin
Professionals: A lot simpler receipt of funds to a static tackle whereas preserving privateness; no direct hyperlink between fee code and on-chain addresses/transactions (not like static Bitcoin addresses); doesn’t require on-chain notification transaction, not like BIP47
Cons: At the moment utterly incompatible with mild wallets; including a brand new Silent Cost code after preliminary block obtain (IBD) requires utterly restarting IBD; requires fixed scanning of the blockchain for brand new makes use of/transactions
Silent Funds are all the craze in current Bitcoin dialogue, and are related in some methods to BIP47 (talked about above).
Whereas in addition they provide the power to share or publicize a single static fee code and obtain funds that aren’t linkable on-chain, there stay critical tradeoffs within the method that make light-wallet utilization virtually unattainable and might require full re-downloading of the Bitcoin blockchain to seek out new transactions for any new Silent Addresses.
It is going to be fascinating to see this proposal play out however to date the higher possibility seems to be BIP47 nonetheless.
An excellent abstract of the three important reusable fee code schemes has been supplied by Ruben Somsen, the creator of Silent Funds, within the gist for Reusable Taproot addresses.
Additional Studying:
Reusable Taproot Addresses
Standing: Work in progress, not but formally proposed for Bitcoin
Professionals: A lot simpler receipt of funds to a static tackle whereas preserving privateness; no direct hyperlink between fee code and on-chain addresses/transactions (not like static Bitcoin addresses); combines first fee and notification into one “actual” transaction, not like BIP47; notification transaction seems identical to another Taproot spend on-chain
Cons: Sender and receiver each should assist and use Taproot; sender must comply with a particular protocol to have the ability to get better from backup
Whereas this proposal bears many similarities to BIP47 and Silent Funds, it leverages new capabilities in Taproot to primarily enhance on the tradeoffs taken by BIP47 reusable fee codes. An excellent abstract has been supplied by Ruben Somsen, the creator of Silent Funds within the gist beneath:
Reusable Taproot addresses:
- No steady scanning of each transaction
- One-time interplay with the recipient (stateful for sender: in the event that they neglect, they should work together once more)
- No on-chain footprint
- Sender must comply with a particular protocol to have the ability to get better from backup (this draw back may be mitigated, see beneath)
BIP47:
- No steady scanning of each transaction
- No interplay with the recipient
- On-chain footprint (or alternatively one-time interplay and stateful backups)
Silent Funds:
- Steady scanning of each transaction (will increase value of working full node)
- No interplay with the recipient
- No on-chain footprint
Additional Studying:
Lightning Community
Please observe that almost all of those proposals are nonetheless very a lot a piece in progress and have but to be given a transparent sure/no approval. As such, the Lightning Community proposals are primarily added beneath as necessary developments to comply with that probably provide improved privateness when utilizing the Lightning Community.
Because the Lightning Community was initially designed as a device for scalability and never privateness, most of the core design choices initially chosen are extraordinarily detrimental to person privateness. Most of the proposals beneath are in search of to treatment these points and hopefully will likely be ready to take action with out harming fee reliability or routing effectivity.
Route Blinding
Standing: Work in progress
Professionals: Prevents sender from ascertaining full path to recipient; hides recipient node alias/pubkey; gives a lot better recipient privateness total versus present clear routing strategies; can present higher fee success price by offering native routing information in some particular situations
Cons: Will be troublesome to craft blinded routes in particular routing graph situations; can have a unfavorable affect on fee success price in particular situations
The present Lightning Community suffers from extreme points centered round receiver privateness, and Route Blinding is without doubt one of the key proposals in search of to treatment at the very least part of this problem.
To cite the proposal:
“Route blinding is a light-weight approach to offer recipient anonymity by blinding an arbitrary quantity of hops on the finish of an onion path.”
Route blinding continues to be very a lot a piece in progress however exhibits promise for permitting a receiver to obtain funds with out deterministically revealing the ultimate node receiving the funds.
Additional Studying:
Trampoline Onion Routing
Standing: Work in progress
Professionals: Can permit mild wallets to craft routes in a privacy-preserving method with out a full route graph; can be utilized to offer receiver privateness from the sender (however not the trampoline node so far as I can inform)
Cons: None that I do know of right now
Whereas not strictly a privateness enchancment, Trampoline Onion Routing can present higher route privateness in some situations for the receiver and so is talked about right here. It can be paired with route blinding to offer even higher obtain privateness, particularly to be used instances the place you can not run a full node or assemble complete routes your self for no matter purpose.
The total privateness implications are nonetheless into account, however it will likely be an fascinating proposal to comply with together with.
Additional Studying:
Alias SCID
Standing: Work in progress
Professionals: Prevents easy linking of funds to single node alias/pubkey by utilizing a singular alias per channel/peer
Cons: None that I do know of right now
One of many vital privateness points in Lightning as we speak is the truth that nodes have everlasting aliases and pubkeys which are used for gossip and channel administration, and as such, any receipt of funds leaks your nodes alias and pubkey to the sender of the fee.
The important thing method to resolving this problem in Lightning is one thing known as “Alias SCID,” which lets you pressure your friends to solely seek advice from you or your channels by an alias which may be distinctive to every peer and/or channel.
Additional Studying:
Provides — BOLT12
Standing: Work in progress
Professionals: Drastically-improved privateness and adaptability for funds because the recipient; a lot smaller QR codes and far much less information wanted within the provide itself (as the required information is collected from the recipients node instantly as a substitute of being all included within the bill as in BOLT11 invoices)
Cons: None that I do know of right now
BOLT12 is a mix of most of the different proposed enhancements and integrates them into a brand new and far more versatile bill sort for Lightning, additionally known as an “provide.” The implementation of BOLT 12 alongside route blinding and node alias SCIDs could be an enormous step ahead for each privateness and person expertise in Lightning, and is considerably of the present holy grail of proposals.
Be sure you control its growth in case you use or have an interest within the Lightning Community because it guarantees to repair most of the present points.
Additional Studying:
Sidechains
The Liquid Community
Standing: Dwell since 2018
Professionals: Mildly improved per-transaction privateness because of Confidential Transactions (however largely ineffective because of nearly no utilization decreasing crowd to cover in); cheaper charges than on-chain
Cons: Custodial (by way of a federation); nearly no utilization provides you nearly no crowd to cover in; previous points with “emergency” multisig being held by only a few events
The Liquid Community is a Bitcoin-pegged and federated sidechain for Bitcoin that permits customers to peg BTC to redeem it for L-BTC after which have the ability to transact on the Liquid Community.
Liquid gives average privateness enhancements over on-chain Bitcoin because of its use of Confidential Transaction and this can be very low cost to transact in.
Customers ought to be very conscious that Liquid is a federated mannequin the place custodians maintain the keys to your bitcoin, and thus your funds are vulnerable to loss or theft and you shouldn’t assume you’ll at all times have the ability to convert again to BTC.
However Liquid stays virtually unused even after 4 years of being within the wild and heavy advertising.
Additional Studying:
FediMint
Standing: Work in progress
Professionals: Very sturdy privateness when transacting inside the sidechain; interoperable with the Lightning Community with out requiring every person to run a node/handle channels/and so on.; anybody can begin a brand new minimint, not simply particular folks/teams; can select a selected minimint to used primarily based on federation members repute, belief, and so on.; can function a center floor between self-sovereign Lightning (Zeus, Core LN, LND, and so on.) and “single-custodian” Lightning (Pockets of Satoshi, Money App, Strike, and so on.) whereas retaining person privateness from custodians
Cons: Custodial (by way of federations); potential regulatory strain on federation members because of custody/switch of person’s funds; centralization of Lightning Community because of customers not working their very own node, managing channels, and so on. and as a substitute counting on federation Lightning providers
FediMint (and the particular preliminary implementation, minimint) is a comparatively new proposal for constructing a federated Chaumian-blinded eCash as a sidechain to Bitcoin, denominated in bitcoin. These federated sidechains could be comparatively small, interoperable and would compete on repute, uptime and charges.
Whereas it’s nonetheless very a lot a piece in progress, minimint holds promise for a center floor between totally self-sovereign Lightning Community utilization (Zeus, Core LN, LND, and so on.) and single-custodian Lightning Community utilization (Money App, Strike, and so on.) by permitting a trusted federation of custodians to carry funds and handle Lightning node(s) for his or her customers.
Word that the proposal continues to be totally custodial, however has differing tradeoffs in comparison with one thing just like the Liquid Community.
Additional Studying:
This can be a visitor put up by Seth For Privateness. Opinions expressed are fully their very own and don’t essentially mirror these of BTC Inc or Bitcoin Journal.
