Are privacy coins future proof?
Privacy is the single most important element of a financial system. The only people who would advocate for a system without privacy, for all, is someone who aims to benefit.
But with the urgency to include privacy in our cryptocurrencies at any cost, have we overlooked critical fundamentals? Is privacy sustainable? And who will pay the price?
There are non-trivial tradeoffs associated with obfuscating transaction amounts and addresses. The two main approaches to obfuscating amounts are confidential transactions (ct) and Zero-knowledge Proof (zkps) of various sorts. Confidential Transactions are less complex than zkps, but both types of tech are vulnerable to stealth inflation bugs and the inability to be forgotten or omitted from the ledger.
If either of these systems were implemented in Decred and a stealth inflation attack occurred, it could ruin the governance system. Further, stealth inflation would substantially undermine the value proposition of the finite deterministic issuance schedule.
What is a stealth inflation attack?
Stealth Inflation is an attack that inflates the supply of the currency beyond the agreed-upon issuance that is difficult or impossible to detect.
If the supply is inflated, this devalues or dilutes the overall worth of the currency. The more there is of anything, the less it is worth. Supply & demand 101.
In the context of governance, this new undetectable supply is now in the hands of those that can vote on the direction of the project without having any value at risk. Some call this “skin in the game”. Without having any value at risk, an incentive develops to destroy the project to limit its competition. The project is now worth less because of the additional supply, & voting power is now in the hands of those that will not be affected by its devaluing.
Should the additional supply be detected & removed, this undermines another value proposition, that of immutability, & weakens the confidence of the community. If this additional supply was spent (for goods & or services) those in possession of these coins are essentially holding counterfeit coins.
Consider Charlie Lee’s comment on the severity of the issue when talking about a bug that was detected in BTC.
“They (the developers) later revealed that the vulnerability was due to an inflation bug, it’s pretty bad, I mean inflation bug is like one of the worst things that could happen to Bitcoin. If someone is able to print Bitcoin out of thin air, that would totally kill the value of Bitcoins”
Decred is a simple ledger that mathematically confirms truth in accounting. All units are known that have been produced by the system & are easily auditable at any time. This includes the ability to keep transactions private using the native mixer CoinShuffle++ at a trivial cost, without sacrificing the integrity of the ledger.
Why is it important that private transactions are prunable?
Pruning the Blockchain ledger means being able to confidently remove redundant data and transactions, with 100% certainty they are no longer required. Pruning allows the Blockchain to remain relatively small and be more efficient for those running the software that validates the chain.
Monero (XMR) does not obfuscate addresses, but it does obfuscate which addresses link to which other addresses. XMR ring signatures make it, so you cannot tell which transactions are fully spent and which are not, making it impossible to prune the chain. The entire chain must be stored forever because nobody can tell which transaction outputs are spent versus unspent. ZCash’s (ZEC) zkps have the same property. Since you cannot tell which transactions are spent, you cannot prune them.
“Think about a decade or a century in the future — is it reasonable to force every transaction ever to be available forever? Of course not, it's fucking stupid. As ZCash is learning the hard way, a single person can sit and churn transactions all day, bloat their chain, and they have to keep copies of it forever the same applies to Monero.” — @JYP
How is Decred’s Coinshuffle++ method an improvement?
Most people in this space engineer for 5-10 years out because they're incapable of thinking beyond that time horizon. The mixing tech Decred have developed and put into production is prunable, is post-quantum secure (pq) and has substantial opt-in uptake.
The bulk of the process occurs off-chain, which allows us to use Post-Quantum Public Key Infrastructure (pq pki) without consensus changes or bloating our chain any more than the usual Elliptic Curve Public Key Infrastructure (ec pki).
Decred’s mixing is a process that involves creating coin-joined transactions. You cannot force that to occur. If we forced everyone to mix, despite that being very hard or impossible consensus rules wise, it would involve substantial delays when creating transactions. Since both zkps and ring-ct involve a very particular transaction format, they can easily enforce that as part of consensus.
In our case, the transactions on-chain look substantially similar to pretty much all others. Most of the mixing process occurs off-chain, so there's no way to enforce that it has occurred while transacting on-chain. It's only the creation of a shared coin-joined transaction that is on-chain, whereas zkps and ring-ct require all data to be on-chain and verified there.
From first principles, a blockchain is a voluntary system you are not required to use, but anyone can choose to use it. The same applies to staking, atomic swaps, voting, and privacy. Decred’s personal preference is to give people freedom of choice when possible. Another consideration is centralized exchanges. They/their fiat banking partners/regulators don't like privacy, so once you require privacy, you immediately run afoul of those actors. In fact, ZCash made their privacy opt-in for this exact reason, back in 2016.
In the opt-in method, is there a concern with tainted coins?
The main issue with taint in BTC is that, since BTC participation is so low, mixed coins look suspicious given the substantial majority of the coins are not mixed. In Decred, however, the vast majority of coins are mixed due to staking. So, it's actually exceedingly rare for you to be able to deal with coins that haven't been mixed and therefore using mixed coins is not suspicious in any way since it's almost impossible to avoid them.
Coins mixed through Decred's Coinshuffle++ are identifiable as being mixed in pretty much the same way you would distinguish coins that have been mixed from Samurai or Wasabi. The main difference is the high throughput the stake pool gives its users and the fact it’s a built-in service that requires no third-party. These two factors alone make the service incredibly future-proof.
Paying the price for privacy
Is privacy sustainable? Who will pay the price? These questions really depend on how far you are willing to look into the future.
If you can’t audit a coin supply with 100% clarity that the chain is producing the correct number of coins, then the holder will pay the price due to the devaluing effect of unpredictable supply.
If you are unable to prune or remove historic private transactions, that are no longer applicable. The people running the chain will pay the price, which in-turn will reduce majority participation due to the cost of running fully validating nodes.
To most, a blockchain that has over 100 GB of transactions in the first year means it has a lot of activity, and it's thriving. But anyone paying an ounce of attention knows all of this data has to be carried forward by the people running the software.
Special thanks to JYP and Dave Collins for their help and input