What You Need To Know About Zero Knowledge

Anonymity? Privacy? How quaint. We live in a world bedecked with ever more cameras, ever more sensors, ever more drones, ever more data, ever fewer things that can be hidden. TLS and Tor can hide your online browsing, true — but, realistically, everything important you do, online or off, can easily be audited and tracked.

True, you can still send private messages. Signal/RedPhone/TextSecure from Open Whisper Systems are the gold standard for secure messaging, and Dark Matter looks interesting. But if you want to go beyond messaging into transacting, your luck runs out.

Consider Bitcoin. It’s infamous as the currency of choice for dark markets — but it’s also, “in a sense, the least anonymous money that has ever existed, since every transaction is observable by anyone with a bitcoin account,” to quote economist David Friedman. Just ask alleged Silk Road kingpin Ross Ulbricht, who had 700,000 bitcoin on his laptop directly traceable to Silk Road’s accounts.

You can’t ask for payment in unmarked bitcoin; there’s no such thing. Claims that “Large European companies may eye Bitcoin as an option for securing their data and keeping it private from the United States” are currently comical. Sure, you can “tumble” your bitcoin payments, i.e., have them mixed and mingled with those of strangers, or perhaps use a service like Dark Wallet (which is essentially a distributed tumbler) — but then you have to implicitly trust that service to protect your anonymity…and not keep your money.

Well, that’s the inevitable downside of a single global distributed ledger, right? Anyone can look at it. Stands to reason.

…Or so you’d think.

But you underestimate today’s mathematicians and cryptographers at your peril. I give you Zerocoin, a way to perform genuinely anonymous cryptocurrency transactions. It was intended as an extension to bitcoin, but is also fully workable as a separate and independent “zerocoin” cryptocurrency.

How is this possible? The concept is elegantly simple: zerocoins are drawn from a collective escrow pool which is defined, notated, and maintained on the host currency’s blockchain, and each coin’s transaction history is erased when it emerges from the pool. Transactions are verified by means of zero-knowledge proofs: a mathematical means to prove a truth without having to reveal any further verifying information. (For further details see this superb illustrated primer by Matthew Green, one of Zerocoin’s creators, or the original Zerocoin paper.)
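To make the “prove a truth without revealing anything further” idea concrete, here is an added example (my own illustration, not code from the Zerocoin project or paper) of the building block beneath it: a coin is minted by publishing a Pedersen commitment C = g^s h^r to a secret serial s, and the holder later proves knowledge of (s, r) with a Schnorr-style sigma protocol made non-interactive via Fiat-Shamir, so the verifier is convinced without ever seeing s or r. This is deliberately simplified: the real Zerocoin spend additionally proves that C sits somewhere in the accumulated pool without revealing which commitment it is, and reveals the serial to block double-spending; the group parameters and the function names (make_group, mint, prove_opening, verify_opening) are assumptions for this demo.

```python
import hashlib
import secrets
BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # Miller-Rabin bases, exact for 37 < n < 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin; assumes n > 37 (true for every value tested here)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(start=1 << 60):
    """Safe prime p = 2q+1 plus generators g, h of the order-q subgroup; log_g(h) is unknown to everyone."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # Squares lie in the order-q subgroup; h is hashed into the group so nobody can pick its discrete log.
    return p, q, 4, pow(int.from_bytes(hashlib.sha256(b"demo-h").digest(), "big"), 2, p)

def mint(p, q, g, h):
    """Mint: commit to a secret serial s under blinding r; only C = g^s h^r goes on the ledger."""
    s, r = secrets.randbelow(q), secrets.randbelow(q)
    return pow(g, s, p) * pow(h, r, p) % p, s, r

def challenge(q, *parts):  # Fiat-Shamir: the challenge is a hash of the whole transcript
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % q

def prove_opening(p, q, g, h, C, s, r):
    """Prove knowledge of (s, r) with C = g^s h^r; the proof (T, z1, z2) leaks neither value."""
    a, b = secrets.randbelow(q), secrets.randbelow(q)     # fresh randomness per proof
    T = pow(g, a, p) * pow(h, b, p) % p                   # commitment to the randomness
    c = challenge(q, p, g, h, C, T)
    return T, (a + c * s) % q, (b + c * r) % q

def verify_opening(p, q, g, h, C, proof):
    """Accept iff g^z1 * h^z2 == T * C^c, which holds only if the prover knew an opening of C."""
    T, z1, z2 = proof
    c = challenge(q, p, g, h, C, T)
    return pow(g, z1, p) * pow(h, z2, p) % p == T * pow(C, c, p) % p
```

The 60-bit group keeps the search instant for a demo; a real deployment uses parameters where the discrete logarithm is actually infeasible.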

It’s more than just a fascinating concept; a startup called Moneta has gone and implemented the Zerocoin protocol (along with other blockchain improvements). Their “genesis block” — the launch of their blockchain — is scheduled for the next few months.

Meanwhile, the Zerocoin people have expanded their initial proposal into an even more anonymized protocol, called Zerocash. Zerocash is not entirely trustless; it has to be initially set up by a trusted entity. Thereafter, though, its blockchain would allow transactions that did not contain any public information about their sender or receiver or amount — but all of these things can still be verified using zero-knowledge proofs. (Indeed, “such proofs are less than 300 bytes long and can be verified in only a few milliseconds.” They are memorably known as zk-SNARKs, for “zero-knowledge Succinct Non-interactive ARguments of Knowledge.”)

…But let’s not get too excited. Let’s throw a little cold water on these fever dreams. There are hundreds of would-be Bitcoin successors out there, and every one has failed to supplant the king of the heap. Bitcoin’s tech may seem increasingly obsolete (only five years in!) but its network effects seem to make it unassailable. Despite all the catcalls and lamentations of the last year, a single Bitcoin is still worth more than $200. That is beyond remarkable. Like Wikipedia, Bitcoin may not work in theory, but it’s nearly unstoppable in practice; and no other cryptocurrency will topple it from its perch any time soon.

That’s why pegged sidechains are important. I’ve written about them before; basically, they’re a way to exchange bitcoins across an interwoven braid of many blockchains, and thus extend the protocol without having to somehow overthrow Bitcoin’s primacy. (Blockstream, the startup behind sidechains, recently raised $21 million, and counts among its founders several core Bitcoin developers.)

To my mind, Zerocoin and Zerocash are the low-hanging fruit of sidechains. Just transfer your bitcoin to a sidechain that implements one of those protocols, and voila, instant Bitcoin anonymity; you can send or receive money while maintaining mathematically perfect privacy. Will this have practical and regulatory repercussions? You bet. Will it always be a good thing? Realistically, probably not. But in a world creeping towards becoming the Panopticon of Things, one camera-enabled remote-controlled device at a time, anything that protects privacy is a good thing. Three cheers for zero knowledge.

Although even that will just be a first step. I’ll leave the last word to Moneta co-founder Gary Lee:

The vision of the Moneta project is to help significantly advance Bitcoin technology as a sidechain. As a sidechain, we want to help people realize that it’s possible to make Bitcoin lightning-fast, far more private, and far more scalable. For example, people often think that Bitcoin is limited to 7 transactions per second and can never compete with Visa. With some changes to the protocol, we can increase that number one-hundred fold. Also, with increased scalability comes decreased transaction fees. Think of all the new marketplaces and behaviors that can arise if we can decrease Bitcoin’s transaction fees from the magnitude of cents to the magnitude of hundredths of a cent … We hope to convey that Bitcoin’s underlying protocol can in fact be advanced significantly — not just marginal improvements, but 10x or 100x improvements.