
And also Secret Network, which hides smart contract variables, which therefore includes token and wrapped token amounts, along with the current owner. Monero has a trustless-enough bridge over to there.



And also Aztec Network, and Tornado Cash, and Zcash, and soon Starkware, and...

I'm surprised so many people on Hacker News apparently still believe that you can "see all transactions" on every blockchain. It really only takes some surface level research to find working, production blockchains/cryptocurrencies that use one of several types of cryptography to hide that data, plus if you're using a pseudonymous blockchain, non-custodial ways to "break the link" between wallets.


Okay but like who cares?

Are any of those even in the top 30 cryptocurrencies by market cap? Is anyone speaking about them in the context of Web3 or is it all ETH, XRP and maybe two more?

From my blissfully uninformed mind, the only time these cryptocurrencies pop up is precisely this: as a counterargument to the popular ones, where you can see all the transactions. They're fringes even among the fringe that is cryptocurrencies.


> Is anyone speaking about them in the context of Web3 or is it all ETH, XRP and maybe two more?

Aztec Network, Tornado Cash, and Starkware all run on top of Ethereum... Aztec and Starkware are currently in the community spotlight because they're rollups or so-called "Layer 2s" that push the state of the art of Ethereum's tech (and the state of the art in zero knowledge cryptography, especially Starkware's CAIRO language and their EVM to zero knowledge proof circuit transpiler). Tornado Cash has over $4B in deposits, and for many is the go-to way to anonymize transactions on Ethereum.

Ernst & Young released Baseline last year, a zero-knowledge cryptography toolkit for operating private data services on the public Ethereum network.

The answer to "who cares" is basically the entire nascent industry, plus a handful of mathematicians and cryptographers - if you are paying attention.


A lot of these smaller networks are on top of or connected to top 10 chains.

A number of the top 10 networks will eventually (~5-10 year time frame) get privacy preserving transactions; however, the space is still very much in development, and it's a bit easier to reason about the network and what changes to make next when you can see what the users are doing. I know at the very least, IOG (the company currently leading Cardano development) is doing privacy preserving smart contracts research with the intent that it eventually becomes part of the protocol.

There's a lot for Layer 1 protocols to accomplish as it is so the space is largely delegating privacy chain research/functionality to L2s for the time being.


I hear the word “eventually” associated with crypto, quite a bit. I’ve yet to see an “eventually” actually pan out before they run out of money or the value tanks so low nobody will mine it anymore. As an observer following all of this fairly closely, it feels remarkably like a scam.


I find it telling that several currently live privacy networks were mentioned in this comment tree that you can use today, yet you still latch on to the word "eventually" and call the space a scam.


Maybe that was a bit unfair. Perhaps what I should say is that there is too much competition, such that no one can get the traction they need to truly accomplish their goals, with few exceptions.


I don't think too much competition has ever killed a product category. Usually the "few exceptions" end up dominating a market.


Ethereum already has options for private payments, such as Aztec (https://zk.money/).


Doesn't the lightning network used by btc allow obfuscation constructs?


Yes, with Taproot, which just went live. There is also Bitcoin Liquid, which is hidden as well.


> I'm surprised so many people on Hacker News apparently still believe that you can "see all transactions" on every blockchain.

Most have no knowledge of the state of the industry. Their opposition is based on knee jerk reactions.


Well, you have to see all transactions, in order to know the current balances on every wallet, in order to prevent double spending. This is, in fact, the whole principle on which blockchains operate.


There is no such requirement. The only requirement is that you be able to prove consistency and correctness of the ledger. The naive blockchain implementation needs transaction visibility but there isn't a hard requirement for it beyond that.

Monero uses a system that at a high level is referred to as Ring Signatures (it's not too complicated but it's more than I want to get into at the moment). Zcash and other networks use zero knowledge non-interactive proofs to prove consistency/correctness.

The major drawback of privacy preserving chains is that the transactions are expensive to compute due to all the maths that goes into maintaining that consistency without publicly leaking information. This isn't prohibitive for a desktop but a mobile phone will likely take a few minutes to build and send a transaction in the current environment (can be improved by HW acceleration or general HW improvements).


I've spent the last 30 minutes researching how ring signatures can be used to prevent double spending without revealing the spender's balance, and I've found nothing. Do you know where I can find the details?


There are a lot of variations, but in Zerocash-style schemes (which can be viewed as massive ring signatures), each note has an associated 'nullifier'. Spending a note involves revealing its nullifier, and for the transaction to be valid, the nullifier must not have been used before.

A nullifier is derived deterministically from private account data, and zero-knowledge proofs are used to show that a nullifier was derived correctly without revealing the private account data.

For more detail I think this is a good explanation: https://electriccoin.co/blog/zcash-private-transactions/


Here's a short explanation video to get you started. The general idea is that multiple signers are used, such that an outside observer doesn't know which signer is the "real" one, but only knows that "at least one of them" is.

https://www.youtube.com/watch?v=zHN_B_H_fCs


Technically the part that prevents double spending is Ring CT; however, by and large I see it lumped under Ring sigs when discussed.

Here's a link to the Ring CT papers. The original explains the base system, 2.0 formalises the security of the system, and 3.0 describes how the original protocols had issues and how they were improved.

Original Ring CT Paper: https://eprint.iacr.org/2015/1098

Ring CT 2.0: https://eprint.iacr.org/2017/921

Ring CT 3.0: https://eprint.iacr.org/2019/508

Personally I find the Ring CT 3.0 paper to be the most enlightening of these. For a simpler/shorter explanation however, Moneropedia has some videos that are helpful in this.

https://www.getmonero.org/resources/moneropedia/ringsignatur...

https://www.getmonero.org/resources/moneropedia/ringCT.html

-------

The key details are these.

Monero uses a UTxO (unspent transaction outputs) accounting model. There are a number of networks that use this model, namely Bitcoin. The UTxO model doesn't strictly have a concept of accounts but rather keys and UTxO. You can think of UTxO as atomic chunks of data/value. These UTxO are created once and used once. If you want to spend money, your inputs are UTxO, the outputs are UTxO, and the balances of all of these inputs and outputs must sum up to a net 0. Now UTxO can only be spent if a valid cryptographic signature can be produced. If your private keys can produce that signature, the value held in that UTxO can be spent by you.

This gives us our three key points. All UTxO consumed or spent in a Tx must collectively sum up to zero, UTxO can only be spent if the proof object/cryptographic signature produced is valid, and UTxO can only be spent if they haven't yet been spent.

First, Ring CT has each sender derive a one time private key from their private key and a one time public key from the recipient's public key. These keys are used to produce a set of encrypted "coins" which essentially hold the value of the UTxOs being spent and then created. This allows the sender and recipient to know the contents of the actual meaningful transaction. Then a cryptographic proof verifies that out of all the public keys in the Tx, all the keys can spend their selection of coins included in the Tx and only one of them is the real set of coins. From there the balance is verified by doing some clever math, where the sum of the encrypted outputs divided by the sum of the encrypted inputs must equal some constant determined by the encryption key. This is a bit of a simplification, but it works out such that it is equivalent to "ins - outs = 0" in a traditional UTxO system.

The key/signature verification mentioned previously has a nifty property where the produced "key images" serve as what are effectively "hashes" of the UTxO. This means that if any key image has previously been used in a transaction, it effectively guarantees that the corresponding UTxO has already been spent. Going back and checking this is somewhat more expensive than on a traditional network however optimisations (like using a bloom filter) allow for this check to run significantly faster.

That's how Monero upholds those 3 properties that are required for consistency in a UTxO based network without leaking information about the sender, recipient, or balances. In short it's using one time PKI derivations to break information symmetry and then from there structuring the encrypted data so that you can use some clever arithmetic and signature checks to verify correctness.

Apologies if my explanation isn't terribly clear or perfectly accurate. It's my reasonably solid understanding of the system. I'm not a formally trained cryptographer or mathematician so my choice of words or explanations may be somewhat inaccurate however they give a reasonable coverage of how the system works. If you want to dive more into the meat of it, I'd seriously recommend the Ring CT 3.0 paper as it's really well put together once you can get through the terse notation and dense amount of information.
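Added example, not part of the thread and not Monero's code: a toy Python model of the three mechanisms the comment above describes (one-time keys, a Pedersen balance check, and key images), which also serves the earlier nullifier comment, since the "seen before, so reject" check on a key image is the same idea as a Zerocash nullifier. Assumptions: a Schnorr group modulo a 62-bit safe prime stands in for ed25519, the linkable ring signature and the range proofs are left out, and every function name is hypothetical.

```python
"""Toy RingCT pieces: one-time keys, Pedersen balance check, key-image reuse check.
Added example, not Monero's code. A Schnorr group mod a 62-bit safe prime replaces
ed25519; the ring signature and range proofs are omitted, so this neither hides the
spender nor rejects a 'negative' (wrapped mod Q) output amount."""
import hashlib


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 2**64."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start: int):
    """First q >= start with q and p = 2q + 1 both prime (toy parameters)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(1 << 61)   # modulus p and the prime order q of its QR subgroup
G = pow(2, 2, P)             # any quadratic residue != 1 generates that subgroup


def hash_to_group(*parts: int) -> int:
    h = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return pow(int.from_bytes(h, "big") % P, 2, P)  # squaring lands in the subgroup


def hash_to_scalar(*parts: int) -> int:
    h = hashlib.sha256(b"s|" + b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(h, "big") % Q


H = hash_to_group(G)         # second generator; nobody knows log_G(H)


# One-time (stealth) keys. Recipient publishes view key A = G^a and spend key B = G^b.
def one_time_pubkey(tx_secret: int, view_pub: int, spend_pub: int):
    """Sender: P = G^{H(A^r)} * B, published with R = G^r so the recipient can find it."""
    shared = hash_to_scalar(pow(view_pub, tx_secret, P))
    return pow(G, shared, P) * spend_pub % P, pow(G, tx_secret, P)


def one_time_seckey(view_sec: int, spend_sec: int, tx_pub: int) -> int:
    """Recipient: x = H(R^a) + b, so only the holder of b can spend P."""
    return (hash_to_scalar(pow(tx_pub, view_sec, P)) + spend_sec) % Q


# Pedersen commitments: C(v, r) = G^v * H^r hides v; sums are checked in the exponent.
def commit(value: int, blind: int) -> int:
    return pow(G, value, P) * pow(H, blind, P) % P


def output_blinds(in_blinds, n_out: int):
    """Sender picks output blinds so sum(r_out) == sum(r_in); the fee uses r = 0."""
    blinds = [hash_to_scalar(i, *in_blinds) for i in range(n_out - 1)]
    blinds.append((sum(in_blinds) - sum(blinds)) % Q)
    return blinds


def balance_ok(in_commits, out_commits, fee: int) -> bool:
    """Verifier: prod(C_in) == G^fee * prod(C_out), i.e. ins - outs - fee = 0, amounts unseen."""
    lhs, rhs = 1, pow(G, fee, P)
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


# Key images: I = Hp(P)^x is fixed per output but unlinkable to P = G^x without x.
def key_image(x: int) -> int:
    return pow(hash_to_group(pow(G, x, P)), x, P)


class Ledger:
    """Keeps every key image seen; a second spend of the same output is rejected."""
    def __init__(self):
        self.spent = set()

    def accept_spend(self, image: int) -> bool:
        if image in self.spent:
            return False
        self.spent.add(image)
        return True
```

The verifier in `balance_ok` never sees an amount or a blinding factor, only the products of commitments, which is the "clever arithmetic" the comment refers to; the `Ledger` check is the double-spend rule, and a Zcash nullifier plays the same role there. What the toy leaves out matters in practice: without a range proof, `commit(Q - 1, r)` behaves like a commitment to -1 and the balance equation still holds, and without the ring signature nothing ties the key image to a real, authorised spend.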


I would like to see more information about how Secret network's TEEs (trusted execution environments) are secure. The fact that they rely on special features of some Intel processors makes me think that any sufficiently powerful actor would be able to break the encryption through backdoors that would exist in those processors.


Hit up their telegram or discord

You already know they are sharding secrets into nodes with Intel encryption co-processors, but if you need more detail about how, you've got to hit them up.



