What is the privacy pool used by Vitalik? How does it protect privacy while proving legitimacy?
Vitalik recently deposited ETH into Railgun, a privacy-pools protocol, and published a post reintroducing the concept of privacy pools to the public. This article revisits the earlier paper on privacy pools co-authored by Vitalik and others, and explains how asset legitimacy can be proved while privacy is preserved.
What Problem Privacy Pools Aim to Solve
Blockchain Does Not Ensure Privacy
From a privacy perspective, the problem with blockchain addresses is that every transaction is a public dataset. Whenever assets are transferred to another address or interact with smart contracts, the transactions remain permanently visible on the blockchain.
For example, when Alice pays for dinner using a blockchain wallet, the recipient, the restaurant, now knows her address and can analyze all past and future activities associated with that address. Similarly, Alice now knows the restaurant's wallet address and can use this information to obtain other customers' wallet addresses or view the restaurant's income. Even a third party who knows the restaurant's wallet address can analyze the entire history of users involved.
Tornado Cannot Prove Compliance
To address blockchain privacy issues, various privacy protocols have emerged, including Zcash and Tornado Cash. They do solve the privacy problem, but Tornado Cash has been used not only by legitimate users but also by a range of malicious actors to launder illicit funds, which has caused a variety of problems.
Therefore, many developers have started to consider how to prove the legitimacy of funds while maintaining user privacy.
Introduction to Privacy Pools Concept
The privacy pools discussed by Vitalik are a smart-contract-based privacy protocol. They let users prove that their funds do not come from known illicit sources without publicly revealing their entire transaction history.
Users Can Choose the Associated Fund Set
The core idea of privacy pools is that users prove their funds belong to a more restricted associated set, rather than merely proving with a zero-knowledge proof (ZKP) that a withdrawal corresponds to some earlier deposit, as Tornado Cash does.
The associated set can be as large as the full set of all deposits or as small as the set containing only the user's own deposit. In practice, the common case should be a set somewhere between these two extremes, chosen to maximize privacy while keeping illicit funds out of the set.
This set can be expanded or narrowed according to the user's preferences. Users specify the set by supplying its Merkle root as a public input to the proof, and tools are expected to emerge that make it easier for users to specify associated sets that match their preferences.
For example, suppose there are five users: Alice, Bob, Carl, David, and Eve. The first four are honest and law-abiding users who still wish to protect their privacy, while Eve is a thief, and this fact is widely known. Although the public may not know Eve's true identity, they have enough evidence to conclude and mark Eve's address as suspicious.
When withdrawing, each user chooses their own associated set. It must include their own deposit; beyond that, they are free to choose which other deposits to include.
Economically, given the motives and utility maximization of Alice, Bob, Carl, and David, they would not include Eve's deposit in their sets. On one hand, they want to maximize their privacy by expanding the associated set; on the other hand, they want to minimize the probability of being associated with suspicious funds, so they leave Eve's deposit out.
Eve also wants to maximize her associated set, but she cannot exclude her own deposit, so her associated set is forced to be the set of all five deposits. Even though Eve herself reveals nothing, a simple process of elimination yields a clear inference: the fifth withdrawal, the only one whose set includes all five deposits, can only be Eve's.
Of course, if users have specific needs, they can provide more information externally.
Choosing Associations and Infrastructure
In practice, users are unlikely to select deposit-associated sets by hand. Instead they will subscribe to intermediaries called Association Set Providers (ASPs), which automatically construct associated sets with certain properties so as to protect user privacy while excluding suspicious funds. In some cases an ASP can be built entirely on-chain without external intervention; Railgun, mentioned by Vitalik, is an example.
Challenges Privacy Pools Face
However, the paper also highlights several challenges that privacy pools may face.
Standard for Determining Asset Legitimacy
Obviously, the privacy pool protocol described above needs a system and standards for deciding which assets are "good" and which are "bad", and that requires societal consensus.
Without global consensus, the perception of whether assets are considered good or bad depends on social perspectives or jurisdiction, and associated sets may vary significantly according to different countries and regions.
Assume two jurisdictions, A and B, with different rule sets. Users in both jurisdictions can use the same privacy protocol and choose to publish proofs that meet their own jurisdiction's requirements. Each can easily achieve privacy within its own jurisdiction and exclude non-compliant withdrawals. If necessary, a user can issue a proof against the intersection of the two associated sets to satisfy the requirements of both jurisdictions at once.
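The mechanics described above (a Merkle root as the public commitment to an associated set, each honest user excluding the flagged deposit, Eve being unable to exclude her own, and a proof against the intersection of two jurisdictions' sets) can be walked through in code. The following is an added example, not code from the paper or from Railgun. It assumes a plain Merkle membership path in place of the protocol's ZK-SNARK (so the leaf is visible to whoever holds the proof, which the real scheme hides), and all deposit commitments, user names and the flagged set are constructed placeholders.

```python
import hashlib

# --- Minimal Merkle tree over deposit commitments (assumed construction) --------

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(commitment: str) -> bytes:
    # Domain-separate leaves from internal nodes so a node cannot be passed off as a leaf.
    return _h(b"\x00" + commitment.encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def _levels(commitments):
    # Leaves are sorted so a root depends only on set membership, not insertion order.
    level = [leaf_hash(c) for c in sorted(commitments)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # duplicate the last node to pad an odd level
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(commitments) -> bytes:
    return _levels(commitments)[-1][0]

def merkle_proof(commitments, commitment):
    """Sibling path from `commitment` up to the root: list of (sibling_hash, sibling_is_right)."""
    idx = sorted(commitments).index(commitment)  # raises ValueError if not a member
    path = []
    for level in _levels(commitments)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append((level[idx ^ 1], idx % 2 == 0))
        idx //= 2
    return path

def verify_membership(root: bytes, commitment: str, path) -> bool:
    node = leaf_hash(commitment)
    for sibling, sibling_is_right in path:
        node = node_hash(node, sibling) if sibling_is_right else node_hash(sibling, node)
    return node == root

# --- Constructed scenario: five depositors, one publicly flagged -----------------
# Commitments are placeholders; a real pool commits to a secret and a nullifier.
DEPOSITS = {
    "alice": "commit-alice", "bob": "commit-bob", "carl": "commit-carl",
    "david": "commit-david", "eve": "commit-eve",
}

def choose_association_set(user, deposits, flagged):
    """The utility-maximising choice from the text: include every deposit that is not
    flagged, but never drop your own deposit (the membership proof would fail)."""
    return {d for who, d in deposits.items() if who == user or who not in flagged}

def withdraw(user, deposits, assoc_set):
    """A withdrawal proves the deposit is in the global deposit tree AND in the chosen
    associated set. Only the two roots are public; the leaf and paths would sit inside
    a ZK proof in the real protocol (here they are kept under a '_private' key)."""
    c = deposits[user]
    return {
        "global_root": merkle_root(deposits.values()),
        "assoc_root": merkle_root(assoc_set),
        "_private": (c, merkle_proof(deposits.values(), c), merkle_proof(assoc_set, c)),
    }

def verify_withdrawal(w) -> bool:
    c, global_path, assoc_path = w["_private"]
    return (verify_membership(w["global_root"], c, global_path)
            and verify_membership(w["assoc_root"], c, assoc_path))

def infer_by_exclusion(withdrawals, deposits, flagged):
    """Observer's view: associated sets are public, so the withdrawals whose root is
    not the 'clean' root must belong to someone who could not exclude themselves.
    Returns the indices of those withdrawals."""
    clean_root = merkle_root(d for who, d in deposits.items() if who not in flagged)
    return [i for i, w in enumerate(withdrawals) if w["assoc_root"] != clean_root]

if __name__ == "__main__":
    flagged = {"eve"}
    sets = {u: choose_association_set(u, DEPOSITS, flagged) for u in DEPOSITS}
    ws = [withdraw(u, DEPOSITS, sets[u]) for u in DEPOSITS]
    print("all withdrawals verify:", all(verify_withdrawal(w) for w in ws))
    print("withdrawals attributable by exclusion:", infer_by_exclusion(ws, DEPOSITS, flagged))
    # Jurisdiction B (constructed) flags david instead; Alice proves against the intersection.
    both = sets["alice"] & choose_association_set("alice", DEPOSITS, {"david"})
    print("intersection proof verifies:", verify_withdrawal(withdraw("alice", DEPOSITS, both)))
```

Two design points carry over to the real protocol: the root is computed over a sorted set, so two ASPs that agree on membership publish the same root, and a proof is bound to the exact root supplied, so a deposit that an ASP has excluded simply cannot produce a valid path against that ASP's root.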
Size and Stability of Associated Sets
The properties of each associated set should be stable and not change over time, which limits the need to re-prove withdrawals against updated sets. In general, large and diverse sets offer better privacy but are harder to keep accurate and stable, while smaller sets are easier to maintain but offer weaker privacy.
To achieve meaningful privacy, it is crucial to ensure that associated sets are large enough and include a variety of deposits, but this may become difficult to maintain.
Competition in On-Chain Analysis Tools
Today, many entities rely on on-chain tools to analyze blockchain transactions and identify potential suspicious activities, interactions with illegal addresses, and other non-compliant transactions. These tools typically assess the risk associated with each transaction through risk scoring.
Privacy pool protocols may make this analysis harder, because they break the on-chain link between deposits and withdrawals.
Privacy Pools May Become the New Privacy Standard
The concept of privacy pools has long been discussed in the community, and Vitalik's involvement in the Railgun project signals his stance and support. It could resolve the compliance problems that have long plagued Tornado Cash and shows that privacy and compliance are not mutually exclusive.
However, some developers hold negative opinions on this matter, such as Zooko, the founder of Zcash, who believes that privacy pools require users to actively prove the innocence of their assets, which is not a good idea.