What is the privacy pool used by Vitalik? How to protect privacy while proving legitimacy?
Vitalik recently deposited ETH into a privacy pool protocol called Railgun and published an article introducing the concept of privacy pools to the public. This article reviews Vitalik’s previous papers on privacy pools and explains how funds can be proven legitimate while privacy is maintained.
Table of Contents:
What problems do privacy pools aim to solve?
Blockchain does not guarantee privacy
Tornado cannot prove compliance
Introduction to the concept of privacy pools
Users can choose their associated set of funds
Choosing associations and infrastructure
Challenges faced by privacy pools
Criteria for determining asset legitimacy
Size and stability of the associated set
Competition among on-chain analysis tools
Privacy pools may become the new privacy standard
From a privacy perspective, it is problematic that every transaction of a blockchain address is publicly available. Whenever someone transfers assets to another address or interacts with a smart contract, the transaction is permanently visible on the blockchain.
For example, when Alice pays for dinner using a blockchain wallet, the recipient (restaurant) now knows her address and can analyze all past and future activities associated with that address. Similarly, Alice now knows the restaurant’s wallet address and can use this information to obtain other customers’ wallet addresses or view the restaurant’s income. Even a third party who knows the restaurant’s wallet address can analyze the entire transaction history of this chain of users.
To address the privacy issues of blockchain, various privacy protocols have emerged, including Zcash and Tornado Cash. While these protocols do solve privacy problems, they have also been used by malicious actors, resulting in various issues.
Therefore, many developers have started to consider how to prove the legitimacy of funds while preserving user privacy. The privacy pools Vitalik discusses are a type of privacy protocol based on smart contracts. They allow users to prove that their funds do not come from known illicit sources without publicly revealing their entire transaction history.
The core idea of privacy pools is that users prove their funds are within a more restricted associated set, rather than just verifying withdrawals are related to previous deposits through zero-knowledge proofs (ZKPs) as Tornado Cash does.
The associated set of a privacy pool can be the full set of all user deposits or only the user’s own deposits. However, the most common scenario should be a set of any size between the two, maximizing privacy while avoiding the inclusion of illegal funds.
This set can be expanded or narrowed according to user preferences. Users can specify the set by providing the Merkle root of the collection as input. An ecosystem is expected to emerge, providing tools that make it easier for users to specify associated sets that match their preferences.
For example, let’s assume there are five users: Alice, Bob, Carl, David, and Eve. The first four are honest and law-abiding users who still want to protect their privacy, while Eve is a thief, and this fact is widely known. Although the public may not know Eve’s true identity, they have enough evidence to conclude that Eve’s address is suspicious.
When users want to make a withdrawal, each user can choose their associated set. Their associated set must include their own deposits, and they can freely choose which other addresses’ funds to include.
Considering the motivations and utility maximization of Alice, Bob, Carl, and David, they would not include Eve’s address in their associated sets. On the one hand, they want to maximize their privacy by expanding their associated sets. On the other hand, they want to minimize the probability of being considered suspicious funds. Therefore, they do not include Eve’s funds in their associated sets.
However, Eve also wants to maximize her associated set, but she cannot exclude her own deposits, forcing her associated set to be the entire collection of the five deposits. Thus, even though Eve herself does not provide any information, clear inferences can be made through a simple exclusion process: the fifth withdrawal can only come from Eve.
By market mechanisms, users can maximize the size of their associated sets, naturally isolating illegal funds. It is expected that the design of associated sets in privacy pools will satisfy users’ privacy needs while avoiding suspicions of legitimacy.
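The five-user scenario above, worked through in code. This is an added illustration, not code from the article or from Railgun: the Merkle root stands in for the public input a withdrawal commits to, the membership proof that the real protocol carries inside a zero-knowledge proof is omitted, and the observer's inference is computed by checking which deposit-to-withdrawal assignments are consistent with every published set. The deposit labels and the "suspicious" list are constructed for the example.

```python
import hashlib
from itertools import permutations

def leaf(deposit: str) -> bytes:
    # Constructed: a real pool hashes a deposit commitment, not a user's name
    return hashlib.sha256(b"leaf:" + deposit.encode()).digest()

def merkle_root(leaves: list[bytes]) -> bytes:
    """Root of a binary Merkle tree; an odd level duplicates its last node."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]

def association_root(deposits: list[str]) -> bytes:
    # Deposits are sorted so that the same set always yields the same root
    return merkle_root([leaf(d) for d in sorted(deposits)])

def choose_set(own: str, all_deposits: list[str], suspicious: set[str]) -> list[str]:
    """The largest set a user can publish without flagged funds: every deposit
    that is not suspicious, plus the user's own deposit, which cannot be left out."""
    return sorted({d for d in all_deposits if d not in suspicious} | {own})

def possible_sources(withdrawal_sets: list[list[str]], all_deposits: list[str]) -> list[set[str]]:
    """What an observer can infer: deposit d is a possible source of withdrawal i
    only if some one-to-one assignment of deposits to withdrawals maps d to i."""
    candidates = [set() for _ in withdrawal_sets]
    for assignment in permutations(all_deposits, len(withdrawal_sets)):
        if all(d in s for d, s in zip(assignment, withdrawal_sets)):
            for i, d in enumerate(assignment):
                candidates[i].add(d)
    return candidates

DEPOSITS = ["alice", "bob", "carl", "david", "eve"]   # constructed scenario from the text
SUSPICIOUS = {"eve"}                                  # publicly known, as in the text

def demo():
    sets = [choose_set(u, DEPOSITS, SUSPICIOUS) for u in DEPOSITS]
    roots = {u: association_root(s).hex()[:16] for u, s in zip(DEPOSITS, sets)}
    return sets, roots, possible_sources(sets, DEPOSITS)
```

Running `demo()` shows the four honest withdrawals sharing one root and remaining indistinguishable among four deposits, while Eve's withdrawal, the only one committed to the full set, is pinned to a single possible source.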
Of course, if users have specific requirements, they can provide more information externally.
In practice, users are not expected to manually select associated sets of deposits but rather subscribe to intermediary services provided by Associated Set Providers (ASPs). These services will automate the creation of associated sets with certain attributes to protect user privacy and exclude suspicious funds. In some cases, ASPs can be entirely built on-chain without external intervention. Railgun, mentioned by Vitalik in this article, is an example of such a service.
However, the article also points out several challenges that privacy pools may face.
It is evident that for the privacy pool protocol to function properly, there needs to be a system and standards to determine which assets are “good” and which are “bad” to assist in judging legitimacy. This requires social consensus.
Without global consensus, the determination of whether an asset is considered good or bad depends on social perspectives or jurisdictional boundaries, and the associated sets may vary greatly depending on different countries and regions.
Suppose there are two jurisdictions with different rule sets. Subjects in jurisdictions A and B can use the same privacy protocol and choose to publish proofs that meet the requirements of their respective jurisdictions. Both can easily achieve privacy within their own jurisdiction and exclude non-compliant withdrawals. If necessary, users can issue a proof for the intersection of the two associated sets, making these withdrawals comply with the requirements of both jurisdictions.
The attributes of each associated set should be stable over time, which limits the need to re-prove withdrawals against new sets. Generally, larger and more diverse sets provide better privacy but may be less accurate and stable, while smaller sets are easier to maintain but offer weaker privacy.
Today, many entities rely on on-chain tools to analyze blockchain transactions and identify potential suspicious activities, interactions with illegal addresses, and other non-compliant transactions. These tools typically assess the risk associated with each transaction through risk scoring.
Privacy pool protocols may make such analysis more difficult, since they sever the public link between deposits and withdrawals.
The concept of privacy pools has been widely discussed in the community, and Vitalik’s participation in the Railgun project indicates his position and support. It may indeed solve the long-standing compliance issues of Tornado Cash and help the market understand that privacy and compliance are not mutually exclusive.
However, some developers have expressed negative opinions about privacy pools. For example, Zooko, the founder of Zcash, believes that privacy pools require users to actively prove the innocence of their assets and are not a good idea.
Further reading:
Privacy OG Clash! Developers of Privacy Pools and Zcash Founder Disagree with Each Other
Dirty Money Can Be Tracked! Vitalik and Others Publish Whitepaper on Balancing Blockchain Privacy and Regulatory Compliance