Vitalik recently deposited ETH into Railgun, a privacy protocol built around the privacy pools idea, and published an article introducing the concept of privacy pools to the public. This article reviews Vitalik's earlier paper on privacy pools and explains how users can keep their privacy while still proving that their assets are legitimate.
Table of Contents
What problem do privacy pools aim to solve?
Blockchain does not guarantee privacy
Tornado cannot prove compliance
Introduction to privacy pool concept
Users can choose the association set of funds
Selecting associations and infrastructure
Challenges faced by privacy pools
Standards for determining asset legitimacy
Size and stability of association sets
Competition from on-chain analysis tools
Privacy pools may become the new privacy standard
From a privacy perspective, the problem is that every transaction made by a blockchain address is public data. Whenever someone transfers assets to another address or interacts with a smart contract, that transaction is permanently visible on the chain to anyone who cares to look.
For example, when Alice pays for dinner using a blockchain wallet, the recipient (restaurant) now knows her address and can analyze all past and future activities associated with that address. Similarly, Alice now knows the restaurant’s wallet address and can use this information to obtain other customers’ wallet addresses or view the restaurant’s income. Even a third party who knows the restaurant’s wallet address can analyze the entire transaction history of these users.
To address blockchain's privacy problem, a number of privacy protocols have emerged, including Zcash and Tornado Cash. Although they do deliver privacy, Tornado Cash has also been used by various malicious actors to launder funds, which has created regulatory and compliance problems for the protocol and for its honest users alike.
Therefore, many developers have started to think about how to preserve user privacy while still letting users prove that their funds are legitimate. Vitalik's paper discusses privacy pools, smart contract based privacy protocols that let users prove their funds do not come from known illegitimate sources without publicly revealing their entire transaction history.
The core idea of privacy pools is that, instead of only proving with a zero-knowledge proof (ZKP) that a withdrawal corresponds to some earlier deposit, as Tornado Cash does, the user proves that their deposit belongs to a more restricted association set. The association set can be as large as the full set of all deposits in the pool or as small as the user's own deposit alone. The most common case should be something in between, chosen to maximize privacy while keeping known illicit funds out.
This set can be expanded or narrowed according to the user's preference. Users specify the set by supplying its Merkle root as a public input to the proof; the proof then shows that the withdrawn deposit is a leaf of that tree, in addition to being a leaf of the pool's deposit tree. An ecosystem of tools is expected to emerge that makes it easy for users to select and publish suitable association sets.
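To make the mechanism concrete, here is an added Python model of the two membership statements a privacy pool withdrawal proof covers. It is an illustration written for this review, not Railgun's code or the paper's. Because there is no zero-knowledge proof in the model, the prover hands the verifier the deposit secret and both Merkle paths in the clear; in a real deployment that is exactly the witness the ZK proof keeps private, and only the nullifier and the two roots are public. The function names, the "commit" and "nullify" domain tags and the five depositor labels are all invented for the example.

```python
import hashlib
from dataclasses import dataclass, field

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_root(leaves: list) -> bytes:
    """Root of a binary Merkle tree; a level with an odd count duplicates its last node."""
    level = list(leaves) or [H(b"empty")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(leaves: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root; the flag marks a right-hand sibling."""
    path, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        path.append((level[i ^ 1], (i ^ 1) > i))
        level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return path

def verify_path(leaf: bytes, path: list, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_on_right in path:
        node = H(node, sibling) if sibling_on_right else H(sibling, node)
    return node == root

@dataclass
class Pool:
    # On-chain state: deposit commitments in insertion order, plus spent nullifiers.
    commitments: list = field(default_factory=list)
    spent: set = field(default_factory=set)

    def deposit(self, secret: bytes) -> None:
        self.commitments.append(H(b"commit", secret))

    def root(self) -> bytes:
        return merkle_root(self.commitments)

def prove_withdrawal(pool: Pool, secret: bytes, assoc: list) -> dict:
    """Prover side; `assoc` (commitments chosen by the user or their ASP) must contain the prover's deposit."""
    c = H(b"commit", secret)
    if c not in assoc:
        raise ValueError("association set must include the prover's own deposit")
    return {
        # Public inputs of the real proof.
        "nullifier": H(b"nullify", secret),   # spent once, so the deposit cannot be withdrawn twice
        "pool_root": pool.root(),
        "assoc_root": merkle_root(assoc),
        # Private witness: a ZK proof would establish the checks below without revealing these.
        "secret": secret,
        "pool_path": merkle_path(pool.commitments, pool.commitments.index(c)),
        "assoc_path": merkle_path(assoc, assoc.index(c)),
    }

def verify_withdrawal(pool: Pool, proof: dict) -> bool:
    """Verifier side: one deposit is in the pool tree AND in the claimed association set, its nullifier matches and is unspent."""
    c = H(b"commit", proof["secret"])
    ok = (
        proof["nullifier"] == H(b"nullify", proof["secret"])
        and proof["pool_root"] == pool.root()
        and verify_path(c, proof["pool_path"], proof["pool_root"])
        and verify_path(c, proof["assoc_path"], proof["assoc_root"])
        and proof["nullifier"] not in pool.spent
    )
    if ok:
        pool.spent.add(proof["nullifier"])
    return ok

def demo() -> dict:
    """Five constructed depositors; Eve is the one the public has flagged."""
    pool = Pool()
    secrets = {n: H(b"secret", n.encode()) for n in ("alice", "bob", "carl", "david", "eve")}
    for s in secrets.values():
        pool.deposit(s)
    honest = [H(b"commit", secrets[n]) for n in ("alice", "bob", "carl", "david")]
    everyone = list(pool.commitments)
    alice_ok = verify_withdrawal(pool, prove_withdrawal(pool, secrets["alice"], honest))
    alice_replay = verify_withdrawal(pool, prove_withdrawal(pool, secrets["alice"], honest))
    try:                      # Eve cannot claim the honest set: her deposit is not a leaf of it
        prove_withdrawal(pool, secrets["eve"], honest)
        eve_excluded = False
    except ValueError:
        eve_excluded = True
    eve_proof = prove_withdrawal(pool, secrets["eve"], everyone)
    forged = {**eve_proof, "assoc_root": merkle_root(honest)}   # relabel the set root only
    forged_ok = verify_withdrawal(pool, forged)                  # path no longer hashes to that root
    eve_ok = verify_withdrawal(pool, eve_proof)
    return {"alice_ok": alice_ok, "alice_replay": alice_replay, "eve_excluded": eve_excluded,
            "forged_ok": forged_ok, "eve_ok": eve_ok}
```

A jurisdiction-specific set, or the intersection of two ASPs' sets, is simply another list passed as the association set; the proof already fails at the prover if the user's own deposit is not in it. An on-chain verifier would additionally check that the association root is one that the user or their ASP has actually published, which is what ties the proof to a set the public can evaluate.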
For example, let’s assume there are five users: Alice, Bob, Carl, David, and Eve. The first four are honest and law-abiding users who still want to protect their privacy, while Eve is a thief, and it is assumed that this fact is widely known. Although the public may not know Eve’s true identity, they have enough evidence to conclude and mark Eve’s address as suspicious.
When users want to make a withdrawal, each user can choose their specified association set. Their association set must include their own deposits, and they can freely choose which other addresses’ funds to include.
Considering the motivations and utility maximization of Alice, Bob, Carl, and David, they would not include Eve’s address in their association sets. On the one hand, they want to maximize the protection of their privacy by expanding their association sets. On the other hand, they want to reduce the probability of being seen as suspicious funds, so they do not include Eve’s funds in their association sets.
Eve also wants as large an association set as possible, but she cannot exclude her own deposit, so the best she can do is the set of all five deposits. She reveals nothing directly, yet a simple process of elimination identifies her: the other four withdrawals each prove membership in the set {Alice, Bob, Carl, David}, which accounts for all four of those deposits, so the fifth withdrawal can only be Eve's.
Through this market-like mechanism, honest users choose the largest association set that serves them while illicit funds are naturally isolated. The association set design of privacy pools is thus expected to satisfy users' privacy needs and keep their withdrawals free of suspicion at the same time.
Of course, if users have specific requirements, they can provide more information externally.
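The elimination argument above can be run mechanically. The following added Python example (not from the article, from Railgun, or from the paper) takes the association set each withdrawal proved against, as an ASP would publish it, and computes which depositors an observer still cannot rule out for each withdrawal. The withdrawal labels w1 to w5 and the depositor names are constructed for the scenario; a second variant, beyond what the text walks through, shows what happens when one honest user carelessly includes Eve's deposit in their own set.

```python
from itertools import permutations

def possible_depositors(assoc_sets: dict) -> dict:
    """For each withdrawal, the set of depositors an observer cannot rule out.

    A withdrawal can belong to depositor d only if some one-to-one assignment of
    withdrawals to depositors respects every published association set and sends
    that withdrawal to d.  Enumerating assignments is fine for a handful of users;
    the rule it captures is that k withdrawals sharing the same k-element set
    account for those k deposits and exclude them from every other withdrawal.
    """
    withdrawals = list(assoc_sets)
    depositors = sorted(set().union(*assoc_sets.values()))
    candidates = {w: set() for w in withdrawals}
    for assignment in permutations(depositors, len(withdrawals)):
        if all(d in assoc_sets[w] for w, d in zip(withdrawals, assignment)):
            for w, d in zip(withdrawals, assignment):
                candidates[w].add(d)
    return candidates

def anonymity_sizes(assoc_sets: dict) -> dict:
    """Size of each withdrawal's remaining anonymity set (1 means fully deanonymised)."""
    return {w: len(c) for w, c in possible_depositors(assoc_sets).items()}

# Constructed scenario from the text: four honest users exclude Eve; Eve must include herself.
HONEST = {"alice", "bob", "carl", "david"}
SCENARIO = {
    "w1": set(HONEST),
    "w2": set(HONEST),
    "w3": set(HONEST),
    "w4": set(HONEST),
    "w5": HONEST | {"eve"},
}

# Variant: the honest user behind w2 carelessly includes Eve's deposit in their set.
CARELESS = {**SCENARIO, "w2": HONEST | {"eve"}}
```

In the text's scenario every honest withdrawal keeps an anonymity set of four while w5 collapses to Eve alone. In the careless variant Eve's withdrawal becomes indistinguishable from the careless user's, and that user's own withdrawal can now be attributed to Eve; this is precisely the incentive the text describes for honest users to leave flagged deposits out of their sets.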
In practice, users are not expected to manually select association sets for deposits but subscribe to the intermediary services of Association Set Providers (ASPs). These services automate the generation of association sets with certain attributes to protect user privacy and exclude suspicious funds. In some cases, ASPs can be completely built on-chain without external interventions.
Railgun, mentioned by Vitalik in this article, is an example of such a service.
However, the paper also points out several challenges that privacy pools may face.
Obviously, for the above privacy pool protocol to function properly, there needs to be a system and standards to help determine which assets are “good” and which assets are “bad,” requiring social consensus.
Without global consensus, the determination of whether an asset is considered good or bad depends on social viewpoints or jurisdictional boundaries, and there may be significant differences in association sets based on different countries and regions.
Suppose there are two jurisdictions with different rule sets. Subjects from jurisdiction A and B can both use the same privacy protocol and choose to publish proofs that satisfy their respective jurisdictional requirements. Both can easily achieve privacy within their own jurisdiction and exclude non-compliant withdrawals within their jurisdiction. If needed, users can issue a proof for the intersection of the two association sets to make these withdrawals comply with the requirements of both jurisdictions.
Ideally the membership of an association set is stable over time. If a set changes after a withdrawal has been proven against it, the withdrawal may have to be re-proven against the new set. In general, large and diverse sets give better privacy but are harder to keep accurate and stable, while smaller sets are easier to maintain but give weaker privacy.
Today, many entities rely on on-chain tools to analyze blockchain transactions and identify potential suspicious activities, interactions with illegal addresses, and other non-compliant transactions. These tools typically evaluate the risk associated with each transaction through risk scoring.
Privacy pool protocols make this kind of analysis harder because they sever the public link between a withdrawal and the deposit it came from. What an analyst can still evaluate is the association set the withdrawal was proven against, so risk scoring shifts from tracing the deposit to judging the set.
The concept of privacy pools has been discussed in the community for a long time, and Vitalik's use of Railgun signals his position and support. It may indeed resolve the long-standing compliance problems that Tornado Cash ran into and help the market understand that privacy and compliance are not mutually exclusive.
However, some developers hold negative opinions on this matter. For example, Zooko, the founder of Zcash, believes that privacy pools require users to actively prove the innocence of their assets, which is not a good idea.