In the last article we looked at exchanges as the gateway to the world of transferring money using cryptocurrency. In this next instalment we will dive deeper into how crypto users can take direct control of their funds without relying on intermediaries to hold assets and make payments on their behalf. We will also examine how the details of payments can be obfuscated through the use of privacy coins.
Firstly, some basics. On a public blockchain funds are associated with unique addresses. If you control the address, you control the associated funds. Instead of relying on financial intermediaries (like exchanges) some crypto users prefer to directly exercise this control themselves. But how is this control achieved?
Let's look at a typical crypto address to get started. Consider the string below (the 0x at the start tells you that this address is written as a sequence of hexadecimal digits, here starting with de):
0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe
This address is derived from a mathematically special pair of very large numbers, called a public-private key pair. That key pair is, in turn, typically derived from a secret seed that is randomly generated by, and should only be known to, the crypto user. To be able to move funds associated with an address you need to prove that you own it. Without going into the maths this proof is established by you being able to perform a calculation that only you can do because you know the private half of the key pair from which the address was derived. If you can do this sum you must be the owner of the crypto address and therefore the associated funds. As the blockchain is public anyone can verify that you got the sum right, but they can't reverse the process to work out what your private key is.
There are software and hardware solutions, called wallets, to help crypto owners generate these secret seeds, derive key pairs and calculate the proof sums to conduct transactions. Of course, using any of these aids means trusting them, and perhaps their developers, because they have at least some theoretical visibility of your precious keys and therefore control of your funds. Remember that there is no-one to appeal to if you lose your keys or they are directly or indirectly stolen. There is no organisation, supervisory body or government to set things right if you lose control of your keys. Your funds are gone - forever!
You could attempt to write your own software to control your keys, calculate the proofs and participate fully on the blockchain so you rely on no-one. Such is the dream of crypto freedom from intermediaries; in practice those dependencies just shift further down the software stack to the providers of the libraries, operating systems and hardware you use - eventually you have to trust someone!
Once we have established ownership we can transfer funds to another address to move money between users. It is well known that most cryptocurrency blockchains are public. Unlike a private bank register, anyone with the right software can view the transactions recorded on these ledgers and see which addresses sent and received what funds. This is remarkable transparency, akin in some ways to seeing the entire digital life of a banknote as it moves from the central bank printers via the consumer purse to the cash register and back to the bank again eventually for destruction. If you can associate a specific address with a specific user then that aspect of their financial life is open to everyone. Unsurprisingly, for good or ill, some users want to avoid this scrutiny!
Privacy coins employ several sophisticated techniques to mask the originator, the beneficiary and, in some cases, the amount of a transaction. I'll use the workings of the Monero privacy coin as an example to explain how this clever obfuscation is achieved.
In a crypto transaction the address identifies the originator, and proving ownership of the source address is required to authorise the movement of funds, so how can the address be concealed and yet the transaction verified and approved? The trick is for the originator to randomly pick a number of other addresses from the visible Monero blockchain, belonging to other users, as decoys. A clever bit of maths called a ring signature is then calculated with the aid of the key pair associated with the originator's real address. It proves that one of the addresses in the ring is owned by the originator and authorised to spend, crucially without revealing which one. As part of the ring signature algorithm the originator is also obliged to publish a key image, a special non-reversible value derived from the real address (and the same every time that address is spent), which miners check against previously seen key images to reject double spends.
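As an added example (not code from the article or from the Monero project), here is the ring-signature-plus-key-image idea in Python. To keep it to plain modular exponentiation it works in the multiplicative group of integers modulo a 256-bit prime (the secp256k1 field prime, borrowed only because it is a well-known prime that fits on one line) rather than on Monero's ed25519 curve; the structure follows the textbook bLSAG construction that Monero's MLSAG/CLSAG signatures build on. All key values and transaction bytes are constructed for the example. A ring of one member is exactly the ordinary "prove you own this address" signature described earlier in the article, and the demo checks that case too.

```python
import hashlib
import secrets

# Cyclic group: integers mod a 256-bit prime (the secp256k1 field prime, reused
# here only as a convenient well-known prime); exponents live mod P - 1.
# Monero runs the same algebra on the ed25519 curve. Constructed teaching code.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = P - 1
G = 2


def rand_exp():
    return secrets.randbelow(ORDER - 1) + 1


def hash_exp(*parts):
    """H: hash message bytes and group elements down to an exponent."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def hash_to_group(pub):
    """H_p: a group element tied to a public key whose discrete log nobody
    knows, so a key image cannot be linked to its key by algebra alone."""
    digest = hashlib.sha256(b"H_p" + pub.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % P


def key_image(priv, pub):
    """Deterministic per key: the same output always yields the same image."""
    return pow(hash_to_group(pub), priv, P)


def ring_sign(msg, ring, idx, priv):
    """Linkable ring signature (bLSAG structure). `ring` holds the decoy keys
    plus the signer's real key at position `idx`."""
    n = len(ring)
    img = key_image(priv, ring[idx])
    alpha = rand_exp()
    r = [rand_exp() for _ in range(n)]       # decoys get random responses
    c = [0] * n
    i = (idx + 1) % n
    c[i] = hash_exp(msg, pow(G, alpha, P), pow(hash_to_group(ring[idx]), alpha, P))
    while i != idx:                          # chain challenges around the ring
        nxt = (i + 1) % n
        c[nxt] = hash_exp(msg,
                          pow(G, r[i], P) * pow(ring[i], c[i], P) % P,
                          pow(hash_to_group(ring[i]), r[i], P) * pow(img, c[i], P) % P)
        i = nxt
    r[idx] = (alpha - c[idx] * priv) % ORDER  # only the private key closes the loop
    return c[0], r, img


def ring_verify(msg, ring, sig):
    """Anyone can check the loop closes; nobody learns which index signed."""
    c0, r, img = sig
    c = c0
    for pub, ri in zip(ring, r):
        c = hash_exp(msg,
                     pow(G, ri, P) * pow(pub, c, P) % P,
                     pow(hash_to_group(pub), ri, P) * pow(img, c, P) % P)
    return c == c0


def demo():
    """Three candidate outputs on chain; the real spender is index 1."""
    privs = [rand_exp() for _ in range(3)]
    ring = [pow(G, k, P) for k in privs]
    tx = b"constructed tx: spend one of these three outputs"
    sig = ring_sign(tx, ring, 1, privs[1])
    seen_images = {sig[2]}                   # a node's double-spend ledger
    again = ring_sign(b"constructed tx: spend it a second time", ring, 1, privs[1])
    return {
        "valid": ring_verify(tx, ring, sig),
        "tampered": ring_verify(tx + b"!", ring, sig),
        "forged_image": ring_verify(tx, ring, (sig[0], sig[1], G)),
        "double_spend_detected": again[2] in seen_images,
        "solo": ring_verify(tx, ring[:1], ring_sign(tx, ring[:1], 0, privs[0])),
    }
```

Note that `ring_verify` never sees the index and cannot recover it: every position in the ring looks like a random response. The only thing that ties two spends together is the key image, which is why a node keeps the set of images it has already accepted.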
To hide the beneficiary each transaction generates a new one-time stealth address derived from a public key provided by the recipient. So instead of the beneficiary providing the address they want the funds transferred to, they let the originator calculate this address. Unlike traditional blockchains, the originator also includes in the published transaction the public key used to build this new stealth address (it's only used once). From this public information the beneficiary can compute the associated private key (since this one-time key pair is mathematically derived from the recipient's original key pair, the public half of which was shared with the originator) and take control of the funds at the new address.
But hang on! How does the beneficiary know which newly published transaction on the blockchain is theirs so they can take control of it? In fact, each Monero user must scan the new transactions on the blockchain to see which outputs are theirs, and only then can they work out what the new output address is. Another key pair, called a view key, is involved here but I'll leave that for another time.
With the originator and the beneficiary concealed, the last piece of information to hide is the amount of the transaction. How do we conceal the value of the funds transfer without opening the door to fraudulent spending? This is done by adding secret random offsets (blinding factors) to each of the transaction amounts, chosen so that when the inputs and outputs are added together the blinding factors cancel out and the balance of inputs, outputs and miner fee can be verified before the transaction is included on the chain. Because the amount itself is not published on chain, the recipient has to recover it by working out the random offsets, which the sender encodes and includes on chain in a form that only the recipient's private key can unlock.
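The stealth address, the view-key scan and the hidden amount described in the last three paragraphs fit together in one piece of Python, added here as an illustration (not the article's or Monero's code). It uses secp256k1 written out by hand so nothing outside the standard library is needed, where Monero uses ed25519; the key names (view, spend, A, B), the hash tags and the amounts 700, 450, 240 and fee 10 are all constructed for the example. The sender builds the one-time address P = H(rA)G + B and publishes R = rG; the recipient recomputes the shared secret as aR using only the private view key, derives the spend key H(aR) + b and unmasks the amount; the node checks that the commitments balance without ever seeing a number.

```python
import hashlib
import secrets

# secp256k1 written out so nothing beyond the standard library is needed; Monero
# uses ed25519 but the algebra is identical. Constructed teaching code.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Point addition; None stands for the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend, k = None, point, k % N
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def hash_scalar(tag, point):
    data = tag + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def hash_to_point(seed):
    """Try-and-increment hash-to-curve: a point whose discrete log nobody
    knows, which the commitment generator H needs in order to be binding."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
    while True:
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)         # square root; valid as P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x += 1

H = hash_to_point(b"constructed second generator")

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def keygen():
    """Recipient keys: private view key a, private spend key b, public A and B."""
    a, b = rand_scalar(), rand_scalar()
    return {"view": a, "spend": b, "A": mul(a, G), "B": mul(b, G)}

def build_output(A, B, amount, blind):
    """Sender: stealth address P = H(rA)G + B, commitment C = vG + bH, and the
    amount and blinding factor masked under the shared secret rA."""
    r = rand_scalar()
    shared = mul(r, A)                         # equals a*R on the recipient side
    return {"R": mul(r, G),
            "P": add(mul(hash_scalar(b"addr", shared), G), B),
            "C": add(mul(amount, G), mul(blind, H)),
            "amount": (amount + hash_scalar(b"amt", shared)) % N,
            "blind": (blind + hash_scalar(b"bld", shared)) % N}

def scan_output(keys, out):
    """Recipient: redo the shared secret with the private view key; if the
    output is ours, recover its one-time spend key, amount and blind."""
    shared = mul(keys["view"], out["R"])
    if add(mul(hash_scalar(b"addr", shared), G), keys["B"]) != out["P"]:
        return None
    x = (hash_scalar(b"addr", shared) + keys["spend"]) % N
    amount = (out["amount"] - hash_scalar(b"amt", shared)) % N
    blind = (out["blind"] - hash_scalar(b"bld", shared)) % N
    assert mul(x, G) == out["P"]               # x is the key that can spend it
    return {"priv": x, "amount": amount, "blind": blind}

def balances(inputs, outputs, fee):
    """Node: sum(C_in) == sum(C_out) + fee*G holds only if amounts balance and
    the blinding factors cancel; no amount is ever revealed."""
    lhs, rhs = None, mul(fee, G)
    for c in inputs:
        lhs = add(lhs, c)
    for c in outputs:
        rhs = add(rhs, c)
    return lhs == rhs

def demo():
    alice, bob, fee = keygen(), keygen(), 10
    in_blind = rand_scalar()                   # Alice already owns an output of 700
    in_commit = add(mul(700, G), mul(in_blind, H))
    b1 = rand_scalar()
    b2 = (in_blind - b1) % N                   # chosen so the blinds cancel
    outs = [build_output(bob["A"], bob["B"], 450, b1),
            build_output(alice["A"], alice["B"], 240, b2)]
    commits = [o["C"] for o in outs]
    return {"balances": balances([in_commit], commits, fee),
            "bad_fee": balances([in_commit], commits, fee + 1),
            "bob": [scan_output(bob, o) for o in outs],
            "alice": [scan_output(alice, o) for o in outs]}
```

Two things are worth noticing when running `demo()`: Bob's scan returns `None` for Alice's change output and Alice's scan returns `None` for Bob's payment, so each party only ever learns about their own outputs; and the node's `balances` check passes with the correct fee and fails if the fee is off by one, even though the node never sees 700, 450 or 240.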
All this mathematical ingenuity adds up to a real challenge to unravelling who is sending what funds to whom. Of course, for now at least, not many real-world goods and services can be purchased with privacy coins, so the on and off ramps to this hidden world are of the utmost interest to those seeking to follow the money.