Skip to main content

Comparing Reasonably Private Spends in Bitcoin, Monero, and Zcash

Introduction

As my first blog post I wanted to go ahead and share some thoughts I’ve had about efficiency within transaction types when comparing privacy protocols and usage.

I have recently discussed this in some depth on Twitter where I was surprised by the results, finding that Monero manages to be quite a bit more efficient on size compared to Bitcoin when trying to use both in a private manner. I’ll use this blog post to break it down in a bit more detail, and add a new contender to the mix – Zcash.

The reason I’ve chosen to focus on efficiency of each protocol is that users will generally prioritize simplicity and low cost, and if a privacy protocol can provide both of those to users, they can greatly aid adoption of powerful tools. While users do generally prefer to have privacy (who reading this is willing to email me all of your passwords and home address?), they will not normally go above and beyond, at great cost in time and money, to preserve their privacy.

So for this post, let’s take a look at how each of the three most recognized privacy approaches in cryptocurrency stack up in size, cost (in both money and time!), and throughput.

But first, an introduction to each network’s approach to privacy.

Bitcoin - Privacy by Wallet

Bitcoin is the king of cryptocurrencies and made major breakthroughs that enabled the existence of cryptocurrencies like Monero and Zcash. While many thought it’s approach to privacy sufficient in the early days, people quickly realized that the pseudonymity it offered was insufficient for many use cases and allowed users to very easily ruin their own privacy via things like combining outputs, re-using addresses, and simple output amount analysis among many other heuristics.

There are currently two main approaches to gaining some level of “reasonable privacy” on Bitcoin, using CoinJoin1 to obfuscate UTXO ownership, and the Lightning Network2 to move the trail of funds off-chain (to some extent, privacy via Lightning is still very much a work-in-progress and not well understood).

CoinJoin is a technique where a group of unique users use a central coordinator to build a shared transaction that combines all of their input UTXOs of the same fixed amount and then “mixes” these funds to break deterministic links between the input UTXOs and output addresses. The most well known approaches to this are Samourai, Wasabi, and JoinMarket (note that JoinMarket uses a maker/taker model instead of a coordinator model, but that is outside the scope of this blog post).

For this blog post we’ll focus on Samourai wallet, as that is most widely accepted as the ideal way to gain privacy in Bitcoin at the moment. For more information on how the basics of Samourai Wallet work, see “Samourai 101” for a great explainer.

Monero - Privacy by Default

Monero was created in 2014 as a fork of a project called “Bytecoin” by a small community of developers. Monero is not a fork of Bitcoin, and uses an entirely new codebase called “Cryptonote”3 that has evolved into the Monero protocol. Monero was started with three core aims – privacy that is usable and approachable for the masses, by default, a scalable and iterating base-layer, and ASIC-resistance to enable commodity hardware mining which aids decentralization.

Monero enables this default privacy for all users of the network through a variety of means:

  • RingCT4: this technology hides all amounts sent and received on-chain (via Confidential Transactions5), as well as hides which output is actually being spent among (currently) 10 others (via ring signatures6). This requires no coordination and is completely non-interactive (unlike CoinJoin) and happens entirely via the protocol itself.
  • Stealth addresses7: this technology hides sender and receiver addresses on-chain by letting the sender generate a one-time address using the receiver’s public key, so no actual addresses are ever published to the blockchain.
  • Dandelion++8: This technology helps to hide the sender’s IP address when sending Monero by using a special method of relaying transactions to other nodes.

These technologies combine to allow any user interacting with the Monero network to gain strong privacy without taking extra effort, making multiple transactions, or relying on a central coordinator.

Zcash - Privacy by Pool

Zcash is a code fork of Bitcoin created in 2016 that adds on optional privacy via a technology called zk-SNARKs9, allowing users to opt-in to hiding the sender, receiver, and amount of a given transaction (if sending from a z-address to another z-address). This functions in similar ways to Monero, in that there are one-time addresses, amount commitments, and proofs that the transaction spends a previous output.

Zcash retains many of the network characteristics of Bitcoin, but does enable vastly greater privacy to those users who choose to opt-in. Unfortunately, because these strong privacy tools are not enabled by default for users, they see very little adoption and normal, Bitcoin-like transactions are by far the majority of transactions made on the Zcash network.

For more info on how Zcash works technically, see “Zcash Technology” for a solid introduction.

Comparing Size and Cost

As comparing across unique networks is very difficult, I’ve done my best to find a unifying set of metrics that we can more easily compare, and used the common denominator of USD as a fee measure as native units are not easily comparable.

Bitcoin Transaction Notes

This example chain of transactions represents the recommended way to gain “reasonable privacy” and spend in Bitcoin, and requires a TX0 pre-mix transaction, a Whirlpool mixing transaction, and a post-mix transaction (here a STONEWALL transaction is used for the comparison, as this is most common and does not require a trusted second part).

It’s important to note that it takes a great deal of time to perform a single “reasonably private” spend, and in my own testing it took ~4.5h to go from TX0 to STONEWALL spend. This overall time could be reduced somewhat by creating multiple mixed outputs from each TX0, but is not possible for all users depending on input amount and pool size.

For this comparison I have omitted “doxxic change” costs and mixing fees, as they are variable and hard to compare with Monero and Zcash transactions. I am purely listing Bitcoin transaction fees below.

Monero Transaction Notes

This example transaction is a standard 1-in 2-out Monero transaction with the present network technology, and represents the most common spend. Note that no preparatory, mixing, or post-mix transactions are necessary to protect the sender, receiver, and amount, or to break any deterministic links along the way.

Sending a Monero transaction is as simple as a basic Bitcoin transaction, and takes ~2min to confirm on-chain.

Zcash Transaction Notes

This example transaction is a standard 1-in 2-out z-to-z transaction in Zcash, and represents the highest level of privacy available to users who opt-in to sending from and to a z-address (fully shielded). This type of transaction hides the sender, receiver, and amount on-chain. Note that no preparatory, mixing, or post-mix transactions are necessary to protect the sender, receiver, and amount, or to break any deterministic links along the way.

Results

As you can see below, Monero offers the most cost and space-efficient transactions of the three networks, saving almost 900b per “reasonably private” spend compared to comparable transactions in Bitcoin and Zcash, and is 33% the cost of Zcash and 0.0002% the cost of Bitcoin.

The largest caveat here for the scaling of Monero is that it is not currently fully pruneable in the same way as Bitcoin (Bitcoin can prune down to just the current UTXO set), and requires retaining a database of all outputs to use as decoys in each future transaction as no output is ever known-spent by the network10. Zcash is (as far as I can tell) not pruneable in any way at present.

It’s important to note that most users of both Zcash and Bitcoin do not opt into using these privacy tools, and instead choose to transact without hiding sender/receiver/amount for the vast majority of transactions.

For more info on comparing the frequency of spends utilizing these privacy tools, see a recent Tweet thread from @JEhrenhofer:

Cryptocurrency Transaction Size Transaction Cost (in USD as of 2021-04-20)
Bitcoin 2,363b, 1,475vb $41.00 (@ 50sat/vb)
Monero 1,419b $0.0208 (median)
Zcash 2,373b $0.0232 (median)

Throughput

Throughput is an even harder metric to measure across networks, as each network has made their own choices of block size and block time to match their own needs and goals. To provide a common ground here, I’ve chosen to list the default limits/times of each network and the throughput that allows, as well as provide a version of each weighted to Bitcoin’s design choices of 10min block times and 1MB/4MB block size caps.

Bitcoin Network Notes

Bitcoin has retained the 10min block times from it’s inception, but block sizes have been changed (in a way) with the introduction of SegWit11 to a maximum of 4MB for native SegWit transactions, and 1MB for “legacy” transactions. To provide the optimal network conditions for this comparison, I am assuming a 100% native SegWit adoption, something that is not even close to reality, but provides a better picture of what is possible in Bitcoin natively.

More details of how the weighting of transactions works in Bitcoin can be found in “What’s the blocksize limit after SegWit?".

Monero Network Notes

The Monero network has a block time of 2min, but has a more complex block size limit than most other networks. In Monero, block sizes have a median and a hard cap that can both be expanded by miners at the expense of block subsidy penalties proportional to the block size increase. For the calculations below I’ve chosen the default block size hard cap, but the Monero network can easily and smoothly scale up without any developer intervention or software releases.

For more info on how this dynamic block scaling works, see “How Monero Solved the Block Size Problem That Plagues Bitcoin”.

Zcash Network Notes

Zcash uses similar properties to the Bitcoin network, but with a reduced block time of only 1.25min between blocks while also changing block size to 2MB. As SegWit is not supported, there is no complicated block limit differences to discuss here.

Results

As you can see below, due to the much more space-efficient transactions in Monero, you can support the most Bitcoin-weighted TPS when comparing “reasonably private” spends across the three networks.

Note that Zcash technically supports the highest TPS at the default block sizes, but combining their very quick block times with full blocks would lead to difficulties for nodes and a quickly growing blockchain.

Cryptocurrency Block Time Block Size Limit Max TPS/10min Max TPS/10min weighted to Bitcoin block size Chain growth weighted to Bitcoin TX count
Bitcoin 10min legacy of 1MB, SegWit of 4MB ~2,750 (with SegWit) ~2,750 (with SegWit) 0.77GB/d
Monero 2min Initial median of 300KB, hard cap of 2x median ~2,150 ~2,900 (with SegWit) 0.46GB/d
Zcash 1.25min 2MB ~6,900 ~1,725 (with SegWit) 0.77GB/d

Conclusion

To summarize the findings here, we see that while Monero is often discounted as a privacy tool due to “scaling issues” or “inefficient transactions”, it actually boasts the most scalable privacy implementation among the leaders, and has been constantly iterating, dropping from nearly 13KB per transaction to ~1.4KB per transaction since it’s inception.

There is still a long way to go, but it’s exciting to see the constant progress pay off in a comparison of “reasonably private” spends like I’ve tried to do here.

I do realize that these comparisons are incredibly difficult to make, and would be grateful for any pointers on how I can better hone this approach to give a clear picture of privacy tool efficiency today.

Comments

Popular posts from this blog

How to hack wifi in Windows 7/8/8.1/10 without any software | using with cmd

How to Hack Wifi password using cmd Hello Friends, In this article we will share some tricks that can help you to hack wifi password using cmd. Youcan experiment these trick with your neighbors or friends. It’s not necessarily that this trick will work with every wifi because of upgraded hardware. But you can still try this crack with wifi having old modems or routers. 1: WEP: Wired Equivalent Privacy (WEP) is one of the widely used security key in wifi devices. It is also the oldest and most popular key and was added in 1999. WEP uses 128 bit and 256-bit encryption. With the help of this tutorial, you can easily get into 128-bit encryption and Hack WiFi password using CMD. 2: WAP and WAP2: Wi-Fi Protected Access is an another version of WiFi encryption and was first used in 2003. It uses the 256-bit encryption model and is tough to hack. WAP2 is an updated version of WAP and was introduced in 2006. Since then it has replaced WAP and is now been used mostly in offices and colle...

A Beginner’s Guide to Getting Started with Bitcoin

A man looks for Bitcoin Oasis If you have heard about blockchain or cryptocurrency, then the term that initially comes to mind is Bitcoin . Launched 12 years ago, it was the late 2017 bull run that created a media frenzy that propelled Bitcoin into the mainstream and our modern day lexicon. Often labeled as the “original” cryptocurrency, Bitcoin has been the catalyst (directly and/or indirectly) behind many new innovations in the blockchain and digital asset space, most notably Ethereum and Monero . Shortly after the late 2017 bull run lost its steam, interest in these new technologies started to fade ― but here we are in 2021 with Bitcoin having risen like a phoenix from the ashes. As you would assume, an appetite for the blockchain and digital asset space has returned and now it is more important than ever that we understand what exactly is behind this unique asset, Bitcoin. This article is meant to be a guide for individuals who are new to cryptocurren...

Copilot - Microsoft is gearing up to introduce its AI companion

 Microsoft is gearing up to introduce its AI companion, Copilot, this upcoming fall season. The highly-anticipated rollout is scheduled for September 26, with Copilot poised to seamlessly integrate with various Microsoft services, including Windows 11 and Microsoft 365. Additionally, enterprise customers can look forward to the availability of a new AI assistant, Microsoft 365 Chat, starting in November. Copilot, described by Yusuf Mehdi, Corporate Vice President and Consumer Chief Marketing Officer at Microsoft, as an "everyday AI companion," aims to make your daily workflow smoother and more efficient. Its primary goal is to embed an AI-powered "copilot" within Microsoft's most popular products, ensuring widespread accessibility. What distinguishes Copilot from other AI assistants is its focus on integration. Rather than operating in isolation within specific applications, Copilot promises a seamless user experience across multiple Microsoft products. This com...