Ring signatures and zero-knowledge proofs are two of the best-known privacy enhancing technologies applied to cryptocurrency. Since cryptography is what makes scarce digital goods possible in the first place, this is no small feat.
Both zero-knowledge proofs and ring signatures have proved effective at preserving user anonymity and privacy, and their staying power amid fierce competition and rapid innovation is celebrated among blockchain privacy enthusiasts.
To weigh in on which of them does the better job, and at what cost, we will look at the technology behind each, its applications on the blockchain, and its advantages and disadvantages.
An overview of ring signatures
Ring signatures are a comparatively recent cryptographic primitive (the scheme dates from 2001) and, to date, one of the most effective for anonymity. As the name implies, a ring signature is produced on behalf of a group of public keys, the ring; the members' keys together hide which one of them actually signed.
One of the earliest scenarios used to describe the way ring signatures work is the White House dilemma, which goes as follows:
Imagine there is a sensitive information leak from the Oval Office. The leaked information has no identifiable source, so everyone who works in the building immediately becomes a suspect. The President can establish that the information could only have come from a staff member, but has no idea which one. The secret is in the open, yet no one can tell how it got out or who leaked it. If every staff member enjoys plausible deniability (i.e., there is no proof against any of them), the outcome is exactly what a ring signature provides.
With no clear suspects, there can be no culprits.
How do ring signatures work?
A ring signature needs a set of public keys, the ring, which the signer chooses: the signer's own key is one member and the others serve as decoys. Only one private key is used to produce the signature. A verifier can check that the message was signed by some member of the ring but cannot tell which, so the signer stays anonymous. In our example the ring is "the White House staff", and the verifier is anyone who reads the leak; no group is needed on the receiving side. Since the signer cannot be singled out from the keys in the ring, ring signatures preserve anonymity.
Although they resemble group signatures, ring signatures differ on two points. First, the anonymity of the signer is irrevocable: there is no group manager who can open a signature and reveal who produced it. Second, no setup is needed to form the signing set: a signer can take any set of public keys as decoys, with or without the knowledge of their owners. In other words, any key on the network can end up in someone else's ring without its owner knowing.
Ron Rivest, Adi Shamir, and Yael Tauman Kalai introduced the concept of ring signatures in 2001 at ASIACRYPT. Since then, ring signatures have been used for several real-life applications, including privacy enhancement on public blockchain networks.
Real-Life Applications of Ring Signatures
When Rivest et al. published the original ring signature paper in 2001, they suggested a few real-life use cases. Here are some of them, together with applications that came later.
As we saw in the White House dilemma, whistleblowing is tremendously helped by plausible deniability. Technology that guarantees it would make leaking a great deal safer.
Using ring signatures, individuals can expose documents and materials that prove government or corporate cover-ups without exposing their identities. Even when it is clear that an official with a key in the ring was behind the leak, the exact identity of the signer remains unknown.
One variant of the basic ring signature adds linkability, which is what prevents double spending. Two signatures produced with the same private key (on the same linking tag, for example an output being spent) can be recognised as coming from the same signer, without revealing which ring member that signer is.
In this structure the sender's identity remains hidden, but a verifier can tell whether the signer has signed before: every signature made with the same private key carries the same link tag (Monero calls it a key image), which ties each signature to the others under that key. With linkability, ring signatures can be used for offline e-cash: sender and recipient stay anonymous, and a coin spent twice is detected because both signatures link.
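The two paragraphs above (how a ring is formed from one real key and several decoys, and how linkability is added) can be shown in working code. The following is an added example, not code from the original article or from Monero: a linkable ring signature in the LSAG style, where the signer's private key is used once, the decoys' keys are used only as public values, and a key image derived from the signer's key makes two signatures by that key linkable. To keep the file standard-library only, arithmetic is done in the multiplicative group modulo the Mersenne prime 2**127 - 1; this group is an assumption made for illustration and is far too weak for real use, where an elliptic curve such as ed25519 takes its place.

```python
"""Linkable ring signature (LSAG style) over a toy group.

Added example: not code from the original article or from Monero.  The
group is the integers modulo the Mersenne prime 2**127 - 1 (an assumption
made so the file runs with the standard library only; real schemes use an
elliptic curve).  Exponents are reduced modulo the group order P - 1.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (prime); stand-in for a real curve
N = P - 1        # every exponent lives in Z_N
G = 3            # fixed generator of the toy group


def h_scalar(*parts: bytes) -> int:
    """Hash byte strings to an exponent (the Fiat-Shamir challenge)."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") % N


def h_point(pk: int) -> int:
    """Hash a public key to a group element whose log base G is unknown."""
    digest = hashlib.sha256(b"Hp|" + pk.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def enc(*vals: int) -> bytes:
    return b"".join(v.to_bytes(16, "big") for v in vals)


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def sign(msg: bytes, ring: list, x: int, idx: int):
    """Sign msg with private key x; ring[idx] must be its public key.  The
    other ring members are decoys whose owners are not involved at all."""
    n = len(ring)
    pk = ring[idx]
    assert pow(G, x, P) == pk, "ring[idx] is not the signer's public key"
    # Key image: the same x always yields the same image, which is what makes
    # two signatures by one key linkable without revealing which key it is.
    key_image = pow(h_point(pk), x, P)
    prefix = (enc(*ring), enc(key_image), msg)
    c = [0] * n
    s = [0] * n
    alpha = secrets.randbelow(N - 1) + 1
    # Real member: commit with a fresh nonce and start the challenge chain.
    c[(idx + 1) % n] = h_scalar(*prefix, enc(pow(G, alpha, P),
                                            pow(h_point(pk), alpha, P)))
    i = (idx + 1) % n
    while i != idx:
        # Decoys: pick the response at random and derive the next challenge.
        s[i] = secrets.randbelow(N)
        L = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        R = pow(h_point(ring[i]), s[i], P) * pow(key_image, c[i], P) % P
        c[(i + 1) % n] = h_scalar(*prefix, enc(L, R))
        i = (i + 1) % n
    # Close the ring: only the holder of x can solve for this last response.
    s[idx] = (alpha - c[idx] * x) % N
    return c[0], s, key_image


def verify(msg: bytes, ring: list, sig) -> bool:
    """Recompute the challenge chain; it must close on the published c0.
    The verifier learns that some ring member signed, not which one."""
    c0, s, key_image = sig
    prefix = (enc(*ring), enc(key_image), msg)
    c = c0
    for i in range(len(ring)):
        L = pow(G, s[i], P) * pow(ring[i], c, P) % P
        R = pow(h_point(ring[i]), s[i], P) * pow(key_image, c, P) % P
        c = h_scalar(*prefix, enc(L, R))
    return c == c0


def linked(sig_a, sig_b) -> bool:
    """True if both signatures were made with the same private key."""
    return sig_a[2] == sig_b[2]


if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]          # constructed sample keys
    ring = [pk for _, pk in keys]
    sig1 = sign(b"pay 1 XMR", ring, keys[2][0], 2)
    sig2 = sign(b"pay 1 XMR again", ring, keys[2][0], 2)
    sig3 = sign(b"pay 1 XMR", ring, keys[0][0], 0)
    print("valid:", verify(b"pay 1 XMR", ring, sig1))     # True
    print("same signer:", linked(sig1, sig2))             # True: double spend
    print("different signer:", linked(sig1, sig3))        # False
```

The verifier never learns `idx`: every index is treated identically in `verify`, and the only place the private key enters is the final response `s[idx]`, which is indistinguishable from the random responses chosen for the decoys. Dropping `key_image` from the hash inputs and from `R` turns this into a plain, unlinkable ring signature.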
Deniable signatures are not mainstream, but they have been outlined as a way to send and receive messages that are authentic to the recipient alone. A sender forms a ring of just two keys, their own and the recipient's: the recipient knows they did not sign, so the message must be genuine, but nobody else can tell which of the two produced it, so the signature cannot be transferred to a third party as evidence of who sent what.
E-voting uses ring signatures with both linkability and traceability. Linkability lets the tallier detect two ballots cast with the same private key; traceability goes further and reveals that signer's public key when it happens. A voter who votes once stays anonymous to everyone but the trusted electoral umpire, while a double voter loses their anonymity.
Monero is a privacy-focused blockchain that uses ring signatures together with Ring Confidential Transactions (RingCT, which combines the ring signature with commitments that hide the amount) and stealth addresses (which hide the recipient) to make transactions private.
For each input, Monero pulls several decoy outputs from the chain using an age-weighted distribution (originally triangular; since 2018 a gamma distribution over output age) and combines them with the output actually being spent to form the ring. Every ring member is an equally valid signer, so the spent output cannot be traced, and each transaction input enjoys plausible deniability.
Monero also uses Pedersen commitments to hide transaction amounts while still letting verifiers check that inputs and outputs balance; senders are hidden by the ring signature and recipients by stealth addresses. Together these give users strong privacy with reasonable efficiency and verifiable, trustless coin issuance.
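The balance check that Pedersen commitments make possible is easy to see in code. The following is an added example, not the article's or Monero's code: amounts are committed as C = G^a * H^r (papers write aG + rH on a curve), the spender publishes only the commitments, the public fee and the difference of the blinding factors, and the verifier checks that inputs equal outputs plus fee without ever learning an amount. The group, the integers modulo the Mersenne prime 2**127 - 1, is an assumption made only so the file runs with the standard library; it is far too weak for real use.

```python
"""Pedersen commitments and a RingCT-style balance check.

Added example: not the article's or Monero's code.  The group is the
integers modulo the Mersenne prime 2**127 - 1 (an assumption made to keep
the file standard-library only; Monero does the same arithmetic on the
ed25519 curve).
"""
import hashlib
import secrets

P = 2**127 - 1
N = P - 1
G = 3
# Second generator with no known relation to G, derived by hashing: nobody
# knows log_G(H), which is what makes a commitment binding on a real curve.
H = int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big") % (P - 2) + 2


def commit(amount: int, blinding: int) -> int:
    """C = G^amount * H^blinding: hides the amount, binds to it."""
    return pow(G, amount, P) * pow(H, blinding, P) % P


def build_tx(in_amounts, out_amounts, fee):
    """Spender side: commit to every amount with a fresh blinding factor and
    publish the excess blinding so that the commitments balance."""
    if sum(in_amounts) != sum(out_amounts) + fee:
        raise ValueError("inputs must equal outputs plus fee")
    r_in = [secrets.randbelow(N) for _ in in_amounts]
    r_out = [secrets.randbelow(N) for _ in out_amounts]
    return {
        "inputs": [commit(a, r) for a, r in zip(in_amounts, r_in)],
        "outputs": [commit(a, r) for a, r in zip(out_amounts, r_out)],
        "fee": fee,                               # the fee is public
        "excess": (sum(r_in) - sum(r_out)) % N,   # blinding difference only
    }


def product(xs):
    acc = 1
    for x in xs:
        acc = acc * x % P
    return acc


def verify_tx(tx) -> bool:
    """Verifier side: sees commitments, fee and excess, never an amount.
    prod(C_in) == prod(C_out) * G^fee * H^excess  <=>  the amounts balance,
    because any leftover amount would leave a stray power of G."""
    lhs = product(tx["inputs"])
    rhs = (product(tx["outputs"]) * pow(G, tx["fee"], P)
           * pow(H, tx["excess"], P) % P)
    return lhs == rhs


if __name__ == "__main__":
    tx = build_tx([5, 7], [9, 2], fee=1)      # constructed sample amounts
    print("balanced:", verify_tx(tx))         # True
    # Inflate the first output by one unit while keeping its blinding:
    tx["outputs"][0] = tx["outputs"][0] * G % P
    print("after tampering:", verify_tx(tx))  # False
```

Note what the check does not do: it says nothing about an amount being negative, which in modular arithmetic is just a very large positive number. Real RingCT pairs every output commitment with a range proof for exactly that reason.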
Zero-knowledge proofs are among the most widely adopted privacy protocols. Several privacy enhancing technologies derive from them; zk-SNARKs in particular have come to prominence in the blockchain space, driving both anonymity and scalability.
Zero-Knowledge Succinct Non-interactive Argument of Knowledge (zk-SNARK) proofs allow users to prove their ownership of specific information or that they have done something without disclosing underlying details. Individuals or entities can prove an action (e.g., having over $5,000 in the bank) without telling the third party what action they took (e.g., their exact balance), the recipient of such actions, and the item or items exchanged.
Zk-SNARKs are not just zero-knowledge: they are also non-interactive, so prover and verifier need no back-and-forth to produce or check a proof. The commitments that fix the data a proof refers to are published as hashes.
How do zk-SNARKs Work?
To understand the concept of zk-SNARKs, we first have to consider how zero-knowledge proofs work. Imagine a world in which people can prove that they own something or did something without telling you what they own or have done. Yet, you, as a third-party observer, can confirm that they truly own that item or that they are behind the action they claim to have carried out.
Zk-SNARKs are zero-knowledge proofs that require no interaction between the proving party and the verifier. With a zk-SNARK, a prover can convince the verifier not only that the data behind a published hash exists but also that the prover knows it.
Succinctness means the proof is a few hundred bytes long and can be verified in milliseconds, however large the underlying computation was. In the early days of zero-knowledge proofs, prover and verifier had to exchange several messages to establish trust.
With a non-interactive construction, a single message suffices. Zk-SNARKs are also computationally sound arguments of knowledge: a valid proof cannot be constructed without the private input (the witness) that makes the statement true.
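The move from several messages to one is easiest to see on the simplest zero-knowledge proof there is. The following is an added example, not code from the article or from any zk-SNARK library: a zk-SNARK proves an arbitrary computation, whereas this file only proves knowledge of a discrete logarithm, but the Fiat-Shamir step that removes the verifier's message is the same idea. The example also shows why the challenge must be unpredictable: a prover who learns it before committing can fake a transcript, which is exactly what hashing the commitment into the challenge prevents. The group, the integers modulo the Mersenne prime 2**127 - 1, is an assumption made so the file runs with the standard library only; it is far too weak for real use.

```python
"""Schnorr proof of knowledge: interactive sigma protocol versus its
Fiat-Shamir (non-interactive) form.

Added example: not code from the article or from any zk-SNARK library.
The group is the integers modulo the Mersenne prime 2**127 - 1 (an
assumption made to keep the file standard-library only).
"""
import hashlib
import secrets

P = 2**127 - 1
N = P - 1
G = 3


def keygen():
    """Secret x and public y = G^x; the prover will show it knows x."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


# --- interactive version: three messages over a channel --------------------
class Prover:
    def __init__(self, x):
        self.x, self.y = x, pow(G, x, P)

    def commit(self) -> int:            # message 1: t = G^k for fresh k
        self.k = secrets.randbelow(N)
        return pow(G, self.k, P)

    def respond(self, c: int) -> int:   # message 3: s = k - c*x
        return (self.k - c * self.x) % N


class Verifier:
    def __init__(self, y):
        self.y = y

    def challenge(self) -> int:         # message 2: random c, sent after t
        self.c = secrets.randbelow(N)
        return self.c

    def check(self, t: int, s: int) -> bool:
        return pow(G, s, P) * pow(self.y, self.c, P) % P == t


def interactive_session(x: int, y: int) -> bool:
    """Run all three messages; returns the verifier's verdict."""
    prover, verifier = Prover(x), Verifier(y)
    t = prover.commit()
    c = verifier.challenge()
    s = prover.respond(c)
    return verifier.check(t, s)


def forge_for_known_challenge(y: int, c: int):
    """Anyone who learns c BEFORE committing can fake a transcript without
    knowing x: pick s, then solve for the t that satisfies the check."""
    s = secrets.randbelow(N)
    t = pow(G, s, P) * pow(y, c, P) % P
    return t, s


# --- non-interactive version: the challenge is a hash of the commitment ----
def fs_challenge(y: int, t: int, msg: bytes) -> int:
    data = y.to_bytes(16, "big") + t.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def nizk_prove(x: int, y: int, msg: bytes = b"") -> tuple:
    """One message (t, s); binding msg into the hash turns it into a signature."""
    k = secrets.randbelow(N)
    t = pow(G, k, P)
    c = fs_challenge(y, t, msg)
    return t, (k - c * x) % N


def nizk_verify(y: int, proof: tuple, msg: bytes = b"") -> bool:
    t, s = proof
    c = fs_challenge(y, t, msg)         # verifier recomputes c, never sends it
    return pow(G, s, P) * pow(y, c, P) % P == t


if __name__ == "__main__":
    x, y = keygen()
    print("interactive:", interactive_session(x, y))            # True
    print("non-interactive:", nizk_verify(y, nizk_prove(x, y)))  # True
    t, s = forge_for_known_challenge(y, 12345)
    print("forgery vs. Fiat-Shamir:", nizk_verify(y, (t, s)))   # False
```

The forgery succeeds against a verifier who reuses a challenge the prover already knows, and fails against the hashed challenge because changing `t` changes `c`, so the forger can no longer solve for both.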
Let’s illustrate this all in a mundane example:
A zk-SNARK is like a bracelet certifying membership of a secret multi-billionaire society: if you wear it out on the street, other members can identify you at once. They do not need to interact with you, you do not need to interact with them, and what the bracelet conveys (your status, the conditions you met to join) is transferred to the "verifier" at a glance, without any of the details behind it being revealed.
Panther, for example, leverages zk-SNARKs to restore privacy in Web3 and DeFi while providing financial institutions with a clear path to compliantly participate in decentralized finance. Using zk-proofs, Panther enables users to prove their regulatory compliance without sharing the underlying data. Panther does this through zk- and non zk-Reveals that generate zero-knowledge reports for selective disclosures.
Real-world applications of zk-SNARKs
Several privacy-centric blockchain protocols have adopted zk-SNARKs to provide user and transaction anonymity across the main chain, sidechains, and bridges. Zcash is one of the best known: its shielded transactions are proved valid with zk-SNARKs, so sender, recipient and amount stay hidden on-chain.
Another popular project that adopts zkSNARKs is Horizen. In addition to driving privacy in the crypto space, these projects have also employed zkSNARKs to establish trust between users and law enforcement agencies.
zkAudits are gaining popularity, allowing auditors to independently verify information without disclosing the identities of senders and receivers. The now-bankrupt Celsius Network used zkAudits, powered by Horizen, to prove liquidity and revenue in real time without third-party validators, while keeping the underlying transaction information anonymous.
With zk-SNARKs, a blockchain can outsource an expensive computation and check that the result is correct without re-executing it. This opens up a category of trustless computing and a new way to scale blockchains.
In other words, zk-SNARKs let a blockchain move from a model in which everyone computes everything to one in which one party computes and everyone else verifies.
Ring signatures versus zk-SNARKs
Ring signatures and zk-SNARKs have both received fair criticism since going mainstream. New developments have addressed most of the design flaws found, but a few linger. Monero's ring signature scheme, for example, has been faulted by researchers in recent years: statistical analysis of how decoys are chosen (for instance, guessing that the newest output in a ring is the one really being spent) could let an observer trace some transactions. This is not a break of the underlying cryptography, which has never been shown to be cracked; the criticism concerns decoy selection, and it usually comes with the observation that Monero's privacy has not yet been tested at large scale.
There is also the danger of de-anonymization through outputs whose spending is publicly known. If a user moves coins into a public pool or exchange that reveals which outputs it spends, those outputs can be ruled out as decoys in every other ring they appear in, shrinking the anonymity set of other signers; in the extreme, a ring collapses to a single candidate.
Monero currently uses a fixed ring size of 16, that is, 15 decoys per input plus the output really being spent, without noticeable performance degradation.
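The decoy-elimination risk described above can be simulated without any cryptography, since it is purely a matter of which outputs can still be the real spend of which input. The following is an added example with constructed data, not Monero's code and not a reproduction of any published study: each ring is the set of outputs an input could be spending; an output known to be spent by one input is struck from every other ring, and whenever a ring shrinks to one candidate that spend becomes known as well (the "chain reaction"). The `known_spent` parameter models a pool or exchange that publishes which outputs it spent in transactions outside the sample.

```python
"""Decoy elimination against ring signatures: the chain reaction and the
effect of publicly known spends.

Added example with constructed data; not Monero's code.
"""


def eliminate_decoys(rings, known_spent=()):
    """rings: {input_id: set of candidate output ids}.
    known_spent: outputs already known to be spent in some other transaction
    (e.g. a pool that publishes its spends).
    Returns (resolved {input_id: output_id}, remaining {input_id: set})."""
    spent = set(known_spent)
    remaining = {inp: set(ring) for inp, ring in rings.items()}
    resolved = {}
    changed = True
    while changed:                      # iterate until no ring shrinks further
        changed = False
        for inp in list(remaining):
            candidates = remaining[inp] - spent
            if not candidates:
                raise ValueError(f"{inp}: every candidate is already spent")
            if len(candidates) == 1:
                (real,) = candidates    # ring collapsed: the spend is exposed
                resolved[inp] = real
                spent.add(real)         # ... and it is a decoy everywhere else
                del remaining[inp]
                changed = True
            else:
                remaining[inp] = candidates
    return resolved, remaining


def anonymity_sets(remaining):
    """Effective ring size left for each unresolved input."""
    return {inp: len(c) for inp, c in remaining.items()}


# Constructed sample: five transaction inputs spending among six outputs.
# tx1 used no decoys at all, as early Monero allowed.
SAMPLE_RINGS = {
    "tx1.in0": {"o1"},
    "tx2.in0": {"o1", "o2"},
    "tx3.in0": {"o1", "o2", "o3"},
    "tx4.in0": {"o3", "o4", "o5"},
    "tx5.in0": {"o4", "o5", "o6"},
}

if __name__ == "__main__":
    resolved, left = eliminate_decoys(SAMPLE_RINGS)
    print("traced:", resolved)             # tx1->o1, tx2->o2, tx3->o3
    print("left:", anonymity_sets(left))   # tx4: 2, tx5: 3
    # Now a public pool announces that it spent o4 elsewhere:
    resolved, left = eliminate_decoys(SAMPLE_RINGS, known_spent={"o4"})
    print("traced:", resolved)             # all five inputs resolved
```

Note that tx4 and tx5 chose three-member rings and were still traced, because their rings were built from outputs that other, weaker rings had already exposed. This is why decoy selection and a fixed, larger ring size matter as much as the signature scheme itself.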
zk-SNARKs, on the other hand, have also been criticized on the following grounds:
- zk-SNARKs require a trusted setup (although Zcash has recently shipped the Halo 2 proving system and the Orchard shielded pool, which eliminate the need for one).
- zk-SNARKs are resource-heavy, above all on the prover's side.
- Zcash's zk-SNARK-powered blockchain is not private by default: transparent transactions are still allowed.
The problem with a trusted setup is that whoever obtains the secret randomness used to generate the proving parameters (the so-called toxic waste) can produce false proofs that any verifier accepts. In the case of Zcash, that would mean counterfeiting coins undetectably.
It is worth mentioning, however, that cryptographic researchers at the Electric Coin Company (ECC) discovered a technique, Halo, for creating zero-knowledge proofs without a trusted setup. Halo achieves practical zero-knowledge recursive proof composition with no trusted setup, and ECC has used it to eliminate trusted setups in Zcash and is exploring nested proof composition as a way to scale Zcash at Layer 1.
The resource-heaviness of zk-SNARKs also counts against them, as users may prefer networks with faster transactions. Generating a zk-SNARK is complex and, ring signature proponents argue, typically takes far more computing time than producing a ring signature; verifying one, by contrast, is fast.
Ring signatures and zk-SNARKs are fundamental cryptographic privacy tools with real-world use cases. Both have shortcomings, but they rest on completely different mechanisms and serve different purposes.
Both have furthered the cause of blockchain privacy and remain widely used by some of the world's most anonymous cryptocurrencies. There is no right or wrong choice between them, just different possibilities, limitations, and prospects.
Panther is a decentralized protocol that enables interoperable privacy in DeFi using zero-knowledge proofs.
Users can mint fully-collateralized, composable tokens called zAssets, which can be used to execute private, trusted DeFi transactions across multiple blockchains.
Panther helps investors protect their personal financial data and trading strategies, and provides financial institutions with a clear path to compliantly participate in DeFi.