Incognito, Monero, Zcash, Beam and Grin
Monero, Zcash, Beam, and Grin are designed to be single cryptocurrencies, intended for use as transferable stores of value.
Incognito is designed to be a universal privacy platform, intended to support private transactions of any cryptocurrency.
Fundamental Privacy Tech
To make a transaction private, three pieces of information need to be hidden: sender information (TX inputs), receiver information (TX outputs) and the transaction amount. To achieve this, Monero, Zcash, and Beam & Grin use three different cryptographic techniques: RingCT, zk-SNARKs, and MimbleWimble, respectively.
Monero - RingCT
To protect the sender’s privacy, Monero utilizes ring signatures. A ring signature is essentially a type of digital signature made up of the merged signatures of multiple signers, which can authorize a certain transaction. The goal of this mechanism is to conceal the actual signer’s signature among decoy signatures.
To protect the receiver's privacy, every payment goes to a single-use address. These single-use addresses are called stealth addresses; they are generated by the sender on behalf of the recipient using the recipient's public address and are unique to the transaction. All incoming payments are sent to different one-time addresses that appear on the blockchain and cannot be linked to the recipient's public address.
RingCT enables confidential transactions on the Monero blockchain. It hides transaction amounts behind cryptographic commitments while preserving the network's ability to verify that a transaction is correct. Two techniques provide confidential transactions: Pedersen commitments and bulletproofs.
Pedersen commitment schemes encode the value of every output that participates in the ring signature. Because the commitments add homomorphically, the verifier can check that the sum of the inputs equals the sum of the outputs without learning the value of any individual input in the ring. Since the verifier does not know the amount of an input, a user could create a negative output, and the verifier would not be able to detect it because the output amount is hidden. To rule out negative outputs, Monero uses bulletproofs to check the range of a committed amount.
Bulletproofs secure the supply of Monero by preventing senders from committing to negative values. They do this by cryptographically proving that each transaction amount is at least zero and smaller than a fixed upper bound.
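The homomorphic balance check and the negative-output case described above, as an added example over a toy prime-order group (this is not Monero's code; the parameters P, Q, G, H, the 8-bit amount range and the function names are constructed for illustration):

```python
import secrets

P, Q = 2039, 1019   # toy safe prime p = 2q + 1 (constructed); real systems use a 256-bit curve
G, H = 4, 9         # two generators of the order-Q subgroup; log_G(H) is assumed unknown
N_BITS = 8          # toy amount range [0, 2^8); Monero amounts are 64-bit

def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding mod P. Exponents live mod Q,
    so a negative value is committed as Q + value and is indistinguishable from it."""
    return pow(G, value % Q, P) * pow(H, blinding % Q, P) % P

def product(commitments):
    out = 1
    for c in commitments:
        out = out * c % P
    return out

def balance_holds(in_commits, out_commits):
    """Verifier-side check: because commitments add homomorphically, inputs and
    outputs balance iff their products match. No commitment is opened."""
    return product(in_commits) == product(out_commits)

def in_range(value):
    """The statement a range proof establishes about a committed value."""
    return 0 <= value < 2 ** N_BITS

def demo():
    # Honest spend: a 10-coin input becomes outputs 7 + 3. The sender picks output
    # blindings that sum to the input blinding so the H terms cancel.
    r_in, r_a = secrets.randbelow(Q), secrets.randbelow(Q)
    r_b = (r_in - r_a) % Q
    honest = balance_holds([commit(10, r_in)], [commit(7, r_a), commit(3, r_b)])
    # The negative-output case from the text: 10 becomes 15 + (-5). The balance
    # equation still holds, because -5 is simply Q - 5 inside the group.
    unchecked = balance_holds([commit(10, r_in)], [commit(15, r_a), commit(-5, r_b)])
    # Only a per-output range proof distinguishes the two cases.
    caught = not all(in_range(v) for v in (15, -5))
    return honest, unchecked, caught
```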
Zcash - zk-SNARKs
One major difference between Monero and Zcash is that Zcash’s privacy feature is optional. To guarantee transaction validity without revealing the actual data, Zcash uses a different kind of privacy mechanism called zk-SNARKs, which stands for zero-knowledge succinct non-interactive argument of knowledge.
For a proof system to be considered zero-knowledge, it must satisfy three properties:
- Completeness – if the statement is true, an honest prover can convince an honest verifier of this fact.
- Soundness – if the statement is false, a dishonest prover cannot convince an honest verifier that it is true, excluding a small probability known as a soundness error.
- Zero-knowledge – if the statement is true, the verifier doesn’t need to learn anything else other than the fact that the statement is true in order to verify it.
Ring signatures are zero-knowledge systems as well. The "succinct" and "non-interactive" parts of the name describe the form of the proof:
- Succinct – the proof can be verified in as little as a few milliseconds, because its length does not grow with the size of the statement it proves; even for very large pieces of data, the proof can be packed into a few hundred bytes.
- Non-interactive – the proof does not require back-and-forth communication between the prover and the verifier.
The sender of a Zcash transaction needs to construct a proof showing that the sum of the input amounts equals the sum of the output amounts, and also proving ownership of the inputs. The shielded UTXO (unspent transaction output) in Zcash is called a commitment (not to be confused with a Pedersen commitment). Zcash's proof generation process offloads the major part of the computational work to the transaction sender (which can take up to 40 seconds), and leaves the verifier with a short verification process (which typically takes just milliseconds).
Beam & Grin - MimbleWimble
MimbleWimble has no concept of a blockchain address. Rather than tying all outputs to an address, outputs have no data regarding where they came from, and are spent via a private key. The UTXO model is replaced by one multisignature for all inputs and outputs – called Confidential Transactions. If Alice wants to send Bob a coin, both Alice and Bob create a multisignature key that is used to verify the transaction.
Confidential Transactions use the Pedersen Commitment scheme; there are no addresses. Instead, the parties share a “blinding factor”. The blinding factor encrypts the inputs and outputs of the transaction along with both parties’ public and private keys. This blinding factor is shared as a secret between both parties engaged in the transaction. Due to the blinding factor replacing addresses, only these two parties know that they were involved in a transaction.
Both the sender and receiver have to work together to craft the transaction before it is broadcasted to the network. Here’s what happens during that communication:
- The parties agree on the amount to be transferred.
- The sender picks the inputs they want to use to create the amount to be transferred, and adds together all the blinding factors for that transaction.
- The sender sends the transaction data to the receiver. The receiver then picks the blinding factors for the outputs of the transaction, adds them together, and sends them back to the sender along with any additional required information.
The blinding factor makes up part of the zero-knowledge proof system used in Confidential Transactions. If you know the blinding factor for a given output, you can spend it. By adding together all the blinding factors for every input in the transaction, you can prove you own all the inputs used in the transaction, without sharing the private keys.
MimbleWimble's key scalability feature is "cut-through", which removes outputs that were spent within the same block. This compresses the blockchain, making MimbleWimble much lighter by reducing data storage.
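The sender/receiver exchange above, the kernel formed from the summed blinding factors, and cut-through, as an added toy example (this is not Grin's or Beam's code; P, Q, G, H, the amounts and the function names are constructed; real implementations work on secp256k1 and also attach range proofs and a signature on the kernel):

```python
import math, secrets

P, Q = 2039, 1019   # toy safe prime p = 2q + 1 (constructed); real chains use secp256k1
G, H = 4, 9         # G carries the amount, H carries the blinding factor

def commit(v, r):
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P

def build_tx(inputs, pay, change, fee=0):
    """inputs: list of (commitment, blinding) the sender owns; the blinding is the spend key."""
    # Sender: picks the inputs, sums their blinding factors, chooses a change blinding
    r_change = secrets.randbelow(Q)
    sender_part = (r_change - sum(r for _, r in inputs)) % Q
    # Receiver: picks the blinding for the paid output and returns it to the sender
    r_pay = secrets.randbelow(Q)
    excess = (sender_part + r_pay) % Q
    tx = {"inputs": [c for c, _ in inputs], "fee": fee,
          "outputs": [commit(pay, r_pay), commit(change, r_change)],
          "kernel": pow(H, excess, P)}   # commits to value 0; both parties sign for it
    return tx, (commit(pay, r_pay), r_pay), (commit(change, r_change), r_change)

def verify(tx):
    """outputs - inputs + fee*G must equal the kernel: the amounts cancel, only
    the summed blinding factors remain, proving the spender held every input key."""
    lhs = math.prod(tx["outputs"]) * pow(math.prod(tx["inputs"]), -1, P) * pow(G, tx["fee"], P)
    return lhs % P == tx["kernel"]

def cut_through(txs):
    """Aggregate a block: an output created and spent within the same block is
    dropped together with the input that spends it; kernels are all kept."""
    ins = [c for tx in txs for c in tx["inputs"]]
    outs = [c for tx in txs for c in tx["outputs"]]
    for c in list(ins):
        if c in outs:              # spent inside the block: remove one matched pair
            ins.remove(c)
            outs.remove(c)
    return {"inputs": ins, "outputs": outs, "fee": sum(tx["fee"] for tx in txs),
            "kernel": math.prod(tx["kernel"] for tx in txs) % P}

def demo():
    alice = (commit(50, 123), 123)                 # Alice's existing output (constructed)
    tx1, bob_out, _ = build_tx([alice], 30, 20)    # Alice pays Bob 30, keeps 20
    tx2, _, _ = build_tx([bob_out], 25, 4, fee=1)  # Bob pays Carol 25, keeps 4, fee 1
    block = cut_through([tx1, tx2])
    return verify(tx1), verify(tx2), verify(block), len(block["outputs"]), len(block["inputs"])
```

After cut-through the block no longer contains Bob's intermediate 30-coin output, yet it still verifies against the product of both kernels.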
First, Incognito proposed a solution to shield any cryptocurrency. In effect, cryptocurrencies like BTC, ETH, USDT, etc. can now also be privacy coins. Both shielding and unshielding processes are carried out via a decentralized group of trustless custodians. Once shielded, transactions are confidential and untraceable. To provide privacy, we employed the linkable ring signature scheme, homomorphic commitment scheme, and zero-knowledge range proofs.
Second, Incognito presented a solution to scale out a privacy-focused cryptonetwork by implementing sharding on privacy transactions, as well as a new consensus based on proof-of-stake, pBFT, and BLS. Transaction throughput scales out linearly with the number of shards. Currently, with 8 shards active, Incognito can handle 100 TPS. With a full deployment of 64 shards, Incognito can handle 800 TPS.
Third, Incognito offers users and developers a simple way to create their own privacy coins. Incognito's community believes that in the near future, tokens will increasingly represent everyday assets, including but not limited to stocks, fiat currencies, gold, real estate and any form of ownership. We also strongly believe that very few people will willingly disclose their token holdings to the entire world.
As a privacy hub, Incognito needs to transfer many different types of assets. The Confidential Assets technique will later be used to hide the type of asset being transacted.
Monero, Zcash, Beam, and Grin use Proof of Work. Transactions are stored in a single chain, like the Bitcoin blockchain.
Incognito uses Proof of Stake. Sharding is used to improve transaction throughput.
Monero - RingCT
- Decoy sampling distribution: if the number of decoys is small, or if the distribution is not uniformly random, observers could guess the actual sender. A larger number of decoys increases block size and slows throughput.
- If already-deanonymized outputs are used as decoys, they can be ruled out, which narrows down the real input.
Zcash - zk-SNARKs
- Creation requires a trusted setup – a security concern on its own.
- Resource heavy – proof size is large.
- Not private by default – less private overall.
Beam & Grin - MimbleWimble
- Some form of communication between the sender and receiver is necessary in order for the transaction to be signed by both parties. This makes sending transactions more complicated compared to Monero and Zcash. It could also require TX participants to be online for the TX to occur.
- The way the MW transactions are crafted makes it more difficult to create multi-party transactions as multiple parties have to communicate to craft the TX.
- When MW transactions are published to the unconfirmed TX pool, the TX inputs and outputs are still visible. Miners are required to create the transaction blocks in a way that allows transaction cut-through to hide some of this information. The confirmed block will have a smaller number of inputs and outputs mixed together in a way that makes it more difficult to recognize the sides of a specific transaction. However, it is possible and probably easy for anyone to keep a record of all transactions from the unconfirmed transaction pool. This data could be used to build detailed transaction graphs of the network.
Incognito - RingCT
- As it uses the same approach as Monero, Incognito also faces problems like decoy sampling distribution and transaction size.
- Currently, Incognito cannot shield asset types. This important privacy feature is currently in the works, and is scheduled to be delivered by Q1 2021.
| | Incognito | Monero | Zcash | Beam & Grin |
|---|---|---|---|---|
| Confidential Transaction | RingCT, Stealth Address, Confidential Asset | RingCT, Stealth Addresses | zk-SNARKs | MimbleWimble |
| Database | Multiple chains (sharding) | Single chain | Single chain | Single chain |