Battle of the Privacycoins: Verge Offers Little Privacy and Nothing Unique
Based on blockchain technology, most cryptocurrencies have an open and public ledger. While this is required for these systems to work, it comes with a significant downside: Privacy is often quite limited. Government agencies, analytics companies and other interested parties — let’s call them “spies” — have ways to analyze the public blockchains and peer-to-peer networks of cryptocurrencies like Bitcoin, to cluster addresses and tie them to IP addresses or other identifying information.
Unsatisfied with Bitcoin’s privacy features, several cryptocurrency projects have, over the years, launched with the specific goal to improve on them. And not without success. Several of these privacycoins are among the most popular cryptocurrencies on the market today.
However, as detailed in this month’s cover story, Bitcoin’s privacy features have recently seen significant improvements as well and are set to further improve over the next months and years. This miniseries will compare different privacycoins to the privacy offered by Bitcoin.
In part 3: Verge
Verge (XVG) was originally launched in 2014 as “Dogecoin Dark” by Justin Sunerok, who is still lead developer of the project today. To cultivate a more serious image, the project rebranded to “Verge” in 2016. As a codebase fork of Dogecoin, its base protocol is similar to Bitcoin in many ways. (Dogecoin was a codebase fork of Litecoin, which was a codebase fork of Bitcoin.)
Verge has been in the news several times over the past year, most notoriously because the coin was successfully 51%-attacked on multiple occasions. But Verge is probably best known for its partnership with major porn site Pornhub, which made headlines all over the crypto media and beyond.
At the time of writing, Verge (XVG) claims the 39th spot on altcoin market cap lists, down from a top-25 spot earlier this year. This makes it the fourth (and last) privacy-focused altcoin in the market cap top 50, after Monero, Dash and Zcash.
According to the subtitle of the the Verge “Black Paper,” which describes the project, Verge is “the most privacy focused cryptocurrency.” However, even the Verge project leaders themselves appear to be a bit more equivocal on this point. Describing (what seems to refer to) Monero as “too private,” the Verge Currency Beginner’s Guide written and published by Verge Currency Core members instead argues that privacy should be optional.
This optionality is represented by Verge’s “Wraith protocol.” The Wraith protocol would let users choose whether they want to conduct a regular transaction (like a normal Bitcoin transaction) or a RingCT transaction, similar to Monero. RingCT transactions include “decoy” coins in transactions to obfuscate which coin is really being spent and also hides the amounts involved in a transaction for everyone but the payer and payee.
However, RingCT transactions have actually not yet been implemented at this point in time. As such, Verge users can only make regular transactions.
What has been implemented are optional stealth addresses. Stealth addresses are perhaps best understood as cryptographic puzzles. They essentially allow the sender of XVG to generate a brand new Verge address to send the XVG to, which can then be claimed by the owner (and only by the owner) of the stealth address. The main benefits are that several Verge addresses can be generated from the same stealth address and that the stealth address cannot be linked to the actual addresses on the blockchain by anyone but the payer and the payee. This means that the stealth address can be posted online, perhaps as a donation address, without the user needing to worry about his privacy.
But Verge’s main privacy offering is probably a very different type of privacy: privacy on the peer-to-peer network layer.
The peer-to-peer network, of course, is where nodes transmit and relay all transactions and blocks to one another. Unfortunately, this network can be spied on, specifically by deploying nodes to track the data it receives from other nodes. If done right, this information can be used to figure out where certain transactions originated. If spies can link this originating node to an IP address, they’ve gone a long way toward de-anonymizing the creator of a transaction.
Verge counters peer-to-peer network analysis by having nodes and wallets communicate through Tor. By transmitting their transactions through the privacy-preserving, onion routing network, Verge users escape the prying eye of the spy. Tor is integrated into different Verge wallets by default, even including a mobile wallet for Android.
Since RingCT isn’t delivered yet, the only privacy features offered by Verge today are stealth addresses and Tor.
Of these, only stealth addresses counter blockchain analysis — to some extent. This is a good feature, especially for some specific use cases (like donation addresses). But it is also a bit limited. Simply generating a new (regular) address for each payment (which is standard in many Bitcoin wallets and also possible on Verge) and not sharing this address with anyone but the payer (which shouldn’t be too difficult) offers similar privacy in most cases. Further, stealth addresses are also available for Bitcoin (via Samourai Wallet).
As such, Verge’s only real differentiator would have to be Tor integration. This is a well-established solutions to counter network analysis, and the fact that Verge offers it by default is good from a privacy standpoint — though Tor overhead can slow the network down quite a bit.
However, Verge isn’t really unique in this regard either. Bitcoin can also be used over Tor, as can other cryptocurrencies. Granted, this does sometimes require some technical expertise, which not everyone has. Verge offers a more user-friendly experience in this regard.
Bitcoin is also likely to adopt Dandelion, a recent proposal to counter network analysis. This solution doesn’t encrypt all network traffic like Tor does, but it uses a clever trick to obfuscate the source of transactions that goes a long way to achieve the same goal with much less overhead. That said, Dandelion is not implemented yet.
The much bigger problem for Verge is that network analysis is only one strategy to de-anonymize cryptocurrency users. And it’s almost certainly not the main one: blockchain analysis probably offers spies much more de-anonymizing data. As long as some addresses can be linked to real-world identities, address clustering tools can go a long way toward breaking all user privacy. In a world where a large chunk of all transactions are to and from KYC/AML compliant exchanges, protecting privacy on the peer-to-peer network alone probably doesn’t achieve much at all.
Thus, at least until RingCT is implemented, Verge can not reasonably be considered a privacycoin on par with Monero, Zcash or even Bitcoin — if it can be considered a privacycoin in the first place. It is definitely not “the most privacy focused cryptocurrency.”