Anonymous Shadow Eclipses Other Privacy Projects with Zero Knowledge

18 minute read

Posted by: DeepDotWeb

October 24, 2014

In order to properly share an especially innovative development in terms of financial privacy and overall online privacy, let’s go real old school.

Like 1930s-radio and comic-old school, specifically a character called The Shadow, a mysterious crime fighter who some superhero experts credit as the unofficial inspiration for Batman.

The do-gooder himself would have been mostly forgotten, if not for his menacing tagline, “Who knows what evil lurks in the heart of man? Only The Shadow knows” which refers not only to his ability to fight crime with fists and wits, but also to his psychic ability to know where and when evil deeds are going down – and get there first. So sort of like “Minority Report” meets “The Dark Knight” but without so many flying cars, touch screens, or other cool toys.


The underlying cryptocurrency, ShadowCash (SDC), is proof-of-stake based and can be quickly and easily be traded among other Shadow users or spent with participating merchants as a private transaction. Users also earn an annual 2% income on their SDC holdings.

So unlike the old radio hero, this particular Shadow doesn’t know and really doesn’t want to know anything at all about what is lurking in the hearts of men or women – and neither should anyone else, be it hackers, law enforcement, governments or other users.

Shadow explained

Inspired by the Cypherpunks’ call for an anonymous currency [0], Shadow works by bringing together several current online technologies and services and in the process improves their overall security with advancements in zero knowledge cryptographic primitives.

Team members have referred to Shadow as the “anti-Google” [1] and hope that the project will become the solution for anyone seeking online anonymity, including private communication, shopping, browsing and publishing. Shadow’s team sees potential for its services to be useful to the wider online community, by making Darknet privacy user friendly and easily accessible. The recent release of ShadowCore is a foundational step towards that end goal.

Potential users could include journalists looking for a neutral place to gather and discuss information outside of public networks, possible whistleblowers looking for an unmonitored area to collect and store sensitive materials, people who want to buy and sell goods or services without worrying about local restrictions or transaction fees, or simply anyone who – on general principles – isn’t interested in having their records monitored or captured by anyone.

Shadow’s financial unit, ShadowCash, also goes above and beyond other digital currencies to make the process invisible to outside eyes, but still nearly seamless for users, who can conduct their business anywhere in the world, on desktops or mobile devices.

Bitcoin Refresher

Before we go deeper into why Shadow works well, let’s talk about why it is badly needed in today’s world where many think Bitcoin is the standard in digital currency.

Bitcoins are essentially blocks of specific data that are ‘mined’ between financial transactions with a special piece of hardware. They are kept in digital wallets and traded in peer-to-peer transactions. The system is finding favor in more communities and industries, but has faced difficulty achieving truly widespread adoption.

When Bitcoin was first launched in 2009, a successful and profitable mining session could be done in less than an hour. Today, the landscape is much different. It is no longer possible for mining to be done by casual users on their home system, as specialized chips (ASIC – Application-Specific Integrated Circuits) have been designed to perform Bitcoin mining far more efficiently than standard CPUs or graphics cards. Mining competition is so fierce that miners join mining pools to collectively pool their resources, which has led to increased centralization and potentially dangerous amounts of mining power being in the hands of the largest pools. [2]

Bitcoins are traded on exchanges similar to stock exchanges and their value can be volatile. Though they were only worth a few dollars apiece in much of their early days, their value has been across the boards in the last few years, soaring past $1,000 towards the end of 2013. At the time of writing (October 2014) they are valued at just under $400.

They can also be shared with other users or spent with online merchants as well as traditional brick-and-mortar merchants, everyone from Virgin Airlines to Tesla Automotive.

But Bitcoin isn’t perfect – it’s not hard to follow a money trail to discover the owner of a digital wallet, especially if someone uses their coins in place of cash at more public venues.

Bitcoin has also attracted negative scrutiny by most banks, which aren’t necessarily fans of the low-fee person-to-person transactions, and law enforcement, which hasn’t taken kindly to people using them to fund illegal activities.

During a recent hearing with the Canadian Senate, Andreas Antonopoulos stated that although Bitcoin wallets are pseudo-anonymous (nameless), the lack of privacy actually makes Bitcoin easier to trace than traditional fiat money systems. All transactional data is stored in a publicly visible ledger making an investigator’s job even easier. [3]

Over time, the Bitcoin developers may improve their privacy measures, but in the meantime, users craving real privacy alternatives should look to the altcoin space.

Bitcoin over Tor isn’t a good idea

A recent study by Alex Biryukov and Ivan Pustogarov, titled “Bitcoin over Tor isn’t a good idea”, showed that the lack of privacy in Bitcoin has prompted some users to turn to Tor to anonymize their presence on the network without realizing that in doing so, they are putting themselves at risk for a man-in-the-middle attack.

Excerpt from their Whitepaper:

While Bitcoin provides some level of anonymity (or rather pseudonymity) by encouraging the users to have any number of random-looking Bitcoin addresses, recent research shows that this level of anonymity is rather low. This encourages users to connect to the Bitcoin network through anonymizers like Tor and motivates development of default Tor functionality for popular mobile SPV clients. In this paper we show that combining Tor and Bitcoin creates an attack vector for the deterministic and stealthy man-in-the-middle attacks. A low-resource attacker can gain full control of information flows between all users who chose to use Bitcoin over Tor. In particular the attacker can link together user’s transactions regardless of pseudonyms used, control which Bitcoin blocks and transactions are relayed to the user and can delay or discard user’s transactions and blocks. In collusion with a powerful miner double-spending attacks become possible and a totally virtual Bitcoin reality can be created for such set of users.

The findings of this study could start a paradigm shift with people moving away from using Tor to anonymize their wallets on the Bitcoin network. Tor was designed to circumvent government censorship on clearnet sites, but in the future we could see a shift towards more advanced garlic routing protocols like I2P that were designed specifically for anonymity, privacy and hidden services.

Shadow is working towards a default I2P implementation that would turn each ShadowCore client into an I2P router; strengthening the overall anonymity of the I2P network for every ShadowCore client that’s online.

Coinjoin flaws

Some cryptocurrency developers in their quest for plausible deniability, have came up with a different way to create anonymity by letting people turn in different types of digital coins and exchange them for another ‘safer’ denomination.

The concept has its merits, in a similar theoretical way that money laundering makes financial sense: the funds come in from undisclosed sources, are converted by a third party into something less detectable and returned with enthusiasm. However, this system is fundamentally flawed when applied to cryptocurrencies because unlike cash there are no “dirty” or “clean” coins there are only inputs and outputs. offers a service called SharedCoin, which implements a version of the CoinJoin protocol. It constructs one transaction from several smaller ones in the hope of making analysis more difficult.

Security expert Kristov Atlas was able to identify relationships between participants in CoinJoin transactions using his CoinJoin Sudoku tool. [4] His work prompted to release a statement conceding, “for people who want to truly hide transactions, SharedCoin and other implementations of CoinJoin are not for you – they are neither sufficient nor convenient. SharedCoin provides a basic level of enhanced privacy for transactions, but doesn’t guarantee anonymity nor was it intended to.”

Major points of the study demonstrated that statistical analysis of transactions can:

  • Identify which of the transactions on the ledger are likely to have been facilitated by CoinJoin/SharedCoin services
  • Calculate correlation factors for each of the inputs and outputs
  • Identify highest-correlation pairs that reveal specific sources and destinations of payments [5]

The idea behind CoinJoin, where certain coins – Darkcoin, Bitcoin and other varieties — can be turned by a third party into an untainted “SharedCoin”, then used to purchase items from deep web marketplaces, where there’s no interest in where the funds originated or what they started as. One example given is if a restaurant owner paid employees in ‘safer’ SharedCoins, he or she would risk the middleman knowing details about every employee’s financial information as well. [5]

Grams’ Helix

Some of the more widely used mixers are based on similar mixing technology. Grams’ developers have taken the concept a step further with their “Helix” system. They’ve created a pool of coins that exist on a separate server; these coins are exchanged with coins used in dark commerce. Once exchanged, the coins are mixed, then distributed to parties minus a processing fee. Operators also claim that Bitcoin daemons are switched out regularly. While this scheme protects a portion of the coins in the event the main server is attacked, the system still relies on trust in the operators and in the underlying technology.

Trust issues aside, we found four drawbacks to this service:

  1. Time: Typical transactions take 3-4 hours to complete.
  2. Fees: The operators charge a 3% fee for using the service.
  3. Limits: Minimum withdrawal is .02 BTC and Maximum withdrawal is 1 BTC per mix.
  4. Logging: Logs are kept for 7 days unless manually deleted by the user. [6]

In crypto, anything to do with trust is usually a deal breaker. Bitcoin was founded upon the core principle of trustless exchange; moving backwards towards trust-based systems is a devolutionary step. Shadow offers superior privacy guarantees without trust in operators, centralized technology or the drawbacks associated with it.


As stated, one of the major drawbacks of this service is that the middleman function is controlled by dedicated servers or employees of an official exchange. In fact, this week reports have emerged of one the darknet’s largest mixing services, BitBlender, being hacked and its users’ coins stolen. It is too early to know this was a true attack on the service or if the operators decided to hit the “scam” button and exit the market.(http://silkroad5v7dywlc.onion/index.php?topic=32926.msg1004817#msg1004817) Nothing better illustrates the deficiencies of present solutions and their inherent dangers.

Shadow’s new zero-knowledge system means that you no longer need to entrust your coins to third parties in order to make untraceable transactions. In fact, the coins don’t even need to leave your wallet before being spent.

Advanced Coinjoin

There are more advanced Coinjoin implementations that use individual nodes, which are harder to track or hack. This is a plus in that the process attempts to avoid any sort of central recordkeeping authority and accompanying vulnerabilities. However, that same asset is its downside – you’re never quite sure who is handling your transactions and what the node operators could potentially do with your personal and financial information. Furthermore, while this type of system is more advanced, it still requires trust in centralized nodes, or larger master nodes, to handle the transaction. And the problem with trusting third-parties should be obvious to readers by now.


Another concept claimed to solve aspects of the privacy problem is that of Stealth Addresses, which allows users to create secure addresses, so outsiders can’t link the transaction to buyer or seller. The concept was first implemented by a project called Bytecoin, then modified by Peter Todd in the SX tool. [8]

DarkWallet, currently in the alpha stage of testing, has taken this concept and combined it with the Coinjoin mixing protocol and multi-signature capability.

As noted earlier, Coinjoin mixing only provides a basic level of privacy over the standard Bitcoin transaction. The combination of the three technologies does provide a greater level of privacy over standard mixes, however, one drawback is that it requires the redeemer to also be using DarkWallet or the sx tool. This is the result of the Bitcoin development team waiting for privacy technology to mature before deciding whether or not to adopt it at the protocol level. [9]

Shadow liked the DarkWallet concept, but wanted to make it better. Instead of building their wallet into a browser framework, they built a browser framework into their wallet. This is the first time that this type of framework has been layered client-side in a cryptocurrency. It gives the team more flexibility to build custom solutions like a digital distribution platform, something the team is already working on.


Their open source stealth address implementation has been adopted by several other projects including Boomcoin, Stealthcoin, Gnosis, XCash and many more.

Presenting Zero Knowledge

Shadow also uses a novel concept for verification called Zero-Knowledge.

Typically, when a user visits a site, there’s an instantaneous security check, depending on the type of site and what information it’s designed to safeguard. Then, the user’s browser looks for a valid security certificate and then conducts a digital ‘handshake,’ sometimes with a string of numbers, for both ends to verify the data. Mainstream encryption methods such as SSL can create a longer process on both ends of the transaction. [10]

However, with Zero-Knowledge, instead of a script that checks the properties and history of a particular coin and verifies that it is indeed unique and unspent, a script could simply verify that the security process was properly followed to create the coin, so therefore the coin is legitimate.

The designation of the transcription method will remain with that particular coin through its entire history, whether or not it is exchanged to another user. This process will also speed up the transaction process and offers privacy guarantees to buyers and sellers. [11]


In the film The Matrix, Morpheus gives Neo two options after revealing the truth about the Matrix to him. Neo could either A, take the red pill and see how deep the rabbit hole went or B, take the blue pill and go back to believing whatever he wanted.

Shadow has aptly designed the roadmap for their new anonymity protocol in the form of a blue pill, which is a reflection of it’s zero knowledge technology.

The ShadowSend protocol combines:

  • Native I2P Support
    • IP Obfuscation
      • Garlic routing anonymizes IP addresses on the network
    • Dual-key stealth addresses
      • Unlinkability
        • Severs links between the sender and receiver
      • Ring signatures
        • Signature obfuscation
          • Signatures are grouped with other signatures to hide the real sender
        • NIZK (Non-Interactive Zero Knowledge) proofs
          • Untraceability
            • Separates the transaction inputs and outputs

All these features create a scenario of blissful financial ignorance of everyone’s transactions. A detailed diagram is available here (full image here):


We’ve included a good deal of background material to let people know what privacy attempts have sounded good initially, but haven’t worked as promised, and what Shadow can do better.

Still we haven’t looked at the bigger picture of Shadow shadow project

Despite having a secure or anonymous financial transaction; any leak in the details can compromise the entire deal. For example: a buyer might send funds to a seller and while the actual transaction might be hard to trace the details of the deal might be exposed in a compromised communication system such as e-mail, sms or even a phone call.

Shadow’s developers realized that the system is only as good as its weakest link; without proper and secure communication conducting business successfully can be a liability. They’ve engineered a highly secure peer-to-peer encrypted messaging system that facilitates anonymous communication without relying on any centralized servers.

Except from the ShadowChat Whitepaper:

Shadow has implemented a P2P Encrypted Instant Messaging system utilising state-of-the-art technology to keep your communications private. All messages are encrypted by the proven AES-256-CBC algorithm, and distributed between nodes in such a way as to prevent the recipients of messages from being inferred by assailants utilising sophisticated traffic analysis, even if the assailants can view the entire network and/or run nodes of the network. To eliminate the risk and hassle of sharing passwords, we utilise the proven and trusted method of Elliptic Curve Diffie-Hellman (ECDH) key exchange. The Elliptic Curve Digital Signature Algorithm (ECDSA) is used to give you confidence that the messages you receive come from where they claim to. Messages are distributed over the pre-existing Shadow P2P network and a copy of each encrypted message is stored on each node for a period of 48 hours. [13]

Recently, a darknet market vendor revealed that over a two month period only around half of their customers used PGP encryption, with around a quarter of customers using what would be considered unsafe encryption (third-party services such as Privnote), and the remaining quarter using no encryption whatsoever. [14] [15] Obviously only so much can be gleaned from this, given the sample size and time-frame, but it appears that a significant number of darknet market users are taking needless risks when communicating with vendors. Whether this is due to the difficulty of using the system, or recklessness/indifference on their parts, is a matter for debate, but PGP’s usability has been the subject of fierce criticism for some time. In a famous 1999 paper called “Why Johnny Can’t Encrypt”, [16] computer scientists Alma Whitten and J.D. Tygar stated that PGP “is not usable enough to provide effective security for most computer users.” Little has changed in the interim: earlier this year expert in applied cryptography Matthew Green proclaimed: “It’s time for PGP to die.” [17]

ShadowChat, Shadow’s encrypted messaging system, provides a viable alternative by simplifying the process dramatically, while being every bit as secure. The sending or receiving of funds and encrypted messages can all be done from within the ShadowCore client, and the encryption/decryption of messages is performed automatically. All you need to get a conversation going is to share an SDC address and its corresponding public key.

One interesting use case for ShadowChat is customer retention through direct marketing. Traditionally this space has been reserved for e-mail lists. Shadow offers a secure alternative for businesses and merchants to inform their customers about deals or specials they are running on a particular market without exposing either party to spam.

Shadow developers have stated they will be updating ShadowChat in the near future to support voice, video and file sharing capabilities. At that point we could see a real anonymous replacement for Skype, WhatsApp and more traditional communication protocols such as e-mail, SMS and cellular calls. All you’ll need is a data plan from your mobile provider to conduct private commerce and communication.


Though project members will likely cringe at the comparison, Shadow essentially can be compared to a Facebook of sorts for the more privacy-minded — not necessarily in terms of the current ad-heavy, publicly-traded behemoth that Facebook has become, but more how FB initially began by integrating so many separate existing web features and services into its architecture – chat, mail, photo storage, newsfeeds, third-party apps, profiles and more.

The Shadow team plans to continue their efforts to allow users to create a comprehensive anonymous presence and appeal to clearnet and darknet users alike.

Future of Shadow

Its future in a competitive market also depends on how well it delivers – Shadow’s work so far is a good indicator by which to judge the team’s capability. All of their prior releases have been pioneering milestones for the industry:

  1. ShadowSend: The first C++ dual-key stealth address implementation
  2. ShadowLite: The first Proof-of-Stake Simplified Payment Verification (SPV)
  3. ShadowGo: The first fully-featured iOS and Android wallets to support staking
  4. ShadowCore: The first HTML cryptobrowser

A detailed roadmap is available here:

Shadow has already announced plans to support ShadowCore with a Shadow Development Kit, which will give developers some useful tools to create future applications – even games — that make use of Shadow’s anonymizing technology and potentially could lead to more innovations from the greater development community. This opens up a new channel for entrepreneurs looking to earn SDC through in-app purchases.

We spent some time in Shadow’s IRC channel and the team hinted that they are building an asset exchange that will utilize their zero knowledge privacy technology. This is important for a couple of reasons- we could see a green asset listed on the exchange to represent the marijuana industry. There are plenty of coins in the marijuana altcoin vertical, but none offer any form of privacy greater than Bitcoin. While some states in the USA have legalized marijuana, it is still illegal on the Federal level which makes privacy even more important. There have been numerous cases where the Federal government has raided lawfully run medical marijuana dispensaries seizing their assets, bank accounts, customer ledgers and income. [18] ShadowCash offers the Cannabis industry an alternative private banking and currency solution that protects the businesses’ income from seizure and customer data leakage.

This is also an interesting development concept for Darkmarkets because despite being high traffic and high volume enterprises, they have no way of listing securities or initial public offerings for potential investors. Overstock recently reached out to the counterparty team to build an asset exchange. If this is something that interests any market operators or their customers, I would suggest reaching out to the development team to find out more information on how you can support the project’s development. A positive step would be adding Shadow as a form of payment across all private commerce markets.

Shadow Team can be reached via ShadowChat:

  • Address: SdmUNgks4yF3Lsg4yHp6TeP5eMUhwD4maf
  • Public Key: qkksFarNPufFsoE2GRCDYPaWiVMg8CpjZVsfvHDKMx5B

For more info visit

For the latest updates:

Shadow is available on these exchanges:

Use Shadow wherever Bitcoin is accepted:


Updated: 2014-10-24