@kayabaNerve
Created March 28, 2024 08:03
On Terminology, Isolationism, and Dero

Dero is a private cryptocurrency with a variety of user-focused features. With its advertising, it has attracted many people who value privacy. Unfortunately, many other communities of private cryptocurrencies have very unfavorable views of the Dero community, and vice versa. While these unfavorable views feed back into each other, this post attempts to review why these misunderstandings originally occurred, provide common ground, and put forth a new basis for going forward. This post will never convince those truly toxic to not be toxic, yet aims to appeal to anyone who values privacy and is willing to engage in good faith.

Please note these are my personal thoughts intended for a beginner. They aren't meant to be 100% accurate on every formal definition, I haven't spent hours polishing them into a proper article, and I don't care to spend such effort. I may or may not update this for clarity/flow as time goes on. Until then, please note this is a rather low quality piece of writing in my opinion, even if it does sufficiently convey my thoughts.

Terminology

Dero has defined a view of privacy technology which is distinct from that of most protocols, and from formal analyses of protocols. We start by defining a clear set of terms, in line with the more popular definitions, in order to ensure a common understanding. Without that, communication would be impossible.

Privacy

Privacy, on the human level, is the ability to choose who can see your data. If you choose for no one else to see your data, no one else may. If you choose for your spouse to see your data, they may. If you choose for the world to, they may. It is always your choice.

With Bitcoin, the choice is effectively non-existent. Everyone may see a transaction's origin, the amount it's for, and the outputs it creates. While Bitcoin is anonymous, in that transactions do not specify the human that made them, transactions still contain cryptographic identifiers such as public keys which can be used to determine the address of the sender (which arguably makes it pseudonymous, though address reuse is discouraged and once-used addresses aren't much of a name). This address can then be linked to people through various mechanisms, making it a very weak form of privacy at best.

How We Measure Privacy

The security of any system is generally measured in "bits of security", with 128 bits of security being the frequently agreed upon target. This means that to break the system, an attacker should have to perform 2^128 operations, or 340,282,366,920,938,463,463,374,607,431,768,211,456 operations. Even at the rate of all the hashes performed by the Bitcoin network in 2023, it'd take over ten billion years to perform that many hashes. It's a completely infeasible number for the current scale of humanity.

In practice, we choose 256-bit hash algorithms and 256-bit elliptic curves. A hash algorithm takes some message, "Hello World" for example, and produces a hash: an opaque output which should look completely different if even a single bit of the original message changes. To find a collision, two messages which share a hash, the birthday problem shows a solution can be found with only 128 bits of work. For a 256-bit elliptic curve, the basis of modern private and public keys, recovering the private key from the public key also only takes 128 bits of work.
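As an added illustration of the birthday bound (not part of the original gist), the search below finds a collision in SHA-256 truncated to 32 bits after roughly 2^16 hashes rather than the 2^32 a preimage would cost; the truncation width and the "msg-N" message sequence are constructed choices for the demo.

```python
import hashlib
from math import pi, sqrt

def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits, so the birthday bound is reachable on a laptop."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def expected_trials(bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2^bits) inputs, i.e. roughly 2^(bits/2) work."""
    return sqrt(pi / 2 * 2 ** bits)

def find_collision(bits: int):
    """Generic birthday search: hash distinct messages until two share a digest.
    Returns (msg_a, msg_b, trials). A preimage would cost ~2^bits instead, which is why a
    256-bit hash is credited with only 128 bits of collision resistance."""
    seen = {}
    for i in range(1, 2 ** bits + 2):     # pigeonhole: 2^bits + 1 inputs guarantee a collision
        msg = b"msg-%d" % i               # constructed, deterministic message sequence
        d = truncated_hash(msg, bits)
        if d in seen:
            return seen[d], msg, i
        seen[d] = msg
    raise RuntimeError("unreachable")

if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"collision after {n} hashes (expected ~{expected_trials(32):.0f}, preimage 2^32): {a} {b}")
```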

This does drastically change with quantum computers. With quantum computers, the recommendation is to move to a 512-bit hash (twice as large), as quantum computers have even more efficient algorithms available. Elliptic curves are recommended for complete deprecation because quantum computers can recover private keys from public keys (the same class of algorithm that factors RSA keys also solves the elliptic curve discrete logarithm problem).

Zero Knowledge

A protocol is called zero knowledge if someone who has zero knowledge has as much information as someone who watched the protocol happen. Zero knowledge protocols do not reveal anything about the data they're operated over. One could argue privacy is for humans and is enabled by zero knowledge protocols, which is for math and machines.

Encryption

Encryption is the ability to take a message and encrypt it, such that no one else can read it, yet it can be later decrypted. Encrypted messages are as private as the scheme is secure.

Note that encryption is not the only way to achieve privacy. The output of a hash function looks random, and for any secure hash it is irreversible. While it cannot be decrypted (no one is able to recover the message hashed into it), it does not reveal the message and is accordingly zero knowledge.

With encryption, anyone may choose to share the contents by sharing the encryption key. With a hash function, anyone may choose to share the message which was hashed by sharing the message itself. Anyone who has these can even verify the encryption actually used that key (if using authenticated encryption) or the message actually hashes to that value (by rerunning the hash function).

Sender Privacy

Sender privacy is the inability for anyone who looks at a transaction on a blockchain network to determine the origin of the transaction. This is most trivially offered by ring signatures. Ring signatures list a set of possible signers and keep which member actually produced the signature zero knowledge. This means no outside observer can ask the protocol itself who the signer was, yet they do have a list of candidates. Just as one can perform analysis on Bitcoin, one can perform analysis on these candidates, attempting to remove some, reduce the considered likelihood of others, and note the ones considered likely. This is done via statistical analysis, and while not perfect, it is still a notable concern.

I believe Dero refers to this as "anonymity".

Receiver Privacy

As sender privacy is the inability to determine the sender, receiver privacy is the inability to determine the receiver. This is most trivially offered by stealth addresses. When one sends to a stealth address, they actually create a new one-time address which cannot be linked back to the stealth address, to any other address, or to any other generated one-time address. This hides who the receiver is.

Amount Privacy

Amount privacy hides the amount being sent. "Confidential Transactions" is likely the most famous proposal for amount privacy. Confidential Transactions proposed using Pedersen commitments and range proofs to make the amount completely private.

I believe Dero calls "amount privacy" privacy, leaving all other forms of privacy to be defined... not as privacy?

Network Privacy

Network privacy refers to the inability for someone to view your network traffic, which can otherwise be used to figure out which transactions you sent. This is frequently accomplished by using networks such as Tor.

This isn't performed on-chain, yet it is a critical component of using private protocols privately, and is likely needed to maintain your privacy.

Dero's Privacy

So, how does Dero stack up regarding the privacy of its protocol? Please note I'll only evaluate the on-chain aspects (sender, receiver, amount) for cryptocurrency transfers. I'll also be comparing to Monero, a popular privacy cryptocurrency with which I am personally affiliated. The reasons for including these comparisons will be explained in a following section.

Dero uses rings for sender privacy, as can be observed on their blockchain explorer. The specific transaction linked to has a ring of 16 accounts. The sender is one of them. This actually makes it quite similar to Monero, which also uses rings for sender privacy. The main distinction is Monero uses the UTXO model, while Dero uses accounts due to opinions on preferred functionality/UX.

Dero again uses rings for receiver privacy. One of the accounts in that ring is the recipient of the coins transferred. In comparison, Monero uses stealth addresses. The recipient of the coins transferred could be literally any user of the Monero network. From a technical point of view, the usage of a ring for receiver privacy is a design decision made due to the usage of an account model (as stealth addresses effectively create a new account with every transaction). This does limit the privacy offered by it however (the receiver is one of the explicitly listed accounts, not possibly any account on the blockchain).

Dero uses ElGamal ciphertexts to represent balances, where ElGamal is a Partially Homomorphic Encryption system. This means if someone wishes to transfer 5 DERO, they can create an encryption of 5 and then add it to the existing encrypted balance without knowing nor decrypting it. ElGamal ciphertexts are perfectly binding yet not perfectly blinding. The side effect of this is that a quantum computer can decrypt ElGamal ciphertexts, yet not forge them (though other aspects of the protocol may still enable a quantum computer to cause hidden inflation). Monero uses Pedersen commitments, which are perfectly blinding yet not perfectly binding. As a commitment, it does not offer the ability to be decrypted. As a perfectly blinding commitment, even a quantum computer cannot break them.
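As an added toy model of the two designs (example code, not from the gist, Dero or Monero): exponential ElGamal with homomorphic balance updates beside Pedersen commitments, over a deliberately small constructed group where a brute-force discrete log stands in for the quantum adversary. The group parameters, the trapdoor, the seed and the amounts are all constructed for the demo.

```python
import random
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

# Constructed toy group: a safe prime p = 2q + 1, so the quadratic residues form a subgroup of prime
# order q, kept small enough that brute-forcing a discrete log (our stand-in for Shor) is feasible.
q = next(n for n in range(100_003, 10**6, 2) if is_prime(n) and is_prime(2 * n + 1))
p, g = 2 * q + 1, 4          # g = 2^2 is a quadratic residue, hence generates the order-q subgroup
TRAPDOOR = 31337             # log_g(h); a real setup derives h so that nobody knows this value
h = pow(g, TRAPDOOR, p)

def dlog(base, target):
    """Brute-force discrete log in the subgroup: the 'quantum adversary' of the text."""
    acc = 1
    for k in range(q):
        if acc == target:
            return k
        acc = acc * base % p
    raise ValueError("target not in subgroup")

# Exponential ElGamal: (g^r, g^m * pk^r). Multiplying ciphertexts adds plaintexts, so a sender
# can add an encryption of 5 to a balance they can neither read nor decrypt.
def eg_encrypt(pk, m, rng):
    r = rng.randrange(1, q)
    return pow(g, r, p), pow(g, m, p) * pow(pk, r, p) % p
def eg_add(c1, c2):
    return c1[0] * c2[0] % p, c1[1] * c2[1] % p
def eg_decrypt(x, c):
    # Strip pk^r = c0^x to get g^m, then solve for m (real systems bound m and use BSGS here).
    return dlog(g, c[1] * pow(c[0], -x, p) % p)
# Pedersen commitment g^m * h^r: additively homomorphic too, but a commitment, not a ciphertext.
def ped_commit(m, r):
    return pow(g, m, p) * pow(h, r, p) % p

def elgamal_demo():
    """Owner and DL-breaking adversary both read the updated balance: the ciphertext fixes one value."""
    rng = random.Random(7)
    x = rng.randrange(1, q)
    pk = pow(g, x, p)
    bal = eg_add(eg_encrypt(pk, 20, rng), eg_encrypt(pk, 5, rng))
    return eg_decrypt(x, bal), eg_decrypt(dlog(g, pk), bal)

def pedersen_demo():
    """Adversary learns the trapdoor, yet the commitment opens to 25 and to 999 alike (hiding, not binding)."""
    c = ped_commit(25, 1234)
    t = dlog(g, h)
    fake_r = (25 + 1234 * t - 999) * pow(t, -1, q) % q   # solve 999 + t*fake_r == 25 + t*1234 (mod q)
    return c == ped_commit(25, 1234), c == ped_commit(999, fake_r)
```

Both functions are what the quantum discussion above boils down to: the ElGamal balance decrypts to exactly one value once the key is recovered, while the Pedersen commitment never held a unique value to recover, so breaking the discrete log only breaks its binding.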

Why the divide formed

I believe the divide formed due to terminology. It's that simple.

You've just heard about this brand new amazing protocol. It offers anonymity, privacy, encryption! Other blockchain protocols aren't using encryption, but this is! That must mean it's private!

And you're super excited. You want to tell more people about this!

So you go and you tell people. And they say you're wrong. You're not wrong. You read that this uses encryption, and you know that encrypted data means private data. You also read that the people you're talking to don't use encryption, and they confirm they don't. Why are they telling you you're wrong, when they're confirming what you say?

This continues, before someone gets mad or someone gets muted. Why did they yell at me? Why did they silence me? Is it because the great technology I'm here to discuss is better than theirs? Is it because they're toxic?

When it's really just a distinction in language.

This leaves a bad taste. Some people try again, and the new attempts go similarly. Now people start talking about their experiences trying to share how great this new protocol is, and how it always goes poorly. That other community must just be really toxic and not worth the time. We shouldn't associate with them.

Isolation forms.

With isolation, the further development of one's own terminology continues. You're in your own space as the only people talking, so all new terms must be from yourselves. These terms may be independently used in a different manner by different communities, but you don't know. That community silenced you for 'spam', when you were speaking the truth, because they just must be toxic. Why should you care what they're up to?

And it continues...

And continues...

And continues.

What can be done now?

I don't want to be the dick who says "I'm not a member of the Dero community, yet you're wrong and you all need to adapt". That doesn't change that the Dero community is the one which has a variety of unique technological terminology and claims. Either members of the Dero community must learn the language most speak, or everyone else, from academia to every other private cryptocurrency to whoever else, must. The most feasible answer is for the smallest group to take the burden, and I do hope more people in Dero start using more common nomenclature. At the very least, I hope they understand the point I'm trying to make about the diversification of language causing issues.

I'd also hope more people make an effort to actually understand how privacy is evaluated, the impact of metadata and statistical analysis, and try to learn more about the exact implications of the systems they use.

Other Notes

I believe large portions of the Dero community don't understand encryption is not the only way to achieve privacy, and that non-encrypted data can be just as private as encrypted data. Theoretically, encrypted data will always have a lower upper-bound on how zero knowledge it is when compared to non-encrypted data, as one has decryption and one does not. That's why I tried to include a comparison with Monero, to comment on how even though Monero doesn't use encryption for our sender/receiver/amount privacy, Monero is as private as Dero for its transfers (more, due to the complete receiver privacy and forward amount privacy against post-quantum adversaries if said adversary doesn't know your address). The only technical argument against that claim is about the choice of ring size (as I believe Dero offers much larger rings than Monero if the user chooses, yet that is its own concern due to the metadata it leaks).

There's also commentary on "Private Smart Contracts" and "Fully Homomorphic Encryption". The former I do not care to comment on in this piece, the latter I will simply say Dero doesn't have. Dero does have FHE-grade privacy because FHE does not increase how private data is (compared to other encryption systems). It increases the functionality of the encrypted data. Dero's usage of ElGamal solely enables additive operations, which is all that's needed for their protocol. I have no judgement on them for using a Partially Homomorphic Encryption system, as it's much more performant and sane, yet to claim they use FHE is to claim they've made years of performance breakthroughs on the feasibility of FHE which they have not.

I haven't commented on why this terminology was first introduced, nor why it's been so aggressively continued, nor how the almost explicitly false claims started/who has propagated them. I don't care to at this time, though I do have thoughts on the matter. At this time, I don't allege any involvement by anyone, and I'll note communities can make false claims in a long game of telephone with no provoking by actual developers of the project. In that case however, I'd say it's the responsibility of the developers to correct them.

As stated earlier, I am affiliated with Monero. I don't personally care for Dero, and that's okay, just as anyone who is a fan of Dero is welcome to be a fan. I do believe it is working on various features/functions which at least make it distinct, and I'm not against distinct protocols trying to improve the space. I've limited what I've commented on in this piece, not only so it is a very surface-level opening of future conversations, but also to ensure my accuracy in what I comment on (not speaking past my knowledge).

I do have one notable prior spat with Dero, where I tried to clarify things and was kicked and/or banned from their community. This adds further commentary on Dero's isolationism, unfortunately this time from Dero's own moderators/administrators. Due to how ridiculous it was, I made a joke post on Twitter which descended into an argument years ago. Since then, I've tried to be much more factual and open. I wrote this post to try and voice my frustrations, yet also to try and set a basis for future discussions. At worst, it's a sign I can tap whenever Dero is brought up to me.
