Ethereum Privacy: The Road to Self-Sovereignty

Ethereum must provide privacy unconditionally, without forcing users to prove their innocence.

This roadmap outlines the necessary steps to transform Ethereum into a maximally private and self-sovereign financial system. Privacy must not be an optional feature that users must consciously enable — it must be the default state of the network. Ethereum’s architecture must be designed to ensure that users are private by default, not by exception.

Today, Ethereum operates in a partial, opt-in privacy model, where users must take deliberate steps to conceal their financial activities — often at the cost of usability, accessibility, and even effectiveness. This paradigm must shift. Privacy-preserving technologies should be deeply integrated at the protocol level, allowing transactions, smart contracts, and network interactions to be inherently confidential. A system that treats privacy as suspicious by default is fundamentally flawed. Ethereum must empower users with unconditional privacy — making self-sovereignty a guarantee, not a privilege.


Building a truly privacy-first Ethereum needs all our insights! Please share your feedback, ideas, and any concerns here so we can actively co-create this path forward together.

26 Likes

Ethereum must provide privacy unconditionally , without forcing users to prove their innocence.

This roadmap outlines the necessary steps to transform Ethereum into a maximally private and self-sovereign financial system. Privacy must not be an optional feature that users must consciously enable — it must be the default state of the network.

Presumably the proof-of-innocence refers to the first demo implementation of the Privacy Pools paper Vitalik and I wrote, so I’ll chime in here.

I think privacy by default at the L1 is a bad idea—unless we also build tools that allow (not force) users to dissociate from other users. If we don’t, then we are actually the ones forcing users to provide privacy to other users (including DeFi hackers, terrorists, and in the case of North Korea: both) just to access privacy themselves.

Being able to disscociate from other users actually increases my sovereignty, it does not decrease it. Sovereignty is about choice.

I have had this argument about 100 times since the Privacy Pools paper came out, many times with people who are triggered by the proof-of-innocence meme, and you can see these arguments on Twitter by searching the keyword “dissociation” on my account (ameensol): https://x.com/search?lang=en&q=dissociation%20(from%3Aameensol).

It’s also a fallacy to compare anonymous money to encryption (and personally, I wish this wasn’t true but it is). In the case of encryption, I don’t need participation from anyone else to get the benefits of being able to keep secrets. But in the case of anonymous money, if I am the only one using the anon money system, it’s pretty obvious who I am. So value I get from the anon money system is actually socially derived from the participation of other users, and thus the quality of my anonymity set matters, not just the quantity. If I am in the anon set that also includes North Korean hackers, I will have a much harder time getting my funds from the anon money system accepted anywhere else (and rightfully so).


source: https://x.com/delete_shitcoin/status/1521461832266956803

Being able to prove the funds are legit is an important part of helping combat the ability of criminals to launder money through our anon money systems. Tornado Cash & ZCash have view keys, where users can selectively reveal their transactions to an authority if desired. Before they both joined Vitalik and I on the Privacy Pools paper, Fabian Schar and Matthias Nadler wrote the best paper on Tornado Cash that I have seen, in which they 1) argue for the importance of privacy and 2) provide a potential regulatory framework for it: anonymous money system should be legal, but users should still be required to reveal their transaction history to a financial authority in order to legally access them.

I know it’s difficult, but if you can bring yourself to empathize with a regulator, the problem you face is: how do I tell the good money apart from the bad money? One solution is the above: require all anon money system users to reveal their tx history to a financial authority, and in the backend, create a data-sharing system by which we know the sum of all users that have complied with this requirement, and thus by process of elimination, we know that the rest of the money is (probably) the bad money. However, this still creates a government-owned honeypot of all the tx history which itself can be leaked or abused, and is thus not an ideal solution.

The reason Vitalik, Matthias, Fabian and I got together and wrote the Privacy Pools paper is because Vitalik thought of a potentially better way: what if we can prove in public which deposits we are not, allowing users to publicly dissociate from known bad money, and thus create a more useful separating criteria for regulators, and critically, potentially avoiding the need for a centralized honeypot of all the tx history in the first place. If I was a regulator, I would be OK with this solution. Financial institutions, if desired, could still demand the specific tx history from their users, but at least the funds are known to not be from known illicit sources, based on their public dissociation proofs.

In conclusion, I encourage any technological development we do on enhancing base layer privacy to proceed in lockstep with tools that allow public dissociation proofs, which would serve to enhance user sovereignty by allowing users to choose for themselves who they are willing to associate with.

18 Likes

Thank you for this thoughtful roadmap. It is encouraging to see privacy being discussed more openly within the Ethereum community. In my view, privacy is not only a foundational value but also a key limiting factor in Ethereum’s broader adoption.

I completely agree with @ameensol on the importance of selective disclosure and strong support for on-chain privacy. These ideas enable more flexible forms of interaction, which are essential as Ethereum matures into a general-purpose coordination layer.

However, the term privacy often serves as a catch-all. It is frequently used interchangeably to describe very different concerns: anonymity, tool usage privacy, interaction privacy, and more. Without sharper distinctions, important nuances get lost in conversation.

Right now, Ethereum’s full transparency creates a significant obstacle for everyday users. Most people do not want everyone they know to have complete visibility into their financial activity and on-chain behavior. This issue becomes more pressing as Ethereum evolves into a platform for more than just financial transactions.

Much of the current focus is on asset transfers. But Ethereum is becoming more expressive, and privacy in nonfinancial contexts like DAO governance, coordination, and social identity will become just as essential. In these cases, it is not realistic to expect every application to build and maintain complex privacy infrastructure. There is a strong case for shared infrastructure that can support these needs.

While the roadmap rightly emphasizes changes to the core protocol, it is also worth considering paths forward that do not depend on protocol-level consensus. For example, probabilistic privacy systems can offer meaningful guarantees with more flexibility and less infrastructure dependency than deterministic systems. Some ongoing efforts, including the one I am contributing to (Mirage), explore this design space. These systems enable anonymous interactions without requiring strict unlinkability, and they are not limited to token transfers. This opens the door to more private DeFi usage, salary disbursement, and other common activities.

In addition, network-level anonymity and traffic obfuscation can be developed today. These are precisely the kinds of approaches that can provide immediate relief while remaining compatible with Ethereum. Mirage focuses on this layer, exploring how probabilistic techniques and network-level strategies can improve privacy without requiring changes to the base protocol. These approaches may not solve everything, but they can address urgent privacy needs while the community works on deeper protocol changes.

In summary, I fully support the direction of this roadmap. Core upgrades are essential. But privacy is a present concern, not just a future goal. We should explore and support adjacent systems that improve the privacy of Ethereum users today without waiting for long protocol processes or consensus decisions.

The ongoing community calls and public discussions are important, and I support them. At the same time, I worry that a roadmap like this risks being sidelined as attention shifts to more immediate or politically easier priorities, something that has happened to privacy proposals time and again. We should not let that happen anymore.

1 Like

like cash, privacy by default is lindy. I would welcome this as part of Ethereum’s credible neutrality pitch for fair settlement of agreements. I can appreciate ameen’s point that disassociation is a powerful tool - but it acknowledges a role of external governance that feels increasingly irrelevant to the challenges of the world and what people, including governments (who increasingly are users) expect of Ethereum. We might see that optionality extended to L2s or other agreements built on top, or other chains, really.

6 Likes

I wrote up my own roadmap:

https://ethereum-magicians.org/t/a-maximally-simple-l1-privacy-roadmap/23459

It’s not meant as a competitor to this; I think there’s value in doing both at the same time.

9 Likes

Hey Vitalik

This is probably going to be too complex for most users. Metamask is already terribly complex.
The more complex it is the more attacks will happen.

You can make it simpler by marking contract calls as accepting transactions from shielded accounts only. Then Metamask can automatically enforce this. Most users do not need—and do not care about—shielded transactions, and most smart contracts do not need them either. There are smart contracts like Uniswap that do need them; they can simply mark their contracts as requiring shielded transactions.

If I have a wallet, I should be able to have Metamask generate a private key for me and use it as a temporary “from” address, while using an existing wallet to provide gas. In fact, if Ethereum were designed from scratch, this should be done for every transaction.

Big changes are hard to sell to users. This is especially true since many of them frankly do not care so much about making their transaction private. It’s probably better to discuss how to achieve things through small changes.

We have it already running on our network. Happy to collaborate with any wallets

I don’t frankly think this is a particularly relevant problem at the moment. The computational bottleneck nowadays is state — everything else is fast. You can do many thousands of signature verifications for any signature type. For instance, with ECDSA, you can perform about 100,000 verifications per single thread.

The same is true for ZK verification, since it’s just a few pairings.

The problem about doing lots of things solving a small problem is that it makes the protocol harder to implement by someone else. In our project for instance, it puts lots of strain on engineering resources since we need to keep up with EVM. Most ETH compatible project today de facto use older versions of Solidity compilers exacftly because it is hard to keep up with all the changes. I think most of the community will say that ETH foundation needs to do more deep analysis on how frequent changes affect the ecosystem.

2 Likes

I contribute some user-centric inputs for consideration, to ensure that users aren’t too far behind as we progress on the roadmap.

1. Reference mental models

Understanding the who/what/when/where/how of privacy in crypto is Very Complicated.

Is it your real-world identity that is private, your string of transactions, or your IP address? Private from whom – your wallet, the RPC, random snoops? Is it private only now, or even after quantum computing? How do I choose between inclusion lists (Privacy Pools) or exclusion lists (Railgun)?

We need reference mental models that help users avoid drowning in complexity. (Recall Tim Berners-Lee’s original vision in the 1990s, that of course everyone would run a personal web server – nope, too hard.)

It’s not just for users’ sanity – clear and widely adopted mental models also help builders avoid using conventional but crypto-fatal mental models like adding telemetry to wallets… that include wallet seed phrases (Slope wallet).

Cryptozombies, Privacy Edition?

2. False sense of privacy

In cybersecurity there is a phenomenon called “false sense of security.” ChatGPT describes it:

“A false sense of security often arises when people adopt several cybersecurity tools—firewalls, antivirus software, VPNs—and assume they’re fully protected. The more tools they use, the safer they feel, even if those tools are misconfigured, outdated, or overlapping ineffectively. This illusion of safety is dangerous because it discourages deeper vigilance. True security requires more than stacking tools; it demands proper setup, regular testing, and a critical mindset.”

The same will happen when we are trying out privacy at so many different levels. Like the legions of early bitcoin users who mistook pseudonymity for anonymity, many are going to assume they have privacy when they don’t – at least not in the ways that they assumed.

How do we combat this? I imagine this is a task for someone at the 99th percentile of intelligence and memory – i.e. we need an AI-driven solution.

Perhaps it’s an AI agent that asks us what our priorities, fears, and constraints are, and then makes a recommendation on which identity to use with which application, based on the application’s privacy boundaries. Before we sign a transaction, we quiz it for a recommendation on where and how to transact. It monitors new privacy tools as they come live, evaluates them against our personalized criteria, and proposes updates to our design.

It helps us possess a justified sense of privacy.

3. Privacy is normal, but is it worth it?

Most people want privacy, but are not willing to pay the UX cost. Will the UX overhead in this roadmap be worth it for users?

Recall the transition from physical buttons to touchscreen glass in the evolution of smartphones:
In the mid-2000s, users were hesitant to switch from physical buttons to full glass touchscreens, associating them with laggy, stylus-dependent experiences. This changed with the 2007 iPhone, which introduced a smooth, finger-friendly capacitive touchscreen, multi-touch gestures, and a sleek design. As app ecosystems grew and large screens enhanced media consumption and navigation, touchscreens became essential. Social trends and minimalist design made button phones feel outdated. Gradually, users embraced the versatility of touchscreens.

I’ll never forget the pain of losing the ability to type surreptitiously under the table with my Blackberry’s physical keyboard, but the switch eventually became worth it because of the bajillions of apps on the App Store, and because everyone cool was getting an iPhone.

What will make it worth it for people who don’t bother with privacy today, to bother tomorrow? Before we start another round of infra fatigue, what’s our killer app?

4. Privacy Parties

Let’s throw privacy day parties: people spend a whole day transferring their assets over to private addresses, contracts, wallets, etc. Like with trusted set up ceremonies, we can harness community and memes to accelerate adoption – while boosting anonymity sets =D

Finally, on that note of pushing adoption – let’s highlight that privacy IS security. Privacy alone is too niche, too fraught with simplistic “what about the [insert vulnerable group]” arguments. Security is universally aspirational.

4 Likes

I totally agree that privacy - especially confidentiality - is one of the key ingredients that Ethereum is missing these days. If introduced naively, it will have bad effects on UX (additional complexity) and scalability (loss of performance due to encryption and rising gas cost). We can’t afford this. It needs proper balancing, but it is urgent.

Confidentiality is not only important from a cypherpunk perspective, but a basic requirement for any serious business that wants to use Ethereum as global settlement layer.

What I am missing from the proposed roadmap is a proper market analysis:
There is a lot of movement in the market on layer 2s (besides Aztec, e.g. Parfin’s approach with Rayls), Kaleido’s Paladin and its client side ideas, Zama’s FHE approach, mempool encryption as proposed by Shutter Network, and - maybe more important: a lot of movement on Solana, see their recent announcements (“Confidential Balances Token Extensions”) or Arcium’s orthogonal approach to bring in privacy through a separate network. Very promising from my perspective.

Ethereum doesn’t have to reinvent the wheel - and shouldn’t. Analysis and potential collaboration with some of these projects, or adoption of their approach should be prio number 1. Some of them bring real-world experience - very much driven from the markets, the users, and sometimes important regulatory aspects.

Look beyond your bubble.

2 Likes

Hey guys, thanks for bringing up this can of worms about privacy. What do you think about going forward with eip-7503?

I mention it in the first phase here:

As I say there, I think we first need to think about a more generalised (i.e. future-proof) transaction format. In practice, we could move forward independently, but I think it is worth (and definitely important enough) “patching” the transaction format first (i.e. make it privacy friendly; gas/mana parameters are still leaked for example).

1 Like

Not trying to be snarky here! How does Ethereum plan to execute on making most of the transaction inclusion pipeline private when that pipeline is currently captured by entities which all have $$$ incentives to not have this pipeline be privacy-friendly?

How are you going to pressure, for example, Farcaster to make all of their mini app traffic encrypted and therefore essentially non-monetizable? Haven’t they raised at a valuation of 1B USD on this idea? No EF-funded or highly-Ethereum-aligned effort is going to build a better app than Farcaster either, right? So how can this be won for most users?

This is such an important conversation. Totally agree privacy shouldn’t be something users have to “earn” or “enable” manually.

While transforming Ethereum at core level into maximally private would be awesome as it will enable privacy by default, right now one project which came to my mind regarding privacy on EVM would be Oasis Protocol which is already pushing for privacy at the protocol level, with confidential smart contracts and data privacy baked in.

Would love to see more of that mindset brought into Ethereum too, as it will enable data protection at greater level.

2 Likes

We are launching BITE, a privacy-oriented blockchain that extends EVM and Solidity with support for encrypted transactions and data.

The test net is roughly scheduled for this summer

We’re looking for DApps interested in collaborating with us to test and explore the protocol.

More details here!

I don’t know how to handle this guys: https://cointelegraph.com/news/eu-crypto-ban-anonymous-privacy-tokens-2027

Does the discussion of this news item fit in this post?

I think Ethereum has a great community but crypto is losing Europe (or maybe the other way around) but certainly Ethereum should improve privacy without losing any territory. Such a crazy world can’t end well for cryptousers.

I will continue to defend privacy but Ethereum must consider these types of eventualities IMHO.

Governments around the world have made it clear—they’re not fans of true privacy.
Monero, arguably one of the most useful cryptocurrencies, has become a target. People use it for real-world needs, like accessing affordable prescription medications on the darknet. But instead of acknowledging its utility, regulators have made Monero nearly impossible to buy—delisting it from exchanges not just in Europe, but globally.

Why? Because the more centralized, surveillance-friendly, and U.S.-based a crypto project is, the more governments seem to embrace it.

Enter Base and the broader rollup ecosystem—an ideal setup for regulators. Now, Base claims to be decentralized because it appointed a “decentralization council”… comprised almost entirely of its own employees. Vitalik even calls Base a “Stage 2” rollup. But if this is Stage 2, has the term lost all meaning? Weren’t rollups supposed to be decentralized? Now we’re told it’s fine for them to take years to decentralize. Really? How many years did it take Satoshi to decentralize Bitcoin?

Back in the day, everyone criticized EOS for having “only” 21 validators. Meanwhile, Ethereum is now effectively controlled by just three entities: Coinbase, Binance, and Lido—two of which are U.S. corporations.

Something to think about.

4 Likes

Many privacy conversations seem to assume something like:

Visibility → Privacy Loss

But I’m wondering whether that framing is incomplete.

In practice, observers rarely act on raw visibility alone.

They observe signals and then perform inference.

Something closer to:

Observable Signals

Inference

Reconstructed Structures

Privacy Loss

Examples of reconstructed structures might include:

  • identity

  • relationships

  • behavior

  • ownership

  • association

That leads to a question I’d be interested in hearing opinions on:

Can privacy loss be modelled as successful reconstruction rather than simple exposure?

If that framing has merit, then privacy mechanisms may not only need to reduce visibility—they may also need to reduce reconstructability.

That could imply complementary research directions beyond cryptography alone:

  • observer models

  • reconstruction pathways

  • inference limits

  • exposure modeling

  • relationship reconstruction

  • explainable privacy metrics

For example, two systems could expose similar amounts of data but produce very different reconstruction outcomes depending on what observers can infer.

I’m trying to test whether this distinction resonates with people working on privacy and anonymity.

1 Like

I think this framing resonates strongly.

In fact, one of the conclusions I arrived at while working on GhostShard(A privacy protocol combining ERC 5564 and EIP 7702 to bring UTXO style privacy to the account model ) was that privacy loss is often less about information exposure and more about successful ownership reconstruction.

Many blockchain privacy discussions implicitly treat visibility itself as the problem:

Visibility → Privacy Loss

But public blockchains expose enormous amounts of information that nobody cares about because it cannot be meaningfully attributed.

What typically creates privacy loss is the successful reconstruction of hidden structures from visible signals.

For example:

Observable Transactions

Ownership Reconstruction

Identity Attribution

Privacy Loss

From this perspective, the critical question becomes:

“What can an observer successfully reconstruct?”

rather than:

“What can an observer see?”

This distinction matters because it suggests that privacy and transparency are not necessarily opposites.

A system may expose every transaction while still making ownership reconstruction computationally, statistically, or operationally difficult.

Conversely, a system may hide large amounts of information while still leaking enough structural signals to reconstruct participants and relationships.

This is one of the motivations behind ownership-fragmentation approaches such as GhostShard.

The protocol does not attempt to hide that assets exist, that transfers occur, or that economic activity is happening.

Instead, it attempts to disrupt reconstruction itself by decomposing ownership into disposable fragments and continuously destroying persistent ownership structures that graph analysis relies upon.

Viewed through this lens, privacy mechanisms can be categorized not only by how much information they conceal, but by which reconstruction pathways they disrupt:

  • Identity reconstruction

  • Ownership reconstruction

  • Relationship reconstruction

  • Behavioral reconstruction

  • Temporal reconstruction

This may also suggest alternative privacy metrics.

Rather than measuring only exposed information, we could measure an observer’s probability of successfully reconstructing a target structure given all available signals.

In other words, privacy may be better understood as resistance to inference than resistance to observation.

Observation is merely the input.
Reconstruction is where privacy is actually lost.

1 Like

Interesting, I release the pERC20 proposal before I read this post.

pERC20 = private ERC20. The same as the phase2.

This resonates strongly, and I think your framing highlights an important distinction that often gets collapsed in privacy discussions.

What stood out to me is the shift from treating privacy loss as a direct consequence of visibility toward treating it as a consequence of successful reconstruction.

That distinction feels important because public systems often expose large amounts of information that are not harmful until observers can connect them into meaningful structures.

Another thing I’ve been exploring from a slightly more general angle is whether ownership reconstruction itself is only one instance of a broader phenomenon.

Very tentatively:

Observation
→ Inference
→ Reconstruction of latent structure
→ Privacy loss

Where ownership is one latent structure, but others may include:

  • identity

  • relationships

  • behavior

  • associations

Which raises another question that I find interesting:

Should privacy mechanisms be evaluated by how much information they conceal—

or by which reconstruction pathways they disrupt?

For example, two systems could expose similar observable data while producing very different reconstruction outcomes depending on observer capabilities and available external context.

That would imply privacy may be observer-relative rather than an absolute property of visibility.

One thing I find particularly interesting in GhostShard’s framing is that it implicitly treats privacy as a problem of reconstruction under observer assumptions.

In the language I’ve been exploring, the thing being reconstructed could be called a latent structure (the hidden thing that observers care to recover, such as ownership, identity, relationships, or behavioural patterns).

It seems like making those assumptions explicit could eventually become a useful way to compare privacy systems—not only by what they hide, but by what kinds of reconstruction they prevent.

1 Like

I think that’s a very useful generalization.

What I find particularly interesting is that many of the latent structures you listed may ultimately derive their power from the existence of persistent identity.

For example:

  • Ownership reconstruction becomes possible because assets accumulate under persistent identifiers.

  • Relationship reconstruction becomes possible because the same identifiers repeatedly interact.

  • Behavioral reconstruction becomes possible because actions can be aggregated across time.

  • Association reconstruction becomes possible because multiple activities become attached to a common identity surface.

Viewed from that angle, ownership, relationships, behavior, and associations may not be independent reconstruction targets. They may be downstream products of the same underlying phenomenon: persistent attribution.

A persistent identity acts as a compression mechanism for observers. It allows large amounts of otherwise disconnected information to collapse into a single reconstructable entity.

Once that entity exists, reconstruction becomes progressively easier because every new observation strengthens the model.

This is one of the reasons I became interested in ownership fragmentation as a privacy primitive.

Rather than primarily asking how to conceal information, the question becomes:

Can we prevent the formation of persistent attribution surfaces in the first place?

If observers cannot reliably establish continuity of ownership across time, many higher-order reconstructions become substantially more difficult because the stable anchor required to accumulate evidence is constantly disappearing.

In that sense, ownership reconstruction may be a particularly important latent structure because it often serves as the foundation upon which many other forms of reconstruction are built.

That said, I think there is an even more practical challenge.

Most privacy systems today treat privacy as an action.

Users must opt into it.
Users must understand it.
Users must maintain it.
Users must repeatedly make correct decisions to preserve it.

History suggests this is an extremely fragile model.

People rarely lose privacy because they consciously choose transparency. They lose privacy because maintaining privacy requires continuous effort while transparency is the default state.

To me, one of the most important questions is therefore not only how we disrupt reconstruction pathways, but whether privacy can become an emergent property of ordinary usage rather than a specialized activity users must constantly remember to perform.

The strongest privacy systems may ultimately be the ones that make privacy the path of least resistance rather than the path requiring the most discipline.

1 Like