Evaluating Ethereum's privacy technologies: zero-knowledge proofs, secure multi-party computation, and mixers. Which is better?

Foreword: When we talk about privacy, there is no magic bullet that solves every problem; instead, different methods and mechanisms suit specific use cases. This paper aims to evaluate the advantages, disadvantages and applicable scenarios of the various Ethereum privacy technology solutions.

Original authors: Dean Pierce (ConsenSys Diligence), Robert Drost (ConsenSys R&D) and Mason Nystrom (ConsenSys)

In an increasingly connected world, our information is copied, shared and even used for commercial purposes, and maintaining the level of privacy we want can be a challenge.

Like most things, privacy is not binary; it lies on a spectrum between full disclosure and complete secrecy. So when it comes to privacy, there are three questions that need further discussion.

  1. What is the level of privacy that consumers and businesses want?
  2. Are people willing to pay for privacy?
  3. What are the trade-offs of private transactions on a public blockchain?

The purpose of this paper is to briefly examine the requirements for privacy on public chains and to discuss, at a high level, the trade-offs of implementing privacy solutions.


The first question: what level of privacy makes sense?

One example of privacy is anonymity, or privacy of identity. In the context of a public chain, anonymity refers to the ability of a party to exchange something (money, tokens or data) without revealing information about its own identity or that of the other party to the trade. Although this is only one aspect of privacy, it has become increasingly important as blockchains have evolved.

For cryptocurrencies such as Bitcoin and Ethereum, the transaction addresses and related information are public, and analytics are constantly improving, so these transactions can be associated with off-chain identities. This makes the identities of the users of these cryptocurrencies increasingly transparent.

Businesses and consumers have very different privacy requirements. Businesses typically need privacy for transactional data, such as product names, quantities, prices, addresses, personally identifiable financial information, and so on.

Network participants are usually known, but may need their identity hidden from, or disclosed to, other participants depending on their role. For example, a freight forwarder may not need to know the contents of a shipping container, only that the container has arrived. Banking regulations also limit who can access transaction data. Ernst & Young's Nightfall protocol, and JP Morgan's Anonymous Zether protocol customised for Quorum, are prime examples of enterprise privacy solutions for Ethereum.

Compared to businesses (which usually have strong commercial motives and regulation around privacy), consumer awareness of and attention to privacy has generally been low. Of course, consumers also want to protect their identity, credit card information or other sensitive data to prevent fraud or identity theft. Sometimes consumers want to transact anonymously, which requires privacy for both the sender and the recipient of the transaction. However, privacy is not a natural part of consumers' daily lives, and most people voluntarily sacrifice it (accepting cookies, using free WiFi, etc.) for convenience or free access.

The second question: is there a need for privacy?

Privacy typically arises in the context of messaging, to protect content sent between parties, but it is also applied in a wider variety of settings such as communication channels and the underlying network layers.

But in the context of cryptocurrencies, the need for privacy does not seem as strong as people think.

Specifically, although Zcash has been around for three years, only about 5% of ZEC uses SNARKs (about half of that using the older version of the SNARKs), and about 95% of ZEC is stored in transparent addresses with little privacy. Given this low adoption, we can infer that perhaps most users are not willing to pay for privacy (its cost is relatively high).

However, blockchain technology will ultimately still need privacy to become mainstream. A built-in privacy layer (such as SSL) is what made the Internet a trusted medium for commerce, which means that the privacy consumers and businesses want is built into systems and applications.

The third question: the trade-offs of privacy

The third question is more technical. It requires an in-depth review of the privacy technology schemes on the Ethereum platform, including the trade-offs between the various mechanisms.

Lessons from other privacy blockchains (Monero and Zcash)

Before we discuss privacy on Ethereum, let's take a look at the two main players in the privacy coin field: Monero and Zcash. Monero was unusual among early coins because its code base was not derived from Bitcoin's, but from a completely unrelated cryptocurrency project, Bytecoin (the reference implementation of the CryptoNote protocol). The original CryptoNote protocol was designed to achieve privacy by mixing the senders of a transaction (mixing their signatures with many other decoy signatures). Combined with a stealth address output scheme, this gives Monero very strong privacy guarantees. This "ring signature" scheme has long been hailed as a built-in mixer, but it was not mature.

In 2017, the introduction of RingCT greatly improved the ring signature scheme's ability to hide transaction data. RingCT used zero-knowledge proofs to extend the types of signatures that can be batched. It also enforced minimum mixing requirements to reduce the linkability present in earlier versions of Monero. One of the biggest challenges with ring signatures is that they take up a lot of disk space, which makes the Monero blockchain very bloated. In addition, ring signatures do not scale to large groups; they are currently limited to rings of 10-15 members.

At the end of 2018, Bulletproofs were introduced on the Monero network, an exciting new zero-knowledge construction that improved the ring signature scheme and reduced the size of transactions. This improvement greatly reduced the cost of private transactions on Monero.

Zcash was the first cryptocurrency to use zkSNARKs. With this zero-knowledge proof scheme, users can send completely private transactions that are visible only to the recipient; to an external observer, the ZEC appears to be sent into a huge cryptographic black box, and when the recipient later moves their coins back to a non-private address (like a standard Bitcoin-style address), the coins appear to come out of nowhere, with no obvious link between sender and receiver. An important consideration with zero-knowledge proofs is that they require more computing power to generate, which makes transactions more expensive.

Threats to fungibility

The Ethereum network provides pseudonymity (i.e. transactions are linked to addresses corresponding to private keys held by users), and its distributed, transparent nature makes many new technical capabilities possible.

However, like Bitcoin, Ethereum also inadvertently exposes information about the users of these digital assets.

Given the open nature of blockchains such as Bitcoin and Ethereum, naively using their built-in transaction frameworks is like leaving a trail of breadcrumbs, which lets adversaries easily follow your transaction path.

Privacy gained through address generation

As privacy technologies continue to evolve, we can consider many more complex threat models. In 2012, BIP32 (Bitcoin Improvement Proposal 32) introduced Hierarchical Deterministic keys (HD keys), which allow a seed phrase to generate a stream of continuously new Bitcoin addresses. This lets users generate a new address each time they receive a transaction, and all of these addresses can be easily exported and imported into a new wallet via the seed phrase.

The same capability exists in Ethereum, although newly generated keys cannot interact directly with smart contracts until they are funded with the ETH they need for gas. This is complicated by the fact that many Ethereum-based systems link aspects of a user's real identity to their address; this additional metadata tied to Ethereum addresses can make Ethereum particularly vulnerable to deanonymization attacks. Fortunately, the smart contracts that expose Ethereum to these threats can also be used by cutting-edge new cryptographic systems for secure and seamless private transactions.

ZK constructions and trusted setups

Many zero-knowledge proof constructions use a so-called "trusted setup", which means the entire construction relies on the generation of special random numbers, and anyone who knows these numbers has the ability to peek inside its operation. To alleviate this concern, sophisticated methods have been designed to generate these random parameters so that the construction can be trusted. This usually involves several trusted members of the community, each of whom derives their own private random data, combined in such a way that if any one party deletes their key material, the secret value is safe. Therefore all parties would need to collude to recover it.

It is worth noting that the Bulletproofs used by Monero do not require a trusted setup, but Zcash's zkSNARKs do. In addition, STARKs do not require a trusted setup because they use a hash function as the "setup" instead of any kind of special number.
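To make the "all parties need to collude" property concrete, here is an added toy simulation of a sequential multi-party parameter ceremony. It is not code from any project named on this page; the modulus, generator, party count and polynomial degree are constructed for illustration, and a real ceremony works in an elliptic-curve group with the same sequential structure.

```python
import secrets

# Constructed toy group: integers mod a Mersenne prime, generator G.
P = 2**127 - 1
G = 5
ORDER = P - 1            # exponents are reduced mod P-1 (Fermat)

def contribute(prev_params, t):
    """One participant applies its secret t to the running parameters.
    Element i holds G^(tau^i), so it is raised to t^i. The participant sees
    only the previous parameters, never any other participant's secret."""
    return [pow(x, pow(t, i, ORDER), P) for i, x in enumerate(prev_params)]

def run_ceremony(n_parties, degree):
    """Simulate a powers-of-tau style ceremony with n_parties contributors.
    Returns the public parameters [G^(tau^0), ..., G^(tau^degree)] and, for
    the demonstration only, the per-party secrets (a real party destroys
    its secret immediately after contributing)."""
    params = [G] * (degree + 1)          # tau = 1 before anyone contributes
    party_secrets = []
    for _ in range(n_parties):
        t = secrets.randbelow(ORDER - 2) + 2
        party_secrets.append(t)
        params = contribute(params, t)
    return params, party_secrets

def toxic_waste(secret_list):
    """tau = t_1 * t_2 * ... * t_n mod ORDER: the value nobody should hold."""
    tau = 1
    for t in secret_list:
        tau = tau * t % ORDER
    return tau

def can_recover_tau(params, known_secrets):
    """Can an attacker holding known_secrets reproduce G^tau? Only if the
    set is complete: a single missing contribution leaves tau unknown."""
    return pow(G, toxic_waste(known_secrets), P) == params[1]

if __name__ == "__main__":
    params, all_secrets = run_ceremony(3, 4)
    print("all three collude:", can_recover_tau(params, all_secrets))          # True
    print("one party destroyed its secret:", can_recover_tau(params, all_secrets[:2]))  # False
```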

Zero-knowledge notes (ZK-Notes)

AZTEC was an early player in Ethereum's privacy arena, using a "zero-knowledge note" system to track hidden financial state. These notes are visible on the Ethereum network (including the owner of each note), but the amount stored in a note is hidden from everyone except its owner.

The magic of zero knowledge comes when a note owner decides to perform a "joinSplit" operation, meaning they can consume any number of notes they control and create a set of output notes that may or may not belong to other people. Combined with stealth address technology, this allows each newly created note to be owned by a completely clean Ethereum address. In a common use case, a "ZK-Asset" contract can be attached to any ERC20-compatible token, allowing users to deposit tokens to mint ZK-Notes and to burn ZK-Notes to withdraw tokens. This mechanism allows any existing asset on the Ethereum network to be traded in a privacy-preserving manner.

The proofs used by the AZTEC protocol are easier to use than zk-SNARKs, but they still require a trusted setup.

AZTEC is also pursuing other nascent solutions that require a trusted setup. PLONK is a new and efficient ZK-SNARK construction whose setup can be reused by all programs. Because PLONK's gas requirement is modest, it is more practical for Ethereum. AZTEC CEO Tom Pocock believes PLONK can be used to program complex logical statements while maintaining perfect privacy.

ZK combined with secure multi-party computation (MPC)

In ZKBoo and the more recent Ligero, a zero-knowledge proof system is combined with secure multi-party computation (MPC). The prover commits to a transcript of a secure MPC protocol (the parties' views), and the verifier then randomly chooses one of the views to evaluate, "compiling" the MPC protocol into a ZK-PCP system (one of the earliest probabilistic ZK systems). More importantly, MPC makes it possible to create private smart contracts.
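As an added illustration of the "commit to the parties' views, open a random subset" idea (not ZKBoo's or Ligero's own code; the field size is constructed and the toy statement is y = x^2 mod P), the following simulates a three-party MPC-in-the-head proof of knowledge of x:

```python
import hashlib
import secrets

P = 2**61 - 1   # constructed toy prime field; the statement proved is y = x^2 mod P

def commit(view, nonce):
    """Hash commitment to one party's view: (input share, randomness, output share)."""
    return hashlib.sha256(nonce + repr(view).encode()).digest()

def decompose(x):
    """Prover: run a 3-party additive-sharing computation of x^2 'in the head'.
    z_i uses only shares i and i+1, so two views check it; the r_i cancel in the sum."""
    xs = [secrets.randbelow(P), secrets.randbelow(P)]
    xs.append((x - xs[0] - xs[1]) % P)                # x = x0 + x1 + x2
    rs = [secrets.randbelow(P) for _ in range(3)]
    zs = [(xs[i]**2 + 2*xs[i]*xs[(i+1) % 3] + rs[i] - rs[(i+1) % 3]) % P
          for i in range(3)]
    views = [(xs[i], rs[i], zs[i]) for i in range(3)]
    nonces = [secrets.token_bytes(16) for _ in range(3)]
    return views, nonces, [commit(v, n) for v, n in zip(views, nonces)]

def respond(record, e):
    """Prover: on challenge e in {0,1,2}, open views e and e+1 only; the third
    share of x stays hidden, so the opening reveals nothing about x."""
    views, nonces, comms = record
    return {"comms": comms, "zs": [v[2] for v in views],
            "opened": {i: (views[i], nonces[i]) for i in (e, (e + 1) % 3)}}

def verify_round(y, opening, e):
    """Verifier: outputs sum to y, opened views match their commitments,
    and party e's output share is recomputable from the two opened views."""
    comms, zs, opened = opening["comms"], opening["zs"], opening["opened"]
    if sum(zs) % P != y % P:
        return False
    for i, (view, nonce) in opened.items():
        if commit(view, nonce) != comms[i] or view[2] != zs[i]:
            return False
    (xe, re, ze), _ = opened[e]
    (xn, rn, _), _ = opened[(e + 1) % 3]
    return ze == (xe**2 + 2*xe*xn + re - rn) % P

def prove_and_verify(x, y, rounds=20):
    """Interactive simulation; a cheating prover survives one round with probability 2/3."""
    for _ in range(rounds):
        record = decompose(x)
        e = secrets.randbelow(3)
        if not verify_round(y, respond(record, e), e):
            return False
    return True
```

A prover who tampers with one output share to hit a false y passes exactly the challenges that leave that view unopened, which is why the rounds are repeated.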

Like ZK-STARKs, MPC-based proofs have:

  1. Transparency: the random numbers are generated from public information;
  2. Post-quantum security;
  3. Scalability: MPC-based proofs have quasilinear proving time and verification time, which improves the efficiency of staged and batched computations.

Some of the trade-offs of these techniques involve how best to make them work for small and medium-sized "circuits" or problems, which can lead to scalability issues for the verifier.

That said, MPC-based techniques have not yet been fully developed in the blockchain field, and they will become much more common than existing ZK (zero-knowledge) techniques, especially where confidential information needs to be protected both between the parties and within the computation itself. For example, MPC is useful when running a credit scoring algorithm to assess a customer's credit: the customer does not want to give up the confidential information in their transaction history, and the bank does not want to give up the weights of its ML credit scoring model.

Hardware limitations

When Zcash first proposed using zk-SNARKs to send transactions, there was serious concern about the amount of computing power required for shielded transactions, which could take hours or longer to generate. Since then we've come a long way, and current implementations can do similar tasks in seconds in browsers and even on mobile devices.

Privacy mixers

A recent topic of interest is mixers. In May of this year, Vitalik published an article on the motivation and rough design of a next-generation mixer for the Ethereum network.

Users need an Ethereum mixer to give their wallets or personal transactions privacy. Ether's traceability means that specific transactions can be tracked and linked to other wallets, accounts, and so on. A mixer is used to exchange ether in order to increase the privacy of transactions.

Since then, many teams have been working to make mixers more suitable for Ethereum. Below is a recent chart that estimates the gas cost of the related mixing transactions.


A standalone mixer at the application layer never gives the user absolute privacy, only a probabilistic guarantee. However, this may be sufficient for the privacy needs of most individuals and businesses.

Who pays for gas?

However, these mixer approaches have a fatal flaw: someone needs to pay gas to confirm the output. Where does that ether come from? If the ether that pays for the final output transaction can be traced back to a user, that user loses their anonymity, which defeats the entire purpose of the privacy scheme.

This creates a privacy "chicken and egg" problem: the only way to receive anonymous ether is to already have anonymous ether. In Vitalik's original mixer post, he solved the problem with a simple relayer registry contract, in which a relay operator willing to publish arbitrary transactions can register an HTTP endpoint so that transactions can be published anonymously.

Finally, wallet and operational security also need to be considered: users must be protected without being inconvenienced too much. All of these mixer solutions require a large number of participants before anyone can reasonably expect privacy, so the tools need to be easy to use, but any shortcuts here can lead to serious privacy violations.

These technologies, and many others under development in the industry, are a sign that the privacy of the Ethereum network is receiving more and more attention, and these advances may soon be widely adopted. While implementing privacy on a public blockchain may seem contradictory, zero-knowledge and other privacy technologies will make new, cutting-edge use cases possible.

Looking to the future

This article is not a complete overview of all privacy work on Ethereum. When we talk about privacy, there is no magic bullet that solves every problem, only different methods and mechanisms for specific use cases.

Therefore, we will continue to review and evaluate Ethereum's privacy solutions to help educate the community and promote the development of these technologies. This will include articles on specific privacy solutions, future reports on various privacy technologies, and more in-depth analysis of the projects and companies currently building privacy solutions.

Disclosure: ConsenSys remains very interested in privacy and scalability technologies. ConsenSys Labs has invested in the AZTEC protocol, Ligero and StarkWare, and will continue to look for projects that push the limits of this area.

Thanks to Min Teo, Joseph Chow, Zac Williamson, Amira Bouguera, Praneeth Srikanti, and Steve Marx for their help.