Talking about how to solve the privacy requirement on the public blockchain

In this increasingly connected world, our information is frequently copied, shared, and sold, so it's not easy to protect privacy.

Like most things, privacy is not a binary opposition, but between full disclosure and full privacy. Therefore, when it comes to privacy issues, we need to discuss three more issues.

1. What level of privacy do consumers and businesses want?

2. Are people willing to pay for privacy (cost and effort)?

3. What are the conditions for balancing private transactions on the public blockchain?

The purpose of this paper is to briefly examine the actual privacy needs of the public blockchain and discuss the trade-offs of implementing privacy solutions in a high dimension.

Question 1: What level of privacy is meaningful?

An example of privacy is anonymity, or identity privacy. In the context of a public blockchain, anonymity refers to the exchange of something (ie money, tokens or data) without the parties having to disclose information about themselves or other trader's identity. Although this is only one aspect of privacy, it has become increasingly important as the blockchain evolves.

Like cryptocurrencies such as Bitcoin and Ethereum, because of the openness of relevant transaction addresses and information, coupled with the continuous development of analytical methods, people can associate these transactions with the out-of-chain identity, making the users of these cryptocurrencies Identity has become more and more transparent.

In terms of privacy, businesses and consumers have very different needs. Businesses often require privacy in transactional data such as product name, quantity, price, address, personally identifiable financial information, and more.

Network participants are usually known, but depending on the role, it may be necessary to provide data to other participants. For example, a freight forwarder may not need to know what is in the shipping container, just know that the container has arrived. Bank regulations also limit who can access transaction data. The Nightfall agreement of Ernst & Young (a UK-based accounting firm) and the anonymous Zether protocol customized by JPMorgan Chase for Quorum (a blockchain platform built by JP Morgan Chase) are the main examples of companies developing privacy solutions for Ethereum. .

Consumers' perceptions and concerns about privacy have so far been generally low compared to companies that typically have strong commercial motivation or regulation in terms of privacy. Of course, consumers also want to protect their identity, credit card information or other sensitive data to prevent fraud or identity theft. Sometimes consumers want to be anonymous, and the sender and receiver of the transaction need to be private. However, privacy is not indispensable in the daily lives of consumers, and most people voluntarily sacrifice their privacy for convenience or free access (accepting cookies, using free wifi, tracking web surfing, etc.).

Question 2: Is there a need for privacy?

Privacy is often used for messaging to protect content sent between parties. It is also used in a wider range of communication channels and underlying network layer construction. Today's architectures range from public key cryptography and its adoption to other key exchange mechanisms that generate end-to-end secure network/transport layer protocols (IPSec v2, SSL). In addition, this ensures secure DNS queries and the adoption of Tor-based repeaters. Much work has spawned open standards for academic research and enterprise adoption to ensure privacy and confidentiality in the data transfer process, but many of these technologies have found their way out in the retail user technology stack to benefit end users.

Especially in the blockchain, although Zcash has been in existence for nearly three years, only about 5% of ZECs use SNARKs (about half of them use older versions of SNARKs). In addition, approximately 95% of ZECs are stored in transparent addresses with little privacy. In this low-profile scenario, we can deduce that perhaps most users have not felt the need to pay for the cost and effort of privacy.

However, the final blockchain technology still needs privacy to become mainstream. The success of the built-in privacy layer, such as SSL, makes the Internet a trusted business medium, indicating that the privacy that consumers and businesses want is built into systems and applications.

Question 3: Privacy trade-offs

The third issue is more technical and requires a deeper study of how to achieve privacy in Ethereum and the trade-offs between the various mechanisms involved. Blockchain networks need to be traded off between scalability and decentralization, while privacy mechanisms and technologies need to weigh themselves. This article will examine what other privacy-focused blockchains are for privacy, and then discuss some of the Ethereum network privacy solutions.

Lessons from other privacy-centric blockchains (Monroe and Zcash)

Before going into the details of Ethereum, let's talk about two typical examples of anonymous coins – Monroe and Zcash. In the early altcoin era, Monroe was very special because its code base was not derived from the Bitcoin code base, but was based on a completely unrelated cryptocurrency item, Bytecoin (using the CryptoNote protocol reference design). The original CryptoNote design achieves privacy by mixing the senders of a transaction (by mixing their signatures with many other bait signatures). Through this, combined with the hidden address scheme, Monroe brings a very strong privacy guarantee. This "ring signature" scheme has long been hailed as a built-in mixer, but it is not mature.

In 2017, with the introduction of RingCT technology, the ability of ring signatures to hide transaction data has been greatly improved. RingCT uses zero-knowledge proof to increase the number of signatures that can be processed in batches. The introduction of RingCT also enforces minimum mixing requirements to reduce linkable attacks that plagued early Monroe. Currently, one of the main challenges facing ring signatures is that they are stored on the Monroe blockchain and take up a lot of disk space. In addition, circular signatures are not suitable for large groups and are currently limited to groups of 10 to 15 people.

At the end of 2018, Monroe introduced the "bulletproof protocol", a new zero-knowledge scheme that is logarithmically expanded with the number of ring signatures, thereby reducing the size required for transactions. This greatly reduces Monroe's private transaction costs.

Zcash is the first cryptocurrency to use zkSNARKs technology. The user can send a transaction that is only completely visible to the recipient. For the third party, ZEC seems to be sent to a huge encrypted black box. When the receiver wants to move their coins back to a non-private address (very similar to a standard bitcoin address), the coins seem to pop out of thin air. Come on, this makes no obvious connection between the sender and the receiver. But there is one thing to note about zero-knowledge proof, its operation requires more computational power, so it also makes transaction costs more expensive.

Alternative threats

The Ethereum network provides pseudo anonymity (ie, the transaction links to the address corresponding to the private key held by the user), and its distributed nature and transparency enable many new technologies to be implemented.

However, like Bitcoin, Ethereum also inadvertently exposes information about users who use these digital assets.

One of the threats to privacy is that public and private keys can be associated with an identity. Given the blockchains like Bitcoin and Ethereum, using their built-in trading framework is like eating bread and losing breadcrumbs, and an attacker can track the trading path of all assets (even alternative assets).

Generate privacy by address

As privacy technologies advance, we can consider more and more complex threat models. In 2012, BIP32 introduced a hierarchical deterministic key, generated the primary private key through the seed, and then derived the private key and address. This allows users to generate new addresses each time they accept a transaction, and all of these addresses can be easily exported and imported into a new wallet without having to import separate randomly generated keys.

Ethereum also has the same function, although its newly generated key can only interact with smart contracts before getting the fuel fee ETH. This also makes the problem even more difficult by the fact that many systems built on Ethereum link the user's real-world identity to their address. The extra amount of metadata linked to the Ethereum address makes Ethereum particularly vulnerable to anonymizing attacks. Fortunately, smart contracts that expose Ethereum to these threats can also be used by cutting-edge new cryptography systems to enable secure and seamless privacy transactions.

ZK structure and pre-trust mechanism

Many zero-knowledge structures require a so-called "pre-trust mechanism." This means that the entire structure relies on the generation of special random numbers, and anyone who knows these random numbers can snoop on internal operations. Therefore, in order to alleviate these concerns, people have designed sophisticated methods to generate these random parameters to ensure that the structure can be trusted. This usually involves the participation of several trusted members of the community, each of whom has to derive their own private random data and combine them in some way, if any of the parties delete their keys. Data, then the secret value is safe. Therefore, all parties need to work together to protect the security of the structure.

It is worth noting that the bulletproof protocol used by Monroe does not require a pre-trust mechanism, and zkSNARK in Zcash is needed. The famous RadioLab podcast has a pre-trust mechanism for recording Zcash. However, STARK does not require a pre-trust mechanism because they use hash function selection as their "mechanism" rather than any special number.

Zero Knowledge Note (ZK-Note)

As a pioneer in the privacy of Ethereum, the AZTEC protocol uses a “zero knowledge note” system to track hidden financial conditions. These notes are visible on the Ethereum network, including the owner of each note, but the amount of money stored on the note, except for the note owner, is invisible to everyone else.

When a note owner decides to perform a "joinSplit" operation, zero-knowledge is characterized by the fact that they can write down any number of notes they control and create a set of output notes that may or may not belong to others. Combined with the invisible address technology, each new note created is owned by a completely clean Ethereum address (previously never used on the network). In a common use case, a "ZK-Asset" contract can be connected to any ERC20 compatible token, allowing users to store tokens to generate ZK-Note and allow users to burn ZK-Note for coins. This mechanism allows any existing asset on the Ethereum network to be traded in a manner that protects privacy. The proof used by the AZTEC protocol is easier to use than the ZK-Snarks, but a pre-trust mechanism is still required.

AZTEC is also exploring pre-trust mechanisms with other new solutions. PLONK is a new and efficient ZK-SNARK architecture that requires a pre-trust mechanism and can be reused by all programs. Because PLONK does not have a large demand for fuel, it is more practical for Ethereum. Therefore, Tom Pocock, CEO of AZTEC, believes that PLONK can be used to program complex logic statements to maintain perfect privacy.

ZK using secure MPC

In ZKBoo and the recent Ligero example, a zero-knowledge proof system was used in conjunction with Secure Multi-Party Computing (MPC). This requires the certifier to submit a record of the secure MPC protocol, and then the verifier randomly evaluates one of the views and "compiles" the secure multiparty computing protocol into a ZK-PCP system (one of the earliest probabilistic ZK systems). More importantly, it is possible to create a privacy smart contract using MPC.

Like ZK-STARK, the MPC-based proof has:

· Transparency – the generation of random numbers is public information

Post-quantum security—dependence on the availability of public randomness and hash functions is still a problem that quantum systems cannot solve on a large scale.

· Scalability – MPC-based proofs have a (quasilinear) proof time and a verifier time, which improves the efficiency of staging and batch calculations

Some trade-offs in using such techniques involve how to best make these technologies work for small and medium "circuits" or problems, which can lead to scalability issues with the verification program.

That is to say, MPC-based technologies have not been fully developed in the blockchain field, and these technologies will be more versatile than existing ZK technologies, especially where parties need to protect confidential information related to the actual computing itself. For example, the MPC technique is useful for attempting to run a credit scoring algorithm to assess customer credit, regardless of whether the customer or the bank does not want to abandon the confidential information associated with its transaction history and the weight in the ML credit scoring model.

Hardware limitation

When Zcash first proposed the idea of ​​using zk-SNARKs to send transactions, people were very worried about the computing power required to use hidden transactions (generating a transaction would take several hours or more). And by that time, we've made great strides, and modern implementations can now accomplish similar tasks in seconds on browsers and even mobile devices.

Privacy mixer

Mixers are a recent topic of great concern. As early as May of this year, Vitalik released the design motivation and rough outline of the Ethereum network next-generation mixer.

Users need an Ethereum mixer to help them implement a wallet or personal privacy transaction. The traceability of Ethereum means that a particular transaction can be tracked and linked to other wallets, accounts, and the like. The mixer is used to exchange Ethereum to increase the privacy of the transaction.

Since then, many teams have worked to make the mixer more suitable for Ethereum. Below is a recent chart that calculates the cost of fuel for the relevant hybrid transaction.

A single mixer at the application layer never gives the user absolute privacy, but only provides a guarantee of probability. However, this may be enough to meet the needs of most individuals and businesses.

Who pays for the fuel bill? – the emergence of repeaters

However, all of these mixer methods have a fatal flaw, which means that someone will eventually have to pay a fuel fee to confirm the output. Where did these etheric coins come from? If the final output of the Ethercoin can be traced back to a user, then the user is equivalent to losing the anonymous protection, which is contrary to the entire privacy purpose.

This is tantamount to creating a privacy-first "chicken or egg" scenario. In this case, the only way to accept anonymous Ethereum is to have an anonymous Ethereum. In Vitalik's original mixer post, he solved the problem with a simple repeater registration contract, in which a relay operator who promised to publish an arbitrary transaction could register an HTTP endpoint so that the transaction could be published anonymously.

Finally, we must also consider the security of the wallet and operation. This requires protecting users while not giving them too much trouble. This issue is still under discussion. All of these mixer solutions require a large number of participants to reasonably anticipate privacy, so tools need to be easy to use, but any shortcuts here can lead to some serious privacy violations. For example, a user mixes some Ethereum and uses some of the Ethereum for private transactions, but then forgets which wallet they use for private transactions, and then sends the remaining Ethereum back to a certain They are publicly associated with the address.

These technologies, as well as many other technologies being developed in the industry, indicate that the privacy issues of the Ethereum network have received increasing attention, and these technological advances may soon be greatly promoted. While it seems somewhat contradictory to implement privacy on the public blockchain, zero knowledge and other privacy technologies will make new, cutting-edge use cases possible. At the same time, these solutions will enhance the user's ability to reassure their financial privacy.

Looking to the future

While this article is not a complete overview of all of Ethereum's privacy practices, it examines the various ways to achieve corporate and consumer privacy needs. Many individuals in the cryptosystem are inspired by anti-censorship techniques that provide freedom. The ability to anonymously trade or protect personal information is critical to creating an encrypted native world. When it comes to privacy, there are no magic bullets that can solve all the problems, but different methods and mechanisms for different use cases.

Therefore, we will continue to research and evaluate Ethereum's privacy solutions to help science and promote the development of such technologies. In the future, we will post posts on specific privacy solutions, as well as reports explaining various privacy technologies, as well as a more in-depth analysis of the projects and companies that are currently building privacy solutions.

Author | This article is co-authored by Dean Pierce, Robert Drost and Mason Nystrom.

Translation | First Class (First.vip) Annie

Proofreading | First Class (First.vip) Gisele

Please reprint the information at the end of the article.