How to implement private transactions on Ethereum?

This article was produced by ConsenSys and written by Dean Pierce (ConsenSys Diligence), Robert Drost (ConsenSys R&D), and Mason Nystrom (ConsenSys); it was compiled exclusively by Encrypted Valley.

In an increasingly connected world, our information is constantly categorized, replicated, shared, and sold, and maintaining some level of privacy has become an important challenge.

Privacy is not binary; it is a spectrum that runs from full disclosure to full secrecy. When it comes to privacy, therefore, three questions need to be discussed first:

  • What privacy do consumers and businesses want to protect?
  • Are people willing to pay for privacy?
  • What are the trade-offs of private transactions on a public blockchain?

The purpose of this paper is to briefly study the actual privacy requirements on the public blockchain and discuss the realities of privacy solutions.

One aspect of privacy is anonymity, or control over one's own identity. In the context of a public chain, anonymity refers to the ability of parties to exchange something (money, tokens, or data) without revealing their identity or other transaction-related information. Although this is only one aspect of privacy, its importance has become increasingly prominent as blockchains have developed.

Crypto assets such as BTC and ETH are increasingly being tracked: through the public addresses in the associated transactions, the real identity behind an address can be inferred and linked when the crypto asset is converted to or from fiat currency. The end result is that the identities of both parties to a transaction become public. Since a public blockchain must, by its nature, provide a log of all transactions, it is increasingly important to use cryptographic algorithms and protocols to protect the privacy of users and businesses.

Businesses and consumers have very different privacy needs. Businesses often need to keep transaction data private, such as product names, quantities, prices, addresses, personally identifiable financial information, and so on.

The identity of a network participant is usually known, but depending on its role, a participant may need to withhold that identity from, or disclose it to, other participants.

For example, a freight forwarder may not need to know the contents of a shipping container, only that the container has arrived. Banking regulations also limit who can access transaction data. Ernst & Young's Nightfall protocol, which uses zk-SNARKs for private transactions on Ethereum, and Anonymous Zether, developed by JPMorgan for Quorum, are typical examples of privacy solutions that companies have developed for Ethereum.

Businesses often have strong commercial incentives or privacy regulations driving them. By contrast, consumers' privacy awareness is often weak and their attention generally low. Consumers may only want to protect their identity, credit card information, or other sensitive data to prevent fraud or identity theft. Sometimes consumers want anonymous transactions, which requires both the sender and the receiver of the transaction to remain hidden. In daily life, however, privacy is often overlooked, and most people are willing to give up their privacy for convenience or free access (accepting cookies, using free Wi-Fi, etc.).

In messaging, privacy mechanisms are commonly used to protect the content sent between parties. They are also used in the construction of wider communication channels and underlying network layers. From the evolution of public-key cryptography and its adoption in key exchange mechanisms, we have seen a variety of Internet protocol suites (IPSec v2, SSL) designed to achieve end-to-end security. The same applies to secure DNS queries and to Tor-based relays.

Through academic research and corporate adoption, many of these results became open standards, and many found their way into the individual user's technology stack, ultimately benefiting end users.

As far as blockchains are concerned, although Zcash has existed for nearly three years, only about 5% of existing ZEC is held in SNARK-protected addresses. Approximately 95% of ZEC sits in transparent addresses with little privacy. From this low adoption rate we can infer that most users have perhaps not yet been willing to pay the cost and effort of privacy.

In retrospect, the success of built-in privacy layers such as SSL is what made the Internet a credible commercial medium. For blockchain technology to be adopted by the mainstream, the important issue of privacy likewise cannot be set aside.

Privacy trade-offs

This issue is more technical, and we need to look more closely at how privacy can be achieved on Ethereum. Blockchain networks trade scalability for decentralization, and privacy mechanisms involve similar technical trade-offs. We start by reviewing what other privacy-focused blockchains have achieved, and then discuss privacy solutions on the Ethereum network.

Other typical blockchain projects focused on privacy (Monero and Zcash)

Before discussing Ethereum in detail, we introduce Monero and Zcash, the two main players in the privacy coin field.

In the early days of cryptocurrencies, Monero stood out because its code was not based on BTC at all, but on a completely unrelated crypto asset project called Bytecoin (the first crypto asset to use the CryptoNote protocol).

The original CryptoNote design obscures the sender of a transaction by mixing the sender's signature with many decoy signatures. Combined with stealth address outputs, this provides a very strong privacy guarantee. This "ring signature" scheme has long been regarded as an advanced built-in mixer; the idea itself is nothing new.

In 2017, the introduction of RingCT greatly improved the ability of ring signatures to hide transaction data. RingCT uses Zero-Knowledge Range Proofs (ZKRP) to increase the number of signatures that can be processed in batches.

The introduction of RingCT also enforced a minimum mixin requirement to mitigate the linking attacks that plagued earlier versions of Monero. Currently, one of the main challenges of using ring signatures is the large amount of disk space needed to store the Monero blockchain. In addition, ring signatures do not scale to large groups and are currently limited to 10-15 participants.

At the end of 2018, "Bulletproofs" were introduced on the Monero network: an exciting new zero-knowledge construction whose size grows only logarithmically with the number of signatures in the ring, reducing transaction size. This improvement brings Monero's functionality in line with other blockchain projects.

Zcash was the first crypto asset to use zk-SNARKs. With this technique, users can send completely private transactions that are visible only to the recipient. To an outside observer, ZEC sent to a private address appears to disappear into a large encrypted black box. When the recipient moves the tokens back to a non-private address (similar to a standard BTC address), the tokens appear out of thin air, with no observable connection between sender and recipient.

An important caveat about zero-knowledge proofs is that they require more computing power, which in turn makes transactions more expensive.

Alternative threat

The Ethereum network provides pseudonymity (i.e., a transaction is linked to a public-key address controlled by whoever holds the private key, rather than to a username/password), and its distributed nature and transparency make many new technical features possible.

However, as with BTC, Ethereum can unwittingly expose users who may not be aware of how much information they share when using it for alternative digital asset transfers.

One threat to privacy is that the identity associated with a user's public and private keys is known. Given the public nature of blockchains such as BTC and Ethereum, naively using their built-in transaction frameworks is like leaving a trail of breadcrumbs, making it easier for others to track assets (even alternative assets).

Protecting privacy by generating new addresses

As privacy technology continues to evolve, more sophisticated threat models can be considered. In 2012, BIP32 introduced Hierarchical Deterministic keys, which allow a single seed phrase to generate an endless stream of "new" BTC addresses. This lets users generate a new address each time they receive a transaction, and all of these addresses can easily be exported and imported into a new wallet without having to import many randomly generated keys.

Ethereum has the same functionality, but a newly generated key cannot interact with smart contracts until it has been funded with ETH. Many systems built on Ethereum associate a user's real identity with an address, which complicates the problem. This extra metadata linked to Ethereum addresses makes Ethereum particularly vulnerable to deanonymization attacks. Fortunately, the same smart contract capability that exposes Ethereum to these threats can also use cutting-edge cryptosystems to support secure, seamless, private transactions.

ZK constructions and trusted setups

Many zero-knowledge constructions require a so-called "trusted setup". This means the entire construction relies on the generation of special random numbers, and anyone who knows those numbers can look inside it.

To reduce this concern, developers have designed elaborate schemes for generating the random parameters so that the construction can be trusted. This usually involves several trusted members of the community, each of whom generates their own private random data, which is then combined in some way. As long as any one participant deletes their key material, the secret value stays safe; the construction is only at risk if all participants collude.
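The "any one honest participant" property of such a ceremony, as an added illustration that is not part of the original article: a toy sequential powers-of-tau setup in a constructed small prime-order group (real ceremonies use pairing-friendly curves, but the exponent algebra is identical). Each participant folds its own secret share into the public parameters without ever learning the previous secret, and an attacker who learns every share but one still has no information about the combined secret.

```python
import secrets

# Constructed toy group: P = 2*Q + 1, so G and every G^x lie in the subgroup
# of prime order Q. Real ceremonies use pairing-friendly elliptic curves.
P = 2039
Q = 1019
G = 4            # quadratic residue mod P, hence of order Q
DEGREE = 4       # the SRS holds g^(tau^0) ... g^(tau^DEGREE)


def initial_srs():
    """Before any contribution tau = 1, so every element is just G."""
    return [G] * (DEGREE + 1)


def contribute(srs, share):
    """One participant folds its secret share s into the SRS.

    g^(tau^i) is raised to s^i, giving g^((tau*s)^i). The participant never
    learns the previous tau, and the next participant never learns s.
    """
    if not 1 <= share < Q:
        raise ValueError("share must be a non-zero exponent mod Q")
    return [pow(elem, pow(share, i, Q), P) for i, elem in enumerate(srs)]


def run_ceremony(shares):
    """Sequential ceremony: each share is applied on top of the previous output."""
    srs = initial_srs()
    for share in shares:
        srs = contribute(srs, share)
    return srs


def random_share():
    """Fresh uniformly random share in 1..Q-1 for a participant."""
    return 1 + secrets.randbelow(Q - 1)


def combined_tau(shares):
    """The toxic waste: tau = product of all shares mod Q. Nobody should hold this."""
    tau = 1
    for share in shares:
        tau = tau * share % Q
    return tau


def srs_for_tau(tau):
    """Reference SRS computed directly from tau, used only to check the ceremony."""
    return [pow(G, pow(tau, i, Q), P) for i in range(DEGREE + 1)]


def attacker_candidates(known_shares):
    """Values of tau consistent with knowing every share except one.

    The missing share is uniform in 1..Q-1, so every non-zero tau is equally
    likely: a single deleted share keeps tau secret.
    """
    known = combined_tau(known_shares)
    return {known * s % Q for s in range(1, Q)}
```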

It is worth noting that the Bulletproofs used by Monero do not require a trusted setup, but the zk-SNARKs used in Zcash do. Zcash's trusted setup ceremony was documented by Radiolab. STARKs, by contrast, do not need a trusted setup because they use a hash function as the "setup" instead of any kind of special number.

Zero-Knowledge Notes (ZK-Notes)

As a pioneer of privacy on Ethereum, AZTEC Protocol uses a system of "zero-knowledge notes" to track hidden financial information. These notes are visible on the Ethereum network, including the owner of each note, but the amount stored in each note is hidden from everyone except its owner.

The magic of zero knowledge appears when a note owner performs a "joinSplit" operation: they can take any number of notes they control and create a set of output notes that may or may not belong to other people. Combined with stealth address technology, this allows each newly created note to belong to an Ethereum address that has never been used on the network.

In a common use case, a "ZK-Asset" contract can be attached to any ERC-20 compatible token, allowing users to deposit tokens to mint ZK-Notes, or to burn ZK-Notes to withdraw tokens. This mechanism allows any existing asset on the Ethereum network to be traded in a privacy-preserving way. The proofs used by AZTEC Protocol are easier to work with than zk-SNARKs, but still require a trusted setup.
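The core of a joinSplit, as an added toy model that is not AZTEC's own code: notes are Pedersen commitments in a constructed small group, the owner is public but the value is hidden, and the chain can check that inputs and outputs balance by multiplying commitments together. The group constants, field names and the absence of range proofs are simplifications of this example.

```python
import secrets

# Constructed toy group: P = 2*Q + 1, both generators have prime order Q.
# A real deployment derives H so that nobody knows log_G(H); here it is tiny.
P = 2039
Q = 1019
G = 4            # generator bound to the note value
H = 9            # generator bound to the blinding factor


def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding mod P."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def mint_note(owner, value):
    """A note as its owner stores it: value and blinding are secret."""
    if not 0 <= value < Q:
        raise ValueError("value out of range")
    blinding = secrets.randbelow(Q)
    return {"owner": owner, "value": value, "blinding": blinding,
            "commitment": commit(value, blinding)}


def public_view(note):
    """What the chain (and everyone else) sees of a note."""
    return {"owner": note["owner"], "commitment": note["commitment"]}


def join_split(input_notes, output_specs):
    """Spend input notes and create output notes for (owner, value) pairs.

    Output values must sum to the input values; the last output's blinding
    is chosen so that the blindings balance as well.
    """
    total_in = sum(n["value"] for n in input_notes)
    if total_in != sum(v for _, v in output_specs):
        raise ValueError("inputs and outputs do not balance")
    outputs = [mint_note(owner, value) for owner, value in output_specs[:-1]]
    owner, value = output_specs[-1]
    used = sum(n["blinding"] for n in outputs)
    blinding = (sum(n["blinding"] for n in input_notes) - used) % Q
    outputs.append({"owner": owner, "value": value, "blinding": blinding,
                    "commitment": commit(value, blinding)})
    return outputs


def verify_join_split(input_views, output_views):
    """Public balance check using only commitments: the products agree iff
    values and blindings sum to the same totals. A real system adds range
    proofs so that values cannot wrap around modulo Q."""
    lhs = rhs = 1
    for view in input_views:
        lhs = lhs * view["commitment"] % P
    for view in output_views:
        rhs = rhs * view["commitment"] % P
    return lhs == rhs
```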

AZTEC is also exploring other novel approaches to the trusted setup. PLONK is a new and efficient ZK-SNARK construction whose trusted setup is universal and can be reused by all programs. Because of its low gas requirements, PLONK is efficient enough for practical use on Ethereum.

AZTEC Protocol CEO Tom Pocock believes that PLONK can be used to write complex logic statements while maintaining perfect privacy.

ZK combined with secure multi-party computing (Secure MPC)

This approach, implemented in ZKBoo and Ligero, "compiles" a secure multi-party computation protocol into a ZK-PCP system (one of the earliest probabilistic ZK systems): the prover commits to a transcript of the MPC protocol, and the verifier randomly evaluates the view of one of the parties. This means that an entity holding the relevant data can simulate the distributed computation between multiple parties on its own and then reveal the committed transcript at a random evaluation point. More importantly, using MPC makes it possible to create private smart contracts.

Like ZK-STARK, MPC-based proofs have the following characteristics:

  • Transparent: the random numbers used are public information;
  • Post-quantum secure: public randomness and hash functions remain problems that quantum systems cannot solve at scale;
  • Scalable: MPC-based proofs have quasi-linear proof time and verifier time for efficient batch computation.

Some trade-offs in using such technologies involve optimizing for small to medium-sized "circuit" problems, which can lead to scalability issues for verifiers.

That said, MPC-based technologies are not yet mature in the blockchain field, but they will be more versatile than existing ZK technologies, especially where parties must protect confidential information related to the computation itself. For example, MPC is useful for running a credit-scoring algorithm to assess a customer's creditworthiness when neither the customer nor the bank wants to give up confidential information such as the customer's transaction history or the weights in the bank's ML credit-scoring model.

Hardware limitations

When Zcash first introduced the idea of using zk-SNARKs to send transactions, there was serious concern about the computing power required for shielded transactions, since generating one took several hours or more. Since then great strides have been made, and similar tasks can now be done in a browser or even on a mobile device in just a few seconds.

Mixers

Mixers have also attracted a lot of attention. In May of this year, Vitalik published the design and general framework of a new generation of mixers on the Ethereum website.

An Ethereum mixer enables private transactions at the level of individual wallets or users. Because ETH is traceable, specific transactions can be tracked and linked to other wallets or accounts; a mixer is used to exchange ETH so as to further anonymize the transaction.

Many groups are working to make Ethereum mixers more practical. Below is the latest chart of the computation and gas costs for depositing and withdrawing mixed ETH.

[Chart not reproduced: computation and gas costs for depositing and withdrawing mixed ETH]

A single application-layer mixer may not currently provide absolute privacy to the user, only a probabilistic guarantee. However, this already meets the needs of most individuals and businesses.

Who pays the gas fee?

A fatal flaw in these methods is that, at the end of the day, someone has to pay the gas fee for the output transaction. Where does that ETH come from? If the ETH that ultimately pays for gas can be traced back to a user, that user can be deanonymized, which defeats the purpose.

This creates a privacy "chicken and egg" problem: the only way to receive anonymous ETH is to already have anonymous ETH. In Vitalik's blog post about the mixer, he addresses the problem with a simple relayer registration contract. Under this scheme, a relay operator who commits to publishing arbitrary transactions can register an HTTP endpoint so that transactions can be published anonymously.

Finally, wallet changes and operational security must be considered. How to find safe defaults that protect users without making the experience too cumbersome is still under discussion. All of these mixing solutions need a large number of participants before privacy can reasonably be expected, so the tools must be easy to use. However, any shortcut can lead to very serious privacy violations. For example, a user mixes some ETH, spends part of it on something that should remain private, then forgets which wallet they used for the private transaction and sends the remaining ETH back to an address publicly associated with them.
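The mistake described above is detectable by the wallet before the transfer is signed. The following is an added example, not code from the article or from any mixer project: it clusters addresses joined by direct, non-mixer transfers over a constructed transaction list and reports which mixer deposit addresses a proposed send would link a withdrawal address to. The addresses, the mixer address and the simple common-counterparty heuristic are constructed for this example.

```python
# Constructed sample transfers (sender, receiver, amount in ETH); none of
# these addresses are real. MIXER is the mixing contract's address.
MIXER = "0xMIXER"
TXS = [
    ("0xAlicePublic", MIXER, 1.0),   # Alice deposits from her known address
    (MIXER, "0xFresh1", 1.0),        # withdraws to a never-used address
    ("0xFresh1", "0xShop", 0.4),     # the purchase that should stay private
]


class Clusters:
    """Union-find over addresses joined by direct, non-mixer transfers."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def build_clusters(txs, mixer):
    """Link every sender/receiver pair except transfers through the mixer,
    which is exactly the edge the mixer is meant to cut."""
    clusters = Clusters()
    for sender, receiver, _ in txs:
        if mixer in (sender, receiver):
            continue
        clusters.union(sender, receiver)
    return clusters


def deposit_addresses(txs, mixer):
    """Addresses that sent ETH into the mixer (publicly visible)."""
    return {sender for sender, receiver, _ in txs if receiver == mixer}


def linked_deposits(txs, mixer, address):
    """Deposit addresses sharing a cluster with `address`; non-empty for a
    withdrawal address means the mix has been undone."""
    clusters = build_clusters(txs, mixer)
    root = clusters.find(address)
    return {d for d in deposit_addresses(txs, mixer) if clusters.find(d) == root}


def check_before_send(txs, mixer, sender, receiver):
    """Wallet-side guard: which deposit addresses would the proposed transfer
    link the sender to? An empty set means the mix stays intact."""
    return linked_deposits(txs + [(sender, receiver, 0.0)], mixer, sender)
```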

These technological advances show that privacy on the Ethereum network is receiving increasing attention. While achieving privacy on a public blockchain may seem contradictory, technologies such as zero-knowledge proofs will enable a variety of new frontier use cases. At the same time, these solutions will give users greater confidence in their financial privacy.

There is no magic bullet when it comes to privacy. To create a crypto-native world, the ability to transact anonymously or otherwise protect personal information is critical. While this article is not a complete overview of all of Ethereum's privacy features, it has covered various ways to meet the privacy needs of businesses and consumers. The entire crypto-asset ecosystem is inspired by the freedom that censorship-resistant technology provides.

We will continue to research and evaluate Ethereum's privacy solutions to help educate and advance the technology.

Authors: Dean Pierce, Robert Drost, Mason Nystrom

Translation: Flash Chan

Edit: Sonny Sun

Typesetting: Roy