Privacy may be the only thing DeFi fans and cypherpunks can agree on. In 2020, political censorship is motivating further adoption of cryptocurrencies which are anonymous - that means the senders’ and receivers’ identities are not linked on the blockchain. From the other side, the DeFi community is waking up to the need for confidential transactions, where the amount being sent is hidden. This will be essential for smart contract derivative instruments, peer-to-peer lending and the like.
So what privacy tools are available on Ethereum? As of today, not many. The past decade has seen lots of innovation around Bitcoin privacy and Privacy Coins, like Monero and Zcash, but Ethereum has yet to reap the benefits of this innovation.
This is changing. From lightweight mixing protocols to bleeding-edge zero knowledge proofs, Ethereum privacy is finally having its day. Here’s what you should know about and where things are headed.
If you’re new to blockchain, Ethereum or privacy coins, the Ivan On Tech Academy has dozens of courses that will turn you into a capable blockchain developer, trader, or professional. Try our course on Cryptography and Privacy Coins today.
The earliest proposal for private DeFi was to set up separate, non-public Ethereum blockchains. For example, a local government could set up a land title registry as a smart contract on the state’s internal Ethereum network. In this example, only the government is allowed to run nodes, and the consensus mechanism is ‘proof-of-authority’ -- authorized nodes can issue new blocks whenever they like.
One main benefit of this (besides privacy) is that records can be changed. In the case of land titles, if someone passes away and they haven’t designated an heir, the blockchain needs to be ‘manually updated’ so that the physical land can be put up for auction. However, these networks don’t support payment in mainnet currencies, so private Ethereum blockchains lose out on the network effects of global public blockchains.
Zether is a private cryptocurrency that lives within the Zether Smart Contract. Anyone can buy ZTH by depositing ETH to the Zether smart contract. When ZTH is transferred, the blockchain records long strings of numbers and letters from the user’s address to the contract which hide the amount and receiver, but are still verifiable. Zether also uses timing and decoys to expand the anonymity set.
Imagine a network of ATMs where, if you deposit $1, you receive a ‘token of deposit’ which you can use to withdraw $1 from any other ATM, at any time.
Tornado.cash is a smart contract that works in this way: when a user submits ETH, they receive a Note. That note can be exchanged back for the same amount of ETH - at any time, from any address. Importantly, the note proves it’s connected to some unspent deposit, but it doesn’t reveal which one -- so Alice isn’t directly linked to Bob. It also works for any ERC20 token, not just ETH.
Next, imagine you take these ‘tokens of deposit’, allow people to exchange them privately on a separate blockchain.
Incognito is a separate blockchain connected to the Ethereum mainnet by a smart contract bridge. You can ‘mint’ a privacy version of any ERC20 token on Incognito by depositing a real one (along with your Incognito address) to the ERC20 smart contract. After that, you can send and receive your private tokens on the Incognito network privately and cheaply. When you’re ready to withdraw, your privacy tokens will be burned and their public counterparts sent from the smart contract to an Ethereum address you choose.
Incognito runs a UTXO-based ledger similar to Monero with RingCT, Stealth Addresses and Bulletproofs. Because users can exchange tokens on the Incognito DEX, the anonymity set is potentially all the value held on Incognito, of any currency. As of this writing, there is over $750,000 in USD-T alone shielded and growing.
Now, imagine the sidechain’s bridge goes down. What happens to the ETH you deposited to the smart contract? We need a mechanism for the Ethereum network to maintain control even while other networks help with computation. We need fraud proofs. Back in 2017, Vitalk proposed just such a solution and called it Plasma. In his own words from 2019:
“Plasma chains are sidechains that have a non-custodial property: if there is any error in the Plasma chain, then the error can be detected, and users can safely exit the Plasma chain and prevent the attacker from doing any lasting damage.”
He was particularly interested in trust and liveliness. Users shouldn’t have to trust any additional parties beyond the Ethereum mainnet. If there’s a problem with the private blockchain, Ethereum mainnet will still let users withdraw from the contract. While some ideas were discussed, little progress was made on this idea before it was replaced with Vitalik’s next suggestion...
So how can the Ethereum mainnet police the sidechains? By making them post compact proofs of their own validity into ‘rolled-up’ transactions on the Ethereum mainnet. That way, if a transaction is invalid, the rolled-up transaction won’t be accepted. If the sidechain goes down, I can withdraw the amount I deposited to the contract +/- all accepted transactions.
But how is this more efficient than a regular transaction? Instead of sending transactions to the EVM (Ethereum Virtual Machine), a separate service (layer-2) does all validating and produces one “succinct” proof that the whole batch is correct. If the EVM can validate this proof, it will accept the whole batch and record it as metadata to the rollup transaction. If the EVM finds a problem in the proof, the whole batch is rejected. All of this is included in the phases of ETH 2.0.
We can combine ZoKrates with roll-ups to create highly-scalable Privacy Coins - which is exactly what the next two projects have done. We call these zk-rollups because they combine the two technologies. (RingCT anyone?) But keep two things in mind:
If either of the above is news to you, you should check out my Cryptography and Privacy Coins course on the IvanOnTech academy. You can try it free for 7 days, and tbh you can finish in that time if you work hard. See you there.
Ethereum 9 ¾ is one instantiation of rollups which uses MimbleWimble to hide even more information. MimbleWimble does away with accounts, and instead basically issues a unique spending key for every new output. Ethereum 9 ¾ also uses an ECC-encrypted data structure called a Pedersen Markle Mountain Range to reduce the size of the proof posted to mainnet.
Ethereum 9 ¾ is currently being developed part-time, but they have a trusted ceremony planned which they’re calling “Destroying Horcruxes.” For those struggling to keep up with Harry Potter references in the MimbleWimble ecosystem, a Horcrux is an object that grants immortality in exchange for a fragment of one’s soul. Keep an eye on “eth 934” this year.
Ernst & Young, the ‘Big-Four’ American consultancy produced their own version of a zk-rollup library called Nightfall and open-sourced the code. This was seen as a big step for traditional finance away from private Ethereum blockchains, which have seen a lot of attention in the past couple years, toward privacy solutions for public blockchains.
It looks useful, and brings the technical reputation of E&Y. Keep an eye out for developers using Nightfall to add privacy to their Dapps in 2020.
Where Nightfall takes some trusted setup as an input, Aztec comes pre-loaded with one. Anyone can generate and validate zk-proofs in their own child smart contracts by interacting with the ACE (Aztec Cryptography Engine) smart contract.
It’s important to note that Aztec is not a private Ethereum blockchain. It’s just a smart contract which can be called to create and validate zero knowledge proofs on the EVM. Aztec is also built on ZoKrates and was developed with financial instruments in mind. Private notes can represent ratios of other notes, such as interest payments or bond yields. Aztec focuses on confidentiality for now - obscuring the value of a transaction - and will add anonymity features in future versions.
When asked about privacy for Ethereum, Vitalk usually says that public blockchains play an irreplaceable role, and adequate privacy can be achieved through layer-2 solutions - like the ones described above - so it’s probably better for Ethereum to remain public. Lately, however, he includes ‘STARKS’ (Scalable, Transparent, Arguments of Knowledge) in his long-term vision of Ethereum 2.0. STARKs, unlike SNARKs, are based on cryptography which pre-dates ECC.
Another big proponent of STARKs is Eli Ben-Sasson, one of inventors of zkSNARKS and an author of the Zerocash paper. He co-founded StarkWare, who did a mainnet proof-of-concept just a couple days ago. It’s likely we’ll see more friendly collaboration between him, Vitalik and others as Ethereum looks for the right privacy solution to implement at a protocol level.
If you’re serious about privacy and want an intuitive understanding of Ethereum, private blockchain technology and cryptography, register for Cryptography and Privacy Coins now. We’ve certified hundreds of students already - what are you waiting for?
Get to work in a fast growing industry. Start learning blockchain together with our 20,000+ students today.
Use coupon code BLOG20 for 20% off.