Confidential Transactions on Ethereum

Transaction privacy is a fundamental requirement for many kinds of financial services, and the inability to provide this privacy has prevented Ethereum from providing compelling alternatives to traditional financial instruments. There are several blockchains and blockchain projects that use cryptographic techniques to provide this privacy, but this privacy is reserved for the ‘native’ cryptocurrency of the blockchain in question. This transaction privacy is not accessible for digital assets built on top of blockchain protocols. For example, I can’t code up a corporate bond smart contract on Ethereum, where ownership notionals are private.

Well, until now, that is.

Show and tell: the peculiar case of confidential DAI

Here, take a look at this:

{
    "gamma": "0x20a92d2a4f0dd850314a745719dde20934db69cc8e9b5b84b5819e062d66bb7500",
    "sigma": "0x17d62693c0c9a356e2fd6b0ce877b78c6a1f8a7f195e9db4c0b68e0693d73b3600"
}

This curious jumble of characters is a form of DAI, the dollar-pegged stablecoin created by MakerDAO. But it looks a little odd, doesn’t it? This would normally just be an ethereum address, and a number representing how much DAI that ethereum address has. But this isn’t normal DAI.

You see, when I sent this transaction, my ethereum address (zac.creditmint.eth) became the owner of this DAI, but here’s the thing: nobody can figure out how much DAI I have. Unlike almost every other DAI holder in the world, my DAI balance is encrypted and represented in the form of zero-knowledge AZTEC notes. I can spend this DAI at will by sending some to a different address, but when I do nobody will be able to figure out how much of it I’m sending. For example, I sent a colleague some of my DAI in this transaction and good luck figuring out how much they have.

This is all quite new, and I’m so very excited to be showing this to you and the wider Ethereum community. We’ve been developing this for almost a year now, but we’ve held off on making any formal announcements because I wanted to show you that specific, peculiar, jumble of hexademical characters.

Because this isn’t some imagined technology that will one-day be implemented.

It doesn’t require modifications to the Ethereum protocol.

It is a working demonstration that is live on the Ethereum main-net today, and that AZTEC zero-knowledge note is a real note that encrypts real DAI.

A breakdown of AZTEC confidential transactions

There are really two questions here: what is the AZTEC protocol and how does it work? I can only answer how by getting into the guts of elliptic curve cryptography, which is a topic for another blog article (you can read a formal description in our paper. For a lightning summary of how this thing works: it’s not a ZK-SNARK, it’s an algebraic zero-knowledge proof that utilizes Boneh-Boyen signatures to create a commitment scheme with a highly efficient range proof embedded into each commitment.

Right, well that’s cleared everything up then. So I’m going to focus on answering what the AZTEC protocol is. What is it doing when transactions are sent to it? To start with, we need to describe what we mean by ‘confidential transaction’.

A confidential transaction is a transfer of value between two or more entities, where the values being transferred are not visible to observers.

Confidential transactions have come in several forms, from ring signatures to ZK-SNARK circuits. Similar to ZCash, the AZTEC protocol uses the concept of encrypted ‘notes’ and join-split transactions.

Encrypted Digital Assets and the AZTEC note

The AZTEC protocol does not represent ‘value’ like a traditional balance, which maps owners to how much they own. Instead, value is represented by notes. A note contains the following public information:

  • An AZTEC commitment: an encrypted representation of how much ‘value’ the note holds

  • An Ethereum address of the note’s owner

A note has the following private information

  • The value of the note

  • The note’s viewing key. Knowledge of the viewing key enables a person to decrypt the note (but not spend it)

One owner can have multiple notes. A digital asset that conforms to the AZTEC protocol will contain a note registry, which allows a smart contract to recover the public information of every unspent note that currently exists.

How can AZTEC notes be spent?

An AZTEC note owner can ‘spend’ their notes in a join-split style confidential transaction. In this transaction, the note owner will destroy some unspent AZTEC notes they own. In their place, they will create a set of new notes. The sum of the values of the new notes must be equal to the sum of the values of the old notes, plus a public commitment (I’ll get to that in a bit, but for now let’s assume this is worth 0).

So imagine Alice has two AZTEC notes worth 100 tokens combined. If she wants to send Bob 20 tokens, Alice would create one or more notes owned by Bob, whose values sum to 20. She would then create one or more notes owned by her, the sum of which is 80 tokens.

She would then create an AZTEC zero-knowledge proof that proves this relationship in zero-knowledge (i.e. Alice does not reveal to anybody how much the notes are actually worth, just that the balancing relationship holds). The AZTEC token smart contract will then validate this zero-knowledge proof, destroy Alice’s input notes and then create the output notes in its note registry.

When Alice is creating Bob’s notes, she constructs note viewing keys that Bob will be able to identify, via a non-interactive secret-sharing protocol. Bob is dependent on Alice to act ‘trustfully’ in this regard and not provide viewing keys that can be decoded by observers. This is already implicitly required — after all Alice could broadcast to the world how much she is sending Bob if she did not want the transaction to be confidential.

How is note ‘ownership’ defined?

Every confidential transaction also requires digital signatures — a signature is required for every input note, signed by the input note’s owner. The message of the signature is a hash of the zero-knowledge proof. This provides an implicit acceptance that the note owners are satisfied with the outcome of the confidential transaction, and want the transaction to be processed.

How do we get value into AZTEC note form?

Confidentially transfering value is nice, but without a way of getting ‘value’ (let’s call this v) into the AZTEC cryptosystem it all seems a bit academic. This is done via that ‘public commitment’ in a confidential transaction. Assume that the AZTEC token is linked to a public ERC-20 token. If the AZTEC zero-knowledge proof requires a public commitment value v != 0 in order for the balancing equation to be correct, this means one of two things:

1. If v is negative, the output notes are worth -v more than the input notes

2. If v is positive, the input notes are worth v more than the output notes

If Alice issues a confidential transaction where v is negative, the AZTEC token smart contract will transfer -v public ERC-20 tokens from Alice to its own contract address. Effectively, the AZTEC token smart contract acts as a custodian of the ERC-20 tokens while they are in confidential note form. Naturally, if this token transfer is rejected (e.g. Alice doesn’t have enough tokens) then the transaction will be aborted.

If Alice issues a confidential transaction where v is positive, this represents a conversion from AZTEC notes into public ERC-20 tokens. The AZTEC token smart contract will transfer Alice v public ERC-20 tokens.

There’s one small caveat — the amount of tokens being transferred is actually v multiplied by a scaling factor. This is because the range of integers an AZTEC note supports is smaller than that of an ERC-20 token. Our proof of concept deployment to main-net supports numbers from 0 to about 1 million and our full implementation of the AZTEC protocol will support approximately 32-bit integers (more on that in a bit). ERC-20 token balances, on the other hand, are represented by 256-bit integers.

The scaling factor picked depends on the ERC-20 token being linked to. For our proof of concept confidential DAI deployment, an AZTEC note with value 1 is equal to 0.1 DAI.

What is the cost of all of this?

The AZTEC protocol uses a bespoke commitment scheme that enables highly efficient range proofs. As a result, the amount of computation required by the verification smart contract is much smaller than one might expect. The overwhelming contributor to a confidential transaction’s gas costs is the elliptic curve arithmetic required to validate the AZTEC zero knowledge proof. It costs 3i + 4j elliptic curve scalar multiplications to validate a proof, where i is the number of input notes and j is the number of output notes. Each confidentialTransfer transaction also requires a single elliptic curve bilinear pariing comparison to verify.

The reason I’m using such odd wording is because the gas costs of these arithmetic operations is likely to go down in the future due to protocol upgrades implemented by geth and parity (EIP-1108). It currently costs about 900,000 gas to issue a confidential transaction that contains 4 notes (this is the total gas cost, not just the cost of validating the cryptogrpahy of a transaction). If/when EIP-1108 goes live, the gas costs will fall to about 200,000–300,000.

What information can be gleaned from confidential transactions?

The AZTEC protocol has been something of a obsession of mine for the past 11 months and I wouldn’t be comfortable releasing this out into the wild without giving a full account of the protocol’s strengths and limitations, I believe that being up-front about this is important.

With that out of the way, any protocol that converts something public into something private will reveal information at the entry and exit points of the cryptosystem.

If you’re adding tokens into note form, an observer will know that the value of the output notes is at least the amount you’ve converted.

Similarly, after redeeming v tokens, an observer will know that the remaining AZTEC notes are worth v less than the input notes.

These problems can be ameliorated by combining public conversions with additional AZTEC notes. For example, imagine Bob has a note worth 100tokens that he wants to convert into public token form. Instead of just issuing a conversion, Bob should add additional input notes into his transaction and also generate some output notes, even if the extra input and output notes are worth 0. This will prevent an observer from figuring out how much of Bob’s confidential holdings he has converted, even if he has converted all of it and is left with a pile of notes worth nothing.

AZTEC notes have ‘owners’ defined by Ethereum addresses. On the surface, note ownership is not anonymous (e.g. people can see my ethereum addresshas a zero-knowledge DAI note); the AZTEC protocol includes a Monero-style stealth-address protocol to derive Ethereum addresses that are single-use and cannot be linked to any other Ethereum address (e.g. if you have an AZTEC wallet, I can ‘send’ a note to an Ethereum address you control, but nobody but you and me will know this is the case). The protocol supports both stealth addresses (which require a specific wallet to work; you need two public/private key pairs so a regular Ethereum account won’t work) and regular Ethereum addresses (which are not anonymous — if you own a note everybody will be able to see that).

The more users of a dual public/confidential asset, the greater the privacy provided. For example, when testing our main-net deployment, I converted 50 DAI into AZTEC notes and sent a bunch to my colleagues. Obviously, the sum of all the notes is 50 DAI so a single note can’t encrypt very much. Now imagine that somebody else created 1000 DAI worth of confidential notes, and we split and merged a few of our notes — it would be impossible to identify how much DAI any of these notes had, other than they would have 1050 DAI as a maximum.

To reduce this to extremes — if I converted 10 DAI into a single AZTEC note, this gives no privacy at all. The ability to create notes worth zero is important to maximize privacy — if you were going to convert 10 DAI and wanted a single note for ease-of-use, you should also create a few notes worth 0 DAI to mask how much each note is worth.

Naturally, a ‘lazy’ use of the protocol will leak information. For example, imagine you converted 10 DAI into 5 notes, where 4 were worth 0 DAI. If you then forgot about these notes and never used them in future transactions, it would be fairly obvious to observers that the un-used notes were worth nothing. Always issuing zero-value notes in join-split transactions, and using them in future join-split transactions minimizes the amount of information available to external observers.

The AZTEC protocol’s trusted setup

The reason the AZTEC protocol is highly efficient is that we combine Boneh-Boyen signature and Pedersen-style commitments into a single commitment scheme with a highly efficient range proof embedded into the commitment. This comes at the cost of requiring a database of elliptic curve points to be generated before the AZTEC protocol can be used. This database is required to construct proofs, but is not needed to verify them.

A bit like ZCash, this trusted setup generates a ‘toxic waste’ private key and if knowledge of that private key is leaked, it can be used to effectively double-spend, and the protocol becomes unusable.

So how do we deal with this? Well, for one we don’t just expect you to trust us. We have developed a scalable multiparty computation protocol that enables anybody to engage in the trusted setup process. If you participate, you generate a piece of ‘toxic waste’ that, naturally, should be destroyed. The trusted setup private key, the thing that must be destroyed at all costs, can only be recovered by piecing together every participant’s toxic waste. So if a single person acts honestly the scheme is completely secure and can only be ‘cracked’ by solving one of the discrete logarithm-based problems (of which the entireity of elliptic curve cryptography rests; if somebody cracks the discrete log problem we’ve all got bigger problems on our hands than the security of the AZTEC protocol!).

We will be announcing the formal description of our trusted setup process in the coming months and will begin to collect participants. It is similar to ZCash’s ‘powers of tau’ ceremony, albeit for a very different end as the AZTEC protocol is not a ZK-SNARK. We want the trusted setup protocol to be simple to take part in and we want to engage the wider Ethereum community in this process, to create a trusted setup database that has the trust and confidence of the community.

Our deployed proof-of-concept smart contracts use a trusted setup that was generated internally, as implementing our multiparty computation trusted setup is going to take several months. Until we have completed this phase the AZTEC protocol is very much use-at-your-own-risk. Whilst I naturally destroyed the toxic waste, there is no way to prove that I did.

One final point (zing…). The size of the trusted setup database grows linearly with the size of the protocol’s range proof. Our proof-of-concept database supports integers between 0 and 1,048,575 because I wanted a database small enough to fit inside a github repo without being a pain to download. Our full implementation will support a much larger range of integers.

Why is the AZTEC protocol important?

Well of course I’m going to say this is important, I’m the most biased person you could ask on this topic! But here’s why I think this is a real game changer: The AZTEC protocol enables the creation of generic confidential digital assets. We picked DAI to start with but with the press of a button the AZTEC protocol can be applied to any ERC-20 token. It also enables the construction of purely confidential assets that don’t have any kind of ERC-20 token equivalent. No extra cryptographic circuits required, no additional trusted setup processes needed. For the first time ever, it’s possible to create confidential digital assets on Ethereum, obtaining the immutability and decentralization benefits of public blockchains without sacrificing privacy.

AZTEC zero-knowledge proofs are also very efficient to construct, and are well within the capabilities of hardware wallets. This opens up the exciting possibility of issuing confidential transactions directly from hardware wallets and never exposing sensitive private keys.

What is in the AZTEC protocol’s future?

Of immediate relevance is releasing our AZTEC proof construction API, to accompany our smart contract verifiers and technical paper. We also have several extensions to the AZTEC protocol in the works, and will be releasing our full vision of the AZTEC protocol over the first half of 2019. This includes several important milestones:

1. A confidential decentralized exchange, where people can trade different AZTEC assets in complete confidentiality — neither the quantities or prices of orders can be gleaned from processed orders. The decentralized exchange uses the relayer pattern to acheive this, as well as a bespoke AZTEC DeX zero-knowledge proof (three actually, I’ll be talking about this in depth once our DeX paper is finalized).

2. Confidential weighted voting. Governance mechanics that respect the privacy of a user’s vote are essential a large range of financial applications and the AZTEC protocol’s efficient range proofs make this achievable.

3. Anonymous identity sharing schemes. Being able to prove that you’re part of a group, without revealing who in the group you are is an essential component for many compliance and KYC processes and our AZTEC token standard will support this kind of identity system.

Combined together, this will give builders the tools needed to create the next wave of decentralized financial services; digital assets with implicit privacy and confidential governance mechanics built in from the ground up.

Last updated