Atum token and shielded transfers, a primer

Glyff


While our previous introductory article aimed at a general description of what Glyff is and aims to be, this publication should help you understand how our Atum token standard and shielded transfers work under the hood. Let’s start!

Preface

What is the Atum token and how does it enable shielded transfers? What is a shielded transfer? These are the starting questions of our dive into the world of privacy-enhancing technologies (PETs). Nowadays privacy is a hot topic, and there are various ways to protect it within the scope of public blockchain technologies, as counterintuitive as that may initially seem. Glyff, like ZCash, uses zk-SNARKs, as opposed to Monero, which employs bulletproofs. There are several different techniques, but they all build upon the common concept of a “commitment scheme”:

A computationally hiding and binding commitment scheme is a cryptographic primitive that allows one to commit to a chosen input in such a way that no information is revealed about it without knowledge of the trapdoor function (hiding), while preserving the ability to reveal the committed value at a later stage by revealing the trapdoor (binding).

Privacy and Atum

The Atum token is Glyff’s privacy-enabled crypto-asset standard that allows transacted amounts and addresses to remain shielded from public view. Within Atum tokens, shielded value is represented by a note. When initially issued, Atum tokens will be “transparent”, i.e., they will be visible on the ledger, like standard Ethereum ERC20 tokens. In order to enable shielded transfers, they must be converted to a note through a process dubbed “shielding”, which involves creating a “note commitment” and adding it to a data structure called the “note commitment tree”. The main privacy property is that when a note is spent, the spender proves that he knows a secret used as part of the commitment scheme for one of the commitments in the commitment tree and reveals the “serial number”, which prevents double-spends and is part of the commitment scheme input, but is not enough on its own to link the spending statement to any particular note. In practice, this means that a note cannot be linked to the transaction in which it was created and that, from an adversarial point of view, the note “traceability set” equals all notes that the adversary does not control or know to be spent, which yields superior privacy compared to other approaches.

Shielding and Un-shielding

Shielding is the act of taking value from the transparent value pool to transfer it to the shielded value pool. The value remaining in the pool cannot be negative (which is enforced as a consensus rule) and if positive is available as a block finder’s reward in the coinbase. Balance is ensured by the additively homomorphic property of the commitment scheme used and enforced by proving that the sum of the value commitments for the shielded inputs minus the shielded outputs commits to the net transparent value change. Un-shielding is defined as the redemption of notes for transparent value.
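The balance rule above can be tried out with any additively homomorphic commitment. The following is an added example, not Glyff code: it assumes a Pedersen-style commitment in a small toy group (the page does not name the scheme), and the parameters `P`, `G`, `H` and all sample values are constructed for illustration and are not secure.

```python
import hashlib

# Toy parameters (assumption, not secure): multiplicative group modulo 2^127 - 1.
P = 2**127 - 1
ORDER = P - 1  # exponents are reduced modulo the group order
G = 3
# Second base derived by hashing, so nobody chooses its discrete log relative to G.
H = int.from_bytes(hashlib.sha256(b"demo-value-commitment-base").digest(), "big") % P

def commit(value, blind):
    """Value commitment G^value * H^blind mod P (hypothetical helper)."""
    return pow(G, value % ORDER, P) * pow(H, blind % ORDER, P) % P

def net_commitment(inputs, outputs):
    """Product of input commitments divided by the product of output commitments."""
    acc = 1
    for c in inputs:
        acc = acc * c % P
    for c in outputs:
        acc = acc * pow(c, -1, P) % P
    return acc

def balance_ok(inputs, outputs, transparent_change, blind_balance):
    """True if inputs minus outputs commit to the public transparent value change."""
    return net_commitment(inputs, outputs) == commit(transparent_change, blind_balance)

def demo():
    # Constructed sample: spend notes worth 70 and 50, create a note worth 90,
    # and release the remaining 30 as transparent value (an un-shielding of 30).
    r1, r2, r3 = 1111, 2222, 1234          # fixed blinds so the demo is reproducible
    ins = [commit(70, r1), commit(50, r2)]
    outs = [commit(90, r3)]
    blind_balance = r1 + r2 - r3           # the only extra value the verifier needs
    honest = balance_ok(ins, outs, 30, blind_balance)
    inflated = balance_ok(ins, outs, 31, blind_balance)  # claims one unit too many
    return honest, inflated

if __name__ == "__main__":
    print(demo())
```

The verifier never sees 70, 50 or 90, only the commitments, the public change of 30 and the blinding balance. A production scheme additionally proves that each committed value lies in a valid range, since the exponent arithmetic here wraps around.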

Shielded transfers

A shielded transfer is the act of spending a note, which is done via a zero-knowledge proof-of-knowledge of values derived from its position in the note commitment tree. Additionally, a serial number associated with the note must be disclosed publicly to prevent double-spending, and a spend authorization signature is required to prove knowledge of the spending key. Value is transferred by splitting the note into multiple notes with different recipients and is spendable by the recipient who holds the spending key to a given “stealth” payment address. The operation is also known as “join-split”.
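To make the roles of the note commitment, the commitment tree and the serial number concrete, here is an added sketch that is not Glyff code. The field names (`a_sk`, `rho`, `r`), the SHA256 derivations and the depth-4 tree are assumptions for illustration, and the spend statement is checked in the clear, whereas the real protocol evaluates it inside the zk-SNARK so the witness stays private.

```python
import hashlib

def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def note_commitment(a_pk, value, rho, r):
    # The random trapdoor r hides the note; SHA256 collision resistance binds it.
    return sha(b"cm", a_pk, value.to_bytes(8, "big"), rho, r)

def serial_number(a_sk, rho):
    # PRF keyed with the spending key: cannot be matched to a commitment without a_sk.
    return sha(b"sn", a_sk, rho)

def merkle_path(leaves, index, depth=4):
    """Return (root, sibling hashes) for leaves[index]; toy tree of at most 16 notes."""
    level = leaves + [b"\x00" * 32] * (2**depth - len(leaves))
    path = []
    for _ in range(depth):
        path.append(level[index ^ 1])
        level = [sha(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def spend_statement(root, sn, witness):
    """Relation the spender proves: a committed note exists under root and sn
    is derived from its spending key. Checked in the clear in this sketch."""
    a_sk, value, rho, r, index, path = witness
    node = note_commitment(sha(b"pk", a_sk), value, rho, r)
    for sibling in path:
        node = sha(node, sibling) if index % 2 == 0 else sha(sibling, node)
        index //= 2
    return node == root and sn == serial_number(a_sk, rho)

def spend(commitments, spent, sn, witness):
    """Ledger-side rule: accept a valid spend once, reject a repeated serial number."""
    root, _ = merkle_path(commitments, 0)
    if sn in spent or not spend_statement(root, sn, witness):
        return False
    spent.add(sn)
    return True

def demo():
    a_sk, rho, r = b"k" * 32, b"\x01" * 32, b"\x02" * 32  # constructed sample secrets
    tree = [sha(b"unrelated note"), note_commitment(sha(b"pk", a_sk), 25, rho, r)]
    witness = (a_sk, 25, rho, r, 1, merkle_path(tree, 1)[1])
    spent, sn = set(), serial_number(a_sk, rho)
    return spend(tree, spent, sn, witness), spend(tree, spent, sn, witness)
```

`demo()` spends the same note twice: the first attempt is accepted and the second is rejected because its serial number is already in the spent set.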

Feasibility and costs

All of these operations require a large number of arithmetic operations and don’t come without a burden. Currently, Glyff implements the heavy-lifting computation via native pre-compiled contracts, which helps to keep the costs at a reasonable level. The cost of a shielding/un-shielding operation is slightly more than 180k Gas, while a shielded transfer with a single input and output note peaks at 240k.

Gas costs for a shielding operation with Atum token

Better circuits

Atum relies on the SHA256 compression function to instantiate the pseudo-random functions, collision-resistant hash functions, and commitment schemes we currently use. SHA256 consists mostly of boolean operations and is not efficient to evaluate inside a zk-SNARK circuit, making it the primary cost for our operations. The next planned upgrade will switch to the “Sapling” release of Zcash cryptography, which will bring in a number of improvements to the performance, security, and usability of shielded transactions.

Atum token demo

For those that want to fiddle around at this stage, we have made available a simple helper script, which includes all the functionalities described above. Spin up your own node instance and deploy your own Atum token on the Glyff network, shield and un-shield funds and execute shielded transfers, all from within the Glyff console. Still don’t have access to our private testnet? Request it here.

Glyff wallet

The Atum token standard and all of the above operations will be natively supported by our upcoming cross-platform wallet application. Users will be able to manage their stealth payment addresses, convert from transparent to shielded funds and vice-versa, as well as exchange funds via fully shielded transfers with other users of the Glyff network. The release of the Glyff wallet is estimated for Q2 of this year. Meanwhile, you can keep track of development on our official GitHub repository.
