Confidential transactions have arrived, a dive into the AZTEC Protocol

Zac
Zac
Dec 4, 2018 · 13 min read

Transaction privacy is a fundamental requirement for many kinds of financial services, and the inability to provide this privacy has prevented Ethereum from providing compelling alternatives to traditional financial instruments. There are several blockchains and blockchain projects that use cryptographic techniques to provide this privacy, but this privacy is reserved for the ‘native’ cryptocurrency of the blockchain in question. This transaction privacy is not accessible for digital assets built on top of blockchain protocols. For example, I can’t code up a corporate bond smart contract on Ethereum, where ownership notionals are private.

Well, until now, that is.

Show and tell: the peculiar case of confidential DAI

{
"gamma": "0x20a92d2a4f0dd850314a745719dde20934db69cc8e9b5b84b5819e062d66bb7500",
"sigma": "0x17d62693c0c9a356e2fd6b0ce877b78c6a1f8a7f195e9db4c0b68e0693d73b3600"
}

This curious jumble of characters is a form of DAI, the dollar-pegged stablecoin created by MakerDAO. But it looks a little odd, doesn’t it? This would normally just be an ethereum address, and a number representing how much DAI that ethereum address has. But this isn’t normal DAI.

You see, when I sent this transaction, my ethereum address (zac.creditmint.eth) became the owner of this DAI, but here’s the thing: nobody can figure out how much DAI I have. Unlike almost every other DAI holder in the world, my DAI balance is encrypted and represented in the form of zero-knowledge AZTEC notes. I can spend this DAI at will by sending some to a different address, but when I do nobody will be able to figure out how much of it I’m sending. For example, I sent a colleague some of my DAI in this transaction and good luck figuring out how much they have.

This is all quite new, and I’m so very excited to be showing this to you and the wider Ethereum community. We’ve been developing this for almost a year now, but we’ve held off on making any formal announcements because I wanted to show you that specific, peculiar, jumble of hexademical characters.

Because this isn’t some imagined technology that will one-day be implemented.

It doesn’t require modifications to the Ethereum protocol.

It is a working demonstration that is live on the Ethereum main-net today, and that AZTEC zero-knowledge note is a real note that encrypts real DAI.

A breakdown of AZTEC confidential transactions

Right, well that’s cleared everything up then. So I’m going to focus on answering what the AZTEC protocol is. What is it doing when transactions are sent to it? To start with, we need to describe what we mean by ‘confidential transaction’.

A confidential transaction is a transfer of value between two or more entities, where the values being transferred are not visible to observers.

Confidential transactions have come in several forms, from ring signatures to ZK-SNARK circuits. Similar to ZCash, the AZTEC protocol uses the concept of encrypted ‘notes’ and join-split transactions.

Encrypted Digital Assets and the AZTEC note

  • An AZTEC commitment: an encrypted representation of how much ‘value’ the note holds
  • An Ethereum address of the note’s owner

A note has the following private information

  • The value of the note
  • The note’s viewing key. Knowledge of the viewing key enables a person to decrypt the note (but not spend it)

One owner can have multiple notes. A digital asset that conforms to the AZTEC protocol will contain a note registry, which allows a smart contract to recover the public information of every unspent note that currently exists.

How can AZTEC notes be spent?

So imagine Alice has two AZTEC notes worth 100 tokens combined. If she wants to send Bob 20 tokens, Alice would create one or more notes owned by Bob, whose values sum to 20. She would then create one or more notes owned by her, the sum of which is 80 tokens.

She would then create an AZTEC zero-knowledge proof that proves this relationship in zero-knowledge (i.e. Alice does not reveal to anybody how much the notes are actually worth, just that the balancing relationship holds). The AZTEC token smart contract will then validate this zero-knowledge proof, destroy Alice’s input notes and then create the output notes in its note registry.

When Alice is creating Bob’s notes, she constructs note viewing keys that Bob will be able to identify, via a non-interactive secret-sharing protocol. Bob is dependent on Alice to act ‘trustfully’ in this regard and not provide viewing keys that can be decoded by observers. This is already implicitly required — after all Alice could broadcast to the world how much she is sending Bob if she did not want the transaction to be confidential.

How is note ‘ownership’ defined?

How do we get value into AZTEC note form?

1. If v is negative, the output notes are worth -v more than the input notes

2. If v is positive, the input notes are worth v more than the output notes

If Alice issues a confidential transaction where v is negative, the AZTEC token smart contract will transfer -v public ERC-20 tokens from Alice to its own contract address. Effectively, the AZTEC token smart contract acts as a custodian of the ERC-20 tokens while they are in confidential note form. Naturally, if this token transfer is rejected (e.g. Alice doesn’t have enough tokens) then the transaction will be aborted.

If Alice issues a confidential transaction where v is positive, this represents a conversion from AZTEC notes into public ERC-20 tokens. The AZTEC token smart contract will transfer Alice v public ERC-20 tokens.

There’s one small caveat — the amount of tokens being transferred is actually v multiplied by a scaling factor. This is because the range of integers an AZTEC note supports is smaller than that of an ERC-20 token. Our proof of concept deployment to main-net supports numbers from 0 to about 1 million and our full implementation of the AZTEC protocol will support approximately 32-bit integers (more on that in a bit). ERC-20 token balances, on the other hand, are represented by 256-bit integers.

The scaling factor picked depends on the ERC-20 token being linked to. For our proof of concept confidential DAI deployment, an AZTEC note with value 1 is equal to 0.1 DAI.

What is the cost of all of this?

The reason I’m using such odd wording is because the gas costs of these arithmetic operations is likely to go down in the future due to protocol upgrades implemented by geth and parity (EIP-1108). It currently costs about 900,000 gas to issue a confidential transaction that contains 4 notes (this is the total gas cost, not just the cost of validating the cryptogrpahy of a transaction). If/when EIP-1108 goes live, the gas costs will fall to about 200,000–300,000.

What information can be gleaned from confidential transactions?

With that out of the way, any protocol that converts something public into something private will reveal information at the entry and exit points of the cryptosystem.

If you’re adding tokens into note form, an observer will know that the value of the output notes is at least the amount you’ve converted.

Similarly, after redeeming v tokens, an observer will know that the remaining AZTEC notes are worth v less than the input notes.

These problems can be ameliorated by combining public conversions with additional AZTEC notes. For example, imagine Bob has a note worth 100 tokens that he wants to convert into public token form. Instead of just issuing a conversion, Bob should add additional input notes into his transaction and also generate some output notes, even if the extra input and output notes are worth 0. This will prevent an observer from figuring out how much of Bob’s confidential holdings he has converted, even if he has converted all of it and is left with a pile of notes worth nothing.

AZTEC notes have ‘owners’ defined by Ethereum addresses. On the surface, note ownership is not anonymous (e.g. people can see my ethereum address has a zero-knowledge DAI note); the AZTEC protocol includes a Monero-style stealth-address protocol to derive Ethereum addresses that are single-use and cannot be linked to any other Ethereum address (e.g. if you have an AZTEC wallet, I can ‘send’ a note to an Ethereum address you control, but nobody but you and me will know this is the case). The protocol supports both stealth addresses (which require a specific wallet to work; you need two public/private key pairs so a regular Ethereum account won’t work) and regular Ethereum addresses (which are not anonymous — if you own a note everybody will be able to see that).

The more users of a dual public/confidential asset, the greater the privacy provided. For example, when testing our main-net deployment, I converted 50 DAI into AZTEC notes and sent a bunch to my colleagues. Obviously, the sum of all the notes is 50 DAI so a single note can’t encrypt very much. Now imagine that somebody else created 1000 DAI worth of confidential notes, and we split and merged a few of our notes — it would be impossible to identify how much DAI any of these notes had, other than they would have 1050 DAI as a maximum.

To reduce this to extremes — if I converted 10 DAI into a single AZTEC note, this gives no privacy at all. The ability to create notes worth zero is important to maximize privacy — if you were going to convert 10 DAI and wanted a single note for ease-of-use, you should also create a few notes worth 0 DAI to mask how much each note is worth.

Naturally, a ‘lazy’ use of the protocol will leak information. For example, imagine you converted 10 DAI into 5 notes, where 4 were worth 0 DAI. If you then forgot about these notes and never used them in future transactions, it would be fairly obvious to observers that the un-used notes were worth nothing. Always issuing zero-value notes in join-split transactions, and using them in future join-split transactions minimizes the amount of information available to external observers.

The AZTEC protocol’s trusted setup

A bit like ZCash, this trusted setup generates a ‘toxic waste’ private key and if knowledge of that private key is leaked, it can be used to effectively double-spend, and the protocol becomes unusable.

So how do we deal with this? Well, for one we don’t just expect you to trust us. We have developed a scalable multiparty computation protocol that enables anybody to engage in the trusted setup process. If you participate, you generate a piece of ‘toxic waste’ that, naturally, should be destroyed. The trusted setup private key, the thing that must be destroyed at all costs, can only be recovered by piecing together every participant’s toxic waste. So if a single person acts honestly the scheme is completely secure and can only be ‘cracked’ by solving one of the discrete logarithm-based problems (of which the entireity of elliptic curve cryptography rests; if somebody cracks the discrete log problem we’ve all got bigger problems on our hands than the security of the AZTEC protocol!).

We will be announcing the formal description of our trusted setup process in the coming months and will begin to collect participants. It is similar to ZCash’s ‘powers of tau’ ceremony, albeit for a very different end as the AZTEC protocol is not a ZK-SNARK. We want the trusted setup protocol to be simple to take part in and we want to engage the wider Ethereum community in this process, to create a trusted setup database that has the trust and confidence of the community.

Our deployed proof-of-concept smart contracts use a trusted setup that was generated internally, as implementing our multiparty computation trusted setup is going to take several months. Until we have completed this phase the AZTEC protocol is very much use-at-your-own-risk. Whilst I naturally destroyed the toxic waste, there is no way to prove that I did.

One final point (zing…). The size of the trusted setup database grows linearly with the size of the protocol’s range proof. Our proof-of-concept database supports integers between 0 and 1,048,575 because I wanted a database small enough to fit inside a github repo without being a pain to download. Our full implementation will support a much larger range of integers.

Why is the AZTEC protocol important?

AZTEC zero-knowledge proofs are also very efficient to construct, and are well within the capabilities of hardware wallets. This opens up the exciting possibility of issuing confidential transactions directly from hardware wallets and never exposing sensitive private keys.

What is in the AZTEC protocol’s future?

1. A confidential decentralized exchange, where people can trade different AZTEC assets in complete confidentiality — neither the quantities or prices of orders can be gleaned from processed orders. The decentralized exchange uses the relayer pattern to acheive this, as well as a bespoke AZTEC DeX zero-knowledge proof (three actually, I’ll be talking about this in depth once our DeX paper is finalized).

2. Confidential weighted voting. Governance mechanics that respect the privacy of a user’s vote are essential a large range of financial applications and the AZTEC protocol’s efficient range proofs make this achievable.

3. Anonymous identity sharing schemes. Being able to prove that you’re part of a group, without revealing who in the group you are is an essential component for many compliance and KYC processes and our AZTEC token standard will support this kind of identity system.

Combined together, this will give builders the tools needed to create the next wave of decentralized financial services; digital assets with implicit privacy and confidential governance mechanics built in from the ground up.

We’re going to be open-sourcing our technology to fully realize this vision — if you want to create private assets on Ethereum, AZTEC will provide the smart contracts, resources and tooling to make it a simple experience.

If you’re interested in building with the AZTEC protocol, drop us a line at hello@aztecprotocol.com. And if you’re a talented developer that wants to work with us on to build the future of decentralized finance, reach out to us because we’re also hiring :).

Cheers,

Zac.

Aztec Network

Private transaction network on Ethereum.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store