Thoughts on the design of Zeth Bearer Instruments (ZBIs)

Introduction

The Zeth protocol (see paper, specifications, and project) enables privacy-preserving state transitions on Ethereum-type systems. More precisely, Zeth implements a Zerocash-like Decentralized Anonymous Payment (DAP) scheme on top of Ethereum, and can easily be adapted to function on top of any smart-contract-enabled blockchain (e.g. Autonity). As such, Zeth allows to carry out privacy-preserving payments in which amount and recipient are cryptographically protected and not visible to the rest of the network (only visible by the recipient and the sender of the payment).
In fact, the Zeth protocol consists in converting publicly visible funds (e.g. ERC20/223 tokens — potentially stablecoins like Dai -, or ETH for instance) into Zeth Notes. In the protocol, these Notes are data structures with several attributes — among which a value and an ”owner”. In short, ownership is defined by the knowledge of a secret key associated to the public key used by the sender to derive the Zeth Note.
Informally, when doing a payment, input Notes — cryptographically bound to (i.e. “owned by”) the sender — are destroyed to create new Notes which are bound to their respective recipient. A cryptographic commitment (hiding/binding) of the spent Notes is recorded on the blockchain preventing double spending of the same input Notes.
More precisely, the current protocol parameters are such that, in each Zeth transactions, two input Notes are destroyed by the sender to create two new output Notes. This allows a user to transfer an arbitrary value to the recipient (i.e. both input Notes can be “combined” and some refund can be sent back to the sender if necessary via the second output Note. More generally, the combined input value can be split and spent to two distinct recipients — which can be used to carry out “multi-private-payments” via a single transaction). If a Zeth user wants to transact without owning two input Zeth Notes she can artificially and safely create 0-valued Notes to “pad” her transaction inputs and outputs.

In addition to “destroying and creating” Notes, each Zeth transaction can optionally take some public input value (i.e. some funds on a publicly visible Ethereum balance) and can optionally withdraw some funds from the Zeth contract (e.g. convert a Zeth Note — private funds — back to publicly visible funds). Being able to process publicly visible funds and private funds in a same transaction allows to support complex payment semantics.

Example.

Alice possesses one Zeth Note of 1.44 ETH and another Zeth Note of 2.55 ETH but wants to transfer 4 ETH to Bob via Zeth. Combining her two Notes yields an transfer value of 1.44 + 2.55 = 3.99 ETH. Leveraging the possibility to use publicly visible funds as inputs to a Zeth transaction, Alice can decide to provide the missing 0.01 ETH from her public Ethereum balance, hence “pouring” her input value of 0.01 + 1.44 + 2.55 = 4 ETH into 2 output Notes — e.g. one Note of “hidden face value” 4 ETH for Bob, and another Note of “hidden face value” 0 ETH for her. Network members will only see that Alice has deposited 0.01 ETH to the Zeth contract.

Informally, the protocol security is ensured by the use of an efficient Non-Interactive Zero-Knowledge proof system (NIZK) that proves — among others — that: “the sum of the values of the input Notes with the public input value equals the sum of the values of the output Notes with the public output value”. In other words, the protocol relies on an efficient zero-knowledge proof system to show that all transactions — which information is kept privately — are “balanced” and spend only existing funds (i.e. not value is created, no “double spending” occurs). Finally, payment notification (on the recipient side) leverages a “confidential receiver-anonymous channel” implemented by leveraging smart-contracts logs and using an IK-CCA (or “key private”) encryption scheme.
For a high-level explanation of the protocol, see this talk.

The limitations of the protocol

Privacy-preserving protocols are necessary for the wide adoption of blockchain-based systems. In fact, despite the regulatory challenges surrounding privacy-enabling cryptocurrencies (see this report for instance), not only is privacy a necessary thing to ensure asset fungibility (“removing reputation to an asset”), but it is also essential to design strong censorship resistant systems, not to mention carrying out any non-trivial business activity (i.e. exposing one’s trades to the rest of the network is absolutely unimaginable for business use cases).

Interestingly, not only using Zeth allows to achieve strong security guarantees on popular blockchains such as Ethereum, but it also allows to hide one’s wealth on the blockchain.
In fact, the mere fact of using Zeth (i.e. owning a Zeth Address — the “public/private keypair defining Notes ownership” we alluded to in the paragraph above) introduces noise related to one’s overall wealth on the system. In fact, once one uses Zeth (or publicly declare their public Zeth Address), this signals to the rest of the network that this user may have (or probably already has) received (or will receive) private funds in the form of Zeth Notes. As such, the (Zeth) user’s public Ethereum balance becomes a “lower bound” on her wealth. The exact balance of the user (= publicly visible balance + private funds) cannot be known by other network members.

While this lower bound can leak significant information (e.g. seeing that someone’s public balance is 1,000,000 ETH is meaningful), one may simply want to convert (almost) all her wealth to Zeth Notes. Doing such a deposit on the Zeth contract will be publicly observable (on the system, this will translate into a Zeth transaction which public input equals to, say, 999,999 ETH). Nevertheless, no information about the output Notes will be available to network members, and so, one may wonder:

1. a. Have the 999,999 ETH been “poured” into two Zeth Notes owned by the sender?
   b. If so, how have the funds been spread across the Notes?
2. Have some of the 999,999 ETH been sent to another user (i.e. is one of the output Note owned by another network member)?

Who knows! Only the sender and recipient(s) can know this (the only way for the network users to have an answer for (1.a.) is if they all collude against the sender and realize that none of them have received funds from the sender. Doing so assumes very strong trust between the colliding parties and is impractical is real life settings with large networks).

Hence, after converting publicly visible funds to Zeth Notes, the “state of the world” becomes quite blurred for network users who can’t access exact information and just need to guess how the system state evolves over time.

Remark.
Some of heuristic-based attacks to infer the system’s state can be pretty accurate when leveraging external data sources which may be correlated with the blockchain state. Being aware of this (and potential user bad practices) is the first step toward using Zeth optimally and securely. We refer to the “Zeth Protocol Specifications — Appendix C” for more information on this topic.

Now, the attentive reader must have realized that out of the 1,000,000 ETH in the example above, only 999,999 ETH have been converted to Zeth Notes. Why not converting all of them?

This touches on one major limitation of Zeth which is inherited from the base protocol (i.e. Ethereum). In fact, in order to counter some Denial of Services attacks, Ethereum transactions incur a fee that needs to be paid by the sender, and which is captured by the network miners (in addition to the block rewards). While simple transactions (i.e. transfers of ETH between Externally Owned Accounts (EOAs)) have an intrinsic cost of 21,000 gas, smart contract calls have a fee which is proportional to the “computational expensiveness” of the state transition on the system. All in all, no transaction is free on the system (this is for security reasons), and so, carrying out Zeth transactions is no immune to this fee. As such, and going back to the example above, converting one’s public wealth to private Zeth funds is recommended, but one needs to keep a small amount of funds on her Ethereum balance to pay for transaction fees necessary to manipulate the private funds (some arbitrary amount of one’s private funds can still be withdrawn back to her Ethereum account to “top up” the public balance if needed).

Drawbacks of fees

So what is the problem with fees? Surely they are a way around the “halting problem” and are another incentive for block validation, but, there is a but…

Zeth user anonymity.
The necessity to pay fees for each transactions makes it impossible to send a transaction from a newly created Ethereum account (one for which no “binding to real life users” is known by other network members). As such, and in the context of Zeth, this means that, for a Zeth user (having a Zeth Address) to send a transaction on-chain, this user needs to also have a funded Ethereum account (which must have received funds from somewhere — if not a miner -, and which “user identity” may be known by at least one network user). This means that at least one network member will be able to know when the Zeth user does a transaction (even though none of the transaction private data (amount, recipient) will be exposed). In most cases, this “bit of distinguishability” between Zeth users and Zeth non-users on the system will not be an issue. However, this constitutes a challenge for the adoption and use of such protocol in countries where the mere use of Privacy Enhancing Technologies (PETs) is prohibited.

Cash payments are “free”.
In addition to the anonymity issues for the Zeth transaction originators, the need to pay transaction fees is a great impediment to the design of “digital cash”. In fact, banknotes, as we know them, are bearer instruments (i.e. securities issued in physical form for which no ownership is recorded) which are free to exchange (i.e. there are no fees related to a cash payment). This is in stark contrast with other form of “electronic money” which commonly incur a fee on one of the transacting parties (or process and market transacting parties’ information as a substitute). For instance, credit card processing fees/merchant fees are paid by either the payment recipient or by the sender/customer (if internalized in the price of the exchanged commodity).

While Zeth Notes are untraceable and Zeth payments can be made unobservable (i.e. Zeth transactions are observable by design, but “dummy private payments to self” can be randomly emitted by Zeth wallets (e.g. see here) to create noise — at the expense of paying transaction fees for these — , making actual — real — Zeth payments from one sender to a recipient indistinguishable from “dummy payments”), these transactions cost a fee and expose the originating Ethereum account, preventing Zeth Notes from satisfying the set of characteristics of cash.

Can we do better?
Protocols like Zecale (see paper and project) can be used to lessen some of the issues aforementioned. Being primarily a privacy-preserving scalability solution, the Zecale aggregator may be used in different settings — see Section 5 — Applications (paper). For instance, Zecale can be used as a local aggregation engine which allows a user to “amortize” the transaction fees that are associated to her set of Zeth transactions. However, transaction fees (despite being smaller) still need to be paid, which only lessens the fee issue, without resolving it.

In another setting, the Zecale aggregator can be run on a relay node which may bridge an anonymous communication network with a blockchain network. Doing so, may not only enable anonymous Zeth users to send Zeth transaction payloads (i.e. a zk proof, a set of cryptographic commitments and the Notes ciphertexts) anonymously to a relay that will — trustlessly and securely — settle the “private payment instruction” on the blockchain, but it may also pave the way for additional “aggregation market” opportunities. Here again, while Zeth users may become anonymous, fees (potentially paid by the Zeth user via the “public output value” of the Zeth transaction payload) will still need to be paid to the relays for their “batching and settlement” of “private payment instructions” on the blockchain. Furthermore, high fee volatility on Ethereum is another challenge to face for the sound design of such solution (note however that, alternatives to the first-price auction model, constituting the current fee market for transaction inclusion on Ethereum, may help combat fee volatility and thus simplifying fee estimation algorithms. See EIP-1559 for instance).

Finally, it is worth mentioning that “Layer 1” solutions (i.e. changes to the Ethereum protocol) have been considered to address the requirement to hold funds in an Ethereum account to be able to carry out a transaction. Solutions like “account abstraction” (see EIP-859 and EIP-2938) have been discussed. Nevertheless, no such solution allows to carry out fee-less (i.e. “gas-less”) transactions (the fees need to be paid by someone), which does not entirely solve the problems faced in our quest to “emulate” cash on blockchain system.

Towards Blockchain-based Bearer Instruments?

As a way to move away from the need to pay transaction fees and get closer to how “cash” works, we are interested to see if there exist ”bridges” between the physical world and the digital world. In other words, can we “pour” the value of a cryptoasset into a physical object — which may be exchanged “hand-to-hand” off-chain like banknotes — which in turn can be manipulated back on digital systems?

This idea to bind cryptoassets (such as bitcoins) to physical objects is not new. In fact, this was discussed back in August 2010, when Gavin Andresen asked, on BitcoinTalk, if it was possible to “print out bitcoins to function as user-created paper money” (see this thread).

The overall mechanism relies on issued physical object which can securely store a private-key that can only be recovered by altering a tamper-evident seal on the object. As such, as long as this seal is in place, the object is assumed to hold the funds. Nevertheless, once the seal is removed, the physical properties of the object are altered which triggers a change in behavior (“flips a switch”) enabling to recover the private key and manipulate the funds (i.e. spend them).

Over the last decade, several designs have emerged (some of them abandoned) to obtain “Bitcoin Bearer Instruments” (e.g. Cascascius BTC, BitBanknotes, BitBills, and FirmCoins). Importantly, not all proposed solutions require the same level of hardware sophistication. In fact, while some designs rely on existing banknotes security mechanisms, other rely on tamper-resistant holograms or even on smart cards and secure cryptoprocessors.

Zeth Bearer Instruments (ZBIs)

Similarly to the various “physical Bitcoin” designs above-listed, we are interested to see how Zeth Notes may be embodied in the real-world as a way to carry out “cash-like” Zeth payments.
However it is worth, before doing so, clarifying why this is of interest as opposed to simply exchanging “tamper-resistant USB sticks storing private keys of Ethereum accounts”. In fact, in a setting where Ethereum accounts are single-use only, one may want to securely generate an account private key on a piece of hardware to carry out “hand-to-hand” exchanges. This comes with some drawbacks however. One major issue lies in the fact that accounts are publicly accessible data structures (part of the Ethereum public/global state). As such everyone can track when an account is used (account balance going “up and down”) — which may be valuable information for side-channel/heuristic-based attacks. Hence, in a scenario where:

1. UserA possesses a secure/tamper-resistant piece of hardware that stores an account private key, and sends X ETH to the account controlled by this hardware
2. UserA exchanges “hand-to-hand” the piece of hardware storing the X ETH with UserB for a commodity C
3. UserB exchanges “hand-to-hand” the piece of hardware storing the X ETH with UserC for a commodity D
4. UserC unseals the secure piece of hardware to gain control of the stored Ethereum account and carry out on-chain operations with the funds

UserA may not be able to know how many times the piece of hardware was exchanged off-chain, but is able to track when the funds are manipulated on-chain. This, coupled with other data sources and heuristics, can be used by previous holders of the instruments to infer pieces information related to future on-chain manipulations of the funds.

Example.
Following the scenario above, if the funds are manipulated on-chain 1 hour after UserA and UserB transacted, chances are that the observed on-chain transaction manipulating the funds is carried out by UserB or a relative/someone close to UserB (surely the USB stick can’t have been sent to and received by someone on the other side of the world in such a small amount of time). Likewise the nature of the transaction on-chain can leak extra information about the sender — say, the transaction recipient is a famous shoes shop, and UserA happen to know that UserB’s brother loves buying shoes, chances are — based on the timing information and UserA’s knowledge, that the transaction spending funds controlled by the ZBI originates from UserB’s brother. All in all, this simplistic example shows how seemingly harmless leakages can be exploited by using other sources of information and public knowledge.

Importantly, part of these leakages vanish if using a solution like Zeth instead. In fact, the inability to track (even by potential past senders) if/when recipients manipulate (i.e. spend) their Zeth Notes brings the protocol much closer to cash.

What would a ZBI look like?
While providing a fully fledged technical description of how to “materialize” Zeth Notes to exchange off-chain is outside of the scope of this document (many ideas can certainly be taken from some of the “physical Bitcoin” designs listed above), we will briefly sketch a ZBI design based on OpenDime.

In fact, most of the logic of such a tamper-resistant USB stick could be re-used to transact Zeth Notes.

1. Upon first connection of the USB stick, entropy is generated by the user which is then used, along with “baked-in” nonce/seed information, to generate the device’s key material and Zeth Address.
   a. The Zeth public address is read/exported to the user’s machine.
   b. The Zeth private address never leaves the device and can only be recovered/read by unsealing the device.
2. The user willing to “materialize” Zeth Notes uses the device’s exported Zeth public address as the recipient of an on-chain Zeth transaction. This operation costs a fee since a transaction is processed on the blockchain. Once the transaction is mined on-chain, the private key stored on the secure device will allow to manipulate the private Zeth funds.
3. The USB device can be exchanged as many times as necessary “hand-to-hand” (off-chain).
4. Upon receipt of the device, the holder may want to manipulate the digital representation of the Zeth Notes. This can be done by breaking the device’s seal, and using the now-readable private key to carry out a Zeth transaction.

Importantly, upon manipulation of the Zeth Notes on-chain, nothing, beyond the fact that a Zeth transaction is carried out by a given Ethereum address (which may be a “relayer” address), is leaked to other network members/observers.
(Remember: Zeth transactions protect — i.e. do not leak — which Zeth Notes it spends, it just contains the cryptographic material to prove that any spent Notes of non-zero value had never been spent before!)

The elephant in the room.
The above high-level protocol misses a very important point. How to determine the “face value” of a ZBI in a exchange?

In the same way as banknotes have a face value indicating unambiguously and precisely how valuable a note is, it is necessary for a ZBI recipient to check the amount of cryptoassets held/controlled by the device. This means that, there needs to exist a cheap and efficient way of querying the blockchain state, from a host machine (e.g. a phone or a laptop which may be “connected” to the ZBI — e.g. via USB, NFC, Bluetooth etc.) in order to check the “face value” of the device.

As mentioned at the beginning of this article, Zeth recipients are anonymous and can only be informed that they received a payment by scanning the chain and trying to decrypt the ciphertexts emitted by the Zeth contract (i.e. recipients “listen and decrypt” on the “confidential receiver-anonymous channel”). While carrying out such operation on modern laptops can be done efficiently (by caching and backing up received Notes, keeping additional state such as “checkpoints” to regularly scan chunks of the blockchain etc.), such operation can easily become inefficient on computationally restricted devices. Furthermore, such mechanism requires to query some blockchain state data to a blockchain node (e.g. via RPC), which may be a source of information leakages to this specific node.

As a consequence, additional mechanisms are necessary to efficiently expose the “face value” of a ZBI, which may consist in (non-exclusive and non-exhaustive list):

1. Storing additional information on the device (e.g. block hash of the block in which the Zeth Notes, controlled by the device, have been added). Safely and privately recovering a given block’s data would require to use techniques such as Private Information Retrieval (PIR) on the blockchain state (see here for instance).
2. Extend the tamper-proof device with a flashing LED which color would determine the “front value” of the device (e.g. the color would be bound to a “denomination” — or a “range of denominations” — as done with pound sterling banknotes for instance), or with a screen displaying the “face value” once the transaction “crediting” the device has successfully been verified, to be added on chain, on the host device. Importantly however, such functionalities would only be meaningful in a setting where “reorgs” are not possible (either because the underlying blockchain consensus algorithm provides (deterministic) finality or because the block in question is deemed “deep” enough than blockchain reorganizations are not practical). Likewise, the possibility to keep “loading funds” by using the device’s Zeth address as recipient of private payment along a chain of “hand-to-hand” transfers (to increase the “face value” of the device) is another thing to keep in mind and handle properly (more on the consequences of this in the next section below).

Importantly, checking the ZBI value still requires some network connectivity to carry out checks on the blockchain state (which acts as the “trust anchor”/”source of truth”).

Considerations for the design of ZBIs

Security

Similarly to security features of banknotes (see here for instance), the security of ZBIs is ensured under hardware assumptions as well as under connectivity assumptions (to establish the root of trust to the blockchain). As such, and in light of ever going progress on hardware attacks, strong and conservative security measures need to be taken into consideration for the choice of the physical object used to “materialize” Zeth Notes. This is all the more important in the case where Zeth Notes represent non stable assets (e.g. ETH) which can see their value appreciate over time, which (beyond slowing down the velocity of circulation of the asset) widens the gap between (hardware) attack cost and reward.

Physical robustness and ease of use

Furthermore, the physical properties of a ZBI device must be carefully considered to prevent lost funds due to hardware failures. Considering how easily can the instrument be carried and passed around, as well as, opting for a device that resists the elements with a high life expectancy are necessary. Similarly to banknotes, being able to carry the instrument in one’s pocket/wallet and being able to tell when the instrument is deteriorating are paramount (see also here for more information on the deterioration of banknotes in circulation).

Environmental impact

While the use of bearer instruments such as ZBIs to form “blockchain-rooted cash” based on a border-less censorship-resistant community-governed blockchain network is a significant paradigm shift from existing monetary systems, it is worth navigating the set of externalities (both positive and negative) of such solution.

Beyond the environmental impact of the blockchain network itself (which does not only reduce to the nature of the consensus algorithm — i.e. PoW, PoS etc. -, but also entails energy costs of network communications, energy/natural resource requirements for hardware manufacturing etc. — see e.g. here, the environmental externalities) associated to the large scale production of ZBIs must be taken into consideration and internalized to conclude about the social benefits of such a form of money. In fact, not only does manufacturing chips and processors incur non-negligible environmental impacts, but the production of such pieces of hardware (or their components) may also be the source of geopolitical tensions (e.g. see here) which are to be considered to keep a neutral balance of power.

Regulation and law enforcement

In the course of the last decade, innovations around blockchains and cryptoassets have brought a large set of regulatory challenges with regards to adjustments of existing AML/KYC/CFT processes and taxation (see e.g. here). Some of such challenges are often considered (not always rightfully so) exacerbated by the use of privacy-enhancing cryptoassets (see e.g. here, here, and here). What is sure however, is that regulations often lag behind technological innovation creating “grey areas” which loose surrounding legal frameworks are opportune to malicious activities.

While Zeth transactions, carried out on-chain, cryptographically protect the private/sensitive information of each payment, they still are included in the blockchain data (i.e. “mined into blocks”). Furthermore, the need to pay fees to carry out Zeth transactions (whether “dummy private transfers to self” or real payments) requiring the transaction to be emitted from an Ethereum account holding funds, constitutes a fertile ground for regulatory processes such as enhanced customer due diligence and ongoing monitoring by financial services providers for instance. The blockchain data (the “source of truth”) along with existing laws and regulations (e.g. the BSA in the US) can be leveraged to investigate activity suspected as fraudulent on the system.

The use of ZBIs to carry out “hand-to-hand” transactions however, constitutes yet another regulatory challenge. In fact, such devices can constitute valuable mediums to bypass regulations in a given jurisdiction. A ZBI (as described above) can “control” an arbitrary amount of cryptoassets (i.e. users may credit the Zeth address of the ZBI with as much assets as they control), enabling to “materialize” important funds into an easy-to-dissimulate device (enabling fraudulent users to move away from “bags of cash” to “small USB sticks”). Likewise, new funds can be added to the ZBI as it is “passed-around” (the “face value” of the device can only increase as it is passed around, since to redeem some of its on-chain funds one needs to unseal it). Not only this represents an challenge for law enforcement, and begs for the implementation of enhanced processes at specific “gates” (e.g. exchanges/brokers), but this can also affect the fungibility between Zeth Notes controlled by an address protected by a ZBI and those which are not (ZBIs would likely “sell” above their “face value” on the black market for instance).

Finally, and following the above, regulatory challenges would also be faced by ZBIs hardware manufacturers, as already faced by companies providing “physical bitcoins” issuance services (see e.g. this).

Further considerations

Appearance
In addition to the previously listed considerations on the design of “blockchain-based bearer instruments”/ZBIs, the design and appearance of the instruments is not to be neglected. In fact, beyond their embedded security features, banknotes embody a wide set of symbols promoting a shared identity and gathering cash users around core values (e.g. a country’s leading figures represented on banknotes, national symbols etc.). European banknotes, for instance, represent ”the European spirit of openness and cooperation” as well as ”communication between the people of Europe and between Europe and the rest of the world” while remaining neutral by representing nonexistent monuments and bridges on the banknotes (see here).

Designing ZBIs such that their appearances can reach heterogeneous communities (not only “tech-savvy” individuals) and embody/represent a set of internationally shared values is a challenge on its own.

Finally, as suggested by past studies (see e.g. here) the physical appearance of money matters more than traditionally thought, and can influence its spending. Making sure that issued instruments remain fungible throughout their life times is important.

Seignorage
With the potential for innovation in the financial sector and the increasing interest of central banks for blockchain technologies, some nascent projects such as the “digital euro” are starting to consider digital central-bank-issued money. Some of these projects are starting to think whether digitally-issued central bank money could be provided through dedicated physical devices such as smart cards.
Among the other points aforementioned, questions around “Seignorage” are starting to appear in this setting. In fact, whether blockchains/DLTs or Chaum’s ecash (see here and here) is used to build the system, distributing central bank money via the issuance of physical devices like smart cards is likely to reduce the seignorage since producing such devices is intrinsically more expensive (both environmentally and financially) than producing paper/polymer banknotes.

Conclusion

Cash is a wide-spread, cheap to produce, free to use, inclusive, (fairly) non-technological, central-bank issued bearer instrument offering strong privacy guarantees and inherently peer-to-peer. Being a key anchor of trust for the monetary system, cash faces competition in emerging forms of money — some of which paving the way for financial innovation and disrupting trust and societal structures.

In this article, we listed the characteristics provided by protocols like Zeth and studied how such protocol could be used to design “blockchain-rooted cash”. Then, we expressed some thoughts around the design of Zeth Bearer Instruments as a way to converge towards a form of off-chain money similar to “cash” which trust anchor would be shifted away from a central issuer to a blockchain system operated by a distributed set of “miners”. We listed several considerations to take into account for the design of such instruments, as well as open problems and challenges. Finally, we expanded the list of considerations to account for recent ongoing projects aiming to provide digital counterpart to “cash” (i.e. digital cash) that would pave the way for financial innovation while remaining issued by central banks.

Interested in what we do?

For more details on Clearmatics and more information on our research, see:

• https://clearmatics.com/
• https://clearmatics-research.io/
• https://github.com/clearmatics

Furthermore, you can now start using Zeth on our Autonity Bakerloo testnet https://bakerloo.autonity.network/