HCash, the software and hardware integrated solution for anonymous payment

HPB Global · Published in HPB-Foundation · 6 min read · Aug 9, 2021

Blockchain technology originated with Satoshi Nakamoto’s Bitcoin, and in essence it can be seen as a decentralized database. The content stored in this database is verified and stored by every node, that is, it is managed by all participants. Blockchain has the following characteristics: decentralization, openness, security (resistance to forgery and tampering) and anonymity.

After more than ten years of development, a variety of blockchains for different application scenarios have been proposed, such as programmable blockchains, anonymous payment blockchains, high-performance blockchains and cross-chain blockchains. Among them, anonymous payment has received a great deal of attention from the community. Because of the shortcomings of existing blockchains in the aspect of anonymity, many studies have shown that the relationship between users and assets can be recovered through tracing and clustering. How to achieve real anonymity has become a hot topic in both industry and academia in recent years.

What is Anonymous Payment

Anonymous payment, as its name indicates, means the transaction is anonymous: both the addresses and the amount of the transaction are hidden. The anonymity of existing blockchains is not ideal. Taking exchanges as the entry point, the relationship between users and assets can be recovered through tracing and clustering. At the same time, anonymity-related applications on blockchains also have many drawbacks. Take the popular anonymous NFT auction as an example. It works as follows: during the bidding stage, bidders submit their bids secretly, so that nobody knows what the others bid; after everyone has submitted, all bids are opened and the winner is determined by bid price. If Ethereum is used to implement this protocol, bidders must deposit more Ether in their accounts than their actual bid, because all transaction amounts are public. This still leaks the ceiling of each bid.
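The two-stage auction above, as an added illustration that is not part of the original post or of any real auction contract: bids are hidden behind hash commitments during the bidding stage and opened afterwards, but the deposit that each bidder must lock is public, so an observer learns the ceiling of every bid. The class, method names and the two bidders' numbers are constructed for this example.

```python
"""Sealed-bid auction via commit-reveal, showing the deposit ceiling leak.

Added illustration, not code from the original post or from any auction
contract; the class, method names and the bidders' numbers are constructed.
"""
import hashlib
import secrets


def commit(bid: int, nonce: bytes) -> bytes:
    """Hiding, binding commitment to a bid: H(bid || nonce)."""
    return hashlib.sha256(bid.to_bytes(32, "big") + nonce).digest()


class SealedBidAuction:
    def __init__(self):
        self.commitments = {}   # bidder -> (commitment, publicly visible deposit)
        self.reveals = {}       # bidder -> revealed bid

    def place_bid(self, bidder: str, commitment: bytes, deposit: int):
        """Bidding stage: only the commitment and the deposit are visible."""
        if bidder in self.commitments:
            raise ValueError("one bid per bidder")
        self.commitments[bidder] = (commitment, deposit)

    def reveal(self, bidder: str, bid: int, nonce: bytes):
        """Opening stage: the bid must match the commitment and fit in the deposit."""
        commitment, deposit = self.commitments[bidder]
        if commit(bid, nonce) != commitment:
            raise ValueError("bid does not match commitment")
        if not 0 < bid <= deposit:
            raise ValueError("bid exceeds deposit")
        self.reveals[bidder] = bid

    def winner(self):
        """Highest revealed bid wins; returns (bidder, bid)."""
        return max(self.reveals.items(), key=lambda kv: kv[1])

    def public_view(self) -> dict:
        """What any chain observer sees during bidding: the deposits only,
        i.e. the ceiling of each bid (the leak described in the text)."""
        return {b: deposit for b, (_, deposit) in self.commitments.items()}


def run_auction():
    """Two constructed bidders; returns (public view during bidding, winner)."""
    auction = SealedBidAuction()
    bids = {"alice": (70, 100), "bob": (40, 50)}     # (secret bid, public deposit)
    nonces = {name: secrets.token_bytes(16) for name in bids}
    for name, (bid, deposit) in bids.items():
        auction.place_bid(name, commit(bid, nonces[name]), deposit)
    observed = auction.public_view()                  # {"alice": 100, "bob": 50}
    for name, (bid, _) in bids.items():
        auction.reveal(name, bid, nonces[name])
    return observed, auction.winner()                 # ("alice", 70)


if __name__ == "__main__":
    print(run_auction())
```

The commitment keeps the bid hidden until the reveal, and the reveal check keeps bidders from changing their mind, but nothing in the commitment hides the deposit: that is the part an encrypted-balance scheme has to address.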

There are industrial attempts at anonymous payment, for example Monero, Dash and Zcash, as well as academic proposals such as Zether.

The bottleneck of anonymous payment

There are still many bottlenecks to be solved, such as the high demands on anonymity and security, but most concerns are about efficiency. The range zero-knowledge proofs (e.g. zk-SNARKs, Bulletproofs) that anonymous payment relies on are dozens of times larger than a normal transaction, and the related computation takes a long time. Although many researchers have optimized them, the problem has not been completely solved. As a result, the excessive transaction size limits its coverage rate in the network, and the time-consuming computation further limits the throughput.

In summary, there are two main bottlenecks at present: the excessive transaction size and the time-consuming transaction computation.

Anonymous Payment Solution, Zether

Zether, mentioned above, is the first anonymous payment solution with a complete security proof provided by cryptographers. Its academic paper was published at the International Conference on Financial Cryptography and Data Security. Its contributions are an optimized Bulletproof and a method for deploying the scheme as a smart contract, and it is the most popular anonymous payment scheme.

In short, Zether is an anonymous payment scheme based on smart contracts that can be deployed on any smart-contract-enabled blockchain. Its anonymous account is a public key generated by the ElGamal algorithm. After a user obtains an anonymous account, they can send anonymous transactions by depositing a certain number of tokens. Zether encrypts the transaction amount and address, and validates the transfer amount and the account balance with a range zero-knowledge proof. After the miners' verification passes, the transaction is confirmed and enters the blockchain.
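To make the encrypted-balance mechanism concrete, here is an added example of exponential (additively homomorphic) ElGamal, the primitive behind Zether's accounts. It is not code from Zether or HCash: Zether works over an elliptic-curve group, whereas this toy uses a prime-order subgroup of the integers mod p so every step is plain integer arithmetic, and the 48-bit parameters, seed and amounts are constructed for illustration only. A transfer adds an encryption of the amount to the receiver's balance and an encryption of its negation to the sender's, reusing one randomness value for both as Zether does; the last run shows what ciphertext arithmetic alone cannot prevent, which is exactly what the range zero-knowledge proof exists to check.

```python
"""Encrypted balances with exponential (additively homomorphic) ElGamal.

Added illustration, not code from Zether or HCash. Zether works over an
elliptic-curve group; here a prime-order subgroup of Z_p^* is used so every
operation is plain integer arithmetic. Parameters are constructed at toy
size (48-bit) for illustration only and are not secure.
"""
import random

_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 48):
    """Return (p, q, g): p = 2q + 1 a safe prime, g a generator of order q."""
    q = (1 << (bits - 1)) | 1          # deterministic odd starting point
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4                     # 4 = 2^2 is a square, so it has order q


P, Q, G = safe_prime_group()


def keygen(rng: random.Random):
    """Anonymous account: secret x, public key y = g^x (as in Zether)."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(pk: int, amount: int, r: int):
    """Enc_pk(amount; r) = (g^amount * pk^r, g^r); negative amounts wrap mod q."""
    return (pow(G, amount % Q, P) * pow(pk, r, P) % P, pow(G, r, P))


def add_ct(a, b):
    """Homomorphic addition: the componentwise product encrypts the sum."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def decrypt(sk: int, ct, max_amount: int):
    """Recover the amount by brute-forcing g^b for b in [0, max_amount];
    returns None when the encrypted value lies outside that range."""
    c, d = ct
    target = c * pow(d, Q - sk, P) % P    # c / d^sk = g^amount
    acc = 1
    for b in range(max_amount + 1):
        if acc == target:
            return b
        acc = acc * G % P
    return None


def transfer(ledger: dict, sender_pk: int, receiver_pk: int, amount: int, r: int):
    """Encrypted transfer: the same amount and randomness r are used for both
    ciphertexts (Zether does this so one proof can bind them); the sender is
    debited and the receiver credited without the amount appearing anywhere."""
    ledger[sender_pk] = add_ct(ledger[sender_pk], encrypt(sender_pk, -amount, r))
    ledger[receiver_pk] = add_ct(ledger[receiver_pk], encrypt(receiver_pk, amount, r))


def run_transfers(amounts, max_amount: int = 1000):
    """Fund Alice with 500, send each amount to Bob, return decrypted balances."""
    rng = random.Random(7)                 # fixed seed so the run is reproducible
    sk_a, pk_a = keygen(rng)
    sk_b, pk_b = keygen(rng)
    ledger = {pk_a: encrypt(pk_a, 500, rng.randrange(1, Q)),
              pk_b: encrypt(pk_b, 0, rng.randrange(1, Q))}
    for amt in amounts:
        transfer(ledger, pk_a, pk_b, amt, rng.randrange(1, Q))
    return decrypt(sk_a, ledger[pk_a], max_amount), decrypt(sk_b, ledger[pk_b], max_amount)


if __name__ == "__main__":
    print(run_transfers([120]))          # (380, 120): a valid transfer
    # Overdraw: the ciphertext arithmetic accepts it and Alice's balance becomes
    # -220 mod q, outside any valid range. Rejecting this without seeing the
    # amount is the job of the range zero-knowledge proof the text describes.
    print(run_transfers([120, 600]))     # (None, 720)
```

Decryption by brute-forcing the exponent is why the range proof also bounds the amount: balances must stay in a small interval for the account owner to read them back at all, and the proof is what lets the miners check that interval, and the sender's sufficient balance, on ciphertexts alone.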

Software and Hardware Integrated Solution, HCash

This project, HCash, also known as the FPGA-based Accelerator of Anonymous Payment, optimizes Zether and adapts it to HPB to take advantage of HPB's computation and network hardware acceleration, which effectively solves the above bottlenecks of anonymous payment.

On the hardware side, it consists of two parts: a high-performance network adapter and a hardware accelerator for cryptographic computation. Through the high-performance network adapter, the transmission rate of the oversized transactions is improved, which improves network coverage. The hardware accelerator for cryptographic computation implements the cryptographic instruction set related to anonymous payment, making transaction computation more efficient. In addition, the unified memory architecture improves the efficiency of data exchange between the CPU and memory. On the software side, the verification part of the zero-knowledge proof is implemented in the main chain, which reduces the Gas consumption of anonymous transactions and greatly improves the user experience.

High-Performance Network Adapter

Compared with normal transactions, the size of anonymous payment transactions is increased by dozens of times due to the range zero-knowledge proof, which puts great pressure on network transmission and results in a low network coverage rate. The transaction throughput of blockchains is already seriously insufficient, so anonymous payment especially needs more optimization.

TCP/IP, the de facto standard protocol of the Internet, is composed of the Application layer, Transport layer, Network layer and Network Interface layer. In the architecture of current computer systems, multiple applications share one network adapter, and software is used to parse and process packets, including protocol packet parsing, network link maintenance, data copying and interrupt handling. More importantly, these procedures have nothing to do with the actual communication and waste a lot of resources, which makes them our key optimization point.

We implement some functions of the TCP/IP protocol (mainly the Transport layer and Network layer) in dedicated hardware to obtain a high-performance network adapter. Specifically, some processing functions are realized in the FPGA, including the establishment, teardown, control and maintenance of TCP sessions, the sending and receiving of TCP and UDP packets, and auxiliary functions such as ARP and ICMP protocol processing. It provides a 10G Ethernet interface on the user side, connects to the PCIe interface of the mainboard, and uses a DRAM cache to optimize efficiency, which meets the bandwidth requirements of million-level blockchain transactions.

Hardware Accelerator of Cryptographic Calculation

Similarly, because the computation of the range zero-knowledge proof takes a long time, we implement the cryptographic computation related to anonymous payment (such as elliptic curve operations and large integer operations) in the FPGA, and provide interfaces for the upper-layer anonymous payment applications. Another advantage of dedicated cryptographic hardware is that sensitive information is isolated in hardware, which gives higher security.

The concrete implementation includes elliptic curve computation (for secp256k1, secp256r1, Curve25519, etc.) and large integer computation, which together form the corresponding cryptography instruction set. Compared with the standard computer instruction set, it has the advantages of being simple, dedicated and efficient. It communicates with the processor through a PCIe interface, and the upper-layer anonymous payment application can call this instruction set directly when processing cryptographic procedures such as key negotiation, encryption and decryption, and signing and signature verification.

Unified Memory Architecture

HCash also provides additional memory for this dedicated hardware and adopts a unified memory architecture. In the traditional computer memory architecture, the CPU and other components share one memory to process different tasks, competing for the data bus through memory access scheduling; that is, data processing goes through a narrow pipe. In the unified memory architecture, the CPU and the dedicated hardware modules can access their own memory simultaneously. Moreover, the traditional architecture incurs an overhead for copying data, whereas under the unified memory architecture the memory can be accessed directly, so the CPU and the dedicated hardware modules can quickly exchange data with each other, which significantly improves performance.

Stripping Verification of Zero Knowledge Proof

For the range zero-knowledge proof, users can produce the signature themselves, which consumes no Gas. However, because Zether implements the signature verification part in the smart contract, it costs users a lot of Gas, which raises the entry threshold of anonymous payment. Considering this, HCash strips this part out of the smart contract and implements it in the main chain. When verifying the zero-knowledge proof, the smart contract calls the main chain interface, thus saving this part of the Gas.

About HPB

High Performance Blockchain (HPB) is a revolutionary permissionless blockchain architecture that combines HPB’s customized hardware Blockchain Offload Engine (BOE), with high-performance blockchain software, enabling unrivaled scalability.
