Ethereum Besu and its privacy focused features

Thomas Brillard
InTech / Innovation & Development
3 min read · Jun 10, 2021

At InTech, we develop blockchain solutions for our partners like Survcoin, MySardines and Tokeny. The blockchains behind those projects are either a public Ethereum chain or a private one. The Luxembourgish state blockchain, for instance, uses a private Ethereum chain.

None of these solutions offers privacy. But as blockchain usage grows, we have noticed that privacy on a blockchain is gaining interest. We experimented with private transactions using Parity and talked about them at EthCC 2019 in Paris.

Today we are sharing our experiments with Ethereum Besu and its privacy and permissioning features.

Besu manages private transactions off-chain with a privacy marker submitted to the blockchain. This marker contains the enclave key, a pointer to the private transaction in Tessera (the privacy module). This marker can be signed with a new key unrelated to the private transaction to maintain the sender’s anonymity.

A Tessera node is required to enable privacy. This node stores the state of the privacy groups. As a result, the public state of the chain does not have to include gas-heavy transactions, as it does with Parity private transactions.

Private transaction flow

One point worth noting is that private transactions are expensive, and the simple developer quick-start has trouble running on my single MacBook Pro. Hyperledger recommends high availability for the Tessera nodes and running them on a different instance than Besu because of memory constraints. (The simple quick-start requires at least 4 GB of RAM with Docker, but even with 6 GB I had issues.) To successfully distribute a private transaction, all private transaction participants must be online. If any participant is offline when the private transaction is submitted, the transaction is not attempted and you need to resubmit it. During my tests, a few transactions were dropped because of crashes due to a lack of resources on my computer.

Currently two forms of privacy group exist:

  • EEA (Enterprise Ethereum Alliance) privacy, with fixed-member groups defined at creation.
  • Besu extended privacy, which is still under development but has a working minimal API that allows modifying the members of a group during its lifetime. This is a huge improvement for easily adding new participants to an existing blockchain.

The API can be found here: https://besu.hyperledger.org/en/stable/Reference/API-Methods/#priv-methods

Permissions on Besu can be managed locally, with allow/block lists, or within a smart contract so that they apply to the whole chain. Besu can also block any connection from unauthorized nodes, which with other clients has to be done with firewall rules. These features are often necessary in a private enterprise blockchain, but having them at a network level or a whole-chain level is perfectly fine. For instance, with a standard Go-Ethereum instance, to have allow-listed accounts you would have to do it with ETH and set a gas price, but that would not prevent ETH transfers.

The API can be found here: https://besu.hyperledger.org/en/stable/Reference/API-Methods/#perm-permissioning-methods
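As an added example (not code from this post or from the Besu project), here is one way to audit a node's local account allowlist against a reviewed list and build the `perm_*` JSON-RPC calls that reconcile them. The function names, the sample addresses and the node URL passed to `send` are assumptions; the method names are those of the permissioning API linked above.

```python
import json
import re
import urllib.request

ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")

def normalise(accounts):
    """Validate 20-byte hex addresses; return them lower-cased and de-duplicated."""
    out = set()
    for acct in accounts:
        if not ADDRESS.fullmatch(acct):
            raise ValueError(f"not an Ethereum address: {acct!r}")
        out.add(acct.lower())
    return out

def rpc(method, params, req_id):
    return {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}

def plan_allowlist_sync(current, desired):
    """Compare the node's allowlist (the result of perm_getAccountsAllowlist)
    with the reviewed list; return the drift and the calls that correct it."""
    cur, want = normalise(current), normalise(desired)
    missing = sorted(want - cur)      # approved, but not yet allowed on the node
    unexpected = sorted(cur - want)   # allowed on the node, but never approved
    calls = []
    if missing:
        calls.append(rpc("perm_addAccountsToAllowlist", [missing], 1))
    if unexpected:
        calls.append(rpc("perm_removeAccountsFromAllowlist", [unexpected], 2))
    return {"missing": missing, "unexpected": unexpected, "calls": calls}

def send(url, call):
    """POST one JSON-RPC call to a Besu node; url is supplied by the operator."""
    req = urllib.request.Request(url, json.dumps(call).encode(),
                                 {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

# Constructed sample data, not taken from a real network.
CURRENT = ["0x" + "11" * 20, "0x" + "AB" * 20, "0x" + "33" * 20]
DESIRED = ["0x" + "11" * 20, "0x" + "ab" * 20, "0x" + "22" * 20]

if __name__ == "__main__":
    print(json.dumps(plan_allowlist_sync(CURRENT, DESIRED), indent=2))
```

An entry under `unexpected` is worth investigating before it is removed, since it means the node's allowlist was changed outside the reviewed list.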

Overall, we are extremely pleased with our tests. Hyperledger Besu is already our main choice of client for Ethereum-based blockchains, and the possibility to add privacy without having to recreate a new chain is a strong feature that will help us build more advanced solutions.
