Introducing privacy to blockchain networks has taken many forms, from Zcash's zk-SNARKs to StarkWare Technologies' transparency-focused variant, zk-STARKs. These examples, though different, share an important characteristic: They both feature zero-knowledge proofs.
The zero-knowledge flavor of cryptography has emerged within various efforts to improve Ethereum. For instance, Vitalik Buterin, in discussing potential second-layer solutions, suggested using zk-SNARKs to prove the validity of blocks created off-chain. Further, at the ETHSingapore hackathon this month, a team developed a zk-SNARK-based DAI transaction framework called ZkDai.
Within this realm of privacy research, the zero-knowledge protocol AZTEC (short for Anonymous Zero-knowledge Transactions with Efficient Communication) was recently launched to enable confidential Ethereum transactions. The protocol shares similarities with Zcash, but AZTEC does not use zk-SNARKs; rather, it includes a set of algebraic zero-knowledge proofs specific to AZTEC.
An AZTEC Primer
At its basic, AZTEC allows individuals to convert ERC20 tokens into notes, which are encrypted representations of value. A note can represent any token value, whether that be, for example, 10 DAI or 50 DAI. While the value and the viewing key (required to access the note's information) are private, the Ethereum address of each note's owner is public, so anybody can see that a transaction occurred but without knowledge of how much was transacted.
Users send and receive notes through join-split transactions, which means an input is destroyed to create an output. Zac Williamson, chief technology officer and creator of AZTEC, provided an example:
"[I]magine Alice has two AZTEC notes worth 100 tokens combined. If she wants to send Bob 20 tokens, Alice would create one or more notes owned by Bob, whose values sum to 20. She would then create one or more notes owned by her, the sum of which is 80 tokens."
This is where zero-knowledge proofs come into play. In the above example, Alice would construct an AZTEC proof to confirm her transactional relationship with Bob. After this is done, AZTEC's EDCC (aka smart contract) would validate the proof, destroy Alice's input notes, and then create the output notes (one or more equal to 20 tokens for Bob, and one or more equal to 80 tokens for Alice). In other words, the system redistributes the number of tokens.
The key phrasing here is "one or more." Technically, Alice could create one note with 20 tokens for Bob and one with 80 for herself. However, an onlooker could easily determine the value of each of these notes. That is why AZTEC enables users to create multiple notes with varying values, even those that are worth 0 tokens, to obscure the output value. If Alice's 80 tokens were spread across 10-20 notes with differing amounts, then it would be incredibly difficult to discern each note's value.
To initially transfer tokens into the AZTEC system, though, a public commitment value must be calculated to balance the system. Williamson used the example of DAI to explain the process to ETHNews:
"I wanted to convert 50 DAI into zero-knowledge notes, so I had zero input notes, and I wanted to make some output notes. That public commitment is kind of a balancing factor. The actual formula we use is we check that the sum of the input notes is equal to the sum of the output notes plus this public commitment value. It's a public integer that's sent inside the transaction where everyone can see it."
Because the integer can be either positive or negative, it accounts for withdrawals from or deposits into the AZTEC system. A positive value equals a withdrawal, whereas a negative value signals a deposit was made. In the case of a deposit, AZTEC's EDCC would transfer tokens equal to the negative commitment value into its own balance so that it can act as a custodian of the tokens while they are in zero-knowledge form. Thus, token balance is achieved.
The AZTEC framework also relies on a trusted setup. This process is like Zcash's multiparty computation ceremonies (MPCs), which are used to verify zero-knowledge proofs through the generation of public parameters. A recent Zcash MPC called Powers of Tau concluded in early 2018.
Within an MPC, participants sample random numbers (called toxic waste) and perform computations, which are added to a public transcript. This transcript is used to produce public parameters. At least one individual then destroys their toxic waste to secure the integrity of the parameters.
AZTEC's trusted setup follows in Zcash's footsteps, requiring the destruction of toxic waste by at least one person. As currently deployed, though, the AZTEC proof of concept uses an internal multiparty computation process. Williamson maintains that the system "is very much use-at-your-own-risk," as there is no way to prove that the destruction of toxic waste occurred. The trusted setup process, he continues, will be more fully implemented over the next several months.
Cool, but How Usable Is AZTEC?
Zero-knowledge proofs allow individuals to preserve their privacy while transacting on the public Ethereum network, and an MPC-type trusted setup allows various parties to participate in the proof-verification process. But using AZTEC (at this point, at least) appears more academic rather than practically implementable. How does one even construct a zero-knowledge proof?
To simplify the process, AZTEC has been working on an application programming interface (API) and other developer tools. The forthcoming AZTEC API, for instance, will handle much of the heavy lifting required to construct the zero-knowledge proofs core to the protocol. Rather than having to perform specific forms of elliptic curve arithmetic like in some zk-SNARK models (which may require special applications that use a lot of RAM), with the API, users will only need to input a few bits of information, such as the values of their tokens and their public keys. "Ideally, it should be pretty seamless when we've polished our API and our algorithms," said Williamson.
Still, he acknowledged the issues with public key delivery, noting:
"If there's one thing that's really on my mind right now when it comes to ease of use of our protocol is finding, maybe creating, a mechanism that makes it very easy and seamless for people to deliver us their public keys if they want to use our crypto system because right now, if you use it over Ethereum, you have to hand over your public key. We think we've cracked that, so we're quite excited about what we have."
Besides the construction of zero-knowledge proofs, there are ancillary components to consider when using the AZTEC protocol. One important detail is gas – it costs about 900,000 gas to issue a transaction containing four notes. With the eventual implementation of EIP 1108, which optimizes the gas costs of precompiled EDCCs, Williamson said the cost would drop to around 200,000-300,000 gas. "[EIP 1108] is probably going to take a while to work its way through the process and actually get introduced into a hard fork, but when that does happen, our gas costs are going to drop by a factor of five or more, which is extremely exciting for us," he explained.
AZTEC, as it exists in proof-of-concept form, has some usability kinks, but the team says it's working them out.
The Value of Privacy Coupled with Transparency
The conversion of ERC20 tokens into private notes is a compelling use case, especially for traditional financial actors looking to experiment with cryptocurrency but not willing to compromise their privacy. This sentiment, though, is where AZTEC's greatest potential value arises: The protocol provides privacy while still tapping into the benefits of the public Ethereum network. Tom Pocock, CEO of AZTEC, told ETHNews about the hybrid quality of the system and how the protocol grew out of his and Williamson's other Ethereum project, CreditMint:
"[I]f I'm going to send you a $5 million bond or whatever it might be, I want these data guarantees, I want guarantees of settlement, [and] I want the single source of data a public blockchain brings, but I need the privacy of a bank, so that's why we were wedded to using a public blockchain for the transactions that we're helping to create through CreditMint. AZTEC was the answer to … back-level privacy."
Indeed, though AZTEC is focused on confidentiality, Pocock said he would emphasize the "economic guarantee" provided by the public Ethereum chain when pitching the protocol to traditional financial actors interested in trying the technology. He pondered, "If you can put an economic guarantee, if you can afford that economic guarantee that [the] Ethereum mainnet gives you around all of the transactions that you've ever done, why wouldn't you opt to enjoy that guarantee given that it is the strongest possible record you could ever have of all of your financial interactions in your economic history?"
On a more technical level, the protocol, according to Williamson, "enables the construction of purely confidential assets that don't have any kind of ERC-20 token equivalent." Rather than requiring additional cryptographic circuits or different trusted setup processes to create these assets, individuals can do so on Ethereum. No RAM-depleting special applications are needed. Users are thus able to transact with their unique confidential assets while also benefiting from the immutability and decentralization that characterize Ethereum.
Taking AZTEC's potential a step further, the efficient construction of the protocol's zero-knowledge proofs means the transactions might be compatible with hardware wallets. Imagine – issuing confidential transactions directly from a hardware wallet.
If projects like AZTEC succeed, privacy and transparency can co-exist within the cryptospace.