The AZTEC protocol: a zero-knowledge privacy system on Ethereum

ETHNews spoke with AZTEC CTO Zac Williamson and CEO Tom Pocock about how the zero-knowledge protocol could bring confidentiality to blockchain transactions while still benefiting from the public nature of Ethereum.

The introduction of privacy into blockchain networks has taken many forms, from Zcash's zk-SNARKs to the transparency-focused variant from StarkWare Technologies, zk-STARKs. These examples, though different, share an important characteristic: both are zero-knowledge proofs.

Zero-knowledge cryptography has also surfaced in various efforts to improve Ethereum. For example, Vitalik Buterin, in discussing potential layer-two solutions, suggested using zk-SNARKs to prove the validity of blocks created off-chain. In addition, at the ETHSingapore hackathon this month, a team developed a zk-SNARK-based DAI transaction framework called ZkDai.

Within this realm of privacy research, the zero-knowledge protocol AZTEC (short for Anonymous Zero-knowledge Transactions with Efficient Communication) was recently launched to enable confidential Ethereum transactions. The protocol shares similarities with Zcash, but AZTEC does not use zk-SNARKs; rather, it relies on its own set of AZTEC-specific algebraic zero-knowledge proofs.

An AZTEC primer

At its core, AZTEC allows people to convert ERC20 tokens into notes, which are cryptographic representations of value. A note can represent any token value, for example 10 DAI or 50 DAI. While the value and the viewing key (required to access the note's contents) are private, the Ethereum address of each note's owner is public, so anyone can see that a transaction has occurred, but not what was transacted.

Users send and receive notes via join-split transactions, in which input notes are destroyed to create output notes. Zac Williamson, chief technology officer and creator of AZTEC, gave an example:

"[I]magine Alice has two AZTEC notes worth 100 tokens combined. If she wants to send Bob 20 tokens, Alice creates one or more notes owned by Bob whose values sum to 20. Then she creates one or more notes owned by herself, the sum of which is 80 tokens."

This is where zero-knowledge proofs come into play. In the example above, Alice constructs an AZTEC proof to confirm her transaction with Bob. Once she has done so, AZTEC's EDCC (a.k.a. smart contract) validates the proof, destroys Alice's input notes, and then creates the output notes (one or more totaling 20 tokens for Bob and one or more totaling 80 tokens for Alice). In other words, the system redistributes the tokens.

The key phrasing here is "one or more". Technically, Alice could make one note with 20 tokens for Bob and one with 80 for herself. However, an observer could then easily determine the value of each of these notes. That is why AZTEC allows users to create multiple notes with varying values, including notes worth 0 tokens, to obscure the output values. If Alice's 80 tokens were spread across 10 to 20 notes of different amounts, it would be extremely difficult to work out the value of any one note.

To move tokens into the AZTEC system in the first place, however, a public commitment value must be computed to keep the system balanced. Williamson used the DAI example to explain the process to ETHNews:

"I wanted to convert 50 DAI into zero-knowledge notes, so I had zero input notes and I wanted to make some output notes. This public commitment is a kind of balancing factor. The current formula we use is that we check that the sum of the input notes is equal to the sum of the output notes plus this public commitment value. It is a public integer sent with the transaction, where everyone can see it."

Because the integer can be positive or negative, it accounts for both withdrawals from and deposits into the AZTEC system. A positive value corresponds to a withdrawal, while a negative value indicates that a deposit has been made. In the case of a deposit, AZTEC's EDCC transfers tokens equal to the magnitude of the negative commitment value into its own balance, so that it acts as custodian of the tokens while they are in zero-knowledge form. This is how the token balance is maintained.
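The balancing rule and sign convention described above, as an added toy model that is not AZTEC's code: the zero-knowledge proof is replaced by plaintext arithmetic, and `Note`, `JoinSplit`, `split_change` and `ToyContract` are constructed names. It shows a deposit (negative public value), Alice's transfer with change spread over several notes including zero-value ones, and a withdrawal.

```python
import itertools
from dataclasses import dataclass, field

_ids = itertools.count()

@dataclass(frozen=True)
class Note:
    """Toy note: token value plus public owner. A real AZTEC note hides the
    value behind a commitment; this model keeps it in the clear."""
    value: int
    owner: str
    nid: int = field(default_factory=_ids.__next__)  # tells equal-valued notes apart

@dataclass
class JoinSplit:
    inputs: list        # notes destroyed by the transaction
    outputs: list       # notes created by the transaction
    public_value: int   # public integer: positive = withdrawal, negative = deposit

def balanced(tx: JoinSplit) -> bool:
    """The rule Williamson describes: sum(inputs) == sum(outputs) + public_value."""
    if any(n.value < 0 for n in tx.inputs + tx.outputs):
        return False
    return sum(n.value for n in tx.inputs) == sum(n.value for n in tx.outputs) + tx.public_value

def split_change(inputs, to, amount, change_values):
    """Pay `amount` to `to` and return the remainder to the inputs' owner as several
    notes (zero-value notes allowed) so no single note reveals the change."""
    owner = inputs[0].owner
    if sum(change_values) != sum(n.value for n in inputs) - amount:
        raise ValueError("change notes must absorb exactly the remainder")
    outputs = [Note(amount, to)] + [Note(v, owner) for v in change_values]
    return JoinSplit(inputs, outputs, 0)  # pure transfer: public value is zero

class ToyContract:
    """Stands in for the AZTEC EDCC's custody role (constructed, not the real
    contract): it holds the ERC20 tokens backing every live note."""
    def __init__(self):
        self.escrow = 0    # tokens held while their notes are in zero-knowledge form
        self.live = set()  # notes that currently exist

    def apply(self, tx: JoinSplit) -> bool:
        if not balanced(tx) or not all(n in self.live for n in tx.inputs):
            return False   # unbalanced, or spends a note that does not exist / was spent
        self.escrow -= tx.public_value  # deposit (negative) adds tokens, withdrawal removes
        self.live.difference_update(tx.inputs)
        self.live.update(tx.outputs)
        return True
```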

The AZTEC framework also relies on a trusted setup. This process resembles Zcash's multiparty computation (MPC) ceremonies, which generate the public parameters used to verify zero-knowledge proofs. A recent Zcash MPC, called Powers of Tau, concluded at the beginning of 2018.

In an MPC, participants sample random numbers (called toxic waste) and perform computations that are added to a public transcript. This transcript is used to produce the public parameters. At least one participant must destroy their toxic waste to ensure the integrity of the parameters.

AZTEC's trusted setup follows in Zcash's footsteps, requiring at least one person to destroy their toxic waste. As currently implemented, however, the AZTEC proof of concept uses an internal multiparty computation process. Williamson cautions that the system is, for now, "use at your own risk", since there is no way to show that the toxic waste has actually been destroyed. The full, ongoing trusted setup process will be implemented more completely in the coming months.

Cool, but how useful is AZTEC?

Zero-knowledge proofs allow people to preserve their privacy when transacting on the public Ethereum network, and a trusted MPC setup allows multiple parties to take part in the process. But using AZTEC (at this point, at least) seems more academic than practical. How does one even build a zero-knowledge proof?

To simplify the process, AZTEC has been working on an application programming interface (API) and other developer tools. The upcoming AZTEC API, for example, will handle much of the heavy lifting required to construct the protocol's core zero-knowledge proofs. Rather than having to perform specialized elliptic-curve arithmetic as in some zk-SNARK schemes (which can require special, RAM-hungry applications), users of the API will only need to supply some information, such as their token values and their public keys. "Ideally, it should be pretty simple once we have optimized our API and our algorithms," Williamson said.

However, he acknowledged problems with the delivery of public keys, noting:

"If there's one thing that's really on my mind right now, when it comes to the ease of use of our protocol, it's that we're discovering, perhaps creating, a mechanism that makes it very easy and hassle-free for people to give us their public keys if they want to use our cryptosystem, because right now, if you use it on Ethereum, you have to hand over your public key. We think we've cracked it, so we're pretty excited about what we have."

Beyond constructing zero-knowledge proofs, there are auxiliary considerations when using the AZTEC protocol. One important detail is gas: it costs around 900,000 gas to issue a transaction containing four notes. With the possible implementation of EIP 1108, which optimizes the gas costs of precompiled EDCCs, Williamson said the cost will drop to around 200,000-300,000 gas. "[EIP 1108] will probably take some time to go through the process and will actually have to be introduced in a hard fork, but when that happens, our gas costs will fall by a factor of five or more, which is extremely exciting for us," he explained.

Because AZTEC exists in proof-of-concept form, it has some usability problems, but the team says it is working on them.

The value of privacy combined with transparency

Converting ERC20 tokens into private notes is a compelling use case, especially for traditional financial actors who want to experiment with cryptocurrency but do not want to compromise their privacy. This sentiment, however, is where AZTEC's greatest potential value lies: the protocol provides privacy while still exploiting the advantages of the public Ethereum network. Tom Pocock, CEO of AZTEC, told ETHNews about the hybrid quality of the system and how the protocol grew out of the Ethereum project he built with Williamson, CreditMint:

"[If] I'm going to send you a $5 million bond or whatever it may be, I want this data to be guaranteed, I want settlement guarantees, [and] I want the single data source to be a public blockchain, but I need the privacy of a bank. So that's why we were wedded to using a public blockchain for the transactions we're helping create through CreditMint. AZTEC was the answer to … second-layer privacy."

Indeed, although AZTEC focuses on confidentiality, Pocock said it will emphasize the "economic guarantee" provided by the public Ethereum chain when it presents the protocol to traditional financial actors interested in testing the technology. He reflected: "If you can put an economic guarantee, if you can afford that economic guarantee [that the] Ethereum mainnet gives you on all the transactions you've ever done, why wouldn't you choose to enjoy that guarantee, as it is the strongest record you can ever have of all your financial interactions in your economic history?"

On a more technical level, the protocol, according to Williamson, "allows the construction of purely confidential assets that do not have any kind of ERC-20 equivalent token." Instead of requiring additional cryptographic circuits or several trusted setup processes to create these assets, individuals can do so on Ethereum. No special RAM-hungry applications are required. Users are then able to transact with their confidential assets while at the same time benefiting from the immutability and decentralization that characterize Ethereum.

Taking AZTEC's potential a step further, the protocol's efficient zero-knowledge proof construction means that transactions could be compatible with hardware wallets. Imagine issuing confidential transactions directly from a hardware wallet.

If projects like AZTEC are successful, privacy and transparency can coexist within the cryptospace.
