- Several Ethereum privacy projects have launched in recent months, both from startups and corporate research arms. This is a critical step towards real-world usage of public blockchains for financial applications
- Current projects have made innovative breakthroughs by adopting cutting-edge advances in cryptography to make confidential asset representation and private transactions possible
- Real-life implementations are still hamstrung by high gas costs that can only be solved by algorithmic advancements or protocol-level changes
by Larry Cermak
14 hrs ago · 9 min read
This free preview of The Block Genesis is offered to our loyal readers as a representation of the valuable research our Genesis members receive daily. If you’d like to receive all Genesis content on our site and via daily newsletter, join today.
One of the most promising uses for Ethereum has been for financial applications that use the distributed ledger and smart contracts to create programmable assets and instruments. MakerDAO, Compound and Uniswap have created a growing on-chain financial ecosystem that has grown astronomically. For a sense of scale, the Ethereum “DeFi” ecosystem has gone from $0 to almost $400 million in locked value within 18 months.
Yet for Ethereum to grow beyond a small community towards mainstream industry usage, there is a need to develop privacy options. Ethereum’s nature as a public blockchain requires transactions, accounts and state to be stored publicly and for computations to be transparent. For individuals, it’s a tough sell to have their net worth leak every time they make a grocery transaction. For companies, it’s a tough sell to have their data and transactions fully trackable by their competitors’ data analytics teams.
The dawn of on-chain private computation
Over the past few months, several Ethereum privacy projects have emerged to create the best of both worlds: the benefits of a global ledger, but with confidential asset holdings and private transactions. Argent, a popular wallet, has released a beta version of Hopper, an iOS app that offers user-friendly mixing service using zero-knowledge proofs to prevent transaction traceability. Heiswap, a similar project that uses linkable ring signatures, was built as a side project and deployed on the testnet by Kendrick Tan.
Yet the biggest privacy projects have been driven by enterprise teams within the financial industry. These teams realize how critical privacy is for enterprise adoption. Aztec‘s team was originally building CreditMint to issue and trade corporate debt on Ethereum, and came up with Aztec Protocol as a solution to industry’s need for private transactions. Nightfall was built out of Ernst & Young’s blockchain unit and is being worked into its blockchain product offering. JPMorgan’s Quorum has implemented parts of Benedikt Bünz’s Zether in Anonymous-Zether. Zeth, a proof-of-concept integrating ZCash concepts into Ethereum, is built by Clearmatics, a London-based blockchain R&D company.
“There are very few enterprise use cases that don’t depend on privacy” – Paul Brody, EY
Privacy is a critical need for real-world usage of blockchain. “There are very few enterprise use cases that don’t depend on privacy,” says Paul Brody from EY’s Nightfall team. Even in use cases that demand transparency such as product traceability, he notes that companies would still want to keep competitive information such as per-location sales numbers confidential. Aztec’s Tom Pocock points to a very practical example: employees’ salary numbers being fully public on a public network. “Most real world use cases for blockchain can’t run on public rails without privacy”, he says, “
“When we want to do genuinely important things on public networks – receive salary, pay rent, take out loans, buy and sell obligations – we need a way of doing logic on encrypted numbers” – Tom Pocock, Aztec
How on-chain privacy works
Public permissionless blockchains are bad at privacy by design: to achieve a shared ledger, consensus state must be stored publicly. In Ethereum’s case, any data stored in smart contracts can be easily accessed by a software engineer who knows his way around. The sender and recipient of each transaction is public along with the transaction data, making it easy for anyone to track and link intent to identity with a block explorer like Etherscan.
On-chain private computation projects build around these limitations. While each project’s implementation differs, they are built around the central idea of creating an on-chain “private zone” into which assets are deposited. This “private zone” implements homomorphic encryption, a specific encryption type that allows encrypted assets to be computed on (e.g. addition, subtraction, equality) without revealing their underlying value. In oversimplified terms, think of them as “encrypted numbers,” where addition and other mathematical operations still work.
Once the assets are encrypted in the “private zone”, they respond to encrypted instructions (“proofs”) such as transfers or queries. The magic of homomorphic encryption means that to an outsider, this all looks like random 1s and 0s acting on other random 1s and 0s. As all encrypted instructions are sent to the “private zone’s” smart contract, an outsider is unable to detect what the instruction is or what asset it acts on.
A “private zone” which computes on encrypted numbers enables many new use cases. Aztec’s Pocock gives an example: paying a person’s salary through private assets. A DeFi lender would then be able to use a zero-knowledge algorithm to check if the salary was above a minimum sum, without the person having to disclose the precise salary number to the lender or to the public. “In traditional finance, mortgage brokers and retail bankers and deposit accounts give us verification and privacy,” he says, “[in DeFi], zero-knowledge proofs are their replacement logic”.
The price of privacy
Yet significant issues remain. Homomorphic encryption is extremely computationally expensive, with each transaction requiring the sender to create cryptographic proofs which are then verified on-chain. The computationally expensive nature of proof construction prevents mobile phones and low-end computers from creating private transactions. In the case of Nightfall’s zk-snark toolkit, its Docker image requires a minimum of 8GB of memory, and the generation of zero-knowledge proofs creates ~7GB of files.
Once these proofs are constructed, they need to be verified on-chain for the transaction to be executed. These have to be done in the smart contract, and often contain expensive mathematical operations that consume large amounts of gas. Nightfall (3mn – 8mn gas), Zether (~7mn gas) demonstrate the upper bound of the gas costs. The high gas costs have caused teams to look for design tradeoffs. Aztec (800,000 gas) uses clever optimizations and algorithmic choices to bring down gas usage, but comes at the cost of a narrower class of computations that may limit its potential use cases.
There’s also the tricky issue of the block gas limit, currently at 8 million gas. Nightfall (~3-7 million gas) and Zether (~7 million gas) are dangerously close to it. The implication of this is that one or two private transactions would fill an entire block that typically holds 90 – 300 transactions. A few more private transactions would congest the network, and the ensuing gas price bidding war could easily double or triple the cost of a private transaction.
Private chains and Layer 2 solutions
With gas costs a main concern, many Ethereum privacy implementations have found traction in private enterprise chains where gas costs are less of a concern. Private chains have been a more forgiving environment for gas-intensive privacy implementations to be tested and used in real-life applications, and eventually transition into the public chain.
Leading the space is JPMorgan’s Quorum, which has quietly been implementing cutting edge privacy research in its open-source Ethereum implementation, albeit as a private chain. Quorum already has Tessera in production that enables private transactions, and has an implementation of Anonymous-Zether undergoing formal security review and deployed on the testnet. “What’s interesting about Ethereum privacy is that building a privacy protocol does more than simply turn Ethereum into ZCash or Monero”, says Oliver Harris, the team lead at JPMorgan’s Quorum, “it also makes possible things you couldn’t do with standalone private currencies, like cross-asset provably-atomic [private] swaps”.
Utilizing a private chain without the constraint of gas has allowed the Quorum team to experiment with different tradeoffs. Most of the public-chain focused privacy projects, driven by gas costs, have largely chosen to trade-off trusted setups and longer proof generation in exchange for cheap on-chain proof verification to lower gas consumption. The Quorum team’s Zether implementation instead explores a different tradeoff: non-constant proof verification time and larger proof sizes, in exchange for faster proof generation and complete trustlessness.
Another source of interesting innovation are second-layer solutions, which can implement more cryptographically expensive operations in their second layer while still being integrated to the main Ethereum chain. Enigma uses a decentralized network of nodes to run encrypted contracts and data that are run on specialized hardware known as trusted execution environments. Keep Network implements a way for smart contracts to interact with off-chain containers for private data. The POA Network runs a proof-of-authority version of Ethereum as a sidechain with very low gas costs, and recently launched a zero-knowledge fund to drive development of privacy-oriented applications on its network.
The fast pace of progress
Progress, though, is being made at an extraordinary rate. EY’s Nightfall and Aztec, who have open-sourced their implemented code, feature nascent developer communities which have started to tinker with improvements and extensions. The years that come will see some combination of Linus’ law and a variant of Moore’s law, where developer community momentum will find bugs while research community interest will produce more efficient algorithms. Order of magnitude gains are expected: EY’s Paul Brody says his team’s goal is to bring transaction privacy costs under $1 by the end of 2019, from the current cost of $8-10.
The research community is also alive and buzzing. Recent research advances such as Groth zkSNARK (2016) and Sigma Bulletproofs in the Zether paper (2019) come from an active cryptography and privacy research community that has seen a resurgence of interest and funding. Aztec’s Zac Williamson sees trustless zk-SNARK setups as a major research area, pointing to the SONIC paper as an example of recent advances. Alternative cryptographic approaches such as zk-STARKS (not to be confused with zk-SNARKS) have also seen active research within the community, with notable academics such as Eli Ben Sasson making the transition from academia to application with Starkware Industries.
At a protocol level, tweaks are being made to bring down the cost of cryptographic functions. Several projects mentioned EIP 1108 which reduces the price of elliptic curve arithmetic operations that are used in virtually every privacy project. This would have a drastic impact on gas costs and price: Aztec’s team estimates that it will reduce a transfer instruction’s gas usage by 75%. Antoine Rondelet from the Clearmatics team also points to adding ZCash’s BLS12-381 curve as a precompiled contract, which could possibly pave the way for more code re-use across the two projects. Olivier van den Biggelaar from the Argent team suggests additional precompiles for the MiMC and Pedersen hashes to make privacy functions more gas-efficient.
The journey to Ethereum privacy is just beginning, with progress being made quietly at the edge of research and with intelligent and determined teams. While current day real-life usage seems far off, the speed of research and the ability of the teams to improve is remarkable. It would not be wise to bet against them succeeding.