Vitalik Buterin, co-founder of Ethereum, has made it clear that Ethereum will fail without a technological shift toward privacy. Because all transactions are publicly visible, the privacy sacrifice is too great for many users, and everyone is turning to centralized solutions that hide data at least to some extent.
In 2023, Vitalik conducted a series of studies on privacy protection and the advancement of zero-knowledge proof (ZK) technology. In the first half of the year, Vitalik published three articles on his website dedicated to ZK and privacy protection. In April, he also presented a study on Reddit on the privacy of wallet guardians. In September, he co-authored a paper with other professionals proposing a solution for balancing privacy and compliance.
In addition, the Ethereum ecosystem is also actively promoting the discussion and popularization of this topic. At the ETHDenver event in March, a special event focused on privacy was held. At the annual EDCON (Ethereum Community Conference) in May, Vitalik emphasized that “ZK-SNARKs will be as important as blockchains in the next 10 years”.
This article tracks the latest developments in the Ethereum ecosystem in 2023 in terms of using ZK technology to advance privacy protection. If you want to get into the Ethereum ZK track, this article provides the necessary interpretation and guidance.
Ethereum’s transparency may put users’ personal information at risk of being compromised. There are no secrets on blockchains such as Ethereum: all information is public, including on-chain activities such as transactions and voting. Such openness may result in specific transactions and addresses being traced and linked to real user identities. Therefore, it is important to implement privacy protection on Ethereum. Hiding on-chain information can be done through cryptography, but the challenge is to ensure that the validity of these transactions can still be verified while privacy is protected. ZK technology provides a solution: it proves the authenticity of a transaction without revealing additional information, providing both privacy and verifiability.
Ethereum places a high value on ZK-SNARKs, especially in certain key privacy-preserving use cases. This is evident in Vitalik’s research and proposals. Salus collates the typical scenarios that Vitalik proposes in his research, namely private transactions and social recovery.
When it comes to private transactions, Vitalik proposes two concepts: Stealth Addresses and Privacy Pools.
The privacy address scheme allows transactions to be made while hiding the identity of the transaction recipient. This approach provides privacy protection while ensuring transparency and auditability of transactions.
Based on the privacy pool protocol, users can prove that their trading funds belong to a known compliant source without disclosing historical transactions. This scheme allows users to conduct private transactions while complying with regulations.
Both of these scenarios are inseparable from ZK. In both scenarios, users are allowed to generate zero-knowledge proofs to prove the validity of their transactions.
2.1.1 Privacy Address
Let’s say Alice intends to transfer some kind of asset to Bob, and when Bob receives the asset, he doesn’t want the global public to know that he is the recipient. Although it is difficult to conceal the fact of the transfer of assets, it is possible to hide the identity of the recipient. It is in this context that the privacy address scheme came into being, and the main problem it addresses is how to effectively hide the identity of the recipient of the transaction.
So, what is the difference between a privacy address and a normal ETH address, and how to use a ZK-based privacy address for private transactions? Salus will introduce them to you one by one.
(1) What is the difference between a privacy address and an ordinary ETH address?
A privacy address is an address that can be generated non-interactively by the sender of a transaction and can only be accessed by its recipient. Let’s explain the difference between the privacy address and the ordinary ETH address from two dimensions: who generates it and who has access to it.
Generated by whom?
Ordinary ETH addresses are generated by the user himself based on encryption and hashing algorithms. A privacy address can be generated by the user or by the other party to the transaction. For example, when Alice sends a transfer to Bob, the address that Bob uses to accept the transfer can be generated by Bob or Alice, but is controlled only by Bob.
Who can access?
The type, amount, and source of funds under an ordinary ETH account are publicly visible. In transactions made with a privacy address, by contrast, only the recipient has access to the funds stored in their privacy address. The observer cannot associate the recipient’s privacy address with their identity, protecting the recipient’s privacy.
(2) How to use ZK-based privacy addresses for private transactions?
Suppose Alice wants to send assets to Bob’s privacy address in order to hide the recipient of the transaction. Here’s a detailed description of the transaction process:
The privacy address in the above process can also be constructed using zero-knowledge proofs built from hashes and public key cryptography. The smart contract code in the privacy address can be integrated with ZK. By embedding zero-knowledge proof verification logic, smart contracts are able to automatically verify the validity of transactions. This scheme for constructing a privacy address is simpler than other schemes, including elliptic curve cryptography, elliptic curve isogenies, lattices, and generic black-box primitives.
2.1.2 Privacy Pool
Whether private transactions are achieved by hiding the identity of the recipient of the transaction or other information about the transaction, there is a major problem: how can users prove that their transaction funds belong to a known compliant source without having to disclose their entire transaction history? Ethereum, as a public blockchain platform, must avoid becoming a medium for money laundering and other illegal activities.
Vitalik has proposed a solution called “Privacy Pool” that aims to balance the privacy protection and compliance needs of blockchains. However, what are the challenges of privacy protection and compliance, and how do you balance privacy and compliance? Salus provides an in-depth and instructive discussion on both issues.
(1) Privacy protection and compliance challenges
Ensuring transaction compliance while achieving privacy protection is a challenge, and this can be vividly demonstrated by analyzing the Tornado Cash case.
Tornado Cash is a cryptocurrency mixer that mixes a large number of deposits and withdrawals. After depositing tokens at one address, users can present a ZK proof to prove that they have deposited, and then withdraw funds from a new address. These two operations are public on the chain, but the correspondence between them is not public, so they are anonymous. While it can enhance the privacy of users, it is often used by illegal actors to launder money. As a result, the U.S. Treasury Department’s OFAC eventually added Tornado Cash’s smart contract address to the sanctions list. Regulators believe that the protocol facilitates money laundering and is not conducive to the fight against financial crime.
Tornado Cash’s shortcoming is that there is no way to verify that the origin of a user’s tokens is compliant. In response to this problem, Tornado Cash provides a centralized server to help the user prove that his token is compliant. However, the server must obtain the details of the withdrawal provided by the user and determine which deposit the withdrawal corresponds to, in order to generate the proof. This centralized mechanism not only has the cost of trust assumptions, but also produces information asymmetry. Ultimately, the mechanism is barely used by users. While Tornado Cash implements privacy features, it doesn’t provide an effective mechanism to verify that the source of a user’s token is compliant, which is what criminals can exploit.
(2) How do you balance privacy and compliance?
Based on these challenges, Vitalik came up with the concept of Privacy Pools, which allows users to prove that their funding sources are compliant without revealing historical transaction information. This strikes a balance between privacy and compliance.
Privacy Pools are based on ZK and association sets, allowing users to generate and issue ZK-SNARK proofs that prove that their funds come from a known, compliant source. This means that the funds belong to a compliant association set, or they do not belong to a non-compliant association set.
Association sets are built by association set providers based on specific policies:
Membership Proof: Put deposits from all trusted trading platforms, for which there is conclusive evidence that they are low-risk, into an association set.
Exclusion Proof: Identify a group of deposits that have been flagged as risky, or for which there is conclusive evidence that they are non-compliant funds. Construct an association set that contains all deposits except these deposits.
When making a deposit, users generate a secret and hash it to obtain a public coin ID that marks their association with the funds. When withdrawing, the user submits a nullifier corresponding to the secret (the nullifier is a unique identifier derived from the secret), proving that the funds are theirs. In addition, users can prove that their funds belong to a known, compliant source by proving two Merkle branches through ZK:
The coin ID belongs to the coin ID tree, which is a collection of all transactions that are currently taking place;
The coin ID belongs to an association set tree, which is a collection of transactions that the user considers to be compliant.
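The withdrawal statement described above, written out as an added example that is not code from the original article or from any Privacy Pools implementation. It evaluates in the clear the relation a ZK-SNARK would prove without revealing the witness; it assumes the coin ID and the nullifier are tagged hashes of the secret, uses SHA-256 as a stand-in for a SNARK-friendly hash, and all names and sample secrets are constructed.

```python
import hashlib

def H(*parts):
    # SHA-256 stands in for the SNARK-friendly hash a real circuit would use (assumption).
    return hashlib.sha256(b"".join(parts)).digest()

def coin_id(secret):
    return H(b"coin", secret)      # public marker stored at deposit time

def nullifier(secret):
    return H(b"null", secret)      # revealed once, at withdrawal time

EMPTY = H(b"empty")                # padding leaf for odd-sized levels

def merkle(leaves, index=None):
    """Return (root, branch); branch is the sibling path of leaves[index]."""
    level, branch = list(leaves) or [EMPTY], []
    while len(level) > 1:
        if len(level) % 2:
            level.append(EMPTY)
        if index is not None:
            branch.append((level[index ^ 1], index & 1))
            index //= 2
        level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], branch

def branch_root(leaf, branch):
    node = leaf
    for sibling, leaf_is_right in branch:
        node = H(b"node", sibling, node) if leaf_is_right else H(b"node", node, sibling)
    return node

def relation(secret, branch_all, branch_assoc, pub_nullifier, root_all, root_assoc):
    """Statement proved at withdrawal; the first three arguments are the private witness."""
    cid = coin_id(secret)
    return (nullifier(secret) == pub_nullifier
            and branch_root(cid, branch_all) == root_all        # coin ID tree
            and branch_root(cid, branch_assoc) == root_assoc)   # association set tree

def prove(secret, all_ids, assoc_ids):
    """Prover side: returns None when the coin is not in the association set."""
    cid = coin_id(secret)
    if cid not in assoc_ids:
        return None
    root_all, b_all = merkle(all_ids, all_ids.index(cid))
    root_assoc, b_assoc = merkle(assoc_ids, assoc_ids.index(cid))
    return {"nullifier": nullifier(secret), "root_all": root_all,
            "root_assoc": root_assoc, "witness": (secret, b_all, b_assoc)}

def verify(w, pool_root, assoc_root, spent):
    """Verifier side: pins both roots, rejects a reused nullifier, checks the relation."""
    if w["nullifier"] in spent or (w["root_all"], w["root_assoc"]) != (pool_root, assoc_root):
        return False
    if not relation(*w["witness"], w["nullifier"], pool_root, assoc_root):
        return False
    spent.add(w["nullifier"])
    return True

def demo():
    secs = [bytes([i]) * 32 for i in range(4)]       # constructed sample secrets
    all_ids = [coin_id(s) for s in secs]
    assoc = [c for c in all_ids if c != all_ids[2]]  # exclusion set: deposit 2 is flagged
    pool_root, assoc_root = merkle(all_ids)[0], merkle(assoc)[0]
    spent = set()
    w = prove(secs[1], all_ids, assoc)
    first = verify(w, pool_root, assoc_root, spent)
    replay = verify(w, pool_root, assoc_root, spent)
    flagged = prove(secs[2], all_ids, assoc)         # no association branch exists
    b = merkle(all_ids, 2)[1]                        # flagged user reuses the pool branch
    forged = {"nullifier": nullifier(secs[2]), "root_all": pool_root,
              "root_assoc": assoc_root, "witness": (secs[2], b, b)}
    return first, replay, flagged is None, verify(forged, pool_root, assoc_root, spent)

if __name__ == "__main__":
    print(demo())
```

In a deployed system the verifier would see only the nullifier, the two roots and the proof; the `witness` field stands in for that proof here.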
(3) What are the application scenarios of ZK in privacy pools?
Flexibility for private transactions: In order to process transfers of any denomination in private transactions, an additional zero-knowledge proof is attached to each transaction. This proof ensures that the total denomination of the created tokens does not exceed the total denomination of the tokens being consumed, thus ensuring the validity of the transaction. In addition, ZK maintains transaction continuity and privacy by verifying each transaction’s commitment to the original deposit token ID, making it possible to guarantee that each withdrawal is associated with its corresponding original deposit, even in the case of partial withdrawals.
Balance-summing attacks: Balance-summing attacks can be resisted by merging tokens and committing to a set of token IDs, as well as a commitment to the union of parent transactions for transactions with multiple inputs. This approach relies on ZK to ensure that all committed token IDs are in their association sets, enhancing the privacy of transactions.
In real life, we may have more than one bank card account. Losing a card PIN means we can’t use the funds on that card. In this case, we usually go to the bank for help to retrieve the password.
Similarly, in blockchains such as ETH, we may have multiple addresses (accounts). A private key, like a bank card password, is the only tool you have to control your account’s funds. Once you lose your private key, you lose control of your account and can no longer access the funds in your account. Similar to real-world password recovery, blockchain wallets provide a social recovery mechanism to help users recover their lost private keys. This mechanism allows users to select a group of trusted individuals to act as guardians when creating a wallet. These guardians can help users regain control of their accounts by approving the reset of their private keys in the event that they lose their private keys.
Under this social recovery and guardianship mechanism, Vitalik proposes two privacy protection points that need to be paid attention to:
Hide the correlation between multiple addresses: To protect user privacy, we need to prevent the attribution of multiple addresses from being exposed when recovering multiple addresses with a single recovery phrase.
Protect the privacy of the user’s property from the guardian: We must ensure that the guardian cannot obtain the user’s asset information or observe the user’s transaction behavior during the process of approving the user’s operation, so as to prevent the user’s property privacy from being violated.
The key technology to achieve both types of privacy protections is zero-knowledge proofs.
2.2.1 Hide the correlation between multiple addresses of a user
(1) Privacy issues in social recovery: The correlation between addresses is disclosed
In blockchains such as ETH, users usually generate multiple addresses for various transactions in order to protect their privacy. By using different addresses for each transaction, you can prevent outside observers from easily associating these transactions with the same user.
However, if the user’s private key is lost, the funds under the multiple addresses generated from that private key cannot be recovered. In this case, social recovery is required. An easy way to recover is to recover multiple addresses with one click, where the user uses the same recovery phrase to recover multiple addresses generated by a single private key. However, this approach is not ideal, as users generate multiple addresses in order to prevent them from being associated with each other. If a user chooses to restore all addresses at the same time or at a similar time, this effectively reveals that the addresses are owned by the same user. This goes against the user’s original intent of creating multiple addresses to protect their privacy. This constitutes a privacy protection issue in the process of social recovery.
(2) ZK Solution: How to keep the correlation between multiple addresses from being disclosed?
ZK technology can be used to hide the correlation between multiple addresses of a user on the blockchain, and solve the privacy problem of social recovery through an architecture that separates verification logic and asset holdings.
Verification logic: Users have multiple addresses on the blockchain, but the verification logic for all of them is connected to one main authentication contract (keystore contract).
Asset Holding and Trading: When users operate from any address, they leverage ZK technology to verify the permission to operate without revealing which address it is.
In this way, even if all addresses are connected to the same keystore contract, an outside observer cannot determine whether the addresses belong to the same user, thus achieving privacy between addresses.
It is important to design a private social recovery scheme that can recover multiple user addresses at the same time without revealing the correlation between them.
2.2.2 Protect the privacy of the user’s property from the infringement of guardians
(1) Privacy issue: the privilege of the guardian
In blockchains such as ETH, users can set multiple guardians when creating a wallet. Especially for multisig wallets and social recovery wallets, the role of guardian is crucial. Typically, a guardian is a collection of N addresses held by someone else, where any M addresses can approve an action.
The privileges of guardianship include, for example:
For multisig wallets, each transaction must be signed by M of the N guardians before it can be processed.
For the Social Recovery Wallet, if the user’s private key is lost, then M of the N guardians must sign a message to reset the private key.
Guardians can approve your actions. In multisig, this would be any transaction. In the Social Recovery Wallet, this will be a reset of your account private key. One of the challenges facing the guardianship mechanism today is how to protect the user’s financial privacy from the guardian’s invasion.
(2) ZK Solution: Protect the privacy of users’ property from the infringement of guardians
In this article, Vitalik envisions that the guardian is not protecting your account, but rather a “lockbox” contract, and the link between your account and this lockbox is hidden. This means that guardians do not have direct access to the user’s account and can only do so through a hidden lockbox contract.
The main role of ZK is to provide a proof system that allows guardians to prove that a statement is true without revealing the specifics of the statement. In this case, the guardian can use the ZK-SNARK to prove that they have the authority to perform an action without revealing any details related to the “link between the account and the lockbox”.
While the ETH ZK track is still in the development stage, and many innovative ideas and concepts are still being conceived and studied, the ETH ecosystem has already launched a wider range of practical exploration activities.
(1) Funding from the Ethereum Foundation
In September, the Ethereum Foundation funded two privacy-preserving projects, IoTeX and ZK-Team. IoTeX is an account abstraction wallet based on zero-knowledge proofs, and ZK-Team is dedicated to enabling organizations to manage team members while maintaining personal privacy.
(2) Investment
In October, Vitalik, co-founder of Ethereum, invested in Nocturne Labs with the aim of bringing private accounts to Ethereum. Users will have ‘internal’ accounts in Nocturne and the method of receiving/spending funds from these accounts will be anonymous. With ZK technology, users can prove that they have enough funds for transactions, such as payments, staking, etc.
(3) Meetings and events
ETHDenver is considered one of the most important ETH and blockchain technology-related events in the world. In March of this year, ETHDenver hosted a special event focused on privacy. This event not only shows the ETH community’s concern about privacy issues, but also reflects the importance that the global blockchain community attaches to privacy protection. At this special event, nine privacy-related sessions were held, including Privacy by Design and Privacy vs Security.
EDCON (Ethereum Community Conference) is a global annual conference hosted by the Ethereum community, aiming to promote the development and innovation of Ethereum, and strengthen the connection and cooperation of the Ethereum community. At EDCON in May of this year, Vitalik made an important statement, stating that “in the next 10 years, ZK-SNARKs will be as important as blockchain”. This statement highlights the importance of ZK-SNARKs in the development trend of blockchain technology.
(4) Projects
At present, some application-layer projects have begun to use ZK technology to provide privacy protection services for users and transactions. These application layer projects are called ZK Applications. One example of a ZK Application is unyfy, a privacy asset exchange deployed on ETH. Here the prices of trading orders are hidden, and the integrity of these orders with hidden prices is verified by ZK technology. In addition to unyfy, there are a number of other ZK applications on L2s, such as ZigZag and Loopring, among others. While these ZK Applications are privacy-preserving based on ZK, they cannot be deployed on ETH because the EVM cannot run these ZK Applications directly.
(5) Research
In addition, researchers have had a heated discussion on ZK technology and its applications on the Ethereum Research platform, including a research article from Salus dedicated to using ZK to promote the implementation of privacy protection at the application layer of Ethereum. This article tests the performance of several different ZK languages, Circom, Noir, and Halo 2, and the results show that Circom has better performance. The article also proposes a generic solution to integrate Circom in Solidity to implement a ZK-based Ethereum application layer project. This is of great significance for Ethereum to achieve a privacy transition. This study has gained significant attention in 2023, ranking first on the list.

This research article is the most read study of 2023 on Ethereum Research (author: Salus).
Although many of the existing ETH application layer projects urgently need to introduce a privacy-preserving mechanism based on ZK, this process faces a series of challenges.
Lack of talent resources in ZK: The study of ZK technology requires a solid theoretical foundation, especially in the fields of cryptography and mathematics. Since the implementation of ZK technology involves complex formulas, learners also need to have strong formula interpretation skills. But the problem is that there are relatively few people who focus on learning ZK technology.
Limitations of ZK development languages: Languages such as Rust, Cairo, and Halo 2 are used to develop ZK proof circuits, but they are usually only suitable for specific scenarios and are not suitable for application-layer projects. Some of these languages, such as Cairo, are still experimental, and there may be compatibility issues between different versions, which makes it difficult and complex to adopt them in real-world applications.
Difficulty in implementing ZK technology: Vitalik’s solution of applying ZK technology to privacy protection in ETH may face a variety of complex problems in actual implementation, such as how to avoid balance-summing attacks and double-spend attacks on private transactions. There is a certain technical difficulty in solving these problems.
Privacy vs. Compliance: While private transactions protect users’ identities and transaction details, they can also mask illegal activities, such as money laundering. In the future, it remains to be verified whether ZK Applications on ETH will be compliant in the process of implementing privacy protection.
Despite the challenges, a prerequisite for Ethereum’s transition to privacy, that is, securing transfers of funds that provide privacy protection and ensuring that all other tools being developed (social recovery, identity, reputation) protect privacy, is to deploy ZK Applications extensively. As mentioned above, the research published by Salus is based on ZK technology to promote features such as privacy protection at the Ethereum application layer. Moreover, Salus proposed for the first time a universal solution that integrates Circom and Solidity and applies it to Ethereum application layer projects, implementing the ZK proof system off-chain based on Circom, and implementing smart contracts and ZK verification logic on Ethereum based on Solidity. If you need support or have any questions, don’t hesitate to contact Salus.
In 2023, the ETH community, led by Vitalik Buterin, explored the potential of zero-knowledge proof technology with the goal of enhancing the platform’s privacy-preserving features. While these proposals are still in the research phase, Vitalik’s research and papers, particularly on balancing privacy and compliance, provide a theoretical foundation for zero-knowledge techniques to protect user privacy.
Although there are challenges in integrating zero-knowledge proof technology into Ethereum, it is expected that zero-knowledge proofs will play an even more important role in the Ethereum ecosystem in the near future as the technology matures and the community continues to work hard. Therefore, timely engagement and active exploration in this area, taking advantage of early opportunities, will help to occupy a strong position in this emerging field.