zk-Rollups: Keeping Privacy or Enabling Money-Laundering?


Privacy at the Edge — A first Try to Shield my Transactions

One of the great advantages of blockchain technology is the transparency of past transactions. Anything that has ever been transferred or owned by an address and its counterparts is stored immutably and indefinitely — retrievable via e.g. Etherscan.io. At the same time this advantage turns into a big disadvantage, IMHO even the biggest one, especially when it comes to data security and privacy. Vitalik Buterin asserts that the privacy issue is currently Ethereum’s most serious problem. He proposes “stealth addresses” to make peer-to-peer NFT transfers and ENS registrations anonymous – calling privacy Ethereum’s “largest remaining challenge”.

“In practice, using the entire suite of Ethereum applications involves making a significant portion of your life public for anyone to see and analyze”, he said in his blog. Not every user wants to display their assets freely to anyone out there. I’m convinced the desire for more discretion will become increasingly important as tokenization of assets of all kinds increases. Especially for high-net-value-investors (HNVI) secrecy is a top priority and currently another reason why (mass-)adoption hasn’t started yet. No surprise EY operates on Polygon with Nightfall, its Optimistic-Rollup, enabling the development of privacy-focused enterprise blockchain solutions.

Vitalik.eth owns approx. 11 Mio $ at the time of writing

It’s quite easy, if you can match a wallet address to a person, to find out about that person’s assets and spending habits. For example, here you can look up what tokens Vitalik Buterin owns and which ones he issued when and to whom.

On DLT privacy seems to be an illusion!

Of course, we don’t know if he owns any other wallets (which is to be assumed, as almost any DLT-user seems to have between 5 and 10 different wallets at least!!) and quite honestly, the purpose of the emerging ENS protocol is precisely to translate addresses into a human-readable form and thus to assign them to a person if necessary. So it’s obvious that behind the ENS vitalik.eth we will identify the individual Vitalik Buterin. If ENS names are also linked to social media accounts, the probability of correct identification is almost 100%.

I use andreashofmann.eth in public space and want to identify myself with my ENS while using web3 applications like Uniswap or zk.money. But I also use it as Nickname/Alias in web2 on Discord or on Twitter. On top I have set up DNSSEC and ENS so in case your browser supports ENS you will be directed to my website, hence to the ENS dashboard. But: I don’t want the whole world to be able to find out about the assets attributable to me!

No Way to Hide?

In times where ENS-names become more and more important due to the emerging space of web3-applications, it’s obvious we face a severe privacy problem. Therefore it would be desirable to be able to separate one’s assets account from one’s expenses account, with neither a direct connection between these two addresses nor a way to link them afterwards. Vitalik is talking about stealth addresses in that regard and although I have heard the term zero-knowledge-proof a long time ago, I did not fully understand it or its purpose — until I recently stumbled across zk.money and thought through the issue of privacy in the context of transactions in detail. The article on the ENS forum was about how to send tokens to an ENS address using the zk.money approach without revealing the sender address. To enable this, the authors wrote a smart contract that could replace the ENS domain’s publicResolver and send all assets sent to that ENS address to the Aztec address in the background. Sounds good, I thought, and took a look at zk.money — they promise Ethereum DeFi services with full privacy.

Zero-knowledge — Zero clue?

Since we are in the zk environment, it might be helpful to focus on the basic principle behind zero-knowledge first. Given that the entire BTC blockchain has an enormous volume of data, it’s obvious leaner solutions are needed. Around 450 GB, that’s the size of Bitcoin’s blockchain at the moment and even considering the fact that this huge database now records almost twelve years’ worth of transactions, that’s quite a lot. And that’s not the only blockchain, after all, because Ethereum, Litecoin, Dash, Cardano and other cryptocurrencies are also decentralized. They all rely on a network of distributed computers to verify transactions and other entries for the respective blockchain and to permanently confirm their correctness, as DLT requires a mechanism to find a consensus or commonly accepted truth between all participants/nodes. The network is also essential for use or even access, because every single one of these computers — called nodes — must always maintain the entire database of the blockchain. The ever-growing blockchain now ensures that nodes are hardly operated by regular users but increasingly by commercial companies. In certain protocols we have so-called light nodes, “which only download block headers as they appear and fetch other parts of the blockchain on-demand. They provide full functionality in terms of safely accessing the blockchain, but don’t take part in the consensus process”. In zk approaches, the data volume has been reduced even further, and as far as I know MINA is the smallest blockchain to date with a total size of about 22kb.

Entire blockchain is 22kb?

With zk approaches it’s about presenting some kind of proof that entitles one to receive or retrieve something from another wallet. The proof was generated at the time the wallet was created and access is granted by providing it. It’s no longer necessary to store the entire transaction history in which the address — and the assets contained there — are stored but only the proof that was generated when it was created.

You can imagine this as if someone were to take a picture of an elephant to prove to someone else that there is an elephant — instead of delivering the elephant to them. Now, if the person who got the picture is supposed to prove to another person that he has a proof (picture) of an elephant, he snaps a picture of himself with the picture in his hand and sends it on. Behind this process is a rather complex mathematical procedure called Zero-Knowledge-Proof, which was developed back in the 1980s. And although this proof can contain an almost infinite amount of information, it’s always the same size.

The idea with zk protocols is that there is no need to exchange more information between the two connected wallets than necessary – a second layer is needed. Rather it’s about a kind of proof that the requesting wallet must provide to a verifier in order to gain access. Consequently it’s about proving that a given statement is true while the requestor/prover avoids communicating any additional information other than the fact that the statement is indeed true. The elephant exists because it was photographed.

DIY – My Test-Run

Aztec Network is offering the kind of stealth addresses Vitalik is talking about; they call them shielded accounts, and the encrypted Ethereum transactions are based on the L2 rollup called zk.money. BTW Vitalik is talking about one-time use addresses instead of hiding on a second layer.

“Stealth addresses give the same privacy properties as Bob generating a fresh address for each transaction, but without requiring any interaction from Bob.”

Aztec claims to be on a mission to protect individual rights and privacy. They say that “in the current blockchain paradigm, users and entities broadcast data in the public, leading to an unacceptable trade-off”. To support privacy they have created a second layer (L2) which detaches sender and receiver addresses by placing a third account in between. Its address starts with “aztec:0x…” and it’s able to transact NFTs, ENS and all kinds of ERC20 of course.

Here is my journey with zk.money, and I have to admit honestly that I was surprised how smoothly everything went.

Start with L2 Wallet on Aztec-Protocol

In order to enable completely private transactions in the future, an L2 wallet with an Ethereum address in the format 0x.….. must be created first; in my case I connected to zk.money. To create a new wallet you need to sign a transaction with the connected account (via MetaMask, shield account) in order to connect the new Aztec wallet to the (your) shield account wallet.

Sign: sign via e.g. MetaMask

Connect: connection established

Confirm: confirm signature

Retrieve: retrieve Spending-Key

The second signature creates the Spending-Key

A second transaction needs to be signed to generate the “Spending-Key”. This is the “secret” that the person who wants to receive or send from this zk-Wallet has to present — the picture of the elephant!

The picture or the created Spending-Key contains a total of 3 different addresses as well as an alias of your choice (if not taken already). Besides the Aztec address, which starts with aztec:0x.… and has a total of 136 characters, the account-generator-address and the key-generator-address are created.

After the transactions have been signed and validated, the account registration can be completed by generating the proof required for payout (elephant picture) and linking it to the account.

An initial transaction of at least 0.01 ETH required for initialization is done free of charge (no Gas-fee). After validation of this transaction the zk-wallet is fully set up and anonymous transactions become possible. The wallet connected via MetaMask is your protected wallet now, zk.money names it shielded wallet. I named it “Aztec” in my MetaMask account.

You can check the balance of your new aztec-account by connecting your shielded account to zk.money using MetaMask or any other wallet connect.

Withdrawal – Anonymous Transaction Possible!

After I was able to successfully set up my zk-wallet and the initial funding, I tested the anonymous withdrawal of funds to check what kind of information about the transaction partners is visible.

If you withdraw, you can choose between L1 and L2. While the L2 transaction is easily available via the selected alias, for an L1 transaction you need to enter the recipient’s eth-address and select the time span within which the transaction should be executed — default is set to 3 hours. (Side-note: ENS-names are not supported yet, see initial Forum Post I stumbled upon)

Withdrawal to L1 – use different (!!) address than funding wallet

After confirmation the withdrawal will be executed

You can see tx-fees and progress

Transaction is confirmed! …. Now let’s wait 3 hours and check visibility meanwhile

You should never, never-ever, send withdrawals back directly to the funding wallet, as this will expose the shielded wallet — the transactions are of course visible on the Aztec network just as they are on all other networks.

Withdrawal to L1 – receiving address is visible so use different (!!) address than funding wallet

3 Hours Later

3 hours later, it might have been even 4, I mean I have family ;-), I checked back and meanwhile the balance in my Aztec-wallet has changed.

The receiver-wallet (0x866… or andreashofmann.eth) has received the 0,05 ETH I had sent. You can check this in the tab “Internal txns” on etherscan.io. If you dig into the tx you won’t find anything interesting about the eth-wallet on the Aztec-Network. I have successfully completed an anonymous tx on Ethereum by using an L2-solution… cool, let’s start money-laundering…?!

Sender of the 0,005 ETH is Aztec Connect, no further specification of previous/real owner is available

Conclusion

It all went through very smoothly and I was successful at the first try – I have transferred ETH while hiding the previous owner-address. By using L2 privacy-tools I’m able to keep my privacy, do not spread and store the word about my holdings and am able to sell or trade assets from an anonymous account.

Once again for better understanding

The zk-wallet keeps receiving assets through one or more different funding wallets as long as tokens are sent to 0x…. . In the background, these assets are also assigned to the aztec:0x.… wallet. For example, if you want to resell your assets, you can send them to an eth-wallet and sell them from there without revealing the connection to the original eth-wallet. On Etherscan only the Aztec address is visible (see above), but this does not allow any conclusion about the sender wallet, only about the amount!

Important:

To keep your privacy you need to withdraw to a different Ethereum address. Don’t use one you fund or register your zk.money username with.

Wait.… is it legit?

As mentioned above, solutions providing 100% privacy – or anonymity – are very close to money laundering practices. If it’s possible to transfer money without any information about the sender you won’t be able to meet regulation at all. No wonder U.S. and EU authorities are cracking down on crypto anonymizers they say assist money laundering. And the consequences are harsh…. think of Tornado Cash and Alexey Pertsev, he is in jail while awaiting trial on money laundering charges in The Netherlands for helping code Tornado Cash.

Coinbase is funding a lawsuit challenging the U.S. designation of the decentralized mixing service as a sanctioned entity. That means incorporating these privacy tools into the most widely used smart-contract blockchain could have unintended consequences. Recall that Litecoin was banned from some major South Korean exchanges last June after adding opt-in privacy features. Shielded accounts and IMHO the stealth addresses mentioned by Vitalik Buterin would do this for essentially every ERC-20 token…. a regulator’s nightmare I’d say!