Privacy at the Edge — A first Try to Shield my Transactions
One of the great advantages of blockchain technology is the transparency of past transactions. Anything that has ever been transferred or owned by an address and its counterparts is stored immutably and indefinitely — retrievable via e.g. Etherscan.io. At the same time this advantage turns into a big disadvantage, IMHO even the biggest one, especially when it comes to data security and privacy. Vitalik Buterin asserts that the privacy issue is currently Ethereum’s most serious problem. He proposes “stealth addresses” to make peer-to-peer NFT transfers and ENS registrations anonymous – calling privacy Ethereum’s “largest remaining challenge”.
“In practice, using the entire suite of Ethereum applications involves making a significant portion of your life public for anyone to see and analyze”, he said in his blog. Not every user wants their assets displayed freely to anyone out there. I’m convinced the desire for more discretion will become increasingly important as tokenization of assets of all kinds increases. Especially for high-net-value-investors (HNVI), secrecy is a top priority and currently another reason why (mass-)adoption hasn’t started yet. No surprise EY operates on Polygon with Nightfall, its Optimistic-Rollup, enabling the development of privacy-focused enterprise blockchain solutions.
Vitalik.eth owns approx. $11 million at the time of writing
If you can match a wallet address to a person, it’s quite easy to find out about that person’s assets and spending habits. For example, here you can look up what tokens Vitalik Buterin owns and which ones he issued when and to whom.
On DLT, privacy seems to be an illusion!
Of course, we don’t know if he owns any other wallets (which is to be assumed, as almost any DLT user seems to have between 5 and 10 different wallets at least!!) and quite honestly, the purpose of the emerging ENS protocol is precisely to translate addresses into a human-readable form and thus to assign them to a person if necessary. So it’s obvious that behind the ENS name vitalik.eth we will identify the individual Vitalik Buterin. If ENS names are also linked to social media accounts, the probability of correct identification is almost 100%.
I use andreashofmann.eth in public space and want to identify myself with my ENS name while using web3 applications like Uniswap or zk.money. But I also use it as a nickname/alias in web2 on Discord or on Twitter. On top of that I have set up DNSSEC and ENS, so if your browser supports ENS you will be directed to my website, hence to the ENS dashboard. But: I don’t want the whole world to be able to find out about the assets attributable to me!
No Way to Hide?
In times where ENS names become more and more important due to the emerging space of web3 applications, it’s obvious we face a severe privacy problem. Therefore it would be desirable to be able to separate one’s assets account from one’s expenses account, with no direct connection between the two addresses and no way to link them afterwards. Vitalik is talking about stealth addresses in that regard, and although I heard the term zero-knowledge proof a long time ago, I did not fully understand it or its purpose — until I recently stumbled across zk.money and thought through the issue of privacy in the context of transactions in detail. The article on the ENS forum was about how to send tokens to an ENS address using the zk.money approach without revealing the sender address. To enable this, the authors wrote a smart contract that could replace the ENS domain’s publicResolver and send all assets sent to that ENS address to the Aztec address in the background. Sounds good, I thought, and took a look at zk.money — they promise Ethereum DeFi services with full privacy.
Zero-knowledge — Zero clue?
Since we are in the zk environment, it might be helpful to focus on the basic principle behind zero-knowledge first. Given that the entire BTC blockchain holds an enormous volume of data, it’s obvious leaner solutions are needed. Around 450 GB, that’s the size of Bitcoin’s blockchain at the moment, and even considering the fact that this huge database now records almost twelve years’ worth of transactions, that’s quite a lot. And that’s not the only blockchain, after all, because Ethereum, Litecoin, Dash, Cardano and other cryptocurrencies are also decentralized. They all rely on a network of distributed computers to verify transactions and other entries for the respective blockchain and to permanently confirm their correctness, as DLT requires a mechanism to find a consensus or commonly accepted truth between all participants/nodes. The network is also essential for use or even access, because every single one of these computers — called nodes — must always maintain the entire database of the blockchain. The ever-growing blockchain now ensures that nodes are hardly operated by regular users but increasingly by commercial companies. In certain protocols we have so-called light nodes, “which only download block headers as they appear and fetch other parts of the blockchain on-demand. They provide full functionality in terms of safely accessing the blockchain, but don’t take part in the consensus process”. In zk approaches, the data volume has been reduced even further, and as far as I know MINA is the smallest blockchain to date with a total size of about 22kb.
Entire blockchain is 22kb?
With zk approaches it’s about presenting some kind of proof that entitles one to receive or retrieve something from another wallet. The proof was generated at the time the wallet was created and access is granted by providing it. It’s no longer necessary to store the entire transaction history in which the address — and the assets contained there — are stored but only the proof that was generated when it was created.
You can imagine this as if someone were to take a picture of an elephant to prove to someone else that there is an elephant — instead of delivering the elephant to them. Now, if the person who got the picture is supposed to prove to another person that he has a proof (picture) of an elephant, he snaps a picture of himself with the picture in his hand and sends it on. Behind this process is a rather complex mathematical procedure called Zero-Knowledge-Proof, which was developed back in the 1980s. And although this proof can contain an almost infinite amount of information, it’s always the same size.
The idea with zk protocols is that there is no need to exchange more information between the two connected wallets than necessary – a second layer is needed. Rather it’s about a kind of proof that the requesting wallet must provide to a verifier in order to gain access. Consequently it’s about proving that a given statement is true while the requestor/prover avoids communicating any additional information other than the fact that the statement is indeed true. The elephant exists because it was photographed.
DIY – My Test-Run
Aztec Network offers something like the stealth addresses Vitalik is talking about; they call them shielded accounts, and the encrypted Ethereum transactions are based on the L2 rollup called zk.money. BTW, Vitalik is talking about one-time-use addresses instead of hiding on a second layer.
“Stealth addresses give the same privacy properties as Bob generating a fresh address for each transaction, but without requiring any interaction from Bob.”
Aztec claims to be on a mission to protect individual rights and privacy. They say that “in the current blockchain paradigm, users and entities broadcast data in the public, leading to an unacceptable trade-off”. To support privacy they have created a second layer (L2) which detaches sender and receiver addresses by placing a third account in between. Its address starts with “aztec:0x…” and it’s able to transact NFTs, ENS and all kinds of ERC-20 tokens, of course.
Here is my journey with zk.money, and I have to admit honestly that I was surprised how smoothly everything went.
Start with L2 Wallet on Aztec-Protocol
To enable completely private transactions in the future, an L2 wallet with an Ethereum address in the format 0x.….. must be created first; in my case I connected to zk.money. To create a new wallet you need to sign a transaction with the connected account (via MetaMask, shield account) in order to connect the new Aztec wallet to the (your) shield account wallet.
The second signature creates the Spending-Key
A second transaction needs to be signed to generate the “Spending-Key”. This is the “secret” that the person who wants to receive or send from this zk-Wallet has to present — the picture of the elephant!
The picture or the created Spending-Key contains a total of 3 different addresses as well as an alias of your choice (if not taken already). Besides the Aztec address, which starts with aztec:0x.… and has a total of 136 characters, the account-generator-address and the key-generator-address are created.
An initial transaction of at least 0.01 ETH required for initialization is done free of charge (no Gas-fee). After validation of this transaction the zk-wallet is fully set up and anonymous transactions become possible. The wallet connected via MetaMask is your protected wallet now, zk.money names it shielded wallet. I named it “Aztec” in my MetaMask account.
Withdrawal – Anonymous Transaction Possible!
After successfully setting up my zk-wallet and the initial funding, I tested the anonymous withdrawal of funds to check what kind of information about the transaction partners is visible.
When you withdraw, you can choose between L1 and L2. While the L2 transaction is easily available via the selected alias, for an L1 transaction you need to enter the recipient’s eth-address and select the time span within which the transaction should be executed — default is set to 3 hours. (Side note: ENS names are not supported yet, see the initial forum post I stumbled upon.)
Withdrawal to L1 – use different (!!) address than funding wallet
You should never, never-ever, send withdrawals back directly to the funding wallet, as this will expose the shielded wallet — the transactions are of course visible on the Aztec network just as they are on all other networks.
Withdrawal to L1 – receiving address is visible so use different (!!) address than funding wallet
3 Hours Later
3 hours later, it might have been even 4, I mean I have family ;-), I checked back, and meanwhile the balance in my Aztec-wallet had changed.
The receiver-wallet (0x866… or andreashofmann.eth) has received the 0,05 ETH I had sent. You can check this in the tab “Internal txns” on etherscan.io. If you dig into the tx you won’t find anything interesting about the eth-wallet on the Aztec-Network. I have successfully completed an anonymous tx on Ethereum by using an L2 solution… cool, let’s start money-laundering…?!
Sender of the 0,005 ETH is Aztec Connect, no further specification of previous/real owner is available
It all went through very smoothly and I was successful at the first try – I have transferred ETH while hiding the previous owner-address. By using L2 privacy tools I’m able to keep my privacy, do not spread and store the word about my holdings, and am able to sell or trade assets from an anonymous account.
Once again for better understanding
The zk-wallet keeps receiving assets through one or more different funding wallets as long as tokens are sent to 0x…. . In the background, these assets are also assigned to the aztec:0x.… wallet. For example, if you want to resell your assets, you can send them to an eth-wallet and sell them from there without revealing the connection to the original eth-wallet. On Etherscan only the Aztec address is visible (see above), but this does not allow any conclusion about the sender wallet, only about the amount!
To keep your privacy you need to withdraw to a different Ethereum address. Don’t use one you fund from or registered your zk.money username with.
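A pre-withdrawal self-check for the rule above, as an added example that is not part of the original post or of zk.money. The address rule is the article's; the amount and delay heuristics, the 3-hour threshold, and all names and sample values are assumptions.

```python
from dataclasses import dataclass

ETH = 10**18

@dataclass(frozen=True)
class Transfer:
    address: str      # L1 address funding the shield or receiving the withdrawal
    amount_wei: int
    timestamp: int    # Unix seconds

def withdrawal_findings(own_deposits, other_deposits, registered, withdrawal,
                        min_delay_s=3 * 3600):
    """List the ways a chain observer could tie `withdrawal` to `own_deposits`."""
    findings = []
    # Rule from the article: never withdraw to a funding or registration address.
    known = {d.address.lower() for d in own_deposits} | {a.lower() for a in registered}
    if withdrawal.address.lower() in known:
        findings.append("address-reuse")
    # Added heuristic: amounts are public, so an amount nobody else deposited
    # pairs the withdrawal with the one deposit of that size.
    crowd = {d.amount_wei for d in other_deposits}
    if any(d.amount_wei == withdrawal.amount_wei and d.amount_wei not in crowd
           for d in own_deposits):
        findings.append("unique-amount")
    # Added heuristic: a withdrawal soon after the deposit narrows the candidates.
    if any(0 <= withdrawal.timestamp - d.timestamp < min_delay_s for d in own_deposits):
        findings.append("short-delay")
    return findings

# Constructed sample data (addresses are placeholders, not real accounts).
FUNDING, FRESH, STRANGER = ("0x" + c * 40 for c in "abc")
OWN = [Transfer(FUNDING, 5 * ETH // 100, 1_000)]
OTHERS = [Transfer(STRANGER, ETH // 10, 900)]

if __name__ == "__main__":
    planned = Transfer(FUNDING, 5 * ETH // 100, 1_600)
    print(withdrawal_findings(OWN, OTHERS, [FUNDING], planned))
```

An empty list only means none of these three checks fired, not that the withdrawal is unlinkable.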
Wait.… is it legit?
As mentioned above, solutions providing 100% privacy – or anonymity – are very close to money laundering practices. If it’s possible to transfer money without any information about the sender, you won’t be able to meet regulation at all. No wonder U.S. and EU authorities are cracking down on crypto anonymizers they say assist money laundering. And the consequences are harsh…. think of Tornado Cash and Alexey Pertsev, who is in jail while awaiting trial on money laundering charges in the Netherlands for helping code Tornado Cash.
Coinbase is funding a lawsuit challenging the U.S. designation of the decentralized mixing service as a sanctioned entity. That means incorporating these privacy tools into the most widely used smart-contract blockchain could have unintended consequences. Recall that Litecoin was banned from some major South Korean exchanges last June after adding opt-in privacy features. Shielded accounts and, IMHO, the stealth addresses mentioned by Vitalik Buterin would do this for essentially every ERC-20 token…. a regulator’s nightmare, I’d say!