All you need to know about the new trend of ZK and privacy in Ethereum

1. Background

Ethereum co-founder Vitalik Buterin has made it clear that “if a technological transition to privacy is not carried out, Ethereum will fail.” This is because all transactions are publicly visible, and for many users, the sacrifice of privacy is too great, leading them to turn to centralized solutions that at least to some extent hide data.

In 2023, Vitalik conducted a series of research on privacy protection and zero-knowledge proofs (ZK) technology. In the first half of the year, Vitalik published three articles on his website specifically discussing ZK and privacy protection. In April, he also presented a study on wallet custodian privacy issues on Reddit. In September, he co-authored a paper with other professionals proposing a solution to balance privacy and compliance.

In addition, the Ethereum ecosystem is actively promoting the discussion and popularization of this topic. A special event focusing on privacy was held at the ETHDenver event in March. At the annual Ethereum Community Conference (EDCON) in May, Vitalik emphasized that “over the next 10 years, ZK-SNARK will be as important as blockchain.”

This article tracks the latest developments in the Ethereum ecosystem in 2023 regarding the use of ZK technology to advance privacy protection. If you want to enter the Ethereum ZK track, this article can provide the necessary interpretation and guidance.

2. Ethereum ZK Track: Building the Future of Privacy Protection

Ethereum’s transparency may put users’ personal information at risk of being leaked.There are no secrets on blockchains such as Ethereum, and all information is public, including transactions, voting and other on-chain activities. Such publicity could lead to specific transactions and addresses being tracked and associated with real user identities. Therefore, implementing privacy protection on Ethereum becomes crucial. Hiding information on the chain can be achieved through encryption technology, but the challenge is to ensure that the validity of these transactions can be verified while protecting privacy. ZK technology provides a solution that can prove the authenticity of transactions without revealing additional information, taking into account privacy and verifiability.

Ethereum places great importance on ZK-SNARK, especially in certain key privacy protection use cases, where its significance is particularly pronounced. This is clearly reflected in Vitalik’s research and proposals. Salus has compiled the typical scenarios proposed by Vitalik in his research, namely privacy transactions and social recovery.

2.1 Private transactions

Regarding privacy transactions, Vitalik proposed two concepts: Stealth Addresses and Privacy Pools.

·Private address schemes allow transactions to be conducted while hiding the identity of the transaction recipient.This solution not only provides privacy protection functions, but also ensures the transparency and auditability of transactions.

·Based on the Privacy Pool protocol, users can prove that their transaction funds belong to known and compliant sources without disclosing historical transactions.This solution allows users to conduct private transactions while complying with regulations.

Both solutions are inseparable from ZK. In both scenarios, users are allowed to generate zero-knowledge proofs to prove the validity of their transactions.

2.1.1 Privacy address

Assuming Alice intends to transfer certain assets to Bob, when Bob receives the assets, he does not want the information to be known to the general public. Although it is difficult to conceal the fact of the asset transfer, there is a possibility to hide the identity of the recipient. It is in this context that privacy address schemes have emerged, primarily addressing the issue of how to effectively hide the identity of the transaction recipient.

So, what is the difference between a private address and a normal Ethereum address? How to use ZK-based private addresses for private transactions? Salus will introduce you to each of them.

(1) What is the difference between a private address and a normal Ethereum address?

A private address is an address that allows the sender of a transaction to generate it non-interactively and is only accessible to its recipient. We illustrate the difference between a private address and an ordinary Ethereum address from two dimensions: who generates it and who can access it.

Who generates it

Ordinary Ethereum addresses are generated by the user himself based on encryption and hashing algorithms. The privacy address can be generated by the person or the other party to the transaction. For example, when Alice transfers money to Bob, the address used by Bob to accept the transfer can be generated by Bob or Alice, but it can only be controlled by Bob.

Who can access it?

The types, amounts and sources of funds under ordinary Ethereum accounts are publicly visible. In transactions using private addresses, only the recipient can access the funds stored in their invisible address. Observers are unable to associate the recipient’s private address with their identity, thus protecting the recipient’s privacy.

(2) How to use ZK-based privacy addresses for private transactions?

If Alice wants to send assets to Bob’s private address to hide the recipient of the transaction. Below is a detailed description of the transaction process:

1) Generate private address

● Bob generates and saves a spending key, which is a private key that can be used to spend funds sent to Bob’s private address.

● Bob uses the consumption key to generate a privacy meta-address (stealth meta-address), which can be used to calculate a privacy address for a given recipient, and passes the privacy meta-address to Alice. Alice calculates the privacy meta-address and generates a private address belonging to Bob.

2) Send assets to private address

● Alice sends the assets to Bob’s private address.

● Since Bob does not know that this private address belongs to him at this time, Alice also needs to publish some additional encrypted data (a temporary public key, ephmeral pubkey) on the chain to help Bob discover that this private address belongs to him.

The privacy addresses in the above process can also be constructed using zero-knowledge proofs and public key encryption. The smart contract code in the privacy address can be integrated with ZK. By embedding the logic of zero-knowledge proof verification, the smart contract is able to automatically verify the validity of transactions. This scheme of constructing privacy addresses is simpler compared to other schemes, including elliptic curve cryptography, elliptic curve isogenies, lattices, and generic black-box primitives.

2.1.2 Privacy Pool

Whether private transactions are achieved by hiding the identity of the transaction recipient or other information about the transaction, there is a major problem: how users can prove that their transaction funds belong to a known compliant source without having to disclose their entire transaction history. As a public blockchain platform, Ethereum must avoid becoming a medium for money laundering and other illegal activities.

Vitalik proposed a solution called “Privacy Pool” that is dedicated to balancing the privacy protection and compliance needs of blockchain. However, what are the privacy protection and compliance challenges? How to balance privacy and compliance? On both issues, Salus provides in-depth and instructive discussions.

(1) Privacy protection and compliance challenges

The challenge of ensuring transaction compliance while achieving privacy protection is vividly demonstrated by analyzing the Tornado Cash case.

Tornado Cash is a cryptocurrency mixer that mixes together a large number of deposits and withdrawals. After the user deposits the token at an address, he or she must show ZK Proof to prove that he or she has deposited the token, and then use a new address to withdraw the money. These two operations are public on the chain, but the correspondence between them is not public, so they are anonymous. While it can enhance privacy for users, it is often used by illegal actors to launder money. As a result, OFAC, the U.S. Department of the Treasury, ultimately placed Tornado Cash’s smart contract address on the sanctions list. Regulators believe that the agreement facilitates money laundering and is not conducive to the fight against financial crime.

The shortcoming of Tornado Cash in privacy protection is that it cannot verify whether the user’s token source is compliant.To address this problem, Tornado Cash provides a centralized server to help users prove that their tokens are compliant. However, the server must obtain the specific information about the withdrawal provided by the user, determine which deposit the withdrawal corresponds to, and generate a certificate. This centralized mechanism not only has the cost of trust assumptions, but also creates information asymmetry. Ultimately, the mechanism was used by few users. Although Tornado Cash implements a hidden private function, it does not provide an effective mechanism to verify whether the source of user tokens is compliant, which allows criminals to take advantage of it.

(2) How to balance privacy and compliance?

Based on the above challenges, Vitalik proposed the concept of Privacy Pools, which allows users to prove that their fund sources are compliant without revealing historical transaction information. This creates a balance between privacy and compliance.

Privacy Pools are based on ZK and association sets, allowing users to generate and publish ZK-SNARK certificates proving that their funds come from known compliant sources.This means that the funds belong to a compliant association set, or they do not belong to a non-compliant association set.

Association collections are constructed by association collection providers according to specific strategies:

1) Membership Proof: Put deposits from all trusted trading platforms into an associated set, and there is definite evidence that they are low-risk.

2) Exclusion Proof: Identify a group of deposits that are marked as risky, or deposits that have definite evidence that they are non-compliant funds. Construct an associated collection containing all deposits except these deposits.

When making a deposit, the user generates a secret through ZK and hashes it to calculate a public coin ID to mark his association with the funds. When withdrawing money, the user submits a nullifier corresponding to the secret (nullifier is the unique identifier derived from the secret) to prove that the funds are theirs. Moreover, users use ZK to prove two merkle branches to prove that their funds belong to known compliant sources:

1) His coin ID belongs to the coin ID tree, which is the collection of all transactions currently occurring;

2) His coin ID belongs to the association set tree, which is a collection of some legitimate transactions that the user considers.

(3) What are the application scenarios of ZK in privacy pool?

1）Guaranteed flexibility in private transactions: In order to handle transfers of any denomination in private transactions, additional zero-knowledge proofs are attached to each transaction. This proof ensures that the total denomination of tokens created will not exceed the total denomination of tokens consumed, thereby ensuring the validity of the transaction. Secondly, ZK maintains the continuity and privacy of transactions by verifying each transaction’s commitment to the original deposit token ID, so that even in the case of partial withdrawals, each withdrawal is guaranteed to be associated with its corresponding original deposit.

2）Resist balance-summing attacks: By merging tokens and committing to a set of token IDs, and committing to the union of parent transactions for multiple input transactions, balance summation attacks can be resisted. This approach relies on ZK to ensure that all committed token IDs are in their associated set, thereby enhancing transaction privacy.

2.2 Social recovery

In real life, we may have multiple bank card accounts. Losing the bank card password means that we cannot use the funds in the bank card. In this case, we usually go to the bank and ask for help to recover the password.

Similarly, in blockchains such as Ethereum, we may have multiple addresses (accounts). The private key is like a bank card password and is the only tool to control account funds. Once you lose your private key, you lose control of your account and can no longer access the funds in your account. Similar to real-world password retrieval, blockchain wallets provide a social recovery mechanism to help users retrieve their lost private keys. This mechanism allows users to select a group of trusted individuals as guardians when creating a wallet. These guardians can help users regain control of their accounts by approving the reset of a user’s private key if it is lost.

Under this social recovery and guardian mechanism, Vitalik proposed two privacy protection points that need attention:

1）Hide the correlation between multiple addresses of a user: To protect user privacy, we need to prevent the ownership of multiple addresses from being exposed when using a single recovery phrase to recover them.

2）Protect user property privacy from intrusion by guardians: We must ensure that during the process of approving user operations, guardians cannot obtain the user’s asset information or observe their transaction behavior to prevent the user’s property privacy from being violated.

The key technology to achieve these two types of privacy protection is zero-knowledge proof.

2.2.1 Hide the correlation between multiple addresses of users

(1) Privacy issues in social recovery: correlations between addresses are disclosed

In blockchains such as Ethereum, in order to protect their privacy, users usually generate multiple addresses for various transactions. By using a different address for each transaction, you prevent outside observers from easily linking those transactions to the same user.

However, if the user’s private key is lost, the funds under multiple addresses generated by the private key will not be recovered. In this case, social recovery is needed. A simple recovery method is to recover multiple addresses with one click, where the user uses the same recovery phrase to recover multiple addresses generated by one private key. But this approach is not ideal, because the original intention of users generating multiple addresses is to prevent them from being related to each other. If a user chooses to restore all addresses at the same time or at a similar time, this is actually equivalent to revealing to the outside world that these addresses are owned by the same user. This practice defeats the original purpose of users creating multiple addresses to protect privacy. This constitutes a privacy protection issue in the social recovery process.

（2) ZK solution: How to prevent the correlation of multiple addresses from being disclosed?

ZK technology can be used to hide the correlation between multiple addresses of a user on the blockchain. Address privacy concerns during social recovery through an architecture that separates verification logic and asset holdings.

1) Verification logic: Users have multiple addresses on the blockchain, but the verification logic for all these addresses is connected to one main authentication contract (keystore contract).

2) Asset holding and trading: When users operate from any address, they use ZK technology to verify operation authority without revealing which address it is.

In this way, even if all addresses are connected to the same keystore contract, external observers cannot determine whether these addresses belong to the same user, thus achieving privacy protection between addresses.

It is very important to design a private social recovery solution that can recover multiple addresses of users at the same time without revealing the correlation between addresses.

2.2.2 Protect user property privacy from intrusion by guardians

(1) Privacy Issues: Guardian’s Privileges

In blockchains such as Ethereum, users can set up multiple guardians when creating a wallet. Especially for multisig wallets and social recovery wallets, the role of the guardian is crucial. Typically, a guardian is a collection of N addresses held by others, where any M addresses can approve an operation.

What privileges do guardians have? for example:

1) For a multi-signature wallet, each transaction must be signed by M of N guardians before it can proceed.

2) For the social recovery wallet, if the user’s private key is lost, then M out of N guardians must sign a message to reset the private key.

Guardians can approve your actions. In multisig, this would be any transaction. In social recovery wallets, this would be resetting your account’s private key. One of the challenges faced by the guardians mechanism today is how to protect user’s financial privacy from being violated by guardians?

(2) ZK solution: Protect user property privacy from guardian intrusion

Vitalik envisions in this article that what the guardian protects is not your account, but a “lockbox” contract, and the link between your account and this lockbox is hidden. This means that guardians cannot directly access the user’s account and can only operate through a hidden lockbox contract.

The main role of ZK is to provide a proof system that allows guardians to prove that a certain statement is true without revealing the specific details of the statement. In this case, Guardians can use ZK-SNARKs to prove they have permission to perform an action without revealing any details about the link between the account and the lockbox.

2.3 Exploration: A new chapter of ZK and privacy in the Ethereum ecosystem

Although the Ethereum ZK track is still in the development stage, and many innovative ideas and concepts are still being conceived and researched, the Ethereum ecosystem has already launched more extensive actual exploration activities.

(1) Funding from the Ethereum Foundation

In September this year, the Ethereum Foundation funded two projects on privacy protection, IoTeX and ZK-Team. IoTex is an account abstraction wallet based on zero-knowledge proofs, and ZK-Team is committed to enabling organizations to manage team members while maintaining personal privacy.

(2) Investment

In October this year, Ethereum co-founder Vitalik invested in Nocturne Labs, aiming to introduce private accounts to Ethereum. Users will have an “internal” account in Nocturne，The way funds are received/disbursed from these accounts is anonymous. Through ZK technology, users can prove that they have sufficient funds for payments, pledges and other transactions.

(3) Meetings and activities

ETHDenver is considered one of the most important Ethereum and blockchain technology-related events in the world. In March of this year, ETHDenver hosted a special event focused on privacy. This event not only demonstrates the Ethereum community’s concern for privacy issues, but also reflects the global blockchain community’s emphasis on privacy protection. In this special event, nine privacy-related themed conferences were held, including Privacy by Design and Privacy vs Security.

EDCON (Ethereum Community Conference) is a global annual conference hosted by the Ethereum community, aiming to promote the development and innovation of Ethereum and strengthen the connections and cooperation of the Ethereum community. At this year’s EDCON conference in May, Vitalik made an important statement, saying:“In the next 10 years, ZK-SNARKs will be as important as blockchain”. This statement emphasizes the important position of ZK-SNARKs in the development trend of blockchain technology.

(4) Project

At present, some application layer projects have begun to use ZK technology to provide privacy protection services for users and transactions. These application layer projects are called ZK Applications. For example, ZK Application deployed on Ethereum, unyfy, a private asset exchange. The prices of trading orders here are hidden, and the integrity of these orders with hidden prices is verified by ZK technology. In addition to unyfy, there are other ZK Applications on L2s, such as ZigZag and Loopring. Although these ZK Applications implement privacy protection functions based on ZK, they cannot currently be deployed on Ethereum because the EVM cannot directly run these ZK Applications.

(5) Research

Moreover, researchers have conducted heated discussions on ZK technology and its applications on the Ethereum Research platform. Among them, there is a research article from Salus dedicated toUse ZK to promote privacy protection and other implementations in the Ethereum application layer. This article testsThe performance of several different ZK languages, Circom, Noir and Halo2, was measured, and the results showed that Circom has better performance. This article also proposes a general solution to integrate Circom in Solidity to implement ZK-based Ethereum application layer projects. This has important implications for Ethereum’s privacy transition. This study gained significant traction in 2023, ranking at the top of the list.

This research article is the most read research of 2023 on Ethereum Research —- by Salus

3. Challenge

Although many existing Ethereum application layer projects urgently need to introduce ZK-based privacy protection mechanisms, this process faces a series of challenges.

1. ZK lacks human resources:The learning of ZK technology requires a solid theoretical foundation, especially in the fields of cryptography and mathematics. Since the implementation of ZK technology involves complex formulas, learners also need to have strong formula interpretation abilities. But the problem is that there are relatively few people dedicated to learning ZK technology.

2.Limitations of the ZK development language:Languages ​​such as Rust, Cairo, Halo2, etc. are used to develop ZK proof circuits, but they are usually only applicable to specific scenarios and are not suitable for application layer projects. Some of these languages, such as Cairo, are still in the experimental stage and may have compatibility issues between different versions, which increases the difficulty and complexity of adopting them in real-world applications.

3.ZK technology implementation difficulty:The solution proposed by Vitalik to apply ZK technology to Ethereum privacy protection may face a variety of complex problems in actual implementation, such as how to avoid private transactions from being subject to balance-summing attacks and double-spend attacks. wait. There are certain technical difficulties in solving these problems.

Privacy Protection vs. Compliance:Although private transactions can protect users’ identities and transaction details, they may also conceal illegal activities, such as money laundering. In the future, it remains to be verified whether ZK Applications on Ethereum can comply with regulations when implementing privacy protection.

Despite the challenges, a prerequisite for Ethereum’s privacy transformation - ensuring privacy-preserving fund transfers and ensuring that all other tools being developed (social recovery, identity, reputation) are privacy-preserving - is the widespread deployment of ZK Applications. As mentioned above, the research released by Salus is based on ZK technology to promote privacy protection and other functions of the Ethereum application layer. Moreover, Salus proposed for the first time a universal solution that integrates Circom and Solidity and is applied to Ethereum application layer projects. It implements the ZK proof system off-chain based on Circom and implements smart contracts and ZK verification logic on Ethereum based on Solidity. If you need support or have any questions, feel free to contact Salus.

4. Summary and outlook

In 2023, the Ethereum community, led by Vitalik Buterin, deeply explored the potential of zero-knowledge proof technology with the purpose of enhancing the privacy protection function of the platform. Although these proposals are still in the research stage, Vitalik’s research and papers, especially on the balance between privacy protection and compliance, lay a theoretical foundation for zero-knowledge technology to protect user privacy.

Although there are challenges in integrating zero-knowledge proof technology into Ethereum, as the technology matures and the community continues its efforts, it is expected that zero-knowledge proofs will play a more important role in the Ethereum ecosystem in the near future. Therefore, timely participation and active exploration of this field, taking advantage of early opportunities, will help to occupy a favorable position in this emerging field.

Disclaimer：

1. This article is reprinted from [theblockbeats]. All copyrights belong to the original author [LZ]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.