May 6, 2019

From Alice to Bob: A Tutorial on Running AZTEC Zero-Knowledge Transactions on Pantheon

This blog post was written by PegaSys Applied Researchers, Gautam Botrel and Thomas Piellard. In it, they cover how to use AZTEC, an efficient zero-knowledge privacy protocol, to create and trade an anonymous asset on a private network with the implementation of PegaSys’ Enterprise Ethereum client, Pantheon.

Introduction

Tokens represent the most powerful and widely adopted use case for blockchain. Yet, enterprises are often blocked from harnessing the power of tokens due to the public nature of balances and transaction amounts on public chains like Bitcoin and Ethereum. By partnering with AZTEC on this tutorial, we have sought to provide an efficient, simple solution for hiding the balances and amounts involved in token transactions on Pantheon. Our eventual goal is to enable zero-knowledge transactions in private networks that can achieve the 100+ TPS (transactions per second) throughput enterprises need.

Context

The typical requirements enterprises ask for related to privacy are:

  • “We want to hide participant’s balances”
  • “Participants to a transaction must be anonymous”
  • “We need to execute complex business logic privately”

PegaSys has taken a multi-faceted approach to privacy: we partnered with Web3 Labs to integrate Orion, a private transaction manager in Pantheon, and our R&D teams (sidechains, zero-knowledge computation) are advancing other research rapidly.

In this post, we’re going to explore how to use AZTEC, an efficient zero-knowledge privacy protocol, to create and trade an anonymous asset on a private network.

AZTEC enables private transactions on Ethereum mainnet using “lightweight” zero-knowledge proofs. It is implemented in Solidity and Javascript. The Javascript part is meant to be integrated on the dAPP side and offers APIs to construct valid AZTEC transactions. The Solidity part verifies them, and is fined-tuned for efficiency (gas-cost optimisations) to fit with AZTEC’s aim for implementation on mainnet. Nonetheless, this efficiency also helps make a private network more efficient.

We’re going to focus on a simple scenario: create and trade a token, while keeping balances hidden.

AZTEC on Pantheon Quickstart

We wrote 2 examples, with simple scenarios around confidential transactions:

1. Mint and trade confidential assets (no ERC20 counterpart)

2. Convert ERC20 tokens to confidential assets (aka ZkAsset or AZTEC notes)

You can check out the code here.

Run it

1.Start a Pantheon node

docker run -p 8545:8545  pegasyseng/pantheon:latest –miner-enabled –miner-coinbase fe3b557e8fb62b89f4916b721be55ceb828dbd73 –rpc-http-cors-origins=”all”  –rpc-http-enabled –network=dev

2. git clone [email protected]:pegasyseng/pantheon-aztec-quickstart.git && cd pantheon-aztec-quickstart

3. yarn install

4. yarn run zkasset

5. yarn run zkasset-erc20

How Does it Work?

At its core, AZTEC relies on “notes”, and similarly to Bitcoin or ZCash, follows the UTXO model. A valid transaction specifies a list of existing notes that are “destroyed” (spent) and a list of notes that are created.

from AZTEC whitepaper
from AZTEC whitepaper

A note is “owned” by who possesses knowledge of its viewing key. An AZTEC account is an ECC keypair on secp256k1 (like in Ethereum). The creator of a note specifies a public key belonging to the future note owner. The viewing key (key allowing the decryption of a note) is the result of a shared secret between the note’s creator and the note’s recipient, using a Diffie Hellman procedure between an ephemeral public/private key generated by the note’s creator and the note recipient’s public key.

Similarly to Confidential Transactions, Monero, ZCash or Grin the note values are blinded through a commitment scheme. Unlike these protocols, AZTEC don’t use Pedersen commitments but a scheme derived from Boneh – Boyen signatures.

Here is a high level sketch of an AZTEC confidential transaction, where Alice wants to transfer 150 AZTEC notes to Bob.

  1. Alice owns 2 notes of values 100 and 50
  2. She creates (off chain) 2 new notes using Bob’s public key of arbitrary values 75 and 75
  3. She constructs a zero-knowledge proof showing that Σinputs = Σoutputs+ kpublic and signs it
  4. She sends the transaction (input and output commitments, proof) on-chain
  5. AZTEC CryptoEngine (ACE.sol) verifies the proof, removes Alice’s notes from the note registry and adds Bob’s notes
  6. Bob receives an event “CreateNote” and uses his private key to reconstruct his notes

In step 3, Alice (the prover) constructs the zero-knowledge proof (without revealing either Σinputs nor Σoutputs)

Σinputs = Σoutputs + kpublic

If kpublic=0, the transaction involves only confidential notes. This is the case in our example (Alice has 150 notes that she transfers to Bob).

If kpublic<0, Σoutputs > Σinputs, and kpublic ERC20 tokens are “shielded” into notes.

If kpublic>0, Σoutputs < Σinputs, and kpublic notes are “unshielded” to ERC20 tokens.

[Note: in ZCash, kpublicis called vbalance and similarly indicates ZEC moving in and out of the Transparent/Sapling Pool]

AZTEC Zero-Knowledge Proof

The proof system created by AZTEC consists of a sigma protocol, a common technique used in zero-knowledge systems.

In a sigma protocol, the prover convinces a verifier that she knows some secret data “s” without revealing it. The flow is in three steps and matches the shape of capital “sigma” Greek letter:

  1. The prover sends public data “p” to verifier, depending on “s”,
  2. The verifier computes “w” depending only on “p” and “c”. He then sends a challenge “c” to the prover.
  3. The prover sends “r”, the result of a computation depending on “c” and “s”.

At the end, the verifier checks that some relation R between “w” ( = f(p,c) ) and “r” ( = g(c,s) ) holds. The protocol is designed such that R holds if and only if “r” is computed with the right “s” therefore it proves that the prover knows “s” without revealing it.

Such a thing is achievable because remember that “p” depends on “s” in the first place!

In practice, this sigma protocol is made non-interactive using a Fiat-Shamir heuristic. To dig deeper into the commitments and the zero-knowledge proof, please read our AZTEC protocol cheat sheet.

Is it fast?

Our benchmarks show that with the current implementation you can create joinSplit proofs (2 notes destroyed, 2 notes created) in 25ms and verification cost is about 1Million gas. On a private network, TPS (transactions per second) will depend on the settings (block size, block interval).

Is it really private?

Confidential transactions come in many flavours.

In AZTEC’s current implementation, amounts are hidden, and it is not possible for a party exterior to a transaction to decipher the values involved.

However, it does not enforce anonymity of participants. We consider anonymity “broken” because it is possible to analyze the transaction graph and deduct who is transacting with who in each transaction.

Three keys informations are available:

  1. Notes are tagged with their public key (available in “CreateNote” and “DestroyNote” events for example)
  2. ACE.sol (AZTEC crypto engine) when processing a transaction, inserts and deletes note commitments from the note registry
  3. Inherited from Ethereum’s design: an account funded with gas (linkable to an identity) is needed to sign the transactions

Hence, when a note is spent, it is possible to browse the previous transactions and see in which transaction the note was created, and by who it was signed. On private networks, we may mitigate this, if an issue at all.

Conclusion

AZTEC realized a tour de force, by making efficient confidential transactions available on Ethereum. The protocol paves the way for more complex use cases (loans, delegate calls…) — check out the specification, whitepaper and blog posts to know more.

Interested in more complex implementations? Please reach out to the author [email protected].

We are actively looking for customers and system integrators across industries to use Pantheon. If you want to discuss working with us, send us an email at [email protected].

Download Pantheon 1.1 and check out our updated documentation.

PegaSys is hiring! Check out our list of open roles.

To keep up to date on PegaSys’ progress, check out our GitHub, follow us on Twitter and sign up for our mailing list below.