Privacy may be the only thing DeFi fans and cypherpunks can agree on. In 2020, political censorship is motivating further adoption of cryptocurrencies which are anonymous – that means the senders’ and receivers’ identities are not linked on the blockchain. From the other side, the DeFi community is waking up to the need for confidential transactions, where the amount being sent is hidden. This will be essential for smart contract derivative instruments, peer-to-peer lending and the like.

Ethereum Privacy Tools for 2020

So what privacy tools are available on Ethereum? As of today, not many. The past decade has seen lots of innovation around Bitcoin privacy and Privacy Coins, like Monero and Zcash, but Ethereum has yet to reap the benefits of this innovation.

This is changing. From lightweight mixing protocols to bleeding-edge zero knowledge proofs, Ethereum privacy is finally having its day. Here’s what you should know about and where things are headed.

  1. Private Ethereum Blockchains: trade network effects for mutability

The earliest proposal for private DeFi was to set up separate, non-public Ethereum blockchains. For example, a local government could set up a land title registry as a smart contract on the state’s internal Ethereum network. In this example, only the government is allowed to run nodes, and the consensus mechanism is ‘proof-of-authority’ — authorized nodes can issue new blocks whenever they like.

One main benefit of this (besides privacy) is that records can be changed. In the case of land titles, if someone passes away and they haven’t designated an heir, the blockchain needs to be ‘manually updated’ so that the physical land can be put up for auction. However, these networks don’t support payment in mainnet currencies, so private Ethereum blockchains lose out on the network effects of global public blockchains.

  1. Zether: A Privacy Coin on Ethereum

Zether is a private cryptocurrency that lives within the Zether Smart Contract. Anyone can buy ZTH by depositing ETH to the Zether smart contract. When ZTH is transferred, the blockchain records long strings of numbers and letters from the user’s address to the contract which hide the amount and receiver, but are still verifiable. Zether also uses timing and decoys to expand the anonymity set. 

  1. Tornado.cash: the Ethereum mixer

Imagine a network of ATMs where, if you deposit $1, you receive a ‘token of deposit’ which you can use to withdraw $1 from any other ATM, at any time. 

Tornado.cash is a smart contract that works in this way: when a user submits ETH, they receive a Note. That note can be exchanged back for the same amount of ETH – at any time, from any address. Importantly, the note proves it’s connected to some unspent deposit, but it doesn’t reveal which one — so Alice isn’t directly linked to Bob. It also works for any ERC20 token, not just ETH.

Tornado’s Notes are actually zk-SNARKs, a new-ish flavor of zero-knowledge proof put to use most notably by Zcash. But rather than start from scratch, Tornado uses snarkjs and circom, a pair of open-source JavaScript libraries developed by iden3. They also took a novel approach to the trusted setup, crowdsourcing the ‘entropy’ of the network to over 1,000 volunteers. To date, they’ve accepted over 3,200 deposits for 0.1 ETH (the most commonly used denomination) and the account balance stands at 57.1 ETH.

  1. Incognito.org: a trustless sidechain for private ERC20 exchange

Next, imagine you take these ‘tokens of deposit’ and allow people to exchange them privately on a separate blockchain.

Incognito is a separate blockchain connected to the Ethereum mainnet by a smart contract bridge. You can ‘mint’ a privacy version of any ERC20 token on Incognito by depositing a real one (along with your Incognito address) to the ERC20 smart contract. After that, you can send and receive your private tokens on the Incognito network privately and cheaply. When you’re ready to withdraw, your privacy tokens will be burned and their public counterparts sent from the smart contract to an Ethereum address you choose.

Incognito runs a UTXO-based ledger similar to Monero with RingCT, Stealth Addresses and Bulletproofs. Because users can exchange tokens on the Incognito DEX, the anonymity set is potentially all the value held on Incognito, of any currency. As of this writing, there is over $750,000 in USD-T alone shielded and growing.

  1. Plasma: an interface for Ethereum sidechains

Now, imagine the sidechain’s bridge goes down. What happens to the ETH you deposited to the smart contract? We need a mechanism for the Ethereum network to maintain control even while other networks help with computation. We need fraud proofs. Back in 2017, Vitalik proposed just such a solution and called it Plasma. In his own words from 2019:

“Plasma chains are sidechains that have a non-custodial property: if there is any error in the Plasma chain, then the error can be detected, and users can safely exit the Plasma chain and prevent the attacker from doing any lasting damage.”

He was particularly interested in trust and liveness. Users shouldn’t have to trust any additional parties beyond the Ethereum mainnet. If there’s a problem with the private blockchain, Ethereum mainnet will still let users withdraw from the contract. While some ideas were discussed, little progress was made on this idea before it was replaced with Vitalik’s next suggestion…

  1. Roll-ups: validate many transactions with one small proof and ETH 2.0

Source: https://forkast.news/vitalik-buterin-explains-ethereum-2-0s-four-phases-sharding-scaling-proof-of-stake-and-more/

So how can the Ethereum mainnet police the sidechains? By making them post compact proofs of their own validity into ‘rolled-up’ transactions on the Ethereum mainnet. That way, if a transaction is invalid, the rolled-up transaction won’t be accepted. If the sidechain goes down, I can withdraw the amount I deposited to the contract +/- all accepted transactions.

But how is this more efficient than a regular transaction? Instead of sending transactions to the EVM (Ethereum Virtual Machine), a separate service (layer-2) does all validating and produces one “succinct” proof that the whole batch is correct. If the EVM can validate this proof, it will accept the whole batch and record it as metadata to the rollup transaction. If the EVM finds a problem in the proof, the whole batch is rejected. All of this is included in the phases of ETH 2.0.
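The all-or-nothing batch rule and the "deposit +/- accepted transactions" exit described above, as a toy model added here (not code from any rollup project). The class and function names are hypothetical, and re-executing the batch stands in for verifying the succinct proof, which a real rollup checks without replaying the transfers.

```javascript
const crypto = require("crypto");
// State commitment: hash of the sorted balance table (stand-in for a Merkle root).
function stateRoot(balances) {
  const rows = Object.keys(balances).sort().map((k) => `${k}:${balances[k]}`);
  return crypto.createHash("sha256").update(rows.join("|")).digest("hex");
}

// Layer-2 side: apply transfers in order; one invalid transfer voids the whole batch.
function applyBatch(balances, batch) {
  const next = { ...balances };
  for (const { from, to, amount } of batch) {
    if (!Number.isInteger(amount) || amount <= 0) return null;
    if (!Object.hasOwn(next, from) || !Object.hasOwn(next, to)) return null;
    if (next[from] < amount) return null; // overspend
    next[from] -= amount;
    next[to] += amount;
  }
  return next;
}

// Mainnet side (toy): holds the deposits and the last accepted state.
class RollupContract {
  constructor(deposits) {
    this.balances = { ...deposits };
    this.root = stateRoot(this.balances);
  }
  // Assumption: re-execution replaces succinct-proof verification in this model.
  submit(batch, prevRoot, claimedRoot) {
    if (prevRoot !== this.root) return false; // batch built on a stale state
    const next = applyBatch(this.balances, batch);
    if (next === null || stateRoot(next) !== claimedRoot) return false;
    this.balances = next;
    this.root = claimedRoot;
    return true;
  }
  // Exit path if the layer-2 service disappears: deposit +/- accepted transfers.
  withdrawable(user) {
    return this.balances[user] ?? 0;
  }
}

// Constructed sample data: one valid batch, then one with an overspend in it.
function demo() {
  const l1 = new RollupContract({ alice: 10, bob: 5, carol: 0 });
  const good = [{ from: "alice", to: "bob", amount: 4 }, { from: "bob", to: "carol", amount: 7 }];
  const ok = l1.submit(good, l1.root, stateRoot(applyBatch(l1.balances, good)));
  const bad = [{ from: "carol", to: "alice", amount: 1 }, { from: "alice", to: "bob", amount: 99 }];
  const rejected = !l1.submit(bad, l1.root, "0".repeat(64));
  const [alice, bob, carol] = ["alice", "bob", "carol"].map((u) => l1.withdrawable(u));
  return { ok, rejected, alice, bob, carol };
}
console.log(demo());
```

The second batch starts with a valid transfer, yet none of it is applied: carol can still withdraw 7 and alice 6 after the rejection.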

  1. ZoKrates: a toolbox for zkSNARKs on Ethereum

ZoKrates is a JavaScript library and Remix plugin that provides a high-level language for creating and validating zkSNARK proofs in Solidity. Because it’s high-level, you need an understanding of how to build and validate proofs in order to use it in your programs, but there are several online tutorials for doing just that.

We can combine ZoKrates with roll-ups to create highly-scalable Privacy Coins – which is exactly what the next two projects have done. We call these zk-rollups because they combine the two technologies. (RingCT anyone?) But keep two things in mind: 

  1. zkSNARK protocols always require a trusted setup. Zcash famously conducted its genesis ceremony in complete secrecy but kept meticulous records to prove its validity without opening themselves to interference. Tornado crowdsourced the issue by having volunteers contribute to the randomness which set up the system. Other methods have been proposed and used.
  2. Any privacy solution is only as good as its anonymity set, and if the whitepaper says the anonymity set is 10^50 but there are only 5,000 people using it, the anonymity set is 5,000.

  1. Ethereum 9 ¾: zk-rollup plus MimbleWimble

Ethereum 9 ¾ is one instantiation of rollups which uses MimbleWimble to hide even more information. MimbleWimble does away with accounts, and instead basically issues a unique spending key for every new output. Ethereum 9 ¾ also uses an ECC-encrypted data structure called a Pedersen Merkle Mountain Range to reduce the size of the proof posted to mainnet.

Ethereum 9 ¾ is currently being developed part-time, but they have a trusted ceremony planned which they’re calling “Destroying Horcruxes.” For those struggling to keep up with Harry Potter references in the MimbleWimble ecosystem, a Horcrux is an object that grants immortality in exchange for a fragment of one’s soul. Keep an eye on “eth 934” this year.

  1. Nightfall: a zk-rollup library from E&Y

Ernst & Young, the ‘Big-Four’ American consultancy, produced their own version of a zk-rollup library called Nightfall and open-sourced the code. This was seen as a big step for traditional finance away from private Ethereum blockchains, which have seen a lot of attention in the past couple of years, toward privacy solutions for public blockchains.

Nightfall is basically a JavaScript library which takes a ‘trusted setup’ as an input and gives you a zerocash-like scheme where public token X can be freely exchanged to and from private token pX. Under this type of scheme, pX mint amounts are still visible, but transfer amounts usually are not, so transactions can have both anonymity and confidentiality.

It looks useful, and brings the technical reputation of E&Y. Keep an eye out for developers using Nightfall to add privacy to their Dapps in 2020.

  1. Aztec: Plonks with a common setup

Where Nightfall takes some trusted setup as an input, Aztec comes pre-loaded with one. Anyone can generate and validate zk-proofs in their own child smart contracts by interacting with the ACE (Aztec Cryptography Engine) smart contract.

It’s important to note that Aztec is not a private Ethereum blockchain. It’s just a smart contract which can be called to create and validate zero knowledge proofs on the EVM. Aztec is also built on ZoKrates and was developed with financial instruments in mind. Private notes can represent ratios of other notes, such as interest payments or bond yields. Aztec focuses on confidentiality for now – obscuring the value of a transaction – and will add anonymity features in future versions.

  1. STARKs: the future of Ethereum?

Source: https://medium.com/starkware/the-cambrian-explosion-of-crypto-proofs

When asked about privacy for Ethereum, Vitalik usually says that public blockchains play an irreplaceable role, and adequate privacy can be achieved through layer-2 solutions – like the ones described above – so it’s probably better for Ethereum to remain public. Lately, however, he includes ‘STARKs’ (Scalable, Transparent, Arguments of Knowledge) in his long-term vision of Ethereum 2.0. STARKs, unlike SNARKs, are based on cryptography which pre-dates ECC.

Another big proponent of STARKs is Eli Ben-Sasson, one of the inventors of zkSNARKs and an author of the Zerocash paper. He co-founded StarkWare, who did a mainnet proof-of-concept just a couple of days ago. It’s likely we’ll see more friendly collaboration between him, Vitalik and others as Ethereum looks for the right privacy solution to implement at a protocol level.
