An article reviews the new trends of ETH Fang in 2023: ZK and privacy

1. Background

Vitalik Buterin, co-founder of ETH Workshop, has made it clear that ETH Workshop will fail without a technological shift in privacy transition. Because all transactions are publicly visible, privacy sacrifices are too great for many users, and everyone will turn to centralized solutions that hide data at least to some extent.

In 2023, Vitalik conducted a series of studies on privacy protection and the advancement of zero-knowledge proofs (ZK) technologies. In the first half of the year, Vitalik published three articles on his website dedicated to ZK and privacy protection. In April, he also presented a study on Reddit on the privacy of wallet guardians. In September, he co-authored a paper with other professionals proposing a solution for balancing privacy and compliance.

In addition, ETH Fang Ecology is also actively promoting the discussion and popularization of this topic. At the ETHDenver event in March, a special event focused on privacy was held. At the annual EDCON (Ethereum Community Conference) conference in May, Vitalik highlighted that “ZK-SNARKs will be as important as blockchains in the next 10 years”.

This article tracks the latest developments in the ETH ecosystem in 2023 in terms of using ZK technology to promote privacy protection. If you want to make it to the ETH ZK circuit, this article can provide the necessary interpretation and guidance.

2. ETH ZK Track: Building the Future of Privacy Protection

**ETH transparency may put users’ personal information at risk of leakage. **There are no secrets on blockchains such as ETH Fang, and all information is public, which includes other on-chain activities such as transactions, voting, etc. Such openness may result in specific transactions and addresses being traced and linked to real user identities. Therefore, it is important to implement privacy protection on ETH. Hiding on-chain information can be done through cryptography, but the challenge is to ensure that the validity of these transactions is verified while protecting privacy. ZK technology provides a solution to prove the authenticity of a transaction without revealing additional information, taking into account privacy and verifiability.

ZK-SNARKs are highly valued by ETH, especially in certain key privacy-preserving application scenarios. This is evident in Vitalik’s research and proposals, where Salus collates the typical scenarios that Vitalik proposes in his research, namely private transactions and social recovery.

2.1 Private Transactions

Regarding private transactions, Vitalik proposes two concepts: Stealth Addresses and Privacy Pools.

1. The private address scheme allows transactions to be made without hiding the identity of the transaction recipient. **This solution provides privacy protection while ensuring transparency and auditability of transactions.

2. Based on the privacy pool protocol, users can prove that their trading funds belong to known compliant sources without disclosing historical transactions. This option allows users to conduct private transactions while complying with regulations.

Both of these schemes are inseparable from ZK. In both scenarios, users are allowed to generate zero-knowledge proofs to prove the validity of their transactions.

2.1.1 Privacy Address

Suppose Alice intends to transfer some kind of asset to Bob, and when Bob receives the asset, he doesn’t want the global public to know that he is the recipient. Although it is difficult to conceal the fact of the transfer of assets, it is possible to hide the identity of the recipient. It is in this context that the privacy address scheme came into being, and its main problem is how to effectively hide the identity of the recipient of the transaction.

So, what is the difference between a private address and an ordinary ETH address, and how to use a ZK-based privacy address for private transactions? Salus will introduce them to you one by one.

(1) What is the difference between a private address and an ordinary ETH address?

A privacy address is an address that allows the sender of a transaction to be generated in a non-interactive manner and can only be accessed by its recipient. **We explain the difference between a private address and a normal ETH address from two dimensions: who generates it and who has access to it.

Generated by whom?

Ordinary ETH addresses are generated by the user himself based on encryption and hashing algorithms. A private address can be generated by the person or by the other party to the transaction. For example, when Alice transfers money to Bob, the address that Bob uses to receive the transfer can be generated by Bob or Alice, but only controlled by Bob.

Who can access?

The type, amount, and source of funds under an ordinary ETH account are publicly visible. Whereas, in transactions made with a shielded address, only the recipient has access to the funds stored in their stealth address. The observer cannot associate the recipient’s privacy address with their identity, protecting the recipient’s privacy.

(2) How to use ZK-based privacy addresses for private transactions?**

If Alice wants to send assets to Bob’s private address, this is a way to hide the recipient of the transaction. Here’s a detailed description of the trading process:

1. Generate a privacy address

● Bob generates and saves a spending key, which is a private key that can be used to spend funds sent to Bob’s private address.

● Bob uses the consumption key to generate a stealth meta-address, which can be used to compute a privacy address for a given recipient and pass the privacy meta-address to Alice. Alice calculates the privacy meta address to generate a privacy address belonging to Bob.

2. Send assets to a privacy address

● Alice sends assets to Bob’s privacy address.

● Since Bob doesn’t know that this privacy address is his own, Alice also needs to publish some additional encrypted data (a temporary public key, ephmeral pubkey) on the chain to help Bob discover that this privacy address belongs to him.

The privacy address in the above process can also be constructed using zero-knowledge proofs constructed from hashes and public key cryptography. The smart contract code in the privacy address can be integrated with ZK. By embedding zero-knowledge proof verification logic, smart contracts are able to automatically verify the validity of transactions. **This scheme for constructing a private address is simpler than other schemes, including elliptic curve cryptography, elliptic curve isogenies, lattices, and generic black-box primitives.

2.1.2 Privacy Pool

Whether private transactions are achieved by hiding the identity of the recipient of the transaction or other information about the transaction, there is a major problem: how can users prove that their transaction funds belong to a known compliant source without having to disclose their entire transaction history. As a public blockchain platform, ETH must avoid becoming a medium for money laundering and other illegal activities.

Vitalik has proposed a solution called “Privacy Pool” that aims to balance the privacy protection and compliance needs of blockchains. However, what are the challenges of privacy protection and compliance, and how do you balance privacy and compliance? Salus provides an in-depth and instructive discussion on both issues.

(1) Privacy Protection and Compliance Challenges**

While achieving privacy, it is a challenge to ensure transaction compliance, which can be vividly demonstrated by analyzing the case of Tornado Cash.

Tornado Cash is a cryptocurrency mixer that mixes a large number of deposits and withdrawals. After depositing tokens at one address, users can present ZK Proof to prove that they have deposited, and then withdraw funds from a new address. These two operations are public on the chain, but the correspondence between them is not public, so they are anonymous. While it can enhance the privacy of users, it is often used by illegal actors to launder money. As a result, the U.S. Treasury Department’s OFAC finally added Tornado Cash’s smart contract address to the sanctions list. Regulators believe that the agreement facilitates money laundering and is not conducive to the fight against financial crime.

**Tornado Cash’s shortcomings in privacy protection are that there is no way to verify that the source of a user’s token is compliant. To address this issue, Tornado Cash provides a centralized server to help users prove that their tokens are compliant. However, the server must obtain the details of the withdrawal provided by the user and determine which deposit the withdrawal corresponds to, in order to generate the proof. This centralized mechanism not only has the cost of trust assumptions, but also produces information asymmetry. Ultimately, the mechanism is barely used by users. While Tornado Cash implements privacy features, it doesn’t provide an effective mechanism to verify that the origin of a user’s tokens is compliant, which is what criminals can exploit.

(2) How do you balance privacy and compliance?**

Based on these challenges, Vitalik proposed the concept of Privacy Pools, which allows users to prove that their funding sources are compliant without revealing historical transaction information. This strikes a balance between privacy and compliance.

Privacy Pools are based on ZK and association sets, allowing users to generate and publish ZK-SNARK proofs that prove that their funds come from a known, compliant source. This means that the funds belong to a compliant association set, or it does not belong to a non-compliant association set.

Correlation collections are built by association collection providers based on specific policies:

1.Membership Proof: Deposits from all trusted trading platforms are put into a correlation set, and, there is conclusive evidence that they are low-risk.

2.Exclusion Proof: Identify a group of deposits that have been flagged as risky, or for which there is conclusive evidence that they are non-compliant funds. Construct an associated collection that contains all deposits except these deposits.

When making a deposit, the user generates a secret through ZK and hashes a public coin ID to mark their association with the fund. When withdrawing, the user submits a nullifier corresponding to the secret (the nullifier is a unique identifier derived from the secret) to prove that the funds are their own. Moreover, users can prove that their funds belong to a known compliant source by proving two merkle branches through ZK:

1. His coin ID belongs to the coin ID tree, which is a collection of all transactions that are currently occurring;

2. His coin ID belongs to an association set tree, which is a collection of transactions that the user considers to be compliant.

(3) Application scenarios of ZK in privacy pools?**

1. Flexibility for private transactions: In order to process transfers of any denomination in private transactions, additional zero-knowledge proofs are attached to each transaction. This proof ensures that the total denomination of the created token does not exceed the total denomination of the token being consumed, thus ensuring the validity of the transaction. Second, ZK maintains transaction continuity and privacy by verifying each transaction’s commitment to the original deposit token ID, making it possible to guarantee that each withdrawal is associated with its corresponding original deposit, even in the case of partial withdrawals.

2. Balance-summing attacks: Balance summing attacks can be resisted by merging tokens and committing to a set of token IDs, as well as a union commitment to parent transactions for multiple input transactions. This approach relies on ZK to ensure that all committed token IDs are in their associated collections, enhancing the privacy of transactions.

2.2 Social Recovery

In real life, we may have more than one bank card account. Losing your card PIN means we can’t use the funds on our card. In this case, we usually go to the bank for help to retrieve the password.

Similarly, in blockchains such as ETH, we may have multiple addresses (accounts). A private key, like a bank card password, is the only tool you have to control your account’s funds. Once you lose your private key, you lose control of your account and can no longer access the funds in your account. Similar to real-world password recovery, blockchain wallets provide a social recovery mechanism to help users recover their lost private keys. This mechanism allows users to select a group of trusted individuals to act as guardians when creating a wallet. These guardians can help users regain control of their accounts by approving the reset of their private keys in the event that they lose their private keys.

Under this social recovery and guardianship mechanism, Vitalik proposes two privacy protection points to pay attention to:

1. Hide the correlation between multiple addresses of a user: To protect user privacy, we need to prevent the attribution of multiple addresses from being exposed when multiple addresses are restored using a single recovery phrase.

2. Protect the privacy of the user’s property from the infringement of the guardian: We must ensure that the guardian cannot obtain the user’s asset information or observe the user’s transaction behavior in the process of approving the user’s operation, so as to prevent the user’s property privacy from being violated.

The key technology to achieve both types of privacy protections is zero-knowledge proofs.

2.2.1 Hide the correlation between multiple addresses of a user

(1) Privacy Issues in Social Recovery: Correlation between addresses is disclosed

In blockchains such as ETH, users usually generate multiple addresses for various transactions in order to protect their privacy. By using different addresses for each transaction, you can prevent outside observers from easily associating these transactions with the same user.

However, if the user’s private key is lost, the funds generated by the private key under multiple addresses will not be recovered. In this case, social recovery is required. An easy way to recover is to recover multiple addresses with one click, where the user uses the same recovery phrase to recover multiple addresses generated by a single private key. However, this approach is not ideal, as users generate multiple addresses in order to prevent them from being associated with each other. If a user chooses to restore all addresses at the same time or at a similar time, this effectively reveals that the addresses are owned by the same user. This goes against the user’s original intent of creating multiple addresses to protect their privacy. This constitutes a privacy protection issue in the process of social recovery.

(2) ZK Solution: How to avoid the correlation of multiple addresses from being disclosed?**

ZK technology can be used to hide the correlation between multiple addresses of a user on the blockchain, and solve the privacy problem of social recovery through an architecture that separates verification logic and asset holdings. **

1. Verification logic: Users have multiple addresses on the blockchain, but the verification logic for all of them is connected to a major authentication contract (keystore contract).

2. Asset holding and trading: When users operate from any address, they use ZK technology to verify the operation authority without revealing which address it is.

In this way, even if all addresses are connected to the same keystore contract, an outside observer cannot determine whether these addresses belong to the same user, thus achieving privacy protection between addresses.

It is important to design a private social recovery scheme that can recover multiple user addresses at the same time without revealing the correlation between them.

2.2.2 Protect the privacy of the user’s property from the infringement of guardians

(1) Privacy Issue: Guardian’s Privilege

In blockchains such as ETH, users can set multiple guardians when creating a wallet. Especially for multisig wallets and social recovery wallets, the role of guardian is crucial. Usually, a guardian is a collection of N addresses held by someone else, of which any M addresses can approve an action.

What are the privileges of guardianship, such as:

1. For multisig wallets, each transaction must be signed by M of the N guardians before it can be processed.

2. For the Social Recovery Wallet, if the user’s private key is lost, then M of the N guardians must sign a message to reset the private key.

**Guardians can approve your actions. In multisig, this will be any transaction. In the Social Recovery Wallet, this will be a reset of your account private key. One of the challenges facing guardianship mechanisms today is, how can you protect your users’ financial privacy from being invaded by guardians?

(2) ZK Solution: Protect the privacy of users’ property from the infringement of guardians

In this article, Vitalik envisions that the guardian does not protect your account, but rather a “lockbox” contract, and the link between your account and the safe is hidden. This means that guardians do not have direct access to the user’s account and can only do so through a hidden lockbox contract.

The main role of ZK is to provide a proof system that allows guardians to prove that a statement is true without revealing the specific details of the statement. In this case, guardians can use ZK-SNARKs to prove that they have the authority to perform an action without revealing any details related to the “link between the account and the lockbox”. **

2.3 Exploration: A New Chapter of ZK and Privacy in the ETH Fang Ecosystem

Although the ETH ZK track is still in the development stage, and many innovative ideas and concepts are still being conceived and studied, the ETH ecosystem has launched a wider range of practical exploration activities.

(1) Funding from the ETH Foundation

In September, the ETH Ethereum Foundation funded two privacy-preserving projects, IoTeX and ZK-Team. IoTex is an abstract wallet for accounts based on zero-knowledge proofs, and ZK-Team aims to enable organizations to maintain personal privacy while managing team members.

(2) Investment

In October, Vitalik, co-founder of ETH, invested in Nocturne Labs with the aim of bringing private accounts to ETH. Users will have ‘internal’ accounts in Nocturne and the method of receiving/spending funds from these accounts will be anonymous. **With ZK technology, users can prove that they have enough funds for payments, staking, and other transactions. **

(3) Meetings and events

ETHDenver is considered one of the most important ETH workshops and blockchain technology-related events in the world. In March of this year, ETHDenver hosted a special event focused on privacy. This event not only shows the ETH community’s concern about privacy issues, but also reflects the importance that the global blockchain community attaches to privacy protection. At this special event, nine privacy-related sessions were held, including Privacy by Design and Privacy vs Security.

EDCON (Ethereum Community Conference) is a global annual conference hosted by the ETH community, aiming to promote the development and innovation of ETH, and strengthen the connection and cooperation of the ETH community. At the EDCON conference in May of this year, Vitalik made an important statement in which he said: “In the next 10 years, ZK-SNARKs will be as important as blockchains”. This statement underscores the importance of ZK-SNARKs in the development trend of blockchain technology.

(4) Projects

At present, some application-layer projects have begun to use ZK technology to provide privacy protection services for users and transactions. These application layer projects are called ZK Applications. For example, ZK Application, unyfy, a privacy asset exchange deployed on ETH. Here the prices of trading orders are hidden, and the integrity of these orders with hidden prices is verified by ZK technology. In addition to unyfy, there are a number of other ZK Applications on L2s, such as ZigZag and Loopring, among others. Although these ZK Applications are privacy-preserving based on ZK, they cannot be deployed on ETH because the EVM cannot run these ZK Applications directly.

(5) Research

In addition, researchers have had a heated discussion on ZK technology and its applications on the Ethereum Research platform, including a research article from Salus dedicated to using ZK to promote privacy protection at the ETH application layer. This article tests the performance of several different ZK languages, Circom, Noir, and Halo2, and the results show that Circom has better performance. This paper also proposes a generic solution to integrate Circom in Solidity to implement ZK-based ETH application layer projects. This is of great significance for ETH Fang to achieve a privacy transition. The study gained significant attention in 2023 and topped the list.

This research article is the most read study of 2023 on Ethereum Research— by Salus

3. Challenge

Although many of the existing ETH application layer projects urgently need to introduce ZK-based privacy protection mechanisms, this process faces a series of challenges.

1. Lack of talent resources in ZK: The study of ZK technology requires a solid theoretical foundation, especially in the fields of cryptography and mathematics. Since the implementation of ZK technology involves complex formulas, learners also need to have strong formula interpretation skills. But the problem is that there are relatively few people who focus on learning ZK technology.

2. Limitations of ZK development languages: Rust, Cairo, Halo2 and other languages are used to develop ZK proof circuits, but they are usually only suitable for specific scenarios and are not suitable for application layer projects. Some of these languages, such as Cairo, are still experimental, and there may be compatibility issues between different versions, which makes it difficult and complex to adopt them in real-world applications.

3. Difficulty in the implementation of ZK technology: Vitalik’s scheme of applying ZK technology to ETH privacy protection may face a variety of complex problems in actual implementation, such as how to avoid private transactions from balance-summing attacks, double-spend attacks, etc. There is a certain technical difficulty in solving these problems.

4. Privacy vs. Compliance: While private transactions protect a user’s identity and transaction details, they can also mask illegal activities, such as money laundering. In the future, it remains to be verified whether ZK Applications on ETH will be compliant in the process of implementing privacy protection.

Despite the challenges, ETH Place’s transition to privacy – securing the transfer of funds that provide privacy protection, and ensuring that all other tools under development (social recovery, identity, reputation) protect privacy – is a prerequisite for the widespread deployment of ZK Applications. As mentioned above, the research published by Salus is based on ZK technology to promote the privacy protection and other functions of the ETH application layer. Moreover, Salus proposed for the first time a universal solution that integrates Circom and Solidity and is applied to the application layer project of ETH, implementing the ZK proof system off-chain based on Circom, and the smart contract and ZK verification logic on the ETH based on Solidity. If you need support or have any questions, don’t hesitate to contact Salus.

4. Summary and outlook

In 2023, the ETH community, led by Vitalik Buterin, explored the potential of zero-knowledge proof technology with the aim of enhancing the platform’s privacy-preserving features. While these proposals are still in the research phase, Vitalik’s research and papers, particularly on balancing privacy protection and compliance, provide a theoretical foundation for zero-knowledge techniques to protect user privacy.

Although there are challenges in integrating zero-knowledge proof technology into ETH, it is expected that zero-knowledge proofs will play an even more important role in the ETH workshop ecosystem in the near future as the technology matures and the community continues to work hard. Therefore, timely engagement and active exploration in this area, taking advantage of early opportunities, will help to occupy a strong position in this emerging field.