Skip to main content

Master the Ethereum Trends of 2023: ZK and Privacy for the Future

Background

Ethereum co-founder Vitalik Buterin has clearly stated that without a technological transition to privacy, Ethereum is doomed to fail. This is because the visibility of all transactions to the public is too great a privacy sacrifice for many users, leading them to centralized solutions that at least somewhat conceal their data.

In 2023, Vitalik conducted a series of research on privacy protection and zero-knowledge proofs (ZK). He published three articles specifically discussing ZK and privacy protection. In April, he presented research on wallet custodian privacy issues on Reddit. In September, he co-authored a paper with other professionals, proposing a solution to balance privacy and regulatory compliance.

Additionally, the Ethereum ecosystem has been actively promoting the discussion and popularization of this topic. A special event focused on privacy was held at the ETHDenver event in March 2023. Shortly after that, at the EDCON (Ethereum Community Conference) annual meeting in May, Vitalik emphasized that "in the next ten years, ZK-SNARKs will be as important as blockchain."

This article tracks the latest developments in the Ethereum ecosystem in 2023, leveraging ZK technology to advance privacy protection. If you want to enter the Ethereum ZK track, this article can provide the necessary interpretation and guidance.

Ethereum ZK Track: Building a Future of Privacy Protection

The transparency of Ethereum might put users' personal information at risk of exposure. There are no secrets on blockchains like Ethereum; all information, including transactions, voting, and other on-chain activities, is public. Such openness can lead to specific transactions and addresses being traced and linked to real user identities. Therefore, implementing privacy protection on Ethereum becomes crucial. Hiding on-chain information can be achieved through encryption technologies, but the challenge lies in ensuring the validity of these transactions while protecting privacy. ZK technology offers a solution that proves the authenticity of transactions without revealing additional information, balancing privacy and verifiability.

Ethereum places high importance on ZK-SNARKs, especially in certain key privacy protection applications. This is clearly reflected in Vitalik's research and proposals. ZEROBASE has organized the typical scenarios proposed by Vitalik in his research, namely private transactions and social recovery.

Private Transactions

Regarding private transactions, Vitalik proposed two concepts: Stealth Addresses and Privacy Pools.

  • The Stealth Addresses scheme allows transactions to be conducted under the concealment of the recipient's identity. This scheme provides privacy protection while ensuring the transparency and auditability of transactions.

  • With the Privacy Pools protocol, users can prove that their transaction funds come from known, regulatory compliant sources without disclosing their transaction history. This scheme allows users to conduct private transactions while complying with regulations.

Both of these schemes rely on ZK. In these scenarios, users are allowed to generate zero-knowledge proofs to verify the validity of their transactions.

Stealth Addresses

Suppose Alice intends to transfer an asset to Bob, but Bob does not want the whole world to know that he is the recipient. While it may be challenging to conceal the fact of the asset transfer, hiding the identity of the recipient is feasible. It is in this context that the concept of stealth addresses comes into play, primarily addressing the issue of effectively concealing the identity of the transaction recipient.

So, what distinguishes stealth addresses from regular Ethereum addresses? How do ZK-based stealth addresses facilitate private transactions? ZEROBASE will introduce these aspects one by one.

(1) How do Stealth Addresses Differ From Regular Ethereum Addresses?

Stealth addresses are created in a non-interactive manner by the transaction sender and can only be accessed by the recipient. We explain the differences between stealth addresses and regular Ethereum addresses in terms of who generates them and who can access them.

Who generates them? Regular Ethereum addresses are generated by the user themselves based on cryptographic and hashing algorithms. In contrast, a stealth address can be generated by the person themselves or by the other party in the transaction. For example, when Alice sends funds to Bob, the address used by Bob to receive the funds can be generated by either Bob or Alice, but only Bob can control it.

Who can access them? The types, quantities, and sources of funds in a regular Ethereum account are publicly visible. However, in transactions using stealth addresses, only the recipient can access the funds stored in their stealth address. Observers cannot associate the recipient's stealth address with their identity, thereby protecting the recipient's privacy.

(2) How to Conduct Private Transactions Using ZK-based Stealth Addresses?

If Alice wishes to send assets to Bob's stealth address to conceal the transaction recipient, here is a detailed explanation of the process:

  1. Generating a Stealth Address

    • Bob generates and saves a spending key. This is a private key that can be used to spend funds sent to Bob's stealth address.

    • Bob uses the spending key to generate a stealth meta-address, which can be used to compute a stealth address for a given recipient and passes this stealth meta-address to Alice. Alice computes the stealth address belonging to Bob using the stealth meta-address.

  2. Sending Assets to the Stealth Address

    • Alice sends assets to Bob's stealth address.

    • As Bob is not aware that this stealth address belongs to him, Alice needs to publish some additional encrypted data on the blockchain (an ephemeral pubkey) to help Bob discover that the stealth address belongs to him.

The stealth address process described above can also be constructed using zero-knowledge proofs based on hash constructions and public-key encryption. The smart contract code in the stealth address can be integrated with ZK. By embedding zero-knowledge proof verification logic, the smart contract can automatically verify the validity of the transaction. This approach to building stealth addresses is simpler compared to other techniques, including elliptic curve cryptography, elliptic curve isogenies, lattices, and generic black-box primitives.

Privacy Pools

Whether achieved by hiding the identity of transaction recipients or other transaction details, one major issue in private transactions is how users can prove their transaction funds come from known regulatory-compliant sources without disclosing their entire transaction history. As an open blockchain platform, Ethereum must avoid becoming a medium for money laundering and other illegal activities.

Vitalik proposed a solution called "Privacy Pools," aimed at balancing blockchain's privacy protection with regulatory compliance needs. However, what are the challenges of privacy protection and regulatory compliance? How can privacy and regulatory compliance be balanced? ZEROBASE provides an in-depth and instructive discussion for these two questions.

(1) Challenges of Privacy Protection and Regulatory Compliance

Ensuring transaction regulatory compliance while achieving privacy protection is a challenge vividly illustrated by analyzing the Tornado Cash case.

Tornado Cash is a cryptocurrency mixer that mixes many deposit and withdrawal actions. Users deposit tokens at one address and then withdraw them using a new address after presenting a ZK Proof proving they made a deposit. These two operations are public on the blockchain, but the correspondence between them is not public, providing anonymity. Although this design could enhance user privacy, it is often used by illegal actors for money laundering. Consequently, the U.S. Treasury Department's OFAC eventually sanctioned Tornado Cash's smart contract addresses. The regulatory bodies considered the protocol to facilitate money laundering, hindering the fight against financial crime.

Tornado Cash's shortfall in privacy protection is its inability to verify whether a user's token source is regulatory compliant. To address this issue, Tornado Cash offered a centralized server to help users prove their tokens' regulatory compliance. However, the server must obtain specific information the user provides about the withdrawal, determining which deposit corresponds to this withdrawal to generate proof. This centralized mechanism not only involves trust assumptions but also creates information asymmetry. Eventually, this mechanism was hardly used by users. Although Tornado Cash achieved privacy functionality, it did not provide an effective mechanism to verify the regulatory compliance of users' token sources, thereby giving criminals an opportunity.

(2) How to Balance Privacy and Regulatory Compliance?

Based on the challenges mentioned above, Vitalik proposed the concept of Privacy Pools, allowing users to prove their funds come from known regulatory-compliant sources without revealing their transaction history, thus seeking a balance between privacy and regulatory compliance.

Privacy Pools are based on ZK and an association set, allowing users to generate and publish ZK-SNARK proof, so that users can prove their funds come from known regulatory-compliant sources. This means that the funds belong to a regulatory-compliant association set or do not belong to a non-compliant association set.

Association sets are constructed by association set providers according to specific strategies:

  • Membership Proof: Deposits from all trusted trading platforms are put into an association set, and there is concrete evidence that they are low-risk.

  • Exclusion Proof: Identifies a group of deposits marked as risky or deposits believed to be non-compliant funds. An association set is constructed that includes all deposits except these.

When depositing, users generate a secret using ZK and compute a public coin ID to mark their association with the funds. When withdrawing, users submit a nullifier corresponding to the secret (a unique identifier derived from the secret), proving the funds are theirs. Moreover, users use ZK to prove two Merkle branches, thus proving their funds belong to known regulatory compliant sources:

  • Their coin ID belongs to the coin ID tree, which is the collection of all current transactions;

  • Their coin ID belongs to the association set tree, a collection of some transactions the user considers regulatory compliant.

(3) ZK Use Cases in Privacy Pools?

  • Ensuring Flexibility in Private Transactions: To handle transfers of any denomination in private transactions, each transaction includes additional zero-knowledge proofs. These proofs ensure the total denomination of created tokens does not exceed the total denomination of consumed tokens, thereby ensuring the transaction's validity. Additionally, ZK maintains the continuity and privacy of transactions by verifying each transaction's commitment to the original deposit token ID, ensuring that each withdrawal is associated with its corresponding original deposit, even in partial withdrawal scenarios

  • esisting Balance-Summing Attacks: By merging tokens and committing to a group of token IDs, and by committing to the union of parent transactions for transactions with multiple inputs, balance-summing attacks can be resisted. This method relies on ZK to ensure all committed token IDs are in their association set, thereby enhancing transaction privacy.

Social Recovery

In real life, we may have multiple bank card accounts. Losing the password to a bank card means that we can't access the funds in it. In such cases, we usually go to the bank for help to retrieve our passwords.

Similarly, in blockchains like Ethereum, we might have multiple addresses (accounts). The private key, akin to a bank card's password, is the sole tool to control the account's funds. Once you lose your private key, you lose control of the account and can no longer access the funds in it. Comparable to the real-world password recovery process, blockchain wallets offer a social recovery mechanism to help users retrieve their lost private keys. This mechanism allows users to select a group of trusted individuals as guardians when creating a wallet. These guardians can authorize the operation to reset the user's private key in the event of a loss, thereby helping the user regain control over their account.

Under this social recovery and guardians mechanism, Vitalik pointed out two privacy protection aspects that need attention:

  • Hiding the association between multiple addresses of a user: To protect user privacy, it's necessary to prevent the exposure of the ownership relationship of these addresses when recovering multiple addresses using a single recovery phrase.

  • Protecting users' financial privacy from guardians: We must ensure that guardians cannot access users' asset information or observe their transaction activities during the approval process to prevent the invasion of users' financial privacy.

The key technology to achieve these two types of privacy protection is zero-knowledge proof.

Hiding the Association Between Multiple Addresses of a User

(1) Privacy Issues in Social Recovery: Exposure of Associations Between Addresses

In blockchains like Ethereum, users often generate multiple addresses for various transactions to protect their privacy. Using different addresses for each transaction prevents external observers from easily linking these transactions to the same user.

However, if a user loses their private key, the funds in all addresses generated by that private key become irretrievable. In such cases, social recovery is needed. A simple recovery method is to use one recovery phrase to restore multiple addresses created by one private key. But this method is not ideal because the original intention of generating multiple addresses is to prevent them from being linked to each other. If a user chooses to recover all addresses at the same time or close in time, it essentially reveals to the outside world that these addresses belong to the same user. This contradicts the original purpose of creating multiple addresses for privacy protection, constituting a privacy issue in the social recovery process.

(2) ZK Solution: How to Avoid Disclosure of Association Between Multiple Addresses?

ZK technology can be used to hide the association between multiple user addresses on the blockchain, solving the privacy issue in social recovery through an architecture that separates verification logic and asset holdings.

  • Verification Logic: Users have multiple addresses on the blockchain, but all these addresses are linked to a main identity verification contract (keystore contract).

  • Asset Holdings and Transactions: When users operate from any address, they use ZK technology to verify operating authorization without revealing the specific address they are using.

This way, even if all addresses are linked to the same keystore contract, external observers cannot determine if these addresses belong to the same user, thus achieving privacy protection between addresses.

Designing a privacy social recovery solution that can simultaneously recover multiple addresses of a user without revealing their association is of great importance.

Protecting Users' Financial Privacy from Guardians

(1) Privacy Issues: Privileges of Guardians

In blockchains like Ethereum, users can set up multiple guardians when creating wallets, especially for multisig wallets and social recovery wallets. Typically, guardians are a collection of N addresses held by others, where any M of these addresses can approve an operation.

What privileges do guardians have? For example:

  • For multisig wallets, each transaction must be signed by M of N guardians to proceed.

  • For social recovery wallets, if a user loses their private key, M of N guardians must sign a message to reset the private key.

Guardians can approve your operations. In multisig, this would be any transaction. In social recovery wallets, this would be resetting your account's private key. One of the challenges facing the guardian mechanism today is how to protect users' financial privacy from being invaded by guardians.

(2) ZK Solution: Protecting Users' Financial Privacy from Guardians

Vitalik envisions in this research that guardians protect not your account but a "lockbox" contract, and the link between your account and this lockbox is hidden. This means guardians cannot directly access users' accounts but can only operate through a hidden lockbox contract.

The main role of ZK is to provide a proof system that allows guardians to prove that a statement is true without revealing the specific details of the statement. In this case, guardians can use ZK-SNARK to prove they have the right to perform a certain operation without revealing any details related to "the link between the account and the lockbox."

Exploration: A New Chapter of ZK and Privacy in the Ethereum Ecosystem

Although the Ethereum ZK track is still in the development phase and many innovative ideas and concepts are in the conceptualization and research stage, the Ethereum ecosystem has already embarked on more extensive practical explorations.

(1) Grants by the Ethereum Foundation

In September this year, the Ethereum Foundation funded two privacy protection projects, IoTeX and ZK-Team. IoTex is a zero-knowledge proof-based account abstraction wallet, while ZK-Team is dedicated to enabling organizations to manage team members while maintaining personal privacy.

(2) Investment

In October, Ethereum co-founder Vitalik invested in Nocturne Labs, aiming to introduce private accounts into Ethereum. Users will have 'internal' accounts in Nocturne, where the method of receiving/spending funds is anonymous. Through ZK technology, users can prove they have sufficient funds for transactions like payments and staking.

(3) Conferences and Events

ETHDenver is considered one of the most important global events related to Ethereum and blockchain technology. In March this year, ETHDenver hosted a special event focused on privacy. This event not only highlighted the Ethereum community's concern for privacy issues but also reflected the global blockchain community's emphasis on privacy protection. During this special event, nine themed sessions related to privacy, such as Privacy by Design and Privacy vs Security, were held.

EDCON (Ethereum Community Conference), an annual global conference organized by the Ethereum community, aims to promote the development and innovation of Ethereum and strengthen the connections and cooperation within the Ethereum community. At the EDCON conference in May this year, Vitalik made a significant statement: "In the next 10 years, ZK-SNARKs will be as important as blockchain." This statement emphasizes the critical role of ZK-SNARKs in the future development trends of blockchain technology.

Projects:

Currently, some application-layer projects have begun using ZK technology to provide privacy protection services for users and transactions. These application-layer projects are known as ZK Applications. For example, unyfy, a privacy asset exchange deployed on Ethereum, where the order prices are hidden and the integrity of these hidden price orders is verified by ZK technology. Apart from unyfy, there are other ZK Applications on L2s, such as ZigZag and Loopring. Although these ZK Applications implement privacy protection functions based on ZK, they cannot currently be deployed on Ethereum directly because the EVM cannot run these ZK Applications directly.

Research:

Moreover, researchers have engaged in intense discussions on ZK technology and its applications on the Ethereum Research platform. Among them, a research from ZEROBASE dedicated to using ZK to promote privacy protection at the application layer of Ethereum. This article tested the performance of several different ZK languages, including Circom, Noir, and Halo2, showing that Circom has better performance. The article also proposed a universal solution integrating Circom in Solidity, enabling ZK-based Ethereum application-layer projects. This is significant for Ethereum's transition to privacy. This research gained significant attention in 2023, ranking at the top of the list.

Img

This research has the highest readership on EthResearch in 2023---authored by ZEROBASE

Challenges

Despite the urgent need for many existing Ethereum application-layer projects to introduce ZK-based privacy protection mechanisms, this process faces a series of challenges.

  • Scarcity of ZK Talent Resources: Learning ZK technology requires a solid theoretical foundation, especially in cryptography and mathematics. Due to the complex formulas involved in the implementation of ZK technology, learners also need strong formula interpretation skills. However, the problem is that the group of people focusing on learning ZK technology is relatively small.

  • Limitations of ZK Development Languages: Languages like Rust, Cairo, and Halo2 are used for developing ZK proof circuits, but they are typically only suitable for specific scenarios and not for application-layer projects. Some of these languages (like Cairo) are still in the experimental stage, and compatibility issues may exist between different versions, increasing the difficulty and complexity of adopting them in practical applications.

  • Challenges in Implementing ZK Technology: The solutions proposed by Vitalik to apply ZK technology for Ethereum's privacy protection may face various complex issues in practice, such as how to prevent private transactions from being subject to balance-summing attacks, double-spending attacks, etc. Addressing these issues poses certain technical challenges.

  • Privacy Protection vs. Regulatory Compliance: While private transactions can protect user identity and transaction details, they may also conceal illegal activities, such as money laundering. In the future, whether ZK Applications on Ethereum can achieve privacy protection in regulatory compliance remains to be verified.

Despite these challenges, Ethereum aims to achieve a privacy transformation—ensuring privacy-protected fund transfers and ensuring that all other tools under development (social recovery, identity, reputation) protect privacy—on the premise of widespread deployment of ZK Applications. The aforementioned research by ZEROBASE, based on ZK technology, aims to enhance privacy protection at the Ethereum application layer. Moreover, ZEROBASE first proposed a universal solution integrating Circom and Solidity, applied to Ethereum application-layer projects, implementing ZK proof systems off-chain with Circom and smart contract and ZK verification logic on Ethereum with Solidity. If you need support or have any inquiries, feel free to contact ZEROBASE.

Conclusion and Outlook

In 2023, under the leadership of Vitalik Buterin, the Ethereum community delved deeply into the potential of zero-knowledge proof technology, aiming to enhance the platform's privacy protection capabilities. Although these proposals are still in the research stage, Vitalik's research and papers, especially those about balancing privacy protection with regulatory compliance, have laid the theoretical foundation for zero-knowledge technology in protecting user privacy.

Despite the challenges in integrating zero-knowledge proof technology into Ethereum, with the maturation of the technology and the continuous efforts of the community, ZK proofs are expected to play an increasingly important role in the Ethereum ecosystem in the near future. Therefore, timely participation and active exploration in this field, and leveraging early opportunities, will help to secure a favorable position in this emerging field.