Editor’s Note: Recently, Qtum Quantum Chain launched the 2019 Global Online Privacy Hackathon. We received a lot of questions about the competition — how to integrate Qtum with existing privacy technologies? Which technologies are suitable for porting to Qtum? At what specific points can we develop? By combining Qtum and Zether, this paper hopes to inspire you with more privacy directions.


As is well known, transactions and contracts on a blockchain are transparent, which makes them unsuitable for some business applications. Zether lets a blockchain conduct private transactions through smart contracts, enabling privacy for applications such as on-chain assets, voting and auctions. How can Qtum reduce its Gas cost and add precompiled contracts for it?




Introduction to Zether

In a blockchain network, although a user's address is derived from a randomly generated private key, the mapping between an address and a real-world entity can be leaked by exchanges and merchants, or even recovered by blockchain data-scraping and clustering algorithms. This level of privacy limits use in commercial scenarios.


The craze for privacy coins has seen the rise of public chains with built-in privacy features, including Monero, ZCash, Grin and Beam, which have been widely accepted by users. However, the methods they use require major changes to the blockchain system itself, which are difficult to retrofit onto an existing blockchain.


Benedikt Bünz, a Stanford PhD student (one of the inventors of the Bulletproofs protocol), Stanford professor Dan Boneh, and Visa Research have proposed a privacy protocol based on Ethereum smart contracts: Zether.


The basic idea behind Zether is to use smart contracts to enable private transactions (hiding the amount of a transaction and the balance of an account), and eventually to support auctions, voting and other scenarios. To fit the account-based nature of smart contracts, it introduces mechanisms such as ElGamal encryption, pending transfers and rolling over. To let Zether interoperate with other contracts, it adds lock/unlock operations. In place of plain Bulletproofs, it uses the new Σ-Bullets.


Zether received a lot of attention after it was proposed. JP Morgan is not only using it in its own Quorum blockchain system, but also trying to improve it further.


The initial design document for Zether is located at [1], and the authors have published part of the source code [2]. JP Morgan’s improved documentation is at [3] and the source code is at [4].




The principle of Zether

Existing private transaction methods, such as Confidential Transactions [5] and its derivative MimbleWimble [6], are built on the UTXO model. Zether's main idea is to bring this kind of approach to smart contracts, enabling account-based private transactions. To do so, it makes the following modifications to the existing methods.


UTXO to Account

Implementing UTXOs inside a smart contract would take up a large amount of storage. Therefore, a major task of Zether is to transform the UTXO model of Confidential Transactions into the account model.


ElGamal encryption

Confidential Transactions uses Pedersen commitments to hide the amount of each UTXO. If a peer sends you a UTXO whose Pedersen commitment does not open to the claimed value, it does not affect your use of your other UTXOs.


In the account model, the UTXOs received by each user must be accumulated into a single final balance, which is stored in the contract. If Pedersen commitments were simply added together, an error in any one of them would corrupt the final balance and affect the use of all the funds.


So Zether uses ElGamal encryption, which encrypts the transaction amount under the recipient's public key. The recipient can verify that the encrypted amount is correct before it is added to the balance.
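The following is an added illustration, not code from the Zether paper or from either implementation, of why ElGamal works where summed Pedersen commitments do not. It uses exponential ElGamal over a toy multiplicative group (a small safe prime, chosen here only so the arithmetic is readable; Zether itself works on an elliptic curve). The amount sits in the exponent, so ciphertexts can be multiplied to add balances, the recipient can check that a received ciphertext really encrypts the claimed amount before crediting it, and a sender's debit and the receiver's credit share one randomness, as in Zether's transfer. The account names and the helper functions are assumptions for the demo.

```python
import secrets

# Toy group parameters, constructed for illustration only and far too small to be
# secure: p is a safe prime, q = (p - 1) / 2 is prime, and g = 4 generates the
# subgroup of order q.
P = 1019
Q = 509
G = 4


def keygen():
    """Return (secret x, public y = g^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, amount, r=None):
    """Exponential ElGamal: (C, D) = (g^amount * y^r, g^r).
    The amount is in the exponent, so ciphertexts add homomorphically.
    Negative amounts (debits) are reduced mod q, i.e. g^(-a) = g^(q - a)."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    C = pow(G, amount % Q, P) * pow(y, r, P) % P
    D = pow(G, r, P)
    return C, D


def add(ct1, ct2):
    """Component-wise product of two ciphertexts encrypts the sum of the amounts."""
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P


def _strip(x, ct):
    """Remove the key material: C / D^x = g^amount."""
    C, D = ct
    inv = pow(pow(D, x, P), P - 2, P)  # modular inverse via Fermat's little theorem
    return C * inv % P


def verify_amount(x, ct, claimed):
    """Recipient-side check that a ciphertext really encrypts `claimed`."""
    return _strip(x, ct) == pow(G, claimed % Q, P)


def decrypt(x, ct, max_amount=200):
    """Recover the amount by brute-force discrete log over a bounded range
    (Zether bounds amounts to 32 bits for the same reason)."""
    target = _strip(x, ct)
    for b in range(max_amount + 1):
        if pow(G, b, P) == target:
            return b
    return None


def transfer(y_sender, y_receiver, amount):
    """Sender produces two ciphertexts under one randomness r: -amount for its
    own balance and +amount for the receiver. Zether adds a ZK proof tying them."""
    r = secrets.randbelow(Q - 1) + 1
    return encrypt(y_sender, -amount, r), encrypt(y_receiver, amount, r)


def demo():
    """Alice (hypothetical) receives 5 and 7, then pays Bob 4.
    Returns (alice_balance, bob_balance, malformed_ciphertext_rejected)."""
    xa, ya = keygen()
    xb, yb = keygen()
    alice = encrypt(ya, 0)  # encrypted balances start at Enc(0)
    bob = encrypt(yb, 0)
    for amt in (5, 7):
        ct = encrypt(ya, amt)
        assert verify_amount(xa, ct, amt)  # Alice checks the amount before crediting it
        alice = add(alice, ct)
    debit, credit = transfer(ya, yb, 4)
    alice, bob = add(alice, debit), add(bob, credit)
    # A ciphertext that claims 7 but encrypts 70 is detected instead of
    # silently poisoning the accumulated balance.
    bad = encrypt(ya, 70)
    rejected = not verify_amount(xa, bad, 7)
    return decrypt(xa, alice), decrypt(xb, bob), rejected


if __name__ == "__main__":
    print(demo())  # (8, 4, True)
```

The contrast with Pedersen commitments is the `verify_amount` step: a commitment cannot be opened by the recipient alone, so a bad one can only be detected once the whole sum fails to open, whereas an ElGamal ciphertext can be checked per transfer under the recipient's key.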


Solving the front-running problem

During a transaction it is necessary to prove the range of the transfer amount and of the remaining balance after the transfer. In the account model, however, if you initiate a transaction at the same time that another user sends you one, and theirs is mined before yours, your balance changes and the range proof in your transaction is no longer valid.


Zether therefore proposes the mechanisms of pending transfers and rolling over: transfers a user receives are not added to the balance immediately, but per epoch. In each epoch, the first time you interact with your account, the pending transfers are rolled over into the balance. In other words, only the account's owner can change its balance, so front-running cannot happen.


Replay attack protection

Suppose a user initiates a transaction proving a certain balance. If the same proof were shown again, the transaction would validate again. This is called a replay attack. To prevent it, Zether takes a page from Ethereum and adds a nonce to each account, which increases each time the user initiates a transaction. Every transaction is signed over the current nonce, so no transaction can be replayed.
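As an added simulation (not code from Zether or its implementations) of the two mechanisms above, the account state machine below keeps plaintext balances where Zether would keep ElGamal ciphertexts, and stands in for the range proof with a record of the balance and nonce it was built against, since a real proof verifies only against that state. It shows the pending/roll-over rule defeating a deposit that lands before the sender's own transaction, the nonce rejecting a resubmitted transaction, and, for contrast, a naive account contract where the same deposit invalidates the proof. Epoch length, account names and amounts are constructed values.

```python
from dataclasses import dataclass, field

EPOCH_LENGTH = 4  # blocks per epoch; constructed value for this simulation


class TransferRejected(Exception):
    """Raised where the contract would reject a transaction."""


@dataclass
class Account:
    balance: int = 0                              # spendable balance (Zether: ElGamal ciphertext)
    pending: list = field(default_factory=list)   # (epoch_received, amount) not yet rolled over
    nonce: int = 0                                # bumped on every outgoing transfer


class Ledger:
    def __init__(self, pending_transfers=True):
        # pending_transfers=False models a naive account contract in which an
        # incoming transfer changes the recipient's balance immediately.
        self.pending_transfers = pending_transfers
        self.accounts = {}
        self.height = 0

    def account(self, name):
        return self.accounts.setdefault(name, Account())

    def epoch(self):
        return self.height // EPOCH_LENGTH

    def mine(self, blocks=1):
        self.height += blocks

    def roll_over(self, name):
        """Fold transfers received in earlier epochs into the balance.
        Only the owner's own interaction triggers this."""
        acct = self.account(name)
        now = self.epoch()
        matured = sum(a for e, a in acct.pending if e < now)
        acct.pending = [(e, a) for e, a in acct.pending if e >= now]
        acct.balance += matured

    def credit(self, name, amount):
        """Incoming funds are parked as pending and never touch the balance mid-epoch."""
        acct = self.account(name)
        if self.pending_transfers:
            acct.pending.append((self.epoch(), amount))
        else:
            acct.balance += amount

    def spendable(self, name):
        """Read-only view the sender uses off-chain when building a proof."""
        acct = self.account(name)
        now = self.epoch()
        return acct.balance + sum(a for e, a in acct.pending if e < now)

    def make_proof(self, sender, amount):
        """Stand-in for the ZK range proof: bound to the balance and nonce seen now."""
        return {"amount": amount, "balance": self.spendable(sender),
                "nonce": self.account(sender).nonce}

    def transfer(self, sender, receiver, proof):
        self.roll_over(sender)  # the owner's interaction rolls matured transfers in
        acct = self.account(sender)
        if proof["nonce"] != acct.nonce:
            raise TransferRejected("nonce mismatch: replayed or stale transaction")
        if proof["balance"] != acct.balance:
            raise TransferRejected("proof was built against a different balance")
        if not 0 <= proof["amount"] <= acct.balance:
            raise TransferRejected("amount out of range")
        acct.balance -= proof["amount"]
        acct.nonce += 1
        self.credit(receiver, proof["amount"])


def scenario(pending_transfers=True):
    """Alice builds a transfer proof; Bob's deposit to Alice is mined before it."""
    ledger = Ledger(pending_transfers)
    ledger.credit("alice", 10)
    ledger.mine(EPOCH_LENGTH)              # enter epoch 1 so the 10 has matured
    proof = ledger.make_proof("alice", 3)  # built against a balance of 10
    ledger.credit("alice", 5)              # Bob's deposit lands first
    result = {}
    try:
        ledger.transfer("alice", "carol", proof)
        result["transfer"] = "accepted"
    except TransferRejected as exc:
        result["transfer"] = f"rejected: {exc}"
    try:
        ledger.transfer("alice", "carol", proof)  # same transaction submitted again
        result["replay"] = "accepted"
    except TransferRejected as exc:
        result["replay"] = f"rejected: {exc}"
    ledger.mine(EPOCH_LENGTH)              # next epoch: Bob's 5 becomes spendable
    result["alice_next_epoch"] = ledger.spendable("alice")
    return result


if __name__ == "__main__":
    print("Zether-style account:", scenario(True))
    print("naive account:", scenario(False))
```

With pending transfers on, Alice's transfer of 3 is accepted (her proof still matches a balance of 10), the resubmission fails on the nonce, and Bob's 5 only becomes spendable in the following epoch; with the naive contract the deposit moves her balance to 15 and the same proof is rejected.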


Range proofs

Zether uses Σ-Bullets instead of Bulletproofs. Σ-Bullets combine Bulletproofs with Σ-protocols; they can prove more complex statements, and both proving and verification are more efficient.




Thoughts

Evaluation of Zether


The advantages of Zether are as follows:

1. It is implemented as a smart contract, so there is no need to change the underlying logic of the blockchain.

2. It is a modification of the Confidential Transactions scheme, so it does not require a trusted setup as zkSNARKs do.


The disadvantages of Zether are as follows:

1. High Gas consumption. As shown in the figure, each Transfer requires 7188K Gas, of which 6455K is consumed by elliptic-curve computations.




2. Addresses are not hidden. Unlike MimbleWimble, Zether does not hide users' addresses, so further improvement is required.


There are two more things to consider:

1. Zether has not officially released the implementation described in the paper, so it cannot be fully verified. We can only try to verify JP Morgan's improved algorithm in [4].

2. It is worth considering whether Zether can be simplified to reduce the number of elliptic-curve operations and thus the computing resources consumed by nodes.


Zether & Qtum


Zether cites four main application scenarios: sealed-bid auctions, payment channels, stake voting and privacy-preserving proof-of-stake. The first two are privacy-related business scenarios, which are Qtum's current focus. The latter two improve the privacy of the PoS process and could be applied to improving Qtum's consensus mechanism.


Zether currently consumes too much Gas to be practical on Ethereum. Some Ethereum EIPs [7][8] can reduce its Gas, but implementing these improvements takes a long time. Adding precompiled contracts that implement common privacy primitives would also help Zether. These improvements can be implemented on Qtum.


Future plans


First, Zether's smart contract needs to be run on Qtum to measure its Gas consumption and its true consumption of node computing resources. Second, other smart-contract-based privacy schemes, such as AZTEC [9], need in-depth research. Finally, consider adding privacy solutions based on Qtum's upcoming x86 virtual machine.


Developers interested in privacy are welcome to join the 2019 Qtum Quantum Chain global online privacy hackathon and explore privacy-related solutions together. Core developers of Beam and Grin, representing the MimbleWimble privacy protocol, have been invited to judge the competition and exchange ideas with participants. For more details about the hackathon, please visit the contest website:


https://hackathon.qtum.org/



The official communication channel of the competition

Find teammates here:

https://trello.com/b/g4LHnM5L/2019-qtum-privacy-hackathon-team-formation

Technical Discord:

https://discord.gg/mFFNZhB

Reddit for the contest:

https://www.reddit.com/r/Qtum/

(Hackathon-2019)

* Access may require a VPN




References


[1] https://crypto.stanford.edu/~buenz/papers/zether.pdf

[2] https://github.com/bbuenz/BulletProofLib/tree/master/src/test/java/edu/stanford/cs/crypto/efficientct/zether

[3] https://github.com/jpmorganchase/anonymous-zether/blob/master/docs/AnonZether.pdf

[4] https://github.com/jpmorganchase/anonymous-zether

[5] https://elementsproject.org/features/confidential-transactions

[6] https://github.com/mimblewimble/grin/blob/master/doc/intro.md

[7] https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1108.md

[8] https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1109.md

[9] https://github.com/AztecProtocol/AZTEC/blob/master/AZTEC.pdf