A Deep Dive into AZTEC Protocol: Providing Privacy on the Ethereum Network
Privacy concerns have become major topics in the cryptocurrency community in recent times. These concerns have led to an increase in the popularity, usage, as well as the value of the leading privacy-centric digital currencies. In the same grain, the developer community has been consumed with introducing features that support confidential transactions in the prominent cryptocurrencies such as bitcoin and ether.
To this end, a group of developers operating under the name AZTEC, have published a paper describing a new protocol through which it is possible to keep hidden the amounts involved in a transaction. Moreover, the AZTEC protocol is not just a theory on a white paper; the developers have already built a working implementation of the protocol on the Ethereum network.
What Is the AZTEC Protocol?
The majority of privacy-centric cryptocurrencies utilize a form of zk-SNARKs. Initially created by the Zcash project, zk-SNARKs are a privacy-focused zero-knowledge cryptographic authentication method. Following the successful implementation of the protocol on the Zcash network, a number of blockchain projects have gone on to include the protocol in their underlying code to gain the privacy benefits.
As a result of the successful implementation of zk-SNARKs, it was expected that the application of privacy-centric features on the Ethereum network would come as a result of the Zcash-originated protocol. However, the AZTEC protocol is not a zk-SNARK.
While it has similarities to its privacy-supporting predecessor, it also has significant differences that make it better suited for the Ethereum network.
As is described in the project’s white paper, AZTEC is an acronym for the protocol designed by the project developers. It stands for Anonymous Zero-Knowledge Transactions with Efficient Communication and describes an intertwined system of zero-knowledge proofs. These proofs define the pathway that is mindful of privacy and supports confidential transactions.
It is important to note that, while the Ethereum network is the first blockchain where the protocol has gone live, the AZTEC protocol is designed for use within all blockchain protocols that support Turing-complete general-purpose computation. Turing completeness is a mathematical feature, named after its inventor Alan Turing, which describes the ability of a machine, whether physical or virtual, to compute any problem given enough resources. This feature helps a machine to support complex computations. In addition to Ethereum, Chinese smart contract platform NEO is also considered to be Turing complete.
The protocol supports the holding and transferring of data through the AZTEC note. The AZTEC note is defined as an “encrypted representation of abstract value,” and is created as a result of the commitment function utilized in the protocol. Contained in the note is “a tuple of elliptic curve commitments and three scalars: a viewing key, a spending key, and a message.”
Moreover, the components of the AZTEC note are further segregated into public and private elements. The public information included in a note is an AZTEC commitment as well as the address of the note’s owner. Commitments refer to the encrypted representation of how much “value” the note holds. To further clarify, the AZTEC note reveals that the address in question holds a hidden value. However, the observer is unable to verify how much of the total value that is hidden.
The AZTEC note keeps the value held in the note hidden. This is part of the private information. Additionally, the AZTEC note also holds the viewing key as part of the hidden data. The viewing key is an essential aspect because it is necessary to successfully decrypt the note and determining the value of the currency held within the note.
It is important to mention, however, that the viewing key does not allow the user to spend the tokens held in the note. Spending the tokens held in the note is dependent on the specific considerations outlined by the underlying code of the token. The AZTEC protocol provides a general outline governing the spending of the note. Knowledge of the viewing key is employed to create zero-knowledge proofs. In turn, these proofs are then signed by the spending key, which is inherent to the token’s network and is not part of the AZTEC protocol.
Moreover, the ratios or proportions that determine how much the value held in the AZTEC note are determined by the specific tokens software. The white paper explains:
“How this abstract representation maps to real quantities is a higher-level detail of digital assets that utilize the protocol.”
To spend the note, the AZTEC protocol employs a join-split style confidential transaction. The owner of the note commits unspent AZTEC notes to destruction. This is similar to the burn function utilized in a number of digital currencies. However, in place of the destroyed notes, new AZTEC notes are created. The value of the new notes must be equal to the value of the destroyed note, plus a public commitment.
In blockchains that do not support private transactions, a balance registry is typically used to store and prove the ownership of tokens or units of value. In balance registries, a wallet address is denoted as the identity which owns the balance held in the wallet. However, In the AZTEC protocol, this is replaced with a note registry. The note registry works similarly to traditional balance registries, except that an observer is unable to establish how much value is held by a note. It is important to keep in mind that each digital asset that utilizes the AZTEC protocol will have its own unique note registry.
How Do AZTEC Spends Work?
To demonstrate how AZTEC notes work, consider a scenario in which X is in possession of AZTEC notes with a total value of 100 tokens. X wants to transfer 40 tokens to Y and keep the rest. He would then destroy the notes she has been sent and in their place create new AZTEC notes. X would then specify that some notes, whose total value equals 40, are owned by Y. The value transferred to Y can be represented by a single AZTEC note or as many as the parties involved deem fit. The new AZTEC notes would also consist of notes, whose total value would be 60 tokens, that would remain under the possession of X.
As a result of the interaction, X creates an AZTEC zero-knowledge proof which proves the relationship between him and Y in zero-knowledge. This means that X does not reveal the value of the notes, only showing that the balancing relationship holds. The smart contract which controls the ownership and transfer of AZTEC tokens validates this zero-knowledge proof. Once the smart contract determines the zero-knowledge proof to be authentic and accepts the transaction, then it destroys X’s input notes and creates the output notes, composed of new notes owned by both X and Y in the note registry.
X also constructs the viewing keys connected to Y’s notes, simultaneously, as he creates the new AZTEC notes. Y is then able to identify the keys through a non-interactive secret-sharing feature inherent to the AZTEC protocol. At this juncture, Y must trust that X will act honestly and create viewing keys that are effective.
In this regard, acting honestly refers to creating viewing keys that are not easily decodable. However, the code of conduct in this scenario is also implicit seeing as there would be no point in undertaking the AZTEC protocol if the parties did not want to participate in a confidential transaction. They could simply use the underlying blockchain network as is and expose the transaction values.
The AZTEC protocol is a set of features and commitments which show how join-split transactions can be constructed, as well as, validated in zero-knowledge. It validates the legitimacy of a join-split transaction using a combination of homomorphic arithmetic and range proofs.
The AZTEC protocol relies on an algebraic zero-knowledge proof which employs Boneh-Boyen signatures. These signatures are in turn used to create a commitment scheme with a highly efficient range proof embedded into each commitment. The white paper explains:
“The protocol utilizes a commitment scheme that enables the efficient verification of range proofs. This is combined with a set of zero-knowledge Sigma protocols to enable efficiently verifiable confidential transactions.”
While the AZTEC protocol is undoubtedly highly innovative and well-designed, some considerations must be understood to utilize it most effectively.
The AZTEC protocol takes public information and changes it to restricted data. Any protocol that works in this manner will reveal information at the entry and exit points of the cryptosystem in which it is being utilized. In a Medium post, the developers explain:
“If you’re adding tokens into note form, an observer will know that the value of the output notes is at least the amount you’ve converted. Similarly, after redeeming v tokens, an observer will know that the remaining AZTEC notes are worth v less than the input notes.”
Due to this, the AZTEC protocol is most effective if users make use of their ability to create notes with no value. Zero-value notes are important because they make it difficult for an observer to calculate how much value is held in each note. For instance, if I want to change all the value held in my AZTEC notes back into their native cryptographic form, then it would be best for my transactional privacy to create additional AZTEC notes with no value so that it looks like my address still holds value in an encrypted amount. In this way, an observer is not able to gather any useful information.
Furthermore, the AZTEC protocol supports the use of Monero-style wallets designed for single use. The use of these stealth addresses further maximizes the privacy features of the AZTEC protocol, making it difficult for an observer to ascertain the identity of the address’ owner.
Also, the AZTEC protocol relies heavily on elliptic-curve cryptography. The major drawback of this method is that it requires a database of elliptic curve points to be created beforehand. The database is needed to construct proofs but not to verify them. The database is accessed through a private key. Sometimes called toxic waste, this key can be used to attack a network and perform double spends. Therefore, conventional wisdom is to destroy this private key upon its creation.
To prevent any eventualities, the AZTEC team has developed a scalable multi-party computation protocol, which allows anybody to engage in the trusted setup process. In this way, the private key is not held by a single party and can only be reconstructed by combining every participant’s portion of it. However, this action needs all the participant’s portions; thus if just one person destroys their toxic waste, then the network is secure.
Live on the Ethereum Mainnet
To demonstrate the validity of the AZTEC protocol, the developers launched it on the Ethereum mainnet on December 1, 2018. Using the DAI, a stablecoin pegged to the dollar created by Ethereum-based project Maker DAO; developers were able to transfer DAI in a confidential transaction.
In this transaction, an Ethereum address belonging to an AZTEC developer, named zac.creditmint.eth became the owner of DAI tokens. However, the number of DAI is not visible to the general public. The DAI balance is encrypted and represented in the form of AZTEC notes. To provide further proof, the developer then transferred some DAI to another party in this transaction. Similarly, an observer is unable to decipher how much the recipient is acquiring in the transaction.
As it stands, the confidential transactions created by AZTEC zero-knowledge proofs cost approximately 900,000 gas to verify on the Ethereum mainnet. This is the total cost of such a transaction. To provide context, sending tokens in a normal transaction will typically require 50,000 gas to 100,000 gas.
While confidential transactions prescribed by the AZTEC protocol are more pricey than their counterparts, the developers are confident that these costs are likely to go down in the future. Aztec developers believe that the implementation of proposed system upgrades, namely the EIP-1108, will result in the gas costs of the AZTEC confidential transactions to about 200,000 to 300,000 GWEI.
While it is relatively early, the AZTEC protocol is extremely promising. If it can scale well, then its developers have succeeded in ushering the cryptocurrency sector into a new age where transactional privacy will be the norm, not the exception.