The story of an on-chain rich man looking for "privacy" (Mixer article)
Ambi (SECBIT) Lab
2019-12-20 07:59
This article is about 6,898 characters; reading the full text takes about 28 minutes.
An article exposed me completely. Can zero-knowledge proofs save me?!


Someone recently said that whoever masters blockchain technology masters wealth.

Well, let me come clean: I am one such "rich man on the chain".

At the end of October, I saw myself in my favorite official account, "Orange Book 📙", but I was not happy about it, and I even felt a chill down my back. An article by Bowen, "The On-Chain Life of the Top 10 DeFi Majors", completely exposed me.

I'm portrayed as a big shot. I don't like this word; in my dictionary it's a synonym for nouveau riche. I solemnly declare that I am not a rich man, but a "rich man on the chain".

What's worse, my every move was analyzed and recorded by others. In front of the blockchain everyone is equal, and the rich on the chain really have no face left. Anyone can see how I got rich and what I'm doing now. And this was only a very simple doxxing analysis; combined with more advanced tools, I believe more in-depth exposé articles will be published soon.

Face is a small matter; the key is that it makes me feel very insecure. The last time I had a similar feeling was with The DAO. I don't want to mention it; it was truly a roller-coaster experience.

This insecurity about "privacy" is also understandable. Although Ethereum, and blockchains in general, are usually considered anonymous, they actually only provide pseudonymity, not real privacy protection. The transaction records of an account address are stored permanently and publicly, and anyone can extract a lot of valuable information from this data. This is very different from a traditional Alipay or bank card account (Satoshi Has No Clothes).

For example, as a "rich person on the chain", I dare not use my account at the supermarket to buy a bottle of soda. As soon as the transaction is sent, the other party may immediately learn all my previously used addresses and my total assets (for fear of being robbed).

For another example, I dare not use my account to shop online, because all the consumption history will be seen by the whole network (for fear of being hacked).

This lack of "privacy" on the chain obviously also hinders blockchain adoption, leaving the chain unable to interact with the real world at scale. The so-called "putting assets on chain" has become empty talk. What kind of asset would be willing to live on such a chain?

Hey, Ethereum, this platform that I love and hate. There were moments when I even wanted to sell.

My drinking buddy Cong told me that I have to keep a low profile; his Wang family has never been willing to touch the blockchain.

Not on impulse, but out of conviction, I decided to find a sense of security by myself.

Mr 4242 is a very low-key user who pays attention to privacy and does not want others to track him through on-chain data.

The "Orange Book 📙" article mentions that user Mr 4242 "has used Coin Mixer and it is difficult to track previous transaction records".

I understand what a Mixer (commonly known as a "coin mixer") is, and the principle can be explained in one sentence: mix your own assets with those of many other people, then transfer them to a new address, thereby erasing the direct connection with the original address.

For example, Brother Cong, Brother Jia, and Brother Luo all transferred 100 yuan to me, and then transferred it to the other three people through me. Then, other people will not be able to tell who wants to transfer money to whom based on the transfer records, and the new three people have no direct connection with the original three brothers. "I" plays the role of a Mixer in this example.

The well-known Monero, CoinJoin, and Mimblewimble are all based on this extremely simple logic to achieve privacy protection for transfers.

Now that the Mixer technique seems to make sense, I'll start by searching for the keyword "Ethereum Mixer" to see if there are any usable products 👇.

There are not many search results. The top two websites are quite polished, with all kinds of introductions and guarantees. The fatal problem is that they are centralized services, which of course we will not use.

Regarding the issue of centralized Mixer, let me continue to use the previous example to illustrate:

  • The three brothers Cong, Jia, and Luo all transferred money to me, and I could simply embezzle the money

  • I actually know each of their true transfer intentions and could sell that information

So no matter how these Mixers advertise themselves, using them will not only fail to achieve the purpose, but also risk losing all of the principal. They are all Mixers that require asset custody. As the old saying goes: they may be after your principal!

In the blockchain world, in the face of asset security, we have to assume that all "centralized third parties" are evil😈 and will run away, and then carefully consider whether our assets are willing to bear this risk.

It is not difficult to imagine that in this scenario a smart contract can perfectly replace the centralized website and become a third party that does not need to be trusted. So I turned my attention to smart contracts. There are quite a lot of privacy solutions and projects. In order to focus, I first set a clear enough small goal: to find a usable, decentralized Mixer based on smart contracts.

Soon, I found a very valuable information👇.

https://github.com/

This is a survey report funded by Moloch DAO 👹, a pioneer in decentralized autonomous organizations, and Trent Van Epps summarizes the current status of the Mixer project in the Ethereum ecosystem as of 2019. If you want to learn more about Mixer's historical background and latest developments like me, this is a must-read.

As we all know, Ethereum, like most blockchain projects, has a public ledger (Satoshi Has No Clothes Again). This means that almost every transaction can be traced, with a transaction initiator and a recipient. I say "almost" because there is one exception: mining rewards can be considered "clean" and untraceable. But obviously, in today's Ethereum, it is difficult for ordinary people to participate in mining directly and collect rewards, so this only opportunity to obtain clean assets effectively does not exist.

A lot of useful information can be unearthed along the transaction chain. No matter how many addresses you have, as long as these addresses are related to each other, they can theoretically be discovered through analysis. Therefore, there is almost no privacy on the chain. An ordinary payment and an address exposure may make all the behaviors on your chain nowhere to hide.

In view of this background, Mixer technology is particularly important, which can protect privacy on the chain to a certain extent.

The above report lists all well-known Mixer projects in great detail👇.

Like a treasure, I decided to find the right product from this list.

There are actually quite a few Mixer projects. They can be considered to fall into two types: one based on zero-knowledge proof technology (mainly zk-SNARKs), and the other based on ring signature technology.

Soon, I found that many project authors had abandoned their projects. This makes things easier for me: I only need to focus on those that are still actively developed and have an actual product to try.

These are the four open source Mixer projects that I initially think are more reliable.

In fact, it is not difficult to find that almost all Mixer projects that are still actively developed have chosen the zero-knowledge proof technology.

As Guo Yu from Ambi Lab said:

Zero-knowledge proof is a key technology to connect on-chain data and off-chain computing, and it is also an important way to realize on-chain data privacy protection.

For a primer, see the earlier article "First Understanding of "Zero Knowledge" and "Proof"" 👇.

MicroMix, formerly known as Semaphore Mixer, was developed by a team including Barry Whitehat, Kobi, Wei Jie and other well-known figures in the Ethereum community. It is an extension of Semaphore (a zero-knowledge anonymous signaling system). MicroMix uses the zk-SNARKs scheme and has been deployed on the Kovan test network. The currently supported amount is 0.1 ETH or 20 DAI.

Hopper is a mobile-first/friendly Mixer developed by the Argent Wallet team based on HarryR's ethsnarks-miximus. Hopper is currently the only Mixer with a mobile client, but it only supports iOS for now. Hopper utilizes zk-SNARKs and has been deployed to the Ethereum mainnet and Ropsten testnet. It is a pity that the client cannot be installed conveniently at present, and can only be compiled and installed by the user. Perhaps because the installation process is not friendly enough, Hopper’s Mixer contracts on the Ethereum mainnet and testnet have not had any transactions in recent months. Therefore, the current iOS version is more like a POC product, and its core significance lies in broadening the types of Mixer clients. From another point of view, the scope and anonymity of mobile clients may be slightly inferior to desktop applications. The good news is that MolochDAO 👹 is currently funding another team, BlockX, to develop a Web UI for Hopper. Hopper's ultimate goal is to have as many client supports as possible, thereby expanding the number of Mixer participants.

Tornado Mixer, developed by the Peppersec team, is also based on zero-knowledge proofs, using zk-SNARKs technology, and has been deployed on both the main network and the Kovan test network. Peppersec itself is a security consulting company. The project was independently developed by the team, and then received two grants from MolochDAO 👹. The current supported amount is 0.1 ETH, and a larger amount will be opened later. The Tornado team is very active in development and has recently completed a third-party security audit of circuit code and smart contracts. This may be the first Mixer project to complete a full external security audit.

It is worth mentioning that during the development of Mixer, the Tornado team also discovered a "double spend vulnerability" that affects many zero-knowledge proof projects (including many Mixers). For specific discussions, please refer to the previous analysis article of Ambi Lab 👇.

https://sec-bit.github.io/blog/

Heiswap (black swap) was developed by Kendrick Tan. It is the only Mixer among the four based on ring signature and stealth address technology. These two technologies are a key part of the CryptoNote protocol and an important reason why Monero can achieve anonymity. Kendrick Tan believes that borrowing from mature technologies and products instead of using the latest technologies (such as zk-SNARKs), sometimes can get twice the result with half the effort. Heiswap is currently live on the Ropsten testnet, supporting an optional amount up to 64 ETH.

After carefully studying the design and implementation of the above projects, it is not difficult to see that the core ideas of smart contract Mixers are very similar. By mixing the same amount of funds from multiple people into the same smart contract, an anonymity set is constructed; then a proof is provided that there is a sum of funds in the contract that has not yet been withdrawn, and after verification the contract transfers it to the new withdrawal address. By introducing an anonymity set, the direct connection between the originator of the original transfer and the payee is erased. The smart contract is responsible for saving the users' deposit records, verifying whether a user has actually deposited in the contract, and verifying whether a certain deposit has already been withdrawn.

The principle is similar, and the focus and technical route of each project are slightly different.

Zero-knowledge proof technology enables the prover to prove a proposition to the verifier without revealing knowledge (secret). Corresponding to Mixer is to prove that the user has deposited an asset (ownership) in the smart contract and has never been withdrawn, and the best thing is that the proof process will not reveal which asset it is. This makes zero-knowledge proof technology inherently suitable for Mixer.

Projects based on zero-knowledge proof technology all rely on a Merkle Tree to store commitments (user deposit records). Therefore the choice and implementation of the Merkle Tree algorithm, the number of tree levels, and the choice of hash algorithm all affect the upper limit and performance of the Mixer: the maximum number of deposits, the number of constraints in the circuit, the off-chain proof generation time, and the on-chain gas consumption. There are also different options for writing the zk-SNARKs circuit code. Developers choose the technology stack that suits their needs in terms of performance, writing difficulty, and cross-platform support. For example, both MicroMix and Tornado chose the Circom circuit language and snarkjs (a zk-SNARKs JavaScript implementation), which have the advantage of low development and maintenance costs and are especially suitable for Web applications; Hopper chose ethsnarks, built on the more mature libsnark, which has better performance and is more easily ported to other platforms. In addition, the SNARKs scheme requires a trusted setup, which increases the cost of formally launching such a Mixer.

Projects based on ring signature technology can be considered to adopt more mature cryptographic schemes; they do not need a trusted setup, and generating the proof (that is, the signature) takes much less time. The downside is that the on-chain verification cost is proportional to the number of users in the anonymity set. In addition, the size of the anonymity set depends on the configured ring size, and for the sake of user experience it is usually smaller than the anonymity set in a SNARKs scheme.

The core principles of Mixer are similar, and the implementation is not too complicated. From a technical perspective, it has reached the critical point of formal productization. But why is there no large-scale application for a long time? In fact, Ethereum's decentralized Mixer also faces common problems.

The first problem is the currently low community participation. A key factor that determines the effectiveness of a Mixer is the size of the anonymity set: the more people participate, the better the protection.

As Vitalik said, the anonymity set will always be much smaller than expected, which eventually makes the privacy model unreliable. Only when more and more people understand the privacy issues on the blockchain and realize that a Mixer is a simple and feasible solution can the number of Mixer participants increase and the Mixer become more and more secure.

If your privacy model has a medium anonymity set, it really has a small anonymity set. If your privacy model has a small anonymity set, it has an anonymity set of 1. Only global anonymity sets (eg. as done with ZK-SNARKs) are truly robustly secure.

The second problem is also determined by the characteristics of Mixer, that is, it can only handle assets with a fixed amount, and it is foreseeable that this amount will be difficult to increase significantly for a long period of time. Currently, Mixer on Ethereum can hide the transfer path, but cannot hide the transfer amount. However, if the amount of interaction with Mixer can be customized by the user, too much information will be exposed to the outside world, which can easily be used for analysis. For example, if a user transfers 1.71158 Ether to Mixer, and after a while someone withdraws the same amount from the Mixer contract, it is easy to see the original transfer intention.

Although a Mixer contract can easily support any number of fixed denominations, considering the size of the anonymity set, Mixer operators usually only open the options with the largest number of users. So before Mixer products are popular at scale, only a small denomination will be opened for trial operation (this is not necessarily a bad thing :P).

The third problem is that the use of Mixer has a higher threshold than ordinary transfers. Ordinary users still have a lot of new concepts to learn from choosing a Mixer product that suits them to being able to use it safely. It is more important to note that it is not possible to fully protect the privacy of transfers by using Mixer. For example, a user transfers a sum directly to Mixer, and then withdraws directly using the new address two minutes later. If the Mixer contract happens to be called by no one else during this period, it can be easily identified.

Several major Mixers emphasize this point on their pages to remind users to avoid it. The details of how they handle it also reveal the differences in the thinking behind each product.

For example, Tornado is more geeky: it directly displays the current size of the anonymity set and the times of the last few transfers.

MicroMix is more considerate. By default it requires users to wait until at least the following midnight before withdrawing. There is a countdown on the page reminding users to keep the page open, and it automatically prompts the user when the time is up.

This handling by MicroMix can also mitigate the "anonymity set masquerade attack", in which the Mixer appears to have been used by different addresses in the recent period but the actual controller is the same person. In this attack mode, although the anonymity set looks relatively large to external observers, it is still small from the attacker's point of view, which greatly helps the attacker perform data correlation analysis.

The fourth problem concerns the Relayer, a core role in a Mixer. Since interacting with the contract must consume gas, and the user should normally use a brand-new address when withdrawing from the Mixer, where the gas for this address comes from becomes a problem. The Relayer is introduced to solve this "chicken and egg" problem: the Relayer pays the gas fee to call the contract on the user's behalf and receives a certain reward in return. The user sends the proof to the Relayer, and the Relayer is responsible for sending the transaction. During this process, the user's IP and new payment address may be exposed to the Relayer (users need to take care to hide themselves). At present, each Mixer product is trying different Relayer schemes to reduce dependence on a single Relayer, and is trying to develop towards a Relayer ecosystem.

It can be seen that for small-amount scenarios, Mixer technology is relatively mature, but there are also many difficulties.

Although many technical teams have conducted POC, there are not many projects that have actually been put into operation, and the community attention is not enough.

However, it's good to see that projects like Tornado and MicroMix are working hard and continuing to polish their products. Ethereum will not provide privacy protection at the base layer in the short term (which lets Mr. Sun's Tron "lead" once again), and a Mixer, as the most direct and effective solution for improving on-chain privacy, can only unleash its true power if more people are attracted to participate. Seeing is believing, so why not experience it yourself?

By the way, when it comes to Mixer, don’t forget that there are two other important issues: one is the asset compliance issue of the location, and the other is that technology is a double-edged sword, which can be used to protect oneself or be used to harm others.

👆 Source of the picture above: https://blog.chainalysis.com/

Spiritually, as a "rich person on the chain", I still really hope to see more privacy protection features in Ethereum itself, so that we can use various DeFi and DApp painlessly without worrying about privacy security issues. With the activation of several important proposals such as EIP-152, EIP-1108, EIP-1344, and EIP-2028 in the upgrade of Ethereum Istanbul, we should see more privacy projects based on zero-knowledge proof technology go online in the near future. You can even look forward to seeing the interoperability between Ethereum and ZCash. You must know that Mixer is only a testing ground for zero-knowledge proofs, and the true power of zero-knowledge proof technology is far from being brought into play. We might as well look forward, search together, and explore together.

(PS: Not only that, the zero-knowledge proof also brings new hope to the expansion of Ethereum. I can’t help but sigh: Zero-knowledge proof saves Ethereum, ZKP saves the world.)

This may be a critical first step. First, protect the privacy of the blockchain (Ethereum) itself, and then talk about using blockchain technology to solve the problems of data leakage and privacy protection in the traditional world.

This series is purely fictitious, and any similarities are made up.

Title picture: Richard testifying on US Congress, Silicon Valley S06E01

The author of this article is p0n1, and the article was first published on the WeChat official account of Ambi Lab (id: secbitlabs).