Privacy Pools: Towards Practical Privacy & Compliance with Smart Contracts

Table of Contents

  1. Key Ideas: fundamental concepts behind Privacy Pools, the use of zkSNARKs, the role of associated sets, the separating equilibrium.

  2. Deep Dive into Privacy Pools: thorough walkthrough of how Privacy Pools work, the user's journey from deposit to withdrawal, how zkSNARKs facilitate the protocol.

  3. Differences with Existing Solutions: contrast with Tornado Cash's evolution in privacy protocols; the unique features of Privacy Pools.

  4. Associated Sets Explained: associated sets, their construction, and their utility.

  5. Technical Mechanisms: arbitrary denominations and special cases (re-proofing, bilateral direct proofs, and sequential proofs), showing the flexibility of Privacy Pools.

Overall, I have structured this analysis in a way that progressively introduces you to the overview of Privacy Pools.


Earlier yesterday, Vitalik Buterin, Jacob Illum, Matthias Nadler, Fabian Schär, and Ameen Soleimani shared a new privacy paper exploring the concept of Privacy Pools, a novel smart contract-based privacy-enhancing protocol.

This paper proposes a method for achieving greater privacy while enabling regulatory compliance on public blockchains like Ethereum.

The key ideas:

  • Using zero-knowledge proofs to hide the link between deposits and withdrawals in a privacy protocol like Tornado Cash. This hides a user's transaction graph.

  • Allowing users to create "associated sets" - sets of deposits they claim their withdrawal could have come from. This preserves privacy within the set.

  • Users can prove membership in compliant association sets, e.g. excluding known illicit deposits, without revealing exactly which deposit was theirs.

  • Honest users are incentivized to prove membership in compliant sets, while illicit users cannot. This creates a separating equilibrium.

  • Association sets can be constructed in various ways, e.g. only including KYC'd users or excluding risky deposits. Different sets can satisfy different regulations.

  • Users don't reveal their association sets publicly, only a commitment. Sets are published by providers off-chain.

  • Users can still give direct proofs to counterparties if needed, but this requires trust.

  • For rapid re-spending, users propagate history to show the ultimate origin is compliant.

  • Special access or allowlisting creates centralization risks. The voluntary disclosure model is more flexible.

In summary, it allows for privacy within compliant association sets, avoids tainting between sets, and incentivizes honest behavior - aiming to balance privacy and regulation.

Let's dive into the details.


Privacy Pools are the core mechanism proposed in this paper for achieving privacy while enabling regulatory compliance.

They are a modification of existing privacy protocols (Tornado Cash) that use ZKPs.

  • The key difference is allowing users to specify an "association set" - a set of deposits they claim their withdrawal could be associated with.

  • This set can be arbitrarily large or small to balance privacy and compliance. Users prove set membership with a ZKP.

  • Sets are generated by providers following certain rules, e.g. excluding known illicit deposits. Multiple providers can exist.

  • By proving membership in a compliant set, users can show regulatory compliance without fully revealing their transactions.

Tornado Cash faced regulatory issues because it did not have any built-in way for users to prove the legitimacy of their funds. So, it was essential to find a better equilibrium.

Privacy pools aim to show that with careful protocol design, privacy and regulation can coexist on public blockchains. The proposal tries to steer the conversation in a more constructive direction.

derived from my understanding of how privacy pools would work after reading the paper
  1. Users make deposits into the privacy pool as normal. Each deposit gets a unique secret/coin ID pair.

  2. When making a withdrawal, the user specifies an association set - a set of deposits they claim the withdrawal could be associated with.

  3. The user provides a zkSNARK proof showing:

    1. Their coin ID is in the overall deposit tree.

    2. Their coin ID is also in the association set tree.

  4. The association set tree root is public, but the set members are not revealed.

  5. Association sets are created by providers based on certain rules, e.g. excluding known illicit deposits.

  6. By proving membership in a compliant association set, the user shows regulatory compliance without revealing exactly which deposit was theirs.

  7. If needed, users can give direct proofs to counterparties to reveal the specific deposit. But this requires trust.

  8. For rapid spending, users propagate history to show the ultimate origin is compliant.

  9. Users are incentivized to prove membership in legitimate sets, while illicit users cannot provide this proof.

zkSNARKs for privacy pools

zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge) play a crucial role in enabling privacy pools:

  • They allow users to prove membership in an association set without revealing which specific deposit is theirs.

  • The zkSNARK proof shows the user's coin ID is in the overall deposit tree and their provided association set tree.

  • However the actual mapping between coin IDs and deposits stays hidden.

This preserves privacy within the association set while still allowing the membership proof to be verified publicly.

The core idea of Privacy Pools is this: instead of merely zero-knowledge-proving that their withdrawal is linked to some previously made deposit, a user proves membership in a more restrictive association set.

In Tornado Cash, when making a withdrawal, users submit a zero-knowledge proof that shows:

  • They are spending a valid coin (deposit) that exists in the system

  • The coin has not already been spent

This proves the withdrawal is linked to some previous deposit, without revealing which specific deposit it is.

The core idea in Privacy Pools is to make this more selective and flexible. Instead of proving linkage to the set of all possible previous deposits:

  • Users specify an association set - a subset of deposits they want to claim the withdrawal is associated with.

  • They then prove membership in this more restrictive set, not the full set of deposits.

For example:

  • The association set could be "all deposits from users located in India"

  • Or "all deposits from trusted exchanges"

  • Or "all deposits except those flagged as risky"

By allowing this flexibility, users can selectively disclose some information about the withdrawal's origin while still preserving privacy within the association set.

This is more restrictive than just proving linkage to any previous deposit. But it also enables regulatory compliance, avoiding the problem in Tornado Cash, where funds were completely mixed together.

zkSNARKs provide the zero-knowledge property that allows compliance proofs without full disclosure of a user's transactions.

Difference between Tornado Cash & Privacy Pools

Tornado Cash uses a universal anonymity set, meaning that all deposits and withdrawals are mixed together in one pool.

Privacy Pools uses a customizable anonymity set, meaning that users can choose which deposits and withdrawals they want to mix with based on their preferences and needs.

based on my understanding after going through the paper

Now, what exactly are Association Sets?

To understand the importance and use case of association sets, we need to delve deeper into the problems they solve and how they operate.

Problem Statement:

1. Transparency vs. Privacy: Public blockchains, by design, are transparent. Every transaction is visible to anyone who wishes to see it. This transparency brings trust and security but comes at the cost of privacy.

2. Regulatory Compliance: As crypto gains popularity, regulatory authorities worldwide are increasing scrutiny. They want to ensure funds aren't used for illegal activities like money laundering or financing terrorism. This often requires users to prove the legitimacy of their funds.

3. Complete Anonymity Issues: If users were to anonymize their transactions entirely, it would be challenging to establish trust with counterparties or satisfy regulatory requirements.

--

Imagine a scenario where you need to prove that you've paid your taxes without revealing your exact income. Instead of showing your exact tax return, you present a range (e.g., "$30,000 - $40,000").

The tax authorities can verify you're in compliance without knowing the exact amount you made.

In this analogy, the range is akin to the association set—it offers proof without complete revelation.

--

An association set refers to:

  • A set of deposits that a user claims their withdrawal could be associated with.

  • The user proves their withdrawal is associated with some deposit in the set without revealing which one.

Some properties of association sets:

  • Can be arbitrarily large or small, balancing privacy and compliance.

  • Generated by providers based on specific rules, e.g., excluding known illicit deposits.

  • User proves membership via zkSNARK without revealing their actual deposit.

  • Sets aim to satisfy regulatory requirements, e.g., excluding risky deposits.

  • No need to reveal the entire transaction history, just the association set.

  • This allows users to prove regulatory compliance at a high level, without fully disclosing all their transactions.

Overall, association sets allow a flexible balance between privacy and selective disclosure to show compliance.

There are two main strategies for constructing association sets:

Source: Blockchain Privacy and Regulatory Compliance

Inclusion (Membership):

  • Identify a specific set of "approved" or "low-risk" deposits.

  • For example, deposits from verified users or below a certain value threshold.

  • The association set only includes those approved deposits.

  • Proving membership shows the funds originate from approved sources.

Exclusion:

  • Identify specific high-risk or prohibited deposits.

  • For example, deposits connected to hacks, theft, or sanctioned entities.

  • The association set includes all deposits except those excluded ones.

  • Proving membership shows disconnection from the excluded ones.

This aspect of Privacy Pools refers to how users can prove membership in an association set without revealing their specific deposit information using zero-knowledge proofs.

Let me explain in more detail:

  • When a user wants to make a withdrawal, they first decide on an association set they want to claim membership in.

  • This set is represented as a Merkle tree, where each leaf is the hash of a deposit ID.

  • The user generates a zkSNARK proof that shows:

    1. Their deposit ID is somewhere in the full tree of all deposits.

    2. Their deposit ID is also somewhere in the association set tree.

  • The zkSNARK proof does not reveal WHICH leaf in the association set tree corresponds to their deposit.

  • It only proves that their deposit is somewhere in the association set tree.

  • Verifiers can check the proof is valid without learning the user's specific deposit ID.

  • So the user gets privacy within the set, while verifiers confirm the deposit is somewhere in the set.

  • The association set size bounds the potential deposit space, providing selective disclosure.

zkSNARKs allow users to prove membership without fully revealing their transactions - the essence of how Privacy Pools enables compliance without sacrificing privacy.
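
The dual-membership statement described above, evaluated in the clear, as an added example that is not code from the paper or from any Privacy Pools implementation. SHA-256 stands in for the circuit's hash, the coin IDs and the flagged deposit are constructed sample data, and all function names are hypothetical; in the protocol the coin ID and both Merkle paths stay private inside the zkSNARK and only the two roots are public.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (stand-in for a SNARK-friendly hash)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

EMPTY = h(b"empty-leaf")  # padding leaf, cannot equal a coin-ID leaf

def build_levels(leaves):
    """All tree levels, leaves first, padded to a power of two."""
    level = list(leaves) or [EMPTY]
    while len(level) & (len(level) - 1):
        level.append(EMPTY)
    levels = [level]
    while len(level) > 1:
        level = [h(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def root_from_path(leaf, path):
    """Recompute the root from a leaf and its (sibling, leaf_is_right_child) path."""
    node = leaf
    for sibling, is_right in path:
        node = h(b"node", sibling, node) if is_right else h(b"node", node, sibling)
    return node

class Tree:
    def __init__(self, coin_ids):
        self.leaves = [h(b"leaf", c) for c in coin_ids]
        self.levels = build_levels(self.leaves)
        self.root = self.levels[-1][0]

    def prove(self, coin_id):
        """Merkle path for coin_id; raises ValueError if it is not in the tree."""
        index = self.leaves.index(h(b"leaf", coin_id))
        path = []
        for level in self.levels[:-1]:
            path.append((level[index ^ 1], index & 1))
            index >>= 1
        return path

def asp_exclusion_set(all_coin_ids, flagged):
    """Exclusion strategy: every deposit except the flagged ones."""
    return [c for c in all_coin_ids if c not in flagged]

def withdrawal_statement(coin_id, deposit_path, assoc_path, deposit_root, assoc_root):
    """What the zkSNARK attests; only the two roots would be public inputs."""
    leaf = h(b"leaf", coin_id)
    return (root_from_path(leaf, deposit_path) == deposit_root
            and root_from_path(leaf, assoc_path) == assoc_root)

# Constructed sample data: six deposits, one flagged by the (hypothetical) ASP.
DEPOSITS = [b"coin-%d" % i for i in range(6)]
FLAGGED = {b"coin-3"}
POOL = Tree(DEPOSITS)
ASSOC = Tree(asp_exclusion_set(DEPOSITS, FLAGGED))

def try_withdraw(coin_id):
    """True only if coin_id has valid paths to both the pool and association roots."""
    try:
        assoc_path = ASSOC.prove(coin_id)
    except ValueError:
        return False  # excluded deposit: no path to the association root exists
    return withdrawal_statement(coin_id, POOL.prove(coin_id), assoc_path,
                                POOL.root, ASSOC.root)
```

The nullifier check that prevents double spending is left out; the block covers only the two membership conditions.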

Privacy Pool protocols are very flexible and can be customized to suit a large variety of use cases by creating specific association sets, such as:

Derived from the paper, based on my understanding.

So, in summary, association sets allow privacy within a compliant group, avoiding full public disclosure. Users pick a set that matches their privacy and compliance needs.

In practice, users will not be manually picking and choosing deposits to include in their association set.

It would be infeasible for users to examine all deposits manually and selectively pick which ones to include in their association set. Instead, users will subscribe to ASPs that generate sets programmatically based on specific rules and criteria.

For example, an ASP might:

  • Exclude deposits linked to theft or sanctions to create a "clean" set.

  • Only include deposits from users who passed KYC checks for a "verified" set.

  • Build jurisdiction-specific sets that comply with local regulations.

The ASP handles all the set construction details on the user's behalf. Users simply choose an ASP they trust and use the set(s) it provides. The ASP becomes an intermediary that abstracts away the set building complexity. This allows users to rely on the ASP's expertise in constructing useful, compliant sets.

Derived from the research paper: Blockchain Privacy and Regulatory Compliance

So, in summary, rather than building association sets manually, users will leverage trusted ASPs that provide pre-generated sets with desirable properties. This simplifies compliance for end users.

The paper further analyzes how Privacy Pools could support arbitrary denominations and some special use cases.

research paper: Blockchain Privacy and Regulatory Compliance

Supporting Arbitrary Denominations:

Arbitrary denominations allow for more flexibility than fixed denominations. Instead of transactions occurring in fixed amounts, users can transact in any amount they desire.

Such a system would need mechanisms to handle operations like "splitting" and "merging" of amounts.

Currently, Privacy Pools only supports fixed-denomination coins.

To handle arbitrary amounts, the protocol can adopt a UTXO model like Zcash:

  • Transactions can have multiple coin ID inputs and outputs.

  • Values are encrypted, but input/output sums must balance.

  • Additional proofs are needed to prevent value fabrication.

Withdrawals become "partial spends" of deposits. This breaks the link between deposits and withdrawals.

To track deposit origins, commitments can propagate through transactions:

  • Commit to deposit coin ID + random nonce at each step.

  • Later withdrawals can omit early history that's added to the association set.

Merging coins can help prevent linking attacks. Users merge loose change before withdrawing.

Let me summarize the key points:

Zcash handles arbitrary amounts using a UTXO model with multiple inputs and outputs per transaction. Values are encrypted but input/output sums must balance.

Withdrawals become "partial spends" of deposits. This breaks the link between specific deposits and withdrawals.

To track deposit origins through partial spends, commitments can propagate through transactions:

  • Each transaction commits to original deposit coin ID + random nonce

  • ZK proof shows commitment matches parent transaction's

  • Withdrawals prove commitment is in their association set

Allowing coin merging helps privacy - users can merge loose change before withdrawing to prevent linking based on amounts.

Simply treating withdrawals as outputs and change as inputs (as in Zcash) is problematic - the "source" appears to be the prior change output, rather than the original deposit.

Propagating commitments fixes this by explicitly passing the original deposit ID through partial spend transactions.

Now each withdrawal can prove membership of the actual initial deposit, even through multiple partial spends.
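
A sketch of that commitment propagation through two partial spends, as an added example that is not code from the paper. The relations are checked in the clear where the protocol would use zero-knowledge proofs, value encryption and balance proofs are left out, and the names, the SHA-256 commitment and the 32-byte coin IDs are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

def commit(origin: bytes, nonce: bytes) -> bytes:
    """Commitment to the original deposit coin ID, blinded by a 32-byte nonce."""
    return hashlib.sha256(b"origin-commit" + origin + nonce).digest()

@dataclass(frozen=True)
class Note:
    value: int
    origin: bytes  # private: coin ID of the original deposit
    nonce: bytes   # private: fresh randomness for this note

    @property
    def commitment(self) -> bytes:  # the only part that is published
        return commit(self.origin, self.nonce)

def new_deposit(value: int, coin_id: bytes) -> Note:
    return Note(value, coin_id, secrets.token_bytes(32))

def partial_spend(parent: Note, amount: int):
    """Split parent into (withdrawn, change); both re-commit to parent's origin."""
    if not 0 < amount < parent.value:
        raise ValueError("amount must be positive and leave change")
    fresh = lambda v: Note(v, parent.origin, secrets.token_bytes(32))
    return fresh(amount), fresh(parent.value - amount)

def link_relation(parent_c, child_c, origin, parent_nonce, child_nonce) -> bool:
    """Per-transaction statement: both commitments open to the same origin."""
    return (commit(origin, parent_nonce) == parent_c
            and commit(origin, child_nonce) == child_c)

def withdrawal_relation(note_c, origin, nonce, association_set) -> bool:
    """Withdrawal statement: the committed origin is in the association set."""
    return commit(origin, nonce) == note_c and origin in association_set

def spend_chain(coin_id: bytes, deposit_value: int, amounts):
    """Deposit, then spend each amount from the running change; return all steps."""
    change = new_deposit(deposit_value, coin_id)
    steps = []
    for amount in amounts:
        parent = change
        withdrawn, change = partial_spend(parent, amount)
        steps.append((parent, withdrawn, change))
    return steps

# Constructed 32-byte coin IDs; the association set holds only the clean one.
CLEAN, FLAGGED = b"\x01" * 32, b"\x02" * 32
ASSOCIATION_SET = {CLEAN}
```

Each note's published commitment differs from its parent's because of the fresh nonce, yet the second withdrawal still opens to the original deposit ID rather than to the intermediate change output.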

Special Cases

Re-proofing: The Privacy Pools protocol allows users to generate a new proof against an updated version of the initial association set, provided they keep their secret information.

  • If I want to withdraw and publish a membership proof, I can later generate a new proof against an updated association set using my secret withdrawal data.

  • This gives flexibility if sets change. However, storing secrets long-term has risks.

Bilateral Direct Proofs: The Privacy Pools protocol supports bilateral direct proofs, which allow a user to disclose the precise origin of their withdrawal to another party without revealing the entire set of deposits.

  • I can selectively disclose my specific deposit to a counterparty by creating a one-member association set.

  • More advanced option: Zero-knowledge proof of:

    • Membership in association set, OR

    • "I am the counterparty", OR

    • A timestamp showing the proof wasn't created too long ago.

  • This limits the potential for misuse of the proof.

Sequential Proofs: Privacy Pools protocol supports sequential proofs by allowing users to generate a new proof against an updated version of the initial association set.

  • Internal send transactions are added to enable rapid re-spending.

  • Senders propagate history to recipients to prove ultimate origin is compliant.

  • Older history can be omitted once it's added to the association set by the ASP.

In summary, supporting arbitrary amounts involves additional proofs and commitments. Special cases like re-proofing, bilateral disclosure, and sequential proofs can be enabled by modifying core protocol mechanics.

Privacy Pools protocol is a flexible and customizable privacy-enhancing protocol that can support arbitrary denominations and various special cases like re-proofing, bilateral direct proofs, and sequential proofs.

By using a Merkle tree to store the deposits and allowing users to generate zero-knowledge proofs, this protocol could create a separating equilibrium between honest and dishonest users while also enabling regulatory compliance without revealing entire transaction histories.

Furthermore, the proposal mentions that there are two key incentives that are expected to drive the adoption of Privacy Pools by honest users:

The desire for privacy

  • Public blockchains reveal all transaction details. This damages user privacy.

  • Privacy Pools hides transaction graphs and specifics, enhancing privacy.

  • Users are motivated to use it to keep their financial transactions private.

The desire to avoid suspicion

  • Illicit activity on transparent blockchains raises suspicion and causes blacklisting issues.

  • Privacy Pools allow users to prove they aren't associated with illicit funds.

  • Honest users are incentivized to leverage this to avoid being suspected of wrongdoing or having their funds frozen.

  • Participation in the system demonstrates you aren't trying to hide illicit activity.

The incentives are aligned for mass adoption - both privacy seekers and regulatory compliers benefit from using Privacy Pools.

Thoughts

So, think of Privacy Pools as the perfect blend of keeping things private while still playing by the rules on public blockchains.

(for noobs) It's like they've taken some really smart crypto tech and combined it with practical design to give users an awesome experience. You get to keep your business to yourself and still show that you're on the right side of the law.

And as more people jump on the blockchain bandwagon, Privacy Pools is set to play a big role in making sure everything's safe, private, and above board for everyone involved. Cool, right?


Sources

  1. Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium
