Examples used in this blog are simplified to help make technical concepts more understandable to our audiences. Therefore, please embrace them with an open mind.
Five o’clock in the morning.
Annoyingly loud police siren in front of the house.
Jack woke up and could not understand what was happening. Everything was like a real-life nightmare.
He was dragged out and treated as a criminal.
Totally helpless. He was innocent, but then how could his age, his date of birth and even his bank account number all coincide with those of the criminal, as if somebody else had lived his life?
A stolen life.
Jack’s privacy has been severely violated, and now he is facing imprisonment for the rest of his life. Surprisingly, just days before the verdict is brought in, the jury receives an anonymous letter saying that Jack is not the true criminal and that the writer knows where the true criminal is but cannot reveal the name directly in the letter. If the jury and the letter’s writer arranged a private meeting, it would be difficult to make sure that they did not collude to accuse another innocent person of the crime.
Then how can the anonymous writer secretly reveal the true identity of the criminal to the jury in a more transparent manner?
Transparency can be ensured by a blockchain, and privacy can be provided through some more specific mechanisms built on top of it.
In this blog, we will introduce our readers to the mechanisms currently being used by some blockchain platforms to ensure the privacy of users in their networks.
Trusted Execution Environments (TEEs)
In a Trusted Execution Environment (TEE), code and data are run in an isolated region of the processor, protecting them from other software on the machine and from outside actors. For a blockchain, this means that validators cannot inspect the data while it is being computed on. Secret Network and Oasis Network are blockchain platforms that use this technology, specifically Intel’s SGX (Software Guard Extensions), which provides a TEE for sensitive data.
Therefore, if the anonymous writer contacted the jury to reveal information about the real culprit through such a blockchain platform, he would not need to worry much about the authenticity of the letter’s content or about leakage of the information, as it is protected within the TEE. The public could also rest assured that neither party, the writer nor the jury, colluded to blame anyone else for the crime.
However, TEEs still have issues. SGX’s trust model assumes that only the central processing unit (CPU) is trusted, so storing confidential information inside it and isolating it is taken to be a safe solution. Exploiting this assumption, attackers do not attack the protected computation directly but go around it, attacking other channels of the system. This is known as a side-channel attack.[1]
Another problem when applying TEEs to a blockchain is the rollback attack. The root cause is that the state of a blockchain can always be rewound, and the “privacy” provided by the TEE only exacerbates the issue,[2] because the replay of an enclave on stale state is hidden from the rest of the network, which can lead to confidential data being leaked to other parties.
Mixnet
Mixnet is a mechanism used by the Nym Network. In a mixnet, the route of a transaction is “erased”, making it impossible for outsiders to find out detailed information about the transaction.
A mixnet is like an upgraded version of onion routing, a method of ensuring anonymity when communicating within a computer network. In onion routing, a message is divided into many small packets, and each packet is encrypted in multiple layers as it travels to its destination. A mixnet goes a step further by re-ordering (mixing) the encrypted packets at each node, making it even harder for an observer to match incoming packets to outgoing ones and reconstruct the original message.
After arriving at the destination, the layers of encryption are peeled off and the packets are put back into their original order so that the original message can be decrypted.
For the anonymous writer, this would mean writing a letter revealing the identity of the true criminal to the jury, tearing it into pieces, mixing them up and packing the pieces in three layers of envelopes, each sealed with a special glue. Each time they pass through a mail station, only one layer of envelope is peeled off. When all of the pieces reach the jury’s mailbox, the last envelope is removed, and a small hint lets the jury rearrange the pieces in the right order so that they can read the original message.
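The three-envelope walk-through above, as an added example that is not part of the original post or of Nym’s code: a message is split into numbered packets, each packet is wrapped in one encryption layer per mail station, every station peels exactly one layer and shuffles its batch, and the jury restores the order from the sequence numbers. The cipher is a constructed toy keystream (HMAC-SHA256 XOR) and the station names and keys are constructed; a real mixnet uses a proper packet format with fixed-size packets and authenticated layers, which this example deliberately leaves out.

```python
import hashlib
import hmac
import os
import random
import struct

DESTINATION = b"jury"

def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 keystream (toy cipher, illustration only).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap_onion(packet: bytes, hops):
    """Wrap `packet` in one layer per hop, innermost layer first, so that the
    first hop peels the outermost one. A layer carries only the label of the
    next hop plus the still-encrypted inner layers."""
    payload, next_hop = packet, DESTINATION
    for name, key in reversed(hops):
        nonce = os.urandom(8)
        payload = nonce + toy_stream_cipher(key, nonce, next_hop.ljust(8) + payload)
        next_hop = name
    return payload

def mix_node(key: bytes, batch, rng):
    """One mail station: peel a layer from every packet in the batch, then
    shuffle the batch so output order cannot be matched to input order."""
    peeled = []
    for onion in batch:
        nonce, body = onion[:8], onion[8:]
        plain = toy_stream_cipher(key, nonce, body)
        peeled.append((plain[:8].strip(), plain[8:]))   # (next-hop label, inner onion)
    rng.shuffle(peeled)
    return peeled

def send_through_mixnet(message: bytes, hops, packet_size=8, rng=random):
    """Split the message into numbered packets, onion-wrap each one and push the
    batch through the hops. Returns the packets as they arrive at the
    destination and, per hop, the set of next-hop labels that hop could see."""
    chunks = [message[i:i + packet_size] for i in range(0, len(message), packet_size)]
    batch = [wrap_onion(struct.pack(">H", seq) + chunk, hops) for seq, chunk in enumerate(chunks)]
    rng.shuffle(batch)                      # the sender posts the pieces out of order too
    visible = []
    for name, key in hops:
        peeled = mix_node(key, batch, rng)
        visible.append((name, {label for label, _ in peeled}))
        batch = [inner for _, inner in peeled]
    return batch, visible

def reassemble(packets):
    """The jury uses the sequence numbers (the 'small hint') to restore the order."""
    ordered = sorted(packets, key=lambda p: struct.unpack(">H", p[:2])[0])
    return b"".join(p[2:] for p in ordered)

# Constructed sample: three mail stations with their own keys, and the letter.
HOPS = [(b"station1", os.urandom(32)), (b"station2", os.urandom(32)), (b"station3", os.urandom(32))]
LETTER = b"The real culprit is the leader of the Triads."

if __name__ == "__main__":
    arrived, visible = send_through_mixnet(LETTER, HOPS)
    for name, labels in visible:
        print(name.decode(), "learned only the next hop(s):", sorted(labels))
    print(reassemble(arrived))
```

Each station learns only the label of the next station (the first one never sees “jury”), and because it shuffles its batch, an observer watching its input and output links cannot pair the packets up by order.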
Another mechanism of this type is used by Tornado Cash, which improves transaction privacy by breaking the on-chain link between the source and destination addresses. It uses a smart contract that accepts deposits of ETH and other tokens from one address and allows the funds to be withdrawn from a different address. Once the transaction is completed, the route from the sender to the receiver is broken. However, privacy in this mechanism cannot be guaranteed absolutely.[3]
Ring signatures
This is a method used by Monero, one of the pioneering privacy blockchain platforms in the space.
Back to Jack’s story, with an additional detail: the anonymous sender is actually a member of the Triads, whose leader is the real culprit in the crime Jack is accused of. The anonymous sender feels guilty and wants to tell the truth, but does not want to reveal his identity. So he collects the public keys of the gang’s members and combines them with his own private key to sign the letter sent to the jury. Thus, the jury can be confident that the letter was written by a member of the Triads, but no one, including the other members of the gang, can tell which member sent it.
The example above is a simplified demonstration of how ring signatures operate.
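The gang-letter scenario in working code, as an added example that is not part of the original post or of Monero’s implementation (Monero’s ring signatures are a different, more elaborate construction): a Schnorr-style ring signature over a toy discrete-log group. The signer takes the public keys of the whole ring plus his own private key; the jury can check that some ring member signed, but the signature does not say which one. The group parameters (a 128-bit safe prime generated at import from a fixed seed) and the five-member gang are constructed and far too small for real use.

```python
import hashlib
import random

# Toy discrete-log group: a safe prime p = 2q + 1 found at import time from a
# fixed seed, with generator G of prime order q. 128-bit parameters are far
# too small for real use; they only keep the example fast and self-contained.
def _is_probable_prime(n, rng, rounds=16):
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits, rng):
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q

P, Q = _safe_prime(128, random.Random(2024))
G = 4                                            # a square mod p, hence of order q
_NBYTES = (P.bit_length() + 7) // 8
_RNG = random.SystemRandom()

def keygen():
    """Private key x, public key y = G^x mod p."""
    x = _RNG.randrange(1, Q)
    return x, pow(G, x, P)

def _challenge(message, pubkeys, commitment):
    """Hash the message, the whole ring and one group element down to Z_q."""
    h = hashlib.sha256(message)
    for y in list(pubkeys) + [commitment]:
        h.update(y.to_bytes(_NBYTES, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def ring_sign(message, pubkeys, signer_index, signer_priv):
    """Abe-Ohkubo-Suzuki style ring signature: walk the ring from the signer's
    position, closing the loop with the one step only the signer can compute."""
    n, s = len(pubkeys), signer_index
    c, r = [None] * n, [None] * n
    alpha = _RNG.randrange(1, Q)
    c[(s + 1) % n] = _challenge(message, pubkeys, pow(G, alpha, P))
    i = (s + 1) % n
    while i != s:                                # simulated steps for the other members
        r[i] = _RNG.randrange(1, Q)
        commitment = pow(G, r[i], P) * pow(pubkeys[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(message, pubkeys, commitment)
        i = (i + 1) % n
    r[s] = (alpha - c[s] * signer_priv) % Q      # real step: needs the private key
    return c[0], r

def ring_verify(message, pubkeys, signature):
    """Recompute the challenge chain around the ring; it must close on c0."""
    c0, r = signature
    if len(r) != len(pubkeys):
        return False
    c = c0
    for y, ri in zip(pubkeys, r):
        commitment = pow(G, ri, P) * pow(y, c, P) % P
        c = _challenge(message, pubkeys, commitment)
    return c == c0

if __name__ == "__main__":
    gang = [keygen() for _ in range(5)]          # constructed: five Triad members
    ring = [y for _, y in gang]
    letter = b"The real culprit is the leader of the Triads."
    sig = ring_sign(letter, ring, 3, gang[3][0]) # member 3 signs anonymously
    print("jury accepts letter:", ring_verify(letter, ring, sig))
    print("tampered letter accepted:", ring_verify(letter + b"!", ring, sig))
```

The signature is a chain of challenges around the ring: for every member but the signer, the response is a random value and the next challenge is computed from it; at the signer’s position the chain is closed using the private key, which is why the verifier can only learn that the chain closes, not where. The challenge hashes the full list of public keys, so the signature is bound to exactly this ring.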
In the Monero network, privacy is also ensured through the use of stealth addresses. A stealth address is used by the sender and the recipient for a single transaction only, so no reusable address for either of them appears on the chain.
Zero-knowledge proof (ZKP)
This is a technology that lets an individual prove that he or she knows a certain fact without having to reveal the fact itself.
A fairly popular branch of ZKP development today is zk-SNARKs. Examples of projects using zk-SNARKs include Zcash and Mina.
zk-SNARK refers to a construction in which a prover can prove possession of some information, such as a secret key, without disclosing that information and without any interaction between the prover and the verifier.
With the “non-interactive” construction, the cryptographic proof is transferred only once from the prover to the verifier, whereas the traditional interactive form of ZKP requires many rounds of messages between the two.
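To make the interactive-versus-non-interactive distinction concrete, here is an added example that is not part of the original post and is not a SNARK: the classic graph-isomorphism zero-knowledge proof, made non-interactive with the Fiat–Shamir transform. In the interactive version the verifier flips a coin in every round; here the coin flips are replaced by hashing all of the prover’s commitments, so the whole proof is sent in one message. The graphs and the secret relabelling are constructed sample data.

```python
import hashlib
import random

def apply_perm(perm, graph):
    """Relabel every vertex v of `graph` as perm[v]; edges are kept as (min, max)."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def compose(outer, inner):
    """Permutation v -> outer[inner[v]] (apply `inner` first, then `outer`)."""
    return [outer[inner[v]] for v in range(len(inner))]

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def _serialize(graph):
    return repr(sorted(graph)).encode()

def fiat_shamir_bits(g0, g1, commitments):
    """Derive one challenge bit per round by hashing the public statement and
    every commitment; this replaces the verifier's coin flips (up to 256 rounds)."""
    h = hashlib.sha256(_serialize(g0) + _serialize(g1))
    for c in commitments:
        h.update(_serialize(c))
    digest = int.from_bytes(h.digest(), "big")
    return [(digest >> i) & 1 for i in range(len(commitments))]

def prove(g0, g1, pi, rounds=32, rng=random.SystemRandom()):
    """Non-interactive proof of knowing pi with g1 == apply_perm(pi, g0).
    Each round commits to a fresh random relabelling of g1 and opens it either
    towards g1 (reveal sigma) or towards g0 (reveal sigma after pi), never both,
    so no single opening reveals pi."""
    sigmas = [random_perm(len(pi), rng) for _ in range(rounds)]
    commitments = [apply_perm(s, g1) for s in sigmas]
    bits = fiat_shamir_bits(g0, g1, commitments)
    responses = [s if b else compose(s, pi) for s, b in zip(sigmas, bits)]
    return commitments, responses          # sent to the verifier in one message

def verify(g0, g1, proof):
    """Recompute the challenge bits and check each opened commitment."""
    commitments, responses = proof
    if len(commitments) != len(responses):
        return False
    bits = fiat_shamir_bits(g0, g1, commitments)
    for h, resp, b in zip(commitments, responses, bits):
        if sorted(resp) != list(range(len(resp))):      # must be a real permutation
            return False
        if apply_perm(resp, g1 if b else g0) != h:
            return False
    return True

# Constructed sample statement: SAMPLE_G1 is SAMPLE_G0 relabelled by SECRET_PI.
SAMPLE_G0 = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 3)})
SECRET_PI = [3, 0, 5, 1, 4, 2]
SAMPLE_G1 = apply_perm(SECRET_PI, SAMPLE_G0)
# A graph that is not isomorphic to SAMPLE_G0 (one edge fewer), for a failing case.
OTHER_G = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0)})

if __name__ == "__main__":
    proof = prove(SAMPLE_G0, SAMPLE_G1, SECRET_PI)
    print("verifier accepts:", verify(SAMPLE_G0, SAMPLE_G1, proof))
    print("same proof against another statement:", verify(SAMPLE_G0, OTHER_G, proof))
```

A cheating prover who does not know the relabelling can answer only one of the two possible challenge bits in each round, so 32 rounds leave a cheating chance of about 2^-32; and because every response is a uniformly random permutation on its own, the proof leaks nothing about `SECRET_PI`. A SNARK reaches the same non-interactive, single-message shape with a far shorter proof, at the cost of the setup phase described next.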
In the case of the anonymous writer, when sending another letter to the jury to reveal the real identity of the criminal, he would only need to attach a cryptographic proof on the blockchain to prove to the public that what he knows about the criminal is completely true, and that he did not secretly communicate with the jury to blame other innocent people.
Currently, the most efficient way to create a zero-knowledge proof that is non-interactive and short enough to be published on a blockchain is a construction with an initial setup phase, in which a set of reference parameters is generated and shared between the system and the validators; this is known as the common reference string.
More recently, another variant of SNARKs has emerged to mitigate the existing drawbacks of this technology: zk-STARKs. This solution was developed by StarkWare, one of the well-known layer 2 solutions for Ethereum.
STARKs allow developers to move computation and storage off-chain. The resulting proofs are then put back on the chain so that any interested party can validate the computation. Moving the bulk of the computation off-chain using STARKs allows the existing blockchain infrastructure to scale more quickly and efficiently. However, the proof size of zk-STARKs is larger than that of zk-SNARKs, which on the one hand makes them less vulnerable to quantum computer algorithms but on the other hand makes them heavier on storage space than zk-SNARKs.