# Incognitee CLI tutorial
## Transfer PAS privately
Our Incognitee testnet allows you to transfer PAS (the native token of the Paseo relay chain) privately. We will guide you through the process of creating a wallet, obtaining PAS and transferring it with privacy. The very same process will be possible with DOT/KSM and even other fungible assets on the Asset Hubs once we release the production sidechains.
At this early stage we only provide command line tools and we assume you know your way around Docker or Linux. Stay tuned for a web UI for a clickable version of this tutorial.
This tutorial will take you through all steps sketched in the following diagram:

### setup
#### using docker
```bash
mkdir test-privacy && cd test-privacy
alias sidechain-cli="docker run --rm -v \"$(pwd)\":/tmp -w /tmp -u $(id -u ${USER}):$(id -g ${USER}) integritee/sidechain-cli:v0.12.12"
sidechain-cli --version
# should say: integritee-cli 0.12.12
```
(Subsequent steps may fail on OS X. Please stay tuned for [updates](https://github.com/integritee-network/worker/issues/1576).)
#### using ubuntu 22.04 natively
Download the CLI client from IPFS (needs Linux, i.e. Ubuntu 22.04):
```bash
mkdir test-privacy && cd test-privacy
curl -o sidechain-cli https://crustipfs.live/ipfs/QmYbKhwQMLnfPLwBAMmmuTEuEnhYijkUf3EjpX8pq3uakx
chmod +x sidechain-cli
./sidechain-cli --version
# should say: integritee-cli 0.12.11
alias sidechain-cli="./sidechain-cli"
```
#### setup environment to use Paseo and Incognitee testnet
```bash
export SHARD=5wePd1LYa5M49ghwgZXs55cepKbJKhj5xfzQGfPeMS7c
export MRENCLAVE=7RuM6U4DLEtrTnVntDjDPBCAN4LbCGRpnmcTYUGhLqc7
alias incognitee="sidechain-cli -P 443 -U wss://scv1.paseo.api.incognitee.io trusted --mrenclave $MRENCLAVE --shard $SHARD"
read VAULT <<< $(incognitee get-shard-vault)
echo $VAULT
# should say: 5CBWPstfcW7dPYGdUG4kVDZSQq9Q9Ed65LT2Eu1inhJRoY8e
alias paseo="sidechain-cli -u wss://rpc.ibp.network/paseo -p 443"
```
### create a wallet
```bash
read ME_PUBLIC <<< $(paseo new-account)
echo $ME_PUBLIC
```
Now, go to the [paseo faucet](https://faucet.polkadot.io/paseo) and claim 100 PAS for your new account. Select the following settings:
* Network: Paseo
* Chain: Paseo Relay Chain

Check your balance (allow for 30s):
```bash
paseo balance $ME_PUBLIC
# should say: 1000000000000 (PAS has 10 decimals)
```
Also, create a new incognito account:
```bash
read ME_PRIVATE <<< $(incognitee new-account)
echo $ME_PRIVATE
# make the public account usable by L2 keystore as well:
cp my_keystore/* my_trusted_keystore/$SHARD/
```
### transfer PAS privately
Your PAS now reside on the Paseo relay chain. Let's shield 2 PAS to Incognitee:
```bash
paseo transfer $ME_PUBLIC $VAULT 20000000000
# wait a moment
incognitee balance $ME_PUBLIC
# should say: 19964973731
paseo balance $ME_PUBLIC
```
Your balance on Paseo should be ~2 PAS less and your balance on the same account on Incognitee should be almost 2 PAS.
So far, there's nothing private. But from now on, only you can query your balance on Incognitee. If you try to query someone else's balance, that will fail because you're not authorized:
```bash
incognitee balance 5F4sDRQFyNiNz8BKGU3VxQtQtBBevRHVYNT8BNP2encsxEWr
# should fail
```
Now, let's transfer 1.1 PAS to our incognito account. Notice how fast this confirms:
```bash
incognitee --direct transfer $ME_PUBLIC $ME_PRIVATE 11000000000
incognitee balance $ME_PRIVATE
# should say: 11000000000
```
Now we have 1.1 PAS on our incognito account. If we send funds to someone, they don't learn our public key and they can't check our balance. We can just prove that we sent them the tokens.
If at some point we'd like to go back to Paseo, we can unshield funds again. If there is enough shielding and unshielding traffic with equal amounts, the unshielding will be unlinkable to the previous shielding, provided you choose a different address (k-anonymity).
Let's create a fresh account on Paseo and unshield 1 PAS to that account:
```bash
read ALTER_EGO <<< $(paseo new-account)
echo $ALTER_EGO
incognitee --direct unshield-funds $ME_PRIVATE $ALTER_EGO 10000000000
# wait for one Paseo block
paseo balance $ALTER_EGO
# should say: 10000000000
```
There you go. 1 PAS back on L1 on an account with no previous history.
Thank you for trying this out. Please [reach out](mailto:hello@integritee.network) if you have questions.
## under the hood
### check sidechain activity
Visit the [Integritee Network on Paseo explorer](https://polkadot.js.org/apps/?rpc=wss%3A%2F%2Fpaseo.api.integritee.network#/explorer) where you can see events whenever sidechain blocks get finalized:

As privacy is our main feature, you can't see much more here. The `BlockHeaderHash` helps you prove that you sent funds to someone. By default, recipients just observe a change in their balance but they have no clue where the funds come from unless you tell them and provide a Merkle proof for the sidechain block inclusion of your transfer.
However, as shielding and unshielding events happen publicly on Paseo, you can [observe shielding/unshielding activity on the vault account on subscan](https://paseo.subscan.io/account/5CBWPstfcW7dPYGdUG4kVDZSQq9Q9Ed65LT2Eu1inhJRoY8e?tab=transfer).
The balance of the vault account will always exactly match the total supply on the respective sidechain shard.
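Because the vault's transfers are public, you can estimate how well an unshield would blend in before you make it. The following is an added example, not part of the Integritee tooling: it computes the vault balance and, for each unshield, the number k of earlier shielders with an equal amount, over a constructed list of transfers. The account names, the `VAULT` placeholder and the equal-amount heuristic (which ignores fees) are assumptions made for illustration.

```python
from dataclasses import dataclass

PLANCK_PER_PAS = 10**10   # the tutorial states that PAS has 10 decimals
VAULT = "VAULT"           # placeholder standing in for the shard vault address


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: int            # smallest unit, as the CLI prints it


# Constructed sample of L1 transfers touching the vault; names are made up.
SAMPLE = [
    Transfer(100, "alice", VAULT, 2 * PLANCK_PER_PAS),
    Transfer(101, "bob", VAULT, 1 * PLANCK_PER_PAS),
    Transfer(105, "carol", VAULT, 1 * PLANCK_PER_PAS),
    Transfer(110, "dave", VAULT, 1 * PLANCK_PER_PAS),
    Transfer(120, VAULT, "fresh-1", 1 * PLANCK_PER_PAS),
    Transfer(130, VAULT, "fresh-2", 2 * PLANCK_PER_PAS),
    Transfer(140, "erin", VAULT, 5 * PLANCK_PER_PAS),
]


def vault_balance(transfers):
    """Shielded minus unshielded funds, i.e. the shard's total supply."""
    shielded = sum(t.amount for t in transfers if t.recipient == VAULT)
    unshielded = sum(t.amount for t in transfers if t.sender == VAULT)
    return shielded - unshielded


def anonymity_set(transfers, unshield):
    """Earlier shielders whose deposit equals the unshielded amount."""
    return {t.sender for t in transfers
            if t.recipient == VAULT
            and t.block < unshield.block
            and t.amount == unshield.amount}


def k_per_unshield(transfers):
    """Map each unshield recipient to the size k of its anonymity set."""
    return {u.recipient: len(anonymity_set(transfers, u))
            for u in transfers if u.sender == VAULT}


if __name__ == "__main__":
    print("vault balance:", vault_balance(SAMPLE))
    for account, k in k_per_unshield(SAMPLE).items():
        print(account, "k =", k, "(linkable)" if k <= 1 else "")
```

In the sample, the 2 PAS unshield has only one matching shielder, so a fresh address alone does not hide its origin; waiting for more equal-amount traffic raises k.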
### what are shards and mrenclaves?
Each instance of an Incognitee sidechain is identified by a *shard identifier* and we'll need to tell the validators which shard we'd like to talk to. Think of it like the genesis hash of an L1 blockchain.
The `MRENCLAVE` identifies the validator code which is executed inside an Intel SGX enclave (it's basically the hash of the enclave binary). Your call will only execute if the validator runs the code you expect it to run.
### why should I trust validators?
Because they can't cheat and they can't see your data. That's what TEEs guarantee. But how should you know that the validators actually run the correct code in a TEE? You can authenticate validators thanks to Integritee's remote attestation registry at [enclaves.integritee.network](https://enclaves.integritee.network/?rpc=wss%3A%2F%2Fpaseo.api.integritee.network).
There you can find the validator for this tutorial if you search for the URL you're using, `wss://integritee-1.cluster.securitee.tech:2000`, and it will tell you the verified MRENCLAVE which has been remotely attested using [our decentralized DCAP process](https://docs.integritee.network/4-development/4.5-attesteer).