Sin7y Tech Review (33): Principles of private transactions and regulatory compliance issues

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

In August 2022, the Office of Foreign Assets Control (OFAC) announced sanctions against Tornado Cash, which directly cast a shadow on protocols aiming to achieve privacy on public blockchains. This led to discouragement in the market towards privacy and raised regulatory concerns. However, Ola, an Ethereum Layer 2 network that supports programmable privacy utilizing its ZK-ZKVM architecture, still recognizes the urgent need for robust privacy across the blockchain space.

Ola is not the first project dedicated to bringing privacy to blockchains, nor will it be the last. As a member of the blockchain community, Ola is committed to interpreting the privacy technologies used in most projects and the regulatory compliance issues involved in privacy transactions, in order to help the market understand privacy on top of public blockchains more comprehensively.

1. Why was Tornado Cash banned?

The reason for Tornado Cash's blacklisting by OFAC is obvious: its transactions can not be tracked. This has made Tornado Cash widely used for illegal activities.

The principle of privacy in Tornado Cash differs from that of Zcash, which is entirely based on ZK technology. Tornado Cash combines coin mixing and ZK technology, with coin mixing making transactions untraceable. As the coin-mixing pool grows larger, the chances of tracking it approach zero. ZK is only used to realize its own asset proof once the coin mixing is complete.

Therefore, Tornado Cash is called a haven for hackers and black money, as it is impossible to track the addresses to which non-performing assets are withdrawn after entering the mixing pool. This is also the underlying reason for Tornado Cash's blacklisting. Many articles interpret the principle of coin-mixing in Tornado Cash, which readers can find for themselves.

In the following sections, we will explain how private transactions based solely on ZK technology can not only protect privacy but also allow transaction information to be reviewed and tracked when required (through the design of the view key).

2. Why do blockchains need privacy

Although blockchain technology provides anonymity to user identity, it does not offer privacy protection for data such as transaction volume. This leaves users vulnerable to revealing their real identity and intentions through behavior-based clustering analysis and other methods, which has led to various emerging fraud and attacks, such as front-running and replay attacks, causing significant losses to many users.

Furthermore, the lack of privacy on the blockchain limits its potential applications in real-world business scenarios. Without adequate privacy, the mainstream adoption of blockchain technology is unlikely. For instance, in financial infrastructure, if sensitive financial information such as users' salaries or payments for services like healthcare is publicly viewable, potential users of blockchain-based payment systems may be hesitant to use them. The same goes for social networking services, decentralized lending protocols, philanthropic platforms, and any other cases where users value the privacy of their information.

Currently, privacy and data protection have become some of the most discussed and concerning issues in various industries, and data protection is now being legislated in many countries. Consequently, adding privacy protection features will become the future development trend of blockchain technology. Numerous cross-disciplinary and cross-industry giants are focusing on privacy and data protection.

3. Definition of regulated private transactions

A blockchain transaction is primarily composed of sender information, transaction data (amount), and recipient information. Currently, blockchain transactions are open and transparent, allowing anyone to view and analyze transaction details at any time. Private transactions, on the other hand, use zero-knowledge technology and cryptography to conceal transaction information (sender information, transaction data, and recipient information) and protect user privacy.

The crackdown on Tornado Cash reveals the fact that the industry does require privacy, but it must be regulated, and private transaction information should be available if needed to enable tracking of private asset transfers. Zcash provides a good starting point for the privacy track, enabling both privacy and regulatory compliance. Zcash has published a separate article outlining the compliance of the project. Other ZK-based privacy projects like Ola, Aleo, Aztec, and the Manta network, which use similar privacy architectures to Zcash but with differences in programmability implementations, are on par with regulatory issues (See Design Principles of Private Transactions in Aleo and Zcash).

4. Implementation principle of private transactions

There are four technical solutions for private transactions: CoinJoin (DASH), hidden address + ring signature (Monero), Mimblewimble (Litecoin), and zero-knowledge proof (Zcash). In this article, we will only focus on the principle of private transactions based on zero-knowledge technology.

4.1 Encryption process of private transactions

A transaction typically consists of the sender address, the receiver address, and the transaction data (such as which method of the contract is called). In a private transaction, each of these three pieces of information is encrypted using various keys.

4.1.1 Introduction to the Key System

The key system is the basis for private transactions. The current key system of the latest version of Zcash is shown in Figure 1:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 1: Zcash Key System (Orchard)

The key system contains a variety of keys for different purposes, the most important of which are the following：

sk: Spending key, used to derive other keys, similar to the private key in Bitcoin, must not be shared with others
ask: Spend authorizing key, used to generate the signature spendAuthSig of Spend transfer, must not be shared with others
(ak, nk, rivk): Full viewing key, used to view all transactions of the user, needs to be shared with the delegator to generate zkSNARK proof
- ak: Spend validating key, used to verify the transfer signature spendAuthSig
- nk: The recipient's nullifier deriving key, used to generate the nullifier
- rivk: Used to generate shielded payment addresses
(dk, ivk): Incoming viewing key, used to view all transactions sent to the user, privacy will be leaked after disclosure
- dk: Diversifier key, used to generate diversified parameters in shielded payment addresses d
- ivk: Private key in the key agreement scheme, used to generate the symmetric encryption key, and transmission key
  $p k_{d}$
ovk: Outgoing viewing key, used to view transactions issued by all users, privacy will be leaked after disclosure
(d,
$p k_{d}$ ): Shielded payment address, used as the recipient's address of the transaction, needs to be given to the sender

4.1.2 The UTXO Model

Zcash uses the Unspent Transaction Output (UTXO) model, similar to Bitcoin, and expands on Bitcoin's transparent transfer mechanism. In Zcash, a user's funds are stored in a data structure called a note, with each note representing a certain amount of ZEC tokens. To transfer funds, the sender selects some notes received in previous transactions, destroys them (by calculating and revealing their nullifiers), creates new notes (by revealing their note commitments), encrypts these new notes, and sends the ciphertexts to the blockchain. The recipient can then use their viewing key to decrypt the note ciphertexts and view the amount, while others are unable to access the plaintext of the notes.

The newly created note can be expressed as

(d, p k_{d}, v, ρ, ψ, r c m)

, where：

(d,
$p k_{d}$ ): The owner address of the note, that is, the shielded payment address of the recipient
v: Value, i.e. the amount of ZEC tokens
$(ρ, ψ)$ : Two random numbers, used to generate a nullifier when the recipient consumes this note in the future
rcm: Used to check whether the note commitment is correct

4.1.3 Structure of transactions

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Zcash transactions comprise zero or more Action transfers, each of which is encoded into an Action description, representing a transfer that involves destroying an old note and creating a new one. Each Action description requires generating a proof, and the zero-knowledge proof algorithm is utilized to verify that the data is accurate. Eventually, all proofs are condensed into a final proof using the Halo2 algorithm and stored in the transaction.

The data contained in the Action description are the following:

$c v^{n e t}$ : Commitment to the change of the value in the pool after the transfer
- The committed value is the result of the input note's value minus the output note's value
$r t : {0. . q_{P} - 1}$ , the output treestate of a previous block
- Treestate contains a note commitment tree and a nullifier set
$n f ： {0. . q_{P} - 1}$ input note nullifier
rk: randomized validating key, used to validate spendAuthSig
spendAuthSig: a signature generated by the sender using ask
$c m_{x} : {0. . q_{P} - 1}$ , x coordinate of output note commitment on the elliptic curve
epk: Ephemeral public key used in the key agreement scheme
$C^{e n c}$ : ciphertext of the output note
- The recipient can decrypt it using his own full viewing key or incoming viewing key
$C^{o u t}$ : The recipient can use his own ock (outgoing cipher key) to decrypt it to get the
$p k_{d}$ and ephemeral private key
$e s k$ , and can further generate a symmetric encryption key to decrypt the entire note plaintext
enableSpends: 0 or 1. This flag is used to enable the non-zero-value function in Action Inputs
- 1 means there is an input note, and 0 means there is no input note
enableOutputs: 0 or 1. This flag is used to enable the non-zero-value function in Action Outputs
- 1 means there is an output note, and 0 means there is no output note
$π$ : The zkSNARK proof of the statement:
$(c v, r t^{O r c h a r d}, n f, r k, c m_{x}, e n a b l e S p e n d s, e n a b l e O u t p u t s)$

$r t, e n a b l e S p e n d s, O u t p u t S p e n d s$ are three attributes that are the same for all Action transfers within a transaction, so they are actually stored in the body of the transaction, not in the Action description.
$π$ is the aggregate proof of all Action proofs stored in the transaction's proofsOrchard field.

4.1.4 Process of sending a transaction

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

To initiate a transfer in Zcash, the sender needs to create a transaction that includes one or more Action descriptions. In order to encrypt the note plaintext, the sender generates an ephemeral key pair using the recipient's shielded payment address

(d, p k_{d})

and derives a symmetric encryption key by combining the ephemeral private key and the recipient's public key

p k_{d}

. The encryption process can be outlined as follows:

Let leadByte be 0x02
For each Action description, choose a value
$v$ and the recipient's shielded payment address
$(d, p k_{d})$
- Check
  $p k_{d}$
- Calculate
  $g_{d} = D i v e r s i f y H a s h (d)$
- Choose a uniformly random commitment trapdoor
  $r c v \leftarrow V a l u e C o m m i t . G e n T r a p d o o r ()$
- Choose uniformly random
  $r s e e d \leftarrow B^{Y^{32}}$
- Let
  $ρ = n f^{o l d}$ ,
  $\underset{―}{ρ} = I 2 L E O S P_{256} (ρ)$
- Calculate
  $e s k = T o S c a l a r (P R F_{r s e e d}^{e x p a n d} ([4] | | \underset{―}{ρ}))$
- Calculate
  $r c m = T o S c a l a r (P R F_{r s e e d}^{e x p a n d} ([5] | | \underset{―}{ρ}))$
- Calculate
  $ψ = T o B a s e (P R F_{r s e e d}^{e x p a n d} ([9] | | \underset{―}{ρ}))$
- Let cv net be the value commitment to the value of the input note minus the value v of the output note for this Action transfer, choose a uniformly random commitment trapdoor
  $r c v$
- Calculate
  $c m_{x} = E x t r a c t_{P}^{'} (N o t e C o m m i t_{r c m} (r e p r (g_{d}), r e p r (p k_{d}), v, ρ, ψ))$
- $n p = (l e a d B y t e, d, v, r s e e d, m e m o)$
  Use the recipient's shielded payment address
  $(g_{d}, p k_{d})$ and
  $o v k$ to encrypt the note, get the transmitted note ciphertext
  $(e p k, C^{e n c}, C^{o u t})$ . The process is as follows:
  - Let
    $P^{e n c}$ be the raw encoding of the note plaintext
  - $e p k = K A . D e r i v e P u b l i c (e s k, g_{d})$
  - $e p h e m e r a l K e y = L E B S 2 O S P_{l_{G}} (r e p r_{G} (e p k))$
  - $s h a r e d S e c r e t = K A . A g r e e (e s k, p k_{d})$
  - $K^{e n c} = K D F (s h a r e d S e c r e t, e p h e m e r a l K e y)$
  - $C^{e n c} = S y m . E n c r y p t_{k^{e n c}} (P^{e n c})$
  - $c v = L E B S 2 O S P (r e p r (c v))$
  - cv is value commitment
  - $c m x = L E B S 2 O S P_{256} (E x t r a c t_{G^{(r)}} (c m))$
  - cm is note commitment, cmx is x-coordinate of cm
  - $o c k = P R F_{o v k}^{o c k} (c v, c m x, e p h e m e r a l K e y)$
  - Outgoing cipher key, used to generate
    $C^{o u t}$
  - $o p = L E B S 2 O S P (r e p r_{G} (p k_{d}) | | I 2 L E B S P_{256} (e s k))$
  - $C^{o u t} = S y m . E n c r y p t_{o c k} (o p)$
  - Return
    $（ e p h e m e r a l K e y, C^{e n c}, C^{o u t} ）$
- Return zkSNARK proof
  $π$
- Return
  $(c v, c m_{x}, e p k, C^{e n c}, C^{o u t}, π)$
If there is no real note spent in this Action description, you need to create a dummy note to spend, using the nullifier of the dummy note as
$ρ$ .
Randomize the order of Action descriptions
Send the transaction to the network

4.1.5 Hiding sender information

The sender generates an ephemeral key pair each time and generates a symmetric encryption key

K^{n e c}

in the key agreement scheme, uses

K^{n e c}

to encrypt the note plaintext, and does not use his own sk (spending key) or ask (spend authorizing key), so the sender's information can be hidden.

4.1.6 Hiding recipient information

The recipient generates different new shielded payment addresses for different transactions, so the destination addresses in the transactions are different, and other users on the network can not decrypt the note ciphertext, nor can they see the recipient's address, so the recipient's information can be hidden.

4.1.7 Hiding the transfer amount

The transfer amount is stored in the note and encrypted by the sender using a symmetric encryption key, denoted as

K^{n e c}

, to generate a ciphertext of the note. This means that besides the sender and receiver, other users on the network, including the validator, can only verify that the input amount and output amount in the transaction are balanced, but can not view the specific transfer amount. Therefore, the transfer amount can be hidden.

4.2 Decryption process of private transactions

The recipient can use their incoming viewing key or full viewing key to decrypt the note ciphertext in the transaction. Additionally, the recipient can use the ephemeral public key stored by the sender in the transaction to generate the same symmetric encryption key

K^{n e c}

as the sender. By using the decryption algorithm in the symmetric encryption scheme, the recipient can generate the note plaintext.

4.2.1 Decrypting using an incoming viewing key

The decryption process using an incoming viewing key is as follows：

$i v k$ is the recipient's KA private key
$e p k = a b s t_{G} (e p h e m e r a l K e y)$
$s h a r e d S e c r e t = K A . A g r e e (i v k, e p k)$
$K^{e n c} = K D F (s h a r e d S e c r e t, e p h e m e r a l K e y)$
$P^{e n c} = S y m . D e c r y p t_{k^{e n c}} (C^{e n c})$
$n p = (l e a d B y t e, d, v, r s e e d, m e m o)$
$r c m = L E O S 2 I P_{256} (r s e e d)$
$g_{d} = D i v e r s i f y H a s h (d)$
$p k_{d} = K A . D e r i v e P u b l i c (i v k, g_{d})$
$n = (d, p k_{d}, v, ρ, ψ, r c m)$
check
$E x t r a c t (N o t e C o m m i t (n)) a n d c m x$ are equal

$ψ = T o B a s e (P R F_{r s e e d}^{e x p a n d} ([9] | | {\underset{―}{ρ}}^{o p t}))$

$ρ$ is used to calculate the nullifier in the future
return
$(n, m e m o)$

4.2.2 Decrypting using a full viewing key

The decryption process using a full viewing key is as follows：

$o v k$ is outgoing viewing key
$o c k = P R F_{o v k}^{o c k} (c v, c m x, e p h e m e r a l K e y)$
$o p = S u m . D e c r y p t_{o c k} (C^{o u t})$
$(p k *_{d}, \underset{―}{e s k}) = o p$
$e s k = L E O S 2 I P_{256} (\underset{―}{e s k})$
$p k_{d} = a b s t_{G} (p k *_{d})$
$s h a r e d S e c r e t = K A . A g r e e (e s k, p k_{d})$
$K^{e n c} = K D F (s h a r e d S e c r e t, e p h e m e r a l K e y)$
$P^{e n c} = S y m . D e c r y p t_{K^{e n c}} (C^{e n c})$
$n p = (l e a d B y t e, d, v, r s e e d, m e m o)$
$\underset{―}{r c m} = r s e e d$
$ρ = n f^{o l d}$
$r c m = L E O S 2 I P_{256} (\underset{―}{r c m})$
$g_{d} = D i v e r s i f y H a s h (d)$
$n = (d, p k_{d}, v, ρ, ψ, r c m)$

$ψ = T o B a s e (P R F_{r s e e d}^{e x p a n d} ([9] | | {\underset{―}{ρ}}^{o u t}))$
$c m^{'} = N o t e C o m m i e m n t (n)$
check (
$E x t r a c t (c m^{'}) a n d c m x$ are equal
return
$(n, m e m o)$

5. Compliance-Friendly Design in Ola

The purpose of private transactions in a blockchain setting is to address the issues of fraud, social engineering, asset theft by malicious actors as well as other attacks and manipulations of applications, all resulting from the complete transparency of current blockchains, as well as the potential risks associated with the exposure of sensitive financial data to third parties. It is essential to maintain regulatory and compliance standards to ensure the healthy development of the entire industry.

Ola has adopted a "view key" design that is friendly not only for developers and common users but also for regulatory compliance, as depicted in the figure below:

If you have any questions about regulatory compliance with private transactions, please feel free to contact us at <contact@sin7y.org >. Welcome to follow Ola's official Twitter, join our Discord server, and get the latest updates from Ola!

About
This report aims to provide an update on the latest developments and news related to Ola and zero-knowledge cryptography, which has the potential to revolutionize the way we approach privacy and security in the digital age. We will continue to monitor and report on the latest developments in this field. Please write to contact@sin7y.org if you’d like to join or partner with us.

Sin7y Tech Review (33): Principles of private transactions and regulatory compliance issues

1. Why was Tornado Cash banned?

2. Why do blockchains need privacy

3. Definition of regulated private transactions

4. Implementation principle of private transactions

4.1 Encryption process of private transactions

4.1.1 Introduction to the Key System

4.1.2 The UTXO Model

4.1.3 Structure of transactions

4.1.4 Process of sending a transaction

4.1.5 Hiding sender information

4.1.6 Hiding recipient information

4.1.7 Hiding the transfer amount

4.2 Decryption process of private transactions

4.2.1 Decrypting using an incoming viewing key

4.2.2 Decrypting using a full viewing key

5. Compliance-Friendly Design in Ola

Read more

Circle FFT and its implementation

Babylon: An Extremely Appealing Protocol Scaling Bitcoin to Secure PoS Chains

Onis Litepaper of Ola

A basic of Binius: Towers of Binary Fields