Furthermore, it’s become common practice to follow users’ holdings, particularly those with large sums, trying to discern their behavior and trading habits. At best, these kinds of actions are a breach of individual privacy. At worst, the same techniques can be used by attackers to deanonymize and recognize individual honeypots, focusing their efforts on hacking their accounts. Importantly, these same risks extend to the token issuers, whose own retained tokens can become the target of malicious actors.

To make matters much worse, most ICOs today require their contributors to submit sensitive KYC/AML data, which includes your ID, among other things. If that information ever leaks, then it becomes trivial to link your real identity to your actual wallet holdings, exacerbating the risk to token holders. If you’re an avid crypto investor, you’re likely to participate in many projects over time, which linearly increases your exposure.

Given these substantial risks to our privacy and (more importantly) our security, we propose a re-design of ICOs so that they actually protect the privacy and security of all token holders. Enigma calls these Secret ICOs — and they also implicitly generate privacy tokens.

Privacy tokens, generated in a Secret ICO, can be seen as an extension to the existing ERC20 standard that relies on Enigma’s Secret Contracts capabilities, which add privacy to smart contracts. This allows us to combine the flexibility and simplicity of ERC20-like tokens with the privacy and anonymity guarantees that privacy coins, which run their own full-blown blockchain, can offer. In addition, more interesting ideas, such as the DAICO, could be developed using Secret Contracts (thus enabling Secret DAICOs).

It’s worth mentioning that this is an introduction to the idea of Secret ICOs and Privacy Tokens, and should not be considered a complete solution. Ensuring proper transactional privacy is an ongoing research endeavor. Even when using strong privacy technologies, deanonymization is still a concern, as has been shown in Monero and Zcash.

So how could a Secret ICO work with Enigma? How do privacy tokens function? And what are the advantages for issuers and for contributors?

In the Beginning: the Token Generation Event

A Secret ICO starts with the token generation event. This is the actual mechanism by which a secret contract receives contributions based on whatever terms the contract developers choose, and then distributes the newly minted tokens based on the contributed amounts. The process of contribution can remain largely the same, but the contributor should supply an encrypted wallet address to be used for holding the tokens. This will break the link that allows identifying the token holder going forward. For better privacy, the contributing address should also not be re-used.

Acting on the user’s contribution, the contract will add an encrypted entry to the balances map, thus issuing the correct amount of tokens to the contributor. The full balances map is also encrypted, preventing anyone from observing who owns tokens and how many.

We must also consider tokens that are retained or reserved (e.g., for the team and advisors). These could be added in a very similar way, with the contract owner specifying a list of encrypted addresses and amounts. Importantly, with Enigma, the “secret contract” can still run a computation over these encrypted inputs to ensure the contract owner does not distribute more tokens than those specified in the public contract’s conditions — whether to the team or any other entity.

Creating Privacy Tokens

The token generation event ensures that no one can observe who owns how many tokens, while still guaranteeing that no one holds more tokens than they deserve. This alone creates a static state valid at the time of the initial offering, but this does not in itself guarantee the continued privacy of token holders.

To maintain privacy, we need to ensure that each token transfer also occurs as an encrypted computation. Essentially, every time a user wishes to send tokens to another user, they should encrypt the sender, receiver, and amount, and transmit them using a different one-time address to cover the gas. (Notice that this is a slight departure from the ERC20 standard, where the sender is implicitly obtained as the signer of the transaction.) This is all possible with secret contracts.

With this functionality implemented at issuance, all issued tokens could immediately become privacy tokens, with almost no additional effort. As mentioned before, this helps protect the identities of holders and dramatically reduces security risks.
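The token generation and transfer rules described above can be modelled in plain Python. This is an added example, not Enigma code or its API: it shows only the checks a secret contract would run on decrypted inputs. The class and method names, the `register` step and the use of an HMAC in place of a holder signature are assumptions made for illustration.

```python
import hashlib
import hmac

def auth_tag(key, sender, receiver, amount, nonce):
    # Assumption: an HMAC stands in for the holder's signature over the transfer fields.
    msg = f"{sender}|{receiver}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class PrivacyTokenModel:
    """Checks the secret contract would run on decrypted inputs (hypothetical model)."""
    def __init__(self, total_supply, reserved_cap):
        self.total_supply, self.reserved_cap = total_supply, reserved_cap  # public terms
        self.balances, self.keys, self.seen = {}, {}, set()                # private state
        self.minted = self.reserved = 0

    def register(self, addr, key):
        # Stand-in for deriving an address from its public key; not a real contract step.
        self.keys.setdefault(addr, key)

    def _mint(self, addr, amount):
        if amount <= 0 or self.minted + amount > self.total_supply:
            raise ValueError("mint violates public supply terms")
        self.balances[addr] = self.balances.get(addr, 0) + amount
        self.minted += amount

    def contribute(self, addr, amount):
        self._mint(addr, amount)

    def allocate_reserved(self, entries):
        # entries: [(address, amount)], submitted encrypted by the contract owner.
        total = sum(amount for _, amount in entries)
        if (any(amount <= 0 for _, amount in entries)
                or self.reserved + total > self.reserved_cap
                or self.minted + total > self.total_supply):
            raise ValueError("reserved allocation exceeds public terms")
        for addr, amount in entries:
            self._mint(addr, amount)
        self.reserved += total

    def transfer(self, sender, receiver, amount, nonce, tag):
        # The sender is a payload field, not the transaction signer: authenticate it first.
        key = self.keys.get(sender)
        if key is None or not hmac.compare_digest(
                auth_tag(key, sender, receiver, amount, nonce), tag):
            raise PermissionError("sender not authenticated")
        if (sender, nonce) in self.seen:
            raise ValueError("replayed transfer")
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.seen.add((sender, nonce))
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
```

Because the one-time gas address says nothing about who is spending, the authentication and replay checks inside `transfer` carry the weight that the transaction signature carries in ERC20.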

Reducing KYC Risks

There are other advantages to Secret ICOs as well. With increasing regulation, it’s become common for ICOs to be preceded by a KYC process. This is generally a good thing, as it assists in filtering out bad actors and illicit activities, which helps in legitimizing the space. However, given the rapid increase in ICOs, this also means that more and more small companies are being entrusted with extremely sensitive data that they are ill-equipped to handle. Given the proliferation of bad actors in the crypto space, this is extremely risky for companies and contributors.

A better solution is to ensure participants in the ICO never share their IDs (or other KYC-related data) with the token issuer directly. Instead, the secret ICO contract can be enabled to accept (a priori) encrypted IDs of users. The secret contract would then be able to execute an encrypted computation that digitizes the contents of the passports into textual data, which could further be used to determine whether an individual should be allowed to participate in the ICO. We have previously explored similar ideas in our posts on building on-chain reputation and identity, which also apply here.

Admittedly, this functionality would take more time to develop and will require both technical maturity and coordination with the appropriate authorities. However, with this mechanism, token issuers can prove to regulators that they were compliant, without unnecessarily risking sensitive user data (as even they cannot see it).

Establishing Accountability

Despite the clear advantages of Secret ICOs, experienced readers may have noticed an apparent drawback — while the privacy of token holders is preserved, we lose transparency. While token holders want to protect their security by not sharing their holdings or personal data, they also want to know, in aggregate, important metrics about their token. For example, understanding the overall distribution of tokens allows one to examine how centralized its holder base is. Similarly, the community should be able to see when team members sell their retained tokens, even if they can’t see their addresses directly. Other interesting conditions for added accountability in spending funds (e.g., the DAICO) could be implemented as well.

This is where tokens created by Secret ICOs show significant advantages compared to all existing privacy coins. Because the tokens are issued by a secret contract, it becomes trivial to add interesting functionality to the token. One such functionality could be these kinds of accountability features, which prove that we don’t really need to sacrifice transparency for privacy.
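One way such an accountability feature could look, as an added example rather than Enigma code: a function that would run over the private balances map and publish only aggregates. The function names, the choice of metrics (top-N share and a Herfindahl index) and the minimum-holder threshold are assumptions for illustration.

```python
def disclose_aggregates(balances, team_addrs, top_n=3, min_holders=5):
    """Runs over the private balances map; only the returned dict is published."""
    holders = {addr: bal for addr, bal in balances.items() if bal > 0}
    # Aggregates over a handful of holders would reveal individual balances,
    # so refuse to publish below a threshold (assumed policy, not from the post).
    if len(holders) < max(min_holders, top_n + 1):
        raise ValueError("too few holders to publish aggregates safely")
    supply = sum(holders.values())
    ranked = sorted(holders.values(), reverse=True)
    return {
        "holders": len(holders),
        # Share of supply held by the largest top_n addresses.
        "top_n_share": round(sum(ranked[:top_n]) / supply, 2),
        # Herfindahl index: 1/holders for an even spread, 1.0 for a single holder.
        "hhi": round(sum((bal / supply) ** 2 for bal in ranked), 3),
        # Sum over the team's (private) addresses; the addresses stay hidden.
        "team_retained": sum(balances.get(addr, 0) for addr in team_addrs),
    }

def team_outflow(previous, current):
    """Tokens that left team addresses between two published snapshots."""
    return max(previous["team_retained"] - current["team_retained"], 0)

# Constructed sample state: five public holders and two team addresses.
SAMPLE_BEFORE = {"a": 400, "b": 200, "c": 150, "d": 100, "e": 100, "t1": 30, "t2": 20}
# Same state after team address t1 moves its 30 tokens to a fresh address x.
SAMPLE_AFTER = {**SAMPLE_BEFORE, "t1": 0, "x": 30}
TEAM = ["t1", "t2"]
```

Comparing two snapshots with `team_outflow` shows the community that retained tokens moved without revealing which team address moved them.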

But let’s think even further down the line for a moment. Combining ICOs with privacy properties while still retaining important accountability measures may be one of the cornerstones of making truly useful security tokens a reality. Secret ICOs can allow us to reduce the risk of outright money grabs and scams (due to the immutable rules of the contract), while not jeopardizing investors and projects by exposing their holdings or data to the public.