Issue #2

Qtum plans to support the issuance of confidential assets on the blockchain. In our previous article, we analyzed a representative project of confidential assets, Zether. This article focuses on existing works in this field and describes our motivations for supporting confidential assets.

On-chain Assets

Colored Coins

In the early days of Bitcoin, developers explored how to store arbitrary data in Bitcoin transactions. With the release of version 0.9.0 in 2013, a new opcode, OP_RETURN, was added to the Bitcoin script. OP_RETURN allows up to 80 bytes of data to be recorded in a Bitcoin output script. After that, the number of transactions using OP_RETURN increased rapidly [1].

A series of protocols were built on top of OP_RETURN; see [2] for details. These protocols take advantage of the open and immutable nature of the blockchain to store application data in specific formats in OP_RETURN, thus building a wide variety of applications. Among them is a category of protocols, such as Open Assets [3] and Omni Layer [4], that allows users to create new assets on the Bitcoin blockchain. The issuance, transfers, and other data of these assets are stored in OP_RETURN. Take Omni Layer as an example, whose supported data types are as follows:

As a result, a large number of assets appeared on Bitcoin. Most of them are pegged to real-world assets such as gold, diamonds, and so on. This type of asset is also called a Colored Coin. To date, the most famous Colored Coin we know is USDT, which is pegged to the US dollar and is listed on most cryptocurrency exchanges.

There are many advantages to issuing assets on Bitcoin. The most important one is that issuers can rely on the security and usability of Bitcoin without having to develop a blockchain system themselves.

ERC-20 and ERC-721

The biggest innovation of Ethereum is smart contracts. With smart contracts, developers can flexibly build Decentralized Applications (DApps) on the blockchain. Smart contracts are also often used to build on-chain assets. To standardize the interfaces of different assets on Ethereum, the community proposed the ERC-20 [5] standard.

ERC-20 defines a standard for token assets based on Ethereum smart contracts. The standard specifies interfaces such as token transfer, allowance, etc., so that third parties, including wallets and exchanges, can reuse the same interface to manage different tokens. The well-known USDT also has an ERC-20 implementation on Ethereum. The specific interfaces of ERC-20 are as follows:

With the diversification of DApps on Ethereum, token assets no longer satisfied all of their requirements. With the emergence of collectible DApps such as CryptoKitties, the community proposed the ERC-721 [6] standard. ERC-721 introduces the concept of the NFT (Non-Fungible Token), which represents an asset whose tokens are all distinct from each other, such as real estate, artworks, tickets, etc. On-chain assets have thus expanded from pure currency to a much broader concept of assets.

Privacy Issue

While on-chain assets are widely used, privacy issues have gradually been exposed. Information such as balances and transfers of assets is openly and permanently recorded on the blockchain, limiting further business applications of on-chain assets. In the case of USDT, its issuance, destruction, and transfers are routinely monitored and interpreted by third parties. If you use USDT to transfer money to someone, the balance of your account is exposed to them, which is unacceptable, especially in some business scenarios.

Confidential Assets

In order to resolve the privacy issue of on-chain assets, many solutions have been proposed.

Solution on UTXO

Blockstream first introduced a confidential asset solution on UTXO in 2017 [7] and applied it to the Elements project. This solution replaces the plaintext transaction amounts on the blockchain with Pedersen commitments:

commitment = xG + a(H + rG)

where a is the transaction amount, and G and H are generators of the elliptic curve. G is a constant, while H represents the asset type and takes a different value for each confidential asset. x and r are called blinding factors; they are set to fresh random values in each UTXO to further hide the transaction amount and asset type.

This approach allows a verifier, who sees only the commitments and knows neither the transaction amounts nor the asset types, to check that the input and output amounts of each asset balance in every transaction. The transaction amount and asset type are sent from the sender to the receiver through encrypted on-chain data or an off-chain p2p channel, so that only the two parties of the transaction know them.

In the process of asset issuance, transfer, and destruction, it is also necessary to introduce some ZKP (Zero-Knowledge Proof) procedures to prove that the transaction amount and asset type have reasonable values without exposing those values. The proof for the transaction amount is called a Range Proof and shows that its value is a positive number; the proof for the asset type is called a Surjection Proof and shows that its value belongs to a specific set.
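To make the commitment scheme above concrete, here is an added Python example, written for this article and not taken from Blockstream's or the Elements project's code. It implements commitment = xG + a(H + rG) over secp256k1 and runs the verifier's balance check: a correctly blinded transfer of two assets verifies, while an output that inflates the gold amount, or one that swaps gold for usd, fails, even though the verifier never learns amounts or asset types. The asset tags, amounts, dictionary layout and function names are this example's own constructions; H is derived with a simple try-and-increment hash-to-curve (an assumption, chosen so its discrete log with respect to G is unknown), fees are omitted so inputs must exactly equal outputs, and the Range Proof and Surjection Proof are left out.

```python
import hashlib
import secrets

# secp256k1 parameters (the curve used by Bitcoin, Elements and secp256k1-zkp).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (teaching code, not constant-time)."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_neg(point):
    return None if point is None else (point[0], (-point[1]) % P)


def asset_generator(tag: bytes):
    """Hash an asset tag to a point H with unknown discrete log (toy try-and-increment)."""
    counter = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + counter.to_bytes(4, "big")).digest(), "big") % P
        y2 = (x * x * x + 7) % P
        y = pow(y2, (P + 1) // 4, P)                      # valid square root since P % 4 == 3
        if y * y % P == y2:
            return (x, y)
        counter += 1


def commit(x, a, H, r):
    """commitment = xG + a(H + rG): value blinder x, amount a, asset tag H, asset blinder r."""
    blinded_asset = ec_add(H, ec_mul(r, G))
    return ec_add(ec_mul(x, G), ec_mul(a, blinded_asset))


def make_output(amount, asset_tag):
    """Sender side: a blinded UTXO with fresh random blinding factors (constructed layout)."""
    x, r = secrets.randbelow(N), secrets.randbelow(N)
    return {"amount": amount, "asset": asset_tag, "x": x, "r": r,
            "C": commit(x, amount, asset_generator(asset_tag), r)}


def g_coefficient(o):
    """The scalar multiplying G inside one commitment: x + a*r."""
    return (o["x"] + o["amount"] * o["r"]) % N


def balance_outputs(inputs, outputs):
    """Sender side: choose the last output's value blinder so all G terms cancel."""
    g_in = sum(g_coefficient(o) for o in inputs) % N
    g_out = sum(g_coefficient(o) for o in outputs[:-1]) % N
    last = outputs[-1]
    last["x"] = (g_in - g_out - last["amount"] * last["r"]) % N
    last["C"] = commit(last["x"], last["amount"], asset_generator(last["asset"]), last["r"])
    return outputs


def verify_balance(input_commitments, output_commitments):
    """Verifier side: sees only commitments; accepts iff sum(inputs) - sum(outputs) is infinity."""
    total = None
    for C in input_commitments:
        total = ec_add(total, C)
    for C in output_commitments:
        total = ec_add(total, ec_neg(C))
    return total is None


def demo_valid():
    """Constructed: 50 gold + 100 usd in, split into 30 gold, 20 gold and 100 usd out."""
    ins = [make_output(50, b"gold"), make_output(100, b"usd")]
    outs = balance_outputs(ins, [make_output(30, b"gold"), make_output(20, b"gold"),
                                 make_output(100, b"usd")])
    return verify_balance([o["C"] for o in ins], [o["C"] for o in outs])


def demo_inflation():
    """Constructed: 50 gold in, 55 gold out; G terms cancel but the H_gold term does not."""
    ins = [make_output(50, b"gold")]
    outs = balance_outputs(ins, [make_output(30, b"gold"), make_output(25, b"gold")])
    return verify_balance([o["C"] for o in ins], [o["C"] for o in outs])


def demo_asset_swap():
    """Constructed: 50 gold in, 50 usd out; amounts match but the asset generators differ."""
    ins = [make_output(50, b"gold")]
    outs = balance_outputs(ins, [make_output(50, b"usd")])
    return verify_balance([o["C"] for o in ins], [o["C"] for o in outs])


if __name__ == "__main__":
    print("valid transfer verifies:", demo_valid())        # True
    print("inflated output verifies:", demo_inflation())   # False
    print("asset swap verifies:", demo_asset_swap())       # False
```

The balance check alone is not sufficient: amounts are scalars modulo N, so an output carrying a "negative" amount (N minus something) would also make the sums cancel. That is exactly the gap the Range Proof closes, and the Surjection Proof likewise stops a sender from committing to an asset generator that was never issued. Both are omitted here, as is constant-time arithmetic, which a production library such as secp256k1-zkp must provide.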

In the Elements project, this solution is applied to a Bitcoin-based system. It is also planned to be used in MimbleWimble systems in the future, such as Grin [8] and Beam [9]. The differences are:

In the Bitcoin-based implementation, the transaction process is non-interactive: the receiver does not need to be online to complete the transaction. The MimbleWimble-based implementation is the opposite.

In the Bitcoin-based implementation, the addresses of both parties to the transaction are not hidden. In the MimbleWimble-based implementation, they are hidden.

The advantage of this solution proposed by Blockstream is its strong privacy. The addresses, amounts, and asset types of each transaction can be hidden on the blockchain and are known only to the UTXO owner. But the shortcomings are also obvious:

The system changes a lot. It must be implemented through a new blockchain or by hard-forking an existing blockchain.

No smart contracts. It is not possible to add smart contracts to this solution, so there is no way to customize the logic of confidential assets or to create on-chain applications based on them. Developers can only realize some simple logic through a technique called Scriptless Script.

Solutions on Smart Contracts

Many smart-contract-based solutions for confidential assets have been proposed to solve these problems, including AZTEC [10], Zether [11], Anonymous Zether [12], PGC [13], Nightfall [14] and so on. Their main work is to implement existing blockchain confidential transaction schemes (such as zk-SNARK, MimbleWimble, etc.) using smart contracts and to improve them based on the features and limitations of smart contracts. With these solutions, anyone can launch their own ZCash, Grin, or Beam on the blockchain. A comparison of these solutions is as follows:

Some terms in the table are explained below:

State Model. This refers to the way account balances are stored. UTXO means that the balance of each account is composed of several UTXO amounts, as in Bitcoin. Account means that the balance of each account is recorded in a single balance field, as in Ethereum. Existing blockchain confidential transaction solutions are all based on the UTXO model. However, storing data in a smart contract consumes a lot of gas, so ERC-20 tokens on Ethereum are mostly based on the account model. Zether, Anonymous Zether, and PGC therefore chose the account model to implement confidential assets.

ZKP Algorithm. In confidential assets, the role of ZKP is to allow the transaction creator to prove to the verifier that the transaction parameters, such as amounts, addresses, and asset types, all have reasonable values without exposing those values. The ZKP algorithm is the most important part of any confidential asset solution. The main differences among the algorithms are the form of the proved statement, the amount of computation, and the security level. Since ZKP algorithms are all very complicated, they will not be explained in depth here.

Setup Type. Some confidential transaction solutions need a trusted setup process to initialize a set of parameters. The trusted setup is executed manually by one or several people: they first generate a set of random numbers, then calculate the final required parameters, and finally delete all the intermediate data generated during the calculation. If that data is not deleted, it can be used to build illegal transactions that the verifier would not detect. Therefore, users must trust the executors of the trusted setup, which is a weakness of such schemes.

The advantages of smart-contract-based privacy assets are:

Programmability. The logic of asset issuance, destruction, transfer, exchange, etc., can be modified by smart contracts, providing more functions and attributes to confidential assets.

Interoperability. Confidential assets can interact with other contracts such as tokens, auctions, votes, etc., allowing more applications to be built on confidential assets.

The implementation of these solutions benefits from the precompiled contracts for the BN-128 elliptic curve on Ethereum. BN-128 is a pairing-friendly elliptic curve that was previously used mainly in zk-SNARK. Ethereum added three precompiled contracts through EIP-196 [15] and EIP-197 [16], which implement addition (ECADD), scalar multiplication (ECMUL), and the pairing check on BN-128. These precompiled contracts greatly reduce the gas consumption of elliptic curve operations, making contract-based confidential asset solutions feasible.

However, Ethereum has an overall gas limit (about 8 M) for each block, which can be viewed on etherscan [17]. Comparing with the table above, it can be seen that the gas used by these solutions is very close to the block gas limit, so they can hardly run on Ethereum. EIP-1108 [18] proposes to reduce the gas of the BN-128 precompiled contracts (as shown in the following table, where Current Gas Cost is the present gas cost of each precompiled contract and Updated Gas Cost is the cost proposed by EIP-1108), and EIP-1109 [19] proposes to reduce the gas of all precompiled contracts. However, these EIPs need to be applied to Ethereum through a hard fork, so they take a long time to be implemented.

Qtum and Confidential Assets

Motivation

Throughout the development of blockchain technology, we have seen that the demand for privacy on the blockchain constantly drives the innovation of privacy technology and the adoption of its applications.

First, to resolve the privacy issue in the blockchain, many new algorithms have been proposed, such as zk-SNARK, MimbleWimble, Bulletproofs, etc. These algorithms make extensive use of basic cryptographic techniques, such as elliptic curves, encryption, and signatures, and have been carefully designed in terms of security and performance. As a result, a large number of developers are motivated to study cryptography and make innovations.

Second, to implement privacy algorithms, people in the blockchain space have produced a set of standards and developed and maintained the corresponding code libraries. For example, the Schnorr signature standard in [22] unifies the implementations of Schnorr signatures in multiple blockchain systems such as BCH, Grin, and Beam. Another example is the secp256k1-zkp codebase in [23], which implements Pedersen commitments and Range Proofs; it is developed and maintained by Blockstream and used by multiple projects.

Finally, we strongly believe that the use of confidential transactions and confidential assets will soon become widespread. Currently, because transaction amounts and addresses on the blockchain are completely public, some applications monitor transactions to alert on large transfers [24], and some applications try to uncover the entities behind addresses [25]. As a result, users have no privacy when they use the blockchain to trade and pay. We have seen some business teams working on blockchain privacy solutions. For example, the Anonymous Zether project is developed by the JP Morgan team and will eventually be used in their payment system.

Technology

The smart contract environment on Qtum is based on Ethereum's EVM. In the upcoming hard fork [20], an upgrade will add support for the BN-128 elliptic curve precompiled contracts. Therefore, the smart-contract-based confidential asset solutions described above can be applied directly to Qtum.

In addition, Qtum has a gas limit of 40 M per block and 20 M per transaction, which is much higher than Ethereum's. These limits can also be modified on-chain through Qtum's DGP (Decentralized Governance Protocol). So confidential assets need not worry too much about high gas costs when running on Qtum.

Finally, as planned in QIP-19 [21], we can subsequently add more precompiled contracts to allow more confidential asset solutions to run on Qtum. For example, we can add precompiled contracts for the secp256k1 elliptic curve to improve the performance of Zether, Anonymous Zether, and PGC. As another example, we can add precompiled contracts for Schnorr signatures and Bulletproofs, so that MimbleWimble can run as smart contracts on Qtum.

Future Work

In the future, we will continue to explore how to apply confidential assets to Qtum. On the one hand, we will do more in-depth research on technical aspects such as precompiled contracts, Range Proofs, and MimbleWimble. On the other hand, we will try to cooperate with technical teams working on confidential assets to explore the future of this area.

References

[1] https://p2sh.info/dashboard/db/op_return-statistics?panelId=3&fullscreen&orgId=1&from=now-10y&to=now

[2] https://arxiv.org/pdf/1702.01024.pdf

[3] https://github.com/OpenAssets

[4] https://github.com/OmniLayer

[5] https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20.md

[6] https://github.com/ethereum/EIPs/blob/master/EIPS/eip-721.md

[7] https://elementsproject.org/features/issued-assets/investigation

[8] https://www.grin-forum.org/t/confidential-assets/1217

[9] https://medium.com/beam-mw/mimblewimble-confidential-assets-b33539eb7033

[10] https://github.com/AztecProtocol/AZTEC

[11] https://crypto.stanford.edu/~buenz/papers/zether.pdf

[12] https://github.com/jpmorganchase/anonymous-zether

[13] https://eprint.iacr.org/2019/319.pdf

[14] https://github.com/EYBlockchain/nightfall

[15] https://eips.ethereum.org/EIPS/eip-196

[16] https://eips.ethereum.org/EIPS/eip-197

[17] https://etherscan.io/blocks

[18] https://eips.ethereum.org/EIPS/eip-1108

[19] https://eips.ethereum.org/EIPS/eip-1109

[20] https://github.com/qtumproject/qips/issues/10

[21] https://github.com/qtumproject/qips/issues/19

[22] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

[23] https://github.com/ElementsProject/secp256k1-zkp

[24] https://chain.info/monitor

[25] https://www.blockchain.com/btc/tags

Thinking About Blockchain Privacy: Confidential Assets on the Blockchain was originally published in Qtum on Medium.