Vitalik’s latest paper is refined: How does Privacy Pools solve the impossible triangle problem of “privacy, decentralization, and compliance”?

Yesterday, Vitalik and some scholars from the University of Basel jointly published a paper titled "Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium". It has attracted widespread attention.

Why should we pay attention to papers like this when the market is cold?


Vitalik's thinking and writing often shape the direction of new narratives and technologies, and the co-authors, well-known experts and scholars in other corners of the blockchain field, bring their own insights into blockchain technology and its development trends.

Beyond that, the privacy and compliance issues the paper discusses bear directly on where the crypto industry goes next and on which compliance path it chooses. Finding a balance between protecting user privacy and meeting regulatory requirements is a problem the industry urgently needs to solve.

After reading the paper, we found that the Privacy Pools protocol it proposes offers a feasible technical route to making privacy and compliance compatible. If it works, the fate of Tornado Cash, sanctioned out of existence by regulators, need not be repeated.

However, the paper is academic and technical, making it difficult to read, and some of its details and meanings are not easy for ordinary users to understand.

Therefore, the Deep Tide Research Institute has interpreted and refined the paper, trying to explain the core points of the paper through popular language, which can help more people understand the important issue of privacy and compliance, as well as its technical path and possible solutions.

Who are the authors?

First of all, the paper was led by Vitalik and co-authored by academics and industry practitioners.

Vitalik acts as first author. Due to Vitalik's important influence and reputation in the field of cryptocurrency, the proposal can gain more attention.

Other co-authors include:

  • Jacob Illum, researcher at the crypto industry research organization Chainalysis;
  • Matthias Nadler, a doctoral candidate at the University of Basel, who also works on DeFi and EVM development projects;
  • Fabian Schär, a professor at the University of Basel, who researches public chains and DeFi protocols;
  • Ameen Soleimani, founder of several well-known crypto projects, with extensive hands-on experience.


Background: Contradictions between privacy and regulation, the tragedy of Tornado Cash

  • Public blockchains are designed to be transparent: anyone can verify a transaction without relying on a centralized third party. But this creates privacy concerns, since every transaction of every address is recorded on chain, which allows addresses to be tracked and analyzed.
  • The Bitcoin white paper assumes that blockchains protect privacy through pseudonymous public keys, but this protection has proven insufficient: blockchain analysis tools can correlate addresses and transactions. Stronger cryptographic techniques are therefore needed to improve privacy on public chains.
  • Systems built on general-purpose zero-knowledge proofs, such as Zcash and Tornado Cash, enlarge the anonymity set to cover every deposit in the system and thereby greatly improve privacy. However, Tornado Cash was also abused by hackers, and its smart contract addresses were eventually sanctioned by OFAC.

On the Tornado Cash question, Shenchao has added some technical background for readers who are not familiar with the earlier regulatory sanctions:

  • Tornado Cash is a privacy-enhancing protocol based on zero-knowledge proofs that enables anonymous transfers. A user deposits funds and later withdraws them to a different address. Only the deposits and the withdrawals are visible on chain, not the link between a particular deposit and a particular withdrawal, which is what provides the anonymity.
  • But the protocol was also abused by hacker groups, who used it to launder money. For example, there is evidence that North Korean hacking groups laundered funds through Tornado Cash.
  • As a result, OFAC, part of the U.S. Treasury Department, eventually added Tornado Cash's smart contract addresses to its sanctions list. Regulators took the view that the protocol facilitated money laundering and undermined efforts to combat financial crime.
  • **The key problem with Tornado Cash is that it is difficult for legitimate users to decouple themselves from the criminal activity that the protocol attracts.**
  • Tornado Cash did offer a "compliance" proof with which a user could show that a given withdrawal corresponds to a given deposit. However, as the article describes it, creating this proof relied on Tornado Cash's own centralized server: the user had to hand the server the details of the withdrawal, the server looked up in its own database which deposit the withdrawal actually corresponded to, and only then generated the proof.


This depends on a centralized intermediary, because only Tornado Cash held the complete database needed to generate a correct proof. Ordinary users could not check the proof's correctness for themselves; users and regulators alike could only choose to trust it.

**What is urgently needed is a way to prove to regulators that my source of funds is clean and legal without giving up either privacy or decentralization.**

This is why the paper proposes a feasible technical solution, the Privacy Pools protocol: a user proves that their funds come from a self-chosen "association set" of deposits. This protects privacy while also letting the user show that the funds do not come from certain known illicit sources.

This could be the first step toward compatible coexistence of privacy and regulation.

zk + association set: the key to solving the problem

From the background above we understand the problem to be solved: to prove that one's funds are "innocent" while preserving both privacy and decentralization.

To ensure privacy, we can easily think of zk. Indeed, Vitalik's latest paper also affirmed zk, especially the value of zk-SNARK in solving privacy issues:

  • Zero-knowledge: Do not disclose private data, only prove that the statement is correct.
  • **Succinctness:** The proof is very short and fast to verify, and it stays efficient even when the underlying computation is complex.

However, a zk-SNARK alone solves only part of the problem. It lets a user prove that their withdrawal corresponds to some valid deposit while hiding which one, but on its own it says nothing about where that deposit came from.

To solve the problem completely, the user needs to prove that the source of the funds is acceptable while still hiding the details of the transaction.

Therefore, the paper combines zk with another mechanism: the association set.

  • An association set lets a user prove that their funds come from a chosen subset of deposits, rather than either hiding the source completely or disclosing it completely. For example, instead of proving only "my withdrawal came from one of all N deposits in the pool", I prove "my withdrawal came from one of these K deposits"; that subset of K deposits is my association set.
  • The association set can be large or small, and the user is free to decide its composition and scope. It can be a large anonymity set for stronger privacy, or a small set to make a compliance argument.

After understanding the concept of association sets, let's take a look at how zk+ association sets can both ensure privacy and prove the source of funds:

  1. When a user makes a deposit, they generate a secret locally and derive from it a public coin ID, which is recorded on chain. (Ties me to this money.)
  2. When the user withdraws, they publish a nullifier derived from the same secret, which proves they know the secret and prevents the same deposit from being withdrawn twice. (Proves the money is mine.)
  3. With a zk-SNARK, the user proves only that their coin ID is present both in the set of all deposits and in the association set they declared. (Proves the money comes from the declared set.)
  4. Outside observers see only that a withdrawal occurred and which association set it was proved against; they learn nothing linking the withdrawing address to a specific deposit.


For a slightly more technical view, look at the Merkle tree diagram in the original paper. The trees in the figure contain only coin IDs: the transaction details themselves are hidden by the zero-knowledge proof, and only the coin IDs are stored in the tree structure.

The tree on the left holds all deposits currently in the pool, one of which is mine. To show that the source of my funds is acceptable, I also need the tree on the right: a custom association set that groups my deposit with the other deposits I am willing to be associated with. As long as the deposits in the right-hand tree have an acceptable history, I can vouch for the origin of my money.

Conceptually, this is a privacy pool. The association set on the right contains the provenance of my money, and because the zero-knowledge proof covers it, I can convince you that my money really does come from that set without telling you the details of the transaction.
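The four withdrawal steps and the two-tree picture above can be made concrete by writing out the statement the zk-SNARK proves. The code below is an added example, not code from the paper or from any Privacy Pools implementation: it runs the checks in the clear, so it shows what is proved but gives no privacy (a real deployment keeps the secret and Merkle paths inside the SNARK and publishes only the proof). The hash function, the way coin ID and nullifier are derived from the secret, and the tiny tree depth are assumptions of this example, not constants from the paper.

```python
"""Plaintext model of the Privacy Pools withdrawal statement (added example)."""
import hashlib
import secrets as rng

DEPTH = 4                      # assumption: toy trees with 2**DEPTH leaves
ZERO = b"\x00" * 32            # padding leaf for unused slots

def H(*parts):
    """Domain-separated SHA-256 (assumption; the paper leaves the hash abstract)."""
    return hashlib.sha256(b"".join(parts)).digest()

def coin_id_of(secret):
    return H(b"coin", secret)  # public, stored in the deposit tree (assumed derivation)

def nullifier_of(secret):
    return H(b"null", secret)  # published at withdrawal to block double spends

def build_tree(leaves):
    """All levels of a fixed-depth Merkle tree; levels[-1][0] is the root."""
    if len(leaves) > 2 ** DEPTH:
        raise ValueError("tree full")
    level = list(leaves) + [ZERO] * (2 ** DEPTH - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, plus which side the node is on."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1))  # (sibling, node_is_right_child)
        index >>= 1
    return path

def verify_path(leaf, path, root):
    node = leaf
    for sibling, node_is_right in path:
        node = H(sibling, node) if node_is_right else H(node, sibling)
    return node == root

class Pool:
    def __init__(self):
        self.deposits = []     # public coin IDs in deposit order (the left tree)
        self.spent = set()     # public nullifiers already used

    def deposit(self):
        secret = rng.token_bytes(32)            # generated locally, never published
        self.deposits.append(coin_id_of(secret))
        return secret

    def prove_withdrawal(self, secret, association_set):
        """Prover side. Returns the public statement and the private witness;
        a zk-SNARK would replace the witness with a short proof."""
        coin_id = coin_id_of(secret)
        if coin_id not in association_set:
            raise ValueError("association set must contain the prover's own deposit")
        total, assoc_leaves = build_tree(self.deposits), sorted(association_set)
        assoc = build_tree(assoc_leaves)
        statement = {"root_total": total[-1][0], "root_assoc": assoc[-1][0],
                     "nullifier": nullifier_of(secret)}
        witness = {"secret": secret,
                   "path_total": merkle_path(total, self.deposits.index(coin_id)),
                   "path_assoc": merkle_path(assoc, assoc_leaves.index(coin_id))}
        return statement, witness

    def verify_withdrawal(self, statement, witness):
        """Verifier side: the relation a SNARK circuit would enforce."""
        if statement["nullifier"] in self.spent:
            return False                                   # double spend
        if statement["root_total"] != build_tree(self.deposits)[-1][0]:
            return False                                   # not the on-chain deposit root
        secret = witness["secret"]
        if nullifier_of(secret) != statement["nullifier"]:
            return False                                   # nullifier not tied to the secret
        coin_id = coin_id_of(secret)
        if not verify_path(coin_id, witness["path_total"], statement["root_total"]):
            return False                                   # not a real deposit
        if not verify_path(coin_id, witness["path_assoc"], statement["root_assoc"]):
            return False                                   # not in the declared association set
        self.spent.add(statement["nullifier"])
        return True

def demo():
    """Alice, Bob and Eve deposit; Alice's association set excludes Eve."""
    pool = Pool()
    alice, bob, eve = pool.deposit(), pool.deposit(), pool.deposit()
    clean = {coin_id_of(alice), coin_id_of(bob)}
    st_a, wit_a = pool.prove_withdrawal(alice, clean)
    accepted = pool.verify_withdrawal(st_a, wit_a)
    replayed = pool.verify_withdrawal(st_a, wit_a)         # same nullifier again
    st_e, wit_e = pool.prove_withdrawal(eve, set(pool.deposits))  # Eve must include herself
    # Forgery attempt: Eve's secret with Alice's path against the clean root.
    forged = pool.verify_withdrawal({**st_a, "nullifier": st_e["nullifier"]},
                                    {**wit_e, "path_assoc": wit_a["path_assoc"]})
    honest_eve = pool.verify_withdrawal(st_e, wit_e)
    return {"alice": accepted, "replay": replayed, "forged": forged, "eve_full_set": honest_eve}
```

The two `verify_path` calls are the heart of it: the same coin ID must sit under both roots, so a user can only claim an association set that genuinely contains their own deposit. In the real protocol the verifier sees only the two roots, the nullifier and a proof; everything in `witness` stays private.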

Practical use cases for Privacy Pools

The paper gives a very vivid example to show the application of Privacy Pool.

Background settings:

  • There are five users: Alice, Bob, Carl, David and Eve.
  • The first four are honest, but Eve is a known thief.
  • While Eve’s true identity may be unknown, the public knows that the funds received by addresses labeled “Eve” are stolen funds.

User’s choices and games when withdrawing money:


  • When each user withdraws, following the paper's method, they choose an association set.
  • The association set must include the user's own deposit; no user can leave their own deposit out of the set they select.
  • For four users, Alice, Bob, Carl, and David, to avoid being associated with Eve, a known bad actor, they can choose an association set that does not include Eve. This way, they can prove that they are not related to Eve.
  • However, Eve faces a problem: she cannot choose an association set that only includes herself, because that would immediately reveal her as a bad actor.
  • To try to hide her bad behavior, Eve might choose an association set that includes all five users, hoping to confuse observers;
  • However, since the other four users all chose association sets that did not include Eve, this made Eve's attempts futile, as one could determine by elimination that Eve was the bad actor.

Result:

  • Through the selection of the association set, Alice, Bob, Carl and David can prove that they are not associated with Eve, a known bad actor.
  • Eve cannot hide her bad behavior because her association set includes everyone.

Figure 5 in the paper further illustrates the difference between the two kinds of proof. In a membership proof, the association set is a specific list of deposits; in an exclusion proof, the association set is every deposit except a specific list of deposits.
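The five-user game above and the membership versus exclusion distinction can be checked mechanically. The code below is an added example, not code from the paper: it builds the two kinds of association set and then applies a simple elimination rule (if k withdrawals all declare the same k-deposit set, those deposits are used up) to see what an outside observer can deduce from the public association-set choices alone. The elimination rule is a deliberately simple version of the reasoning, not the paper's formal analysis, and the names and the "careless" scenario are constructed for illustration.

```python
"""Association-set choice and observer inference (added example)."""
from collections import Counter

def exclusion_set(all_deposits, blocklist):
    """Exclusion proof: 'my deposit is any deposit except these'."""
    return frozenset(all_deposits) - frozenset(blocklist)

def membership_set(allowlist):
    """Membership proof: 'my deposit is one of exactly these'."""
    return frozenset(allowlist)

def infer(withdrawals):
    """withdrawals: list of (label, association_set); each withdrawal spends one
    distinct deposit inside its declared set. Returns, per withdrawal, the deposits
    it could still have come from after repeated elimination."""
    cands = {w: frozenset(s) for w, s in withdrawals}
    changed = True
    while changed:
        changed = False
        for s, k in Counter(cands.values()).items():
            if len(s) != k:
                continue                     # set not saturated by its own claimants
            for w, c in cands.items():       # those k deposits are consumed elsewhere
                if c != s and c & s:
                    cands[w] = c - s
                    changed = True
    return cands

DEPOSITS = ["Alice", "Bob", "Carl", "David", "Eve"]   # constructed; Eve is the known thief

def paper_example():
    """Honest users exclude Eve; Eve hides inside the full set."""
    clean = exclusion_set(DEPOSITS, ["Eve"])
    withdrawals = [(f"w{i}", clean) for i in range(1, 5)]
    withdrawals.append(("w5", membership_set(DEPOSITS)))
    return infer(withdrawals)

def careless_example():
    """Same, except David's membership set sloppily includes Eve."""
    clean = exclusion_set(DEPOSITS, ["Eve"])
    withdrawals = [(f"w{i}", clean) for i in range(1, 4)]
    withdrawals.append(("w4", membership_set(["David", "Eve"])))
    withdrawals.append(("w5", membership_set(DEPOSITS)))
    return infer(withdrawals)
```

In `paper_example` the four clean withdrawals exhaust the four clean deposits, so the fifth withdrawal is pinned to Eve, while each honest withdrawal still hides among four candidates. In `careless_example` one honest user's poor set choice breaks the elimination: the observer can no longer isolate Eve, and David's own withdrawal is now known to be either his or Eve's. This is the "user error" risk the paper lists among its open questions.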


Future Outlook

Although the privacy-enhancing protocol described above, built on zk-SNARKs and association sets, offers a way to balance compliance and privacy on blockchains, technical and governance challenges remain. The authors propose several directions for future work:

  • **Further study of privacy properties:** The privacy these protocols provide depends on many factors. The size of the association set, the appropriateness of the chosen roots, and user error could all allow a determined attacker to link a user's transactions.
  • Investigate the properties of separation equilibria: Further study the way good and bad actors behave under certain assumptions, and how the public proof of the former affects the privacy of the latter.
  • Legal Research: Jurists can further research specific disclosure requirements. The recommendations made in this paper are highly adaptable, and insights from legal experts can help adapt the protocol and the ecosystem around it to ensure compliance with various legal jurisdictions.

Finally, we believe that at this point in time, privacy and compliance are often seen as irreconcilable opposites.

The technology described in the paper finds a balance between the two and brings positive significance to the entire industry. It is hoped that more researchers and developers can be inspired by this technology and contribute to the healthy and sustainable development of the industry.
