A novel zero-knowledge account-based design by Dusk Network that addresses the problems of adding privacy to UTXO and account-based designs.
In this post we release details of our design for a novel, fully private account-based model for layer 2 tokens and zero-knowledge smart contracts. Until now there were only two models: UTXO and account-based. We introduce a third: zero-knowledge account-based.
What can we do with this?
- This is the basis for zero-knowledge smart contracts within Dusk Network.
- Removes the need for ring signatures.
- Power on-chain governance features based on Bulletproofs to provide auditability and compliance prerequisites in Confidential Security Contracts (XSC).
- With Bulletproofs there is no need for a trusted setup, which enables fully trustless privacy.
- Create proofs of correctness
- Create policy proofs
Why we are excited
- Without this: cryptocurrencies are stuck in the smart contract middle ages, with no support for layer 2 privacy tokens, a reliance on trusted setups, and a dependence on centralized transaction restrictions and off-chain processing.
- With this: Dusk inaugurates the era of natively private and compliant layer 2 (security) tokens.
We will first give a short recap of the existing UTXO and account-based models.
The first cryptocurrency, Bitcoin, defines a transaction as a group of uniquely identified inputs and outputs, where the sum of the inputs covers the sum of the outputs (any difference being the miner fee), and where each input references a previously produced but still unspent output. To spend an output one has to sign the spending transaction with the private key corresponding to the public key named in that output. This model is called UTXO (unspent transaction outputs).
In Ethereum, Ripple, Stellar, Ethereum-based tokens and some other cryptocurrencies a different approach is taken: each public key/address has its own balance, which the protocol explicitly debits when the address is the sender of a transaction and credits when it is the recipient. Such designs are called account-based cryptocurrencies.
Why do we need a zero-knowledge account based model?
Current models & problems with enhancing privacy
The distinction between UTXO and account-based cryptocurrencies becomes crucial when enhancing a cryptocurrency with value privacy (keeping the transaction value hidden but provably consistent with the balance change) and user privacy (keeping both the sender and the recipient anonymous). Whereas value privacy is relatively easy to add by using homomorphic commitments or similar mechanisms, user privacy is more difficult.
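The value-privacy mechanism mentioned above, shown as an added example that is not part of the original post and not Dusk Network's code. Amounts are hidden in Pedersen commitments C(v, r) = v*G + r*H on secp256k1, and the verifier checks that the inputs balance the outputs plus the fee purely on commitments: because commitments add homomorphically, the difference is (r_in - r_out)*H if and only if the hidden values balance, and the sender proves knowledge of that scalar with a Schnorr signature against base H (the Mimblewimble-style construction). The second generator H is derived by hashing a label, so nobody knows log_G(H); the label, the toy transaction format and the curve arithmetic are assumptions of this example.

```python
"""Value privacy with homomorphic Pedersen commitments (added example, not the post's code)."""
import hashlib
import secrets

# secp256k1 domain parameters (prime-order curve, cofactor 1)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod the group order N."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def hash_to_point(label):
    """Nothing-up-my-sleeve generator: first x = SHA256(label || ctr) on the curve."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root works because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = hash_to_point(b"pedersen-second-generator")  # label is an assumption of this example


def commit(value, blinding):
    """Pedersen commitment C = value*G + blinding*H (hiding via blinding, binding via DL)."""
    return ec_add(ec_mul(value, G), ec_mul(blinding, H))


def point_bytes(pt):
    return b"\x00" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def schnorr_sign_h(x, public, msg):
    """Proof of knowledge of x where public = x*H (Schnorr over base H)."""
    k = secrets.randbelow(N - 1) + 1
    r = ec_mul(k, H)
    e = int.from_bytes(hashlib.sha256(point_bytes(r) + point_bytes(public) + msg).digest(), "big") % N
    return (r, (k + e * x) % N)


def schnorr_verify_h(public, msg, sig):
    r, s = sig
    e = int.from_bytes(hashlib.sha256(point_bytes(r) + point_bytes(public) + msg).digest(), "big") % N
    return ec_mul(s, H) == ec_add(r, ec_mul(e, public))


def build_tx(inputs, outputs, fee):
    """inputs/outputs are lists of (value, blinding); only the sender sees these."""
    in_c = [commit(v, r) for v, r in inputs]
    out_c = [commit(v, r) for v, r in outputs]
    excess = (sum(r for _, r in inputs) - sum(r for _, r in outputs)) % N
    excess_pt = ec_mul(excess, H)  # what the commitments leave over if the values balance
    msg = b"".join(point_bytes(c) for c in in_c + out_c) + fee.to_bytes(8, "big")
    return {"inputs": in_c, "outputs": out_c, "fee": fee,
            "excess": excess_pt, "sig": schnorr_sign_h(excess, excess_pt, msg)}


def verify_tx(tx):
    """Verifier sees only commitments: sum(in) - sum(out) - fee*G must be the signed excess."""
    total = None
    for c in tx["inputs"]:
        total = ec_add(total, c)
    for c in tx["outputs"]:
        total = ec_add(total, ec_neg(c))
    total = ec_add(total, ec_neg(ec_mul(tx["fee"], G)))
    if total != tx["excess"]:
        return False  # hidden values do not balance (or excess was forged)
    msg = b"".join(point_bytes(c) for c in tx["inputs"] + tx["outputs"]) + tx["fee"].to_bytes(8, "big")
    return schnorr_verify_h(tx["excess"], msg, tx["sig"])
```

The check `verify_tx` never sees an amount, which is the value privacy the post refers to. The caveat a practitioner should keep in mind: scalars are reduced modulo the group order, so an output committing to -1 (that is, N - 1) would still balance; this is exactly the gap that range proofs such as the Bulletproofs mentioned in the post close, and this example does not include one.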
To keep user privacy in the UTXO model, one can either hide the spender among a set of other users (the anonymity set of Monero's ring signatures) or store all outputs in a Merkle tree (as in Zcash), so that one can prove knowledge of an output by providing a zero-knowledge proof of a Merkle opening using zk-SNARKs or other techniques. Accountability, however, becomes a problem.
The problem is that it is difficult to assert that a user's balance equals a certain value, because a user may own a number of unspent outputs (for example after receiving several deposits into her wallet), and these are difficult and expensive to accumulate provably into a single value. This makes the UTXO model a poor fit for privacy-enhanced currencies that restrict balances, such as security tokens with caps on ownership (for example to keep one holder from acquiring a majority of the shares, as a shareholder agreement might require). Account-based currencies have the opposite problem: even if balances are hidden or encrypted, it is difficult to hide whose balance changed when a user withdraws or deposits, because every user whose balance did not change can be ruled out as a potential spender. Updating (almost) all balances in every transaction hides the spender but is computationally too expensive; updating only a few balances leaves an incomplete anonymity set, which is not ideal either.
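The Merkle-tree approach and the accountability gap just described, shown as an added example that is not part of the original post and not Zcash's or Dusk Network's code. Each output is a commitment to (owner, value, rho) stored as a leaf; spending reveals only a nullifier derived from the spending key and rho, plus the fact that the commitment is in the tree. Zcash wraps the Merkle opening in a zero-knowledge proof so that the leaf index stays hidden; this example checks the opening in the clear to show what that proof has to assert (the hash layout, the fixed depth and the note format are assumptions of this example, and SHA-256 stands in for a zero-knowledge-friendly hash).

```python
"""Zcash-style note commitments in a Merkle tree with nullifiers (added example, not the post's code)."""
import hashlib

DEPTH = 4  # 16 leaves; an assumption for the example


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def pubkey(sk):
    return h(b"pk", sk)


def note_commitment(owner, value, rho):
    """Leaf stored on the ledger; reveals nothing about owner or value."""
    return h(b"cm", owner, value.to_bytes(8, "big"), rho)


def nullifier(sk, rho):
    """PRF of rho under the spending key: cannot be linked to the commitment without sk."""
    return h(b"nf", sk, rho)


class CommitmentTree:
    def __init__(self):
        self.leaves = []

    def append(self, leaf):
        self.leaves.append(leaf)
        return len(self.leaves) - 1

    def _layers(self):
        empty = b"\x00" * 32
        layer = self.leaves + [empty] * (2 ** DEPTH - len(self.leaves))
        layers = [layer]
        for _ in range(DEPTH):
            layer = [h(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            layers.append(layer)
        return layers

    def root(self):
        return self._layers()[-1][0]

    def open(self, index):
        """Sibling hashes from the leaf up to the root (the Merkle opening)."""
        path = []
        for layer in self._layers()[:-1]:
            path.append(layer[index ^ 1])
            index >>= 1
        return path


def verify_opening(root, leaf, index, path):
    node = leaf
    for sibling in path:
        node = h(node, sibling) if index & 1 == 0 else h(sibling, node)
        index >>= 1
    return node == root


class Ledger:
    def __init__(self):
        self.tree = CommitmentTree()
        self.spent = set()  # revealed nullifiers

    def deposit(self, owner, value, rho):
        return self.tree.append(note_commitment(owner, value, rho))

    def spend(self, sk, value, rho, index):
        """Statement the zero-knowledge proof would cover: the spender knows sk, value, rho
        and an opening for cm(pk(sk), value, rho); in Zcash the ledger learns only the nullifier."""
        cm = note_commitment(pubkey(sk), value, rho)
        if not verify_opening(self.tree.root(), cm, index, self.tree.open(index)):
            return False  # no such note in the tree
        nf = nullifier(sk, rho)
        if nf in self.spent:
            return False  # double spend
        self.spent.add(nf)
        return True
```

Nothing on the ledger connects two leaves that belong to the same spending key, which is what gives user privacy here; it is also why proving a statement about one user's total balance (a cap on ownership, say) requires reasoning about every note that key can open rather than about a single value, the accountability problem the post describes.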
To summarize the problems with enhancing privacy in the current UTXO and account-based models:
- In the UTXO model it is difficult and computationally expensive to aggregate the unspent amounts of a single user's wallet, which makes it hard to enforce maximum cap restrictions in XSC security tokens.
- In account-based currencies, it is difficult to keep balance changes confidential.
The Dusk Network solution
Dusk Network’s solution has been in the works for a long time and addresses the issues mentioned above by merging the privacy approach of Zcash with the account model.
Concretely, we introduce two new concepts, which have their own merit:
(1) private memory, which enables fast proofs and provable updates for a designated owner, and;
(2) balance tree, which is a data structure with efficient reads, writes, and zero-knowledge proof of balance for any time in the past.
By implementing these concepts efficiently with zero-knowledge-friendly hash functions, we show how to build a token contract with full sender and value privacy, a whitelist of wallet addresses, and provably enforceable restrictions such as a personal cap (a restriction relevant to security tokens, where an issuer may decide that no investor is allowed to own more securities than a given threshold).
Each balance tree correctness proof has size logarithmic in the number of transactions of the user, whereas each opening proof for spent coins has size logarithmic in the total number of transactions, which clearly dominates the former proof. We thus estimate that our construction would be at least as fast as Zcash instantiated with Bulletproofs instead of SNARKs, and probably much faster, as the Poseidon hash function yields more efficient proofs than the Pedersen hash used in Zcash.