Privacy for Ethereum: Aztec vs. Tornado vs. Incognito

There are a few existing solutions designed to introduce privacy properties to public cryptocurrencies, especially those issued on the Ethereum blockchain. In this article, we analyze three approaches to deliver privacy on Ethereum: AZTEC, Tornado Cash, and Incognito.

Tornado Cash

Tornado’s approach is to break the link between the sender and receiver using a mixing technique. Transactions with the same amount are sent to a proxy, a smart contract. The receiver will withdraw the money from the proxy by providing a secret. Pairing-based zk-SNARK technology allows this to happen without revealing which exact deposit corresponds to this secret. In order to save gas, Tornado uses MiMC hash instead of SHA3. This is a trade-off between transaction fees and security.

Achievement:

Breaking the link between sender and receiver

Limitations:

  • Not able to hide the amount of a transaction, or the balance of an address.
  • Transaction delay. More than 24h expected to guarantee security.
  • Pairing-based zk-SNARK requires a trusted setup.

Aztec

Aztec also uses the Ethereum smart contracts to provide privacy properties. Aztec implements JoinSplit protocol, detailed in ZCash version 0.1, which can hide transaction amounts, but not the sender or receiver. To reduce the computational costs of verifying transactions, Aztec uses pairing-based zk-SNARK with trusted setup.

Achievement:

Hiding the amount of a transaction

Limitations:

  • Unable to hide sender and receiver addresses
  • Trusted setup
  • High transaction fees (estimated at 900,000 gas/tx)

Both Tornado Cash and Aztec implement privacy on top of the Ethereum blockchain. They thus inherit its advantages, but gas fees and speed are drawbacks for these approaches. To overcome this, they have to use a lighter computation approach which sacrifices security: pairing-based zk-SNARK with a trusted setup. It is generally agreed that a curve with paring property is not as safe as the ED25519 curve, as used in Incognito.

Incognito

Incognito takes a different approach. The Incognito-Ethereum bridge is designed for fully decentralized cross-chain interoperability. Implementations will enable cross-chain communication between the two blockchains, and enable the choice of “incognito mode” for transfers of crypto assets (ETH and ERC20 tokens). Using this bridge, anyone can turn on privacy for their tokens and shield their balances and activity.

How to send ETH and ERC20 privately

The bridge facilitates the transfer of crypto assets (e.g. tokens) between two blockchains by implementing locking, minting and burning mechanisms on each blockchain. When tokens are sent to a locking contract on Ethereum, Incognito needs to verify that the “locking” transaction was indeed confirmed on Ethereum, and upon the submission of the token lock transaction on Ethereum, proceed to mint a corresponding amount of privacy tokens (e.g., privacy Ether or privacy ERC20 tokens). When these privacy tokens are burned, the locking contract on Ethereum will verify the validity and unlock it upon submission of proof. This effectively maintains a 1:1 ratio between the privacy token on Incognito and the original token on Ethereum.

Incognito uses RingCT and Bulletproof techniques to provide full privacy – shielding the transaction amount, sender, and receiver. Incognito’s sharding technique improves transaction throughput – 100 tps vs. 15 tps of Ethereum, and transaction fees are extremely low.

Summary

Aztec Tornado Cash Incognito
Untraceable No Yes Yes
Shield tx amount Yes No Yes
Shield sender and receiver No Yes Yes
Non-trusted setup No No Yes
Transaction fee High High Low

The security of cryptography is proportional to the cost of computation. High gas fees present considerable difficulty for approaches implemented on Ethereum, and often, sacrifices have to be made in terms of security.

Incognito’s unique approach utilizes advanced cryptographic techniques, sharding, and bridging, in order to achieve a more robust, lower-cost privacy.

In Q3-2020, Incognito will provide a trustless decentralized bridge for non-ERC20 tokens. This will enable trustless exchanges of ERC20 and non-ERC20 tokens. In Q1-2021, confidential asset technique will be deployed to shield asset type.

24 Likes

I have a question about data leaks and the bridges.

  1. What prevents the bridge contract addresses from being blacklisted; if you go in and out using the bridge that cexs will close or flag your account similar to using mixers? For example the bridge contract on eth has one address even though the input addresses are rotated I believe

  2. Right now it is possible for people to make reasonable assumptions about users based on data that is exposed.

For example if someone shields 1000 usdt and then a trade for prv in the same amount is made in a short period of time after the shield, an observer can make reasonable assumptions that it is the same person based on observing the incognito chain. I see shielding and immediate trading happening all the time

Isn’t it better to shield with coins like monero so that the input into the incognito chain is hidden?

Is there a plan in place to make the immediate tracking of users from bridge to first trade harder?

Aztec is planning on creating hidden transactions on chain. Wouldn’t such a solution be a good idea to maintain privacy — that is that people are using incognito in the first place?

Right now incognito is great once you get on chain but entering the chain and first transactions are trackable and visible

4 Likes

I think they said that with confidential assets a lot of things will be improved in the privacy side of things. I was also suggesting if it was possible to give traders the options whether they wanna make trading history public or hidden.

2 Likes

Doesn’t Incognito also show the amount of a transaction?

Incognito shields both amount of a transaction and sender/receiver address.

Thank you @dungtran. I was thinking of pDex that shows the amounts not the transactions.

For more detailed information:

  1. Incognito chain shields tx amount, sender/receiver address.
  2. pDex currently doesn’t shield tx amount or sender/receiver address. The privacy v2 - to be deployed at the end of Q3/2020 - will shield sender/receiver address, not tx amount. However, when more traders join, and each trader randomly picks her trade amount, it’s hard to track the trade indeed.

Thank you for the clarification :sunglasses: