Privacy for Ethereum: Aztec vs. Tornado vs. Incognito

There are a few existing solutions designed to introduce privacy properties to public cryptocurrencies, especially those issued on the Ethereum blockchain. In this article, we analyze three approaches to deliver privacy on Ethereum: AZTEC, Tornado Cash, and Incognito.

Tornado Cash

Tornado’s approach is to break the link between the sender and receiver using a mixing technique. Transactions with the same amount are sent to a proxy, a smart contract. The receiver will withdraw the money from the proxy by providing a secret. Pairing-based zk-SNARK technology allows this to happen without revealing which exact deposit corresponds to this secret. In order to save gas, Tornado uses MiMC hash instead of SHA3. This is a trade-off between transaction fees and security.

Achievement:

Breaking the link between sender and receiver

Limitations:

  • Not able to hide the amount of a transaction, or the balance of an address.
  • Transaction delay. More than 24h expected to guarantee security.
  • Pairing-based zk-SNARK requires a trusted setup.

Aztec

Aztec also uses the Ethereum smart contracts to provide privacy properties. Aztec implements JoinSplit protocol, detailed in ZCash version 0.1, which can hide transaction amounts, but not the sender or receiver. To reduce the computational costs of verifying transactions, Aztec uses pairing-based zk-SNARK with trusted setup.

Achievement:

Hiding the amount of a transaction

Limitations:

  • Unable to hide sender and receiver addresses
  • Trusted setup
  • High transaction fees (estimated at 900,000 gas/tx)

Both Tornado Cash and Aztec implement privacy on top of the Ethereum blockchain. They thus inherit its advantages, but gas fees and speed are drawbacks for these approaches. To overcome this, they have to use a lighter computation approach which sacrifices security: pairing-based zk-SNARK with a trusted setup. It is generally agreed that a curve with paring property is not as safe as the ED25519 curve, as used in Incognito.

Incognito

Incognito takes a different approach. The Incognito-Ethereum bridge is designed for fully decentralized cross-chain interoperability. Implementations will enable cross-chain communication between the two blockchains, and enable the choice of “incognito mode” for transfers of crypto assets (ETH and ERC20 tokens). Using this bridge, anyone can turn on privacy for their tokens and shield their balances and activity.

How to send ETH and ERC20 privately

The bridge facilitates the transfer of crypto assets (e.g. tokens) between two blockchains by implementing locking, minting and burning mechanisms on each blockchain. When tokens are sent to a locking contract on Ethereum, Incognito needs to verify that the “locking” transaction was indeed confirmed on Ethereum, and upon the submission of the token lock transaction on Ethereum, proceed to mint a corresponding amount of privacy tokens (e.g., privacy Ether or privacy ERC20 tokens). When these privacy tokens are burned, the locking contract on Ethereum will verify the validity and unlock it upon submission of proof. This effectively maintains a 1:1 ratio between the privacy token on Incognito and the original token on Ethereum.

Incognito uses RingCT and Bulletproof techniques to provide full privacy – shielding the transaction amount, sender, and receiver. Incognito’s sharding technique improves transaction throughput – 100 tps vs. 15 tps of Ethereum, and transaction fees are extremely low.

Summary

Aztec Tornado Cash Incognito
Untraceable No Yes Yes
Shield tx amount Yes No Yes
Shield sender and receiver No Yes Yes
Non-trusted setup No No Yes
Transaction fee High High Low

The security of cryptography is proportional to the cost of computation. High gas fees present considerable difficulty for approaches implemented on Ethereum, and often, sacrifices have to be made in terms of security.

Incognito’s unique approach utilizes advanced cryptographic techniques, sharding, and bridging, in order to achieve a more robust, lower-cost privacy.

In Q3-2020, Incognito will provide a trustless decentralized bridge for non-ERC20 tokens. This will enable trustless exchanges of ERC20 and non-ERC20 tokens. In Q1-2021, confidential asset technique will be deployed to shield asset type.

11 Likes