Shielding Cryptocurrencies: Turning Any Cryptocurrency Into a Privacy Coin

Shielding any cryptocurrency into a privacy coin

Shielding is the process of turning cryptocurrencies on other cryptonetworks (or “public coins”) into privacy coins on Incognito.

Privacy coins

Through Incognito, a public coin can be shielded to obtain its privacy coin counterpart of the same value. For example, BTC can be shielded to obtain the privacy coin pBTC. pBTC has the same value as BTC, so 1 pBTC can always be redeemed for 1 BTC and vice versa.¹

Once shielded, privacy coin transactions are confidential and untraceable. A privacy coin enjoys the best of both worlds. It retains the value of its original counterpart and can be transacted confidentially on the Incognito network.

pBTC BTC 40,720
pUSDT USDT 13,809
pETH ETH 9,109

Table 1. The most popular privacy coins on the Incognito network from November 2019 to January 2020.


We have based the shielding mechanism on the experience of building our first-generation trustless bridge, between Incognito and Ethereum [Incognito, 2018]. In particular, we generalize it to enable a wider range of cryptonetworks to be interoperable with Incognito.

Current blockchain interoperability solutions mostly involve building ad hoc bridges. BTC Relay [BTC Relay, 2019], WBTC [WBTC, 2019], and TBTC [TBTC, 2019] build ad hoc bridges between Bitcoin and Ethereum, while Kyber Network builds Waterloo [Baneth, 2019], an ad hoc bridge between Ethereum and EOS. For Incognito, doing it ad hoc – one bridge for every cryptonetwork – is not a scalable option.

Incognito takes a different approach: build once, work with any cryptonetwork. The shielding mechanism operates via a general bridge design that connects Incognito to any number of cryptonetworks, allowing for secure bi-directional transfers of cryptocurrencies whenever privacy is needed. This means any coin can now be a privacy coin. This approach is especially helpful for creating interoperability with cryptonetworks that do not support smart contracts, like Bitcoin and Binance Chain.

To obtain privacy coins, the user first submits a shielding request to the Bond smart contract with information about which public coins they want to shield and the amount. The Bond smart contract selects trustless custodians [Incognito, 2019] for the public coins and provides the user the custodians’ deposit addresses. Once the deposit is confirmed on the cryptonetwork of the public coins, the user initiates a shielding transaction on Incognito along with the deposit proof. A deposit proof on a cryptonetwork is often a Merkle branch linking the deposit transaction to the block it is time-stamped in, proving that the deposit transaction has been accepted by that cryptonetwork.

Figure 1. SPV in Bitcoin [Nakamoto, 2008]. Other cryptonetworks employ similar SPV methods. Note that while we have designed a general bi-directional bridge between Incognito and other cryptonetworks, we still need to implement the specific SPV logic for each cryptonetwork we add to the bridge, including relaying block headers from those cryptonetworks to Incognito and performing SPV on deposit proofs.

Incognito validators verify the shielding transaction, and in particular the deposit proof inside it, using Simplified Payment Verification (SPV) [Nakamoto, 2008]. Most cryptonetworks support Simplified Payment Verification, with a few small differences in the underlying data structures. For example, Bitcoin and Binance implement a Merkle tree [Merkle, 1980], while Ethereum implements a modified Merkle Patricia tree [Wood, 2014].

Once the deposit proof is verified, new privacy coins are minted at a 1:1 ratio.
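The Merkle-branch check behind a deposit proof, as an added example that is not taken from the Incognito code base: it assumes a Bitcoin-style tree (double SHA-256, last hash duplicated on odd levels) and a Merkle root that comes from a block header already relayed to the verifier. The function names and the sample hashes are constructed for illustration.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root_and_branch(txids, index):
    """Prover side: return (Merkle root, branch of sibling hashes) for txids[index]."""
    if not 0 <= index < len(txids):
        raise ValueError("index out of range")
    level, branch = list(txids), []
    while len(level) > 1:
        if len(level) % 2:               # odd level: Bitcoin duplicates the last hash
            level.append(level[-1])
        branch.append(level[index ^ 1])  # sibling of the node on our path
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch

def verify_deposit_proof(txid, index, branch, header_root):
    """Verifier side (SPV): fold the branch from the leaf up and compare the
    result with the Merkle root taken from an already-relayed block header."""
    if len(txid) != 32 or any(len(h) != 32 for h in branch):
        return False
    if not 0 <= index < (1 << len(branch)):   # position must fit the tree depth
        return False
    node = txid
    for sibling in branch:
        # The low bit of the index says whether our node is the right or left child.
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    return node == header_root

# Constructed sample block: five stand-in transaction hashes (not real txids).
TXIDS = [dsha256(f"constructed-tx-{i}".encode()) for i in range(5)]
DEPOSIT_INDEX = 4                        # last leaf, exercises the odd-level rule
ROOT, BRANCH = merkle_root_and_branch(TXIDS, DEPOSIT_INDEX)

if __name__ == "__main__":
    print("valid deposit :", verify_deposit_proof(TXIDS[4], 4, BRANCH, ROOT))
    forged = dsha256(b"constructed-forged-deposit")
    print("forged deposit:", verify_deposit_proof(forged, 4, BRANCH, ROOT))
    print("wrong position:", verify_deposit_proof(TXIDS[4], 3, BRANCH, ROOT))
```

The check only proves inclusion under the given root; whether that root belongs to an accepted block depends on the header relay described in the Figure 1 note.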


Figure 2. Shielding BTC and minting pBTC. Other public coins follow the same shielding process. Note that step 5 is simplified so that readers can follow the main logic: the proof of deposit is generated not by the custodian, but by the miners of the underlying cryptonetwork.


Unshielding is the reverse process of shielding: turning privacy coins back into public coins.

The user initiates an unshielding transaction on Incognito with information about which privacy coins they want to unshield and the amount.

Incognito validators verify the unshield transaction, burn the privacy coins, and issue a burn proof. A burn proof on Incognito is a cryptographic proof. When signed by more than ⅔ of Incognito validators, it proves that the privacy coins have been burned on the Incognito network.

The user then submits the burn proof to the Bond smart contract, which verifies the burn proof and instructs a custodian to release the public coins that back those privacy coins at a 1:1 ratio.

Once the release is confirmed on its respective cryptonetwork, the custodian submits the release proof to the Bond smart contract. Similar to the deposit proof, a release proof is a Merkle branch linking the release transaction to the block it is time-stamped in, proving that the release transaction has been accepted by that cryptonetwork.

After verifying the release proof, the Bond smart contract frees up the custodian’s collateral; custodians can withdraw their collateral or start taking new user deposits.


Figure 3. Unshielding pBTC and releasing BTC. Other public coins follow the same unshielding process.

We have proposed a mechanism for turning cryptocurrencies on other cryptonetworks (or “public coins”) into privacy coins, based on a set of trustless custodians [Incognito, 2019]. Once shielded, privacy coin transactions are confidential and untraceable. A privacy coin enjoys the best of both worlds. It retains the value of its original counterpart and can be transacted confidentially on the Incognito network.

¹ An exception is addressed in the Auto-Liquidation section in the Trustless custodians paper [Incognito, 2019].

If I deposit BTC and later on, at the time I want to withdraw, the custodian doesn’t have any BTC, how can I withdraw BTC? Or do I have to withdraw some other coins with equivalent value? In this case, who will set the price of the other coins?


Good question @dungtran! In Portal, custodians have benefits (earning shielding/unshielding fees and shield mining rewards) as well as a responsibility (returning public coins to users). And to become a custodian, one must bond some collateral (ETH or liquid ERC20) into the Bond smart contract, with the Collateral-to-Deposit ratio initially set at 150%. So custodians do likely have a motivation to return the original public coins to the redeemer. And yes, in the worst-case scenario, when a custodian doesn’t have public coins (say BTC or BNB, for example) to send back to a redeemer, the custodian’s bonded collateral will be used to repay the redeemer. In this case, the public coins that the redeemer receives – the custodian’s collateral, to be precise – may be different from the redeemer’s original public coin, but their total value is the same as or greater than the value of the redeemer’s original deposit. In your example, the redeemer can sell ETH or liquid ERC20 on any exchange to get BTC back as desired.
The reference prices for the Portal are provided via an oracle, which collates price data from a number of external price feeds. In other words, Portal can obtain prices from it for the needed calculation.


For further information, please have a look at the following post to see how the Portal’s trustless custodians approach works.