Bonus Content: AMA with Aztec

A platform inside Ethereum that can make your financial transactions private
Ryan Sean Adams, Oct 18, 2019 (9 min read)

Dear Crypto Natives,

I’ve gotten permission from my friend Spencer Noon to share this recent Aztec Protocol AMA with paid Bankless subscribers (@spencernoon is a great follow on twitter btw).

AZTEC is a privacy platform embedded inside Ethereum as a smart-contract. It may be the most promising privacy tech in open finance today.

The big questions in my mind—does something like AZTEC make privacy coins such as Zcash and Monero obsolete?

How much in transaction fees will a private transaction cost?

Does this tech give us a private version of DAI?

Find the answers to these questions and more. Read the full AMA below.

- RSA


AMA with Aztec

Date: October 17, 2019

Reproduced for Bankless w/ the permission of Spencer Noon & Tom Walton-Pocock. Other attendee names have been anonymized.

Website:
https://www.aztecprotocol.com/

Participants:

  • Tom Walton-Pocock, Co-Founder & CEO of Aztec Protocol
  • Zac Williamson, Co-Founder & CTO of Aztec Protocol

Moderator:

Tom / Zac — could you start off by giving us a brief bio on your background as well as how you got started in crypto? And then a short overview of Aztec and a brief update on your progress to date? We’ll then be off to the races with questions!

Tom:

Tom & Zac here from AZTEC Protocol - looking forward to answering your questions. AZTEC is a private transaction network running on Ethereum, and we're a week and a half from commencing our MPC Ceremony, the trusted setup that will launch AZTEC. Our current proving system is based on a set membership proof that effects a range proof. A recent collaboration with Protocol Labs led to PLONK, a new universal SNARK that will form the basis for our future proving systems.

I was previously in banking, and Zac's a recovering physicist and trained as a C++ developer.

We began building a credit platform on Ethereum, but lack of privacy tools was a big problem, and we started focussing on this in December 2018.

Zac:

Hello!

Anonymous:

Hey guys, What's the scalable use case for AZTEC ?

And what is your go to market strategy please

Tom:

Hello [Anonymous] - originally we were focussing on private capital execution. i.e. Ethereum as a clearing house without a balance sheet.

Moderator:

Thanks for starting us off- let's move into questions! Thanks for the introductions Tom & Zac.

Tom:

However we're now very much facing developers - building out the tooling for them to easily create proofs inside their apps, and design custom private assets and smart contracts on Ethereum

Currently AZTEC provides 5 private transaction proofs based on our original range proof - send, swap, mint, burn, and income - that pretty well allows you to describe any classical asset, make payments, etc

Anonymous:

Please elaborate. Where does the credit risk sit ?

Tom:

Ok so the credit risk is in the secondary markets - where assets trade after they've been originated

Our original platform was addressing the private capital markets (in particular, syndicated debt and direct lending), and giving them access to a clearing house to which they hadn't previously had access

We ended up focussing on the privacy system because obviously this technology addresses a much wider class of assets

And with PLONK, we'll be building something much more expressive than those 5 proofs - dark contracts

Moderator:

I'd like to take a little bit of a step back since we have a number of folks in this room who are not familiar with Aztec at all. So, you are building a private transaction network that is launching after an MPC ceremony in 1.5 weeks. Can you explain how each of the functions work (send, swap, mint, burn, and income)? How expensive is it going to be for developers to access your network?

Zac:

Our AZTEC proofs are designed to capture discrete bits of 'business logic' required to privately mediate digital assets

Whilst also ensuring our proofs were efficient and did not consume much gas - post Istanbul a typical AZTEC transaction will cost ~250,000 gas to verify

AZTEC represents 'value' in a manner similar to bitcoin, with UTXO-style 'notes'. In our case, the values of these notes are encrypted

You can use 'send' proofs to split up and combine notes together - you can also split a note into notes with different owners, which enables unilateral value transfers

our 'swap' proof achieves a similar effect for bilateral trades

Tom:

To give concrete examples of those 5 proofs - suppose you're coding up a consumer loan - you'll use 'mint' for the origination, 'burn' for the redemption, 'income' to pay private interest (and by the way we have a nice example of a loan issuance platform that streams private income, which we built to give engineers a demo of AZTEC in use). You'd then use the send / swap proofs to allow the lender to sell that loan asset if they want to.

Moderator:

Gotcha, makes sense. Can you expand on the developer experience? Will leveraging Aztec be as simple as copying pre-existing solidity code?

Zac:

We have created a series of template smart contracts that can be used to spin up AZTEC assets, alongside a browser extension that exposes a simple API to manage AZTEC wallets

Anonymous:

Each AZTEC instance would need to do its own trusted setup?

Anonymous:

How do you plan to mitigate the potential risks from PLONK's trusted set up?

Zac:

We've also defined a standard by which AZTEC assets can be created/traded, as the ERC1724 standard

[Each instance with a trusted setup?] no we don't - that would be an unacceptable risk that our users would have to undertake.

All AZTEC assets can use the same singular trusted setup, which we were executing with our 'ignition' MPC ceremony

Anonymous:

Awesome, was hoping that was the case. I've signed up for it btw. Looking forward to participating. You mention above that the amount of different txs is shielded, but that implies that account is not?

Zac:

Coincidentally this is the same trusted setup that PLONK requires.

We're mitigating the risks by having a large number of distributed participants. Our trusted setup ceremony is constructed so that only a single participant has to act honestly for AZTEC's cryptosystem to be secure under conventional cryptographic assumptions

I like it!

Moderator:

Do you expect today's top DeFi projects to leverage Aztec? e.g. Maker, Compound

Tom:

There are sort of two answers to this

The first is - you can make tokens such as DAI private using shielding in AZTEC - obviously that doesn't thread privacy right the way through the MakerDAO system though, because CDPs and the underlying collateral would still be visible

But suppose you wanted to render MakerDAO completely invisible as a dark contract

There are quite a lot of additional overheads with which DarkMakerDAO has to contend - most importantly, how it now checks its entire system isn't underwater

i.e. that there's enough collateral in the system

Borrowers will now have to make lots of proofs around margin / overcollateralisation, and will have to do that all the time in a now-paranoid Tier 1 DeFi system such as Maker or Compound

That's certainly soluble but it's clearly not a straightforward matter of simply hiding the variables inside these lending systems

Anonymous:

I'm not too familiar with your protocol, but could you give some intuitions on how/if you've tackled the gas traceability problem?

Zac:

[Anonymous] we use third party relayers to 'solve' the gas traceability problem. While all gas payments must be made through public eth, there are few other alternatives

Anonymous:

How does plonk compare to things like sonics, super sonics, halo, marlin etc. What trade-offs do each of these make and are they even right comparisons?

Zac:

Comparing different proof systems is always a bit subjective, particularly because 'succinct' SONIC lacks an implementation. But there's a useful heuristic we can use here - the number of 'scalar multiplications' required to construct a proof. For PLONK, that number is 9 times the number of arithmetic gates. For SONIC, it's approximately 273 times. Health warning: what you can do with a 'gate' also varies between PLONK and SONIC, but it's still going to be about an order of magnitude difference between PLONK and SONIC.

Halo enables recursive proof construction, but the verification algorithm runs in linear time, so it has limited viability on a computationally constrained platform like Ethereum, for the moment.

We can do a similar sort of comparison between PLONK and Marlin, but with a health warning that these systems define an arithmetic 'gate' a bit differently. Marlin requires, I believe, 21 times the number of arithmetic gates (for scalar muls)

We also have some benchmarks for our proof of concept PLONK prover, and we think they demonstrate that PLONK is more than fast enough to construct proofs over complex programs on very standard consumer hardware

PLONK can construct proofs involving over a million arithmetic gates, in under 23 seconds on a modern laptop

There's a lot of low hanging fruit to improve the speed of our PLONK prover as well - development is in a very early stage. Longer term, we're confident that we can enable complex private smart contracts, whose associated PLONK proofs can be constructed by consumers - and won't have to offload proof construction to a centralized service

Moderator:

There are some in the investor community who don't believe that strong privacy guarantees are all that necessary for the vast majority of people. What do you think will be some of the most pressing use-cases/applications for Aztec when it launches? Curious if you guys have identified any dapps running today that would have strong PMF

Also, does Aztec compete with mixers like Tornado? If so, what are the trade-offs to each approach?

Tom:

We had a fairly simple example of one of our employees paying another with Dai, and the recipient coming in the next morning with a full history of the first employee's on-chain spending habits

I think whilst we're not doing day-to-day, identifying activities on-chain, pseudonymity is probably good enough - but with adoption we of course expect that to change extremely quickly

Zac:

The key difference between AZTEC and mixers like Tornado Cash is that we're building a system where value never has to leave the confidential ecosystem - where AZTEC zk-dapps can provide the same services one would use in the public realm.

Tom:

First use case will undoubtedly be private payments that can shift seamlessly between browsers, wallets, dapps, (zk stablecoins and other tokens)

Anonymous:

Can you please give some more concrete use case examples with existing protocols like Compound, Augur or Maker and how exactly AZTEC would fit into the flow?

How would this fit in with say MetaMask?

Zac:

We're building a browser extension that is designed to work in tandem with MetaMask. AZTEC transactions require zero-knowledge proofs that use some niche cryptography, that MetaMask currently does not support.

To create a strong separation of concerns, AZTEC notes have 'viewing' keys and 'spending' keys. The viewing keys can decrypt AZTEC notes, and are required to construct AZTEC proofs. Our extension handles this flow. However, to authorize a spend transaction, the zero-knowledge proof must be countersigned by the note's spending key, which is authorized through MetaMask and similar systems.

Anonymous:

Super helpful explanation, thanks!

Zac:

Existing protocols were designed to not require privacy, in a world where private transactions weren't even possible on Ethereum. To provide interoperability between private assets and public systems like Compound, we're constructing some template 'zero knowledge wrapper' smart contracts that can interact with existing DeFi.

Specifically, users can privately deposit AZTEC funds into these wrappers, where the aggregate sum is decrypted and deployed to an existing DeFi system like Compound. Users then receive zero-knowledge claims on the proceeds of their DeFi investment.

Moderator:

Can you explain how the UX works end-to-end here for both users?

Tom:

Do you mean the UX on the plugin?

Moderator:

Exactly. I'm wondering how the Dai users in your example would interact with Aztec to do this, as opposed to having their tx history exposed 😛

Tom:

So right now, the plugin is a zk note manager and optimally selects zk notes for spending, as well as administrating your viewing keys. It provides an API for integrators to build their own UX over the top of our 'ERC-20 zk equivalent' tokens - ERC-1724. Currently, when you come to sign a tx, you do so through MetaMask.

We'll be getting this out very soon so everyone can see it and play around with shielded tokens

Zac:

The goal of the API is to abstract away the complexities of handling encrypted UTXO objects - integrators can call methods that mirror the ERC20 interface, and our front-end is designed to represent users' balances as if they're ERC20 tokens

Moderator:

Got it. Thanks guys

Anonymous:

How does AZTEC plan to capture developers? Separately, do you have any favorite hackathon submissions built on AZTEC?

Tom:

We're building an SDK to make this really simple - developers shouldn't have to faff around with viewing keys, manage notes etc

We had a number of excellent submissions recently at ETHBoston and ETHBangalore

Zac:

We recently ran an AZTEC Hackathon at Eth Bangalore. One of the stand-out projects mixed nuCypher and AZTEC, so that you could create policies to give access to different AZTEC notes

Tom:

There was a great one at ETH New York - a salary payment app built by the Polymath team

Like that - an identifying payment that will require privacy as an absolute prerequisite to travel on public rails

And at ETHIndia there was a nice ZK identity solution using two proofs I didn't mention earlier - our public and private range proofs

They're called ZKCreds and allow you to prove things like 'are you a doctor' but also less binary statements like 'is your income above £50k?'

Moderator:

Alright, time's up! Zac, Tom thanks a ton for joining us today. Can you tell us the best way to stay apprised of Aztec updates as well as the best way for folks to get in touch?

Zac:

Thanks for inviting us @spencernoon , it's been fun!

Tom:

Thanks Spencer!

And please sign up for the ceremony! http://eepurl.com/gzM6FH

Finally for those of you interested in a technical intro to PLONK, Vitalik wrote a great article on it here: https://vitalik.ca/general/2019/09/22/plonk.html


Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.


Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. I’ll always disclose when this is the case