Vitalik’s latest paper condenses How does Privacy Pools solve the impossible trilemma of privacy, decentralization, and compliance?

Yesterday, Vitalik and scholars from the University of Basel jointly published a paper titled “Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium”, which has attracted widespread attention on Twitter.

Why should we pay attention to such a paper when the market is sluggish?

Vitalik’s thoughts and articles often influence the direction of new narratives and technologies, and other well-known experts and scholars in the blockchain field have unique insights into blockchain technology and development trends.

• External turmoil has not yet subsided, and internal turmoil is gradually emerging Genesis sues its parent company DCG.
• What are the real risks of a centralized sorter?
• To attract more developers, Polygon has launched the CDK.

In addition, the issues of blockchain privacy and compliance discussed in the paper are related to the future development direction and compliance path selection of the encryption industry. Finding a balance between protecting user privacy and meeting regulatory requirements is a problem that the encryption industry urgently needs to solve.

After reading the paper, we found that the Privacy Pools protocol proposed in it provides a feasible technical solution for achieving privacy and compliance compatibility. This seems to prevent the tragedy of Tornado Cash being condemned by regulation from happening again.

However, the paper is more academic and technical, and it is difficult for ordinary users to understand some of the details and meanings.

Therefore, the Deep Tide Research Institute has interpreted and refined the paper, attempting to explain the core points of the paper in plain language, which can help more people understand the important issue of privacy and compliance, as well as the technical path and possible solutions.

Who are the authors?

Firstly, the paper was led by Vitalik, with participation from professionals in academia and the industry.

Vitalik acted as the first author. Due to his significant influence and reputation in the cryptocurrency field, it can attract more attention to the proposed solution.

Other co-authors include:

• Jacob Illum, researcher at Chainalysis, a research institution in the cryptocurrency industry;
• mat nadler, a PhD student at the University of Basel, also involved in related DeFi and EVM development projects;
• Fabian Schär, professor at the University of Basel, with research focus on public chains and DeFi protocols;
• Ameen Soleimani, founder of several well-known cryptocurrency projects, with extensive practical experience.

Background: Privacy and Regulatory Contradictions, the Tragedy of Tornado Cash

• The design of public blockchains is transparent, and anyone can verify transactions without relying on centralized third parties. However, this also brings privacy issues because the blockchain records all transactions of each address, making addresses traceable and analyzable.
• The Bitcoin whitepaper believes that blockchain can protect privacy through public key anonymity, but this protection has been proven insufficient, as various blockchain analysis tools can associate addresses with transactions. Therefore, stronger encryption technology is needed to enhance privacy protection for public chains.
• Systems that adopt universal zero-knowledge proofs, such as Zcash and Tornado Cash, can increase the anonymity set to cover all transactions and improve privacy protection. However, Tornado Cash was also abused by some hackers, and its smart contract address was eventually sanctioned by OFAC.

Regarding the issue of Tornado Cash, DeepWave also provided some technical background for readers who are not familiar with the regulatory sanctions before, for reference:

• Tornado Cash is a privacy-enhancing protocol based on zero-knowledge proofs, which can achieve anonymous transactions. It allows users to deposit funds and then withdraw them to another address. On the chain, only the deposit and withdrawal can be seen, but not the corresponding relationship between the two, so it has anonymity.
• However, this protocol has also been abused by some hacker organizations, who use it for money laundering. For example, there is evidence that North Korean hacker organizations have laundered money through Tornado Cash.
• Therefore, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) eventually included the smart contract address of Tornado Cash on the sanctions list. Regulatory agencies believe that this protocol provides convenience for money laundering and is not conducive to combating financial crimes.
• The key issue with Tornado Cash is that legitimate users find it difficult to separate themselves from the criminal activities attracted by the protocol.
• However, the creation of this proof relies on Tornado Cash’s centralized servers. Users need to provide specific information about the withdrawal to the server. The server uses its own database to check which deposit corresponds to this withdrawal, and then generates the proof.

This requires reliance on a centralized intermediary because only Tornado Cash holds the complete database and can generate the correct proof. Ordinary users cannot verify the correctness of the proof, so users and regulators can only choose to trust.

We urgently need a way to prove and convince regulators that the source of my funds is clean and legal without exposing privacy and without centralization.

Therefore, this paper proposes a feasible technical solution called the Privacy Pools protocol: it allows users to prove that funds come from a custom set of associations, protecting privacy and at the same time proving whether they come from illegal sources.

This may be the first step towards coexistence of privacy and regulation.

zk+Association Sets, the Key to Solving the Problem

From the background description above, we already understand the problem that needs to be solved, which is to simultaneously ensure privacy and decentralization to prove that our funds are “innocent”.

When it comes to ensuring privacy, we easily think of zk. Indeed, Vitalik also affirmed zk, especially the value of zk-SNARK in solving privacy problems, in his latest paper:

• Zero-knowledge: Does not reveal private data, only proves that the statement is correct.
• Succinctness: Proofs are short, verification is fast, even if the computation is complex, it is still efficient.

However, relying solely on zk-SNARK can only solve part of the problem: proving that I have made this transaction, but hiding transaction details.

To completely solve the problem, it is actually necessary to prove that this transaction is legitimate while hiding the transaction details.

So, this paper links zk and another method together – Association Set.

• The so-called Association Set allows users to prove that funds come from a custom set, rather than completely hiding or fully disclosing the source. For example, if I transfer 1 BTC, but this 1 BTC is accumulated from multiple other transactions, then these other multiple transactions can become an Association Set.
• Association Set can be large or small, and users are free to determine its composition and scope. It can be a large anon set to enhance privacy, or a small set to prove compliance.

After understanding the concept of Association Set, let’s take a look at how zk + Association Set can ensure privacy and prove the source of funds:

1. When a user deposits, a secret key is generated through zk, and then a public coin ID (marking the association between me and the money) is calculated.
2. When a user withdraws, they need to submit a nullifier to prove that I have used this secret key (proving that the money is mine).
3. Through zk technology, users only need to prove that their coin ID exists in both the overall set and the declared Association Set (proving that the money is clean).
4. Externally, only the number of transactions and the ownership set of the money can be seen, but specific information about the parties involved in the transfer cannot be obtained.

To be a bit more technical, we can look at the schematic diagram of the Merkle tree in the original paper. The Merkle tree in the diagram actually represents the combination of Coin IDs. After the transactions themselves are zk, we cannot see the details and only store Coin IDs in the tree structure;

The left tree represents all the transactions currently happening, which may include one of my own money. Now, to prove that the source of this money is fine, I need the right tree – which represents my custom Association Set, including the association between my money and other transactions. As long as I can explain the past transactions on the right side clearly, I can tell you the source of my current money.

In a broader sense, this is like a privacy pool. The Association Set on the right side contains the origin and history of my money. However, because it has passed zero-knowledge proof, I can prove to you that the origin and history of the money are true without telling you the transaction details.

Practical Use Cases of Privacy Pools

The paper provides a very vivid example to demonstrate the application of Privacy Pools.

Background:

• There are five users: Alice, Bob, Carl, David, and Eve.
• The first four are honest, but Eve is a known thief.
• Although Eve’s true identity may be unknown, the public knows that funds received at the address marked as “Eve” have been stolen.

Choices and games when users withdraw:

• When each user makes a withdrawal, they can choose an associated set according to the method described in the paper.
• This associated set must include their own deposit. This means that when each user selects an associated set, they cannot exclude their own deposit.
• For the four users Alice, Bob, Carl, and David, in order to avoid being associated with the known bad actor Eve, they can choose an associated set that does not include Eve. This way, they can prove that they are not associated with Eve.
• However, Eve faces a problem: she cannot choose an associated set that only includes herself, because this would immediately reveal her as a bad actor.

• In an attempt to hide her bad behavior, Eve may choose an associated set that includes all five users, hoping to confuse observers.
• However, since the other four users have chosen associated sets that do not include Eve, Eve’s attempt becomes futile, as people can determine that Eve is a bad actor through process of elimination.

Result:

• Through the selection of associated sets, Alice, Bob, Carl, and David can prove that they are not associated with the known bad actor Eve.
• Eve cannot hide her bad behavior because her associated set includes everyone.

Figure 5 in the paper further illustrates the difference between these two proofs. The membership proof includes a specific set of deposits, while the exclusion proof’s associated set includes all deposits except for a specific set.

Future Outlook

Although the privacy-enhancing protocols based on zkSNARK and associated sets described above have achieved a balance between compliance and privacy in blockchain technology, there are still some technical and governance challenges. The authors propose some future directions:

• Further research on privacy properties: The privacy provided by these protocols depends on many different factors. The size of the associated set, the appropriateness of root selection, and user errors may allow specialized attackers to link users’ transactions.
• Research on the properties of separation of balance: Further research on the behavior of good and bad actors under certain assumptions, and how the public proof of the former affects the privacy of the latter.
• Legal research: Legal experts can further study specific disclosure requirements. The suggestions proposed in this paper are highly adaptable, and the insights of legal experts can help adjust the protocols and the ecosystem surrounding them to ensure compliance with regulations in various jurisdictions.

Finally, we believe that at this point in time, privacy and compliance are often seen as irreconcilable opposites.

The technology described in the paper finds a balance point between the two, bringing positive meaning to the entire industry. We hope that more researchers and developers can be inspired by this technology and contribute to the health and sustainable development of the industry.

We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!

Follow us on Twitter, Facebook, YouTube, and TikTok.