Public blockchain networks such as Bitcoin and Ethereum are transparent and offer pseudonymity rather than total anonymity. One of the most important design goals for Findora Network is that anyone can join and use the network. But an innate feature of this design is that everyone is able to scrutinize every single transaction recorded in the ledger. Transactions store information about pseudonymous identities (sender and receiver) of the participants in the transaction. In order to have stronger privacy, anonymity and censorship-resistance features, it is eminently desirable to mask this information corresponding to a transaction in tandem while cryptographically proving the integrity of the chain.
An anonymous transfer is often referred to as a triple masking because it hides three things:
- The identities of the sender and the receiver
- The amount being sent
- The asset type
Anonymous transfers are confidential transfers where the identities of the sender and receiver are also protected or shielded. Instead of storing transaction data in plain text on the public ledger, a cryptographic commitment to this data is publicly recorded. The person performing the transaction provides cryptographic proofs attesting to the authenticity and validity of this encrypted data. This feature is made possible by zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge).
For the simpler feature of hiding the amount and the asset type but not the identities of the sender/receiver, Findora uses Bulletproofs. This feature - known as confidential asset transfers - requires a sender to prove in zero knowledge that a certain committed amount falls within a certain range (usually ). This is a transparent scheme (i.e. no trusted setup). It hinges on the hardness of the discrete logarithm problem in elliptic curves, which is one of the oldest and most battle-tested hardness assumptions in cryptography.
While the same scheme can, in theory, also support an anonymous transfer, the verification time is linear in the size of the circuit, which is far too expensive for the complex statements that constitute an anonymous transfer. To this end, we use TurboPlonk, a pairing-based Snark which has a constant-sized proof and a constant verification time. While this scheme does require a trusted setup, it is far better suited for more complex statements. Furthermore, the trusted setup is universal and updateable.
The shielded values are carried out by Anonymous Blind Asset Records (ABARs) and are the fundamental building blocks with which the transaction for anonymous transfers is created. For each ABAR that is validated, there is an associated ABAR commitment with a fixed position in a Merkle tree of ABAR commitments. The commitments to the output ABARs are revealed to allow them to be spent in the future. Findora uses a 3-ary Merkle tree built with the ”Snark-friendly” Rescue hashing algorithm for this purpose.
The ABAR is also associated to a unique nullifier in order to prevent double spends. Computing the nullifier requires the associated private spending key and it is infeasible to correlate the ABAR commitment or the ABAR position to a nullifier without the knowledge of this private key. A valid unspent note, at a given point on the blockchain, is one for which the ABAR commitment has been publicly revealed prior to that point but the associated nullifier has not. This is the intuition why the nullifier is important to prevent double spending. The nullifier set, i.e. the set of all nullifiers revealed up to that point, is stored as a Merkle tree. Findora uses a binary sparse merkle tree built using the SHA-256 hashing algorithm for this purpose. Sparse Merkle trees allow for efficient non-membership proofs, which makes them suitable for storing the nullifier set. The nullifiers of the input ABARs are revealed to prevent them being spent again.