Crypto AMA with AZTEC (10.17.19)

Spencer Noon Dec 7, 2019

Guest:
  • Tom Pocock (CEO)
  • Zac Williamson (CTO)
Moderator:

Moderator:

Let’s give a warm welcome to Tom and Zac of Aztec Protocol!

As a reminder for everyone participating—please keep the discussion respectful at all times.

@tom @zac — could you start off by giving us a brief bio on your background as well as how you got started in crypto? And then a short overview of Aztec and a brief update on your progress to date? We’ll then be off to the races with questions!

Tom:

Tom & Zac here from AZTEC Protocol - looking forward to answering your questions. AZTEC is a private transaction network running on Ethereum, and we’re a week and a half from commencing our MPC Ceremony, the trusted setup that will launch AZTEC. Our current proving system is based on a set membership proof that effects a range proof. A recent collaboration with Protocol Labs led to PLONK, a new universal SNARK that will form the basis for our future proving systems.

Tom:

I was previously in banking, and Zac's a recovering physicist and trained as a C++ developer

Tom:

We began building a credit platform on Ethereum, but the lack of privacy tools was a big problem, and we started focussing on this in December 2018

Zac:

Hello!

Participant:

Hey guys, what's the scalable use case for AZTEC?

Participant:

And what is your go-to-market strategy please

Tom:

Hello - originally we were focussing on private capital execution, i.e. Ethereum as a clearing house without a balance sheet.

Tom:

However we're now very much facing developers - building out the tooling for them to easily create proofs inside their apps, and design custom private assets and smart contracts on Ethereum

Tom:

Currently AZTEC provides 5 private transaction proofs based on our original range proof - send, swap, mint, burn, and income - that pretty well allows you to describe any classical asset, make payments, etc

Participant:

Please elaborate. Where does the credit risk sit?

Tom:

Ok so the credit risk is in the secondary markets - where assets trade after they've been originated

Tom:

Our original platform was addressing the private capital markets (in particular, syndicated debt and direct lending), and giving them access to a clearing house to which they hadn't previously had access

Tom:

We ended up focussing on the privacy system because obviously this technology addresses a much wider class of assets

Tom:

And with PLONK, we'll be building something much more expressive than those 5 proofs - dark contracts

Moderator:

I'd like to take a little bit of a step back since we have a number of folks in this room who are not familiar with Aztec at all. So, you are building a private transaction network that is launching after an MPC ceremony in 1.5 weeks. Can you explain how each of the functions works (send, swap, mint, burn, and income)? How expensive is it going to be for developers to access your network?

Zac:

Our AZTEC proofs are designed to capture discrete bits of 'business logic' required to privately mediate digital assets

Zac:

Whilst also ensuring our proofs were efficient and did not consume much gas - post Istanbul a typical AZTEC transaction will cost ~250,000 gas to verify

Zac:

AZTEC represents 'value' in a manner similar to bitcoin, with UTXO-style 'notes'. In our case, the values of these notes are encrypted

Zac:

You can use 'send' proofs to split up and combine notes together - you can also split a note into notes with different owners, which enables unilateral value transfers

Zac:

our 'swap' proof achieves a similar effect for bilateral trades

Tom:

To give concrete examples of those 5 proofs - suppose you're coding up a consumer loan - you'll use 'mint' for the origination, 'burn' for the redemption, 'income' to pay private interest (and by the way we have a nice example of a loan issuance platform that streams private income, which we built to give engineers a demo of AZTEC in use). You'd then use the send / swap proofs to allow the lender to sell that loan asset if they want to.

Moderator:

Gotcha, makes sense. Can you expand on the developer experience? Will leveraging Aztec be as simple as copying pre-existing solidity code?

Zac:

We have created a series of template smart contracts that can be used to spin up AZTEC assets, alongside a browser extension that exposes a simple API to manage AZTEC wallets

Participant:

Each AZTEC instance would need to do its own trusted setup?

Participant:

How do you plan to mitigate the potential risks from PLONK's trusted setup?

Zac:

We've also defined a standard by which AZTEC assets can be created/traded, as the ERC1724 standard

Zac:

no we don't - that would be an unacceptable risk that our users would have to undertake.

All AZTEC assets can use the same singular trusted setup, which we were executing with our 'ignition' MPC ceremony

Participant:

Awesome, was hoping that was the case. I've signed up for it btw. Looking forward to participating. You mention above that the amount of different txs is shielded, but that implies that the account is not?

Zac:

Coincidentally this is the same trusted setup that PLONK requires.

We're mitigating the risks by having a large number of distributed participants. Our trusted setup ceremony is constructed so that only a single participant has to act honestly for AZTEC's cryptosystem to be secure under conventional cryptographic assumptions

Zac:

that's correct. We're launching our protocol with a focus on hiding values, but not identities. We have a stealth address protocol in the works that will enable senders/recipients of AZTEC notes to be single-use pseudonymous accounts.

Longer term, we can use PLONK to break the transaction graph and fully shield both values and identities - even the digital asset type being transferred

Tom:

You can view it at https://ignition.aztecprotocol.com/

Moderator:

Do you expect today's top DeFi projects to leverage Aztec? e.g. Maker, Compound

Tom:

There are sort of two answers to this

Participant:

just signed up

Tom:

The first is - you can make tokens such as DAI private using shielding in AZTEC - obviously that doesn't thread privacy right the way through the MakerDAO system though, because CDPs and the underlying collateral would still be visible

Tom:

excellent!

Tom:

But suppose you wanted to render MakerDAO completely invisible as a dark contract

Tom:

There are quite a lot of additional overheads with which DarkMakerDAO has to contend - most importantly, how it now checks its entire system isn't underwater

Tom:

i.e. that there's enough collateral in the system

Participant:

I'm not too familiar with your protocol, but could you give some intuitions on how/if you've tackled the gas traceability problem?

Tom:

Borrowers will now have to make lots of proofs around margin / overcollateralisation, and will have to do that all the time in a now-paranoid Tier 1 DeFi system such as Maker or Compound

Tom:

That's certainly soluble but it's clearly not a straightforward matter of simply hiding the variables inside these lending systems

Zac:

we use third-party relayers to 'solve' the gas traceability problem. While all gas payments must be made through public eth, there are few other alternatives

Participant:

How does PLONK compare to things like Sonic, Supersonic, Halo, Marlin, etc.? What trade-offs does each of these make, and are they even the right comparisons?

Zac:

Comparing different proof systems is always a bit subjective, particularly because 'succinct' SONIC lacks an implementation. But there's a useful heuristic we can use here - the number of 'scalar multiplications' required to construct a proof. For PLONK, that number is 9 times the number of arithmetic gates. For SONIC, it's approximately 273 times. Health warning: what you can do with a 'gate' also varies between PLONK and SONIC, but it's still going to be about an order of magnitude difference between PLONK and SONIC.

Halo enables recursive proof construction, but the verification algorithm runs in linear time, so it has limited viability on a computationally constrained platform like Ethereum, for the moment.

Zac:

We can do a similar sort of comparison between PLONK and Marlin, but with a health warning that these systems define an arithmetic 'gate' a bit differently. Marlin requires, I believe, 21 times the number of arithmetic gates (for scalar muls)

Zac:

We also have some benchmarks for our proof of concept PLONK prover, and we think they demonstrate that PLONK is more than fast enough to construct proofs over complex programs on very standard consumer hardware

Zac:

PLONK can construct proofs involving over a million arithmetic gates, in under 23 seconds on a modern laptop

Zac:

There's a lot of low hanging fruit to improve the speed of our PLONK prover as well - development is in a very early stage. Longer term, we're confident that we can enable complex private smart contracts, whose associated PLONK proofs can be constructed by consumers - and won't have to offload proof construction to a centralized service

Moderator:

There are some in the investor community who don't believe that strong privacy guarantees are all that necessary for the vast majority of people. What do you think will be some of the most pressing use-cases/applications for Aztec when it launches? Curious if you guys have identified any dapps running today that would have strong PMF

Moderator:

Also, does Aztec compete with mixers like Tornado? If so, what are the trade-offs to each approach?

Tom:

We had a fairly simple example of one of our employees paying another with Dai, and the recipient coming in the next morning with a full history of the first employee's on-chain spending habits

Participant:

🙈

Tom:

I think whilst we're not doing day-to-day, identifying activities on-chain, pseudonymity is probably good enough - but with adoption we of course expect that to change extremely quickly

Zac:

The key difference between AZTEC and mixers like Tornado Cash is that we're building a system where value never has to leave the confidential ecosystem - where AZTEC zk-dapps can provide the same services one would use in the public realm.

Tom:

First use case will undoubtedly be private payments that can shift seamlessly between browsers, wallets, dapps, (zk stablecoins and other tokens)

Participant:

Can you please give some more concrete use case examples with existing protocols like Compound, Augur or Maker and how exactly AZTEC would fit into the flow?

Moderator:

(⚠️ also FYI everyone, the Aztec team has a hard stop at 2pm ET. Get your questions in!)

Participant:

How would this fit in with say MetaMask?

Zac:

We're building a browser extension that is designed to work in tandem with MetaMask. AZTEC transactions require zero-knowledge proofs that use some niche cryptography that MetaMask currently does not support.

To create a strong separation of concerns, AZTEC notes have 'viewing' keys and 'spending' keys. The viewing keys can decrypt AZTEC notes, and are required to construct AZTEC proofs. Our extension handles this flow. However, to authorize a spend transaction, the zero-knowledge proof must be countersigned by the note's spending key, which is authorized through MetaMask and similar systems.

Participant:

Super helpful explanation, thanks!

Zac:

Existing protocols were designed to not require privacy, in a world where private transactions weren't even possible on Ethereum. To provide interoperability between private assets and public systems like Compound, we're constructing some template 'zero knowledge wrapper' smart contracts that can interact with existing DeFi.

Specifically, users can privately deposit AZTEC funds into these wrappers, where the aggregate sum is decrypted and deployed to an existing DeFi system like Compound. Users then receive zero-knowledge claims on the proceeds of their DeFi investment.

Moderator:

Can you explain how the UX works end-to-end here for both users?

Tom:

Do you mean the UX on the plugin?

Moderator:

Exactly. I'm wondering how the Dai users in your example would interact with Aztec to do this, as opposed to having their tx history exposed 😛

Moderator:

10-minute warning folks!

Participant:

So right now, the plugin is a zk note manager and optimally selects zk notes for spending, as well as administrating your viewing keys. It provides an API for integrators to build their own UX over the top of our 'ERC-20 zk equivalent' tokens - ERC-1724. Currently, when you come to sign a tx, you do so through MetaMask.

Tom:

We'll be getting this out very soon so everyone can see it and play around with shielded tokens

Zac:

The goal of the API is to abstract away the complexities of handling encrypted UTXO objects - integrators can call methods that mirror the ERC20 interface, and our front-end is designed to represent users' balances as if they're ERC20 tokens

Moderator:

Got it. Thanks guys

Participant:

How does AZTEC plan to capture developers? Separately, do you have any favorite hackathon submissions built on AZTEC?

Tom:

We're building an SDK to make this really simple - developers shouldn't have to faff around with viewing keys, manage notes etc

Tom:

We had a number of excellent submissions recently at ETHBoston and ETHBangalore

Zac:

We recently ran an AZTEC Hackathon at ETHBangalore. One of the stand-out projects mixed NuCypher and AZTEC, so that you could create policies to give access to different AZTEC notes

Tom:

There was a great one at ETH New York - a salary payment app built by the Polymath team

Tom:

Like that - an identifying payment that will require privacy as an absolute prerequisite to travel on public rails

Tom:

And at ETHIndia there was a nice ZK identity solution using two proofs I didn't mention earlier - our public and private range proofs

Moderator:

Alright, time's up! @zac @tom thanks a ton for joining us today. Can you tell us the best way to stay apprised of Aztec updates as well as the best way for folks to get in touch?

Tom:

They're called ZKCreds and allow you to prove things like 'are you a doctor' but also less binary statements like 'is your income above £50k?'

Participant:

Thanks a bunch Tom & Zachary!

Moderator:

Awesome, just signed up myself. Thanks guys!

Tom:

Finally for those of you interested in a technical intro to PLONK, Vitalik wrote a great article on it here: https://vitalik.ca/general/2019/09/22/plonk.html