anonklub / anonklub Goto Github PK
View Code? Open in Web Editor NEWAnonymous Proof of Ethereum Address Ownership
Home Page: https://anonklub.xyz
License: GNU Affero General Public License v3.0
Anonymous Proof of Ethereum Address Ownership
Home Page: https://anonklub.xyz
License: GNU Affero General Public License v3.0
The proof of concept circuit is likely to take ~150s on a large machine, which basically requires outsourcing computation to a trusted server who would know your identity.
Halo2 will hopefully have faster prover time if properly optimised. We can tradeoff prover and verifier time in halo2 by changing the width of the circuit (details here), or changing the polynomial commitment (examples here)
Tornado cash is being censored at the validator level due to regulatory compliance issues, so it might be useful to create a way to get funds out while being compliant. One idea is a gateway contract that checks whether a withdrawal is legal, where the set of legal transactions is defined by the contract (and controlled by the regulators), and the withdrawer remains private amongst the legal transactions.
I argue that ECDSA is not necessary for a compliance gateway because the best design is a simple transaction whitelist.
There are 4 basic methods to implement this: user whitelist, user blacklist, tx whitelist, and tx blacklist.
Regulators probably won't accept blacklists because they are easy to beat if the attacker can withdraw their funds faster than the regulators update the blacklist. Less importantly, blacklists are slightly more complex, requiring 2 merkle proofs, whereas whitelists require 1.
I argue below that any user whitelist would have to implement a tx whitelist anyway, making the user whitelist redundant.
In a tx whitelist gateway, the contract contains the merkle root of all the explicitly permitted transactions. The user makes a zkp that proves knowledge of a note in the permitted merkle tree and outputs some nullifier. Then the gateway contract calls the tornado cash contract with the normal withdrawal zkp, provided that the nullifiers in both proofs are the same.
Naively, a user whitelist gateway is similar: the contract contains the merkle root of all the explicitly permitted users. The user makes a zkp proving they are allowed in the set using ecdsa. Then gateway contract calls the tornado cash contract with the normal withdrawal zkp.
However, in this naive implementation there is no link between the signer and the withdrawal. For example, an attacker could use a whitelisted account to withdraw funds they deposited with a non-whitelisted account. To implement a link between the signer and withdrawal you probably need tx whitelist, making the user whitelist redundant.
One application of zk-ecdsa is building a new version of tornado cash where the user doesn't need to manage the custody of a secret note (see product vision). In tornado cash the secret note is partially used as proof of membership, and partly as a nullifier to prevent double spend.
The obvious way to write an ecdsa-tornado circuit is to:
However, the a signature of a hash doesn't work as a nullifier because ECDSA is non deterministic in that a signer can make n
different signatures for the same messages (where n
is very large for secp256k1.
There might be some way to solve this with deterministic ECDSA.
Include pages to describe the design of circom circuit in the docusaurus website. (reuse blog content)
https://github.com/privacy-scaling-explorations/e2e-zk-ecdsa/tree/main/docs/docs
Explore performing membership proofs using KZK and caulk+.
Benefits:
Different approach:
helping people constructing polynomial commitments instead of merkle trees.
to expose proving server's http endpoint, which resides in private network, to the public internet
attach ELB to EC2 instance
https://github.com/privacy-scaling-explorations/e2e-zk-ecdsa/tree/main/apis/proving
using IaC tool like Pulumi to maintain infra configuration by code
note: 3000 port should be routed to public dns
A significant limitation of the current protocol is that strictly speaking, the proof is only valid for 1 block: the block at which the anonymity set was fetched.
Transactions post this block will alter blockchain state so that an address A
which was part of the anonymity set at block N
, may be out of at block N+1
.
So the claims are actually only "I was a member of this group at block N".
This is a weak claim to build any anonymous application on.
How could we strengthen this claim to turn into something closer to "I have been a member of this group since block N ..."?
Let N
be the latest block and N'
the block mined 1 year ago.
What about collecting the anonymity sets for multiple blocks between N
and N'
, build the corresponding proofs and finally aggregate them into a final proofs?
N
and N'
N
and N'
, 2 628 000 blocks are mined (24 * 3600 * 265 / 12s). For a token hold by ~1M addresses (e.g USDC), that is 2.628e12 balances data points.N
and N'
, aggregate corresponding proofs P
and P'
N
, N'
and a random block N''
between N
and N'
, aggregate corresponding proofs P
, P'
, P''
N
and N'
, without requiring fetching too much extra data.Protect access to zk proofs static files by e.g a JWT?
Right now we use a general purpose instance type.
See https://instances.vantage.sh/
We should pick an instance that has more CPU in the same price range: $100-$300/month.
It is more efficient (circuits have less constraints) to use public keys as inputs instead of addresses.
ethers.recoverPublicKey
).r, s, v
values) can be recovered for a given transaction with eth_getTransactionByHash
getTransactionByAddressAndNonce(address, nonce)
). So we need to either
no front end developed yet, create a dummy image to be able to test deploying the full app on a k8s cluster
Replace snarkjs by rapidsnark to generate proofs faster.
We can prove membership in a list of addresses by:
There are existing implementations in circom for poseidon merkle trees and ecdsa signature verification, and proving membership just requires combining the two together.
Add an expiration queue to automatically delete the zk proofs files on the server. Either after some time,
or after one GET requests has been made to fetch them.
Create or reuse an existing k8s cluster.
Dune free tier now includes api credits.
So no need to use custom dune-ts lib anymore. We can directly use a dune api key instead or a lib that needs the api key, eg https://github.com/cowprotocol/ts-dune-client
Docker image build in GH deployment workflows keep failing.
https://github.com/privacy-scaling-explorations/e2e-zk-ecdsa/actions/runs/5134613003/jobs/9238863928#step:4:197
To debug... as locally it works fine.
Apps need to be redeployed manually atm with:
flyctl deploy \
--config ui/fly-{prod,staging}.toml \
--dockerfile ui/Dockerfile \
--local-only
Description
Use snarkjs
npm lib instead of sync command.
See usage https://github.com/iden3/snarkjs#using-node
This way snarkjs doesn't need to be installed globally (makes remote server setup easier)
Circom prover API should handle bad requests errors.
#83 (comment)
#96
It is hard to debug why the server times out or crashes right now
Deploy anonklub app with the following architecture (to be confirmed):
graph TD
linkStyle default interpolate basis
ip((Client))<-.->router{<center>Ingress NGINX<br><br>http<strong>s</strong>://anonklub.xyz<br></center>}
subgraph k8s cluster
router--->|/|ui[<center>UI</center>]
router--->|/docs|docs[<center>Docs</center>]
router--->|/api/proof|proof[<center>Proof API</center>]
router--->|/api/query|query[<center>Query API</center>]
subgraph Pod + Service
ui(UI<br>container)
end
subgraph Pod + Service
docs(docs<br>container)
end
subgraph Pod + Service
proof(proof<br>container)
end
redis<-->proof
subgraph PVC + Pod + Service
redis[(Redis)]
end
subgraph Pod + Service
query(query<br>container)
end
end
Need to page over queries result.
Should be possible with graph-client
built-in auto-paging feature..
Otherwise will need to page over results manually.
Current /punk
endpoint return only 100 addresses while there are 3k+ crypto punks owner.
We can't just have the clients wait 5 - 8 min for the proof response to come back.
Because
http.request
instead)So we need to implement some kind of message queue (e.g https://www.rabbitmq.com/ ?)
Are broken
{"name":"TypeError","message":"Cannot read properties of null (reading 'punks')","stack":"TypeError: Cannot read properties of null (reading 'punks')\n at GraphRepository.getPunkOwners (/app/dist/api/repositories/GraphRepository.js:17:21)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"}
Probably newers versions of the subgraphs with a new schema were deployed.
Need to check and fix.
We can privately prove membership of some set with a merkle proof as per #34. There may be some cases where we want to prove non membership instead, such as proving you're not in a tornado cash blacklist (though a blacklist may not be the ideal way to gate tornado cash).
You can prove non membership in a sorted set by showing that your address would sit between two immediately adjacent addresses in a list:
a
is in the set (merkle proof)b
is in the set (merkle proof)indexof(a) + 1 = indexof(b)
(single constraint)a < address
and address > b
If the list is publicly available, as it would be for a blacklist, one can check that the list is sorted outside the circuit.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.