Origin: A Practical Confidential Payment System
Origin Labs

OriginWorld
5 min read, Feb 22, 2024


Abstract

In this paper, we introduce Origin, a fully decentralized and confidential payment mechanism compatible with Ethereum and other smart contract platforms. Unlike existing confidential payment systems, which follow the UTXO model, Origin operates on an account-based model akin to Ethereum's, which keeps it efficient and easy to use. Our smart contract maintains encrypted account balances and accepts and verifies cryptographic proofs for depositing, transferring, and withdrawing funds.

Key features of Origin include defenses against replay attacks and front-running. We have also engineered a mechanism for interoperability with other smart contracts, which extends confidentiality to several mainstream applications such as auctions, payment channels, and voting systems.

A further contribution of this paper is Sigma-Bullets, an enhancement of the Bulletproofs zero-knowledge proof system. Sigma-Bullets composes more naturally with Sigma protocols and is therefore applicable well beyond Origin.

We have implemented Origin as a smart contract on Ethereum. Our empirical analysis of the gas consumed by the Origin contract demonstrates the practicality of the design. We further discuss how minor modifications to the existing Ethereum infrastructure, already under independent consideration, could substantially lower these operational costs.

Keywords: Origin, Blockchain, Decentralized Privacy, Confidential Payment

1 Introduction

Blockchain-based smart contract platforms [1], exemplified by Ethereum, offer significant potential to reduce the need for trust and enhance transparency in distributed applications. Ethereum provides high-level programming languages such as Solidity [2] that make it relatively easy to build decentralized applications (DApps). However, these platforms currently lack straightforward methods for adding meaningful privacy to such applications.

Consider, for instance, auction contracts on Ethereum. These can be constructed without significant difficulty, but the challenge arises when trying to implement a sealed-bid auction. In a sealed-bid auction, bidders submit their bids confidentially [37] to an auctioneer, so that no participant knows the amounts bid by others. After the bidding phase, the bids are unsealed to evaluate them and select the winner. The inherent transparency of Ethereum's transaction system is a significant obstacle to keeping bid amounts confidential in such an auction.

Several practical workarounds have been adopted. The Ethereum Name Service, for instance, has users submit only a hash of their bid and deposit an amount greater than their actual bid to register a name with the registrar. The official Solidity documentation offers another approach for blind auctions, in which users submit multiple bids, including decoy bids, to obscure the true bid value [8, 9]. While these methods provide some privacy, they do not fully conceal bid values (the public deposit, for example, bounds the bid from above) and they add complexity for users.
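As an added example (not code from ENS, the Solidity documentation, or Origin), the following Python models the hashed-bid workaround described above as plain contract logic and shows two of the leaks the paragraph alludes to: the public deposit is an upper bound on every bid, and a commitment made without a random salt can be brute-forced over plausible bid values before the reveal phase. SHA-256 stands in for the EVM's keccak256; the bidders, amounts and the `step_wei` search grid are constructed for the demonstration.

```python
"""Hashed-bid (commit-reveal) sealed auction, modelled in plain Python.
Added example: not the ENS registrar, not the Solidity docs' blind auction, and not
Origin. SHA-256 stands in for the EVM's keccak256 (assumption); bidders are constructed."""
import hashlib
import secrets

ETH = 10 ** 18  # wei per ether

def commitment(bid_wei, salt):
    """Commit to a bid as H(bid || salt); the salt is what hides a low-entropy bid."""
    return hashlib.sha256(bid_wei.to_bytes(32, "big") + salt).digest()

class CommitRevealAuction:
    """Hypothetical contract state: one commitment and one public deposit per bidder."""
    def __init__(self):
        self.commits = {}   # bidder -> (commitment, deposit_wei)
        self.revealed = {}  # bidder -> bid_wei

    def commit(self, bidder, commit, deposit_wei):
        if bidder in self.commits:
            raise ValueError("one commitment per bidder")
        self.commits[bidder] = (commit, deposit_wei)

    def reveal(self, bidder, bid_wei, salt):
        entry = self.commits.get(bidder)
        if entry is None or bidder in self.revealed:
            return False
        commit, deposit_wei = entry
        # A bid above the deposit could not be paid, so the public deposit is an
        # upper bound on the bid that every observer learns at commit time.
        if bid_wei > deposit_wei or commitment(bid_wei, salt) != commit:
            return False
        self.revealed[bidder] = bid_wei
        return True

    def winner(self):
        return max(self.revealed.items(), key=lambda kv: kv[1]) if self.revealed else None

def brute_force_unsalted(commit, max_bid_wei, step_wei):
    """What any observer can do during the commit phase if a bidder omitted the salt
    (or used a guessable one): enumerate plausible bids until the hash matches."""
    for bid in range(0, max_bid_wei + 1, step_wei):
        if commitment(bid, b"") == commit:
            return bid
    return None

def run_auction():
    """Constructed scenario with two bidders; returns (winner, Bob's bid as leaked)."""
    auction = CommitRevealAuction()
    alice_salt = secrets.token_bytes(32)
    # Alice salts her commitment and over-deposits, so only 'bid <= 5 ETH' leaks.
    auction.commit("alice", commitment(3 * ETH, alice_salt), deposit_wei=5 * ETH)
    # Bob omits the salt: his commitment is a deterministic function of the bid alone.
    auction.commit("bob", commitment(2 * ETH, b""), deposit_wei=2 * ETH)
    leaked_bob = brute_force_unsalted(auction.commits["bob"][0], 10 * ETH, ETH // 10)
    rejected = not auction.reveal("alice", 4 * ETH, alice_salt)  # wrong bid for the commitment
    ok = auction.reveal("alice", 3 * ETH, alice_salt) and auction.reveal("bob", 2 * ETH, b"")
    assert rejected and ok
    return auction.winner(), leaked_bob
```

Even with a proper salt, Alice's deposit of 5 ETH is visible on chain and tells everyone her bid is at most 5 ETH; the model's `reveal` enforces exactly that bound. Bob's unsalted commitment is recovered outright by `brute_force_unsalted` over a 0.1 ETH grid.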

Beyond auctions, confidentiality is crucial in other applications such as payment channels [10], which are considered key to increasing the throughput of cryptocurrencies. While setting up payment channels on a robust platform like Ethereum is straightforward, making such channels confidential poses similar challenges.

Advanced cryptographic solutions have been proposed for executing smart contracts in a privacy-preserving manner [11]. However, these solutions typically sacrifice decentralization or are prohibitively expensive for simple contracts. This highlights the need for efficient, fully decentralized methods that bring comprehensive privacy to smart contract platforms.

Confidential transfers on Ethereum are a compelling way to give crucial applications like auctions and payment channels privacy. However, existing methods for confidential transactions predominantly follow the unspent transaction output (UTXO) model used by Bitcoin, in which each new transaction spends unspent outputs of previous transactions. While effective in that setting, this model is not well suited to applications that must maintain state, which is central to smart contract platforms like Ethereum and their account-based model.

UTXO-based confidential payment schemes, originally proposed to address Bitcoin's privacy shortcomings, require such substantial changes to Bitcoin's base design that they have typically been launched as entirely new cryptocurrencies. Platforms like Ethereum, in contrast, allow core functionality to be enhanced simply by deploying new applications; payment channels, for instance, have been deployed on Ethereum to raise transaction throughput. By the same logic, deploying a suitable payment application could add confidentiality to payments and, potentially, to other applications.

Even so, implementing a UTXO-based mechanism inside an Ethereum contract is fraught with challenges: higher storage costs, weaker confidentiality, limited interoperability with other contracts, and barriers to widespread adoption.

In response to these challenges, we introduce Origin, an efficient and fully decentralized confidential payment mechanism tailored to the account-based model. Origin requires no modifications to the underlying design of smart contract platforms like Ethereum. Specified as a smart contract, Origin can run on its own or in conjunction with other smart contracts to enable the confidential exchange of token amounts, denoted ZTH. The techniques used in Origin carry over to other account-based cryptocurrencies, independent of their consensus mechanism.

Our contributions can be summarized as follows:

1. Confidentiality: Central to Origin is its inherent confidentiality. Account balances remain encrypted at all times, and users attach cryptographic proofs to their ZTH transactions, which gives a high level of privacy.

2. Zero-Knowledge Proofs: A pivotal component of Origin is the use of zero-knowledge (ZK) proofs. To make Origin efficient, we introduce a ZK-proof mechanism named Sigma-Bullets, which combines Sigma-protocols [12] and Bulletproofs [13] so that Bulletproofs-based range proofs can be efficiently combined with ElGamal encryption. This construction has potential applications beyond Origin.

3. Implementation: We have implemented Origin as a smart contract on Ethereum. Our analysis of the gas required to execute it shows that Origin is viable on the current Ethereum platform and will become more efficient with forthcoming enhancements to it. An efficient implementation of Bulletproofs on Ethereum, produced as part of this work, is noteworthy in its own right.

4. Interoperability: A key feature of Origin is its interoperability, in particular the ability to lock the funds in an account to a smart contract. This greatly simplifies adding confidentiality to a range of important applications: we show how Origin can be integrated to build sealed-bid auctions, confidential payment channels, confidential stake voting, and private proof-of-stake systems.

5. Anonymity: Beyond confidentiality, we propose an extension to Origin that hides the identities of the transacting parties among a group of users. The overhead of this anonymity feature scales linearly with the group size, but it requires no trusted setup and no changes to the existing smart contract platform. In the account-based model, this is closer to the anonymity offered by Monero [4] than to that of Zcash [14].
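Contributions 1 and 2 rest on the same building block: balances and transfer amounts stored as additively homomorphic ElGamal ciphertexts that the contract can update without decrypting anything. The Python below is an added illustration of that building block (exponential ElGamal over secp256k1), not the Origin contract, its Sigma-Bullets proofs, or its curve; it assumes a 16-bit bound on amounts for the final discrete-log lookup and deliberately verifies no proofs, so the last function shows what a missing range proof allows.

```python
"""Encrypted balances that a contract updates homomorphically without seeing plaintext.
Added illustration of exponential ElGamal, not the Origin contract. Assumed: secp256k1 as
the group (Ethereum's precompiles use alt_bn128), a 16-bit demo bound, no ZK proofs."""
import secrets
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def ec_add(A, B):
    """Affine addition/doubling on y^2 = x^3 + 7 over F_P."""
    if A is INF or B is INF:
        return B if A is INF else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # A == -B
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_neg(A):
    return INF if A is INF else (A[0], (-A[1]) % P)

def ec_mul(k, A):  # double-and-add; not constant time, demo only
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def encrypt(Y, amount, r):
    """Exponential ElGamal under public key Y: (r*G, amount*G + r*Y).
    Ciphertexts add component-wise, so the encrypted amounts add too."""
    return (ec_mul(r, G), ec_add(ec_mul(amount, G), ec_mul(r, Y)))

def ct_add(c1, c2):
    return (ec_add(c1[0], c2[0]), ec_add(c1[1], c2[1]))

def ct_sub(c1, c2):
    return ct_add(c1, (ec_neg(c2[0]), ec_neg(c2[1])))

MAX_AMOUNT = 1 << 16  # demo bound; a real system bounds amounts with range proofs
_DLOG_TABLE = {}      # amount*G -> amount, filled on first decryption
def decrypt(x, ct):
    """amount*G = D - x*C, then a table lookup over [0, MAX_AMOUNT); KeyError outside it."""
    C, D = ct
    M = ec_add(D, ec_neg(ec_mul(x, C)))
    if not _DLOG_TABLE:
        A = INF
        for m in range(MAX_AMOUNT):
            _DLOG_TABLE[A] = m
            A = ec_add(A, G)
    return _DLOG_TABLE[M]

class ConfidentialLedger:
    """Hypothetical contract state: per public key, only a ciphertext of the balance."""
    def __init__(self):
        self.balances = {}
    def fund(self, Y, amount):  # public deposit: add (0*G, amount*G), i.e. r = 0
        self.balances[Y] = ct_add(self.balances.get(Y, (INF, INF)), encrypt(Y, amount, 0))
    def transfer(self, Y_from, Y_to, ct_from, ct_to):
        """Subtract one ciphertext, add the other; the contract never learns the amount.
        Origin would first verify a proof that both encrypt the same in-range amount and
        that the sender's remaining balance is non-negative; this model verifies nothing."""
        self.balances[Y_from] = ct_sub(self.balances[Y_from], ct_from)
        self.balances[Y_to] = ct_add(self.balances.get(Y_to, (INF, INF)), ct_to)

def run_transfer():
    """Constructed scenario: Alice (1000) sends 250 to Bob (40); returns both decrypted balances."""
    ledger = ConfidentialLedger()
    (x_a, Y_a), (x_b, Y_b) = keygen(), keygen()
    ledger.fund(Y_a, 1000)
    ledger.fund(Y_b, 40)
    r = secrets.randbelow(N - 1) + 1  # one r for both ciphertexts, as a consistency proof needs
    ledger.transfer(Y_a, Y_b, encrypt(Y_a, 250, r), encrypt(Y_b, 250, r))
    return decrypt(x_a, ledger.balances[Y_a]), decrypt(x_b, ledger.balances[Y_b])

def overdraw_without_proof():
    """Without a range proof nothing stops 'transferring' 500 out of a balance of 100: the
    sender's balance becomes -400 mod N and surfaces only as a failed decryption (True)."""
    ledger = ConfidentialLedger()
    (x_a, Y_a), (_, Y_b) = keygen(), keygen()
    ledger.fund(Y_a, 100)
    r = secrets.randbelow(N - 1) + 1
    ledger.transfer(Y_a, Y_b, encrypt(Y_a, 500, r), encrypt(Y_b, 500, r))
    try:
        return decrypt(x_a, ledger.balances[Y_a]) is None
    except KeyError:
        return True
```

The contract in this model only ever stores `(C, D)` pairs: `fund` adds an encryption of a public amount with zero randomness, and `transfer` applies the sender's two ciphertexts, the same amount under both keys with the same `r`, purely homomorphically. Decryption recovers `amount*G` and then the amount by table lookup, which is why amounts must be range-bounded; the range proofs the paper combines with ElGamal are what let a contract enforce such a bound on chain and reject the overdraft that `overdraw_without_proof` slips through here.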

These advances make Origin a practical solution to today's privacy challenges on smart contract platforms and a step towards more secure, private, and efficient blockchain transactions.
