While researching on privacy solutions and applications of ZKP, we discovered a technique,
by which people can burn their digital asset (E.g ETH) by sending it to an unspendable address,
and later build a ZK proof showing that some amount of tokens reside in an account that are
unspendable, without revealing the account.
The EIP proposes to add a minting functionality to Ethereum, so that people can re-mint
Ethers they have purposefully burnt. The mentioned privacy solution will bring strong levels of
plausible deniability for the sender, since there is no way one can prove that the sender
has been participating in a privacy protocol. This will also make an anonymity pool that includes
all of the Ethereum accounts with zero outgoing transactions by default.
Specification
In Elliptic-Curve based digital signatures, normally there is a secret scalar $s$, from which
a public-key is calculated (By multiplying the generator point with the scalar: $s \times G$). An
Ethereum EOA-address is the keccak hash of a public-key.
Also, the funds in an Ethereum address might be spendable by a smart-contract, if the keccak hash
of the smart-contract’s parameters is equal with that address.
Therefore, an Ethereum address $A$ is spendable if and only if:
A private-key $s$ exists. such that $A = keccak(s \times G)$.
There exists a smart-contract $c$, such that $A = keccak(c_{params})$.
The preimage resistance property of hash functions implies that, you can’t find $x$ where $keccak(x)=r$,
in case $r$ is a random value. So the funds sent to a random Ethereum address $r$ is unspendable, but
how can other people be sure that $r$ is indeed random and not the result of calculating $s \times G$?
A great source of randomness is a hash function. If the address is equal with the hash of a secret preimage
$s$, we can conclude that the address is unspendable, since there isn’t a polynomially bounded algorithm
to find $x$ where $keccak(x)=h(s)$. This is only true if the second hash function is a different hash
function, and it assumes it is impossible to find $x_1$ and $x_2$ such that $h_1(x_1)=h_2(x_2)$ in case
$h_1$ and $h_2$ are different hash functions.
Using the help of Zero-Knowledge proofs, we can hide the value of $s$! We just need to prove that
we know a secret value $s$ where the address is $h(s)$. We can go even further. We can prove
that an Ethereum accounts exists in the state-root, which holds some amount of ETH and is unspendable.
By revealing this to the Ethereum blockchain and providing something like a nullifier
(E.g. $h(s | 123)$ so that double minting of same burnt tokens are not possible), we can add a new
minting functionality for ETH so that people can migrate their secretly burnt tokens to a
completely new address, without any trace on the blockchain. The target addresses can also be burn
addresses, keeping the re-minted funds in the anonymity pool.
Rationale
Cryptocurrency mixers like TornadoCash can successfully obfuscate Ethereum transactions, but it’s
easy for the governments to ban usage of them. Anybody who has interactions with a mixer contract,
whether the sender or receiver, can get marked. However this EIP tries to minimize the privacy leakage
of the senders, by requiring zero smart-contract interactions in order to send money, so
we only use plain EOA-to-EOA transfers. In order to have a “teleportation” mechanism we divide
the set of all Secp256k1 points $E(K)$ into two subsets/address-spaces:
The spendable address-space: $\{p \in \{0,1\}^{160}
\exists s : keccak(s \times G)=p \lor \exists c : keccak(c_{params})=p \}$
The unspendable address-space: $\{p \in \{0,1\}^{160}
\nexists s : keccak(s \times G)=p \land \nexists c : keccak(c_{params})=p \}$
The spendable/unspendable addresses are not distinguishable, so we can exploit this fact and define
a spendability rule for the money sent to addresses that can’t be spent using regular elliptic-curve
signatures. Using the help of Zero-Knowledge proofs, we can hide the transaction trace and design
a new privacy protocol, which is what this EIP is proposing.
Scalability Implications
In case the circuits are able to simultaneously re-mint the sum of multiple burns in a single-proof,
merchants and CEXs will be able to accept their payments in burn-addresses and accumulate their funds
in a single address by storing a single proof (And a bunch of nullifiers) on the blockchain, which
significantly reduces the transaction count on the blockchain. The people who will use this EIP as a
scalability solution, will also increase the privacy guarantees of the protocol.
Backwards Compatibility
The Ethers generated using the mint function should not have any difference with original Ethers.
People should be able to use those minted Ethers for paying the gas fees.
Reference Implementation
A reference implementation is not ready yet, but here is a design:
We will need to track all of the ETH transfers that are happening on the blockchain (Including those
initiated by smart-contracts), and add them to a ZK-friendly Sparse-Merkle-Tree. The amount sent should
also be included in the leaves.
We will need a new transaction type responsible for minting Ethers. The initiator should provide a proof
(Along with a nullifier) that proves he owns one of the leaves in the merkle-tree that has specific amount
of ETHers
Alternatively, we can use the already maintained state-trie and provide merkle-patricia-trie proofs, showing
that there exists some amount of ETH in an unspendable account, and mint them.
Security Considerations
In case of faulty implementation of this EIP, people may mint infinite amount of ETH, collapsing the price of Ethereum.