Table of Contents:
Privacy in DeFi is much needed.
In an ecosystem that grows bigger and more composable every day, the possibility for attackers to take advantage of blockchains' transparency to attack users increases. In contrast, automatic MEV attacks become more common by the day. If we want adoption to increase by orders of magnitude, users need to be guaranteed a base degree of privacy.
So, why has nobody succeeded (yet) in providing a base level of privacy? In this article, based on Anish Mohammed's (Panther Co-Founder, CTO, and Chief Scientist) talk at EthCC Paris 2022, we'll look into:
- The economic challenges behind private DeFi.
- How to price privacy correctly.
- The adversarial games that keep the clock ticking for blockchain privacy.
- What a solution to the current challenges might look like.
Illustrating the base difficulties of privacy in DeFi
To understand why DeFi privacy is inherently challenging, let’s look at one of the most widespread, straightforward models –Automated Market Makers.
In an AMM, there are two pools of assets, which users trade against. By withdrawing assets from one side of the pool and adding to the other, users drive price fluctuations for both assets, which stabilize the system through arbitrage opportunities.
Privacy for AMMs is difficult because obscuring balance and trade amounts from possible attackers is insufficient: by looking into on-chain data, it’s still possible to reconstruct the history of transactions.
To mitigate this, some proposed strategies include:
- Batching: It’s possible to merge a set of transactions into a batch. Rollups are essentially batching mechanisms with scalability and possibly privacy advantages.
- ZK rollups, which can provide privacy and batch transactions by default. In a batching scenario, an attacker doesn’t have information about individual transactions anymore, only about their average.
- Adding randomness in price: Akin to a noise-generation function, adding an element of uncertainty —essentially an error margin— can increase privacy. This occurs on each block, as a random offset is added to the price the constant function would give based on the pool’s parameters. An attacker would be no longer able to estimate the pool’s balance or trade amounts from the price difference between two blocks. This solution's costs mainly affect liquidity providers, as the user exchanging assets would know the price before making the trade.
- Differential privacy: Differential privacy, similarly to added randomness, muffles information about individual transactions while guaranteeing that the general properties of the dataset are not changed. This could be applied to many parts of the DeFi algorithm, with one implementation already theorized. Large trades within a block could be broken down into smaller trades and reordered, maintaining the average impact and protecting a user against being front-run.
Problems with batching (including batching in rollups)
One obvious issue with batching is that, by being unable to execute in real-time, DeFi users miss out on time-critical strategies, which become unfeasible with batching. In other words, in the time that it takes for a batch to gather all participants’ transactions, MEV attacks or other traders get a larger-than-usual window of opportunity.
Additionally, due to averages and the inability of traders to know the order of transactions in a batch, some participants will enjoy better prices than others. We can think of this as an associated inefficiency.
Problems with differential privacy in decentralized settings
Privacy under a decentralized setting has inherent cost disadvantages against privacy in centralized systems. It is harder to achieve privacy in decentralized systems because:
- Decentralized consensus has a cost. In a setting with no trusted parties, efforts need to be concentrated on making sure that the system is attack-proof. In other words, centralized systems only need to worry about executing a task and maintaining public trust, while decentralized systems have to bear the non-negligible cost of keeping decentralized.
- Unlike what is usually believed, communication overhead can also have a significant cost, especially for time-critical applications. Decentralized consensus requires that all participants are informed of everything going on, while a centralized service provider simply keeps a single, efficient internal database. The former requires constant communication between hundreds or thousands of participants, while the latter is virtually free of that overhead. An aggravating factor is that, at times, communication costs do not rise linearly; they worsen as the number of participants in a system increases.
The above considerations create an economic dilemma: assuming either no regulatory requirements such as GDPR, or that their impact is negligible, the cost of maintaining a private system is higher than that of maintaining a system without privacy. Similarly, decentralized privacy is more expensive to achieve than centralized privacy, albeit a centrally-controlled private system creates obvious less-than-ideal power dynamics.
Adversarial dynamics can be seen in technology, healthcare, and other areas of daily life. Corporations that (advertently or otherwise) collect data from users get to benefit from machine learning applications to improve their products and targeting.
Because of this, even in centralized competition, the honest competitor faces a disadvantage. However, there is a hope that, in a decentralized solution, the lack of overhead and cost spread can drive the “privacy disadvantage” to be lower than the added costs of collecting and processing data.
The need to price privacy
To succeed, at least from an economic standpoint, a decentralized privacy system must:
- Spread its costs as much as possible. It’s possible that a decentralized private system will never be the cheapest option available, but the cost could become bearable enough for its advantages to beat the associated costs (e.g., if the cost would be $0.1 per transaction). Users need to bear these costs for the system to be truly decentralized.
- Privacy comes in many layers. The costs of privacy will naturally be higher in extremely private applications. Nonetheless, each user’s risk tolerance will determine whether a weaker privacy solution is sufficient to shield them against their most likely attackers. Privacy tools should ideally be as flexible as possible to allow this privacy price discovery and maximize participation.
- Derive its privacy from user-driven actions. Similar to how Bitcoin miners earn from verifying blocks, a decentralized ecosystem can reward users for participating in a protocol, which aids overall privacy. In this system, users being rewarded for “feeding” a privacy algorithm substitutes the need to add artificial randomness.
In the condition set above, private system users “pay” for the rewards that the rest receive for creating the right conditions. As such, it’s even possible to devise a system in which there are several “tiers” of privacy, each with a separate cost, to create even more desirable conditions. This is illustrated in the table below, following the example of how data could be used to improve targeting and products:
A tool to solve seemingly contradicting needs
The privacy problem in DeFi presents the need for a tool that satisfies radically different –even contradictory– needs.
On the one hand, the radical transparency of Layer-1 blockchains has helped them arrive at their current growth stage in a decentralized fashion. On the other, privacy is the only way users can be fully safe utilizing them.
There is one way in which DeFi users can access total privacy that is fully compliant while retaining full control and ownership of their data. And as this technology and its game-theoretical design are no small feature, they are often referred to as moon math.
Introducing zero-knowledge proofs
First introduced in 1989, zero-knowledge proofs are a relatively new concept in the context of mathematics, cryptography, and computer science. In the last decade, the advancements in this field have been numerous. These breakthroughs allowed many practical applications to be developed, especially in the cryptocurrency space.
For those not already familiar with the term, a zero-knowledge proof (ZKP) is a proof for a statement that does not convey more knowledge than the mere fact that the statement is true.
Imagine magician A wants to prove to person B that A can leave a room without using the only door, but doesn’t want to reveal his secrets. A can simply ask to be let inside the room, for B to lock the door and keep an eye on it from outside, and then somehow A will appear outside the room. This proves the claim was correct, but no extra information about A’s methods was revealed: a zero-knowledge proof.
What are ZKPs good for?
Zero-knowledge proofs have been some of the most powerful tools to build crypto privacy solutions. Currently, they’re being utilized to scale blockchains by applying ZKPs to batch transactions off-chain, having privacy as an auspicious side-effect. Although, as we have seen, rollups create issues of their own.
The gains in scalability due to using rollups can be significant, as demonstrated by the table below:
The current applications for zero-knowledge proofs have just barely scratched the surface of what’s possible for them. As a general-purpose tool, ZKPs can be used in any situation that requires users to provide proof of status/ownership. They also enable them to prove the above without disclosing the underlying data, which from an economic and privacy perspective means that:
- DeFi users can be protected by default privacy (or access it in different layers) and then progressively pay for subsequent disclosures.
- These solutions can be accessed in a scalable, more affordable manner.
- A system with the right incentives can rely on ZKPs to create private batched transactions.
It remains a matter of speculation what the creation of such a system can achieve in a real-world setting. However, if executed correctly, it could result in an end-to-end private experience of utilizing DeFi for users, as well as a mechanism to put a price on privacy organically.
As we have seen, there is no such thing as a free lunch when it comes to blockchain privacy.
Competing on price with centralized systems is non-trivial, as existing privacy-preserving tech applications are not efficient enough. Alternatives like zkSNARKs and scalability solutions, however, make it more likely that this problem can be solved when approached from the right angle.
In a race to the bottom between privacy-preserving and non-privacy-preserving solutions, incentives are key to making the former stand a chance against products that can grow and iterate faster, becoming stronger.
Along with incentives, a dynamic pricing of privacy is also vital. If users have incentives to pay extra for higher privacy (therefore incentivizing strategies that provide privacy to others), it’s possible to lower the price of privacy for all, making the system more robust and attractive.
We are at a breaking point for the development and application of ZKPs. The next few years will be key in determining how far privacy in DeFi goes when aided by them.
Panther is a decentralized protocol that enables interoperable privacy in DeFi using zero-knowledge proofs.
Users can mint fully-collateralized, composable tokens called zAssets, which can be used to execute private, trusted DeFi transactions across multiple blockchains.
Panther helps investors protect their personal financial data and trading strategies, and provides financial institutions with a clear path to compliantly participate in DeFi.