VL
Mar 13 36 tweets 7 min read
A bear market is a great time to learn something new. Today I will share with you what I personally had the pleasure of delving into - the technical solution of @MantaNetwork product:
MantaPay - Decentralized Anonymous Payment
1/36
The Manta payment protocol is designed to protect the identities of people who make private transactions. It does this by hiding the type of asset being transferred so that attackers cannot figure out what is being transferred.
2/
It also mixes all private transactions together in a single pool, which makes it harder for attackers to identify individual transactions. All processes are under protection of zero-knowledge proofs.
3/
To use the protocol, a user generates a unique key pair that they will use to make transactions. They can generate as many key pairs as they want, but each one can only be used once.
4/
When a user wants to create a private #crypto asset, they must initiate a transaction that includes a deposit of the public asset of equal value. The user then generates a random number that determines the "void number" of the asset, which is kept secret.
5/
They then commit to a triple (public key, value, random number) in two phases, which creates a private coin. The coin includes information about the asset type, its value, and its owner, but this information is kept secret from everyone except the owner.
6/
When the transaction is sent to a validator, they check that the sender has the assets they claim to have, and that the commitment matches the information in the transaction.
7/
If everything checks out, the validator deducts the assets from the sender's account and adds the private coin to the ledger.
8/
The cost of creating a private asset is mainly due to the commitment scheme used to keep the transaction secure. There is no need to use zero-knowledge proof operations, which would make the process more complicated.
9/
Mint private assets. To create a private asset with a specific value, a user initiates a coin minting transaction with a deposit of the public asset.
10/
They sample a random secret string to determine the void number, and commit to the triple (address key pair, value, secret string) in two phases.
11/
They then mint a private coin with a unique tuple of values, which are needed to spend the coin at a later time. Validators verify the transaction and add the coin to the ledger, deducting the public asset from the sender's account.
12/
This process does not involve any #ZKP operations and the cost is dominated by the commitment scheme.
13/
Transfer private coins. The transfer operation takes a set of input private coins to be consumed and transfers their total value into a set of new output coins, where the total value of the output coins equals the total value of the input coins.
14/
To illustrate, suppose a user wants to transfer their old coins to new coins. To create such a transfer transaction, the user samples trapdoors and computes several values using these trapdoors, which create new coins.
15/
The user also produces a NIZK proof, which is called by the transfer operation to verify that the transaction is valid.
16/
The transfer transaction includes information about the old coins, new coins, and secret keys needed for the transfer, as well as a proof of validity. Once the transfer is complete, the user sends the transaction to the network.
17/
To prevent double spending, Manta uses something called "commitments", which are like codes that represent the money.
Manta keeps two lists of these commitments.
18/
One list has all the commitments that have ever been used, and the other list has commitments for all the money that has already been spent.
19/
When someone wants to send money to someone else using Manta, they need to prove that they have the right amount of money by showing their commitment is on the first list, and that it hasn't already been spent by showing that the commitment isn't on the second list.
20/
If the transaction is accepted, then the commitment for the spent money is added to the second list so that it can't be spent again.
21/
Although there is a link between the old commitment and the new one, this doesn't reveal who sent the money or who received it, so people can still use Manta anonymously.
22/
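The two-list double-spend check and the two-phase coin commitment described above, as an added Python sketch that is not Manta's code. Assumptions: SHA-256 stands in for COMM, HMAC-SHA256 for the PRF, `derive_pk` is a hypothetical key derivation, the spent list is keyed by the coin's void number, and the ledger sees the coin opening in the clear where the real protocol uses a zero-knowledge proof; value conservation is not modeled.

```python
import hashlib, hmac, os

def comm(*parts: bytes) -> bytes:
    """Commitment stand-in (assumption): SHA-256 over length-prefixed parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def derive_pk(sk: bytes) -> bytes:
    """Hypothetical key derivation so the toy ledger can check ownership."""
    return hashlib.sha256(b"pk" + sk).digest()

def void_number(sk: bytes, rho: bytes) -> bytes:
    """PRF stand-in (assumption): one void number per (secret key, rho)."""
    return hmac.new(sk, rho, hashlib.sha256).digest()

def mint_coin(pk: bytes, value: int):
    """Commit to (pk, value, rho) in two phases; return public cm and private opening."""
    rho, r, s = os.urandom(32), os.urandom(32), os.urandom(32)
    k = comm(r, pk, rho)                        # phase 1: owner key and rho
    cm = comm(s, k, value.to_bytes(8, "big"))   # phase 2: value
    return cm, {"pk": pk, "value": value, "rho": rho, "r": r, "s": s}

class ToyLedger:
    def __init__(self):
        self.commitments = set()  # list 1: every coin commitment ever added
        self.spent = set()        # list 2: void numbers of consumed coins

    def add_coin(self, cm: bytes) -> None:
        self.commitments.add(cm)

    def spend(self, sk: bytes, coin: dict, new_cm: bytes) -> str:
        # Recompute the commitment from the opening (done in zero knowledge in MantaPay).
        k = comm(coin["r"], coin["pk"], coin["rho"])
        cm = comm(coin["s"], k, coin["value"].to_bytes(8, "big"))
        if cm not in self.commitments:
            return "rejected: unknown commitment"
        if derive_pk(sk) != coin["pk"]:
            return "rejected: not owner"
        vn = void_number(sk, coin["rho"])
        if vn in self.spent:
            return "rejected: double spend"
        self.spent.add(vn)                # old coin can never be consumed again
        self.commitments.add(new_cm)      # new coin becomes spendable
        return "accepted"
```

The ownership check matters for the double-spend guarantee: without binding the secret key to the committed public key, a spender could present a different key to obtain a fresh void number for the same coin.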
Reclaim public coins from private coins. The process involves using a modified version of the GenTransfer interface, where one of the output coins is made public. The output coins include a private coin, a public address for the asset identifier, and a value.
23/
To reclaim coins, the user needs to prove that they have knowledge of the old coins and the secret keys, and that the new coins are well-formed and share the same asset identifier as the old coins.
24/
The user sends a transaction to the ledger with information about the old and new coins, and the validators check the validity of the transaction by verifying the #zkSNARK proof and ensuring that the old coins have not been used in a previous transaction.
25/
If the validation is successful, the validators will update the ledger and credit the public address with the reclaimed amount of the asset.
26/
Security Proof. We will rely on the theorem. The proof establishes that the proposed #decentralized anonymous payment scheme is private, assuming some properties hold. These properties are:
27/
- COMM is computationally hiding and binding: A method of commitment is used that is secure against attackers who can compute efficiently.
- zkSNARK scheme is zero-knowledge: A method of proving that a statement is true without revealing any additional information is used.
28/
- PRF is pseudorandom: A function that generates random-looking outputs from an input is used.
29/
The proof starts by constructing a simulator that satisfies a definition, and then it shows that an adversary cannot distinguish between the view in the real world and the view from the ideal world.
30/
The proof further includes a lemma that looks at games with the same initial configurations and transaction op-codes. It shows that, for any instance of RealAdv and IdealAdv, the probability that a computationally efficient adversary can distinguish the two is negligible.
31/
Finally, the proof uses a hybrid argument to show that, for any computationally efficient adversary, it cannot distinguish between the view from the real world and the view from the ideal world with a non-negligible probability.
32/
It does this by constructing a series of intermediate states of the view and showing that there must be an i0 in [M] for which the probability of distinguishing is at least poly0(λ)/M. The proof then shows that this contradicts the assumption of the properties holding.
33/
Here you'll find a complex form of explanations for #MantaPay with math algorithms for what I described earlier. Go and DYOR! github.com/Manta-Network/…
34/
That's all, hope you enjoyed it. Here you can check out my previous overall review of #MantaNetwork.

35/
Follow me @VladislavLiu for more.

Like/Retweet the first tweet below if you can.


36/36
