 Hi, I'm Osuke from RadioX and what I'm doing is some R&D works for privacy solutions to the blockchain network So all these two gem protocol is also the privacy-resolving blockchain So I'm happy to hear to talk about it Let's start off by briefly defining what is a privacy in the blockchain context We can think a whole blockchain system can be composed mainly two-part Networking layer and blockchain layer and just in this my talk, I'll let me define the Privacy feature itself can be mainly composed also the confidentiality features and anonymous features Confidentiality for the networking layer means our hiding transit method and anonymity for the networking layer means hiding IP addresses Whereas the confidentiality for the blockchain layer means hiding transfer demand So when you send a transfer token in the Ethereum, everyone will see how much you send is available to the data and anonymity for the blockchain layer means Hiding a transaction graph so again when you send a transaction Everyone see the transaction where it comes from or where to go So in this my talk, I'm gonna focusing on the privacy feature for this blockchain layer In the Bitcoin, when you send a transaction to the Blockchain and when you send a transaction to the send blockchain, it will be attached to one of the sender's private key public key and to verify the signature collection to verify the correctness of the signature But it always reveals that the transaction where come from and So in all of that type of the data linkage in the model uses a special signatures called ring signatures and The ring signatures basically allows it to be attached not just one sender private key, but multiple some dummy public key and these keys are fetched from the model of the network and These keys are also selected in the input selection algorithm So the ring signatures basically ensure that it's signed by one private key corresponding to one of the ring members in public key and other keys works as a dummy private key so this In this picture, the red one is only a sender actual Private key and as a key that works dummy private key and this is a way to overfocuss to give the anonymity feature for the sender another seed in the model protocol and Paul gives a confidentiality features to the model or sender sender value commitment instead of the low data of the value and It will be attached to the range groups based in the energy-proving systems and it will be Provides a variety of the within that value is in the valid range and the final is a stair services work so the anonymity features to give the Recipient Genesis in the ZCAS is also the like the UTXO right model in the blockchain and the idea is that The market tree not commitment is accumulated into the market tree and It works like a UTXO set in the blockchain so that Sender don't stand that actual value and it will be a committed to the not commitment and so it will be highly to the actual amount and The important thing is that this commit and this market tree is only active so if sender to a payment or it do it not Update that the not commitment Instead it will be added to the notify your data, which is a unique and recover to the specific the Consuming commitment and that notify your data will be added to the notifier set global notifier set and which is to Prevent from double-spending So that's a ZCAS next Prove that all these computational processes are quite to resume or without revealing the sensitive data such as Sender's private key and actual transfer amount So these are major Privacy focusing blockchain of takes a UTXO based approach But how can we achieve these features in the database approach so it means how can we achieve that? Confidential features for so when you send a transaction or how can we achieve the anonymous features for when you send the transactions So that's our way Zerotran is a privacy preserving blockchain and supporting the database approach and We are currently not on top of both sides. Isarium of we are top of on the service to it and We especially providing the sun substrate to our on-chain logics called the substrate modules and Some children for protecting the sensitive data, which is a star on chain and Let me jump into my other privacy Solutions in the Zerotran Let me talk a little bit about what is the substrate is Substrate is basically a blockchain framework or which is developed by parity technologies and The Assault rate provides a basic blockchain component or such as a database. So in the blockchain for starting transactions and P.r.dp networking to gossip the state transitions in the blockchain network and consensus mechanism to provide the incentive mechanism into the blockchain network and transaction here and so on and These blockchain component might be most complex and difficult part when you beat it your own blockchain But if you beat it on the substrate or you don't need to If you meant to do the complex complex component so all you need to do is that you just build some substrate modules and substrate running and This is a way to Configure the substrate modules into the substrate runtime there are a bunch of substrate modules and which modules provide the specific features of such as The 10th time module provides just a 10th time to win to the Blockchain and the balance is module provides that many things are fun to process to the blockchain system and especially we are providing the some privacy for focusing modules such as a Encrypted balances module provides the way to the confidential transfers in the runtime and anonymous balances module provides the anonymous transfers into the runtime and This is a certain the overview again, we are talking about on the top over on the substrate and the architecture is a implementation of the these are and also we use as it gets next as their knowledge building systems and We can on top of it we can build a privacy oriented applications top of on the blockchain protocol such as a confidential and anonymous payment applications and Privacy features financial systems applications on top of the blockchain protocol and What is the reason? this is a paper published by Valentines at all in early of this year and It is our basically an efficient free decentralized and Confidential payment mechanism. All that is a compatible with a smart contract or not for and the Basic idea is that a common fix give encryption scheme hide all transfer amount and account balances and Also, it takes a kind of based approach for the reason of the efficiency and some usability and so we can avoid the use of accumulations in the on-chain and But the origin these are used as a sigma bread called The signal factor which is kind of the denotation building systems, but we use is that dickie snacks But the statement itself and the dickie snacks are based on these are protocol But why we use dickie snacks? Because one of the problem of the anonymous these are it is so expensive. So we want to want a small proofs and efficient and succinct modifications in terms of the denotation and also dickie snacks has a Great community and a lot of project using a dickie snacks libraries and They are existing a lot of the Awesome libraries for dickie snacks But as you know the one of the downside is the necessity of the tracel set up And but these days some there are some solutions and some applications to To the tracel set up one thing is that much party computation, which is doing by the dickie's protocol and Sam universal and the database always so which is a lot of research have been doing recently And how it works actually in the confidential transfer function Let's think the simple case that's Alice and the ankle to three points to ball So again, we are take the counter by surplus. So on chair. Oh, we Alice has ten coins and the ball has five coins currently and but obviously to reveal that Everyone see how much they have now So if you all have to hide it, we need to encrypt it those amount by the lifted a lot of encryption and This is shown scheme has a whole big property So we can calculate to be the encrypted one. So I listen include the three coins to do the transaction and this this is added to the reality to the Bob's balances and sub selected from the Alice's balances and We can calculate it on chain with all cypher fixed way So no one cannot see those actual amount in the on-chain and Of course, Alice can see how on balance is by using her decryption key, which is one of the private key So this is a whole of a sky they are over the confidential transposed in the cell chain But the problem is that How a blockchain model can balance this equity to a month I mean This is our encrypted three coins looks actually just 64 divided away So or I see to convince that this 64 divided away is actually encrypted three coins by equity to correct collecting encryption key So in order to achieve this We use a ticket Because of the case next basically provide Provide some proofs that the statement to some statement is actually correct So in this context the statement is the transfer amount is within the valid range So that the transfer amount is not a negative amount or not overflowed or sender has enough balances and It's included by the correct and shown key so if it is statement is actually correct and this next not reveals a Not reveals a chalamand or sensitive data such as a private key and If these statements are actually collected by for your function on-chain returns to you and we can validate it on the on-chain and In the case of the anonymous transposed All processes are similar to the confidential transposed or as I explained earlier But the difference is that to some me some dummy addresses and some an critical amount to be added into the Transactions, so this is a similar way to the monies approach because it will be obfuscated Because of the Damian data So that's the point is that the people cannot tell the difference between the actual data such as a recipe and send dummy data and As for the on-chain operation after modifying They guess they give a lot of fun function Uploading the encrypt balances will be calculated in the on-chain and this changes will be the uniformly and This is our encrypt and encrypt amount for the dummy addresses is actually encrypt zero value, so The dummy addresses for the increased balances will not change the for the actual balances or this is changed just to several takes and this is a bench mass of the the chain as you see the Constraint size of of the DKS is a constant against anonymity size because of the Accumulated approach of which is I explained earlier Whereas the constant of the chain grows linearly against Anonymity size of because we need to utilize Yeah, it's unlimited size in bits What's the other limited size? Oh, I don't be sighs. There is a One of these sizes a number of the anonymity sets so in this so in this picture the 40 yes, it's quite small Yes, but I want to come I want to compare that the answer they just come Constraint and the general strength, so it's small so the Constraint of the general chain grows linearly against the anonymity size, so that's that's they'll change constantly takes over land 26 and 27 in the DKS Constraint and decides and as a reference Anonymity size is the model is 11 currently and We can achieve or they'll can achieve can the anonymity feature level of the Mono with half of the DKS constant that is 50,000 Constraint so by the way the constant rent is a competition complete complexity in the logical thing and Then the next thing I would like to talk about is all the beating for the privacy coins and Namely the selective disclosure because for real the world usage or some enterprise usage all the beating is so important aspect and and Because it will be need to comply with some regulations and need to be some protecting from the right-hand money laundering So it means a private entity should be able to all it to certain users minus flow in the financial time use cases and your touch it does such a All the beating features or we prepare some king component for getting those are ready and They are a bunch of key pairs But the importance key is this decryption key because all the transfer amount and the ankle to balance is we will be encrypted in this anchoring shun key and If user pass this decryption decryption key to some all it is all it has can decrypt It by using this decryption key But the order cannot Spend their users a coin because they don't have the spending key the Decryption key cannot be a spending key cannot be derived from this decryption key That's my meanings my me So as a summary what is a good point of the database approach The first of your thing is a on-gen storage rendering because you can implement the UTX based approach into the smart contract but With so expensive or you need to all UTX of set and all spent transactions such as a verifier data need to be Stroll into the smart contract and also we can choose a confidential capital token in the database approach for example or if So if you want to prove that Alice cannot have the security tokens over 4% of the total supply In a confidential amount, but in the UTX based approach or you need to Accumulate or collect all of the UTX of set on-gen so it's too expensive and It's easy or it is why is it way easy to get all the big features in the database approach Because in the UTX based approach all it I need to try to try to decrypt all several cases including the whole history of the transaction and so it's It's too expensive and but in the account based approach all it not just all fetches are specific or include the violence is from the blockchain network and Decrypt it and we get the single latest value And so we are all open source our implementation of the ocean and Implemented all implementation is written in last And but it's under development for the production ready. You can check page.com thrush So and this is a demo So we have the 700 one thousand points now and Left-hand sides are running the blockchain node running locally and the right side is a desktop client desktop and I'm gonna Send 100 coins to Alice and so make them calculated To the Zeraj proving and some encryption scheme and verify it within the Zera channel and the Transfer amount will be self-directed from my balances and I'm going to change the Default to other cities to the best the authorities Check other We can always get one hundred coins Thanks so much