Conversation
… poc implementation
use-cases/private-payments.md
Outdated
| See [private-stablecoins.md](private-stablecoins.md) for stablecoin-based privacy patterns. Additional considerations: | ||
| See [Approach: Private Payments](../approaches/approach-private-payments.md) for detailed solution architecture covering L1 shielded pools, Plasma/Intmax2 stateless rollups, privacy L2s, TEE, and MPC approaches with quantitative comparison from PoC validation. | ||
|
|
||
| **PoC Implementation:** [Private Payment PoC](https://github.com/ethereum/iptf-pocs/tree/master/pocs/private-payment). Two approaches validated: L1 Shielded Pool and Plasma/Intmax2. |
There was a problem hiding this comment.
We can remove mention of PoC here and just redirect to the approach page, then the reader can check recommended solutions there.
use-cases/private-payments.md
Outdated
| ## 6) Open Questions | ||
|
|
||
| - Where is the line between payment privacy and AML/CFT obligations? | ||
| - Where is the line between payment privacy and AML/CFT obligations? PoC approach: attestation-gated entry (ZK proof of KYC) demonstrates privacy-preserving compliance gating. |
There was a problem hiding this comment.
Not sure if we should answer the question here. Maybe it just needs a rephrase.
|
|
||
| 2. **Liquidity Fragmentation:** Multi-token transfers require same-token constraints in circuits, confirming per-token shielded pools. Remaining: cross-pool atomic swaps and multi-asset circuit designs. | ||
|
|
||
| 3. **Operational Recovery:** Dual-key architecture (spending + viewing) provides viewing-key-based balance inspection for recovery scenarios. Remaining: full business continuity workflows and key rotation under shielding. |
There was a problem hiding this comment.
Not sure to understand. Is Operational Recovery about audit?
| 6. **Verification Gas Viability:** At ~2.6M gas per on-chain verification for shielded pools, what payment volume threshold makes L2 amortization necessary? | ||
|
|
||
| 5. **Operational Recovery:** Key recovery and business continuity for institutional payment operations? | ||
| 7. **Network Timing Correlation:** Some approaches leak timing metadata. What is the acceptable latency overhead for [network anonymity](../patterns/pattern-network-anonymity.md) mitigations? |
There was a problem hiding this comment.
Isn't this mitigated by size of AS?
There was a problem hiding this comment.
not really, if someone joins the AS, and immediately a similar amount of tokens flows out, its possible to correlate
There was a problem hiding this comment.
Yeah, you'd need to round up notes. Fine to keep it as it is.
| | **Proof gen (operator)** | N/A | 42-49s | | ||
| | **Operator required** | No | Yes | | ||
|
|
||
| #### Cross-Cutting Findings |
There was a problem hiding this comment.
We should mention the issue with withdrawals, the fact that you need a fresh address with no gas, and therefore a relayer to pay for your gas. Add a CR level to the full shielding picture.
rymnc
force-pushed
the
chore/update-private-payments
branch
from
1ee96b9 to
bca42a0
Compare
|
|
||
| | Dimension | Shielded Pool (L1) | Plasma/Intmax2 (L2) | | ||
| |---|---|---| | ||
| | **Proving system** | UltraHonk | Plonky2 | |
There was a problem hiding this comment.
Can we add a link to Ultrahonk and Plonky2 in ref or as links to more details somewhere
oskarth
left a comment
oskarth
left a comment
There was a problem hiding this comment.
A few more questions:
- Plasma "Gas: withdraw" says "Via withdrawal server" — do we know the actual on-chain gas when the withdrawal lands on L1? Even if the server pays, the cost exists somewhere
- "MAX_ATTESTATION_TREE_DEPTH=20, supporting ~1M participants" — worth noting this is configurable? Otherwise readers might read it as a fundamental ceiling
- The old L1 section had "battle-tested infrastructure" which got removed — worth keeping that qualifier somewhere? The comparison table covers gas but not the maturity signal
addressed in a1c0a38 battle-tested infrastructure sounds way too superlative, removed it. |
| - **Dual-key architecture** (spending + viewing) works in both models, confirming selective disclosure is practical without granting transfer authority | ||
| - **Attestation-gated entry** via ZK proof of Merkle tree inclusion is feasible (MAX_ATTESTATION_TREE_DEPTH=20, supporting ~1M participants, configurable for larger participtants, but increases proving time) | ||
| - **Network timing correlation** is unmitigated in both approaches; see [Network-Level Anonymity](../patterns/pattern-network-anonymity.md) for mitigation patterns | ||
| - **Withdrawal to fresh addresses** requires a gas relayer since the recipient address has no ETH for gas; this adds a counterparty-risk dependency to the shielding model |
There was a problem hiding this comment.
I don't think it's a counterparty risk here; i.e., you can always deanonymize yourself and withdraw funds by sending direct tx to the contract.
It's a more the privacy feature of feeding a fresh address with gas through the relayer that could be censored, the relayer could refuse to transmit your tx.
|
|
||
| **Operator Complexity:** | ||
|
|
||
| - **Shielded Pool:** No operator needed; users interact directly with L1 contracts |
There was a problem hiding this comment.
Is the realyer considered an operator? Is the person in charge of upgrading the contracts considered as an operator?
There was a problem hiding this comment.
not exactly, it can be a third party vendor here too
There was a problem hiding this comment.
Yes, but my question is, does having the power to upgrade contracts, even though detained by a third party, make this third party an operator of the system?
Also, this might be tracked in another issue; i.e., pattern shielded pool from CROPS pov, where we address this in CR section. cf. #104.
There was a problem hiding this comment.
upgradeable contracts are a building block used across many patterns, with varying upgrading authorities (multisigs, single entities, etc.). rather than defining the trust level of upgradeable contracts in isolation, it's better handled at the vendor card level, since those reflect real-world deployments.
There was a problem hiding this comment.
Agree!
But this setting should also live at the pattern level, specifying a different architecture path to avoid assumptions that are linked to a pattern name.
Meyanis95
left a comment
Meyanis95
left a comment
There was a problem hiding this comment.
Overall look good, modulu latest comments.
3 participants
What are you adding?
Description
Phase 5 of the playbook, limited learnings, but the big one is operator liveness for plasma approaches
Checklist