Skip to content

porco-rosso-j/zk-ecdsAA

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AnonAA

icon2

*This project is built at the ETHPrague hackathon. Project Page.

Overview

AnonAA is an ERC4337-based social recovery wallet that conceals guardians' addresses to prevent their potential corruption. It also implements privacy-preserving features like private ownership and private ownership transfer. zk-ecdsa written in Noir, a generalized zkp language built by Aztec, enables these features.

Problems & Solutions

AnonAA has three distinct privacy features which solve different problems. All of the solutions below are made possible with zk-ecdsa, ecrecover carried out through a zero-knowledge circuit. The zk-proof is verified on-chain. it replaces the ecrecover function which is commonly used in transaction signature verification in smart contract wallets.

Secuirty-enhanced Social Recovery

One of the biggest unspoken risks associated with the current social recovery scheme is the possible corruption in which the "trusted" guardians communicate behind the scene and collude to take the account ownership and steal the owner's assets.

Imagine a social recovery wallet with 3 guardians (one is your backup address and the other two are people you trust, like your family members and close friends) and the threshold is 2. As long as the stored guardian addresses are publicly known, it's not difficult for guardians other than you to collude.

To prevent such actions, AnonAA allows you to store the guardian address masked(hashed) and they can interact with the wallet ( approve/ reject recovery proposals) without revealing their public identity ( eht address / public key ) so that they can't know who the other guardians are, making the corruption nearly impossible.

Private Ownership

AnonAA only stores encrypted addresses which helps the owner hide the ownership of the account. Hence, as long as the owner manages the account without making any link to his/her other addresses on-chain, nobody can guess/know who controls the smart contract wallet.

Private Inheritance

AnonAA allows for safe and private transfer of account ownership. Even if you are put into unexpected situations like death and imprisonment where you can't have access to your account/funds anymore, people such as your son, daughter, and wife can safely inherit your assets anonymously.

Technologies

  • Noir, a language for creating and verifying zk-proofs built by Aztec.
  • ERC4337, an Account Abstraction standard.

Inspiration & Credit

  • ecrecover-noir: ecrecover implementation in Noir.
  • DarkSafe : Shielded Safe with Noir ecrecover.
  • nplate: a template project with Noir proof generation in foundry test.

Deployed Contracts

Here is the list of the Account contract addresses deployed on each network.

Chain Address
Goerli 0x0C92B5E41FBAc2CbF1FAD8D72d5BC4F3f73dA104
Optimism Goerli 0xaFb4461a934574d33Ae5b759914E14226a3d168e
Chiago(Gnosis) 0x55b89639d847702d948E307B72651D6213efDb7A
Scroll alpha 0x542a0d82F98D1796A38a3382235c98C797eaC4F5
Base Goerli 0x3a52f22c59bbb86b85eba807cf6ebadbe298d9a3

Challenges

Building Frontend

Since Noir's JS library used for generating zk-proof is unusable as it hasn't been updated to the latest version of Noir, I couldn't build a fron-tend where users can locally generate proof and submit transactions to get his/her actions done.

Hashed Address, not Merkle root

AnonAA stores Pedersen-hashed addresses in smart contracts that are practically secure enough to preserve the privacy of the users: the owner, the guardians of social recovery, and the beneficiary of the inheritance. Of course, an attacker can brute-force compute all the public addresses to link them to the hash of the addresses above, but adding additional randomness, such as using secret salt for hashing, would make it nearly impossible.

Anyway, I think that using Merkle tree/root is a more desirable and elegant solution to manage the user's identity secretly and efficiently as it's more difficult to extract leaves from a root and also reduces storage costs as the amount of identity data increases. Though, unfortunately, this is impossible at this point as the Noir JS library is still out of date as I mentioned above.

Proving time and Verifying cost

Even though applying ZKP to privacy solutions is cool and effective, I think it's still hard to go in production as the proving time is too long ( abt 1.30mins for each ) and verifying the contract consumes tons of gas ( min. ~500k). But I believe that these bottlenecks will be eased and removed as the technologies improve in Noir and its underlying proving system.

Relayer

To make AnonAA purely private, there needs to be a relayer that can work as a relayer/paymaster so that users don't reveal its on-chain recorsds for paying gas. I couldn't build it whithin this hackathon period but this is the first thing that would be worked on next.

Deployments

compile
forge compile
test
chmod +x ./prove/prove_app_r.sh
chmod +x ./delete.sh
forge test --contracts zkECDSAATest --match-test test_approve_recovery -vv

Expected outcome would look like the below

Screenshot 2023-06-11 at 9 53 19
deploy
forge script script/Deploy4337.s.sol:DeployAccount --rpc-url <RPC_URL> --broadcast

About

ERC4337-based social recovery wallet with Noir zk-ecdsa

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published