Shielding any cryptocurrency into a privacy coin
Shielding is the process of turning cryptocurrencies on other cryptonetworks (or “public coins”) into privacy coins on Incognito.
Through Incognito, a public coin can be shielded to obtain its privacy coin counterpart of the same value. For example, BTC can be shielded to obtain the privacy coin pBTC. pBTC has the same value as BTC, so 1 pBTC can always be redeemed for 1 BTC and vice versa.¹
Once shielded, privacy coin transactions are confidential and untraceable. A privacy coin enjoys the best of both worlds. It retains the value of its original counterpart and can be transacted confidentially on the Incognito network.
Table 1. The most popular privacy coins on the Incognito network from November 2019 to January 2020. (Only the column heading "Number of transactions" survives from the table; the rows were not recovered.)
We have based the shielding mechanism on the experience of building our first-generation trustless bridge, between Incognito and Ethereum [Incognito, 2018]. In particular, we generalize it to enable a wider range of cryptonetworks to be interoperable with Incognito.
Current blockchain interoperability solutions mostly involve building ad hoc bridges. BTC Relay [BTC Relay, 2019], WBTC [WBTC, 2019], and TBTC [TBTC, 2019] build ad hoc bridges between Bitcoin and Ethereum, while Kyber Network builds Waterloo [Baneth, 2019], an ad hoc bridge between Ethereum and EOS. For Incognito, doing it ad hoc – one bridge for every cryptonetwork – is not a scalable option.
Incognito takes a different approach: build once, work with any cryptonetwork. The shielding mechanism operates via a general bridge design that connects Incognito to any number of cryptonetworks, allowing for secure bi-directional transfers of cryptocurrencies whenever privacy is needed. This means any coin can now be a privacy coin. This approach is especially helpful for creating interoperability with cryptonetworks that do not support smart contracts, like Bitcoin and Binance Chain.
To obtain privacy coins, the user first submits a shielding request to the Bond smart contract with information about which public coins they want to shield and the amount. The Bond smart contract selects trustless custodians [Incognito, 2019] for the public coins and provides the user with the custodians’ deposit addresses. Once the deposit is confirmed on the cryptonetwork of the public coins, the user initiates a shielding transaction on Incognito that carries the deposit proof. A deposit proof on a cryptonetwork is usually a Merkle branch linking the deposit transaction to the block it is time-stamped in, proving that the deposit transaction has been accepted by that cryptonetwork.
Figure 1. SPV in Bitcoin [Nakamoto, 2008]. Other cryptonetworks employ similar SPV methods. Note that while we have designed a general bi-directional bridge between Incognito and other cryptonetworks, we still need to implement the specific SPV logic for each cryptonetwork we add to the bridge, including relaying block headers from those cryptonetworks to Incognito and performing SPV on deposit proofs.
Incognito validators verify the shielding transaction and, in particular, the deposit proof inside it using Simplified Payment Verification (SPV) [Nakamoto, 2008]. Most cryptonetworks support SPV, with a few small differences in the underlying data structures. For example, Bitcoin and Binance Chain use a Merkle tree [Merkle, 1980], while Ethereum uses a modified Merkle Patricia tree [Wood, 2014].
Once the deposit proof is verified, new privacy coins are minted at a 1:1 ratio.
Figure 2. Shielding BTC and minting pBTC. Other public coins follow the same shielding process. Note that step 5 is simplified so that readers can follow the main logic: the deposit proof is not generated by the custodian, but by the miners of the underlying cryptonetwork.
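The deposit-proof check described above, as an added example that is not part of the original paper or of Incognito's code: a Bitcoin-style Merkle branch (double SHA-256, with Bitcoin's rule of duplicating the last hash on levels with an odd number of nodes) is recomputed from the deposit transaction id up to the root, compared against the Merkle root in a block header that was previously relayed to the verifier, and accepted only if that block is buried under a minimum number of confirmations. The block of five transaction ids, the header record and the confirmation threshold of 6 are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function for Merkle nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(txids: List[bytes]) -> List[List[bytes]]:
    """All levels of the Merkle tree, leaves first, root last.
    A level with an odd number of nodes has its last node duplicated,
    which is what Bitcoin does when building the block's Merkle root."""
    if not txids:
        raise ValueError("a block carries at least one transaction")
    levels = [list(txids)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]
        levels.append([dsha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(txids: List[bytes]) -> bytes:
    return merkle_levels(txids)[-1][0]


def merkle_branch(txids: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to (but excluding) the root.
    This list, together with the leaf's index, is the deposit proof."""
    branch = []
    for level in merkle_levels(txids)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        branch.append(level[index ^ 1])  # sibling sits at the other bit
        index //= 2
    return branch


def branch_root(txid: bytes, index: int, branch: List[bytes]) -> bytes:
    """Recompute the root from a leaf and its branch; the index bits say
    on which side the sibling goes at each level."""
    node = txid
    for sibling in branch:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    return node


@dataclass
class HeaderRecord:
    """What a verifier keeps per relayed block header (constructed subset)."""
    merkle_root: bytes
    height: int


def verify_deposit_proof(txid: bytes, index: int, branch: List[bytes],
                         block_hash: bytes, relayed_headers: Dict[bytes, HeaderRecord],
                         chain_tip_height: int, min_confirmations: int = 6) -> bool:
    """SPV check: the block must be known from the relayed header chain, the
    branch must reproduce its Merkle root, and the block must be confirmed
    deeply enough that a short reorg cannot drop the deposit."""
    header = relayed_headers.get(block_hash)
    if header is None:
        return False  # proof points at a block the verifier never saw
    if branch_root(txid, index, branch) != header.merkle_root:
        return False  # transaction is not committed to by this block
    confirmations = chain_tip_height - header.height + 1
    return confirmations >= min_confirmations


# --- constructed sample data ---
SAMPLE_TXIDS = [dsha256(f"constructed-tx-{i}".encode()) for i in range(5)]  # odd count on purpose
SAMPLE_BLOCK_HASH = dsha256(b"constructed-block-header")
SAMPLE_HEADERS = {SAMPLE_BLOCK_HASH: HeaderRecord(merkle_root=merkle_root(SAMPLE_TXIDS), height=100)}
TIP_HEIGHT = 105  # block 100 plus five blocks on top = 6 confirmations


def demo() -> bool:
    """Prove the deposit at index 4 (the duplicated last leaf) and verify it."""
    proof = merkle_branch(SAMPLE_TXIDS, 4)
    return verify_deposit_proof(SAMPLE_TXIDS[4], 4, proof, SAMPLE_BLOCK_HASH, SAMPLE_HEADERS, TIP_HEIGHT)


if __name__ == "__main__":
    print("deposit proof valid:", demo())
```

The confirmation-depth check is the part that ties SPV to the relayed header chain: a branch alone proves inclusion in some block, not that the block is on the canonical chain, so the verifier only accepts proofs against headers it has already validated and buried.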
Unshielding is the reverse process of shielding: turning privacy coins back into public coins.
The user initiates an unshielding transaction on Incognito with information about which privacy coins they want to unshield and the amount.
Incognito validators verify the unshielding transaction, burn the privacy coins, and issue a burn-proof. A burn-proof on Incognito is a cryptographic proof. When signed by more than ⅔ of Incognito validators, it proves that the privacy coins have been burned on the Incognito network.
The user then submits the burn-proof to the Bond smart contract, which verifies the burn-proof and instructs a custodian to release the public coins that back those privacy coins at a 1:1 ratio.
Once the release is confirmed on its respective cryptonetwork, the custodian submits the release proof to the Bond smart contract. Similar to the deposit proof, a release proof is a Merkle branch linking the release transaction to the block it is time-stamped in, proving that the release transaction has been accepted by that cryptonetwork.
After verifying the release proof, the Bond smart contract frees up the custodian’s collateral; custodians can then withdraw their collateral or start taking new user deposits.
Figure 3. Unshielding pBTC and releasing BTC. Other public coins follow the same unshielding process.
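The burn-proof check that the Bond smart contract performs in the unshielding flow above, as an added example that is not part of the original paper or of Incognito's code. It shows the points a verifier has to get right: the signatures must cover every field that controls the release (burn transaction id, coin, amount, recipient), only members of the known validator committee count, each validator counts once, the threshold is strictly more than ⅔ of the committee (so with seven validators five are needed and four are not, and with six validators exactly four, which is exactly ⅔, is still rejected), and a proof that already triggered a release cannot be replayed. The committee of seven validators and the HMAC "signatures" are constructed stand-ins; real validators use public-key signatures, and the threshold logic is the same.

```python
import hashlib
import hmac
import json
from typing import Dict, Iterable, Set

# Constructed committee: validator id -> secret. HMAC-SHA256 stands in for the
# validators' real signature scheme so the example runs offline (assumption).
COMMITTEE: Dict[str, bytes] = {
    f"validator-{i}": hashlib.sha256(f"constructed-secret-{i}".encode()).digest() for i in range(7)
}


def burn_message(burn_tx_id: str, coin: str, amount: int, recipient: str) -> bytes:
    """Canonical bytes the validators sign. Every field that controls what the
    custodian releases is bound here, so none can be swapped after signing."""
    return json.dumps({"burn_tx": burn_tx_id, "coin": coin, "amount": amount,
                       "to": recipient}, sort_keys=True).encode()


def sign(secret: bytes, msg: bytes) -> bytes:
    return hmac.new(secret, msg, hashlib.sha256).digest()


def signature_valid(secret: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(secret, msg), sig)


def make_burn_proof(signers: Iterable[str], burn_tx_id: str, coin: str,
                    amount: int, recipient: str) -> dict:
    """Assemble the burn-proof as the validators would: fields plus one
    signature per signing validator over the canonical message."""
    msg = burn_message(burn_tx_id, coin, amount, recipient)
    return {"burn_tx": burn_tx_id, "coin": coin, "amount": amount, "to": recipient,
            "signatures": {vid: sign(COMMITTEE[vid], msg) for vid in signers}}


class BondContract:
    """The parts of the Bond contract's burn-proof handling modelled here."""

    def __init__(self, committee: Dict[str, bytes]):
        self.committee = committee
        self.released: Set[str] = set()  # burn tx ids already paid out

    def valid_signers(self, proof: dict) -> Set[str]:
        msg = burn_message(proof["burn_tx"], proof["coin"], proof["amount"], proof["to"])
        # dict keys are unique, so one validator cannot be counted twice;
        # signers outside the committee are ignored rather than counted.
        return {vid for vid, sig in proof["signatures"].items()
                if vid in self.committee and signature_valid(self.committee[vid], msg, sig)}

    def verify_burn_proof(self, proof: dict) -> bool:
        """Strictly more than two thirds of the committee must have signed:
        3 * signers > 2 * committee_size avoids any floating-point rounding."""
        return 3 * len(self.valid_signers(proof)) > 2 * len(self.committee)

    def release(self, proof: dict) -> bool:
        """Instruct the custodian to release public coins once per burn."""
        if proof["burn_tx"] in self.released:
            return False  # replayed proof: coins for this burn were already released
        if not self.verify_burn_proof(proof):
            return False
        self.released.add(proof["burn_tx"])
        return True


def demo() -> bool:
    bond = BondContract(COMMITTEE)
    proof = make_burn_proof(list(COMMITTEE)[:5], "constructed-burn-001", "pBTC", 100_000_000, "constructed-btc-address")
    first = bond.release(proof)
    replay = bond.release(proof)
    return first and not replay


if __name__ == "__main__":
    print("release once, refuse replay:", demo())
```

Keeping a record of released burn transaction ids is what makes the burn-proof single-use: the signatures stay valid forever, so without that record the same proof could be submitted again after the custodian has already paid out.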
We have proposed a mechanism for turning cryptocurrencies on other cryptonetworks (or “public coins”) into privacy coins, based on a set of trustless custodians [Incognito, 2019]. Once shielded, privacy coin transactions are confidential and untraceable. A privacy coin enjoys the best of both worlds: it retains the value of its original counterpart and can be transacted confidentially on the Incognito network.
¹ An exception is addressed in the Auto-Liquidation section of the Trustless custodians paper [Incognito, 2019].