Vision
4 Dec

Confidential transactions have arrived, a dive into the AZTEC Protocol

Aztec is revolutionizing private transactions on the blockchain, and this is how we're doing it.

Written by Zac Williamson
Transaction privacy is a fundamental requirement for many kinds of financial services, and the inability to provide this privacy has prevented Ethereum from providing compelling alternatives to traditional financial instruments. There are several blockchains and blockchain projects that use cryptographic techniques to provide this privacy, but this privacy is reserved for the ‘native’ cryptocurrency of the blockchain in question. This transaction privacy is not accessible for digital assets built on top of blockchain protocols. For example, I can’t code up a corporate bond smart contract on Ethereum, where ownership notionals are private. Well, until now, that is.

Maker on Twitter: “Whoa.” https://t.co/PY4IK0CiaY


Show and tell: the peculiar case of confidential DAI

Here, take a look at this:

{
   "gamma": "0x20a92d2a4f0dd850314a745719dde20934db69cc8e9b5b84b5819e062d66bb7500",
   "sigma": "0x17d62693c0c9a356e2fd6b0ce877b78c6a1f8a7f195e9db4c0b68e0693d73b3600"
}

This curious jumble of characters is a form of DAI, the dollar-pegged stablecoin created by MakerDAO. But it looks a little odd, doesn’t it? This would normally just be an ethereum address, and a number representing how much DAI that ethereum address has. But this isn’t normal DAI.

You see, when I sent this transaction, my ethereum address (zac.creditmint.eth) became the owner of this DAI, but here’s the thing: nobody can figure out how much DAI I have. Unlike almost every other DAI holder in the world, my DAI balance is encrypted and represented in the form of zero-knowledge AZTEC notes. I can spend this DAI at will by sending some to a different address, but when I do nobody will be able to figure out how much of it I’m sending. For example, I sent a colleague some of my DAI in this transaction and good luck figuring out how much they have.

This is all quite new, and I’m so very excited to be showing this to you and the wider Ethereum community. We’ve been developing this for almost a year now, but we’ve held off on making any formal announcements because I wanted to show you that specific, peculiar, jumble of hexadecimal characters.

Because this isn’t some imagined technology that will one-day be implemented.

It doesn’t require modifications to the Ethereum protocol.

It is a working demonstration that is live on the Ethereum main-net today, and that AZTEC zero-knowledge note is a real note that encrypts real DAI.


A breakdown of AZTEC confidential transactions

There are really two questions here: what is the AZTEC protocol and how does it work? I can only answer how by getting into the guts of elliptic curve cryptography, which is a topic for another blog article (you can read a formal description in our paper). For a lightning summary of how this thing works: it’s not a ZK-SNARK, it’s an algebraic zero-knowledge proof that utilizes Boneh-Boyen signatures to create a commitment scheme with a highly efficient range proof embedded into each commitment.

Right, well that’s cleared everything up then. So I’m going to focus on answering what the AZTEC protocol is. What is it doing when transactions are sent to it? To start with, we need to describe what we mean by ‘confidential transaction’.

A confidential transaction is a transfer of value between two or more entities, where the values being transferred are not visible to observers.

Confidential transactions have come in several forms, from ring signatures to ZK-SNARK circuits. Similar to ZCash, the AZTEC protocol uses the concept of encrypted ‘notes’ and join-split transactions.


Encrypted Digital Assets and the AZTEC note

The AZTEC protocol does not represent ‘value’ like a traditional balance, which maps owners to how much they own. Instead, value is represented by notes. A note contains the following public information:

  • An AZTEC commitment: an encrypted representation of how much ‘value’ the note holds
  • An Ethereum address of the note’s owner

A note has the following private information

  • The value of the note
  • The note’s viewing key. Knowledge of the viewing key enables a person to decrypt the note (but not spend it)

One owner can have multiple notes. A digital asset that conforms to the AZTEC protocol will contain a note registry, which allows a smart contract to recover the public information of every unspent note that currently exists.


How can AZTEC notes be spent?

An AZTEC note owner can ‘spend’ their notes in a join-split style confidential transaction. In this transaction, the note owner will destroy some unspent AZTEC notes they own. In their place, they will create a set of new notes. The sum of the values of the new notes must be equal to the sum of the values of the old notes, plus a public commitment (I’ll get to that in a bit, but for now let’s assume this is worth 0).

So imagine Alice has two AZTEC notes worth 100 tokens combined. If she wants to send Bob 20 tokens, Alice would create one or more notes owned by Bob, whose values sum to 20. She would then create one or more notes owned by her, the sum of which is 80 tokens.

She would then create an AZTEC zero-knowledge proof that proves this relationship in zero-knowledge (i.e. Alice does not reveal to anybody how much the notes are actually worth, just that the balancing relationship holds). The AZTEC token smart contract will then validate this zero-knowledge proof, destroy Alice’s input notes and then create the output notes in its note registry.

When Alice is creating Bob’s notes, she constructs note viewing keys that Bob will be able to identify, via a non-interactive secret-sharing protocol. Bob is dependent on Alice to act ‘trustfully’ in this regard and not provide viewing keys that can be decoded by observers. This is already implicitly required — after all Alice could broadcast to the world how much she is sending Bob if she did not want the transaction to be confidential.


How is note ‘ownership’ defined?

Every confidential transaction also requires digital signatures — a signature is required for every input note, signed by the input note’s owner. The message of the signature is a hash of the zero-knowledge proof. This provides an implicit acceptance that the note owners are satisfied with the outcome of the confidential transaction, and want the transaction to be processed.


How do we get value into AZTEC note form?

Confidentially transferring value is nice, but without a way of getting ‘value’ (let’s call this v) into the AZTEC cryptosystem it all seems a bit academic. This is done via that ‘public commitment’ in a confidential transaction. Assume that the AZTEC token is linked to a public ERC-20 token. If the AZTEC zero-knowledge proof requires a public commitment value v != 0 in order for the balancing equation to be correct, this means one of two things:

1. If v is negative, the output notes are worth -v more than the input notes

2. If v is positive, the input notes are worth v more than the output notes

If Alice issues a confidential transaction where v is negative, the AZTEC token smart contract will transfer -v public ERC-20 tokens from Alice to its own contract address. Effectively, the AZTEC token smart contract acts as a custodian of the ERC-20 tokens while they are in confidential note form. Naturally, if this token transfer is rejected (e.g. Alice doesn’t have enough tokens) then the transaction will be aborted.

If Alice issues a confidential transaction where v is positive, this represents a conversion from AZTEC notes into public ERC-20 tokens. The AZTEC token smart contract will transfer Alice v public ERC-20 tokens.

There’s one small caveat — the amount of tokens being transferred is actually v multiplied by a scaling factor. This is because the range of integers an AZTEC note supports is smaller than that of an ERC-20 token. Our proof of concept deployment to main-net supports numbers from 0 to about 1 million and our full implementation of the AZTEC protocol will support approximately 32-bit integers (more on that in a bit). ERC-20 token balances, on the other hand, are represented by 256-bit integers.

The scaling factor picked depends on the ERC-20 token being linked to. For our proof of concept confidential DAI deployment, an AZTEC note with value 1 is equal to 0.1 DAI.
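To make the note structure, the join-split balancing relation and the public value v concrete, here is an added toy model in Python. It is example code written for this page, not AZTEC’s own scheme or contracts: AZTEC folds Boneh-Boyen signatures and a range proof into each commitment and verifies with a bilinear pairing, whereas this model uses a plain Pedersen-style commitment over a small constructed modulus and keeps only the homomorphic balance check, so the verifier never sees a note value but also cannot enforce the range (the range check here is prover-side only, which is exactly the gap AZTEC’s embedded range proof closes). The owner-signature check per input note is noted but omitted. The group parameters, the note names and the registry API are assumptions made for the example; the 0..1,048,575 range and the 1 unit = 0.1 DAI scaling are the proof-of-concept figures from the post.

```python
"""Toy model of an AZTEC-style join-split using Pedersen-style commitments.

Added example, not AZTEC's scheme: AZTEC folds Boneh-Boyen signatures and a
range proof into each commitment and verifies with a pairing. Only the
homomorphic balance check is modelled here:
    sum(input values) == sum(output values) + v      (v = public value)
Group parameters are constructed for the example and far too small for real use.
"""
import secrets
from dataclasses import dataclass

P = 2**61 - 1              # Mersenne prime used as a toy modulus
ORDER = P - 1              # exponents are reduced modulo the group order
G = 3
H = pow(7, 12345, P)       # stand-in second generator (toy: log_G H is not hidden)
MAX_VALUE = 2**20 - 1      # PoC note range quoted in the post: 0 .. 1,048,575
NOTE_UNIT_IN_WEI = 10**17  # PoC scaling: 1 note unit = 0.1 DAI (DAI has 18 decimals)


def commit(value, r):
    """Pedersen-style commitment G^value * H^r (mod P)."""
    return pow(G, value % ORDER, P) * pow(H, r, P) % P


@dataclass(frozen=True)
class Note:
    commitment: int   # public: stored in the note registry
    owner: str        # public: owner address (a plain label here)
    value: int        # private: known to the owner and viewing-key holders
    r: int            # private: blinding factor (stands in for the viewing key)


def new_note(owner, value, r=None):
    # Prover-side range check. In AZTEC the range proof inside the commitment
    # lets the verifier enforce this; a plain Pedersen commitment cannot.
    if not 0 <= value <= MAX_VALUE:
        raise ValueError("note value outside the supported range")
    r = secrets.randbelow(ORDER) if r is None else r
    return Note(commit(value, r), owner, value, r)


def join_split(inputs, output_specs, v):
    """Prover side: build outputs so that values and blinding factors balance.

    output_specs: list of (owner, value). v < 0 means ERC-20 tokens enter
    note form, v > 0 means they leave.
    """
    if not output_specs:
        raise ValueError("a join-split needs at least one output note")
    if sum(n.value for n in inputs) != sum(val for _, val in output_specs) + v:
        raise ValueError("input and output values do not balance")
    outs = [new_note(owner, val) for owner, val in output_specs[:-1]]
    # choose the last blinding factor so that sum(r_in) == sum(r_out) mod ORDER
    last_owner, last_val = output_specs[-1]
    r_last = (sum(n.r for n in inputs) - sum(n.r for n in outs)) % ORDER
    outs.append(new_note(last_owner, last_val, r_last))
    return outs


def verify_balance(in_commitments, out_commitments, v):
    """Verifier side: sees only commitments and v, never a note value."""
    lhs = 1
    for c in in_commitments:
        lhs = lhs * c % P
    rhs = pow(G, v % ORDER, P)
    for c in out_commitments:
        rhs = rhs * c % P
    return lhs == rhs


def erc20_movement(v):
    """Public token transfer implied by v, in DAI wei (PoC scaling)."""
    if v < 0:
        return ("user_to_contract", -v * NOTE_UNIT_IN_WEI)
    if v > 0:
        return ("contract_to_user", v * NOTE_UNIT_IN_WEI)
    return ("none", 0)


class NoteRegistry:
    """Contract side: unspent notes as commitment -> owner, nothing private."""

    def __init__(self):
        self.unspent = {}

    def process(self, input_commitments, outputs, v):
        """outputs: list of (commitment, owner). Returns the ERC-20 movement."""
        for c in input_commitments:
            if c not in self.unspent:
                raise ValueError("input note is not an unspent registry note")
        if not verify_balance(input_commitments, [c for c, _ in outputs], v):
            raise ValueError("balance proof failed")
        # The real contract also checks one owner signature per input note over
        # the hash of the proof; omitted here.
        for c in input_commitments:
            del self.unspent[c]
        for c, owner in outputs:
            self.unspent[c] = owner
        return erc20_movement(v)
```

Walking Alice’s example through it: `join_split([], [("alice", 60), ("alice", 40)], -100)` deposits 100 units (10 DAI) into two notes, `join_split(those, [("bob", 20), ("alice", 80)], 0)` pays Bob, and `join_split([alice80], [("alice", 30)], 50)` redeems 50 units; the registry accepts each because the commitments multiply out to G^v, rejects a reused input commitment, and returns the direction and size of the ERC-20 transfer the contract would make.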


What is the cost of all of this?

The AZTEC protocol uses a bespoke commitment scheme that enables highly efficient range proofs. As a result, the amount of computation required by the verification smart contract is much smaller than one might expect. The overwhelming contributor to a confidential transaction’s gas costs is the elliptic curve arithmetic required to validate the AZTEC zero knowledge proof. It costs 3i + 4j elliptic curve scalar multiplications to validate a proof, where i is the number of input notes and j is the number of output notes. Each confidentialTransfer transaction also requires a single elliptic curve bilinear pairing comparison to verify.

The reason I’m using such odd wording is because the gas costs of these arithmetic operations are likely to go down in the future due to protocol upgrades implemented by geth and parity (EIP-1108). It currently costs about 900,000 gas to issue a confidential transaction that contains 4 notes (this is the total gas cost, not just the cost of validating the cryptography of a transaction). If/when EIP-1108 goes live, the gas costs will fall to about 200,000–300,000.


What information can be gleaned from confidential transactions?

The AZTEC protocol has been something of an obsession of mine for the past 11 months, and I wouldn’t be comfortable releasing it out into the wild without giving a full account of the protocol’s strengths and limitations; I believe that being up-front about this is important.

With that out of the way, any protocol that converts something public into something private will reveal information at the entry and exit points of the cryptosystem.

If you’re adding tokens into note form, an observer will know that the value of the output notes is at least the amount you’ve converted.

Similarly, after redeeming v tokens, an observer will know that the remaining AZTEC notes are worth v less than the input notes.

These problems can be ameliorated by combining public conversions with additional AZTEC notes. For example, imagine Bob has a note worth 100 tokens that he wants to convert into public token form. Instead of just issuing a conversion, Bob should add additional input notes into his transaction and also generate some output notes, even if the extra input and output notes are worth 0. This will prevent an observer from figuring out how much of Bob’s confidential holdings he has converted, even if he has converted all of it and is left with a pile of notes worth nothing.

AZTEC notes have ‘owners’ defined by Ethereum addresses. On the surface, note ownership is not anonymous (e.g. people can see my ethereum address has a zero-knowledge DAI note); the AZTEC protocol includes a Monero-style stealth-address protocol to derive Ethereum addresses that are single-use and cannot be linked to any other Ethereum address (e.g. if you have an AZTEC wallet, I can ‘send’ a note to an Ethereum address you control, but nobody but you and me will know this is the case). The protocol supports both stealth addresses (which require a specific wallet to work; you need two public/private key pairs so a regular Ethereum account won’t work) and regular Ethereum addresses (which are not anonymous — if you own a note everybody will be able to see that).

The more users of a dual public/confidential asset, the greater the privacy provided. For example, when testing our main-net deployment, I converted 50 DAI into AZTEC notes and sent a bunch to my colleagues. Obviously, the sum of all the notes is 50 DAI so a single note can’t encrypt very much. Now imagine that somebody else created 1000 DAI worth of confidential notes, and we split and merged a few of our notes — it would be impossible to identify how much DAI any of these notes had, other than they would have 1050 DAI as a maximum.

To reduce this to extremes — if I converted 10 DAI into a single AZTEC note, this gives no privacy at all. The ability to create notes worth zero is important to maximize privacy — if you were going to convert 10 DAI and wanted a single note for ease-of-use, you should also create a few notes worth 0 DAI to mask how much each note is worth.

Naturally, a ‘lazy’ use of the protocol will leak information. For example, imagine you converted 10 DAI into 5 notes, where 4 were worth 0 DAI. If you then forgot about these notes and never used them in future transactions, it would be fairly obvious to observers that the un-used notes were worth nothing. Always issuing zero-value notes in join-split transactions, and using them in future join-split transactions minimizes the amount of information available to external observers.
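The leakage described in this section can be made precise by taking the observer’s seat. The following is an added example (written for this page, not AZTEC code): it consumes only the public side of each join-split, the input note ids, the output note ids and the public value v, and derives, for every unspent note, the tightest bounds the balancing relation and the non-negativity of note values allow. The note ids, amounts and transaction log are constructed, with 1 unit = 0.1 DAI as in the proof-of-concept deployment; the log reproduces the situations above (a single-note deposit, the 50 DAI split, a second user adding 1000 DAI, a redemption), and the test also contrasts a bare redemption with one padded by extra input notes.

```python
"""What an outside observer can bound from a confidential asset's public data.

Added example, not AZTEC code. The observer sees only the public side of each
join-split: which notes were destroyed, which were created, and the public
value v (negative = tokens entered note form, positive = tokens left). Note
ids, values and the transaction log are constructed; 1 unit = 0.1 DAI as in
the PoC deployment.
"""


def observer_bounds(transactions):
    """Return {note_id: (lower, upper)} for every note still unspent.

    transactions: dicts {"inputs": [...], "outputs": [...], "v": int} in
    on-chain order. Uses only the balancing relation
        sum(inputs) == sum(outputs) + v
    and the fact that note values are non-negative.
    """
    pool_total = 0        # total value in note form: deposits minus withdrawals
    low, up = {}, {}      # per-note bounds derivable by the observer
    unspent = set()
    for tx in transactions:
        ins, outs, v = tx["inputs"], tx["outputs"], tx["v"]
        for n in ins:
            if n not in unspent:
                raise ValueError(f"{n} is not an unspent note")
        in_low = sum(low[n] for n in ins)
        in_up = sum(up[n] for n in ins)
        out_sum_low = max(0, in_low - v)   # a deposit proves at least -v came in
        out_sum_up = in_up - v             # a withdrawal proves v went out
        pool_total -= v
        unspent.difference_update(ins)
        for n in outs:
            unspent.add(n)
            if len(outs) == 1:
                # one output note carries the whole remainder: its value is
                # known to within the input bounds; for a fresh deposit, exactly
                low[n], up[n] = out_sum_low, out_sum_up
            else:
                low[n], up[n] = 0, out_sum_up
        # nothing unspent can exceed what is currently in the pool
        for n in unspent:
            up[n] = min(up[n], pool_total)
    return {n: (low[n], up[n]) for n in sorted(unspent)}


# Constructed transaction log (note ids are labels, not real commitments).
LOG = [
    {"inputs": [], "outputs": ["s1"], "v": -100},               # 10 DAI into ONE note
    {"inputs": [], "outputs": ["z1", "z2"], "v": -500},         # 50 DAI into two notes
    {"inputs": ["z1"], "outputs": ["c1", "z3"], "v": 0},        # pay a colleague
    {"inputs": [], "outputs": ["o1"], "v": -10000},             # someone else adds 1000 DAI
    {"inputs": ["o1", "c1"], "outputs": ["m1", "m2"], "v": 0},  # split and merge
    {"inputs": ["z2"], "outputs": ["z4"], "v": 100},            # redeem 10 DAI
]

if __name__ == "__main__":
    for note, (lo, hi) in observer_bounds(LOG).items():
        print(f"{note}: between {lo / 10} and {hi / 10} DAI")
```

On the constructed log the single-note deposit `s1` is pinned to exactly 100 units, the notes that passed through the merge with the 1000 DAI deposit are only known to lie between 0 and the pool total, and a note redeemed straight out of a lone, fully known note is revealed as empty unless the redemption pulls in further input notes, which is the padding advice given above.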


The AZTEC protocol’s trusted setup

The reason the AZTEC protocol is highly efficient is that we combine Boneh-Boyen signature and Pedersen-style commitments into a single commitment scheme with a highly efficient range proof embedded into the commitment. This comes at the cost of requiring a database of elliptic curve points to be generated before the AZTEC protocol can be used. This database is required to construct proofs, but is not needed to verify them.

A bit like ZCash, this trusted setup generates a ‘toxic waste’ private key and if knowledge of that private key is leaked, it can be used to effectively double-spend, and the protocol becomes unusable.

So how do we deal with this? Well, for one we don’t just expect you to trust us. We have developed a scalable multiparty computation protocol that enables anybody to engage in the trusted setup process. If you participate, you generate a piece of ‘toxic waste’ that, naturally, should be destroyed. The trusted setup private key, the thing that must be destroyed at all costs, can only be recovered by piecing together every participant’s toxic waste. So if a single person acts honestly the scheme is completely secure and can only be ‘cracked’ by solving one of the discrete logarithm-based problems (on which the entirety of elliptic curve cryptography rests; if somebody cracks the discrete log problem we’ve all got bigger problems on our hands than the security of the AZTEC protocol!).

We will be announcing the formal description of our trusted setup process in the coming months and will begin to collect participants. It is similar to ZCash’s ‘powers of tau’ ceremony, albeit for a very different end as the AZTEC protocol is not a ZK-SNARK. We want the trusted setup protocol to be simple to take part in and we want to engage the wider Ethereum community in this process, to create a trusted setup database that has the trust and confidence of the community.

Our deployed proof-of-concept smart contracts use a trusted setup that was generated internally, as implementing our multiparty computation trusted setup is going to take several months. Until we have completed this phase the AZTEC protocol is very much use-at-your-own-risk. Whilst I naturally destroyed the toxic waste, there is no way to prove that I did.

One final point (zing…). The size of the trusted setup database grows linearly with the size of the protocol’s range proof. Our proof-of-concept database supports integers between 0 and 1,048,575 because I wanted a database small enough to fit inside a github repo without being a pain to download. Our full implementation will support a much larger range of integers.


Why is the AZTEC protocol important?

Well of course I’m going to say this is important, I’m the most biased person you could ask on this topic! But here’s why I think this is a real game changer: The AZTEC protocol enables the creation of generic confidential digital assets. We picked DAI to start with but with the press of a button the AZTEC protocol can be applied to any ERC-20 token. It also enables the construction of purely confidential assets that don’t have any kind of ERC-20 token equivalent. No extra cryptographic circuits required, no additional trusted setup processes needed. For the first time ever, it’s possible to create confidential digital assets on Ethereum, obtaining the immutability and decentralization benefits of public blockchains without sacrificing privacy.

AZTEC zero-knowledge proofs are also very efficient to construct, and are well within the capabilities of hardware wallets. This opens up the exciting possibility of issuing confidential transactions directly from hardware wallets and never exposing sensitive private keys.


What is in the AZTEC protocol’s future?

Of immediate relevance is releasing our AZTEC proof construction API, to accompany our smart contract verifiers and technical paper. We also have several extensions to the AZTEC protocol in the works, and will be releasing our full vision of the AZTEC protocol over the first half of 2019. This includes several important milestones:

1. A confidential decentralized exchange, where people can trade different AZTEC assets in complete confidentiality — neither the quantities nor the prices of orders can be gleaned from processed orders. The decentralized exchange uses the relayer pattern to achieve this, as well as a bespoke AZTEC DeX zero-knowledge proof (three actually, I’ll be talking about this in depth once our DeX paper is finalized).

2. Confidential weighted voting. Governance mechanics that respect the privacy of a user’s vote are essential for a large range of financial applications, and the AZTEC protocol’s efficient range proofs make this achievable.

3. Anonymous identity sharing schemes. Being able to prove that you’re part of a group, without revealing who in the group you are is an essential component for many compliance and KYC processes and our AZTEC token standard will support this kind of identity system.

Combined together, this will give builders the tools needed to create the next wave of decentralized financial services; digital assets with implicit privacy and confidential governance mechanics built in from the ground up.

We’re going to be open-sourcing our technology to fully realize this vision — if you want to create private assets on Ethereum, AZTEC will provide the smart contracts, resources and tooling to make it a simple experience.

If you’re interested in building with the AZTEC protocol, drop us a line at hello@aztecprotocol.com. And if you’re a talented developer that wants to work with us to build the future of decentralized finance, reach out to us because we’re also hiring :).

Cheers,

Zac.

Read more

Aztec Network, 22 Oct
Bringing Private Over-The-Counter (OTC) Swaps to Crypto

Transparent OTC Trades Are Holding the Industry Back

OTC trading is fundamental to how crypto markets function. It enables better price negotiations than what you'll find on public order books and facilitates trading of illiquid assets that barely exist on exchanges. Without OTC markets, institutional crypto trading would be nearly impossible. But here's the massive problem: every single OTC transaction leaves a permanent, public trace. 

Let's say you're a fund manager who needs to sell 1,000 BTC for USDC on Base. In a traditional OTC trade, your Bitcoin leaves your wallet and becomes visible to everyone on Bitcoin's blockchain. Through cross-chain settlement, USDC then arrives in your Base wallet, which is also visible to everyone on Base's blockchain. 

At this point, block explorers and analytics firms can connect these transactions through pattern analysis. As a result, your trading patterns, position sizes, and timing become public data, exposing your entire strategy.

This isn't just about privacy; transparent OTC creates serious operational and strategic risks. These same concerns have moved a significant portion of traditional markets to private off-exchange trades. 

Why Traditional Finance Moved to Private Markets

In TradFi, institutions don't execute large trades on public order books for many reasons. In fact, ~13% of all stocks in the US are now traded in dark pools, and more than 50% of trades are now off-exchange. 

They use private networks, dark pools, and OTC desks specifically because:

  • Strategy Protection: Your competitors can't front-run your moves
  • Better Execution: No market impact from revealing large positions
  • Regulatory Compliance: Meet reporting requirements without public disclosure
  • Operational Security: Protect proprietary trading algorithms and relationships

While OTC trading is already a major part of the crypto industry, without privacy, true institutional participation will never be practical. 

Now, Aztec is making this possible. 

Moving Whale-Sized Bags Privately on Aztec

We built an open-source private OTC trading system using Aztec Network's programmable privacy features. Because Aztec allows users to have private, programmable, and composable private state, users aren’t limited to only owning and transferring digital assets privately, but also programming and composing them via smart contracts.

If you’re new to Aztec, you can think of the network as a private world computer, with full end-to-end programmable privacy. A private world computer extends Ethereum to add optional privacy at every level, from identity and transactions to the smart contracts themselves. 

To build a private OTC desk, we leveraged all these tools provided by Aztec to implement a working proof of concept. Our private OTC desk is non-custodial and leverages private smart contracts and client-side proving to allow for complete privacy of the seller and buyer of the OTC.

How It Actually Works

For Sellers:

  1. Deploy a private escrow contract (only you know it exists at this stage)
  2. Initialize contract and set the terms (asset type, quantity, price)
  3. Deposit your assets into the contract
  4. After it’s been deployed, call a private API (the order book service)

For Buyers:

  1. Discover available orders through our privacy-preserving API
  2. Select trades that match your criteria
  3. Complete the seller's partial note with your payment
  4. Execute atomic swap – you get their assets, they get your payment

The Magic: Partial Notes are the technical breakthrough that make collaborative, asynchronous private transactions possible. Sellers create incomplete payment commitments that buyers can finish without revealing the seller's identity. It's like leaving a blank check that only the right person can cash, but neither party knows who the other is.

Privacy guarantees include: 

  • Complete Privacy: Neither party knows who they're trading with
  • Strategy Protection: Your trading patterns stay private
  • Market Impact Minimization: No public signals about large movements
  • Non-custodial: Direct peer-to-peer settlement, no intermediaries

Key Innovations

Private Contract Deployment: Unlike public decentralized exchanges where smart contracts are visible on the blockchain, the escrow contracts in this system are deployed privately, meaning that only the participants involved in the transaction know these contracts exist.

Partial Note Mechanism: This system uses cryptographic primitives that enable incomplete commitments to be finalized or completed by third parties, all while preventing those third parties from revealing or accessing any pre-existing information that was part of the original commitment.

Privacy-Preserving Discovery: The orderflow service maintains knowledge of aggregate trading volumes and overall market activity, but it cannot see the details of individual traders, including their specific trade parameters or personal identities.

Atomic Execution: The smart contract logic is designed to ensure that both sides of a trade occur simultaneously in a single atomic operation, meaning that if any part of the transaction fails, the entire transaction is rolled back and neither party's assets are transferred.

Build with us!

Our prototype for this is open-sourced here, and you can read about the proof of concept directly from the developer here.

We're inviting teams to explore, fork, and commercialize this idea. The infrastructure for private institutional trading needs to exist, and Aztec makes it possible today. Whether you're building a private DEX, upgrading your OTC desk, or exploring new DeFi primitives, this codebase is your starting point. 

The traditional finance world conducts trillions in private OTC trades. It's time to bring that scale to crypto, privately.

To stay up to date with the latest updates for network operators, join the Aztec Discord and follow Aztec on X.

Aztec Network, 15 Oct

Your Private Money Yearns for a Private Economy

Watch this: Alice sends Zcash. Bob receives USDC on Aztec. Nobody, not even the system facilitating it, knows who Alice or Bob are.

And Bob can now do something with that money. Privately.

This is the connection between private money and a private economy where that money can actually be used.

Zcash has already achieved something monumental: truly private money. It’s the store of value that Bitcoin promised (but made transparent). Like, digital gold that actually stays hidden.

But here's the thing about gold - you don't buy coffee with gold bars. You need an economy where that value can flow, work, and grow. Privately.

Money Under the Mattress

While other projects are trying to bolt privacy onto existing chains as an afterthought, Zcash is one of the oldest privacy projects in Web3. It's achieved what dozens of projects are still chasing: a truly private store of value.

[Figure: Total Shielded ZEC Value (USD), Sep 16 - Oct 14. Source: zkp.baby/]

This is critical infrastructure for freedom. The ability to store value privately is a fundamental right, a hedge against surveillance, and a given when using cash. We need a system that provides the same level of privacy guarantees as cash. Right now, there's over $1.1 billion sitting in Zcash's shielded pool, private wealth that's perfectly secure but essentially frozen.

Why frozen? Because the moment that shielded $ZEC tries to do anything beyond basic transfers: earn yield, get swapped for stablecoins, enter a liquidity pool, it must expose itself. The privacy in this format is destroyed.

This isn't Zcash's failure. They built exactly what they set out to build: the world's best private store of value. The failure is that the rest of crypto hasn't built where that value can actually work.

The Privacy Landscape Has an Imbalance

What happens when you want to do more than just send money? What happens when you want privacy after you transfer your money?

Private Digital Money (i.e., “Transfer Privacy,” largely solved by Zcash):

  • Zcash: est. 2016
  • Everyone else: building variants of digital money at the transaction or identity level
    • Monero
    • Ethereum privacy pools
    • 0xbow
    • Payy
    • Every privacy stablecoin project
    • Every confidential L2
    • Every privacy project you've ever heard of

Private World Computer (i.e., After-the-Transfer Privacy):

  • Aztec

Everyone else is competing to build better ways to hide money. Zcash has already built the private store of value, and Aztec has built the only way to use hidden money.

The Locked Liquidity Problem

Here's the trillion-dollar question: What good is private money if you can't use it?

Right now, Zcash's shielded pool contains billions in value. This is money in high-security vaults. But unlike gold in vaults that can be collateralized, borrowed against, or deployed, this private value just sits there.

Every $ZEC holder faces two impossible choices:

  1. Keep it shielded and forfeit all utility
  2. Unshield it to use it and forfeit all privacy

Our demo breaks this false sense of choice. For the first time, shielded value can move to a place where it remains private AND becomes useful.

The Private World Computer

Here's how you can identify whether you’re dealing with a private world computer, or just private digital money:

Without a private world computer (every other privacy solution):

  • Receive salary privately → Can't invest it
  • Store savings privately → Can't earn yield
  • Send money privately → Recipient can't use it privately

With a private world computer (only Aztec):

  • Receive salary privately → Invest it privately
  • Store savings privately → Earn APY privately
  • Send payment privately → Recipient spends it privately

This is basic financial common sense. Your money should grow. It should work. It should be useful.

The technical reality is that this requires private smart contracts. Aztec is building the only way to interact privately with smart contracts. These smart contracts themselves can remain completely hidden. Your private money can finally do what money is supposed to do: work for you.

What We Actually Built

Our demo proves these two worlds can connect:

  1. The Vault: Zcash
  2. The Engine: Aztec (where private money becomes useful)

We built the bridge between storing privately and doing privately.

The technical innovation - "partial notes" - is like a temporary lockbox that self-destructs after one use. Money can be put privately into these lockboxes, and a key can be privately handed to someone to unlock it. No one knows who put the money in, where the key came from, or who uses the key. You can read more about how they work here. But what matters isn't the mechanism. 

What matters is that Alice's Zcash can become Bob's working capital on Aztec without anyone knowing about either of them.

As a result, Bob receives USDC that he can:

  • Earn yield on
  • Trade with
  • Pay suppliers with
  • Build a business on
  • All privately

Why This Required Starting from Scratch (and 8 years of building)

You can't bolt privacy onto existing systems. You can't take Ethereum and make it private. You can't take a transparent smart contract platform and add privacy as a feature.

Aztec had to be built from the ground up as a private world computer because after-the-transfer privacy requires rethinking everything:

  • How state is managed
  • How contracts execute
  • How proofs are generated
  • How transactions are ordered

This is why there's only one name building fully private smart contracts. From the beginning, Aztec has been inspired by the work Zcash has done to create a private store of value. That’s what led to the vision for a private world computer.

Everyone else is iterating on the same transfer privacy problem. Aztec solves a fundamentally different problem.

The Obvious Future

Once you see it, you can't unsee it: Privacy without utility is only the first step.

Every privacy project will eventually need what Aztec built. Because their users will eventually ask: "Okay, my money is private... now what?"

  • Zcash users will want their $ZEC to earn yield
  • Privacy pool users will want to do more than just mix
  • Private stablecoin users will want to actually… use their stablecoins

This demo that connects Zcash to Aztec is the first connection between the old world (private transfers) and the new world (private everything else).

What This Means

For Zcash Holders: Your shielded $ZEC can finally do something without being exposed.

For Developers: Stop trying to build better mattresses to hide money under. Start building useful applications on the only platform that keeps them private. 

For the Industry: The privacy wars are over. There's transfer privacy (solved by Zcash) and after-the-transfer privacy (just Aztec).

What’s Next? 

This demo is live. The code is open source. The bridge between private money and useful private money exists.

But this is just the beginning. Every privacy project needs this bridge. Every private payment network needs somewhere for those payments to actually be used.

We're not competing with transfer privacy. We're continuing it.

Your private money yearns for the private economy.

Welcome to after-the-transfer privacy. Welcome to Aztec.

Aztec Network
8 Oct

Aztec: The Private World Computer

Privacy has emerged as a major driver for the crypto industry in 2025. We’ve seen the explosion of Zcash, the Ethereum Foundation’s refocusing of PSE, and the launch of Aztec’s testnet with over 24,000 validators powering the network. Many apps have also emerged to bring private transactions to Ethereum and Solana in various ways, and exciting technologies like ZKPassport that privately bring identity on-chain using Noir have become some of the most talked about developments for ushering in the next big movements to the space. 

Underpinning all of these developments is the emerging consensus that without privacy, blockchains will struggle to gain real-world adoption. 

Without privacy, institutions can’t bring assets on-chain in a compliant way or conduct complex swaps and trades without revealing their strategies. Without privacy, DeFi remains dominated and controlled by advanced traders who can see all upcoming transactions and manipulate the market. Without privacy, regular people will not want to move their lives on-chain for the entire world to see every detail about their every move. 

While there's been lots of talk about privacy, few can define it. In this piece we’ll outline the three pillars of privacy and give you a framework for evaluating the privacy claims of any project. 

The Three Pillars of Privacy 

True privacy rests on three essential pillars: transaction privacy, identity privacy, and computational privacy. It is only when we have all three pillars that we see the emergence of a private world computer. 

Transaction: What is being sent?

Transaction privacy means that both inputs and outputs are not viewable by anyone other than the intended participants. Inputs include any asset, value, message, or function calldata that is being sent. Outputs include any state changes, transaction effects, or transaction metadata caused by the transaction. Transaction privacy is most often achieved using a UTXO model (like Zcash or Aztec’s private state tree). If a project has only the option for this pillar, it can be said to be confidential, but not private. 

Identity: Who is involved?

Identity privacy means that the identities of those involved are not viewable by anyone other than the intended participants. This includes addresses or accounts and any information about the identity of the participants, such as tx.origin, msg.sender, or linking one’s private account to public accounts. Identity privacy can be achieved in several ways, including client-side proof generation that keeps all user info on the users’ devices. If a project has only the option for this pillar, it can be said to be anonymous, but not private. 

Computation: What happened? 

Computation privacy means that any activity that happens is not viewable by anyone other than the intended participants. This includes the contract code itself, function execution, the contract address, and full callstack privacy. Additionally, any metadata generated by the transaction can be appropriately obfuscated (transaction effects and events are padded, and inclusion block numbers fall within appropriate sets). Callstack privacy covers which contracts you call, which functions in those contracts you called, what those functions returned, which functions will be called afterwards, and what the inputs to the function were. A project must have the option for this pillar to do anything privately other than basic transactions. 

From private money to a private world computer 

Bitcoin ushered in a new paradigm of digital money. As a permissionless, peer-to-peer currency and store of value, it changed the way value could be sent around the world and who could participate. Ethereum expanded this vision to bring us the world computer, a decentralized, general-purpose blockchain with programmable smart contracts. 

Given the limitations of running a transparent blockchain that exposes all user activity, accounts, and assets, it was clear that adding the option to preserve privacy would unlock many benefits (and more closely resemble real cash). But this was a very challenging problem. Zcash was one of the first to extend Bitcoin’s functionality with optional privacy, unlocking a new privacy-preserving UTXO model for transacting privately. As we’ll see below, many of the current privacy-focused projects are working on similar kinds of private digital money for Ethereum or other chains. 

Now, Aztec is bringing us the final missing piece: a private world computer.

A private world computer is fully decentralized, programmable, and permissionless like Ethereum and has optional privacy at every level. In other words, Aztec is extending all the functionality of Ethereum with optional transaction, identity, and computational privacy. This is the only approach that enables fully compliant, decentralized applications to be built that preserve user privacy, a new design space that we see as ushering in the next Renaissance for the space. 

Where are we now? 

Private digital money

Private digital money emerges when you have the first two privacy pillars covered - transactions and identity - but you don’t have the third - computation. Almost all projects today that claim some level of privacy are working on private digital money. This includes everything from privacy pools on Ethereum and L2s to newly emerging payment L1s like Tempo and Arc that are developing various degrees of transaction privacy. 

When it comes to digital money, privacy exists on a spectrum. If your identity is hidden but your transactions are visible, that's what we call anonymous. If your transactions are hidden but your identity is known, that's confidential. And when both your identity and transactions are protected, that's true privacy. Projects are working on many different approaches to implement this, from PSE to Payy using Noir, the zkDSL built to make it intuitive to build zk applications using familiar Rust-like syntax. 

The Private World Computer 

Private digital money is designed to make payments private, but any interaction with more complex smart contracts than a straightforward payment transaction is fully exposed. 

What if we also want to build decentralized private apps using smart contracts (usually multiple that talk to each other)? For this, you need all three privacy pillars: transaction, identity, and compute. 

If you have these three pillars covered and you have decentralization, you have built a private world computer. Without decentralization, you are vulnerable to censorship, privileged backdoors and inevitable centralized control that can compromise privacy guarantees. 

Aztec: the Private World Computer 

What exactly is a private world computer? A private world computer extends all the functionality of Ethereum with optional privacy at every level, so developers can easily control which aspects they want public or private and users can selectively disclose information. With Aztec, developers can build apps with optional transaction, identity, and compute privacy on a fully decentralized network. Below, we’ll break down the main components of a private world computer.

Private Smart Contracts 

A private world computer is powered by private smart contracts. Private smart contracts have fully optional privacy and also enable seamless public and private function interaction. 

Private smart contracts simply extend the functionality of regular smart contracts with added privacy. 

As a developer, you can easily designate which functions you want to keep private and which you want to make public. For example, a voting app might allow users to privately cast votes and publicly display the result. Private smart contracts can also interact privately with other smart contracts, without needing to make it public which contracts have interacted. 

Aztec’s Three Pillars of Privacy

Transaction: Aztec supports the optionality for fully private inputs, including messages, state, and function calldata. Private state is updated via a private UTXO state tree.

Identity: Using client-side proofs and function execution, Aztec can optionally keep all user info private, including tx.origin and msg.sender for transactions. 

Computation: The contract code itself, function execution, and call stack can all be kept private. This includes which contracts you call, what functions in those contracts you’ve called, what the results of those functions were, and what the inputs to the function were. 

Decentralization

A decentralized network must be made up of a permissionless network of operators who run the network and decide on upgrades. Aztec is run by a decentralized network of node operators who propose and attest to transactions. Rollup proofs on Aztec are also run by a decentralized prover network that can permissionlessly submit proofs and participate in block rewards. Finally, the Aztec network is governed by the sequencers, who propose, signal, vote, and execute network upgrades.

What Can You Build with a Private World Computer?

Private DeFi

A private world computer enables the creation of DeFi applications where accounts, transactions, order books, and swaps remain private. Users can protect their trading strategies and positions from public view, preventing front-running and maintaining competitive advantages. Additionally, users can bridge privately into cross-chain DeFi applications, allowing them to participate in DeFi across multiple blockchains while keeping their identity private despite being on an existing transparent blockchain.

Private Dark Pools

This technology makes it possible to bring institutional trading activity on-chain while maintaining the privacy that traditional finance requires. Institutions can privately trade with other institutions globally, without having to touch public markets, enjoying the benefits of blockchain technology such as fast settlement and reduced counterparty risk, without exposing their trading intentions or volumes to the broader market.

Private RWAs & Stablecoins

Organizations can bring client accounts and assets on-chain while maintaining full compliance. This infrastructure protects on-chain asset trading and settlement strategies, ensuring that sophisticated financial operations remain private. A private world computer also supports private stablecoin issuance and redemption, allowing financial institutions to manage digital currency operations without revealing sensitive business information.

Compliant Apps

Users have granular control over their privacy settings, allowing them to fine-tune privacy levels for their on-chain identity according to their specific needs. The system enables selective disclosure of on-chain activity, meaning users can choose to reveal certain transactions or holdings to regulators, auditors, or business partners while keeping other information private, meeting compliance requirements.

Let’s build

The shift from transparent blockchains to privacy-preserving infrastructure is the foundation for bringing the next billion users on-chain. Whether you're a developer building the future of private DeFi, an institution exploring compliant on-chain solutions, or simply someone who believes privacy is a fundamental right, now is the time to get involved.

Follow Aztec on X to stay updated on the latest developments in private smart contracts and decentralized privacy technology. Ready to contribute to the network? Run a node and help power the private world computer. 

The next Renaissance is here, and it’s being powered by the private world computer.

Aztec Network
24 Sep

Testnet Retro - 2.0.3 Network Upgrade

Special thanks to Santiago Palladino, Phil Windle, Alex Gherghisan, and Mitch Tracy for technical updates and review.

On September 17th, 2025, a new network upgrade was deployed, making Aztec more secure and flexible for home stakers. This upgrade, shipped with all the features needed for a fully decentralized network launch, includes a completely redesigned slashing system that allows inactive or malicious operators to be removed, and does not penalize home stakers for short outages. 

With over 23,000 operators running validators across 6 continents (in a variety of conditions), it is critical not to penalize nodes that temporarily drop due to internet connectivity issues. Users of the network are likewise found across the globe, some of them on older phones, so a significant effort was put into shipping a low-memory proving mode that allows older mobile devices to send transactions and use privacy-preserving apps. 

The network was successfully deployed, and all active validators on the old testnet were added to the queue of the new testnet. This manual migration was only necessary because major upgrades to the governance contracts had gone in since the last testnet was deployed. The new testnet started producing blocks after the queue started to be “flushed,” moving validators into the rollup. Because the network is fully decentralized, the initial flush could have been called by anyone. The network produced ~2k blocks before an invalid block made it to the chain and temporarily stalled block production. Block production is now restored and the network is healthy. This post explains what caused the issue and provides an update on the current status of the network. 

Note: if you are a network operator, you must upgrade to version 2.0.3 and restart your node to participate in the latest testnet. If you want to run a node, it’s easy to get started.

What’s included in the upgrade? 

This upgrade was a team-wide effort that optimized performance and implemented all the mechanisms needed to launch Aztec as a fully decentralized network from day 1. 

Feature highlights include: 

  • Improved node stability: The Aztec node software is now far more stable. Users will see far fewer crashes and increased performance in terms of attestations and blocks produced. This translates into a far better experience using testnet, as transactions get included much faster.
  • Boneh–Lynn–Shacham (BLS) keys: When a validator registers on the rollup, they also provide keys that allow BLS signature aggregation. This unlocks future optimizations where signatures can be combined via p2p communication, then verified on Ethereum, while proving that the signatures come from block proposers.
  • Low-memory proving mode: The client-side proving requirements have dropped dramatically from 3.7GB to 1.3GB through a new low-memory proving mode, enabling older mobile devices to send Aztec transactions and use apps like zkPassport. 
  • AVM performance: The Aztec Virtual Machine (AVM) performance has seen major improvements with constraint coverage jumping from 0% to approximately 90-95%, providing far more secure AVM proving and more realistic proving performance numbers from provers. 
  • Flexible key management: The system now supports flexible key management through keystores, multi-EOA support, and remote signers, eliminating the need to pass private keys through environment variables and representing a significant step toward institutional readiness. 
  • Redesigned slashing: Slashing has been redesigned to provide much better consensus guarantees. The new configuration also avoids penalizing home stakers for short outages, such as 20-minute interruptions. 
  • Slashing Vetoer: The Slasher contract now has an explicit vetoer: an address that can prevent slashing. At Mainnet, the initial vetoer will be operated by an independent group of security researchers who will also provide security assessments on upgrades. This acts as a failsafe in the event that nodes are erroneously trying to slash other nodes due to a bug.

With these updates in place, we’re ready to test a feature-complete network. 

What happened after deployment? 

As mentioned above, block production started when someone called the flush function and a minimum number of operators from the queue were let into the validator set. 

Shortly thereafter, while testing the network, a member of the Aztec Labs team spun up a “bad” sequencer that produced an invalid block proposal. Specifically, one of the state trees in the proposal was tampered with. 

Initial block production 

The expectation was that this would be detected immediately and the block rejected. Instead, a bug was discovered in the validator code: the invalid block proposal was not checked thoroughly enough, so the proposal gathered enough attestations and was posted to the rollup. Thanks to extra checks in the nodes, when they pulled the invalid block from Ethereum they detected the tampered tree and refused to sync it. This is a good outcome, as it contained the attack. Additionally, prover nodes refused to prove the epoch containing the invalid block, which allowed the rollup to prune the entire bad epoch. After the prune, state was reset to the last known good block.

Block production stalled

The prune revealed another, smaller bug, where, after a failed block sync, a prune does not get processed correctly, requiring a node restart to clear up. This led to a 90-minute outage from the moment the block proposal was posted until the testnet recovered. The time was equally split between waiting for pruning to happen and for the nodes to restart in order to process the prune.

The Fix

Validators were correctly re-executing all transactions in the block proposals and verifying that the world state root matched the one in the block proposal, but they failed to check that intermediate tree roots, which are included in the proposal and posted to the rollup contract on L1, were also correct. The attack tweaked one of these intermediate roots while proposing a correct world state root, so it went unnoticed by the attestors. 

As mentioned above, even though the block made it through the initial attestation and was posted to L1, the invalid block was caught by the validators, and the entire epoch was never proven as provers refused to generate a proof for the inconsistent state. 

A fix was pushed that resolved this issue and ensured that invalid block proposals would be caught and rejected. A second fix was pushed that ensures inconsistent state is removed from the uncommitted cache of the world state.
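The two defects above are easy to reproduce in a toy model, which is added here as an illustration and is not Aztec's node code. The model assumes three state trees with made-up names, a SHA-256 "Merkle" update that just chains leaves, and a proposal that carries the per-tree roots and the world state root as two separate fields, the way the retro describes them being posted to L1. `validate_proposal` with `check_intermediate_roots=False` is the attestor bug (only the world root is compared), and `sync_block` with `discard_on_failure=False` is the prune bug (a failed sync leaves inconsistent state in the uncommitted cache). The transactions and roots are constructed sample data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Assumed tree names for illustration; the real set is not listed on the page.
TREES = ("note_hash", "nullifier", "public_data")


def h(*parts: str) -> str:
    """Toy hash that chains strings; stands in for real Merkle hashing."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


@dataclass
class WorldState:
    """Committed per-tree roots plus an uncommitted working copy (the cache)."""
    committed: dict[str, str]
    uncommitted: dict[str, str] | None = None

    def begin(self) -> None:
        self.uncommitted = dict(self.committed)

    def apply(self, tx: dict[str, str]) -> None:
        # A tx is modelled as one new leaf appended to each tree it touches.
        assert self.uncommitted is not None
        for tree, leaf in tx.items():
            self.uncommitted[tree] = h(self.uncommitted[tree], leaf)

    def roots(self) -> dict[str, str]:
        assert self.uncommitted is not None
        return dict(self.uncommitted)

    def world_root(self) -> str:
        return h(*(self.roots()[t] for t in TREES))

    def commit(self) -> None:
        self.committed, self.uncommitted = self.roots(), None

    def rollback(self) -> None:
        self.uncommitted = None


@dataclass
class Proposal:
    txs: list[dict[str, str]]
    tree_roots: dict[str, str]  # intermediate roots, also posted to L1
    world_root: str             # the only root the buggy attestor compared


def build_proposal(state: WorldState, txs: list[dict[str, str]]) -> Proposal:
    """Honest proposer: execute the txs, then publish the resulting roots."""
    state.begin()
    for tx in txs:
        state.apply(tx)
    p = Proposal(txs, state.roots(), state.world_root())
    state.rollback()
    return p


def validate_proposal(state: WorldState, p: Proposal, check_intermediate_roots: bool) -> bool:
    """Attestor check. With check_intermediate_roots=False a tampered per-tree
    root passes as long as the world root is the honest one."""
    state.begin()
    try:
        for tx in p.txs:
            state.apply(tx)
        if state.world_root() != p.world_root:
            return False
        return (not check_intermediate_roots) or state.roots() == p.tree_roots
    finally:
        state.rollback()  # attesting must never touch committed state


def sync_block(state: WorldState, p: Proposal, discard_on_failure: bool) -> bool:
    """Node pulling a posted block: re-execute and compare every root. On a
    mismatch the uncommitted cache must be discarded, or a later prune
    operates on inconsistent state (the second bug)."""
    state.begin()
    for tx in p.txs:
        state.apply(tx)
    ok = state.roots() == p.tree_roots and state.world_root() == p.world_root
    if ok:
        state.commit()
    elif discard_on_failure:
        state.rollback()
    return ok


def run_scenario() -> dict[str, bool]:
    genesis = {t: h("genesis", t) for t in TREES}
    txs = [{"note_hash": "n1", "nullifier": "x1"}, {"public_data": "slot7=42"}]  # constructed
    honest = build_proposal(WorldState(dict(genesis)), txs)
    # Tamper with one intermediate root but keep the proposer's correct world root.
    tampered = Proposal(txs, {**honest.tree_roots, "nullifier": h("tampered")}, honest.world_root)

    buggy_node, fixed_node = WorldState(dict(genesis)), WorldState(dict(genesis))
    buggy_sync, fixed_sync = WorldState(dict(genesis)), WorldState(dict(genesis))
    return {
        "buggy_attests_tampered": validate_proposal(buggy_node, tampered, False),
        "fixed_attests_tampered": validate_proposal(fixed_node, tampered, True),
        "fixed_attests_honest": validate_proposal(fixed_node, honest, True),
        "sync_rejects_tampered": not sync_block(buggy_sync, tampered, False),
        "cache_dirty_without_fix": buggy_sync.uncommitted is not None,
        "cache_clean_with_fix": (not sync_block(fixed_sync, tampered, True)) and fixed_sync.uncommitted is None,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The practitioner's takeaway is the one the retro draws: every value a proposer commits to and that ends up on L1 must be independently recomputed and compared, not just the single root that happens to summarize the others; and any failed validation must unwind working state completely, otherwise recovery itself needs a restart.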

Block production restored

What’s Next

Block production is currently running smoothly, and the network health has been restored. 

Operators who had previously upgraded to version 2.0.3 will need to restart their nodes. Any operator who has not upgraded to 2.0.3 should do so immediately. 

Attestation and Block Production rate on the new rollup

Slashing has also been functioning as expected. Below you can see the slashing signals for each round. A single signal can contain votes for multiple validators, but a validator's attester needs to receive 65 votes to be slashed.
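How such votes accumulate is shown by the following added example, which is an illustration and not the Aztec slasher. It keeps the 65-vote threshold from the text and adds two assumptions that are labelled as such: a node only includes a validator in its signal once that validator's streak of missed duties exceeds a grace window (modelling the "short outages are not penalized" behaviour with an invented `GRACE_SLOTS` constant), and a given signer counts at most once per target per round even if it re-broadcasts its signal. Signer names, streak lengths and the duplicate signal are constructed sample data.

```python
from __future__ import annotations

from collections import defaultdict

SLASH_THRESHOLD = 65  # from the retro: an attester with 65 votes against it is slashed
GRACE_SLOTS = 40      # assumed grace window: streaks at or below this are tolerated


def propose_slash_votes(missed_streaks: dict[str, int]) -> set[str]:
    """The validators one node names in its slashing signal for a round.
    A home staker with a short outage (streak <= GRACE_SLOTS) gets no vote."""
    return {v for v, streak in missed_streaks.items() if streak > GRACE_SLOTS}


def tally_signals(signals: list[tuple[str, set[str]]]) -> dict[str, int]:
    """Count votes per target. Each signal may name several validators;
    a signer counts once per target per round, so a re-broadcast adds nothing."""
    seen: set[tuple[str, str]] = set()
    votes: dict[str, int] = defaultdict(int)
    for signer, targets in signals:
        for target in targets:
            if (signer, target) in seen:
                continue
            seen.add((signer, target))
            votes[target] += 1
    return dict(votes)


def slashable(votes: dict[str, int]) -> set[str]:
    return {v for v, n in votes.items() if n >= SLASH_THRESHOLD}


def run_round() -> tuple[dict[str, int], set[str]]:
    # Constructed view shared by all signers: one validator down for 200 slots,
    # one flaky home staker down for 12 slots, one healthy.
    streaks = {"val-dead": 200, "val-flaky": 12, "val-ok": 0}
    # 70 of 80 validators are online and emit a signal; the first one re-broadcasts.
    online = [f"signer-{i}" for i in range(70)]
    signals = [(s, propose_slash_votes(streaks)) for s in online]
    signals.append((online[0], propose_slash_votes(streaks)))  # duplicate signal
    votes = tally_signals(signals)
    return votes, slashable(votes)


if __name__ == "__main__":
    votes, out = run_round()
    print(votes, out)
```

Deduplicating by (signer, target) is what keeps the tally an honest count of distinct operators: without it, a single node could drive a target over the threshold simply by re-sending its signal.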

Votes on slashing signals

Join us this Thursday, September 25, 2025, at 4 PM CET on the Discord Town Hall to hear more about the 2.0.3 upgrade. To stay up to date with the latest updates for network operators, join the Aztec Discord and follow Aztec on X.