Is ZK-MPC-FHE-TEE a real creature?

Written by

Lisa A.

Edited by

Many thanks to Remi Gai, Hannes Huitula, Giacomo Corrias, Avishay Yanai, Santiago Palladino, ais, ji xueqian, Brecht Devos, Maciej Kalka, Chris Bender, Alex, Lukas Helminger, Dominik Schmid, 0xCrayon, Zac Williamson for inputs, discussions, and reviews.

‍

Contents

Introduction: why we are here and why this article should exist
Quick overview of each technology
1. Client-side proving
2. FHE
3. MPC
4. TEE
Does it make sense to combine any of them and is it feasible?
1. ZK-MPC
2. MPC-FHE
3. ZK-FHE
4. ZK-MPC-FHE
5. TEE-{everything}
Conclusions: what to use and under what circumstances
1. Comparison table
2. What are the most reasonable approaches for on-chain privacy?

‍

Prerequisites:

Zero-knowledge proofs

Introduction

Buzzwords are dangerous. They amuse and fascinate as cutting-edge, innovative, mesmerizing markers of new ideas and emerging mindsets. Even better if they are abbreviations, insider shorthand we can use to make ourselves look smarter and more progressive:

Using buzzwords can obfuscate the real scope and technical possibilities of technology. Furthermore, buzzwords might act as a gatekeeper making simple things look complex, or on the contrary, making complex things look simple (according to the Dunning-Kruger effect).

In this article, we will briefly review several suggested privacy-related abbreviations, their strong points, and their constraints. And after that, we’ll think about whether someone will benefit from combining them or not. We’ll look at different configurations and combinations.

Disclaimer: It’s not fair to compare the technologies we’re discussing since it won’t be an apples-to-apples comparison. The goal is to briefly describe each of them, highlighting their strong and weak points. Understanding this, we will be able to make some suggestions about combining these technologies in a meaningful way.

POV: a new dev enters the space.

Quick overview of each technology

Client-side ZKPs

Client-side ZKP is a specific category of zero-knowledge proofs (started in 1989). The exploration of general ZKPs in great depth is out-of-scope for this piece. If you're curious to learn about it, check this article.

Essentially, zero-knowledge protocol allows one party (prover) to prove to another party (verifier) that some given statement is true, while avoiding conveying any information beyond the mere fact of that statement's truth.

Client-side ZKPs enable generation of the proof on a user's device for the sake of privacy. A user makes some arbitrary computations and generates proof that whatever they computed was computed correctly. Then, this proof can be verified and utilized by external parties.

One of the most widely known use cases of the client-side ZKPs is a privacy preserving L2 on Ethereum where, thanks to client-side data processing, some functions and values in a smart-contract can be executed privately, while the rest are executed publicly. In this case, the client-side ZKP is generated by the user executing the transaction, then verified by the network sequencer.

However, client-side proof generation is not limited to Ethereum L2s, nor to blockchain at all. Whenever there are two or more parties who want to compute something privately and then verify each other’s computation and utilize their results for some public protocols, client-side ZKPs will be a good fit.

Check this article for more details on how client-side ZKPs work.

The main concern today about on-chain privacy by means of client-side proof generation is the lack of a private shared state. Potentially, it can be mitigated with an MPC committee (which we will cover in later sections).

Speaking of limitations of client-side proving, one should consider:

The memory constraint: inherited from WASM memory cap – 4Gb and in case of mobile proving each device has its own memory cap as well.
The maximum circuit size (derived from WASM memory cap): currently 2^20 for Aztec’s client-side proof generation (i.e. to prove any Noir program with Barretenberg in WASM).

What can we do with client-side ZKPs today:

According to HashCloak benchmarking, a client-side ZKP of an RSA signature in Noir is generated in 0.2s (using UltraHonk and a laptop with Intel(R) Core(TM) i7-13700H CPU and 32 GB of RAM).
According to Polygon Miden, a STARK ZKP for the Fibonacci calculator program for 2^20 cycles at 96-bit security level can be generated in 7 sec using Apple M1 Pro (16 threads).
According to ZKPrize winners’ benchmarks, it takes 10 minutes to prove the target of 50 signatures over 100B to 1kB messages on a consumer device (Macbook pro with 32GB of memory).

Whom to follow for client-side ZKPs updates: Aztec Labs, Miden, Aleo.

MPC (Multiparty computation)

Disclaimer: in this section, we discuss general-purpose MPC (i.e. allowing computations on arbitrary functions). There are also a bunch of specialized MPC protocols optimized for various use cases (i.e. designing customized functions) but those are out-of-scope for this article.

MPC enables a set of parties to interact and compute a joint function of their private inputs while revealing nothing but the output: f(input_1, input_2, …, input_n) → output.

For example, parties can be servers that hold a distributed database system and the function can be the database update. Or parties can be several people jointly managing a private key from an Ethereum account and the function can be a transaction signing mechanism.

One issue of concern with MPCs is that one or more parties participating in the protocol can be malicious. They can try to:

Learn private inputs of other parties;
Cause the result of computations to be incorrect.

Hence in the context of MPC security, one wants to ensure that:

All private inputs stay private (i.e. each party knows its input and nothing else);
The output was computed correctly and each party received its correct output.

To think about MPC security in an exhaustive way, we should consider three perspectives:

How many parties are assumed to be honest?
The specific methods of corrupting parties.
What can corrupted parties do?

How many parties are assumed to be honest?

Rather than requiring all parties in the computation to remain honest, MPC tolerates different levels of corruption depending on the underlying assumptions. Some models remain secure if less than 1/3 of parties are corrupt, some if less than 1/2 are corrupt, and some even have security guarantees even in the case that more than half of the parties are corrupt. For details, formal definition, and proof of MPC protocol security, check this paper.

The specific methods of corrupting parties

There are three main corruption strategies:

Static – parties are corrupted before the protocol starts and remain corrupted to the end.
Adaptive – parties can be corrupted at different stages of protocol execution and after execution remain corrupted to the end.
Proactive – parties can switch between malicious and honest behavior during the protocol execution an arbitrary number of times, etc.

Each of these assumptions will assume a different security model.

What can corrupted parties do?

Two definitions of malicious behavior are:

Semi-honest (also referred to as honest but curious, or passive adversary) – following the protocol as prescribed but trying to extract some additional information.
Malicious – deviating from the protocol.

When it comes to the definition of privacy, MPC guarantees that the computation process itself doesn’t reveal any information. However, it doesn’t guarantee that the output won’t reveal any information. For an extreme example, consider two people computing the average of their salaries. While it’s true that nothing but the average will be output, when each participant knows their own salary amount and the average of both salaries, they can derive the exact salary of the other person.

That is to say, while the core “value proposition” of MPC seems to be very attractive for a wide range of real world use cases, a whole bunch of nuances should be taken into account before it will actually provide a high enough security level. (It's important to clarify the problem statement and decide whether it is the right tool for this particular task.)

What can be done with MPC protocols today:

When we think about MPC performance, we should consider the following parameters: number of participating parties, witness size of each party, and function complexity.

According to the “Efficient Arithmetic in Garbled Circuits” paper, for general-purpose MPC, the computation costs are the following: at most O(n · ℓ · λ) bits per gate, with each multiplication gate using O(ℓ · λ) bits where ℓ is the bit length of values, λ is a computational security parameter, and n is the number of gates. A value can be translated from arithmetic to Boolean (and vice versa) at cost O(ℓ · λ) bits (e.g. to perform comparison operation).

Source

As a matter of illustration, we are also providing an example of a specialized MPC protocol:
According to dWallet Labs, their implementation of 2PC-MPC protocol (2-party ECDSA protocol) completes the signing phase in 1.23 and 12.703 seconds, for 256 and 1024 parties (emulating the second party in 2PC), respectively (claiming the number of parties can be scaled further).

Worldcoin jointly with TACEO made a number of optimizations to existing Secure Multi-Party Computation (SMPC) protocol, that enabled them to apply SMPC to the problem of iris code uniqueness. Early benchmarks show that one can achieve 10 iris uniqueness checks per second in ~6M database.

When it comes to using MPC in blockchain context, it’s important to consider message complexity, computational complexity, and such properties as public verifiability and abort identifiability (i.e. if a malicious party causes the protocol to prematurely halt, then they can be detected). For message distribution, the protocol relies either on P2P channels between each two parties (requires a large bandwidth) or broadcasting. Another concern arises around the permissionless nature of blockchain since MPC protocols often operate over permissioned sets of nodes.

Taking into account all that, it’s clear that MPC is a very nuanced technology on its own. And it becomes even more nuanced when combined with other technologies. Adding MPC to a specific blockchain protocol often requires designing a custom MPC protocol that will fit. And that design process often requires a room full of MPC PhDs who can not only design but also prove its security.

Whom to follow for MPC updates: dWallet Labs, TACEO, Fireblocks, Cursive, PSE, Fairblock, Soda Labs, Silence Laboratories, Nillion.

TEE

TEE stands for Trusted Execution Environment. TEE is an area on the main processor of a device that is separated from the system's main operating system (OS). It ensures data is stored, processed, and protected in a separate environment. One of the most widely known units of TEE (and one we often mention when discussing blockchain) is Software Guard Extensions (SGX) made by Intel.

SGX can be considered a type of private execution. For example, if a smart contract is run inside SGX, it’s executed privately.

SGX creates a non-addressable memory region of code and data (separated from RAM), and encrypts both at a hardware level.

How SGX works:

There are two areas in the hardware, trusted and untrusted.
The application creates an enclave in the trusted area and makes a call to the trusted function. (The function is a piece of code developed for working inside the enclave.) Only trusted functions are allowed to run in the enclave. All other attempts to access the enclave memory from outside the enclave are denied by the processor.
Once the function is called, the application is running in the trusted space and sees the enclave code and data as clear text.
When the trusted function returns, the enclave data remains in the trusted memory area.

It’s worth noting that there is a key pair: a secret key and a public key. The secret key is generated inside of the enclave and never leaves it. The public key is available to anyone: Users can encrypt a message using a public key so only the enclave can decrypt it.

An SGX feature often utilized in the blockchain context is attestations. Attestation is the process of demonstrating that a software executable has been properly instantiated on a platform. Remote Attestation allows a remote party to be confident that the intended software is securely running within an enclave on a fully patched, Intel SGX-enabled platform.

Core SGX concerns:

SGX is subject to side-channel attacks. Observing a program’s indirect effects on the system during execution might leak information if a program’s runtime behavior is correlated with the secret input content that it operates on. Different attack vectors include page access patterns, timing behavior, power usage, etc.
Using SGX requires trusting Intel. Users must assume that everything is fine since the hardware is delivered with the private key already inside the trusted enclave.
As a large enterprise, Intel is pretty slow in terms of patching new attacks. Check sgx.fail to find a list of publicly known SGX attacks that are yet to be fixed by Intel.
Application developers who use SGX are dependent on specific hardware produced by Intel. The company might eventually decide to deprecate or significantly change all or specific versions in ways that might make some or all applications incompatible. Or even break them. For example in 2021, SGX was deprecated on consumer CPUs.
It might be hard to detect cheating fast enough if it takes place in a private domain (like with SGX).
In the case of a network relying purely on TEE for privacy (i.e. a number of nodes run inside TEE and each node has complete information), exploiting one node in the network is enough to exploit the whole network (i.e. leak secrets).

Speaking of SGX cost, the proof generation cost can be considered free of charge. Though if one wants to use remote attestations, the initial one-time cost (once per SGX prover) for it is in the order of 1M gas (to make sure the code in SGX is running in the expected way).

Onchain verification cost equals to verifying an ECDSA signature (~5k gas while for ZK signature verification will cost ~300k gas).

When it comes to execution time, there is effectively no overhead. For example, for proving a zk-rollup block, it will be around 100ms.

Where SGX is utilized in blockchain today:

Taiko is running an execution client inside the SGX (utilizing TEE for integrity).
Secret Network’s validators run their code inside a TEE (utilizing TEE for privacy).
Flashbots are running SUAVE testnet on SGX.

Whom to follow for TEE updates: Secret Network, Flashbots, Andrew Miller, Oasis, Phala, Marlin, Automata, TEN.

FHE (Fully Homomorphic Encryption)

FHE enables encrypted data processing (i.e. computation on encrypted data).

The idea of FHE was proposed in 1978 by Rivest, Adleman, and Dertouzos. “Fully” means that both addition and multiplication can be performed on encrypted data. Let m be some plain text and E(m) be an encrypted text (ciphertext). Then additive homomorphism is E(m_1 + m_2) = E(m_1) + E(m_2) and multiplicative homomorphism is E(m_1 * m_2) = E(m_1) * E(m_2).

Additive Homomorphic Encryption was used for a while, but Multiplicative Homomorphic Encryption was still an issue. In 2009, Craig Gentry came up with the idea to use ideal lattices to tackle this problem. That made it possible to do both addition and multiplication, although it also made growing noise an issue.

How FHE works:

Plain text is encoded into ciphertext. Ciphertext consists of encrypted data and some noise.

That means when computations are done on ciphertext, they are done not purely on data but on data together with added noise. With each performed operation, the noise increases. After several operations, it starts overflowing on the bits of actual data, which might lead to incorrect results.

A number of tricks were proposed later on to handle the noise and make the FHE work more reliably. One of the most well-known tricks was bootstrapping, a special operation that reset the noise to its nominal level. However, bootstrapping is slow and costly (both in terms of memory consumption and computational cost).

Researchers rolled out even more workarounds to make bootstrapping efficient and took FHE several more steps forward. Further details are out-of-scope for this article, but if you’re interested in FHE history, check out this talk by mathematician Zvika Brakerski.

Core FHE concerns:

If the user (who encrypts information) outsources computations to an external party, they have to trust that the computations were done correctly.
To handle the trust issue, (i) theoretically ZK can be used (though practically it’s not feasible today), (ii) economic consensus can be used. However, as FHE requires custom hardware (as computations to be done are very heavy), the number of participants in the FHE consensus network will always be limited, which is a problem for security.

In the case of the FHE blockchain, there is one key for the whole network. Who holds the decryption key? The same will apply to dApps. For example, if an FHE computation modifies a liquidity pool total supply, that “total supply” must be decrypted at some point. But who possesses the key? (If you’re curious about FHE key attacks, check out this paper by Li and Micciancio).
If an external party provides encrypted input, how can the party performing computations be sure that the external party knows the input and that the input was encrypted correctly? (This can be mitigated with zero-knowledge proof of knowledge, which will be discussed in the ZK-FHE section).
While using FHE, one should ensure that the decrypted output doesn’t contain any private information that should not be revealed. Otherwise, formally it breaks privacy.
One should note that there are two different types of decryption: (i) to reveal the entire network (e.g. reveal cards at the end of the game), (ii) reencryption (i.e. decryption and encryption) as a view function (e.g. view your own cards).
FHE is “heavy.” When considering FHE computation cost (both in terms of computation volume and memory required), related considerations include (i) operations computation cost, (ii) communication cost, and (iii) evaluation keys size (a separate public key that is used to control the noise growth or the ciphertext expansion during homomorphic evaluation).
One might think about FHE hardware similar to Bitcoin hardware (highly performant ASICs).

‍
Compared to computations on plain text, the best per-operation overhead available today is polylogarithmic [GHS12b] where if n is the input size, by polylogarithmic we mean O(log^k(n)), k is a constant. For communication overhead, it’s reasonable if doing batching and unbatching of a number of ciphertexts but not reasonable otherwise.

For evaluation keys, key size is huge (larger than ciphertexts that are large as well). The evaluation key size is around 160,000,000 bits. Furthermore, one needs to permanently compute on these keys. Whenever homomorphic evaluation is done, you’ll need to access the evaluation key, bring it into the CPU (a regular data bus in a regular processor will be unable to bring it), and make computations on it.

‍
If you want to do something beyond addition and multiplication—a branch operation, for example—you have to break down this operation into a sequence of additions and multiplications. That’s pretty expensive. Imagine you have an encrypted database and an encrypted data chunk, and you want to insert this chunk into a specific position in the database. If you’re representing this operation as a circuit, the circuit will be as large as the whole database.

In the future, FHE performance is expected to be optimized both on the FHE side (new tricks discovered) and hardware side (acceleration and ASIC design). This promises to allow for more complex smart contract logics as well as more computation-intensive use cases such as AI/ML. A number of companies are working on designing and building FHE-specific FPGAs (e.g. Belfort).

“Misuse of FHE can lead to security faults.”

Source

What can be done with FHE today:

According to Ingonyama: With an LLM like GPT2, processing time for a single token is approximately 14.5 hours.
Token is a unit of text, for example, one english word ≈ 1.3 tokens. Each text request to GPT2 consists of a number of tokens. Based on the processing time of one token, one can define the processing time of the whole request.
With parallel processing, deploying 10,000 machines, the time is 5 seconds/token. With a custom ASIC designed, the time can be decreased to 0.1 second/token, but this would require huge initial investments in data centers and ASIC design.
According to Zvika Brakerski: When asked the question “Can we build production-level systems where FHE brings value?” he responds, “I don’t know the answer yet.”
According to Zama: A toy-implementation of Shazam (a music recognition app) with Zama FHE library takes 300 milliseconds to recognize a single song out of 1,000. But how will that change as the database grows? (The real Shazam library has 45M songs.)
According to Inco, FHE is usable today for simple blockchain use cases (i.e. smart contracts with simple logics). For example, in a confidential ERC-20 transfer that’s FHE-based, you are performing an FHE addition, subtraction, comparison, and conditional multiplexer (cmux/select) to update the balances of the sender and recipient. With CPU, Inco can do 10 TPS, and with GPU – 20-30 TPS.

Note: In all of these examples, we are talking about plain FHE, without any MPC or ZK superstructures handling the core FHE issues.

Whom to follow for FHE updates: Zama, Sunscreen, Zvika Brakerski, Inco, FHE Onchain.

Does it make sense to combine any of these, and is doing so feasible?

As we can see from the technology overview, these technologies are not exactly interchangeable. That said, they can complement each other. Now let’s think. Which ones should be combined, and for what reason?

Disclaimer: Each of the technologies we are talking about is pretty complex on its own. The combinations of them we discuss below are, to a large extent, theoretical and hypothetical. However, there are a number of teams working on combining them at the time of writing (both research and implementation).

ZK-MPC

In this section, we mostly describe two papers as examples and don’t claim to be exhaustive.

One of the possible applications of ZK-MPC is a collaborative zk-snark. This would allow users to jointly generate a proof over the witnesses of multiple, mutually distrusting parties. The proof generation algorithm is run as an MPC among N provers where function f is the circuit representation of a zk-SNARK proof generator.

Source

Collaborative zk-SNARKs also offer an efficient construction for a cryptographic primitive called a publicly auditable MPC (PA-MPC). This is an MPC that also produces a proof the public can use to verify that the computation was performed correctly with respect to commitments to the inputs.

ZK-MPC introduces the notion of MPC-friendly zk-SNARKs. That is to say, not just any MPC protocol or any zk-SNARK can feasibly be combined into ZK-MPC. This is because MPC protocols and zk-SNARK provers are each thousands of times slower than their underlying functionality, and their combination is likely to be millions of times slower.

For those familiar with elliptic curve cryptography, let’s think for a moment about why is ZK-MPC tricky:

If doing it naively, you could decompose an elliptic curve operation into operations over the curve’s base field; then there is an obvious way to perform them in an MPC. But curve additions require tens of field operations, and scalar products require thousands.

The core tricks suggested for use include:

MPC techniques applied directly to elliptic curves to make curve operations cheap.
The N shares are themselves elliptic curve points, and the secret is reconstructed by a weighted linear combination of a sufficient number of shares.
An optimized MPC protocol is utilized for computing sequences of partial products.

Essentially, ZK-MPC in general and collaborative zk-SNARKs in particular are not just about combining ZK and MPC. Getting these two technologies to work in concert is complex and requires a huge chunk of research.

According to one of the papers on this topic, for collaborative zk-SNARKs, over a 3Gb/s link, security against a malicious minority of provers can be achieved with approximately the same runtime as a single prover. Security against N−1 malicious provers requires only a 2x slowdown. Both TACEO and Renegade (launched mainnet on 04.09.24) teams are currently working on implementing this paper.

Another application of ZK-MPC is delegated zk-SNARKs. This enables a prover (called a delegator) to outsource proof generation to a set of workers for the sake of efficiency and engaging less powerful machines. This means that if at least one worker does not collude with other workers, no private information will be revealed to any worker.

This approach introduces a custom MPC protocol. The issues with using existing protocols are:

Existing state-of-the-art MPC protocols achieving malicious security against a dishonest majority of workers rely on relatively heavyweight public-key cryptography, which has a non-trivial computational overhead.
These MPC protocols require expressing the computation as an arithmetic circuit, including expressing complex operations such as elliptic curve multi-scalar multiplications and polynomial arithmetic that is expensive.

One of the papers on this topic suggests using SPDZ as a starting point and modifying it. A naive approach would be to use the zk-SNARK to succinctly check that the MPC execution is correct by having the delegator verify the zk-SNARK produced by the workers. However, this wouldn’t be knowledge-sound because the adversary can attempt to malleate its shares of the delegator’s valid witness (w) to produce a proof of a related statement. Even if the resulting proof is invalid, it can leak information about w. However, we can use the succinct verification properties of the underlying components of the zk-SNARK, the PIOP (Polynomial Interactive Oracle Proof) and the PC (Polynomial Commitment) scheme.

Other modifications correspond to optimizations, such as optimizing the number of multiplications in, and the multiplicative depth of circuits for these operations; and introducing a consistency checker for the PIOP to enable the delegator to efficiently check that the polynomials computed during the MPC execution are consistent with those that an honest prover would have computed.

According to one of the papers on this topic, “... when compared to local proving, using our protocols to delegate proof generation from a recent smartphone (a) reduces end-to-end latency by up to 26x, (b) lowers the delegator’s active computation time by up to 1447x, and (c) enables proving up to 256x larger instances.”

For a privacy-preserving blockchain, ZK-MPC can be utilized for collaboratively proving the correctness of state transition, where each party participating in generating proof has only a part of the witness. Hence the proof can be generated while no single party is aware of what they are proving. For this purpose, there should be an on-chain committee that will generate collaborative zk-SNARKs. It’s worth noting that even though we are using the term “committee,” this is still a purely cryptographic solution.

Whom to follow for ZK-MPC updates: TACEO, Renegade.

MPC-FHE

There are a number of ways to combine FHE and MPC and each serves a different goal. For example, MPC-FHE can be employed to tackle the issue “Who holds the decryption key?” This is relevant for an FHE network or an FHE DEX.

One approach is to have several parties jointly generate a global single FHE key. Another approach is multi-key FHE: the parties take their existing individual (multiple) FHE key pairs and combine them in order to perform an MPC-like computation.

As a concrete example, for an FHE network, the state decryption key can be distributed to multiple parties, with each party receiving one piece. While decrypting the state, each party does a partial decryption. The partial decryptions are aggregated to yield the full decrypted value. The security of this approach holds under an assumption of 2/3 honest validators.

The next question is, “How should other network participants (e.g. network nodes) access the decrypted data?” It can’t be done using a regular oracle (i.e. each node in the oracle consensus network must obtain the same result given the same input) since that would break privacy.

One possible solution is a two-round consensus mechanism (though this relies on social consensus, not pure cryptography). The first round is the consensus on what should be decrypted. That is, the oracle waits until most validators send it the same request for decryption. Next, the round of decryption. Then, the validators update the chain state and append the block to the blockchain.

Whom to follow for MPC-FHE updates: Gauss Labs (utilized by Cursive team).

ZK-FHE

MPC-FHE has two issues that can potentially be mitigated with ZK:

Were inputs encrypted correctly?
Were the computations on encrypted data performed correctly?

Without introducing ZK, both issues listed above make one fragment of private computations unverifiable. (That doesn’t quite work for most blockchain use cases).

Where are we today with ZK-FHE?

According to Zama, proof of one correct bootstrapping operation can be generated in 21 minutes on a huge AWS machine (c6i.metal). And that’s pretty much it. Hopefully, in the upcoming years we will see more research on ZK-FHE.

Whom to follow for ZK-FHE updates: Zama, Pado Labs.

ZK-MPC-FHE (a sum of MPC-FHE and ZK-FHE)

One issue with MPC-FHE we haven’t mentioned so far has to do with knowing for sure that an encrypted piece of information supplied by a specific party was encrypted by that same party. What if party A took a piece of information encrypted by party B and supplied it as its own input?

To handle this issue, each party can generate a ZKP that they know the plaintext they are sending in an encrypted way. Adding this ZK tweak with two ZK tweaks from the previous section (ZK-FHE), we will get verifiable privacy with ZK-MPC-FHE.

Whom to follow for ZK-MPC-FHE updates: Pado Labs, Greco.

TEE-{everything}

TL;DR: In general, when it comes to using any new technology, it makes sense to run it inside TEE since the attack vector with TEE is orders of magnitude smaller than on a regular computer:

Source

Using TEE as an execution environment (to construct ZK proofs and participate in MPC and FHE protocols) improves security at almost zero cost. In this case, secrets stay in TEE only within active computation and then they are discarded. However, using TEE for storing secrets is a bad idea. Trusting TEEs for a month is bad, trusting TEEs for 30 seconds is probably fine.

Another approach is to use TEE as a “training wheels,” for example, for multi-prover where computations are run both in a ZK circuit and TEE, and to be considered valid they should agree on the same result.

Whom to follow for TEE-{something} updates: Safeheron (TEE-MPC).

Conclusions: should we combine them all?

It might feel tempting to take all of the technologies we’ve mentioned and craft a zk-mpc-fhe-tee machine that will combine all their strengths:

However, the mere fact that we can combine technologies doesn’t mean we should combine them. We can combine ZK-MPC-FHE-TEE and then add quantum computers, restaking, and AI gummy bears on top. But for what reason?

Source

Each of these technologies adds its own overhead to the initial computations. 10 years ago, the blockchain, ZK, and FHE communities were mostly interested in proof of concept. But today, when it comes to blockchain applications, we are mostly interested in performance. That is to say we are curious to know if we combine a row of fancy technologies, what product/application could we build on it?

Let’s structure everything we discussed in a table:

Hence, if we are thinking about a privacy stack that will be expressive enough that developers can build any Web3 dApps they imagine, from everything we’ve mentioned in the article, we either have MPC-ZK (MPC is utilized for shared state) or ZK-MPC-FHE. As for today, client-side zero-knowledge proof generation is a proven concept and we are currently at the production stage. The same relates to ZK-MPC; a number of teams are working on its practical implementation.

At the same time, ZK-MPC-FHE is still at the research and proof-of-concept stage because when it comes to imposing zero-knowledge, it’s know how to zk-prove one bootstrapping operation but not arbitrary computations (i.e. circuit of arbitrary size). Without ZK, we lose the verifiability property necessary for blockchain.

Sources:

A paper, “Secure Multiparty Computation (MPC)” by Yehuda Lindell.
An article, “Introduction to FHE: What is FHE, how does FHE work, how is it connected to ZK and MPC, what are the FHE use cases in and outside of the blockchain, etc.”
A talk, “Trusted Execution Environments (TEEs) for Blockchain Applications” by Ari Juels.
An article, “Why multi-prover matters. SGX as a possible solution.”
A paper, “Experimenting with Collaborative zk-SNARKs: Zero-Knowledge Proofs for Distributed Secrets” by Alex Ozdemir and Dan Boneh.
A paper, “EOS: Efficient Private Delegation of zkSNARK Provers” by Alessandro Chiesa, Ryan Lehmkuhl, Pratyush Mishra, and Yinuo Zhang.
A paper, “Practical MPC+FHE with Applications in Secure Multi-Party Neural Network Evaluation” by Ruiyu Zhu, Changchang Ding, and Yan Huang.
An article, “Between a Rock and a Hard Place: Interpolating between MPC and FHE”
A talk, “Building Verifiable FHE using ZK with Zama.”
An article, “Client-side Proof Generation.”
An article, “Does zero-knowledge provide privacy?”

‍

Aztec Network

2 Jun

•

xx min read

Who controls your privacy off-switch?

Privacy has become a baseline requirement for L1s and L2s who care about bringing real-world users onchain. Users don't want their activity broadcast to competitors or the general public, but applications operating at scale also need some form of auditability, whether for regulators, compliance requirements, or tax reporting. Selective disclosure resolves that tension: privacy by default, with the ability to prove specific facts when required. What separates these networks is not whether they offer that switch, but who gets to hold it.

Aztec, Canton, Starknet, Tempo, and zkSync all offer some form of privacy with selective disclosure, but under the hood they make fundamentally different architectural decisions about who can see your data and who can turn your privacy off. Those decisions determine whether your privacy stays under your own control or sits behind a switch that someone else operates.

Three questions reveal where these networks actually diverge:

Who sees your data?
Who can prove the network followed its own rules?
Who controls when something gets disclosed?

The answers determine whether your privacy off-switch is held by a policy, by an operator's good behavior, or by you alone through a cryptographic proof. As you'll see in this post, there are legitimate reasons to use each one with different tradeoffs. Aztec is the only network, however, where that switch stays in the user's hands, answering all three questions without putting a permissioned set of operators or a standing viewing key in control of your privacy. That gives developers the flexibility to build apps that comply with applicable laws while still keeping full privacy under the user's control.

This article will compare the privacy approaches of Aztec, Canton, Starknet, Tempo, and zkSync to give developers insight into the privacy tradeoffs of each network.

TL;DR

Here’s how each network handles the selective disclosure privacy off-switch, and who has control over your privacy:

Aztec: Only you can see your data, client-side proofs settled to Ethereum let anyone verify every transaction without trusting an operator, and the off-switch stays in your hands, allowing you selectively share information.
Canton: Participant nodes read your data in plaintext, no outside party can verify the global ledger, and your off-switch sits with those nodes rather than with you, since disclosure depends on them staying honest.
Starknet: No operator ever sees your plaintext because proofs are generated client-side, and those proofs verify the rules, but your off-switch is a standing viewing key that a designated auditor can use to decrypt and trace your entire history on request.
Tempo: The zone operator sees every transaction in plaintext, mainnet validity proofs let anyone verify the zone ran correctly, and the operator holds the off-switch, so you are private from the public but not from the operator.
‍ zkSync: The operator reads every transaction in plaintext while a validity proof on Ethereum proves it cannot forge state, and the operator holds the off-switch over who sees what, giving you privacy from the outside world but not from the operator.

The Comparison In One View

Comparison chart of privacy on Aztec, Canton, Starknet, Tempo, and zkSync

‍

Comparing your privacy off-switch

Each of these networks offers privacy with selective disclosure, but each rests on a different network design with its own tradeoffs. We have ordered them by who holds your privacy off-switch, starting with designs where a third party controls access to your data and ending with designs where that control stays with you. At the top, the switch sits behind a policy promise and an honest operator, and further down it is replaced by proofs that the user generates and controls.

‍

Canton

Canton keeps data private by controlling viewing permissions for the various actors on its network. A transaction splits into per-participant views, so each party receives only the sub-transactions that name it, and the parts it is not entitled to never reach it. The sequencer and mediator move those views without reading them, which is real privacy against those roles.

However, the data is still read in plaintext by the participant nodes that host the relevant parties, and in the common regulated-asset pattern where the issuer is a signatory on its own token, the issuer's node sees every transfer. The harder gap is verification, because no third party can reconstruct the global ledger, so correctness rests on the confirming nodes staying honest and their keys staying safe. In practice the off-switch sits with those nodes rather than with you, since you cannot see when your data is read and cannot stop it.

‍

Tempo

Tempo is designed for payments and uses validity proofs to verify that each zone is executing correctly, while still giving the zone operator full plaintext visibility into every transaction within that zone. Privacy comes from Tempo Zones, which are parallel execution environments connected to the Tempo mainnet.

By design, the zone operator has visibility into all transactions within the zone, while users see only their own and the public sees only a proof that the zone is valid. Token issuers set compliance controls, allowlists, blocklists, and freezes, enforced across zones. The mainnet checks each zone's validity, so execution is verified, while the operator still reads every transaction in plaintext and holds the off-switch over what is revealed. Your privacy is from the public, not from the operator.

‍

zkSync Prividium

zkSync Prividium adds the verifiability piece that Canton lacks. Every batch produces a validity proof settled to Ethereum, so a compromised operator cannot forge state or mint tokens from nothing without also forging a proof, which it cannot do. The tradeoff is that the operator processes every transaction in plaintext and decides who sees what, which means the off-switch stays with the operator and your privacy is from the outside world rather than from the operator itself.

This tradeoff has legitimate uses in high-trust institutional environments. If Bank of America, JPMorgan, and Wells Fargo are transacting on a shared network, a zone where BofA's infrastructure processes BofA-originated transactions satisfies internal control requirements while still delivering genuine ZK privacy from the other banks and the rest of the world. Where this model breaks down is in lower-trust environments where giving an operator full plaintext access and the switch that comes with it holds back product design possibilities.

‍

Starknet STRK20

Starknet's STRK20 breaks from relying on an operator for privacy. It shields ERC-20 balances and transfers in a privacy pool, and every private transaction carries a zero-knowledge proof generated client-side, so no operator sees your plaintext in order to build it.

Disclosure is where STRK20 diverges from Aztec. To join the Starknet Privacy Pool, you register an encrypted viewing key onchain, and it sits there for the life of your participation. On a regulatory request, a designated auditing entity can decrypt that key and trace your complete transaction history, forwards and backwards. StarkWare calls this ‘not a backdoor’ but a carefully scoped access mechanism, and the safeguard is a policy promise that the auditor decrypts only when required. The privacy is cryptographic, but the off-switch is a standing key that someone else holds and can flip whether or not you are watching.

‍

Aztec

On Aztec your private state lives as encrypted private data that only you can decrypt. The contract developer can choose what state is public and what is private, and whether your encrypted private data is emitted onchain as a private log or shared off-chain instead.

Your transactions get proven client-side on your own device, so no sequencer or operator sees your unencrypted private data. Those proofs settle to Ethereum, which gives the same integrity anchor marketed by Prividium, with every transaction verified and no forged state, but without a single operator who reads your data. The base protocol decentralizes sequencing, proving, and governance, so there is no operator to choose and trust in the first place.

Disclosure is your choice too: you decide who learns your private data, and whether they learn it in encrypted or decrypted form. To grant discovery without readability, you share an app-specific tagging secret that lets an auditor find your data in encrypted form without being able to decrypt and read it. This is enough to prove things calculated from that data, such as a tax basis or a profit and loss figure. Granting permission to actually read the data works differently. There's no per-contract read key you can hand out, because decryption uses your master viewing key, which would unlock all your data across every contract. So instead of sharing a key, you share the data itself, plus a proof that your plaintext is what encrypts to the on-chain ciphertext.

Aztec has true selective disclosure in that you can selectively share it, and nothing else you don’t need to. This is app specific, meaning that private data discoverability access on one app does not grant access on another. Most importantly, the off-switch stays in your hands, and you never need to trust the network to handle access to any of your private data and activity.

This is not just conceptual: here is a working proof-of-concept of this model on Aztec. PrivPNL takes you from private DEX trades through a tagging-key disclosure to a browser-generated ZK proof of your PnL. The auditor verifies a proof while the prover only has to reveal the amount they owe, and your portfolio stays private.

‍

Users need to hold their own off-switch, not a promise to look away

Canton keeps the switch with the participant nodes that read your data in plaintext, so disclosure rests on those nodes staying honest rather than on anything you control. Tempo similarly gives the off-switch to a zone-based node operator, but allows you to verify the correctness of transactions using validity proofs. Prividium hardens that promise with a proof settled to Ethereum, a real improvement, but the operator still reads every transaction and still decides who sees what. This can work well for large institutions, but small to medium sized enterprises are left with the same privacy as their current banks unless they run their own Prividium nodes. STRK20 moves the switch into a standing viewing key and asks you to trust that a designated auditor reaches for it only when needed. In each of these models the real question is not whether your privacy can be switched off, but who gets to do the switching, and whether you would even know it happened.

Aztec takes the operator and the standing key out of the question entirely. You keep the data, you generate the proof, and you disclose the result, one fact at a time and only when you choose to. The off-switch never leaves your hands, and no operator, auditor, or node can reach it on your behalf. This is one of the benefits of a network that offers fully programmable, privacy-preserving smart contracts that put you in control.

Selective disclosure is how privacy survives contact with a regulator, and the model you pick decides who can open your history when you are not looking. On Aztec, that answer is no one but you.‍

‍

Let's Build

Dive into the technical details: Try a live demo of selective disclosure on Aztec and read the technical article on how it was built.

‍Integrate with Aztec: Reach out if you are interested in integrating privacy into your project.

Aztec Network

26 May

•

xx min read

The Aztec Stack

Aztec is built on one idea: smart contracts on Ethereum where developers choose what is public and what is private. That doesn't just mean shielded transactions. It means who acts (identity), what they transact (state), and how they execute (computation) can all be private. Aztec makes end-to-end privacy possible; even the contracts themselves can be private.

But privacy also has to be practical. Aztec integrates private and public execution in the same contract, so apps can seamlessly weave together private and public state. Every account is a smart contract, letting users grant granular, revocable access for selective disclosure, which is useful for compliance, tax reporting, or agent permissions.

Finally, Aztec is a decentralized L2, with 3,500+ sequencers participating in the network today. That permissionlessness is what makes Aztec a credible foundation for a global privacy layer.

In this article we’re going to explore the Aztec stack and how we make programmable privacy a reality. We’ll answer questions like ‘what can you do on Aztec?’, ‘how does it all work?’, and ‘what are the core layers of the system that makes it all possible?’

‍

TL;DR

The four layers of the Aztec stack, all live today on the Alpha network:

Noir: a programming language for writing private programs with simple, familiar syntax.

Aztec smart contracts: written in Noir using the Aztec.nr framework, allowing you to easily write smart contracts with both public and private state.

Aztec Network: a fully decentralized, privacy-preserving Ethereum L2 for building useful applications. Private state uses a UTXO model, public state uses an account-based model like Ethereum.

Ethereum: L2 txn rollup proofs are stored on Ethereum, inheriting strong economic security.

‍

Layer 1: Noir, the Universal Language of ZK

Aztec smart contracts are written in Noir, a programming language with Rust-like syntax optimized for writing private programs. Noir is an open-source project developed by Aztec and is now the industry-leading language for writing private apps using zero-knowledge proofs. Let’s dive into what Noir is, and why we use it as the building block for writing smart contracts.

Writing zk programs is extremely difficult without a background in cryptography. When developing Noir, our first goal was to create a highly optimized and easy-to-write zk Domain Specific Language (zkDSL) where developers don’t need to know any of the underlying mathematics. As a result, Noir handles all the cryptographic complexities, and will automatically convert your code into fancy zk circuits.

‍

Noir compiles down to the Abstract Circuit Intermediate Representation (ACIR), an adaptable intermediary language that makes it easy to plug in a variety of popular proving backends. These proving backends, such as Aztec’s Barretenberg proving system, take the compiled zero-knowledge circuits and generate proofs attesting to the validity of the program’s execution, all without revealing any private inputs. From authorization systems that keep a password on the user's device, to complex onchain state channels with recursive proofs to verify offchain state; Noir and a proving backend handle everything from compilation to cryptography for you.

In addition to simplifying the developer experience, we also wanted to make it intuitive to specify which elements you want to keep private and which you want to make public. With Noir, privacy is baked in as a default, so all variables and functions are automatically kept completely private, and executed on the user’s device.

If you want to make any part of your code public, you can do so by simply adding a pub attribute.

‍

*Using public and private inputs together*

‍

Noir on its own is great for writing programs that need to execute stateless functions, such as proving that you reside in a specific country based on passport data, or that you hold a certain number of tokens without revealing how many. Projects are already starting to build with Noir outside of Aztec on Base, Scroll, Starknet, and other chains. However, if you are looking to write privacy-preserving apps that store private state data onchain, it’s helpful to utilize a smart contract library that deliberately handles those complexities for you. That’s exactly what we’ve built at Aztec and what we’ll explore in the next section.

Layer 2: Smart Contracts

‍

Aztec smart contracts leverage Noir to create apps with onchain private and public state. This section covers how smart contracts work on Aztec and how you deploy and interact with your contracts.

An Aztec smart contract is a set of public and private functions written in Noir, deployed on the Aztec Network. They are written using the Aztec.nr framework which handles all the cryptography under the hood for managing private and public state and interacting with other contracts on the network.

To build useful applications, developers need to be able to incorporate both private and public components into their contracts. For example, an onchain voting contract might want to keep the information of the voter private and prevent someone from voting twice, but publicly display how many votes have been cast, and the outcome.

Because contracts are written in Noir, this functionality is as easy as adding a ‘private’ annotation above your function. The following function will be executed privately on the user device, allowing a user to cast a vote without revealing their address:

‍

‍

The output of this private, local execution will be sent to the network, where the correctness of execution is verified and public function calls are executed. The following function is designed to be executed publicly, adding a vote to the total tally without revealing where it came from.

‍

‍

To seamlessly weave together private and public components that can easily interact with onchain state, Aztec smart contracts utilize the Aztec.nr framework to execute private functions on the user’s device and bundle the proofs for these transactions together with the public functions that will be executed by the Aztec Virtual Machine (AVM).

This framework adds the functionality needed to build onchain, privacy-preserving apps, including defining contracts, accessing private or public context, and interacting with the Aztec Network. Similar to how a vanilla Noir program would compile down into zk circuits, Aztec smart contracts are compiled into zk circuits for private functions or AVM bytecode for public functions, and stored in the Aztec contract tree.

Aztec accounts are also written as smart contracts, implementing what is known as account abstraction. Account abstraction allows application developers to create programmable accounts to dramatically improve user experience, including social recovery, sponsored transactions, and multi-factor authentication. It also makes compliance practical, allowing for granular access controls on accounts.

‍

Layer 3: The Aztec Network

The Aztec Network is the only decentralized L2 on Ethereum. There are currently over 3,500 sequencers running the alpha network. View the live block explorer for the alpha network.

In order for a network to fully protect users and their data, it must guarantee three levels of privacy:

Private data: input and output values are hidden

Private identity: addresses are hidden

Private compute: contract functions are hidden

When you write Aztec smart contracts, everything listed above is taken care of for you. As discussed in the previous two sections, you can easily opt into privacy protections at a granular level by weaving together public and private functions.

To understand how all of these components fit together, let’s examine how a transaction is executed on the Aztec Network.

‍

‍

When a user interacts with your application, private functions are executed client-side on the user’s device: a phone, a personal computer, etc. This happens in a private execution environment (PXE) that is able to create highly-efficient zk proofs even on browsers and mobile devices. Any private state updates are added to the state of the network in an append-only database (UTXO tree). Because the proof is generated client-side, no information can be leaked about the inputs, outputs, accounts, or even the functions that were executed.

On the other hand, public transactions are bundled together with the private client-side proofs and sent off to the Aztec Network, powered by a decentralized network of independent community-run sequencers. Sequencers check the validity of private execution proofs, execute any public functions and update the public state, propose blocks, and publish state updates (“diffs”) to Ethereum L1. Sequencers also coordinate with a decentralized network of provers who compute the final proof for every Aztec “epoch” - defined as a contiguous sequence of 32 L2 blocks - and publish it to Ethereum. Any public functions executed by sequencers update an account-based database similar to Ethereum.

Sequencer and prover roles are fully permissionless. Anyone can spin up the required hardware and join the sequencer set or run provers and start bidding to produce proofs of Aztec epochs.

‍

Conclusion

Aztec delivers on a simple but powerful idea: smart contracts on Ethereum where you choose what's public and what's private across identity, data, and compute. The four layers we've walked through are what make that possible.

Noir gives developers a Rust-like language for writing zero-knowledge programs without a cryptography background, with privacy as the default. Aztec smart contracts build on Noir through the Aztec.nr framework, letting you weave private and public functions into a single contract and use account abstraction to unlock granular access controls for compliance, tax reporting, and selective disclosure. The Aztec Network is the only decentralized L2 on Ethereum, with over 3,500 sequencers powering end-to-end programmable privacy across data, identity, and compute. And it all settles to Ethereum, inheriting L1's economic security.

The result is the first practical platform for privacy on Ethereum, and a credible candidate to become the global settlement layer of the future.

Now it's your turn to build. Head to docs.aztec.network to ship your first privacy-preserving app.

Follow Aztec on X for updates on the current state of the network.

‍

Aztec Network

19 May

•

xx min read

10 Privacy Features Ethereum Devs Want. All of them live on Aztec.

Last week, PSE published an insightful and comprehensive user-research piece on private transfers on Ethereum. They interviewed 38 teams in the space and asked what's broken, what's missing, what builders wish they had. The list reads like a wishlist of features every privacy app on L1 is currently trying to engineer towards. It's the kind of rigorous, builder-grounded research the privacy ecosystem has needed.

We read the list. It's the list we've been building against for years.

Aztec solves all of these problems. Every requested feature already lives on Aztec. The proving system, the private contract language, the decentralized network, the privacy wallet architecture, the key model, the snark-friendliness: all of Aztec was built against this list before it was a list.

What follows is a walkthrough. For each of PSE's top technical findings, here's the feature builders are asking for, and how it works on Aztec today.

TL;DR

Slow client-side ZK proving: Aztec's client-side proving system (Chonk) is optimized specifically for fast recursive proving on resource-constrained devices such as phones (and even in the browser).
Expensive L1 proof verification: Aztec amortises the gas costs of L1 verification across thousands of users per rollup. Instead of “millions of gas per user” it costs hundreds of gas; that’s pennies per user transaction.
DeFi composability with private state: Private token contracts on Aztec can be unshielded to easily interact with Ethereum DeFi contracts, and the resulting state can be shielded, without leaking who did the interaction. Or you can just design composable private DeFi contracts within Aztec.
Deposit/withdrawal leakage: Aztec isn’t a basic shielded pool, so users don’t need to keep withdrawing to do useful things. Users can use their funds within private smart contracts. Privacy leakage doesn’t happen if all transaction activity stays in private-land.
No native wallet support: Of course Ethereum wallets don’t natively support privacy; Ethereum doesn’t have native privacy. There are a huge number of new concepts that are needed to design a private smart contract wallet. Aztec wallets are built from the ground up to enable a rich private onchain experience.
Reliance on external networks, TEEs, FHE, and relayers: The private and public execution environments of Aztec aren't reliant on external networks. Aztec is a fully decentralised L2, without these centralisation concerns.
Keccak is inefficient inside ZK circuits: The entire Aztec protocol uses Poseidon2, so complex private txs are rapid to prove on a phone.
Slow private state sync: Brute-force scanning of the entire chain’s history is not necessary. Aztec's tagging scheme lets recipients pinpoint their notes in seconds from a shared secret.
Fragmented privacy sets: All private smart contracts on Aztec share one global note tree and one global nullifier tree. All network activity contributes to and draws from a single privacy set.
No tooling or standards for private contracts: Aztec has a huge suite of tools to ship private contracts. Noir, a smart contract framework, a private state manager, a keystore, the PXE for executing contracts locally, a JS SDK, testing frameworks, local test networks, a CLI, and a slew of advanced private contract standards.

1. ZK proof generation time on user devices

Ethereum Problem: Proof generation is too slow on user devices, especially mobile. Elliptic-curve pairing operations are a specific bottleneck. Server-side proving is a censorship and privacy leak vector. Sub-second proving was the stated threshold.

Aztec solution: Proving on Aztec runs locally in the PXE (Private eXecution Environment, pronounced "pixie"), so no data ever leaves the user's device. Chonk, our client-side zk proving system, is ruthlessly optimised for fast recursive proving on low-memory devices like phones, native and in-browser. Years of optimization have already gone in, and we're still finding more. It’s best in class and we haven’t even merged-in GPU acceleration yet!

The slow pairing checks that PSE's interviewees called out as a bottleneck aren’t a problem with Aztec; pairings are simply batched together and deferred away from the user's device, handled by the more powerful network instead, without leaking any information. With such a powerful local prover, there’s little need to outsource proving to an untrusted party.

2. ZK proof verification gas on L1

Ethereum Problem: Verifying a ZK proof on Ethereum is prohibitively expensive. A Groth16 proof for a private transfer costs several hundred thousand L1 gas. A Halo2 (KZG Plonk) proof can cost approximately one million gas

Aztec solution: Aztec amortises L1 verification gas across all transactions in the rollup. At current network throughput, that cost is split across roughly 2,000 users per proof. Later this year, it’s slated to be split across ~20,000. Rollup costs are also partially subsidised by Aztec block rewards.

Net result: hundreds of L1 gas per user instead of millions. Plus cheap L2 gas. The user pays pennies for an Aztec transaction.

3. DeFi composability with private state

Ethereum Problem: Wrapping and unwrapping tokens leaks privacy and breaks composability. Smart contracts can't easily interact with encrypted balances. Private state is isolated; contract state is normally shared.

Aztec solution: Private state is not isolated on Aztec. The private state of one contract can be composed with that of another. This can unlock new privacy-preserving DeFi patterns directly on Aztec.

A single private transaction can call a stack of private functions across multiple contracts, with private inputs, private state transitions, and privacy over which functions were even executed and how many. Observers see that a transaction landed. They do not see what happened inside it. Stew on that for a second: a call stack of nested private functions across contracts written by different developers, each causing state transitions, all completely private.

Aztec also runs public functions, similar to Ethereum, inside the same smart contract, so you can build existing DeFi primitives on Aztec.

For Ethereum DeFi specifically, Aztec has a tidy L1-to-L2 messaging layer. Private balances can be unshielded to interact with L1 protocols and shielded back, without leaking who did the interaction and without leaky public gas payments. And for private DeFi primitives that need genuinely shared private state (state nobody knows the value of, but which anyone can mutate), people have built Aztec contracts that compose conventional Aztec private state with co-snark or FHE sidecars.

Private and public state are peers inside a single Aztec smart contract. Builders mix and match.

4. Deposit/withdrawal privacy leakage

Ethereum Problem: Entry and exit points are the dominant privacy leak, not the protocol itself. Depositing and quickly withdrawing makes identity analysis trivial.

Aztec solution: The main fix is to stop crossing the boundary so often. (Or even if you do cross the boundary, Aztec has leakage protections).

Imagine if thousands of private smart contracts lived on the same network and could call each other without leaking which contracts were called, which arguments were passed, or what was returned. Imagine they all shared one global note tree and one global nullifier tree. That's Aztec. Once funds are inside, users don't need to keep crossing the private/public boundary to do useful things: Aztec is its own rich environment for composable, private execution of smart contracts.

Even when a private function does need to call a public function – be it an L1 DeFi contract, or a native public function within Aztec – the developer controls the information they reveal; not the protocol. The call can even be "incognito" to hide msg_sender. A single environment for many private apps to thrive also means re-usable tooling for builders.

5. Lack of native wallet support

Ethereum Problem: Privacy features (per-dapp addresses, private transfers) aren't natively integrated into major wallets. Reliance on dapp-specific UIs damages UX.

Aztec solution: Ethereum wallets weren't built for any of this, and they don't need to be: the chain underneath them has no private state to protect. Aztec wallets are an entirely new category of software.

Aztec wallets are able to manage all these new privacy-centric concepts:

Authorize your transactions however you want, without revealing your identity to the world. Native account abstraction lets you choose any auth scheme you like, and that choice doesn't expose who you are.
Hold multiple specialized privacy keys. Distinct nullifier, viewing, and efficient message-signing keys.
Keep your full private state on your own device. An encrypted local database holds your notes and nullifiers (siloed by private contract address), along with private data, private messages, shared secrets, and private contract bytecode.
Fine-grained contract access control for your private data.. Access permissions for contracts to read your private data are granular and revocable, rather than all-or-nothing.
Run private contracts without cross-contract interference. Built-in protections can stop malicious private contracts from reading or manipulating the private state of other contracts.
Establish shared secrets with your counterparties. Wallets can support both on-chain and off-chain methods for setting these up.
Catch privacy leaks before you sign. Pre-flight transaction privacy analysis warns when your data might be leaked via public args, msg_sender, fee payment, or even through the shape of the tx.
Make your tx look like every other tx on the network. Random padding is added to notes, nullifiers, and logs, and gas settings, anchor blocks, and inclusion deadlines are randomized so every tx blends in with the crowd.
Submit transactions privately to the network. Txns can be submitted to the network through a private submission path.
Pay fees through generic private fee paymasters. This gives users convenience and enables experimentation over the best private token contract designs for different use cases.
Use your wallet to gatekeep which frontends can access which private data . Apps shouldn’t have unfettered access to everything; a wallet needs to protect users’ private data..
Get post-quantum hygiene warnings. Wallets are able to flag risky patterns around address reuse and ephemeral-key broadcasts.

Aztec wallets are in active development, and this is an area where we expect many teams to build different wallets that are customized to various user needs. An early wallet is already baked into the protocol for developers to start using today.

6. Reliance on relayers, FHE coprocessors, and TEEs

Ethereum Problem: Encrypted tokens and many privacy protocols depend on external networks for encryption, decryption, or relaying. Threshold-decryption committees and TEE hardware vendors are added trust assumptions on top of the chain itself.

Aztec solution: Aztec's private and public execution environments are not reliant on external networks. Aztec is its own decentralised network: ~4,000 validators stake on it, block proposers are randomly selected, a random committee attests, and a decentralised set of provers proves the rollup's execution. Validity is ultimately backed by cryptographic proofs settled on Ethereum.

External networks (co-snark networks, TEEs, MPC or FHE sidecars) become an opt-in choice for the specific case of private shared state. The trust tradeoffs there are something the contract developer signs up for explicitly, not a tax every user pays on every transaction by default.

7. Hash function inefficiency inside ZK circuits

Ethereum Problem: Keccak is inefficient to prove inside ZK circuits. There is no native support for a ZK-friendly hash like Poseidon.

Aztec solution: Poseidon2 is enshrined across the entire Aztec protocol, for rapid proving of every tx. Every Aztec state tree, the proving system, the innards of the protocol; everywhere. Reading and writing state inside a circuit is as cheap as it gets.

Keccak, SHA, and Blake hashes are still available through optimised Noir libraries when contracts need them for L1 interoperability. The default is ZK-friendly; the L1-friendly hashes are there when you reach for them.

8. Private state synchronisation

Ethereum Problem: Syncing private state (scanning for incoming notes and events) is a client-side bottleneck. Users wait for scans to complete before seeing their balance. Tachyon-style oblivious sync was cited as a path forward.

Aztec solution: Brute-force syncing of private state is rarely needed. Most real-world use cases involve a sender and recipient who can establish a shared secret offchain first.

From that shared secret, both parties can derive a sequence of random-looking “tags”. Each encrypted note log is prepended with the next tag in the sequence. The recipient already knows the next tag, so they know exactly what to query. Note discovery happens in seconds, not minutes. The scheme slots cleanly into PIR or mixnet approaches for extra privacy on the query itself, and smart contracts that don't trust senders to use the correct tag can just constrain it inside the circuit.

That’s not to say that Aztec requires interactivity between all senders and recipients. For genuinely non-interactive use cases (recipient can't talk to the sender before the transfer), Aztec enables devs to customize both their log emission and their note-discovery logic however they like. (Aztec also has ways to speed up the brute-force scanning approach from "scan the whole chain" to "scan a tiny subset of non-interactive handshake txs"

9. Fragmented privacy sets

Ethereum Problem: Shielded pools are fragmented across dapps and chains, reducing the effective privacy set for all users. Each new privacy protocol must bootstrap its own.

Aztec solution: There is one global note tree and one global nullifier tree on Aztec, shared by every smart contract on the network. Every private app contributes to and draws from the same privacy set. No per-app bootstrap. No walled gardens.

Private payments, private swaps, lending, payroll, treasury, identity attestations: all of them land in the same global commitment set, by construction.

10. Tooling and standards for private contracts

Ethereum Problem: Ethereum developer tooling lacks support for private transfers and private state. Standards for private tokens, compliance, and wallet interactions are missing. Many privacy teams are small, with short runway and expensive audits.

Aztec solution: Aztec ships the full toolchain for private contracts: Noir for writing private logic, the Aztec smart contract framework with macros that hide the protocol mess so devs can focus on app logic, the PXE for keys / state / syncing / proof generation, a JS SDK, a local node for testing, a CLI, and a real, live, decentralised L2.

The mental overhead of building a privacy protocol on Aztec collapses to "just write the app logic." Here is an example of a complete private transfer function on Aztec:

‍

#[authorize_once("from", "authwit_nonce")]
#[external("private")]

fn transfer_in_private(from: AztecAddress, to: AztecAddress, amount: u128, authwit_nonce: Field) {
    self.storage.balances.at(from).sub(amount).deliver(MessageDelivery.ONCHAIN_CONSTRAINED);
    self.storage.balances.at(to).add(amount).deliver(MessageDelivery.ONCHAIN_CONSTRAINED);
}

Look at how simple that is.

A two-line function body.

Two lines.

Aztec takes care of the rest.

Behind those #[...] macros, the framework handles: caller authorisation, note syncing, fetching notes from the user's private db, Merkle membership proofs against the global note tree, safe nullifier creation (without leaking master secrets to the circuit), randomness for new notes, encrypted ciphertext generation, log tagging for fast recipient discovery, and public-input population. The PXE handles key management, private state, and proof generation. The smart contract itself contains its own message-processing logic for log discovery, decryption, and storage on the recipient side.

If you want whitelists, blacklists, association sets, custom tx authorisation, viewing-key hierarchies, temporary view access, selective disclosure to specific counterparties, just import a Noir library. Want something more adventurous than private payments? Same toolchain.

What this adds up to

PSE's findings are not ten unrelated bugs. They're the same problem refracted ten ways: privacy retrofitted onto a chain that was not designed for it yields bad tradeoffs.

Aztec was designed against this list before it was a list. One global note tree and one global nullifier tree. Private and public state inside the same contract. Compose calls between private contracts without leaking anything. Fast client-side proving on phones via Chonk. Snark-friendliness everywhere. Rollup-amortised L1 gas costs, fractions of a cent per user. Native account abstraction with private fee paymasters. No painfully slow private state syncing: a tagging-based note discovery scheme that runs in seconds. An entirely new category of wallet that treats privacy as a first-class concern. Simple, high-level smart contract syntax that collapses a basic private token transfer function into two lines.

There were 10 privacy features Ethereum devs wanted, all of them live on Aztec. The infrastructure is in place. Build the thing.

Go to our docs to start building.

Aztec is the blockchain that solved the privacy problem. Start at docs.aztec.network or read the architecture deep-dive on The Best of Both Worlds: How Aztec Blends Private and Public State.

‍

Aztec Network

31 Mar

•

xx min read

Announcing the Alpha Network

Alpha is live: a fully feature-complete, privacy-first network. The infrastructure is in place, privacy is native to the protocol, and developers can now build truly private applications.

Nine years ago, we set out to redesign blockchain for privacy. The goal: create a system institutions can adopt while giving users true control of their digital lives. Privacy band-aids are coming to Ethereum (someday), but it’s clear we need privacy now, and there’s an arms race underway to build it. Privacy is complex, it’s not a feature you can bolt-on as an afterthought. It demands a ground-up approach, deep tech stack integration, and complete decentralization.

In November 2025, the Aztec Ignition Chain went live as the first decentralized L2 on Ethereum, it’s the coordination layer that the execution layer sits on top of. The network is not operated by the Aztec Labs or the Aztec Foundation, it’s run by the community, making it the true backbone of Aztec.

With the infrastructure in place and a unanimous community vote, the network enters Alpha.

What is the Alpha Network?

Alpha is the first Layer 2 with a full execution environment for private smart contracts. All accounts, transactions, and the execution itself can be completely private. Developers can now choose what they want public and what they want to keep private while building with the three privacy pillars we have in place across data, identity, and compute.

These privacy pillars, which can be used individually or combined, break down into three core layers:

Data: The data you hold or send remains private, enabling use cases such as private transactions, RWAs, payments and stablecoins.
Identity: Your identity remains private, enabling accounts that privately connect real world identities onchain, institutional compliance, or financial reporting where users selectively disclose information.
Compute: The actions you take remain private, enabling applications in private finance, gaming, and beyond.

The Key Components

Alpha is feature complete–meaning this is the only full-stack solution for adding privacy to your business or application. You build, and Aztec handles the cryptography under the hood.

It’s Composable. Private-preserving contracts are not isolated; they can talk to each other and seamlessly blend both private and public state across contracts. Privacy can be preserved across contract calls for full callstack privacy.

No backdoor access. Aztec is the only decentralized L2, and is launching as a fully decentralized rollup with a Layer 1 escape hatch.

It’s Compliant. Companies are missing out on the benefits of blockchains because transparent chains expose user data, while private networks protect it, but still offer fully customizable controls. Now they can build compliant apps that move value around the world instantly.

How Apps Work on Alpha

Write in Noir, an open-source Rust-like programming language for writing smart contracts. Build contracts with Aztec.nr and mark functions private or public.

Prove on a device. Users execute private logic locally and a ZK proof is generated.

Submit to Aztec. The proof goes to sequencers who validate without seeing the data. Any public aspects are then executed.

Settle on Ethereum. Proofs of transactions on Aztec are settled to Ethereum L1.

Developers can explore our privacy primitives across data, identity, and compute and start building with them using the documentation here. Note that this is an early version of the network with known vulnerabilities, see this post for details. While this is the first iteration of the network, there will be several upgrades that secure and harden the network on our path to Beta. If you’d like to learn more about how you can integrate privacy into your project, reach out here.

To hear directly from our Cofounders, join our live from Cannes Q&A on Tuesday, March 31st at 9:30 am ET. Follow us on X to get the latest updates from the Aztec Network.