Vitalik proposes private NFTs using ‘stealth addresses’ to hide owner’s identity
Vitalik Buterin suggests an idea to use stealth addresses to hide the identity of NFT owners without the need for ZK-SNARKs or Merkle trees
Ethereum Founder Vitalik Buterin suggests the idea of private NFTs whereby the owner would not be known through blockchain data.
The concept was added to an Ethereum Research post focused on adding an “ERC721 Extension for zk-SNARKs.”
Idea: stealth addresses for ERC721s.
A low-tech approach to add a significant amount of privacy to the NFT ecosystem.
So you would be able to eg. send an NFT to vitalik.eth without anyone except me (the new owner) being able to see who the new owner is.https://t.co/UdqK6NAYjn
— vitalik.eth (@VitalikButerin) August 8, 2022
ERC721 extension for zk-SNARKs
The extension to ERC721 (the NFT standard) was proposed by Nerolation, who stated that he believed his methodology was “the exact implementation of what Vitalik described” when talking about private POAPs.
Vitalik spoke about the potential need for private Soulbound tokens (SBTs) in his article introducing the SBT concept to the world. He stated,
“Privacy is an important part of making this kind of ecosystem work well… If, one day in the future, being vaccinated becomes a POAP, one of the worst things we could do would be to create a system where the POAP is automatically advertised… to let their medical decision be influenced by what would look cool in their particular social circle.”
The suggestion of using ZK-SNARK compatible ERC721 tokens attempts to solve this by using stealth addresses that include a hash of the user’s address, the token ID, and a secret of the user.
The information is then added to a Merkle tree on-chain, with the tokens being stored at “an address that is derived from the user’s leaf in the Merkle tree.”
To prove ownership of the token (NFT), an address would have to give the stealth address “access to a private key” so that when a message is signed, the collated information can be passed to a leaf of the Merkle tree. The circuit would then be able to compare the “calculated and user-provided roots for verification.”
Regular stealth addresses
In his response to Nerolation, Vitalik explained that he believes there is a more elegant and straightforward solution to the issue, which would use “much lighter-weight technology.” He proposed using “regular stealth addresses” without needing complex Merkle trees.
Vitalik explained that every user has a private key that can be used as the base point of an elliptical curve group to create a new private key, as is commonly done with regular stealth addresses.
A “one-time secret key” can then be generated, and the paired public key derived from the elliptical curve’s base.
The sender and receiver can then “compute a shared secret” by combining the private and secret keys.
A new address is generated using this shared secret by hashing together the above information.
The sender can send an ERC20 token to this address as Vitalik concludes;
“The recipient will scan all submitted Svalues, generate the corresponding address for each Svalue, and if they find an address containing an ERC721 token they will record the address and key so they can keep track of their ERC721s and send them quickly in the future.”
Vitalik asserted that Merkle trees or ZK-SNARKs are unnecessary as “there’s no possibility of creating an “anonymity set” for an ERC721.” His method means that on-chain data will show that an ERC721 has been sent to some address but would not reveal the valid owner of the token.
Costs involved
The solution comes with a cost that could make it impractical on the Ethereum mainnet. The gas fees involved in Vitalik’s method could require the sender to “send along enough ETH to pay fees 5-50 times to send it further.”
Whether Vitalik’s solution is a more elegant implementation or not will be left to the Ethereum open-source community to decide. Yet, it is interesting to note that Vitalik appears to have accepted the need for an element of privacy within the Ethereum ecosystem. His SBT revelation has opened up a world of possibilities for tokenized assets. Further, the need for the confidentiality of some assets has resurfaced in his thinking.
At a closed press conference on August 6, Vitalik explained that “my opinions on a lot of issues have definitely changed in the last ten years.” He continued to say,
“I think even today, I think we’re at the point where the Ethereum project can function completely without me. And I think it’s only going to go more and more that way.”
Vitalik has only contributed seven times to the Ethereum Research forum since January 2022. Whereas in January 2022, he posted nine comments in that month alone. He is clearly starting to move out of the way of other developers in the Ethereum ecosystem. However, if Vitalik was to step away entirely, it remains to be seen if investors would be as confident that Ethereum could continue without him.