Can zkRollups Like Aztec Win the War on Privacy?
An Intuitive Explainer of Aztec Network's Unique zkRollup
This research memo is for educational purposes only and not an inducement to invest in any asset. Subscribe to Blockcrunch VIP to receive in-depth project analysis, interactive token models and exclusive AMAs from our research team - all for the price of a coffee ☕ a day.
The War on Privacy
Founders in DeFi are having a rough time.
While founders who incur the wrath of CFTC or the SEC may find themselves escaping with a hefty fine and the support of those reasonable enough to push back against gross regulatory overreach, OFAC is a totally different animal.
Since the OFAC sanction on Tornado Cash, projects have erred on the side of extreme caution, to the point of censoring transactions at the blockchain level, in order to avoid spending time in a cell.
Is there any hope for privacy-focused projects in crypto? If so, what form might they take?
Aztec Network might be the answer. Aztec is a privacy project dressed as a scaling project, pushing for a “privacy by default” standard. By the end of this article, you will better understand:
What zkRollups are and why they’re not technically “private”
How Aztec Network’s zkRollup achieves privacy
What you can do on Aztec today and why you should care
Aztec’s positioning vs. other upcoming zkRollups e.g. StarkNET, zkSync
The drawbacks of Aztec’s market positioning
The topic of zkRollups is one of the most complex and bleeding-edge in crypto, involving discussions around moon math, deep cryptography and data availability. This memo will predominantly focus on the commercial and go-to-market aspect of Aztec as a product, but we will provide the requisite layman’s explanation for relevant technical concepts.
For those more technically inclined, we will include a list of relevant resources at the end.
(Blockcrunch has not received any compensation from Aztec, and none of Blockcrunch’s personnel have any exposure to Aztec Network).
Aztec, Explained As An Awkward Thanksgiving Party
Aztec Network is a privacy-first zero-knowledge rollup (zkRollup), i.e. a layer 2 solution built on Ethereum that gives decentralized applications and their users access to private and cheaper transactions. This is not dissimilar to a VPN network built over Ethereum.
An elaborate analogy, if you’ll indulge me…
Imagine it’s Thanksgiving. Your family is hosting a get-together in the living room, but the less-than-sociable you are standing outside.
You’re thirsting for a drink. You know that in the middle of the living room is a table where all the drinks are placed, but alas! All the annoying relatives you are trying to avoid are in the room. They’ll surely strike up a conversation about the NFT Dickbutt you convinced them to buy at the top with their kids’ college savings, and that’s not a conversation you need to have today.
Fortunately for you, your cousin just so happens to be going into the living room to fetch drinks for himself and his friends. You sheepishly ask that he brings you a glass of water, to which he agrees. Success! You managed to quench your thirst, and managed to avoid the wrath of your relatives.
In Aztec’s context - Ethereum is the living room, where your every move is visible to everyone in there. Your friendly cousin is Aztec, who’s “batching” orders and executing them on your behalf.
Your relatives (anyone monitoring the Ethereum chain) see your cousin (Aztec) grabbing a bunch of drinks (batched orders), but they have no idea which belongs to whom, and don’t know that you even requested for a drink.
In fact, to be more precise, in Aztec, the cousin would not even know you ordered the water. In its current version, it will be more similar to the cousin passing a piece of paper around to get everyone’s drinks orders, without anyone putting down their name, and without the cousin seeing what anyone’s written down.
That is the solution offered by Aztec - particularly their latest Aztec Connect product (more below). Since launch, Aztec claims to have over 75,000 registered users transact over $80 million across 225,000+ transactions, all while being 96% cheaper than existing private transfer protocols.
A Brief Refresher: zkRollups vs. Optimistic Rollups
To understand whether Aztec’s commercial position can buck the trend of privacy projects in crypto - which to date has had lackluster adoption - we must first understand it at an intuitive level.
There is copious literature written about rollups already but here is a brief reminder for those who need it: as readers may know, one of the key ways with which layer 1 blockchains scale their throughput is via layer 2s, predominantly rollups.
In short, this is similar to keeping a bar tab (the rollup) for transactions before settling the bill all at once with the cashier (the L1 base chain), as opposed to settling the bill every time you order a drink. Batching thousands of transactions on a rollup into one transaction on the base chain helps save on cost and also allows for higher throughput.
Specifically, Aztec uses zkRollups when processing transactions. As a reminder, there are 2 distinct types of rollups: optimistic rollups and zero-knowledge rollups (zkRollups).
To give a bit more context:
Optimistic rollups batch transactions on a layer-2 rollup chain and submit them without performing any verification - in other words, they “optimistically” assume that all transactions are valid until proven otherwise. There is then a challenge period wherein if someone thinks an invalid transaction has been submitted, they can submit a fraud proof to challenge the transaction. If the challenge succeeds, they get a reward. If the challenge period expires without a challenge, the transactions are finalized.
The two main incumbents - Optimism and Arbitrum - mostly differ by how these fraud proofs are structured.
zkRollups (or ZK-Rollups as they are sometimes styled), contrary to optimistic rollups, do not assume all transactions are valid. Every batch of transactions submitted to the Ethereum network from a zkRollup contains a mathematical proof that attests to the validity of the transactions, without revealing the transactions themselves (hence the “zero-knowledge”).
There are two main types of validity proofs, namely ZK-SNARKs and ZK-STARKs. In general, ZK-STARKs are considered more scalable and transparent.
Of the two, zkRollups are often considered the “superior” solution over the long term as they:
Do not incur the lengthy challenge period that optimistic rollups do;
Are debatably more secure since every transaction is mathematically proven to be valid, and;
Can compress transaction data better than optimistic rollups, and as such need to take up less block space
However, in the short term, zkRollups are seen as less desirable because:
It’s expensive to compute zero-knowledge proofs! They are much more mathematically complex than fraud proofs and require a lot more resources to produce;
Smart contract capabilities are easier to implement on optimistic rollups, and the complex computation required by proofs mostly limit transactions on zkRollups to direct transfers and exchange (for now).
Despite the technical challenges, zkRollups seem to be showing strong traction: applications on StarkEx (the solution built by Starkware, the market leader by most recent private valuation) report ~40.46k daily active unique addresses, compared to the ~8.61k reported for Arbitrum and Optimism (both optimistic rollup solutions) combined.
In addition, StarkEX applications also boast a slightly higher 7-day moving average transaction count relative to Optimism and Arbitrum combined, according to data sourced from The Block (note that data does not include zkSync, another major zkRollup competitor. Readers can find that here).
However, it is important to note that the above comparison isn’t entirely fair. StarkEx is a permissioned scaling engine, not the permissionless, decentralized zkRollup StarkNet, which remains unlaunched. Starkware intends to allow applications on StarkEx to be ported to StarkNet, and for the purpose of this analysis we treat StarkEx and StarkNet as equivalent for now.
Below, we’ll examine how Aztec’s zkRollups differ from the rest.
Aztec’s Flavor of zkRollups: An ELI5 Take
The main confusion around zkRollups is that transactions are all private.
This is not true!
zkRollups publish state data for every transaction to Ethereum, meaning anyone can reconstruct the rollup’s state independently. The “zero-knowledge” namesake only refers to the use of ZK-SNARKs/STARKs for validity proofs, not that no one can see what’s happening on a ZK-Rollup.
Aztec is the only zkRollup that offers transaction-level privacy for its users.
While other projects, such as zkSync (created by the second largest market leader by private valuation, Matter Labs), have noted privacy as a priority, it is a secondary, long-term goal rather than an immediate roadmap item.
So how does Aztec do this?
As everyone in crypto should know, Aztec achieves privacy by leveraging Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge…
Just kidding.
Let’s speak human.
How is Aztec Different?
First, we must understand how Aztec differs at a foundational level.
Usually, zkRollups are structured similarly to Ethereum, using an account-based model where you have a ledger of accounts and their respective balances. Aztec is more similar to Bitcoin in that it uses a UTXO model.
In simple terms, instead of having a ledger of accounts and balances, coins on Aztec are stored as a list of transaction outputs.
The reason this structure is chosen is its simplicity: UTXO basically describes a ledger as an ongoing series of transactions, which means all Aztec has to do is encrypt those transactions. Contrast this with an account-based model, where Aztec would need to encrypt the interactions between every pair of accounts that have transacted with each other, which can get complex really fast!
The known trade-off is that more expressive smart contracts (i.e. more complex activities) are harder to do on a UTXO model (which we will touch on below).
How Does Aztec Encrypt Transactions?
Now that we know how Aztec structures transactions that happen in its rollup, let’s look at how it encrypts those transactions.
When a user sends another user assets on Aztec, it’s a bit different from how it’s done on, say, Ethereum. Transactions are not broadcast to miners and publicly viewable by all.
Instead, when Alice sends Bob $10 on Aztec Network, she doesn’t reveal any information publicly. Instead, Alice submits a validity proof to prove 2 things:
That she sent Bob some money;
That she had enough money to send Bob that $10 - without actually revealing the amount she sent
This is where the black magic of zero-knowledge proofs comes in. When transacting on Aztec, Alice generates a zero-knowledge proof in her browser to prove the above. Specifically, Aztec uses a type of zero-knowledge proof called PLONK, which the founders of Aztec invented themselves.
How Does Aztec Give Users Privacy on DeFi?
This is the cool part of Aztec - it recognizes that rebuilding DeFi applications on a zkRollup is going to be difficult and will take time given the fundamental limitations of writing smart contracts on a zkRollup.
So instead of rebuilding applications, Aztec decided - “why don’t we use the existing DeFi applications on L1?”
With Aztec Connect, Aztec essentially created a VPN for Ethereum. Users deposit assets from Ethereum onto Aztec’s zkRollup, then can proceed to use any integrated applications on L1 from within Aztec.
Simplistically, the user flow works a bit like this:
Alice wants to stake her ETH on Lido, a liquid staking platform on layer 1 Ethereum, but wants to do it privately
She deposits 1 ETH onto her Aztec account
She tells Aztec to deposit that 1 ETH for her onto Lido
Aztec batches her order along with 10 other users who want to deposit a total of 10 ETH onto Lido
Aztec then sends the 11 ETH (1 from Alice and 10 from others) from Aztec Network to Ethereum L1, and calls the deposit function on Lido and stakes the 11 ETH
This way, all anyone can see on Ethereum is a contract called “Aztec” deploying 11 ETH into Lido. No one knows how much Alice deposited into Lido - in fact, no one even knows Alice interacted with Lido at all!
Products live on Aztec
Now that we know how Aztec works - let’s look at what they’ve built so far:
Zk.Money
Zk.money is a privacy application that allows users to send and receive tokens privately. This is intended to be a showcase of what developers can build and what users can do on Aztec - a precursor to the more generalized Aztec product.
When depositing into and withdrawing out of Aztec, there is only partial privacy:
Deposit address is visible to observers when depositing into Aztec
Recipient address is visible when withdrawing out of Aztec
Transaction amount is visible in both cases
Because of this, on-chain sleuths can link users across transactions. For example, suppose you deposited 1.269420 ETH onto Aztec and later withdrew the same amount of ETH to another wallet address. On-chain sleuths can deduce that the two addresses belong to the same user, since the amount transferred is particular and unique.
On the other hand, if you transacted a common amount of, say 1 ETH, it is impossible to link you to one of the thousands of addresses that transferred 1 ETH, thereby still achieving anonymity.
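To make the linkability point concrete, here is an added example (not code from the original memo or from Aztec) that models what a chain observer sees at the deposit/withdraw boundary and computes, for each withdrawal, the anonymity set of deposits with the same exact amount. The events, addresses and amounts are constructed for illustration; amounts are kept in integer wei so that exact matching does not suffer from float rounding.

```python
from collections import defaultdict
from dataclasses import dataclass

WEI = 10**18


@dataclass(frozen=True)
class BoundaryEvent:
    """What a chain observer sees where value crosses the Aztec/Ethereum boundary."""
    kind: str        # "deposit" (L1 sender visible) or "withdraw" (L1 recipient visible)
    address: str     # the visible L1 address
    amount_wei: int  # the visible amount; transfers inside the rollup stay hidden


# Constructed sample events with hypothetical addresses; not real chain data.
SAMPLE_EVENTS = [
    BoundaryEvent("deposit",  "0xdeposit_1", 1 * WEI),
    BoundaryEvent("deposit",  "0xdeposit_2", 1 * WEI),
    BoundaryEvent("deposit",  "0xdeposit_3", 1 * WEI),
    BoundaryEvent("deposit",  "0xdeposit_4", 1_269_420_000_000_000_000),  # 1.269420 ETH
    BoundaryEvent("withdraw", "0xwithdraw_1", 1 * WEI),
    BoundaryEvent("withdraw", "0xwithdraw_2", 1_269_420_000_000_000_000),  # 1.269420 ETH
]


def deposits_by_amount(events):
    """Group visible deposit addresses by their exact amount."""
    groups = defaultdict(list)
    for e in events:
        if e.kind == "deposit":
            groups[e.amount_wei].append(e.address)
    return groups


def anonymity_set(events, amount_wei):
    """Deposit addresses that a withdrawal of this exact amount could be matched against.

    A size of 1 means the amount is unique and the two addresses are trivially linkable;
    a large set is what a user wants to see before choosing an amount to withdraw.
    """
    return deposits_by_amount(events).get(amount_wei, [])


def uniquely_linkable_withdrawals(events):
    """Withdrawals whose amount matches exactly one deposit: the case the memo warns about."""
    groups = deposits_by_amount(events)
    return {
        e.address: groups[e.amount_wei][0]
        for e in events
        if e.kind == "withdraw" and len(groups.get(e.amount_wei, [])) == 1
    }


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if e.kind == "withdraw":
            size = len(anonymity_set(SAMPLE_EVENTS, e.amount_wei))
            print(f"{e.address}: anonymity set size {size}")
    print("uniquely linkable:", uniquely_linkable_withdrawals(SAMPLE_EVENTS))
```

The 1 ETH withdrawal hides among three deposits, while the 1.269420 ETH withdrawal matches a single deposit and is linked outright; a real observer would additionally use timing and other heuristics, so the set size here is an upper bound on privacy, not a guarantee.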
Aztec Connect
Aztec Connect allows users with shielded assets on Aztec to interact directly with DeFi protocols on Ethereum. Users submit their transaction requests to Aztec’s rollup, which then aggregates users’ transactions before connecting with the Ethereum DeFi protocols via Aztec Connect bridge contracts. Users receive virtual assets in return, representing their stake in the DeFi position, e.g. their staked ETH in Lido.
The Aztec bridge contract interacts with Ethereum DeFi protocols on behalf of the users – essentially acting as a proxy service that preserves users’ privacy. Furthermore, despite interacting with the same Ethereum DeFi protocol, users pay less in transaction fees via Aztec Connect than in a regular DeFi transaction on Ethereum due to batched transactions.
Additionally, unlike alternate Layer 1s and other Layer 2 protocols, Aztec Connect does not require DeFi protocols to redeploy their contracts on its Layer 2, making it more convenient and cheaper for protocols to integrate with Aztec. The most valuable benefit of not redeploying is that the DeFi protocols retain their composability with other DeFi protocols, and users get access to the same levels of liquidity since there is no liquidity fragmentation.
In essence, users get to interact with their favorite DeFi protocols on Ethereum while enjoying private and cheap transactions – all with the same levels of liquidity and composability.
Traction Review
Since going live in March 2021, Aztec has reportedly facilitated (excluding renBTC transactions):
66,000 ETH and $28.9 million DAI total deposits
160,000 deposit transactions
109,000 users
With the launch of Aztec Connect back in July 2022, the Aztec network saw a bump in activity as users and deposits hit a daily peak of 600 ETH and 2100 users. Since then, daily performance has slowed down and returned to averaging 200 users and 250 ETH deposits.
The comparably low performance (relative to other alternate Layer 1s and Layer 2s like Polygon, Arbitrum and zkSync) can be attributed to the small set of activities currently available on Aztec. Apart from private asset transfers, users only have access to 5 different Ethereum DeFi protocols – Euler, 7 Day DCA, Yearn Finance, Lido and Element.
Aztec’s self-imposed per-transaction limits of 5 ETH and 10,000 DAI (to deter illicit activity) may also have contributed to the lower performance.
Investors may also have noticed that Aztec’s Total Value Locked (TVL) is comparatively low. Even though TVL is commonly used to measure the performances of blockchains and applications, TVL is not suitable as a performance metric for Aztec.
This is because apart from internal transfers, most activities on Aztec involve withdrawing assets back to Ethereum – TVL on Aztec is low by design. Growth of total deposits and the number of users might be more suitable for tracking Aztec’s performance.
Our Assessment of Aztec
And now, for the part you all came here for - how do we view Aztec, and does it have a real shot at winning the war on privacy?
Market Positioning
In terms of positioning, Aztec is the only zkRollup built with end-to-end privacy in mind. Contrast this with zkSync, which has cited privacy as a secondary priority, and StarkNET, which also primarily focuses on scalability first.
Given the technical challenges of creating a functional, trustless and cost-efficient zkRollup, it is understandable that most zkRollup projects focus on scalability first. Aztec’s decision to launch a zkRollup with no expressive smart contract capabilities yet (until the future Aztec 3.0, which purports to allow expressive smart contracts written directly into the zkRollup) enables them to come to market faster with an actual zkRollup (see left side of competitive comparison map below).
This also means Aztec is able to launch with live integrations (more below) with applications that have existing user bases on Ethereum L1, as opposed to needing to re-create or re-deploy applications natively on a zkRollup and attempt to bootstrap users, as other privacy-focused projects such as Secret Network have elected to do.
However, in light of the recent OFAC sanctions, sensitivity towards privacy-enhanced protocols is high. Recently, FTX has banned transactions from zk.Money, which calls into question whether users will continue to use Aztec should it mean they will be banned from protocol front ends, centralized exchanges - perhaps even censored at the L1 chain level, as validators who are OFAC-compliant will be able to see and censor transactions from Aztec Network deploying to L1, even if they cannot target individual users.
This leads us to our next point…
Cost Optimization
In our opinion, Aztec should focus on emphasizing its cost-saving capabilities given the current market climate - both for end-users and at the network level.
An often-overlooked aspect of Aztec’s product is its ability to save costs for users who wish to interact with L1 applications on Ethereum. Because orders are batched together with other users’, the cost of every transaction submitted via Aztec should theoretically be lower than that of the same transaction submitted directly on L1 Ethereum. Assuming the user set on Aztec grows, the latency incurred in batching can be reduced as well.
In addition, though there is a high fixed cost to verify the validity proof submitted, that computational cost is amortized across all transactions in the submitted batch. Over a large enough number of transactions, Aztec can quickly overcome its fixed-cost disadvantage (relative to optimistic rollups) and offer lower transaction costs.
Aztec works on reducing a user’s share of the fixed rollup costs in two areas:
Reducing the cost of posting a rollup, and
Increasing the number of transactions per rollup
When Aztec first started, the cost of posting a proof to Ethereum was approximately 750k gas. Since then, they improved their proving system and reduced the cost of posting to 550k gas – almost a 30% reduction. Their recent system upgrade also claims an 8x increase in throughput. Now, Aztec bundles 896 transactions instead of 112 transactions per rollup. Aztec bundles its transactions via its recursive zero-knowledge rollup design (also known as ZK-ZK rollup), whereby:
A user generates an in-browser zk-proof for their transaction
28 of such client proofs are aggregated into an “inner” rollup proof
32 (previously 4) “inner” proofs are further combined into an “outer” rollup proof
“Outer” rollup is verified to establish its validity, and the final proof is posted on-chain for posterity
In sum, the share of rollup costs per transaction fell by approximately 90% - from 6700 gas (750k / 112) to 614 gas (550k / 896). This fixed cost represents only a minority of a DeFi transaction, while call data represents the vast majority (up to 88.88%) of the gas cost. As Aztec further reduces proof verification costs and increases the number of transactions possible per rollup, call data will represent nearly 100% of transaction costs, and at that point, the only way to scale Aztec is to optimize Ethereum.
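The cost model above, as an added example that is not code from the memo or from Aztec: it reproduces the memo’s per-transaction figures from the recursive inner/outer batch structure, and extends the same arithmetic to a partially filled batch (the trade-off behind the “instant” option discussed under Integrations) and to the call-data share. The 4,900 gas call-data figure is a constructed assumption chosen so the example lands near the memo’s 88.88%.

```python
def fixed_gas_per_tx(proof_gas, txs_in_batch):
    """Each user's share of the fixed proof-verification gas for one posted rollup."""
    if txs_in_batch <= 0:
        raise ValueError("a rollup must carry at least one transaction")
    return proof_gas / txs_in_batch


def rollup_capacity(client_proofs_per_inner, inner_proofs_per_outer):
    """Transactions per posted rollup in the recursive (inner/outer) design."""
    return client_proofs_per_inner * inner_proofs_per_outer


def calldata_share(proof_gas, txs_in_batch, calldata_gas_per_tx):
    """Fraction of a user's total gas that is call data rather than amortized proof cost."""
    fixed = fixed_gas_per_tx(proof_gas, txs_in_batch)
    return calldata_gas_per_tx / (fixed + calldata_gas_per_tx)


def reduction(old, new):
    """Relative reduction from old to new (0.9 means a 90% cut)."""
    return 1 - new / old


# Figures quoted in the memo: 28 client proofs per inner proof, 4 then 32 inner proofs per outer.
OLD_PROOF_GAS, OLD_CAPACITY = 750_000, rollup_capacity(28, 4)    # 112 txs per rollup
NEW_PROOF_GAS, NEW_CAPACITY = 550_000, rollup_capacity(28, 32)   # 896 txs per rollup

# Constructed assumption for per-transaction call data, not a figure from the memo.
ASSUMED_CALLDATA_GAS = 4_900


def memo_comparison():
    """Per-tx fixed gas before and after the upgrade, plus the relative reduction."""
    old = fixed_gas_per_tx(OLD_PROOF_GAS, OLD_CAPACITY)
    new = fixed_gas_per_tx(NEW_PROOF_GAS, NEW_CAPACITY)
    return old, new, reduction(old, new)


def partial_batch_cost(fill_fraction):
    """Per-tx fixed gas if a rollup is posted before it fills: fewer users share the same proof."""
    txs = max(1, int(NEW_CAPACITY * fill_fraction))
    return fixed_gas_per_tx(NEW_PROOF_GAS, txs)


if __name__ == "__main__":
    old, new, cut = memo_comparison()
    print(f"old {old:.0f} gas/tx, new {new:.0f} gas/tx, reduction {cut:.1%}")
    for fill in (1.0, 0.5, 0.25):
        print(f"batch {fill:.0%} full: {partial_batch_cost(fill):.0f} gas/tx")
    print(f"call-data share at full batch: "
          f"{calldata_share(NEW_PROOF_GAS, NEW_CAPACITY, ASSUMED_CALLDATA_GAS):.2%}")
```

Halving the batch fill doubles each user’s fixed share, which is the price of not waiting; at a full batch the fixed share is already small next to call data, which is why further proof optimizations have diminishing returns.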
That being said, the above cost savings may only extend to a limited batch of protocols, which leads us to our next point…
Integrations and Liquidity Fragmentation
Because Aztec batches orders and submits them to L1, there is a necessary delay incurred for users, who need to wait for other users to come in for transactions to batch. The fewer users there are, the longer this batching process will have to be.
For instance, to fully enjoy the cost savings benefit of Aztec, a simple deposit into Lido via Aztec can take up to 5 hours (see below). This latency is simply not feasible for protocols where users have a higher time preference (e.g. any exchange).
In addition, even if users opt for the instant option, this will come at a higher cost (see cost analysis below), and the latency of executing a transaction via Aztec rather than directly on L1 will still exist. This makes it hard to attract meaningful institutional or sophisticated capital with high sensitivity to execution pricing onto Aztec for exchange use cases, which account for a large fraction of DeFi uti.
This perhaps explains why most of Aztec’s upcoming integrations are with protocols that do not involve any type of trading:
On the flip side, compared to other zkRollups, applications need not redeploy their contracts, as Aztec interacts with them directly on L1. Some applications, such as Lido, require direct interaction with the beacon chain at the L1 level and cannot exist outside of their L1 context at all.
As such, Aztec’s way of interacting with DeFi preserves the liquidity on Ethereum and prevents fragmentation, and can service use cases that perhaps other zkRollups cannot.
TO BE FINALIZED
Extensibility
You could launch it on other chains if they are fully EVM compatible and there is a good way to pass messages between Aztec
It’s a bit like a VPN if every website you connect to via the VPN requires an integration with the VPN provider first, but Noir should change that.
Programmability
Noir and Aztec 3 allow people to write SNARK programs without being a cryptographer, and allow rollups to consume rollup circuits
Team
Finally, we would be remiss to not address Aztec’s team.
Aztec has one of the most technical teams across the zkRollup vertical currently. Aztec was founded in 2017 and is currently led by Zachary Williamson and Joe Andrews. Since its inception, Aztec has grown to a team size of 22 members.
Zachary is the current CEO and heads the cryptography team at Aztec. Zachary attained his doctorate in Particle Physics from the University of Oxford and was formerly a physicist at CERN, the largest and most respected centre for nuclear and scientific research. He was also the co-inventor of PLONK, the zero-knowledge technology that powers Aztec and that other zero-knowledge protocols use.
Joe is also a CEO at Aztec and heads the engineering team. Joe attained his Bachelor’s in Engineering at Imperial College London. Before Aztec, Joe was the CTO and co-founder of Radish, a Silicon Valley food tech start-up that was later acquired by another food company. Both Zachary and Joe were cohort members of Entrepreneur First, a global founder network with a combined investment portfolio of $10 billion.
Overall, Aztec’s team is highly technical, with cryptographers and engineers holding PhDs from renowned institutions and with prior experience at Zcash, Dusk, Aave and others.
Final Thoughts
Aztec positions itself as a “VPN for Ethereum (and other L1s)”, which emphasizes adding privacy features to existing applications on L1, versus creating privacy-enhanced versions of existing applications.
This is in stark contrast to the strategy employed by Secret Network, which has created its own slew of messaging, exchange, games and NFT exchanges on its own separate Tendermint-based chain.
OFAC did provide more clarity on the sanction a month after, stating that “interacting with open-source code itself” is not illegal as long as it does not include a prohibited transaction. It still banned US citizens from engaging in transactions involving Tornado Cash – meaning Aztec is still at risk of regulatory pressure. However, Aztec’s team is committed to deterring illicit activities and plans to ramp up its efforts beyond just per-transaction limits with system-wide daily asset deposit caps, IP-specific deposit rate-limiting and more.
Additionally, Aztec has been able to onboard 100,000 users without using incentive programs, proving that privacy has a product-market fit amongst the crypto-natives. We expect the eventual release of Aztec tokens and incentive programs to onboard even more users onto Aztec.
We also look forward to seeing how Aztec might be able to remain compliant without further tightening its restrictions on transactional amounts – ideally even removing the cap.
Useful resources
Aztec
zkRollups
Data
For Blockcrunch interviews related to privacy, check out:
Is There Still a Bull Case for Privacy - with Aztec Network (Ep. 213)
The Bear Case for Privacy Cryptocurrencies - with Multicoin Capital (Ep. 74)
DISCLAIMER
The Blockcrunch Podcast (“Blockcrunch”) is an educational resource intended for informational purposes only. Blockcrunch produces a weekly podcast and newsletter that routinely covers projects in Web 3 and may discuss assets that the host or its guests have financial exposure to. Views held by Blockcrunch’s guests are their own. None of Blockcrunch, its registered entity or any of its affiliated personnel are licensed to provide any type of financial advice, and nothing on Blockcrunch’s podcast, newsletter, website and social media should be construed as financial advice. Blockcrunch also receives compensation from its sponsor; sponsorship messages do not constitute financial advice or endorsement.