The day before yesterday, Nocturne just announced that it had raised 6 million US dollars and received investment from Vitalik. Why do I call it a startup for Vitalik? Because the main technology of this project is privacy addresses. On January 20 of this year, Vitalik wrote a special article in his blog to discuss the feasibility of privacy addresses. I also disassembled and analyzed this article the next day. You can take a look at it for review.

Nocturne’s Twitter account first posted in May this year, five months after Vitalik discussed privacy addresses, and then received Vitalik’s investment five months later, so it was a successful case for Vitalik’s entrepreneurship.

Let’s talk about the privacy address separately, what it is used for, how to implement it, and what the effect is.

The core of the privacy address is to achieve anonymity in the process of Token transfer, which is the effect achieved by Tornado Cash before. Anonymous transfer is an eternal topic in Crypto and a very rigid demand. Next, I will explain how the privacy address is achieved as simply and detailed as possible, and how it is different from Tornado Cash.

But first of all, it should be made clear that privacy addresses are definitely not a new concept, but have existed for a long time and many projects and derivative protocols have been produced. Monero is actually based on the same principle, but Vitalik is an important promoter of its theoreticalization in the Ethereum ecosystem. In the Ethereum Researcher Forum in August 2022, Nerolation proposed whether ZK and ERC721 could be combined to achieve anonymous sending and receiving of NFTs. Vitalik replied that you are thinking too much, maybe it can be achieved in a simpler way, and temporarily called it ERC721S

Then Nerolation and Vitalik proposed EIP5564 to fully promote standardization

But in fact, there was already a project that productized the privacy address earlier, at least in terms of maturity, it has reached a usable state, but I don’t know why it didn’t get Vitalik’s favor... Instead, Nocturne, which came a year later, was favored.

The principle of privacy address is simply to generate a one-time new address for each transaction. The payer transfers the money to the new address, and the new address can only be controlled by the payee and thrown away after use. Manual operation is equivalent to A generating a new address, and then telling B the private key of the address, and A transfers 10U to it. Because only B knows the private key of this address, B can control this address and transfer 10U to the exchange. Therefore, from the public chain, you can only see that A transferred 10U to an empty address, and then this address transferred 10U to the exchange, but no one knows who transferred 10U to the exchange.

However, the above process relies on a lot of manual operations and involves the transfer of private keys, which is not only troublesome but also very risky. Is there any way to productize this process? The idea is to automatically realize the process of "A generates an address that only B can control".

This is the task that the privacy address needs to accomplish, and the idea of ​​ZK is also used here.

Let’s go back to the example just now. For example, A wants to transfer 10U to B. A already knows B’s public address, but A does not want others to know the transaction link between A and B. So A generates a pair of temporary private key and public key, and combines the temporary private key with B’s public address to generate a private address, and then A transfers 10U to the private address.

From the chain, A transferred 10U to a new address. Two problems arise at this time. First, how does B know that this new privacy address is created by A for B? Maybe A also sent 10U to C, D, E and other people. Second, even if B knows that the privacy address is created by A for him, how can B get the 10U of this new address or how to control the new address?

As mentioned earlier, when A generates a private address, he will first generate a pair of temporary private key and public key, where temporary private key + B public address = private address, and B private key + temporary public key is also equal to private address. So when A sends 10U to the private address, he will also publish the temporary public key on the chain. B will scan the public key registry. For each newly discovered temporary public key, B will combine his private key to generate a private address. If there happens to be money in it, it means that A gave it to him.

Then, B's own private key can be used to calculate the private key of the privacy address, and the private key of the privacy address can be used to control the privacy address for the next transfer transaction.

The effect from the chain is that A transferred 10U to a new address, and then 10U was transferred to the exchange, but who manipulated the new address to transfer it cannot be reflected on the chain. The new address is like a puppet controlled by a pair of hands behind it.

The above is the principle of privacy addresses. Up to now, Nocturne’s test network and main network have not been launched, and there is no roadmap, so whether Nocturne can achieve the effect of tornado cash remains to be seen.