A Privacy Sidechain for All Polkadot & Kusama Chains

Integritee has developed TEE-validated L2 sidechains and has demonstrated private transactions based on its SDK in Q1 2022. One year has passed and we are now close to providing this technology to all substrate-based L1 chains, as well as to the Polkadot and Kusama relay chains — without the need to change one line of code on L1 runtimes.

The Dotsama ecosystem is highly transparent nowadays. The information, who is transacting with whom and how much, who you nominate, how you vote, and whom you elect to the council is publicly visible to anyone. While this does have its advantages when it comes to accountability, it is not a sound setup for everyday actions.

The inherent linkability of everything that happens on transparent blockchains prohibits a wide range of use cases — or would you really want to disclose personal identity attributes on i.e. KILT in order to gain access to a certain service, if you know that this information can be linked back to your original DOT presale participation and trading history? Or your votes on a controversial topic on any other parachain, linkable through XCM? Follow the money and you’ll be able to retrieve a lot of personal sensitive information way beyond token balances.

Because of transaction fees, you can’t just start with a new account out of nothing. You need a minimum amount of tokens in order to get active on Dotsama chains — and most blockchains in general. This means you have to send funds from an existing account to your new one. Thereby, you’re linking all future events back to that original account with very weak deniability. You can use centralized exchanges to make it harder to link both of your accounts by following the money. But the linkable information then resides on that exchanges’ servers and is subject to arbitrary access by law enforcement or, occasionally, hackers.

As we will show in this article, Integritee is not opposed to adequate law enforcement insight. On the contrary: a possible future solution could be a system where the balance between maximum privacy and full insight for law enforcement is a matter of on-chain governance, selectively per account and information in question.

How it works

Alice would like to transfer funds from her account to Bob’s privately. She sends tokens to the sidechain’s vault account. The sidechain’s light client will subscribe to all transfers to its vault account and will endow the sender’s account with the amount received. Then, Alice can trigger all kinds of transactions on L2. In our example, she directly transfers tokens from her shielded account to Bob’s. Bob can then trigger unshielded tokens to his L1 account. After this process, there is no way to directly link information on L1.

In order to gain practical unlinkability, one has to avoid the linkability of amounts or timing of the process. Mixers can be used to hide the exact time and amount of transfers. This means that the degree of privacy enhancement depends on the number of users that are simultaneously active on our sidechain. The more users sending similar amounts, the better the k-anonymity.

Thanks to the Trusted Execution Environments (TEE) technology, not even the operators of the sidechain “validateers” can learn anything about L2 transactions on our sidechains. Validateers are Integritee’s own validators operating our second-layer sidechains — the block production and validation happen inside TEEs. This means validateers can trust each other and the consensus protocol is greatly simplified.

What is the role of the Integritee Network parachain in this use case?

Sidechain blocks are produced by validateers, asynchronously to layer one at a higher block rate. Despite the TEEs’ integrity guarantees, these blocks are not yet final because forks on the sidechain can still happen. Every sidechain block hash is anchored to the layer one blockchain and gets finalized on layer one with the block that includes its anchoring extrinsic.

Our sidechains support multiple validateers operating within TEEs, a hardware-encrypted area of a CPU securing data in use. The added value of our sidechains is that once verified, all validators can trust each other, thus enabling sub-second block times with up to 2,000 TPS on each sidechain. In combination, this provides a cumulative capacity of up to 1 million TPS over the entire Integritee Network for well-shardable use cases.

Computations done inside TEEs can be independent and isolated from the mainnet, providing developers with a set of attractive benefits: scalability, confidentiality, and independent economics on L2. If you’re interested in knowing more about our sidechains and their features, check out this article.

Do you need TEER tokens to use the privacy sidechain?

Sidechain validateer operators will pay fees for remote attestation and sidechain finality in TEER on the Integritee Network. The Integritee network treasury may, subject to its governance, offer TEER grants to common good validateer operators. The end users, on the other hand, need not care about TEER because our sidechains will use the native token of the target L1 as their native token, which is needed to pay fees on L2 (KSM in the case of Statemine). This greatly simplifies UX while still ensuring economic viability for sidechain operators.

Remote Attestation

Essential when deploying Trusted Execution Environments (TEEs), remote attestation is the process of authenticating the TEE and signing a report confirming its genuineness — it basically tells you that what’s running inside the secure environment is, in fact, what you intended.

This process also confirms the hash of the binary that the secured environment is executing. Such a report also includes the TEE’s public signing key, so we can rest assured that we are truly talking to the right TEE by verifying its signature. Remote attestation provides verification for three things: (1) the application’s fingerprint, (2) its integrity (that it has not been tampered with), and (3) that it is running securely within a genuine machine.

Integritee decouples this process from the TEE manufacturer, in our case Intel for the time being, such that no Intel attestation services are needed and the validation happens in a decentralized manner.

Reasonable Privacy vs. Law Enforcement Access

We aim to provide reasonable privacy for web3 users, but we are not interested in protecting and fostering criminal activity. That is why we plan to allow selective disclosure of data under well-defined circumstances. But who should decide who shall be granted access to sensitive data? Should there be a democratic vote for each request? One person-one-vote or token weighted? Should there be representative powers like judges and the police, represented by well-known accounts? And if so, from what national jurisdiction should they originate? Should they be granted X inquiries per day and subscriptions to a maximum of Y accounts to make sure the surveillance is limited?

These questions are beyond our pay grade and competence. We can just provide the tech to implement, what the community will request. And here comes the power of general-purpose TEEs: in contrast to pure cryptography like ZKP, TEEs can be programmed to be compliant with regulations — while still providing a reasonable amount of privacy for the masses.

Any insight authorization will be restricted: Integritee sidechains prune blocks after a short period of time. Therefore, historical queries are not easily possible a posteriori — by design. What is technically possible, is:

• Authorized queries of the actual state of the sidechain
• Authorized disclosure of transactions in the current block (i.e. involving a certain account)
• Authorized subscriptions for account activity

Roadmap

We will start with a pilot deployment on Statemine, Kusama’s common-good hub for tokenized assets of many kinds. As soon as we have a stable and well-tested deployment, our sidechain shall be deployed for Statemint on Polkadot as well.

Pilot 1: Battle-Test the Basics

The first incarnation will be a functional sidechain for transactions of KSM tokens only. No privacy will be available at this stage. In order to foster trust in our technology, we will start with a transparent deployment that allows all users to query the inner workings of the sidechain. This also allows us to rescue funds based on balance snapshots if necessary.

Moreover, we will only allow to shield limited amounts. This is a precaution in the beta phase against both loss and legal issues. Limits are set high enough to endow accounts and be active, but low enough to hinder money laundering once we switch on privacy.

From a user perspective, we will only offer a command line client for power users at this stage.

Pilot 2: Some Privacy

We will switch to a first privacy-enhancing mode. From now on you can only query your own account’s state along with some public information like sidechain block height.

Pilot 3: Better Privacy. More Assets. Better UX

In order to protect privacy further, we will provide tooling to assist mixing to obscure the trail left by amounts and timing from shielding to unshielding.

At this stage, we will open our sidechain to all fungible assets on Statemine. This means you will be able to transact stablecoins as well as all other tokens on Kusama and Polkadot parachains that are available on Statemint/e.

Our sidechain API will be compatible with js/api json-rpc at this point and integrate well with established wallets. This may involve that we upstream our authentication procedure for queries, so we will be looking for collaborations to make private transactions as smooth as can be.

Pilot 4: Enabling Law Enforcement Access

We shall allow law enforcement to request selective disclosure of certain data concerning certain accounts. A governance process needs to be specified that ensures due audit of such requests. We will seek community feedback as well as legal opinions on the requirements for compliance. After these questions are clarified, we may be able to lift amount limits for shielding transactions.

Outlook

While we will focus on Statemine and Statemint, our technology can be adopted by any substrate chain to get a private L2. There is no reason why our sidechains couldn’t also provide an L2 to Bitcoin and Ethereum, they could even host EVM or WASM smart contracts, as we have demonstrated with a PoC.

A Common Good

Integritee aims to let anyone use our technology and even operate competing sidechains in parallel. Our implementation will be open source under the Apache 2 license. Our sidechains will allow anyone to run a validateer who can pass remote attestation. For the best possible user experience, transaction fees on our sidechains will by default be payable in the target L1’s native token. Any parachain in the Dotsama ecosystem can deploy sidechains on their own.

As this technology can benefit the users of any para- or relay chain without requiring them to hold and pay TEER, we consider it a common good and we will seek treasury funding from Kusama and/or Polkadot, as highlighted in this Polkassembly post.