Ethereum homestead
Vitalik Buterin explains how state channels preserve privacy and use of ring signatures in payments Ethereum Homestead

Blockchains have to hide data in plain sight while allowing computations to be performed on that data, and they must do this while meeting the strict privacy requirements of banks and financial institutions. So how is this done?

Vitalik Buterin, chief scientist on the Ethereum project, has proposed an interesting solution involving state channels and smart contracts to tackle the problem, which also addresses scalability challenges.

He said: "State channels is a buzzword that I predict you are going to start hearing more and more over the next couple of years. Over in Bitcoin land it's also called payment channels, and there is also a technology called the Lightning Network. There are many projects doing state channels and a company building a lightning-like network on Ethereum as well."

Presenting problems within crypto-economics to a room of financial quants at a conference in London's Canary Wharf, Buterin began by pointing out that privacy in financial systems isn't just about paranoia. It isn't just about concerns that someone is snooping on everything and Big Brother is going to have a profile on you. "In a financial context, there are issues like market manipulation: if someone can see your orders before everyone else, then they can probably manipulate the market, they can front run."

State channels are used to handle transactions that are less than the fees to be paid to execute them – micropayments using the Bitcoin network, for example. Buterin illustrated how state channels could be used to preserving privacy of payments.

He said: "First, A sends 100 points of a currency into a smart contract. Now say A wants to make a payment to B; A and B both cryptographically sign a ticket, and that ticket essentially says '99 points goes to A, one point goes to B' – sequence number is zero.

"This ticket is not a transaction; it doesn't go on the blockchain. The only people who ever know that ticket exists are A and B. Now let's say A wants to make another payment; they sign another ticket that says 98 points goes to A, two points goes to B – sequence number one.

"To make a third payment, sign another ticket: 97 points to A, 3 points to B – sequence number two, and so forth.

"Now let's say at some point they want to sell. Let's say the last ticket says 80 points back to A, 20 points back to B – sequence number 14, or whatever. Both parties have an opportunity to publish the most recent ticket; both parties have the opportunity to publish what they see as the ticket with highest sequence number."

Buterin stressed that only the last transaction gets published and goes into the blockchain. The contract basically reads the ticket and gives people the amount of money back that the ticket says. "So everything in between never actually goes on chain – only the last bit goes on chain. If the two parties disagree, they can always just take the most recent ticket, publish it to the chain and the chain enforces it.

Buterin described the system as "a sort of cryptographic court". Courts in the real world make business transactions more secure because they guarantee that if someone tries to cheat you, you can sue them. But you don't have to actually sue people every time you conduct a business transaction.

He said the intermediate channel state can be complex. "Let's say you want to enter into a financial derivative, instead of sticking the entire thing on the blockchain you open a channel, stick the code into a channel. Then later on if you want to settle, you don't need to put that particular ticket on the chain.

"Both parties, if they agree on the output, they sign another ticket which says what the output is. That ticket goes on the chain, and nobody outside of those two parties necessarily even sees what the contents of that intermediate were; nobody needs to process that contract. So it preserves privacy, increases efficiency, increases scalability – all good."

He said that potentially the intermediate ticket might even contain a thousand computer programs. "So if you have two parties that are entering in to lots of financial contracts with each other all at once, you only need one transaction every 'X' hours in order to settle."

Ring signatures are another interesting privacy measure, which are being used now on Ethereum. It allows someone to sign a transaction, proving you are one of a given set of keys without revealing which one.

There is a standard example use case that cryptographers use to describe ring signatures: a scenario where someone is part of a political body that's negotiating some trade agreement that's really unfair. The member of this organisation wants to leak the trade agreement without being implicated, while also ensuring the leak is credible. Ring signatures guarantee this credibility without identifiability down to the last person.

This concept can be used to make digital transactions sent to the network untraceable by using the public keys of other members in the ring signature one will apply to the transaction. "There are systems that use ring signatures to ensure transaction privacy by hiding which specific coins are being spent in order to make a payment," said Buterin.