TL;DR: zkChannels is a Layer-2 anonymous payment channel solution coming to Tezos. Our protocol relies on cutting edge cryptographic primitives (on BLS12-381 curves in Edo) that will soon be introduced to Tezos. An implementation of the zChannels protocol is available for testing on Tezos (Edonet) and we are looking for feedback.
Why state channels?
Payment channels are a scaling solution for blockchains that allow users to perform cryptocurrency transactions off-chain without counterparty risk. By performing transactions off chain, transactions can be settled almost instantly and at a much lower cost. State channels are an extension of payment channels, allowing off-chain execution for any arbitrary smart contract.
A privacy advantage of using state channels is that the individual off-chain transactions are never broadcast or recorded on chain. A concern however is that the counterparty to the channel has full visibility of the actions occurring within the channel. For example, if a customer has a payment channel open with a merchant, the merchant would have the full history of payment transactions from the customer. zkChannels addresses this problem by implementing cutting edge cryptography to allow the merchant to verify the validity of incoming payments, but without being able to associate it to a specific customer.
Overview of zkChannels
zkChannels is a Layer-2 protocol that enables anonymous and scalable payments based on commitments, blind signatures and efficient zero-knowledge proofs. With zkChannels, off-chain transactions are inherently unlinkable, efficient, and applicable to payments and state channels.
zkChannels allows a customer and a merchant to open an asymmetric payment channel. The merchant is at most pseudonymous and remains identifiable across all channels; the customer is at most pseudonymous during channel establishment and closure, but has the ability to make payments anonymously as long as they have an open channel with sufficient balance. That is, the customer’s anonymity set for a payment is the set of all customers with whom the given merchant has a channel open.
In zkChannels, all payments must be initiated by the customer and our anonymous channels are bi-directional only in the sense that payment values can be positive or negative. At any point while the channel is open, the merchant or customer are able to initiate channel closure.
A complete description of the zkChannels smart contract design and entrypoints can be found here.
zkChannels would be suitable for any situation where customers want to make payments without their identity being linked to the transaction. For these situations, the service or good being paid for is something that can be provided digitally and anonymously online. Such use cases include paying for access to a VPN service or purchasing digital content.
What’s the status?
Currently, zkChannels relies on a randomizable signature scheme with efficient zero-knowledge protocols. Our randomizable signature scheme is based on Pointcheval-Sanders (PS) and instantiated on BLS12-381 being introduced on Edonet. When the Edo proposal is injected on mainnet, zkChannels will be deployable on Tezos.
Smart contract development
A proof of concept, fully functional implementation of zkChannels has been developed. The on-chain code consists of two smart contracts. The first, main contract, escrows the customer’s funds (and merchant’s if it is dual funded) and contains the logic behind the closing flows to ensure that both parties are able to close down the channel and claim their balances, provided that they have acted honestly. The second contract performs the Pointcheval-Sanders (PS) signature verification, using the BLS12-381 instructions. When the customer initiates a channel closure via an entrypoint on the main contract, the main contract will perform an inter-contract call to the PS-sig contract to verify the merchant’s signature. The channel closure will only be allowed if the merchant’s signature is valid.