# Adding Privacy to the UTXO model

How to use the slides - Full screen (new tab)

**Slides Content**

# Adding Privacy to the UTXO model

## Input/Output-based Cryptocurrencies

- Transactions have a list of unspent transaction outputs (UTXOs) as its inputs
- Each input is signed
- The transaction is allowed to spend as much funds as the sum of its inputs
- The transaction spends funds by creating outputs and by paying a fee

## Input/Output-based Cryptocurrencies

- Inputs must only refer to actually existing outputs (membership)
- The output spent must not be prior spent (linkability)
- The output's owner must consent to this transaction (ownership)
- The transaction's inputs and outputs must be balanced (sum check)

## Bitcoin

- Bitcoin specifies the spent output. This satisfies membership and linkability
- Each Bitcoin output has a small, non-Turing complete program (Script) specifying how it can be spent
- Each input has a
`scriptSig`

which proves the script is satisfied and this is an authorized spend (ownership) - The outputs cannot exceed the inputs, and the remainder becomes the fee (sum check)

## ZK Proofs

- ZK-SNARKs - A small proof that's fast to verify (<= $O(\sqrt{n})$)
- ZK-sNARKs - A small proof that's not fast to verify (>= $O(n)$, frequently $O(n log n)$)
- ZK-STARKs - A small proof that's fast to verify, based on hash functions
- All of these can prove the execution of an arbitrary program (via an arithmetic circuit)
- None of these reveal anything about the arguments to the program

## Merkle Proofs

- Merkle proofs support logarithmically proving an item exists in a tree
- For 2**20 items, the proof only requires 20 steps
- Even if a ZK proof is superlinear, it's a superlinear encoding of a logarithmic solution

## Private Membership

- When an output is created on-chain, add it to the Merkle tree
- When an input specifies an output, it directly includes the output it's spending
- It also includes a Merkle proof the output exists
*somewhere*on chain, embedded in a ZK proof

## Pedersen Commitments

- A Pedersen commitment has a value (some number) and a mask (also some number)
- There's as many masks as there private keys, hiding the contained value
- Pedersen commitments can be extended to support multiple values

## A New Output Definition

- ID
- Amount
- Owner
- Mask
- All in a single

Pedersen commitment

## Private Membership

- We don't prove the included output exists on chain
- We prove an output with identical fields exists on chain
*yet with a different mask* - This allows spending a specific output without revealing which it is

## Ownership and linkability

- A ZK proof can take the output ID and apply some transformation
- For every output ID, the transformation should output a single, unique ID
- Not just anyone should be able to perform this transformation
- This provides linkability, and if only the owner can perform the transformation, ownership

## Sum check

- One final ZK proof can demonstrate the sum of inputs - the sum of outputs = fee
- There are much more efficient ways to prove this