March 3, 2020

Private money streaming with NoteStream

A lesson on naming hackathon projects... (among other things)


This post got a bit long so I'm splitting it into three. The structure is:

  1. "Private money streaming with NoteStream": This post! Just some general explanation about NoteStream
  2. "Verifying Aztec ZK proofs onchain": a run through of how the NoteStream smart contracts verify withdrawals without knowing their value.
  3. "Generating Aztec ZK proofs": A look at how you can generate ZK proofs in the frontend of your dapp using aztec.js

ETHLondon + Quachtli

These posts are going to review my project Quachtli which won as a finalist of the ETHLondon hackathon in February and what I learned about AZTEC Protocol from it.

Why "Quachtli"?

We wanted a punny name which combined Aztecs and the concept of streaming. I failed at that but while doing some googling for inspiration we found out about Quachtli, Aztec money in the form of standardised lengths of cotton cloth. This seemed somewhat similar to the idea of AZTEC's "notes" so became a temporary name until we could think of something better.

Based on how everyone butchered its pronunciation (including us!) we should have changed it, but this came second to trying to get withdrawals implemented, so Quachtli just stuck.

Since the hackathon, we've renamed the project NoteStream.

Inspiration

This project took a huge amount of inspiration from the project which first introduced money streaming on Ethereum, Sablier as created by PaulRBerg.

Among other use-cases, Paul expects Sablier to be used as a new method of payroll, one which does away with "payday", as you can at any time withdraw the money you have earned to date.

How is NoteStream different?

A pretty sizeable stumbling block for Sablier is that Ethereum is just too transparent. If a company were to perform payroll through it, anyone in the world could see how much it pays its employees.

NoteStream gets around this by taking advantage of AZTEC Protocol's privacy solution. Through using zero-knowledge proofs, it's possible to make transactions for which the amount is obscured for anyone but the sender and receiver. On top of this, they have built zkDAI: a flavour of DAI for which nobody can tell how much you hold or spend. Perfect for streaming as a salary!

How does it work?

There's an obvious issue with performing money streaming in zero-knowledge:

How can you ensure that the receiver isn't withdrawing more money than they are entitled to without publishing how much that is?

Short answer: ZK magic

Short but useful answer: A Dividend proof allows us to verify the ratio of the value between two AZTEC notes without revealing what their actual values are. All that is made known to the smart contract is what fraction of the money in the stream the user wants to withdraw. We can then compare this to the fraction of the streaming period which has passed to ensure that the recipient has access to this fraction of the stream.
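The comparison described above, modelled in JavaScript as an added example (it is not NoteStream's contract code). The function names, the stream fields, and the assumption that the proof exposes the withdrawn fraction as an integer numerator/denominator pair are all illustrative.

```javascript
// Added example: the time check a streaming contract could apply to the ratio
// revealed by a dividend proof. BigInt keeps the arithmetic integer-only, as it
// would be on-chain. All names here are hypothetical.

// Fraction of the streaming period that has passed, as [numerator, denominator],
// clamped so it is 0 before the start and 1 after the end.
function elapsedFraction(startTime, stopTime, now) {
  if (stopTime <= startTime) throw new RangeError("stream must end after it starts");
  const duration = stopTime - startTime;
  if (now <= startTime) return [0n, duration];
  if (now >= stopTime) return [duration, duration];
  return [now - startTime, duration];
}

// ratioNum / ratioDen is assumed to be the only thing the proof reveals:
// the fraction of the stream's note the recipient wants to withdraw.
function canWithdraw(stream, ratioNum, ratioDen, now) {
  // Reject malformed ratios (zero denominator, negative, more than 100%).
  if (ratioDen <= 0n || ratioNum <= 0n || ratioNum > ratioDen) return false;
  const [elapsed, duration] = elapsedFraction(stream.startTime, stream.stopTime, now);
  // ratioNum / ratioDen <= elapsed / duration, cross-multiplied so there is no
  // division and therefore no rounding in the recipient's favour.
  return ratioNum * duration <= elapsed * ratioDen;
}

// Constructed sample: a 30-day stream, timestamps in seconds.
const DAY = 86400n;
const sampleStream = { startTime: 1583193600n, stopTime: 1583193600n + 30n * DAY };

function demo() {
  const day10 = sampleStream.startTime + 10n * DAY;
  return {
    exactThird: canWithdraw(sampleStream, 1n, 3n, day10),          // exactly what has accrued
    slightlyOver: canWithdraw(sampleStream, 334n, 1000n, day10),   // 33.4% > 33.33...%
    beforeStart: canWithdraw(sampleStream, 1n, 100n, sampleStream.startTime - 1n),
    afterEnd: canWithdraw(sampleStream, 1n, 1n, sampleStream.stopTime + DAY),
  };
}
```

The contract never sees either note's value; it only needs the proof to be valid and the revealed fraction to pass this check.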

Long answer:

For that you'll have to read part two...

But first...

Big thanks to everyone from AZTEC

Shout out to everyone from AZTEC at ETHLondon who helped us so much over the weekend, in particular Joe and Arnaud who worked with the Quachtli team to help fix our proof generation code in between our judging sessions.