Private transactions (Sapling)
Sapling is a protocol that enhances privacy for transfers of fungible tokens. Transfers take place inside a shielded set whose details are visible only to the parties involved (and to anyone they give a viewing key), while the movement of tokens into and out of the set remains public.
The key steps are as follows:
- A shielded set (also called a shielded pool) is created within a smart contract. Users call that contract to make transfers inside the set while keeping the details private.
- Users send tokens into the shielded set; this is called shielding. Shielding transactions are public: the source account and the amount are visible on-chain.
- Users perform shielded transactions inside the set. The amount, sender, and receiver of each transfer are not revealed publicly; only the sender and receiver of a transfer (and holders of their viewing keys) can see its details.
- Later, users take some or all of their tokens out of the set by unshielding them. Unshielding transactions are public: the destination account and the amount are visible on-chain.
Users can also create and share viewing keys. A viewing key lets whoever holds it see all shielded transactions of that user's shielded address, but not spend its tokens. This lets a user keep transacting privately while disclosing their shielded activity to an auditor or regulator when required.
To make Sapling protocol transactions with a high degree of privacy, users must take precautions, including:
- Making sure that there are enough members in the set to ensure anonymity. For example, if there are only two members, it becomes very easy to identify the source and destination of transactions.
- Adding dummy transactions, or dummy inputs and outputs of transactions, to prevent outside observers from deducing information about the actual transactions.
- Avoiding amounts that link a shielding to an unshielding. Shielding and unshielding amounts are public, so if one user shields exactly 16.32 tokens and another user later unshields exactly 16.32 tokens, an observer can connect the two even though the shielded transfer between them is hidden. Splitting amounts and spending shielded tokens across several transactions makes such matching harder.
- Being careful about information that can be deduced from the timing of transactions. For example, an unshielding that follows a shielding within a few blocks is easier to link to it than one that happens much later.
- Using a separate proxy account to submit and pay the fees for shielded transactions, so that the fee-paying account (which is visible on-chain) cannot be linked to the user's other activity.
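The amount- and timing-linkage risks above can be checked against the public side of a shielded set. The following is an added example, not code from the Tezos or Sapling projects: it runs two simple heuristics an observer (or a user auditing their own footprint) could run over the public shield and unshield events of a set. The account names and events are constructed sample data, not real addresses or on-chain operations.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One public boundary event of a shielded set, as an indexer would see it."""
    kind: str      # "shield" or "unshield"
    account: str   # public account that paid in / received out (placeholder names below)
    amount: int    # smallest token unit (mutez-style: 16.32 tokens = 16_320_000)
    level: int     # block level the operation was included at


def link_by_amount(events, max_delay=None):
    """Pair each shield with an unshield of the same amount when the match is unambiguous.

    Only amounts that occur in exactly one shield and exactly one unshield are
    linked; if max_delay is given, the unshield must also follow the shield
    within that many blocks. Returns a list of (shield, unshield) pairs.
    """
    shields = [e for e in events if e.kind == "shield"]
    unshields = [e for e in events if e.kind == "unshield"]
    in_count = Counter(e.amount for e in shields)
    out_count = Counter(e.amount for e in unshields)
    links = []
    for s in shields:
        if in_count[s.amount] != 1 or out_count[s.amount] != 1:
            continue  # amount shared with other events: ambiguous, skip
        u = next(e for e in unshields if e.amount == s.amount)
        if u.level <= s.level:
            continue  # cannot unshield what was not yet shielded
        if max_delay is not None and u.level - s.level > max_delay:
            continue
        links.append((s, u))
    return links


def anonymity_set(events, unshield):
    """Accounts that shielded tokens before this unshield: the set an observer must guess among."""
    return {e.account for e in events if e.kind == "shield" and e.level < unshield.level}


# Constructed sample data. Alice shields a distinctive 16.32 tokens; Bob and Carol
# both shield a round 10 tokens.
SAMPLE = [
    Event("shield",   "alice", 16_320_000, 100),
    Event("shield",   "bob",   10_000_000, 101),
    Event("shield",   "carol", 10_000_000, 102),
    Event("unshield", "dave",  16_320_000, 150),  # unique amount: linkable to Alice's shield
    Event("unshield", "erin",  10_000_000, 151),  # two candidate sources: ambiguous
]

# Same set, but the 16.32 was split inside the set before any of it left.
SAMPLE_SPLIT = [
    Event("shield",   "alice", 16_320_000, 100),
    Event("shield",   "bob",   10_000_000, 101),
    Event("shield",   "carol", 10_000_000, 102),
    Event("unshield", "dave",  10_000_000, 150),
    Event("unshield", "erin",   6_320_000, 151),
    Event("unshield", "frank", 10_000_000, 152),
]

if __name__ == "__main__":
    for s, u in link_by_amount(SAMPLE):
        print(f"shield by {s.account} at level {s.level} linked to unshield by {u.account} at level {u.level}")
    print("links after splitting:", link_by_amount(SAMPLE_SPLIT))
    print("anonymity set for dave's unshield:", anonymity_set(SAMPLE, SAMPLE[3]))
```

On SAMPLE the unique 16.32 amount links Alice's shield to Dave's unshield, while the two 10-token shields leave Erin's unshield ambiguous; on SAMPLE_SPLIT no exact-amount link survives. Exact matching is only the simplest heuristic: an observer can also search for sums (10 + 6.32 = 16.32), which is why dummy inputs and outputs, round amounts, and a wide spread of timings all matter together rather than one at a time.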
There is no canonical shielded set on Tezos. Any user or smart contract can deploy shielded sets.
It is not possible to transfer across shielded sets without unshielding.
Different applications or wallets may not be interoperable: they may support different shielded sets or different ways of deriving shielded addresses. It is up to users to check that the intended source and destination are in the same shielded set, since moving tokens between sets requires unshielding and is therefore public.
The internals of Sapling are quite technical. The system is based on a UTXO (Bitcoin-like) transaction model, where each transaction consumes some unspent outputs and produces new unspent outputs. In place of public amounts and addresses it uses cryptographic commitments, which are later "consumed" by publishing nullifiers: a nullifier marks an output as spent, so it cannot be spent twice, without revealing which commitment it came from. The process uses a mix of cryptographic tools including SNARKs, incremental Merkle trees, and Diffie-Hellman key exchanges.
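To make the commitment-and-nullifier bookkeeping concrete, and to tie it to the shield, shielded-transfer and unshield steps listed earlier on this page, here is an added, deliberately simplified Python model of one shielded set. It is not Octez, Sapling or Michelson code: it replaces the cryptographic commitments, the incremental Merkle tree and the SNARK proof with a plain hash, an append-only list, and checks done in the clear, so the ShieldedSet object here sees note values and owners that a real Sapling contract never learns. ALICE_NK and BOB_NK are constructed keys, and the demo scenario is constructed sample usage.

```python
import hashlib
import os


def H(*parts):
    """Domain-separated hash standing in for Sapling's commitment and nullifier constructions."""
    return hashlib.blake2b(b"|".join(parts), digest_size=32).digest()


class Note:
    """An unspent output: the value, owner key and randomness behind one commitment."""

    def __init__(self, value, owner_nk):
        self.value = value
        self.owner_nk = owner_nk    # owner's secret nullifier key
        self.rcm = os.urandom(32)   # fresh randomness: equal values give unrelated commitments

    def commitment(self):
        return H(b"cm", self.value.to_bytes(8, "big"), self.owner_nk, self.rcm)


class ShieldedSet:
    """The public state one contract keeps: commitments, nullifiers and token balance."""

    def __init__(self):
        self.commitments = []    # append-only; stands in for the incremental Merkle tree
        self.nullifiers = set()  # spent notes; not linkable to the commitments they consume
        self.balance = 0         # tokens held by the contract, public

    def nullifier(self, note):
        """One nullifier per note, computable only with the owner's key."""
        pos = self.commitments.index(note.commitment())
        return H(b"nf", note.owner_nk, pos.to_bytes(8, "big"))

    def _spend(self, spent, outputs, public_out):
        """Consume notes, create new ones, and release `public_out` tokens publicly.

        These checks run in the clear here; in Sapling a SNARK proves the same
        statements, so the contract sees only the nullifiers, the new commitments
        and the public balance change.
        """
        for n in spent:
            if n.commitment() not in self.commitments:
                raise ValueError("spent note is not in the set")
        nfs = [self.nullifier(n) for n in spent]
        if len(set(nfs)) != len(nfs) or any(nf in self.nullifiers for nf in nfs):
            raise ValueError("double spend")
        if sum(n.value for n in spent) != sum(v for v, _ in outputs) + public_out:
            raise ValueError("value not conserved")
        self.nullifiers.update(nfs)
        new = [Note(v, nk) for v, nk in outputs]
        self.commitments.extend(n.commitment() for n in new)
        self.balance -= public_out
        return new

    def shield(self, value, owner_nk):
        """Public: value and depositor are visible; one new commitment joins the set."""
        note = Note(value, owner_nk)
        self.commitments.append(note.commitment())
        self.balance += value
        return note

    def transfer(self, spent, outputs):
        """Shielded: observers see only nullifiers and fresh commitments."""
        return self._spend(spent, outputs, 0)

    def unshield(self, spent, value, change_nk):
        """Public: `value` leaves the contract; any change stays shielded as a new note."""
        change = sum(n.value for n in spent) - value
        if value < 0 or change < 0:
            raise ValueError("insufficient shielded funds")
        return self._spend(spent, [(change, change_nk)] if change else [], value)


# Constructed keys for the walkthrough; real Sapling keys are derived from a seed.
ALICE_NK = H(b"alice")
BOB_NK = H(b"bob")


def demo():
    """Shield 16.32, pay Bob 10 inside the set, reject a double spend, then Bob unshields 10."""
    pool = ShieldedSet()
    a = pool.shield(16_320_000, ALICE_NK)                          # public: 16.32 in
    to_bob, _change = pool.transfer(                               # shielded: amounts and parties hidden
        [a], [(10_000_000, BOB_NK), (6_320_000, ALICE_NK)])
    try:
        pool.transfer([a], [(16_320_000, BOB_NK)])                 # spending the same note again
        double_spend_rejected = False
    except ValueError:
        double_spend_rejected = True
    pool.unshield([to_bob], 10_000_000, BOB_NK)                    # public: 10 out
    return {
        "balance": pool.balance,
        "commitments": len(pool.commitments),
        "nullifiers": len(pool.nullifiers),
        "double_spend_rejected": double_spend_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

What an outside observer gets from this model is exactly the public record: three commitments, two nullifiers, 16.32 tokens in and 10 tokens out. The nullifier is a hash of the owner's key and the note's position, so it cannot be matched to the commitment it spends without that key, which is what lets a spent note stay unlinkable while still being rejected if it is spent twice.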
Implementation information
- Michelson: Sapling integration
- LIGO: Sapling