Commit 35042fb6 authored by Greybeard

Add new file

parent a45b1d12
# Offshift v2 - zkAssets / Confidential Synthetics
---
## Abstract
The Ethereum blockchain allows users to transfer funds and interact with code on the Ethereum Virtual Machine (EVM), publishing every transaction and smart contract interaction to the public ledger. As the audience for blockchains has grown over the years, so has the need for on-chain privacy. Ethereum itself offers no private transfers, however, so users have had to achieve privacy through other means. Offshift uses zero-knowledge proofs to give its users on-chain privacy. Additionally, Offshift's synthetic assets allow private exposure to popular off-chain assets without leaving the security and liquidity of the Ethereum blockchain.
---
## Introduction
Privacy, and enabling it through zero-knowledge proofs, is not a new concept in blockchain technology. The first serious attempts at on-chain privacy preservation trace back to 2013 and the Zerocoin protocol proposal. Initially intended as an extension of Bitcoin, it was never implemented in the base layer; instead, Bitcoin users have relied on "CoinJoin" techniques for on-chain privacy to this day. The Zerocoin line of work did, however, lead directly to Zcash (through the Zerocash design), while Monero, built on the CryptoNote protocol, pursued the same goal with ring signatures rather than zk-SNARKs. Both launched as new networks dedicated to private transfers and were the first large-scale tests of these techniques in the blockchain space. On Ethereum, "zero-knowledge decentralized applications" have begun to appear, bringing privacy to individual applications. Offshift's new protocol is one such application: it introduces synthetic assets that give exposure to on-chain and off-chain assets such as Bitcoin, gold, the US dollar, and a privacy-preserving version of the native Ether asset, all without leaving the security of the Ethereum blockchain. By leveraging the liquidity available to Offshift's native asset, XFT, we use a burn-mint mechanism to produce private synthetic assets whose properties are shielded within a global anonymity set shared across all synthetic assets and inter-protocol transfers. Compared to Offshift's first iteration, "zkAssets" are non-tokenized assets whose protocol functions like a privacy-preserving chain such as Monero or Zcash, but for oracle-backed synthetics. "anonAssets" from the original protocol will continue to function alongside the newer "zkAssets", and the two will be exchangeable at a 1:1 ratio.
---
## Privacy Layer - Momiji
To start, we give a short summary of Offshift's anon platform. The original platform uses zk-SNARKs and MiMC-hashed Merkle trees to implement anonymity sets and set-membership proofs, allowing anonymous "shifting" from the platform's native token, XFT, into price-pegged "anonAssets". The values committed into the anonymity set are a randomly generated 31-byte "secret", used as a blinding factor, and a randomly generated 31-byte nullifier. When a withdrawal is carried out, the secret and nullifier are the private witness used to generate a proof of membership for that commitment, without revealing the contents of the commitment or its location in the tree. To prevent double spending, the Keccak256 hash of the nullifier is then recorded as "spent" on-chain, so the same commitment cannot be withdrawn again and the nullifier cannot be reused in a future deposit.
The Offshift v2 platform functions similarly to the anon platform, using a Merkle tree for note deposits and zero-knowledge proofs for withdrawals, so a user can access funds inside the protocol without revealing the contents of the original deposit or its location in the tree. Unlike the anon platform, however, the committed values are not limited to a secret and a nullifier. The note's value, asset and oracle price are encoded into the commitment that the user inserts into the Merkle tree at deposit time, so a user can prove ownership of the assets encoded in a note at the same time as proving set membership of the deposit. This enables shielded transfers within the system and partial withdrawals of arbitrary amounts, rather than fixed denominations. Offshift v2 again uses zk-SNARKs for the proving scheme, taking advantage of advances in proving time while keeping verification cost constant for the on-chain verifier contracts.
| Key | Description | Private? |
| --- | --- | --- |
| Secret | Private key for the note | Yes |
| Destination | Destination shielded address | Yes |
| Price | Oracle value at time of deposit | Yes\* |
| SpentInputs | Commitment inputs spent (up to 16) | Yes\* |
| UnspentOutputs | Commitment outputs unspent (up to 16) | Yes |

\* Not during the initial deposit into the platform, since the entry from XFT is itself a public transaction.
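To make the accounting concrete, here is an added plaintext model of the deposit, membership check, nullifier and join-split logic described above. This is example code written for this page, not Offshift's Noir circuits: it assumes SHA3-256 in place of MiMC/Poseidon, a nullifier derived from the secret and leaf position, one asset per transaction and a 16-leaf tree, and the `Pool`, `MerkleTree` and `join_split` names are invented for the example. In the real protocol the three checks in `join_split` are the statement the zk-SNARK proves, so the chain learns only the root, the spent nullifiers and the new commitments.

```python
"""Plaintext model of Momiji note, membership and nullifier accounting.
Added example, not Offshift code.  SHA3-256 stands in for MiMC/Poseidon,
the membership path is checked in the clear, and the nullifier derivation
and one-asset-per-transaction rule are assumptions made here."""
import hashlib
import os

DEPTH = 4     # constructed: a 16-leaf tree keeps the example small
MAX_IO = 16   # per the key table: up to 16 spent inputs / unspent outputs


def H(*parts: bytes) -> bytes:
    return hashlib.sha3_256(b"".join(parts)).digest()


def note_commitment(secret: bytes, asset: str, value: int, price: int) -> bytes:
    # A v2 note binds value, asset and oracle price to the 31-byte secret.
    return H(secret, asset.encode(), value.to_bytes(32, "big"), price.to_bytes(32, "big"))


def nullifier(secret: bytes, leaf_index: int) -> bytes:
    # Assumption: derived from secret and position (v1 used a separate random nullifier).
    return H(b"nullifier", secret, leaf_index.to_bytes(4, "big"))


class MerkleTree:
    def __init__(self, depth: int):
        self.depth, self.leaves, self.empty = depth, [], H(b"empty leaf")

    def insert(self, leaf: bytes) -> int:
        if len(self.leaves) >= 2 ** self.depth:
            raise ValueError("tree full")
        self.leaves.append(leaf)
        return len(self.leaves) - 1

    def layers(self):
        layer = self.leaves + [self.empty] * (2 ** self.depth - len(self.leaves))
        out = [layer]
        for _ in range(self.depth):
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            out.append(layer)
        return out

    def root(self) -> bytes:
        return self.layers()[-1][0]

    def path(self, index: int):
        siblings = []
        for layer in self.layers()[:-1]:
            siblings.append(layer[index ^ 1])
            index >>= 1
        return siblings


def verify_membership(leaf: bytes, index: int, path, root: bytes) -> bool:
    node = leaf
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index >>= 1
    return node == root


class Pool:
    """Public state (tree, spent nullifiers) plus a wallet-side note store."""

    def __init__(self):
        self.tree = MerkleTree(DEPTH)
        self.spent = set()   # nullifiers already consumed (public)
        self.notes = {}      # wallet only: leaf index -> (secret, asset, value, price)

    def deposit(self, asset: str, value: int, price: int) -> int:
        secret = os.urandom(31)   # 31-byte secret, as in the anon platform
        idx = self.tree.insert(note_commitment(secret, asset, value, price))
        self.notes[idx] = (secret, asset, value, price)
        return idx

    def join_split(self, inputs, outputs, price: int):
        """Spend owned notes and create new ones; `outputs` is a list of
        (asset, value).  A partial withdrawal keeps the remainder as a change
        output (the public XFT exit itself is not modelled)."""
        if not 0 < len(inputs) <= MAX_IO or not 0 < len(outputs) <= MAX_IO:
            raise ValueError("input/output count out of range")
        root, new_nullifiers, total_in = self.tree.root(), [], 0
        asset = self.notes[inputs[0]][1]
        for idx in inputs:
            secret, in_asset, value, in_price = self.notes[idx]
            if in_asset != asset:
                raise ValueError("mixed assets in one transaction")
            # (1) membership: the spent commitment really is in the tree
            leaf = note_commitment(secret, in_asset, value, in_price)
            if not verify_membership(leaf, idx, self.tree.path(idx), root):
                raise ValueError("membership check failed")
            # (2) unspent on-chain, and not listed twice within this transaction
            nf = nullifier(secret, idx)
            if nf in self.spent or nf in new_nullifiers:
                raise ValueError("double spend")
            new_nullifiers.append(nf)
            total_in += value
        # (3) value conservation: same asset, outputs balance inputs
        if any(a != asset for a, _ in outputs) or sum(v for _, v in outputs) != total_in:
            raise ValueError("outputs do not balance inputs")
        self.spent.update(new_nullifiers)   # publish nullifiers only after all checks
        # Output secrets would be derived from the recipient's Destination key;
        # fresh random secrets stand in for that here.
        return [self.deposit(a, v, price) for a, v in outputs]
```

Run it by depositing two notes and calling `join_split` with both as inputs; a second spend of either input fails at the nullifier check, an unbalanced output list fails at value conservation, and more than 16 inputs or outputs is rejected before any check runs.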
Offshift v2 takes advantage of recent developments and improvements in the privacy space. Built with the Noir domain-specific language developed by Aztec, Offshift v2 introduces a complete solution for synthetic asset exposure while protecting its users from having their privacy compromised. Its cryptographic primitives include the BN254 curve over which the circuits are defined, Pedersen hashing, and the MiMC and Poseidon hash functions for the Merkle tree implementation. Noir programs can also be driven from TypeScript interfaces, so testing and tooling can be streamlined with frameworks such as Hardhat, making open-source development on top of Offshift v2 easier. Perhaps more importantly, TypeScript integration allows direct integration into browser-based applications, so that user experience can keep pace with the latest advances in the zero-knowledge space. Using Noir, we can construct a full UTXO-style transaction system in the manner of Zcash or Monero, allowing full privacy preservation.
## Synthetic Assets
Unlike private cryptocurrency protocols that only allow transfers of their native token, Offshift employs a synthetic asset model that mints an amount of the chosen asset corresponding to the value of XFT burned in the shift. For each Wei worth of XFT burned, the protocol mints one Wei worth of the selected asset, and vice versa when the synthetic asset is burned to mint XFT. In effect, the user enters a position in the synthetic asset in a way resembling an over-the-counter (OTC) trade, with virtually no market slippage. Additionally, the Offshift anon platform employs a "flex fee" mechanism, which scales down the amount of XFT minted when the chosen anonAsset is trading below 97.5% of its peg (the underlying asset's market price). Without it, a below-peg anonAsset could be bought cheaply on the market and burned for full-peg XFT, inflating the XFT supply on every cycle; the flex fee removes that incentive to "death spiral" the protocol and instead rewards restoring the peg as quickly as possible. Since trades are OTC-like, pegging the price also creates a direct incentive for market makers.
## Tokenomics & Liquidity
The Offshift v2 platform employs a new synthetic asset system that does not tokenize its assets. Instead, users enter and exit through the XFT token or through anonAssets, with the synthetic assets existing only as unspent commitments. Because the assets are commitment-only, users can enter and exit the protocol with no liquidity requirement beyond that of the native token, XFT, while keeping the same dollar-for-dollar pricing used in Offshift anon. Price pegging works as in Offshift anon: the peg is determined by a time-weighted average price (TWAP) of XFT/ETH, which is harder to move within a single block than a spot price, together with the Chainlink price feed for the chosen asset.
As users enter and exit through the native token, XFT is burned or minted in proportion to the value of the chosen zkAsset. As protocol usage increases, more of the native token is burned and the supply available on the open market decreases; as users exit the platform, the supply inflates proportionally. This ongoing equilibrium ties the native platform asset algorithmically to the platform's actual utility rather than its perceived utility: as usage rises, supply shrinks; as users exit their private holdings, supply grows. Exit liquidity is provided by the funds available on the decentralized open market.
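The burn-mint pricing and the flex fee from the two sections above, worked through in fixed-point integer arithmetic as an added example (not Offshift's contract code). The `peg_in_xft`, `shift_in`, `shift_out` and `arbitrage_profit` functions and the sample prices are constructed for illustration; the page states the 97.5% threshold but not the fee curve, so scaling the minted XFT by the asset's market/peg ratio once below the threshold is an assumption made here.

```python
"""Shift pricing and the flex fee in 18-decimal fixed point, as an added
example (not Offshift's contract code).  The fee curve below the 97.5%
threshold is an assumption: minted XFT is scaled by the market/peg ratio."""

ONE = 10 ** 18                         # 1.0 in 18-decimal fixed point
FLEX_THRESHOLD = 975 * ONE // 1000     # 97.5% of the peg


def peg_in_xft(asset_usd: int, eth_usd: int, xft_eth_twap: int) -> int:
    """XFT per unit of the synthetic asset, from the Chainlink asset price,
    the ETH/USD price and the XFT/ETH time-weighted average price."""
    xft_usd = eth_usd * xft_eth_twap // ONE
    return asset_usd * ONE // xft_usd


def shift_in(xft_burned: int, peg: int) -> int:
    """Burn XFT, mint the same value of the synthetic asset (one Wei worth for one Wei worth)."""
    return xft_burned * ONE // peg


def shift_out(asset_burned: int, peg: int, market_ratio: int, flex_fee: bool = True) -> int:
    """Burn the synthetic asset, mint XFT at the peg.  market_ratio is the
    asset's market price divided by its peg; below the threshold the flex
    fee scales the mint down (assumed linear in the ratio)."""
    xft = asset_burned * peg // ONE
    if flex_fee and market_ratio < FLEX_THRESHOLD:
        xft = xft * market_ratio // ONE
    return xft


def arbitrage_profit(peg: int, market_ratio: int, flex_fee: bool) -> int:
    """XFT gained by buying one unit of the asset on the market and burning it.
    Without the fee a below-peg market still pays out at the full peg, so each
    cycle mints XFT from nothing; with it the round trip nets zero, so the
    cheaper path is to buy on the market until the peg is restored."""
    cost = peg * market_ratio // ONE
    minted = shift_out(ONE, peg, market_ratio, flex_fee)
    return minted - cost


if __name__ == "__main__":
    # Constructed prices: BTC $30,000, ETH $2,000, XFT/ETH TWAP 0.001 (so XFT = $2)
    peg = peg_in_xft(30_000 * ONE, 2_000 * ONE, ONE // 1000)
    print("peg:", peg // ONE, "XFT per anonBTC")
    print("burn 15000 XFT ->", shift_in(15_000 * ONE, peg) / ONE, "anonBTC")
    for flex in (False, True):
        print("arb profit at 90% of peg, flex fee", flex, ":",
              arbitrage_profit(peg, 9 * ONE // 10, flex) // ONE, "XFT")
```

With the constructed prices the peg is 15,000 XFT per anonBTC; buying one anonBTC at 90% of peg and burning it yields 1,500 XFT of risk-free profit without the fee and exactly zero with it, which is the incentive the text describes removing.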
## Protocol Migration
Zero-knowledge assets will serve as a standalone addition to the Offshift protocol and ecosystem. While the mint and burn mechanism of the anonymous assets (through the original fixed-denomination privacy pools) will never cease to function, the recommended way to preserve privacy will be through Offshift's new global anonymity set, Momiji. The new protocol allows users to shield amounts and make completely private transfers to other users within the platform. By extending the anonAsset mint capability to v2, users will also be able to enter and exit tokenized synthetic asset positions either through the anon platform or through the confidential shielded asset platform.
Alongside continued support of the original protocol, the anonAsset ERC20 tokens will be fully compatible with the v2 platform. Users will have the ability to enter and exit the new protocol using anonAsset tokens in addition to the native XFT token.