Incognito mode for Ethereum

Incognito is a privacy blockchain. This post presents the fully decentralized Incognito-Ethereum bridge that allows anyone to send, receive and store ETH/ERC20 tokens with complete privacy. Our team would love to get everyone’s feedback on the bridge design and implementation.


Our team will be at Devcon next week if you want to connect and chat in person.




Is this just a two-way atomic swap system, with the Incognito blockchain itself supporting ZK transfers internally?


re: atomic swap system

it’s actually a two-way relay bridge that lets you transfer assets from ethereum to incognito and vice versa. when someone converts ETH to pETH (private ETH), they aren’t swapping their asset with someone else’s. instead, ETH is locked in a smart contract and new pETH is minted on incognito. When the pETH are burned (to maintain a 1:1 ratio), the locking contract on ethereum will verify the validity and unlock it upon submission of burn proof.

for example, you can convert 1000 “public” DAI (on ethereum) to 1000 “private DAI” pDAI (on incognito) via ethereum -> incognito relay. once you have 1000 pDAI, on the incognito chain, you can send 500 pDAI to alice privately, send 300 pDAI to bob privately, and then convert the remaining 200 pDAI back to “public” DAI whenever you want via incognito -> ethereum relay.

re: support ZK transfers internally

yes, but not just that, incognito makes private transactions run fast too.

on the client side, incognito implements ZK proof generation for android and ios (so users can generate ZK proof under 15s right on their phone).

on the blockchain side, incognito implements a full-sharded architecture (based on omniledger). currently on the testnet, incognito is running with 1 beacon chain and 8 shards (32 nodes per shard). we hope to scale it to 64 shards (with 100 nodes per shard) in november.




let us know what you think!


The most interesting/challenging part of sidechains is always the part of bringing assets back to Ethereum.

Effectively ETH/tokens here are held in a “m/n” multisig. What is your strategy to find the right validators? Will there be any form of “slashing” of validators for malicious behaviour?

The proof is only considered valid when more than ⅔ of the current number of validators have signed it. On the Ethereum side, the list of validators is stored and continually updated to mirror Incognito’s.

Have you explored schemes where the correctness of state transitions of the side-chain is validated on Ethereum?

In any case - cool project! Everything that helps to bring privacy to Ethereum is very welcome and much needed!


What is your strategy to find the right validators?

On Incognito, validators are chosen using PoS (the stake is in the native coin ‘PRV’). Validators are randomly shuffled every epoch (approx every few hours) to prevent collusion. These validators are authorized to sign a proof to bring the asset back to Ethereum when an equivalent amount has been burned on Incognito.

Will there be any form of “slashing” of validators for malicious behaviour?

Once a validator produces a burn proof, that proof will be included in a block and verified by the other validators in a committee. If a burn proof is rejected by the committee and deemed malicious, it will not be included in a finalized block. We’re currently considering a reasonable slashing mechanism in the event of malicious behavior, to be implemented probably in the next milestone.

Have you explored schemes where the correctness of state transitions of the side-chain is validated on Ethereum?

This is pretty similar to the “unlocking” scheme mentioned above. Once a new list of validators is proposed, validators in the current committee will sign on a “SwapConfirm” proof (this process happens periodically). The signed proof will be submitted to and verified by the Ethereum smart contract. The contract always holds a list of the last committee’s public keys, so it’s easy to validate the correctness of state transitions and make sure its committee is up to date with Incognito’s.

Our team is at Devcon. Happy to chat more about the bridge as well as use cases of privacy tokens.

1 Like
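
Added example (not part of any post above and not Incognito's code): a toy Python model of the contract-side checks described in this thread, where a burn proof unlocks funds only with valid signatures from more than ⅔ of the stored committee and a "SwapConfirm" signed by the current committee replaces the stored list. The `Vault` class, the message encodings, the once-only burn ids and the HMAC stand-in for validator signatures are all assumptions made for illustration.

```python
import hashlib
import hmac

def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a validator signature (assumption): HMAC keeps this
    # runnable with the standard library; a real bridge uses public keys.
    return hmac.new(key, msg, hashlib.sha256).digest()

def burn_message(burn_id: str, amount: int) -> bytes:
    return f"burn|{burn_id}|{amount}".encode()   # hypothetical encoding

def swap_message(new_committee: dict) -> bytes:
    # Commits to the whole proposed validator list (hypothetical encoding).
    return ("swap|" + "|".join(f"{v}:{k.hex()}" for v, k in sorted(new_committee.items()))).encode()

class Vault:
    """Toy model of the Ethereum-side locking contract (hypothetical name)."""

    def __init__(self, committee: dict, locked: int):
        self.committee = dict(committee)  # validator id -> key, constructed
        self.locked = locked              # amount held by the contract
        self.spent = set()                # burn ids already honoured (assumption)

    def _quorum(self, msg: bytes, sigs: dict) -> bool:
        # sigs maps validator id -> signature, so one validator counts once;
        # unknown ids and invalid signatures are ignored.
        valid = sum(1 for vid, sig in sigs.items()
                    if vid in self.committee
                    and hmac.compare_digest(sig, sign(self.committee[vid], msg)))
        return 3 * valid > 2 * len(self.committee)  # strictly more than 2/3

    def unlock(self, burn_id: str, amount: int, sigs: dict) -> bool:
        if burn_id in self.spent or not 0 < amount <= self.locked:
            return False
        if not self._quorum(burn_message(burn_id, amount), sigs):
            return False
        self.spent.add(burn_id)           # each burn unlocks once, keeping 1:1
        self.locked -= amount
        return True

    def swap_committee(self, new_committee: dict, sigs: dict) -> bool:
        # "SwapConfirm": only the CURRENT committee can install the next one.
        if not new_committee or not self._quorum(swap_message(new_committee), sigs):
            return False
        self.committee = dict(new_committee)
        return True
```

The integer comparison `3 * valid > 2 * n` avoids floating-point rounding at the boundary: with a committee of 3, two signatures are exactly ⅔ and are rejected.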

If Ethereum will be supporting “incognito mode” (e.g., aztec, zk rollup), it is less valuable to have a zk-enabled side chain, as it is less secure, carries less assets, and thus offers a lower degree of privacy.

I know layer 2 is safe, layer 1 is account use.

1 Like