Shielding the Multichain: How Namada’s Data Protection Works

Published |10min read
Zach Cavanaugh
Print

Namada introduces a novel approach to blockchain data protection based on an asset agnostic, unified shielded set enabled by the network’s Multi-Asset Shielded Pool (MASP). Additionally, Namada makes data protection a public good, rewarding users with NAM shielding rewards for protecting their data and thereby strengthening Namada’s privacy guarantees for everyone.

By enabling a single shared privacy set for all assets and blockchains, Namada can serve as the composable privacy layer for all of Web3. This means existing blockchains and applications can integrate Namada to give their users control over their data rather than being forced to broadcast all of their financial and personally identifiable information to the world by default. 

Building meaningful data protection into blockchain networks is not easy. Public blockchains like Ethereum and Bitcoin would typically need to be rebuilt from the ground up to make it possible. But by plugging into Namada, existing networks and services can add privacy and data sovereignty features without needing to make substantial changes to their technology.

Beyond retrofitting data protection to existing services, Namada’s SDK can be used by Web3 developers to integrate privacy when building new applications. Namada’s shielded actions are a new development primitive — like privacy legos — that can be used to incorporate shielded transactions into applications for a wide range of use cases, from DeFi to payments and gaming.

The need for data protection 

The inability of public blockchains and their applications to protect user data means we’re forced into a binary choice of broadcasting our sensitive financial information publicly or not using blockchains at all. While many crypto users may have become used to this trade-off, those seeking a degree of control over what they share are forced into inconvenient workarounds like juggling multiple addresses and making transfers from centralized exchanges.

Many crypto users are simply unaware of just how much information can be deduced from their on-chain activity and associated off-chain data. For this reason, they are unable to reason about the risks involved in using public chains and intermediary tools like wallets and RPC providers. A full exploration of the information that can be known about you based on your use of blockchains is beyond the scope of this blog, but just to give you an idea, by applying analytics tools to the on- and off-chain data leaked when using common blockchain services, external parties can potentially deduce:

  • Your full history and portfolio
  • Your real-world identity
  • Your online activities and even social media accounts
  • Your location, movement patterns, and potentially even your home address
  • Your behavioral, spending, and trading patterns
  • Your income sources
  • Your social network and business relationships
  • Your political affiliations and donations

Just leaking some of this data can expose you to targeted attacks, including phishing and physical robberies, social and financial surveillance, legal scrutiny, political persecution, and more. Especially for users who live under authoritarian regimes, in places without strong human rights protections, and for social activists and political opposition groups, the risks of exposing this data can be life threatening. 

Even if users are not particularly concerned about the risks of pervasive financial surveillance by bad actors, there are plenty of practical, mundane reasons to want freedom over what information you share. Whether using crypto to make a purchase online, transact with a business partner, or split the cost of dinner with friends, many of us do not want the people we interact with on-chain to see all of our transaction history, balances, charitable or political donations, memecoin trades, or NFTs. If crypto is ever to serve as a meaningful alternative to the existing financial system, the ability to control what we share with whom is a bare minimum requirement.

Especially when considering the adoption of blockchain technology by organizations, governments, and institutional users, the lack of control is a non-starter that represents a major barrier to adoption. No discerning organization is going to adopt Web3 if it means exposing their organization’s most sensitive financial data or trade secrets. No nation state will want to bring their country’s economy on-chain if it means exposing their citizens’ financial data to potential adversaries. No traditional financial institution will conduct serious activity on-chain if it means broadcasting their positions and trades through public networks for everyone to see.

On an even more fundamental level, having control over what information you share with others is a necessary precondition for freedom. Just as in everyday conversations you have the ability to choose what information you share with whom, having control over your financial information is a matter of human rights, dignity, and sovereignty. Our freedoms should not end where the digital world begins.

How shielding works on Namada

Inspired by the design of Zcash, Namada protects user data by using zero-knowledge cryptography, is capable of shielding any asset (fungible and non-fungible), and supports shielded cross-chain transactions for protecting users’ personally identifiable information as they interact across the multichain landscape. 

The MASP
The MASP is a zero-knowledge circuit (zk-SNARK) that extends the Zcash Sapling circuit to make it capable of supporting any asset, rather than being limited to a single asset as in the case of Zcash. 

Assets can be sent from one address to another within the MASP while shielding the sender’s and receiver’s personally identifiable information (these are called shielded transfers on Namada). From an outside perspective, all transactions within the MASP are indistinguishable from one another.

Assets can also be transferred out of the MASP to public blockchains—for example to be used in DeFi applications—while keeping information about the user’s account of origin shielded. While assets themselves are no longer shielded once they leave the MASP, and certain information about a user’s activity can be deduced by what they then do on public blockchains, there is no linkability with their account on Namada, providing functional privacy for cross-chain activity.

Selective disclosure
An important feature of Namada is selective disclosure—the ability for users to choose what data they want to reveal for specific purposes. Users can keep both shielded and unshielded accounts, and can choose to disclose their data to specific parties by sharing their account’s viewing keys. Viewing keys enable users to give specific parties the ability to view an account’s transaction history without the ability to make any transactions. This allows the sharing of data with third parties, for example for accounting or compliance purposes, while maintaining privacy from the broader public view.

Size matters
With shielded sets like the one enabled by Namada’s MASP, size matters. The larger the shielded set, meaning the more assets it contains and the more transactions users conduct, the stronger the data protection guarantees. To maintain strong privacy guarantees, the total amount of any given asset in the MASP must be large enough to adequately obscure individual transactions. If you send 1000 tokens into a shielded set that only contains 3000 total tokens, the ability to deanonymize you is trivial. The larger the shielded set grows, the lower the probability of deanonymizing any individual user. 

Namada enables the strongest possible data protection guarantees by having a unified shielded set for all assets across the multichain. Since Namada gets stronger the more people store assets within the MASP, users are rewarded for shielding their data with NAM shielding rewards, making data protection on Namada a public good.

Shielded actions
Namada also enables shielded actions – cross-chain actions that can be conducted from the MASP to shield interactions for any type of application, such as DeFi transactions. For example, shielded swaps with Osmosis will enable users to swap assets on Osmosis while keeping their personally identifiable information shielded. In this case, users will initiate a swap within a Namada UI like Namadillo, assets will be sent out of the MASP to an Osmosis smart contract via IBC, swapped, and automatically sent back into the MASP. Assets are never associated with a transparent account, so no account information is leaked. Shielded actions are a development primitive that builders can use to incorporate privacy into applications for a wide range of use cases, without needing to make changes to existing transparent blockchains.

These features are what enables Namada to serve as the composable privacy layer for all of Web3.

What data does Namada protect?

Depending on the type of transfer, Namada can protect personally identifiable data associated with the sending and/or receiving address. There are 4 basic transfer types on Namada:

  • Shielding Transfers: Transfers from a transparent address outside the MASP to a shielded address inside the MASP. In this case, data about the sending address is unshielded, but data about the receiving address is shielded. 
  • Shielded Transfers: Transfers between shielded addresses within the MASP. In this case, data about both the sending and receiving addresses is shielded.
  • Unshielding Transfers: Transfers from a shielded address within the MASP to an unshielded address outside the MASP. In this case, data about the sending address is shielded, but data about the receiving address is unshielded. 
  • Transparent Transfers: Transfers between transparent addresses. In this case, all transaction data is public.

The following table outlines the data revealed depending on the type of transfer being made:

Data revealed by type of transfer

More personal information is exposed when transferring funds into and out of Namada’s MASP, and whenever a transparent address is involved. The least data is revealed when interactions remain within the shielded set.

Because the size of the shielded set determines the degree of protection, tokens with lower liquidity and those with a lower total amount contained within the MASP will offer a lower degree of protection. Assets with the highest degree of protection are those with high liquidity and those with a large total amount contained within the MASP. Users should not rely on having complete privacy when using Namada in the initial period following launch, when the shielded set is still growing.

How to use Namada’s shielding features

You can shield assets in the MASP using a Namada interface like Namadillo.  

Shielding transfers

Shielding transfers over IBC in the Namadillo IBC Transfer module

To get assets into the MASP, conduct an IBC transfer to your shielded address. Start by connecting your chosen Namada interface to your Keplr wallet, then choose your source chain and asset, select your shielded address as the destination, and submit the transaction. Additional IBC wallet integrations beyond Keplr are planned for the future, as are connections to additional ecosystems beyond IBC.

You can also conduct internal shielding transfers to shield assets contained within your transparent Namada account. 

Shielded transfers

Conduct shielded transfers in the Namadillo Transfer module

To conduct a shielded transfer on Namadillo, go to the transfer module, select your shielded address as the origin address, choose the desired asset, add the recipient’s shielded (znam address), submit and sign the transaction. You can also choose which asset you want to pay gas fees with.

Unshielding transfers

Conduct unshielding transfers in the Namadillo MASP module

To unshield assets to your transparent Namada account, go to the MASP module or click ‘Unshield’ from the top bar. Select your desired asset to unshield, and change the asset for paying transaction fees if necessary.

Unshielding transfers over IBC via the Namadillo IBC Transfer module (IBC withdrawals)

You can also unshield assets over IBC to an external account. To do this, go to the IBC transfer module, select ‘From Namada’ from the top tab, choose your desired asset to send, confirm the destination address, and change the asset for paying fees if necessary. 

Future additions

Additional features are being discussed by the community for future integration into the Namadillo interface, including shielded actions like Osmosis shielded swaps. Stay tuned on Namada’s X and by subscribing to the Namada Newsletter to find out when new features go live. 

Best practices for protecting your data 

To make sure you get the best degree of protection possible, keep in mind the following rules of thumb:

  • Use a different public address to bridge funds into Namada than used for other exposed transactions.
  • Don’t reuse the same transparent address for many transactions.
  • Try to randomize transaction values and times to make it harder to draw conclusions about their linkability.
  • Don’t always use the same shielded (znam) address to receive payments (at the time of writing, generating multiple znam addresses is possible in the CLI but not possible on Namada Keychain extension, though it will soon be possible with a near-future upgrade).
  • Be aware of the total amount of any given asset in the MASP when conducting transactions. As a rough rule of thumb, MASP transactions for any asset should not exceed 5% of the total amount of that asset contained within the MASP. Total amounts of assets stored within the MASP can be viewed on Namada Explorers (SproutStake, Explorer 75). 
  • If you want to shield lower liquidity tokens, you can first bridge a highly liquid generic token into the MASP. Once in the MASP, you can then perform a shielded action to acquire lower liquidity tokens.
  • Use a VPN - A VPN can mask your IP address, encrypt your internet connection and make your browsing activity more anonymous.
  • Use a TOR browser - Tor protects personal privacy by concealing a user's location and usage from anyone performing network surveillance or traffic analysis.
  • Be careful about timing, especially when bridging in and out of the MASP. Withdrawing soon after deposing can expose you. If you do a shielded action after depositing, don’t do it for the same amount. 
  • Generating a new transparent address for every transaction is the ultimate best practice.

The road ahead

Namada’s five-phase mainnet launch is just the beginning of the journey to bring data protection to the multichain landscape. The community is currently discussing the post-mainnet roadmap, including expanding Namada to new assets, blockchains, and ecosystems beyond IBC, such as Ethereum, Bitcoin, and Solana. Additional shielding features are also being discussed, including shielded actions like shielded Osmosis swaps and outside the box ideas like shielded staking, shielded DeFi management, shielded bonds, shielded airdrops, and more. Namada’s development is driven by the community via on-chain governance, so be sure to participate in ongoing discussions to help shape the network’s future. 

Namada is well on its way to realize its vision of serving as the composable privacy layer for all of Web3. As Namada expands to new assets and ecosystems, the size of its unified shielded set will grow, increasing the level of protection for everyone. By working together to make the Shielded Ecosystem an unstoppable force, we can finally ensure that blockchain technology reflects the freedom and the right to reveal ourselves on our own terms. 

Shields up!

Live
Mainnet phase 3
Shielding Party
Mainnet Roadmap