Incognite User Testing Campaign

The incognitee user testing campaing just launched and is available for the next 2 weeks until 21st of May. Participate, complete the whole flow and get eligble for one of the prizes. Follow the link : https://try.incognitee.io

Incognitee CLI tutorial

Transfer PAS privately

Our Incognitee testnet allows you to transfer PAS privately (Paseo relay chain native token). We will guide you through the process of creating a wallet, obtaining PAS and transferring with privacy. The very same process will be possible with DOT/KSM and even other fungible assets on the Asset Hubs once we release the productive sidechains.

At this early stage we only provide command line tools and we assume you know your way around docker or linux. Stay tuned for a web UI for a clickable version of this tutorial.

This tutorial will take you through all steps sketched in the following diagram:

Setup

Using docker

mkdir test-privacy && cd test-privacy
alias sidechain-cli="docker run --rm -v ""$(pwd)"":/tmp -w /tmp -u $(id -u ${USER}):$(id -g ${USER}) integritee/sidechain-cli:v0.12.12"
sidechain-cli --version
# should say: integritee-cli 0.12.11

(subsequent steps may fail on OSx. please stay tuned for updates) Using ubuntu 22.04 natively

Download the CLI client from IPFS (needs Linux, i.e. ubuntu 22.04).

mkdir test-privacy && cd test-privacy
curl -o sidechain-cli https://crustipfs.live/ipfs/QmYbKhwQMLnfPLwBAMmmuTEuEnhYijkUf3EjpX8pq3uakx
chmod +x sidechain-cli
./sidechain-cli --version
# should say: integritee-cli 0.12.11
alias sidechain-cli="./sidechain-cli"

Setup environment to use Paseo and Incognitee testnet

export SHARD=5wePd1LYa5M49ghwgZXs55cepKbJKhj5xfzQGfPeMS7c
export MRENCLAVE=5urwaCtiRLZQT9AQUhkNDsSAQGvtGJQtBGXbTRM7xEyy
alias incognitee="sidechain-cli -U wss://integritee-1.cluster.securitee.tech trusted --mrenclave $MRENCLAVE --shard $SHARD"
read VAULT <<< $(incognitee get-shard-vault)
echo $VAULT
# should say: 5FHADJdNrxVsBdQRcNzDqvy7xdPEQL1peU21bDXW1ivjoD2Q
alias paseo="sidechain-cli -u wss://rpc.ibp.network/paseo -p 443"

Create a wallet

read ME_PUBLIC <<< $(paseo new-account)
echo $ME_PUBLIC

Now, go to the paseo faucet and claim 100PAS for your new account. Select the following settings:

• Network: Paseo Relay Chain

• Chain: Paseo

Check your balance (allow for 30s):

paseo balance $ME_PUBLIC
# should say: 1000000000000 (PAS has 10 decimals)

Also, create a new incognito account.

read ME_PRIVATE <<< $(incognitee new-account)
echo $ME_PRIVATE
# make the public account usable by L2 keystore as well:
cp my_keystore/* my_trusted_keystore/$SHARD/

Transfer PAS privately

Your PAS now reside on Paseo relay chain. Let's shield 2 PAS to incognitee:

paseo transfer $ME_PUBLIC $VAULT 20000000000
# wait a wee
incognitee balance $ME_PUBLIC
# should say: 19964973731
paseo balance $ME_PUBLIC

Your balance on Paseo should be ~2 PAS less and your balance on the same account on Incognitee should be 2 PAS.

So far, there’s nothing private. But from now on, only you can query your balance on incognitee. If you try to query a balance from someone else, that will fail because you’re not authorized:

incognitee balance 5F4sDRQFyNiNz8BKGU3VxQtQtBBevRHVYNT8BNP2encsxEWr
# should fail

Now, let’s transfer 1.1 PAS to our incognito account. notice how fast this confirms.

incognitee --direct transfer $ME_PUBLIC $ME_PRIVATE 1100000000000
incognitee balance $ME_PRIVATE
# should say: 1100000000000

Now we have 1.1 PAS on our incognito account. If we send funds to someone, they don’t learn our public key and they can’t check our balance. We can just prove that we sent them the tokens.

If at one point we’d like to go back to Paseo we can unshield funds again. If there is enough shielding and unshielding traffic with equal amounts, the unshielding will be unlinkable to the previous shielding if you chose a different address (k-anonymity).

Let’s create a fresh account on Paseo and unshield 1PAS to that account.

read ALTER_EGO <<< $(paseo new-account)
echo $ALTER_EGO
incognitee --direct unshield-funds $ME_PRIVATE $ALTER_EGO 10000000000
# wait for one Paseo block
paseo balance $ALTER_EGO
# should say: 10000000000

There you go. 1 PAS back on L1 on an account with no previous history.

Thank you for trying this out. Please reach out if you have questions.

Under the hood

Check sidechain activity

Visit the Integritee Network on Paseo explorer where you can see events whenever sidechain blocks get finalized:

As privacy is our main feature, you can’t see much more here. The BlockHeaderHash helps you proving that you sent funds to someone. By default, recipients just observe a change in their balance but they have no clue where the funds come from unless you tell them and provide a merkle proof for the sidechain block inclusion of your transfer.

However, as shielding and unshielding events are publily happening on Paseo, you can observe shielding/unshielding activity on the vault account on subscan.

The balance of the vault account will always exactly match the total supply on the respective sidechain shard.

What are shards and mrenclaves?

Each instance of an Incognitee sidechain is identified by a shard identifier and we’ll need to tell the validators which shard we’d like to talk to. Think of it like the genesis hash of a L1 blockchain.

The MRENCLAVE identifies the validator code which is executed in Intel SGX enclave (it’s basically the hash of the enclave binary). Your call will only execute if the validator runs the code you expect it to run.

Why should I trust validators?

Because they can’t cheat and they can’t see your data. That’s what TEEs guarantee. But how should you know that the validators actually run the correct code in a TEE? You can authenticate validators thanks to Integritee’s remote attestation registry at enclaves.integritee.network.

There you can find the validator for this tutorial if you serch for the url you’re using wss://integritee-1.cluster.securitee.tech:2000 and it will tell you the verified MRENCLAVE which has been remotely attested using our decentralized DCAP process.