Privacy-Preserving Cryptographic Bridge: Enabling Trust-Minimized Cross-Chain Interoperability for Aztec

Aztec
,
1

Title

Privacy-Preserving Cryptographic Bridge: Enabling Trust-Minimized Cross-Chain Interoperability for Aztec

Contact Details

Email: kisso@krnl.xyz
Telegram: @kisso_selvan
Signal: @kisso.01

Summary

We propose building a privacy-preserving, trust-minimized cross-chain bridge that enables secure transactions between Aztec and any chain using elliptic curve signature schemes (ECDSC, EdDSA, or BLS). This solution leverages KRNL Labs’ established cryptographic bridge and enhances it by integrating aztec.js functionality as an adapter. The modification enables the use of PXE from the node, thereby increasing pre-validation, security, and efficiency.

Immediate Scope

The proposal outlines the development of an MVP that demonstrates secure, confidential cross-chain asset transfers (native and ERC20) between Aztec and selected Ethereum L2s (e.g. Base, Arbitrum, Optimism), with a roadmap for broader interoperability.

Start and End Date

Our team will commence work on 1 April 2025 and deliver a functional privacy-preserving cross-chain bridge solution on the Aztec Testnet by June 2025.

Context on the KRNL Protocol

The KRNL Protocol enables modular execution sharding through orchestrating computation across multiple optimized VM environments on behalf of a dApp. The orchestration takes place on the RPC node (Geth) and a key innovation is the ability to secure the execution cryptographically rather than through (re)staking or consensus. This allows for a more efficient and flexible architecture.

The protocol transforms any on-chain or off-chain function into execution shards, called kernels. Kernels can be stateless or stateful, lightweight, resilient, and independently deployable, allowing them to reside on different chains, or entirely off-chain. This is akin to npm, where developers can access pre-built libraries and integrate them seamlessly.

To accelerate adoption, KRNL Labs has partnered with industry leaders to bring their pre-built functions to Web3 developers as kernels, eliminating the need for rebuilding redundant functionality across multiple networks.

KRNL Labs has developed the POC for a Cryptographic Bridge - a game-changer for cross-chain swaps. This bridge delivers instantaneous cross-chain transactions with minimal confirmation time, supporting all major networks, including Bitcoin. The result: lower fees, enhanced security, and a unified provider for seamless interoperability.

POC Video - recorded in real-time.

The user starts by entering the amount of ETH they want to swap for BTC. After confirming, they initiate the deposit on Ethereum. The bridge then detects the transaction, fetches the BTC/ETH conversion rate from an oracle, calculates risk and premium, and checks liquidity.

Once everything is verified, the bridge constructs a Bitcoin UTXO transaction. After cryptographic validation, BTC is securely released to the specified address - ensuring a seamless and trust-minimized swap.

After the swap is initiated, the user can track the transaction on both Ethereum and Bitcoin networks:

  1. On Ethereum Sepolia, they see the deposit confirmation and bridge processing status.
  2. On Bitcoin, they can check mempool.space to verify the UTXO transaction.

Once finalized, BTC is confirmed in their wallet. This ensures full transparency, allowing users to monitor every step of the cross-chain swap in real time.

Please reach out to get access to the Cryptographic Bridge GitHub Repo.

Read more on our technical docs here.

Team

Tahir Mahmood - Co-founder
Tahir Mahmood started at Microsoft as a Technical Lead for OS and Programming Languages in 1989. Throughout his career, he has been the inventor of 40+ patents in Web3, Smart Clothing, loT, Al, Telecoms including “Push Mail” (BlackBerry).

Asim Ahmad, CFA - Co-founder
Asim Ahmad has 15 years of experience in the investment industry and has been active in Web3 since 2016. He is a CFA Charterholder, ex-BlackRock, and Founding Partner of the blockchain venture capital firm Eterna Capital.

Kittinan Ounlum - Lead Blockchain Engineer
Kittinan Ounlum is a seasoned blockchain developer with 6 years of experience across decentralized identity, custodial wallets, GameFi, NFTs, smart contracts, and protocol design. Skilled in cryptography, consensus algorithms, and node operations. Currently building modular execution sharding at KRNL Labs.

KRNL Labs is a venture backed company and has recently closed a seed funding round. Its product will be at public testnet at the end of April and mainnet will launch ahead of the Aztec mainnet. The wider KRNL Labs team consists of over 20 team members with the majority of them specializing in Web3 and core node development.

Product Architecture

Figure 1: Deposit architecture design of the privacy-preserving cryptographic bridge.
Figure 1: Deposit architecture design of the privacy-preserving cryptographic bridge.2142×694 65.8 KB

Step-by-step deposit flow:

  1. The User initiates a token transfer via the bridge dApp which inherits the krnl.js SDK
  2. The tokens are transferred to the Liquidity Provider (Implicit Account) on the L2 blockchain.
  3. Subsequently, using the executeKernels function in krnl.js, the dApp will make an atomic RPC call to the KRNL Geth RPC node (henceforth referred to as the KRNL node).
  4. The KRNL node executes the kernels. The deposit transaction is verified by a kernel. The risk oracle kernel gets the premium from a series of risk providers. The price oracle kernel gets the exchange rate from an aggregate of price sources. The liquidity verifier kernel checks the liquidity of the Liquidity Provider (smart contract account) on the Aztec (destination) chain. The execution results of the kernels are returned to the KRNL node.
  5. The results are attested by an attestor acting in a decentralized TEE network (e.g. Oasis Sapphire). The attestor is a smart contract with private logic that provides a ERC-1271 attestation of the runtime-digest of the node ensuring tamperproof execution of the kernels.
  6. The cryptographically signed attestation is returned to the KRNL node.
  7. The KRNL node uses the aztec.js adapter to prepare a token release transaction on the Aztec chain. The aztec.js adapter is a post-execution handler for the Aztec network.
  8. The Paymaster signs the prepared token release transaction to sponsor gas.
  9. The Aztec transaction is simulated and a proof of correct execution is submitted.
  10. The tokens from the Liquidity Provider’s account on Aztec are transferred to the User’s contract account on Aztec.

Figure 2: Withdrawal architecture design of the privacy-preserving cryptographic bridge.
Figure 2: Withdrawal architecture design of the privacy-preserving cryptographic bridge.2914×1604 228 KB

Step-by-step withdrawal flow:

  1. The User initiates a token transfer via the bridge dApp which inherits the krnl.js and aztec.js SDKs
  2. The transaction will be simulated and a proof of correct execution will be provided.
  3. Subsequently, using the executeKernels function in krnl.js, the dApp will make an atomic RPC call to the KRNL Geth RPC node (henceforth referred to as the KRNL node).
  4. The KRNL node executes the kernels. The withdrawal transaction is verified by a kernel. The risk oracle kernel gets the premium from a series of risk providers. The price oracle kernel gets the exchange rate from an aggregate of price sources. The liquidity verifier kernel checks the liquidity of the Liquidity Provider (Implicit Account) on the Ethereum L2 (destination) chain. The execution results of the kernels are returned to the KRNL node.
  5. The results are attested by an attestor acting in a decentralized TEE network (e.g. Oasis Sapphire). The attestor is a smart contract with private logic that provides a ERC-1271 attestation of the runtime-digest of the node ensuring tamperproof execution of the kernels.
  6. The cryptographically signed attestation is returned to the KRNL node.
  7. The KRNL node uses the Signet Adapter to prepare a token release transaction on the destination chain.
  8. The Paymaster signs the token release transaction to sponsor gas.
  9. The Signet Adapter requests a signature to prepare the token release from the Sig Network MPC (any decentralized MPC network e.g. Ika, Lit Protocol, etc are also viable solutions). The Signet adapter is a post-execution handler for the Sig Network MPC signer.
  10. The KRNL node via the Signet Adapter requests a token release to the bridge smart contract (chain signatures smart contract) on the NEAR L1.
  11. The bridge smart contract verifies the attestation and then releases the tokens from the Liquidity Provider (LP) on the destination chain.
  12. The User’s EOA is transferred tokens by the LP on the destination chain.

Additional Notes:

The additional functions introduced by krnl.js are outlined here, primarily:

  1. getKernelsCost(…)
  2. executeKernels(…)

The attester is secured through running in a Trusted Execution Environment (TEE). TEEs isolate sensitive operations and data within a hardware-protected space, preventing unauthorized access or manipulation, even if the main operating system is compromised.

How will the design meet Aztec’s requirements?

The cryptographic bridge enables seamless bridging between Aztec and any blockchain using ECDSA, EdDSA, and BLS. For the purposes of this MVP, we will focus on bridging between Ethereum EVM L2s such as Base and the Aztec network whilst preserving privacy.

Private deposits and withdrawals are enabled by obscuring the on-chain trail between the Ethereum L2 and the Aztec network through leveraging the existing PXE infrastructure for constructing private transactions on Aztec.

The UX is seamless and compatible between many other solutions requiring only a single signature from the user’s EOA for deposits and withdrawals. The bridge execution time is minimized as once the liquidity provider transaction has sufficient confirmations, the user receives the tokens.

Grant Milestones and Roadmap

April - June 2025

MVP-ready cross-chain bridge deployed between Aztec testnet and Ethereum EVM L2s (Base, Arbitrum and Optimism).

Milestones

dApp Frontend Implementation:

  • Create modified krnl.js module with inherited aztec.js functionalities ensuring compatibility with PXE.

Infrastructure Setup:

  • Implement the PXE privacy mechanism within the bridging workflow.
  • Production-grade adapters for Aztec and Sig Network
  • Consolidate price oracle kernels for all major asset pairs.
  • Implement the risk premium oracle and source providers.

UI Development:

  • Build a frontend interface for cross-chain bridging and swapping.
  • Develop both low-fidelity and high-fidelity wireframes for iterative design and testing.

Testnet Deployment:

  • Deploy the solution on Aztec and major Ethereum EVM L2 Testnets.
  • Launch public beta, gather feedback, and refine the solution.

H2 2025

Milestones

Smart Contract Audits:

  • Complete comprehensive audits to ensure robust security and adherence to best practices.

Enhanced Routing & Pricing:

  • Implement dynamic routing across asset pairs to secure optimal pricing for exotic trading pairs.

Mainnet Launch:

  • Transition from testnet to a full-scale mainnet deployment.

H1 2026

Milestones:

Toggleable Privacy-Preserving RPC:

  • Develop and deploy clusters of privacy-preserving KRNL RPC nodes.
  • Enable users to select their preferred level of privacy (noting the trade-off with throughput compared to regular KRNL RPC nodes).

Support non-EVM Chains:

  • Create adapters for non-EVM networks to allow for verification of deposits, and preparation and broadcasting of transactions.

Long-Term Roadmap:

  • Continue developing additional features, including further decentralization of the RPC clusters, broader interoperability with other non-EVM chains, and ongoing performance and security enhancements.

Grant Amount Requested:

$50,000

Grant Budget Rationale:

The requested grant is essential to deliver our MVP-ready cross-chain bridge between the Aztec testnet and Ethereum EVM L2s (Base, Arbitrum, and Optimism) by June 2025. This funding will cover:

  • Infrastructure Setup:
    Implementing the PXE privacy mechanism, building production-grade adapters for Aztec and the Sig Network, consolidating price oracle kernels, and integrating a risk premium oracle.
  • dApp Frontend Implementation:
    Developing a modified krnl.js module that inherits aztec.js functionalities for PXE pre-validation.
  • UI Development:
    Creating a user-friendly frontend interface with iterative low-fidelity and high-fidelity prototypes.
  • Testnet Deployment:
    Deploying on Aztec and major Ethereum L2 testnets, launching a public beta, gathering feedback, and refining the solution.

Each milestone is critical for ensuring a secure, efficient, and trust-minimized cross-chain bridging solution that aligns with Aztec’s RFP.

The timeline allows for focused development with a dedicated team of 3 engineers (1 node, 1 smart contract, 1 frontend) working on the project, prioritizing security and reliability while meeting the June 2025 deadline.

Appendix

Context

Sig Network is developing an innovative MPC account abstraction solution that simplifies cross-chain transactions for any blockchain (using an ECDSA, EDDSA, or BLS signature scheme). By creating this flexible security framework, Sig will enable users to seamlessly move digital assets across all compatible blockchains.

Through the strategic, technological, and integral partnership with KRNL Labs, Sig Network can now verify and attest to the state of other blockchains. This allows for seamless native cross-chain bridging and swapping solutions without intermediaries - a notable technical breakthrough in cryptographically-secure bridge architecture.

This development between Sig Network and KRNL Labs represents a technical breakthrough in bridge architecture and blockchain interoperability. Users can now fund an NFT key representing a liquidity pool on one chain and receive token spending authority from a shared pool on another chain. The protocol allows seamless cross-chain interactions, using any standard Externally Owned Account (EOA), simplifying the user experience and expanding accessibility. The outcome is that users can access and spend tokens across different chains without needing their own Sig Network wallet.

NFT Chain Keys Smart Contract

The NFT Chain Keys contract leverages the NEP-171 standard to manage MPC (Multi-Party Computation) keys as transferable NFTs, enabling secure and flexible key management between users. It allows accounts to mint unlimited NFT-based chain keys after registering for storage and supports generating cryptographic signatures through the ckt_sign_hash function. While adhering to NEAR standards like NEP-145 (Storage Management), NEP-171 (NFT Core), NEP-177 (Metadata), NEP-178 (Approval Management), and NEP-181 (Enumeration), the contract also introduces bespoke approval functions for using NFTs, distinct from standard NFT transfers. These functions enable accounts to issue, revoke, and manage approvals for signature usage, ensuring granular control over the operational capabilities of the NFTs. This contract thus combines robust NFT functionality with advanced key management features, creating a scalable and secure solution for decentralised key operations.

The NFT Chain Keys contract enforces precise control over key usage by requiring that keys hold the exact amount needed for a transaction. Additionally, keys must have a nonce of zero, ensuring they have never been used before and preventing the reuse or unauthorised spending of keys post-swapping. The system supports the creation of unlimited keys, with each key capable of managing an unlimited number of addresses, providing flexibility and scalability for complex dApps.

The Sig Network team is working on bringing the solution to all major chains such that the marketplace contract and NFT keys contract will be able to exist on any chain.