ZkVM: Fast, Flexible Blockchain Contracts

Transcript

1. FAST, PRIVATE, FLEXIBLE BLOCKCHAIN CONTRACTS Oleg Andreev Cathie Yun
 Split,

   Croatia June 23, 2019

2. THE PROBLEM How to make live on the internet? ...

   tokens receipts derivatives currencies tickets stocks bonds ...

3. THE PROBLEM How to make live on the internet? ...

   tokens receipts derivatives currencies tickets stocks bonds ... ownable by computers

4. WHY How come we have vending machines for physical property,


   but not for the digital one?

5. HOW Need to simulate the universe in which these things

   can exist:

6. UNIVERSE OF ASSETS =
 BLOCKCHAIN Blockchain protocol is a set

   of rules for defining tokens, authorizing transfers, and preventing double-spends.

7. UNIVERSE OF ASSETS
 IS HEAVY Blockchain protocol is a set

   of rules for defining tokens, authorizing transfers, and preventing double-spends ... that every participant verifies.

8. PROBLEMS WITH SHARED DATA Blockchain makes sense if everyone plays

   the same game. how do we scale this? how do we protect private data? how do we build upon it?

9. scalability performance confidentiality flexibility HUGE COMMUNITY EFFORT payment channels zcash

   bitcoin ethereum monero coinjoin zksnarks ring signatures mimblewimble bulletproofs utreexo musig bls signatures taproot txo mmr recursive snarks object capabilities linear types ristretto

10. ZkVM = HYBRID SOLUTION scalability performance confidentiality flexibility payment channels

    zcash bitcoin ethereum monero coinjoin zksnarks ring signatures mimblewimble bulletproofs utreexo musig bls signatures taproot txo mmr recursive snarks object capabilities linear types ristretto

11. ZkVM ARCHITECTURE

12. TRANSACTIONS Tx = program that transfers assets from inputs to

    outputs.
 Transactions can also issue arbitrary assets. tx 1 input input output tx 2 input output output tx 3 input output output

13. PROGRAM EXECUTION Transaction is a program, cryptographic proof and some

    metadata. TX program zk proof

14. PROGRAM EXECUTION VM instantiated per transaction; discarded after tx is

    processed. High-level instructions enforce network rules. Not turing-complete by design. VM program stack txlog constraint system TX program zk proof run

15. PROGRAM EXECUTION Instructions build a constraint system (CS) on the

    fly. CS enforces both network rules and custom, per-contract rules. Single aggregated proof is used to verify all the constraints. VM program stack txlog constraint system TX program zk proof verify run

16. PROGRAM EXECUTION Transaction verification is stateless. Created/deleted outputs are recorded

    in the transaction log. Transactions log is applied to the blockchain state separately. VM program stack txlog constraint system apply TX program zk proof run blockchain
 state

17. CONTRACTS Each unspent output is a contract object. Contract has

    arbitrary payload (assets, data) protected by a predicate. Saved via output instruction, loaded via input instruction. contract predicate item 1 item 2 item 3

18. CONTRACTS Predicate is satisfied with either a signature... contract predicate

    item 1 item 2 item 3 item 1 item 2 item 3 verify signature unlock

19. CONTRACTS Predicate is satisfied with either a signature or a

    sub-program. contract predicate item 1 item 2 item 3 item 1 item 2 item 3 execute sub-program unlock

20. P = K + hash(K, R)·B TAPROOT pubkey K =

    k·B program 1 program 2 program 3 program 4 Compresses contract logic into a single public key. Either sign with K, or reveal a branch and execute it.

21. INSTRUCTIONS Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt

    Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log
 signtx
 call
 delegate Stack push:n:x program:n:x
 drop
 dup:k
 roll:k
 Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify

22. INSTRUCTIONS Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt

    Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log
 signtx
 call
 delegate Stack push:n:x program:n:x
 drop
 dup:k
 roll:k
 Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify Bitcoin: 88 Ethereum: 77 TxVM: 65 ZkVM: 32 instructions

23. Zk+VM Cathie Yun

24. CRYPTOGRAPHY STACK Vectorized elliptic curve operations. Curve25519-Dalek

25. Ristretto255 Vectorized elliptic curve operations. Safe prime order group. CRYPTOGRAPHY

    STACK Curve25519-Dalek

26. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. CRYPTOGRAPHY STACK Curve25519-Dalek

27. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Network rules. CRYPTOGRAPHY STACK Curve25519-Dalek

28. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Constraints Network rules + custom rules. CRYPTOGRAPHY STACK Curve25519-Dalek

29. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Constraints Instructions Network rules + custom rules. Arithmetic + boolean operations. CRYPTOGRAPHY STACK Curve25519-Dalek

30. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Constraints Instructions Your protocol Network rules + custom rules. Arithmetic + boolean operations. Vaults, payment channels, order books, ... CRYPTOGRAPHY STACK Curve25519-Dalek

31. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. pure Rust Cloak Constraints Instructions Your protocol Network rules + custom rules. Arithmetic + boolean operations. CRYPTOGRAPHY STACK Curve25519-Dalek Vaults, payment channels, order books, ...

32. CONSTRAINTS (P = B + R·T) OR (X = Y)

    Custom composition of arithmetic and boolean expressions: R T mul B add P eq X Y eq or verify

33. CONSTRAINTS

34. Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify


    EX: CUSTOM CONSTRAINTS Create variables from commitments, make expressions, form constraints and add them to the constraint system. Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log
 signtx
 call
 delegate Stack push:n:x program:n:x
 drop
 dup:k
 roll:k


35. Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log


    signtx
 call
 delegate Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify EX: CUSTOM CONSTRAINTS A variable defines a payment constraint with borrow + output.
 Negative value is mixed with an actual payment in the cloak. +V –V Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt Stack push:n:x program:n:x
 drop
 dup:k
 roll:k


36. LINEAR TYPES + CAPABILITIES In ZkVM contracts imperatively express their

    requirements,
 entirely avoiding bugs like confused deputy problem.

37. CONFIDENTIALITY 1 2 Data security Data flow security

38. DATA SECURITY All data is encrypted by default: account identifiers

    (via blinded keys), asset quantities and types, contract parameters: prices, time, rates. Contract logic is protected by Taproot: cooperation: single signature does not reveal parties or conditions, dispute: only a specific branch is revealed. 1

39. DATA FLOW SECURITY Transaction graph is public to permit compression

    of UTXOs. Within a transaction, asset flow is fully hidden with Cloak. Aggregation of transfers improves security, also makes tx smaller+faster. Further improvements possible without changes to base protocol. 2

40. PERFORMANCE

41. PERFORMANCE Fast 1 <1 ms per output (up to 1000

    tx/sec). • vectorized implementation of Curve25519, • signature aggregation, • state of the art multi-scalar multiplication, • ≈1.5 Kb/proof, marginal cost 0.2–0.5 Kb/transfer.

42. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. • rangeproofs for output values bear most of the cost, • signatures and custom constraints: 1-5% overhead. <1 ms per output (up to 1000 tx/sec).

43. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. Scales with privacy 3 Aggregation saves space and time. • proof size is log(N), marginal cost goes to zero, • larger batches of ECC operations take N/log(N) time. <1 ms per output (up to 1000 tx/sec).

44. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. Scales with privacy 3 Aggregation saves space and time. Free storage 4 Utreexo makes storage costs negligible. • storage costs log(N) (≈1 kilobyte without caching), • bandwidth overhead is 5-10% with caching
 (+ tens of megabytes) <1 ms per output (up to 1000 tx/sec).

45. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. Scales with privacy 3 Aggregation saves space and time. Free storage 4 Utreexo makes storage costs negligible. SPV-friendly 5 Bandwidth savings for mobile devices. <1 ms per output (up to 1000 tx/sec).

46. CONCLUSION ZkVM is a transaction format for a multi-asset blockchain

    that scales to global use, protects data on-chain and provides programmable constraints to enable custom protocols.

47. LEARN MORE & PARTICIPATE Specifications, code, whitepaper: https://github.com/stellar/slingshot Related projects:

    https://interstellar.com/protocol

48. THANK YOU Oleg Andreev @oleganza ZkVM bulletproofs Cathie Yun @cathieyun

    Project Slingshot is sponsored by
 Inter/stellar and Stellar Development Foundation.