Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ZkVM: Fast, Flexible Blockchain Contracts

ZkVM: Fast, Flexible Blockchain Contracts

These are the slides from the talk that Oleg Andreev and I gave at Zcon1, Zcash's annual privacy conference.

Cathie Yun

June 23, 2019
Tweet

More Decks by Cathie Yun

Other Decks in Programming

Transcript

  1. FAST, PRIVATE, FLEXIBLE BLOCKCHAIN CONTRACTS Oleg Andreev Cathie Yun
 Split,

    Croatia June 23, 2019
  2. THE PROBLEM How to make live on the internet? ...

    tokens receipts derivatives currencies tickets stocks bonds ...
  3. THE PROBLEM How to make live on the internet? ...

    tokens receipts derivatives currencies tickets stocks bonds ... ownable by computers
  4. WHY How come we have vending machines for physical property,


    but not for the digital one?
  5. HOW Need to simulate the universe in which these things

    can exist:
  6. UNIVERSE OF ASSETS =
 BLOCKCHAIN Blockchain protocol is a set

    of rules for defining tokens, authorizing transfers, and preventing double-spends.
  7. UNIVERSE OF ASSETS
 IS HEAVY Blockchain protocol is a set

    of rules for defining tokens, authorizing transfers, and preventing double-spends ... that every participant verifies.
  8. PROBLEMS WITH SHARED DATA Blockchain makes sense if everyone plays

    the same game. how do we scale this? how do we protect private data? how do we build upon it?
  9. scalability performance confidentiality flexibility HUGE COMMUNITY EFFORT payment channels zcash

    bitcoin ethereum monero coinjoin zksnarks ring signatures mimblewimble bulletproofs utreexo musig bls signatures taproot txo mmr recursive snarks object capabilities linear types ristretto
  10. ZkVM = HYBRID SOLUTION scalability performance confidentiality flexibility payment channels

    zcash bitcoin ethereum monero coinjoin zksnarks ring signatures mimblewimble bulletproofs utreexo musig bls signatures taproot txo mmr recursive snarks object capabilities linear types ristretto
  11. ZkVM ARCHITECTURE

  12. TRANSACTIONS Tx = program that transfers assets from inputs to

    outputs.
 Transactions can also issue arbitrary assets. tx 1 input input output tx 2 input output output tx 3 input output output
  13. PROGRAM EXECUTION Transaction is a program, cryptographic proof and some

    metadata. TX program zk proof
  14. PROGRAM EXECUTION VM instantiated per transaction; discarded after tx is

    processed. High-level instructions enforce network rules. Not turing-complete by design. VM program stack txlog constraint system TX program zk proof run
  15. PROGRAM EXECUTION Instructions build a constraint system (CS) on the

    fly. CS enforces both network rules and custom, per-contract rules. Single aggregated proof is used to verify all the constraints. VM program stack txlog constraint system TX program zk proof verify run
  16. PROGRAM EXECUTION Transaction verification is stateless. Created/deleted outputs are recorded

    in the transaction log. Transactions log is applied to the blockchain state separately. VM program stack txlog constraint system apply TX program zk proof run blockchain
 state
  17. CONTRACTS Each unspent output is a contract object. Contract has

    arbitrary payload (assets, data) protected by a predicate. Saved via output instruction, loaded via input instruction. contract predicate item 1 item 2 item 3
  18. CONTRACTS Predicate is satisfied with either a signature... contract predicate

    item 1 item 2 item 3 item 1 item 2 item 3 verify signature unlock
  19. CONTRACTS Predicate is satisfied with either a signature or a

    sub-program. contract predicate item 1 item 2 item 3 item 1 item 2 item 3 execute sub-program unlock
  20. P = K + hash(K, R)·B TAPROOT pubkey K =

    k·B program 1 program 2 program 3 program 4 Compresses contract logic into a single public key. Either sign with K, or reveal a branch and execute it.
  21. INSTRUCTIONS Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt

    Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log
 signtx
 call
 delegate Stack push:n:x program:n:x
 drop
 dup:k
 roll:k
 Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify
  22. INSTRUCTIONS Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt

    Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log
 signtx
 call
 delegate Stack push:n:x program:n:x
 drop
 dup:k
 roll:k
 Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify Bitcoin: 88 Ethereum: 77 TxVM: 65 ZkVM: 32 instructions
  23. Zk+VM Cathie Yun

  24. CRYPTOGRAPHY STACK Vectorized elliptic curve operations. Curve25519-Dalek

  25. Ristretto255 Vectorized elliptic curve operations. Safe prime order group. CRYPTOGRAPHY

    STACK Curve25519-Dalek
  26. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. CRYPTOGRAPHY STACK Curve25519-Dalek
  27. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Network rules. CRYPTOGRAPHY STACK Curve25519-Dalek
  28. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Constraints Network rules + custom rules. CRYPTOGRAPHY STACK Curve25519-Dalek
  29. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Constraints Instructions Network rules + custom rules. Arithmetic + boolean operations. CRYPTOGRAPHY STACK Curve25519-Dalek
  30. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. Cloak Constraints Instructions Your protocol Network rules + custom rules. Arithmetic + boolean operations. Vaults, payment channels, order books, ... CRYPTOGRAPHY STACK Curve25519-Dalek
  31. Ristretto255 Bulletproofs Vectorized elliptic curve operations. Safe prime order group.

    Versatile zero-knowledge proof system. pure Rust Cloak Constraints Instructions Your protocol Network rules + custom rules. Arithmetic + boolean operations. CRYPTOGRAPHY STACK Curve25519-Dalek Vaults, payment channels, order books, ...
  32. CONSTRAINTS (P = B + R·T) OR (X = Y)

    Custom composition of arithmetic and boolean expressions: R T mul B add P eq X Y eq or verify
  33. CONSTRAINTS

  34. Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify


    EX: CUSTOM CONSTRAINTS Create variables from commitments, make expressions, form constraints and add them to the constraint system. Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log
 signtx
 call
 delegate Stack push:n:x program:n:x
 drop
 dup:k
 roll:k

  35. Values issue
 borrow
 retire
 cloak:m:n
 Contracts input
 output:k
 contract:k
 log


    signtx
 call
 delegate Constraints neg
 add
 mul
 eq
 range:n
 and
 or not
 verify EX: CUSTOM CONSTRAINTS A variable defines a payment constraint with borrow + output.
 Negative value is mixed with an actual payment in the cloak. +V –V Variables const
 var
 alloc
 mintime
 maxtime
 unblind encrypt:n decrypt Stack push:n:x program:n:x
 drop
 dup:k
 roll:k

  36. LINEAR TYPES + CAPABILITIES In ZkVM contracts imperatively express their

    requirements,
 entirely avoiding bugs like confused deputy problem.
  37. CONFIDENTIALITY 1 2 Data security Data flow security

  38. DATA SECURITY All data is encrypted by default: account identifiers

    (via blinded keys), asset quantities and types, contract parameters: prices, time, rates. Contract logic is protected by Taproot: cooperation: single signature does not reveal parties or conditions, dispute: only a specific branch is revealed. 1
  39. DATA FLOW SECURITY Transaction graph is public to permit compression

    of UTXOs. Within a transaction, asset flow is fully hidden with Cloak. Aggregation of transfers improves security, also makes tx smaller+faster. Further improvements possible without changes to base protocol. 2
  40. PERFORMANCE

  41. PERFORMANCE Fast 1 <1 ms per output (up to 1000

    tx/sec). • vectorized implementation of Curve25519, • signature aggregation, • state of the art multi-scalar multiplication, • ≈1.5 Kb/proof, marginal cost 0.2–0.5 Kb/transfer.
  42. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. • rangeproofs for output values bear most of the cost, • signatures and custom constraints: 1-5% overhead. <1 ms per output (up to 1000 tx/sec).
  43. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. Scales with privacy 3 Aggregation saves space and time. • proof size is log(N), marginal cost goes to zero, • larger batches of ECC operations take N/log(N) time. <1 ms per output (up to 1000 tx/sec).
  44. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. Scales with privacy 3 Aggregation saves space and time. Free storage 4 Utreexo makes storage costs negligible. • storage costs log(N) (≈1 kilobyte without caching), • bandwidth overhead is 5-10% with caching
 (+ tens of megabytes) <1 ms per output (up to 1000 tx/sec).
  45. PERFORMANCE Fast 1 Always fast 2 Custom constraints are relatively

    cheap. Scales with privacy 3 Aggregation saves space and time. Free storage 4 Utreexo makes storage costs negligible. SPV-friendly 5 Bandwidth savings for mobile devices. <1 ms per output (up to 1000 tx/sec).
  46. CONCLUSION ZkVM is a transaction format for a multi-asset blockchain

    that scales to global use, protects data on-chain and provides programmable constraints to enable custom protocols.
  47. LEARN MORE & PARTICIPATE Specifications, code, whitepaper: https://github.com/stellar/slingshot Related projects:

    https://interstellar.com/protocol
  48. THANK YOU Oleg Andreev @oleganza ZkVM bulletproofs Cathie Yun @cathieyun

    Project Slingshot is sponsored by
 Inter/stellar and Stellar Development Foundation.