zk Magic

Transcript

1. Zero Knowledge Proofs (ZKP) Is it really black magic? I

   know that I learn nothing. Edi Sinovčić [email protected] twitter.com/edisinovcic linkedin.com/in/edi-sinovcic/

2. Agenda • What are ZKPs? • Real world example •

   Why ZKPs? • ZKP implementations ◦ SNARKS, STARKS, Bulletproofs, SNORKS • Projects using ZKPs • Rollups • ZoKrates ◦ Intro ◦ Proof of preimage example • Presentation is on link: http://bit.ly/zk-magic • Hackmd is on: https://hackmd.io/@0Y_-khwIRDCGImsY0ILMqQ/zk-magic/edit

3. What are ZKPs? The ability to prove honest computation without

   revealing inputs

4. A “real world” example • Telecom magnate deploying a new

   cellular network • Graph is structure of the network • Edges are connections between locations of cells where they overlap! -> Interference

5. A “real world” example (2) • Solution? • 3 different

   frequency bands! • Graph three-coloring problem • NP-complete • 11 towers… -> I can do this by hand! -> Easy!

6. A “real world” example (3) • USA ~ 100000 cellular

   towers! • Google? • They are expensive… • We won’t pay them until they deliver • They won’t deliver until we pay… • Solution? Layers, escrows ◦ Nah ◦ Let’s go crazy!

7. A “real world” example (4) • Let’s take big warehouse,

   papers, crayons and hats! • Let’s draw a blank cell network graph • We go out • Google enters and makes random assignment of 3 colors and colors papers • In the end Google covers all the vertices with hats!

8. A “real world” example (5) • Okay, but how we

   know that google has done this properly? • Let’s challenge them! • Let’s pick a random edge and Google will remove hats connection them • Result? ◦ We found invalid solution -> Google is lying! ◦ Different colors -> Google might not be lying

9. A “real world” example (6) • Okay, now we can

   say that maybe Google has found a solution • How to be sure? • Let’s try again! • Google shuffles colors • We choose one edge at random • Repeat until? • ~ E^2 iterations - we can be “sure” that Google is not lying • 1 iteration = (E-1)/E

10. A “real world” example (7) • Where is zero knowledge

    in all of this? • 3 properties: ◦ Completeness: If Google is telling the truth, they will eventually convince me (with high probability) ◦ Soundness: Google can only convince me if they are telling the truth! ◦ Zero-knowledgeness: I don’t learn anything else about Google’s solution

11. A “real world” example (8) • Real life hats? Computers!

    :) • Digital commitment scheme ◦ One party commits to a message while keeping it secret ◦ Later opens the commitment to reveal what’s inside • Prover encodes vertex coloring as a set of digital messages • Commitments are sent to Verifier • Verifier challenges on an edge, Prover reveals opening values • Prover = Google, Verifier = We • Zero knowledge part? Verifier is computer program that gets Provers input and computes it • We start program over and over until we are pretty sure (E^2 times)

12. Interactive vs Non-interactive proofs • Previous example was example of

    Interactive proof • Verifier online and interacting with us! • From Schnorr to Fiat and Shamir • NIZK - Non interactive zero knowledge proof • Let’s replace Verifier with hash function (random oracle) • Not just proof but also signature scheme - based on EdDSA ◦ https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange ◦ https://en.wikipedia.org/wiki/Digital_Signature_Algorithm

13. Why ZKPs? Because we can?

14. generality privacy Privacy

15. On-chain processing TX TX TX TX TX TX TX verify

    TX verify TX verify TX TX verify TX Scalability Off-chain processing

16. ZKP implementations • SNARKs • STARKs • Bulletproofs • SNORKs

17. • Succinct Non-interactive ARguments of Knowledge (with Trusted Setup) •

    Steps: ◦ Computation ◦ Arithmetic Circuit ◦ R1CS ◦ QAP - Quadratic Arithmetic Program ◦ zk-SNARK • efficient trustless SNARKs - future? SNARKS

18. STARKS • Succinct (Scalable) Transparent ARguments of Knowledge • STARKs

    are SNARKs without Trusted Setup • Quantum resistant cryptography

19. Bulletproofs • Non-interactive zero knowledge proofs (no trusted setup) •

    More time consuming than SNARKs • Enabling efficient confidential transaction in Bitcoin (UTXO based) • Range proofs • No pairings • Works with elliptic curves • Convertible to R1CS

20. SNORK • Succinct Oecumenical (Universal) ARguments of Knowledge • Polynomial

    commitment schemes • Trusted setup! - it is now universal and updatable! - can be reused • Sonic • PLONK • Marlin
21. None

22. Common Knowledge: Trusted Setup • Cryptographic system that is generated

    by certain initial parameters which are later destroyed • We trust the person to actually destroy the parameters -> trusted setup • MPC - multi party computation • Powers of Tau - constructs partial zkSNARK parameteres for all circuits ◦ Takes a step that is performed by all zkSNARK MPCs and does it in just one single ceremony ◦ BLS12-381 elliptic curve - https://github.com/zkcrypto/pairing/tree/master/src/bls12_381

23. Projects using ZKPs • Zcash • SNARKs • Zcash supports

    Shielded Transactions ◦ Shielded addresses (use zk-SNARKs) ▪ Transaction address (private) ▪ Amount (private) ▪ Memo field (private) ◦ Transparent addresses ▪ Everything is public ◦ No interoperability between shielded and transparent addresses (only shielded to shielded or transparent to transparent) • Ceremony for the trusted setup per circuit upgrade ◦ Painpoint or feature? :) • Libsnark (C++) -> Bellman (Sapling upgrade)

24. Projects using ZKPs • Monero • Bulletproofs • Transaction mixin

    ◦ Adding other user’s funds so that real sender cannot be detected ◦ Mixin level (fee) ◦ Ring CT (Ring confidential Transactions) ▪ Source (private) ▪ Amount (private) ▪ Only sender and receiver know this values

25. Projects using ZKPs • STARKs • Off-chain order relay with

    on-chain settlement • DEX ◦ (batching transactions off-chain)

26. Projects using ZKPs • Grin - scalable MimbleWimble chain implementation

    (Bulletproofs) • Beam - private and scalable coin based on MimbleWimble • SNARK based permission database ◦ Rollup by BarryWhitehat • Gnosis dFusion ◦ DEX on SNARKs • Loopring DEX protocol • zkPoD ◦ Practical decentralized system for data exchange • Etc.

27. Rollups • Matter Labs • Sidechain (maintained by users and

    operators offchain) - no L1 storage! ◦ Plasma problem -> availability • Rollup contract on the mainchain • Optimistic ◦ New state root published by operator without being checked by Rollup smart contract ◦ We hope state transition is correct! :O ◦ Others can point to malicious transaction and slash malicious operator ◦ ~ 500 TPS ◦ 1-2 weeks fraud proof challenge window!

28. Rollups (2) • ZK-Rollup ◦ Specialized (token transfers, atomic swaps...)

    ◦ No efficient technique for succinct recursive proof composition of ZKPs ▪ Different smart contracts in a single block ◦ Groth16 ▪ Cycles of elliptic curves - https://arxiv.org/abs/1803.02067 - inefficient for large computation ▪ Trusted setup - for every smart contract and every update! (Impossible in practice) ▪ FRI-based STARKs (limited in scope) - without trusted setup ◦ EVM support (Istanbul upgrade) ◦ ~ 2000 TPS ◦ For a block of 1000 tx ~ 20 minutes proof generation time ▪ GPU optimization - 10x - ASICs? • Instant transaction confirmation by operators - staking security deposit

29. ZoKrates • A high-level language • A compiler, which transforms

    programs to constraint systems provable with zkSNARKs • Tools for ◦ Setup phase ◦ Witness computation ◦ Proof generation ◦ Generation of Verification Smart Contract ◦ ... High Level Language PROVER VERIFIER.SOL

30. The ZoKrates Language • Imperative DSL • Python-inspired Syntax •

    Does not expose non-determinism to the programmer // Primitive Types field a = 42 bool b // Composite Types field[256] c = [0; 256] Point p = { x = 0, y = 1 }

31. Verification Smart Contract Overview compile setup compute- witness generate-proof export-verifier

    ZoKrates Code Flattened Code Witness Verification Key Proving Key Program Result + Proof

32. Zokrates - Proof of preimage • Example: https://zokrates.github.io/sha256example.html • Proving

    knowledge of the preimage for a given hash digest • Preimage = inverse image • Hash digest -> output of the hash • sha256packed - SHA256 optimized for ZoKrates DSL • 4 x 128bit inputs that represent 512 long input of sha256 ◦ Field can only hold 254 bits

33. ZoKrates - Proof of preimage - Verifier generation • Person

    A is Verifier • Person B is Prover • Person A computes the hash of the input value ◦ Compile ◦ Compute witness (0,0,0,5) • Person A adds the hash to the code ◦ h[0] == 263561599766550617289250058199814760685 ◦ h[1] == 65303172752238645975888084098459749904 ◦ And checks that hash is compatible with the requested one • Person A then generates the verification and proving key with setup • Person A than calls export verifier which generates solidity contract representation

34. ZoKrates - Proof of preimage - Verifier generation (2) •

    Person A than deploys smart contract on the network (in this case Rinkeby) • https://github.com/blockchain-it-hr/proof-of-preimage ◦ There are hash and hashspecific folders ◦ Hashspecific contains hash generated by input parameters: 0, 0, 0, 5 which are then checked against

35. ZoKrates - Proof of preimage - Proof generation • Person

    B is Prover • Person B wants to prove that he/she knows a preimage for a digest chosen by Person A • Person B has received proving key from Person A! • Person B provides a correct pre-image as an argument to the compute-witness (0,0,0,5) • Then person B generates proof that it will send to smart contract • Proofs consists of public inputs (without private ones! -> zero knowledge feature), 3 elliptic curve points and output of the computation • Proof generated like this is send to verifyTx function inside deployed smart contract • Person A listens to Verified event which is emitted upon successful verification

36. Q&A Edi Sinovčić [email protected] twitter.com/edisinovcic linkedin.com/in/edi-sinovcic/