
영지식 증명과 블록체인

kakao
December 09, 2022


#ZKP #Research #Klaytn

In a blockchain, every node transparently maintains the same ledger and executes and verifies every transaction, which creates both a privacy problem and a scalability problem. Across the blockchain scene, a great deal of research and development is under way that applies zero-knowledge proof technology to solve these two problems.

A zero-knowledge proof is a technique by which one party proves that it holds certain information without giving the other party any of that information. Applied to a blockchain, it solves the privacy problem, because the validity of a transaction can be verified without the transaction being disclosed, and it solves the scalability problem, because the execution and verification of a large number of transactions can be replaced by the verification of a single zero-knowledge proof (computation compression).

This session introduces the ZKP-based privacy research and scalability research under way at Klaytn, covering how each problem is solved and how the solutions were analysed. It is written to be easy to follow without prior knowledge, so we hope for your interest.

Speaker: iron.cho
I am Iron of the Krust Universe core dev team. I work on solving blockchain problems through research and development.


Transcript

  1. One-minute summary
    Hello,
    I am Iron of the Klaytn core development team.
    In this talk I would like to discuss zero-knowledge proof technology, which has recently become a hot topic in blockchain.
    I will explain what zero-knowledge technology is and how it solves the problems of privacy, scalability and interoperability in blockchain.
    The talk is structured so that anyone who has been interested in blockchain can understand zero-knowledge technology easily.
    Thank you for your interest.

  2. Zero-Knowledge Proofs and Blockchain
    iron.cho
    Krust Universe
    if(kakao)2022
    Copyright 2022. Kakao Corp. All rights reserved. Redistribution or public display is not permitted without written permission from Kakao.

  3. Who am I?
    Klaytn Core Dev Team | Research Part
    Iron.cho
    ✓ Research on the Advanced Technology Required for Klaytn Core; Research on ZKP-related Interoperability, Scalability and Privacy
    ✓ Activating the Blockchain Research Community: Planning and Implementation of the Blockchain Research Center (BRC) Program
    • Ph.D. Computer Science - Blockchain research
    • Emblock - Blockchain core and application tech
    • Microsoft - Testing Windows 8.1 project

  4. 1. Zero-knowledge proof (ZKP)?
    2. ZKP Research – Privacy
    3. ZKP Research – Scalability
    4. ZKP Research – Interoperability

  5. This talk is structured so as to explain ZKP simply.
    (ZKP technology is somewhat difficult and requires a good deal of prior knowledge.)
    For the exact technical constructions and terminology, please be sure to consult the reference materials!

  6. 1. Zero-knowledge proof (ZKP)?

  7. What does blockchain Mass Adoption need?
    Scalability, Privacy, Interoperability ….
    Decentralized
    Consensus
    Transparency
    Secure

  8. ZKP
    How ?

  9. Zero knowledge Proof #Ali Baba cave
    Proving without giving away knowledge.
    Alice: I want to prove that some fact or piece of information of mine is true.
    Bob: Even without knowing Alice's fact or information, I can tell whether it is true.

  10. Alice and Bob (figure): Alice holds Age = 23, Balance = 100 Klay, Degree = M.S. Bob asks "?" about each claim.
    Alice reveals Age = 23, Balance = 100 Klay, Degree = M.S, and Bob concludes Age = 23 True, Balance = 100 Klay True, Degree = M.S True.

  11. Alice and Bob with a trusted service in between (figure): Alice hands Age = 23, Balance = 100 Klay, Degree = M.S to the service (Trust : Service), and the service tells Bob Age True, Balance True, Degree True.

  12. Alice and Bob with Blockchain[Cypress] in between (figure): Alice's Age = 23, Balance = 100 Klay, Degree = M.S are recorded on the blockchain, which reports Age True, Balance True, Degree True to Bob.

  13. Alice and Bob with a proof (figure): Alice keeps Age = 23, Balance = 100 Klay, Degree = M.S to herself and submits π ≈ Proof; Bob and Blockchain[Cypress] see only "?" in place of the values, yet can conclude Age True, Balance True, Degree True.

  14. Z K P
    In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true. The essence of zero-knowledge proofs is that it is trivial to prove that one possesses knowledge of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information. [1]
    Properties:
    Completeness: if the statement is true, an honest prover convinces an honest verifier.
    Soundness: if the statement is false, a dishonest prover cannot convince the verifier (except with negligible probability).
    Zero-knowledge: the verifier learns nothing beyond the fact that the statement is true.
    Ref[1] : https://en.wikipedia.org/wiki/Zero-knowledge_proof#cite_note-:0-1

  15. Non-Interactive Zero-Knowledge Proof system
    In a non-interactive zero-knowledge proof system the prover sends the proof to the verifier only once.
    ✓ Send a message only once
    ✓ Connectionless
    -> suited to Blockchain
    zk-SNARK [2] : zero-knowledge Succinct Non-interactive ARgument of Knowledge
    Non-interactive + Succinctness:
    ✓ Assume the verifier has limited computational resources
    ✓ Reduce the ZKP proof size and verify quickly
    ✓ Maximize the practicality of non-interactive ZKP
    Ref[2] : https://eprint.iacr.org/2016/260.pdf

  16. Z K P
    How ?
    Zero Knowledge Proof: prove and verify
    magic

  17. zk-SNARK: Problem (Code) -> Algebraic Circuit -> R1CS -> QAP (Quadratic Arithmetic Program) -> Elliptic Curve Pairings
    Code: f(x): y = x³ + 2x² + x + 1, with (x = 2, y = 19)
    Circuit (every gate has the form C = A*B):
    Gate1: x*(x+2) = sym1
    Gate2: sym1*x = sym2
    Gate3: (sym2 + x + 1) * 1 = y (~out)
    R1CS: one row per gate, one column per variable in the order [1, x, sym1, sym2, y]; a witness S satisfies it when (A • S) (B • S) - C • S = 0 for every row.
    A:
    0 1 0 0 0
    0 0 1 0 0
    1 1 0 1 0
    B:
    2 1 0 0 0
    0 1 0 0 0
    1 0 0 0 0
    C:
    0 0 1 0 0
    0 0 0 1 0
    0 0 0 0 1
    QAP: one polynomial per variable, interpolated through the gate rows at t = 1, 2, 3; rows are the coefficients of 1, t, t².
    A[t]:
    1 4 -3 1 0
    -1.5 -4 4 -1.5 0
    0.5 1 -1 0.5 0
    B[t]:
    7 0 0 0 0
    -6.5 1.5 0 0 0
    1.5 -0.5 0 0 0
    C[t]:
    0 0 3 -3 1
    0 0 -2.5 4 -1.5
    0 0 0.5 -1 0.5
    A(t_0) * B(t_0) - C(t_0) = H(t_0) * Z(t_0)
    Trusted Party: picks t_0 and publishes A(t_0), B(t_0), C(t_0), H(t_0) hidden in the exponent (Discrete Logarithm Problem)
    Bilinear Pairing:
    e(G,G)^(A(t_0)*B(t_0)-C(t_0)) = e(G,G)^(H(t_0)*Z(t_0))
    e(π_a, π_b) / e(π_c, G) = e(π_h, Z(t_0) * G)
    Proof: π_a, π_b, π_c, π_h and π_a', π_b', π_c', π_s'
    Verifier (holding A[t], B[t], C[t], Z(t)):
    1) Check QAP divisibility
    2) Check validity of knowledge commitments for A, B, C
    3) Check same coefficients were used
    For the detailed principles of zk-SNARKs, please see reference [2]!
    magic
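
The circuit-to-R1CS-to-QAP pipeline of this slide worked through in code, as an added example that is not from the talk or from Klaytn: it flattens f(x) = x³ + 2x² + x + 1 into the three gates above, checks the R1CS with the witness s = [1, x, sym1, sym2, y] (the column order is an assumption that reproduces the slide's matrices), interpolates the A[t], B[t], C[t] polynomials exactly as printed, and performs the "check QAP divisibility" step in the clear: A(t)·B(t) - C(t) must be divisible by Z(t) = (t-1)(t-2)(t-3). A real zk-SNARK performs that last check at the hidden point t_0 through pairings; here the quotient H(t) is computed directly.

```python
from fractions import Fraction as Fr

# Constructed from slide 17: f(x) = x^3 + 2x^2 + x + 1 flattened into three gates.
# Witness vector s = [1, x, sym1, sym2, y]; one row per gate, one column per variable.
A = [[0, 1, 0, 0, 0], [0, 0, 1, 0, 0], [1, 1, 0, 1, 0]]
B = [[2, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
C = [[0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]

def witness(x):
    sym1 = x * (x + 2)                        # Gate1: x*(x+2) = sym1
    sym2 = sym1 * x                           # Gate2: sym1*x = sym2
    return [1, x, sym1, sym2, sym2 + x + 1]   # Gate3: (sym2 + x + 1)*1 = y

def r1cs_ok(s):                               # (A.s)*(B.s) - C.s = 0 for every gate
    dot = lambda row: sum(a * b for a, b in zip(row, s))
    return all(dot(a) * dot(b) == dot(c) for a, b, c in zip(A, B, C))

def pmul(p, q):                               # polynomials are coefficient lists, p[k] ~ t^k
    out = [Fr(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out

def lagrange(vals):                           # polynomial with p(g + 1) = vals[g] for gate g
    res = [Fr(0)] * len(vals)
    for i, v in enumerate(vals):
        basis, denom = [Fr(1)], 1
        for j in range(len(vals)):
            if j != i:
                basis, denom = pmul(basis, [-(j + 1), 1]), denom * (i - j)
        res = [r + Fr(v, denom) * b for r, b in zip(res, basis)]
    return res

def qap(M):                                   # one polynomial per variable: the slide's A[t], B[t], C[t]
    return [lagrange([row[v] for row in M]) for v in range(len(M[0]))]

def combine(polys, s):                        # A(t) = sum over variables v of s_v * A_v(t)
    return [sum(sv * c for sv, c in zip(s, col)) for col in zip(*polys)]

def pdivmod(num, den):                        # schoolbook division; returns (quotient, remainder)
    num, q = list(num), [Fr(0)] * (len(num) - len(den) + 1)
    for i in reversed(range(len(q))):
        q[i] = num[i + len(den) - 1] / den[-1]
        for j, d in enumerate(den):
            num[i + j] -= q[i] * d
    return q, num

def qap_check(s):                             # A(t)*B(t) - C(t) = H(t)*Z(t), Z(t) = (t-1)(t-2)(t-3)
    As, Bs, Cs = (combine(qap(M), s) for M in (A, B, C))
    P = [p - c for p, c in zip(pmul(As, Bs), Cs + [0, 0])]
    Hq, R = pdivmod(P, pmul(pmul([-1, 1], [-2, 1]), [-3, 1]))
    return all(r == 0 for r in R), Hq         # divisible (valid witness) and the quotient H(t)
```

With x = 2 the witness is [1, 2, 8, 16, 19], the interpolated columns match the slide's matrices, and the quotient comes out as H(t) = 1.25t - 2; a tampered witness such as y = 20 leaves a non-zero remainder.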

  18. Zk Snark Magic: Algebraic Circuit -> R1CS -> QAP -> Elliptic Curve Pairings
    ✓ F( ) = Original Problem
    ✓ x = secret (witness)
    ✓ y = result
    ✓ F(x) = y
    ✓ F'( ) = Transformed Problem -> Proving, Verifying
    ✓ Proving(x) = π (Proof)
    ✓ Verify(π) = result (True | False)
    ≈ ZKP's problem transformation

  19. Zk Snark Magic ≈ Transform the problem into a zero-knowledge proof
    CRS (common reference string) ≈ Proving Key (pk), Verifying Key (vk)
    Alice = Prover; Problem = F(): Age == 23, Balance == 100 Klay, Degree == M.S
    w = witness: X = 23, Balance = 100 Klay, Degree = M.S
    Setup (Trust Party): λ : security parameter (toxic waste) -> Transformed Problem = F'() -> Proving(), Verifying()
    Compile -> Generate Proof: Proving(w, pk) = π (proof)
    Generate Verifying Contract -> Verifying Proof: Verifying(π, vk) in the Verifying Contract on Cypress-Blockchain -> True | False

  20. Want more information on ZKP?
    Klay Makers zkp Workshop
    • Awesome : https://github.com/matter-labs/awesome-zero-knowledge-proofs
    • https://eprint.iacr.org/2016/260.pdf
    • Zcash ZKP : https://z.cash/technology/zksnarks/
    • Vitalik Buterin's blog series on SNARKs
    • https://eprint.iacr.org/2013/879.pdf
    • https://www.youtube.com/user/hhanh01/videos
    • https://www.youtube.com/watch?v=_6TqUNVLChc
    • https://eprint.iacr.org/2013/279.pdf

  21. 2. ZKP Research – Privacy

  22. Blockchain Privacy: Transparent vs. Privacy

  23. Web 2.0 Apps vs. Web 3.0 DApps (figure)
    > Web 2.0 Apps do not broadcast private data on a public network
    > Web 3.0 DApps are not privacy friendly
    -> privacy friendly

  24. Digital Asset: Native Coin, Token
    Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature)

  25. Privacy approaches: Segregating, Unlinking, Hiding
    Off-payment channel
    Onetime Address
    Mixing
    Ring Signature
    Ledger Segregating
    Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature)

  26. Blockchain / Wallet (figure): Alice(EOA) sends 100 Klay to Bob(EOA)
    Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature)
    Tx = Alice Sig, Alice addr, Bob addr, 100
    If tx valid: Alice state update, Bob state update
    1. Ownership (Signature)
    2. Balance (Integrity)
    3. Double Spending
    4. Protocol Rule

  27. How, with zero-knowledge proofs?
    zero-knowledge proof ≈ no information except whether the statement is true or false.
    Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature)
    Transaction -> Valid? -> π -> Blockchain

  28. Problem 1 : Hiding Transaction ≈ Sender, Receiver, amount (Balance, Sender, Receiver, amount)
    KLAYTN (State Model): Contract > cryptography
    UTXO Model: To Address Alice, V; V = V' + V'' (Unspent / Spent)

  29. Problem 2 : Transaction validation & update
    Cypress-Blockchain: Verify() if π is valid (Balance, Sig; Sender, Receiver, amount) -> Update

  30. Commitment: CM := Hash(v||addr||o)
    Alice(EOA) -> Cypress-Blockchain -> Bob(EOA)
    CM1 = Hash(100Klay | Alice | o)
    CM2 = Hash(100Klay | Bob | o)
    Update: CM1 -> CM2
    How to ?
    1. Ownership (Signature)
    2. Balance (Integrity)
    3. Double Spending
    4. Protocol Rule

  31. How to ?
    > Ownership (Signature)
    2. Balance (Integrity)
    > Double Spending
    4. Protocol Rule
    Alice(EOA) -> Cypress-Blockchain -> Bob(EOA)
    CM1 = Hash(100Klay | Alice | o), CM2 = Hash(100Klay | Bob | o)
    Commitment list (COM): CM1, CM2, CM3, CM4, ...
    Ownership: sk_own
    Double Spending: Nullifier nf = Hash(sk_own, CM1)

  32. How to ?
    1. Ownership (Signature)
    > Balance (Integrity)
    3. Double Spending
    4. Protocol Rule
    Alice(EOA) -> Cypress-Blockchain -> Bob(EOA)
    CM1 = Hash(100Klay | Alice | o), CM2 = Hash(100Klay | Bob | o)
    Membership Proof against the Merkle root RT over the commitments A, B, CM1: Co-Path = A, B, CM1

  33. How to ?
    1. Ownership (Signature)
    2. Balance (Integrity)
    3. Double Spending
    > Protocol Rule
    ZKP π (proof) covers:
    ✓ Membership proof (rt, CM1, Path)
    ✓ CM1 = Hash(100Klay | Alice | o)
    ✓ CM2 = Hash(100Klay | Bob | o)
    ✓ nf1 = Hash(sk_own, CM1)
    ✓ PCT Bob
    ✓ PCT Audit
    ✓ Update process
    Verify on Cypress-Blockchain:
    ✓ CM2
    ✓ rt
    ✓ nf1
    ✓ If π is valid : Update
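
The four checks of slides 30 to 33 evaluated in the clear, as an added example that is not code from the talk or from Azeroth: commitment CM = Hash(v||addr||o), nullifier nf = Hash(sk_own, CM), the Merkle membership proof (rt, CM1, path) and the ledger update that records nf and appends CM2. SHA-256 stands in for the slide's Hash, the address derivation addr = Hash("addr", sk_own) and the filler notes A and B are constructed assumptions; in the real system this statement is what the circuit proves, and only (rt, nf, CM2, π) reach the chain.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts; stand-in for the slide's Hash()."""
    return hashlib.sha256(b"".join(parts)).digest()

def addr_of(sk_own: bytes) -> bytes:          # assumption: address derived from sk_own
    return H(b"addr", sk_own)

def commitment(v: int, addr: bytes, o: bytes) -> bytes:
    return H(v.to_bytes(8, "big"), addr, o)   # CM := Hash(v || addr || o)

def nullifier(sk_own: bytes, cm: bytes) -> bytes:
    return H(sk_own, cm)                      # nf := Hash(sk_own, cm)

def merkle_path(leaves, idx):
    """Return (root, co-path) for leaf idx; entries are (sibling, sibling_is_left)."""
    level, path = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:                    # duplicate the last node on odd levels
            level = level + [level[-1]]
        path.append((level[idx ^ 1], idx % 2 == 1))
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return level[0], path

def verify_membership(rt: bytes, cm: bytes, path) -> bool:
    for sib, sib_is_left in path:
        cm = H(sib, cm) if sib_is_left else H(cm, sib)
    return cm == rt

class ShieldedLedger:
    """Contract-side state: historical roots, spent nullifiers, commitment list."""
    def __init__(self, commitments):
        self.cms, self.spent = list(commitments), set()
        self.roots = {merkle_path(self.cms, 0)[0]}

    def zk_transfer(self, rt, nf, cm_out, witness):
        """The statement the circuit proves, checked here in the clear. On chain only
        (rt, nf, cm_out, pi) are public; the witness never leaves the prover."""
        sk, v_in, addr_in, o_in, path, v_out, addr_out, o_out = witness
        cm_in = commitment(v_in, addr_in, o_in)
        ok = (addr_in == addr_of(sk)                                            # 1. ownership
              and v_in == v_out and cm_out == commitment(v_out, addr_out, o_out)  # 2. balance
              and nf not in self.spent and nf == nullifier(sk, cm_in)          # 3. double spending
              and rt in self.roots and verify_membership(rt, cm_in, path))     # 4. membership (rt, cm1, path)
        if ok:                                                                  # update: record nf, append CM2
            self.spent.add(nf)
            self.cms.append(cm_out)
            self.roots.add(merkle_path(self.cms, 0)[0])
        return ok
```

A second submission of the same (rt, nf1, CM2) is rejected because nf1 is already in the spent set, which is exactly how the nullifier prevents double spending without revealing which commitment was consumed.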

  34. Privacy vs. Audit (figure): ZKP privacy on a blockchain can shelter money laundering and drug trafficking, so the Cypress-Blockchain ZKP design adds Audit.
    "Azeroth [3] [Auditable Zero-knowledge Transactions in Smart Contracts]"
    Performance + Audit
    https://www.zkrypto.com/ : ZKP core tech, Rollup, Privacy, Voting, DID
    [3] : Azeroth https://eprint.iacr.org/2022/211.pdf

  35. Transaction Type | Proof Generate time | Gas
    Zether[4] transfer | 17.9 sec | 606 million
    Zether[4] withdraw | 8.5 sec | 245 million
    Zeth[5] transfer | 13.2 sec | 142 million
    Zeth[5] withdraw | 13.5 sec | 145 million
    Azeroth zkTransfer (transfer, withdraw) | 0.9 sec | 150 million
    • Private Network Solo Consensus Node CN 1 / PN 1 / EN 1 (local network): macmini i7
    • Zether (sigma-bulletproof)
    • Zeth (GROTH16)
    • Azeroth (GROTH16)
    • Azeroth (GROTH16) Tx_Latency : 3.5 sec (Client : 1.9 + KLAYTN Blockchain : 1.6)
    • ZK-friendly cryptography, optimization
    Ref[4] : https://crypto.stanford.edu/~buenz/papers/zether.pdf
    Ref[5] : https://arxiv.org/pdf/1904.00905.pdf

  36. Research on improvement of Azeroth
    ✓ Usability
    ✓ Wallet support
    ✓ Security
    ✓ Performance (Gas) : Layer 2, Membership proof, Structure
    Next !

  37. 3. ZKP Research – Scalability

  38. Blockchain Scalability
    Decentralized
    Consensus
    Transparency
    Secure
    Low TPS, High gas cost, Storage ….

  39. Mainchain L1: Sharding, Consensus, Network, Storage, cryptography, EVM…
    L2 Solution (L1 offchain): Lightning network, state channel, side chain, Plasma.. and .. Rollup

  40. Cypress-Blockchain (figure): Layer 1 Contract <- Batch (StateRoot, Data (highly compressed)) <- Layer 2: Tx1, Tx2, Tx3, Tx4, Tx5, Tx6, ...
    Single L1 Transaction > 1000 L2 Transactions
    Valid ?

  41. How, with zero-knowledge proofs?
    zero-knowledge proof ≈ no information except whether the statement is true or false.
    ≈ L2 Transactions -> ZKP -> π (Proof) -> Layer1 Contract: Verify

  42. zk Rollup Structure
    • L1 trusts the L2 ZKP proof -> L1 verify
    • Compression effect on transaction execution and validation
    Layer 2: Tx1, Tx2, Tx3, Tx4, Tx5, Tx6, ... (ERC20, ETHER: Transfer, Deposit, Withdraw) -> Tx verification conditions = Circuit Constraint -> π (proof) per block
    Block1 π (proof), Block2 π (proof), Block3 ... -> Aggregate -> Πblock
    Layer1: Data, State Root, Verify(Πblock)

  43. zk Rollup Structure
    Alice, Bob: Deposit / Withdraw (Full Exit) between the Layer1 Contract and Layer2 (L2 State)
    L1 Transaction: L1 -> L2 -> L2 Block Commit (stateRoot, L2 data), commit proof -> L1 verify -> Finalize state
    L2 Transaction: L2 -> L2 -> L2 Block Commit (stateRoot, L2 data), commit proof -> L1 verify -> Finalize state
    ZKP proof -> Verify Block & finalize state
    Server / Prover, State Merkle Tree
    Transaction state : Committed, Verified


  45. zk Rollup Structure
    ▪ Data Availability : the L2 data update for every block is published over the mainchain network
    ▪ Users can always retrieve their funds from the Rollup even if the validator(s) stop cooperating, because the data is available -> Modular Blockchain
    ▪ On-chain Operation -> withdraw : Opcode, Account, Amount, …
    ▪ L2 Data (highly compressed)

  46. zkEVM (2.0)
    • zkEVM : a virtual machine that executes EVM computation in a manner compatible with zero-knowledge proof computations.
    • ZKP complexity -> Smart Contract Deploy (lang support) -> Proof, Circuit, verify
    • Supports smart contract development tools
    • zk-friendly : Hash function (SHA256, Keccak256), cryptography, computation

  47. • Rollup & zkEVM
    • L2 Cost & Block Commit (block size chunk), zk-SNARK 1 ≈ 1000
    • TPS & Tx Latency

  48. 4. ZKP Research – Interoperability

  49. Blockchain Interoperability: Bridge

  50. Bridge
    Trust party: Blockchain A Contract <-> Service provider (Operator, Validator) <-> Blockchain B Contract -> Security threats
    Trustless: Blockchain A Contract <-> Blockchain B Contract

  51. How can we make a trustless bridge?
    zero-knowledge proof: no information except whether the statement is true or false.
    Alice(EOA) on Blockchain A -> π -> Contract on Blockchain B, and Alice(EOA) on Blockchain B -> π -> Contract on Blockchain A
    >> Each isolated chain only trusts the ZKP proof

  52. How can we tell that a transaction was processed correctly on both chains and included in a block?
    Block Header / Consensus Node
    > Blockchain Consensus
    > Transaction Execution
    ! Difficult (Consensus)
    ! High computation cost off chain (Cryptography)
    ! Non-ZKP
    Next: Header.receiptsRoot (merkle root), Tx_receipt, Merkle Path
    Tx_receipt.Log[Idx].From = User (MC)
    Tx_receipt.Log[Idx].To = Bridge Addr (MC, hardcoded)
    Tx_receipt.Log[Idx].Amount = Amount
    Tx_receipt.Log[Idx].DestinationBridgeAddr (SC, hardcoded)
    Tx_receipt.Log[Idx].SC_Account = User (SC)
    Tx_receipt.Status (hardcoded)
