Slide 1

Slide 1 text

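One-minute summary: Hello, I am Iron from the Klaytn core development team. In this talk I would like to discuss zero-knowledge proof technology, which has recently become a hot topic in blockchain. I will explain what zero-knowledge technology is and how it addresses blockchain's privacy, scalability, and interoperability problems. The talk is structured so that anyone with an interest in blockchain can follow zero-knowledge technology. Thank you for your interest.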

Slide 2

Slide 2 text

Zero-Knowledge Proofs and Blockchain. 조수환 (iron.cho), Krust Universe. if(kakao)2022. #Hot, hot #Zero-knowledge #In blockchain. Copyright 2022. Kakao Corp. All rights reserved. Redistribution or public display is not permitted without written permission from Kakao.

Slide 3

Slide 3 text

Who are you? Klaytn Core Dev Team | Research Part, Iron.cho
✓ Research on the Advanced Technology Required for Klaytn Core: Research on ZKP related Interoperability, Scalability, and Privacy
✓ Activating the Blockchain Research Community: Planning and Implementation of the Blockchain Research Center (BRC) Program
#Go-to place for global blockchain research #Rising star
• Ph.D. Computer Science - Research Blockchain
• Emblock - Blockchain core and application tech
• Microsoft - Testing Windows 8.1 project

Slide 4

Slide 4 text

1. Zero-knowledge proof (ZKP)?
2. ZKP Research – Privacy
3. ZKP Research – Scalability
4. ZKP Research – Interoperability

Slide 5

Slide 5 text

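This talk is organized to explain ZKP in simple terms. (ZKP technology is somewhat difficult and requires a lot of background knowledge.) For the precise technical construction and terminology, please be sure to consult the reference materials!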

Slide 6

Slide 6 text

1. Zero-knowledge proof (ZKP)?

Slide 7

Slide 7 text

For blockchain mass adoption: Scalability, Privacy, Interoperability … Decentralized, Consensus, Transparency, Secure

Slide 8

Slide 8 text

ZKP How ?

Slide 9

Slide 9 text

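Zero Knowledge Proof #Ali Baba cave. Proving without knowledge.
Alice: I want to prove that some fact or piece of information of mine is true.
Bob: Even without knowing Alice's fact or information, I can tell whether it is true.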

Slide 10

Slide 10 text

Alice Bob Age = 23 Balance = 100 Klay Degree = M.S ? Age = 23 Balance = 100 Klay Degree = M.S Alice Age = 23 True Balance = 100 Klay True Degree = M.S True

Slide 11

Slide 11 text

Alice Bob Age = 23 Balance = 100 Klay Degree = M.S Age = 23 Balance = 100 Klay Degree = M.S Trust : Service Age True Balance True Degree True Alice

Slide 12

Slide 12 text

Alice Bob Age = 23 Balance = 100 Klay Degree = M.S Blockchain[Cypress] Age True Balance True Degree True Age = 23 Balance = 100 Klay Degree = M.S Alice

Slide 13

Slide 13 text

Alice Bob Age = 23 Balance = 100 Klay Degree = M.S Age True Balance True Degree True π ≈ Proof ? Alice ? Blockchain[Cypress]

Slide 14

Slide 14 text

ZKP
In cryptography [1], a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true. The essence of zero-knowledge proofs is that it is trivial to prove that one possesses knowledge of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information.
Zero-knowledge properties:
Completeness: true -> honest prover, honest verifier
Soundness: false -> dishonest prover, verifier
Zero-knowledge: verifier, zero
Ref [1]: https://en.wikipedia.org/wiki/Zero-knowledge_proof#cite_note-:0-1

Slide 15

Slide 15 text

Non-Interactive Zero-Knowledge Proof system
In a non-interactive zero-knowledge proof system, the Prover sends the Proof to the Verifier only once.
✓ Send a message only once
✓ Connectionless
Blockchain: zk-SNARKs [2]
zk-SNARK: zero-knowledge Succinct Non-interactive Argument of Knowledge
Non-interactive, Succinctness:
✓ Assume verifier has limited computational resources
✓ Reduce ZKP's proof size and verify quickly
✓ Maximize the practicality of non-interactive ZKP
Ref [2]: https://eprint.iacr.org/2016/260.pdf

Slide 16

Slide 16 text

ZKP How? Zero Knowledge Proof: prove and verify. Magic

Slide 17

Slide 17 text

zk-SNARK: Algebraic Circuit -> R1CS -> QAP (Quadratic Arithmetic Program) -> Elliptic Curve Pairings
Problem (Code): f(x): y = x³ + 2x² + x + 1 (x = 2, y = 19)
Circuit (each gate has the form C = A * B):
Gate1: x * (x + 2) = sym1
Gate2: sym1 * x = sym2
Gate3: (sym2 + x + 1) * 1 = y (~out)
R1CS: (A · S) * (B · S) - (C · S) = 0
A =
0 1 0 0 0
0 0 1 0 0
1 1 0 1 0
B =
2 1 0 0 0
0 1 0 0 0
1 0 0 0 0
C =
0 0 1 0 0
0 0 0 1 0
0 0 0 0 1
QAP: A[t], B[t], C[t]
A[t] =
1 4 -3 1 0
-1.5 -4 4 -1.5 0
0.5 1 -1 0.5 0
B[t] =
7 0 0 0 0
-6.5 1.5 0 0 0
1.5 -0.5 0 0 0
C[t] =
0 0 3 -3 1
0 0 -2.5 4 -1.5
0 0 0.5 -1 0.5
A(t_0) * B(t_0) - C(t_0) = H(t_0) * Z(t_0)
Trusted Party: (t_0); A(t_0), B(t_0), C(t_0), H(t_0)
Discrete Logarithm Problem: e(G,G)^(A(t_0)*B(t_0) - C(t_0)) = e(G,G)^(H(t_0)*Z(t_0))
Bilinear Pairing: e(π_a, π_b) / e(π_c, G) = e(π_h, Z(t_0) * G)
Proof: π_a, π_b, π_c, π_h, π_a', π_b', π_c', π_s'
Verifier: 1) Check QAP divisibility 2) Check validity of knowledge commitments for A, B, C 3) Check same coefficients were used
A[t], B[t], C[t], Z(t)
For the detailed principles of zk-SNARKs, please see reference [2]!
Magic
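
The R1CS and QAP steps on this slide can be checked numerically. The Python below is an added example, not part of the original deck: the witness order s = [1, x, sym1, sym2, y] is inferred from the matrices, the function names are illustrative, and exact rationals stand in for the finite field a real zk-SNARK uses.

```python
from fractions import Fraction as F

# R1CS from the slide; columns follow the assumed witness order
# s = [1, x, sym1, sym2, y] (inferred from the matrices, not stated on the slide).
A = [[0, 1, 0, 0, 0], [0, 0, 1, 0, 0], [1, 1, 0, 1, 0]]
B = [[2, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
C = [[0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]

def witness(x):
    sym1 = x * (x + 2)                       # Gate1
    sym2 = sym1 * x                          # Gate2
    return [1, x, sym1, sym2, sym2 + x + 1]  # Gate3 yields y

def r1cs_ok(s):                              # (A.s) * (B.s) - (C.s) = 0 per gate
    dot = lambda row: sum(a * b for a, b in zip(row, s))
    return all(dot(a) * dot(b) == dot(c) for a, b, c in zip(A, B, C))

def poly_mul(p, q):                          # coefficient lists, constant term first
    out = [F(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out

def interpolate(ys):                         # Lagrange through (1, ys[0]), (2, ys[1]), ...
    total = [F(0)] * len(ys)
    for i, y in enumerate(ys):
        basis = [F(1)]
        for j in range(len(ys)):
            if j != i:
                basis = poly_mul(basis, [F(-(j + 1), i - j), F(1, i - j)])
        total = [t + y * b for t, b in zip(total, basis)]
    return total

def combine(M, s):                           # sum_k s[k] * M_k(t), one polynomial per column
    cols = [interpolate([row[k] for row in M]) for k in range(len(s))]
    return [sum(s[k] * col[d] for k, col in enumerate(cols)) for d in range(len(M))]

def qap_check(s):                            # (H, remainder) of (A(t)B(t) - C(t)) / Z(t)
    p = poly_mul(combine(A, s), combine(B, s))
    for i, c in enumerate(combine(C, s)):
        p[i] -= c
    z = [F(-6), F(11), F(-6), F(1)]          # Z(t) = (t-1)(t-2)(t-3), monic
    h = [F(0)] * (len(p) - len(z) + 1)
    for d in reversed(range(len(h))):        # schoolbook long division
        h[d] = p[d + len(z) - 1]
        for k, zc in enumerate(z):
            p[d + k] -= h[d] * zc
    return h, p[:len(z) - 1]
```

For x = 2 the remainder is zero, which is the "QAP divisibility" condition the verifier checks; a witness with a wrong y leaves a non-zero remainder.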

Slide 18

Slide 18 text

zk-SNARK Magic: Algebraic Circuit -> R1CS -> QAP -> Elliptic Curve Pairings
✓ F() = Original Problem
✓ x = secret (witness)
✓ y = result
✓ F(x) = y
✓ F'() = Transform Problem -> Proving, Verifying
✓ Proving(x) = π (Proof)
✓ Verify(π) = result (True | False)
≈ ZKP's problem transformation

Slide 19

Slide 19 text

Setup: Trust Party. λ: security parameter (toxic waste). CRS (common reference string) ≈ Proving Key (pk), Verifying Key (vk)
Problem = F(): Age == 23, Balance == 100 Klay, Degree == M.S
zk-SNARK Magic ≈ transform the problem into a zero-knowledge proof: Transform Problem = F'() -> Proving(), Verifying()
Alice = Prover. w = witness: X = 23, Balance = 100 Klay, Degree = M.S
Proving(w, pk) = π (proof)
Cypress-Blockchain, Verifying Contract: Verifying(π, vk) -> True | False
Steps: Compile, Generate Proof, Generate Verifying Contract, Verifying Proof, Setup

Slide 20

Slide 20 text

Want more information on ZKP? Klay Makers ZKP Workshop
• Awesome: https://github.com/matter-labs/awesome-zero-knowledge-proofs
• https://eprint.iacr.org/2016/260.pdf
• Zcash ZKP: https://z.cash/technology/zksnarks/
• Vitalik Buterin's blog series on SNARKs
• https://eprint.iacr.org/2013/879.pdf
• https://www.youtube.com/user/hhanh01/videos
• https://www.youtube.com/watch?v=_6TqUNVLChc
• https://eprint.iacr.org/2013/279.pdf

Slide 21

Slide 21 text

2. Zkp Research – Privacy

Slide 22

Slide 22 text

Blockchain Privacy Transparent Privacy

Slide 23

Slide 23 text

> not broadcast private data on public network > not privacy friendly Web 2.0 Web 3.0 Apps DApps privacy friendly

Slide 24

Slide 24 text

Digital Asset Native Coin, Token Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature)

Slide 25

Slide 25 text

Segregating Unlinking Hiding Off-payment channel Onetime Address Mixing Ring Signature Ledger Segregating Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature)

Slide 26

Slide 26 text

Blockchain Wallet: Bob (EOA), Alice (EOA), 100 Klay. Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature). Alice state update, Bob state update. Tx = Alice Sig, Alice addr, Bob addr, 100. If tx valid: 1. Ownership (Signature) 2. Balance (Integrity) 3. Double Spending 4. Protocol Rule

Slide 27

Slide 27 text

How, with zero-knowledge proofs? Zero-knowledge proof ≈ no information except whether the statement is true or false. Transaction ≈ Sender, Receiver, amount + Ownership (Digital Signature). Transaction -> Valid? Blockchain, π

Slide 28

Slide 28 text

Problem 1: Hiding. Transaction ≈ Sender, Receiver, amount. Balance, Sender, Receiver, amount. KLAYTN (State Model) Contract > cryptography. UTXO Model: To Address, Alice Address, Alice V, V = V' + V'', Unspent, Spent. Balance, Sender, Receiver, amount

Slide 29

Slide 29 text

Problem 2: Transaction validation & update. Cypress-Blockchain: Verify(); if π is valid: Update. Balance, Sig, Sender, Receiver, amount

Slide 30

Slide 30 text

Commitment: CM := Hash(v || addr || o)
Alice (EOA), Cypress-Blockchain, Bob (EOA)
CM1 = Hash(100 Klay | Alice | O), CM2 = Hash(100 Klay | Bob | O). CM1, CM2: Update
How to? 1. Ownership (Signature) 2. Balance (Integrity) 3. Double Spending 4. Protocol Rule

Slide 31

Slide 31 text

How to? > Ownership (Signature) 2. Balance (Integrity) > Double Spending 4. Protocol Rule
Alice (EOA), Cypress-Blockchain, Bob (EOA)
CM1 = Hash(100 Klay | Alice | O), CM2 = Hash(100 Klay | Bob | O)
COM: CM1, CM2, CM3, CM4, ...
Nullifier: Nf. Double Spending: Nf = Hash(Sk_own, cm1). Ownership: Sk_own

Slide 32

Slide 32 text

How to? 1. Ownership (Signature) > Balance (Integrity) 3. Double Spending 4. Protocol Rule
Alice (EOA), Cypress-Blockchain, Bob (EOA)
CM1 = Hash(100 Klay | Alice | O), CM2 = Hash(100 Klay | Bob | O)
Membership Proof: RT; Co-Path = A, B; Cm1

Slide 33

Slide 33 text

How to? 1. Ownership (Signature) 2. Balance (Integrity) 3. Double Spending > Protocol Rule
ZKP π (proof):
✓ Membership proof (rt, Cm1, Path)
✓ CM1 = Hash(100 Klay | Alice | O)
✓ CM2 = Hash(100 Klay | Bob | O)
✓ nf1 = Hash(Sk_own, Cm1)
✓ PCT bob
✓ PCT Audit
✓ Update process
Verify (Cypress-Blockchain):
✓ CM2
✓ rt
✓ nf1
✓ If π is valid: Update
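
The checks built up on slides 30 to 33 (commitment, nullifier, Merkle membership, double-spend rejection) can be written out in the clear to show what the proof π attests to and what the contract sees. This is an added sketch, not Azeroth or Klaytn code: SHA-256 with length-prefixed fields, the 8-byte value encoding, the witness dictionary layout and all function names are assumptions, and `proof_ok` stands in for Verify(π, vk).

```python
import hashlib

def H(*parts):
    h = hashlib.sha256()
    for p in parts:                        # length-prefix each field
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def commit(v, addr, o):                    # CM := Hash(v || addr || o)
    return H(v.to_bytes(8, "big"), addr, o)

def nullifier(sk_own, cm):                 # Nf = Hash(Sk_own, cm)
    return H(sk_own, cm)

def merkle_levels(leaves):                 # leaf count must be a power of two
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def co_path(levels, idx):                  # siblings from the leaf up to the root
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx //= 2
    return path

def root_from(cm, idx, path):
    for sib in path:
        cm = H(cm, sib) if idx % 2 == 0 else H(sib, cm)
        idx //= 2
    return cm

def relation(rt, nf, cm_new, w):
    """Statement the proof attests to; w is the private witness (never published)."""
    cm_old = commit(w["v"], w["addr"], w["o"])
    return (root_from(cm_old, w["idx"], w["path"]) == rt        # membership
            and nf == nullifier(w["sk_own"], cm_old)             # ownership
            and cm_new == commit(w["v"], w["to"], w["o_new"]))   # value preserved

def contract_accepts(state, rt, nf, cm_new, proof_ok):
    """On-chain side: sees only rt, nf, cm_new and the proof verdict."""
    if not proof_ok or rt != state["rt"] or nf in state["spent"]:
        return False                       # bad proof, unknown root, or double spend
    state["spent"].add(nf)
    state["cms"].append(cm_new)            # root recomputation omitted in this sketch
    return True
```

Replaying the same nullifier is rejected even with a valid proof, which is how double spending is caught without revealing which commitment was spent.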

Slide 34

Slide 34 text

money laundering drug trafficking Audit Cypress-Blockchain Zkp Privacy money laundering drug trafficking Blockchain Zkp Privacy “Azeroth [3] [Auditable Zero-knowledge Transactions in Smart Contracts] ” Performance + Audit https://www.zkrypto.com/ Zkp core, tech. Rollup Privacy, Voting, did [3] : Azeroth https://eprint.iacr.org/2022/211.pdf

Slide 35

Slide 35 text

| Scheme | Transaction type | Proof generation time | Gas |
|---|---|---|---|
| Zether [4] | transfer | 17.9 sec | 606 million |
| Zether [4] | withdraw | 8.5 sec | 245 million |
| Zeth [5] | transfer | 13.2 sec | 142 million |
| Zeth [5] | withdraw | 13.5 sec | 145 million |
| Azeroth | zkTransfer (transfer, withdraw) | 0.9 sec | 150 million |

• Private network, solo consensus node, CN 1 / PN 1 / EN 1 (local network): macmini i7
• Zether (sigma-bulletproof)
• Zeth (GROTH16)
• Azeroth (GROTH16)
• Azeroth (GROTH16) Tx_Latency: 3.5 sec (Client: 1.9 + KLAYTN Blockchain: 1.6)
• ZK-friendly cryptography, optimization
Ref [4]: https://crypto.stanford.edu/~buenz/papers/zether.pdf
Ref [5]: https://arxiv.org/pdf/1904.00905.pdf

Slide 36

Slide 36 text

Research on improvement of Azeroth ✓ Usability ✓ Wallet support ✓ Security ✓ Performance (Gas) : Layer 2 , Membership proof, Structure Next !

Slide 37

Slide 37 text

3. zkp Research - Scalability

Slide 38

Slide 38 text

Blockchain Scalability: Decentralized, Consensus, Transparency, Secure. Low TPS, high gas cost, storage …

Slide 39

Slide 39 text

Sharding, Consensus, Network, Storage, cryptography EVM… Mainchain L1 Lightning network, state channel, side chain, Plasma.. .. And .. Rollup L2 Solution(L1 offchain)

Slide 40

Slide 40 text

Cypress- Blockchain Layer 1 Layer 2 Tx1 Tx2 Tx3 Tx4 Tx5 Tx6 .. . Contract Batch StateRoot Data (Highly compression ) Single Transaction L2 1000 Transaction > Valid ?

Slide 41

Slide 41 text

How, with zero-knowledge proofs? Zero-knowledge proof ≈ no information except whether the statement is true or false. Transactions ≈ L2 Transactions. Transactions -> ZKP -> π (Proof) -> Layer1 Contract: Verify

Slide 42

Slide 42 text

zk Rollup Structure
• L1 Trust: L2 ZKP proof -> L1 verify
• Compression effect on transaction execution and validation
Layer 2: Tx1, Tx2, Tx3, Tx4, Tx5, Tx6, ... (ERC20, ETHER: Transfer, Deposit, Withdraw). Tx verification conditions: Circuit Constraint. Block1, Block2, Block3: π (proof), π (proof), π (proof) -> Aggregate -> Πblock
Layer 1: Data, State Root, Verify(Πblock)

Slide 43

Slide 43 text

zk Rollup Structure Alice Bob Deposit Withdraw (Full Exit) Alice Bob Layer2 L2 State Deposit Withdraw (Full Exit) Layer1 Contract L1 Transaction L1 -> L2-> L2 –Block Commit (stateRoot, L2 data), commit proof -> L1-verify -> Finalize state L2 Transaction L2-> L2 -> L2-Block Commit (stateRoot, L2 data), commit proof -> L1-verify -> Finalize state Zkp proof -> Verify Block & finalize state L1 Transaction L2 Transaction Server Prover State Merkle Tree Transaction state : Committed, Verified

Slide 45

Slide 45 text

zk Rollup Structure
▪ Data Availability: The L2 data update for every block is published over the mainchain network
▪ Users can always retrieve the funds from the Rollup even if validator(s) stop cooperating, because the data is available -> Modular Blockchain
▪ On-chain operation -> withdraw
▪ L2 Data (highly compressed): Opcode, Account, Amount, …

Slide 46

Slide 46 text

zk EVM (2.0)
• zkEVM: virtual machine that runs zero-knowledge proofs in a manner compatible with zero-knowledge proof computations.
• ZKP complexity -> Smart Contract Deploy (lang support) -> Proof, Circuit, Verify
• Supports smart contract development tools
• zk-friendly: hash function (SHA256, Keccak256), cryptographic, computation

Slide 47

Slide 47 text

• Rollup & Zk EVM • L2 Cost & Block Commit (block size chunk), zk Snark 1 ≈ 1000 • Tps & Tx Latency

Slide 48

Slide 48 text

4. Zkp Research – Interoperability

Slide 49

Slide 49 text

Blockchain Interoperability Bridge

Slide 50

Slide 50 text

Bridge Contract Contract Trust party Service provider Operator, Validator Security threats Blockchain A Blockchain B Contract Contract Trustless Blockchain A Blockchain B

Slide 51

Slide 51 text

How can we make a trustless bridge?
Zero-knowledge proof: no information except whether the statement is true or false. Blockchain A, Blockchain B: π. Alice (EOA), Contract. >> Each isolated chain only trusts the ZKP proof


Slide 52

Slide 52 text

How do we know that a transaction was correctly processed on both chains and included in a block?
BlockHeader ℵ Consensus Node
> Blockchain Consensus
> Transaction Execution
! Difficult (Consensus)
! High computation cost off chain (Cryptography)
! Non-ZKP
Next:
Header receiptsRoot, merkleRoot
Tx_receipt, Merkle Path
Tx_receipt Log[Idx] From, UserMC
Tx_receipt Log[Idx] To, BridgeAddrMC (hardcoded)
Tx_receipt Log[Idx] Amount, Amount
Tx_receipt Log[Idx] Destination, BridgeAddrSC (hardcoded)
Tx_receipt Log[Idx] SC_Account, UserSC
Tx_receipt Status (hardcoded)
