Slide 1

Slide 1 text

FAST, PRIVATE, FLEXIBLE BLOCKCHAIN CONTRACTS
Oleg Andreev, Cathie Yun
Split, Croatia, June 23, 2019

Slide 2

Slide 2 text

THE PROBLEM
How to make ... live on the internet?
... tokens, receipts, derivatives, currencies, tickets, stocks, bonds ...

Slide 3

Slide 3 text

THE PROBLEM
How to make ... live on the internet?
... tokens, receipts, derivatives, currencies, tickets, stocks, bonds ...
... ownable by computers.

Slide 4

Slide 4 text

WHY
How come we have vending machines for physical property, but not for digital property?

Slide 5

Slide 5 text

HOW Need to simulate the universe in which these things can exist:

Slide 6

Slide 6 text

UNIVERSE OF ASSETS = BLOCKCHAIN
Blockchain protocol is a set of rules for defining tokens, authorizing transfers, and preventing double-spends.

Slide 7

Slide 7 text

UNIVERSE OF ASSETS IS HEAVY
Blockchain protocol is a set of rules for defining tokens, authorizing transfers, and preventing double-spends ... that every participant verifies.

Slide 8

Slide 8 text

PROBLEMS WITH SHARED DATA
Blockchain makes sense if everyone plays the same game.
• how do we scale this?
• how do we protect private data?
• how do we build upon it?

Slide 9

Slide 9 text

HUGE COMMUNITY EFFORT
Goals: scalability, performance, confidentiality, flexibility.
Projects and techniques: payment channels, zcash, bitcoin, ethereum, monero, coinjoin, zksnarks, ring signatures, mimblewimble, bulletproofs, utreexo, musig, bls signatures, taproot, txo mmr, recursive snarks, object capabilities, linear types, ristretto.

Slide 10

Slide 10 text

ZkVM = HYBRID SOLUTION
Combines techniques from the community effort listed on the previous slide to address all four goals: scalability, performance, confidentiality, flexibility.

Slide 11

Slide 11 text

ZkVM ARCHITECTURE

Slide 12

Slide 12 text

TRANSACTIONS
Tx = program that transfers assets from inputs to outputs.
Transactions can also issue arbitrary assets.
[diagram: tx 1 (input, input → output), tx 2 (input → output, output), tx 3 (input → output, output)]

Slide 13

Slide 13 text

PROGRAM EXECUTION
Transaction is a program, a cryptographic proof and some metadata.
[diagram: TX = program + zk proof]

Slide 14

Slide 14 text

PROGRAM EXECUTION
VM instantiated per transaction; discarded after tx is processed.
High-level instructions enforce network rules.
Not Turing-complete by design.
[diagram: TX (program, zk proof) → run → VM (program, stack, txlog, constraint system)]

Slide 15

Slide 15 text

PROGRAM EXECUTION
Instructions build a constraint system (CS) on the fly.
CS enforces both network rules and custom, per-contract rules.
A single aggregated proof is used to verify all the constraints.
[diagram: TX (program, zk proof) → run → VM (program, stack, txlog, constraint system); zk proof → verify → constraint system]

Slide 16

Slide 16 text

PROGRAM EXECUTION
Transaction verification is stateless.
Created/deleted outputs are recorded in the transaction log.
The transaction log is applied to the blockchain state separately.
[diagram: TX (program, zk proof) → run → VM (program, stack, txlog, constraint system); txlog → apply → blockchain state]

Slide 17

Slide 17 text

CONTRACTS
Each unspent output is a contract object.
A contract has an arbitrary payload (assets, data) protected by a predicate.
Saved via the output instruction, loaded via the input instruction.
[diagram: contract = predicate + item 1, item 2, item 3]

Slide 18

Slide 18 text

CONTRACTS
The predicate is satisfied with either a signature...
[diagram: contract (predicate, item 1, item 2, item 3) → verify signature → unlock → item 1, item 2, item 3]

Slide 19

Slide 19 text

CONTRACTS
The predicate is satisfied with either a signature or a sub-program.
[diagram: contract (predicate, item 1, item 2, item 3) → execute sub-program → unlock → item 1, item 2, item 3]

Slide 20

Slide 20 text

TAPROOT
pubkey K = k·B
P = K + hash(K, R)·B, where R commits to the alternative branches (program 1, program 2, program 3, program 4).
Compresses contract logic into a single public key.
Either sign for P (the holder of k also knows the tweak hash(K, R), so the cooperative path is one ordinary signature that reveals nothing about the branches), or reveal K, R and one branch, and execute it.
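The key tweak on this slide, as an added worked example that is not Slingshot/ZkVM code: a toy Python implementation over a safe-prime subgroup instead of Ristretto255. The Merkle root used as R, the SHA-256 domain tags, the Schnorr signature layout and the deterministic nonce are all my own assumptions, not the project's. It exercises both paths the slide names: one signature for P on the cooperative path, and K, R plus a single branch on the dispute path.

```python
"""Toy Taproot commitment matching the slide's P = K + hash(K, R)·B.

Added example, not Slingshot/ZkVM code. Ristretto255 is replaced by the
order-q subgroup of Z_p^* for a safe prime p = 2q + 1, written multiplicatively:
the slide's k·B is pow(B, k, p) and X + Y is X*Y % p. Far too small to be secure;
only the structure is faithful. Domain tags, Merkle layout, nonce: my choices.
"""
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy group: smallest safe prime p = 2q + 1 with q just above 2^64 (constructed).
ORD = (1 << 64) | 1
while not (is_prime(ORD) and is_prime(2 * ORD + 1)):
    ORD += 2
MOD = 2 * ORD + 1
B = 4   # a square mod p, so it generates the order-q subgroup

def h(tag: str, *parts) -> int:
    """Domain-separated SHA-256 reduced to a scalar mod q; takes ints and bytes."""
    m = hashlib.sha256(tag.encode())
    for x in parts:
        m.update(x if isinstance(x, bytes) else x.to_bytes(32, "big"))
    return int.from_bytes(m.digest(), "big") % ORD

def _next_level(level):
    if len(level) % 2:                       # odd level: carry the last node up
        level = level + [level[-1]]
    return level, [h("node", a, b) for a, b in zip(level[::2], level[1::2])]

def merkle_root(programs) -> int:
    level = [h("leaf", p) for p in programs]
    while len(level) > 1:
        _, level = _next_level(level)
    return level[0]

def merkle_path(programs, index: int) -> list:
    """Sibling hashes that let a verifier recompute the root from one leaf."""
    level, path = [h("leaf", p) for p in programs], []
    while len(level) > 1:
        level, nxt = _next_level(level)
        path.append(level[index ^ 1])
        level, index = nxt, index // 2
    return path

def merkle_verify(program: bytes, index: int, path: list, root: int) -> bool:
    node = h("leaf", program)
    for sib in path:
        node = h("node", sib, node) if index & 1 else h("node", node, sib)
        index //= 2
    return node == root

def taproot(k: int, programs):
    """K = k·B, R = root over the branches, P = K + hash(K, R)·B; returns (P, K, R, t)."""
    K = pow(B, k, MOD)
    R = merkle_root(programs)
    t = h("taproot", K, R)
    return K * pow(B, t, MOD) % MOD, K, R, t

def sign(k: int, t: int, msg: bytes):
    """Cooperative path: one Schnorr signature under the tweaked secret x = k + t."""
    x = (k + t) % ORD
    Ppub = pow(B, x, MOD)
    r = h("nonce", x, msg)                   # deterministic nonce (toy choice)
    Rn = pow(B, r, MOD)
    e = h("chal", Rn, Ppub, msg)
    return Rn, (r + e * x) % ORD

def verify_sig(Ppub: int, msg: bytes, sig) -> bool:
    Rn, s = sig
    e = h("chal", Rn, Ppub, msg)
    return pow(B, s, MOD) == Rn * pow(Ppub, e, MOD) % MOD

def verify_branch(Ppub, K, R, program, index, path) -> bool:
    """Dispute path: P == K + hash(K, R)·B, and `program` is a leaf under R."""
    t = h("taproot", K, R)
    return K * pow(B, t, MOD) % MOD == Ppub and merkle_verify(program, index, path, R)
```

Importing the module runs a short safe-prime search, which finishes well under a second. The two checks worth trying by hand: `verify_branch` against the untweaked K instead of P fails, so the commitment to the branches cannot be stripped after the fact, and `verify_sig` only ever sees P, which is why the cooperative path leaks neither the parties nor the conditions.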

Slide 21

Slide 21 text

INSTRUCTIONS
Variables: const, var, alloc, mintime, maxtime, unblind, encrypt:n, decrypt
Values: issue, borrow, retire, cloak:m:n
Contracts: input, output:k, contract:k, log, signtx, call, delegate
Stack: push:n:x, program:n:x, drop, dup:k, roll:k
Constraints: neg, add, mul, eq, range:n, and, or, not, verify

Slide 22

Slide 22 text

INSTRUCTIONS
(same instruction table as slide 21)
Instruction counts: Bitcoin: 88, Ethereum: 77, TxVM: 65, ZkVM: 32 instructions.

Slide 23

Slide 23 text

Zk+VM Cathie Yun

Slide 31

Slide 31 text

CRYPTOGRAPHY STACK (pure Rust)
Curve25519-Dalek: vectorized elliptic curve operations.
Ristretto255: safe prime order group.
Bulletproofs: versatile zero-knowledge proof system.
Cloak: network rules.
Constraints: custom rules (network rules + custom rules together).
Instructions: arithmetic + boolean operations.
Your protocol: vaults, payment channels, order books, ...

Slide 32

Slide 32 text

CONSTRAINTS
(P = B + R·T) OR (X = Y)
Custom composition of arithmetic and boolean expressions, as a postfix instruction sequence:
R T mul B add P eq X Y eq or verify
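A plaintext model of the instruction sequence above, added here as an example and not part of ZkVM: the same postfix program is run over ordinary integers so the stack discipline (expression vs. constraint operands, operand order) can be checked. Treating `R`, `T`, `B`, `P`, `X`, `Y` as names looked up in an environment stands in for the VM's `var`/`push`; in ZkVM they would be Pedersen commitments and the result a Bulletproofs constraint rather than a Python bool.

```python
"""Plaintext evaluator for ZkVM's constraint instructions.

Added example, not ZkVM code. The real VM commits every variable and lets
Bulletproofs prove the constraint in zero knowledge; here the same postfix
program runs over plain integers so the stack discipline and the composition
(P = B + R·T) OR (X = Y) can be checked directly.
"""


class ConstraintError(Exception):
    """Raised by `verify` when the constraint on top of the stack is false."""


def run(program: str, env: dict) -> list:
    """Execute a whitespace-separated instruction string and return the stack.

    A token that names a key of `env` pushes that value (standing in for
    `var`/`push`); every other token is one of the slide's constraint
    instructions. Expressions are ints, constraints are bools, and the type
    checks mirror the VM refusing to `eq` two constraints or `and` two
    expressions.
    """
    stack = []

    def pop_expr() -> int:
        v = stack.pop()
        if isinstance(v, bool):
            raise TypeError("expected an expression, found a constraint")
        return v

    def pop_cons() -> bool:
        v = stack.pop()
        if not isinstance(v, bool):
            raise TypeError("expected a constraint, found an expression")
        return v

    for tok in program.split():
        op, _, arg = tok.partition(":")
        if op in env:
            stack.append(env[op])
        elif op == "neg":
            stack.append(-pop_expr())
        elif op == "add":
            b, a = pop_expr(), pop_expr()
            stack.append(a + b)
        elif op == "mul":
            b, a = pop_expr(), pop_expr()
            stack.append(a * b)
        elif op == "eq":
            b, a = pop_expr(), pop_expr()
            stack.append(a == b)
        elif op == "range":                       # range:n  ->  0 <= expr < 2^n
            stack.append(0 <= pop_expr() < 1 << int(arg))
        elif op == "and":
            b, a = pop_cons(), pop_cons()
            stack.append(a and b)
        elif op == "or":
            b, a = pop_cons(), pop_cons()
            stack.append(a or b)
        elif op == "not":
            stack.append(not pop_cons())
        elif op == "verify":
            if not pop_cons():
                raise ConstraintError("constraint is not satisfied")
        else:
            raise ValueError(f"unknown instruction {tok!r}")
    return stack


def satisfied(program: str, env: dict) -> bool:
    """True if the program runs to completion with every `verify` passing."""
    try:
        run(program, env)
    except ConstraintError:
        return False
    return True


# The slide's constraint, exactly as the instruction sequence on the slide.
SLIDE_PROGRAM = "R T mul B add P eq X Y eq or verify"
```

With `R=3, T=5, B=2, P=17` the first disjunct holds regardless of X and Y; with `P=18` the program only passes when `X == Y`. Reversing the operands of `eq` does not matter, but feeding a constraint into `add` or an expression into `or` raises, which is the same shape of error the typed VM stack gives.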

Slide 33

Slide 33 text

CONSTRAINTS

Slide 34

Slide 34 text

EX: CUSTOM CONSTRAINTS
Create variables from commitments, make expressions, form constraints and add them to the constraint system.
[instruction table from slide 21 repeated]


Slide 35

Slide 35 text

EX: CUSTOM CONSTRAINTS
A variable defines a payment constraint with borrow + output: borrow produces +V and –V; +V is locked in the output, and the negative value –V is mixed with an actual payment in the cloak.
[instruction table from slide 21 repeated]
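The borrow + output pattern on this slide, modelled in plaintext as an added example (not ZkVM code): in ZkVM a value is a pair of Pedersen commitments and the cloak proves balance and output ranges in zero knowledge; here quantities and flavors are plain integers and labels so the accounting can be checked. The names, the 64-bit range width and the helper functions are my assumptions about the rules being modelled.

```python
"""Plaintext model of borrow + cloak enforcing a payment constraint.

Added example, not ZkVM code. In ZkVM a value is a pair of Pedersen
commitments (quantity, flavor) and cloak:m:n proves in zero knowledge that
outputs are in range and that every flavor balances; here quantities and
flavors are plain so the accounting on the slide can be checked directly.
Names and the 64-bit range are my assumptions about the modelled rules.
"""
from collections import defaultdict
from dataclasses import dataclass

QTY_BITS = 64  # assumed output range-proof width


@dataclass(frozen=True)
class Value:
    qty: int      # negative only for the "wide" value that borrow creates
    flavor: str   # asset type; a derived scalar in ZkVM, a label here


def borrow(qty: int, flavor: str):
    """borrow: returns (-qty wide value, +qty value) of the same flavor."""
    if not 0 <= qty < 1 << QTY_BITS:
        raise ValueError("borrowed quantity out of range")
    return Value(-qty, flavor), Value(qty, flavor)


def cloak(inputs, outputs):
    """cloak:m:n: every output passes the range check and every flavor balances.

    Inputs may contain wide (negative) values, outputs may not, which is what
    forces the borrowed -V to be covered by a real input of the same flavor.
    """
    for v in outputs:
        if not 0 <= v.qty < 1 << QTY_BITS:
            raise ValueError(f"range check failed for {v}")
    balance = defaultdict(int)
    for v in inputs:
        balance[v.flavor] += v.qty
    for v in outputs:
        balance[v.flavor] -= v.qty
    off = {f: d for f, d in balance.items() if d}
    if off:
        raise ValueError(f"flavors do not balance: {off}")
    return list(outputs)


def pay(required: int, flavor: str, funding: Value):
    """The slide's pattern: borrow V, send +V to the payee's output, and let
    the cloak mix -V with the payer's real input so only the change comes out.

    Returns (payee_output, change_output); raises ValueError if `funding`
    is the wrong flavor or smaller than `required`.
    """
    wide, payee_out = borrow(required, flavor)
    change = Value(funding.qty + wide.qty, funding.flavor)   # W - V
    (change_out,) = cloak([funding, wide], [change])
    return payee_out, change_out


def covers(required: int, flavor: str, funding: Value) -> bool:
    """True if `funding` can settle a payment constraint of `required` units."""
    try:
        pay(required, flavor, funding)
    except ValueError:
        return False
    return True


def balanced(inputs, outputs) -> bool:
    """True if the cloak would accept this (inputs, outputs) pair."""
    try:
        cloak(inputs, outputs)
    except ValueError:
        return False
    return True
```

The point to notice is that the contract never inspects the payer's input: it only borrows V and outputs +V, and the cloak's balance and range checks on the change output are what make an underfunded or wrong-flavor payment unprovable.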


Slide 36

Slide 36 text

LINEAR TYPES + CAPABILITIES
In ZkVM, contracts imperatively express their requirements, entirely avoiding bugs like the confused deputy problem.

Slide 37

Slide 37 text

CONFIDENTIALITY
1. Data security
2. Data flow security

Slide 38

Slide 38 text

1. DATA SECURITY
All data is encrypted by default:
• account identifiers (via blinded keys),
• asset quantities and types,
• contract parameters: prices, time, rates.
Contract logic is protected by Taproot:
• cooperation: a single signature does not reveal parties or conditions,
• dispute: only a specific branch is revealed.

Slide 39

Slide 39 text

2. DATA FLOW SECURITY
• The transaction graph is public to permit compression of UTXOs.
• Within a transaction, asset flow is fully hidden with Cloak.
• Aggregation of transfers improves security, and also makes transactions smaller and faster.
• Further improvements are possible without changes to the base protocol.

Slide 40

Slide 40 text

PERFORMANCE

Slide 41

Slide 41 text

PERFORMANCE
1. Fast: <1 ms per output (up to 1000 tx/sec).
• vectorized implementation of Curve25519,
• signature aggregation,
• state of the art multi-scalar multiplication,
• ≈1.5 Kb/proof, marginal cost 0.2–0.5 Kb/transfer.
2. Always fast: custom constraints are relatively cheap.
• rangeproofs for output values bear most of the cost,
• signatures and custom constraints: 1-5% overhead.
3. Scales with privacy: aggregation saves space and time.
• proof size is log(N), marginal cost goes to zero,
• larger batches of ECC operations take N/log(N) time.
4. Free storage: Utreexo makes storage costs negligible.
• storage costs log(N) (≈1 kilobyte without caching),
• bandwidth overhead is 5-10% with caching (+ tens of megabytes).
5. SPV-friendly: bandwidth savings for mobile devices.

Slide 46

Slide 46 text

CONCLUSION ZkVM is a transaction format for a multi-asset blockchain that scales to global use, protects data on-chain and provides programmable constraints to enable custom protocols.

Slide 47

Slide 47 text

LEARN MORE & PARTICIPATE Specifications, code, whitepaper: https://github.com/stellar/slingshot Related projects: https://interstellar.com/protocol

Slide 48

Slide 48 text

THANK YOU
Oleg Andreev @oleganza
Cathie Yun @cathieyun
ZkVM, bulletproofs
Project Slingshot is sponsored by Inter/stellar and Stellar Development Foundation.