
Bulletproofs

Tejaswa Rastogi
September 27, 2020


The talk was presented at the HACON conference organized by HAC Security.

Agenda:
● Speaker’s Introduction
● Blockchain Fundamentals Refresher
● Public Blockchains & Privacy
● So, does Blockchain ensure Data Privacy?
● Bitcoin Transactions & Pseudo-Anonymity
● GDPR and Blockchain: End of Blockchain?
● Zero Knowledge Proofs
● zk-SNARKs
● ZCash Enhances Bitcoin
● zk-STARKs
● Bulletproofs

Connect with me:
Twitter: https://twitter.com/razzor_tweeet
Instagram: https://instagram.com/tejas_rastogi

Transcript

  1. Agenda
     • Speaker’s Introduction
     • Blockchain Fundamentals Refresher
     • Public Blockchains & Privacy
     • So, does Blockchain ensure Data Privacy?
     • Bitcoin Transactions & Pseudo-Anonymity
     • GDPR and Blockchain: End of Blockchain?
     • Zero Knowledge Proofs
     • zk-SNARKs
     • ZCash Enhances Bitcoin
     • zk-STARKs
     • Bulletproofs
  2. Speaker’s Introduction
     Tejaswa Rastogi (Twitter: @razzor_tweet)
     • Penetration Tester
     • Blockchain Security Researcher
     • Founder | RazzorSec
     • YouTuber | Razzor Sharp
     • Malware Analyst
     • CyberSecurity Enthusiast
  3. Public Blockchain and Transparency
     • Transparency: the major feature of many blockchains
     • Decentralization: power and control are distributed among the participants
     • Any participating node can be selected as a validator
     • Every node stores all the transaction data, which is why the transaction data is public
     • Anyone can download the whole blockchain and see the transaction history
  4. Private Blockchains and Privacy
     • Grant more privacy to users
     • No decentralized security and no network-wide consensus
     • Transparency goes for a toss
     • Control has been put back into the hands of centralized authorities
  5. I Know “Something”
     – What’s that?
     – I know.
     – Show me, so that I can verify.
     – I won’t, it’s secret.
     – Then why should I trust you, if I can’t see?
     – Senorita, I can do magic….
  6. Zero Knowledge Proofs: Three Properties to Satisfy
     • Completeness – if a statement is true, then the verifier will be convinced that the prover possesses the correct input
     • Soundness – if a statement is false, then no dishonest prover can convince the verifier that they have the correct input
     • Zero knowledge – if a statement is true, then no verifier learns anything other than the fact that the statement is true
  7. Zero Knowledge Proofs: General Structure
     • Witness: the fact that A knows the secret determines some set of questions which A can always answer correctly. First, A randomly chooses a question from the set and calculates a proof. Then A sends the proof to B.
     • Challenge: B then chooses a question from the set and asks A to answer it.
     • Response: A calculates the answer and sends it back to B. The received answer allows B to check that A really knows the secret.
     The procedure can be repeated as many times as desired, until the probability that A is merely guessing rather than knowing the correct answers becomes low enough.
     Source: https://www.altoros.com/blog/zero-knowledge-proof-improving-privacy-for-a-blockchain/
  8. Non-Interactive Proofs
     Consider a situation where users P and V are mathematicians, and they employ regular (snail) mail to communicate with each other. Mathematician P wants to travel the world and prove new theorems to mathematician V without disclosing the essence of the proof. In this scenario we need to come up with a non-interactive protocol, since mathematician P may not have a fixed address and may move before receiving the next answer. Blum, Feldman, and Micali suggested a non-interactive ZKP in which users P and V have a shared secret key, which is enough to prove that P knows some secret information without revealing the information itself.
     Source: https://www.altoros.com/blog/zero-knowledge-proof-improving-privacy-for-a-blockchain/
  9. Non-Interactive Proofs
     Unlike a regular zero-knowledge proof, the general structure of a non-interactive ZKP consists of just a single action between participants P and V, and this action is the witness. P passes the secret information as an argument to a special function, “make a proof” (see the image below). The output is some value, the “proof.” P then sends the “proof” to user V. V can then check whether P knows the secret information using the “proof” and another special function, “check a proof.”
     Source: https://www.altoros.com/blog/zero-knowledge-proof-improving-privacy-for-a-blockchain/
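The witness/challenge/response structure of slide 7 and the one-message “make a proof” / “check a proof” form of slide 9, as an added Python example that is not part of the deck: a Schnorr proof of knowledge of a discrete logarithm, first interactive, then made non-interactive with the Fiat-Shamir heuristic that slide 14 names. The group parameters are a constructed toy (p = 2039, q = 1019, G = 4) and all function names are my own.

```python
import hashlib
import secrets

# Constructed toy group, NOT secure: p = 2039 is a safe prime and q = 1019 the
# prime order of the subgroup generated by G = 4 (real systems: ~256-bit groups).
P, Q, G = 2039, 1019, 4

def prover_commit():
    """Witness step (slide 7): pick random k, send t = G^k, keep k secret."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)

def verifier_challenge():
    """Challenge step: the verifier picks an unpredictable c in [0, q)."""
    return secrets.randbelow(Q)

def prover_respond(x, k, c):
    """Response step: s = k + c*x mod q. The random k masks x, so s leaks nothing."""
    return (k + c * x) % Q

def verify(y, t, c, s):
    """Accept iff G^s == t * y^c (mod p), which requires s built from log_G(y)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def interactive_round(x, y):
    """One witness/challenge/response round; repeat to shrink the cheating chance."""
    k, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, k, c))

def fiat_shamir_challenge(y, t):
    """Fiat-Shamir: the verifier's coin flip becomes a hash of the transcript."""
    digest = hashlib.sha256(f"{G}|{P}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def make_proof(x):
    """Non-interactive 'make a proof' (slide 9): a single message (t, s)."""
    k, t = prover_commit()
    c = fiat_shamir_challenge(pow(G, x, P), t)
    return t, prover_respond(x, k, c)

def check_proof(y, proof):
    """Non-interactive 'check a proof': recompute c, then the same equation."""
    t, s = proof
    return verify(y, t, fiat_shamir_challenge(y, t), s)

if __name__ == "__main__":
    x = secrets.randbelow(Q)           # prover's secret
    y = pow(G, x, P)                   # public statement: "I know log_G(y)"
    print("interactive round accepted:", interactive_round(x, y))
    print("non-interactive proof accepted:", check_proof(y, make_proof(x)))
```

A cheating prover who does not know x has to guess c before sending t, which succeeds with probability 1/q per round in the interactive form and is what the hash removes in the non-interactive one.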
  10. zk-SNARKs
     • Succinct: the proof is smaller and can be verified faster than in older zero-knowledge protocols.
     • Non-Interactive: the verifier does not have to exchange multiple messages (as in older versions), but receives only one proof.
     • ARguments: dishonest actors have virtually no way to crack the encryption given today’s limited computing power. Quantum computers are a threat, though.
     • Knowledge: it is impossible for anyone to construct the proof without actually possessing the information.
     Source: https://www.crypto-news-flash.com/what-is-zcash/
  11. zk-STARKs: Zero-Knowledge Scalable Transparent ARguments of Knowledge
     • An alternative to zk-SNARK proofs: efficient, faster and cheaper.
     • zk-STARKs are stronger because they are transparent and do not require a trusted setup.
     • This approach also eliminates the number-theoretic assumptions of zk-SNARKs, which are computationally expensive and theoretically prone to attack by quantum computers: a prover with enough computational power could create a fake proof.
     • zk-STARKs, on the other hand, are currently constructed using quantum-resistant primitives, so they are expected to be post-quantum secure.
  12. • Proposed by Stanford’s Applied Cryptography Group (ACG) in December 2017, with contributions from University College London and Blockstream
      • Short, non-interactive zero-knowledge proofs that do not require a trusted setup
      • Especially suited to the distributed and trustless nature of blockchains; they can create substantial long-term cost savings, enormous space savings, lower fees, and faster verification times than current implementations of range proofs
  13. According to the Stanford paper at the time, “All current implementations of confidential transactions use range proofs over committed values, where the proof size is linear in n.”
  14. Advantages
     • Bulletproofs rely on the discrete logarithm assumption for security and use the Fiat-Shamir heuristic in order to become non-interactive.
     • As a result, bulletproofs grow in size only logarithmically with the number of outputs and with the bit-size of the range being proved, so the size of transactions that implement Confidential Transactions can be substantially reduced.
     • Multiple range proofs for transactions with multiple outputs can be aggregated into a single, short proof by a prover.
     • Bulletproofs efficiently support a simple MPC protocol that “allows multiple parties with secret committed values to jointly generate a single small range proof for all their values, without revealing their secret values to each other.”
     Source: https://blockonomi.com/bullet-proofs/
  15. The proofs of bulletproofs are much shorter than other range proofs and “allow inputs to be Pedersen commitments to elements of the witness.”
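Added example, not from the deck or the Bulletproofs paper, of the Pedersen commitments slide 15 mentions and the homomorphic “balance” check that Confidential Transactions run over them, showing why that check is only sound together with a range proof (slides 13 and 14): without one, a negative output wraps around mod q and still balances. The toy group (p = 2039, q = 1019, G = 4), the hash-derived second generator H and the function names are my own assumptions.

```python
import hashlib
import secrets

# Same constructed toy group as the Schnorr example above (NOT secure).
P, Q, G = 2039, 1019, 4

def derive_h():
    """Second generator H: hash into the order-q subgroup (squares mod p) so
    that nobody chose log_G(H); unknowable in a real-sized group, not in this toy."""
    h = int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big") % (P - 3) + 2
    return pow(h, 2, P)              # h in [2, p-2], so H is neither 0 nor 1

H = derive_h()

def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind mod p: hiding and binding."""
    return (pow(G, value % Q, P) * pow(H, blind % Q, P)) % P

def in_range(value, bits=8):
    """The statement a range proof certifies without revealing the value."""
    return 0 <= value < (1 << bits)

def balances(in_commits, out_commits):
    """Homomorphic sum-check: prod(inputs) == prod(outputs) iff the hidden
    values (and the blinding factors) sum to the same thing mod q."""
    lhs = rhs = 1
    for c in in_commits:
        lhs = (lhs * c) % P
    for c in out_commits:
        rhs = (rhs * c) % P
    return lhs == rhs

def toy_transaction(in_vals, out_vals, require_range=True):
    """Return True iff the verifier accepts. Blinding factors are chosen so
    they sum equally on both sides; only the value sums can differ."""
    if require_range and not all(in_range(v) for v in in_vals + out_vals):
        return False                 # the range proof would not verify
    in_blinds = [secrets.randbelow(Q) for _ in in_vals]
    out_blinds = [secrets.randbelow(Q) for _ in out_vals[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    return balances([commit(v, r) for v, r in zip(in_vals, in_blinds)],
                    [commit(v, r) for v, r in zip(out_vals, out_blinds)])

if __name__ == "__main__":
    print("10 -> 3 + 7 :", toy_transaction([10], [3, 7]))             # True
    print("10 -> 3 + 8 :", toy_transaction([10], [3, 8]))             # False
    # Without a range proof a negative output wraps mod q and balances,
    # minting 190 coins out of nothing: this is what range proofs prevent.
    print("no range    :", toy_transaction([10], [200, -190], False))  # True
    print("with range  :", toy_transaction([10], [200, -190]))         # False
```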