Ethcon Korea 2023 "ZK Email: On-chain verification of emails using ZKP"

Transcript

1. ZK Email: On-chain verification of emails using ZKP Sora Suegami,

   with Aayush Guputa, Rasul Ibragimov, Saleel Pichen, Sampriti Panda, Teeramet (Jern) Kunpittaya, Tyler (AtHeartEngineer), Vivek Bhupatiraju (alphabet-order) 1

2. 2 Problem: To interact with Ethereum, everyone needs to create

   an ethereum account. • To receive crypto assets, a recipient needs to create an ethereum account. • Smart contracts cannot import data published by trusted persons or companies without additional trust assumptions if they don’t support Ethereum. (e.g., API3 and Chainlink) Problem: everyone needs an ethereum account now

3. 3 Problem: To interact with Ethereum, everyone needs to create

   an ethereum account. Problem: everyone needs an ethereum account now Solution: Make every email address an Ethereum account by verifying emails on-chain. • All the recipient needs is an email address. • Smart contracts can directly read the contents of the emails as oracle data without the help of custodians or data providers. • To receive crypto assets, a recipient needs to create an ethereum account. • Smart contracts cannot import data published by trusted persons or companies without additional trust assumptions if they don’t support Ethereum. (e.g., API3 and Chainlink)

4. Outline 4 1. Basic Idea 2. Circuit Implementation 3. Applications

5. Outline 5 1. Basic Idea 2. Circuit Implementation 3. Applications

6. ZK Email: Verifying emails with ZKP on-chain [1,2] 6 Email

   Email Proof Ethereum Blockchain Proved Verified An email address in the from field is [email protected].

7. How ZK Email works [1,2] 7 Email domain servers supporting

   the DKIM protocol such as Gmail attach RSA digital signatures to claim that the sender and contents of the email are not forged. Email RSA digital signature Email Domain Server SHA256(from:[email protected], subject:~,…) RSA Private Key

8. Email RSA digital signature User Email Domain Server Attached ZKP

   Email Proof Ethereum Blockchain Broadcast How ZK Email works [1,2] 8

9. Outline 9 1. Basic Idea 2. Circuit Implementation 3. Applications

10. 10 Design of the Email Verification circuit RSA digital signature

    Email Header RSA Verification Chip Regex Verification Chip Dynamic-length SHA256 Chip Substrings (e.g., email address in the from field) Assert the output is valid RSA public key for the domain * The email body is also verified with the regex verification chip, and its base64-encoded SHA256 hash is compared to the bodyhash in the email header.

11. 11 How to build your regex verification chip [1] 1.Convert

    a regex definition into an equivalent deterministic finite automaton (DFA). 2.Specify state transitions corresponding to substrings to be exposed. 3.Generate a circuit specific to the DFA and the substring state transitions. zkregex.com/min_dfa

12. 12 I want to expose a substring matching with “(0|1|2)+”

    in the regex “hello(0|1|2)+world”. Specify 6->7 and 7->7 as the substring state transitions. How to build your regex verification chip [1]

13. 13 1. Move states according to the input string. (ex.)

    hello21world How your regex verification chip works [1]

14. 14 (ex.) hello21world How your regex verification chip works [1]

    1. Move states according to the input string.

15. 15 (ex.) hello21world How your regex verification chip works [1]

    1. Move states according to the input string.

16. 16 (ex.) hello21world How your regex verification chip works [1]

    1. Move states according to the input string.

17. 17 (ex.) hello21world How your regex verification chip works [1]

    1. Move states according to the input string.

18. 18 2. Assert that final state is the accepted state.

    (ex.) hello21world How your regex verification chip works [1]

19. 19 (ex.) hello21world 3. Output the characters whose state transitions

    are specified as substrings. How your regex verification chip works [1]

20. Regex in Practice: Visualizing a DFA of your Regex '(¥r¥n|¥x80)(to|from):([A-Za-z0-9

    _."@-]+<)?[a-zA-Z0-9_.-]+@[a-zA-Z0-9_.]+>?¥r¥n'; Regex -> DFA -> AND/OR Gates -> Autogenerated Circom Code https://zkregex.com/min_dfa 20

21. Regex in Practice: Decomposed Regex Definition Regex: ”Transfer ([0-9]|.)+ [A-Z]+”

    (e.g., “Transfer 1.2 ETH”) 21

22. Regex in Practice: Decomposed Regex Definition Regex: ”Transfer ([0-9]|.)+ [A-Z]+”

    (e.g., “Transfer 1.2 ETH”) Substring 1 (e.g., “1.2”) Substring 2 (e.g., “ETH”) 22

23. Outline 1. Basic Idea 2. Circuit Implementation 3. Applications 23

24. 24 Application Class 1: Anonymous Proof of Identity [1,5] Prove

    that you received an email from Twitter to reset a password of the twitter account. Proof of the twitter account ownership

25. Other Proof of Identity Applications [1,5] Try our demos! https://prove.email/

    25

26. Try our demos! https://prove.email/ 26 Other Proof of Identity Applications

    [1,5]

27. Try our demos! https://prove.email/ 27 Other Proof of Identity Applications

    [1,5]

28. Application 2: Contract Wallet using Emails (Email Wallet) [3] Interpreting

    an email as an Ethereum transaction allows users to send crypto assets by simply sending emails. 28

29. Application 2: Contract Wallet using Emails (Email Wallet) [3] Live

    Goerli demo at https://sendeth.org 29

30. Application 2: Contract Wallet using Emails (Email Wallet) [3] Live

    Goerli demo at https://sendeth.org 30

31. Application 2: Contract Wallet using Emails (Email Wallet) [3] 31

32. Application 2: Contract Wallet using Emails (Email Wallet) [3] 32

33. Application 2: Contract Wallet using Emails (Email Wallet) [3] Live

    Goerli demo at https://sendeth.org 33

34. 34 A wallet contract stores each user’s email address and

    balance per currency unit. A user can transfer the user’s crypto assets deposited to the contract wallet by sending an email with the message “Send X ETH to [email protected]”, without any actions from the recipient. A user can exchange the user’s ETH for DAI via Uniswap by sending an email with the message “Swap X ETH to DAI”. Example 1 Example 2 [email protected] [email protected] [email protected] [email protected] [email protected] Application 2: Contract Wallet using Emails (Email Wallet) [3] Send 0.1 ETH to … Swap 0.2 ETH to DAI

35. 35 System Architecture of Email Wallet [3] A relayer does

    additional work in Email Wallet, i.e., proof generation and interaction with contracts. Relayer Domain Server User Contract Send an email to the relayer’s email address. Attach a digital signature. (DKIM) Generate a proof and submit it to the wallet contract. • Users do not need to install new software unlike existing wallet applications. • Existing domain servers that adopt the DKIM protocol can be used without modification.

36. 36 Application 3: Public Goods Funding for Non-Crypto People Email

    Research Paper ZK Email Researcher Send the funding to the researcher’s email address through Email Wallet Evaluate a contribution of the paper PGF Contract Public goods funding (PGF) for individuals/organizations who have never used Ethereum. e.g., PGF for researchers in non-crypto fields! It can automatically give % of money to paper citations. The email address is included in the paper.

37. 37 Other Applications • ZKP2P: Fiat to Crypto On-Ramp From

    Venmo [4 - Sachin, Alex S, Brian W, Richard] By verifying proof of payment made on Venmo/Revolut, a popular P2P payment service, you can convert USD on Venmo to USDC on Ethereum, and USDC -> Venmo, KYC-free. https://zkp2p.xyz • ZK Glassdoor [5] You prove you work at a particular company and so can provide firsthand information on what it’s like to work there. Done – we mentored a team to build atop our code and they [Sehyun, Emma, Kaylee] deployed at https://nozee.xyz! • On-chain DocuSign [5] Base-64 decode the attachments on a confirmation email from DocuSign to prove you signed a legal document with certain properties: a tax return for a given amount, or a proof of residence in a given city, or a term sheet from a VC. You can use these proofs to add credibility to your anonymous speech. • Email as Multisig Signer 2FA on chain for transactions • Edward Snowden-style Whistleblowing • Oracle style signed price feeds

38. 38 Conclusion: ZK Email is Trust Scaling Technology ZK Email

    scales trust in emails. Smart contracts on Ethereum can read existing emails as oracle data.

39. 39 Conclusion: ZK Email is Trust Scaling Technology Users can

    make Ethereum transactions by simply sending emails. ZK Email scales trust in emails.

40. 40 Conclusion: ZK Email is Trust Scaling Technology Users and

    smart contracts can designate individuals/organizations by email addresses instead of ethereum addresses. ZK Email scales trust in emails. Email address: [email protected]

41. 41 Our ZK Email Libraries 1. zk-email-verify: circom circuit https://github.com/zkemail/zk-email-verify

    2. halo2-zk-email: halo2 circuit https://github.com/zkemail/halo2-zk-email Github organization page: https://github.com/zkemail Our ZK Email org is continuing to mentor projects using our libraries, reach out if you have an idea! :)

42. 42 Our ZK Email Libraries zk-email-verify: circom circuit 😄 Faster

    prover with rapidsnark. 😄 Cheaper on-chain verification cost with Groth16. 😢 Large memory cost. 😢 New trusted setup is necessary with Groth16. => Server-side proof generation halo2-zk-email: halo2 circuit 😄 Adjustable parameters to balance proving and verifying costs. 😄 It will support webassembly prover on browser in September. 😢 Slower prover. 😢 More expensive on-chain verification cost. => Client-side proof generation

43. References 43 1. A. Gupta, “An ecdsa nullifier scheme and

    a proof of identity application,” Master’s thesis, Massachusetts Institute of Technology, September 2022. 2. S. Suegami, “Rsa verification circuit in halo2 and its applications - privacy and scaling explorations,” 2022. [Online]. Available: https://mirror.xyz/privacy-scaling- explorations.eth/mmkG4uB2PR_peGucULAa7zHag-jz1Y5biZH8W6K2LYM (Accessed 13 August 2023). 3. S. Suegami and K. Shibano, "Contract Wallet Using Emails," 2023 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), Dubai, United Arab Emirates, 2023, pp. 1-2, doi: 10.1109/ICBC56567.2023.10174932. (Slides: https://speakerdeck.com/sorasuegami/icbc2023-contract-wallet-using-emails) 4. ZKP2P, “ZKP2P, Fiat to Crypto On-Ramp From Venmo,” n.d. [Online]. Available: https://zkp2p.xyz/ (Accessed 13 August 2023). 5. A. Gupta, “ZK Email,” Dec, 2022. [Online]. Available: https://blog.aayushg.com/posts/zkemail/ (Accessed 13 August 2023).