Embed Size (px)
Citation preview
zkSNARKs in Ethereum,and Baby ZoE
Privacy issues ofblockchain transactions
Why privacy is an issuefundamental human right
necessary for people exercise unique moralchoices
privacy which our societies evolved around ishealthy, and makes it more resilient and morehumane
3
Why privacy is an issueIndustrial blockchain business requiresimproved privacy before they can useblockchain technology.
People do not want their contracts andtransactions be exposed to enemies,competitors, criminals, hackers.
4
Why privacy is an issue
A company wants to protect informationregarding its supply chain from competitors
An individual doesn't want it publicly knownthat she is paying a bankruptcy lawyer or adivorce lawyer for advice
A family that wishes to shield from employersand insurers, for fear of discrimination, the factthat their child has a chronic medical conditionor genetic problem.
A wealthy individual who doesn't want criminalelements to see their activities and possiblyattempt to extort value from them. 5
Why privacy is an issue
A trading desk, or other middleman companybetween buyers and sellers of differentcommodities, that wants to prevent getting cutout of the trade.
Banks, hedge funds, and other types of financialentities that trade financial instruments(securities, bonds, derivatives); if externalagents can figure out what their position orinterest is, it can be used to the traders'disadvantage and affect their ability to tradewell.
6
Anonymity should have unlinkability of pseudonyms
7
Anonymity should have unlinkability of pseudonyms
8
Anonymity should have unlinkability of pseudonyms
9
Adapt zero knowledge proof methodology
EIP 86 (account security abstraction) helps theadaption
An highlight in Metropolis
move the logic for verifying signatures andnonces into contracts, allowingdevelopers to experiment with newsignature schemes, privacy-preservingtechnologies and modifications to parts ofthe protocol without requiring furtherhard forks or support at the protocollevel. Also allows contracts to pay for gas.
10
Zero knowledge proof
What is zero knowledge proofA ZKP is a cryptographic technique which allowstwo parties ( a prover and a verifier ) to provethat a proposition is true, without revealing anyinformation about that thing apart from it beingtrue.
12
What is zero knowledge proofcompleteness: if the statement is true, thehonest verifier (the one following the protocolproperly) will be convinced of this fact by anhonest prover.
soundness: if the statement is true, no cheatingprover can convince the honest verifier that it istrue, except with some small probability.
zero-knowledge: if the statement is true, nocheating verifier learns anything other than thefact the statement is true.
13
ZKP examples
where's waldo
counting leaves
the secret cave
14
zero knowledge proof usagesused for verifying transactions
Zcash
used for verifying smart contracts
Hawk
15
zkSNARKszero-knowledge Succinct Non-interactive
ARguments of Knowledge
prosSuccinct non-interactive zero-knowledge proof
easy to verify
protect completeness of computations
do not bring too much overhead to non-participants of the proof
17
What is zkSNARKsSuccinct
Non-interactive
ARgument
of Knowledge
zero-knowledge
18
What is zkSNARKssuccinct
the sizes of the messages are tiny incomparison to the length of the actualcomputation
19
What is zkSNARKsnon-interactive
there is no or only little interaction. ForzkSNARKs, there is usually a setup phase andafter that a single message from the prover tothe verifier. Furthermore, SNARKs often havethe so-called "public verifier" propertymeaning that anyone can verify withoutinteracting anew, which is important forblockchains.
20
What is zkSNARKsarguments
the verifier is only protected againstcomputationally limited provers. Provers withenough computational power can createproofs/arguments about wrong statements(Note that with enough computational power,any public-key encryption can be broken).This is also called "computationalsoundness", as opposed to "perfectsoundness"
21
What is zkSNARKsof knowledge
it is not possible for the prover to construct aproof/argument without knowing a certain so-called witness (for example the address shewants to spend from, the preimage of a hashfunction or the path to a certain Merkle-treenode).
22
What is zkSNARKszero knowledge
during the interaction, the verifier learnsnothing apart from the validity of thestatement. The verifier especially does notlearn the witness string
23
What is zkSNARKswitness string
consider transaction validation computation:f(σ_1, σ_2, s, r, v, p_s, p_r, v) = 1
where σ_1 and σ_2 are the root hashes ofaccount Merkle-trees (pre- and post- state)
s and r are sender and receiver accounts. p_s, p_r are Merkle-tree proofs. v is thethreshold in the test of Merkle-tree proof.
When turning f into a zkSNARK where only σ_1 and σ_2 are publicly known. Then (s,r,v,p_s,p_r,v) is the witness string. 24
Current implementation of zkSNARKs
Four main ingrediant
Encoding as a polynomial problem
Succinctness by random sampling
Homomorphic encoding / encryption
Zero knowledge
25
Current implementation of zkSNARKs
Encoding as a polynomial problem
The program that is to be checked iscompiled into a quadratic equation ofpolynomials: t(x) h(x) = w(x) v(x), where theequality holds iff the program is computedcorrectly. The prover wants to convince theverifier that this equality holds.
26
Current implementation of zkSNARKs
Succinctness by random sampling
The verifier chooses a secret evaluation point s to reduce the problem from multiplyingpolynomials and verifying polynomialfunction equality to simple multiplication andequality check on numbers: t(s) h(s) = w(s) v(s)
This reduces both the proof size and theverification time tremendously.
27
Current implementation of zkSNARKs
Homomorphic encoding / encryption
An encoding/encryption function E is usedthat has some homomorphic properties (butis not fully homomorphic, which is not yetpractical).
This allows the prover to compute E(t(s)), E(h(s)), E(w(s)), E(v(s)) without knowing s,she only knows E(s) and some other helpfulencrypted values.
28
Current implementation of zkSNARKs
Zero knowledge
The prover permutes the values E(t(s)), E(h(s)), E(w(s)), E(v(s)) by multiplying with anumber so that the verifier can still checktheir correct structure without knowing theactual encoded values.
Roughly speaking, check t(s)h(s) = w(s)v(s) isidentical to check t(s)h(s)k = w(s)v(s)k arandom secret non-zero number k. And if youare sent only the numbers (t(s)h(s)k) and (w(s)v(s)k), it is impossible to derive t(s)h(s)or w(s)v(s). 29
conscurrently (Zcash implementation) costs between45 seconds to 1 minute to generate new proofand move money from someone else.
suffer from big scalability issues
currently (Zcash implementation) need onespecific party for trust
30
Combine privacy and programmability
Add privacy to Ethereum
BabyZoE
Add programmability to Zcash
Programmable Zcash
Connect the Zcash and Ethereum blockchains
Project Alchemy
31
Bringing zkSNARKs to EthereumSmart contracts where some of computation isperformed off-blockchain
Without sacrificing integrity
With zero knowledge
Scalability
Privacy-preserving cryptocurrency
Zerocash over Ethereum (ZoE)
First milestone: Baby ZoE
32
Baby ZoEfirst step towards Zerocash over Ethereum
What is Baby ZoESimple coin mixer contract
Can deposit and later withdraw privately
Fixed denomination
Protocol based on commitments and Merkletrees
34
Implementation componentsArithmetic circuit expressing the NP statementfor the zkSNARK
Contract
Extend the Ethereum VM to support nativeSNARK verification
Wallet
35
Implementation componentsNative SNARK verification
snarkverify(vk, proof, public_input)
Verifies the zkSNARK proof with theverification key, given the public input
Parity EVM patch
Rust wrapper for libsnark
36
Implementation components
- ZoE Circuit
- Given serial, addr, rt, and MAC,there exists sk such that
- cm := SHA256(sk||serial)
- cm appears in the depth-4merkle tree with root rt
- MAC = SHA256(addr||sk)
37
BabyZoE contract: internal state
Internal Merkle tree for commitments
Verification key for zkSNARK
List of spent serial numbers
List of past Merkle tree roots
38
BabyZoE contract: code
contract Mixer mapping (bytes32 => bool) public serials; mapping (bytes32 => bool) public roots; SnarkPrecompile zksnark = SnarkPrecompile(0x0000000000000000000000000000000000000005 struct Mtree uint cur; bytes32[16] leaves; Mtree public MT; bytes public vk; function Mixer(bytes _vk) vk = _vk; MT.cur = 0; for (uint i = 0; i < 16; i++﴿ MT.leaves[i] = 0x0; ... 39
BabyZoE contract: code
function insert(bytes32 com) returns (bool res) if (MT.cur == 16) return false; MT.leaves[MT.cur] = com; MT.cur++; return true;
40
BabyZoE contract: code
function deposit(bytes32 com) returns (bool res) if (msg.value != 1 ether) msg.sender.send(msg.value); return false; if (!insert(com)) msg.sender.send(msg.value); return false; bytes32 rt = getRoot(); roots[rt] = true; return true;
41
BabyZoE contract: code
function withdraw(bytes32 serial, address addr, bytes32 rt, bytes32 mac, bytes proof) success = false; bytes20 addr_byte = bytes20(addr); bytes memory pub = new bytes(128); uint i; for (i = 0; i < 32; i++) pub[i] = serial[i]; for (i = 0; i < 20; i++) pub[32 + i] = addr_byte[i]; for (i = 20; i < 32; i++) pub[32 + i] = 0; for (i = 0; i < 32; i++) pub[32*2 + i] = rt[i]; for (i = 0; i < 32; i++) pub[32*3 + i] = mac[i]; if (roots[rt] == true) if (!serials[serial]) if (!zksnark.verify_proof(vk, proof, pub)) return false; serials[serial] = true; if (!addr.send(1 ether)) throw; else success = true; else return; else return; 42
RoadmapGrown-up ZoE
Variable denomination
Splitting and joining coins
Payment destinations
EIP (Ethereum improvement proposal) for snarkverify precompile
Full wallet
Hawk over Ethereum
Cool contracts43
References一文讀懂區塊鏈上的隱私與監管問題
Zcash + ethereum
Zero knowledge proof
The trend towards blockchain privacy: zeroknowledge proofs
Privacy on the blockchain
zkSNARKs in a nutshell
Baby ZoE
44
Q&A
