Introduce how Zero knowledge proof deal with the privacy issues in blockchain transactions. Introduce how to integrate zkSNARKs on Ethereum, and introduce Baby ZoE.

1. zkSNARKs in Ethereum,
and Baby ZoE

2. Privacy issues of
blockchain transactions

3. Why privacy is an issue
fundamental human right
necessary for people exercise unique moral
choices
privacy which our societies evolved around is
healthy, and makes it more resilient and more
humane
3

4. Why privacy is an issue
Industrial blockchain business requires
improved privacy before they can use
blockchain technology.
People do not want their contracts and
transactions be exposed to enemies,
competitors, criminals, hackers.
4

5. Why privacy is an issue
A company wants to protect information
regarding its supply chain from competitors
An individual doesn't want it publicly known
that she is paying a bankruptcy lawyer or a
divorce lawyer for advice
A family that wishes to shield from employers
and insurers, for fear of discrimination, the fact
that their child has a chronic medical condition
or genetic problem.
A wealthy individual who doesn't want criminal
elements to see their activities and possibly
attempt to extort value from them. 5

6. Why privacy is an issue
A trading desk, or other middleman company
between buyers and sellers of different
commodities, that wants to prevent getting cut
out of the trade.
Banks, hedge funds, and other types of financial
entities that trade financial instruments
(securities, bonds, derivatives); if external
agents can figure out what their position or
interest is, it can be used to the traders'
disadvantage and affect their ability to trade
well.
6

7. Anonymity should have unlinkability of pseudonyms
7

8. Anonymity should have unlinkability of pseudonyms
8

9. Anonymity should have unlinkability of pseudonyms
9

10. Adapt zero knowledge proof methodology
EIP 86 (account security abstraction) helps the
adaption
An highlight in Metropolis
move the logic for verifying signatures and
nonces into contracts, allowing
developers to experiment with new
signature schemes, privacy-preserving
technologies and modifications to parts of
the protocol without requiring further
hard forks or support at the protocol
level. Also allows contracts to pay for gas.
10

11. Zero knowledge proof

12. What is zero knowledge proof
A ZKP is a cryptographic technique which allows
two parties ( a prover and a verifier ) to prove
that a proposition is true, without revealing any
information about that thing apart from it being
true.
12

13. What is zero knowledge proof
completeness: if the statement is true, the
honest verifier (the one following the protocol
properly) will be convinced of this fact by an
honest prover.
soundness: if the statement is true, no cheating
prover can convince the honest verifier that it is
true, except with some small probability.
zero-knowledge: if the statement is true, no
cheating verifier learns anything other than the
fact the statement is true.
13

14. ZKP examples
where's waldo
counting leaves
the secret cave
14

15. zero knowledge proof usages
used for verifying transactions
Zcash
used for verifying smart contracts
Hawk
15

16. zkSNARKs
zero-knowledge Succinct Non-interactive
ARguments of Knowledge

17. pros
Succinct non-interactive zero-knowledge proof
easy to verify
protect completeness of computations
do not bring too much overhead to non-
participants of the proof
17

18. What is zkSNARKs
Succinct
Non-interactive
ARgument
of Knowledge
zero-knowledge
18

19. What is zkSNARKs
succinct
the sizes of the messages are tiny in
comparison to the length of the actual
computation
19

20. What is zkSNARKs
non-interactive
there is no or only little interaction. For
zkSNARKs, there is usually a setup phase and
after that a single message from the prover to
the verifier. Furthermore, SNARKs often have
the so-called "public verifier" property
meaning that anyone can verify without
interacting anew, which is important for
blockchains.
20

21. What is zkSNARKs
arguments
the verifier is only protected against
computationally limited provers. Provers with
enough computational power can create
proofs/arguments about wrong statements
(Note that with enough computational power,
any public-key encryption can be broken).
This is also called "computational
soundness", as opposed to "perfect
soundness"
21

22. What is zkSNARKs
of knowledge
it is not possible for the prover to construct a
proof/argument without knowing a certain so-
called witness (for example the address she
wants to spend from, the preimage of a hash
function or the path to a certain Merkle-tree
node).
22

23. What is zkSNARKs
zero knowledge
during the interaction, the verifier learns
nothing apart from the validity of the
statement. The verifier especially does not
learn the witness string
23

24. What is zkSNARKs
witness string
consider transaction validation computation:
f(σ_1, σ_2, s, r, v, p_s, p_r, v) = 1
where σ_1 and σ_2 are the root hashes of
account Merkle-trees (pre- and post- state)
s and r are sender and receiver accounts.
p_s, p_r are Merkle-tree proofs. v is the
threshold in the test of Merkle-tree proof.
When turning f into a zkSNARK where only
σ_1 and σ_2 are publicly known. Then
(s,r,v,p_s,p_r,v) is the witness string. 24

25. Current implementation of zkSNARKs
Four main ingrediant
Encoding as a polynomial problem
Succinctness by random sampling
Homomorphic encoding / encryption
Zero knowledge
25

26. Current implementation of zkSNARKs
Encoding as a polynomial problem
The program that is to be checked is
compiled into a quadratic equation of
polynomials: t(x) h(x) = w(x) v(x), where the
equality holds iff the program is computed
correctly. The prover wants to convince the
verifier that this equality holds.
26

27. Current implementation of zkSNARKs
Succinctness by random sampling
The verifier chooses a secret evaluation point
s to reduce the problem from multiplying
polynomials and verifying polynomial
function equality to simple multiplication and
equality check on numbers:
t(s) h(s) = w(s) v(s)
This reduces both the proof size and the
verification time tremendously.
27

28. Current implementation of zkSNARKs
Homomorphic encoding / encryption
An encoding/encryption function E is used
that has some homomorphic properties (but
is not fully homomorphic, which is not yet
practical).
This allows the prover to compute E(t(s)),
E(h(s)), E(w(s)), E(v(s)) without knowing s,
she only knows E(s) and some other helpful
encrypted values.
28

29. Current implementation of zkSNARKs
Zero knowledge
The prover permutes the values E(t(s)),
E(h(s)), E(w(s)), E(v(s)) by multiplying with a
number so that the verifier can still check
their correct structure without knowing the
actual encoded values.
Roughly speaking, check t(s)h(s) = w(s)v(s) is
identical to check t(s)h(s)k = w(s)v(s)k a
random secret non-zero number k. And if you
are sent only the numbers (t(s)h(s)k) and
(w(s)v(s)k), it is impossible to derive t(s)h(s)
or w(s)v(s). 29

30. cons
currently (Zcash implementation) costs between
45 seconds to 1 minute to generate new proof
and move money from someone else.
suffer from big scalability issues
currently (Zcash implementation) need one
specific party for trust
30

31. Combine privacy and programmability
Add privacy to Ethereum
BabyZoE
Add programmability to Zcash
Programmable Zcash
Connect the Zcash and Ethereum blockchains
Project Alchemy
31

32. Bringing zkSNARKs to Ethereum
Smart contracts where some of computation is
performed off-blockchain
Without sacrificing integrity
With zero knowledge
Scalability
Privacy-preserving cryptocurrency
Zerocash over Ethereum (ZoE)
First milestone: Baby ZoE
32

33. Baby ZoE
first step towards Zerocash over Ethereum

34. What is Baby ZoE
Simple coin mixer contract
Can deposit and later withdraw privately
Fixed denomination
Protocol based on commitments and Merkle
trees
34

35. Implementation components
Arithmetic circuit expressing the NP statement
for the zkSNARK
Contract
Extend the Ethereum VM to support native
SNARK verification
Wallet
35

36. Implementation components
Native SNARK verification
snarkverify(vk, proof, public_input)
Verifies the zkSNARK proof with the
verification key, given the public input
Parity EVM patch
Rust wrapper for libsnark
36

37. Implementation components
- ZoE Circuit
- Given serial, addr, rt, and MAC,
there exists sk such that
- cm := SHA256(sk||serial)
- cm appears in the depth-4
merkle tree with root rt
- MAC = SHA256(addr||sk)
37

38. BabyZoE contract: internal state
Internal Merkle tree for commitments
Verification key for zkSNARK
List of spent serial numbers
List of past Merkle tree roots
38

39. BabyZoE contract: code
contract Mixer {
mapping (bytes32 => bool) public serials;
mapping (bytes32 => bool) public roots;
SnarkPrecompile zksnark = SnarkPrecompile(0x000000000000000000
struct Mtree {
uint cur;
bytes32[16] leaves;
}
Mtree public MT;
bytes public vk;
function Mixer(bytes _vk) {
vk = _vk;
MT.cur = 0;
for (uint i = 0; i < 16; i++﴿ MT.leaves[i] = 0x0;
}
...
}
39

40. BabyZoE contract: code
function insert(bytes32 com) returns (bool res) {
if (MT.cur == 16) {
return false;
}
MT.leaves[MT.cur] = com;
MT.cur++;
return true;
}
40

41. BabyZoE contract: code
function deposit(bytes32 com) returns (bool res) {
if (msg.value != 1 ether) {
msg.sender.send(msg.value);
return false;
}
if (!insert(com)) {
msg.sender.send(msg.value);
return false;
}
bytes32 rt = getRoot();
roots[rt] = true;
return true;
}
41

42. BabyZoE contract: code
function withdraw(bytes32 serial, address addr, bytes32 rt, byte
success = false;
bytes20 addr_byte = bytes20(addr);
bytes memory pub = new bytes(128);
uint i;
for (i = 0; i < 32; i++) pub[i] = serial[i];
for (i = 0; i < 20; i++) pub[32 + i] = addr_byte[i];
for (i = 20; i < 32; i++) pub[32 + i] = 0;
for (i = 0; i < 32; i++) pub[32*2 + i] = rt[i];
for (i = 0; i < 32; i++) pub[32*3 + i] = mac[i];
if (roots[rt] == true) {
if (!serials[serial]) {
if (!zksnark.verify_proof(vk, proof, pub)) { return false;
serials[serial] = true;
if (!addr.send(1 ether)) { throw; }
else { success = true; }
} else { return; }
} else { return; }
} 42

43. Roadmap
Grown-up ZoE
Variable denomination
Splitting and joining coins
Payment destinations
EIP (Ethereum improvement proposal) for
snarkverify precompile
Full wallet
Hawk over Ethereum
Cool contracts
43

44. References
一文讀懂區塊鏈上的隱私與監管問題
Zcash + ethereum
Zero knowledge proof
The trend towards blockchain privacy: zero
knowledge proofs
Privacy on the blockchain
zkSNARKs in a nutshell
Baby ZoE
44

45. Q&A