Watch / Towards a Feature-Complete and Backwards-Compatible Privacy Layer for Ethereum
Speaker: Wei Dai, Kyle Charbonnet
Event: Devcon 6
Date: Oct 2022
Software Security Engineer at the Privacy & Scaling Explorations Team
Wei Dai is a Cryptographer at Bain Capital Crypto. He is **not** the inventor of b-money, who the unit of Ethereum and the Maker stablecoin is named after. Nevertheless, he aspires to contribute enough to the R&D of blockchains so that he may one day become "the Wei Dai."
Zcash + Ethereum = ❤
This presentation focuses on how Zcash uses zero-knowledge proofs to add private transactions to a public blockchain, and how Zcash and Ethereum will grow together. Zcash is a new cryptocurrency that provides private transactions — the sender’s and receiver’s addresses are not publicly visible in the blockchain, nor is the amount transferred. Zcash posts that private information to the blockchain in encrypted form, and uses zero-knowledge proofs to cryptographically guarantee the validity of transactions without exposing the private information. This results in “Selective Transparency”. It’s not all-dark-all-the-time — it’s that each encrypted transaction in the blockchain can be revealed by its creator to selected third parties. Zcash is developed by a VC-funded, highly skilled development team and a widespread and active open source community. There are three paths forward for integrating Ethereum’s programmability with Zcash’s privacy. The Zcash team is actively contributing to all three paths. 1. Programmable Zcash — add Ethereum-style programmability to the Zcash blockchain 2. Private Ethereum — add Zcash-style privacy to the Ethereum blockchain 3. Project Alchemy — interoperation between the Ethereum and Zcash
Cryptography on the Blockchain
I have a LocalCrypto.sol library (i.e. all in solidity) that supports El Gamal Encryption, One out of Two ZKP (i.e. either yes or no is encrypted), Pederson Commitments, Inequality proof (i.e. two commitments DO NOT commit to the same data), Equality proofs (i.e. two commitments DO commit to the same data), Discrete log equality proofs, and publicly verifiable secret sharing. I’m currently organising the code for public release (let others experiment with cryptography on the blockchain) – i’d like to present the library, its capability, some projects I have used it in and how people can start using it today.
Protecting your Privacy within the Blockchain Ecosystem
Robertas Visinskis gives their talk titled, "Protecting your Privacy within the Blockchain Ecosystem"
Whisper: Achieving Darkness
Vlad Gluhovsky & Guillaume Ballet give their talk titled, "Whisper: Achieving Darkness"
Vlad Gluhovsky, Guillaume Ballet
Enigma: Privacy-preserving Smart Contracts for Ethereum
Enigma is a privacy protocol to enable privacy preserving smart contracts on Ethereum. Enigma utilizes secret contracts - smart contracts that let you use private and sensitive data in decentralized applications. Enigma is building a network for privacy preserving computations. Nodes in the Enigma network that execute secret contracts never see the data that is used in their computations. In this talk, we would like to give an overview of the first version of Enigma network, which is currently on testnet, and present the roadmap with specific focus on privacy preserving cryptographic methods including Multiparty Computation (MPC) and Zero Knowledge Proofs. Computing over private data is considered one of the “holy grails” of computer science. With secret contracts, Enigma focuses on building blocks for the Ethereum network, such as voting / governance and auctions, in the short term. Longer term, Enigma enables applications on Ethereum that work with sensitive user data to compete with centralized solutions such as Uber. Enigma can also harden the privacy and resiliency of popular solutions like on-chain voting and sealed-bid auctions. Without privacy, applications and users must turn to centralized solutions or accept severe trade-offs.
Guy Zyskind, Isan Rivkin
IDEN3: Scalable distributed identity infrastructure using zero-knowledge proofs to guarantee privacy
IDEN3 is NOT an ICO. It has no token at all. It is an open source permissionless identity layer built on top of Ethereum that we expect many projects will be able to use as a foundational layer for their own identity solution. It is a simple system that allows any identity to make a claim about any other identity. Our talk at DevCon4 will cover these topics: - We will introduce the idea of a decentralised identity management system and the challenges and needs for this solution. We will explain how IDEN3 can deploy millions of identities on blockchain without almost any expenditure of gas, allowing the system to scale to become a global solution with Ethereum as it is today. We will show how the claims are managed off-chain and validated on-chain and off-chain. We will explain how to generate proofs to validate claims that are valid only for a specific recipient and not reusable. We will show how to create proofs of those claims anonymously without revealing unnecessary data by using zero knowledge proofs. Finally we will talk about the status of the current development, our roadmap, milestones, the team, etc.
LibSubmarine - Temporarily hide transactions on Ethereum
LibSubmarine is a modular implementation of the Submarine Sends framework proposed by the team at IC3. While a standard commit-reveal scheme allows users to temporarily obfuscate data included in their transaction, Submarine Sends allow users to completely hide their transaction until revealed in a later block. Notable use cases include preventing frontrunning on DEXs, working sealed-bid auctions, and private voting with public tally. This is an open source and gas efficient implementation which anyone can add to their project. Built by the community, for the community. Slides: https://goo.gl/ncn3xG
Stephane Gosselin, Shayan Eskandari, Tyler Kell, Lorenz Breidenbach
New hash functions for Ethereum, SNARKs, and STARKs
Traditional cryptographic hash functions such as SHA-256 are well known in the Ethereum community and are well regarded for security and performance. However, they are not quite suited for SNARKs and STARKs as their circuits are too complex and slow in SNARK/STARK-friendly fields. That's why Zcash proofs originally took more than 40 seconds to create. In this talk we present and call for new designs that will make all the SNARK/STARK crypto much faster and thus bring better privacyto Ethereum. In particular, we cover: -Existing algebraic hash functions such as MIMC. -Merkle tree enhancements: wide functions and trees with feedback; -improved algebraic function design using ideas from AES and SASAS schemes. -performance overview; -how new designs will affect EVM and smart contract programming. We will also present other directions and potential research bounties that can be offered to motivate the hash research, crucial for SNARKs, STARKs, and Ethereum.
P4: Private Periodic Payments Protocol
P4 aims to solve the problem of subscription services offering end-to-end private cryptocurrency payments. This protocol introduces periodicity to cryptocurrency payments through an ongoing relationship between the merchant and the customer without unintentionally disclosing personally identifiable information. We are creating this protocol to allow us to offer a truely end-to-end private subscription data storage solution built with Tahoe-LAFS. By sharing it, we hope that other subscription services will implement our protocol and further the adoption of cryptocurrency payments in real world retail use cases. Although this protocol is currently a work in progress, we have already specified some design decisions. For periodicity, we are avoiding a payment pre-authorization design to keep the user in control of their keys. And for privacy we are utilizing Zcash shielded transactions and the coming improvements in the Sapling release. This protocol is being created by the Least Authority team with support from the Zcash team.
Privacy Preserving Smart Contracts
An overview of the privacy-preserving smart contract landscape. Examines the 3 main approaches: trusted execution environments (TEE), secure multi-party computation (sMPC), and zero-knowledge proofs (ZKP), and their respective tradeoffs to achieving computation over private data. I talk about the different companies doing each approach and I propose a way to synthesize all 3 approaches coherently. There is a full blog post about the topic here: http://juliankohtx.com/privacy-preserving-smart-contracts/
Plugging the metadata leaks in the Ethereum ecosystem
Current generation blockchains are by definition public... but how much public is too public? There is ample research going into making transactions private, hiding users' balances and computing verifiably off chain. However, nobody really focuses on the alarming amount of metadata we leave behind us with every one of our chain, explorer and/or dapp interactions. Even running our own nodes can expose a lot more about us to the world than most people realize or would feel confident with. In this talk I'd like to highlight some of the issues I see around metadata privacy within the Ethereum ecosystem, how those seemingly innocuous data leaks could be amassed and abused by aggregating actors and what we collectively might try to do to protect our users and the safety of our community members in the coming years.
Privacy-preserving Smart Contracts at Scale
In this talk we'll describe Oasis, a platform for privacy-preserving smart contracts at scale. Oasis addresses two critical issues of today's platforms: poor scalability and a requirement that all data is public. These platforms cannot support many exciting use-cases which have complex application logic (e.g. machine learning) or require protection of user or application secrets (e.g. data markets). Oasis is a layer 1 blockchain platform that scales to complex workloads such as machine learning and protects data via secure computing techniques. Oasis's scalability stems from the novel separation of computation and consensus in a layered design. This design allow transactions to execute in parallel before validation by the consensus layer, thus alleviating a major source of congestion and enabling new verifiable computing techniques that dramatically reduce replication needed to ensure integrity. Oasis uses a proof-of-stake consensus algorithm tailored for this architecture and supports multiple secure computing models (trusted hardware, multi-party computation, zero-knowledge proof) based on security and performance requirements. We'll summarize the Oasis protocol and discuss real-world applications built on Oasis in as credit scoring, medical data sharing, and blockchain-based games. We'll describe how Oasis enables these exciting applications to run directly on-chain, avoiding the need for off-chain computation.
Privacy for Everyone
Zooko Wilcox speaks about Zcash & recent advances in Privacy.
Satoshi Has No Clothes: Failures in On-Chain Privacy
Payments in Ethereum and Bitcoin are, by default, transparent. Transactions are conducted between pseudonyms with the sender, recipient and value exposed. While this transparency enhances auditability and decentralization, it is a major privacy issue. A growing volume of research shows that these pseudonymous identities are easily linkable. This is a major issue for privacy, fungibility, and a free market. A variety of techniques have been proposed to alleviate these issues. These include but are not limited to Confidential transactions + Conjoin, RingCT/Cryptnote, Zerocoin, Zerocash, Hawk, and Solidus. These techniques span a large multidimensional performance envelope in terms of transactions generation and validation time, size, as well as a range of cryptographic assumptions and data retention requirements. At the same time, these protocols offer markedly different levels of privacy against various threat models. Which one should we use? If performance were the sole issue, then systems without such enhancements would likely be preferred. Clearly some amount of privacy is necessary and the cost of getting it acceptable. The question is thus, which approaches provide sufficient privacy, in what contexts, and at what cost?
The Entire History of You Is Being Sold
Every moment, servers are logging, cataloging, and selling your personal, private information. Your utility bill payments, cell phone records, insurance payments, auto history, court records, credit score, identity information, social security records, address history and hundreds of other pieces of information are amassed into giant data warehouses where it’s packaged and sold to data farms, lenders, and banks. A Blockchain Solution: The data industry is a murky one. With the right direction, businesses are ready to adopt Blockchain technology TODAY as Blockchain can offer practical solutions to GDPR and Data privacy. Riddled with scams, dark markets, and illegal underground sources of data, the problem is getting worse. 10,000+ different companies report information about you to major bureaus. Analysts’ figures show that number climbing to more than 30,000 in the next 10 years. This is where Blockchain is needed. Developing the Future: In the past, consumers had little recourse, calling central data collection firms are a “necessary evil”. Blockchain gives users the power to own their own data, and decide how it’s used, how it’s sold. How you can develop systems that get adoption today? What businesses are ready to integrate now? Simple solutions to big problems.
The State of Whisper
Whisper is the Ethereum Foundation's secure communications protocol. It has been designed to ensure darkness, i.e. guarantee that neither a message's content nor its metadata can be captured by an attacker. With the release of version 6 last spring, it is now also used to prototype the switch of the P2P stack from DevP2P to libp2p. This talk will start with a summary of the protocol, followed by in-depth coverage of two upcoming features that will improve its usability: 1) insights into the libp2p switch, and 2) compiling it to WASM to run directly inside a browser, thus bypassing the confusing RPC interface.
A trustless Ethereum mixer using zero-knowledge signalling
Since Ethereum transactions are fully visible on-chain, it is possible to trace value transfers and surveil users' financial activity. This state of affairs deprives users of privacy beyond mere pseudonymity. Some workarounds, like using a centralised exchange wallet or a custodial mixing service, however, introduce a high degree of counterparty risk. The Ethereum ecosystem needs a noncustodial mixer which works through strong cryptography, rather than blind trust. To solve this, we present a trustless mixer for Ether and ERC20 tokens. It builds upon Semaphore, a zero-knowledge signalling system by Barry WhiteHat and Kobi Gurkan. Additionally, it employs a burn relay registry which incentivises third parties to pay gas fees on behalf of mixer users. In this presentation, I will show a high-level architectural overview of the mixer, dive into its underlying zero-knowledge circuits, and discuss other applications of zero-knowledge signalling.
Kobi Gurkan, Wei Jie Koh, Barry WhiteHat
An introduction to privacy and anonymous communication: A hands-on workshop
This workshop will go over the basics of privacy, starting with anonymity and unlinkability. We'll show that privacy is a 'holistic' systems-level concept, and not just an application of zkSNARKs on-chain. Various types of privacy notions (unlinkability, undetectability), and threat models, will be explored, as well as the various levels where privacy leaks happen (layer 0 on the network level, layer 1 on the chain, and layer 2 application issues). The workshop will then invite coders to describe their own privacy problems, and we'll offer advise and hands-on work through with systems like mix-networks (Loopix), anonymous credentials (Nym), and other systems.
Dave Hrycyszyn, Jedrzej Stuczynski
David Chaum gives a brief history of his experience in Cryptography, and presents Elixxir and Praxxis.
Decentralizing Transaction Abstraction for On Chain Privacy
Transaction abstraction (or meta transactions, if you prefer) isn't a new idea in Ethereum. The idea, roughly, is that users sometimes want a 3rd party, called relayers, to pay gas for their transactions for them. To support on-chain privacy apps like the MicroMix mixer, we've designed a decentralized transaction abstraction system with 2 particularly novel ideas:a transaction simulation engine that allows anyone to run a relayer with minimal configurationa trustless reputation/spam-prevention system for relayers, that we call the 'burn registry' In this talk, I'll:present the design space of transaction abstraction and some of the crypto-economic challenges in building such a systempresent the solution we've built for MicroMix and finally, share software that you can run today to be a relayer on our network.
Decentralizing Ethereum Data with VulcanizeDB
Ethereum is a robust platform for decentralized applications, but the same data structures and encodings that make it effective and trustless also complicate data accessibility and usability. How do you know token balances were updated correctly after you sent your transaction? Is an address authorized to seize your assets? How have system parameters changed over time? To answer these questions, we’ve traditionally depended on centralized APIs and block explorers to capture and serve historical data in a performant way. But what if those services shut down or returned modified results? VulcanizeDB has been working hard to address this problem - aiming to make it easier for anyone to set up, maintain, and query their own data directly. The good news: it is possible to keep track of the historical state of smart contracts without storing petabytes of data! The tricky part: you need to be intentional about how you track information, and you need to aggregate data from disparate sources to provide a holistic view. This workshop will provide a demo and hands-on experience walking through how VulcanizeDB simplifies the process of developing and interacting with smart contracts while keeping our applications and data independent of centralized third parties.
Ethereum 9¾: MimbleWimble for ERC20 with ZK Snark
Ethereum 9¾ is an entrance to the magical world to send ERC20s privately. It hides the transaction histories using MimbleWimble and ZK Snark. A user enters into the magical world by depositing ERC20 tokens with a valid MimbleWimble output. As Ethereum 9¾ appends it as a coin-base to the Merkle Mountain Range tree, the user becomes able to use MimbleWimble spell to send ERC20 privately. The contract only accepts MW spells which include an unlinkable spent tag, result outputs, and a ZK proof. The proof should pass the ZK-circuit which ensures that the tag is derived from an output which definitely exists in the MMR tree while the sum of spent and resulting outputs satisfies the MimbleWimble equation. Then, the spent tag prevents double-spending and ZK Snark secures deposited ERC20s by proving that the sum of inflow and outflow is zero by MimbleWimble protocol without revealing details. Or the user can go back to the muggle world anonymously and withdraw ERC20s by providing an unlinkable spent tag and a ZK proof. Because MimbleWimble doesn't reveal the value during transactions and we also don't know which output has been spent, it becomes hard to link the deposit and withdrawal.
Hodor - open source zkSTARKs library by Matter Labs
"Hodor" (let's be original and don't use Marvel Universe) is an open source implementation of zkSTARKs over prime field (initially) that is currently being developed by Matter Labs and expected to be released early-mid September. In this workshop I'd like to cover some information about zkSTARKs such as arithmetization and prover/verifier work, as well as give concrete examples how to use "Hodor".
Konstantin Panarin, Alexander Vlasov
Hands-on applications of zero-knowledge signalling
Semaphore is a generalised zero-knowledge signalling system which can be deployed to fulfil various privacy use cases, such as a mixer and anonymous whistleblowing. This hands-on workshop will guide participants through a high-level explanation of how Semaphore and zero-knowledge proofs work, and guide them through an anonymous chat app integrated with POAP tokens which can generate and verify said proofs. No programming or zk-SNARK knowledge is needed.
Wei Jie Koh
How scaling impacts privacy
This will be a presentation or panel discussing the positive and negative privacy consequences of scaling to mainstream use. By considering the data stored on blockchains, now, we can speculate about the use of it in the future and how it can be analyzed at scale. We will explore specific data types and common use cases, including data mining. The goal of this session is to help the community know how privacy will be impacted when cryptocurrency reaches mainstream use and explore the societal consequences of personal data collection and decentralization of systems.
KeySpace: End-to-End Encryption using Ethereum and IPFS
Mixing based privacy mechanisms are insufficient
Mixing based privacy-preserving mechanisms like trustless coinjoin used by Wasabi wallet and ring signatures used by Monero are noble and might work for the average Joe, but they don't provide privacy required for mission-critical things. The talk will briefly cover some of the attack vectors against such mechanisms and provide tips on improving your privacy within such systems.
Network level privacy with HOPR - fixing Ethereum's Achilles' heel
Multiple projects currently focus on on-chain privacy but at network level, Ethereum utilizes broadcasting of messages in a P2P setting which is known to have inferior privacy-guarantees compared to mixnets. Beyond the core layer, dapps running on top of Ethereum or users interfacing these dapps and communicating with one another need a go-to protocol that allows them to exchange data without leaking private metadata that allows for de-anonymizing them while using a dapp.In this talk we highlight some attacks that collect network metadata in order to de-anonymize senders of a transaction. We then show how a mixnet like HOPR can be used to establish network-level metadata privacy. HOPR is a mixnet that allows participating nodes to earn ETH for relaying messages and thereby provide privacy. As HOPR requires cooperation of downstream nodes to unlock a payment, traditional payment channels would lead to race conditions that allow relayers to exploit the network. We will present an alternative to common payment channel implementations, building on commutative properties of elliptic curves for efficiently closing payment channels.
Off-Chain Trusted Compute Overlay testnet for Blockchain Privacy, Scalability and Adaptability.
During Devcon 4 we introduced potential for Trusted Compute as an option for addressing scalability and privacy challenges faced by blockchains. Since then Enterprise Ethereum Alliance (EEA) has released version 1.0 of Off-chain Trusted Compute specification. As part of the workshop we will introduce an Enterprise Ethereum network connected to EEA compliant Trusted Computing pool; both hosted on Azure cloud. In addition we will demonstrate one sample real-world usage scenario and give examples of more. During the workshop developers will be provided scripts to recreate the setup on their local laptops and guidance on how to create private test setups on Azure cloud. Developers will walk away with background on leveraging Trusted Compute in context of their decentralized applications for addressing privacy, scalability and/or adaptability.
Sanjay Bakshi, Jean-charles Cabelguen, Andreas Freund, Marley Gray, Anand Pashupathy, Yevgeniy Yarmosh, Lei Zhang, Jim Zhang
Nightfall - The Open Source Privacy Solution for Ethereum
We believe that public blockchain is the future of business to business transactions. However, two issues - privacy and scalability - will need to be solved if this vision is to be fully realised. This talk will explain the motivations behind the open-source nightfall code and how it is intended to tackle the first of these issues. We cover the operation of the protocol, the method by which it provides complete privacy, and how developers can use it to build their own applications by making use of its smart contract infrastructure and the ZoKrates framework. We will also present our modelling of transaction costs, which shows that nightfall can already provide a cost-competitive alternative to private blockchains for many situations and how that will be true for a growing number of use cases in the near future.
Duncan Westland, Chaitanya Konda, Michael Connor, Paul Brody
Privacy by design in a world with universal SNARKs
ZK-SNARKs are an innovative method of verifying that a computation has been performed correctly. They form the backbone of many proposed scaling and privacy solutions for Ethereum. PLONK is a new ZK-SNARK construction, developed by AZTEC and Protocol Labs, that is 'universal'; only one 'trusted setup' is required, and different ZK-SNARK programs do not require additional trusted setups to be performed. This construction is the first universal ZK-SNARK construction that is practical enough for use in smart-contracts. In this talk, we will provide an overview of how ZK-SNARKs can be used to solve Ethereum's scaling and privacy challenges, and how PLONK opens up a world of zero-knowledge dapps.
Private and Reliable Data Sync for Messaging Over Whisper
How do we achieve user friendly data sync in a p2p network for resource restricted devices? In this talk we go over the problem space, do a brief survey of existing work, and propose a solution combining several of the most promising technologies. This talk will include a demo of a data sync protocol being developed. We’ll also cover things such as: - dealing with mostly-offline devices, - dealing with large sync contexts, such as group chats - making the protocol transport-agnostic. Finally, we’ll show how data sync fits into the larger picture, from transport layer to end user applications, and highlight some of the work that still needs to be done, and who is working on it.
Dean Eigenmann, Oskar Thoren
Minimum Viable Privacy: Introducing Hopper
Hopper is an Open-Source Mixer for Mobile-friendly private transfers on Ethereum. It allows the private transfer of value from one Ethereum account to another, via an iOS client. Users can deposit notes of 1 ETH into a mixer smart contract and withdraw them later to a different account by only providing a Zero-Knowledge proof (zkSNARK) that they previously deposited a note into the mixer, without revealing from which account that note was sent. Relayers are used to post transactions to the blockchain so that the recipient of a private transfer can withdraw a private note from the mixer without needing any prior ether. This project is based on previous work on trustless Ethereum mixers by @barryWhiteHat and @HarryR. This talk will discuss the development of Hopper, how others can contribute, and the next steps to make it a true utility for the community.
Privacy in Ethereum
From mixer to anonDAO, anonSocial media to journalism under authoritarian regimes ethereum offers ways to provide privacy to people who need it most. Come hear what we have done and what we want to do. How *YOU* can help us move forward.
Path to Seedless Recovery
Private key management is one of the key issues to be solved on the road to mass adoption of blockchains like Ethereum. Smart contract based wallets like the Gnosis Safe are laying the foundation to solve this problem by allowing different types of access control. The talk gives an overview of the different approaches developed to allow account recovery beyond seed backups and explains how to implement social recovery to ensure recoverability without compromising privacy.
Satoshi Has No Clothes, What About Szabo?: Smart Contracts, Privacy, and Practicality
This talk will explore the possibilities for privacy preserving smart contracts in terms of both cryptography and functionality. It will give an overview of known approaches, including a detailed discussion of zk-proof based schemes such as Zexe (my work) and an overview of other approaches including refereed computation as seen in systems like Truebit and Arbitrum, multi-party computation, secret sharing, and fully homomorphic encryption. More fundamentally, it will explore what a private smart contract really is. Do we need to hide which contract is running? Do we really want privacy in most cases?
Shrubs - A New Gas Efficient Privacy Protocol
ERC20 tokens that offer high levels of privacy to their users have been a longtime goal in the Ethereum ecosystem. To implement a privacy protocol that offers very strong privacy guarantees such as those of Zcash, it's necessary to maintain a large Merkle tree of commitments. Unfortunately, doing so in a smart contract can be expensive. For example, to support the same number of total transactions as Zerocash (2^64), one would require a tree depth of 64, and thus 64 storage updates per transaction, which is prohibitively expensive gas-wise. In this work, we introduce a new Merkle tree variant, which is defined not by the root, but by the path to the rightmost non-empty leaf node (or frontier), in a tree filled from left to right. This allows commitments to be inserted with O(1) amortized updates, at the expense of a slightly more complicated zk-SNARK proof, used to prove that the commitment is in the tree. We use this new data structure to create ShrubsToken, a new gas efficient privacy token, with Zcash-like privacy. Based on our experiments, we estimate that Shrubs will use around 500,000 gas per transaction, after the next Ethereum hard fork.
Alex Gluchowski, Kobi Gurkan, Marek Olszewski, Eran Tromer, Alexander Vlasov
The Commodification of You
Corporate interests monitor and harvest our every contact and click, exploiting the fact that we rely on the internet for nearly every facet of our lives. They delve deep into our digital selves so that they can commodify our identities. For years, they’ve succeeded with only a whisper of pushback. What can we do to know what is happening to us and take back some control from our digital identities? In this talk, attendees will learn: Recent scandals highlighting the danger of the current collect-predict-sell data monetization model; Where technology can and can’t help us as we navigate our digital lives; What we can do to educate ourselves and others to sway public opinion on privacy.
The Future of Privacy-Preserving Smart Contracts
Ethereum is unable to support the development of privacy-preserving smart contracts in its current state. What do we need from Ethereum 2.0 to build arbitrary privacy-preserving smart contracts? What cryptographic building blocks are required? We’ll begin by diving into recent efforts both in academia and industry towards building PPSCs and some of the fundamental flaws with these approaches. We’ll also cover the trade-offs that need to be considered and the lessons learned from previous attempts in this space. Furthermore, we will discuss the limitations on use cases for each approach.Attendees of the presentation will leave with a better understanding of the state of the art for PPSCs in Ethereum and the wider blockchain space.
John Pacific, Ravital Solomon
You Too Can Build a Ethereum Mixer!
Cryptography is maths, and maths is scary. There's information overload, you don't know where you start, there's smarter people telling you how your solution(s) isn't perfect and how it has a theoretical limit / flaw / weakness, and how it's not "safe" to do xyz.So how can one with no academic background in cryptography start building cryptographic protocols to be then ultilized in higher-level applications? This talk will focus on my anecdotal process of building a Heiswap, Ethereum Mixer, with a Research vs Engineering perspective.
Zero Knowledge: Privacy and Transparency's beautiful co-existence
Zero Knowledge Systems are often imagined as the enabler technologies for a privacy-centric world in which an individual can operate freely, away from public scrutiny. In these proposals, we focus primarily on an individual's right to own and protect their private data. While this is an important topic to us all and a model that is already being explored by projects like Zcash, I believe that the Zero Knowledge paradigm actually offers an opportunity for something even more powerful: that is secure systems providing both privacy and at the same time transparency for individuals and organisations. In this talk, I aim to explore what this balance can look like using zero knowledge systems, how valuable this could be in our personal and business lives, and showcase projects aiming to develop tools in this spirit.
ZoKrates - Privacy for dApps
In this talk, we provide an update on the state, future, and vision of ZoKrates, the programming language and toolbox to bring zkSNARKs to Ethereum developers to enable privacy and scalability of their dApps. We describe the evolution of the ZoKrates language, standard library, and tooling before outlining our view on ZoKrates’ role within the Ethereum ecosystem of the future. To support this vision, we share insights gained from use case implementations where we enhanced the privacy of decentralized applications with ZoKrates.
Jacob Eberhardt, Thibaut Schaeffer
Zerochain: Using zk-SNARKs for an account based privacy-preserving blockchain
Zerochain is a privacy-protecting layer on top of any smart contract platforms like Substrate and Ethereum. As a high-level overview, Zerochain is based on Zether protocol(https://crypto.stanford.edu/~buenz/papers/zether.pdf) which is privacy-oriented payment protocol on top of smart contracts. Though this original specification uses Sigma-bullets as zero-knowledge proving systems, instead we use zk-SNARKs for the efficiency reason. I would like to talk about how it works, how we can integrate privacy into the account-based approach.Currently supported for the only Substrate, but it can be supported for Ethereum as well because Zerochain and Zether protocols can be compatible with any smart contract platforms. Here is our GitHub page: https://github.com/LayerXcom/zero-chainand blog post: https://medium.com/layerx/announcing-zerochain-5b08e158355d
ZETH: On Integrating Zerocash on Ethereum
Transaction privacy is a hard problem on an account-based blockchain such as Ethereum. While Ben-Sasson et al. presented the Zerocash protocol [BCG+14] as a decentralized anonymous payment (DAP) scheme standing on top of Bitcoin, no study about the integration of such DAP on top of a ledger defined in the account model was provided. In this paper we aim to fill this gap and propose ZETH, an adaptation of Zerocash that can be deployed on top of Ethereum without making any change to the base layer. Our study shows that not only ZETH could be used to transfer Ether, the base currency of Ethereum, but it could also be used to transfer other types of smart contract-based digital assets. We propose an analysis of ZETH's privacy promises and argue that information leakages intrinsic to the use of this protocol are controlled and well-defined, which makes it a viable solution to support private transactions in the context of public and permissioned chains.
Antoine Rondelet, Michal Zajac
A SNARKs Tale: A Story of Building SNARK Solutions on Mainnet
We tell the story of deploying a real-world solution using SNARKs as a core primitive; highlighting many cutting edge SNARKs and their limitations in the hope to identify opportunities for the community to make Ethereum more SNARK friendly, creating a diverse ecosystem where SNARKs built upon a variety of unique primitives can thrive.
Jackson Blazensky, Severiano Sisneros
A ZoKrates Update
zkSNARKs are becoming a cornerstone of decentralised technologies. Yet they are often considered impenetrable to newcomers. We will present an update on the ZoKrates toolbox, a set of tools aimed at making developing zkSNARK applications easier using a high-level language instead of handcrafted circuits.
A new DeFi Primitive - Private Trading with Aztec Connect
Trading on decentralised exchanges is missing a key primitive, **privacy**. In traditional markets, an OTC desk enables large orders to trade without moving the price on chain this is missing and everyone can see everything. ZKP's deployed in production allow us to implement private trading on Ethereum. This talk looks into: 1. How to uses ZKP's to give privacy on Ethereum 2. How to build a private dollar cost averaging smart contract using Aztec Connect 3. A code walkthrough and a demo
Joe Andrews, Jan Beneš
Anonymous Signalling on Ethereum
Semaphore is a protocol, designed to be a simple and generic privacy layer for Ethereum DApps. Using zero knowledge, Ethereum users can prove their membership of a group and send signals such as votes or endorsements without revealing their original identity. The talk will describe the protocol, the main concepts and some use cases. A simple demo will also likely be used to show how Semaphore can be used to create DApps and solve real problems in the ecosystem.
Are Your Zero-Knowledge Proofs Correct?
Recent efforts have made it possible to write zero-knowledge proofs without having deep expertise in cryptography. Nevertheless, these proofs can be subtly wrong and result in situations where the application erroneously “verifies” bogus information from an attacker. In this talk, we will give an overview of our research that can be used to reason about the correctness of zero-knowledge proofs and highlight some of the open-source tools that Veridise has developed to find bugs in ZK circuits.
Auditing Strategy for zkEVM
A panel discussing approaches to auditing the zkEVM.
Building a Unirep ecosystem
What does an identity ecosystem built on top of Unirep look like? Learn how reputation works in a system where participants are anonymous and how it can be used to build applications.
Building Privacy-Protecting Infrastructure
In this talk we'll go over how to build privacy-protecting infrastructure. What is it, why do we need it and how can we build it? We'll look at Waku, the communication layer for Web3. We'll see how it uses ZKPs to incentivize and protect the Waku network. We'll also look at Zerokit, a library that makes it easier to use ZKPs in different environments. After this talk, I hope you'll better understand the importance of privacy-protecting infrastructure and how we can build it.
Crypt-Keeper ZK Identity Wallet
We demo the Crypt-Keeper identity commitment and zk proof generation wallet for semaphore, RLN, and other ZK identities.
Cryptographic Optimizations in Aztec
Designing Public Goods Using ZKPs
In this talk, designers reflect on the common threads that run through a constellation of tools and applications built with ZKPs. We share mental models being explored and strategies for fluidly navigating an evolving space. By offering real examples from our design workshops and dApps, we will explore the question – How might we materialize abstract concepts to enable internal and external teams to build with ZKPs?
ELI5: Zero Knowledge
Demoing heyanon, an open-source app allowing you to anonymously tweet as a verified member of on and off-chain groups. We’ll talk about how you can submit your own groups, our work on improving the ECDSA group experience, and our many ideas for extensions!
Improving Performance of Provable Computations Using Rust
We reimplemented the Cairo VM in Rust to increase its performance. We will show an MVP that is between 10 and 100 times faster than the previous Python implementation. Executing a program with this VM outputs a trace which can later be used to generate a Proof of the program's execution. Combining Zero Knowledge Proofs with Rollups allow us to have scalability without compromising the security of blockchains.
Herman Obst, Federica Sofía Moletta
Introduction to Circom2.0
The workshop aims to explain the basics of Circom2.0, the new features respect Circom1.0, the tool stack and explain a simple project about the following topics: - Zk-Rollup + Mixer: Put a mixer in the withdraw of Hermez1.0. - Polygon ID: Explain some of the Circom circuits of polygonID and how can be used. - NFT project: A project that aims to airdrop an NFT to some address that accomplish certain conditions without reveal the address.
Jesus Ligero, Carlos Matallana
Interep: An Identity Bridge from Web2 to Web3
Interep aims to provide an identity solution for Ethereum users by bridging from an established digital identity source, typically a web2 platform. The product provides an identity layer in an application stack, and integrates with a privacy-focussed layer using the Semaphore framework. Interep can be used to to qualify users, or as an anti-sybil service.
Lessons from the Field: Threat Modeling for the Everyday Use of Digital Currency
[GiveDirectly](https://givedirectly.org) is a charity that sends money directly to people living in poverty. Over the past decade, GD has transferred hundreds of millions of dollars to recipients using centralized digital currency systems, specifically telco-operated mobile money. Andrew will share some of the measures GD takes to reduce fraud and offer suggestions about how better privacy could drive the everyday use of Ethereum.
Maze - Aggregation Tool for Circom-PLONK Proofs
The session aims to demo Maze, a CLI-based tool for aggregating several circom-plonk proofs into a single aggregated proof developed using Halo2 library. The session will also include a high level explanation of aggregation of plonk proofs using Proof Carrying Data (PCD).
Little Things I’ve Learned in Developing Halo2 Circuits
We will share some Plonkish circuit designing patterns we learned during the zkevm development.
Non-interactive, Unique Nullifiers: The Key to The Next Era of ZK
ZK app systems are being held back because there isn't an anonymous way to prove that you aren't double claiming/double posting. In this talk, we explore the variety of nullifiers and present a new signature scheme that would enable things like zk airdrops or other zk systems that require uniqueness.
Next-Generation DSLs and IRs
We discuss the future of higher-level langauges and circuit representations with developers from a number of toolstacks.
Jordi Baylina, Ying Tong, Louis Guthmann, Brandon Kase, Kev
Optimizing Cryptographic Algorithms used in Gnark
Youssef El Housni
Penumbra: Building a Private DEX with ZKPs and Threshold Cryptography
ZKPs allow transactions to prove their state transition was valid, without revealing anything about what it was. But this isn't enough, because useful applications require shared state, which ZKPs can't provide. In this talk, we'll describe how to break this barrier by combining ZKPs with flow encryption, a new threshold crypto primitive, to allow private interaction with public shared state, and how Penumbra uses this technique to build a private DEX.
Henry de Valence
Privacy & Scaling Exploration — What We Do and How to Collaborate
Private Exchange on ZKOPRU
Give a presentation about private-exchange application on zkopru which consists of three different zero knowledge protocols including socialist millionaire problem, blind find, and zkopru. In the presentation, I will show how the private exchange works.
Proof Systems for zkRollups
Public Goods and Experiments, the journey of Zkopru
Zkopru is one of the inital projects of EF's PSE team. During the development and experiements PSE team could establish the own ethos for the public goods and experiments. This talk introduces Zkopru project's journey from the beginning to its sunset of the 1st version. Also it introduces the achievements and the future plans.
Learn about the challenges of designing a private execution layer for Ethereum. Previously, smart contract execution (L1 & L2) has been fully public. Some apps provide basic private functionality for a single private state (e.g. privacy coins). We'll discuss ways to execute general private and public state changes across multiple smart contracts in one transaction, within a zk-rollup. This unlocks programmable private smart contracts.
Rate Limiting Nullifier
RLN (Rate limiting nullifier) is a construct based on zero-knowledge proofs that enable spam prevention mechanisms for decentralized, anonymous environments.
Private Value Transfer in 10 Lines
Demonstration of how drawing from a standard cryptographic library can reduce zero knowledge circuit implementations to simple programs of as few as 3 lines. The Join split circuit is a popular circuit that originated from Zcash and is being used in Aztec. Using the Aztec Noir standard library, we reconstruct the join split in 10 lines hiding all of the circuit complexities involved.
Recursive ZK Applications and Affordances
Recursive zkSNARKs are poised to hit production in the next two years. We discuss how to think about the new affordances and potential applications that recursion unlocks for both scalability and privacy. These include proofs-of-proofs-of-knowledge like ETHdos, on-the-fly "programmable" SNARKs, incrementally verifiable computation, distributed proving, and tactics for reducing verification cost or proof size.
Ying Tong, Nalin Bhardwaj
Scalability is Boring, Privacy is Dead: ZK-Proofs, What are They Good for?
The first mainstream uses of zero-knowledge(zk) proofs were for private payments in systems like Zcash and then scalability. In both, we hide data to improve privacy or validation costs. But private payments, unfortunately, have seen limited direct demand. And scalability needs faster proofs but not even zero-knowledge. What are practical zk proofs good for? This talk considers zk proofs + blockchains as a tool both for cryptocurrency and broader applications.
Scaling up Trustless Neural Network Inference with Zero-Knowledge Proofs
We present the first ZK-SNARK proof of valid inference for a full resolution ImageNet model. We will describe the arithmetization and quantization optimizations enabling us to SNARK large neural networks as well as a software package enabling transpilation from off-the-shelf models to halo2 circuits. We design protocols using our circuits to verify machine learning model predictions and accuracy and present concrete estimates of overhead costs based on our circuit implementations. This is joint
Scaling Privacy with Starlight
Five years ago, at DevCon in Prague, EY took the wraps off Nightfall, our open source public domain approach to privacy. Now it's live on Ethereum as a layer 2 privacy-enabled ZK-optimistic roll-up solution called Polygon Nightfall. That's only half the story though - we also need private smart contracts. This talk will cover our roadmap to that end, including our newest tool in development (also open source) called Starlight.
Paul Brody, Chaitanya Konda
Solidity Dev to ZK Dev: Why and How You Should Start ZK Dev Now
This talk discusses why working on zero knowledge (ZK) cryptography is important.
Jack Gilcrest, Ian Brighton
SNARK Light Clients
During this session, we'll go over basic components of Miden VM and describe how we've implemented them using the STARK proving system. We'll also provide a high-level overview of Miden VM features, and compare them against other ZK virtual machines.
STARKs in SNARKs
We'll create a ZK circuit live, build a STARK, and build a SNARK that verifies the STARK.
Unirep Social - A demo application of Unirep protocol
Unirep is a private reputation system. In this session we will use a social media app called Unirep Social to demo the Unirep protocol.
Using ZKP for better p2p messaging with Waku
In this short demo we'll look at Waku, the communication layer for Web3, and how it uses ZK for its service network. We'll demo using Waku with RLN for private, economic spam protection and what this means for you as a user and node operator. We'll also briefly look at how we can incentivize other services in the network in a private manner. Finally we'll show how you can actively participate in and contribute to the network yourself as a node operator, developer or end user.
Vampire, a Novel, Cheap to Verify, zkSNARK
In this talk, I would like to introduce Vampire (https://eprint.iacr.org/2022/406) -- a novel zkSNARK that has the smallest communication complexity and on-chain verification cost of all known updatable zkSNARKs.
What to know about Zero Knowledge
Zero Knowledge, aka ZK, has become a catch-all term to represent much of "modern" or "advanced" cryptography -- especially cryptography that's relevant to the future of blockchains. In this panel, we will share our perspectives on ZK -- how to think about it, what to look out for, and what to focus in on. We'll also discuss how ZK may alter and complement Ethereum's own future.
gubsheep, Albert Ni, Barry Whitehat, Vitalik Buterin
Why We Need Threshold FHE for Blockchains
There is a fundamental limit to building privacy-preserving applications in ZK. For example, we do not know how to replicate applications such as Uniswap and Aave in zero knowledge where complete privacy for users is achieved. This talk introduces how threshold FHE can help fill the gap ZK tech leave us desiring--privacy for shared-state applications.
ZK Circuits for Elliptic Curve Operations in Halo2
We present halo2-ecc, a ZK circuit library for elliptic curve operations in halo2. Our library implements multi-scalar multiplication, optimal Ate pairing, and ECDSA verification on curves including BN254 and Secp256k1. We will show benchmarks for these operations as well as applications to recursion and aggregation of halo2 proofs. This is joint work with Jonathan Wang.
ZK Application Design Patterns
We build a brief mental model of zkSNARKs and give an overview of application design patterns and techniques for ZK-enabled apps. We discuss the overall landscape of proving environments and applications of each: the affordances of browser proving, mobile proving, server proving, GPU proving, etc. We'll go over the current state of the art and key benchmarks, and how improvements across the landscape can unlock new applications of both privacy and succinctness.
Yi Sun, Lakshman Sankar
Zero-Knowledge Machine Learning
ZKML could be the key to giving the blockchain eyes, letting smart contracts exercise judgment, one-person oracles, and generally getting data on-chain in a scalable way. I'll discuss applications, how to quickly convert PyTorch models to zero-knowledge proofs, and the roadmap.
zkemail: Decentralized ID Verification on Chain Without Servers
We demo zk-email, a new primitive that lets you verify emails trustlessly. We demo a simple trustless Twitter badge on chain, and show how almost any data in web2 can be turned into trustless badges or zk badges on a blockchain. Launching with Personae Labs!
Aayush Gupta, Sampriti Panda
ZK Proof Performance and Security Characteristics
ZK tech gets almost mystifying treatment from both regular users & devs. However, beyond the moon math, quantifiable differences between the zkps deployed in the Ethereum ecosystem can help users and builders understand what they are interacting with. Join me as I explain our methodology for collecting and quantifying these differences in a format digestible for the non-math professor.
Brian Wilkes, CFA
ZK Badges: A new primitive for self sovereign identities
How to prove that you donated to Gitcoin grants or that you voted for a specific DAO proposal without giving out your Ethereum address? How to aggregate your reputation from multiple wallets? Built as a new primitive, ZK Badges enable you to: - Import reputation from an account to another - Selectively reveal personal data - Aggregate your personal data from multiple accounts
ZKPs and "Programmable Cryptography"
Historically, cryptographic protocols have been built special-purpose for specific kinds of claims or information hiding mechanisms. zkSNARKs and other new cryptographic tools move us to a world of "general-purpose" cryptography, where we have expressive languages to express claims about digital identity, reputation, and more. We discuss a high-level framework for thinking about where and why ZK and related technologies might (or might not) be useful for digital applications.
Zkitter - Anonymous Social Network
A brief overview of Zkitter, an anonymous social network built using ZK technology. Learn how you can start posting and chatting anonymously while using your real life reputation.