
A Zero-Knowledge Proof: Improving Privacy on a Blockchain

2,025 views

Published on

These slides explore how zero-knowledge proof enables blockchain transactions to be verified, while maintaining user anonymity.

Published in: Technology

  1. A Zero-Knowledge Proof: Improving Privacy on a Blockchain. Dmitry Lavrenov, Senior Blockchain R&D Engineer, ALTOROS (@altoros)
  2. The situation: you need to prove your identity, and you only have your driver's license. [Slide shows a driver license: First Name: Dmitry, Last Name: Lavrenov, Date of Birth: 21.08.1995, City: Minsk]
  3. Wouldn't it be better to have an option that hides your private information but still keeps the driver's license valid? [The same driver license is shown again]
  4. Zero-Knowledge Proof can help.
  5. Zero-knowledge proof, 01: What is it? A cryptographic protocol.
  6. Zero-knowledge proof, 02: Participants? The Prover and the Verifier.
  7. Zero-knowledge proof, 03: Goal? The Prover has a secret value X. The goal is to prove this to the Verifier without revealing any information about X.
  8. ZKP conditions: Completeness. If the statement is true, then the honest verifier (the one that follows the protocol properly) will be convinced of this fact by an honest prover.
  9. ZKP conditions: Soundness. If the statement is false, then no cheating prover can convince the honest verifier that it is true, except with some small probability.
  10. ZKP conditions: Zero knowledge. If the statement is true, then no verifier learns anything except the fact that the statement is true.
  11. ZKP: a zero-knowledge proof is probabilistic rather than deterministic.
  12. The general structure of a ZKP: witness, challenge, response.
  13. The general structure of a ZKP: Witness. [Diagram: P and V, with a set of Questions] 01 choose a question; 02 calculate a proof; 03 send the proof to V.
  14. The general structure of a ZKP: Challenge. [Diagram: P and V, with the set of Questions] 01 V chooses a question; 02 V asks P: "Please give the answer for the question".
  15. The general structure of a ZKP: Response. [Diagram] P sends the answer for the question to V.
  16. Ali Baba cave example: Peggy acts as the Prover, Victor acts as the Verifier.
  17. Ali Baba cave example. [Figure: the cave with two paths, A and B]
  18. Ali Baba cave example. [Figure: the cave with paths A and B; path A is called out]
  19. Ali Baba cave example. [Figure: result "Ok"]
  20. A non-interactive ZKP. Note that interaction between users is required for a general ZKP. What can be done if interaction between users is not an option?
  21. The general structure of a non-interactive ZKP. [Diagram: P, a "Make a proof" function, a "Check a proof" function, V] 01 P sends confidential info to the "Make a proof" function; 02 P gets the proof; 03 P sends the proof to V; 04 V checks the proof with the "Check a proof" function; 05 V gets the result.
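An added example, not part of the slides, that makes the witness/challenge/response structure of slides 12-15 and the "make a proof" / "check a proof" variant of slides 20-21 concrete. It uses Schnorr's protocol for knowledge of a discrete logarithm as the instance (the slides do not name a specific protocol) and the Fiat-Shamir hash to remove the verifier's interaction; the group parameters are a constructed toy.

```python
import hashlib
import secrets

# Constructed toy group (not from the slides and far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Secret x is the witness; y = g^x mod p is the public statement."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# Interactive form: witness, challenge, response (slides 12-15)
def prover_commit():
    """Witness step: pick a random r and commit to it as t = g^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def prover_respond(x, r, c):
    """Response step: s = r + c*x mod q; the uniform r masks x, so nothing leaks."""
    return (r + c * x) % Q

def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c mod p, which needs s to be built from the real x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_interactive(x, y, rounds=20):
    """A cheating prover passes one round with probability ~1/q; repeating shrinks it."""
    for _ in range(rounds):
        r, t = prover_commit()
        c = secrets.randbelow(Q)  # challenge step: V picks a value P could not predict
        if not verifier_check(y, t, c, prover_respond(x, r, c)):
            return False
    return True

# Non-interactive form: "make a proof" / "check a proof" functions (slides 20-21)
def fiat_shamir_challenge(y, t, msg):
    """Derive the challenge from a hash of the transcript instead of asking V."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q

def make_proof(x, y, msg):
    r, t = prover_commit()
    return t, prover_respond(x, r, fiat_shamir_challenge(y, t, msg))

def check_proof(y, proof, msg):
    t, s = proof
    return verifier_check(y, t, fiat_shamir_challenge(y, t, msg), s)
```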
  22. zk-SNARK: Zero-knowledge succinct non-interactive argument of knowledge.
  23. zk-SNARK: Succinct. The size of the proof is small enough to be verified in a few milliseconds.
  24. zk-SNARK: Non-interactive. Only one set of information is sent to the verifier for verification, therefore there is no back-and-forth communication between the prover and the verifier.
  25. zk-SNARK: Argument of knowledge. A computationally sound proof: soundness holds against a prover that leverages polynomial-time, i.e. bounded, computation.
  26. Where can ZKP be applied? Authentication systems, ethical behaviour, confidentiality, checking personal information, anonymity.
  27. Zcash (zk-SNARK-based). Bitcoin vs Zcash. Bitcoin transactions are fully transparent: everyone can use a Bitcoin block explorer to check a transaction that has been sent from one BTC address to another BTC address. Zcash transactions can be private only if the user chooses a z-address; a special view key can provide selective transparency. [Figure: Bitcoin: 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF sends 5 BTC to 1JCe8z4jJVNXSjohjM4i9Hh813dLCNx2Sy, "nothing to see here". Zcash: sender's address unknown, ??? ZEC (unknown amount, "shielded ZEC"), recipient's address unknown]
  28. Zcash. Bitcoin, UTXO: Bitcoin tracks UTXOs to determine what transactions are spendable and validates them. BUT: all UTXO information is open and public.
  29. Zcash. [Diagram: two lists, Commitments (Com_1, Com_2, Com_3, Com_4) and Nullifiers (Nul_1, Nul_2, Nul_3, Nul_4)]
  30. Zcash. Commitment = Hash function(recipient address, amount, rho, r)
  31. Zcash. Nullifier = Hash function(spending key, rho)
  32. Zcash: the sum of the input values is equal to the sum of the output values for each shielded transfer; the sender proves that they have the private spending keys of the input notes, giving them the authority to spend.
  33. Zcash: the private spending keys of the input notes are cryptographically linked to a signature over the whole transaction; for each input note, a revealed commitment exists.
  34. Zcash: the nullifiers and note commitments are computed correctly; it is infeasible for the nullifier of an output note to collide with the nullifier of any other note.
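An added illustration, not from the slides or from Zcash's own code, that models the commitment and nullifier lists of slides 29-34 and checks in the clear what a shielded transfer has to satisfy (value balance, knowledge of the spending key, an existing commitment per input, no reused nullifier). The hash functions, the address derivation from the spending key and the tuple layouts are constructed simplifications; the real system proves these facts inside a zk-SNARK instead of revealing the inputs to the ledger.

```python
import hashlib
import secrets

def h(tag, *parts):
    """Domain-separated SHA-256 (constructed stand-in for Zcash's real hash functions)."""
    m = hashlib.sha256(tag.encode())
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        m.update(len(b).to_bytes(2, "big") + b)
    return m.hexdigest()

def address(spending_key):
    """Simplification: the recipient (payment) address is derived from the spending key."""
    return h("addr", spending_key)

def note_commitment(recipient, amount, rho, r):
    return h("cm", recipient, amount, rho, r)

def nullifier(spending_key, rho):
    return h("nf", spending_key, rho)

class ShieldedPool:
    """The ledger keeps only two lists: commitments of notes created, nullifiers of notes spent."""
    def __init__(self):
        self.commitments = set()
        self.nullifiers = set()

    def mint(self, recipient, amount):
        """Create a note; the ledger records only its commitment, the recipient keeps the note."""
        note = (recipient, amount, secrets.token_hex(16), secrets.token_hex(16))
        self.commitments.add(note_commitment(*note))
        return note

    def transfer(self, inputs, outputs):
        """inputs: (spending_key, recipient, amount, rho, r); outputs: (recipient, amount)."""
        if sum(n[2] for n in inputs) != sum(a for _, a in outputs):
            return None                                  # value balance violated
        new_nfs = []
        for sk, recipient, amount, rho, r in inputs:
            if recipient != address(sk):
                return None                              # spender lacks the spending key
            if note_commitment(recipient, amount, rho, r) not in self.commitments:
                return None                              # no revealed commitment for this input
            nf = nullifier(sk, rho)
            if nf in self.nullifiers or nf in new_nfs:
                return None                              # note already spent (double spend)
            new_nfs.append(nf)
        new_notes = [self.mint(recipient, amount) for recipient, amount in outputs]
        self.nullifiers.update(new_nfs)
        return new_notes
```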
  35. Ethereum: a zk-SNARK-based solution can potentially increase transaction processing to 500 tx/sec; transaction cost is about 600,000 gas; the goal is to reduce the total transaction cost.
  36. Ethereum: AZTEC protocol. A zk-SNARK-based solution on the smart-contract level in Ethereum; a confidential Transfer function; transaction cost is between 800,000 and 900,000 gas (a simple transaction costs about 21,000 gas).
  37. Identity Mixer (Idemix): a ZKP-based cryptographic protocol, based on the Camenisch-Lysyanskaya signature scheme, with flexible public keys and flexible credentials.
  38. Idemix and Hyperledger Fabric. [Diagram: the Identity Mixer crypto package (KeyGen, Issuance, Presentation, Verification, Revocation, Audit) is used by the Identity Mixer MSP implementation on the peer (Sign/Verify; Sign/Verify Transaction through the MSP interface) and by the Fabric-CA implementation (Enroll/Register/Revoke; Issue/Revoke ECert)]
  39. Idemix and Hyperledger Indy: Indy-anoncreds, ZKP based on the Idemix protocol.
  40. Idemix and Hyperledger Indy, 01: Create master key. [Sequence diagram with participants Issuer, Issuer's wallet, Prover, Prover's wallet, Verifier, Ledger] Steps: create master key; store master key.
  41. Idemix and Hyperledger Indy, 02: Create, request and issue credentials. [Same participants] Steps: get master secret; return master secret; send credential offer; send signed credential request; send credential; store credential.
  42. Idemix and Hyperledger Indy, 03: Present credential to a 3rd party. [Same participants] Steps: send proof request; create proof; return proof; send proof; verify proof.
  43. Idemix implementation in Go.
      ```go
      // Attribute names and the corresponding 32-byte attribute values of the credential.
      AttributeNames := []string{"First Name", "Last Name", "Age", "City"}
      data := []string{"Dmitry00000000000000000000000000", "Lavrenov000000000000000000000000", "23000000000000000000000000000000", "Minsk000000000000000000000000000"}
      ```
  44. Idemix implementation in Go.
      ```go
      // 1. The prover creates keys and a credential request to the issuer.
      sk := idemix.RandModOrder(rng)
      ni := idemix.RandModOrder(rng)
      m := idemix.NewCredRequest(sk, idemix.BigToBytes(ni), key.Ipk, rng)
      ```
  45. Idemix implementation in Go.
      ```go
      // 2. The issuer creates credentials for the prover.
      cred, err := idemix.NewCredential(key, m, attrs, rng)
      ```
  46. Idemix implementation in Go.
      ```go
      // 3. The prover signs with the credential without disclosing Age and City.
      disclosure = []byte{1, 1, 0, 0}
      sig, err = idemix.NewSignature(cred, sk, Nym, RandNym, key.Ipk, disclosure, msg, rhindex, cri, rng)
      // The verifier's copy of the undisclosed attributes holds placeholder values only.
      attrs[2] = FP256BN.NewBIGint(0)
      attrs[3] = FP256BN.NewBIGint(1)
      ```
  47. Idemix implementation in Go.
      ```go
      // 4. The verifier checks the signature using the issuer's public key.
      err = sig.Ver(disclosure, key.Ipk, msg, attrs, rhindex, &revocationKey.PublicKey, epoch)
      ```
  48. Thank you! @altoros (website, blog)
