MGT411: DeFi

Privacy in blockchains

Topic:

Concern: Privacy/Secrecy

  • An intrinsic feature of public blockchains is that information is stored under public addresses.
  • The logic of smart contracts is visible to all.
  • => firms have a need for secrecy; individuals have a right to privacy.

Root problem

Solutions

  • large numbers of wallets/addresses
  • coinjoin
  • ring signatures
  • zero knowledge proofs


Zero Knowledge Proof: The Schnorr Identification Protocol

  • \(p\) any prime number.
  • \(q\) factor of \(p-1\).
  • \(a\) an integer such that \(a^q = 1 \text{ mod } p\).
  • Now we need a public key \(v\) and a secret \(s\)
    • \(\to\) \(s\) any integer such that \(0<s<q\)
    • \(\to\) \(v=a^{-s} \text{ mod } q\)
  • Note: if need be, adjust \(q\) for whatever \(s\) you want.
  • \(p,q,a,v\) are public knowledge.
  • \(M\) is a message.
  • We'll ignore the \(\text{mod}\) part :-) in much of the math
  • The sender wants to sign the message but not reveal the public key \(v\)
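The protocol the slide sets up, carried through to the three-message exchange and to a Fiat-Shamir signature on \(M\), as an added example that is not part of the original deck. It uses constructed toy parameters \(p=23, q=11, a=2\); following Schnorr's paper, group elements (including \(v\)) are reduced mod \(p\) and exponents mod \(q\), and the verifier's check \(a^y v^e = x \bmod p\) is what lets it accept without ever learning \(s\).

```python
import hashlib
import secrets

# Toy Schnorr parameters, constructed for illustration only (far too small
# for real use). p prime, q a prime factor of p-1, a of order q (a^q = 1 mod p).
P, Q, A = 23, 11, 2          # 22 = 2*11; 2^11 mod 23 == 1

def keygen():
    """Prover picks secret s with 0 < s < q; public key v = a^(-s) mod p."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(A, -s, P)   # negative exponent: modular inverse of a^s

def prover_commit():
    """Round 1: prover picks a fresh random r (0 < r < q), sends x = a^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(A, r, P)

def verifier_challenge(t=8):
    """Round 2: verifier sends a random t-bit challenge e."""
    return secrets.randbelow(1 << t)

def prover_respond(s, r, e):
    """Round 3: prover answers y = r + s*e mod q; fresh r masks s."""
    return (r + s * e) % Q

def verifier_check(v, x, e, y):
    """Accept iff a^y * v^e == x (mod p), since a^(r+se) * a^(-se) = a^r."""
    return (pow(A, y, P) * pow(v, e, P)) % P == x

def identify(s, v, t=8):
    """One interactive run; someone without s passes with probability 2^-t."""
    r, x = prover_commit()
    e = verifier_challenge(t)
    return verifier_check(v, x, e, prover_respond(s, r, e))

def challenge_hash(x, message, t=8):
    """Fiat-Shamir: derive the challenge from the commitment and the message."""
    h = hashlib.sha256(x.to_bytes(4, "big") + message).digest()
    return int.from_bytes(h, "big") % (1 << t)

def sign(message, s):
    """Non-interactive variant: the signer plays both sides, e = H(x || M)."""
    r, x = prover_commit()
    return x, prover_respond(s, r, challenge_hash(x, message))

def verify(message, v, sig):
    """Anyone holding v can check the signature; s is never transmitted."""
    x, y = sig
    return verifier_check(v, x, challenge_hash(x, message), y)
```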

To clarify:
Private blockchain \(\not=\) privacy!

Concern: Privacy/Secrecy

Large number of addresses

  • Creating an Ethereum address is free.
  • A bit like what large funds do when they split trades across many brokers
    • \(\to\) hide true intentions for fear of front-running
  • Using an address is not free (each transaction costs fees), and actions may still be detectable.

Coin-Join

  • Note: some tricks like coinjoin aren't enough.
  • See: "When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies" by Goldfeder, Kalodner, Reisman, Narayanan

Concern: Privacy/Secrecy

Zero Knowledge Proof

  • Basic feature of blockchain:
    • public-private key signatures to prove ownership
    • Why? The concern is that the signatory may be fraudulent
  • Idea of Zero knowledge:
    • the verifier may be fraudulent
    • reveal that you are the owner of information without revealing the information
    • essentially, send a verifiable signature without sending the public key \(\to\) without revealing your blockchain identity

Zero Knowledge Proof

Processing a transaction is equivalent to validating two statements:

  1. the transaction signature is compatible with the respective public-key;
  2. there is a sufficient balance associated with the public-key wallet to enable this transaction.

  • Validation can be done between two parties, who need to run computations (this takes tens of seconds)
  • "Proof" here is a probabilistic statement, not a mathematical proof of a definitive truth

Example: showing that you know something without revealing what that something is

http://mathoverflow.net/questions/22624/example-of-a-good-zero-knowledge-proof

  • Imagine your friend is color-blind.
  • You have two billiard balls; one is red, one is green, but they are otherwise identical.
  • To your friend, they seem completely identical, and he is skeptical that they are actually distinguishable. You want to prove to him that they are in fact differently-colored. On the other hand, you do not want him to learn which is red and which is green.

Example: I know "something"

http://mathoverflow.net/questions/22624/example-of-a-good-zero-knowledge-proof

  • You give the two balls to your friend so that he is holding one in each hand.
  • You can see the balls at this point, but you don't tell him which is which.
  • Your friend then puts both hands behind his back. Next, he either switches the balls between his hands, or leaves them be, with probability 1/2 each.
  • Finally, he brings them out from behind his back. You now have to "guess" whether or not he switched the balls.
  • I won't go into the maths here.
  • Cryptographic signatures have a flavor of ZK: you can prove that you signed without having to show the key you signed with

Problem: This is not fit for "mainnet" action!

  • occurrence of the transaction is still visible
  • on Ethereum, consumes a lot of "gas"
    1. ZK-SNARK = 1,800,000 gas
    2. transaction = 21,000 gas
    3. $0.20 transaction fee => $17 for ZKs
    4. $1.5 (current median tx fee) => $130 for ZK
  • Can be used with a "central" verifier on a side-channel
  • (why? \(\to\) back-and-forth between two parties only)
  • \(\to\) currently used this way by zkSync

Blockchain privacy (MBA)

By Andreas Park

This deck covers the basics of privacy on blockchains, including zero-knowledge proofs.