# ZKP Workshop Real World Examples

This technology has proved useful in providing

1. Privacy
2. Scalability - proofs of computation can be used to show that the result of a (costly) computation is correct without having to repeat the computation.

### Privacy

1. Tokens such as ZCash, a cryptocurrency using zkSNARKs.
   A typical cryptocurrency such as Bitcoin uses transactions that are visible, and hence verifiable, by participants in the system. This provides transparency, but it also means that anyone can learn the accounts that are sending and receiving the currency, and the amount transferred.
   In ZCash it is possible to have shielded transactions, where although the transaction can be verified as correct, no information is given about the sender, receiver or amount transferred.
2. Age range verification
3. KYC
4. Electronic voting
5. Electronic Auctions
6. Board membership using ZKSM (zero-knowledge set membership) and ring signatures
7. AML - FATF can produce whitelists and blacklists that are verified with ZKSM

### Scalability

The Coda protocol uses zero knowledge proofs to create a more scalable blockchain.
In their own words: 'Coda is the first cryptocurrency protocol with a succinct blockchain'.
We are used to blockchains growing in size to the point where, for an ordinary user, running a node is impractical.

### ZCash in more detail

We have a Merkle tree of note commitments.

* These follow a similar principle to the UTXO model used in Bitcoin.
* A note commitment is a Pedersen hash of a value and an owner.
* Notes are only additive: spending a note does not remove its commitment from the tree; marking it as spent is the role of the nullifier.
* Miners update their copy of the Merkle tree based upon incoming transactions.

#### Nullifier

A set of serial numbers that prevents spent notes from being spent again.

https://electriccoin.co/blog/zcash-private-transactions/

#### Transactions

Each transaction has a list of Spend Descriptions and Output Descriptions.

* Output Descriptions create new notes.
  * Only the sender's outgoing viewing key and the recipient's incoming viewing key can decrypt the note.
  * Only the recipient can spend it.
* Spend Descriptions spend existing notes. The spender proves in zero knowledge that:
  * The note exists.
  * The spender owns the note.
  * The note has not been spent before, by computing a nullifier unique to that note and checking it against the nullifier set.
* Which note was spent is not revealed.
* Neither the sender, the recipient, nor the amount is revealed.
* The nullifier is unique to each note and is revealed when the note is spent.

The transaction is also checked to balance (the value spent equals the value created), which is achieved with Pedersen commitments and blinding factors.
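The note, commitment tree and nullifier mechanics described above, as an added simulation that is not part of the workshop notes or of the Zcash code base. It replaces the Pedersen hash with SHA-256, uses a 16-leaf tree, and checks the three spend statements in the clear rather than in zero knowledge; `Note`, `Ledger`, the `spend_key` secret and all sample values are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

DEPTH = 4  # toy tree: 2**4 = 16 leaves


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the parts (stands in for Zcash's Pedersen hash)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


@dataclass(frozen=True)
class Note:
    value: int
    spend_key: bytes  # hypothetical owner secret; its hash acts as the owner's address
    rho: bytes        # per-note randomness: makes both commitment and nullifier unique

    def commitment(self) -> bytes:
        # What goes into the public Merkle tree; reveals nothing about value or owner.
        return H(b"cm", self.value.to_bytes(8, "big"), H(b"addr", self.spend_key), self.rho)

    def nullifier(self) -> bytes:
        # Derivable only by the key holder; published when the note is spent.
        return H(b"nf", self.spend_key, self.rho)


class CommitmentTree:
    """Append-only Merkle tree of note commitments; spending never removes a leaf."""

    def __init__(self) -> None:
        self.leaves: list[bytes] = []

    def append(self, cm: bytes) -> int:
        self.leaves.append(cm)
        return len(self.leaves) - 1

    def _layers(self) -> list[list[bytes]]:
        layer = self.leaves + [bytes(32)] * (2 ** DEPTH - len(self.leaves))
        layers = [layer]
        for _ in range(DEPTH):
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            layers.append(layer)
        return layers

    def root(self) -> bytes:
        return self._layers()[-1][0]

    def path(self, index: int) -> list[tuple[bytes, bool]]:
        """Sibling hashes from leaf to root, each tagged with whether our node is the right child."""
        layers, path = self._layers(), []
        for depth in range(DEPTH):
            path.append((layers[depth][index ^ 1], bool(index & 1)))
            index >>= 1
        return path


def verify_path(leaf: bytes, path: list[tuple[bytes, bool]], root: bytes) -> bool:
    node = leaf
    for sibling, we_are_right in path:
        node = H(sibling, node) if we_are_right else H(node, sibling)
    return node == root


class Ledger:
    """Public state a miner keeps: the commitment tree and the nullifier set."""

    def __init__(self) -> None:
        self.tree = CommitmentTree()
        self.nullifiers: set[bytes] = set()

    def output(self, note: Note) -> int:
        """Output Description: add a new note commitment to the tree."""
        return self.tree.append(note.commitment())

    def spend(self, note: Note, path: list[tuple[bytes, bool]]) -> str:
        """Spend Description. In Zcash the checks below are statements proven in zero
        knowledge and the verifier sees only the tree root and the nullifier; this
        simulation is handed the note opening and checks the statements directly."""
        # Existence: the commitment is a leaf of the current tree. Ownership is implied,
        # because the commitment can only be recomputed by whoever holds spend_key.
        if not verify_path(note.commitment(), path, self.tree.root()):
            return "rejected: note not in tree"
        nf = note.nullifier()
        if nf in self.nullifiers:
            return "rejected: double spend"  # nullifier already revealed
        self.nullifiers.add(nf)              # the note is now dead; its leaf stays
        return "accepted"


def demo() -> tuple[str, str, str]:
    ledger = Ledger()
    alice = Note(value=5, spend_key=b"alice-secret-key", rho=b"\x01" * 32)  # constructed
    idx = ledger.output(alice)
    first = ledger.spend(alice, ledger.tree.path(idx))
    second = ledger.spend(alice, ledger.tree.path(idx))   # same nullifier again
    forged = Note(value=500, spend_key=b"alice-secret-key", rho=b"\x02" * 32)
    third = ledger.spend(forged, ledger.tree.path(idx))   # never committed to the tree
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The nullifier set is the only thing that grows when notes are spent; the tree itself is append-only, which is exactly why an observer cannot tell which leaf a given spend consumed.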

### ID Schemes

An Identity Escrow scheme allows users to identify themselves as members of a group with zero knowledge.

See Camenisch and Lysyanskaya for identity schemes using accumulators to prove set membership and non-membership.

### Qedit - DLT + ZKP solution, proofs verify correctness of asset transactions.

* Commitments and verified computation are used
* They also have an identity layer and an SDK
* They have built supply chains for diamonds and for cigars
* White Paper

### Aztec

The AZTEC protocol can enable confidential transactions for any generic digital asset on Ethereum, including existing assets.
Aztec Documentation
Aztec Slides
Aztec is built around range proofs. In the field underlying an elliptic curve, a negative number is in fact a very large positive number (it wraps around the modulus), so a range proof is used to ensure that every value lies within a usable range and to prevent double spend attacks that exploit that wrap-around.
Aztec follows a UTXO model, tracking the state of 'Notes'.
Aztec provides a number of proofs with financial semantics that can be used to prove the validity of financial assets. These include:

* Join Split
* Mint
* Burn
* Dividend proof
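The balance check from the ZCash section and the wrap-around problem that Aztec's range proofs address, as one added example that is not part of the workshop notes or of either project's code. It uses toy Pedersen commitments over a small multiplicative group (p = 1019, q = 509, deliberately insecure constructed parameters; real systems use an elliptic curve with a second generator whose discrete log is unknown) and checks the range from the visible openings instead of proving it in zero knowledge; the 6-bit value bound is an assumption of the example.

```python
# Toy group: P = 2Q + 1 with Q prime; quadratic residues form the order-Q subgroup.
P = 1019
Q = 509
G = pow(2, 2, P)   # 4: a quadratic residue, hence of prime order Q
HGEN = pow(3, 2, P)  # 9: likewise (a real deployment derives this by hash-to-group)
RANGE_BITS = 6     # assumed bound: a valid note value satisfies 0 <= v < 2**RANGE_BITS << Q


def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C(v, r) = G^v * HGEN^r mod P.
    Exponents live in Z_Q, so a 'negative' value v wraps to Q - |v|: that is the
    'very large positive number' the range proof has to rule out."""
    return pow(G, value % Q, P) * pow(HGEN, blinding % Q, P) % P


def product(commitments) -> int:
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def balances(inputs, outputs) -> bool:
    """Homomorphic balance check on commitments only: the products agree exactly when the
    value sums agree modulo Q and the blinding sums agree (this toy requires the spender
    to choose blindings that sum equally; real protocols bind the difference differently)."""
    return product(commit(v, r) for v, r in inputs) == product(commit(v, r) for v, r in outputs)


def in_range(value: int) -> bool:
    """What a range proof establishes in zero knowledge: the committed value is small and
    non-negative. A wrapped negative lands near Q and fails."""
    return 0 <= value % Q < 2 ** RANGE_BITS


def validate(inputs, outputs) -> tuple[bool, bool]:
    """Returns (balance_ok, range_ok) for lists of (value, blinding) note openings."""
    return balances(inputs, outputs), all(in_range(v) for v, _ in inputs + outputs)


def demo() -> dict[str, tuple[bool, bool]]:
    # Constructed cases. Each spends one 10-unit note with blinding 5.
    return {
        # honest split 10 -> 7 + 3
        "honest": validate([(10, 5)], [(7, 3), (3, 2)]),
        # 10 -> 20 + (-10): the commitments still balance because -10 wraps to Q - 10,
        # so without the range check the ledger would accept 20 units created from 10
        "wraparound": validate([(10, 5)], [(20, 3), (-10, 2)]),
        # 10 -> 7 + 4: values are in range but do not balance
        "inflation": validate([(10, 5)], [(7, 3), (4, 2)]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} balance_ok={result[0]} range_ok={result[1]}")
```

The `wraparound` case is the one to remember: the commitment arithmetic is perfectly consistent, so the balance check alone is not a defence; only the range constraint (proven in zero knowledge in Aztec, ZCash and Monero's Bulletproofs) closes the gap.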

Using normal Ethereum addresses, the transaction graph of AZTEC is not anonymous. However, anonymous transactions are possible. The protocol is forward compatible with stealth addresses and, as AZTEC does not mandate that the transaction sender be a party in the transaction, the transaction graph can be hidden.
Combining stealth addresses with a trusted party that relays transactions (and so hides who pays the gas) achieves full anonymity. Future updates to the protocol will allow the relay of transactions whilst obscuring the payment of gas in a decentralised manner. At that point fully private transactions will be possible.

Their work has prompted the Ethereum Standard for Confidential Tokens : https://github.com/ethereum/EIPs/issues/1724

### ZETH

An alternative ZKP implementation on Ethereum - ZETH
ZCash on Ethereum: Paper

### Enigma - Decentralised Computation platform with proven privacy

* Overview
* Based on MPC using secret sharing schemes
* Enigma connects to blockchains to offload private and intensive computation to an off-chain network
* Code executed on Enigma ensures privacy and correctness; it uses TEEs

### Mimblewimble

MimbleWimble is a blockchain format and protocol that provides extremely good scalability, privacy and fungibility by relying on strong cryptographic primitives. It addresses gaps existing in almost all current blockchain implementations.

Grin is an open source software project that implements a MimbleWimble blockchain and fills the gaps required for a full blockchain and cryptocurrency deployment.

Documentation

### Monero

* Uses Bulletproofs

### Recent improvements to ZKSNARKS

Universal and updateable common reference strings:

* Sonic
* Plonk

### Distributed Zero Knowledge Proofs - DIZK

[Paper](https://eprint.iacr.org/2018/691.pdf)
* Distributed generation of proofs
* DIZK scales to computations of up to billions of logical gates (100× larger than prior art) at a cost of 10 μs per gate

* The setup and the prover in DIZK are distributed jobs on a cluster; $F$, $pk_F$ (proving key), and $w$ (witness) are stored as data structures distributed across multiple machines. The verifier remains unchanged from the vanilla protocol as it is inexpensive, enabling DIZK's proofs to be verified by existing implementations of the verifier. The underlying zkSNARK protocol that they implement is due to Groth16.

* Lag is a variant of Lagrange interpolation for polynomial evaluation.

* fixMSM - Fixed-base multi-scalar multiplication

* varMSM - Variable-base multi-scalar multiplication

### Zero Knowledge Database queries

zkvSQL - a zero knowledge version of vSQL: verifying SQL queries on outsourced databases

### Jana - Private Data as a Service via MPC

Private Data as a Service