This technology has proved useful in providing
The Coda protocol uses zero knowledge proofs to create a more scalable blockchain.
In their own words : 'Coda is the first cryptocurrency protocol with a succinct blockchain’
We are used to blockchains increasing in size to the point where for an ordinary user, running a node is impractical.
We have a merkle tree of commitment notes
These follow a similar principle to the UTXO model used in Bitcoin
The note is a pedersen hash of a value and an owner
Notes are only additive, spending notes does not remove them, that is the role of the nullifier
Miners update their copy of the merkle tree based upon incoming transactions
A set of serial numbers that disables spent notes from being spent again.
Each transaction has a list of Spend and Output Descriptions
Output Descriptions create new notes
Only sender’s outgoing view key and recipient’s incoming view key can decrypt
Only the recipient can spend
Spend Descriptions spend existing notes , the spender proves in zero knowledge that
* The note exists
* The spender owns the note
* The note has not been spent before, by computing a nullifier unique to that note and checking this against the nullifier set.
Which note was used is not revealed
Who the sender, recipient, or the amount is not revealed
The nullifier is unique to each note, and is revealed when spent
Balancing is also done to check the transaction, achieved with pedersen hashes and blinding
An Identity Escrow scheme allows users to identify themselves as members of a group with zero knowledge.
See Camenisch and Lysyanskaya for identity schemes using accumulators to prove set membership and non membership.
The AZTEC protocol can enable confidential transactions for any generic digital asset on Ethereum, including existing assets.
Aztec is built around range proofs - On an elliptic curve, a negative number is in fact a very large positive number and a range proof is used to ensure that any point is within a usable range and to prevent double spend attacks by wrapping around the modulo
Aztec follows a UTXO model, tracking the state of 'Notes’
Aztec provides a number of proofs with financial semantics that can be used to prove the validity of financial assets, these include :
Using normal Ethereum addresses the transaction graph of AZTEC is not anonymous. However anonymous transactions are possible. The protocol is forward compatible stealth addresses and as AZTEC does not mandate the transaction sender to be a party in the transaction, the transaction graph can be hidden.
Combining stealth addresses and a trusted party to relay transactions achieves full anonymity. Using a trusted third party hides the payment of gas and provides full anonymity. Future updates to the protocol will allow the relay of transactions whilst obscuring the payment of gas in a decentralised manor. At that point fully private transactions will be possible.
Their work has prompted the Ethereum Standard for Confidential Tokens : https://github.com/ethereum/EIPs/issues/1724
An alternative ZKP implelementstion on Ethereum - ZETH
ZCash on Ethereum : Paper
MimbleWimble is a blockchain format and protocol that provides extremely good scalability, privacy and fungibility by relying on strong cryptographic primitives. It addresses gaps existing in almost all current blockchain implementations.
Grin is an open source software project that implements a MimbleWimble blockchain and fills the gaps required for a full blockchain and cryptocurrency deployment.
* Distributed generation of proofs
* DIZK scales to computations of up to billions of logical gates (100×larger than prior art) at a cost of10μs per gate
The setup and the prover in DIZK are distributed jobs on a cluster; , (proving key), and (witness) are stored as data structures distributed across multiple machines. The verifier remains unchanged from the vanilla protocol as it is inexpensive, enabling DIZK’s proofs to be verified by existing implementations of the verifier. The underlying zkSNARK protocol that we implement is due to Groth16
Lag is a variant of lagrangian interpolation for polynomial evaluation.
fixMSM - Fixed-base multi-scalar multiplication
varMSM - Variable-base multi-scalar multiplication