Zcash enhances Bitcoin's decentralization by adding privacy through shielded transactions that conceal sender, receiver, and amounts while maintaining transaction validity. The process involves using zk-SNARKs and homomorphic hidings to prove ownership without revealing confidential data.
A very brief description of how Zcash private transactions work
Ariel Gabizon
Zcash adds privacy to Bitcoin's decentralization. Shielded (private) transactions reveal no information about sender, receiver, or amount, yet miners can still distinguish between valid and non-valid transactions!
Recall Bitcoin's set of unspent transaction outputs: (PK1, 2.3 BTC), (PK2, 0.4 BTC), ... To spend money, Alice signs a message with the secret key corresponding to a public address in an output: "Move my BTC from PK1 to PK4" (signed by sk1).
For simplicity, assume each output/note is exactly 1 BTC. Each node stores: (table of notes shown on the slide)
Now think of each note as containing a randomly picked "serial number" $r_i$.
For privacy, the node database will only contain hashes of the notes.
For privacy, the node will continue to store $H_i$ even after $\mathrm{Note}_i$ has been spent. The node also stores a nullifier set that contains the hashes of all serial numbers of notes previously spent. (Figure: nullifier set after $\mathrm{Note}_2$ has been spent.)
To spend a note, Alice sends a zk-SNARK proving she knows the secret key of a note such that:
- its hash is in the table
- the hash of its serial number is not in the nullifier set
(Figure: nullifier set after $\mathrm{Note}_2$ has been spent.)
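A constructed Python model of the node state described on these slides, added here and not part of the talk: a table of note hashes that never shrinks, a nullifier set, and the two spend-time checks. The zk-SNARK itself is not implemented; the spender reveals the note so the node can run both checks in the clear, which models the bookkeeping and the double-spend rule but not the privacy. The hash function (SHA-256), the note encoding and the placeholder keys are assumptions of this example.

```python
import hashlib
import os

# Constructed toy model of the node's tables.  The zk-SNARK is NOT implemented: spend()
# receives the note in the clear and performs the two checks the proof would establish
# (note hash is in the table, hash of the serial is not in the nullifier set).
# SHA-256 and the "note|pk|serial" encoding are this example's assumptions, not Zcash's.

def note_hash(owner_pk: bytes, serial: bytes) -> bytes:
    """H_i: the only thing the node stores about a note."""
    return hashlib.sha256(b"note|" + owner_pk + b"|" + serial).digest()

def nullifier(serial: bytes) -> bytes:
    """Hash of the serial number r_i; published when the note is spent."""
    return hashlib.sha256(b"nf|" + serial).digest()

class Node:
    def __init__(self):
        self.note_hashes = set()   # H_i for every note ever created; never shrinks
        self.nullifiers = set()    # hash(r_i) for every note already spent

    def add_note(self, owner_pk: bytes, serial: bytes) -> bytes:
        h = note_hash(owner_pk, serial)
        self.note_hashes.add(h)
        return h

    def spend(self, owner_pk: bytes, serial: bytes) -> bool:
        """Stand-in for verifying the spender's proof; True if the spend is accepted."""
        if note_hash(owner_pk, serial) not in self.note_hashes:
            return False                  # no such note was ever created
        nf = nullifier(serial)
        if nf in self.nullifiers:
            return False                  # double spend: this serial was nullified before
        self.nullifiers.add(nf)           # H_i stays in the table; only the nullifier is added
        return True

def demo():
    """Spend a note twice; returns (first accepted, second accepted, H_1 still stored)."""
    node = Node()
    pk_alice = b"PK_ALICE"                # constructed placeholder key
    r1, r2 = os.urandom(16), os.urandom(16)   # constructed random serial numbers
    h1 = node.add_note(pk_alice, r1)
    node.add_note(pk_alice, r2)
    first = node.spend(pk_alice, r1)
    second = node.spend(pk_alice, r1)
    return first, second, h1 in node.note_hashes
```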
zk-SNARKs (zero-knowledge Succinct Non-interactive Arguments of Knowledge): short proofs that let you prove possession of information, e.g. a secret key, without revealing that information. In 2013, "Quadratic Span Programs and Succinct NIZKs without PCPs" by Gennaro, Gentry, Parno and Raykova paved the way for efficient SNARK constructions.
Main ingredient: Homomorphic Hidings (HH). A mapping $E$ such that:
- given $E(x)$, it is hard to find $x$
- $x \neq y \Rightarrow E(x) \neq E(y)$
- from $E(x), E(y)$ one can compute $E(x+y)$ and $E(x \cdot y)$
(Over)simple zk-SNARK example using HH. Alice wants to prove to Bob she knows $a, b$ such that $a+b=7$.
1. She sends $E(a), E(b)$ to Bob.
2. Bob computes $E(7)$ and $E(a+b)$ using $E(a), E(b)$.
3. Bob checks that $E(7) = E(a+b)$.
How to construct HH? If you only need $E(x+y)$, use $x \mapsto g^x$ in a group with a hard DL problem. If you want both $E(x+y)$ and $E(x \cdot y)$, you need pairings in elliptic curve groups.
More detailed SNARK example, leading to QAPs
1. Want to prove we know $a, b$ with $a+b = 7 \bmod p$. Let $g$ be a generator of a group of order $p$ where DL is hard.
Prover: send $A = g^a$, $B = g^b$.
Verifier: check that $A \cdot B = g^{a+b} = g^7$.
2. Prove we know $a, b, c$ with $(a+b) \cdot c = 7 \bmod p$.
Need: bilinear pairings, a map $e: G \times G \to G_T$ such that $e(g^a, g^b) = g_T^{a \cdot b}$ (exists for some elliptic curve groups).
Prover: send $A = g^a$, $B = g^b$, $C = g^c$.
Verifier: check that $e(A \cdot B, C) = g_T^7$, since $e(A \cdot B, C) = e(g^{a+b}, g^c) = g_T^{(a+b)c}$.
3. Prove you know $a, b, c$ with $(a+b) \cdot b \cdot c = 7 \bmod p$.
(Figure: $(a+b) \cdot b \cdot c$ drawn as an arithmetic circuit with inputs $a, b, c$, one addition gate and two multiplication gates.) Label the multiplication gates $g_1, g_2$.
Label the wires in a certain way: $w_1, \dots, w_5$, with $w_5$ the output wire. What we want to prove is that we have a legal assignment to the wires with $w_5 = 7$.
Define degree 2 polys $A_1, \dots, A_5$: $A_i(j) = 1$ if $w_i$ is the left input of $g_j$, 0 otherwise; i.e. $A_1(2) = A_2(1) = 1$, otherwise $A_i(j) = 0$. The $B_i$'s and $C_i$'s are defined similarly for right input and output wires.
Define $A(X) := \sum_{i=1}^{5} w_i A_i(X)$, $B(X) := \sum_{i=1}^{5} w_i B_i(X)$, $C(X) := \sum_{i=1}^{5} w_i C_i(X)$. For example $A(1) = w_2$, $B(1) = w_3$, $C(1) = w_4$. We have that $w_1, \dots, w_5$ is a legal assignment iff $P(X) := A(X) \cdot B(X) - C(X)$ is divisible by $t(X) := (X-1)(X-2)$. If so, there exists $h(X)$ such that $P(X) \equiv t(X) \cdot h(X)$.
Idea: the verifier will check the equality at a random $s$ not known to the prover.
Verifier: choose random $s$, send $g^s, g^{s^2}, \dots, g^{s^d}$.
Prover: compute and send $A = g^{A(s)}$, $B = g^{B(s)}$, $C = g^{C(s)}$, $H = g^{h(s)}$.
Verifier: check that $e(A \cdot B, 1/C) = e(H, g^{t(s)})$.
This works since $e(A \cdot B, 1/C) = g_T^{A(s) \cdot B(s) - C(s)} = g_T^{P(s)}$ and $e(H, g^{t(s)}) = g_T^{h(s) \cdot t(s)} = g_T^{P(s)}$.
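The circuit-to-QAP construction of the last few slides, worked through as an added Python example (not code from the talk) over a small constructed field: it builds the $A_i, B_i, C_i$ by Lagrange interpolation over the gate indices, forms $P = A \cdot B - C$, tests divisibility by $t(X)$, and runs the verifier's identity $P(s) = h(s) \cdot t(s)$ at a chosen point $s$ in the clear, without the $g^s$ encoding or the pairing. Reading the figure as $g_1 = w_2 \cdot w_3 \to w_4$ and $g_2 = w_1 \cdot w_4 \to w_5$ (with $w_1 = a+b$ entering as a wire) and the modulus 101 are this example's assumptions.

```python
from functools import reduce
P = 101  # constructed small prime; real SNARKs use ~256-bit fields. Polys = coeff lists, low degree first.
def padd(f, g):
    n = max(len(f), len(g))
    return [((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % P for i in range(n)]
def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out
def pscale(f, k): return [(a * k) % P for a in f]
def peval(f, x): return sum(a * pow(x, i, P) for i, a in enumerate(f)) % P
def pdivmod(f, g):
    """Long division over GF(P); returns (quotient, remainder)."""
    f, q, inv = f[:], [0] * max(1, len(f) - len(g) + 1), pow(g[-1], P - 2, P)
    for i in range(len(f) - len(g), -1, -1):
        q[i] = c = f[i + len(g) - 1] * inv % P
        for j, b in enumerate(g):
            f[i + j] = (f[i + j] - c * b) % P
    return q, f
def lagrange_basis(j, m):
    """Polynomial equal to 1 at X=j and 0 at every other gate index in 1..m."""
    return reduce(pmul, (pscale([(-k) % P, 1], pow((j - k) % P, P - 2, P)) for k in range(1, m + 1) if k != j), [1])
def qap(gates, w):
    """gates = (left, right, out) 1-indexed wires of each multiplication gate g_j.  Returns the slide's
    A(X), B(X), C(X), P(X) = A*B - C and t(X) = prod_j (X - j) for the wire assignment w."""
    A, B, C = [[0]] * len(w), [[0]] * len(w), [[0]] * len(w)
    for j, (l, r, o) in enumerate(gates, 1):        # A_i(j) = 1 iff w_i is the left input of g_j, etc.
        L = lagrange_basis(j, len(gates))
        A[l - 1], B[r - 1], C[o - 1] = padd(A[l - 1], L), padd(B[r - 1], L), padd(C[o - 1], L)
    comb = lambda polys: reduce(padd, (pscale(p, wi) for wi, p in zip(w, polys)))   # sum_i w_i * poly_i
    Ax, Bx, Cx = comb(A), comb(B), comb(C)
    t = reduce(pmul, ([(-j) % P, 1] for j in range(1, len(gates) + 1)))
    return Ax, Bx, Cx, padd(pmul(Ax, Bx), pscale(Cx, P - 1)), t
def is_legal_assignment(gates, w):
    """Slide criterion: w is a legal wire assignment iff t(X) divides P(X) = A*B - C."""
    _, _, _, Px, t = qap(gates, w)
    return not any(pdivmod(Px, t)[1])
def verifier_spot_check(gates, w, s):
    """P(s) == h(s)*t(s) at the verifier's point s, done in the clear (no g^s, no pairing);
    a prover holding an illegal w can only hand over the division quotient as h."""
    Ax, Bx, Cx, Px, t = qap(gates, w)
    h = pdivmod(Px, t)[0]
    return (peval(Ax, s) * peval(Bx, s) - peval(Cx, s)) % P == peval(h, s) * peval(t, s) % P
# Slide circuit (a+b)*b*c read as g1 = w2*w3 -> w4 and g2 = w1*w4 -> w5 (right input of g2 is an
# assumption); w1 = a+b enters as a wire.  a=25, b=2, c=2: (a+b)*b*c = 108 = 7 mod 101.
GATES = [(2, 3, 4), (1, 4, 5)]
GOOD_W = [27, 2, 2, 4, 7]
BAD_W = [27, 2, 2, 4, 8]   # wrong output wire: P(2) != 0, so t(X) does not divide P(X)
```

With `BAD_W` the spot check still passes at $s = 1$, because the nonzero remainder $P - h \cdot t$ happens to vanish there; that is exactly why $s$ must be random and hidden from the prover.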
Zero-knowledge (ZK) proofs are to encryption/hashing as a dimmer is to a light switch: decide what and how much you want to reveal about the plaintext/hash preimage.
Example: Alice can use a ZK proof to prove she knows a SHA-2 preimage of $z$ whose most significant bit is 1 (and not reveal anything else about the preimage). (Figure: revealing the preimage "100" versus a ZK proof that reveals only "1XX".)
zk-SNARKs: ZK proofs with all the dream features
• Succinct: verification time is very quick, and the proof is very short (a few hundred bytes).
• Non-interactive: just one message from the Prover (requires a setup phase).
• Argument of Knowledge.
In 2013, "Quadratic Span Programs and Succinct NIZKs without PCPs" by Gennaro, Gentry, Parno and Raykova paved the way for efficient SNARK constructions.
A few minutes about how zk-SNARKs work. Ingredient one: convert what you want to prove into knowing a solution to some algebraic equations, e.g. "I know a SHA-2 preimage of $z$ with msb 1" → "I know $x, y$ such that $x^3 + y^5 = 2$".
Ingredient two: homomorphic encryption. Given encryptions $E(x), E(y)$ of $x, y$, one can obtain the encryption of any arithmetic expression in $x, y$, e.g. $E(x^3 + y^5)$.
Proving possession of $x, y$ satisfying $x^3 + y^5 = 2$ (without revealing $x, y$):
Prover: send $E(x), E(y)$.
Verifier: compute $E(x^3 + y^5)$ and $E(2)$, and check that they are equal.