Are Privacy Coins
Private Enough?
Clare Nelson, CISSP, CIPP/E
VP Business Development & Product Strategy,
North America
Sedicii
@Safe_SaaS
Another Reason to Care
about Zero-Knowledge Proofs
Texas Bitcoin Conference
Austin, TX
October 28, 2018
What are Privacy Coins?
Privacy Coins
https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf
Privacy for payments
Anonymity
• Hide identities of sender,
receiver
Confidentiality
• Hide amount transferred
Graphic: https://medium.com/@habs/is-the-future-of-cryptocurrency-the-use-of-privacy-coins-2fe4739a1ef2
How Achieve Privacy?
• Some privacy coins use Zero-
Knowledge Proofs
What are Zero-Knowledge Proofs?
Zero-Knowledge Proofs
One of the most powerful tools
cryptographers have ever
devised
https://z.cash/team.html
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
– Matthew Green
Professor at Johns Hopkins University
Co-founder of Zcash
Definition of Zero-Knowledge Proof
Enable a Prover to convince a
Verifier of the validity of a
statement
• Yields nothing beyond validity of
the statement
• Incorporates randomness
• Is probabilistic
o Does not provide absolute
certainty
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
http://www.austinmohr.com/work/files/zkp.pdf
Prover Verifier
Statement
ZKP Requirements
Completeness
• If statement is true, verifier will be
convinced by prover
Soundness
• If statement is false, a cheating prover
cannot convince verifier it is true
o Except with some small probability
Zero-Knowledge
• Verifier learns nothing beyond the
statement’s validity
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
http://www.austinmohr.com/work/files/zkp.pdf
http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html
Graphic: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker
ZKP Applications
Constructs
• Range proofs
• Set membership
• Comparison
• Computational integrity
Preserve
Privacy
Variety of Use Cases
• Secure computation
• Authentication with
anonymous credentials
• Transaction validation
Fundamental
Tool of
Cryptography
007 Wants to Read the News
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
I can tell you.
But then I’ll have to kill you.
www.telegraph.co.uk
Today’s news?
Who are you?
Do you have a subscription?
007 Uses Subscription
My subscription is
#4309115
www.telegraph.co.uk
Today’s news?
Who are you?
Do you have a subscription?
007 Reveals Personal Data:
- Zip code when he looks up the weather
- Date of birth when he reads his horoscope
- More data when he browses the personal ads
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
Completeness: Telegraph Accepts Proof
Here is a
Zero-Knowledge Proof
www.telegraph.co.uk
Today’s news?
Who are you?
Do you have a subscription?
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
Soundness
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: https://en.wikipedia.org/wiki/M_(James_Bond)
It’s Bond. James Bond.
www.telegraph.co.uk
Today’s news?
Rejected
Who are you?
Do you have a subscription?
(M fails because
she can’t prove to
Telegraph)
zk-STARK Example
(Ben-Sasson, Bentov, Horesh, Riabzev)
https://eprint.iacr.org/2018/046.pdf
National Offender DNA Database Presidential Candidate, Jaffa
Prove to public that Jaffa is not in offender database
Graphic: https://www.linkedin.com/in/jaffaedwards/, with permission May 25, 2018.
No reliance on any external trusted party
Examples of ZKP Variants
https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N
https://www.starkware.co/
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
https://eprint.iacr.org/2017/1066.pdf, Bulletproofs
https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch
• ZKP: Interactive, multiple messages, need stable communication channel
• NIZKP: Not interactive, one message
• zk-SNARK: Need one-time, trusted setup to generate key at launch
• zk-STARK: No setup, working on memory issues, I or NI, post-quantum secure
• Bulletproof: No setup, 188 bytes, not post-quantum secure
• Lattice-Based: Lattice-based cryptography, post-quantum secure, research
• Graph Isomorphism: Interactive, compare graphs, efficient computation
• zk-STIK: Scalable Transparent Interactive Oracle of Proof (IOP) of Knowledge
• Designated Verifier: DVNIZK, not just any entity can be verifier, verifier must know secret
• Ligero
• Aurora
Trusted Setup
https://z.cash/technology/paramgen
https://z.cash/blog/the-design-of-the-ceremony/
https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch
Multi-Party Computation (MPC)
Ceremonies
Zcash Sprout (2016)*
• 6 participants in the
ceremony
Zcash Sapling (2017-2018)
• 87 Participants
Generating zk-SNARK public parameters
• Keep public key
• Destroy private key shards
If attacker gets copy of private key
• Create counterfeit Zcash
• Not violate anyone else’s privacy
• Not steal other people’s Zcash
*October 28, 2016
Zcash and Monero
Zcash
https://z.cash/
Privacy is Optional
• Allow transactions to be
verified without revealing
o Sender
o Receiver
o Transaction amount
Graphic: https://briandcolwell.com/2017/08/zcash-stash-or-trash-if-bitcoin-is-http-for-money-then-zcash-is-https/.html
Monero
https://getmonero.org/2018/10/11/monero-0.13.0-released.html
https://www.reddit.com/r/Monero/comments/9lcdme/preliminary_information_thread_regarding_the/
Graphic: https://hackernoon.com/what-is-monero-an-in-depth-guide-5d43f1917178
Multiple mechanisms
• Stealth addresses
• Ring signatures
• Bulletproofs
o Replace Ring Confidential
Transactions
Private by Default
Monero
https://www.coindesk.com/monero-to-become-first-billion-dollar-crypto-to-implement-bulletproofs-tech/
https://twitter.com/monero, October 18, 2018
Bulletproofs
• Reduce transaction size ~80%
• Reduce fees
zk-SNARKs vs Bulletproofs
https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf
https://z.cash/technology/zksnarks/
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
| | zk-SNARKs | Bulletproofs |
|---|---|---|
| Transparent (no trusted setup required) | No | Yes |
| Proof Size | 288 bytes | 188 bytes |
| Verification time | Few milliseconds, depends | Little longer, depends |
| Seminal Paper | May 2014 | 2017 |
| Authors | Eli Ben-Sasson (Technion); Alessandro Chiesa (MIT); Eran Tromer (Tel Aviv); Madars Virza (MIT) | Benedikt Bünz (Stanford); Jonathan Bootle (U. College London); Dan Boneh (Stanford); Andrew Poelstra (Blockstream) |
| Post-Quantum Secure? | No | No |
Are Privacy Coins Private Enough?
ZEXE (Zero knowledge EXEcution)
https://eprint.iacr.org/2018/962.pdf, October 8, 2018
Ledger-Based System
• Supports offline computations
• Provides publicly-verifiable transactions that
attest to the correctness of these offline
executions
o Privacy
§ A transaction reveals no
information about the offline
computation
§ Except an upper bound on the
number of consumed inputs and
created outputs
Prior work achieves
data privacy but not
function privacy
Graphic: https://www.edie.net/news/4/Water-companies-losing-vast-amounts-through-leakage--as-drought-fears-rise/
ZEXE (Zero knowledge EXEcution)
https://eprint.iacr.org/2018/962.pdf, October 8, 2018
Ethereum supports thousands of
ERC-20 token contracts
• Each represents a distinct currency
• Even if these contracts adopted
Zerocash protocol to hide details
about token payments, the
corresponding transactions would
still reveal which token was being
exchanged
• Leakage of this information would
substantially reduce the anonymity
of those payments
Graphic: https://codeburst.io/build-your-first-ethereum-smart-contract-with-solidity-tutorial-94171d6b1c4b
@Safe_SaaS
Questions?
www.slideshare.net/eralcnoslen/presentations
Clare_Nelson @ ClearMark . biz
Bulletproof
https://blog.chain.com/faster-bulletproofs-with-ristretto-avx2-29450b4490cd
Range Proof Protocol
Financial Blockchain Shenzhen Consortium
(FISCO)
• Open source blockchain platform
• Challenging Hyperledger Fabric
Protect User Privacy
• Zero-knowledge proofs
• Homomorphic encryption
• Group signature
• Ring signature
https://www.fisco.com.cn/indexEN.html#page1
https://www.prnewswire.com/news-releases/fisco-bcos-challenging-hyperledger-fabric-with-a-consortium-chain-from-china-300733474.html
Consortium Chain from China
Gratitude
ZKP Inventors, Pioneers
We Stand on the Shoulders of Giants
https://www.csail.mit.edu/user/733
https://people.csail.mit.edu/silvio/
https://cyberweek.tau.ac.il/2017/about/speakers/item/207-eli-ben-sasson
https://z.cash/team.html
Shafi Goldwasser Eli Ben-Sasson
Silvio Micali Matthew Green
Backup Slides
Resources
ZKP Resources
• ISO/IEC 9798-5
• Letter to NIST
• Code
o libSNARK C++ library
o libSTARK C++ library
o Bulletproofs using Ristretto, Rust library
• Succinct Computational Integrity and
Privacy Research (SCIPR) Lab
• Stanford Applied Cryptography
• ZKP Science
• ZKP Standards Organization
• References: 4 backup slides at end of this
presentation
https://zkp.science/docs/Letter-to-NIST-20160613-Advanced-Crypto.pdf
https://github.com/chain/ristretto-bulletproofs/
A Hands-On Tutorial for Zero-Knowledge Proofs: Part I-III
http://www.shirpeled.com/2018/10/a-hands-on-tutorial-for-zero-knowledge.html
September-October, 2018
Known Vulnerabilities
An Example
Zero-Knowledge Range Proof (ZKRP)
Validate
• Person is 18-65 years old
o Without disclosing the age
• Person is in Europe
o Without disclosing the exact location
https://github.com/ing-bank/zkrangeproof
ZKRP Vulnerability
• Madars Virza
• “The publicly computable value y/t is roughly
the same magnitude (in expectation) as w^2 *
(m-a+1)(b-m+1). However, w^2 has fixed bit
length (again, in expectation) and thus for a
fixed range, this value leaks the magnitude of
the committed value.”
• The proof is not zero knowledge
• Response: will find alternative ZKP
https://github.com/ing-bank/zkrangeproof
Graphic: https://www.pexels.com/photo/milkweed-bug-perching-on-pink-flower-in-close-up-photography-1085549/
Source: https://www.usenix.org/legacy/event/hotsec08/tech/full_papers/parno/parno_html/index.html
If you have a PC,
you may have touched
Zero-Knowledge Proof
(TPM 1.2)
Graphic: https://www.windowscentral.com/best-dell-laptop
Considerations
ZKP Considerations
Depends on Implementation or Use Cases
1. Transparent
• Setup with no reliance on any third
party
• No trapdoors
2. Scalable
• Verify proofs exponentially faster than
database size
3. Succinct
4. Universal
5. Compliant with upcoming ZKP
standards
6. Interactive, non-interactive
7. Support for IoT or cars
8. Security (threat model)
• Code bugs, compromise during deployment,
side channel attacks, tampering attacks,
MiTM
• Manual review, proof sketches, re-use
gadgets, emerging tools for formal
verification, testing
• ZKP protocol breach, how detect breach?
9. Third-party audit
• Monero audits: Kudelski Security $30K,
Benedikt Bünz, QuarksLab
10. Post-quantum secure
https://eprint.iacr.org/2018/046.pdf
https://forum.getmonero.org/22/completed-tasks/90007/bulletproofs-audit-fundraising
References
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017).
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017).
• Baldimtsi, Foteini; Lysyanskaya, Anna. Anonymous Credentials Light. http://cs.brown.edu/~anna/papers/bl13a.pdf (2013).
• Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin,
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014).
• Bitansky, Nir; Weizman, Zvika Brakerski; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance,
https://eprint.iacr.org/2016/213.pdf (September 2016).
• Blum, Manuel; De Santis, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications,
https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Zero%20Knowledge/Noninteractive_Zero-Knowkedge.pdf (1991).
• Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press,
http://www.credentica.com/the_mit_pressbook.html (2000).
• Bunz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More,
https://eprint.iacr.org/2017/1066.pdf (2017).
• Camenisch, Jan and E. Van Herreweghen, Design and implementation of the IBM Idemix anonymous credential system, in Proceedings of the
9th ACM conference on Computer and communications security. ACM, 2002, pp. 21–30.
• Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and languages for privacy-preserving attribute-based
authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).
• Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems,
http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015).
• Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem,
http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf (2016).
• Fleischhacker, Nils; Goyal, Vipul; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs,
https://eprint.iacr.org/2017/935.pdf (2017).
• Ganev, Valentin; Deml, Stefan. Introduction to zk-SNARKs (Part 1), https://blog.decentriq.ch/zk-snarks-primer-part-one/ (2018).
• Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge Proof,
https://link.springer.com/chapter/10.1007/978-3-319-03107-1_2 (2014).
• Geraud, Rémi. Zero-Knowledge: More Secure than Passwords?
https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-secure-than-passwords.html (July 25, 2017).
• Geers, Marjo; Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017).
• Goldreich, Oded. Zero-Knowledge: a tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html has extensive
reference list (2010).
• Goldreich, Oded; Yair, Oren. Definitions and Properties of Zero-Knowledge Proof Systems,
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (1994).
• Goldwasser, Micali, Rackoff, The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911 (1985).
• Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer,
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/ (November 2014).
• Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments, http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010).
• Groth, Jens; Lu, Steve. “A Non-Interactive Shuffle with Pairing Based Verifiability,”
http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006).
• Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge,
http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf (2011).
• Guillou, Quisquater, “How to Explain Zero-Knowledge Protocols to Your Children,” http://pages.cs.wisc.edu/~mkowalcz/628.pdf (1998).
• Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo,
http://blog.stratumn.com/zero-knowledge-proof-of-balance-demo/ (June 2017).
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems,
https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf
(October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• ISO/IEC Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques,
https://www.iso.org/standard/50456.html (2015).
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age,
http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• Kogta, Ronak. ZK-Snarks in English,
https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96-6db2085a28ff&v=&b=&from_search=3 (July 2017).
• Lindell, Yehuda. Efficient Zero-Knowledge Proof, https://www.youtube.com/watch?v=Vahw28dValA, (2015).
• Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication,
http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012).
• Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero-Knowledge Proofs
for the Internet of Things. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016).
• Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography, http://www.austinmohr.com/work/files/zkp.pdf.
• Montenegro, Jose.; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic Proof,
http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013).
• Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System,
https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014).
• Schukat, M; Flood, P. Zero-knowledge Proofs in M2M Communication,
http://digital-library.theiet.org/content/conferences/10.1049/cp.2014.0697 (2014).
• Broadbent, Ann; Ji, Zhengfeng; Song, Fang. Zero-knowledge proof systems for QMA, https://arxiv.org/pdf/1604.02804.pdf (2016).
• Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015).
• Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy.
https://medium.com/blockchannel/episode-3-zero-knowledge-the-future-of-privacy-ea18479295f4 (February 21, 2017).
• Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications.
https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).
EUROCRYPT 2018
Efficient Designated-Verifier Non-Interactive Zero-
Knowledge Proofs of Knowledge
• Pyrros Chaidos (University of Athens), Geoffroy
Couteau (Karlsruhe Institute of Technology)
Quasi-Optimal SNARGs via Linear Multi-Prover
Interactive Proofs
• Dan Boneh (Stanford), Yuval Ishai (Technion and
UCLA), Amit Sahai (UCLA), David J. Wu (Stanford)
https://eurocrypt.iacr.org/2018/acceptedpapers.html
On the Existence of Three Round Zero-Knowledge
Proofs
• Nils Fleischhacker (Johns Hopkins University and
Carnegie Mellon University), Vipul Goyal (Carnegie
Mellon University), Abhishek Jain (Johns Hopkins
University)
An Efficiency-Preserving Transformation from
Honest-Verifier Statistical Zero-Knowledge to
Statistical Zero-Knowledge
• Pavel Hubáček (Charles University in Prague), Alon
Rosen (IDC Herzliya), Margarita Vald (Tel-Aviv
University)
Partially Splitting Rings for Faster Lattice-Based Zero-
Knowledge Proofs
• Vadim Lyubashevsky (IBM Research - Zurich), Gregor
Seiler (IBM Research - Zurich)
The Schnorr NIZK proof is obtained from
the interactive Schnorr identification
scheme through a Fiat-Shamir
transformation
• This transformation involves using a
secure cryptographic hash function to
issue the challenge instead
https://tools.ietf.org/html/draft-hao-schnorr-01
Schnorr NIZK (IETF Draft)
Graphic: https://www.bswllc.com/resources-articles-preparing-for-the-2013-coso-internal-framework
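The Fiat-Shamir step described on this slide, as an added Python example (not code from the slides or from the IETF draft): the verifier's random challenge is replaced by a hash of the transcript. The demo group, the length-prefixed encoding, the SHA-256 choice and all function names are assumptions made for illustration; the 127-bit subgroup is for demonstration, not deployment.

```python
import hashlib
import secrets

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; used only to build the demo group."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group():
    """Constructed Schnorr group: prime q divides p - 1 and g has order q."""
    q = 2**127 - 1                    # Mersenne prime, the subgroup order
    k = 2**129                        # even cofactor, so p = k*q + 1 is odd
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:          # h^k lands in the order-q subgroup
        h += 1
    return p, q, pow(h, k, p)

P, Q, G = demo_group()

def _enc(x):
    """Length-prefixed encoding so hashed fields cannot run together."""
    b = x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return len(b).to_bytes(4, "big") + b

def challenge(V, A, user_id, other_info):
    """Fiat-Shamir: hash of (g, V, A, identity, context) stands in for the verifier."""
    data = b"".join(_enc(x) for x in (G, V, A, user_id, other_info))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(a, user_id, other_info=b""):
    """Prove knowledge of a with A = g^a, in one message (V, r)."""
    A = pow(G, a, P)
    v = secrets.randbelow(Q - 1) + 1  # fresh per-proof randomness, never reused
    V = pow(G, v, P)
    c = challenge(V, A, user_id, other_info)
    return A, (V, (v - a * c) % Q)

def verify(A, proof, user_id, other_info=b""):
    V, r = proof
    if not (1 < A < P and pow(A, Q, P) == 1):   # public key must lie in the subgroup
        return False
    if not (0 < V < P and 0 <= r < Q):
        return False
    c = challenge(V, A, user_id, other_info)
    return V == pow(G, r, P) * pow(A, c, P) % P  # g^r * A^c == g^v

def simulated_transcript(A):
    """Choose c and r first, then solve for V. Consistent for that one c,
    but hashing V does not reproduce c, so verify() rejects it."""
    c, r = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(G, r, P) * pow(A, c, P) % P, r)

if __name__ == "__main__":
    a = secrets.randbelow(Q - 1) + 1
    A, proof = prove(a, b"alice", b"session-1")
    print("valid proof:", verify(A, proof, b"alice", b"session-1"))
    print("replayed in another session:", verify(A, proof, b"alice", b"session-2"))
    print("simulated, no secret:", verify(A, simulated_transcript(A), b"alice", b"session-1"))
```

Binding the identity and session context into the hash is what makes a captured proof useless elsewhere, which is the "challenge message required" mitigation the deck lists for replay.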
Zero-Knowledge Proof, Formal Definition
http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
An interactive proof system (P, V) for a language L is zero-knowledge if
for any PPT verifier V∗ there exists an expected PPT simulator S such
that
$\forall x \in L,\ z \in \{0,1\}^{*}:\ \mathrm{View}_{V^{*}}[P(x) \leftrightarrow V^{*}(x, z)] = S(x, z)$
As usual, P has unlimited computation power (in practice, P must be a
randomized TM).
Intuitively, the definition states that an interactive proof system (P, V)
is zero-knowledge if for any verifier V∗ there exists an efficient
simulator S that can essentially produce a transcript of the
conversation that would have taken place between P and V∗ on any
given input.
ZKPOK
I can’t tell you my
secret,
but I can prove to
you
that I know the
secret
Source: J. Chou, SC700 A2 Internet Information Protocols (2001)
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
https://www.symantec.com/connect/blogs/you-can-t-have-privacy-without-security
https://www.microsoft.com/en-us/research/research-area/security-privacy-cryptography/
You can have security
without privacy,
but you can’t have privacy
without security.
— Carolyn Herzog, EVP and General
Counsel, ARM
• One-Round ZKP
• Pairing-Based Non-Interactive Arguments
• Perfect ZKPs
• Private-coin ZKP
• Public-coin ZKP
• Scalable Transparent Argument of Knowledge (STARK)
• Scalable Transparent IOP of Knowledge (STIK)
• Schnorr Non-Interactive Zero-Knowledge Proof
• Statistical Zero-Knowledge
• Succinct Interactive Proof (SCIP)
• Succinct Non-Interactive Argument (SNARG)
• Succinct Non-Interactive Argument of Knowledge (SNARK)
• Super-Perfect ZKP
• Symbolic Zero-Knowledge Proof
• Three-Round ZKP
• ZK Arguments
• ZKP Based on Graph Isomorphism
• ZKP of Proximity (ZKPP)
https://ieeexplore.ieee.org/document/1524082/
https://eprint.iacr.org/2018/167.pdf
https://eurocrypt.iacr.org/2018/acceptedpapers.html
http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf
https://eprint.iacr.org/2017/114.pdf
http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf
Examples: ZKP Variations, Terminology
• Approximate Zero-Knowledge Proof
• Bulletproof
• Computationally sound implementations of Symbolic Zero-
Knowledge Proof
• Concurrent ZKP
• Designated-Verifier Non-Interactive Zero-Knowledge Proof
(DVNIZK)
• Double Advance ZKP
• ε-zero-knowledge (weaker notion of ZKP)
• Five-Round ZKP
• Honest-Verifier Statistical Zero-Knowledge
• Implicit Zero-Knowledge Arguments
• Lattice-Based ZKPs
• Lepinski’s 3-round ZK proof protocol
• Non-Interactive Zero-Knowledge Arguments
• Non-Interactive Proofs of Knowledge (NI)ZKPoKs
Non-Interactive Zero-Knowledge Proof
http://slideplayer.com/slide/2891428/
zk-SNARK Proof
Attack Resilience (From Academia)
http://repository.ust.hk/ir/bitstream/1783.1-6277/1/pseudo.pdf
| Attack | Description | Mitigation |
|---|---|---|
| Impersonation | A malicious impersonator, for either party | Need secret, completeness and soundness |
| Replay Attack | Malicious peer or attacker collects previous proofs, and resends these | Challenge message required |
| Man in the Middle (MITM) | Intruder is able to access and modify messages between prover and verifier (without them knowing) | It depends, implementation specific |
| Collaborated Attack | Subverted nodes collaborate to enact identity fraud, or co-conspirator | It depends, requires reputation auditing design |
| Denial of Service (DoS) | Renders networks, hosts, and other systems unusable by consuming bandwidth or deluging with huge number of requests to overload systems | Could happen during authentication setup |
ZKP Challenges
https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
https://www.starkware.co/#jobs
• Requires expertise and experience
o PhD mathematics or cryptography
o Algebraic cryptography, high-performance
computation in finite fields
o Applications of modern algebra to algorithms
and computer science
• Correct usage
• Security, threat model
• Audited code, formal verification
• Known bugs and vulnerabilities
Graphic: http://www.digifotopro.nl/content/beklimming-mount-everest-360-graden-vastgelegd
Definition of Zero-Knowledge Proof
Proof System, not Geometry Proof
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
http://www.austinmohr.com/work/files/zkp.pdf
Proof system, not a
geometry proof
• Artificial Intelligence (OpenMined)
• Digital Identity
• Digital Watermarks
• Ethereum
• E-Voting
• Gaming
• Genomics
• Location
• Mimblewimble
• Private Messaging
• Sealed Auctions
• Smart Contracts (Hawk)
• Supply Chain Transparency
• Trusted Platform Module (TPM)
• Zero-Knowledge Blockchain
Scope
Out of Scope
Cryptocurrency
• Zcash
• Monero
• …
In Scope
What Are Privacy Coins?
What Problems Are We Solving?
Zero-Knowledge Proofs
If your personal data
is never collected, it
cannot be stolen.
https://www.zurich.ibm.com/identity_mixer/
https://www.ted.com/talks/maria_dubovitskaya_take_back_control_of_your_personal_data, TED Talk
– Maria Dubovitskaya Cryptographer,
Research Staff Member, IBM Zurich
Research Laboratory, Ph.D. in
cryptography and privacy from ETH
Zurich
Graphic: https://www.youtube.com/watch?v=jp_QGwXsoXM
1985
Goldwasser, Micali,
Rackoff paper
2018
ZKP Standards
Organization
2012
Goldwasser, Micali
win Turing Award
https://groups.csail.mit.edu/cis/pubs/shafi/1985-stoc.pdf
https://zkproof.org/
Timeline
It is Still Early Days
ZKP Standards
https://zkproof.org/
https://zkproof.org/documents.html
*https://zkproof.org/zcon0_notes.pdf
I think you should be more
explicit here in step two
ZKProof.org
• Open initiative
• Industry, academia
• Framework for a formal standard of
Zero-Knowledge Proofs
• Working drafts:
o Security
o Implementation
o Applications
Cartoonist: Sydney Harris
Source: https://www.art.com/products/p15063445373-sa-i6847848/sidney-harris-i-think-you-should-be-more-explicit-here-in-step-two-cartoon.htm
ZKP Standards
https://zkproof.org/
https://zkproof.org/documents.html
*https://zkproof.org/zcon0_notes.pdf (June 2018)
ZKProof Workshop at Zcon0
• Legal questions
o If a robber shows a ZKP that they
hold my coins, who legally owns
them?*
• Trust
Graphic: https://www.pymnts.com/fraud-attack/2018/payment-details-north-korean-hack-cyberattack-security/
Trust
https://zkproof.org/zcon0.html
Graphic: http://www.criticbrain.com/articles/india-needs-to-bridge-gap-between-academia-and-industry
Technical people that
trust ZKPs because they
understand the math
Non-technical
people who trust
the technical people
How bridge this gap?
ZKP Illustration
Interactive ZKP
Zero-Knowledge Proof Illustration
Matthew Green
Telecom Company
• Cell towers
• Vertices
• Avoid signal overlap
• Use 1 of 3 signals
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Zero-Knowledge Proof Illustration
Matthew Green
3-Color Graph Problem
• Use colors to represent
frequency bands
• Solve for 1,000 towers
• Hire Brain Consulting
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Zero-Knowledge Proof Illustration
Matthew Green
Proof of Solution
• Prove have solution without
revealing it
• Hats hide the solution
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Zero-Knowledge Proof Illustration
Matthew Green
Proof of Solution
• Remove any two hats
• See vertices are different
colors
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Zero-Knowledge Proof Illustration
Matthew Green
Repeat this process
• Clear previous solution
• (Add randomness)
• Solve again
• Telecom removes two hats
Accept or Reject
• Complete for preset number of
rounds
• Telecom accepts or rejects
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
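The hat protocol from the illustration above, as an added Python example (not part of the original slides or of Matthew Green's post): salted SHA-256 commitments play the hats, and the sample graph, colorings and function names are constructed for illustration.

```python
import hashlib
import random
import secrets

# Constructed sample: towers are vertices, an edge means two towers overlap.
EDGES = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 4), (3, 4), (3, 5), (4, 5)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1, 5: 2}   # a valid 3-coloring
BAD = {**GOOD, 5: 0}                          # towers 3 and 5 now clash

_rng = random.SystemRandom()

def commit(nonce, color):
    """The 'hat': a salted hash hides the color until the nonce is revealed."""
    return hashlib.sha256(nonce + bytes([color])).digest()

class Prover:
    def __init__(self, coloring):
        self.coloring = coloring
        self.openings = {}

    def commit_round(self):
        """Relabel the three colors at random, then put a hat on every vertex."""
        perm = [0, 1, 2]
        _rng.shuffle(perm)
        self.openings = {v: (secrets.token_bytes(32), perm[c])
                         for v, c in self.coloring.items()}
        return {v: commit(n, c) for v, (n, c) in self.openings.items()}

    def reveal(self, u, v):
        """Remove exactly the two hats the verifier asked for."""
        return self.openings[u], self.openings[v]

def verifier_check(commitments, edge, opened):
    (u, v), ((nu, cu), (nv, cv)) = edge, opened
    if cu not in (0, 1, 2) or cv not in (0, 1, 2):
        return False
    # The openings must match what was committed before the challenge,
    # and the two endpoints must carry different colors.
    return (commit(nu, cu) == commitments[u]
            and commit(nv, cv) == commitments[v]
            and cu != cv)

def run_protocol(edges, coloring, rounds):
    """Returns True if the verifier accepts after the preset number of rounds."""
    prover = Prover(coloring)
    for _ in range(rounds):
        commitments = prover.commit_round()
        edge = _rng.choice(edges)         # verifier's random challenge
        if not verifier_check(commitments, edge, prover.reveal(*edge)):
            return False
    return True

def cheat_survival_bound(num_edges, rounds):
    """Upper bound on a prover with at least one bad edge passing every round."""
    return (1 - 1 / num_edges) ** rounds

if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(EDGES, GOOD, 300))
    print("cheating prover accepted:", run_protocol(EDGES, BAD, 300))
    print("cheat survival bound:", cheat_survival_bound(len(EDGES), 300))
```

Each round the verifier sees only two distinct colors under a fresh random relabeling, so the opened hats say nothing about the underlying assignment, while the round count drives the cheating prover's survival probability toward zero.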
Interactive Zero-Knowledge Proof
Derived from http://blog.stratumn.com/zkp-hash-chains/
Verifier Prover
Construct
ZKP
Verify
ZKP
Proof
Non-Interactive ZKP
Transform multiple
messages into one
message, or string
Zero-Knowledge Proofs (ZKPs) Enhance Privacy
https://docs.google.com/document/d/1spgtYG8iXZ_NjUXdN8AEdKdGmaulE8r-mf7NsQ-_y4E/edit#
Personal
Privacy
Institutional
Integrity
Graphic: https://scattering-ashes.co.uk/ashes-help-and-advice/much-ash-cremation/
zk-STARKs Paper
Scalable, transparent, and post-quantum secure computational integrity
(March 2018)
https://eprint.iacr.org/2018/046.pdf
Human dignity demands that personal
information, like medical and forensic data, be
hidden from the public.
But veils of secrecy designed to preserve
privacy may also be abused to cover up lies
and deceit by institutions entrusted with Data,
unjustly harming citizens and eroding trust in
central institutions.
Zero knowledge (ZK) proof systems are an
ingenious cryptographic solution to this tension
between the ideals of personal privacy and
institutional integrity, enforcing the latter in a way
that does not compromise the former.
– Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev
Cryptocurrency
https://eprint.iacr.org/2018/962.pdf
The main strength of distributed
ledgers is also their main
weakness: the history of all events
is available for anyone to read.
Zcash
https://z.cash/
https://blockexplorer.com/
Services tracking Zcash blockchain activity such as block
explorers will be able to distinguish the type of shielded
address used (legacy vs Sapling)
They could even add new labels to the interfaces so users can
distinguish as well
Block Explorer
Bitcoin Block Explorer is an open source web tool that allows you to view
information about blocks, addresses, and transactions on the Bitcoin
blockchain. The source code is on GitHub.
insight is an open-source Zcash blockchain explorer with complete REST
and websocket APIs that can be used for writing web wallets and other
apps that need more advanced blockchain queries than provided by
zcashd RPC. Check out the source code.
Cryptocurrency
https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf
Global, distributed, synchronized
ledger
• Peer-to-peer electronic transfer
• Transaction details are public
o Sender
o Receiver
o Amount transferred
Graphic: https://www.ccn.com/whats-next-for-cryptocurrencies-tokens-purpose/
Privacy Coins, 50+
Out of Scope
In Scope
Contents
1. What are Privacy Coins?
2. What are Zero-Knowledge Proofs?
3. Zcash and Monero
• zk-SNARKs versus Bulletproofs
4. The Future
Graphic: https://www.equifax.com.au/personal/articles/what-identity-watch

Texas Bitcoin Conference: Are Privacy Coins Private Enough?

  • 1. Are Privacy Coins Private Enough? Clare Nelson, CISSP, CIPP/E VP Business Development & Product Strategy, North America Sedicii @Safe_SaaS Another Reason to Care about Zero-Knowledge Proofs Texas Bitcoin Conference Austin, TX October 28, 2018
  • 3. Privacy Coins https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf Privacy for payments Anonymity • Hide identities of sender, receiver Confidentiality • Hide amount transferred Graphic: https://medium.com/@habs/is-the-future-of-cryptocurrency-the-use-of-privacy-coins-2fe4739a1ef2 How Achieve Privacy? • Some privacy coins use Zero-Knowledge Proofs
  • 5. Zero-Knowledge Proofs One of the most powerful tools cryptographers have ever devised https://z.cash/team.html https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/ – Matthew Green Professor at Johns Hopkins University Co-founder of Zcash
  • 6. Definition of Zero-Knowledge Proof Enable a Prover to convince a Verifier of the validity of a statement • Yields nothing beyond validity of the statement • Incorporates randomness • Is probabilistic o Does not provide absolute certainty http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf http://www.austinmohr.com/work/files/zkp.pdf Prover Verifier Statement
  • 7. ZKP Requirements Completeness • If statement is true, verifier will be convinced by prover Soundness • If statement is false, a cheating prover cannot convince verifier it is true o Except with some small probability Zero-Knowledge • Verifier learns nothing beyond the statement’s validity http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf http://www.austinmohr.com/work/files/zkp.pdf http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html Graphic: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker
  • 8. ZKP Applications Constructs • Range proofs • Set membership • Comparison • Computational integrity Preserve Privacy Variety of Use Cases • Secure computation • Authentication with anonymous credentials • Transaction validation Fundamental Tool of Cryptography
  • 9. 007 Wants to Read the News Credit to Anna Lysyanskaya for the 007 metaphor Graphic: http://www.007.com/characters/the-bonds/ I can tell you. But then I’ll have to kill you. www.telegraph.co.uk Today’s news? Who are you? Do you have a subscription?
  • 10. 007 Uses Subscription My subscription is #4309115 www.telegraph.co.uk Today’s news? Who are you? Do you have a subscription? 007 Reveals Personal Data: - Zip code when he looks up the weather - Date of birth when he reads his horoscope - More data when he browses the personal ads Credit to Anna Lysyanskaya for the 007 metaphor Graphic: http://www.007.com/characters/the-bonds/
  • 11. Completeness: Telegraph Accepts Proof Here is a Zero-Knowledge Proof www.telegraph.co.uk Today’s news? Who are you? Do you have a subscription? Credit to Anna Lysyanskaya for the 007 metaphor Graphic: http://www.007.com/characters/the-bonds/
  • 12. Soundness Credit to Anna Lysyanskaya for the 007 metaphor Graphic: https://en.wikipedia.org/wiki/M_(James_Bond) It’s Bond. James Bond. www.telegraph.co.uk Today’s news? Rejected Who are you? Do you have a subscription? (M fails because she can’t prove to Telegraph)
  • 13. zk-STARK Example (Ben-Sasson, Bentov, Horesh, Riabzev) https://eprint.iacr.org/2018/046.pdf National Offender DNA Database Presidential Candidate, Jaffa Prove to public that Jaffa is not in offender database Graphic: https://www.linkedin.com/in/jaffaedwards/, with permission May 25, 2018. No reliance on any external trusted party
  • 14. Examples of ZKP Variants ZKP: Interactive, multiple messages, need stable communication channel. NIZKP: Not interactive, one message. zk-SNARK: Need one-time, trusted setup to generate key at launch. zk-STARK: No setup, working on memory issues, I or NI, post-quantum secure. Bulletproof: No setup, 188 bytes, not post-quantum secure. Lattice-Based: Lattice-based cryptography, post-quantum secure, research. Graph Isomorphism: Interactive, compare graphs, efficient computation. zk-STIK: Scalable Transparent Interactive Oracle of Proof (IOP) of Knowledge. Designated Verifier: DVNIZK, not just any entity can be verifier, verifier must know secret. Ligero. Aurora. https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1 https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N https://www.starkware.co/ http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf https://eprint.iacr.org/2017/1066.pdf, Bulletproofs https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch
  • 15. Trusted Setup https://z.cash/technology/paramgen https://z.cash/blog/the-design-of-the-ceremony/ https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch Multi-Party Computation (MPC) Ceremonies Zcash Sprout (2016)* • 6 participants in the ceremony Zcash Sapling (2017-2018) • 87 Participants Generating zk-SNARK public parameters • Keep public key • Destroy private key shards If attacker gets copy of private key • Create counterfeit Zcash • Not violate anyone else’s privacy • Not steal other people’s Zcash *October 28, 2016
  • 17. Zcash https://z.cash/ Privacy is Optional • Allow transactions to be verified without revealing o Sender o Receiver o Transaction amount Graphic: https://briandcolwell.com/2017/08/zcash-stash-or-trash-if-bitcoin-is-http-for-money-then-zcash-is-https/.html
  • 20. zk-SNARKs vs Bulletproofs Transparent (no trusted setup required): zk-SNARKs No, Bulletproofs Yes. Proof Size: zk-SNARKs 288 bytes, Bulletproofs 188 bytes. Verification time: zk-SNARKs few milliseconds, depends; Bulletproofs little longer, depends. Seminal Paper: zk-SNARKs May 2014, Bulletproofs 2017. Authors, zk-SNARKs: • Eli Ben-Sasson (Technion) • Alessandro Chiesa (MIT) • Eran Tromer (Tel Aviv) • Madars Virza (MIT). Authors, Bulletproofs: • Benedikt Bünz (Stanford) • Jonathan Bootle (U. College London) • Dan Boneh (Stanford) • Andrew Poelstra (Blockstream). Post-Quantum Secure? zk-SNARKs No, Bulletproofs No. https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf https://z.cash/technology/zksnarks/ http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
  • 21. Are Privacy Coins Private Enough?
  • 22. ZEXE (Zero knowledge EXEcution) https://eprint.iacr.org/2018/962.pdf, October 8, 2018 Ledger-Based System • Supports offline computations • Provides publicly-verifiable transactions that attest to the correctness of these offline executions o Privacy § A transaction reveals no information about the offline computation § Except an upper bound on the number of consumed inputs and created outputs Prior work achieves data privacy but not function privacy Graphic: https://www.edie.net/news/4/Water-companies-losing-vast-amounts-through-leakage--as-drought-fears-rise/
  • 23. ZEXE (Zero knowledge EXEcution) https://eprint.iacr.org/2018/962.pdf, October 8, 2018 Ethereum supports thousands of ERC-20 token contracts • Each represents a distinct currency • Even if these contracts adopted Zerocash protocol to hide details about token payments, the corresponding transactions would still reveal which token was being exchanged • Leakage of this information would substantially reduce the anonymity of those payments Graphic: https://codeburst.io/build-your-first-ethereum-smart-contract-with-solidity-tutorial-94171d6b1c4b
  • 26. Financial Blockchain Shenzhen Consortium (FISCO) • Open source blockchain platform • Challenging Hyperledger Fabric Protect User Privacy • Zero-knowledge proofs • Homomorphic encryption • Group signature • Ring signature https://www.fisco.com.cn/indexEN.html#page1 https://www.prnewswire.com/news-releases/fisco-bcos-challenging-hyperledger-fabric-with-a-consortium-chain-from-china-300733474.html Consortium Chain from China
  • 28. We Stand on the Shoulders of Giants https://www.csail.mit.edu/user/733 https://people.csail.mit.edu/silvio/ https://cyberweek.tau.ac.il/2017/about/speakers/item/207-eli-ben-sasson https://z.cash/team.html Shafi Goldwasser Eli Ben-Sasson Silvio Micali Matthew Green
  • 31. ZKP Resources • ISO/IEC 9798-5 • Letter to NIST • Code o libSNARK C++ library o libSTARK C++ library o Bulletproofs using Ristretto, Rust library • Succinct Computational Integrity and Privacy Research (SCIPR) Lab • Stanford Applied Cryptography • ZKP Science • ZKP Standards Organization • References: 4 backup slides at end of this presentation https://zkp.science/docs/Letter-to-NIST-20160613-Advanced-Crypto.pdf https://github.com/chain/ristretto-bulletproofs/ A Hands-On Tutorial for Zero-Knowledge Proofs: Part I-III http://www.shirpeled.com/2018/10/a-hands-on-tutorial-for-zero-knowledge.html September-October, 2018
  • 33. Zero-Knowledge Range Proof (ZKRP) Validate • Person is 18-65 years old o Without disclosing the age • Person is in Europe o Without disclosing the exact location https://github.com/ing-bank/zkrangeproof
  • 34. ZKRP Vulnerability • Madars Virza • “The publicly computable value y/t is roughly the same magnitude (in expectation) as w^2 * (m-a+1)(b-m+1). However, w^2 has fixed bit length (again, in expectation) and thus for a fixed range, this value leaks the magnitude of the committed value.” • The proof is not zero knowledge • Response: will find alternative ZKP https://github.com/ing-bank/zkrangeproof Graphic: https://www.pexels.com/photo/milkweed-bug-perching-on-pink-flower-in-close-up-photography-1085549/
  • 35. Source: https://www.usenix.org/legacy/event/hotsec08/tech/full_papers/parno/parno_html/index.html If you have a PC, you may have touched Zero-Knowledge Proof (TPM 1.2) Graphic: https://www.windowscentral.com/best-dell-laptop
  • 37. ZKP Considerations Depends on Implementation or Use Cases 1. Transparent • Setup with no reliance on any third party • No trapdoors 2. Scalable • Verify proofs exponentially faster than database size 3. Succinct 4. Universal 5. Compliant with upcoming ZKP standards 6. Interactive, non-interactive 7. Support for IoT or cars 8. Security (threat model) • Code bugs, compromise during deployment, side channel attacks, tampering attacks, MiTM • Manual review, proof sketches, re-use gadgets, emerging tools for formal verification, testing • ZKP protocol breach, how detect breach? 9. Third-party audit • Monero audits: Kudelski Security $30K, Benedikt Bünz, QuarksLab 10. Post-quantum secure https://eprint.iacr.org/2018/046.pdf https://forum.getmonero.org/22/completed-tasks/90007/bulletproofs-audit-fundraising
  • 38. References • Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017). • AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017). • Baldimtsi, Foteini; Lysyanskaya, Anna. Anonymous Credentials Light. http://cs.brown.edu/~anna/papers/bl13a.pdf (2013). • Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin, http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014). • Bitansky, Nir; Weizman, Zvika Brakerski; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance, https://eprint.iacr.org/2016/213.pdf (September 2016). • Blum, Manuel; De Santis, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications, https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Zero%20Knowledge/Noninteractive_Zero-Knowkedge.pdf (1991). • Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press, http://www.credentica.com/the_mit_pressbook.html (2000). • Bunz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More, https://eprint.iacr.org/2017/1066.pdf (2017). • Camenisch, Jan and E. Van Herreweghen, Design and implementation of the IBM Idemix anonymous credential system, in Proceedings of the 9th ACM conference on Computer and communications security. ACM, 2002, pp. 21–30. • Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and languages for privacy-preserving attribute-based authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).
  • 39. References • Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems, http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015). • Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem, http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf (2016). • Fleischhacker, Nils; Goyal, Vipul; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs, https://eprint.iacr.org/2017/935.pdf (2017). • Ganev, Valentin; Deml, Stefan. Introduction to zk-SNARKs (Part 1), https://blog.decentriq.ch/zk-snarks-primer-part-one/ (2018). • Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge Proof, https://link.springer.com/chapter/10.1007/978-3-319-03107-1_2 (2014). • Geraud, Rémi. Zero-Knowledge: More Secure than Passwords? https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-secure-than-passwords.html (July 25, 2017). • Geers, Marjo; Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017). • Goldreich, Oded. Zero-Knowledge: a tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html has extensive reference list (2010). • Goldreich, Oded; Yair, Oren. Definitions and Properties of Zero-Knowledge Proof Systems, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (1994). • Goldwasser, Micali, Rackoff, The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911 (1985). • Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer, https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/ (November 2014).
  • 40. References • Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments, http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010). • Groth, Jens; Lu, Steve. “A Non-Interactive Shuffle with Pairing Based Verifiability,” http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006). • Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge, http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf (2011). • Guillou, Quisquater, “How to Explain Zero-Knowledge Protocols to Your Children,” http://pages.cs.wisc.edu/~mkowalcz/628.pdf (1998). • Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo, http://blog.stratumn.com/zero-knowledge-proof-of-balance-demo/ (June 2017). • Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite] • ISO/IEC Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques, https://www.iso.org/standard/50456.html (2015). • Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013). • Kogta, Ronak. ZK-Snarks in English, https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96-6db2085a28ff&v=&b=&from_search=3 (July 2017).
  • 41. References • Lindell, Yehuda. Efficient Zero-Knowledge Proof, https://www.youtube.com/watch?v=Vahw28dValA, (2015). • Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication, http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012). • Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016). • Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography, http://www.austinmohr.com/work/files/zkp.pdf. • Montenegro, Jose.; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic Proof, http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013). • Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System, https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014). • Schukat, M; Flood, P. Zero-knowledge Proofs in M2M Communication, http://digital-library.theiet.org/content/conferences/10.1049/cp.2014.0697 (2014). • Broadbent, Ann; Ji, Zhengfeng; Song, Fang. Zero-knowledge proof systems for QMA, https://arxiv.org/pdf/1604.02804.pdf (2016). • Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015). • Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy. https://medium.com/blockchannel/episode-3-zero-knowledge-the-future-of-privacy-ea18479295f4 (February 21, 2017). • Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications. https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).
  • 42. EUROCRYPT 2018 https://eurocrypt.iacr.org/2018/acceptedpapers.html Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge • Pyrros Chaidos (University of Athens), Geoffroy Couteau (Karlsruhe Institute of Technology) Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs • Dan Boneh (Stanford), Yuval Ishai (Technion and UCLA), Amit Sahai (UCLA), David J. Wu (Stanford) On the Existence of Three Round Zero-Knowledge Proofs • Nils Fleischhacker (Johns Hopkins University and Carnegie Mellon University), Vipul Goyal (Carnegie Mellon University), Abhishek Jain (Johns Hopkins University) An Efficiency-Preserving Transformation from Honest-Verifier Statistical Zero-Knowledge to Statistical Zero-Knowledge • Pavel Hubáček (Charles University in Prague), Alon Rosen (IDC Herzliya), Margarita Vald (Tel-Aviv University) Partially Splitting Rings for Faster Lattice-Based Zero-Knowledge Proofs • Vadim Lyubashevsky (IBM Research - Zurich), Gregor Seiler (IBM Research - Zurich)
  • 43. Schnorr NIZK (IETF Draft) The Schnorr NIZK proof is obtained from the interactive Schnorr identification scheme through a Fiat-Shamir transformation • This transformation involves using a secure cryptographic hash function to issue the challenge instead https://tools.ietf.org/html/draft-hao-schnorr-01 Graphic: https://www.bswllc.com/resources-articles-preparing-for-the-2013-coso-internal-framework
  • 44. Zero-Knowledge Proof, Formal Definition http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf An interactive proof system (P, V) for a language L is zero-knowledge if for any PPT verifier V* there exists an expected PPT simulator S such that $\forall x \in L,\ z \in \{0,1\}^{*}:\ \mathrm{View}_{V^{*}}[P(x) \leftrightarrow V^{*}(x, z)] = S(x, z)$. As usual, P has unlimited computation power (in practice, P must be a randomized TM). Intuitively, the definition states that an interactive proof system (P, V) is zero-knowledge if for any verifier V* there exists an efficient simulator S that can essentially produce a transcript of the conversation that would have taken place between P and V* on any given input.
  • 45. ZKPOK I can’t tell you my secret, but I can prove to you that I know the secret Source: J. Chou, SC700 A2 Internet Information Protocols (2001) Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
  • 46. https://www.symantec.com/connect/blogs/you-can-t-have-privacy-without-security https://www.microsoft.com/en-us/research/research-area/security-privacy-cryptography/ You can have security without privacy, but you can’t have privacy without security. — Carolyn Herzog, EVP and General Counsel, ARM
  • 47. Examples: ZKP Variations, Terminology • Approximate Zero-Knowledge Proof • Bulletproof • Computationally sound implementations of Symbolic Zero-Knowledge Proof • Concurrent ZKP • Designated-Verifier Non-Interactive Zero-Knowledge Proof (DVNIZK) • Double Advance ZKP • ε-zero-knowledge (weaker notion of ZKP) • Five-Round ZKP • Honest-Verifier Statistical Zero-Knowledge • Implicit Zero-Knowledge Arguments • Lattice-Based ZKPs • Lepinski’s 3-round ZK proof protocol • Non-Interactive Zero-Knowledge Arguments • Non-Interactive Proofs of Knowledge (NI)ZKPoKs • One-Round ZKP • Pairing-Based Non-Interactive Arguments • Perfect ZKPs • Private-coin ZKP • Public-coin ZKP • Scalable Transparent Argument of Knowledge (STARK) • Scalable Transparent IOP of Knowledge (STIK) • Schnorr Non-Interactive Zero-Knowledge Proof • Statistical Zero-Knowledge • Succinct Interactive Proof (SCIP) • Succinct Non-Interactive Argument (SNARG) • Succinct Non-Interactive Argument of Knowledge (SNARK) • Super-Perfect ZKP • Symbolic Zero-Knowledge Proof • Three-Round ZKP • ZK Arguments • ZKP Based on Graph Isomorphism • ZKP of Proximity (ZKPP) https://ieeexplore.ieee.org/document/1524082/ https://eprint.iacr.org/2018/167.pdf https://eurocrypt.iacr.org/2018/acceptedpapers.html http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf https://eprint.iacr.org/2017/114.pdf http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf
  • 49. Attack Resilience (From Academia) http://repository.ust.hk/ir/bitstream/1783.1-6277/1/pseudo.pdf Columns: Attack, Description, Mitigation. Impersonation. Description: A malicious impersonator, for either party. Mitigation: Need secret, completeness and soundness. Replay Attack. Description: Malicious peer or attacker collects previous proofs, and resends these. Mitigation: Challenge message required. Man in the Middle (MITM). Description: Intruder is able to access and modify messages between prover and verifier (without them knowing). Mitigation: It depends, implementation specific. Collaborated Attack. Description: Subverted nodes collaborate to enact identity fraud, or co-conspirator. Mitigation: It depends, requires reputation auditing design. Denial of Service (DoS). Description: Renders networks, hosts, and other systems unusable by consuming bandwidth or deluging with huge number of requests to overload systems. Mitigation: Could happen during authentication setup.
  • 50. ZKP Challenges https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1 https://www.starkware.co/#jobs • Requires expertise and experience o PhD mathematics or cryptography o Algebraic cryptography, high-performance computation in finite fields o Applications of modern algebra to algorithms and computer science • Correct usage • Security, threat model • Audited code, formal verification • Known bugs and vulnerabilities Graphic: http://www.digifotopro.nl/content/beklimming-mount-everest-360-graden-vastgelegd
  • 51. Definition of Zero-Knowledge Proof Proof System, not Geometry Proof http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf http://www.austinmohr.com/work/files/zkp.pdf Proof system, not a geometry proof
  • 52. Scope In Scope: Cryptocurrency • Zcash • Monero • … Out of Scope: • Artificial Intelligence (OpenMined) • Digital Identity • Digital Watermarks • Ethereum • E-Voting • Gaming • Genomics • Location • Mimblewimble • Private Messaging • Sealed Auctions • Smart Contracts (Hawk) • Supply Chain Transparency • Trusted Platform Module (TPM) • Zero-Knowledge Blockchain
  • 53. What Are Privacy Coins? What Problems Are We Solving?
  • 54. Zero-Knowledge Proofs If your personal data is never collected, it cannot be stolen. https://www.zurich.ibm.com/identity_mixer/ https://www.ted.com/talks/maria_dubovitskaya_take_back_control_of_your_personal_data, TED Talk – Maria Dubovitskaya Cryptographer, Research Staff Member, IBM Zurich Research Laboratory, Ph.D. in cryptography and privacy from ETH Zurich Graphic: https://www.youtube.com/watch?v=jp_QGwXsoXM
  • 55. Timeline: It is Still Early Days 1985: Goldwasser, Micali, Rackoff paper. 2012: Goldwasser, Micali win Turing Award. 2018: ZKP Standards Organization. https://groups.csail.mit.edu/cis/pubs/shafi/1985-stoc.pdf https://zkproof.org/
  • 56. ZKP Standards ZKProof.org • Open initiative • Industry, academia • Framework for a formal standard of Zero-Knowledge Proofs • Working drafts: o Security o Implementation o Applications https://zkproof.org/ https://zkproof.org/documents.html *https://zkproof.org/zcon0_notes.pdf Cartoon caption: “I think you should be more explicit here in step two.” Cartoonist: Sidney Harris Source: https://www.art.com/products/p15063445373-sa-i6847848/sidney-harris-i-think-you-should-be-more-explicit-here-in-step-two-cartoon.htm
  • 57. ZKP Standards https://zkproof.org/ https://zkproof.org/documents.html *https://zkproof.org/zcon0_notes.pdf (June 2018) ZKProof Workshop at Zcon0 • Legal questions o If a robber shows a ZKP that they hold my coins, who legally owns them?* • Trust Graphic: https://www.pymnts.com/fraud-attack/2018/payment-details-north-korean-hack-cyberattack-security/
  • 58. Trust https://zkproof.org/zcon0.html Graphic: http://www.criticbrain.com/articles/india-needs-to-bridge-gap-between-academia-and-industry Technical people that trust ZKPs because they understand the math Non-technical people who trust the technical people How bridge this gap?
  • 60. Zero-Knowledge Proof Illustration Matthew Green Telecom Company • Cell towers • Vertices • Avoid signal overlap • Use 1 of 3 signals https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  • 61. Zero-Knowledge Proof Illustration Matthew Green 3-Color Graph Problem • Use colors to represent frequency bands • Solve for 1,000 towers • Hire Brain Consulting https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  • 62. Zero-Knowledge Proof Illustration Matthew Green Proof of Solution • Prove have solution without revealing it • Hats hide the solution https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  • 63. Zero-Knowledge Proof Illustration Matthew Green Proof of Solution • Remove any two hats • See vertices are different colors https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  • 64. Zero-Knowledge Proof Illustration Matthew Green Repeat this process • Clear previous solution • (Add randomness) • Solve again • Telecom removes two hats Accept or Reject • Complete for preset number of rounds • Telecom accepts or rejects https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  • 65. Interactive Zero-Knowledge Proof Derived from http://blog.stratumn.com/zkp-hash-chains/ Verifier Prover Construct ZKP Verify ZKP Proof Non-Interactive ZKP Transform multiple messages into one message, or string
  • 66. Zero-Knowledge Proofs (ZKPs) Enhance Privacy https://docs.google.com/document/d/1spgtYG8iXZ_NjUXdN8AEdKdGmaulE8r-mf7NsQ-_y4E/edit# Personal Privacy Institutional Integrity Graphic: https://scattering-ashes.co.uk/ashes-help-and-advice/much-ash-cremation/
  • 67. zk-STARKs Paper Scalable, transparent, and post-quantum secure computational integrity (March 2018) https://eprint.iacr.org/2018/046.pdf Human dignity demands that personal information, like medical and forensic data, be hidden from the public. But veils of secrecy designed to preserve privacy may also be abused to cover up lies and deceit by institutions entrusted with Data, unjustly harming citizens and eroding trust in central institutions. Zero knowledge (ZK) proof systems are an ingenious cryptographic solution to this tension between the ideals of personal privacy and institutional integrity, enforcing the latter in a way that does not compromise the former. – Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev
  • 68. Cryptocurrency https://eprint.iacr.org/2018/962.pdf The main strength of distributed ledgers is also their main weakness: the history of all events is available for anyone to read.
  • 69. Zcash https://z.cash/ https://blockexplorer.com/ Services tracking Zcash blockchain activity such as block explorers will be able to distinguish the type of shielded address used (legacy vs Sapling) They could even add new labels to the interfaces so users can distinguish as well Block Explorer Bitcoin Block Explorer is an open source web tool that allows you to view information about blocks, addresses, and transactions on the Bitcoin blockchain. The source code is on GitHub. insight is an open-source Zcash blockchain explorer with complete REST and websocket APIs that can be used for writing web wallets and other apps that need more advanced blockchain queries than provided by zcashd RPC. Check out the source code.
  • 70. Cryptocurrency https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf Global, distributed, synchronized ledger • Peer-to-peer electronic transfer • Transaction details are public o Sender o Receiver o Amount transferred Graphic: https://www.ccn.com/whats-next-for-cryptocurrencies-tokens-purpose/
  • 71. Privacy Coins, 50+ Out of Scope In Scope
  • 72. Contents 1. What are Privacy Coins? 2. What are Zero-Knowledge Proofs? 3. Zcash and Monero • zk-SNARKs versus Bulletproofs 4. The Future Graphic: https://www.equifax.com.au/personal/articles/what-identity-watch
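Slide 43 says the Schnorr NIZK replaces the verifier's challenge with a hash, and slide 44 defines zero-knowledge through a simulator. The following added example (not code from the deck or from the IETF draft) shows both in one place: a one-message proof, its verification, and an honest-verifier simulator that builds valid interactive transcripts without the secret. Assumptions: the toy group is derived at import and is far too small for real use, and the `|`-joined hash encoding and all function names are this example's own.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=61):
    """Constructed demo parameters: safe prime p = 2q + 1; g = 4 has order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()  # ~62-bit modulus: demo only

def challenge(V, A, user_id):
    """Fiat-Shamir: a hash of the public values replaces the verifier's random
    challenge. The '|'-joined encoding is an assumption of this example."""
    data = "|".join(str(x) for x in (P, Q, G, V, A, user_id)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    a = secrets.randbelow(Q - 1) + 1           # secret in [1, q-1]
    return a, pow(G, a, P)                     # public key A = g^a mod p

def prove(a, user_id):
    """One message (V, r); no round trip with the verifier."""
    v = secrets.randbelow(Q)                   # fresh nonce; reusing it leaks a
    V = pow(G, v, P)
    c = challenge(V, pow(G, a, P), user_id)
    return V, (v - a * c) % Q

def transcript_valid(A, V, c, r):
    """Check used by the interactive scheme: V == g^r * A^c (mod p)."""
    return V == pow(G, r, P) * pow(A, c, P) % P

def verify(A, user_id, proof):
    V, r = proof
    if not (1 < A < P and pow(A, Q, P) == 1):  # A must be in the order-q subgroup
        return False
    if not (0 < V < P and 0 <= r < Q):
        return False
    return transcript_valid(A, V, challenge(V, A, user_id), r)

def simulate_transcript(A):
    """Honest-verifier simulator: choose c and r first, then solve for V.
    It never uses the secret, so such transcripts reveal nothing about it."""
    c, r = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, r, P) * pow(A, c, P) % P, c, r
```

A simulated transcript passes the interactive check but not `verify`, because the hash fixes the challenge only after `V` is chosen; that is what lets the non-interactive form stay sound.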
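The hat protocol on slides 60 to 64 (commit to a re-randomized coloring, open two adjacent vertices, repeat) can be run end to end. This is an added example, not code from the deck or from Matthew Green's primer; it assumes salted SHA-256 commitments stand in for the hats, and the five-tower graph, colorings and function names are constructed for illustration.

```python
import hashlib
import secrets

RNG = secrets.SystemRandom()

def commit(color):
    """Put a 'hat' on a vertex: salted SHA-256 commitment to its color."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + bytes([color])).hexdigest(), salt

def opens_to(hat, salt, color):
    """True if (salt, color) is a valid opening of the commitment."""
    return color in (0, 1, 2) and \
        hashlib.sha256(salt + bytes([color])).hexdigest() == hat

class Prover:
    def __init__(self, coloring):
        self.coloring = coloring               # vertex -> color in {0, 1, 2}

    def commit_round(self):
        """Add randomness: relabel the three colors, then hat every vertex."""
        perm = [0, 1, 2]
        RNG.shuffle(perm)
        self.shuffled = {v: perm[c] for v, c in self.coloring.items()}
        self.salts, hats = {}, {}
        for v, c in self.shuffled.items():
            hats[v], self.salts[v] = commit(c)
        return hats

    def reveal(self, edge):
        """Lift exactly the two hats the verifier asked for."""
        return {v: (self.shuffled[v], self.salts[v]) for v in edge}

def verify_round(hats, edge, opened):
    """Both openings must match their hats and the two colors must differ."""
    u, v = edge
    (cu, su), (cv, sv) = opened[u], opened[v]
    return opens_to(hats[u], su, cu) and opens_to(hats[v], sv, cv) and cu != cv

def run_protocol(edges, prover, rounds, pick_edge=None):
    """Verifier's loop. pick_edge lets a test fix the challenge; the default
    is a uniformly random edge per round."""
    for _ in range(rounds):
        hats = prover.commit_round()
        edge = pick_edge() if pick_edge else RNG.choice(edges)
        if not verify_round(hats, edge, prover.reveal(edge)):
            return False                       # reject on the first failed round
    return True

def cheat_survival_bound(num_edges, rounds):
    """Upper bound on the chance that a coloring with at least one bad edge
    survives every round (soundness error)."""
    return (1 - 1 / num_edges) ** rounds

# Constructed sample: five towers, five interference edges.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}          # a valid 3-coloring
BAD = {**GOOD, 4: 0}                           # towers 3 and 4 now collide
```

A single round catches the bad coloring only when the challenge lands on edge (3, 4), which is why the verifier repeats for a preset number of rounds before accepting.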