Introducing K0: zero knowledge proof assets for multiple enterprise blockchains
Today we’re launching an alpha release of a zero knowledge proof library that we’ve been developing for a while. K0 (pronounced “K-zero”) sets out to generate private digital assets compatible with multiple enterprise blockchains.
What was the motivation behind building K0?
We set out to solve two problems.
1. We felt that most enterprise blockchain platforms solve privacy by isolating transactions to very small validator sets (typically only the parties involved in a transaction, and perhaps a notary), at the expense of security provided by a larger validator set.
2. We felt that diverging enterprise blockchain technologies are creating a technology integration gap that will become harder to bridge, and we believe that networks will need bridging in order to maximise business value and potential.
Isn’t someone else already doing this?
We looked around, and noticed that:
a) Blockchain platforms (Quorum, Corda, Fabric) started using zero knowledge proof technology to improve 1, but not 2.
b) There was already some great work on privacy and zero knowledge proofs for public blockchains (see zCash, Mimble Wimble, Coda, STARKware, AZTEC), but not private, business networks that our customers use.
Why base K0 on the Zerocash scheme?
So, in 2018 we set out to find out what zero knowledge proofs are, how they work and how we could use them to solve the aforementioned problems stated above for our clients. When doing this inevitably one soon stumbles across the Zerocash scheme, which is a concept for a private and anonymous cryptocurrency. It is also the only widely deployed application of zero knowledge proofs in its implementation in Zcash. Studying Zerocash allowed us to get an understanding of how zero knowledge proofs can fit into an application by looking at an actual project. A lot of the available information on ZKPs is daunting to uninitiated non-cryptographers, but it helps massively to see a working example.
In a cryptocurrency like Bitcoin, the state of the system, ie. the account balances (or in more technical terms, the UTXO set), is completely public. That is, every observer of the system can see “who owns what”. A transaction is then an instruction sent to the system by a holder of certain funds to transfer some of them to somebody else. The blockchain miners, who execute the transaction, can verify that the sender (unambiguously identified through their digital signature) indeed holds the necessary account balance and thus the transaction is valid. They add some data to the system state which deducts the specified amount from the sender’s account balance and adds it to the recipient’s balance.
In Zerocash, there is also a system state representing account balances (we’re making very broad generalisations here for the sake of simplicity). However, the information is not public as in Bitcoin, but stored in “encrypted” form (to be more precise, as cryptographic “commitments”). The point is that individual users of the system know about and have at their disposal only their own funds and do not know about anybody else’s. A transaction, similar to Bitcoin, adds data to the state which essentially moves funds from one account to another, but contains no actual information about the identity of the participants or the amount being transferred.
But how can the validators of the system still determine that the transaction is valid? This is where the magic of zero knowledge proofs comes in: The transaction contains a proof that the data added to the state represents a valid transfer, in particular that the sender indeed holds the necessary funds, and that the transaction changes the state in a way that afterwards the sender has exactly the amount less in their account that the recipient was awarded (ie. no money is lost or created).
What about smart contracts?
Since most of our projects are built on Ethereum, we implemented a prototype of this scheme on Ethereum. It should be noted that in the meantime two other projects were published which do more or less the same thing: Zeth and Nightfall. It soon became clear that the “on-chain” part of the scheme (ie. the verification of the transaction proofs and storing state data) is generic enough to be applied to many smart contract platforms, so we ported our implementation to Fabric.
While it is nice to have an implementation of Zerocash for smart contract platforms, what we’re really interested in is private smart contract applications, for example a trading system in which most of the transactional data is hidden but participants can trust that all transactions conform to some known, agreed-on business logic. A first step towards being able to realise something like this was trying to find a way to extend Zerocash a bit so that payments can be used as triggers to actions in other smart contracts, in other words that a user can use a Zerocash payment to “pay for something” a smart contract does.
We found a solution for use cases where a user expects a certain payment. By tweaking the protocol a little bit we allow the recipient of the expected payment to precompute before the transaction happens some of the data that will be added to the system state once it actually happens (the part that adds the expected value to their account). They can then register this bit of data in a smart contract. Another change we made in our implementation is that in a transaction a user can specify a smart contract which should be informed about the data created in the transaction (we require that the underlying smart contract platform allows smart contracts to communicate with each other). By specifying the smart contract the designated recipient earlier registered the data in, the sender can make their payment trigger some action in that smart contract. This final step is not private, in that the action that gets triggered is typically a standard smart contract action. However the amount being transferred is still hidden.
The same zero knowledge asset running on both Ethereum and Fabric
The current implementation enables creation and movement of zero knowledge assets on both Ethereum and Fabric, with trading the zero knowledge fungible asset for a visible non-fungible asset enabled on Ethereum.
This is just the first step in our exploration of zero knowledge proofs for private smart contracts on multiple enterprise blockchain platforms.