I’d argue that zero knowledge proofs are some of the most exciting developments in cryptography since private/public key encryption, but they have yet to take off. I also believe that privacy-enabling technology is a major feature most blockchains are lacking, and one that zero knowledge proofs can provide. Without privacy, cryptocurrencies can’t (and shouldn’t) succeed. Zcash has for a long time had a very special place in my heart because of that: they’ve managed to bring zkSNARKs to the masses and built a cryptocurrency with working privacy. Zcash won’t be the only blockchain using zero knowledge proofs to enable privacy, but they are definitely the first. I’m very happy to report my highlights from Zcon0 last week in Montreal.
Day 0: Overwinter Release!
Hats off to the Zcash Company’s developers, who kicked off the conference by activating the Overwinter hard fork the day before it started. This release was mainly preparation for the Sapling release. It was the first hard fork Zcash has done, and its main goal was to exercise the hard fork machinery itself and to introduce replay protection.
Day 1: All about Zcash
Josh Cincinnati’s opening remarks
Josh Cincinnati’s opening remarks were unfortunately not delivered live, as he was on his way to becoming a father while the conference was going on. The event, organized by the Zcash Foundation, had approximately 270 attendees. Of those, 56% identified as practitioners, 10.4% as researchers/academia, 11.3% as community members and 12% as non-tech influencers (investors, business people). The conference didn’t have any outside sponsorship and the attendees were curated by the Zcash Foundation. This made for 3 days of exciting conversations in an environment free of any ICO pumping, business development or hiring pitches. Instead you were more likely to find 5 cryptographers huddled together discussing optimisations of circuits and exchanging notes on their implementations of the newest curves.
In his opening remarks, Josh set the stage for lots of talk about privacy and crypto:
You are here because you care about privacy. Privacy is a fundamental right. And while some of us are lucky enough to live in countries that afford that protection legally, we’ve seen many of those protections steadily erode, either overtly removed by jingoistic cries or that hollow surveillance for safety trade or subtly slowly pulled out from under us by corporations that claim a fairer trade for the invasion of privacy if you call the creature comforts afforded by enabling our thermostats to connect to the internet a fair trade. I don’t want to live in a world where those protections continue to slip away from us. —Excerpt from Josh Cincinnati’s Opening Remarks
In line with the day’s theme on Zcash, the keynote by Zooko focused on Zcash and the Zcash Company. He revealed a few interesting things about the Zcash Company’s financials and roadmap. Unlike other cryptocurrencies, Zcash didn’t do a presale/premine but instead rewards its founders and the Zcash Company with a percentage of each block mined for two more years (a total of four years). They currently have 26 employees and a burn rate of $500k/mo, which is roughly half of their mining reward of 6125 ZEC at the current ZECUSD price.
Zcash is one of the few cryptocurrencies that have been granted a BitLicense by the New York Department of Financial Services. The Zcash Company successfully argued for licensing not just transparent addresses but also shielded addresses.
“We believe that user protecting technology is part of the solution, not part of the problem. That user protecting technology is a building block of a well governed democracy. That it serves the purpose that they have to protect their people from criminals…” — @zooko
Matt Green: From Zerocoin to Zcash
Following Zooko’s keynote came Matt Green, one of the seven scientists who designed Zerocash. Before giving a bit of background on the Zerocoin paper, he jokingly started out with two book recommendations as the source of most of his inspiration: Applied Cryptography by Bruce Schneier and Cryptonomicon by Neal Stephenson.
The real beginning of private cash online goes all the way back to the nineties. Ecash at the time had innovative crypto but also required trust in a centralized entity, the issuing bank. It gave you anonymity but lacked the censorship resistance and trustlessness of cryptocurrencies. Only with Nakamoto consensus and the notion of a decentralized ledger did Zerocoin, a truly trustless anonymous cash, become a possibility.
It comes as no surprise that the NSA had ways to deanonymize Bitcoin transactions with its tool MONKEYROCKET, a VPN service that conveniently logged all traffic and helped them track bitcoin transactions from users who thought they were protected by the privacy of a VPN.
Also funny was the part where he talked about how some people copied their proof of concept code (along with the warning written in all capital letters in the README of the repo) and deployed it. A typo in the code resulted in a loss of 370’000 zerocoins. *doh* Nevertheless, Zerocoin, while not performant enough, proved that the concept could work and was the groundwork for Zerocash, which Zcash is based on.
Outlook on Sapling
Sapling is the next release, slated for the end of this year. It is a combination of many improvements that together bring huge gains in usability and performance, but also in security. By choosing better optimized hash functions and a different private key scheme, shielded transactions take a few seconds instead of 40, and doing it on a mobile device is feasible as the RAM usage went down from 3–4 GB to 1 GB. In addition, the trusted setup for Sapling was done sequentially by many participants around the globe instead of the original 6 who took part in the Sprout trusted setup. This means that instead of having to rely on one out of six participants being honest and destroying the secret randomness they used to generate it, now only one out of the 80 or so participants of the Powers of Tau ceremony and the Sapling MPC has to be honest.
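As an added illustration of why a single honest participant suffices (this is not the Zcash ceremony code; it uses a toy multiplicative group modulo a Mersenne prime rather than the pairing-friendly curve and pairing checks the real ceremony relies on), the following simulates a sequential powers-of-tau style ceremony. The effective tau is the product of every participant’s secret share, so an attacker who obtains all shares but one cannot reproduce the published powers.

```python
import secrets

# Toy parameters, constructed for this example only (Zcash uses BLS12-381, not this group).
P = 2**61 - 1          # Mersenne prime used as the modulus of the toy group
G = 3                  # generator element of the toy group
ORDER = P - 1          # exponents are reduced mod P-1 (Fermat's little theorem)
DEGREE = 4             # publish g^(tau^0) .. g^(tau^DEGREE)

def initial_powers():
    """The ceremony starts from tau = 1, so every published power equals g."""
    return [G] * (DEGREE + 1)

def contribute(powers, s):
    """One participant folds secret s into the running tau: g^(tau^k) -> g^((s*tau)^k)."""
    return [pow(p_k, pow(s, k, ORDER), P) for k, p_k in enumerate(powers)]

def run_ceremony(shares):
    """Apply each participant's share in turn; returns the final public powers."""
    powers = initial_powers()
    for s in shares:
        powers = contribute(powers, s)   # the real ceremony also verifies each step with pairings
    return powers

def combine(shares):
    """The effective tau behind the powers is the product of all shares mod the group order."""
    tau = 1
    for s in shares:
        tau = tau * s % ORDER
    return tau

def is_consistent(powers, tau):
    """Does this tau explain the published powers? Only a holder of the full tau can pass."""
    return all(pow(G, pow(tau, k, ORDER), P) == p_k for k, p_k in enumerate(powers))

def random_share():
    return secrets.randbelow(ORDER - 2) + 2

if __name__ == "__main__":
    shares = [random_share() for _ in range(80)]
    powers = run_ceremony(shares)
    leaked = shares[1:]   # everyone except the first participant leaked their secret
    print("all shares known, tau recovered:", is_consistent(powers, combine(shares)))
    print("one share destroyed, best guess:", is_consistent(powers, combine(leaked)))
```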
Without going into too much detail, the most exciting thing about Sapling is that it makes shielded transfers cheap enough that clients can now make private balances the default, which will greatly increase privacy for everyone in the system.
There were two interesting sessions on Sapling: Sean Bowe, creator of the Bellman library, talked about the details of the performance improvements, and Ariel Gabizon talked about the security of the Sapling protocol.
Usability & Privacy by default
Linda Naeun Lee shared her experiences of transacting using Zcash and showed what a long way we still have to go to make cryptocurrencies usable for the general public. In the end, however, she did succeed in buying a T-shirt on OB1 and sending it to Venezuela. The talk by Mary Maller was somewhat related. Using transaction analysis, they greatly reduced the anonymity set of the shielded transactions and showed a few interesting stats. In short, unless shielded transactions are the default (or a requirement), it is likely that only the people who really need them will use them, which shrinks the anonymity set down to just those people.
Day 1 Workshops
Each day there were workshops on various topics. Notes are here: https://github.com/ZcashFoundation/zcon0-workshop-notes and a summary by the participants is here: https://www.youtube.com/watch?v=GB834x96S1M&index=9&list=PL40dyJ0UYTLK507afWUMgzUYeh-i4qQWS
Day 2: Zero Knowledge Proofs
Who’s actually using this stuff?
The theme of day two was zero knowledge proofs and their use cases outside of Zcash. Looking back to when I first started out reading Vitalik’s three part series (I, II, III) last fall, probably the most exciting thing to talk about is how the ecosystem has evolved since then. While zkSNARKs are still not used much on Ethereum or anywhere else, this is starting to change. Zcon0 was a chance to meet some of the people actively involved in integrating zero knowledge proofs into their products. Here’s my incomplete list of some of the awesome projects that use them:
- Jonathan Rouach on QED-it: QED-it is working on bringing zkSNARKs to the masses. QED-it prototyped an interesting use case for trustless tax payments on Ethereum.
- Ian Meeker talked about Coda Protocol: a blockchain using recursive SNARKs so that the entire chain can be verified by checking a single zkSNARK.
- Nicola Greco talked about Filecoin: they are using zkSNARKs as a compression function for their proof of storage. A very ingenious way of using SNARKs for something other than
- Thibaut Schaeffer’s update on ZoKrates: if you’re going to try to use zkSNARKs on Ethereum, this will most likely be your starting point. ZoKrates’ DSL is a great fit for engineers who want to use all this fancy crypto without having to understand the underlying toolchain and math.
Looking beyond zkSNARKs, Benedikt Bünz talked about Bulletproofs. Notably absent was StarkWare; it remains to be seen what they will release.
Towards better development tooling and interoperability
Looking at the ecosystem today, it’s encouraging to see the direction it is going in and the momentum it has been picking up. The cryptography behind zero knowledge proofs is extensive and getting into it is quite an endeavour. A big focus of mine at the conference was improving the developer tooling and the interoperability of the different tools. Producing performant circuits is not trivial, and having access to optimized gadgets for doing calculations inside a zkSNARK becomes very important. ZoKrates’ most optimized SHA256 hash function at the moment is ~250'000 constraints, while libsnark’s version is 27'000. While it would obviously be possible to add the kind of low level optimizations libsnark has to ZoKrates, it would be far better to allow easy embedding of these so-called gadgets regardless of the library they were originally written in. I’m looking forward to seeing what we can all come up with together to drive greater adoption of zero knowledge proofs.
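To make the constraint counts above concrete, here is an added example (not ZoKrates or libsnark code) that hand-flattens the small circuit x³ + x + 5 = out from Vitalik’s series into rank-1 constraints and checks a witness against them; the field modulus and variable layout are assumptions for the toy, and a SHA256 gadget is built the same way, just with tens or hundreds of thousands of such rows.

```python
# Toy R1CS: each constraint (A, B, C) demands <A,s> * <B,s> == <C,s> over the field.
FIELD = 2**31 - 1   # toy prime modulus, NOT the field Zcash or ZoKrates use

# Witness layout s = [one, x, out, sym_1, y, sym_2]; names are constructed for this example.
IDX = {"one": 0, "x": 1, "out": 2, "sym_1": 3, "y": 4, "sym_2": 5}

def row(**coeffs):
    """Build one sparse linear-combination row from name=coefficient pairs."""
    r = [0] * len(IDX)
    for name, c in coeffs.items():
        r[IDX[name]] = c % FIELD
    return r

CONSTRAINTS = [
    (row(x=1), row(x=1), row(sym_1=1)),              # sym_1 = x * x
    (row(sym_1=1), row(x=1), row(y=1)),              # y = sym_1 * x
    (row(x=1, y=1), row(one=1), row(sym_2=1)),       # sym_2 = y + x   (linear, times 1)
    (row(sym_2=1, one=5), row(one=1), row(out=1)),   # out = sym_2 + 5 (linear, times 1)
]

def dot(a, s):
    return sum(ai * si for ai, si in zip(a, s)) % FIELD

def witness(x, out):
    """Prover side: fill every intermediate wire for input x and claimed output out."""
    x %= FIELD
    sym_1 = x * x % FIELD
    y = sym_1 * x % FIELD
    sym_2 = (y + x) % FIELD
    return [1, x, out % FIELD, sym_1, y, sym_2]

def satisfied(s):
    """Verifier side: the witness must satisfy every constraint row."""
    return all(dot(a, s) * dot(b, s) % FIELD == dot(c, s) for a, b, c in CONSTRAINTS)

def constraint_count():
    """The metric the SHA256 numbers above are measured in."""
    return len(CONSTRAINTS)

if __name__ == "__main__":
    print(constraint_count(), "constraints")
    print("x=3, out=35:", satisfied(witness(3, 35)))
    print("x=4, out=35:", satisfied(witness(4, 35)))
```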
Barry is probably the first developer to release a Dapp on Ethereum that makes use of zkSNARKs, creating a trustless ETH mixer. Source code is on GitHub:
All in all, the conference was probably one of the more interesting events this year. Can’t wait for Zcon1!
Thanks for reading this far. Are you working on privacy-enabling technology such as zkSNARKs? Hit me up, I’d love to hear about what you’re working on.