Last week I went to Real World Crypto (RWC aka my personal favorite IACR conference) and the High Assurance Crypto Symposium (HACS).

RWC - Real World Crypto

RWC is a unique opportunity that brings theorists and implementors together. It ends up featuring a diverse set of talks that span from post-quantum signature schemes to zero-knowledge proofs in cryptocurrency. All of the talks are posted to the YouTube channel.

There were a lot of excellent talks, so I’ll try to write about a selection of my favorites. Surprisingly, I’ll start with one about ZCash.

Zero-Knowledge Proofs

ZK proofs are a way for one party to prove that they know something without having to disclose it. For example, Alice wants to buy a sudoku solution from Bob, but doesn’t want to pay until she knows that his solution works. Bob doesn’t want to give Alice the solution until she pays. Instead of gridlocking, Bob wants to prove to Alice that his solution will work. Then she’ll pay him and she’ll solve her puzzle.

The problem with most cryptocurrencies is that everything about the blockchain is public: you're exposing every transaction you make.

Schnorr identification

One practical application of this is Schnorr identification/signatures. Alice wants to prove that she knows the secret key a, but she doesn’t want to leak her secret key in the process. You can see a full description here. It relies on an interactive protocol. By using hash functions, you can make this non-interactive.
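As an added worked example (this code is not from the post or from any RWC talk), here is the Schnorr identification protocol in Python: the three-message interactive version, the hash-based non-interactive version (the Fiat-Shamir transform), and the extractor that makes it a proof of knowledge. The group parameters p = 23, q = 11, g = 4 are toy values chosen so the numbers stay readable; real deployments use a ~256-bit q or an elliptic-curve group.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration: q = 11 divides p - 1 = 22 and g = 4
# generates the order-11 subgroup of Z_23^*. Real deployments use a ~256-bit q or an
# elliptic-curve group; the protocol logic below is identical either way.
P, Q, G = 23, 11, 4

def keygen():
    """Alice's secret key a and public key A = g^a mod p."""
    a = secrets.randbelow(Q - 1) + 1          # a in [1, q-1]
    return a, pow(G, a, P)

# Interactive version: commit, challenge, response.
def prover_commit():
    """Alice picks a fresh ephemeral r and sends R = g^r (never reuse r; see extract_secret)."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def prover_respond(a, r, c):
    """Alice answers the verifier's challenge c with s = r + c*a mod q; a itself is never sent."""
    return (r + c * a) % Q

def verify(A, R, c, s):
    """Verifier checks g^s == R * A^c mod p, which holds iff s was built from the same r and a."""
    return pow(G, s, P) == (R * pow(A, c, P)) % P

# Non-interactive version (Fiat-Shamir): the challenge is a hash of the transcript so far,
# so the prover cannot choose R after seeing c and no verifier round trip is needed.
def fiat_shamir_challenge(R, A):
    digest = hashlib.sha256(f"{P}|{Q}|{G}|{A}|{R}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove_noninteractive(a, A):
    r, R = prover_commit()
    return R, prover_respond(a, r, fiat_shamir_challenge(R, A))

def verify_noninteractive(A, R, s):
    return verify(A, R, fiat_shamir_challenge(R, A), s)

def extract_secret(c1, s1, c2, s2):
    """Special soundness: two accepting transcripts that share R but have different challenges
    yield a = (s1 - s2) / (c1 - c2) mod q. This extractor is what makes Schnorr a proof of
    *knowledge*, and it is also why a prover that reuses r hands over its secret key."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q
```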

ZCash

ZCash is a privacy-preserving cryptocurrency. It uses zkSNARKs to non-interactively prove that a valid transaction has occurred without revealing any knowledge about addresses or values. In order to do this, it requires secure parameters.

Yes. There's a ceremony. And it was apparently crazy. It was a six-person multi-party computation (MPC), and they drove around rural Canada while doing the computations to make sure no one was following them. It's the perfect combination of ridiculous (you have to pick people beforehand, plus the aforementioned ceremony) and cool (it's secure even if 5/6 parties are dishonest). However, it's not scalable or sustainable. So, they've come up with a new MPC, Powers of Tau.

OK, now we've done our ceremony to the ZK gods, and we're off to prove some things! One important thing to note: ZK requires that we can't tell the difference between honestly generated parameters and backdoored ones. That said, let's consider ZK contingent payments (aka Alice, Bob and the great sudoku solution). The buyer has to generate the parameters, which protects them from a dishonest seller. However, the seller is vulnerable to a malicious buyer.

Subversion-resistance

This scenario is called subversion, and it's a problem. If the trusted setup is subverted, then an adversary can create false proofs, which means they can mint money! Luckily, it doesn't break anonymity, but it will break everything else when someone makes a bunch of fake ZCash.

Luckily, subversion-resistant ZK SNARKs are here to rescue us! Maybe I'll write about them after I write about all of the other cool things at RWC.