January 20, 2023
Arjun Padmajan

Building Zero Knowledge: Blockchain Workshop

Building Zero Knowledge: Blockchain Workshop

Aleo and Leo Wallet co-hosted a developer workshop in San Francisco.
This blog contains the transcripts from that workshop:


Hey, thanks everyone for joining us tonight. Let's get started. So the goal of the next like 25 ish minutes is I want to give a high level overview of what Zero knowledge proofs are, what you can build with them today. And the next talk after me is actually going to like, show you some code examples, really get into the weeds. So this is meant to be, uh, a high level overview and let's jump into it.  


So the first thing that I want to like correct as a misconception is that the way that blockchains work right now, like Ethereum and Bitcoin are probably the most dystopian thing you can imagine. If you send someone a dollar, they know all of your assets, they know all of your trade history. And it's really crazy to imagine that like the future financial system is gonna work this way. Um, there's this idea of pseudo anonymity, right? You have something that's like a private ish address, but once that's connected to your real identity, it's there permanently forever for everyone to kind of like look into the details of everything you've done.


So let's give an example of this. Um, you see this address right here? It, it looks kind of private, but this person decided to buy an N F T and post it as their Twitter profile picture. So does anyone know who this is?


It's Snoop Dogg.  

Right? So now we can like dive into his history.


We can see that he's transacted over 31 million. He currently has over 2 million. Like I can give you timing. I could build his social graph, and if I did this, I would be a billion dollar unicorn named Chain Analysis who sells this government, uh, this data to governments. They sell it to private industries. Um, it creates so many problems, right? Maybe, maybe Snoop Dogg's, like a really smart N F T investor. Well, now I can front run all of his trades, uh, forever. And there's nothing he can do if he moves money to another Wallet, right? I'm still following him.  

Question, what about mixers?  

Uh, so I'll, I'll talk about that in a second. But with mixers, like there are weaknesses. So it's, we'll, we'll dive into it in a second. Like tornado cash is a zero knowledge proof, right? So that's, that's one of the applications.


Um, so how do we actually get privacy on blockchains? Zero knowledge proofs are not the only way, right? You hear a lot about, uh, zero knowledge proofs, but there's also secure enclaves. So this is things like Intel, S G X, the way that, you know, your iPhone stores, your face ID is actually like in a secure chip. Now, the reason we can't use these systems, even though some people are, uh, for blockchains, is because they have the self defeat problem. They are vulnerable to someone attacking their own chip. So they don't work for trustless systems. The next approach we have is zero knowledge proofs and zero knowledge proofs you can think of as secured by math.  

So there could be problems in the implementation, there could be problems in the code that people write, but they have theoretical guarantees. And as long as our assumptions hold true, we can be confident that these are safe and they're private. And these are, this is like the bleeding edge of what's currently being implemented right now. And the last kind of step is fully homomorphic encryption. This is the future. So this is like the most advanced version of cryptography where you can have entire programs, everything encrypted, multiple parties interacting. And the reason no one uses it right now is because it's about a factor of a thousand to a million times slower than zero knowledge groups. There are people working on making these more practical, but it's still very academic right now.  


So if we think about like what is a zero knowledge proof doing it, it's really basic. So the way that Ethereum works is you have a function, you have some inputs and you have some outputs. And the way that everyone makes sure that you did the right thing is they just all run the function with the same, the same inputs, and they make sure they got the same outputs and then they vote on it. And the future of zero knowledge proofs is you can now have encrypted inputs and encrypted outputs, and you also generate a proof that people can verify to ensure that these inputs and outputs were generated in a valid way. So they're encrypted, you don't reveal them to other people, they can be given to everyone, and it's as safe as any other encrypted data.  


So like, how does this actually work? Um, the answer is, uh, a lot of comp, complicated number theory, but I want to kind of like build up to that intuition. So the first thing that you do is you take a problem and you formulate it into a hard problem. And then because you are able to formulate it to a hard problem, you prove with a high probability that you know the answer to that hard problem. And the verifier then can check and say, okay, he knows with high probability an answer to that, high prob that hard problem.  


So we're gonna give like kind of a simple example of a zero knowledge proof. I don't know about you, but as a kid, uh, sometimes these were challenging to me. And where's Waldo? There's like this guy in a red hat, red white striped sweater hiding somewhere in this image. Uh, he's not under the text. I'm not that cruel. And you know, I would like struggle with these. They can have really big ones. And how can you be sure that there's actually waldo somewhere in this photo, right? Like, how, how could I prove to you that waldo's in this photo without telling you exactly where he was, I got him. Oh, don't tell anyone yet. I'll release the slides later. But you, this is actually how zero knowledge works, right? So if the picture's too small, it's too easy. So like what the math is doing is making this picture like trillions of times bigger.  


So what I could do to prove that he's somewhere in this picture is I could get an even bigger sheet of paper. I could cut a Waldo size hole in it. I could line up that image some, you know, secretly behind it to just expose where Waldo was because you didn't know the alignment of how that picture was set up with the hole.


You can be sure that he's somewhere in here, right? He's somewhere there, but you still don't know where he is. And this is, this is what zero knowledge proofs are doing. And that prob, you know, unless you already found it, it probably didn't help you that much.  


So in terms of like, how does this turn into actual programming languages and real math, right? Like, how do we, how do we actually do that? The, the simple answer is that there isn't one. Um, this is an active area of research. There are many different schemes that have many different cryptographic primitives, and there isn't really a unified consensus on the best way to do this yet. Uh, generally speaking, what you're doing is creating an arithmetic circuit. So you can think of like every circuit element as like multiplying or adding numbers, and you're proving that you kind of know a solution to that circuit.  


And to just give you an idea of some of the complexity, uh, this only goes up to 2019. It's like exploded, you know, and most, most proofs are kind of variance at this point. But I want to take a second and just kind of like point out what's important, right? How do we judge one proof system as being better than another? And some of the most important parts are like the proof or runtime. How long does it take to generate a proof? Are you able to generate a proof on a phone or do you need a supercomputer? Uh, how long does it take to verify, right? So the one is constant time. Uh, if you're familiar with like asymptotics, that's what these are. Um, basically lower is always better, right? And if you can verify things in constant time, that's a huge advantage. Uh, the proof size is another really important thing, right?  

If you're storing it on a blockchain, then the size of the proof needs to be constant because blockchains are not great at handling like dynamically sized data. Uh, another factor is the trusted setup. Uh, there's an idea where you can make something a lot more efficient by having things like a ceremony. I'm not sure if you guys are familiar with like the K Z G ceremony happening in Ethereum right now. Um, you can go and contribute to it if you want. You might get an N F T later, I don't know. Uh, and like, is it updateable? Can you update that ceremony later? Aleo uses the marlin system. It's actually a, a variant, but you can notice that it has really nice properties. The biggest is that the proof size is constant. So this means no matter how complicated your program, no matter how difficult of a zero knowledge proof you're implementing, um, you're always gonna have a constant time proof.  


So let's talk about, uh, some of the zero knowledge proofs that exist today. Uh, probably the most famous are Zcash and tornado cash Zcash is like Bitcoin, but private. So unlike Bitcoin, um, where everything is pseudo anonymous, right? If you look at, uh, section 10 of the Bitcoin paper, it's labeled privacy. And it says, well, we think like pseudo anonymous is pretty good, but whatever. Um, this, it wasn't actually possible to implement a private Bitcoin until 2015 when Zcash was invented. Um, tornado cash was another popular application of a zero knowledge proof. And also a great example of why we need to build private L one s, uh, the tornado cash developers in jail. Uh, Zcash, you can buy on Kraken. And for CloudFlare, you know, these have applications outside of cryptocurrencies. I don't want you to think that this technology is only useful for crypto.  

Um, it's useful for any setting where you need to prove something, maybe like an identity. Uh, and you don't want to give, you know, details about it. And like a really simple example of a zero knowledge proof most of you are familiar with is like a key signature sign in. So right now, when you sign into a website, you give them your password. Um, that's kind of concerning, right? Riot. What if you use the same password multiple places they have your email. So what if instead you prove that you knew a password, right? And that's all a key signature is. So a key signature is just saying, Hey, sign this unique message and you can prove that you know the password without revealing it, right? So that's like a super simple example of a zero knowledge proof.


There are a lot of limitations though, right? So I don't wanna like over-promise. You know, proof generation is hard. It's hard to do operations over encrypted data. It can be pretty expensive, but the rate of acceleration is crazy. And we think that these are like actually practical systems now where you can do things like create light clients that you can run on your phone. This wasn't possible like two years ago.  

I really gotta click through for each of these transitions <laugh>. All right? So I'm just gonna kind of group these up. So, uh, a big thing is like privacy leaks. Just because you use a zero knowledge proof doesn't guarantee privacy. So a really common example is tornado cash. Um, to describe what tornado cash is, is you could basically deposit Ethereum into a smart contract, use a zero knowledge proof to withdraw it to another address, and no one would know that those addresses were, you know, linked unless you did it too quickly, right? If you deposited quickly and you withdrew really quickly, or if you deposited, uh, a certain number of coins. So they had to do fixed amounts of like different pools. And if you did the same, you know, if you did like 67 deposits and then 67 withdraws, they know it's probably you and over 50% of tornado cash, like probably higher, but at least 50% of tornado cash, uh, transactions have been statistically defeated.  

So it's kind of like another reason to create an L1 where you have privacy to by default. And another big, really big like problem that people don't understand is zero knowledge is zero Knowledge proofs do not solve every problem, right? You can't do every sort of program. And the most simple examples are like swaps and escrows, right? Buying an NFT is like a swap. Simple escrows aren't possible. So we're gonna talk later about how do we get around some of these issues, right? How do we build systems that are private but require public state to do anything interesting?  


And, and this is kind of like what was the inspiration for for Aleo? So, you know, this is a really simple graphic. It's just you can do, you know, z z cash's private Bitcoin Aleo is private Ethereum, right? You have the programmability of Ethereum, but you have the ability to maintain privacy, which we think is like, you know, you, you really want to ask yourself like very deeply if you're introducing like another blockchain, like why it's like, are there, are there enough Blockchains probably right? Why, why would you want to create another is like the TTS hire, like in, in all honesty, like this sort of privacy technology, it's going to have wide ranging applications outside, it's like fundamental advancements in math that are being applied to computers and it, it advances, you know, technology far outside of the scope. And we're lucky enough that cryptocurrency has been a way to advance this research much faster than, you know, we would advance it without.  


So kind of like to just summarize what Aleo is, it's a, it's a proof of stake blockchain and it validates zero knowledge proofs. So instead of like submitting all the details of your transactions, you submit a zero knowledge proof. And it also has a high level programming language, uh, perk from the Aleo engineering team is gonna take you guys through some code, give you some examples, show you how to build your own programs today, and it leverages state plus EKS so that you can do basically everything Ethereum does, um, but maintain privacy.


So another, you know, like this, this first point of preserving the anonymity set, I think a really reasonable question is why don't you just launch Aleo as like an L two on Ethereum, right? Why, why isn't it just like another layer on top? Like be an ETH maxi? And really privacy comes down to this question of like the anonymity set, which is the number of people you could be confused with.  

If I'm the only one using Aleo, if you see an Aleo transaction, it was me, right? So when you interact and you integrate with a public chain and you can see all the flows in and all the flows out, it really decreases the size of the anonymity set. So you, you only have one choice, which is to do things slower, right? So that you can kind of be grouped in with other people. And this was the downfall of tornado cash and why it was so easy to break. Um, having first class support for Z KPS is really important too. Having a high level programming language. Cuz honestly, if I have to explain this to every single developer who uses Aleo, Aleo is not gonna get anywhere, right? It has to be simple. There has to be technology that you just trust that it works, right?  

And a big thing to understand, like you've maybe heard the word zk, E V M, um, you know, things like different L two s building it for, you know, scalability as opposed to privacy. And that that can be kind of confusing. Zero knowledge proofs have two properties. They allow you to be private and they allow you to be succinct, right? So most of the projects you hear about using Z kps are actually using the succinct property. You're submitting your transactions publicly, but you're submitting them to a centralized proof generator who then orders them and then puts them on a, a pub public blockchain, right? So if you hear about like a zk E V M, it's almost guaranteed to not be private. Uh, the one counter example is like Aztec, which is another really cool project that you should check out if you're interested.  


So given that like we have zk PS and we have public state, how do you actually do things privately and how do we make this user experience as seamless and as possible? Uh, you know, so I'm building like the Leo Wallet,, which is the thing that we're hoping like normal consumers interact with, and we don't want to expose them to any of this complexity. We want this to be simple. We want this to be easy, but we also want it to be privacy. And we're trying to build like the first real private programmable Wallet. So the way that you do this is use an hd Wallet HD stands for hierarchical derivation, which means that you have a single seed phrase and you can get as many Wallet addresses as you want. You do public, uh, transactions with single use addresses, and then you fund them with where you're holding your main assets.  


So let me show you for example, how you can buy an N F T privately and how Snoop Dogg should have of, you know, protected his identity from me. Um, the first thing that you do is use like your main Wallet address that's holding all of your funds. And you fund, you can do transfers privately. So whatever token is necessary to buy the asset, you can fund it privately. That second address can do the public thing and then it transfers it back. And then for that address B, you just never use it again. And because, you know, we're working with programmable money in our Wallet, all of this will be automated. It will be a check box that says, Hey, do this privately and it's gonna cost you 10 cents more.  


And I think this kind of like gets at the heart of why we're building another Wallet just like, like building another blockchain, right? We have to ask ourselves like, why should we build another Wallet there? There are so many out there, right? Like, are we really differentiated? What, why are we doing this? And I think it's really important to build a privacy preserving Wallet because there's so much new complexity added with zero knowledge proofs. It, it truly is a, like, revolutionary technology. It's not just crypto. And to, to hide that complexity to make it user friendly is, uh, an entirely new problem. And that's really what inspired us to build the Leo Wallet,.  


So you can see like a little example, um, we're in a private alpha right now, but you can register and we'll give you access.


And so yeah. Um, and then we have another QR code, uh, here where if you wanna start programming, if you wanna start building with zero knowledge proofs, you can do that right now. And Prav, uh, from the Aleo team is gonna show you guys how. So that is it for me. Um, I do have some time for questions, so if you have any questions? Yeah, let's, let's, let's do it.

The recording of the event can be found here: