1. A very brief description of how Zcash private transactions work Ariel Gabizon,

2. Zcash adds privacy to Bitcoin’s decentralization
Shielded (private) transactions reveal no information about sender, receiver, amount
..yet miners can still distinguish between valid and non-valid transactions!

3. Recall Bitcoin’s set of unspent transaction outputs.
(PK1,2.3BTC), (PK2, 0.4BTC),..
To spend money Alice signs a message with the secret key corresponding to a public address in an output:
“Move my BTC from PK1 to PK4” (signed by sk1)

4. For simplicity, assume each output/note is exactly 1 BTC.
Each node stores:
Note1=(PK1)
Note2=(PK2)
Note3=(PK3)

5. Now think of each note as containing a randomly picked ``serial number’’ ri.
Note1=(PK1,r1)
Note2=(PK2,r2)
Note3=(PK3,r3)

6. For privacy..the node database will only contain hashes of the notes
H1=HASH(PK1,r1)
H2=HASH(PK2,r2)
H3=HASH(PK3,r3)

7. For privacy, the node will continue to store Hi even after Notei has been spent.
The node also stores a nullifier set that contains the hashes of all serial numbers of notes previously spent
Nullifier set after Note2 has been spent:
H1=HASH(PK1,r1)
H2=HASH(PK2,r2)
H3=HASH(PK3,r3)
nf1=HASH(r2)

8. To spend a note, Alice sends a zk-SNARK proving she knows the secret key of a note s.t.
-It’s Hash is in the table
-The hash of its serial number is not in the nullifier set
Nullifier set after Note2 has been spent:
H1=HASH(PK1,r1)
H2=HASH(PK2,r2)
H3=HASH(PK3,r3)
nf1=HASH(r2)

9. zk-SNARKs(zero-knowledge Succinct Non-interactive Arguments of Knowledge)
Short proofs that let you to prove possession of information, e.g. a secret key, without revealing that information.
In 2013 “Quadratic Span Programs and Succint NIZKs without PCPs “ by Gennaro, Gentry, Parno and Raykova paved the way for efficient SNARK constructions

10. Main ingredient: Homomorphic Hidings(HH)
Mapping E such that
- Given E(x) hard to find x
- x≠y­ → E(x)­≠E(y)
- from E(x),E(y) can compute E(x+y),E(x*y)

11. (over)Simple zk-SNARK example using HH
Alice wants to prove to Bob she knows a,b s.t. a+b=7
1. She sends E(a),E(b) to Bob.
2. Bob computes E(7) and E(a+b) using E(a), E(b).
3. Bob checks that E(7)=E(a+b).

12. how to construct HH?
If only need E(x+y) use x→gx
in group with hard DL problem.
If want both E(x+y) and E(x*y)..need pairings in elliptic curve groups.

13. Thanks!

14. more detailed SNARK example, leading to QAPs
1.want to prove know a,b with a+b=7 mod p
g – generator of group of order p where DL is hard.
Prover: send A=ga, B= gb
Verifier: Check that
A*B=ga+b = g7
2. Prove we know a,b,c with (a+b)*c = 7 mod p
Need: Bi-linear pairings:
Map e:G⨯G → GT such that e(ga,gb)=gTa*b
(Exists for some elliptic curve groups)

15. 1.want to prove know a,b with a+b=7 mod p
heck that
A*B=ga+b = g7
2. Prove we know a,b,c with (a+b)*c = 7 mod p
Need: Bi-linear pairings:
Map e:G⨯G → GT such that e(ga,gb)=gTa*b
(Exists for some elliptic curve groups)

16. more detailed SNARK example, leading to QAPs
Prover: Send A=ga, B=gb, C=gc
Verifier: Check that
e(A*B,C) = (gT)7
e(A*B,C) = e(ga+b,gc) = gT(a+b)c
3. Prove you know a,b,c,d with (a+b)*bc = 7 mod p

17. Label multiplication gates:+ x a b c
(a+b)*b*c g2 g1

18. x + a b c w5 g2 w4 g1 w1 w2 w3 Label wires in certain way:
What we want to prove is that we have legal assignment to wires with w5=7.

19. x + a b c Define degree 2 polys A1,..,A5w1 w2 w3 w4 w5
Define degree 2 polys A1,..,A5
Ai(j)=1 if wi is left input of gj , 0 otherwise
i.e. A1(2)=A2(1)=1, otherwise Ai(j)=0
Bi’s , Ci’s defined sim. for right input and output wires

20. Define A(X):= sumi=1..5wiAi(X)
B(X):= sumi=1..5wiBi(X)
C(X):= sumi=1..5wiBi(X)
For example A(1) = w2, B(1)=w3, C(1)=w4
We have that w1,…,w5 is legal assignment iff
P(X):=A*B-C is divisible by t(X):=(X-1)*(X-2).
If so, there exists h(X) such that
P(X)≡t(X)*h(X)

21. Idea: Verifier will check equality on random s not known to the prover:
Verifier: choose rand s, send gs,gs^2,,...,gs^d
Prover: compute and send A=gA(s),B=gB(s),C=gC(s),H=gh(s)
Verifier: Check that e(A*B,1/C) = e(H,gt(s))

22. Idea: Verifier will check equality on random s not known to the prover:
Verifier: choose rand s, send gs,gs^2,,...,gs^d
Prover: compute and send A=gA(s),B=gB(s),C=gC(s),H=gh(s)
Verifier: Check that e(A*B,1/C) = e(H,gt(s))
e(A*B,1/C) = gA(s)*B(s)-C(s)=gP(s)
e(H,gt(s)) = gh(s)*t(s)=gP(s)

23. Zero-Knowledge (ZK) proofs are to encryption/hashing as a dimmer to a light switch.
Decide what and how much you want to reveal about the plaintext/hash preimage.

24. Example: Alice can use a ZK-proof to prove she knows a SHA-2 preimage of z with msb 1 (and not reveal anything else about preimage).
z z
Reveal preimage
ZK proof
100
1XX

25. Non-interactive-just one message from Prover (requires setup phase)
zk-SNARKs-ZK proofs with all the dream features
Succinct: verification time very quick, proof length very short -a few 100 bytes.
Non-interactive-just one message from Prover (requires setup phase)
Argument of Knowledge
In 2013 “Quadratic Span Programs and Succint NIZKs without PCPs “ by Gennaro, Gentry, Parno and Raykova paved the way for efficient SNARK constructions

26. A few minutes about how zk-SNARKs work.
Ingredient one: Convert what you want to prove to knowing a solution to some algebraic equations
I know SHA-2 preimage of z with msb 1
I know x,y such that x3+y5=2

27. Ingredient two: Homomorphic encryption
Given encryptions of x,y can obtain the encryption of any arithmetic expression in x,y.
E(x3+y5)
E(x),E(y)

28. Proving possession of x,y satisfying x3+y5=2: (without revealing x,y)
Prover: Send E(x),E(y)
Verifier: Compute E(x3+y5), and E(2), check that they are equal.