 So, hi all. I am Remco from a crazy project called Worldcoin. You might have seen some of these funky sci-fi looking devices around. They are very conveniently round. I'm going to talk a bit about where we apply ZKP in our stack, because it turns out there's actually a ton of really cool applications for what we're trying to do. Now, a little bit of what we're actually trying to do, we're trying to create bootstrap universal basic income through crypto. And one of the things you need to do as soon as you start handing out free stuff, which UBI basically is, is make sure that people cannot fraudulently claim it. Basically, civil protection. So we have to solve the civil protection problem. There's a couple of approaches you can do. KYC is one of them, but not very privacy preserving. And we are all CKP people, so we like privacy. Turns out that the only feasible strategy up to, let's say, a billion people is to use iris-based biometrics. And you need really good hardware to do that, better than what you can currently find on the market. So that is what this device is. Now, the way it works is you take your wallet, you download the app on your phone. It generates a public private key pair in a system called Semaphore that I'll go to soon. You show the public key as a QR code to the device. The device interacts with you. Make sure you're a live human being. Take your iris. And that's the iris through a neural network, all on this hardware. In a 128 dimensional factor and then signs the public key, this short factor as a message goes to our server. We make sure that it's sufficiently distant from everyone who signed up before. Add the factor to the database and then just send the public key to the Semaphore smart contract where it gets added to the on-chain Merkle tree. Now, that's the signup part. After this, it's just you, your wallet, and the blockchain were no longer really involved. It's from there on, it's fully trustless and decentralized. And the way you use this system is your wallet creates Grot 16 zero-knowledge proofs that prove that you know the private key to one of the public keys in the Merkle tree. You don't actually reveal which public key that is. You're completely anonymous in that sense. You generate a unique nullifier, which is kind of like a pseudo random number for the specific context that you're using to make sure that you haven't done the particular thing before. And then you can attach a message to the thing. So you can sign some message with this concept. So where can you use this, for example? Now, we use this to airdrop tokens to our users. They can claim a token by generating proof that they haven't, that they're a unique human being and haven't claimed this token before. Another really cool use case is for DAOs, where you can vote on proposals and you can build mechanisms like one person one vote or quadratic voting and have the proper simple protections actually make this work. Now, the way the anonymity actually pans out is so strong that even if you vote on multiple proposals, you wouldn't even be able to trace that behavior back to the same human being. So privacy is extremely well preserved in this system. So this is where we are now, but there's a couple of things we would like to do better. One thing we need to do is right now the public key gets added to the Merkle tree on chain, which costs about a million gas, which is completely not feasible on a theory main net where we want to launch this thing. So the first thing we did is build God 16 proves that aggregate multiple insertions and create a batch insertion operation and basically turn the insert part of the whole stack into a CK roll up thing. So there's like a back end server, a sequencer that creates these batches and sends them. Now, the second part where we could do this is in the claim part, which is currently individual proofs 300 K gas, probably good enough for now, but we can also help out there by allowing people to deploy the apps that want to use it to deploy their own sequencers, have proof aggregation going on and get that cost of usage down as well, which for voting you want because you want fees to participate in downs to be as low as possible. There things already get more complicated because now we need to have a recursive proof system. The users produce these proofs on their wallet and then we want to batch them together in God 16. This is currently very hard. So one of the things we're working on right now is migrating the semaphore proof system over to plonky two and then have recursive plonky two proves and then have a final God 16 fair fire of the plonky two proof that turns it into a God 16 proof that can be very easily verified on chain. So now you have a proof system where you have very fast proofs which plonky two which plonky two allows. You can recurse those proofs and then in the end you can turn it into a God 16 proof and you get all the benefits of the cheap verification and the white support that God 16 has really excited about that thing. What else is going on? So another thing. Another thing that's going on is we want to sign up a billion people and right now Ethereum L2's simply don't have the capacity to handle that. We're also going to sign up people with relatively low balances. We want this to be very inclusive so assume the average user has a $10 balance and wants to use that on L2. Right now on Ethereum that is like five cents per transaction which is kind of okay is but it's because of the bear market. A year ago it was $2 per transaction so that's not good enough. So how can we fix this? Well there is a plan on the roadmap already. It is called Danksharding and Proto Danksharding. So we're very actively involved in the client development around 4824. The EIP that implements this. We've been helping out implementing the trusted setup ceremony that Carl presented during the opening ceremony and we're going to be helping out the clients implementing the crypto there just to get Danksharding in just so that we can launch on an EVM compatible L2 and still have something our users can use. Another area where cryptography comes into the equation is right now the neural network basically runs on trusted hardware. But like you've heard in the past two talks we can actually do better than that. ZKML is feasible. A year ago I was experimenting with running a machine learning small little network in a Plunky 2 Proof and I got I managed to do 10 million parameters on my laptop in less than a minute. So technology seems like and that was without any significant optimization. So presumably we can get much further than this and this is good enough to do the biometric stuff on your wallet. Now what is the advantage there and how do we get there in the first place? Like right now if we update the neural network, which will happen a couple of times, we would need to ask all our users to go back to the hardware so that they can trustlessly create the updated vectors. If instead we turn the orb into an authenticating camera like Jason mentioned, the orb will just sign your raw data, send it to your wallet, you can keep it on your wallet, self custody, you're in control and then whenever we have a new version of the neural network we can just boost the parameters to your phone and you can just recompute the thing locally and then send us a zero knowledge proof that, hey, I have this raw biometric data, it's authentic, it's signed by an orb, and here is the updated embedding and we can update it in the system. Another cool area is looking at NPCs to get rid of the central database and make it a little bit more decentralized. We're not actively doing that actually at the moment. What we are actively looking at is using mixed nets or private information retrieval to make sure that when you query one of our servers, for example, to help you generate the merkle proof instead of downloading all the raw data from the chain, make sure that we don't learn your IP address in the process. Yes, one more application of the ZKML stuff longer term. So right now what I've described here is a way to do a scalable privacy preserving proof of personhood that we can deploy on a tier main net, scales to a billion people and then can be used on all the chains that we can copy state to, which is basically any smart contract enabled blockchain out there. But proof of personhood is only the beginning. You would kind of soon as want to do a little bit more like that. You would, for example, want to make sure that someone is in a country that your the app is legally allowed to support. I don't know. There will be applications that require such things. How could we integrate that? So one of the things we were thinking all of this. We could have the orb also take an authenticated image of your face. Just like with the Iris image, send that authenticated image to your phone. You can scan your passports. All modern passports have signed data on it, which includes like this stuff that is basically on the front of the passport, your photo, your date of birth, your nationality and so on. And what you can then do is use a zero knowledge machine learning to verify that the two faces are the same. The one that we know is you because of the orb and the one that is on the passport, verify that those two are the same, verify that the passport is signed by a key from some government or like is in the list of non-government root certificates basically. And then you can, you have a chain of trust established and now you can fulfill arbitrary queries. Like is the name in the overall list? Is the nationality in the approval set? You name it. And I think that covers what we've been doing so far in terms of applied CKP at Worldcoin and what we're planning to do in the next couple of months, years probably. And I'm opening for any questions. Thank you and we have time for a couple if there any questions. What stops me from stealing your eyes? Yeah, this is a very common misconception about biometrics. People think of them as sort of a private key. Like if I somehow get access to your fingerprints I can steal your accounts. Doesn't work like that. Your fingerprints are not secret. You leave them on every single glass on every restaurant you've ever been to. The thing that uniquely identifies you is that you have that fingerprint on a real life finger. So it's very important that you check what is known as the lifeness check. That you make sure that the data you're reading actually comes from a real life human being and not from a print out or whatever. Fingerprints are actually not that good. They're only unique up to a million people. We really need irises for that. Iris have a couple more advantages. You don't leave them at restaurants. It's actually really hard to get someone's iris accurately. So it's quite consensual the process. Like you need to actively participate in order to get a good capture of this information. Go and thank you for the talk. Can you explain one more time the example of a digital camera attesting to the data prior to being sent and how that gets around the issue of your face changing? Your face changing? Or having to take a picture having to redo it. So we so there's two parts where we do this authenticated data game. The first is just to make the user experience of updating the model better. Like instead of having to go to the trusted hardware again we can now trust you to do it yourself correctly because of the zero knowledge machine learning. The second example I gave is that well what if we have a proof that this face belongs to this public key and then we can create a chain of proofs that oh we know that this public key becomes this this face because the orbs signed to that fact then this face belongs to this passport because we have a zero knowledge proof that those spaces are the same and then we can do all sorts of further claims based on the fact that we now know that this public that this public key belongs to this name and all of that happens self-custody on your wallet so none of this information ever leaves your domain. Thank you so much we're gonna well we're gonna cut for a quick break so I guess we might as well take one more quick question. Going back to the question about stealing people's eyeballs what's stopping someone like let's say an african warlord taking an orb and scanning entire villages eyeballs and then taking their accounts. I mean ultimately on the social level this this problem applies to any any kind of system like if you have a super oppressive regime people can make you do anything. What we do about it is we're just simply not going to those places. Yeah we we we our goal is to be as widely distributed as possible and be everywhere on earth. We're not specifically targeting in such areas we're just as active in europe and america and you name it. Yes it does a lot of lifeness checks. This is actually another interesting discussion that we keep having is the hardware is going to be open source the firmware is going to be open source all of this is open source except for two parts that we're considering keeping private which is like the exact nature of the liveness check because we're confident that they are very very hard to circumvent but still everyone is just better off if if we use security to obscurity here and the same thing goes for the hardware tampering like there's a bunch of booby traps in there that prevent you from taking out the signing key and also there we made the decision that security to obscurity here is better. It's one of the unfortunate things you need to deal with once you do try to connect cryptography to the real world you need to deal with the fact that the laws of physics don't have a nice Diffie Hellman handshake in them.