I wrote the first papers on using zero-knowledge proofs, and then ZK-SNARKs, for blockchains. This was the work on Zerocoin and Zerocash. This turned into Zcash, and it also happens to be the protocol that underpins basically every second-generation privacy coin that's coming online now. In other words, I've spent about the last 10 years working on zero-knowledge proofs for privacy in blockchains. And today I'm going to give you a talk entitled "Privacy is Dead, Scalability is Boring, What Are ZK Proofs Good For?" So obviously "privacy is dead" is clickbait. Apologies if I got you in here for the wrong reasons. Privacy is really important. I spent the last 10 years of my life working on this stuff, but we haven't seen a large amount of demand for private consumer payments, right? Monero launched, Zcash launched, other things launched. They exist, they're great, they aren't really moving the needle. And so I've found myself wondering, as I work as a professor, what's the next thing we do? You know, what happens if demand for this kind of stuff is 10 years plus out? One of my co-authors, Eran Tromer, sort of described it as follows. Selling privacy to people for blockchain payments is kind of like selling seatbelts for cars in the 1920s. Sure, we can all kind of figure out that in the future you're going to need it, but until you end up with the actual interstate highway system and people crashing cars at 60 miles an hour, it's kind of hard to sell people on the future. So what do we do? The second problem is in terms of research, right? For everybody who likes to get excited about new technical stuff and new cryptography, there isn't much here anymore. The techniques to do this are known. They're done. We worked them out, and this is now a thing to work out in industrial applications, right? The approach for how you build private payments is a zero-knowledge proof plus an accumulator, typically a ZK-SNARK plus a Merkle tree.
This was developed in Zerocash, in my PhD thesis. It ended up in Zcash. It's now in pretty much every single other thing that's coming online now: Aztec, Anoma, Penumbra, Railgun. They all have features on top of this. They're not clones, but that's the base thing for privacy for payments. And so, sure, you can build tweaks. You can change the accumulator. You can change the proof systems. You can claim it's something completely new. You can add extra features. That's quite valid. But this kind of feels to me like we're leaving behind the main things that make zero-knowledge proofs really cool. Because the thing that has fascinated me since I was 12 is the zero-knowledge bit, the hiding of things. If nobody cares about privacy, well, we should move to something else as an application. Obviously, privacy is not dead everywhere. It's definitely not dead everywhere in cryptocurrency. So if you're one of these second-gen privacy coins, don't kill me for killing your pitch deck; there are other things that are happening. Probably we need privacy for DeFi. It seems like traders do need that. You might be able to use ZK proofs to get out of MEV or front-running. The jury's still out on that. You could have an interesting argument with Phil Daian if you don't believe me. But nonetheless, the core protocols for doing zero-knowledge proofs are still the same as far as private payments go, even for these applications. So from a research perspective, there's nothing new here. So what do we do? Well, I hope this isn't too offensive to any of you, but blockchains are slow. So that's a whole problem. And, well, OK, zero-knowledge proofs are supposed to be everything a growing blockchain needs. There are a lot of people working on scalability for blockchains, doing ZK rollups, ZK VMs. This is a lot of research. It's a lot of funding. It's probably several billion dollars' worth of value from venture capital for this. And this is where all the excitement is right now.
But if you haven't seen this, well, how do these things work? In a rollup, you have a server that is taking transactions that users generate. Users submit those transactions to the server. The server takes them and compresses them down using a zero-knowledge proof. The zero-knowledge proof says, hey, all of these transactions are correct. And then the server generates this proof and sort of throws it over the wall to the blockchain. And so the server is, in effect, saving the blockchain work. This proof is succinct, at least somewhat. And so it's easier for the blockchain to check that than it is to check all the proofs. And so then it doesn't matter if your blockchain is slow and does 10 transactions per second, if each one of those transactions is a zero-knowledge proof saying that 10,000 payment transactions are correct. That's the theory. That's the pitch deck everyone's raising off of. Okay, this is great. There's really nothing wrong with this. A lot of brilliant work has been done on this. I don't mean to rag on people for it. This is just, as a cryptography professor, the thing that kind of bothers me: ZK VMs and ZK rollups aren't zero knowledge. They compress transactions on blockchains. You don't need to hide what's going on to do that. You just need things that are faster and smaller to verify. There's no notion that this has to hide what's going on. And in fact, they likely aren't gonna hide your data. And so this is gonna be surprising to some of you. Of course, ZK rollups usually reveal the Merkle hash of the data they're dealing with. That's kind of obvious. There's a zero-knowledge proof about it, but they're revealing the Merkle hash. And that hash actually reveals a bunch of data, in much the same way that, say, publishing the hash of your password is gonna reveal your password. People can brute-force these things.
And it wouldn't matter if, when you publish the hash of your password, you use a zero-knowledge proof that it meets whatever ridiculous password policy there is: three uppercase characters, a symbol, and hey, let's throw in my emojis for good effort. That's not gonna help with the privacy problem here. And so this is gonna become an issue. Maybe it's just in theory. Maybe it's hard to brute-force this stuff. On the other hand, Ethereum just moved to proof of stake. So there are a lot of angry miners with a bunch of hashing hardware who don't know what to do with it. So if this ends up being an MEV thing, you might have some problems. Either way, it's not zero knowledge. And so from my perspective, this is kind of boring from a ZK standpoint, because it just isn't using the thing that's cool and fascinating about zero-knowledge proofs. Sure, you need faster proofs. That's quite nice. This will get you all kinds of cool technology, and I'm glad it exists, but it's skipping the interesting bits. And so at the end of the day, ZK VMs are not a significant source of zero knowledge. They're sort of nutritionally deficient from this perspective. They don't give us what we want. And again, this is not to say this stuff isn't useful. It's driving serious innovation in zero-knowledge proofs. The things I worked on in 2012, and in 2017 when we wrote Zexe, which were implausibly slow at the time, are now practical in part because of the R&D that's been funded by the companies doing this. And so that's incredibly useful. It's a bunch of tooling that I, as a researcher, can use. And so I sort of think about this like the 1980s and 1990s, when people were building faster computer processors. These things were tools we could use to do anything we wanted. What was driving people to build them was faster spreadsheets for offices, kind of like what's driving people now is faster spreadsheets on a blockchain. So you can do this, that's great. There's nothing wrong with it.
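The password-hash analogy above can be made concrete. The following is an editor's added example, not part of the talk: it shows that a deterministic hash of a transaction (the kind of leaf hash a transparent rollup's Merkle tree exposes) can be recovered by enumerating plausible senders, recipients and amounts, and that folding 32 bytes of fresh randomness into the commitment, roughly what Zerocash-style note commitments do, defeats the same enumeration. The wallet names, merchant list, amounts and the target transaction are all constructed for illustration.

```python
"""Added example (not from the talk): a published transaction hash or Merkle
leaf is not hiding when the transaction comes from a small space, while a
randomised commitment to the same transaction is.

All addresses, amounts and transactions below are constructed for illustration.
"""
import hashlib
import itertools
import secrets
from typing import Optional, Sequence


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def encode_tx(sender: str, recipient: str, amount: int) -> bytes:
    # Fixed, unambiguous field encoding so the hash covers exactly these fields.
    return f"{sender}|{recipient}|{amount}".encode()


def plain_leaf(sender: str, recipient: str, amount: int) -> bytes:
    """Deterministic leaf H(tx): what a transparent rollup effectively publishes."""
    return sha256(encode_tx(sender, recipient, amount))


def hiding_leaf(sender: str, recipient: str, amount: int, r: bytes) -> bytes:
    """Hiding commitment H(r || tx) with 32 bytes of fresh randomness r."""
    if len(r) != 32:
        raise ValueError("r must be 32 random bytes")
    return sha256(r + encode_tx(sender, recipient, amount))


def merkle_root(leaves: Sequence[bytes]) -> bytes:
    """Binary Merkle root over the leaves (last node duplicated on odd levels).

    A membership proof for one leaf reveals sibling leaf hashes, so each leaf
    is an independent target for the enumeration below.
    """
    level = list(leaves)
    if not level:
        raise ValueError("empty tree")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def dictionary_attack(target: bytes, senders, recipients, amounts) -> Optional[tuple]:
    """Enumerate candidate transactions; return the one whose H(tx) equals target."""
    for s, rcp, amt in itertools.product(senders, recipients, amounts):
        if plain_leaf(s, rcp, amt) == target:
            return (s, rcp, amt)
    return None


# Constructed search space: four known wallets, 40 merchants, integer amounts
# 1..500.  That is 80,000 candidates, trivial for a CPU, let alone idle mining hardware.
SENDERS = ["alice", "bob", "carol", "dave"]
RECIPIENTS = [f"shop{i:02d}" for i in range(40)]
AMOUNTS = range(1, 501)


def demo():
    tx = ("alice", "shop17", 137)
    # 1. The deterministic leaf falls to enumeration.
    recovered = dictionary_attack(plain_leaf(*tx), SENDERS, RECIPIENTS, AMOUNTS)
    # 2. The hiding leaf does not: without r the attacker cannot test a candidate.
    r = secrets.token_bytes(32)
    not_recovered = dictionary_attack(hiding_leaf(*tx, r), SENDERS, RECIPIENTS, AMOUNTS)
    return recovered, not_recovered


if __name__ == "__main__":
    found, missed = demo()
    print("plain leaf recovered:", found)      # ('alice', 'shop17', 137)
    print("hiding leaf recovered:", missed)    # None
```

The attack needs nothing but the published hash and a guess at the transaction's shape; the zero-knowledge proof over the tree never enters into it. The randomness `r` has to be unpredictable and stored with the note, which is exactly the bookkeeping that makes private payments harder than transparent rollups.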
You can also nerd out on exactly what you're gonna do for the zero-knowledge proofs and just go, I don't care what anyone's building as an application. That's also fine. But some people should dream bigger, right? Just like we did with microprocessors: build the internet, build the metaverse, build something. I don't know what it is, but we should be thinking about it. And so we need to figure out what the combination of ZK proofs plus blockchains can do that isn't just faster spreadsheets on a blockchain. It's gonna be part of it, but it's not gonna be everything. So this brings me to the question, and this is where the sort of technical content of this talk stops. This is a sort of theory question. What is this stuff good for, right? What are we gonna do with a zero-knowledge proof? And if you went and took a cryptography class, probably even if you took my cryptography class, because I'm lazy about writing slides, you would get a definition like this, which said a zero-knowledge proof is a thing with correctness, soundness and zero knowledge. And this is a very sort of textbook academic thing. It's very dry. It does not relate what these things really do. So I think we kind of should start thinking about them in different terms. So, in deliberately non-standard terminology, what is a zero-knowledge proof doing? Well, in my mind, it's three things. The first one is confidentiality. It hides data. And so that's how we got Zcash, that's how we got Tornado Cash, that's how you get Aztec, you get everything else. We were trying to hide data to get private payments, because blockchains are Twitter for your bank account, and that sounds like a horrendous idea. Okay, that's thing one. Thing two, for SNARKs and STARKs specifically, is compression, right? They take a bunch of data and it's easier to verify than doing the linear pass that the actual verification would do without the proof. That's nice; that's how you get scalability, right?
This is what's driving people's quest to save money on gas for blockchains. But the third point is that it provides something which we can think of as credibility, right? So a zero-knowledge proof, from the cryptography standpoint, is sound. It gives you some guarantee that some statement is correct. It doesn't tell you anything about what you can do with it. Credibility is this point: if I give you a piece of data, I can use a zero-knowledge proof to show to you that it really is the data you're supposed to be looking at. It really was computed on correctly. And this actually, okay. So the idea here comes from a piece of research done by some of my collaborators, back before I knew them, called Proof-Carrying Data, in 2010. And this was really before blockchains were a major thing, at least in academia. And the idea was you have data. Never mind where; again, they didn't know about blockchains. And the data has proofs attached to it that the computations that were done to produce the data are correct. So you have some data. The proof here says the data is whatever. Someone comes along and computes a function on the data, gives you the output, gives you a proof that that's correct. And then later somebody else can come along and compute another function on the result of that, give you a proof that that's correct. And you can just sort of imagine some kind of state machine going forwards. It looks kind of like a smart contract, I guess, but it involves zero-knowledge proofs. And of course, because it involves zero-knowledge proofs, you can also hide anything you want in the process of doing this. So this is great. It's a nice piece of work. But first of all, how do you agree on what this data is? Did everyone see it? Second of all, what is this good for? This paper does not answer that question. It just proposes this academic mechanism. So we're back to the question of what zero-knowledge proofs are good for.
And so in my mind, the thing that a zero-knowledge proof combined with a blockchain, and that combination is crucial, gives you is credibility. That piece of data, if it's on a blockchain, can tell you that everyone agreed on this. This is what's out there. And then I can give you a proof that it was correct, that I didn't see anything I wasn't supposed to when I was computing on it, and that the operation I did was done correctly. And then we all get a shared consensus on this because it's on a blockchain. I can't equivocate on what I did. I can't double-spend something if there's something in this data. This is privacy-preserving smart contracts, for any of you who've looked at this stuff, but at the level of what's the property that a normal person might care about. So what do we do with this? Well, in general, what are zero-knowledge proofs good for? And in this talk, I'm gonna give you some low-level things, like immediate problems, some very high-level things that are, you know, what was on my mind at the time, and then back to some low-level things on identity. So the first thing that you really do need zero-knowledge proofs for is credible safety for, or from, depending on how cynical you are, rollup operators. The Bitcoin people would call this censorship resistance. Because if you have a rollup, if the rollup is taking these transactions, the server's sitting here, it sees everything that's in those transactions, right? These are normal Ethereum, or Bitcoin, or whatever-it-is transactions. They are completely transparent to the server. The server can see what's going on. Okay, fine, why does that matter? Blockchains are that way anyway. The problem is that the server's getting these from a bunch of people, and it gets to choose which ones it takes and which ones it doesn't. And the problem is that that's gonna be obvious to everybody, and so the server's gonna be held responsible at some point by somebody for something it failed to exclude.
In other words, ZK VMs and ZK rollups, at least if you naively do them in a single-server model, aren't censorship resistant. The consequence of this is you really better not mint any NFTs of some meme a government doesn't like. You probably shouldn't take payments to activists that a government doesn't like. If you're a rollup operator sitting in Texas, I probably wouldn't take donations to an abortion fund right now; it might get you in a bit of trouble. Because if you do, your nice ZK block compactor that makes things efficient isn't gonna be a block compactor, it's going to be a trash compactor on fire. You're gonna just have major problems with the transactions you process. So this is not safe, this is not good, and this is a major problem for all people trying to get blockchains to scale. So what do you do about this? Well, you replace the individual user transactions with zero-knowledge proofs so that those transactions are now opaque. And as a result, the rollup operator can't see what's going on. And so they're a dumb pipe, and they have some limited ability to manipulate transaction ordering, but again, they don't really know what's going on. They have a degree of deniability. And so this gives you a minimal amount of safety. It doesn't solve everything. But this is the thing that you need to be building into your ZK rollups. And this is a thing that various people are building. I believe the original people who came up with this idea, and I don't follow these things too closely, Aztec, currently have this out there. Aleo, a company I'm involved with, is also building this. I'm sure there are others, but nobody's really broadcasting these features as a thing that's going on very well. And part of that is because it has a really bad name. This gets called a ZK ZK rollup, which is kind of a mouthful. And every time I hear it, all I can think of is this bad meme from, like, not quite the 90s, but it's pretty old.
So you should be doing this, and somebody should please, please come up with a better name for this that's catchy, so that people can market it. Because I'm sure I left off some people who are building this. But this poses an interesting problem for those of you who are working on zero-knowledge proofs, because these proofs need to be built on phones. And that doesn't necessarily work with every ZK proof system that's out there, right? I don't know the full breadth of these things. I don't play with most of them. Most of my stuff's still in Groth16. But I do know that some of these things are slower than others and are suited to other cases. And so there are some risk factors that you might want to consider if you're looking at ZK tech and trying to figure out what we should use. In a lot of these systems, the provers are architected to run in data centers on big iron, right? This may be fundamental to the way the proof system works. It may just be who your devs were and what they knew how to do. Either way, it's not clear they're gonna run efficiently on a mobile phone or a laptop. Secondly, for the proof systems, they may be amortized only over lots of transactions. So they're not really efficient unless you put a thousand transactions into this proof and check them. And then you get some amortized savings, which is fine for a server compressing transactions to do a rollup. But again, in these cases, you need phones to be generating proofs, laptops to be generating proofs, so the server doesn't see what's going on. And that's only gonna have one transaction in it. And lastly, the proofs in a lot of these things are very large, which is gonna cause all kinds of problems for mobile data, for your gossip protocols, for transaction distribution. This is also a warning sign.
And so the way to think about this, or at least the way I think about this, is you may remember that there's been this big problem with Intel and x86 for the past about 15 years, where Intel built these wonderful server chips and then found out the future of the world was mobile devices, and they've been trying to play catch-up with getting their chips to work on mobile. And there are some business development things there, there are some fundamental technical things or some positioning that have been causing them problems. And so we may end up in a similar situation with ZK proofs, where you can't get these to work in the settings you want, and then you're gonna have to do a nested ZK thing. You have to add another ZK proof under your ZK proof in a different system. That's gonna up your costs and up your complexity. So food for thought for those of you who are working on these things. So okay, that's the basic pressing issue today, but looking more broadly, what else can we use zero-knowledge proofs for? If we have this notion of credibility-carrying data, what can we use it for? And I think you can more broadly do this for markets, like competition, decentralization; migrating data around is gonna be a big one. And obviously you can also use it for, like, preventing money laundering. So starting with the last one of those: cryptocurrency has a theft problem, right? Stuff gets stolen now by nation states, and the nation states actually go get in trouble. Tornado Cash got taken down because of this. Actually, the Tornado Cash developer is in prison right now in the Netherlands because of this, which is kind of crazy for, you know, a thing that came out of a paper I started writing 10 years ago. But this is what's going on. And it would be good if we had some way to deal with this. So what if you wanted to prove to somebody, when you make a payment, that the money you had wasn't stolen? And you wanted to show them that the money wasn't stolen when you got it from somebody.
And when that person got it from somebody, that money wasn't stolen then either, right? Ad infinitum, all the way back. This is impossible if you're just asking questions. You can't do this without cryptography, right? If you just do KYC or whatever, you'll stop at just who you are, who's giving you the money, and you won't really get a good notion of what's going on. But ZK proofs compose recursively, right? So I actually can build a zero-knowledge proof that not only is my money not on a list of stolen money, but it wasn't on a list of stolen money when it was paid to me, and that wasn't on a list of stolen money before that, before that, all the way back in time. So we can have this sort of credible money where, despite the fact that I'm anonymous, you actually know that it's not stolen, right? So that's one thing you could build. The details are somewhat complex, by the way, but it is possible. More broadly, you can do all kinds of compliance, right? You want to comply with anti-money-laundering rules, currency transaction reports, that you're not sending more than $10,000 through a system. You can do that, right? In theory, we knew how to do this in 2016, from a paper I wrote at Financial Cryptography, but now there are actually companies building this, because again, we have more practical zero-knowledge proofs, in part because of the people working on rollups. You want to show you're not on the sanctions list? We can do that. So again, you can get credibility for what's going on with money. More broadly though, right, let's not just think about payments. What else could you do? What could you possibly want to prove to somebody? Well, we're all trying to build decentralized ecosystems, right? There's a whole question of whether those are really going to be on a blockchain, or they're going to be some oligopoly of servers where people try to move from one server to another to another, migrate their data from one thing to another.
And in those settings, it would probably be pretty useful if, when you took your data from server A to server B, you could say, here, I can prove to you it's correct. All right, similarly, you might want to prove that an auction you're doing is not tampered with. Google recently got in trouble because allegedly, according to several states' attorneys general, they were manipulating their ad auctions. They said they were running a second-price sealed-bid auction, where if you win, you pay what the second price is, and so you should bid your value. And instead, they were running something that was approximately a first-price sealed-bid auction, because if you won, they lied and said there was a bid right under where yours was, and basically charged you what you were willing to pay. And this is a problem with Google, a semi-trusted guy in a legal setting where there are places to prosecute them. If you try to run an auction on the decentralized Wild West of blockchains, this is gonna come up. So you probably want to be able to prove your auctions are correct. Similarly, you might want to run a matching market for some rideshare system like Uber. You can do this with a zero-knowledge proof, in theory, right? Thinking even more broadly, you might want to be able to say, like, hey, if we're running a decentralized social media system, I have a newsfeed, and I'd like to know that my newsfeed wasn't manipulated. That somebody isn't, for example, feeding me outrageous stuff just because it generates clicks, or making clickbait titles for Ethereum DevCon talks.
You might want a zero-knowledge proof to do that. And the thing here is these are all sort of pie-in-the-sky dreams, but we're gonna need to do things like this, because if you're trying to decentralize existing services, organizations and institutions, it's kind of essential, because people kind of trust these existing things, for better or worse, and so if you move to something that's completely crazy and new, you're gonna need to convince those people to trust your new thing, and you can't just publish everything. That's not how the world works. So this is sort of hard to think about as a concrete thing, so let's use a concrete version of this. Standard tale about internet gaming, right? There's some awesome game. It's an online game. There's a server, there's a great community. Everybody loves the thing. And then it gets a little too popular. The thing goes down the toilet. The devs get greedy or get bought by some company, Blizzard, and they somehow ruin the game. Never mind how. And so, in classic Futurama Bender fashion, we're gonna make our own, with better things. What you wanna do is take all your data and go to a new server with the same game but your existing game state. And for this to work, the game has to be open source, but even if it is, you're gonna run into some problems here, right? When you take that level 50 sword or whatever it is from server A to server B, why is anyone gonna believe that you actually earned that, that you didn't just make it up, right? For the server, how are we gonna know that they won't pull some funny business and secretly run a pay-to-play game, right? How are you gonna know that the economy of that server and the way the items are distributed is correct, right? You wanna be able to prevent these guys from, like, toileting this game. You wanna be able to move to another server, but you need all of your data to be credible when you do this and move it around.
And so the only way you're gonna do this is by committing to the data on a blockchain and attaching zero-knowledge proofs to all of this stuff. Again, pie in the sky, you can't get this to scale now, but it's an interesting idea, and this approach is broadly applicable to not just gaming. You don't need to just do this about a sword; you could do this about any number of things, right? If you're running a crowdfunding platform that has, like, awards, something like Patreon, and Patreon goes under, you can move to another server and take the awards you've gotten and prove you actually got them. So, okay, well, what if we thought even bigger? Recently there was a headline that the IRS had gotten in trouble for manipulating their audit process, and under the Trump administration auditing senior FBI officials who mysteriously had also been investigating the Trump administration. So, regardless of the tampering in that case, what would it take to make tax audit processes credible? And this is just sort of a hypothetical, right? How would you know that this is working? You'd have to commit to an audit policy in advance, you'd have to put up all of the tax returns, committed, in some blockchain or permissioned ledger, and then you'd have to show that your audit process was applied correctly. And the thing is, in the process of doing this, you cannot reveal any of that data. You can't tell people what will get your taxes audited, you can't tell people what other people's tax returns are, but if you want everybody to know and trust that when they get audited by the IRS or some other institution it was actually done according to a fixed procedure and the rule of law or whatever it is, you're gonna have to do something. And so maybe, again hypothetically, if you added zero-knowledge proofs and a blockchain, you could do this. So as I was writing this talk, I kept thinking of this idea that, like, verifiability enables cooperation.
So during the Cold War, the US and the USSR wanted to disarm somewhat. They wanted to have fewer nukes, because they could save money on it and it was better for the planet. But there was this problem: if the US gets rid of their nukes, they wanna verify that the Russians are also getting rid of theirs. And that was kind of hard. So one of the limits for arms control treaties was that it was hard to verify what was going on, and what happened was, as spy satellites got better and as spy planes got better and more pervasive, the Russians and the US were capable of verifying that disarmament was happening, and so they could actually cooperate. And there actually are now treaties about being able to fly planes over other people's territory to verify this stuff. It's called the Open Skies Act, excuse me. So technical advances can enable better verification and more cooperation. But of course, spy satellites don't work for this kind of stuff on the internet. We can't just publish everyone's data out there for everyone to see. And so to do this in this case, we'd need zero-knowledge proofs. So what are zero-knowledge proofs good for? These three things. On a more concrete level, you can also use them for identity, moderation, decentralization. So we need to prove all kinds of things about our identity online: that we're not North Korean money launderers, for example, that we're not a bot, Elon Musk, or that we're over 18 to view a video. And so that's time, but I have some work on this that would kind of be interesting. So with that, I guess I will take questions.