 If you are already familiar with the journalist proof, then I strongly recommend you to listen here in this session, the Designing Public Goods Using ZKPs, which is running by Rachel, who is a super designer of the International Foundation's PSC team. She has designed a lot. She has designed in three years at the team and designed a lot of ZKP-related user experiences and user interfaces. So it might be very, very inspiring. Yeah, so let's start with thinking about where the ZKPs are mostly used. So we use zero knowledge proof when you want to prove a fact, but you don't want to share the information. I want to give you an example about more detail. So let's think about some example at immigration at the airport. Let's assume that I'm an immigration officer here and there's an entrant here. When you go to the airport, the immigration officer says, where are you from? Then I say, like, I'm from Korea and from Korea. Then the immigration officer says, like, North or South? I definitely say, I'm from South. But unfortunately, this immigration officer doesn't trust me that much. So he says, like, huh, my really think you look like from North. Give me your passport. This poor Korean guy wants to keep the freedom to keep my personal information. So I say, like, oh, there's my personal information. I don't want to keep my passport. Then, OK, what happens? They just kick him out, kick him out. In this situation, what should I have to do here? What should I do? What can I do here? Yeah, actually, I can show some passport number. I can show my nationality or passport card on the cover. But if we give a zero knowledge proof that I can prove that I'm a part of the South Korean, yeah. This is just an example, which can be really happened in the future. Let's think about what happens here. So we can call the immigration officer here as the verifier, the entrant, the poor South Korean, as the prover. Then the prover prepares the witness using my passport, which means, witness means I have some passport number here and I have my email and my number in Korea, something like that, a birthday, et cetera. And then generates a ZK proof and give it to the verifier, which means the immigration officer here. Then the verifier, the officer says, OK, I'm going to verify this proof using the existing database we have. Actually, this is pretty possible. And we're going to take a look at the details later about how we can prove the membership of that I'm a part of the South Korean people. Let's see what is witness and what is information we have to share here. So there are some information you can see here. And maybe there is a passport number that I don't want to share with the immigration officer. Actually, it totally doesn't make sense. So I recall these values as private inputs. But I'm going to just say I'm a part of the South Korean, so I just opened my nationality. This is the public input. And to prove that I'm a part of the people, I just culturally some mathematical values using the inputs there. So we call these intermediate values, including all the private inputs and the public inputs as witness here. And this is just a basic model of how zero knowledge proving system works. So we have private inputs and we have public inputs. And also, we have the circuit here. The circuit is about the relations. What was the relations here in the immigration situation? It's like I don't reveal my passport number, but my passport number is definitely a part of the registered existing database of the Korean people's passport number. So it's kind of a membership proof. There's a database. And I don't want to share my information, but this definitely exists in the database. So this relation is the circuit here. And using all the private inputs and public inputs and circuits, the prover makes a zero knowledge proof. And then the verifier verifies this zero knowledge proof using the circuit, using the same circuit, using the given circuit to verify that I am a part of the Korean people. OK, then let's think about how and why it works. Yeah, to start with it, I think I should explain about what is ZK-Synaric. Actually, maybe I think some of people here in this room might be pretty familiar with what is ZK-Synaric. And some of us are not familiar with this. So I'm going to explain pretty in detail. So sometimes it's not four or five years old, I think. So please understand. I'm going to start with the classic example. Maybe many of you heard about, when you just search Google what is ZK-P, then you might see some example of Alibaba there. Then here's an example that here's a very extremely smart rhino. And he's arguing that he knows the magic phrase of the Alibaba cave. Can you trust him? Can you believe it? It's pretty hard to believe, isn't it? So we are the very fire. And by the way, this argument that this rhino is doing is called the argument of knowledge. Because this rhino is arguing that he knows the magic phrase. This is called the argument of knowledge. By the way, because this is pretty hard to believe, the very fire comes up with an idea and says to the rhino that, OK, go to the cave and wait for me there. Then rhino goes to the cave. So you can see how the Alibaba cave looks like here. So there is a gate at the between of the two gates. Then if the rhino really knows the magic phrase, is there anyone who knows the magic phrase here? So if rhino can say the open sesame magic phrase, then rhino can just enter through the gate because it'll get up in there. So rhino gets into the cave. So maybe it just depends on his choice. He can go into the left gate or he can go to the right gate there. And the very fire comes here and says like, hey, try to come out from the right gate. Then to come out from the right gate, rhino goes to the door and says the open sesame and open the door and should come out from the right gate. Then we can think like, oh, I think rhino really knows the magic phrase. Maybe some of us realize there is some problem here. Yeah, so we're going to ask about the left gate situation. In this case, actually rhino just went to the left gate at first. Then the very fire has come out from the left gate and actually it doesn't need to say the magic phrase there. So actually, you can think like this is very probabilistic. This case is called false positive. So the probability of the false positive here is 50%. Then how about if we repeat this process, as you said, 10 times here? Then the probability of the false positive becomes less than 0.1%. We can just repeat this like 1,000 times. Then we can think, OK, there might be the probability of the false positive is extremely low. Then we call this as the soundness. So soundness is a pretty important concept in ZK Snorriq. And I'm going to tell you about why it is important to gain later. The verifier asks and the rhino answers here. And actually, the set of rhino's answers is the ZKP. How can we compute the size of the ZKP here? It definitely depends on the repetition number. So if the proof size is very big, then do we have the soundness there? Yes, we have the soundness there. If the proof size is too small, we cannot have the soundness. The false positive is the probability of the false positive is too high. So the proof size is pretty important here. But imagine if we do this 1,000 times at immigration. So immigration says, OK, just tell me you'll measure something. OK, actually, it totally doesn't make sense. So we need the non-interactive system here. Any idea how to make the non-interactive system? OK, let's go back to the rhino case. In this case, this verifier tried to make the random question every time. But what if we generate some random set of questions before this proving happens, just like this? Left, left, right, left, right, left. What is the problem here? Yeah, right. Rhino can turn us just using the value. So we need to homomorphically increase those values. Actually, today we're not going to deal with the homomorphic concept here. But we should encrypt this in a verifiable way. By the before we go to the next slide, I just want to say here, this is called command reference string because verifier already made this for the prover. So this string is shared between the prover and the verifier. So commonly shared string, which can be the reference for the proving system. So this is called command reference string. By the way, because we need to encrypt those values, I'm going to encrypt this in Korean. Maybe there might be a little people who can read this word. But actually, this is saying about go left and go right. And if you go left and go right twice, something else. So let's assume there is something that can interpret this encrypted command reference string. So actually, interpret is not a good explanation here. In more detail, let me assume that the five years old key understand hash function here. We are just adding a salt and hashing the value and make a modular there. So it's kind of a deterministic random stuff. So the rhino never can cheat on that if this rhino doesn't know the original reference string. By the way, these encrypted command reference strings are not enough to be used publicly. Because this is OK when only we want to verify this rhino is smart. What we want to build is some protocol that can be used publicly, widely, for everyone. So for example, we have a system that we can transfer some if using ZK proof. Then the ZK proof will include some information that I have enough balance. And I can generate some signature. And every information will be in the ZK proof. But if you can cheat on that, I just can move a lot if to my account without the correct information, without the signature. This is really important to make anyone, no one knows the original reference string. Yes, this is called the trusses setup. To achieve this, we have to do the trusses setup. Let me explain this one by one. Actually, this is how a ZKP system works with. I mean, the ZK snark works with the common reference string. So there is a common reference string made by the trusses setup is shared with the prover and the verifier. And the prover and verifier both does not know the seed original reference string here. And then prover picks a random salt and share it with the verifier. And then also, once the prover picks a salt, the prover can drive a set of questions because there is a reference string. Actually, the verifier, at first, in the interactive system, verifier just gave the question to the writer. But in this case, writer can generate the questions by himself. And also, the verifier can drive the answers, write answers, without knowing the exact questions. If the verifier using the homomorphic feature, homomorphic characteristic of the reference string. It can be a little bit tricky, but this is also a pretty important thing. So I want to explain some multiparty computation thing here. Actually, this is pretty technical, but not that difficult, actually. Please, by the way, let me say why I'm explaining this multiparty computation here. It's like, do you guys know how the trusses setup works? Why you need to join the ceremony that is shared today's opening ceremony? So I just want to share how it works and why you need to join the KJJ trusses set of ceremony here. So let's go through. Actually, this is pretty for 15 years old kid, but let's go. There is a homomorphic hiding. G to the A is kind of a, we can make some encrypted value using number A. So actually, that is a signature of the homomorphic hiding H. But just think about that just as a hash function. So to think about G to the A is something related to the hash of A. Actually, it's kind of a homomorphic hiding of A, but then there is a characteristic that we can compute the G to the A using number A pretty easily. But in contrast, it is extremely difficult to compute A from G to the A. Actually, this is called the logarithmic discrete assumption here. But let's skip here. And also, if we have a G to the A and B, we can also compute the G to the A, B pretty easily. This is just some key features of the homomorphic hiding using the electrical cryptography. And let's see how the trusses setup works. So truss setup is creating a common reference string and without anyone knows the original reference string. So at first, Alice joined the ceremony and takes the set of the questions. The set of questions here is A, B, C, D, E here. All the A and B and C, the N, D, and E are numbers in a finite field, just the numbers. There are numbers. And then we compute, actually, we did some encryption thing here. You remember? So left, left, right, left, right, left is A, B, C, D, E. And this is something already encrypted value. G to the A, G to the B, G to the C is something. So we can compute G to the A, G to the B, C, and G to the E there. And Alice shares these G to the A and G to the E values publicly to the people. Then Bob joins this ceremony. In this case, Alice may discard the ABCDE value if Alice is innocent. But if Alice is not innocent, maybe she just stored the ABCDE value in her computer. By the way, Alice didn't share the ABCDE value with Bob yet. Then Bob also picks a set of questions again here. That is FGHIJ. And then we're going to create a new reference string using G to the A to the G to the E and the FGHIJ only. Because we can compute G to the AF using G to the A and F together. Bob can generate G to the AF, G to the BG, G to the CH without knowing the ABCDE value here. Carl does the same thing here. OK, then if any one of these three participants discarded and destroyed the randomly picked question values, then maybe anyone might know the original reference string here, AFK, BGL, CHM, and et cetera. Because to know AFK, you need all those values, A and F and K. So it means to just recover its original value, you need all the secrets from the old participant of the ceremony. So it makes if any one of the participants to discard it and destroy the value, then all we are safe. The best way to use this common reference string is actually not to trust anyone. It means just go to the trusted set of ceremony and discard your seed there. Then you will be safe, at least, by yourself if you just keep discarding and destroyed. Don't trust anyone. Just trust, actually, don't trust yourself, too. Just go to the trusted set of ceremony. This is the page that shared today's opening ceremony. So you can just go to ceremony.etherum.org. Then you can join the ceremony. And actually, you just saw that these should be conducted in a sequential manner. Because Ali should do something and share, and then Bob does something. So there might be some queue, but please don't lose your faith. Please don't trust anyone. So go into the queue, and let's join the ceremony together. OK, great. Then now I think I've explained almost every important concept of ZK-SNARK. Then let's rebuild why this is called ZK-SNARK using the concepts we just explored today. So ZK-SNARK is zero-knowledge, succinct, non-interactive argument of knowledge. First, zero-knowledge means just hiding some information. You remember that I just wanted to hide my passport number here, but just wanted to prove something. So this is called just zero-knowledge. If you want to hide some value, that can be called zero-knowledge. And to talk about succinct, actually, we have to talk about the soundness. Remember, if you repeat only 10 times, the proof will be pretty small. But if we repeat the answering like 10,000 times, the proof size will be larger. It's pretty important to keep the proof succinct while we keep the soundness. So we need to find the gray balance there. So succinct is used here because of the soundness thing. The non-interactive thing. We can do that at 1,000 times the immigration office. So we should have a non-interactive system. And for the non-interactive system, we should do some common reference string. And because of that, we need to do the trusted setup stuff. Oh, we did all these things to prove argument of knowledge from this rhino. So this is called ZKSNARC, general succinct, non-interactive argument of knowledge. So does everyone understand now? Great, I am pretty happy now. OK, so we're going to go through the applied ZKP stuff. So where can I use ZKP? Mostly people think I can hide something. Then it can be used for the privacy, definitely. So the usages are mainly the privacy and scaling. And there are a lot of undiscovered usages. So let's go to the privacy thing first. Yeah, and actually, we already go through some difficult concepts like multipartic computation, homomorphic hiding, and logarithm discrete assumption stuff. So let me ask you again that I already know such function in MergeProof. And please, let's remind how the ZK Proving System works here, gain. We have a circuit that represent the relations between witness, including the public inputs and private inputs. And the prover creates a ZKP and the verifier will verify the proof using the circuit together. And in the Merkle Tree, what we want to do here is proving that there exists a leaf in the Merkle Tree without revealing any information about the leaf and the sibling information, which can reveal the path of the leaf, which can be kind of a reference. And here, I'm going to share the Merkle Root information between both the verifier and the prover. So this is where do we use this thing at the immigration office? Yeah. So this is proof I'm a member of this group, but I don't want to reveal my identity here. So this is the reason why we do this is Merkle Proof using ZKP. Actually, we can compute the Merkle Root using sibling values. And the sibling values also should be private inputs, because if they are revealed, then they can be some hint for about the leaf. And then to generate the Merkle Proof, we need to compute the intermediate nodes here. You need to compute the branch node of the Merkle Tree when you compute the Merkle Proof. And these intermediate values are the witness. Actually, witness also includes the private and public older values, but I'm going to say this is a witness. And also, this is the relation of the witness. So let's see the first relation. Node 1 is hash of sibling 1 and leaf 1. And node 2 is hash of the node 1 and sibling 2. Node 3 is the hash of node 2 and sibling 3. And finally, the computed node 3 should equal to the root value here. This is a relation that we want to prove using the witness, while we are not revealing the private information here. OK, so we just put these values like this. So there is a circle circuit. The logic is blue color, and the private inputs are the green color, and public inputs are the red color here. Then we can generate ZK Proof, and the verifier can prove that, OK, you don't need to reveal the private inputs, but I have the information about this group, which is the root value, the public input, red thing. And also, there is a relation logic between the witness. Here, that is the Merkle Proof. And this members proof thing also can be used for various usages. Actually, first of all, the privacy protocol, definitely. And for the privacy protocol, we have the very good example for the identity. We are having the semaphore protocol, which is just the name of a membership proof protocol that keeps your identity private, but let you vote on some agenda in an anonymous manner. And also, we can have some private transaction stuff, ZCash. And also, Aztec's ZK Money, and Polygonite Ball, and PS Team ZK Proof, and Tolerant Cache. They are all implementing the same logic with this members proof system. And also, this members proof system can be implemented in various ways. Definitely, the first way is the method that I shared here, the Merkle Proof thing. And actually, recently, people are exploring another methodology using the vector commitment, which can let us express a set of values using a polynomial. So if you are interested in, you can just Google this cog and take a deep look at that. By the way, we have 10 more minutes. So I'm going to use 10 more minutes, all the 10 minutes. The next example is the scaling. You guys are pretty familiar with the word, roll up, right? Actually, the roll up started, I guess, it started from 2018 by Barry, our PSC Team's leader. And roll up started from the ZK roll up. And I'm going to explain what is the basic form of ZK roll up here. So the first block is just a normal Ethereum block. Let's assume that this is a normal Ethereum block. Then there should be some transactions. Transaction 1, transition 2. And for each transaction, every account, external owned account, should generate the ECDSA signature, right? So every transaction has its matching signature there. And finally, we compute the block hash using some other values there. But how if we make these signatures as private input? What happens here? We can just remove the private inputs and we can replace that using its ZKP. This is just what ZK roll up is. And here are two advantages. What are the two advantages here? Yeah, definitely the data usage and the another one. Because if we just compress all the signatures, then we don't need to verify all the electrical signatures. So let's assume that if we have 10,000 of signatures, then the zero launch proof can be much less than the 10,000 of the signatures. So we can reduce the data size a lot. And also, we can skip the computation just using the cryptographical verifying system. So we have a two advantage here, the scaling of the computation and the scaling of the data usage. So yeah, so this is the reason why we are using ZK for scaling solutions. And actually, there is a tutorial that you can implement the simple ZK roll up by yourself. So if you want to just deep dive into how it really works, then you can just go to there and go to the tutorial. It'll be very helpful for you to understand how it works. And for the next, I'm going to share another fun examples. Macy and rate limiting lollifier. Macy stands for minimal anti-collusion infrastructure, which means actually, have you tried the CLR fund before using Bitcoin fund, quadratic fund? So quadratic fund in quadratic fund is very useful to buy the vote. Because the number of the participants is much important than the amount of the votes in quadratic voting. So buying the vote is pretty useful. Then how can we prevent vote-buying attack? Collecting all the votes first, and then the coordinator mix it and generate a new state tree. Then the voter cannot prove that I voted to this one. Then we can just prevent the vote-buying attack. So we can also use ZKP here, that the coordinator mixed the result without just modifying them correctly using zero knowledge proof. So we are also doing the CLR fund for DAF CON. So you can go to the 8th Columbia, the CLR fund, to participate in the new round, quadratic funding round. And another really fun example is the rate-limiting nullifier. This is pretty novel, and maybe it is pretty hard to think about this concept from ZKP, because we are just thinking about only the privacy or scaling. Then let's see what it is. So there is a polynomial, a one degree polynomial. So it is y equals ax plus b. And actually, this polynomial is a polynomial that I just chose. And actually, the value b is my secret key of Ethereum. Then OK, then I can share you some point on this line. But if I share you more than two points, what happens? You can just compute this polynomial, right? Because you have two points, and this is one degree. So you can just know the a and b. Then you can know my secret key. So my secret gets revealed. So rate-limiting nullifier is using this. Actually, this protocol is Charmere's secret sharing protocol. Limiting nullifier is using this to prevent spam attack. If I want to communicate with you, I should reveal my points on the polynomial to you. So if I just send you too many messages, then actually you can just recover my polynomial and just get all my it from the account, right? But here, we have to use ZKP, that all these shared points are on the polynomial. This is only the relation. Pretty simple, right? Then we can use this for spam protection protocol. We are doing a lot of experiments using this rate-limiting nullifier concept for the consensus layer and also the peer-to-peer networking. OK, so this is the last. So from five years old key to a student, I want to recommend this curriculum. The first one is just write a ZKP application using the tutorial thing I shared for the ZKRollup. Then it will help you understand how ZKP works and how the proving system works there. And then you need to study and learn about the first abstract algebra, because in the proving system, we are using a specific set of numbers. And we need to understand how these numbers works and how the homomorphic hiding works. To understand this, actually you need to understand the abstract algebra and the group theory thing. After that, please study and learn about the electric curve cryptography first. And then after that, please study about the pairing-based cryptography. Then maybe some of you guys have heard about Planck and KGD and inner-product argument stuff. And they are all the kind of things after you study about this pairing-based cryptography and then abstract algebra and then extra. So after you study these three things, then please study about the Planck, which is arithmetization, which means converting your program into a polynomial. Then after that, just go through the polynomial commitment schemes, which is like how to make the questions and how to make the answers while we have done using the Alibaba case with the rightness. Actually, the arithmetization is pretty related to the polynomial commitment scheme. So you're going to study with some R-N-C-S arithmetization with grad 16. And you're going to study Planck arithmetization with KGD or inner-product argument. Thank you, everyone. I'm Wansub from Interim Foundation, PSC team. And I hope this session helped you a lot. Thank you so much.