Okay, Daniel, you're live, take it away.

Okay, so hey everybody. Good morning, good afternoon and good evening everybody, I mean, depending on the time zone. Welcome everybody in this Hyperledger meetup. We just have a pretty special topic which is, I mean, I would say very much theoretical, but it's getting to be hyped on the one hand; on the other hand, it's probably getting to be, you know, I mean, a field which can't be just, you know, I mean, controlled or basically developed just by mathematicians. It might be like a field which is gonna be practically available for developers as well. And that's practically zero-knowledge proofs and SNARKs. This meetup is dedicated to this topic. We're gonna have like two presentations. The first presentation will be from on rash sub-org. It's gonna be more theoretical. But please note that actually we are not mathematicians. So although we plunge a little bit into the details of some of the mathematical, you know, I mean, depth, despite that we just try to be as much engineering as possible, or as much developers as possible, if it's possible. I mean, sometimes it's just not possible. The second presentation will be from me. It's gonna be like, you know, I mean, as practical a presentation as possible, focusing on how you can practically integrate zero-knowledge proof to Hyperledger Fabric. It's gonna be like a hello world application, nothing more. But I mean, I hope it's gonna be interesting.
Um, so actually that's the agenda for today. And then so, I mean, I would suggest we do it in a way: there's gonna be a first presentation from on rash, then we make a very small break where you can have like questions. I mean, sure, if you have like questions in the meantime, like, I mean, something is wrong, like we have like problems with the audio or with the video, with the slides, just interrupt us and then go ahead, just say that something is wrong. But otherwise I would say there's gonna be like a small discussion, or a possibility for a small discussion, in the first break, and then at the end we can have like, you know, I mean, bigger questions and answers and then even discussion as well. It's practically at the end of the meetup, like at the end of the second presentation. So let me just start with on rash. He's a solution architect, blockchain solution architect, at block band, and, well, he's pretty much deep into even the theoretical field of zero-knowledge proofs as well. So I hope, I mean, he's not gonna plunge very much deep into the details of maths and figures, but I mean, we will see. So basically, on rash, the floor is yours. Thank you guys.

Okay, thank you. Welcome to everybody, and just turn my screen share on. Okay. Okay, no, everything. Oh. Okay, so, thanks. Thank you Daniel for the presentation, and I'm really thankful for being here and present some of the zero knowledge proofs. Actually, I gave the title of the basics, but it's probably really the basics. So it's zero knowledge proofs; it's a really huge field and a lot of things that we could talk about, but today I have only 20 minutes, and actually I have 20 slides. So probably it won't be enough time to get them all. But what is it exactly, the zero knowledge?
The Hungarian translation actually, it's much more better, because it means something like non exploratory evidence; it's more convenient probably for the Hungarians, because zero knowledge means something that no information. But what does it mean? So it means if I want to convince someone that I know something, but I don't want to reveal any information of that secret, then how can I convince you? So this is the zero knowledge proofs, that I can create something, some proofs, and convince you that I know the secret one. Today probably we are going to talk a lot about Alice and Bob, and Alice and Bob, they want to prove, usually Alice would like to prove something to Bob without revealing any information. So Alice will be the proof, the prover, and Bob will be the verifier who verifies the proofs and decides that Alice is telling is true or not. Bob will challenge usually Alice, and Alice will respond with something, with the proofs and with something, so then Bob can decide whatever the statement is true or not. So but how does it work actually? Just a really common example. I think there is a book called Where's Waldo, and a lot of images where you should find a guy on that picture. So if you see this picture on the right side and I show you the guy with the hat and you should find it, it's really hard if you don't know where is it, where is the guy. So how can I prove that I found Waldo without, for example, the question is how can I show you where is Waldo without showing the exactly location of Waldo that I found? So that is a question, and for example one solution is that I take the picture and I cut it with scissors and I give you Waldo, the image. So Alice will cut Waldo from the picture and gave Bob, but now how can we be sure that I just cut it and not before?
So how about the reusing the piece? So Bob could make, for example, just draw something on the back, backwards of the image, and so Alice should always cut and Bob could check the back of Waldo, the image of Waldo, that the image is original or not. So this is the solution for this kind of example. So let's check what are the properties of this zero knowledge proof. Soundness means that everything that is provable is true. In a simple way it means that Alice proof system are truthful and she can't cheat. How does this work? Because Bob just draw something on the back of the image. So Alice can't cheat because she can't reuse the old Waldo image. She should always cut Waldo and give to Bob. Completeness means everything that is true has a proof. It means that if Alice convince Bob that she found Waldo, because Alice could give the image of Waldo to Bob, it means that is a valid proof. So if something is true, then it has a proof. Okay, and what does it mean, zero knowledge? Zero knowledge means only the statement is being proven and no other information is given. So Bob won't know where exactly is Waldo on that image because he can't see the original image where Alice just cut Waldo. Okay. What types? Because usually we think, if we hear zero knowledge, we usually think only one or two, just buzzwords like interactive, non-interactive, SNARK, STARK and something like that, but a lot more than these ones. So actually the first one is, the first group, I think we should say that first group is interactive and non-interactive types of zero knowledges. I will tell you some examples of them. The other types are like zero knowledge, like proof of knowledge. It means usually a simple, I call it usually simple zero knowledge proofs, because it has some purpose. So it's not a general one. I will show you an example as well, and here will be some math as well, so we can see what's behind the scene. There are usually statistical ZK proofs as well. Bulletproofs, Bulletproofs.
I won't tell you anything about them. It's just a range proof. So I can prove that, for example, someone is over 18 years old without revealing his or her birth date. So yeah, you can, with the range proofs, you can, it's like Bulletproof, with Bulletproofs you can prove that one. And Sigma protocols, this is the most common one. These are zero knowledge proof systems. We call them like this, and these are always generic, and today, then, I will show you one type of them. Okay, let's go. So what does it mean, interactive? Interactive means, here's an example, when we give a statement. So we have a statement, for example in this example let's think that in this world everyone is colorblind. So no one can see colors, but only Bob, and Bob would like to convince everyone, in this case now Alice, that he can see colors. So how can we decide if Bob is true or not? Because I, for example, I am Alice and I don't know, I can't see color. So how can I? Okay, Alice just hold two ball, get two balls and hold one, hold a red one and the blue one ball in her hands, in one hand the red and one hand a blue one, and Alice would like to challenge Bob, and Alice is now put her hands behind her back and just decide, maybe exchange the balls in her hands or not, and then show Bob her hands, and Bob should answer if the balls were exchanged or not. For example, if Alice's left hand contains the red ball and not exchanging, then Bob would say no, you did not exchange, then Alice know that it's true. And it is interactive because Alice should do this challenge and response multiple times. So it means the probability, I just wrote it down, what's the probability that Bob is really could see colors. Okay, so multiple challenge response should be necessary, and it's only if nuts usually interactive processes are not hundred percent, only just the almost hundred percent certainty that the statement is true. Oh, yes, now the non-interactive way.
It's always, it's going to be a little bit harder one, but I wrote everything next to the, or onto the slides. So if you would like to get an example of a non-interactive zero-knowledge proof, let's say that we have a sudoku. Probably everyone already seen a sudoku. So Alice would like to prove to Bob that she already solved that puzzle, but without revealing the numbers. Okay, so Bob should not know the correct way to solve this problem. So how could we do that one? Okay, for this Alice builds a machine that executes a proof, so creates a proof to Bob, and this machine will follow the next statement. So what does it? Okay, first this machine will create the original steps and as we show before, for example C1, it has a three, just three. Oh, yeah, sorry with my, okay. C1, and here we see C1 has three, but it creates like every cell will contain three cards face up. So everyone can see the numbers because these are the initial numbers. Okay, the next step, that Alice's solution. Here are Alice's solutions, but all the cards are face down and everywhere there is three cards of them. So for example, this is a, A1 contains for example nine, then it should be A1 cell contains three card with number nine face down. Okay, so this is step two. Now Bob can interact with the machine, and Bob should choose, for example, let's say Bob decides that which row he would like to start, for example the first row. With the first row he just pick up cards, but randomly which column, okay, and put it here. Okay, and then the next row and next row. So doesn't matter the order, just get cards every row and column of cards and put aside, and okay, just for more, not just rows, Bob will do or must do or have to do the columns as well. So actually we will see nine cards, nine cards here, nine cards for the second row, next to the second row, and nine cards third row, and etc.
So at the end there will be eight cards for each row and each column, and the remaining cards are stored into the one packet of each three by three grid. So in total we have 27 packets. Okay, and now the machine will shuffles all packages and then Bob can check each packet, that each package should contain each number only once, so like from number one through nine without any numbers missing or duplicated. Okay, so if every 27 packets contains only number one through nine without any missing or duplicates, then it means that every row and every column and every three by three grid contains the necessary numbers. But Bob doesn't know what was the original solution for the puzzle, but be sure that Alice created solution is good one. So this is the non-interactive zero knowledge proof, because Alice does not have to challenge, Bob does not have to challenge Alice more times, only one time is enough, and anytime Bob can use this machine to check whatever the solution is okay or not, so he can do this multiple times. Okay, now simple as they have zero knowledge proofs. It usually means that built only for one purpose or only for proving only one thing, so not a general one, not a general case. It's usually our accumulators, ring signatures, proof of knowledge, usually elliptic curve based or lattice based solutions. Here are some math on the right side. It's probably important to read this and to understand. So let a be a secret key. In an elliptic curve, elliptic cryptography, it's usually just a random number.
So let a be a random number and the secret, our secret. So now the corresponding public key is generator raised to a, modulo p. It's usually a modular arithmetic is involved, but I don't want to now explain exactly what does it mean. Probably, I hope everyone knows what modular arithmetic is. But there is two important thing, these are just, okay, so the interactive way. Here is Alice and Bob. Alice has a, like a random number and secret, and already the public key, generator raised to a, is already known by Bob, but now Alice would like to convince Bob that she knows the secret. Okay. In this way Bob would, not, at first Alice will choose a random, another random number k, and the first number she creates a public key of k. So generator raised to k modulo p, and we call it H, and this is a commitment from Alice. We call it commitment. So Alice gives and sends Bob this commitment. Now Bob, this is the interactive way because Bob just pick randomly a c, number c, and send back to Alice. So that's why this is an interactive way, because multiple interaction are there between the parties. So randomly choose c, and Alice now computes a times c plus k. So a is Alice's secret, c comes from Bob, it's a random number, and k is another random number.
So s, that it represents s, Alice will send back. Bob don't know, or doesn't know, how to calculate a, the secret itself, but only knows s and knows c and knows all the public keys. But we know that some simple math we can do, so Bob could really calculate generator to s, which must be the same as the public key of Alice raised to c, multiply with H. So Bob easily could do this math because he knows the public key of Alice, knows the c because c was given by Bob, he knows H because H was the initial value, the commitment of Alice, and Bob knows s because Alice said s as the proof. s is the proof. So now this is a simple way how to convince someone if I know a secret number, and how to convince someone that I know this secret number. A non-interactive way is almost the same, but in this way, if we go back, the c was given by Bob. But how about if Alice could create a c like her own challenge? Okay, so usually this is the own challenge. So every time Alice would like to create a proof, randomly chooses a number and create a private part and use a hash function to create with the generator is sick her secret her public key and her random numbers, public part of the random number, she could calculate this, and this will be the challenge, and could calculate r, or s, but it's important, it's not s, not the same as we see. s here is addition, but in the non-interactive way this is a minus, not plus, so it's important. That's why I use r, not s, and then send c and r to Bob, and Bob could verify really easily that that is correct or not. If not correct, then Alice does not know, doesn't know a, or not doing the math correctly.
Okay. What is it, zero knowledge, and now we are going to talk about zero knowledge proof systems, like the generic zero knowledges. So for example, if I would like to prove something, or I would like to prove almost anything that could be described in a mathematical way, or I can do a program for calculating something, then we can prove, without knowing the inputs we can prove that the output is correct or not. So these systems are called generic zero knowledge proof systems, and one of the most known, probably, the zk-SNARK. It means zero knowledge succinct non-interactive argument of knowledge. Each word means really important things. So zero knowledge means that the verifier knows nothing about the statement except for its validity or falsity. Succinct means the proof is small enough for the verifier to verify in a short time frame. So it means that the proof must be really small one, like few hundred bytes, not more than. Non-interactive, it means SNARKs are non-interactive because provers and verifiers don't need to exchange any information beyond the initial proof submitted. Early zero knowledge proving systems require prover and verifiers to exchange multiple messages to verify statement, but now SNARK systems don't need them. Argument of knowledge: an argument is a computationally sound statement that satisfy some very important requirements, making it difficult to cheat, for example generate false proofs. Knowledge: in a SNARK-based proofs cannot be created with access to the underlying information or the witness. So it's really important. Okay, what does the pros and cons? Pros that the proof size is really small. It's very important. The verification process is fast. The creation of the proof, it's usually, we could say fast, but it depends. Usually, I will talk about it later. Pros that it's generic, so we can use a circuit. I will talk about this one later. Trustless, re-verifiable by anyone. So it's really important.
And what are the cons? It needs a trusted setup, sometimes not, sometimes it needs trusted setup. There are just only one exception I know, but I'm not too sure that it requires an untrusted setup, but so that's why I say all SNARK needs trusted setup. Quantum computing attacks. Yes, because SNARK usually use elliptic curve based cryptography, so it can be break with quantum computing, quantum computers. So it's not the best. Setup and proof generation is computationally intensive process. It means that, Daniel, probably you should tell us that it's really really huge one, the lot of gigabytes of memory we need to create the proof and the proof system and the generation of the proof. So and it needs a lot of time as well, even in a very basic scenarios. zk-STARK. It stands for the zero knowledge scalable transparent argument of knowledge. It's almost the same. Scalable means that it is the fastest. So it's really the pros as well. And this is no need for a trusted setup. So it's untrusted as well, the setup phase. It's really convenient. Really high security. So it's resistant to quantum computing attacks as well. What are the cons? Really large proof size, like, I mean, really huge the proof size are. And it's very lower, the adaptation is very low at this moment. The security: why is it quantum computing resistant? Because it uses a collision resistant hashing algorithm inside. Okay, and very important because very low time requirements, requirement for creating a proof is very low time, or very low, because it's totally using a different math behind, like SNARK. Okay, here's a zero knowledge proof systems. As you see, there are a lot of them. So usually they are SNARK. There are only three exceptions, I think, that's only one STARK, one SNARK, it's an old one from five years ago, and there is a Bulletproof. It's, yeah, okay. Only two slides left.
So one is this slide. Let's just check about the level one until level six means the arithmetic circuit complexity, so very basic or very high complex circuits, and SNARK are the blue one and STARK are the yellowish one. I think it's yellowish. So we can see that the proof time and the verification time, how I'll just compare to them, and you can see the SNARK is really really behind the STARK. STARK is really fast, and communication complexity also very good for STARK. And then why are we talking about the SNARK always, and usually we use, and everywhere, every program usually use SNARK? Because of the proof size. So STARK proofs are maybe 10 or 100 times bigger than SNARK proofs. And now I should really talk about the SNARK math and deep dive, but probably I don't have much time left. But how does SNARK work? It's really complicated, and I tried to create some sentences for two minutes, but I did not succeed. So probably I need minimum 40 minutes to do the math and just to create the basic concept of SNARK and how does it work inside, but in cryptography way. But probably we don't need this because Daniel would like to show you in a real world example; it's much more better than just do a math. And only one thing I will tell you about the deep, and how does it work, and actually the deep dive, if you would like to do some math, it usually 40 minutes, but it could be two days or two weeks, it depends on the mathematics, how much deep you would like to go down. So the rabbit hole of SNARK is really really big one. So, okay, just the last sentence that I would like to just read about, but you can read on the slide the given fun.
We have a function like f(x), and we have a public output of this f(x) function, is like epsilon or y. Using SNARK, one can generate a proof that demonstrate that the knowledge of the solution of this f(x) function with epsilon without revealing the value of it. So if we know given f(x) equals y, then what is the s value? So I can create a proof to everybody could check that the f(x) function will evaluate to epsilon at some point, but I don't know which point, but you can be sure that I know that point, where is the point, where is exactly the value of the function will be y. So that's the SNARK, what does it do, but it's really a magic one. So now I give the stage to Daniel to show you this magic.

So thanks for the great presentation. I mean, I would suppose, so I'm just might answer some of the questions in the chat. But the point is that, I mean, we have just limited time and then, well, I mean, of course, again, just repeat the fact, I mean, from zero knowledge we might as well have something which is like, I don't know, three weeks course or even a couple of months course as well. So in this limited time, yes, we have limited effort. I would say we don't have like a break at the moment. I would just continue with my presentation, and in the meantime if you have like more questions from a cryptographic side then under just gonna try to answer it in the chat. And then again, so I will just try to finish pretty fast. So I would just try to go through pretty fast and then we can have like, you know, I mean, longer discussion in the end.
So that would be my proposition. And then so let me just continue. Again, this is gonna be pretty much an engineering approach or a programming approach. I just want to do something which is a hello world application combining zero knowledge with Hyperledger Fabric. If you are not familiar, Hyperledger Fabric is actually one of the biggest project from Hyperledger, and then basically that's a consortium blockchain, I would say, framework that you can install in many different, you know, I mean, combination, and yeah, so it's already live project for more than five years, so perhaps even six. So what I'm gonna do is a hello world for Hyperledger Fabric, and just before showing some code, I would say let me just have a couple of slides how things look like from a developer or from an engineering point of view. So, I mean, if we don't want to plunge very much deep into the math, it looks that way that we find couple of frameworks, couple of tools, couple of platforms for programming with zero knowledge or SNARK systems, and usually the idea looks somehow that way that you see it on the slide. So basically we got a framework, we got a platform, that's a zero knowledge platform. Sometimes it's an IDE, integrated development environment, and we get something which is a DSL. DSL means domain specific language, and DSL is used actually for programming stuff, SNARKs, for zero knowledge. Basically developing a program up that you want to have actually your business knowledge behind your zero-knowledge proof.
I mean, the example is like, you know, I mean, if you just want to prove that you know basically a prime factorization of a very big prime, then you would just program it with a DSL language. Or you might as well say that, say, I just want to prove that I know, I don't know, pre-image of a hash function, then again, it is something that should be programmed with basically bits with DSL. The idea is somehow that with the help of such a system even like, I would say, non-mathematicians could program zero knowledge, but it's still not exactly true. So I would say, I mean, strong cryptographic knowledge is required if you want to do anything basically with zero programming, but perhaps in like, you know, in five or ten years time we're gonna just reach basically a state where even like, you know, non cryptographers can program basically a zero knowledge in a pretty secure and easy way as far. So that's basically the idea, that's the evolution. So having this platform, you got just a program which is in this domain specific language. They usually, there's kind of a compiler which compiling to the internal computation model, I would say it's usually something which is an arithmetic circuit or rank one constraints, and then basically, I mean, such platforms provide you basically some basic functionality for creating proof based on this compiled, you know, computation model, making some verification and so on and so forth. So basically all are supported or have somehow with this platform, and basically that's somehow the idea. We get the software developer with strong cryptographic knowledge at the moment which creates a high-level program in DSL language, and from this stage basically, I mean, the rest of the work is done pretty much by this kind of a framework, and so the mathematical details are more or less basically hidden. So how do we choose such a platform?
Let me just have like two slides on that. So first consideration is like the core algorithm. We got some core SNARK, STARK, Bulletproof, zk-SNARK algorithm arguments here. I'm not gonna plunge into the details again. That would take like, you know, weeks, and probably if you just use programming with the zero DSL language, you don't necessarily need very much the details of these core algorithms. What you should basically know however is kind of a comparison and, you're like, high-level properties of these frameworks. So usually what is to be considered is the size of the proof, if it's big or small, the more complex, if it's like a constant basically or if it's something that might, you know, increase logarithmic basically, like with the size of your circuit or size of your computation for instance. Verification time is very important as well, if it's like constant or if it increases with the complexity of your computation. Actually proof size is not on this list, but proof size is, I mean, from practical applications proof size is important as well. So if you just like, you know, I mean, expect kind of a web application that could react for instance in real time, and then it is combined somehow with zero knowledge, then actually creating a proof, which is your zone, I mean, mathematically consider actually not to be such a huge problem because it's not considered to be sus in, but in real application, I mean, creating this proof, I mean, the proof time is basically important as well. And we got some other properties as well. So setup is an interesting thing. Basically we got setup for each circuit, I mean, we got algorithms that have like trusted setup for each circuit. Better ways like having like a universal setup, and we got something which is transparent setup as well, which is practically not trusted. It's basically kind of a trust model. Everywhere where you have to trust practically in one party.
That's always a counterparty risk. So like secret like peace and stuff like that might be actually compromised and revealed. So basically we like transparent setup. It's just not always possible, and then there are always some trade off. So if you have like transparent setup, you might as well have like bigger verification time, you might as well have like bigger proof, and you might as well have like, you know, very very big proof time for instance. And then the last properties, for instance, uh, if that core algorithm is ready, is post quantum secure. Usually, I mean, the core, I mean, the first like two algorithms are naturally, uh, there are post quantum secure algorithm, is algorithms as well, like STARK. It's just, you know, I mean, basic platforms support for instance Groth16 and PLONK, and then it's just, you know, I mean, difficult to find like a good DSL and region zero knowledge programming framework, not just for mathematicians but for programmers as well, that supports for instance STARK. But again, I mean, this is the matrix, and then there's no optimal choice at the moment. So you won't find at the moment something which is very fast, transparent setup, post quantum secure. You just have to find some trade offs. And then basically, I mean, this is developed very very fast. So like for instance in one year, uh, you just find like, I don't know, uh, them or such core algorithms that you can consider. So this is one consideration. Uh, the second consideration is like choosing the domain specific language or domain specific framework or platform. Uh, there are many options here. I mean, some of the options are basically on the slides. It's like Noir, it's like Leo, Circom, and so on and so forth. Uh, what basically you need to consider.
I mean, first, I mean, um, these are not just domain specific languages, but again, there's a platform behind, and the platform basically supports different core algorithms. So for instance, we're gonna take a look on Circom just in a second. Circom supports Groth16 and PLONK. It doesn't support STARK at the moment. Then of course, I mean, one important aspects, again from an engineering perspective, it's like the programming language itself, if it's an imperative language, if it's a description language, if it's a circuit programming language. You know, I mean, you might as well say, hey, I don't want to use like circuit programming, I just want to use like, uh, you know, classical imperative or a kind of object oriented, functional language. There's possibility, of course. Then, uh, so again, there's different base programming language. Um, and then what's probably more important, there's like different frameworks for integration. Uh, it's usually a good idea not to develop everything from scratch, but just having the core platform functionalities. So for instance, like Circom has integration with like JavaScript, very good integration with JavaScript, uh, with C++, and it generates even like, uh, like a Solidity smart contracts as well. So it has good integrations for instance with these platforms. It doesn't have a very good integration, uh, with like Rust. You can do it, but you have just to, you know, develop almost from scratch. So it's not too practical. Noir, as far as I know for instance, that's, uh, that's a Rust based language. So certainly it has very good integration with Rust. Uh, I'm not quite sure if it has like good integration with C++ or stuff like that. Another thing to consider is like the technological life cycle. I mean, this whole field is pretty early stage.
So like, I don't know, the oldest technologies, I don't know, three years or four years old top. But despite if you find, so it's always a good idea to use a platform which is like a couple of releases, a couple of bug fix. If it's very early stage, uh, you know, I mean, you will find a lot of bugs in the integrated development environment itself. So unless you like, you know, repairing these bugs, then usually it's just a good idea to choose a platform which is already like a couple of productive releases for instance. So this is some consideration for a DSL language and tool selection. And then basically, I mean, I know Circom. So, I mean, the demonstration is gonna be on Circom. That's, uh, that's a domain specific language. It's a circuit programming language. So if you have ever done anything with like VHDL or like Verilog, they are circuit programming languages as well. Circom, uh, programs not a hardware circuit, but basically, uh, an arithmetic circuit. So it's a little bit different. But if you're familiar with any real hardware circuit programming language, uh, then it won't be such a huge, uh, challenge, I would say. It was already successfully used like in Tornado Cash. It is, I mean, I wouldn't say it's an old technology. Old means in our case, I guess it's three years old. So it has more than one like productive releases, uh, which is a good idea. It supports like Groth16. It supports PLONK. Again, it's, well, as I would say, well established. I wouldn't say it's an old technology. And it supports integration possibilities with JavaScript.
There's snarkjs, there's with C++, and there's an automatically generated smart contract for making verification with Solidity as well. So what I'm gonna do is that I will just try to put this stuff into Hyperledger Fabric. If you're not familiar, Hyperledger Fabric is again a pretty complex, enterprise-ready, uh, consortium blockchain. This is many parts. We just not go very much into the details. Uh, it's just like peers, chaincode, state database, ordering service, certificate authorities and stuff like that. So what I want to do basically, uh, I just want to make some off-chain calculation. Off-chain calculation will look in that way that basically I know a secret and I just want to prove that I know this secret. And, uh, I will just create basically a ZK proof, zero-knowledge proof, off-chain. And I will just send this proof in a transaction to Hyperledger Fabric. And basically I want Hyperledger Fabric to verify basically my proof. And then based on this verification, you know, there should be an output like, for instance: hey, uh, is it a valid proof? Do you really know the secret without revealing the secret, or no, you don't know this secret. Uh, so why is it good? I mean, you can use something, for instance, one example is the secret is like, uh, you know, it's a password. It's like a pre-image of a hash function. I just want to prove that I know the secret without actually revealing the secret. And then basically based on this password, based on the secret, uh, if it is verified in the chaincode, you know, I mean, there can be a functionality in Hyperledger Fabric which is accessible only if you know the password, for instance. Again, this is gonna be a hello world demonstration.
So don't expect much, but we might as well do something on the long run, you know, a real workshop, like, I don't know, three, four hours long, and then we can show more. So let's see some of the code and some action. Anyway, everything is available on GitHub. So, uh, we're gonna send the slides. Uh, you can take the link. Uh, you will find basically everything on GitHub. So let's see some code. Uh, so first I start with basically a program, that's gonna be a program which is written in Circom. And let me just try to zoom it, but perhaps it's enough. So this is a very simple circuit. Uh, it's again a demo. As it's basically an arithmetic circuit, it has like inputs and outputs. What I'm gonna do basically, it's again, it's not even a prime factorization. Again, we are just at, uh, hello world. I just make like a cube and cube root. So basically the idea is that, uh, I can prove that I know a cube root of a number basically without revealing the cube root itself. That's the idea. Okay, so basically I got a cube, uh, which is like a times a times a, and then basically I just want to make a proof on that, that basically I know a cube root, uh, of a cube of a number which is a times a times a, without revealing the a itself, okay. Again, very simple example, but this is just a hello world. So we got circuits. Uh, what we have in Circom, uh, we got like inputs and outputs and some temporary circuits. Uh, so these are the inputs.
These are the outputs and then we make some. So what we have here basically is a computation model. The computation model is, uh, with arithmetic circuit and first order constraints realized. So basically, uh, I have here just like two operators. One says it's like a calculation, which is like an internal circuit, is like a times a, and I got basically a cube which is a times calc, which is a times a times a. And if I use this operator, I don't just define basically like setting the value, but there's a first order constraint behind as well. And I will have just one more first order constraint which says basically the expected cube, I mean, that's the expected result, should be equal to cube basically. So again, that's the only circuit that I'm gonna use. Uh, I will have basically a main sentence as well, and the main sentence looks that way: I just create basically one circuit from this demo one. And what's probably more important, that I will define basically, uh, what are the public inputs. So I got just one public input. That's the expected cube. Again, uh, what I want to do is that, uh, I will prove you that I know the cube root of this expected cube without actually revealing the cube root itself. Okay, so that's all. So what I'm gonna do, uh, as the next round, perhaps I will just, uh, I will just show it. I mean, if you take a look on the repo, I will just summarize everything in the README, so you can take a look. So the first step is basically run, in which I just summarize the couple of, uh, basically commands. Circom, if you install Circom, provides you basically some command prompt parameters. So you get like a compiler. Uh, you can compile your circuit into different files: this is like an R1CS constraint, this is like some C++ extension, and so on and so forth. These are basically the numbers of the signals and so on and so forth.
So it compiles basically. You can even take a look basically at the result of your computation. Then I cheat a little bit because I just pre-compiled everything, again, just for the demonstration purposes. But if I just take a look, uh, let me just zoom in a little bit more. If I just take a look on my pre-compiled circuit, uh, what I see basically, that after compiling, uh, my circuit, uh, which is again, I mean, basically this guy, what I have here, it's like I got like five wires, I got like constraints, I got private input, private input is a, I got like labels. I'm not quite sure what the label is. I got like public input, public input is the expected cube. And basically I have one output as well. I just don't really use, I'm not going to use the output at the moment. But anyway, I mean, just to check if that's the expected value. So that's my constraint and that's my compiled constraint. What I'm gonna do as the next run, uh, it's just a little bit more complicated. I will just show basically in this, uh, in this setup, it looks that way, uh, that basically what you need as the next step is to do a setup. I mean, um, there are like two, uh, core algorithms that are supported: one is Groth16 and the other one is PLONK. Um, in both cases, you need a setup. Um, I will use here PLONK. So basically what you need is a universal setup. Universal setup, uh, I mean, everything is supported basically by Circom. There's a tool which is called snarkjs. And then, uh, there's a so-called protocol which is called Powers of Tau, and Powers of Tau makes for you this setup. So the point is with setup, I mean, independently if it's, uh, if it's a one-per-circuit setup or if it's, uh, if it's a general setup, sorry, it's not the universal setup, it's a general setup. So independently, um, the point is basically that you should not really make any kind of setup fully centralized, uh, by one party.
I mean, again, just imagine if I just generate this, practically, cryptographic material alone, then I can cheat with it. If I can cheat it, or if that material is compromised, then basically I can prove anything, which is not very much welcome. So usually there's a so-called Powers of Tau ceremony, and Powers of Tau ceremony looks that way that there are several parties and basically these different parties gonna, independently from each other, provide this setup. And then if they are really independent, then that means practically that your result will be, I mean, as much random as possible with these independent actors. So in some cases there are like more than 200 such independent actors, and you can just imagine, if there's like more than 200 independent actors, even if one such actor is really random and independent from the other ones, then your setup is practically random or can be regarded as random. And that's the so-called Powers of Tau ceremony. So having that ceremony, uh, what I can basically do, uh, I can just set up PLONK. It's again, there's one command for that. It's, uh, it's with an installed snarkjs library. And then basically, I mean, based off this, uh, setup, uh, we get like different keys, like I have the, let me just try to make it, I'm not quite sure if I can, big enough. But anyway, uh, I will have like, you know, I mean, verification keys and proofs and stuff like that. And if I have all the cryptographic materials, at the end of the day, what I can basically do, I can just use this command prompt. It looks that way. I just basically make a proof with PLONK, based on this witness, uh, based on some input parameters. It's important that we get some input parameters. I just have these input parameters.
It's the cube root, and that's gonna be the cube of this number. And based on the stuff, I can just create the proof. And then based on the proof, uh, basically based on the verification key and like some public JSON, public JSON is basically the public inputs, and based on the proof, I can even verify it. Okay, um, I'm not gonna show this one. But what I want to show is that basically, uh, I just wrote a proof and verify JavaScript library. Not a library, it's just an npm function. So based on this data, uh, you can use practically this data in JavaScript as well. So if you have like any kind of, this is like Node.js, if you have any kind of Node.js application, then you can use this, uh, these guys, uh, this snarkjs PLONK proof and verify functionality in an easy way as well. So I'm just trying to do one proof. It's again, it's a very simple, uh, Node.js package. I just got inputs, I got the wasm, that's practically the compiled circuit, and I have like the proving keys. So if I have all these, then basically let me just give a shot and then create basically a proof. Uh, I will just say, hey, I will call basically this functionality and say, I mean, proof basically, uh, based on some keys, uh, based on the input. I mean, I proof here. So basically I have both my public and private inputs as well. And then, uh, I have the compiled circuit as well. So that's the proof, uh, and then, uh, sorry. As a result of a proof, I got first the proof. I mean, this one is the proof. It looks that way. Uh, honestly, I don't know each and every detail on this proof, but basically that's your proof. Basically, and you have like actually a public signal output as well. These are the public signals. This is just the cube.
Uh, so, so don't see, if you just go back and take a look on the input: in the input we get both the public input, which is the expected cube, and we get the private input as well, private input is the cube root. On the output, or on the public input signals, at the end of this command, uh, we just see the public information. And, uh, we can easily write something in Node.js as well, which is like a verification. Again, I just wrote basically a very simple Node package. Process, it looks that way. It's again some JavaScript support. So you get practically the snarkjs PLONK verify. You need to have the verification key, uh, it was generated by the setup. You need to have the inputs, and what's important here, that the inputs are here only the public inputs. So you don't see the private input anymore, and you just need to have the proof basically. So if I just call this guy, again, I just have the, uh, verification key. I will just call with the public signals. Uh, I have somewhere the public signals. Yeah, these are the public signals. It's actually just one signal. I'm not quite sure why it is, uh, it is listed two times. But if I just call it with this public signals and basically with the proof, uh, then I can call the verification function. And basically that's all, uh, so we don't see like big magic at the end. We just see if the verification is true or false. I mean, that's it. That's what we wanted to achieve. But again, basically I just verified, uh, this guy without the private input. So I just verify that anybody created this proof knows basically, uh, the cube root, uh, of that cube, and that cube root itself wasn't basically revealed. Okay. So how do we put this one into Hyperledger Fabric? Um, so what we need to basically have is like, uh, kind of JavaScript chaincode. Uh, we just want to put this thing into a chaincode.
So I just want to create basically, uh, an off-chain proof, and then I just want to basically, uh, put this proof with the input parameters, uh, into, uh, into a transaction. I just want to send this transaction, uh, into a Hyperledger Fabric network, and then basically, uh, there should be a chaincode in my Hyperledger Fabric network, uh, that validates, uh, basically my, uh, my zero-knowledge proof. So what I'm having here, I mean, first, Hyperledger Fabric supports like three different chaincode languages. One is Go, uh, the second one is Java, and the third one is JavaScript or TypeScript. Basically, I'm using here the JavaScript version. Uh, if you're familiar with fabric-samples, I use here basically fabric-samples, and there's a fabcar demo under, uh, under, and there's a test network demo and the fabcar demo basically. So I just have, and I just extended, the fabcar JS. That's again a fabcar demo under Hyperledger Fabric under the test network. And I just extended with one, uh, basically transaction. I mean, uh, I mean one functionality, which is a verify. I cheated a little bit, uh, because, I mean, for verification, as you might have seen, you need like three different things. If I just go back: you need the verification key, you need the public signals, and you need the proof itself. So in this three guys, it's just calling Hyperledger Fabric sometimes from a command prompt, um, as a transaction is not so easy. So what I basically did, I just have one input here and I put basically, uh, the rest, uh, at the beginning of my chaincode. Again, this is just a fabcar chaincode. So I get my verification keys here. That should come here. I mean, that can come here basically in your chaincode. I have the proof here as well, which is not so nice. But again, it's just, uh, putting this full proof into a command line, to a Hyperledger Fabric transaction, is a little bit freaky.
So I have basically both of my stuff here, and I have just one input, and with this input is basically, uh, my verify functionality. Okay, that's my input functionality. Okay. Um, so this is basically a new function in the fabcar demo, and what I did, I just extended one Hyperledger Fabric function, uh, which is the change car owner. You know, it looks that way, uh, with this demonstration code, you can just create like cars, you can change the color and the owner and stuff like that for these cars. So I have just extended one code, which is the change car owner. And basically I just put this verification code here. So basically what I do, I just call this verify, uh, again with the inputs, but I mean, in this demonstration just with the inputs. But actually you should have like the inputs, the proof as well, uh, and I just call this verification here. And if it is not authorized, if it is not correct, I just give an error which says unauthorized, and if it is fine, then I just make the rest of the code, which basically changes the owner of a car. So let's see if that works. Uh, so we got here practically, I just started, uh, one Hyperledger Fabric network. It's the test network. So we just see the components. I just installed these components previously because it just takes time. And what I will do now, I will just check some of these functionality. I just pre-configured the command prompt, so I can basically, I mean, calling Hyperledger Fabric from command prompt is a little bit like, no, not so nice. But basically what I can do, if I configure basically the command, then I can make some query and I can just execute some transaction. So what I did for the first round, I just, let me just clear it and have it again. I just call the query all cars. It's a standard functionality in this demonstration. We don't have cars at the moment. So what I'm gonna do?
I'm just creating a test transaction which adds one car basically, uh, to my demo, and it looks that way that basically, after adding one car, what I will have is that, hey, I will see one car in my demonstration. It's basically, it has some properties. It is a key, like car 11, green, Doctor, uh, it's a Nissan. It's, uh, and there's an owner which is Shioban. I'm not quite sure, um, which language is that, but anyway, uh, we get one car in the model. So, I mean, this happened basically without, um, zero-knowledge proof. So let me just take a look and let me just call basically this verification function, uh, which again, uh, looks that way at the moment. Uh, it has some inputs, and that should, based on the inputs and proof and verification keys, it just says if my zero knowledge is correct or not. So what I'm gonna do is just, I just call this guy. Again, this is my inputs. It's just the cube of my private input, which was the cube root, but I will just publish actually the, uh, the public inputs. So after calling this functionality, uh, what I will see is a true. Um, so basically it looks great. Uh, it was verified. Let me just take a look, if I just, you know, I mean, edit something in this input, for instance, uh, if I manage, that's my, yeah. So if I just edit something, basically I should see a false. So it really works. It makes some verification. So what I do is as a next one, uh, I just try to call basically this change car owner, uh, and it looks that way. I just want to change the owner of car 11. Again, the owner of car 11, uh, that was like, uh, this guy. That was like Shioban. And what I want to do, I just want to change the car owner, uh, to Johnny. Okay, and then again, there's like an additional authentication. So basically if I have a correct zero-knowledge proof, I mean, if I know a pre-image, uh, not a pre-image, but a cube root of a cube, then I can change the owner of the car.
Otherwise I just can't. So what I do first, I just make some wrong configuration. So first I just want to make sure that if I have like the wrong proof, again, I mean, I just cheat a little bit because it's just easier, it's gonna be the wrong input, but it works the same way with wrong proof as well. So if I just want to do that, then I get basically an error message which says unauthorized. So I just couldn't basically change the owner. And then if I have the correct input, basically, I mean, it means the correct public input and the correct proof, then basically, uh, the transaction should be successful. And then I should be able, so I see basically a correct chaincode invocation. And I should be able to see that the owner of the car got basically changed, and from Shioban we should see something which is, I guess, gone in. And then here we are, we see that the car owner was really changed. So basically our very simple hello world zero-knowledge-proof-based authentication in Hyperledger Fabric was working. So I would say this is pretty much end of my demo. It was taking longer than I had, that I expected, honestly. I mean, I just apologize for that. That's basically the first time that I demo like zero knowledge with Hyperledger Fabric. So I just couldn't really estimate basically the time. But I would say that was the demonstration. And then we have like, I don't know, I guess like 15 minutes left. So now we are ready for, you know, I mean, discussion, questions, comments, stuff like that. Uh, it's like actually, uh, let me ask actually the first question, which I can't answer. Uh, but anyway, that's an interesting question.
Uh, so if you're familiar with Hyperledger Fabric, you might as well ask, uh, so like you can do something similar with private data collection and transient field as well. So like you could do something that you send the information, and because what I did basically, I just made some authentication in a way that some data remained private, I would say, not seen, that was my cube root. So it's something which might be possible basically, uh, with like, uh, private data collection and transient field as well. And it's a very interesting question in which way, uh, we should use for such scenarios zero knowledge, and in which way we should use like, you know, I mean, private data collection and transient field. It's something that I can't really answer at the moment. It's an open point. I mean, if you're familiar with Hyperledger Fabric, there are a lot of, uh, like design patterns that you can do with like, uh, private data collection and transient fields. So like with data which not gonna be, at the end of the day, uh, on your ledger. Uh, it's, I would say, I still didn't really find much with zero-knowledge proof. As I demonstrated, it's doable. Uh, it probably needs some, you know, a lot of like discussion and brainstorming to see which are the, I mean, which are the design patterns, uh, for using zero knowledge, for instance, in Hyperledger Fabric, and which are the ways where you should use rather like, no, private data collection or transient fields, and which are the ways, I mean, for hiding data, and which are the ways, uh, where like, you know, I mean, such a zero-knowledge proof is something which is, I mean, better.
I would say. So that was my first question that I couldn't answer. So, uh, but anyway, uh, if you have any questions, uh, first I would suggest just go ahead, just unmute yourself and ask it. Um, otherwise what I'm gonna do, I just try to browse basically the questions, and then let me just try to answer basically. Um, so, yeah. Um, so I just, I don't know, pick a couple of ones from the middle, pretty randomly. Again, if you have questions, just go ahead, just unmute yourself and just ask. Uh, otherwise just picking, uh, picking questions randomly. So, uh, so basically, uh, Circom, as far as I know, Circom itself was written in Rust. So there's a whole platform behind Circom, uh, which was actually, the platform itself was written in Rust. At this point I'm not quite sure if it is very simple to integrate into a Rust program. Uh, dot circom file is, uh, if I just can change back. Yeah, I just can't see because of my, of my. Then also, so this dot circom file is actually a text file which contains basically a circuit, an arithmetic circuit description. And this is our arithmetic circuit description. But as soon as we say like compile, um, then there's a whole framework behind which, as far as I know, or as far as I know the version 2, uh, of Circom was written in Rust. Uh, yeah. But I mean, this one is a domain-specific language. So this is certainly not Rust. It's not even, uh, like, you know, VHDL or something. It's, you know, it's a specific language. That's what, uh, that's what, um, I mean, the domain-specific language. Uh, so I'm, uh, I don't know, I'm just browsing the questions, uh, but if you have any questions, I mean, you can just, uh, go ahead and unmute yourself and just ask it. Uh, I mean, as I see, I mean, there are already a lot of answers. Uh, yeah, uh, this is a very good question.
There's a question regarding computational overhead. Uh, so, uh, if I just go back to this slide. Um, so in terms of computational overhead, uh, usually what's considered, uh, to be fast, or measured, is the verification time. Uh, and again, uh, this is more important. So if you just take a look basically on this Hyperledger Fabric, uh, model, what we do is that, uh, we create our proof off-chain. So the indirect estimation is that this can be, you know, as slow performance as possible. What needs to be actually fast is the verification. This is because, uh, because practically you need fast verification because of your block time, which is considered to be like two seconds as default, but even if it's like, you know, one second or something. So verification should be fast, and basically, uh, that's a point. So like with Circom, with PLONK, like even with like, uh, big, uh, circuits, I just had like, I don't know, in one example it was like 300 milliseconds. Might be contradicts with this number, but again, so the verification is fast, uh, usually, even with Groth16 and even with PLONK. If you use something else, which is not supported by Circom, that can be a problem. So if you just want to use like Bulletproofs, if you want to make the verification on chain, and you have like one second block time and the verification time is three seconds, yeah, that might be tricky. Actually, that might be even tricky with Hyperledger Fabric as well. The other point is basically your proof time. And then, um, so this is usually not considered very strongly from mathematicians, but in real-life applications, I mean, this can be a problem. So in large circuits, I have like here.
I don't know, uh, two, three minutes. In very large circuits, uh, circuits, this can be like, I don't know, uh, you know, 10 minutes or 20 minutes, if you have something which is extremely big. So for practical application, verification time, uh, sorry, not verification, proof time might be an issue. I mean, I would propose generally, uh, you know, before planning productive system or designing productive system, just try to set up like a circuit with a similar time and try to measure basically, I mean, both the proving time and actually the verification time as well. Again, um, verification time is strongly tried to be pushed down by cryptographers, uh, but that's usually theory. So even if you have like, you know, I mean, constants, like verification time, theoretically it might be like two factors bigger, uh, just because it has been implemented in a JavaScript library and that JavaScript library is not performant enough, for instance. Uh, and then, yeah, so proof time might be an issue. It depends on your application. So, uh, is it a bad thing if you have like, you know, three minutes proof generation time? It might happen actually for big circuits. Is it an issue or is it not an issue? It depends on your application. Yeah, that's a very good point. Again, uh, this is more like an engineering perspective of designing system with, uh, with zero knowledge. Yeah, uh, so perhaps, yeah, one point is, um, so how secure is this whole stuff, and then, uh, that's a difficult question.
Uh, basically, uh, I can give just a high-level answer. So if you have like, you know, extended zero-knowledge proof in your system, uh, at the moment, uh, I would suggest to call, uh, you know, a hardcore cryptographer, um, especially for, uh, for auditing the security of the system. But generally, um, so there are ways of cheating such zero-knowledge proof. I can mention a couple of things. Um, so first, I mean, if your DSL language and platform is not battle tested, it can cause problems. For instance, uh, if your zero-knowledge program is not good, and it depends on your execution model, on your DSL language, that might cause problems. So for instance, in circuit programming, uh, you have to pay attention that basically, uh, you have like many operators, but like you can have something which is, uh, which is just setting value, I know, it's like b times c. So this operator is just setting value without like creating an arithmetic constraint, and like such operators can be cheated, for instance. So if you have like a wrong program here, then it can be cheated. This is one thing. Then another thing is, for instance, again, you get this setup ceremony. If you leak information, uh, at your setup ceremony, or if you make it in a total centralized manner, and if that leaks, uh, then basically anybody can prove anything. Um, again, that's a way of attack, uh, basically. If you use this Powers of Tau, then you should just take a look actually in the literature how Powers of Tau ceremony can be used in a real decentralized and secure way. But again, if you just do it as I do it now, and then I just stream my share and everybody can see everything, again, that's, uh, that's a bad idea.
That's, uh, that's a bad thing. Um, as a fourth idea to attack such schemes is probably, if your verification key is somehow cheated, that might be actually a problem as well. So, I mean, having like a security of a ZKP system, even if you have like, you know, the underlying platform, uh, which is considered to be secure, is something that can be complex. I would say this is something similar as you write programs with like Solidity. If you deploy like a Solidity smart contract, there are many dos and don'ts that you should consider, um, just to have your, uh, smart contract to be considered as secure. Uh, the same thing is true, uh, for zero-knowledge programming as well. And then I just mentioned a couple of examples. I don't have like a full list at the moment, but, you know, I mean, perhaps we can do like, I mean, in a subsequent meetup probably. So, I don't know, uh, we are slowly running out of time. Um, so I would say, if you have like one last question, uh, basically, uh, then we just give a shot and then we might answer it. Uh, so if you have like one last question, I mean, you can likely, uh, go ahead and unmute yourself and ask it. Uh, otherwise, it's just, uh, it's a seondra typing some answers for the more cryptographic-oriented questions. Yes, so we don't know the answer for this last question, but, uh, but we can take a look. So anyway, uh, it feels like less than one minute left. Uh, I would say, uh, that was the meetup and presentation, uh, for today. Uh, thank you very much for your attention. I hope it was interesting. I mean, I hope it was not very boring basically, even if my demo was, uh, I mean, it just took longer than I expected, but I hope it wasn't too boring. Um, so thank you very much for the attention.
I mean, if you have like any questions, you can just contact us basically on LinkedIn, and certainly, uh, which is gonna show basically, which is gonna send, uh, I mean, all the presentation materials. I mean, both the slideshows, and then basically you can find the GitHub repository as well. So like, I mean, David gonna send it. It's probably, you can get it like by tomorrow or tomorrow. So again, uh, that was for today. Uh, thank you very much for the participation and, uh, and attention, and I hope it wasn't very boring. Yeah, that was great. Thanks Daniel. I'm thinking thanks and drosh and thanks everyone for joining. Thank you guys. Hey, bye bro. I'll send an email with the details later.