 Welcome back. So we have with us Takamichi Tsutsumi, and he's going to tell us about a private exchange application that was built on top of ZK Op Group. Thank you for coming. My name is Takamichi. Today I'm going to talk about the private exchange. Yes, I'm software engineer at the Privacy and Scaling Exploration team at the ATEM Foundation. And today I want to explore a privacy-preserving decentralized exchange on ZK Op Group. For this project, we are aiming for more private peer-to-peer exchange system. And private exchange consists of three different zero-knowledge protocols to protect users' privacy. In this talk, I'm not going very deep on the technical details of the protocol, but I will show how those protocols work and how the protocols are used in private exchange. Before diving right into the private exchange, let me start with one question. So why do we need privacy? I think there are many reasons for many different people and for many different use cases. So I'd like to share my opinion on this today. The privacy is important because it can contribute to censorship resistance. On public blockchain like Ethereum, transactions on all the transactions on the blockchain are all visible to everyone, so it can be censored mostly in smaller networks because the number of validators and block builders are relatively small, so the censorship likely to happen more often. For example, if you want to spin up minor roll-up on Ethereum, this is the case. And for second, it also can mitigate the MEV or front-running. So if the privacy of the transactions can be kept at work to prevent the MEV and front-running, but most importantly, it is a human rights. The privacy is a human rights. Here is a quote from the Universal Declaration of the Human Rights in Article 12. The opinion is we don't need any reason to work on protecting privacy. We need privacy because it's human rights and we should care when we're building an application. And today in this talk, I will walk you through how we approach to protect privacy when building a decentralized application like private exchange. All right, let's get into the interesting part. What is private exchange and how it works? So what we are trying to achieve with the private exchange is to make exchange process more private. Yes, very simple. And don't let users to expose their information or intentions. That's our goal here. So what exchanges do? Exchange let users exchange their tokens. In this diagram, Alice sends 1.08 to exchange and gets 1,050, 500 die in exchange. There are more functionalities, but I'd like to focus this one function today. And there are two popular constructions in decentralized exchanges today. The first one is automated market maker. In this kind of exchange, users can typically exchange their tokens without a counterparty. This means that Alice just interacts with a smart contract and doesn't need to anyone else doing an opposite trade. The price is calculated automatically in the smart contract and Alice can exchange tokens on that price. The second approach is an order book. In order book, Alice puts something called an order to an order book. And the order contains information such as token pair, amount, and a price. In this example, Alice wants die in exchange of it. An amount she wants is 1,500 die. And a price is 1,500 die per it. And if there happens to be some other order by Bob, who wants to do the opposite trade, sending 1,500 die for 1 it. Then the order book attempts to match the orders and executes the swap transaction by sending transaction on chain. And one thing to note is that order books can be on chain or off chain. If the order book is on chain, Alice posts an order to the smart contract order book. Then Bob finds the order on the smart contract and takes it by sending transactions. And if the order book is off chain, there's typically some intermediary order book provider that collects all the orders and trying to match the orders. But in either way, the orders Bob and Alice sends includes the information that order book provider or smart contracts can find a pair. Okay, now it's time to think how we can execute the process more privately. In order to make exchange process private, we come up with a relatively simple peer-to-peer exchange system. And it is somewhat similar to an order book construction here, but it tries to keep information private as much as possible. So let's look at the order book diagram again. Here we can see the parts that are not private in this diagram. The contents of the orders Alice and Bob sends to the order book are not private. And the transaction that order book sends to the blockchain is not private. So how do we make this more private? Here we use three zero-knowledge protocols, Blind Find and Socialist Millionaire Problem and ZK OPROO. Okay, firstly, let us think of how we can make orders more private. In the order book system, order book is the one who collects all the orders from users and make matches. So Alice and Bob needs to send the order data to the order book provider. But if they can compare prices and make a match in more peer-to-peer way by directly sending messages each other, then they don't need to reveal the data to the order book provider at all. But wait, how does Bob reach out Alice in peer-to-peer network? We use Blind Find protocol here. Blind Find is a network that peers have neighborhood lists and Bob can look up Alice and prove that he can reach to Alice in the network. But importantly, Bob can search for Alice in the network but without revealing that Bob is the one who is searching for Alice. So the neighbors that receive a message from Bob will never learn that Bob is the one who is searching for Alice. So in this way, Bob has some privacy of that. He has some intention to take Alice's order in the public board. Now, Bob can reach out to Alice to execute the peer-to-peer order matching. Thanks to the Socialist Millionaire Problem here, we can do the private peer-to-peer order matching. Socialist Millionaire Protocol is used to check the equality of two values but without revealing the actual values. So the idea is that they have some numbers in mind. Let's say Bob has X in mind and Alice has Y in mind. Then they don't directly send in the original values but instead they derive some values by calculating some mathematics and also they use some random values and exchanging messages. Then after the exchange is complete, they can test that if the original values that Bob has in mind and Alice has in mind are same or not. But here Bob cannot calculate back using the received value to Y and Alice cannot calculate X from the derived messaging values. And we use this protocol to check if the prices that Bob wants and Alice wants much or not. And here is how things work in private exchange. So firstly, Alice creates information to public board but without a price. We call this advertisement and Bob finds the advertisement on public board and search Alice in the blind find network. If the price matches, they proceed to create transactions. In this way, we could omit the intermediary who acts as comparing the price and making a match and preventing posting the prices they want to public. Now the order is partially private because they can post an advertisement without price. And now we should think about how we can make these transactions right hand part private. So here comes ZKOPRU. ZKOPRU is an abbreviation of zero-knowledge optimistic roll-up. We use ZKOPRU for privacy and optimistic roll-up technology as a layer-to-technology protocol. And in essence, we can make secret transfers with cheap fees. We can prove that those transfers are valid using ZKOPRU but without revealing the contents of the transfers. But there is another thing, a secret atomic swap. So there is a feature called atomic swap on ZKOPRU. And let's say that Alice and Bob agreed on some price using socialist million problem and they want to create the transactions called atomic swap. Atomic swap transactions are a pair of transactions and has to be included in the same block. So in this case Bob sent Alice 1,500 die and Alice sends 1.0 is to Bob. The two transactions have to be included in the same block. And if not, it's not valid transactions anymore. And of course the transactions contents are secret. Even block builders called coordinators cannot see the contents of the transactions. So using the secret atomic swap, the transactions sent on the blockchain is private now. So here is a diagram, complete diagram of the private exchange. Alright, so let's go over the private exchange flow again. So firstly Alice and Bob joins the network called BlindFind so that they can reach to each other but without revealing that they are finding someone in the network. Next Alice posts an advertisement on the board. But without a price. And next Bob finds the advertisement and Bob search for Alice in the BlindFind. If they successfully Bob finds the Alice, he start executing socialist millioner problem to compare the price that they want. And if the price are same, they can create atomic swap transaction and send it to ZK Opru. And this process advertisement is partially private. And price matching is done privately. And peer finding is done privately. And transactions contents is also private. So what I've talked today is one simple example of a privacy application. And what I talked was firstly I started with what does this application do? So in our case, it is an exchange. So exchange let users to exchange their tokens. And in that process, which part of the exchange process is should be private. In our case, it is an orders and transactions sent on chain. And lastly, I talked about how to make those informations private. We use three large protocols, BlindFind and socialist millioner problem and ZK Opru. And as a result, the private exchange does not reveal transactions content. And it does not reveal price of the orders to public. And it also does not reveal the peer-to-peer routing in the network. But at the same time, there are challenges in these constructions. Firstly, socialist millioner problem can check the equality of the values. Therefore, it's not easy to compare, for example, to use a range to create a match. So in the application, it's harder to find the counterparty like Bob. If the SMP can work only this way. Secondly, an advertiser needs to stay online while waiting incoming socialist millioner problem messages. So Alice, after sending advertisement on public board, she has to stay online until Bob shows up. And finally, users need to join BlindFind network before starting the process. And also run the BlindFind process while in the application. So these are the challenges. And it directly affects the user experience of application. But some of the challenges can be mitigated on the application layers, but some other needs improvement of the cryptographic protocol layer. So in privacy and scaling explorations team, we do many privacy projects like applications and also cryptographic protocols to improve privacy in this blockchain space. If you're interested in those projects, please take a look at our homepage and discord. And I want to give a shout out to the team. What's up. Jane. Give me Geo chance. Charlie Rachel. Thank you. Questions, please. First quick question is the SMP interactive or non interactive. It's interactive. So, so you have to basically, so like if there's a list of advertisers, a user will have to communicate with every advertiser, right? Yes. So this doesn't really scale well as any increases is n squared, like complexity for. Yes. Okay. So that's that's. Yes, that's also what you challenge us as well. Yeah, sort of on the same vein. One question I had was because, you know, you still have to do the SMP to find the price. You sort of know a general idea of the price because you have other markets that you can measure the price from. And so is there any prevention mechanism for like a mass the anonymization of the of the price the ads in a way that somebody could just keep trying to discover the price and build up an order book. That sort of matches the expectation of the ads, because there's no obligation to actually trade on any of these ads, right? So you could just try to brute force to figure out the actual order. Yeah. Yeah, yeah. So for currently implementation, we don't have like such features. But as you said, it needs like the many times of SMP trial to find the price matches. And also, we don't have like to prevent it to prevent such details, like types of attacks right now. So, yeah, we need to work on that. Thank you. Thank you.