 So this talk is supposed to be an introduction to CK Snarks. I will start with a general problem setting, then try to explain what zero knowledge is, and then give a quick walkthrough of CK Snarks. So CK Snarks are important, especially for blockchains in two aspects. The first aspect is that blockchains scale much better if they only verify a computation instead of actually doing the computation. So we'll see later what that actually means. And the great thing about CK Snarks is that the verification is magnitudes faster than the actual computation of CK Snarks. The downside again is that CK Snarks themselves add an overhead, but we'll hope that this balances out so that they can actually be a scaling solution in the future. Then the second aspect is that in blockchains, everything is public. All you send to a blockchain is readable by the whole world. And CK Snarks help there because they add a property that is called zero knowledge. OK, let's start explaining what zero knowledge is, or more importantly, so zero knowledge is an aspect or a notion that was defined in the area of interactive protocols. And in an interactive protocol, you always have two parties, a prover and a verifier. And the prover wants to... So this is a quite small room. And I think it's very important to get a very high-quality recording of these talks, so please don't do this stuff with the lights. Sorry for the technical... So we are fixing, just one moment, please. OK, in interactive protocols, you always have two parties, the prover and the verifier, and the prover wants to convince the verifier about a certain fact. It has... This protocol has the property of zero knowledge. If the prover can convince the verifier that the fact is true, but without verifying any detail about why it is true. This sounds really weird, and I hope the examples on the next slide will be verified. And examples of such statements are that a given message is a valid transact in the blockchain, or more abstractly, there is a w such that a f of x, comma, w is y for a fixed function f. But let's take a more specific example, and so one would be a mini Sudoku board is solvable. So what is mini Sudoku? You probably know the regular 9 x 9 Sudoku, and to fit it into the presentation, I will talk about a smaller version, a 4 x 4 Sudoku, but which is the same thing in the end. So you have a board with 4 x 4 cells, and some of these cells are prefilled with numbers between 1 and 4, but not all of them. And the task is to fill all the remaining cells in a way such that in each row there is exactly, so that one of the numbers between 1 and 4 appears exactly once in each row, it appears exactly once in each column, and it appears exactly once in each of the 2 x 2, in each of the 4, 2 x 2 sub squares. And so of course the regular Sudoku games, it's always clear that it's solvable. The question is how, but in this setting, we want to, so the prover wants to convince the verifier that the board is solvable without telling anything about how the solution looks like. And in the general setting, you would also consider boards which are not solvable, and then of course the prover cannot convince the verifier that it's not solvable. So this only works in the positive case. And it is important to note that the protocol we will see next, the size of the puzzle is irrelevant for the protocol. It works for nine times nine, or for 1,000 times 1,000 boards. And the only things we need are a table, a sheet of paper and a pen, and then an opaque sticky tape and a dice. Okay, and so it starts, so of course the prover has the secret solution to the puzzle, it looks like that. And the first step, what the prover does is she shuffles the numbers, so uses the dice to create a replacement of the numbers. So she doesn't move the numbers on the board, but she replaces each number by a different one. So each one is replaced by a three, each two is replaced by a four, each three by a two, and each four by one. And this is how the shuffled solution looks like now, and I also added the replacement here. And because of the specific properties of the Sudoku problem, the shuffled solution is still a solution. So you still have each of the numbers exactly once in each row, exactly once in each column, and exactly once in each sub-square. But it doesn't necessarily fit anymore into this initial setting of the pre-filled cells. Now, the next thing that happens is that the prover writes the shuffled puzzle on a piece of paper and covers each cell individually with a piece of sticky tape. And then the prover puts the paper on the table for the verifier to see. And now it's the verifier's turn. Okay, that's how it looks like now, everything is covered. Both the cells and the replacement is covered with tape. Now the verifier has the following choices. She can either ask the prover to reveal a certain row, reveal a certain column, reveal a certain sub-square, or reveal the initially filled cells from the initial setting and the shuffling. So let's assume she chooses to see the initially filled cells, then the prover will just peel off the sticky tape from the cells from the initial solution and from the substitution, from the shuffling. And the verifier will check that this matches the initially given problem setting. So she looks at the problem setting here on the right. For example, in the top row, there's a three. She looks at the replacement and the shuffling sees that three is replaced by two, looks at the cell in the partially covered table and see that there's a two, so that that matches. And she does that for all the cells in the initial problem setting. Okay, and what just happened? So the prover revealed parts of the, reveal the shuffling, right? Doesn't that reveal any information? I mean, the shuffling is, the prover chose that in secret, but it's not part of the solution. So that's totally fine. And all the initial cells, I mean, there's nothing to be learned there, right? So no private information was shared in this turn. And now these steps one to five are repeated multiple times. And the one very important thing here is that the prover always has to find a completely random shuffling in each round. If the prover uses the same shuffling and the verifier knows the fact, then information can be revealed. So yes, and only if you choose a new shuffling in each round, you achieve zero knowledge. So let's do a second round. We have a newly shuffled board with a newly randomly chosen shuffling and cover that again, put it on the table and now the verifier again has these choices. She chooses to, she wants to see column two. So the prover peels off the sticky tape from column two, but it's not peel off the sticky tape from the shuffling. That's very important. And now what the prover does, and what the verifier does is she checks that each of the numbers one to four appears exactly once in this column because that's the property we want to have. And now you might say, okay, the prover just revealed the numbers in the solution. So some private information was revealed, but that's actually not the fact because this replacement was completely random. Any replacement has equal probability and each replacement actually corresponds to a permutation of this column here. So every correct solution inside this column is equally likely. So not a single bit of private information was revealed here. And yeah, so, and if you repeat this multiple times then the prover cannot cheat or at least it becomes less and less likely for the prover to cheat because the verifier doesn't check everything. She only checks a certain part of the solution in each round, but there's always a certain probability that she will find the error and the overall chance of success in cheating of course decreases exponentially with the number of rounds. And the important thing that happened here is why this works is that the prover actually writes the numbers on the paper, covers it with tape, so it's impossible to change the numbers after the verifier has made her decision what to see. That's basically the way we buy this protocol works. Okay, this was Mini Sudoku and from this example we want to go to CK Snarks. Mini Sudoku still has lots of problems. It's not a really nicely usable protocol and the first problem is that it doesn't use, it doesn't work for generic computation, it just works for these Sudoku boards. But that's actually not true, so you can take an arbitrary problem in computation and transform that into the Sudoku problem, so this is called a reduction or you could also just see it as, you have a solution written in one programming language and you take a compiler and compile it into a machine language. This is also, I mean this is done all the time. These problems just look a little less than computers but they can actually encode all these problems you could think of, so this is a solved problem. It takes a lot of engineering work to make that efficient, that take for granted, but the general problem is solved. So what is actually more problematic is that Mini Sudoku takes many rounds of interaction and this is especially problematic for a blockchain where you want to create a transaction, send it to the blockchain and the blockchain should verify it and then be done with it instead of having all these rounds of interactions and especially the verifier is a person separate from the blockchain that has to use their own randomness and that would also not work in the blockchain context. So we have to reduce the rounds of interaction and at the best reduce it to only one. And the reason why we have this many interactions is that because a single tiny error could be hidden in any cell of this Sudoku board and if there is a single error then the whole solution is wrong. So we have to do these many rounds to increase the likelihood of actually finding this tiny error that is hidden in a single cell. But if we take a different problem that does not have this, if we have take a different game that doesn't have this problem then, okay, let me start again. So we have to find a different game that does not have this problem. So we have to find a setting where a single error is visible almost everywhere and polynomials have this property. So if you change a polynomial in a single place then this will usually change the full polynomial. So take a look at this polynomial here. This is the graph. And now let's change this two X to the four into a one X to the four. And we will get this graph here. And you see it's different at almost every point. And there's of course a theorem that says that two different polynomials of degree up to n can coincide in at most n points. So, and of course, this that we take polynomials that are low degree. I mean, it can still be quite high degree but the degree is usually tiny compared to the number of points we can evaluate the polynomial at. So, and with that we get the error probability to a point where it's negligible. Okay, how do snarks now work? How do they use these polynomials? We use, yeah, special polynomial equations where a proven knows a secret polynomial W such that for all X, A of X times W of X equals B of X times C of X. This is a simplification. Usually you have multiple polynomials and you have to have a way to choose a selection of polynomials according to some rules. But I would like to keep it simple here and just take a single polynomial. So, W is the secret solution that is only known to the prover and the prover wants to convince the verifier that she knows the solution. Oh, yeah. So, and what happens now is that the verify chooses a secret evaluation point. To check that these polynomials are equal that this polynomial equation holds and asks the prover to evaluate the secret polynomials and you already see that this doesn't really work. So, the verify has a secret point. The prover has a secret polynomial. So, and they both don't want to reveal their secrets. So, we have to add another tool and this is homomorphic encryption. Homomorphic encryption, yeah. And then, so they use homomorphic encryptions and magic happens and then the verify can check whether the two polynomials are equal or not. So, what is homomorphic encryption? It allows you to perform computations on encrypted data. So, you have a known function, a known program, but you don't know the inputs that are encrypted some way. You perform the computation and the result is the encrypted version of the result. This does not yet work for arbitrary computations, but so there is theoretical work that allows that, but it's not really practical yet. But we have a tool called pairings which can do it up to a certain point and this point is arbitrary sums and a single multiplication at the end. So, A of X times W of X is a single multiplication. So, it works fine until you take a closer look and see that we actually have more than one multiplication here because X is taken to certain powers inside the polynomial. But this can be worked around by taking a look at this separate for each power of X. Yeah, so you encrypt X. So, you take X to the K and encrypt that and then perform the addition inside the polynomial and the multiplication here at the end. Yeah, and this allows the prover to evaluate a polynomial at a unknown or encrypted point and thus the verifier can check that the polynomials are equal or whether they are equal. Okay, we now reduce this whole thing to a two round protocol. The prover claims something, the verifier chooses a circuit point, prover evaluates the polynomial, verifier checks that they are equal. But we would like to reduce that even further and here is where this thing called trusted setup comes into play. The way it works is, okay. Yes, that's what I just said, sorry. I'll sync with the slides. If you take a look at the procedure here, you see that we don't really need to go from the encrypted form to the decrypted form in the end again. We can just check equality on the encrypted form. So if the encrypted version of X equals the encrypted version of X, then X equals X, yeah. So what we actually, what we don't actually need is the decrypted version of X. So this initial X that got encrypted then sent to the prover and the prover evaluates the polynomial. We don't need this initial version anymore. We only need it once to encrypt it. And this is what the trusted setup does. And especially if nobody knows the non-encrypted version of X at any point, then we can actually reuse the encrypted version of X all the time. We just have to generate it once. And this is exactly what the trusted setup does. We generate an encrypted version of X in a distributed process in a simplified way. You can think of that like, and why do we want it to be distributed? Because we want to share the responsibility among multiple persons. So we want to, if anyone publishes this decrypted version of X, then we can create fake proofs. And if we do it in a way that the encrypted version of X is a combined version of the secrets of all participants, then we require all participants to publish the secrets in order for it to be broken. So, yeah, that's how the trusted setup works. Yes, and this is the, so these secret numbers generated by the participants of this setup is also called the toxic waste because they should not ever publish it. They should just destroy it. Okay, do I have time for a quick wrap up? So we have the trusted set that it generates a reusable encrypted evaluation point. The prover evaluates the polynomials at this encrypted point using homomorphic encryption, using pairings, then verify a checks that the numbers are equal in an encrypted form. This is all quite simplified. I hope the next talks will go into depth there more, and zero knowledge, oh yeah, right, we didn't talk about zero knowledge. This is actually, I mean, the interesting point about Snarks is actually not that they allow zero knowledge, it's that they allow this speed up in verification. And people find zero knowledge more interesting because it's kind of counterintuitive, but actually it's a triviality to add to the protocol here. So the protocol works, so most of the work in the protocol is to allow this speed up, and the zero knowledge just basically comes for free. And this is how it comes for free. The prover just adds a random encrypted number to both sides of the equation. And because it's all encrypted, there's no way for the prover to cheat there, and that's how you get zero knowledge. And the proof itself is eight group elements in an elliptic curve. The verifying is five pairing checks plus some elliptic curve arithmetics. And I'm way out of time now, so thanks for your attention.