 Hello everyone, great to be here. My name is Jakob Iberhardt and I work at TU Berlin in the information systems engineering group and we've heard such great talks today which brought the setup phase to the next level, I think, which will make it in the future, hopefully feasible to run your own setup for your own circuit. With that, bring CK Snark actually to the practice so you can use it So what we did with the Socrates project is to see what we can do with the new pre-compiles on Ethereum, how we can use them to actually do something useful in the network and it's currently a research prototype But we can already do some things So the end goal is to have a nice domain specific language and some tooling to actually be able to use Snark's and I want to show you some of that today So I won't go into detail about the Socrates toolbox because I did a talk on Wednesday already But just as a quick wrap-up So the vision is to provide a usable abstraction and tooling for CK Snark's that integrates nicely with Ethereum and it's supposed to support the full process that means from specifying your program code up to the point where you Validate the execution of that code or the correctness of the execution of that code on the blockchain in sir knowledge So what does it feature at the moment at the moment? It's a domain specific higher level language not terribly powerful yet I'm talking to people about what the feature should be how we can extend it and what makes sense at the moment It's still quite limited and the compiler which transforms these conditions into constraint system We can use to do proof zone Also, it provides some support with a setup pace at this point This is a trusted setup and that's why I'm so excited to hear about the efforts by the Ccash guys to make a distributed setup Pace actually usable because I think then we could actually make Applications use this technology. So that's like really cool. I'm really excited I hope this works well in the future and brings them to developers as fast as possible It also the tool also helps to generate witnesses and with that to find solutions for your constraint system Generate proof and export Solidity smart contracts. So you will actually be able to check the proofs on the blockchain So the language I covered in my other talk. So just briefly The the primary data type you have is prime field elements So think of positive numbers that are larger than smaller than one huge prime number And of course you can simulate binary circuits with that Which is just not very efficient because you only use one and zero instead of a larger set and you have imperative statements You have assertions. You have loops conditionals and functions which allow you to structure code nicely But there's no recursion at that point that would be doable with things like tiny ram Which is really cool concept, but the proofs just seem to be a bit too expensive for applications at this point So what's the process? How do you use socrates? This is based on command line interface like you're seeing here So you have high-level code and then you compile that to a constraint system basically and then based on that constraint system you can find the solution for that constraint system Based on either private or public inputs you decide which part of that you make public So that's the witness computation and then it supports at this point only a local trusted setup I hope there will be some distributive process in the future supported That allow you to generate the verification key and the proven key these are circuits specific so you do that once for one computation you specified up here basically and Then you can export that verification key into a solidity smart contract Which will then allow you to check the proofs on the blockchain the proofs You can then actually check with that is the proofs you generated by using a witness a solution for your constraint system satisfying variable assignment together with the proving key and Based on that you can generate a proof Which shows that you evaluated your constraint system correctly and with that executed your program correctly but also you can provide or Publish part of the inputs you use your public input But you can also keep part of that private so you don't have to reveal it to the public Who of you has seen Christian talk the Christians talk in the morning? Okay, that's a lot very good So Christian introduced the Sudoku example and what I want to do in this workshop session is to show you how you can specify a Sudoku checker in that language and how you can actually Then check whether someone found the solution for your Sudoku system on the theorem So let's do that So here we have a given solution. I just copied that from Christian. I didn't find it myself So the question now is How can we use docas to prove we know a solution to the Sudoku system without revealing it to the public? So essentially we want to show that there is a solution for a given system and how can we verify that on chain? Okay, so first we need to model our problem a little bit so we have a Sudoku a mini Sudoku and it consists of sub squares and I've used Letters for them. So we have sub square a B C and D and then we just number all variables to build that kind of matrix structure and Then we have to define the validity conditions for Sudoku system So what would that be first we have to guarantee that values are in one two three four in this set So other values are not allowed and then we have to make sure that we have unique values in Rows in columns and in sub squares So each of these values can occur or has to occur exactly once in each sub square column and row So how do we put that as down as? conditions So first define a validate input function and this return zero if the value is In one two three or four it does it by multiplication And then we assert that's conditioned down here that all inputs Satisfy that condition so that we actually only have one two three four in our system Then we need a uniqueness check so we need to compare all the elements with each other and with that make sure that that There's no duplicate entries in either rows columns or sub squares. So that's the conditions we have to check for entries and Then we put that together. We define one global counter in that constraints or in that in that system and then we Check these conditions these checks return zero if they're all different So we just do that for sub squares. We do it for rows We do it for columns and in the end we assert that the counter is zero and if the counter is zero in the end We know for sure that the Sudoku Has or that the inputs we had were a valid solution for our Sudoku puzzle So one more thing here what we had given as our task is to solve this puzzle here on the left side what we have also is our internal modeling structure how we modeled that in the code and Now we have to specify which of these points are given So we kind of have to say okay this is the possible we have to solve and we do that by Specifying input parameters in our main functions that are later the public inputs that become public together with the proof and in that case we have a to one for example this entry Is three because that's what we see in the system here. So that's how we specify That part and then for the solution We have private input two one four four one three one two one three. That's a solution I showed earlier, right? That's just how you fill out the others to come up with a Valid solution and now I want to do something that's always discouraged when giving talks I want to do a live demo So I'll have to put this down. I hope you can still hear me. I'll just give it a try if not you let me know That's awesome. Thank you Unfortunately, I can't see right here, but I'll look over there and hope that it works Okay, I'll just try to turn mirroring on real quick if I can find my mouse Yeah, sorry about that Okay, here we go I'm at it, okay Can you read this is this okay? All right Okay, we should be fine now. So okay what we have here. Oh, let me remove this really quick So we have a cleaner rectory state So what we have here is our Sudoku checker code, right? That's just the the set of conditions we have and I just showed you that on the slide set And then we have the socrates tool which we will now use moving on So what we do first is we compile these Yeah, these this program into a set of conditions So we simply do socrates compile and give it an input file and that's a so Sudoku Checker code and it writes it to another file That's the out dot codes to human readable one so we can say see it's a set of human readable Equations that are as expressive as a rank one constraint system, but that's not too important for now So we we compiled it basically What we can do now is we can find a witness for this problem So we essentially need to find a satisfying variable assignment for this set of constraints I just showed you and we have to do it So we can later find a proof so I do socrates compute witness and I have to provide the arguments Which I showed you before the arguments of the main function here and I prepared it a little bit. So it's faster Okay, so now we have the public inputs, but the private inputs We need to specify them still and here we can do that interactively So the other parts of private solution what we actually fill in the Sudoku puzzle That is what we now have to specify So I'll just type in what we had in the solution before so field a 1 1 was a 2 Then we had a 1 then a 4 a 4 again 1 3 1 2 1 3 I will not make a mistake now But believe me if I would have made a mistake this would crash and show me an error Okay, but it would just take too much time. So I immediately immediately put in Private inputs that satisfy the constraint system so what we have now here is a file that contains a witness and as you can see that's just a variable assignment for all of these variables We use in our constraint system before Okay Because that's how we model equality checks because for equality checks we asked that there is a witness multiplied by the By some input is one so there is the inverse element and that's in its inverse element So that's what we calculate internally and that's why there is those huge numbers in the system. Okay Okay, so now what we have is we have a solution to our constraint system And we have the constraint system, but we have not done a setup phase yet so that's what we have to do next and Because we do not have a good distributed setup yet. We do local trusted setup. So we do Socrates and setup and That gives us a verification key and a proving key. We can see that in files But what's interesting now? We can use a tool to actually generate a solidity smart contract out of the verification key that we can afterwards use to verify the computation on chain. So let's do that. We do Socrates oh What's the command? Oh, I show you another nice feature. You can have a command line Over for you here. So it's export verifier and then You get a smart contract a Solidity smart contract that does then all the necessary checks to Yeah, validate the solution on chain. So what we do now I have already deployed that to the Robson test network So I uploaded the code. So you see I'm not cheating here So this is actually the smart contract. We just generated only that it uses a different verification key and Here I already did some transactions But what I want to do now and I use the remix ID for that is I bind that Contract that's already deployed to the smart contract. I have in here so I can conveniently use their interface to invoke the smart contract and then I I Can here Generate a proof Based on the witness and the proofing key I already had and then I get that down here and I already have it prepared here in a way where the Output is formatted nicely and can be directly pasted into the solidity web IDE So I will just paste this Down here in my new instance instance and say verify transactions that may take One second No, MetaMask will ask me whether I'm okay with this Transaction, so I say all right. I want to do it. Let's go on Robson and Then we can check the verification contract in case we're still yeah So we have a pending transaction here now and We'll have to wait for it to be mined for just a second. It usually happens quite quickly on Robson Okay, so it's my now. Let's look into it What was it wrong? Okay, let me go back. Sorry. Oh here it is. Okay. Sorry about that. Okay, and here we can go to the event logs and Check the message So the event was issued that the transaction was successfully verified So what we did now is we actually checked on chain that we provided a valid solution to the Sudoku What what's maybe interesting to note here? It was quite expensive though, so it cost 1.8 million Gas so that's quite a lot on the main net. That would mean you could currently do six Validations in in one block so six verifications in one block and why is that I may go back to the slide set real quick Okay, so what happens? Thank you very much We we generated the proof using the Socrates tool and that proof has eight elliptic curve points At least with the current CK SNR construction we use as I learned today. It could become even less and then the public inputs And they are used in the verification smart contract to Check the conditions and for that you need five pairing checks for elliptic curve additions and Depending on the inputs the number of public inputs you have to generate the customization key there several elliptic curve multiplications, so that's That are the new pre-compiles contracts that were introduced with by santium and this is Currently quite expensive, but maybe there will be better constructions that make it even cheaper to verify those proofs on chain So to sum it up you can check out the source code and I'm happy for contributions I think regarding the domain specific language We're we're at an early stage right so it's working, but we would need efficient implementations of hash functions so we can do good commitments and As Sean pointed out there might be some other challenges we need to talk tackle So we're in contract there and also an integration of a distributed setup phase will of course be key for adaption Adoption on the network so you can actually prove things to third parties and in that case with a sudoku example Only I could deploy that thing and and trust the proofs that someone sense to me because I did the setup and I know I Forgot the toxic waste involved. I could not convince us the third party of that at that point So there's just some work to do Please talk to me if you're interested in that and thank you very much