We talked to the author of Bulletproofs about the latest advances in zero-knowledge proof technology.

At the Shanghai International Blockchain Week organized by Wanxiang Blockchain Labs, Benedikt Bünz, co-founder and chief scientist of Findora, presented a new zero-knowledge proof technology, Supersonic, in one of the sub-forums. Bünz is not only one of the inventors of Bulletproofs but also a co-author of the paper on Verifiable Delay Functions (VDFs), a cryptographic core component planned for Ethereum 2.0, so he is an important figure in the cryptocurrency field. He is a frontier cryptography researcher and an expert in privacy-preserving computation, which is of course inseparable from his doctoral studies in cryptography at Stanford University.

Advances in VDF research in Ethereum 2.0

Supersonic is a new type of zero-knowledge proof technology. It addresses a need of a particular kind of cryptocurrency user: privacy, meaning that users do not want their assets and transaction records to be fully public. "Zero-knowledge proof" is a general term for technology that satisfies this need, but there are many categories of implementation, the most commonly discussed being zk-SNARKs and zk-STARKs.

Zcash is the first widely used application of zk-SNARKs and is probably now the most common and best-known deployment of zero-knowledge proofs. The biggest problem with this technique is the need for a "trusted setup" between prover and verifier: a set of public parameters must be generated before zk-SNARKs can be built, and whoever holds the secret randomness used to generate those parameters could forge proofs if that randomness is not destroyed, which is a trust issue. So removing the trusted setup is the core issue that newer technologies try to overcome.

Later, Bulletproofs were proposed by Benedikt Bünz et al. Compared to zk-SNARKs they need no trusted setup; their verification cost is higher, but their proofs are still far smaller than those of other technologies such as zk-STARKs. This year, cryptography researchers around the world have also proposed a variety of zero-knowledge proof technologies, such as PLONK, Halo, Sonic, DARK proofs, and Supersonic.

ChainNews was fortunate to interview Benedikt Bünz during Shanghai International Blockchain Week to hear his thoughts on the latest zero-knowledge proof technology. The interview has been edited without altering the original meaning.

Key topics:

  • Among the latest zero-knowledge proof technologies (PLONK, Halo, Sonic, DARK proofs, Supersonic), how should one choose the right tool?
  • Besides privacy-related cryptographic algorithms, what other cryptographic tools are worth paying attention to?
  • Are general-purpose secure multi-party computation (MPC) platforms well suited to blockchains?
  • What are the problems with Ethereum's smart contract design?
  • Can WeChat be reproduced on a blockchain?

Benedikt Bünz at the CESC 2017 conference

ChainNews: There are many types of zero-knowledge proof techniques, such as the zk-SNARKs used by Zcash and the zk-STARKs often mentioned by Vitalik Buterin. By comparison, what are the characteristics of the Bulletproofs you proposed?

Benedikt Bünz: Bulletproofs are better suited to transactions of medium or low complexity; for very complex transactions, the verification process can be time-consuming. The advantage of SNARKs is that verification is very fast, but the biggest problem with SNARKs is the need for a trusted setup.

ChainNews: Last month, two researchers published a zero-knowledge proof paper called PLONK, which tries to optimize away the problem of zk-SNARKs and shows a significant performance improvement over another technology called Sonic, and Sonic can in turn be combined with the DARK proofs you mentioned to become Supersonic. What are the connections between these technologies?

Benedikt Bünz: Sonic and PLONK have made progress in some aspects of zero-knowledge proof technology. Although they still need a trusted setup, that setup is no longer application-specific. Our recently released DARK proofs are a cryptographic tool that helps Sonic and PLONK become better, because it can remove their trusted setup. So the technology that combines Sonic and DARK proofs is called Supersonic. In a word, Supersonic is a SNARK that does not require a trusted setup.

So if you have a very complex transaction or need to provide a proof for one, Supersonic's verification will be very efficient. And the proof is very small, for example only 10 to 20 kB. Although not as small as Bulletproofs, it is still very small, far smaller than the proofs of hundreds of kB for STARKs.

ChainNews: At the beginning of this month, a cryptographer from Zcash's development company published a new technology called Halo as first author. The founder of Zcash said the work achieved recursive composition of zero-knowledge proofs "without a trusted setup", called it a long-sought breakthrough in cryptography, and said it may become key to "securing and scaling blockchains." What do you think about this technology?

Benedikt Bünz: Halo is an interesting new technology, and Bulletproofs are mentioned in their paper. But it is not a SNARK, because it still needs a trusted or untrusted third party to be more efficient. If there is only one transaction or one statement, then it is not a SNARK, and the verification process will not be very efficient. It only works when you need to validate many different statements, which means that batch verification is more efficient than single verification, so it does not reflect the full capabilities of a SNARK. But Halo is still an interesting idea and may have the potential to further enhance Bulletproofs or other technologies. Halo is still a new and evolving technology; its security has not yet been proven. There is still a lot of work to be done, so it is not a trustless SNARK.

ChainNews: Since there is so much research related to zero-knowledge proofs, how should a project choose among these different technologies?

Benedikt Bünz: Of course, the best tool is the one that meets the needs of a particular scenario. In some scenarios, Bulletproofs are very useful and efficient, with proofs of only about 2 kB, but for other, more complex scenarios, Supersonic would be better. In fact, for many specific applications and scenarios, general-purpose tools may not be very efficient, so we spend a lot of time exploring and optimizing different algorithms in order to use more appropriate and efficient ones.

ChainNews: In addition to the cryptographic algorithms related to zero-knowledge proofs mentioned above, what other cryptographic tools are worth paying attention to? Are you currently putting your energy into developing these new technologies?

Benedikt Bünz: There are many more, but I can mention two. One is "anonymous credentials". If a user stores identity information in the system, there will be a lot of data like that on a passport, such as name, gender, age, etc., which is usually used when doing KYC. If the requirement to participate in an activity is to be 18 to 22 years old, then this feature will work: without revealing other data, and without revealing the user's actual age, the user can prove through the system that their age is within this range. So it can also be called a "selective disclosure credential". This cryptographic tool is very important in the financial field.

Also worth mentioning is multi-party computation, abbreviated as MPC, which is required in some scenarios. With this tool you can, for example, have many people participate in an auction without anyone needing to disclose their bid.

But we will still focus our efforts on optimizing the algorithms we have planned so far and making them more efficient. While some projects claim to use very powerful technologies, they may not be practical, efficient, or even scalable.

ChainNews: There are also some blockchain projects with MPC at their core. Can MPC be well matched to the blockchain at this stage?

Benedikt Bünz: If you really want to bring secure multi-party computation (MPC) into the field of general computing, "inefficiency" is the most important problem to overcome. For example, a computation may require multiple rounds of interaction, all participants in the computation need to be online, and efficiency will be low; and in a decentralized scenario, you do not know who the counterparty in the computation is.

For example, multiple hospitals need to study a set of data together. Each party has its own patient data, and it knows who the other hospitals are and what their IP addresses are. The whole MPC process is that these participants send data to each other, such as megabytes or even gigabytes of data, and then they obtain a final result. That is the best scenario for MPC. This is actually not the same as the environment and settings of a blockchain, because a blockchain may have thousands of nodes, and the nodes are not aware of each other.

ChainNews: As the first well-known Turing-complete blockchain project, what problems does Ethereum have in designing general-purpose smart contracts?

Benedikt Bünz: From the perspective of smart contract implementation, Ethereum is an account-based system. Its contract language, called Solidity, is similar to JavaScript. For performance reasons, we believe that the blockchain itself is not good at handling general-purpose computation. For example, although Ethereum can do an operation like 4+3, and Solidity can process and compute the result 7, this is stupid, because perhaps thousands of miners around the world are computing this same problem. So we cannot work out this kind of problem this way, or rather, it can be computed by other means. So our project does not focus on general computing.

ChainNews: What is the difference between a blockchain project focused on the financial sector and a general-purpose public chain project?

Benedikt Bünz: For example, investment funds or lending platforms have special needs for both privacy and transparency. In terms of transparency, because they need to comply with regulations, they also need to show users and regulators their solvency and be auditable. Financial applications also have privacy needs, such as not disclosing a user's balance, the company's trade secrets, which companies have been invested in, and so on.

Zero knowledge and cryptography are very good at balancing privacy and transparency.

ChainNews: How do your cryptography and consensus algorithms differ from those of other general-purpose public chains?

Benedikt Bünz: For cryptography, from a transaction perspective, it is necessary to focus on striking a balance. Zcash provides users with a lot of privacy features, but does not provide auditability and cannot disclose some of the data. But on the Findora platform, for example, assets can be "Smart Assets", and preset rules can be attached to these assets; for example, an asset can only be sent to users of a specific nationality, because regulatory rules may differ between countries. Everyone can see that these preset rules have been enforced, but the transfer amount, the asset type, and the recipient can remain private.

And these technologies are modular, so they can be used with different consensus algorithms. But we also provide a consensus algorithm called Finsense. This is a consensus protocol based on PoS and a reputation system, to ensure that if PoS fails, there is a corresponding fallback mechanism.

ChainNews: We know that oracles are a very important tool for blockchains. They can bring off-chain data on-chain, which will greatly open up practical applications of the blockchain. What do you think about oracle schemes?

Benedikt Bünz: We have been actively looking for partners to provide us with oracle tools. However, our data will still focus on the needs of financial institutions and financial services, for example letting brokers issue stocks on-chain. We already have some partners to provide such data; they can help bring a lot of financial data and financial assets onto the Findora blockchain, and I believe these are the oracles and data we need.

Other application data, such as weather data or sports results, may not be the data Findora needs to pay attention to right now, but our platform can still interoperate with other oracle tools.

ChainNews: In China, WeChat is a tool that cannot be avoided. Is it possible to build a WeChat-like platform through blockchain technology to realize comprehensive scenarios such as chat, payment, and lending?

Benedikt Bünz: Perhaps the chat part is happening on other platforms, not necessarily the blockchain, but payment and lending can be done through the blockchain. At present, Chinese users are using WeChat, and it stores all of the users' assets. If it went bankrupt, it could be a financial crisis. But if you run these businesses on a privacy-focused blockchain, the benefits include decentralization and trustlessness; when you transfer money, no one else needs to know the transfer information, and the transaction can be processed very quickly.

Another cool thing is that the blockchain can also provide a standardized, open means of access. If WeChat's payments worked on a blockchain, even a centralized one, users could build other apps on the data on that blockchain without needing WeChat's permission or APIs. Blockchain is very helpful for this kind of standardization, which is equivalent to adding an open API to money.

Since this is a cross-scenario application, it may involve cross-chain technology, that is, atomic swaps and cross-chain protocols. Take the Findora project as an example. Findora itself has an open network, but there may be many small private networks, such as permissioned networks. These private networks can be connected to the Findora public chain. Although each blockchain may adopt a different consensus algorithm, it is still possible to transfer assets between the chains, because we use atomic swap technology to make cross-chain transfers more seamless.

Author / Interview: Pan Zhixiong

Source: ChainNews