A very brief description of how Zcash private transactions work
Ariel Gabizon
Zcash adds privacy to Bitcoin's decentralization. Shielded (private) transactions reveal no information about sender, receiver or amount, yet miners can still distinguish between valid and invalid transactions!
Recall Bitcoin's set of unspent transaction outputs: (PK1, 2.3 BTC), (PK2, 0.4 BTC), ... To spend money, Alice signs a message with the secret key corresponding to a public address in an output: "Move my BTC from PK1 to PK4" (signed by sk1).
For simplicity, assume each output/note is exactly 1 BTC. Each node stores: Note1 = (PK1), Note2 = (PK2), Note3 = (PK3).
Now think of each note as containing a randomly picked "serial number" r_i: Note1 = (PK1, r1), Note2 = (PK2, r2), Note3 = (PK3, r3).
For privacy, the node database will only contain hashes of the notes: H1 = HASH(PK1, r1), H2 = HASH(PK2, r2), H3 = HASH(PK3, r3).
For privacy, the node will continue to store H_i even after Note_i has been spent. The node also stores a nullifier set that contains the hashes of the serial numbers of all notes previously spent. State after Note2 has been spent: H1 = HASH(PK1, r1), H2 = HASH(PK2, r2), H3 = HASH(PK3, r3); nullifier set: nf1 = HASH(r2).
To spend a note, Alice sends a zk-SNARK proving she knows the secret key of a note such that:
- its hash is in the table
- the hash of its serial number is not in the nullifier set
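The bookkeeping in the last few slides, as an added example (not code from the talk or from Zcash): a ledger that keeps only note hashes and a nullifier set, and that accepts a spend exactly when the two conditions above hold. The zk-SNARK is the part this toy omits: here the spender simply hands (PK, r) to the ledger, whereas in Zcash the proof convinces the node that the same two checks pass without revealing PK or r. Note names, the hash tuple encoding and the random serial numbers are constructed for the example.

```python
# Toy model of Zcash-style note hashes and nullifiers (added example, not code
# from the talk or from Zcash). Only the node's bookkeeping is modelled; the
# zk-SNARK that would let Alice prove the two spend checks WITHOUT revealing
# (PK, r) is replaced by simply handing (PK, r) to the ledger.
import hashlib
import os

def H(*parts: bytes) -> bytes:
    """Hash of a tuple, with length prefixes so HASH(PK, r) and HASH(r) never collide by layout."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()

class ToyLedger:
    def __init__(self):
        self.note_hashes = set()   # H(PK_i, r_i) for every note ever created; never shrinks
        self.nullifiers = set()    # H(r_i) for every note already spent

    def add_note(self, pk: bytes, r: bytes) -> bytes:
        """Create a 1-unit note; only its hash goes into the public table."""
        h = H(pk, r)
        self.note_hashes.add(h)
        return h

    def spend(self, pk: bytes, r: bytes) -> bool:
        """The two checks from the slide: note hash present, nullifier absent."""
        if H(pk, r) not in self.note_hashes:
            return False                 # no such note was ever created
        nf = H(r)
        if nf in self.nullifiers:
            return False                 # already spent: double-spend rejected
        self.nullifiers.add(nf)          # the note hash stays; only nf is recorded
        return True

def demo():
    """Constructed scenario: three notes, note 2 spent twice, one unknown note."""
    ledger = ToyLedger()
    notes = [(f"PK{i}".encode(), os.urandom(32)) for i in (1, 2, 3)]
    for pk, r in notes:
        ledger.add_note(pk, r)
    pk2, r2 = notes[1]
    first = ledger.spend(pk2, r2)                 # valid spend
    second = ledger.spend(pk2, r2)                # same serial number again
    unknown = ledger.spend(b"PK9", os.urandom(32))  # never created
    still_listed = H(pk2, r2) in ledger.note_hashes
    return first, second, unknown, still_listed, len(ledger.nullifiers)

if __name__ == "__main__":
    print(demo())
```

Because the table of note hashes is never pruned, the nullifier set is the only thing that stops a note from being spent twice; that is why a node must reject a transaction whose nullifier it has already seen, and why the nullifier is derived from the serial number alone rather than from the whole note.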
zk-SNARKs (zero-knowledge Succinct Non-interactive Arguments of Knowledge): short proofs that let you prove possession of information, e.g. a secret key, without revealing that information. In 2013, "Quadratic Span Programs and Succinct NIZKs without PCPs" by Gennaro, Gentry, Parno and Raykova paved the way for efficient SNARK constructions.
Main ingredient: Homomorphic Hidings (HH). A mapping E such that:
- given E(x), it is hard to find x
- x ≠ y → E(x) ≠ E(y)
- from E(x), E(y) one can compute E(x+y), E(x·y)
(Over)simple zk-SNARK example using HH. Alice wants to prove to Bob she knows a, b such that a + b = 7.
1. She sends E(a), E(b) to Bob.
2. Bob computes E(7), and E(a+b) using E(a), E(b).
3. Bob checks that E(7) = E(a+b).
How to construct HH? If you only need E(x+y), use x → g^x in a group with a hard DL problem. If you want both E(x+y) and E(x·y), you need pairings in elliptic curve groups.
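The additive case, as an added example (not code from the talk): the hiding E(x) = g^x in a prime-order subgroup, and the three-step a + b = 7 check from the previous slide run over it. The group parameters are constructed and far too small to be secure; they are chosen so that the brute-force discrete log at the end is feasible and shows what "hard to find x" has to mean in real parameters.

```python
# Toy additively homomorphic hiding E(x) = g^x mod q (added example, not code
# from the talk). Constructed parameters: q = 2p + 1 is a safe prime and g
# generates the subgroup of prime order p, so exponents live in Z_p.
P = 1019             # prime order of the subgroup (constructed, tiny)
Q = 2 * P + 1        # 2039, a safe prime (constructed)
G = 4                # 2^2 mod Q is a square, hence lies in the order-P subgroup

def E(x: int) -> int:
    """Homomorphic hiding of x: hides x behind a discrete log; E(x)*E(y) = E(x + y)."""
    return pow(G, x % P, Q)

def prover_messages(a: int, b: int):
    """Step 1: Alice reveals only the hidings, never a and b."""
    return E(a), E(b)

def verify_sum(Ea: int, Eb: int, target: int) -> bool:
    """Steps 2 and 3: from E(a), E(b) alone compute E(a + b) and compare with E(target).
    Passes exactly when a + b == target (mod P), because E is injective on Z_P."""
    return (Ea * Eb) % Q == E(target)

def brute_force_dlog(y: int) -> int:
    """Recover x from E(x) by exhaustive search. Feasible only because P is tiny;
    with ~256-bit P this is the discrete-log problem the hiding relies on."""
    for x in range(P):
        if pow(G, x, Q) == y:
            return x
    raise ValueError("value is not in the subgroup generated by G")

if __name__ == "__main__":
    Ea, Eb = prover_messages(3, 4)
    print(verify_sum(Ea, Eb, 7))        # True:  3 + 4 = 7
    print(verify_sum(*prover_messages(3, 5), 7))  # False: 3 + 5 != 7
    print(brute_force_dlog(Ea))         # 3, recoverable only at toy size
```

The check is additive only: multiplying E(a) by E(b) adds the exponents, but nothing here lets Bob form E(a·b), which is exactly the gap the slide says pairings fill. Note also that the verifier compares group elements, so a prover who sends an E(a) outside the subgroup should be rejected in a real implementation (a subgroup-membership check is omitted here).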
Thanks!
More detailed SNARK example, leading to QAPs
1. Want to prove you know a, b with a + b = 7 mod p. Let g be a generator of a group of order p where DL is hard. Prover: send A = g^a, B = g^b. Verifier: check that A·B = g^{a+b} = g^7.
2. Prove we know a, b, c with (a+b)·c = 7 mod p. Need bilinear pairings: a map e: G × G → G_T such that e(g^a, g^b) = g_T^{a·b} (exists for some elliptic curve groups). Prover: send A = g^a, B = g^b, C = g^c. Verifier: check that e(A·B, C) = g_T^7, since e(A·B, C) = e(g^{a+b}, g^c) = g_T^{(a+b)c}.
3. Prove you know a, b, c with (a+b)·b·c = 7 mod p.
[Circuit figure: inputs a, b, c; an addition gate g1 and a multiplication gate g2; wires labelled w1, ..., w5, with w5 the output wire.]
Label the gates g1, g2 and the wires w1, ..., w5. What we want to prove is that we have a legal assignment to the wires with w5 = 7.
Define degree-2 polynomials A_1, ..., A_5 by A_i(j) = 1 if w_i is the left input of g_j, and 0 otherwise; i.e. A_1(2) = A_2(1) = 1 and A_i(j) = 0 otherwise. The B_i's and C_i's are defined similarly for the right input and output wires.
Define A(X) := Σ_{i=1..5} w_i A_i(X), B(X) := Σ_{i=1..5} w_i B_i(X), C(X) := Σ_{i=1..5} w_i C_i(X). For example A(1) = w2, B(1) = w3, C(1) = w4. We have that w1, ..., w5 is a legal assignment iff P(X) := A·B − C is divisible by t(X) := (X−1)(X−2). If so, there exists h(X) such that P(X) ≡ t(X)·h(X).
Idea: the verifier will check the equality at a random s not known to the prover.
Verifier: choose random s, send g^s, g^{s^2}, ..., g^{s^d}.
Prover: compute and send A = g^{A(s)}, B = g^{B(s)}, C = g^{C(s)}, H = g^{h(s)}.
Verifier: check that e(A·B, 1/C) = e(H, g^{t(s)}), since e(A·B, 1/C) = g^{A(s)·B(s) − C(s)} = g^{P(s)} and e(H, g^{t(s)}) = g^{h(s)·t(s)} = g^{P(s)}.
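The polynomial side of the last few slides (wire polynomials A_i, B_i, C_i, the combined A, B, C, and the divisibility of P = A·B − C by t), as an added example that is not code from the talk. It uses the standard R1CS/QAP convention, in which every gate is a multiplication whose left input, right input and output are linear combinations of wires and additions are absorbed into those combinations; that differs slightly from the slides' sketch, which draws "+" as its own gate, but the divisibility test is the same one the verifier's pairing equation encodes. The field size, the two-gate circuit and the wire values are constructed; the pairing-based hiding of s is not modelled.

```python
# Toy QAP (Quadratic Arithmetic Program) check over a small prime field. Added
# example, not code from the talk. Convention: standard R1CS/QAP form, where each
# gate j is a multiplication  left_j(w) * right_j(w) = out_j(w)  of linear
# combinations of the wires, so additions live inside those combinations.
# Polynomials are coefficient lists, lowest degree first, with coefficients mod P.
P = 10007  # constructed small prime; real systems use ~256-bit fields

def inv(x):
    return pow(x % P, P - 2, P)

def padd(f, g):
    n = max(len(f), len(g))
    return [((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % P for i in range(n)]

def pscale(f, k):
    return [c * k % P for c in f]

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def pdivmod(f, g):
    """Long division f = q*g + r over GF(P); returns (q, r)."""
    f, g = f[:], g[:]
    while len(f) > 1 and f[-1] == 0: f.pop()
    while len(g) > 1 and g[-1] == 0: g.pop()
    q = [0] * max(1, len(f) - len(g) + 1)
    lead = inv(g[-1])
    for i in range(len(f) - len(g), -1, -1):
        q[i] = f[i + len(g) - 1] * lead % P
        for j, gc in enumerate(g):
            f[i + j] = (f[i + j] - q[i] * gc) % P
    return q, f[:len(g) - 1] or [0]

def sum_polys(polys):
    acc = [0]
    for p in polys:
        acc = padd(acc, p)
    return acc

def lagrange_basis(points):
    """L_j(X) = 1 at points[j] and 0 at the other points: the slides' A_i(j) rule."""
    basis = []
    for j, xj in enumerate(points):
        num, den = [1], 1
        for k, xk in enumerate(points):
            if k != j:
                num = pmul(num, [-xk % P, 1])
                den = den * (xj - xk) % P
        basis.append(pscale(num, inv(den)))
    return basis

def build_qap(gates, n_wires):
    """gates[j] = (left, right, out): wire-coefficient vectors of gate j+1.
    Returns per-wire polynomials A_i, B_i, C_i and the target t(X) = prod_j (X - j)."""
    idx = list(range(1, len(gates) + 1))
    L = lagrange_basis(idx)
    def per_wire(sel):
        return [sum_polys([pscale(L[j], gate[sel][i]) for j, gate in enumerate(gates)])
                for i in range(n_wires)]
    t = [1]
    for j in idx:
        t = pmul(t, [-j % P, 1])
    return per_wire(0), per_wire(1), per_wire(2), t

def combine(polys, w):
    """A(X) = sum_i w_i * A_i(X) for an assignment w to the wires."""
    return sum_polys([pscale(p, wi) for p, wi in zip(polys, w)])

def qap_check(gates, w):
    """w is a legal assignment iff P(X) = A*B - C is divisible by t(X); returns (ok, h)."""
    A, B, C, t = build_qap(gates, len(w))
    p = padd(pmul(combine(A, w), combine(B, w)), pscale(combine(C, w), P - 1))
    h, r = pdivmod(p, t)
    return all(c == 0 for c in r), h

# Constructed circuit on wires [a, b, c, mid, out]:
#   g1: (a + b) * c = mid        g2: mid * a = out
GATES = [
    ([1, 1, 0, 0, 0], [0, 0, 1, 0, 0], [0, 0, 0, 1, 0]),
    ([0, 0, 0, 1, 0], [1, 0, 0, 0, 0], [0, 0, 0, 0, 1]),
]

def witness(a, b, c):
    """Honest wire assignment for the circuit above."""
    mid = (a + b) * c % P
    return [a, b, c, mid, mid * a % P]

if __name__ == "__main__":
    print(qap_check(GATES, witness(2, 3, 4)))       # (True, [9977]): h = -30 mod P
    print(qap_check(GATES, [2, 3, 4, 20, 41])[0])   # False: output wire tampered
```

With two gates the target is t(X) = (X−1)(X−2), and P(X) vanishes at X = 1 and X = 2 exactly when each gate's equation holds, which is why a single tampered wire leaves a non-zero remainder. In the protocol the verifier never sees the coefficients of P or h; it sees only their hidings at the secret point s and relies on the pairing equation to check P(s) = h(s)·t(s).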
Zero-Knowledge (ZK) proofs are to encryption/hashing as a dimmer is to a light switch: you decide what, and how much, to reveal about the plaintext or hash preimage.
Example: Alice can use a ZK proof to prove she knows a SHA-2 preimage of z with msb 1 (and reveal nothing else about the preimage).
[Figure: revealing the preimage of z exposes all of its bits (100...), whereas a ZK proof exposes only the most significant bit (1XX...).]
zk-SNARKs: ZK proofs with all the dream features.
- Succinct: verification time is very quick and the proof is very short (a few hundred bytes).
- Non-interactive: just one message from the prover (requires a setup phase).
- Argument of Knowledge.
A few minutes about how zk-SNARKs work. Ingredient one: convert what you want to prove into knowing a solution to some algebraic equations, e.g. "I know a SHA-2 preimage of z with msb 1" becomes "I know x, y such that x^3 + y^5 = 2".
Ingredient two: homomorphic encryption. Given encryptions E(x), E(y) of x, y, one can obtain the encryption of any arithmetic expression in x, y, e.g. E(x^3 + y^5).
Proving possession of x, y satisfying x^3 + y^5 = 2 (without revealing x, y). Prover: send E(x), E(y). Verifier: compute E(x^3 + y^5) and E(2), and check that they are equal.