https://medium.com/manta-network/the-evolution-of-zero-knowledge-proofs-in-web3-b92a68c41c04
Source: Twitter
This year, Zero-Knowledge Proofs (ZKPs) have been making a strong appearance in various mentions by thought leaders and notable projects in the Web3 space. Whether it’s Vitalik’s prediction that ZK will be a major technological revolution, or the latest developments of StarkWare, zkSync and other projects, ZK will be highly anticipated in 2022.
The concept of Zero-Knowledge Proofs (ZKPs) was first invented by Shafi Goldwasser, Silvio Micali and Charles Rackoff in their seminal paper, “Knowledge Complexity of Interactive Proof Systems” in the 1980s. The idea is that someone (the prover) can prove the correctness of a statement to someone else (the verifier) without disclosing any information.
Read the full paper, “The Knowledge Complexity of Interactive Proof Systems” by Shafi Goldwasser, Silvio Micali, and Charles Rackoff.
When the idea was born, despite being considered as a theoretical breakthrough, even the cryptography community labeled the scheme as impossible in practice. Thanks to many breakthroughs made in the recent decades, though, especially the contribution made by many web3 projects like ZCash, we have seen a Moore’s Law style improvement on the performance of zero-knowledge proof systems.
There is jargon around ZKP systems. However, generally, zero-knowledge proof systems should have the following 4 crucial properties:
An honest prover can convince the verifier about any statement he/she knows.
A computationally bounded prover cannot forfeit a proof that can convince an honest verifier.
The proof doesn’t leak any information other than the proof itself.
The proof size is constant or logarithmic compared with the circuit size (ie. the amount of computation) of the statement.
In order to generate a ZKP, both the prover and the verifier need to commit to some shared secret and use this shared secret to generate public parameters. This secret is referred to as toxic waste. If this secret is revealed, the attacker could fabricate zero-knowledge proofs to fool the verifiers.
To solve this issue, cryptographers from ZCash/Berkeley/Technion came up with a solution: using Multi-Party Computation (MPC) to do a ceremony called Trusted Setup [2 & 3] for the zero-knowledge proof system. By doing so, as long as there is a single person who is honest during the ceremony (an honest person would discard the toxic waste successfully), the entire system is safe.
However, since a trusted setup requires a huge community effort, this imposes practical challenges of deploying the ZK system in the real world. For example, if you find a bug in your ZK circuit, you need to do a trusted setup again, which takes weeks. That cost of time may result in other consequences, such as lost funds that have been accessed by unauthorized parties (ie., hackers).
To solve this problem, a wide variety of ZKP systems has been proposed. They can roughly be divided into 3 categories.
The widely used Groth16 implementation (used by ZCash, Filecoin, and Celo) is an example of this kind. Until today, Groth16 still has the best verifier efficiency and a very good prover efficiency. For every circuit, another trusted setup ceremony must be performed.
STARK doesn’t require a trusted setup. However, this is at the cost of a much bigger proof size (192 Bytes in Groth16 vs 20~40KB), which means a higher gas cost on-chain.
Universal zkSNARK still requires a trusted setup. However, this trusted setup needs only to be done once for all circuits to a certain size. This greatly solves the problem of per circuit trusted setup. The state-of-the-art universal zkSNARKs have good proof size, good verifier and prover efficiency as well. An example of universal zkSNARK is Plonk, which is adopted by Manta Network, Aztec, and Matters Lab.
One of the biggest issues in the current Web 3 world is the lack of privacy. Sending transactions in a public ledger is like sending money over Twitter; essentially, the transaction history of an account is completely transparent and immutable.
Furthermore, linkages between pseudo-anonymous wallet addresses and existing online identities form revealing and publicly accessible information about individuals, groups, or organizations. A recent example of this is the verification of NFT ownership through Twitter profile pictures, which requires the Twitter user to publicly prove on-chain ownership of the NFT by connecting a wallet address to their Twitter profile.
Using NFTs as profile pictures on Twitter requires the user to connect the wallet address that contains the NFT.
ZKP is the perfect technology to prevent this pitfall for web3 protocols. It allows decentralized verifiability, which only relies on the trust of cryptographic assumptions (ie., math). And at the same time, due to the zero-knowledge property mentioned previously, it protects an individual’s privacy by not leaking sensitive information on-chain. It protects a user’s anonymity as well by using zero-knowledge proof as a “shield” for common adversaries such as data-harvesting advertising campaigns and machine-learning-based link analysis.
Equally concerning is the immutability of on-chain transactions. This means that anything written to a blockchain cannot be changed. Public data that is published on-chain will remain public and accessible by anyone with an Internet connection. By adding a layer of privacy to the transaction through the use of ZKPs, users will have peace of mind for their privacy, not only for now but also for the years to come.
Apart from privacy, ZKPs provide a desirable solution for scaling web3 protocols without sacrificing decentralization. That scalability feature brings tremendous value to congested protocols like Ethereum by lowering gas fees for users.
The core idea of scaling up web3 protocols using ZKP is called a zk-rollup: essentially packaging a large number of transactions together (eg., 10,000 transactions). Normally, this packaging would not bring any performance benefits, since the validator still needs to execute those 10,000 transactions one by one. However, ZKPs can pack those 10,000 transactions in a single proof by using the verifiability properties of soundness and completeness as mentioned before. Instead of re-executing these 10,000 transactions, the validators only need to verify the single zero-knowledge proof.
Quantifying this demonstrates the scalability efficiency of a zk-rollup. Executing a single zero-knowledge proof can be approximately 100x more computationally expensive than executing a single transaction. That being said, a zk-rollup is a single zero-knowledge proof execution that contains, in this example, 10,000 transactions. This means that the execution of a single zk-rollup can be compared to the execution of 10,000 single transactions. This makes the zk-rollup 100x cheaper than before.
There is a tradeoff, though. A zk-rollup must aggregate 10,000 transactions before being executed. This wait time between each execution is referred to as the finality time. The cheaper transaction cost of packaging 10,000 transactions together, therefore, comes at an expense of time.
The complete vision of Manta is to become the privacy layer of Web 3 using zero-knowledge proofs. This vision consists of 3 steps.
MantaPay is the first product that Manta is launching. Currently, the initial version of this product was launched as Dolphin testnet on December 2021. MantaPay is a UTXO-based (similar to Bitcoin) private payment protocol that uses zkSNARK to shield the linkage between coin transfers. While the protocol design is similar to ZCash, it brings two significant improvements.
The first improvement is interoperability. Compared with ZCash, which only supports ZCash public tokens, MantaPay is a multi-asset private payment protocol that supports a BYOT (Bring Your Own Token) model. For now, MantaPay supports all Polkadot/Kusma fungible assets. With the introduction of cross-chain bridges, MantaPay will support even more assets.
The second improvement is scalability. Manta’s cryptographic team has optimized the design of a multi-asset private payment protocol by using a “bag of tricks” including:
As a result, MantaPay’s circuit size is only a tenth of the size of ZCash’s Sapling protocol. Combined with the fast Substrate runtime and high throughput consensus offered by Polkadot, MantaPay can achieve a much higher TPS with lower finality time.
To the Polkadot ecosystem, MantaPay’s privatization functionality, which extends to any parachain asset, creates intrinsic value for the assets existing within it. As shown in the figure below, all the Polkadot ecosystem assets get privatization functionality through Manta, which creates a great value to all the ecosystem projects:
https://miro.medium.com/max/1400/0*L78JOwhBNRJImLsy
The next step of Manta is MantaSwap, a private AMM-based decentralized exchange using zkSNARK.
The decentralized exchange is the bread and butter for web3 users. It enables a trustless free market of crypto assets, which can be obtained in a sovereign manner to unlock access and participation in other web3 ecosystems, applications, and voting structures. Manta’s ethos is to increase privacy adoption by providing more utility for private assets on-chain. Naturally, creating a decentralized exchange would our next step. MantaSwap uses the market-proven automated market maker (AMM) design, which brings both capital efficiency and transaction efficiency. By using a relatively simple exchange algorithm, the zero-knowledge proof circuit size, as well as the prover efficiency, can be guaranteed.
MantaSwap’s design provides anonymity for both traders and liquidity providers; this encourages adoption for both traders and liquidity providers. At the same time, the liquidity pool size and the trading price is public; this enables liquidity discovery and effective arbitrage that ensures the efficiency of the exchange.
The third step for Manta is to solve the final missing piece of private assets and programmability with a dedicated smart contract platform on private assets.
Programmability is the heart and soul of the web3 revolution. Because of programmability, the entire Web 3 space is innovative, colorful, and interactive in a self-sovereign manner.
Manta’s privacy-preserving smart contracts will be based on MantaPay and MantaSwap’s circuits, also will allow any DApp developers to build and deploy their own protocol on the private assets on Manta. Notable examples include privacy-preserving DAO tools, private NFT marketplaces, and more. Manta’s long-term vision is to deliver privacy-as-a-service to web3, providing convenient privacy-enabling features to integrate with existing and new applications without the need for privacy or cryptography expertise from those applications.
Twitter | Discord | Telegram | GitHub | Linkedin | Website
Manta Network is committed to building a better Web3 world through privacy protection. Manta’s product design starts from first principles and provides end-to-end privacy protection for blockchain users through leading cryptography architectures such as zkSNARK. While ensuring privacy, Manta offers interoperability, convenience, high performance, and auditability, allowing users to conduct private transfers and transactions between any parallel chain of assets. Manta’s vision is to provide more convenient privacy protection services for the entire blockchain world.
Manta’s founding team is made up of several cryptocurrency veterans, professors and academics with experience from Harvard University, MIT and Algorand. Manta’s advisors include Hypersphere Ventures co-founder Jack Platts, Polychain partner Luke Pearson, former Web3 Foundation co-founder Ashley Tyson, Consensys’ Shuyao Kong.
Manta’s investors include Polychain, ParaFi, Binance Labs, Multicoin, CoinFund, Alameda, DeFiance and Hypersphere. Manta is also an official Web3 Foundation grant recipient, a member of Substrate Builder Program, and a member of Berkeley Blockchain Accelerator.
资料来源:推特
今年,零知识证明 (ZKP) 在 Web3 领域的思想领袖和著名项目的各种提及中都非常引人注目。无论是 Vitalik 对 ZK 将是一次重大技术革命的预测,还是 StarkWare、zkSync 等项目的最新进展,ZK 都将在 2022 年备受期待。
零知识证明 (ZKP) 的概念最初是由 Shafi Goldwasser、Silvio Micali 和 Charles Rackoff 在他们的开创性论文“交互式证明系统的知识复杂性”中于 1980 年代发明的。这个想法是某人(证明者)可以在不透露任何信息的情况下向其他人(验证者)证明陈述的正确性。
阅读 Shafi Goldwasser、Silvio Micali 和 Charles Rackoff 的完整论文“交互式证明系统的知识复杂性”。
当这个想法诞生时,尽管被认为是理论上的突破,但即使是密码学界也认为该方案在实践中是不可能的。然而,由于近几十年来取得的许多突破,尤其是 ZCash 等许多 web3 项目的贡献,我们已经看到了摩尔定律在零知识证明系统的性能方面的改进。
ZKP 系统有一些术语。但是,一般来说,零知识证明系统应该具有以下 4 个关键属性:
一个诚实的证明者可以让验证者相信他/她知道的任何陈述。
计算有界的证明者不能放弃可以说服诚实验证者的证明。
除了证明本身之外,证明不会泄露任何信息。
与语句的电路大小(即计算量)相比,证明大小是常数或对数。
为了生成 ZKP,证明者和验证者都需要提交某个共享密钥,并使用该共享密钥生成公共参数。这个秘密被称为*有毒废物。*如果这个秘密被泄露,攻击者可以制造零知识证明来欺骗验证者。
为了解决这个问题,来自 ZCash/Berkeley/Technion 的密码学家提出了一个解决方案:使用多方计算 (MPC)为零知识证明系统做一个名为***Trusted Setup [2 & 3] 的仪式。***这样一来,只要有一个人在仪式上诚实(诚实的人会成功丢弃有毒废物),整个系统就是安全的。
然而,由于可信设置需要巨大的社区努力,这给在现实世界中部署 ZK 系统带来了实际挑战。例如,如果您在 ZK 电路中发现错误,则需要再次进行可信设置,这需要数周时间。这种时间成本可能会导致其他后果,例如丢失已被未经授权方(即黑客)访问的资金。
为了解决这个问题,已经提出了各种各样的 ZKP 系统。它们大致可以分为3类。
广泛使用的 Groth16 实现(由 ZCash、Filecoin 和 Celo 使用)就是此类示例。直到今天,Groth16 仍然拥有最好的验证者效率和非常好的证明者效率。对于每个电路,必须执行另一个受信任的设置仪式。
STARK 不需要受信任的设置。然而,这是以更大的证明大小为代价的(Groth16 中的 192 字节 vs 20~40KB),这意味着链上的 gas 成本更高。
通用 zkSNARK 仍然需要可信设置。但是,对于特定大小的所有电路,这种受信任的设置只需要完成一次。这极大地解决了每个电路可信设置的问题。最先进的通用 zkSNARK 具有良好的证明大小、良好的验证者和证明者效率。通用 zkSNARK 的一个例子是 Plonk,它被 Manta Network、Aztec 和 Matters Lab 采用。
当前 Web 3 世界中最大的问题之一是缺乏隐私。在公共账本中发送交易就像在 Twitter 上汇款一样;本质上,一个账户的交易历史是完全透明和不可变的。
此外,伪匿名钱包地址和现有在线身份之间的联系形成了关于个人、团体或组织的公开和可公开访问的信息。最近的一个例子是通过 Twitter 个人资料图片验证 NFT 所有权,这要求 Twitter 用户通过将钱包地址连接到他们的 Twitter 个人资料来公开证明 NFT 的链上所有权。
在 Twitter 上使用 NFT 作为头像需要用户连接包含 NFT 的钱包地址。
ZKP 是防止 web3 协议陷入这种陷阱的完美技术。它允许去中心化的可验证性,这仅依赖于加密假设(即数学)的信任。同时,由于前面提到的零知识属性,它通过不泄露链上敏感信息来保护个人的隐私。它还通过使用零知识证明作为常见对手的“盾牌”来保护用户的匿名性,例如数据收集广告活动和基于机器学习的链接分析。
同样令人担忧的是链上交易的不变性。这意味着写入区块链的任何内容都无法更改。在链上发布的公共数据将保持公开状态,任何有互联网连接的人都可以访问。通过使用 ZKP 为交易添加一层隐私,用户不仅现在而且在未来几年都可以安心地保护自己的隐私。
除了隐私之外,ZKP 为扩展 web3 协议提供了一个理想的解决方案,而不牺牲去中心化。这种可扩展性功能通过降低用户的汽油费为以太坊等拥挤的协议带来了巨大的价值。
使用 ZKP 扩展 web3 协议的核心思想称为 zk-rollup:本质上是将大量事务打包在一起(例如,10,000 个事务)。通常,这种打包不会带来任何性能优势,因为验证者仍然需要一一执行这 10,000 笔交易。然而,ZKP 可以使用前面提到的健全性和完整性的可验证性属性将这 10,000 笔交易打包在一个证明中。验证者无需重新执行这 10,000 笔交易,只需验证单个零知识证明。
量化这证明了 zk-rollup 的可扩展性效率。执行单个零知识证明的计算成本大约是执行单个事务的 100 倍。话虽如此,zk-rollup 是一个单一的零知识证明执行,在此示例中包含 10,000 个事务。这意味着单个 zk-rollup 的执行可以与 10,000 个单个事务的执行进行比较。这使得 zk-rollup 比以前便宜 100 倍。
不过,有一个权衡。zk-rollup 必须在执行之前聚合 10,000 个事务。每次执行之间的等待时间称为最终时间。因此,将 10,000 笔交易打包在一起会降低交易成本,但要以时间为代价。
Manta 的完整愿景是使用零知识证明成为 Web 3 的隐私层。这一愿景包括 3 个步骤。
MantaPay 是 Manta 推出的第一款产品。目前,该产品的初始版本已于 2021 年 12 月作为Dolphin 测试网推出。MantaPay 是一种基于 UTXO(类似于比特币)的私有支付协议,使用 zkSNARK 来屏蔽转币之间的联动。虽然协议设计类似于 ZCash,但它带来了两个重大改进。
第一个改进是互操作性。与仅支持 ZCash 公有代币的 ZCash 相比,MantaPay 是一种支持 BYOT(Bring Your Own Token)模型的多资产私有支付协议。目前,MantaPay 支持所有 Polkadot/Kusma 可替代资产。随着跨链桥的引入,MantaPay 将支持更多的资产。
第二个改进是可扩展性。Manta 的加密团队通过使用“一揽子技巧”优化了多资产私人支付协议的设计,其中包括:
因此,MantaPay 的电路规模只有 ZCash 的 Sapling 协议规模的十分之一。结合 Polkadot 提供的快速 Substrate 运行时和高吞吐量共识,MantaPay 可以实现更高的 TPS 和更短的最终确定时间。
对于 Polkadot 生态系统而言,MantaPay 的私有化功能可扩展到任何平行链资产,为其中存在的资产创造内在价值。如下图所示,所有波卡生态资产通过 Manta 获得私有化功能,为所有生态项目创造了巨大价值:
https://miro.medium.com/max/1400/0*L78JOwhBNRJImLsy
Manta 的下一步是 MantaSwap,这是一个使用 zkSNARK 的基于 AMM 的私有去中心化交易所。
去中心化交易所是 web3 用户的生计。它实现了一个无需信任的加密资产自由市场,可以以主权方式获得,以解锁对其他 web3 生态系统、应用程序和投票结构的访问和参与。Manta 的精神是通过为链上私人资产提供更多实用性来增加隐私采用。自然,创建去中心化交易所将是我们的下一步。MantaSwap 采用经过市场验证的自动做市商 (AMM) 设计,带来资金效率和交易效率。通过使用相对简单的交换算法,可以保证零知识证明电路的规模,以及证明者的效率。
MantaSwap 的设计为交易者和流动性提供者提供匿名性;这鼓励了交易者和流动性提供者的采用。同时,流动性池规模和交易价格是公开的;这使得流动性发现和有效套利成为可能,从而确保交易所的效率。
Manta 的第三步是通过私有资产的专用智能合约平台解决私有资产和可编程性的最后缺失部分。
可编程性是 web3 革命的核心和灵魂。因为可编程性,整个 Web 3 空间是创新的、丰富多彩的,并且以一种自主的方式进行交互。
Manta 的隐私保护智能合约将基于 MantaPay 和 MantaSwap 的电路,也将允许任何 DApp 开发人员在 Manta 的私有资产上构建和部署自己的协议。值得注意的例子包括保护隐私的 DAO 工具、私有 NFT 市场等。Manta 的长期愿景是为 web3 提供隐私即服务,提供方便的隐私启用功能以与现有和新应用程序集成,而无需这些应用程序的隐私或密码学专业知识。
Manta Network 致力于通过隐私保护来构建一个更美好的 Web3 世界。Manta的产品设计从第一原理出发,通过zkSNARK等领先的密码学架构为区块链用户提供端到端的隐私保护。在确保隐私的同时,Manta 提供互操作性、便利性、高性能和可审计性,允许用户在任何平行资产链之间进行私人转移和交易。Manta 的愿景是为整个区块链世界提供更便捷的隐私保护服务。
Manta 的创始团队由数位来自哈佛大学、麻省理工学院和 Algorand 的加密货币资深人士、教授和学者组成。Manta 的顾问包括 Hypersphere Ventures 联合创始人 Jack Platts、Polychain 合伙人 Luke Pearson、前 Web3 Foundation 联合创始人 Ashley Tyson、Consensys 的 Shuyao Kong。
Manta 的投资者包括 Polychain、ParaFi、Binance Labs、Multicoin、CoinFund、Alameda、DeFiance 和 Hypersphere。Manta 还是 Web3 基金会的官方赠款接受者、Substrate Builder Program 的成员和伯克利区块链加速器的成员。