ZK Interaction at Zuzalu

Written by Vivek of 0xPARC. Including ideas from Aayush of 0xPARC + Andy, Danilo, Barry, and Althea of PSE

Zero knowledge cryptography is becoming more practical on many fronts. Computationally, proving simple statements in ZK (pre-image of hash, set membership) is fast enough to run on mobile phones, and proofs are small enough to cheaply verify on-chain. For developers, the work of groups like iden3, PSE, and zcash has made deploying new circuits much easier. And educationally, work from groups like 0xPARC and ZKHACK has given more people the vocabulary to understand the unique affordances of zkSNARKs.

As a result, we are finally starting to see meaningful deployments of zkSNARKs that the average (zk interested) person can understand and play with. One of my favorite examples has been in-person pseudonymous groups at some recent conferences. I think in-person groups are kinda fuckin hype for a few reasons:

  1. Using Semaphore. Semaphore allows for the creation of plumes (i.e. hash(nullifiers)), or a second identity that maps 1-1 with a public key in the group but can't be linked by anyone other than you. This is currently not possible for on-chain ECDSA groups, but is necessary for voting schemes, useful moderation, and building pseudonymous reputation. Unfortunately, there aren't (yet) many Semaphore groups in the wild, but joining them at events is natural and easy.
  2. Easier to get engagement. We're still figuring out the right form factor and use-cases for zk-enabled interaction. As a result, apps can sometimes be too confusing or clunky for people to use regularly. But in-person it's much easier to answer questions, encourage people to try things, and get feedback.
  3. Lots of relevant groups to join. Your role at the event, which company you work for, which fields you're interested in, what your experience level is, etc. More groups means more detailed and expressive pseudonymity, which allows you to attach only the necessary reputation to your speech instead of your full identity.

Past deployments have included an anonymous Twitter feed I built for attendees of the Stanford Blockchain Conference back in August, explored in detail here: https://personaelabs.org/posts/sbcheyanon/. For Devcon, PSE built a richer and more secure experience with the Temporary Anonymous Zone, detailed in their blog here: https://mirror.xyz/privacy-scaling-explorations.eth/plfDBIpiKZVyNSJWhE9vix76JaJoJ1seDfRAddV7HEc

These experiments were super fun, and in total got a few hundred people interacting with ZK proofs for the first time. But due to the experiments only running for the length of the conference and not getting regular usage, it was difficult to extract useful product or UX insights.

Deploying at Zuzalu

On the other hand, Zuzalu seems like a much better setting for experiments with ZK-enabled interaction. It'll run for two months, meaning we can have experiments that run over weeks instead of days. It'll be a cohort of cryptography-pilled folks who will be willing and excited to try wacky ZK experiments. And the vibes the organizers are trying to create seem uniquely thoughtful, open, and collaborative, which will create a safer environment to deploy powerful (and potentially destructive) pseudonymous speech technology. With that in mind, my current two goals for Zuzalu are as follows:

  1. Develop robust moderation and anonymity sets that lead to pseudonymity being used for open, honest, and vulnerable expression instead of toxic, hurtful, and spammy content.
  2. Create a user experience that is smooth and intuitive enough for people to regularly generate ZK proofs, feel how magical they are, and find unique ways to use their newfound powers.

More concretely, this currently consists of:

  • Better UX for joining groups using NFC chips from IYK and signaling (posts, upvotes, polls) using WebAuthn
  • Attaching more reputation to your Semaphore identities from Ethereum, zk-email, zk-JWT, and self-attested for more expressive pseudonymous speech
  • Posting to Twitter, Telegram, Discord, and Farcaster so people can interact with pseudonymous speech using their "real" identities
  • Having weekly experiments with different groups and use-cases to see what resonates, taking careful notes on the results and getting user feedback
  • Trying experiments with private funding as we will have a robust enough identity system to build interesting setups. This is a direction entirely proposed/developed by Danilo of PSE
  • Experimenting with a wide variety of moderation schemes and seeing what the outcomes are, including: approval votes before posting, removing a post after enough downvotes, a small set of admins, dictatorship, prediction markets à la COCO, revealing identity with enough downvotes
  • Making the setup easy enough to use so people who visit and enjoy using it can easily deploy at their own events and offices

I expand on each of the above points in the following sections.

User experience

Joining groups

Both of the previous in-person ZK deployments have used some sort of QR code invite system, similar to event POAPs. Each QR code needs to be printed out and unique, which is unnecessarily wasteful and also difficult to get right! I had a lot of trouble getting stuff ready for SBC and I remember TAZ had to delay getting started by one day due to a printing mishap.

Thanks to a connection from Yi Sum of Axiom, I've been collaborating with the folks from IYK for the past few months, who were behind the NFC ENS cards at Devcon. They've given me a few NFC devices that when tapped automatically redirect users to a site of my choosing, with a "?iykRef=abc" query that is unique and single-use.

An IYK NFC disk. very sexy.

Now, setting up a new group becomes as easy as changing the redirect link and letting people tap the disk while they first register for an event or when they complete some activity!

If possible, I'm also very interested in integrating with Semacaulk for efficient on-chain group management. But this likely isn't a priority as the Semaphore contracts are so easy to deploy and still fairly cheap.

Creating and storing identities

Part of the reason there aren't many Semaphore groups is that we don't have robust infrastructure to store and manage different Semaphore identities. TAZ used localStorage to store the Semaphore private key, which restricts it to a single device and can lead to it getting removed if localStorage starts filling up too much. There's some other great work from PSE on CryptKeeper, but as it's a Chrome extension it can't easily work on mobile platforms.

Over the past few months, Enrico Bottazzi and I have been doing a deep dive into the WebAuthn standard, a way to remove passwords by generating a public/private key pair, sending the public key to the server, and authenticating by signing some challenge. The private key is kept securely on the user's device, and signatures can only be made with biometric approval (TouchID, Windows Hello). And your device will only access the key pair for a specific website if you're in a secure context (i.e. an HTTPS connection with the website you're logging into), which prevents phishing! It's fairly easy to set up, and works across the vast majority of devices.
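To make the phishing and biometric claims concrete, here is an added example (not code from heyauthn or from the original post) of the checks a relying party runs on a WebAuthn assertion before it verifies the signature. The origin `https://zk.example`, the RP ID and the sample assertion are constructed assumptions; signature verification itself is left out.

```python
import base64
import hashlib
import json
import struct

EXPECTED_ORIGIN = "https://zk.example"  # assumed origin of the relying party
RP_ID = "zk.example"                    # assumed relying-party ID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> int:
    """Run the pre-signature checks; return the signature counter or raise ValueError."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication assertion")
    if client.get("challenge") != b64url(challenge):
        raise ValueError("challenge mismatch: stale or replayed response")
    if client.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch: assertion was made for another site")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: 32-byte SHA-256(rpId) | 1 flag byte | 4-byte big-endian counter
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential is scoped to another RP")
    if not flags & 0x01:
        raise ValueError("user presence flag (UP) not set")
    if not flags & 0x04:
        raise ValueError("user verification flag (UV) not set: no biometric or PIN")
    return sign_count

def sample(origin=EXPECTED_ORIGIN, flags=0x05, challenge=b"\x01" * 32):
    """Constructed (not captured) clientDataJSON and authenticatorData."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    print(check_assertion(*sample(), b"\x01" * 32))
    for kwargs in ({"origin": "https://zk.example.login.test"}, {"flags": 0x01}):
        try:
            check_assertion(*sample(**kwargs), b"\x01" * 32)
        except ValueError as err:
            print("rejected:", err)
```

The browser writes the origin into the signed client data, so a response produced on a look-alike domain fails the origin check even if the user approved it.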

After some close inspection of the spec, it turns out each key pair generated is also associated with a unique credential ID. This turns out to be a great Semaphore private key for Semaphore group membership and signalling! And WebAuthn allows you to create multiple keypairs, thus allowing you to use it as a natural Semaphore wallet that's secured with biometrics! I'm skipping some details here, but will link a presentation with more details in a few days. A repo with this scheme implemented can be found at https://github.com/vb7401/heyauthn

Signaling

Using this WebAuthn semaphore wallet, you're only allowed to signal after a valid biometric has been provided, which is a fairly clean and secure UX.

Attaching more reputation

If there's only one anonymity set of "Zuzalu attendees", we might as well just have a Google Form that's only shared with attendees that people can use to post things. It seems the real unlock comes when we have a variety of labels and attestations to choose from, potentially even combining multiple when necessary. I want to have a few different ways for people to attach reputation to their Semaphore identities ready by Zuzalu:

  1. Manual attesting. There's a whole host of interesting attestations that seem fine for people to self-attest to, or for there to be in-person verification of. Your nationality, which fields you're interested in, where you're experienced, etc.
  2. Ethereum groups. Using https://github.com/personaelabs/spartan-ecdsa, we can efficiently attach reputation from POAPs and SBTs to our Zuzalu Semaphore identities. As there are no nullifiers for ECDSA (not yet, we're working on it!) we can't prevent people from attaching their reputation to multiple Semaphore identities, but we should be able to trust people to not abuse that (or disincentivize this behavior somehow).
  3. ZK-JWT. This is a recent project scoped out by Aayush Gupta and a v1 is implemented here https://github.com/emmaguo13/zk-blind. Using OpenAI's RSA-based JWT, users can prove that they own an email with a specific @domain.com. OpenAI is a great choice for this as their anonymity set is >100M users. The emails you have are a huge part of our professional identities, so it'll be dope to be able to attach your anonymized email domain without manual verification.
  4. ZK-Email. Another project led by Aayush Gupta that can extract information from emails using signatures by the outgoing mailserver. Many use cases, one being to attach Twitter reputation (own an account with >x followers, or you contributed to a GitHub repository, etc). You get a lot of other web2 identities, anything you can anonymously attest to in your email.

A relevant tool for managing the groups created by these sorts of attestations is ZK-Groups from PSE, a Semaphore group management tool being built out that could make it easier for Zuzalu staff to make certain types of attestations on top of a Semaphore identity system.

Where to post

Personally, I lean towards having anonymous feeds on existing social media and chat platforms instead of creating a separate platform for a few reasons:

  1. Being able to interact with pseudonymous speech with "real-life identities" will make for richer conversations than a purely anonymous platform
  2. I honestly just want to do cryptography and it's too risky of a cold start problem to get people to regularly check a new website

But this is also a great chance to get more usage for products from PSE and other folks, so definitely want to figure out what's best for everyone! For existing platforms I see the following breakdowns:

  1. Twitter/Farcaster -> Any feeds or events that are public-facing, where people can post questions or what they thought of things
  2. Discord -> For Zuzalu internal messaging, like positive/negative feedback for organizers
  3. Telegram (WhatsApp? Signal?) -> Can add a Telegram bot to any chat and send messages there if it's directed at a smaller group. Should also be able to create a new anonymity set with members of the chat

Events/feed ideas

Choosing the right events and long-running feeds is necessary to direct this technology towards more open and honest discussion over toxicity. I think toxicity isn't strictly negative; at the very least it makes for good content. But if we want this technology to be used positively, then toxicity cannot be the primary use case (which there's a lot of precedent for, e.g. 4chan and cyber bullying).

One excellent idea from Danilo of PSE is that we can directly integrate Semaphore based identity into the events page, whether that be

  • Requiring a Semaphore identity to create an event to an open feed
  • Gating event access or visibility to people with specific attributes or attestations or reputation
  • Integrating feedback in directly at the end of events

This is also probably where Zuzalu organizers will have the best input on what to build as they'll be most familiar with who is attending and what sorts of setups would be most engaging for attendees and useful for organizers. Here's some ideas:

  • Confessions/Overheard: a familiar form of anonymity to get people warmed up and using this stuff more regularly
    • Particularly inspired by https://aaiconfessions.com/, a project from MIT focused on Asian American experiences with love and relationships. They were able to use anonymity for more vulnerability and honesty, and have created an incredibly relatable and powerful set of stories for fellow AAI students
  • Feedback for organizers: Yeah pretty self explanatory, but with some moderation so people can't just be super toxic for no reason
    • Sugesto is a tool being built out by PSE that could easily integrate with a Semaphore based identity system?
  • Q&A during events: allow people who are less experienced to ask questions without feeling bad; hopefully everyone learns better! In addition, having a separate feed of questions during talks means speakers/attendees can go back and answer things later if there isn't time during the talk
  • Mini-governance / private voting. If we start out with Semaphore identities, we can much more easily do experiments with private voting and polling than ECDSA-based DAOs!
  • Harry Potter and the Philosopher's Stone: LOL this is an idea I've wanted to do for so long. Basically, a bunch of people sign up to play and at the start of the game three Semaphore identities are randomly assigned to be Harry, Ron, and Hermione. I am Voldemort, and if I find any of the three, I hit them with the Avada Kedavra and I win. But if two of them meet up before I find them, they win. The catch is they're only allowed to communicate using a public Twitter feed, which I'll be following the whole day. Thus they'll need to do some sort of scheme to mislead me and coordinate a meetup. There's all sorts of extensions here: if it is too easy for me then Harry/Ron/Hermione might get "Polyjuice potion" to impersonate someone else, or if it's too easy for them then I get to have some Death Eaters help me find them. Super down to jam on these sorts of ideas and come up with a bunch of bangers!!

Private donation tools

From Danilo of PSE, we could have a ZK-enabled multisig to allow for private donation / grant giving to projects that are being built out at Zuzalu! Another similar idea is explained by him here:

"Needs/Offer" Dapp, where members can privately post some (don't see an issue of being offchain) of their needs so others can support, or members can privately post some things they can offer to the community privately (or not in this case).

The idea is that users would be able to see the lists of Needs/Offer, chat, and if both parties agree, they become known to each other.

(I truly believe that selfless work/contribution is a must for a strong community building)

Moderation schemes

Mainly, we need to try a bunch of different things and see how people respond / how it affects the sorts of conversation people have. Would love to hear ideas from PSE as you guys have a bunch of experiments exploring this already (UniRep, cocoverse, etc.)
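As an added sketch (not code from Semaphore, PSE or the original post), here is how the nullifier idea from the start of this post supports the "remove a post after enough downvotes" scheme and one-vote-per-member polls. It is a simplified model of Semaphore's identity structure: SHA-256 stands in for the Poseidon hash, the zkSNARK membership proof is omitted, and the class and function names are hypothetical.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    """SHA-256 stand-in for Poseidon; inputs are length-prefixed to avoid ambiguity."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

class Identity:
    """Two secrets kept by the user; only the commitment is published to the group."""
    def __init__(self):
        self.trapdoor = secrets.token_bytes(32)
        self.nullifier = secrets.token_bytes(32)

    def commitment(self) -> bytes:
        return H(H(self.nullifier, self.trapdoor))

    def nullifier_hash(self, external_nullifier: bytes) -> bytes:
        # Same identity + same topic -> same value, so a repeat is detectable.
        # Different topics -> values that cannot be linked to each other.
        return H(external_nullifier, self.nullifier)

class DownvoteModerator:
    """Hides a post once `threshold` distinct members have downvoted it."""
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.seen = {}  # post id -> set of nullifier hashes already counted

    def downvote(self, post_id: bytes, nullifier_hash: bytes) -> str:
        # A real verifier first checks the proof that this nullifier hash
        # comes from some commitment in the group, without learning which.
        votes = self.seen.setdefault(post_id, set())
        if nullifier_hash in votes:
            return "duplicate"
        votes.add(nullifier_hash)
        return "hidden" if len(votes) >= self.threshold else "counted"

def demo():
    alice, bob = Identity(), Identity()
    mod = DownvoteModerator(threshold=2)
    results = [
        mod.downvote(b"post-1", alice.nullifier_hash(b"post-1")),
        mod.downvote(b"post-1", alice.nullifier_hash(b"post-1")),  # same member again
        mod.downvote(b"post-1", bob.nullifier_hash(b"post-1")),
    ]
    linkable = alice.nullifier_hash(b"post-1") == alice.nullifier_hash(b"post-2")
    return results, linkable

if __name__ == "__main__":
    print(demo())
```

Using the post ID as the external nullifier gives each member one downvote per post while keeping their votes on different posts unlinkable.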

Easy to re-use setup

It'll be a very good sign if visitors enjoy the experiments we have at Zuzalu and want to replicate it at their own events and offices. As a result, I think it'd be good to aim for an easily reusable setup by the time Zuzalu starts so the zk-interaction meme can spread beyond just PSE/0xPARC!