--- lang: en image: https://i.imgur.com/7eRWde5.png --- # Mull Over The Nullifier *Thanks to Kobi Gurkan and Wanseob Lim for the reviews and the feedback* [TOC] ![](https://i.imgur.com/7eRWde5.png) > We're not talking about ["An item purchasable at the Main Shop, under Magical."](https://dota2.gamepedia.com/Nullifier) When I first looked into the zero-knowledge proof applications, the term nullifier confused me a lot. Many projects use nullifiers and define them differently depending on the context. In this post, we review those projects and extract the abstract idea that works for all. ## A Single-Use Gadget **Nullifier is a piece of data that ensures a message only takes effect once**. When we see the term nullifier, we can first restrict our attention to this primary function and take care of other details later. Why taking effect once matters? Consider the following applications: - Application A: A sender can send a message that instructs the system to move $10 from the sender's balance to a receiver, with the information of the sender, receiver, and value hidden from the public. - Application B: An user deposited $10 in the system some time ago. They can hire a relayer to send a message to withdraw the $10. The depositor can't be inferred from the message. - Application C: A voter can send a message to cast a vote to support a candidate without revealing the voter's name. These applications have something in common: - A message carries some economic value or causes some important things to happen. - A message hides information, but itself is broadcasted publicly. One can easily rebroadcast these messages to the system. Here's what would happen if we don't have a protection mechanism, and the same message takes effect twice or more. - Application A: The sender now sends another $10 to the receiver again. The receiver can drain all sender's money by resending the message again and again. - Application B: The user who deposited only $10 now withdraw another $10 from the system. The system can not maintain the balance and will go bankrupt. - Application C: The voter now cast two votes for the candidate. The tally becomes meaningless because anyone can throw as many votes they like. How can a nullifier come to help? Let's reveal the true identity of each application I choose arbitrarily. Note that people sometimes refer "nullifier" to secret data and "nullifier hash" to the secret's hash. Sometimes people refer "nullifier" to the hash of the secret and name the secret differently. In the former case, the nullifier is private information, while it is public in the latter case. ## Application A ### Zcash (Sprout) ``` Input Transparent 46252.81429411 ZEC + Shielded ? ZEC ▶JoinSplit▶ Output Transparent 0 ZEC + Shielded ? ZEC ``` > An example of [shielded payment](https://explorer.zcha.in/transactions/9329552a2acb3d686989b467bdd98ad1ae9ef77a608d7a731e093498df69c047) [Zcash](https://z.cash/technology/zksnarks/) allows a user to send a shielded payment, which hides receiver and amount information. ``` Nullifier = HASH(spending key, rho) ``` To send a shielded payment, the sender publishes an encrypted note along with its Nullifier. A note is the information of the receiver and amount. The full node tracks all the Nullifiers revealed so that a double spend can be detected. The Nullifier is a hash of the sender's spending key and a variable rho. In the older version Sprout, rho is just a unique identifier of the note. In contrast, in the newer version, Sapling, rho is the hash of the unique identifier and the note. ### Zkopru ``` Nullifier = HASH(nullifier_seed, utxo_leaf_index) ``` [Zkopru](https://docs.zkopru.network/how-it-works/grove#nullifier-tree) also allows users to send shielded payments, but on layer 2. Zkopru keeps the Nullifiers in a giant 254-depth Sparse Merkle Tree. A Nullifier is a hash of a secret `nullifier_seed` and the UTXO leaf index in the UTXO tree. The user sends a transaction and attaches a Nullifier with it. The coordinator runs the circuit off chain and tries to update each Nullifier leaf. A successful update should change the tree root. Otherwise, if the tree root remains the same after an update, it means the Nullifier is already in the tree, and thus the transaction is a double spend. ## Application B ### Tornado Cash ``` nullifierHash = HASH(nullifier) ``` When attempting to withdraw money from the Tornado Cash, the user provides a zk proof of the withdraw circuit validating the public nullifierHash is the hash of the private nullifier. The Tornado contract checks the nullifierHash hasn't been set before, then marks it sent on a successful withdraw. ```solidity contract Tornado { mapping(bytes32 => bool) public nullifierHashes; function withdraw(... bytes32 _nullifierHash, ...) { // ... require(!nullifierHashes[_nullifierHash], "The note has been already spent"); // ... nullifierHashes[_nullifierHash] = true; // ... } } ``` ## Application C ### OneOfUs ![](https://i.imgur.com/F00ii5U.png) The voting example came from the [OneOfUs](https://weijiek.medium.com/private-voting-and-whistleblowing-in-ethereum-using-semaphore-449b376808e) ([Github repo](https://github.com/weijiekoh/oneofus/blob/master/contracts/sol/OneOfUs.sol)), which lets a POAP token owner register and vote on questions. Voting is anonymous, and a user can only vote once per question so that no double vote is allowed. OneOfUs is built upon a more general private signaling framework called Semaphore. Let's talk about Semaphore first, then OneOfUs is easier to understand. ### Semaphore ``` // Semaphore nullifiers_hash = HASH(identity_nullifier, external_nullifier, identity_path_index) ``` Like Tornado Cash, arguably a specialized and simplified version of Semaphore, Semaphore contract also has a mapping `nullifierHashHistory` that tracks nullifier hash that has been published before. What makes Semaphore so special is that it has an _External Nullifier_, a piece of public data that acts as a topic. The application designer can exploit the external nullifier to limit a user's action to a particular topic only once, or even [rate limit](https://github.com/ChihChengLiang/semaphore_auth/issues/23) the user action three times, or once every 5 minutes. ``` // OneOfUs external_nullifier = HASH("Is the typhon going to hit Osaka?") ``` In the OneOfUs example, the external nullifier is just the hash of the question. Once the user answers the question 1 publishes the nullifier hash, they can't answer the question 1 again because that would publish a duplicated nullifier hash. But the user can still answer another question, say question 2 since the nullifier hash will be different and the Semaphore contract hasn't seen it before. ## Commitment We've focused on how nullifiers gurantee the signle use of the messages. The next natural question to ask is who is authorized to send that single valid nullifier in the first place? The nullifier usually comes with its counterpart, the commitment. Some project's document calls the combination a "commitment-nullifier scheme," which is a pattern that powers many Zero-knowledge proof applications. A commitment is a published hash of secrets, and it determines who is allowed to create a valid nullifier. As a result, the commitment hash and the nullifier hash share a common data field in their preimage so that the zk prover can cross-validate that data field for validity. Examples are: - Zcash (Sprout): The preimage of the Nullifier shares a note id `rho` with the commitment. - Zkopru: The UTXO is the commitment. The Nullifier has nullifier_seed and utxo_leaf_index. The former is derived from the sender's secret to make sure only the sender can create the nullifier. The latter makes sure the UTXO is only spent once. - Tornado Cash: A user deposits money and commits the secret named "nullifier." The zk proof convinces the system the user has deposited before by validating the commitment hash and nullifier hash. - Semaphore: Require a user to be registered to the system and commit a secret data named "identity nullifier." So only a registered user can create a valid nullifier hash. ## Conclusion We reviewed how several projects use nullifier hash to gurantee the single use of the message. We also explored the relationship between the nullifier and the commitment. We hope the post makes nullifier less a dangerous weapon and contributes to health regeneration for the dear readers.
Last changed by  
Chih-Cheng Liang
4092

Read more

Deposit game

Consider a two player simulatneous game:

1/29/2024
BLS Signatures in Solidity

Thank Onur, Jannik, and Mikerah for the review and the advice published version https://ethresear.ch/t/bls-signatures-in-solidity/7919 [TOC] Who should read this? This article targets developers who want to perform BLS signature verification in Eth1 contracts. For readers interested in the BLS signature in Eth2, I highly recommend "BLS12-381 For The Rest Of Us"^ben-bls by Ben Edgington, which provides long but not too long answers to common questions.

10/28/2022
資料可得性

在資料分片的環境底下,我們不能讓全節點去完整下載其他分片上所有的資料,否則就失去分片的意義了。 但我們仍然要顧慮一種情況:某個分片上的惡意節點,發佈了承諾,卻窩藏承諾背後的資料沒有發布。如果說在其他分片上的全節點,都乖乖收下了帶有這個承諾的區塊,這會是個危險的情況。相當於整個系統產出了一個區塊,但區塊上屬於該分片上的資料,除了惡意節點外沒有人知道是什麼。 要解決這個問題可以引入兩個機制:抽樣挑戰和糾刪碼。 抽樣挑戰是我們可以把該分片需要發布的資料切成幾等份,並要求全節點對其抽樣。例如切為 256 份,並對其抽取 75 份。全節點必須在抽樣的 75 份的資料都有正確回應的情況下,才能收下區塊。注意這時候惡意節點的選擇變成到底 256 份的資料中要發布幾份和窩藏幾份。抽樣挑戰的好處是全節點只要少少的抽樣,惡意節點必須發布很大比例的資料(例如 250 份),才能讓全網大部分的全節點完成挑戰並收下區塊。 但發布很大比例的資料仍然不夠,只要惡意節點能夠窩藏一份資料,這區塊就是一個資料不完整的不合格區塊。所以我們除了抽樣挑戰外還需要糾刪碼。

7/29/2022
Zeroknowledge podcast Dan Boneh interview

10/27/2019
Read more from Chih-Cheng Liang
Published on HackMD