Note:
不好意思我現在不會講中文,沒有時間準備
Director of Research at Vac
Vac builds public good protocols for the decentralized web,
with a focus on communication and privacy
origin in Status app and trying to improve on underlying protocols
We build Waku, ZK tooling and other things
Note:
Go over RLN core construct first, then look at in a p2p setting
For each part we'll also do a bit of a code/demo that you can play around with
Note:
Existing solutions for preventing spam are usually either centralized or they don't work in practice
This is a big problem, services that require phone number, tied to identity, and country
We'll talk more about the p2p aspects later on
Note:
Rate limiting can only send N messages in a period
Can be used for spam protection in p2p messaging systems
Also things like rate limiting in general, decentralized captcha
Note:
ETHResearch post origin by Barry Whitehat
Then a lot of work on various implementations, performance, making it work in p2p setting
First let's look at construct a bit
Note:
We split up flow into three parts
Put some capital at risk, economic or social, if you double signal, you get slashed
Note:
Identity commitment inserted into merkle tree
Identity secret random 32 byte values, hash twice to get identity commitment
Want to make it economically or otherwise costly to register, against Sybil attacks
InterRep prove user has a reputable social media account
keccak256
hash of contentNote:
Signal is hash of message, external nullifier, proof and some other fields
Note:
Verification: external nullifier correct epoch, non-duplicate check, zk proof verification and then double signal check
Slashing: based on Shamir’s secret sharing, reveal secret key -> get stake
// private
signal input identity_secret;
signal input path_elements[n_levels][1];
signal input identity_path_index[n_levels];
// public
signal input x; // signal_hash
signal input epoch;
signal input rln_identifier;
Note:
identity_secret is is ther secret key generated locally
path_elements elements along path, siblings
identity_path_index path to leaf for merkle proof
x is the signal hash
epoch is external_identifier here
Usually a timestamp or period, can think of as voting booth,
can only signal once in that period
RLN identifier is for a specific RLN app
path_elements has a 1 here for simplicity, indicates number of neighbors at that level
signal output y;
signal output root;
signal output nullifier;
Note:
Calculated locally
y is share of secret equation, see soon, and internal nullifier
internal nullifier acts as unique fingerprint for a given app/user/period combination
Also root of Merkle tree
How is this output with y and the internal nullifier calculated?
a_0 = identity_secret
a_1 = poseidonHash([a0, external_nullifier])
y = a_0 + x * a_1
internal_nullifier = poseidonHash([a_1, rln_identifier])
Note:
This is using Shamir's secret sharing
If a given identity a0 signals twice in epoch/external nullifier, a1 is the same
For a given RLN app, internal_nullifier then stays the same
x is signal hash which is different, and y is public, so we can reconstruct identity_secret
With the identity secret revealed, this gives access to e.g. financial stake
y1 = a_0 + x1 * a_1
y2 = a_0 + x2 * a_1
(RLN SSS)
Note:
Shamir's secret sharing is based on idea of splitting a secret into shares
k points is enough to determine polynomial of degree <= k-1
In this case we have two shares, and since a0 and a1 stays the same for a given user and epoch,
With x (signal hash) changing we are able to reveal a0 which is the identity secret
`
{
signal: signal, # full signal
proof: zk_proof,
internal_nullifier: internal_nullifier,
x: x, # signal hash
y: y,
rln_identifier: rln_identifier,
// application specific
root: merkle_proof.root,
external_nullifier: external_nullifier
}
Note:
This is the actual message we send
We may also include root and external nullifier here
{
[external_nullifier]: {
[internal_nullifier]: {
x_shares: [],
y_shares: []
}
}
}
Note:
E.g. can happen at central server, or at each client
Metadata needs to be stored to detect double signaling and ability to reconstruct secret
Note:
Check external nullifier / period is correct one (e.g. 20s window)
Discard duplicate messages
Verify ZKP, otherwise discard
Check if there is more than one x/y share combination per external nullifier and internal nullifier
If there is, we can reconstruct a0 and take stake
Store metadata
Note:
Now Circom one much more performant, WASM, Circom 2 etc
Current libraries we have are
Note:
Circom are the official spec version
rlnjs is by PSE and the reference implementation
Zerokit is using Circom circuits via WASM, more soon
js-rln wrapper Zerokit WASM, primarily made to make it easier to work with Zerokit and Waku
Final one is the alt impl not using official Circom spec, Waku used this before but moved away from
Note:
Context: Waku as p2p infra running in many environments (Nim/JS/Go/Rust)
Circuit artifacts wasm and r1cs code
Circom strength Dapp developers, tooling, verification codes, circuits etc
Rust strength systems based, easy to interface with Nim, Go, Rust, C etc
Also access to other Rust ZK ecosystem, arkworks here with ark-circom
Opens door for using other constructs, Halo etc
Note:
Show code
Note:
By modular we mean: pick and choose protocols and how you use them depending on constraints and trade-offs (e.g. bw vs privacy)
Resource restricted environments
With Whisper you had holy trinity back in day, Ethereum/Swarm/Whisper
Note:
Waku Relay protocol based libp2p GossipSub for p2p messaging
Filter for bandwidth-restricted nodes to only receive subset of messages
Lightpush for nodes with short connection windows to push messages into network
Store for nodes that want to retrieve historical messages
Subset of protocols, for more can check specs
graph graphname{
g [color=Red, penwidth=3.0]
a [color=Red, penwidth=3.0]
h [color=Red, penwidth=3.0]
d [color=Red, penwidth=3.0]
b [color=Red, penwidth=3.0]
edge [color=Blue, style=dashed]
rankdir=LR;
a -- c;
e -- a;
f -- a;
b -- c;
f -- e;
e -- d;
e -- g;
h -- f;
i -- b;
i -- c;
a -- i;
edge [color=Red, style=solid, penwidth=3.0]
a -- b;
g -- a;
a -- d;
h -- a;
}
a relays messages to a subset of peers
From 30/ADAPTIVE-NODES
Note:
Open network where nodes have different capababilities
Few problems here, e.g. spam and incentivizing service node
Want to address these while keeping privacy-guarantees of base layer
Today we gonna focus specifically on spam problem
The spam problem arises on gossip layer when anyone can overwhelm the network with messages (red lines)
Note:
Traditional phone numbers not decentralized/private
Whisper PoW not good for heterogenerous nodes
Peer scoring prone to censorship and can also be circumvented
RLN Relay!
Note:
This is how RLN is used with Relay/GossipSub protocol
Diff other ZK applications, verify each peer
Worth noting that this can be combined with peer scoring
Note:
TODO: Link to repo rln-circuit repo, more details
Shamir example how work?
Note:
Note:
From above two should be able to find most things
Show docs, and RLN spec, also paper etc
Thanks! Questions?