### WITHOUT PERMISSION, WITH PROGRAMMABLE CRYPTOGRAPHY @oskarth, HCPP24 (Prague) --- ## About me - @oskarth / oskarth.com - now: independent researcher (programmable cryptography) - previously: mopro (client-side proving), waku (p2p messaging protocol) Note: Slide 2 --- ## TLDR **With programmable cryptography, we can permissionlessly reclaim our data** Note: Slide 3 Need to understand what we mean by progcrypto and permissionly reclaiming our data --- ## Takeaways 1. Programmable cryptography is a powerful tool 2. Most data online is cryptographically signed 3. We can make this data portable Note: Slide 4 and use it where we want --- ## Agenda - Motivation - Zero Knowledge Proofs - Applications Note: Slide 5 For rest of talk Motivation - look back at last decade, set scene --- ### War on general computation (2011)  Note: Slide 6 Can we compute what we want? Vs locked down Regulatory challenges Same stuff, but changed from copyright etc to free speech, freedom to transact in middle of it, e.g. tornado cash 15y ago --- ### Software is eating the world (2011) Program or be programmed.  Note: Slide 7 more than decade ago, even more true today program or be programmed by the algorithm --- ### Privacy is dead (2010)  Note: Slide 8 heard this too, while convo changed similar themes chat control, arrest of durov telegram, e2ee encryption crackdown etc --- ## MORE DATA Who owns your data? What can they do with it? Who can compute on it?  Note: Slide 9 2 zb to 18, x100 las 15y zetta->exa->peta->tera a lot of data - so who owns it etc? --- ## Where is all this data? - Stuck in data silos (Web2) - Google, FB, Amazon... - Banks, Governments... - (Self-hosted, E2EE, Blockchains...) Note: Slide 10 Even if data belongs to you Bitcoin/Self-sovereign but minority --- ## Cryptographic matter - Blockchains and E2EE protocols - yes, and also... - HTTPS (TLS) - Emails (DKIM) - Digital documents (RSA) - Everywhere - can we use this? Note: Slide 11 Everywhere - can we use this? --- ## Without permission (1997)  Note: Slide 12 been here before One cool thing about cryptography is we can just do it Same with Bitcoin etc if we are operating self-soverign way nothing stop us, no intermediaries obviously, some fight along the way, but technically can do it --- ### Programmable cryptography (briefly) - Cryptography: Securing digital information - Prog crypto: Cryptography + Computation - Tools: ZK, MPC, FHE - Ex: Prove you 18y+ w/o revealing anything else - If ZK is single-player, MPC/FHE multi-player Note: Slide 13 We will go into this more Witness encryption clear throughline with cypherpunk manifesto in 90s --- ## Part 2 - Zero Knowledge Proofs - Assume you maybe heard but don't know details - Give brief friendly intro - If you familiar can zone out for a bit Note: Slide 14 Explain what they are and how they work TODO: (read more...) later ref --- ## Friendly Intro to ZK - Prove arbitrary statements (general-purpose) - Privacy and compression - Examples - Prove 18y+ (privacy) - Prove state change correct (compression) - Only prove statement is true Note: Slide 15 Proof size --- ### Where's Waldo  Note: Slide 16 Toy example --- ## Why should you care *Privacy is the power to selectively reveal oneself to the world.* (Cypherpunk's Manifesto) *Civilization advances by extending the number of operations we can perform without thinking about them.* (Alfred Whitehead) Note: Slide 17 No need to convince anyone here of privacy Also gives us certainty, concise proofs building block in many things --- ## How does it work - Special program (ZKP) - Made up of constrains (think Sudoku) - Prover and Verifier - Verifier can be on-chain - Prover creates a proof, verifier verifies it - Private and public input Note: Slide 18 --- ## Why now - Quite new field - Recent advances in affordances - Growing need, especially blockchain context - Complementary tech - Moore's law for ZKPs Note: Slide 19 Exploding field Moore's law: slow, orders of magnitude --- ## Zerocash/Zcash (~2014)  Note: Slide 20 From 80s mathematically Practical with Zcash decade ago, Zooko exploded Complementary tech, why --- ## ZKPs and Public Blockchains - Blockchains: censorship resistant and transparent - ZKPs: privacy and compression - Hence Zcash/Monero, L2s... - But: we can use ZKPs w/o blockchains! Note: Slide 21 Note still verifiers --- ## Part 3 - Applications (Overview) - Electronic cash: Zcash/Monero, private tx - Ethereum/Bitcoin L2s... - What about non-blockchain applications? Note: Slide 22 --- ## More on applications - Private identity/voting - A lot of web2 data is locked in - Cryptographic matter: use existing signatures - Let's look at more concrete examples Note: Slide 23 Just look at a few --- ## ZK Identity: Three examples - Zupass (crypto-native) - OpenPassport (passport data) - Anon-Aadhaar (Aadhaar digital ID system) Note: Slide 24 Anti-sybil resistance Access control --- ## Zupass: crypto-native identity - Semaphore groups - (Identity commitments and merkle trees)  Note: Slide 25 Basic crypto (Poseidon/Semaphore) Merkle Tree Zupass proto-network state But key distribution limited Access and voting What about existing key distributions? --- ### Cryptographic matter - Zupass based on Poseidon hash/Semaphore - Cryptographic matter out there - ECDSA keys for Bitcoin/Ethereum - Signed identity documents, emails... - Can we use this? Note: Slide 26 Why complex? cuz x100 harder to express different plaform, dealing with polynomials not binary out of scope of talk why exactly, written about before TODO: Check diff previous slide --- ## Anon-Aadhaar - Aadhaar in India, ~1B users - RSA verification inside ZKP  Note: Slide 27 Complex, but now possible! Including on phones Permissionless Not leaking address Mention client-side perf problem --- ### OpenPassport - Verify signature inside passport - Selective disclosure - Different standards but a lot supported  Note: Slide 28 Signature inside, can verify Diff standards a lot support --- ## OpenPassport (cont) - Proof of humanity - Identity verification - Quadratic funding - Wallet recovery Note: Slide 29 E.g. anti sybil, only reveal you got a valid passport nothing else Big problem, especially LLM generated If gonna interact with system this is option in trade-offs space Tool in toolbox Wallet recovery - not gonna burn passport, can use as factor Verify above 18 ECDSA / RSA (SHA256 etc) --- ## ZK Email - DKIM signatures in every email - Emails contains _a lot_ of signed data - Email wallet, ZKP2P  Note: Slide 30 Bring off-chain data onchain Regex Example email from Twitter or Parallel Polis --- ## ZKP2P - Trust-minmized p2p onramp to crypto from fiat - Built on top of ZK-Email - Venmo email as proof of payment (e.g.)  Note: Slide 31 Upload email/proof (right now remote, UX) Alpha but few 100k volume --- ## ZKP2P (cont) - Above works for some platforms - But not for everything (need good data in email) - What about something like Revolut? Note: Slide 32 Payment details unique id etc Can we do more than just DKIM email signatures? Turns out we can! --- ## Using TLS? - Up until now talked about ZKPs - Programmable Cryptography has more tools - Web runs on HTTPS/TLS - Websites/APIs very data rich - TLS: data origin and integrity, but not portable Note: Slide 33 --- ## TLSNotary - Problem: Client can forge server data - Solution: MPC (more specifically, 2PC) - Not MITM, operating on TLS connection in MPC  Note: Slide 34 Symmetric keys ZK single-player, MPC multiplayer Data provenance Original idea bitcointalk thread 2014 --- ## TLSNotary (cont) - ZKP2P: Revolut data with browser add-on - Extremely powerful and general-purpose - Prove access to account, private information about yourself, received private message, earned a degree, etc... Note: Slide 35 Notary can be anyone, network/replaceable Avoid censorship/collusion --- ## More on programmable cryptography - ZK: Mature, on my private data (single-player) - MPC/FHE: Multiplayer, 2PC most mature - Combinations: ZK-FHE, coSNARKs, ... - (Arguably smart contracts?) - Theoretical: witness encryption, IO... Note: Slide 36 FHE: Operate on multiple encrypted data MPC: Only learn output PSI example WE: encrypt to specific program IO: encrypt program Computationly expensive, threshhold cryptography --- ## Programmable cryptography Hard and flexible, like bamboo and carbon fiber  Note: Slide 37 Both robust and flexible Cryptographic hardness, sound money Also flexible in world we live in Anchored old, bamboo New into digital future, carbon fiber ProgCrypto allows us to build new tools and systems for more free future --- ## Recap **With programmable cryptography, we can permissionlessly reclaim our data** - Intro to ZK, briefly on programmable crypto - Saw examples of ZK Identity, ZK-Email, ZKP2P, TLS Notary... Note: Slide 38 --- ## Thanks! Questions? - zkintro.com want to learn more - friendly intro to ZKPs for anyone - also for programming ZKPs - oskarth.com / @oskarth Note: Slide 39 TODO: Mini-wiki resource? ---