Privacy Issues in Cryptocurrencies

The document discusses privacy issues in cryptocurrencies like Bitcoin and Ethereum, highlighting the lack of unlinkability despite pseudonymity. It introduces zero-knowledge proofs as a solution to validate transactions without revealing sensitive information, and outlines their properties and applications, including zk-SNARKs for efficient proof generation. The lecture emphasizes the importance of privacy in financial transactions and the potential for zero-knowledge proofs to enhance anonymity in cryptocurrencies.


Fall 2024

Blockchains, Cryptocurrencies and Smart Contracts

Lecture 8

Ahmed Kosba

Department of Computer and Systems Engineering
Faculty of Engineering
Alexandria University
Privacy problems in cryptocurrencies (Bitcoin)
• Bitcoin provides pseudonymity, but not unlinkability.
• The transaction graph (plus side-channel information) can link pseudonyms
  to real/online identities.
• For example, see Bitcoin Transaction Graph Analysis [Fleder et al.]
Privacy problems in cryptocurrencies (Ethereum)
Recall how smart contracts work:

Smart Contract (Address: 0x1234)
  Storage: Owner: .., Participants: [], Balance: 0
  Code:
    If collected funds > 10000 on Mar 1st
      then Send(Alice, collectedFunds)
      else refund Participants

Create Contract -> the code rules decide the money flow.

The miners need to have access to plaintext values in order to execute the code.
Why do anonymity and privacy matter?
• Payment history can reveal sensitive information
  • Personal: location, interests, medical
  • Commercial: trade deals
• Traceability harms fungibility:
  • Discrimination against certain coin sources (or against users with certain
    transaction histories) is possible
• Note that the ledger information is public in our context. (Compare
  with traditional banking)
  • The analysis can be done by anyone at any time!

From another perspective, anonymity might lead to more criminal activity, so why should we still care?
Coin Mixing
Via an intermediary (a mixing service): users pay coins into the service, which pays them out to new addresses.
Peer to peer, e.g., CoinJoin: the users collaborate to produce a single multi-input,
multi-output transaction that pays out to new addresses.

Each arrow in the figure represents a single transaction.

Drawbacks of these solutions?


Other Privacy/Anonymity attempts
• Solutions compatible with Bitcoin:
  • Confidential transactions [Max16]
  • TumbleBit [HABSG17]
• New altcoins:
  • Ring signature-based: Monero
  • Zero-knowledge proof-based: ZeroCash (ZCash)

• We will focus on zero-knowledge proofs today
Zero-Knowledge Proofs
• Warm-up:
  • How is linkability helpful in the context of transaction verification?

Block #i:     A (05 BTC) -> B (02 BTC), A (03 BTC)
              C (10 BTC) -> D (01 BTC), E (05 BTC), C (04 BTC)
Block #i + 1: B (02 BTC) -> F (01 BTC), B (01 BTC)
Block #i + n: B (02 BTC) -> G (01 BTC), B (01 BTC)

Our goal is: Can we prove that a transaction is valid without showing the links?
Trivial Scenario
How can Bob convince Alice that he knows a solution to a Sudoku puzzle?

Bob (Prover) sends the solution to Alice (Verifier).

• The solution is easy to verify.
• Alice learns what the solution is.
Zero-Knowledge Proofs of Knowledge
Can Bob convince Alice that he knows a solution to the Sudoku puzzle without
revealing any information about the solution?
Yes!

Bob sends Alice a ZK proof of knowledge.

• Alice will be able to verify that Bob knows a solution.
• Alice will not learn any information about the solution.
Zero-Knowledge (ZK) Proofs

• Can there be convincing proofs that don’t reveal any extra information?
• Do we really need them in practice?
• What kind of statements can we prove in zero knowledge?
• How efficient can the proofs be?

Where is Waldo?

Bob sends the location to Alice: not ZK.

How can Bob convince Alice that he knows the solution without revealing any information
about it?

Zero-Knowledge: Bob convinces Alice with a proof instead of the location.
Zero-Knowledge Proofs
(Figure: New York Times, Feb 17th, 1987)

• Introduced by Goldwasser, Micali and Rackoff's seminal paper in 1985
• The first two authors won a Turing award because of their contributions.
Interactive Zero-Knowledge Proofs
L is a language in NP
Stmt: x ∈ L

Alice (Verifier) and Bob (Prover) exchange a sequence of messages.

Zero-Knowledge:
How can Bob prove the statement without revealing any other information?
Graph Isomorphism
G0 ≃ G1
G1 = π(G0)
(Figure: two graphs G0 and G1 on vertices 1–6, related by the vertex permutation π)
Interactive ZK Proofs for Graph Isomorphism
Statement: G0 is isomorphic to G1, i.e. G1 = π(G0)

• If zero knowledge is not a requirement, Bob can just provide the vertex permutation π as a proof.
• How to prove the statement without revealing any other information?

Alice (Verifier), Bob (Prover)
Interactive ZK Proofs for Graph Isomorphism
G1 = π(G0)

1. Bob (Prover) permutes the vertices of one of the graphs and constructs a new isomorphic graph Gr:
   • Select a random bit b ∊ {0,1} and a random permutation πr
   • Send Gr = πr(Gb)
2. Alice (Verifier) chooses one of the graphs randomly and asks the prover for a permutation:
   • Select a random bit b' ∊ {0,1}
   • Send b'
3. Bob finds π' such that Gr = π'(Gb') and sends π' to Alice.

Probability that Bob cheats?
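As an added example (not part of the lecture), the three-step round above in Python: an honest prover who holds π answers either challenge, while a prover without an isomorphism can only answer the challenge it guessed, so it survives a round with probability 1/2. The graphs G0, G1 (a triangle with a pendant vertex and its relabelling) and the non-isomorphic 4-cycle are constructed for illustration.

```python
import random
def apply_perm(graph, perm):
    """Relabel every vertex v of an undirected graph (a set of 2-vertex frozensets) as perm[v]."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)
def compose(p, q):
    """Permutation v -> p[q[v]]: apply q first, then p."""
    return {v: p[q[v]] for v in q}
def invert(p):
    return {w: v for v, w in p.items()}
def random_perm(n):
    image = list(range(n))
    random.shuffle(image)
    return dict(enumerate(image))
class HonestProver:
    """Bob, who knows pi with G1 = pi(G0)."""
    def __init__(self, g0, g1, pi):
        self.g0, self.g1, self.pi = g0, g1, pi
    def commit(self):                                  # step 1
        self.b, self.pr = random.randint(0, 1), random_perm(len(self.pi))
        return apply_perm(self.g1 if self.b else self.g0, self.pr)   # Gr = pi_r(G_b)
    def respond(self, b_prime):                        # step 3
        if b_prime == self.b:
            return self.pr
        # b=0, b'=1: Gr = pi_r(pi^-1(G1));  b=1, b'=0: Gr = pi_r(pi(G0))
        return compose(self.pr, invert(self.pi) if self.b == 0 else self.pi)
class CheatingProver(HonestProver):
    """Bob without an isomorphism: commits to a relabelling of G_b and hopes Alice asks for b."""
    def __init__(self, g0, g1, n):
        super().__init__(g0, g1, {v: v for v in range(n)})   # identity stands in only to carry n
    def respond(self, b_prime):
        return self.pr                   # valid only when Alice's b' happened to equal b
def verify_round(g0, g1, gr, b_prime, pi_prime):
    """Alice's check: the returned permutation must map G_{b'} onto the committed Gr."""
    return apply_perm(g1 if b_prime else g0, pi_prime) == gr
def run_protocol(g0, g1, prover, rounds=40):
    """Repeat the round; a cheater survives each round with probability 1/2, so 2^-rounds overall."""
    for _ in range(rounds):
        gr = prover.commit()
        b_prime = random.randint(0, 1)             # step 2: Alice's random challenge
        if not verify_round(g0, g1, gr, b_prime, prover.respond(b_prime)):
            return False
    return True

# Constructed instance: a triangle with a pendant vertex, its relabelling under PI, and a 4-cycle.
G0 = frozenset({frozenset({0, 1}), frozenset({1, 2}), frozenset({0, 2}), frozenset({2, 3})})
PI = {0: 3, 1: 2, 2: 1, 3: 0}
G1 = apply_perm(G0, PI)
C4 = frozenset({frozenset({0, 1}), frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 0})})  # not isomorphic to G0
```

Alice learns nothing from a transcript beyond the statement: each (Gr, b', π') she sees is a random relabelling of Gb' together with the permutation that produced it, which she could have generated herself.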


Zero-Knowledge Proofs
• Properties (informal):
  • Completeness: Every true statement can be proven.
  • Soundness: A false statement cannot be proven (except with negligible
    probability).
  • Zero Knowledge: The proof cannot reveal anything other than the
    correctness of the statement.

• ZK proof of knowledge:
  • Same properties as above, but additionally,
  • The proof implies that the prover knows the witness (knowledge
    extraction).
Zero-Knowledge Proofs
• Any statement in NP can be proven in zero-knowledge [GMW86]

• Making protocols non-interactive (NIZKs): Bob (Prover) sends a single proof to Alice (Verifier)
  • Important for many applications
  • Public verifiability

• Ways to achieve non-interactiveness
  • Using a common reference string [BFM88] -- generated in a trusted manner
  • Fiat-Shamir heuristic (assumes a random oracle model)
Applications of Zero-Knowledge Proofs
• Verifying computation on private data
• Voting
• Anonymous certificates
• Image authentication

• Privacy-preserving cryptocurrencies

(zk)-SNARKs
• Zero-knowledge Succinct Non-interactive Arguments of Knowledge

• There are currently different implementations of zk-SNARKs. We will
  consider the first zk-SNARK implementation that was used in practice,
  QAP-based zk-SNARKs, which provide
  • Constant-size proofs.
  • Verification time that is linear in the public input/output the verifier sees
    (linear in the size of the statement).
• On the other hand,
  • The proof computation overhead is high.
  • A trusted key generation phase is required in the beginning.
Applications

(zk)-SNARKs with constant-size proofs:
  Prover: holds the input u, the secret input s and the CRS; computes F(u, s) with minimal overhead
  and outputs y = F(u, s) together with a ZK proof π.
  Verifier: receives u, y and π; the proof is succinct, O(1), and verification costs
  O(size of input/output).

Timeline of applications:
  2013: Pinocchio Coin [DFKP]
  2014: ZeroCash [BCGGMTV], ALITHEIA [ZPK]
  2015: Mining Puzzles [MKKS], VerDP [NFPH], Cinderella [DFKP]
  2016: Hawk [KMSWP], PhotoProof [NT]
  2017: Support for zk-SNARKs added for Ethereum

• Practical implementations for zk-SNARKs, e.g. Pinocchio [GGPR13][PGHR13], libsnark [BCTV14], Groth16


QAP-based (zk)-SNARKs – Basic Idea
Quadratic Arithmetic Programs (QAPs) [GGPR13, PGHR13]

Example circuit: inputs c1, c2, c3, c4; an addition gate c1 + c2 and two multiplication gates
producing c5 and c6. Equivalent constraints:
  c5 = c3 · c4
  c6 = c5 · (c1 + c2)

An arithmetic circuit represents the computation. Each wire carries a value in a finite field
(addition and multiplication modulo p).

$$p(x) = \Big(\sum_{k=1}^{m} c_k\, v_k(x)\Big) \cdot \Big(\sum_{k=1}^{m} c_k\, w_k(x)\Big) - \Big(\sum_{k=1}^{m} c_k\, y_k(x)\Big)$$

$$p(x) = t(x)\, h(x)$$

where

$$t(x) = (x - r_1)(x - r_2) \cdots (x - r_d)$$

vk, wk and yk are polynomials defined based on the circuit structure.
QAP-based zk-SNARKs
• Outline:
• Expressing a computation as a polynomial equation
• Building a cryptographic protocol to argue about the polynomial properties.

QAP-based zk-SNARKs (Pinocchio [PGHR13])
Circuit: inputs c1, c2, c3, c4; multiplication gate r5 computes c5 = c3 · c4; multiplication
gate r6 computes the output c6 = c5 · (c1 + c2). Each multiplication gate gets one root, and the
polynomials are defined by their values at (r5, r6):

Wire   Left contributor        Right contributor       Output
       (v_k(r5), v_k(r6))      (w_k(r5), w_k(r6))      (y_k(r5), y_k(r6))
c1     (0, 1)                  (0, 0)                  (0, 0)
c2     (0, 1)                  (0, 0)                  (0, 0)
c3     (1, 0)                  (0, 0)                  (0, 0)
c4     (0, 0)                  (1, 0)                  (0, 0)
c5     (0, 0)                  (0, 1)                  (1, 0)
c6     (0, 0)                  (0, 0)                  (0, 1)

$$t(x) = (x - r_5)(x - r_6)$$
QAP-based zk-SNARKs (Pinocchio [PGHR13])
Interpolating each row of the table through r5 and r6 gives:

$$v_1(x) = \frac{x - r_5}{r_6 - r_5},\quad v_2(x) = \frac{x - r_5}{r_6 - r_5},\quad v_3(x) = \frac{x - r_6}{r_5 - r_6},\quad v_4(x) = v_5(x) = v_6(x) = 0$$

$$w_1(x) = w_2(x) = w_3(x) = 0,\quad w_4(x) = \frac{x - r_6}{r_5 - r_6},\quad w_5(x) = \frac{x - r_5}{r_6 - r_5},\quad w_6(x) = 0$$

$$y_1(x) = y_2(x) = y_3(x) = y_4(x) = 0,\quad y_5(x) = \frac{x - r_6}{r_5 - r_6},\quad y_6(x) = \frac{x - r_5}{r_6 - r_5}$$
QAP-based zk-SNARKs (Pinocchio [PGHR13])

$$t(x) = (x - r_5)(x - r_6)$$

$$p(x) = v(x) \cdot w(x) - y(x) = \Big(\sum_{k=1}^{m} c_k\, v_k(x)\Big) \cdot \Big(\sum_{k=1}^{m} c_k\, w_k(x)\Big) - \Big(\sum_{k=1}^{m} c_k\, y_k(x)\Big)$$

For the circuit above:

$$p(x) = \left(\frac{x - r_5}{r_6 - r_5}\, c_1 + \frac{x - r_5}{r_6 - r_5}\, c_2 + \frac{x - r_6}{r_5 - r_6}\, c_3\right) \cdot \left(\frac{x - r_6}{r_5 - r_6}\, c_4 + \frac{x - r_5}{r_6 - r_5}\, c_5\right) - \left(\frac{x - r_6}{r_5 - r_6}\, c_5 + \frac{x - r_5}{r_6 - r_5}\, c_6\right)$$

This polynomial is divisible by t(x) = (x − r5)(x − r6) only if c5 = c3 · c4 and c6 = c5 · (c1 + c2):
evaluating gives p(r5) = c3 · c4 − c5 and p(r6) = (c1 + c2) · c5 − c6, so both roots of t(x) vanish exactly when the two constraints hold.
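An added worked example (not from the lecture): the QAP above carried out in Python over a toy prime field, with p = 101 and the gate roots r5 = 5, r6 = 6 chosen here for illustration. The table rows are interpolated into v_k, w_k, y_k, p(x) is divided by t(x), and the remainder is zero for an honest wire assignment and non-zero once any wire is tampered with.

```python
P = 101   # toy prime field (constructed example; real zk-SNARKs use ~255-bit primes)
R5, R6 = 5, 6   # one root per multiplication gate: r5 for c5 = c3*c4, r6 for c6 = c5*(c1+c2)
def inv(a): return pow(a, P - 2, P)   # modular inverse via Fermat
# Polynomials are coefficient lists over F_P, lowest degree first.
def padd(a, b):
    n = max(len(a), len(b))
    return [(x + y) % P for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]
def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out
def pscale(a, k): return [(x * k) % P for x in a]
def prem(a, b):
    """Remainder of a divided by b (long division); all zeros iff b divides a."""
    a, lead = a[:], inv(b[-1])
    for i in range(len(a) - len(b), -1, -1):
        q = a[i + len(b) - 1] * lead % P
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - q * y) % P
    return a

# Lagrange basis through the two roots, exactly the fractions on the slide.
L5 = pscale([(-R6) % P, 1], inv((R5 - R6) % P))   # (x - r6) / (r5 - r6)
L6 = pscale([(-R5) % P, 1], inv((R6 - R5) % P))   # (x - r5) / (r6 - r5)
T = pmul([(-R5) % P, 1], [(-R6) % P, 1])          # t(x) = (x - r5)(x - r6)
# (poly_k(r5), poly_k(r6)) for k = 1..6, copied from the slide's table
V = [(0, 1), (0, 1), (1, 0), (0, 0), (0, 0), (0, 0)]
W = [(0, 0), (0, 0), (0, 0), (1, 0), (0, 1), (0, 0)]
Y = [(0, 0), (0, 0), (0, 0), (0, 0), (1, 0), (0, 1)]

def combine(table, c):
    """sum_k c_k * poly_k(x), where poly_k(x) = poly_k(r5)*L5(x) + poly_k(r6)*L6(x)."""
    acc = [0]
    for ck, (at_r5, at_r6) in zip(c, table):
        acc = padd(acc, pscale(padd(pscale(L5, at_r5), pscale(L6, at_r6)), ck))
    return acc

def qap_holds(c):
    """True iff t(x) divides p(x) = v(x)*w(x) - y(x) for wire values c = [c1, ..., c6]."""
    p = padd(pmul(combine(V, c), combine(W, c)), pscale(combine(Y, c), P - 1))
    return not any(prem(p, T))

def witness(c1, c2, c3, c4):
    """Honest wire assignment: evaluate the circuit on the four inputs."""
    c5 = c3 * c4 % P
    return [c1, c2, c3, c4, c5, c5 * (c1 + c2) % P]
```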
QAP-based zk-SNARKs (Pinocchio [PGHR13])
• How to prove the correctness of the computation?
  • Naïve solution: Send the polynomials to the verifier?
    (Too expensive – clearly not zero knowledge)

• To verify that the computation has been done correctly, let's break the
  previous steps into smaller parts. We want to verify the following:
  • v(x), w(x) and y(x) have been computed correctly, i.e. as linear functions of the
    subcomponents.
  • The same coefficients have been used in all of them.
  • Divisibility: t(x) divides (v(x) · w(x) − y(x))

• An efficient protocol based on pairing-based cryptography is used to check
  the above. (Check the Pinocchio paper for more details.)
The ZeroCash protocol [BCG+14]
• Privacy-preserving decentralized currency
  • Hides sender, receiver and amount of a payment.

• Relies on zero-knowledge arguments of knowledge (zk-SNARKs)

Recall the Bitcoin transaction graph:
Block #i:     A (05 BTC) -> B (02 BTC), A (03 BTC)
              C (10 BTC) -> D (01 BTC), E (05 BTC), C (04 BTC)
Block #i + 1: B (02 BTC) -> F (01 BTC), B (01 BTC)

How to verify the validity of transactions while hiding the links?
Intuition of ZeroCash (1/2) -- Simplified for illustration
Pool of anonymous coins [Public]: C1, C2, C3, C4, C5, C6, ...

Each coin is a commitment C to (Owner: PK, Value: v); the commitment hides the owner's PK and the value.
  C3: Owner: Bob's PK, Value: v
  C6: Owner: Alice's PK, Value: v

How to break linkability?
If Bob would like to spend C3 to generate a new coin for Alice:
  - Bob will send C6 with a ZK proof that proves:
    - The ownership of an anonymous coin that belongs to the pool
    - The data of C6 have been constructed correctly.

Problems? Double spending
Intuition of ZeroCash (2/2): How to prevent double spending?
Pool of anonymous coins [Public]: C1, C2, C3, C4, C5, C6, ...
Serial numbers of spent coins [Public]: SN3, ...

Each coin is a commitment C to (Owner: PK, Value: v, seed: r); the serial number of a coin C is SN = F(SK, r).
  C3: Owner: Bob's PK, Value: v, seed: r3
  C6: Owner: Alice's PK, Value: v, seed: r6

When Bob spends C3,
  - He will also compute and send the serial number corresponding to C3.
  - The ZK proof will prove
    - The ownership of an anonymous coin that belongs to the pool
    - The data of C6 have been constructed correctly.
    - The correct computation of SN3

Note: SN3 won't be linkable to C3, and C6 won't be linkable to C3.
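An added illustration (not the ZeroCash construction): a Python model of the public ledger state from the two slides above, with coin commitments as SHA-256 hashes and SN = F(SK, r) as an HMAC. The zk-SNARK is replaced by a check of the witness in the clear, so that the three facts the proof must cover, and the double-spend rejection, are explicit; the key derivation PK = H(SK) and the unchecked mint step are constructed simplifications.

```python
import hashlib, hmac, os
def commit(pk, value, seed):
    """Coin commitment C: hides the owner's PK and the value behind the random seed r."""
    return hashlib.sha256(b"coin|" + pk + value.to_bytes(8, "big") + seed).digest()
def serial_number(sk, seed):
    """SN = F(SK, r): a PRF of the coin's seed keyed by the owner's secret key."""
    return hmac.new(sk, b"sn|" + seed, hashlib.sha256).digest()
def pubkey(sk):
    """Constructed toy key derivation: PK = H(SK)."""
    return hashlib.sha256(b"pk|" + sk).digest()

class Ledger:
    """Public state: the pool of coin commitments and the serial numbers already spent."""
    def __init__(self):
        self.pool, self.spent = set(), set()
    def mint(self, c):                      # simplified: no value check on minting
        self.pool.add(c)
    def spend(self, sn, c_new, witness):
        """Accept a spend of some pool coin, publishing only sn and c_new.
        In ZeroCash the three facts below are proven in zero knowledge, so miners never see
        sk, value or seeds; here the witness is checked in the clear to make the statement explicit."""
        sk, value, seed_old, pk_new, seed_new = witness
        if commit(pubkey(sk), value, seed_old) not in self.pool:   # ownership of a pool coin
            return False
        if sn != serial_number(sk, seed_old):                      # SN computed correctly
            return False
        if c_new != commit(pk_new, value, seed_new):               # new coin well formed, same value
            return False
        if sn in self.spent:                                       # double spending
            return False
        self.spent.add(sn)
        self.pool.add(c_new)        # the spent coin stays in the pool: nothing marks it as used
        return True

def demo():
    """Bob spends C3 (value 5) into C6 for Alice, then tries to spend C3 a second time."""
    ledger, sk_bob, pk_alice = Ledger(), os.urandom(32), pubkey(os.urandom(32))
    r3, r6, r_again = os.urandom(32), os.urandom(32), os.urandom(32)
    c3 = commit(pubkey(sk_bob), 5, r3)
    ledger.mint(c3)
    c6 = commit(pk_alice, 5, r6)
    sn3 = serial_number(sk_bob, r3)
    first = ledger.spend(sn3, c6, (sk_bob, 5, r3, pk_alice, r6))
    second = ledger.spend(sn3, commit(pk_alice, 5, r_again), (sk_bob, 5, r3, pk_alice, r_again))
    return first, second, c3 in ledger.pool, sn3 in ledger.spent
```

The public record after the first spend holds C3, SN3 and C6, and without r3 neither SN3 nor C6 can be matched to C3; the second spend is rejected purely because SN3 is already in the spent list.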
