►
From YouTube: ZoKrates - a zkSNARK toolbox - Jacob Eberhardt
Description
Slides: https://github.com/JacobEberhardt/documents/blob/master/talks/ZoKrates-EthereumMeetupBerlin.pdf
ZoKrates is a complete toolbox to use zkSNARKs on Ethereum. It features a high level language that can be used to write programs and later verify executions of these programs using zkSNARKs on Ethereum.
A
D
A
And
I'm,
currently
working
on
a
compiler
that
compiles
from
a
high
level
language
to
computations,
you
can
do
a
zero
knowledge
proof
over
basically
and
then
verify
that
proof
on
the
blockchain.
So
to
give
a
little
context,
I've
prepared
a
couple
of
slides-
I'm
not
too
well
prepared
prepared,
because
I
just
found
out
that
I'll
be
giving
this
talk
in
the
afternoon
today,
so
yeah.
So
what's
what's
the
basic
idea?
What's
the
basic
setting
we're
talking
about,
I
think
its
delegated
computation.
A
What
we
have
at
the
moment
with
watching
systems
is
what
we
see
on
the
left
side,
so
we
usually
have
only
onto
in
processing,
there's
transaction
being
sent
to
the
network,
and
then
it
gets
validated,
but
every
single
node
in
the
network-
and
there
are
several
proposals
to
change
that
with
with
a
blasphemer
christian,
we'll
talk
about
later
and
other
sharding
techniques,
but
there's
also
another
idea
that
we
do
no
longer
do
all
the
computation
on
chain,
but
do
part
of
it
off
chain.
So
one
proposal
that
did
that
was
true
bit,
for
example.
A
So,
instead
of
doing
the
whole
computation
on
the
blockchain,
you
do
it
off
chain
and
only
validate
that
it's
actually
okay
on
chain
and
that's
the
setting
where
we're
talking
about
here.
Okay,
so
so
Curtis,
we
called
the
tool
so
protests
seek
a
certain
knowledge
and
ideas
that
you
know
the
famous
saying
from
Socrates
I
know
that
I
know
nothing
here.
It's
I
know
that
I
show
nothing
bit
of
a
bad
pun.
A
A
Curtis
I
will
give
you
a
demo
in
a
minute
and
it's
a
tool.
It
takes
a
higher-level
language,
it's
not
too
super
powerful.
Just
because
it
it
is
limited.
It's
not
Turing
complete
because
of
the
underlying
abstractions
needed
to
do
seek
a
snark
song,
but
it's
a
high-level
language.
It
can
be
yeah,
it's
it's
very
understandable
and
and
quite
simple,
and
then
we
have
a
compiler
which
transform
stat
in
the
representation
you
can
do.
Ck
starts
with
basically,
so
we
have
the
high
level
language,
and
then
we
compile
these
statements
into
the
set
of
conditions.
A
These
set
of
conditions.
They
have
a
special
for
and
they're
called
what
they're
called
a
rank.
One
constraint
system,
we
just
have
a
huge
list
of
conditions,
and
then
you
can
transform
that
to
a
quadratic
arithmetic
program,
which
is
basically
equal
to
a
tree
with
only
additions
and
multiplications
on
the
nodes
in
the
tree
and
from
that
using
the
sir
knowledge
work
that
has
been
developed,
you
can
generate
approver
a
verifier
and
use
these
to
actually
do
computations
and
with
the
computations
ya,
find
the
proof.
Okay.
A
So
here's
what
the
process
looks
like
what
those
others
live
as
well.
We
have
code,
we
compile
them
to
a
rank,
one
constraint
system
that
gets
compiled
to
a
quadratic
arithmetic
program,
and
then
we
generate
a
sequence
knowledge
base
on
that
representation.
So
this
part
is
basically
yeah
well
understood,
I,
would
say
and
is
covered
in
the
library
lip
snark,
which
is
publicly
available.
It's
used
by
the
C
cash
Network
as
well,
and
this
part
is
yeah.
A
It's
like
the
main
contribution
in
the
compiler
that
we
take
the
high
level
language
and
transform
it
to
the
set
of
conditions,
and
here
we
have
a
little
code
sample
at
the
bottom.
How
such
a
program
to
look
like.
We
have
positive,
integer
variables,
and
here
we
check
some
conditions
depending
on
X
and
do
computations
based
on
these
okay.
So
that's
the
general
setting
and
how
it
looks
like
and
now
I
would
like
to
move
on
to
the
demo,
but
maybe
we'll
have
time
for
quick
questions
regarding
the
whole
process
in
CKD
snarks.
A
Oh
sure,
knowledge,
succinctness
argument
of
knowledge.
Let
me
take
the
very
helpful
question.
Thank
you
so
yeah
these
these
proves
they
have
several
properties,
and
the
first
proves
that
were
able
to
verify
or
prove
that
computations
were
correct.
We're
interactive
proves
that
meant
between
the
verifier
and
the
prover.
Several
rounds
of
communication
were
necessary
to
actually
reach
a
certain
level
of
yeah
certainty
that
the
the
computation
was
actually
correct,
and
these
seek
has
North
instruction.
They
don't
have
that
interactivity
property,
so
they're
non
interactive
and
that's
part
of
the
name
with
non
interactive.
A
The
succinct,
this
property
just
means
the
proofs
are
short,
so
that
means
they're
cheap
to
send
around
the
network.
They
can
be
received
yeah,
it's
just
a
short
format
and
the
certain
knowledge
property
is
also
a
nice
property
and
it
basically
comes
for
free
in
the
construction.
That
means,
when
I
do
my
computation
off
chain.
A
I
can
use
data
that
will
later
be
publicly
visible,
but
I
can
also
use
private
data,
for
example,
whatever
my
my
ID
or
something
use
it
in
the
computation
to
arrive
at
an
outcome
and
that
outcome
can
then
be
validated
or
verified
without
me.
Leaking
the
private
information,
so
I
keep
my
private
information
to
myself
and
can
still
prove
that
I
have
that
private
information.
Okay.
A
So
one
example,
a
good
example,
maybe
is
I,
have
an
ID
and
there
is
a
hash
of
my
D
ID
on
the
blockchain
and
now
I
can
prove
that
I
have
that
idea,
ID
by
hashing
it
off
chain
and
providing
certain
knowledge
proof
that
I
have
the
value.
That
means
the
idea
that
hashes
to
the
value
stored
on
check
without
ever
really
revealing
my
ID
information,
so
I
keep
the
sense
of
information
completely
to
myself
and
can
still
make
statements
about
it
and
verify
this
statement.
So
that's
a
CK
part
of
C
kiss
marks.
C
C
A
The
the
computation
requires
much
more
amount
of
work.
The
the
verification
is
very
cheap
and
that's
a
cool
property
because
we
use
that
here
and
we
do
the
verification
directly
in
solidity.
That
means
in
the
EVM
and
if
that
part
was
expensive,
that
would
not
be
possible.
So
it's
just
several
elliptic
curve
operations,
couple
of
pairings
additions,
scalar
multiplications
and
actual
multiplications,
but
it's
it's
a
couple
of
operations.
It's
cheap
to
do,
I!
Think
at
the
moment
it's
about
half
half
the
gas
limit.
It
takes
to
do
one
verification,
right,
I,
think
wrong.
A
E
A
So
yeah,
so
one
goal
is
privacy
that
was
in
the
example.
I
gave
you
that
I
can,
you
know,
prove
things
on
information
that
I
do
not
reveal,
and
we
don't
have
that
at
the
moment.
You
need
to
make
all
information
public
and
the
blockchain
will.
Then
you
know,
do
computations
and
and
you
references
another
thing.
A
I
haven't
seen
that
the
boat,
because
the
proof
generation
is
still
quite
expensive,
but
what
you
can
also
do
the
special
property
of
TC
case,
not
just
that
the
verification
is
independent
or
the
complexity
of
the
verification
is
independent
of
the
complexity
of
the
computation
you're
proving
so
that
means
no
matter
how
complex
your
off
chain
operations
are.
The
proof
always
costs
you
the
same.
A
So
at
some
point,
there's
a
break-even
point,
we're
doing
a
very
complex
computation
off
a
chain
and
doing
it
on
chain
where
the
Austrian
part
becomes
much
cheaper
than
doing
the
same
computation
on
chain,
and
you
can
do
operations
that
would
exceed
the
gas
limit,
that's
off
a
block
and
still
verify
it
on
chains,
or
you
also
enhance
capabilities
of
the
blockchain.
Yes,.
C
A
You'll
see
that
in
the
demo
it's
it's
not
too
powerful,
but
you
can
do
some
things.
I'm
currently
still
implementing
a
hash
function.
It
should
be
possible-
it's
just
not
done
yet.
So
that
would
be
very
nice
to
have
in
the
future.
At
the
moment
you
can
just
do
condition,
checking
loops
function,
calls
and
arithmetic
operations
on
field
elements
for
people.
It's
the.
A
Okay,
let
me
show
you
something:
oh
I'm,
in
the
room,
okay,
so
what
I
have
here
is
I
just
show
you,
the
file
I,
go
to
the
examples
directory
and
show
you
very
simple
program,
which
is
a
simple
ad.
That's
what
it
looks
like
we
have.
A
main
function
takes
two
parameters
and
it
returns
to
some
of
those
okay.
So
that's
a
very
basic
example.
You
can
do
much
more
complex,
but
I'll
just
show
you
what
you
can
do
with
that,
and
the
tool
provides
a
command-line
interface.
A
That
allows
you
to
compile
such
code
to
compute
witnesses.
That
means
to
derive
solutions
for
the
constraint
system
and
with
that
derive
solutions
for
the
program.
In
the
first
place.
You
can
then
export
the
verification
code
to
solidity
smart
contract,
so
you
can
actually
verify
your
computation.
You
specified
on
the
theorem
blockchain
and
what
the
journalist
was
required
at
the
moment
is
trust
and
setup
face.
A
Specify
your
program,
you
compile
it
in
a
set
of
conditions.
You
find
a
solution
with
that
tool
for
your
conditions
and
then
you
can
compute
proof
and
also
you
can
compute
a
solidity
source
code
that
you
publish
to
the
network
and
with
that
source
code
you
can
verify
the
computations
on
chain
and
solutions
of
your
new
constraint
system.
So
let
me
compile
this
code.
A
A
First
compiled
the
act
example
again
and
then
I
will
compute
a
witness.
That
means
a
solution
for
the
program
and
also
a
solidity
smart
contract
which
I
can
use
to
verify
that
computation
on
chain
I.
Do
that
using
the
shortcut
operation
which
stand
up
witness,
computation
and
solidity
code
export
in
one
step,
I
provide
two
arguments:
let's
say
one
and
one
I
want
to
calculate
the
sum
of
a
and
B
I.
Do
that
and
what
I
get
let's
go
up:
okay,
first
I
get
a
witness.
A
A
I
can
use
that
pasted
in
the
template
and
deploy
that
to
the
network,
and
then
I
can
verify
proofs
with
that
that
I
can
also
generate
with
this
tool
and
down
here
we
also
have
approved,
which
I
can
then
use
to
validate
stuff
from
salinity.
Actually,
today,
we
validated
the
first
proof
on
the
Rob
spoon
test,
nut
and
bettan.
We'll
briefly,
yeah
show
us
this
process
because
it
works
better
on
this
machine.
C
A
At
this
point,
we
don't
use
private
data.
What
we
could
also
have
is
that
we
say
or
that
we
prove
that
we
have
two
numbers,
the
sum
of
which
equals
two
and
then
we
would
only
provide
the
two
and
the
proof
and
still
would
be
sure
that
the
person
who
generates
a
better
proof
was
in
possession
of
two
numbers,
for
example,
one
and
one
that
satisfy
the
constraint
system.
Yes,.
A
A
Send
the
inputs
that
means,
in
that
case
one
one
and
two,
and
then
you
send
yeah
a
proof
and
that's
said
a
couple
of
elliptic
curve
points,
essentially
that
are
again
used
to
check
conditions
on
and
they
what
they,
what
they
show.
What
the,
what
the
validation,
logic,
verification
logic
checks
is
that
you
actually
used
the
correct
code,
basically
the
correct
program,
and
you
did
not
just
use
another
program
to
compute
the
result.
E
A
E
E
A
That's
fixed
because
you
always
do
the
same
verification
steps,
no
matter
how
complex
or
often
computation
is.
It
only
depends
slightly
on
the
number
of
input
variables,
so
the
gas
cost
actually
grows
a
bit
with
the
number
of
input
variables
you
have,
but
generally
the
the
large
part
of
the
gas
clause
remains
constant.
A
Well,
someone
would
have
to
arrive
at
batteries
in
case
narco
would
make
to
have
would
have
to
make
the
verification
operations
cheaper,
so
ik
or
more
efficient
on
Hardware,
so
that
the
theorem
Foundation
cook
reduced
the
gas
cost
for
these
operations.
But
what
it
is
it's
elliptic
curve
operations
and
they
are
costly
and
there's
several
required
so
I
think
either
you
have
music
as
marks
that
allow
you
to
do
less
cost
the
operations
or
you
have
to
like.
You
have
become
more
efficient,
but
I
don't
see
that.
A
But
you
could
have
computations
often
that
you
couldn't
even
fit
in
the
block,
so
in
that
case
it
would
actually
save
gas
yeah.
So
it
depends
on
use
case
and
also,
of
course,
there's
surprise
for
privacy,
but
at
the
moment
you
don't
have
privacy,
so
you
cannot
make
statements
about
your
private
data
and
you
can
do
that.
Of
course.
At
the
moment,
it's
expensive,
but
it's
a
it's
the
thing
you
can't
do
without
it.
A
A
Yeah,
so
that's
the
function,
you
call
when
you
want
to
provide
the
proof
and
have
the
proofs
verified.
So
you
call
verify
the
transaction,
and
then
you
provide
a
number
of
elliptic
curve
points.
These
are
the
a
and
a
P
and
then
they're
always
yeah
large
numbers.
Basically
that
make
up
one
point
in
the
case
of
the
one
truth
we're
using
and
in
the
case
of
the
other
truth,
it's
even
four
points,
but
it
doesn't
really
matter.
You
provide
a
number
of
points
and
then
you
provide
input
variables.
A
A
Or
IPA
see
that's
the
the
parameters
here.
So
these
are
these
elliptic
curve
points
that
come
out
of
the
CK
snark
stuff,
that
we
just
need
to
make
sure
that
the
correct
program
was
used
and
that
nobody
cheated
with
with
the
program-
and
here
are
our
input
parameters
at
the
very
end
and
that
our
input
we
now
take
and
pass
to
the
solidity
verify
transaction
functions.
We
do
that
from
remix
here
and
then
you
just
made
a
mask
to
send
it
to
the
Rothstein
to
Rob.
D
D
A
A
B
A
Here
you
can
see,
we
actually
have
a
transaction
and
it
triggers
an
event,
and
it
said
that
the
transaction
was
successfully
verified
and
because
we
have
two
inputs,
one
one
and
two.
We
now
know
that
it's
most
likely
one
one
is
most
likely
to
so
that's
that's
it
with
our
short
demo.
I
think
it
was
a
lot
and
I
could
not
cover
the
low-level
details
because
they're
actually
quite
complex,
but
now
we're
we're
open
to
any
questions
of.
D
A
It's
it's
free
compiled
contract.
So
essentially
it's
it's
not
really
machine
codes,
but
like
machine
codes,
it's
things
you
cannot
do
in
the
EVM
that
or
if
they
would
be
too
costly
to
do
in
the
VM
that
now
having
direct
implementation
and
these
operations
can
be
called
from
EVM,
so
you
can
think
of
it
as
if
it
was
a
new
op
code
added
to
the
EVM
and
that
can
do
pairing
operations.
A
B
D
A
Well,
in
the
actual
seek
have
setup
face,
they
had
six
people
sitting
in
the
room
for
like
a
day
or
something
and
copying
DVDs
and
passing
them
around.
So
no,
that's
not
what
we're
using
at
the
moment
we're
actually
using
for
this
prototype
a
trusted
setup
face.
That's
why
I
also
say
don't
use
introduction,
because
you
can
only
trust
your
own
Bruce,
basically
or
proves
by
people.
You
trust
anyway.
So
there's
a
much
point
in
that.
A
But
there
is
efforts
of
creating
distributed
setup
phases
that
are
more
efficient
scalable
than
the
original
distributed
protocol
that
to
see
cash
guys
used
during
their
set
up
phase.
So
Stefan
is
currently
looking
at
options
of
bringing
that
to
you.
So
you
could
do
actually
do
the
setup
off
shame
but
synchronized
by
a
smart
contracts
so
that
there
could
be
a
set
up
of
a
number
of
people
who
then
can
be
sure
that
if
they
themselves
were
honest,
then
the
proofs
can
never
be
faked
or
anything.
A
D
B
D
As
one
single
person
TV
chatter,
then
the
process
worked.
So
if
they
were
actually
with
the
the
seek
hat
just
said,
they
were
actually
not
sitting
in
the
same
room.
They
were
distribute
or
not
with
you,
or
at
least
they
tried
a
different
location
and
there's
an
interesting
article,
but
Peter
taught
who
participate
in
the
setup
and
he
was
actually
driving
around
the
west
coast
of
the
United
States.
Never
staying
at
the
same
place.
C
B
B
D
Would
say
that
a
recursive
system
is
a
security
lock
that
verifies
another
suitcase
I
mean
a
secure
start.
Is
it's
just
the
computation
itself
breaks,
so
you
can
use
the
keys
next
very
pressing
this
month
and
because
the
time
needed
the
complexity
need
to
do.
The
verification
does
not
depend
on
the
actual
computation
can
do
this
bootstrapping
process
and
then
yeah
verifiability,
complex.
A
A
Phase
is
just
local
and
then
we
actually
it's
identify
meant
that
myself
in
this
library.
For
that.
So
we
hope
that
the
library
forgets
or
destroys
the
data,
or
we
can
look
at
the
source
filter.
Actually,
it
seems
to
do
it,
but
if
you
have
compromised
device,
there's
still
the
risk
so
distributed.
Setup
phase
is
definitely
reason
also
so
that
I
can
convince
others
that
the
setup
process
has
been
performed
correctly
and
they
can
trust
the
proofs
I
generate.