In-depth discussion on the ZK track: the founder of Manta talks to a Tsinghua Ph.D. in cryptography
MantaNetwork
2022-07-28 03:29
This article is about 8985 words; reading it in full takes about 36 minutes.
A transcript of the dialogue between Manta co-founder Shumo and a Tsinghua Ph.D. in cryptography, discussing what ZK is, how to learn ZK, and the current status and future of the ZK track.

At 21:00 on July 23, Beijing time, Manta Network co-founder Shumo Chu was invited by the Tsinghua University Student Blockchain Association (THUBA) to have a conversation with Sputnik, a Tsinghua Ph.D. in cryptography, about ZK's scientific research and application, and how Manta can help ZK solve the privacy problem of Web3. The following is the full transcript of the conversation:

Yiki (host):

Hello everyone, I am Yiki, the vice president of the Tsinghua Blockchain Association (THUBA). Since its establishment in 2017, we have a history of 5 years and have held nearly 200 events. In the coming August, our first Hackathon will be held, and everyone is welcome to pay attention and sign up to participate. Then, could I ask Shumo to briefly introduce what Manta does and to introduce himself?

Shumo:

Hello everyone, it is a great honor to participate in this event. I am Shumo, Manta Network co-founder. Let me introduce Manta first. We were established in October 2020. At that time, the reason we established Manta was that the blockchain (Web3) had a big problem, which was privacy. We were very optimistic about the prospects of the Web3 industry at that time, but if this industry goes mainstream and all transactions on the chain are in plain text, that is very bad. We feel that privacy is the most basic human right. If you look at the structure of all the current public chains, you can find that basically none of them has privacy, except for a few like Monero or Zcash.

So our original intention is to solve this privacy problem. How do we solve it? We first made a private payment product on the chain, MantaPay, and two versions of the testnet have been launched so far. You can think of it as a bring-your-own-token version of Zcash. This product is launched in the Polkadot ecosystem, but we will also move towards multiple chains in the future. The second step we are about to start is to do smart contracts on private assets. It has been in development for about half a year, but it has not yet been officially released. I think Manta can be summed up in one sentence: we are doing the privacy layer of the entire Web3. We hope that in the future, in all traditional operations of Web3, you can have an option, "privatize by Manta", and then your transaction will automatically become a private transaction.

About myself: I did a PhD at the University of Washington before, working on database systems and formal verification. After graduation, I worked as a research scientist at Algorand for one year, then as an assistant professor at the University of California, Santa Barbara, and now I work full-time on Manta Network.

Yiki:

OK, thanks. Sputnik, you can also briefly introduce yourself and some areas you are currently focusing on in your research.

Sputnik:

🎙️ What is ZK

Yiki:

First of all, I would like to ask Shumo to briefly introduce what ZK is, its principle and applications, and give an overview for beginners.

Shumo: 

The full name of ZK is zero-knowledge proof. It was originally studied theoretically for many years. The earliest research was at least 20 or 30 years ago, which was the GMR (Goldwasser, Micali, Rackoff) paper. Then everyone thought that this thing was feasible in theory. A very important milestone is Zcash, when several university professors collaborated to make the first version. Everyone used to think that this was a theoretical thing and impossible to put into practice. Then they made a more practical construction called libsnark, which supported the first version of Zcash at that time, and everyone realized that this thing is practicable.

To borrow what Micali said: what is ZK? You can imagine it as encryption on computation. Encryption generally refers to data encryption, that is, data can be changed from plaintext to ciphertext, but ZK is actually a relatively more powerful thing: encryption on computation means encrypting the computation itself. Specifically, let's say you want to prove that you know something, such as that 3 plus 5 equals 8. You want to prove that you know this, but without revealing what the specific inputs 3 and 5 and the output 8 are. Then you have a commitment to 3, a commitment to 5 and a commitment to 8, and you need to convince someone that this is correct. Specifically in the blockchain, you need to use this method to prove this to all validators or node runners. That is a very, very high-level view of ZK.

Yiki: 

Thank you Shumo. Sputnik, from your perspective, what do you think of the development of ZK and how would you define ZK?

Sputnik: 

From a cryptographic point of view, the ZK protocol is actually very simple, and can be summed up in one sentence: it is a two-party cryptographic protocol with a prover and a verifier. What it wants to accomplish is that the prover proves to the verifier, in zero knowledge, that it knows a secret.

Then what is zero-knowledge? From the perspective of cryptography, it may need some knowledge of information theory to define strictly: the verifier cannot learn or obtain, in the process of interacting with the prover, any ability or knowledge that it did not already have. Like the example Shumo just gave, proving that 3 plus 5 equals 8: the prover knows this formula, but cannot publish it, so it may be necessary to use a commitment. A commitment is the cryptographic commitment we are talking about, and it has two properties, binding and hiding. You can see my commitment, and the value inside is bound by it, a bit like a hash function: if the bound value changes, the commitment will also change. That is binding. Hiding means that if you see a commitment you don't know exactly what is inside; I can open it in the future, and for now I can provide you with a zero-knowledge proof to convince you that what I committed to is my value. This is looking at ZK from the perspective of cryptography.

Yiki: 

You just talked about the definition and development of ZK from the perspective of scientific research. Could you briefly introduce how ZK is studied in the research field now, and what you all pay attention to?

Sputnik: 

In fact, in the field of scientific research there are also different directions. There are the very theoretical ones, that is, provable security, which is a body of very cryptography-theoretic content and requires some formal methods; we will not expand on this in detail. In addition, there are applications. On the application side, work is also done at the algorithm level, proposing new optimized algorithms which may have better performance than the previous ones. Then there is Zcash, which was designed by the several professors Shumo just mentioned: the protocol was proposed in 2014, and the system was launched in 2016. This kind of work is equivalent to using an algorithm to implement an application. Those are probably the directions.

Yiki: 

You have been following crypto in THUBA for a long time. What do you think is the relationship between ZK's scientific research and the crypto industry now? Is the connection good?

Sputnik: 

I think ZK may have achieved some results in scientific research and has many different algorithms, but if it is to be combined with industry, its performance and other aspects need to be improved. What I mean is that there may be some algorithms with good results in theory whose implementations are not so good. Let's ask Shumo to tell us in detail how far the application of ZK has gone in industry.

Shumo: 

Scientific research is of course very important. I think the gap between scientific research and practical application is that scientific research mainly studies things from the perspective of complexity, while practical application pays more attention to actual performance. The good thing about cryptography is that there is not much difference between theoretical performance and the actual implementation, and there are no large hidden constants. In addition, implementing an algorithm may require large-scale engineering and personnel.

The second is that the engineering work of implementing the underlying ZK protocol is very complicated, for example the circuits for R1CS and PLONK. Our Manta is also building something called OpenZL (an open-source zero-knowledge proof library), which is equivalent to a middle layer that can improve development efficiency. I think the gap between scientific research and industry is this middle-layer abstraction. Of course, it is very good to understand the underlying cryptography, and it is also beneficial to engineering.

Yiki:

OK, thanks. You just mentioned some ZK applications. I would like to ask Sputnik to sort out in detail the application scenarios of ZK in the blockchain field and in non-blockchain fields.

Sputnik:

In blockchain applications, ZK is mainly divided into two parts: I think one is privacy, and the other is scaling. Privacy includes the Zcash project we mentioned many times just now; most of you may have heard the name Zcash. It mainly realizes concealment at the transaction level, that is, through zero-knowledge proofs it hides the three elements of a transaction: the sender, the payee, and the transaction content, which is an improvement over Zcoin before it.

In addition, there is scaling. What we often hear as the term blockchain scaling may mainly be reflected in improving TPS. Then, for a layer-1 public chain, what does scaling have to do with ZK? We mentioned just now that a zero-knowledge proof is first of all a proof system. If we say that privacy is protected, that is its zero-knowledge property; on the scaling side, what we use is actually the proof property. A term everyone is familiar with now is ZK rollup, and Ethereum is also exploring scaling with ZK rollups. The logic is that we want the public chain to return to itself, because the cost of a public chain is actually very high: everyone needs to reach consensus, everyone has to maintain a copy of the ledger, and everyone has to rerun every computation, which is very costly. So we hope to take this computation cost off-chain, and only agree on the final result on-chain. That is to say, our blockchain is actually a state, composed of the balances of everyone's accounts, and every time there is a transaction, the balances are updated. This is actually a computation process. We hope to perform such computations off-chain, and then submit the newly computed result, together with a proof that my computation is correct, to the chain. The chain only needs to verify the proof, and then the state can be updated directly. Compared with direct computation, verifying the proof is actually very fast. So this is what we call ZK rollup, which performs scaling. This is the current application of ZK in the blockchain direction.

Then in non-blockchain fields, in fact, we often talk about privacy computing. Of course, privacy computing is now also being combined with the blockchain. In privacy computing, for example, we hope to achieve secure multi-party computation, where multiple parties need to jointly compute a result. Some ZK protocols may be used in this, often appearing as a component. That is basically the application situation.

Yiki: 

OK, thanks. Now I would like to ask why ZK is important. For example, if you wanted to explain ZK to some college students, Shumo, how would you explain it?

Shumo: 

🎙️ How to learn ZK

Yiki: 

Understood. Then let me ask again along this topic. Shumo, combining your own experience of learning ZK, can you give some suggestions on how to learn ZK from zero?

Shumo:

I think the first thing you need is to clarify a point of view, that is, first look at what the purpose of learning ZK is. ZK's technology stack is very deep, and it is more efficient to have a clear purpose. The second point is that if you want to be a master of ZK, you need to learn the basics of cryptography. The younger generation of cryptographers started learning by watching open courses such as Stanford University professor Dan Boneh's, because that is the most basic material on cryptography.

The second is to look at open-source libraries on GitHub. In practice, I think it is basically these two aspects: one is that you can start learning directly from the basics of cryptography, and the second, in practice, is to start writing programs.

Yiki:

Understood. I think it is very meaningful: not only learning the theory, but writing code is also very essential. Sputnik, do you have any thoughts on this issue? As far as I know, you have studied mathematics since college. Do you have any suggestions for students learning ZK?

Sputnik: 

I studied mathematics as an undergraduate, later studied information security, and then started to learn cryptography in my junior year. If you want to understand the system and then be able to apply it yourself, I also suggest that you need to learn some basic concepts of cryptography, including a series of concepts such as signatures, hash functions, MACs, etc., and the cryptographic methodology, such as how zero knowledge is defined.

🎙️ ZK track status and future

Sputnik:

Our next topic: we have talked so much about ZK and learning ZK, and I also want to hear from Shumo. From an industry point of view, why do we say that the current ZK application track is very crowded (卷)? It seems that there are many ZK application projects, including zkSync, etc., as well as the Zcash mentioned just now, and even the Ethereum Foundation itself is doing it. They all have a strong cryptography team behind them, including Starkware's co-founder Eli Ben-Sasson, who is a professor in Israel and also a founder of Zcash. I want to ask Shumo what he thinks of this phenomenon.

Shumo: 

First of all, I think it depends on how everyone understands the word 卷 (crowded, intensely competitive). Indeed, I think this is the case. Whether it is an existing project or a project at the start-up stage, what I can tell you is that it will only become more competitive, not less; it will definitely become more and more competitive. But I think this competition is a good thing, both for the field of ZK and for the entire Web3. Web3 is a field that people can enter and leave freely. Everyone felt that they had a chance, so the competition began. In fact, within this competition, each project is not doing exactly the same thing; Starkware is very distinctive and has its own programming language.

Then there is another question: how to enter this competition. It may not be about looking at what the projects that are currently hot are doing, but about asking what needs there are in this field and how we can solve some practical problems. All in all, I think competition is an inevitable phenomenon. If you want to do things in ZK, you should find your own entry point instead of imitating other projects.

Sputnik: 

Regarding a question on the ZK track, I would also like to ask you to talk about it. Several leading companies in the ZK rollup field include zkSync, Starkware, Scroll, etc. What are the differences between them? Can we talk about this?

Shumo:

First of all, I have not worked on ZK rollups myself. Regarding this issue, I think the first question is EVM equivalence, that is, whether the project is fully compatible with the EVM.

The first type is called EVM compatible, which is what zkSync does. Its approach is not to put the entire EVM into the circuit, but to build its own VM, because it is technically too difficult to put the EVM into the circuit, and some problems arise. This is the approach of zkSync. Its advantage is that it may go live earlier; that is to say, zkSync may be the earliest to reach mainnet among these companies. But if it is only compatible at the Solidity level, many tools in Ethereum, including debuggers, cannot be used.

Both Scroll and Hermez claim to have EVM equivalence, which I think is better and can take advantage of the toolchain.

Starkware's prover is still closed source so far. And what you just said about the Ethereum Foundation: what it is doing is actually a purely technical exploration, and there is a high probability that it will not actually go live.

Sputnik:

Then next, still about the ZK track, we have one last question. We just talked about some ZK applications in terms of privacy and rollups. But in fact, for developers, it may be said that a professional cryptography team is required. Applications actually include rollups, and we hope to make one that is transparent to the user, that is, the user may not feel the existence of this intermediate layer. My question is: is it possible for us to make some more down-to-earth products, something that ordinary people can feel and use? Is there such a thing?

Shumo:

I think this question is very good, and of course there are. Regarding the first point about ZK rollups: they have no privacy and can be deployed directly on the middle layer, such as zkSync, without knowing ZK yourself. But if it is an application from the perspective of privacy, you need to understand ZK yourself. For example, if you interact with the privacy asset platform of Manta, you may need to do the ZK programming yourself. I think this is a very interesting thing for developers.

The second point is that although a background in cryptography is very good in this field, the development of high-level languages and tools means developers no longer need to write low-level circuits by hand, just as the emergence of high-level programming languages made it unnecessary to write assembly by hand. So we can see that the threshold for programming with ZK is actually getting lower and lower. I think this will definitely take time. In the future, developers will not need to understand every detail of cryptography, and ZK programming languages and libraries will continue to emerge.

Sputnik:

OK, thank you Shumo. I roughly understand your outlook on ZK. Next we might want to come back to Manta. The next question I want to ask is: I know that Manta is working on MantaPay, which is a payment system with privacy. Can I ask Shumo to introduce MantaPay and talk about the difference between MantaPay and Zcash?

Shumo: 

The first is from the perspective of problem solving. We did learn from many of the successes of Zcash, but a big difference in our protocol is that Zcash only supports a single currency, while we support multiple. We also differ in overall concept: Zcash builds something from scratch, while we want to use privacy as an infrastructure that can empower the entire industry chain, rather than just making our own payment system.

The second point is from a technical point of view: we started later than Zcash, so we used newer cryptographic techniques, including ZK-friendly hash functions. Our circuit is 1/10 the size of Zcash's, with better performance and a better user experience. These are the similarities and differences between us and Zcash. Of course, we are standing on the shoulders of giants and have learned a lot from Zcash.

Sputnik: 

Okay, thank you Shumo for introducing MantaPay. In addition, I still have a detailed question that I am personally curious about. Before that, let me introduce a concept to everyone: trusted setup. That is to say, in some algorithms, we sometimes need a trusted setup to generate a parameter that the algorithm needs to use; for example the initial design of Zcash, whose algorithm needed such a setup. From what Shumo introduced before, I learned that MantaPay also needs such a trusted setup. I want to hear about this, because there are some algorithms that do not need a trusted setup, and we still use one. What is the benefit of doing so?

Shumo: 

Yes, this is definitely beneficial, and it is currently widely used. There are two types of zero-knowledge proof systems: one is Groth16, which we are using now, and the other is Plonk; each has its own advantages and disadvantages. The former requires a trusted setup but the latter does not (meaning an application-specific trusted setup). We found through testing that the former has good performance.

From the perspective of many cryptographic details, the circuits of the two are different, and the proof systems are different. To sum up, the trusted setup we use now is purely for performance considerations. Different user devices have different proof generation times, and we cannot "discriminate" against slow users. Specifically, whether the proof generation time is 2 seconds or 20 seconds will have an essential impact on the user experience. This is our performance consideration.

The second point is that the security of the trusted setup is still controllable. Many members of the Manta community will participate, and we may also invite some more prestigious people in the circle to participate in the trusted setup. So honesty can be guaranteed, which is why we use a trusted setup.

Yiki:

About THUBA

About Manta Network

Manta Network is committed to building a better Web3 world through privacy protection. Manta's product design starts from first principles, and provides end-to-end privacy protection for blockchain users through leading cryptographic architectures such as zkSNARK. While protecting privacy, Manta is interoperable, convenient, high-performance and auditable, allowing users to conduct private transfers and transactions between any parachain assets. Manta's vision is to provide more convenient privacy protection services for the entire blockchain world.

Manta's founding team consists of several cryptocurrency veterans, professors, and academics whose experience includes Harvard, MIT, and Algorand. Manta's investment institutions include Polychain, ParaFi, Binance Labs, Multicoin, CoinFund, Alameda, DeFiance, and Hypersphere, etc. Manta is also a grant recipient of Polkadot's official Web3 Foundation, a member of the Substrate Builder Program, and a member of the Berkeley University Blockchain Accelerator.

We're Hiring!

Follow the official channel for more information about Manta/Calamari:

Website:https://manta.network/

Github:https://github.com/Manta-Network

Twitter:https://twitter.com/MantaNetwork

Medium:https://mantanetwork.medium.co

Telegram:https://t.me/mantanetwork

Discord:https://discord.gg/ZtSuSKRy8X

Telegram Chinese:https://t.me/mantanetwork_zh

Twitter Chinese:https://twitter.com/manta_china
