Manta founder Shumo in conversation with Tsinghua Cryptography PhD, in-depth discussion on the ZK track
Author: Manta Network
On July 23, 21:00 Beijing time, Shumo Chu, co-founder of Manta Network, was invited by the Tsinghua University Blockchain Association (THUBA) to have a dialogue with cryptography PhD Sputnik on Twitter Space. The topics included basic knowledge of ZK, ZK research and applications, and how Manta utilizes ZK to solve Web3 privacy issues. Below is the full transcript of the dialogue:
Yiki (Host):
Hello everyone, I am Yiki, the vice president of the Tsinghua Blockchain Association (THUBA). Since our establishment in 2017, we have a five-year history and have held nearly 200 events. This coming August, we will also host our first hackathon, and everyone is welcome to pay attention and register. Now, could we ask Shumo to briefly introduce what Manta does and give a self-introduction?
Shumo:
Hello everyone, I am very honored to participate in this event. I am Shumo, co-founder of Manta Network. First, let me introduce Manta. We were established around October 2020. The reason we founded Manta was that we felt there was a significant issue with blockchain (Web3), which is privacy. We were very optimistic about the prospects of the Web3 industry, but if this industry goes mainstream, all on-chain transactions are in plaintext, which is very undesirable. We believe privacy is a fundamental right of individuals. If you look at the architecture of all current public chains, you can find that almost all public chains lack privacy, except for a few like Monero or Zcash.
So our original intention is to solve this privacy issue. How do we solve it specifically? We first developed an on-chain privacy payment product—MantaPay, which has already launched two versions of the testnet. You can think of it as a bring-your-token version of Zcash. This product is launched in the Polkadot ecosystem, but we will also expand to multi-chain in the future. Our next step is to develop smart contracts for privacy assets, which we have been working on for about half a year, but it has not been officially released yet. I would summarize Manta in one sentence: we are building the privacy layer for the entire Web3. We hope that in all traditional operations of Web3 in the future, you will have an option—privatize by Manta, and your transactions will automatically become private transactions.
About myself, I previously studied for a PhD at the University of Washington, focusing on database systems and formal verification. After graduation, I worked as a research scientist at Algorand for a year, then became an assistant professor at the University of California, Santa Barbara, and now I am working full-time at Manta Network.
Yiki:
Thank you. Sputnik, could you also briefly introduce yourself and some areas of research you are currently focusing on?
Sputnik:
Hello everyone, I am Sputnik. Currently, I am responsible for the ZK research direction at THUBA. I am pursuing a PhD in cryptography at Tsinghua University, mainly researching privacy protection technologies on blockchain, including algorithms and applications, as well as zero-knowledge proof technology. Our ZK research is currently focused on establishing a ZK discussion group for the public, including exchanges between industry and academia, and everyone is welcome to participate. I am very glad to be here today to discuss ZK applications with Shumo. Welcome everyone.
What is ZK
Yiki:
First, let’s ask Shumo to briefly introduce what ZK is, its principles, and applications, in simple terms.
Shumo:
ZK stands for zero-knowledge proof. It has been theoretically researched for many years, with the earliest studies dating back at least two or three decades to the GMR (Goldwasser Micali Rackoff) paper. At that time, people thought this concept was theoretically feasible. A significant milestone was Zcash, where several professors collaborated to create the first version. Previously, people thought this was a theoretical concept that was unlikely to be practical. Then they created a more practical construction called libsnark, which supported the first version of Zcash, and people realized that this could be implemented in practice.
To borrow from Micali, what is ZK? You can think of it as encryption on computation. Encryption generally refers to data encryption, which transforms data from plaintext to ciphertext, but ZK is actually a relatively more powerful concept. It refers to encryption on computation, meaning that the computation itself is encrypted. Specifically, for example, if you want to prove that you know something, such as 3 plus 5 equals 8, you want to prove that you know this fact without revealing the specific inputs of 3, 5, and 8. You have the commitments of 3, 5, and 8, and you need to convince someone that this is correct. In the context of blockchain, you need to prove this to all validators or node runners in a very high-level way.
Yiki:
Thank you, Shumo. Sputnik, from your perspective, how do you see the development of ZK, and how would you define ZK?
Sputnik:
From a cryptographic perspective, the ZK protocol is actually very simple. In one sentence, it can be summarized as a two-party cryptographic protocol involving a prover and a verifier. The prover needs to prove to the verifier that they know a secret without revealing it.
What does zero-knowledge mean? From a cryptographic standpoint, it may require some knowledge of information theory to strictly define it. During the interaction between the verifier and the prover, the verifier cannot gain any knowledge or capabilities that they did not originally possess. For example, as Shumo mentioned, if you want to prove that 3 plus 5 equals 8, you know the equation, but you cannot disclose it. Therefore, you may need to use a commitment. A commitment is a cryptographic promise that has binding and hiding properties. You can see my commitment, but the inherent value is bound by it, similar to a hash function.
If the bound value changes, the commitment will also change, which is the binding property. The hiding property means that seeing the commitment does not allow you to know what is inside. I can provide a zero-knowledge proof to you now and convince you that my commitment is indeed my value. This is how ZK is viewed from a cryptographic perspective.
Yiki:
You just provided a definition and development of ZK from a research perspective. Could you briefly introduce how ZK is currently being researched in the academic field and what areas you focus on?
Sputnik:
In the research field, there are indeed different directions. There is a very theoretical aspect, which is provable security, involving a set of formal methods that we won’t go into detail about. Additionally, there are applications. In terms of applications, there are new optimization algorithms being proposed that may perform better than previous algorithms. For example, Zcash, which was designed by several professors mentioned by Shumo, had its protocol proposed in 2014 and the system launched in 2016. This is essentially using algorithms to implement an application. Those are the main directions.
Yiki:
You have been focusing on crypto for a long time at THUBA. How do you see the relationship between ZK research and the crypto industry? Is the connection good?
Sputnik:
I think ZK has already achieved some results in research, with many different algorithms developed. However, I believe that in terms of integration with the industry, there is still a need to improve its performance and other optimizations. What I mean is that while some algorithms may have good theoretical results, it is uncertain whether they perform as well in practice. We can ask Shumo to elaborate on the current level of ZK applications in the industry.
Shumo:
Research is certainly very important. I think the gap between research and practical applications lies in the fact that research mainly studies complexity, while practical applications focus more on actual performance. In cryptography, the theoretical performance and actual implementation do not differ significantly, and there are no large hidden constants. Additionally, implementing an algorithm may require large-scale engineering and personnel.
Secondly, the engineering effort required to implement the underlying ZK protocols is very complex, such as R1CS and Plonk circuits. Therefore, Manta is building something called OpenZL (an open-source zero-knowledge proof library), which acts as a middle layer to improve development efficiency. I believe the gap between research and industry is this middle layer abstraction. Of course, having a good understanding of the underlying cryptography is also beneficial for engineering.
Yiki:
Thank you. We just mentioned some applications of ZK. I would like to ask Sputnik to further outline the application scenarios of ZK in both blockchain and non-blockchain fields.
Sputnik:
In terms of blockchain applications, ZK mainly falls into two parts: privacy and scalability. Regarding privacy, we have repeatedly mentioned the Zcash project, which many of you may have heard of as the "big zero coin." It primarily achieves hiding at the transaction level, using zero-knowledge proofs to conceal the three elements of a transaction: the sender, the receiver, and the transaction content, improving upon what Zcoin achieved previously.
As for scalability, when we talk about blockchain scalability, it often reflects an increase in TPS (transactions per second). How does layer 1 public chain scalability relate to ZK? As we mentioned earlier, a zero-knowledge proof is primarily a proof system. If we use its zero-knowledge property to protect privacy, then on the scalability side, we utilize its proof property.
Currently, a familiar term is ZK roll-up, and Ethereum is exploring ZK roll-up scalability. The logic is that we want to return the public chain to its essence because the cost of public chains is very high. Everyone needs to reach consensus, maintain a set of ledgers, and run calculations again, which is costly. Therefore, we hope to move this computational cost off-chain and only reach consensus on the final results on-chain.
In essence, this blockchain is a state composed of everyone’s account balances, and with each transaction, the balance will be updated. This is a computational process, and we hope to perform this computation off-chain, then submit the new results and the proof that our computation is correct to the chain. The chain only needs to verify this proof, allowing the state to be updated directly. Compared to direct computation, verifying the proof is much faster. This is what we refer to as ZK roll-up for scalability. This is the current application of ZK in the blockchain direction.
In non-blockchain fields, we often refer to privacy computing. Of course, privacy computing is also being integrated with blockchain. For example, in privacy computing, we hope to achieve secure multi-party computation, where multiple parties need to jointly compute a result. In this process, some ZK protocols may be used, often appearing as a component. This is the basic application situation.
Yiki:
Thank you. Now I would like to ask why ZK is important. For example, if you were to explain ZK to some university students, how would you do it, Shumo?
Shumo:
From a fundamental perspective, it is about trust between people. The entire blockchain system is solving the trust issue. As Sputnik mentioned earlier, we can already see that the applications of ZK are very important. The first is on-chain privacy; currently, ZK is the only solution to hide information while reaching consensus. The second is rollup, which provides proof for transaction bundling and verification. Therefore, from a broader trend, the direction of our social development is to eliminate the process of establishing trust between people. ZK has evolved from unique protocols to being able to verify any computation, and we can see a kind of Moore's Law-like improvement.
How to Learn ZK
Yiki:
Understood. Following this topic, I would like to ask Shumo to share some advice for beginners on how to start learning ZK from scratch, based on your own learning experience.
Shumo:
I think first, everyone needs to clarify a point: what is the purpose of learning ZK? The ZK tech stack is deep, and having a clear purpose makes learning more efficient. The second point is that if you want to become a master in ZK, you need to start with the basics of cryptography. The younger generation of cryptographers often begins by watching open courses from professors like Dan Boneh at Stanford University, as those cover the foundational aspects of cryptography.
Secondly, you can look at open-source libraries on GitHub. In practice, I think these are the two main aspects: one is to start learning directly from the foundational concepts of cryptography, and the other is to begin writing programs.
Yiki:
I understand. I think that is very insightful; it is essential to learn from theory and also to write code. Sputnik, what are your thoughts on this? As I understand, you have a background in mathematics. Do you have any advice for students learning ZK?
Sputnik:
I studied mathematics for my undergraduate degree, and later my subfield was information security. I started getting into cryptography in my junior year. If people want to understand ZK systematically and be able to apply it themselves, I also recommend learning some basic cryptographic concepts, including signatures, hash functions, MACs, and a series of related concepts, as well as cryptographic methods and how to define zero-knowledge.
If someone wants a simple understanding, I think it is essential to clarify what the ZK protocol is doing. I recommend an article titled "How to explain ZK protocols to your children," published in the 1990s at the Crypto conference, which is one of the most authoritative conferences in cryptography. This article uses a familiar example of Ali Baba and the Forty Thieves, as well as the zero-knowledge cave, both originating from this article. It introduces various properties of ZK and some cryptographic tools in a storytelling manner, including what a simulator is, which is a tool we use to prove zero-knowledge. Additionally, you can follow my personal repo and a podcast, which you can find by searching for "Zero-Knowledge Cave" on Xiaoyuzhou. It also discusses this article and some applications of ZK.
Current Status and Future of the ZK Track
Sputnik:
Now, our next topic is to discuss the ZK track. After talking so much about ZK and learning about it, I would like to hear Shumo's perspective on why we say the current ZK application track is very competitive. It seems that there are many ZK application projects, including zkSync and others, as well as Zcash mentioned earlier. Even the Ethereum Foundation is working on it. They all have strong cryptographic teams behind them, including Eli Ben-Sasson, the co-founder of Starkware, who is a professor in Israel and also a founder of Zcash. What are your thoughts on this phenomenon, Shumo?
Shumo:
First, I think it depends on how you interpret the term "competitive." Indeed, I believe that whether it is existing projects or those in the startup phase, I can tell you that it will only become more competitive, not less. It is definitely going to get more competitive. However, I think this competition is a good thing for both the ZK field and the entire Web3. Web3 is a field where people can freely enter and exit. Everyone feels they have a chance, so the competition begins. In fact, within this competition, different projects are doing different things. Starkware has its unique features and its own programming language.
Another question is how to approach this competition. It may not be about looking at what the currently popular projects are doing, but rather considering what needs exist in this field and how we can solve some practical problems. In summary, I think competition is an inevitable phenomenon. If you want to do something in ZK, you should find your own entry point rather than mimic other projects.
Sputnik:
Regarding the ZK track, I would like to ask you to discuss the differences among leading companies in the ZK rollup field, including zkSync, Starkware, Scroll, etc. Can you elaborate on that?
Shumo:
First of all, I am not personally involved in ZK rollup. Regarding this question, I believe the first aspect is EVM compatibility, meaning whether the project can fully support EVM.
The first type is called EVM compatible, which is what zkSync is doing. Their approach does not put the entire EVM into the circuit but instead creates their own VM. Putting the EVM into the circuit is technically very challenging and can lead to various issues. This is zkSync's approach, and its advantage is that it may go live earlier, meaning that zkSync might be the first among these to launch on the mainnet. However, if it only maintains compatibility at the Solidity level, many Ethereum tools, including debuggers, cannot be used.
Scroll and Hermez both claim to have EVM equivalence, which I believe is better as it can utilize the toolchain.
As for Starkware, up until now, the prover is still closed-source. You mentioned that the Ethereum Foundation is working on something, which is likely a pure technical exploration and probably will not launch in practice.
Sputnik:
Next, regarding the ZK track, we have one last question. We discussed the applications of ZK in privacy and rollup aspects. However, for developers, as mentioned earlier, it often requires a specialized cryptographic team. For applications like rollup, we hope to achieve user transparency, meaning users may not even feel the existence of the middle layer. My question is, is it possible to create more accessible products that ordinary people can feel and use?
Shumo:
I think this is a very good question, and I believe it is certainly possible. First of all, regarding ZK rollup, it does not have privacy and can be directly deployed on the middle layer, such as zkSync, without needing to understand ZK. However, if it is an application focused on privacy, you would need to understand ZK yourself. For example, in Manta's privacy asset platform, if you interact with this privacy asset, you may need to do ZK programming yourself. I think this is a very interesting aspect for developers.
Secondly, while having a background in cryptography is beneficial, the development of high-level languages and tools means that developers no longer need to write the underlying circuits by hand, just as the emergence of high-level programming languages eliminated the need to write assembly code. Therefore, we can see that the barrier to ZK programming is gradually lowering. I believe this will take time, and in the future, developers will not need to understand every detail of cryptography, as ZK programming languages and libraries are continuously emerging.
Sputnik:
Thank you, Shumo. I have a general understanding of your outlook on ZK. Now, I would like to return to Manta. I know that Manta is working on MantaPay, which is also a payment system with privacy features. Could you please introduce MantaPay and explain how it differs from Zcash?
Shumo:
First, from the perspective of solving problems, we have indeed learned a lot from Zcash's successes. However, a significant difference in our protocol is that Zcash only supports a single currency, while we support multiple currencies. Our overall concept also differs; Zcash aims to build something from scratch. We want to make privacy a foundational infrastructure that empowers the entire industry, rather than just creating our own payment system.
Secondly, from a technical perspective, we started later than Zcash, so we utilized newer cryptographic technologies, including ZK-friendly hash functions. Our circuit size is one-tenth that of Zcash. Our performance is better, and the user experience is improved. These are the similarities and differences between us and Zcash. We certainly stand on the shoulders of giants and have learned a lot from Zcash.
Sputnik:
Thank you, Shumo, for the introduction to MantaPay. Additionally, I have a detail-oriented question. I am personally curious about the concept of trusted setup. In some algorithms, we sometimes need to generate parameters required by an algorithm through a trusted setup. In Zcash, its initial design requires such a setup. From what Shumo introduced earlier, I understand that MantaPay also requires a trusted setup. I would like to hear your thoughts on this, as there are now some algorithms that do not require a trusted setup, yet we still adopt this approach. Are there any benefits to this?
Shumo:
Yes, there are indeed benefits, and this is currently a widely used approach. There are two types of zero-knowledge proof systems: one is what we currently use, called Groth16, and the other is Plonk, each with its advantages and disadvantages. The former requires a trusted setup, while the latter does not (application-specific trusted setup). We have found through testing that the former performs better.
From many cryptographic details, the circuits differ, and the proof systems are different. In summary, we currently use a trusted setup purely for performance considerations. Different user devices generate proof times that vary, and we cannot "discriminate" against slower users. Specifically, whether the proof generation time is 2 seconds or 20 seconds can fundamentally impact user experience. This is our consideration for performance.
Secondly, the security of the trusted setup is still controllable. Many members of the Manta community will participate, and we may also invite some reputable individuals in the field to participate in the trusted setup. Therefore, the honesty can be guaranteed, which is why we use a trusted setup.
Yiki:
Thank you, Shumo. Our AMA has been going on for an hour and is nearing its end. Overall, we have had a very in-depth discussion from what ZK is to how beginners can learn ZK, as well as the current state of ZK research and industry. The guest segment has concluded. Thank you, Shumo and Sputnik, for your sharing.
About THUBA
The Tsinghua University Blockchain Association (THUBA) is a student organization spontaneously formed and self-managed by Tsinghua students who are passionate about blockchain technology research. It aims to become a bridge connecting universities in the blockchain field both domestically and internationally, dedicated to educating and cultivating future leaders in Web3.
Manta Network is committed to building a better Web3 world through privacy protection. Manta's product design starts from first principles, providing end-to-end privacy protection for blockchain users through leading cryptographic architectures such as zkSNARK. While ensuring privacy, Manta also features interoperability, convenience, high performance, and auditability, allowing users to conduct private transfers and transactions between any parachain assets. Manta's vision is to provide more convenient privacy protection services for the entire blockchain world.
The founding team of Manta consists of several senior cryptocurrency professionals, professors, and scholars with experience from Harvard University, MIT, and Algorand. Manta's investors include Polychain, ParaFi, Binance Labs, Multicoin, CoinFund, Alameda, DeFiance, and Hypersphere, among others. Manta is also a recipient of funding from the official Web3 Foundation of Polkadot, a member of the Substrate Builder Program, and a member of the Berkeley Blockchain Accelerator.