Privacy-Preserving Proof-of-Personhood Protocol

What Are We Building?

We are building what we call a Privacy-Preserving Proof-of-Personhood Protocol (PPPoPP). We originally set out with the goal of airdropping a token to a billion people. Along the way, we found that we had to develop a lot of foundational infrastructure not only on the hardware side (which became the Orb), but also on the crypto/protocol side.

While there are many projects out there building general purpose rollups (e.g., Arbitrum, Optimism, [zksync](https://zksync.io/)), we came across the open source project Hubble, a minimal, application-specific rollup. It allows a highly efficient, but also permissionless and non-custodial, airdrop at the scale of one billion people.

Hubble’s open source contracts were already in great shape, and we decided to contribute a high-performance [sequencer implementation](https://github.com/worldcoin/hubble-commander) written in Go, with the goal of deploying on mainnet as soon as possible. We managed to squeeze quite a bit of performance out of the sequencer in the process. While there will be a separate deep dive on Hubble in the future, this post will focus on Semaphore, another open source project from the appliedzkp team.

Because the Orb uses biometrics for the initial sign-up, we wanted to delink this step from the wallet and any future transactions to ensure the user’s privacy. So we settled on Semaphore because it not only allows us to add anonymity to a specific action, but also makes it very easy to reuse the setup for new applications, making future use cases possible.

How Does Semaphore Work?

The privacy in Semaphore is created by introducing a larger set of identities called “identity commitments,” which are hashes of a secret string, and comparable to a traditional public key. This set is represented as a Merkle tree in order to allow anyone in the set to efficiently prove membership. However, because this Merkle proof would leak an individual member’s identity, the proof needs to be verified in zero knowledge. This zero knowledge proof (ZKP) can then be transmitted to prove membership without leaking the identity, and be verified by anyone.

The application using Semaphore decides how the set of identities is created. The smart contract has to implement custom logic for the “gatekeeper” function to add an identity to the set. In the case of Worldcoin, the uniqueness check on the IrisHash is the gatekeeper. The IrisHash provided and signed by an Orb has to be unique, and only then is the identity added to the set.

Semaphore fundamentally has two main parts to it: a set of identities and a mechanism to prove membership. Users can create a zero knowledge proof that simultaneously proves three important claims:

  • Membership: “I am a member of the set.”

  • One-shot: “I have not made a claim before in this context.”

  • Signal: “I want to say this ....”

Membership. The set of users is stored as a Merkle tree of public keys (identity commitments). To prove membership, a user proves they know a private key and a Merkle proof for the corresponding public key in the tree. All of this, including the Merkle proof, is verified inside the zero-knowledge proof, so no one can see which leaf was used or what the public key was. This is what provides perfect anonymity: an external observer sees only that the proof came from a member, without being able to see which member.

One-shot. In nearly all applications, we want to make sure that each member gets to do something only once (e.g., vote or spend a token). However, because membership is proven anonymously, we cannot tell if two proofs came from the same user. This is solved by having each proof publish a nullifier, a random-looking number that is unique for each user. Any two proofs from the same user carry the same nullifier, so we can detect them and know that they came from the same user. Nullifiers are similar to random pseudonyms that cannot be linked to the real identity.

Nullifiers have been used since the first privacy coins. However, Semaphore goes beyond regular nullifiers. Take voting as an example: say we want every user to cast one vote on each proposal. With regular nullifiers, we wouldn’t be able to track users' votes per proposal, because all of a user's votes would carry the same nullifier. Instead, we need a new random pseudonym for each voting round. Semaphore makes this possible by mixing in a unique number for each round: the external nullifier. This is powerful, as it allows us to build a set of all humans that everyone can build on.

Signal. To continue the example of voting, each user needs to be able to voice their decision. If we simply bundled their decision with a zero knowledge proof in a transaction, we would run into a problem: an attacker who sees the transaction could replace the decision, copy the proof, and front-run. To prevent this, we need to cryptographically tie the decision to the proof. Semaphore allows attaching an arbitrary signal to a proof to achieve this.

All together, these claims are proven as follows (for the actual implementation, see here):

Figure 1: Pseudo-code for the Semaphore circuit implementation

Note that instead of something complex like elliptic curve signatures, the public key is simply a hash. This works because zero knowledge proofs keep the pre-image secret.
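To make the three claims concrete, here is an added Python model of what the circuit pseudo-code in Figure 1 checks and what the contract then does with the public outputs. It is not code from this post, from Semaphore or from semaphore-rs. It computes in the clear what the real circuit proves in zero knowledge, so it illustrates the constraints, not the hiding. Assumptions: SHA-256 stands in for Poseidon, the two-part identity secret (trapdoor, nullifier) and the derivation `nullifier_hash = H(external_nullifier, identity_nullifier)` are modelled on Semaphore's layout, and the tree depth, identities and proposals are constructed.

```python
"""Toy model of the three Semaphore claims: membership, one-shot, signal.

Added example; not Semaphore's or semaphore-rs's code. SHA-256 replaces
Poseidon, a depth-4 tree replaces the production tree, and `circuit()`
computes in the clear the values a real prover would compute inside the
ZKP. Only the PublicOutputs would leave a real prover.
"""
import hashlib
from dataclasses import dataclass

DEPTH = 4  # 16 leaves; constructed toy size


def H(*parts: bytes) -> bytes:
    """Hash the concatenation of byte strings (Poseidon stand-in)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


@dataclass(frozen=True)
class Identity:
    trapdoor: bytes    # private
    nullifier: bytes   # private; seeds the per-context pseudonym

    def commitment(self) -> bytes:
        # "The public key is simply a hash": the pre-image stays secret.
        return H(H(self.trapdoor, self.nullifier))


def build_tree(leaves):
    """All levels of a zero-padded Merkle tree; levels[-1][0] is the root."""
    level = list(leaves) + [b"\x00" * 32] * (2 ** DEPTH - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_path(levels, index):
    """Sibling hashes leaf-to-root, each tagged with 'our node is the right child'."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index >>= 1
    return path


@dataclass(frozen=True)
class PublicOutputs:
    root: bytes
    nullifier_hash: bytes
    signal_hash: bytes
    external_nullifier: bytes


def circuit(identity, path, external_nullifier, signal):
    """The constraints the Semaphore circuit enforces on its private inputs."""
    node = identity.commitment()                    # membership: recompute the root
    for sibling, is_right in path:                  # from the secret leaf and path
        node = H(sibling, node) if is_right else H(node, sibling)
    nullifier_hash = H(external_nullifier, identity.nullifier)  # one-shot pseudonym
    return PublicOutputs(node, nullifier_hash, H(signal), external_nullifier)


class SemaphoreVerifier:
    """Contract-side logic: root check, signal binding, nullifier bookkeeping."""

    def __init__(self, root):
        self.root = root
        self.used = set()

    def verify(self, out, signal):
        if out.root != self.root:
            return "bad root"                # prover is not a member of this set
        if H(signal) != out.signal_hash:
            return "signal mismatch"         # proof copied, signal replaced
        key = (out.external_nullifier, out.nullifier_hash)
        if key in self.used:
            return "nullifier already used"  # second action in the same context
        self.used.add(key)
        return "ok"


def demo():
    alice = Identity(b"alice-trapdoor", b"alice-nullifier")  # constructed
    bob = Identity(b"bob-trapdoor", b"bob-nullifier")
    carol = Identity(b"carol-trapdoor", b"carol-nullifier")  # never registered
    levels = build_tree([alice.commitment(), bob.commitment()])
    verifier = SemaphoreVerifier(levels[-1][0])
    alice_path = merkle_path(levels, 0)
    round1, round2 = H(b"proposal-1"), H(b"proposal-2")      # external nullifiers

    vote = circuit(alice, alice_path, round1, b"yes")
    retry = circuit(alice, alice_path, round1, b"no")
    next_round = circuit(alice, alice_path, round2, b"yes")
    outsider = circuit(carol, alice_path, round1, b"yes")
    results = [
        verifier.verify(vote, b"yes"),        # ok
        verifier.verify(vote, b"no"),         # signal mismatch
        verifier.verify(retry, b"no"),        # nullifier already used
        verifier.verify(next_round, b"yes"),  # ok: fresh pseudonym for round 2
        verifier.verify(outsider, b"yes"),    # bad root
    ]
    same_round = vote.nullifier_hash == retry.nullifier_hash          # linkable in a round
    across_rounds = vote.nullifier_hash == next_round.nullifier_hash  # unlinkable across
    return results, same_round, across_rounds


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the failure modes the text describes: a copied proof with a swapped signal is rejected by the signal binding, a second proof in the same round collides on the nullifier, and the same identity gets a fresh, unlinkable pseudonym once the external nullifier changes.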

What Have We Built So Far?

We’ve done some early refactoring on the contracts to separate the identity tree from the usage and nullifier implementation, which allows for even more generic use cases. We’ve also created semaphore-rs and ported most of the relevant parts of the client library zk-kit from TypeScript to Rust. We are already using this library internally while building the Worldcoin wallet, which, in addition to Ethereum and Hubble, is also an identity wallet supporting local Semaphore proof generation. The wallet will be a native iOS and Android app and uses a cross-compiled version of semaphore-rs under the hood. The wallet will be fully open sourced later in the year.

Figure 2: Example code to use semaphore-rs

What’s Next?

We are currently working on scaling Semaphore. Improvements can be made on two fronts:

  • Identity insertion: Currently, every leaf is inserted individually into the Merkle tree and the updated root is calculated inside the contract. Since the Merkle proofs have to be efficiently verifiable inside a ZKP, the tree uses Poseidon hashes instead of Keccak. Unfortunately, this makes insertion in Solidity very expensive (1-2M gas). A sequencer that batches insertions into a single ZKP aggregating multiple Merkle tree updates will drive down the cost of identity insertion significantly.

  • Proof verification: Currently, each Semaphore proof is submitted and verified individually, making the cost of signaling around 300k gas. As with identity insertion, multiple proofs could be aggregated into a single proof to amortize the cost. Unfortunately, this is quite difficult with the proving system (Groth16) currently used by Semaphore. We are working on upgrading to a more modern proving system that also allows for aggregation.

    Why not just deploy it to Arbitrum or Optimism? Zero knowledge proofs still come with significant calldata, and L2s do not remove that cost. Proof aggregation is the only way to reduce it to a sub-linear cost per verification.

Let The Devs Do Something

We hope that our efforts will make it as easy as possible for developers to use Proof-of-Personhood as a new primitive in their own contracts and apps. We’ll also soon release more developer tooling that will allow us to interact with the Worldcoin wallet and all users of Worldcoin. There are many exciting applications of Proof-of-Personhood beyond airdrops and we want to help build the infrastructure for them.

If you’re interested in scaling Semaphore, working on L2s, or building developer tools: we’re hiring.

Original: https://worldcoin.org/the-worldcoin-protocol