---
title: Are we zk-Cardano yet?
date: 2023-08-07
---

Not so long ago Emurgo announced they were doing a Cardano centered hackathon. It was a welcome prospect - very few similar such events seem to exist in the space. Things went monotonically south ever since the announcement, but that's a different story.

One particularly interesting quirk was that of the three "tracks" of the hackathon, one was _Zero Knowledge_ (aka zk). Why a particularly interesting quirk? In some sense it is not surprising: zk has been very trendy these last few years around blockchains. However, building on Cardano is notoriously challenging. Building with zk on a zk-native blockchain is itself a very steep learning curve. So combining the two, zk on Cardano, seemed... a bit mad.

This post is borne out of a best effort at finding how far "zk on cardano" can be pushed.

## What is zk?

There is no shortage of explanations describing what zk is [TODO: Links]. There is also a reasonable breadth to the field of zk that includes things like distributed compute. Zk involves some really neat maths that lets you do some seemingly magical feats, and pairs well with blockchain in extending what is functionally possible.

Let's stick to a simple and prototypical example. Suppose Alice and Bob are playing battleships. The game begins with Alice and Bob placing their ships within their own coordinate grid. They then take turns picking coordinates to "bomb". If they hit nothing, then their turn ends, but if they hit a ship then they guess again. The winner is the first to sink all their opponent's ships.

Alice knows Bob has a reputation of being a notorious liar; how can she enjoy the game? Each guess she makes, Bob gleefully shouts "Miss!". She can't ask Bob to show he's not lying by revealing the actual locations of the ships. She could ask Charlie to independently verify Bob's not lying, but then what if Charlie is actually on team Bob and also lies?
Or Bob might suspect Charlie is actually on team Alice, slyly brought in to give Alice some hints. Is there a way that Bob can prove to Alice that each guess is a miss, but without revealing the locations of the ships either to Alice or anyone else?

The answer is yes. Using zk Bob can produce a proof each time Alice's guess misses, if and only if it honestly does. Alice can inspect each proof and verify Bob's response. Alice can interrogate the proof as much as she wants, but she won't learn anything more than that her guess was a miss. There is a multitude of different ways to do this, but essentially it involves modelling the problem as a bunch of algebra over finite fields - like a lot of cryptography.

What's the snark of zk-snark? SNARK stands for _Succinct Non-Interactive Argument of Knowledge_. And without saying anything more: it means that Alice has to do way less algebra than Bob. In applications this is important, because Bob might not be able to lie anymore, but he could still waste Alice's time.

## Sudoku snark

Sudoku snark was the entrant to the Emurgo hackathon. The summary / pitch / story deck is [here](https://pub.kompact.io/sudoku-snark). Links to associated repos: [plutus-zk]() and [sudoku-snark]().

Just after the hackathon got underway there was a large PR merged into the main branch of plutus. It's a mammoth PR that is the culmination of many many months of work. In it were some fundamental primitives needed for running zk algos.

The idea of the project was as follows:

- write a validator implementing a zk algorithm with the new primitives
- write a programme to generate the setup and proofs
- try to get a version of hydra running this newest version of plutus.

Unsurprisingly to anyone who's hung around the Cardano repos long enough, this final part is where things got stuck.
Things got as far as running a cluster of nodes in the Conway era, supposedly with the latest plutus, but some unrelated changes seemed to thwart any chance of building transactions.

The validator uses [groth16], in part because this was already mostly available from the plutus repo itself. It is also the most obvious candidate to begin with. It's relatively mature, relatively simple, can be implemented from the new primitives, and, importantly in cardano land, has small proof size. (As far as I know, the smallest of comparable algos.)

The program to generate the setup and proofs uses the arkworks framework. Again this was initially inspired by a script from the IOG team. The choice of game, sudoku, was in turn inspired by an arkworks example. It's not the most compelling of choices, but it did the job for now.

The intended game play involved locking ada at a utxo spendable only if a player could provide proof that they knew the solution. And through the magic of zk, not disclosing the solution itself to the competition. Other details were TBC: are there first and second prizes? are players whitelisted?

## So are we zk-Cardano yet?

We're close. There is potentially still quite a stretch between being in the plutus repo and being run on-chain. The word on the street is that it might happen before the end of 2023. Before it's available on mainnet there will be versions of the cardano node available, and so possibly plumbable into hydra without causing oneself an aneurysm.
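Returning to the validator from the Sudoku snark section: the sketch below is an added example, not code from plutus-zk or the plutus repo, showing how the Groth16 acceptance test maps onto the BLS12-381 builtins exported from `PlutusTx.Builtins`. The `VerifyingKey` and `Proof` record layouts and field names are assumptions; the public inputs would be the puzzle clues, so the proof is bound to this puzzle.

```haskell
{-# LANGUAGE NoImplicitPrelude #-}
module Groth16Check where

import PlutusTx.Prelude
import PlutusTx.Builtins
  ( BuiltinBLS12_381_G1_Element, BuiltinBLS12_381_G2_Element
  , bls12_381_G1_add, bls12_381_G1_scalarMul
  , bls12_381_millerLoop, bls12_381_mulMlResult, bls12_381_finalVerify )

-- Verifying key produced by the trusted setup (assumed field names).
data VerifyingKey = VerifyingKey
  { vkAlpha :: BuiltinBLS12_381_G1_Element
  , vkBeta  :: BuiltinBLS12_381_G2_Element
  , vkGamma :: BuiltinBLS12_381_G2_Element
  , vkDelta :: BuiltinBLS12_381_G2_Element
  , vkIC    :: [BuiltinBLS12_381_G1_Element]  -- IC_0 .. IC_n: one point per public input, plus one
  }

-- A Groth16 proof is just three curve points, hence the small proof size.
data Proof = Proof
  { proofA :: BuiltinBLS12_381_G1_Element
  , proofB :: BuiltinBLS12_381_G2_Element
  , proofC :: BuiltinBLS12_381_G1_Element
  }

-- vk_x = IC_0 + sum_i a_i * IC_i, where the a_i are the public inputs (the sudoku clues).
{-# INLINABLE publicInputCommitment #-}
publicInputCommitment :: VerifyingKey -> [Integer] -> BuiltinBLS12_381_G1_Element
publicInputCommitment vk inputs = case vkIC vk of
  []          -> traceError "empty IC"
  (ic0 : ics) -> foldr bls12_381_G1_add ic0 (zipWith bls12_381_G1_scalarMul inputs ics)

-- Groth16 acceptance test:  e(A, B) == e(alpha, beta) * e(vk_x, gamma) * e(C, delta)
-- The length check matters: zipWith silently truncates, so a short input list
-- would otherwise verify against a different statement than the one intended.
{-# INLINABLE verifyGroth16 #-}
verifyGroth16 :: VerifyingKey -> [Integer] -> Proof -> Bool
verifyGroth16 vk inputs (Proof a b c) =
  length inputs == length (vkIC vk) - 1
    && bls12_381_finalVerify lhs rhs
  where
    lhs = bls12_381_millerLoop a b
    rhs = bls12_381_millerLoop (vkAlpha vk) (vkBeta vk)
            `bls12_381_mulMlResult` bls12_381_millerLoop (publicInputCommitment vk inputs) (vkGamma vk)
            `bls12_381_mulMlResult` bls12_381_millerLoop c (vkDelta vk)
```

The on-chain cost is four Miller loops and one final verification regardless of how large the circuit is; only the vk_x sum grows with the number of public inputs, which is the succinctness the post refers to when it says Alice does far less algebra than Bob.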