TRON 4.0 Online Conference: Matthew To — Technical Lead of TRONZ: Birth of the First of its Kind Smart Contract Virtual Machine that Supports Privacy Computation
Hello, my name is Matthew To, Technical Lead of the TRONZ team. TRONZ is a group of experienced TRON community developers, specialized in cryptography. Our goal is to provide the whole TRON ecosystem with better privacy and to protect our users. As our first big contribution to TRON 4.0, we are really excited to bring shielded contracts & shielded transactions into the TRON ecosystem for all of our TRON users.
Today, I’m going to introduce the Zero-Knowledge proof inside our Tron Virtual Machine.
I’m sure that everybody has heard the term zero-knowledge proof a lot, but what is it exactly? A zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that something is true, yet without revealing any information apart from the fact that this specific statement is true. So it’s like I want to prove to someone that I own $1 million. But I would never show the real money to the person. Still, I’d be able to prove that. Zero-knowledge proofs can play a key role in privacy protection in blockchain. They can be used to prove that the conditions of a valid transaction have been met without revealing anything to the verifier.
All zero-knowledge proofs have the following 3 properties:
First, if the statement is true, the verifier will be convinced of this fact by an honest prover.
Second, if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some tiny probability, which we call the soundness error.
Third, if the statement is true, no verifier learns anything other than the fact that the statement is true.
So those are the fundamentals of zero-knowledge proofs.
Over the decades, numerous research works on zero-knowledge proofs have been proposed. Right now, there are 3 major zero-knowledge proof systems providing privacy within the blockchain industry: Bulletproofs, zk-STARKs & zk-SNARKs. Let’s look at the different properties of the proofs, and how they perform. If you look at the figures, it’s not hard to tell which one is the best to use. In terms of proof size, Bulletproofs are 6 times more, and zk-STARKs 200 times more, than that of zk-SNARKs. So that’s way, way smaller. In terms of verification time, Bulletproofs are 110 times more, zk-STARKs take 16 milliseconds, but only 10 milliseconds for zk-SNARKs. Way faster. While there are compromises on prover time, which is 2.3s compared with 1.6s in zk-STARKs, and it also needs a trusted setup, overall we could easily pick zk-SNARKs as our implementation for the solution.
Underneath the zk-SNARK scheme, it involves a lot of complex cryptographic theory procedures, which I’m not going to go through one by one here, but the basic idea is to transform a statement, something that you want to prove, for example, “I know the keys that allow me to spend this shielded transaction”, into an equivalent form of a quadratic arithmetic program.
And a prover has to show that he / she knows the solution of this equation,
so that he / she will have the right to spend the shielded token.
Moving on to the Shielded Transaction Protocol. We have to apply a shielded account system, which is quite different from our ordinary account. And we have a bunch of keys in order to perform a series of operations. 7 keys in total. But actually all the keys are derived from 1 single spending key. All the other keys serve different purposes throughout the process.
The shielded transaction protocol is based on the Unspent Transaction Output model. Each shielded output is a note, but in order to serve better privacy, the note itself isn’t put on chain. What we put is its commitment. The same goes for both SpendDescription and ReceiveDescription.
SpendDescription & ReceiveDescription form the input & output of a transaction respectively. With each transaction linking to another transaction, it forms the UTXO model.
With the shielded transaction protocol defined, we then go on to create our shielded TRC-20 contract. We have implemented the shielded TRC-20 contract related core functions in TIP-135, which can hide the source address, destination address, and the token amount for TRC-20 transactions and provide users with better privacy. The shielded TRC-20 contract has three core functions: mint, transfer and burn. Maybe you can guess what they do from their names.
Mint is used to transform the public TRC-20 token to shielded token, which makes token ownership invisible. Mint has only one transparent input and one shielded output.
Transfer is used for shielded token transactions, which can hide the source address, the destination address, and the transaction amount. Transfer has at most two shielded inputs and two shielded outputs.
Burn is used to transform the shielded token to the public TRC-20 token. Burn has only one shielded input, one transparent output and zero or one shielded output.
Maybe it’s better to understand with a flow diagram. Assume that Alice owns 100 tokens, JUST for example, and she wants to transfer 100 JUST to Bob. Alice first needs to mint the JUST into a shielded form; the tokens will go to the shielded TRC-20 contract. After several transfer steps, the shielded tokens will be burnt from the shielded TRC-20 contract, transferred back to public JUST tokens and go to Bob’s hands.
As the shielded contract is like a smart contract, anyone can deploy it, so we need to also implement a proof verification process. We’ve added new zero-knowledge proof instructions in TIP-137 & TIP-138 for our TVM to achieve the verification process. There are 4 functions implemented in the TVM; the first 3 are verifying functions which are used to verify the mint, transfer and burn functions which we’ve just mentioned. All of them take around 10 milliseconds to verify. And also one more pedersenHash function. The pedersenHash instruction is used to compute the node values in the Merkle tree, as we are using that data structure, and it only takes less than 1 millisecond.
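As an added worked example (an editor’s illustration, not code from the talk, from TIP-135, or from the TRONZ shielded TRC-20 contract), the Python toy below models the note / commitment / nullifier UTXO model and the mint, transfer and burn shapes the talk describes. It assumes SHA-256 in place of the pedersenHash instruction, a 4-level commitment tree, a toy key-to-address derivation, and, instead of a zk-SNARK, a verifier that inspects the spend witness in the clear; so it shows what the proof has to attest to (anchor membership, ownership, unused nullifier, value balance), not how the proof is built.

```python
import hashlib
import os
from collections import namedtuple
from dataclasses import dataclass

def h(*parts: bytes) -> bytes:
    """SHA-256 stands in for the pedersenHash instruction (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

@dataclass(frozen=True)
class Note:
    owner: bytes  # payment address of the holder
    value: int
    rcm: bytes    # random trapdoor so equal notes give different commitments
    def commitment(self) -> bytes:
        return h(b"cm", self.owner, self.value.to_bytes(8, "big"), self.rcm)
    def nullifier(self, spending_key: bytes) -> bytes:
        # unique per (key, note) but unlinkable to the commitment without the key
        return h(b"nf", spending_key, self.commitment())

class MerkleTree:  # append-only commitment tree; a verifier needs only its root
    def __init__(self, depth: int):
        self.depth, self.leaves = depth, []
    def _level(self, i: int) -> list:
        lvl = self.leaves + [bytes(32)] * (2 ** self.depth - len(self.leaves))
        for _ in range(i):
            lvl = [h(lvl[j], lvl[j + 1]) for j in range(0, len(lvl), 2)]
        return lvl
    def root(self) -> bytes:
        return self._level(self.depth)[0]
    def path(self, pos: int) -> list:
        return [self._level(i)[(pos >> i) ^ 1] for i in range(self.depth)]
    @staticmethod
    def verify(root: bytes, leaf: bytes, pos: int, path: list) -> bool:
        node = leaf
        for i, sib in enumerate(path):
            node = h(sib, node) if (pos >> i) & 1 else h(node, sib)
        return node == root

# The witness a prover would feed to the zk-SNARK. On chain only anchor, nullifier and
# proof appear; note and key are in the clear here so the toy verifier can check them.
Spend = namedtuple("Spend", "note spending_key position path anchor")

class ShieldedTRC20:
    def __init__(self, balances: dict):
        self.balances = dict(balances)     # transparent TRC-20 balances
        self.tree = MerkleTree(4)          # toy depth; the real tree is far deeper
        self.anchors = {self.tree.root()}  # historic roots a spend may cite
        self.spent = set()                 # published nullifiers
    def _add_output(self, note: Note) -> int:
        self.tree.leaves.append(note.commitment())  # only the commitment goes on chain
        self.anchors.add(self.tree.root())
        return len(self.tree.leaves) - 1
    def _check_spend(self, s: Spend) -> bytes:
        assert s.anchor in self.anchors, "unknown anchor"
        assert s.note.owner == h(b"addr", s.spending_key), "not the note owner"  # toy derivation (assumption)
        assert MerkleTree.verify(s.anchor, s.note.commitment(), s.position, s.path), "bad path"
        nf = s.note.nullifier(s.spending_key)
        assert nf not in self.spent, "double spend"
        return nf
    def mint(self, sender: bytes, amount: int, out: Note) -> int:
        # one transparent input, one shielded output
        assert 0 < amount <= self.balances.get(sender, 0) and out.value == amount
        self.balances[sender] -= amount
        return self._add_output(out)
    def transfer(self, spends: list, outs: list) -> list:
        # at most two shielded inputs and two shielded outputs; value is conserved
        assert 1 <= len(spends) <= 2 and 1 <= len(outs) <= 2
        assert sum(s.note.value for s in spends) == sum(o.value for o in outs)
        nfs = [self._check_spend(s) for s in spends]
        assert len(set(nfs)) == len(nfs), "same note spent twice in one tx"
        self.spent.update(nfs)
        return [self._add_output(o) for o in outs]
    def burn(self, spend: Spend, to: bytes, amount: int, change: Note = None) -> None:
        # one shielded input, one transparent output, zero or one shielded output
        assert 0 < amount and spend.note.value == amount + (change.value if change else 0)
        self.spent.add(self._check_spend(spend))
        self.balances[to] = self.balances.get(to, 0) + amount
        if change: self._add_output(change)

def alice_to_bob_demo() -> dict:
    # Alice mints 100 JUST, pays Bob 60 shielded (40 change), Bob burns his 60 back.
    alice_sk, bob_sk = b"A" * 32, b"B" * 32  # constructed toy keys, not real ones
    c = ShieldedTRC20({b"alice": 100})
    n1 = Note(h(b"addr", alice_sk), 100, os.urandom(32))
    p1 = c.mint(b"alice", 100, n1)
    spend1 = Spend(n1, alice_sk, p1, c.tree.path(p1), c.tree.root())
    n2 = Note(h(b"addr", bob_sk), 60, os.urandom(32))
    n3 = Note(h(b"addr", alice_sk), 40, os.urandom(32))
    p2, _ = c.transfer([spend1], [n2, n3])
    try:  # replaying the same witness must fail on the nullifier check
        c.transfer([spend1], [Note(h(b"addr", bob_sk), 100, os.urandom(32))])
        replay_rejected = False
    except AssertionError:
        replay_rejected = True
    spend2 = Spend(n2, bob_sk, p2, c.tree.path(p2), c.tree.root())
    c.burn(spend2, b"bob", 60)
    return {"alice": c.balances[b"alice"], "bob": c.balances[b"bob"],
            "replay_rejected": replay_rejected, "commitments_on_chain": len(c.tree.leaves)}
```

Running alice_to_bob_demo() walks the Alice-to-Bob flow from the talk: only commitments reach the tree, a spend cites an anchor plus a Merkle path and publishes a nullifier, a replayed witness is rejected by the nullifier set even though its anchor and path are still valid, and the transparent balances end at 0 for Alice and 60 for Bob with three commitments on chain.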
Back in January, the Multi-Party Computation Torch Project was initiated by our TRONZ team, which is dedicated to generating key parameters with MPC technology. The target of the Trusted Setup phase is to generate the common reference string (CRS) for part of the zkSNARK parameters. The security of the trusted setup relies on at least one of the participants being honest, that is, discarding the toxic waste after generating the corresponding parameters. The MPC Torch project was officially launched by Justin Sun, founder of TRON. And as you can see right here, Justin himself also participated in the MPC project! In honor of pioneers in privacy protocols, the TRONZ Foundation is giving 100 US dollars to privacy protocol foundations for every participant in the MPC. Finally, a total of 196 participants took part, which is by far the most participated-in MPC project by numbers. People ranged from developers of the TRON community, blockchain enthusiasts, people from traditional industry, everyday users, and Key Opinion Leaders (KOLs).
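As an added illustration of the honest-participant argument (an editor’s toy, not the MPC Torch implementation or its transcript format), the Python below runs a sequential ceremony in which each participant raises the current CRS element to a secret share and publishes a proof that they did so. It assumes a small safe-prime group instead of a pairing-friendly curve, a single CRS element G^tau instead of a full powers-of-tau set, and a Chaum-Pedersen (DLEQ) proof as the stand-in for whatever contribution check the real ceremony performs; the small group makes the values legible, not secure.

```python
import hashlib
import secrets

# Toy group: the order-Q subgroup of Z_P^* for the safe prime P = 2Q + 1 (assumption).
# Real ceremonies use pairing-friendly curves and many powers of tau; this keeps a
# single CRS element G^tau, which is enough to show the honest-participant argument.
P, Q, G = 1019, 509, 4

def hash_to_scalar(*values: int) -> int:
    data = b"".join(v.to_bytes(8, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dleq_prove(s: int, base1: int, base2: int) -> tuple:
    """Chaum-Pedersen proof that base1^s and base2^s were formed with the same s."""
    y1, y2 = pow(base1, s, P), pow(base2, s, P)
    while True:
        r = secrets.randbelow(Q - 1) + 1
        t1, t2 = pow(base1, r, P), pow(base2, r, P)
        c = hash_to_scalar(base1, base2, y1, y2, t1, t2)
        if c:  # a zero challenge would make the proof vacuous; the verifier rejects it
            return t1, t2, (r + c * s) % Q

def dleq_verify(base1: int, y1: int, base2: int, y2: int, proof: tuple) -> bool:
    t1, t2, z = proof
    c = hash_to_scalar(base1, base2, y1, y2, t1, t2)
    return (c != 0 and pow(base1, z, P) == t1 * pow(y1, c, P) % P
            and pow(base2, z, P) == t2 * pow(y2, c, P) % P)

def contribute(crs: int, s: int) -> dict:
    """One participant folds their secret s into the hidden tau: G^tau -> G^(tau*s).
    They publish the new CRS, G^s and a proof tying the two together; s itself is
    the toxic waste and must be discarded afterwards."""
    return {"crs": pow(crs, s, P), "pub": pow(G, s, P), "proof": dleq_prove(s, G, crs)}

def verify_contribution(prev_crs: int, c: dict) -> bool:
    # pub == 1 means s == 0 mod Q, which would reset tau to a value everyone knows
    return c["pub"] != 1 and dleq_verify(G, c["pub"], prev_crs, c["crs"], c["proof"])

def verify_transcript(contribs: list) -> bool:
    """Anyone can replay the ceremony from G and check every link of the chain."""
    crs = G
    for c in contribs:
        if not verify_contribution(crs, c):
            return False
        crs = c["crs"]
    return True

def run_ceremony(shares: list) -> list:
    """Sequential ceremony; each share is one participant's secret (toxic waste)."""
    crs, transcript = G, []
    for s in shares:
        c = contribute(crs, s)
        assert verify_contribution(crs, c), "coordinator must reject bad contributions"
        transcript.append(c)
        crs = c["crs"]
    return transcript

def combined_tau(shares: list) -> int:
    """The final CRS exponent is the product of every share mod Q. Whoever knows it
    can forge proofs, so it must be known to nobody: one discarded share suffices."""
    tau = 1
    for s in shares:
        tau = tau * s % Q
    return tau

def forged_contribution(prev_crs: int, s: int) -> dict:
    """A cheater ignores the previous CRS and posts G^s, whose exponent they fully
    know. The only DLEQ proof they can produce is for prev_crs^s, so the link fails."""
    return {"crs": pow(G, s, P), "pub": pow(G, s, P), "proof": dleq_prove(s, G, prev_crs)}

def fresh_shares(n: int) -> list:
    return [secrets.randbelow(Q - 2) + 2 for _ in range(n)]  # each share in [2, Q-1]
```

run_ceremony(fresh_shares(3)) produces a transcript that verify_transcript accepts; combined_tau shows why the toxic waste matters, since the colluders who keep their shares cannot reconstruct tau once a single honest participant has thrown theirs away; and forged_contribution shows the attack the per-link check exists for, a participant who tries to replace the CRS with one whose exponent they alone control.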
So to wrap things up, how well does our shielded TRC-20 contract perform compared with the other popular projects? We took 5 of them. Let’s see the pros and cons.
Monero: RingCT Protocol, linear with the ring size, which is good. But as it uses Bulletproofs, its performance is poor.
ZCash: Perfect privacy, but it doesn’t support the shielded contract, which limits the extension of privacy protection.
MimbleWimble: It uses Pedersen commitments to hide the amount, but it requires sender and receiver to have interactive communication to build the transaction.
Tornado Cash: One of the popular Ethereum-based mixer solutions. It implements a shielded contract, but it supports deposit and withdraw only, and a fixed amount of token transfer. It requires more users to stake up the privacy.
Aztec: It only shields the transaction amount, but the sender and receiver addresses are public.
So by far, our shielded TRC-20 contract offers the most professional, extendable, and convenient solution to our users.
We are devoted to research on frontier cryptographic techniques and want to make a contribution to privacy protection in blockchain. In the future, if there are any new solutions proposed, we would bring them to TRON. At this stage, we’re bringing you shielded contracts, with blablabla. And there is so much more to come. We do believe that TRON 4.0 will bring the Tron public chain to a whole new level. We can’t wait to see the day arrive. Thank you.