Pre-Program Topic Sampler
This resource collection contains several subtopics; some will be more interesting to math/theory-oriented readers (sections 4 and 5), while others will be more interesting to engineers and builders (sections 1 and 2).
Each subtopic has a reading list (note that we don't expect you to read everything in any given reading list!) and one or more "quests" to help solidify your understanding.
Section 1 focuses on real production use cases of ZK, including mixers/games/rollup on Ethereum, and ZCash / privacy coins.
Section 2 focuses on resources for building decentralized applications with zkSNARKs.
Section 3 covers trusted setup, a process needed to generate the public parameters of a zkSNARK securely. We include some resources on the underlying mathematics and some resources on actually participating in an MPC.
Section 4 covers the mathematics behind zero knowledge cryptography, which has been studied for a few decades. A basic number theory background will be helpful for understanding this section.
Section 5 touches on the mathematics behind zkSNARKs, a powerful new zero-knowledge gadget first invented in 2012. zkSNARKs first became viable in production in blockchain systems in the last few years; they are something of a "cryptographic nuke." Before approaching this track, you should feel comfortable with everything in Section 4.
Section 0: Introduction
Everyone looking to understand zero-knowledge cryptography should read this!
Readings
- Understanding ZKPs Through Illustrated Examples
- Zero Knowledge Proofs: An Illustrated Primer
- What are zk-SNARKs?
  - Just the intro section, if you're looking for a high-level overview.
- ZKPs for Engineers: Introduction
- Privacy in Cryptocurrencies: An Overview
  - Only briefly touches on ZKPs, but helpful context for why blockchains care about this kind of privacy tech!
Quests
- Play with this Interactive ZK 3-coloring demo (after reading the "illustrated primer" reading). Try to answer Exercises 1 and 2 at the bottom of the page.
Section 1: ZK Applications in Blockchain
This is probably the friendliest section for engineering-minded readers.
Readings
- Announcing Dark Forest
- Group Signatures with zkSNARKs
- StealthDrop: Anonymous Airdrops using ZK Proofs (explainer tweet thread)
- TornadoCash: Introducing Private Transactions on Ethereum Now
- Loopring Launches zkRollup Exchange
- To Mixers and Beyond: presenting Semaphore, a privacy gadget built on Ethereum
- ZCash: How It Works
Quests
- Post an anonymous message on zkmessage.xyz.
- Make a private transaction using Tornado.cash.
- Bring assets onto and make a transaction on the Loopring decentralized exchange.
- Make a shielded transaction on ZCash.
- Conquer a planet on Dark Forest. (ask us for an invite key if you're doing this quest!)
Section 2: Building with ZK
Readings
- ZKPs for Engineers: A look at the Dark Forest ZKPs
- snarkjs Github repo
  - This is the most-used JavaScript library for zkSNARK proof generation. See the README.
- zkaffold-eth
  - A scaffold-eth branch showing how to interact with ZKPs and perform zkSNARK verification on-chain.
- circom-starter repo
  - A simple repo with a build script where you can play around with circuits.
- zk-browser repo
  - A simple webapp that generates ZK proofs for the pre-image of a MiMC hash and verifies them in the browser.
- poseidon-tornado
  - A repository for a TornadoCash-like decentralized app that you can run locally and experiment with.
Quests
- Complete the snarkjs tutorial. Don't worry if steps 1-8 and 15-20 don't make sense just yet; if you want to understand them, section 3 of this Notion document provides more context.
- Run the circom-starter, zk-browser, and poseidon-tornado repositories.
- Check out the puzzle branch of poseidon-tornado, and try to fix the withdraw circuit and smart contract: there are a few errors and intentionally missing pieces!
  - You can check your work by running npm run test to see if the unit tests pass.
- Write a zkSNARK using circom and snarkjs for the MiMC hash function (info). You'll probably want to reference the circomlib library of useful circuits (which includes a MiMC function you can import). Feel free to check out this circuit in the Dark Forest open-source repo, which imports and uses circomlib's MiMC circuit.
- Take a look at the Dark Forest Modulo circuit. Try to understand why each part is necessary!
Section 3: Trusted Setup and Multi-Party Computation
Readings
- Radioactive Material From Chernobyl Will Help Secure the Next Version of ZCash (pop science article but a fun read)
- The design of the ZCash trusted setup ceremony
- Announcing the Perpetual Powers of Tau Ceremony
- How the AZTEC Multi-Party Computation Ceremony Works (and a more technical explanation)
- Tornado Cash Trusted Setup Ceremony and Completion Announcement
- Scalable Multi-party Computation for zk-SNARK Parameters: Math heavy. If you're glancing at this, I'd recommend prioritizing sections 1 and 2 of this paper.
- VDFs, or "Proof-of-Time": Not directly related to zkSNARKs, but this is a useful cryptographic gadget used to finalize trusted setup parameters.
Quests
- Participate in the Semaphore zkSNARK (Phase 2) Trusted Setup ceremony from your own computer! Follow these instructions to participate. If you're curious, more detailed information about the ceremony can be found here.
- Participate in the Perpetual Powers of Tau (Phase 1) Trusted Setup ceremony. NOTE: This quest will likely require you to have dedicated hardware and some more technical experience. Documentation on the ceremony is available here.
Section 4: Zero Knowledge Protocols (math-heavy)
Readings
- Zero-Knowledge Proofs for discrete logs (first section)
- Zero-Knowledge Proofs - full formal definition of ZKPs, including the quadratic residue example. You probably don't need to go through this whole thing.
- Fiat-Shamir Heuristic - a technique that can be used to make interactive zero-knowledge protocols into non-interactive protocols.
Quests
- Implement a non-interactive ZKP for discrete log in code! Specifically, you should implement:
  - a function dlogProof(x, g, p) that returns (1) a residue y, evaluated as g^x (mod p), and (2) a proof of knowledge pf that you know x that is the discrete log of y.
  - a function verify(y, g, p, pf) that evaluates to true if pf is a valid proof of knowledge, and false otherwise. The prover should only be able to compute a valid proof with non-negligible probability if they do indeed know a valid x.
  - if you need help, a reference implementation in JavaScript with comments can be found here.
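One way to do this quest, as an added example (it is not from the page and not the linked reference implementation): Schnorr's protocol for knowledge of a discrete log, made non-interactive with the Fiat-Shamir heuristic from the readings above. The group, hash and parameter generator are assumptions the quest leaves open: a safe-prime group p = 2q + 1 with g of prime order q, SHA-256 as the Fiat-Shamir hash, and toy parameters from gen_params (far too small for real use).

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):  # Miller-Rabin; probabilistic is fine for a demo
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits=64):  # assumed toy group: safe prime p = 2q + 1, g of prime order q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # a square has order q or 1
            if g != 1:
                return p, g

def challenge(y, g, p, t):  # Fiat-Shamir: hash the transcript instead of asking a verifier
    q = (p - 1) // 2
    transcript = b"|".join(str(v).encode() for v in (p, g, y, t))
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % q

def dlogProof(x, g, p):  # returns (y = g^x mod p, proof of knowledge of x)
    q = (p - 1) // 2
    y = pow(g, x, p)
    r = secrets.randbelow(q)  # fresh nonce: reusing r across proofs leaks x
    t = pow(g, r, p)          # commitment
    c = challenge(y, g, p, t)
    return y, (t, (r + c * x) % q)  # response s = r + c*x mod q

def verify(y, g, p, pf):  # True iff pf proves knowledge of log_g(y) mod p
    q = (p - 1) // 2
    t, s = pf
    well_formed = 0 < y < p and 0 < t < p and 0 <= s < q
    if not well_formed or pow(y, q, p) != 1 or pow(t, q, p) != 1:  # reject non-subgroup values
        return False
    return pow(g, s, p) == t * pow(y, challenge(y, g, p, t), p) % p
```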
Section 5: zkSNARK Theory (very math-heavy!)
For those approaching zkSNARKs from a more theoretical perspective.
Readings
- Vitalik's writings on SNARKs
- Pairings for Beginners
  - A textbook on elliptic curve pairings, which drive zkSNARKs and other more recent cryptographic mechanisms.
- A Succinct Story of Zero Knowledge
  - Tracing the roots of zkSNARKs from complexity theory and the PCP theorem.
- What are zkSNARKs? (and the linked SNARKs Explainer Series)