andrew

June 19, 2024

At ZK Summit 11 in Athens, Cursive gave every attendee an NFC card and placed cards around the venue to digitize the event experience. Tapping a card would grant you a digital signature, representing the fact that you met another attendee or that you attended a talk. Collecting signatures formed the basis of new forms of social expression powered by advanced cryptography. By gathering signatures, an attendee was able to:

- Generate zero knowledge proofs attesting to their event experience (e.g. "I attended 5 talks at ZK Summit 11")
- Use 2-party computation and fully-homomorphic encryption to privately compute the people and talks they had in common with another attendee
- Summarize their entire event experience into one concise proof using folding schemes, almost like a cryptographically verifiable version of Spotify Wrapped

Every attendee at ZK Summit 11 received an NFC card along with their badge.

All in all, we had 250 attendees participate in the experience, tapping a total of 1,500 times. Here were some of the main learnings we took from the activation.

Conferences and other in-person events are great breeding grounds for new relationships and communities to form. ZK Summit in particular is an excellent example of this, as it aligns builders in the ZK space who attend the event in order to meet folks that share the same interests in advanced cryptography. NFC makes it easier for these interactions and communities to be built. Tapping cards to share contact information and store a repository of people you've met works extremely well when everyone by default is already interested in talking to most other attendees at the event. By contrast, at ETH Denver there were a lot more people from scattered sectors who didn't always care about meeting a random person at the event. In addition, using PSI to quickly discover shared connections and interests in the ZK space acted as a fantastic icebreaker for attendees to start off new interactions with some common ground. That said, this experience could have been made even smoother with UX improvements: namely, tapping someone else's badge was a little awkward. Using NFC wristbands, for example, might have made this experience even easier.

The aspect of this experience with the highest friction and cause of churn was when users had to register an account to begin tapping. Creating an account is necessary so that we can store encrypted backups of your data for future access. We attempted several new flows to make this as smooth as possible, namely using WebAuthn to allow passwordless logins, as well as using the encryption and signature key generation time during account creation to explain to users how the app worked. However, this process was still painful as users would get their new NFC card and immediately want to use it, only to find out that they needed to tap their own card first (not intuitive), register a passkey (unfamiliar for some), and wait for account creation (slow). One solution that we will look into for future activations is to have accounts preregistered to a specific NFC card. This would require us to associate each card with a specific attendee, which may not generalize to every activation, but would greatly simplify onboarding as you can use the card to authenticate and store encryption keys for backups.

One pleasant discovery we had during the building of this app was just how fast Private Set Intersection (PSI) using 2-Party Computation (2PC) and Fully Homomorphic Encryption (FHE) really is. The actual computation we are doing here is computing the pairwise (Hadamard) product of two bit vectors, where in this case each index represents a person or talk you could tap. Running PSI across bit vectors of length 1000 would take on the order of a couple hundred milliseconds on a mobile browser, faster than the time it takes to generate a zero knowledge proof of a Baby Jubjub ECDSA signature! This means that PSI is already practical for many real time applications today. However, the main drawback is that this flow requires interactivity, and the bandwidth requirements are nontrivial with ~5-10MB of data sent. If interactivity is not an issue, namely at events and from other in-person interactions, then PSI is an extremely promising tool.
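The bit-vector formulation above, as an added example that is not Cursive's code: the app uses 2PC with FHE, while this sketch swaps in toy Paillier (additively homomorphic) encryption so the Hadamard product of two bit vectors can be computed on ciphertexts in a few lines. The key size, function names and sample vectors are assumptions chosen for illustration.

```python
import secrets

# Toy Paillier key built from two Mersenne primes (assumption for the demo;
# far too small for real use). Generator g = N + 1.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)  # inverse of phi(N) mod N, used in decryption


def encrypt(m):
    """Enc(m) = (1 + m*N) * r^N mod N^2 with fresh randomness r."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c):
    """Dec(c) = L(c^phi mod N^2) * mu mod N, where L(x) = (x - 1) / N."""
    return (pow(c, PHI, N2) - 1) // N * MU % N


def alice_request(a_bits):
    # Alice holds the secret key and sends her bit vector encrypted slot by slot.
    return [encrypt(a) for a in a_bits]


def bob_respond(enc_a, b_bits):
    # Enc(a)^b is an encryption of a*b for b in {0, 1}: one slot of the
    # Hadamard product. Multiplying by a fresh Enc(0) rerandomizes the slot.
    return [pow(c, b, N2) * encrypt(0) % N2 for c, b in zip(enc_a, b_bits)]


def alice_finish(enc_prod):
    # Alice decrypts and sees only the slots where both bits are 1.
    return [decrypt(c) for c in enc_prod]


def psi(a_bits, b_bits):
    """Run both sides in-process; each index is a person or talk."""
    return alice_finish(bob_respond(alice_request(a_bits), b_bits))


if __name__ == "__main__":
    alice = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample: Alice's taps
    bob = [1, 1, 0, 1, 0, 1, 1, 0]    # constructed sample: Bob's taps
    print(psi(alice, bob))
```

Without the fresh `encrypt(0)` factor, a slot where Bob's bit is 1 would come back as the exact ciphertext Alice sent, revealing Bob's bit even where hers is 0. In this simplified flow only Alice learns the intersection.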

To our knowledge, this is the first implementation of folding schemes in a production consumer app. Folding schemes, and in particular Nova, allow us to incrementally compute a zero knowledge proof over repeated instances of the same computation. Specifically for us the computation was "prove you have a Baby Jubjub ECDSA signature from a public key within the Merkle tree of ZK Summit 11 NFC card public keys". Folding each new signature in took around 2-3 seconds on a mobile browser. To improve the UX and make folding instances manageable, we put the folding into a Web Worker so that the 2-3 seconds would occur in the background and not affect the main user flow. In addition, to make the final folded instance zero knowledge, we ran a chaff step that took an additional 2-3 seconds. We chose this over a final ZK wrapper with Spartan, which we benched at 3 minutes on a mobile browser. In contrast, if we had simply generated Groth16 proofs for each signature, this would have only taken 1-2 seconds. The linear proof size of generating multiple Groth16 proofs would not have mattered in our use case due to its small size to begin with.

As a result, we learned that folding schemes did not really make sense for this use case. Folding is preferred for proving large instances, such as with a zkVM, since in this case the overhead of folding is amortized much better and iteration-independent proof size is significant. We are excited for future improvements to folding schemes, as Sonobe has recently implemented CycleFold and will continue to work on HyperNova. This also includes a Groth16 wrapper for verifying folding proofs onchain, as well as a toolkit for being able to fold circuits written in Circom, which forms our existing circuit stack.

Synthesizing many of the takeaways above, our main learning from ZK Summit 11 is that **many tools in advanced cryptography are already practical - we just need to work around their corresponding tradeoffs**. Generating ZK proofs of signatures takes around 1-2 seconds on a mobile browser, which is often fine for UX since users are generating proofs to receive a certain reward. Running PSI has sub-second latency, as we previously discussed, but requires interactivity; this is a tool that can be readily used in situations where both users will already be online at the same time. Folding schemes take a few seconds to fold each instance in, but with an implementation in Web Workers we can make this happen in the background. It is important to understand the tradeoffs and drawbacks of each tool, but overall we are optimistic that the suite of production-grade tools in advanced cryptography is rapidly increasing.

Like always, it was a huge team effort to build out this activation at ZK Summit 11. We owe special thanks to:

- Anna, Agni, and the ZK Summit team for working with us on this collaboration
- Gauss for building libraries for PSI and helping us integrate them
- Mach34 for building the integration with folding schemes and tirelessly working to make it perform well
- IYK for providing us with NFC cards in a super short timeframe and helping us troubleshoot
- Privacy & Scaling Explorations for funding this work