Crypto has always had the mindshare, talent, and funding to change the world, but has often lacked the means. Most of the real-world crypto successes to date are at the behest of Web2 powers. We are left hoping Visa and Mastercard continue to support crypto cards; that Coinbase, PayPal, and Stripe continue to make legacy rails more compatible with blockchains; that BlackRock continues tokenizing treasuries; and that Walmart keeps selling Pudgy Penguins.

We now have a powerful new tool that gives crypto builders the impetus to make things happen. Incompetence and restriction dominate legacy marketplaces, and crypto is as well-positioned as ever to offer alternatives.

This article is an excerpt from Delphi Digital’s report The Inefficient Market Hypothesis, published on Sep 27, 2024.

Here’s a high-level overview of how zkTLS works.

Transport Layer Security (TLS) is a protocol for encrypting traffic between a client and a server. TLS makes up the “S” in HTTPS (HTTPS = HTTP + TLS), and has become standardized across the web, securing 95% of web traffic.

TLS is a trusted, centralized authority that issues session keys. Upon entering a website, the browser and the target server engage in a TLS handshake process that generates session keys in order to use symmetric encryption for data transmission thereafter. The data exchanged between the client and server is not signed, so its authenticity cannot be proven elsewhere.

TLS guarantees:

• Authenticity
• Security
• Privacy
• NOT data portability

zkTLS solves the portability problem by authenticating transcripts between the client and server during an HTTPS session and bringing arbitrary, privacy-preserving proofs on-chain. Importantly, this is usually undetectable by the server and cannot be firewalled. With zkTLS, the entire repository of internet data becomes composable building blocks for blockchain applications, and there is little that Web2 can do about it.

There are a few approaches to zkTLS: MPC, Proxy, and TEE.

MPC

Multi-party computation (MPC) enables a group to jointly execute a computation without revealing any participant’s private inputs. MPC has strong security guarantees, but carries high computation overhead and has a collusion issue.

Deco

Deco first demonstrated an MPC solution for TLS in a 2019 paper. Deco’s maliciously secure Two-Party Computation (2PC) approach is highly computationally expensive. It requires 475MB of communication to authenticate a 2KB payload, and 50 seconds to finish. It was extremely vulnerable to timeouts and hasn’t been successfully implemented. Deco was acquired by Chainlink and developed a proof of concept with Teller.

TLSNotary

TLSNotary improved upon Deco’s idea with a 2PC implementation using garbled circuits and oblivious transfers. Garbled circuits is the easiest and simplest form of MPC.

TLS Notary ‘notarizes’ a transcript between the client and server as authentic. The prover and verifier work together to compute the key encryption/decryption during the TLS handshake. Throughout this process, only the prover communicates with the server, and the verifier only sees encrypted data. The prover cannot forge inputs or responses. At the end of the process, the prover can redact information from the transcript before revealing it to the verifier (e.g., show the verifier that the prover lives in XYZ jurisdiction, but hides latitude and longitude).

The verifier can participate in the process as the notary, or the verification role can be outsourced for generalizable and portable proofs. This introduces a trust assumption, as the verifier must now trust the notary not to collude with the prover and issue a fake proof. To mitigate this, the verifier can demand proofs from multiple notaries, or define which notaries they trust. These solutions have various flaws, the collision remains a major problem associated with MPC. A TLSNotary demo can be found here.

TLSNotary allows the data to be portable while preserving privacy and not relying on cooperation from the server. TLSNotary allows for selective disclosure of authenticated data with garbled circuits and key sharding techniques, but does not use ZKPs. There are several emerging projects building on the TLSNotary framework, introducing zero knowledge and making it easier to integrate.

Pluto

Pluto Labs is an open-source zero-knowledge implementation of TLSNotary. Pluto is productionizing TLSNotary to allow developers to incorporate any off-chain data into smart contracts with just five lines of code. A good outline of trust assumptions can be found here.

Primus Labs (formerly PADO Labs)

Primus Labs improved upon Deco, opting for a garble-then-prove technique over maliciously secure 2PC. Demonstrated a 14x improvement in communication and up to a 15.5x improvement in runtime. Successfully implemented with real-world APIs like Coinbase and Twitter. In addition, Primus is working on a zkFHE solution that could allow for more complicated schemas in the future. Primus uses an extension and has an iOS/Android app coming soon.

Opacity

Opacity differentiates itself with a robust framework for tackling the collusion issue. To prevent collusion, Opacity uses an Eigenlayer AVS for economic security, layering additional security measures on top:

• Makeshift sybil resistance via on-chain verification of Web2 account ID
• Commit and reveal scheme – A user must commit to a value before a notary node is selected.
• Random selection of MPC-node
• Verifiable log of attempts

Opacity limits users from using multiple wallets for collusion attempts by mapping each wallet to a Web2 account ID. By forcing users to commit to a claim before the node is selected, a colluding user does not have the chance to flip honest if they fail to match with the colluding node. The verifiable log of attempts offers accountability on the user side, as a bold claim (i.e., 0x54.. has $10M in a bank account) looks suspicious with failed attempts before proof success. Lastly, Opacity requires notary software to be run in a TEE. This prevents collusion altogether unless the TEE is broken first. Importantly, Opacity does not solely rely on the TEE for security.

To falsify a proof under Opacity’s framework, several conditions must be met:

1. A colluding user
2. A colluding node(s)
3. A colluding node running a broken TEE
4. Colluding user randomly matching with a colluding node in 1-3 tries
5. The verifier can require a proof to be generated multiple times sequentially, exponentially decreasing the probability of #4
6. All at the threat of slashing for malicious behavior

Sybil resistance can be the weakest element of the setup. Opacity’s solution can prevent multiple wallets for a Web2 account, but not multiple Web2 accounts. Opacity essentially outsources Sybil resistance to select Web2 platforms. Certain platforms are more reliable than others (Rippling HR provides better assurances than an X account). In the future, Opacity can incorporate multiple Web2 accounts for added security.

Opacity is positioning itself as a best-practices implementation of zkTLS, making great strides toward decentralization and mitigating trust assumptions. Its ability to overcome MPC overhead will be a key factor in future success.

There are ways to further optimize MPC performance moving forward. Vector oblivious linear evaluation can allow a highly efficient 1 of N oblivious transfer, making more progress each round trip. This could reduce networking overhead by a factor of 100, making 1-second MPC-TLS proofs attainable.

Proxy

HTTPS Proxies are intermediaries between the client and server that forward encrypted traffic, decrypting only to verify user credentials. Proxies can improve security, performance, and privacy. They are common in corporate workplaces, allowing employee traffic to be monitored or restricted.

Proxies can also be used for zkTLS. This model inserts a proxy witness between the client and server that attests the communication is legitimate. The proxy model is very fast, cheap and simple. It can handle a substantial amount of data volume. Censorship, collusion, and decentralization are potential issues. This method is detectable by the server, so it could be blocked at scale.

Reclaim Protocol

Reclaim protocol has pioneered the proxy model and is the farthest along of all the zkTLS projects. Reclaim supports just about every blockchain and has 889 community-built data sources. Several projects are building on top of it, including zkP2P’s ticket marketplace.

Reclaim can generate proofs from a user’s mobile device in about 2–4 seconds, without requiring the user to download an app or extension. Reclaim uses residential proxies to get around the Web2 firewall issue.

Reclaim’s proxy model is much more simple than MPC-TLS, which is reflected in the speed. Many of the concerns around proxies have been addressed by an academic research paper,

Proxying is Enough, and in Reclaim’s blog. The paper found that the probability of breaking Reclaim’s security is 10^-40.

https://x.com/zkJyu/status/1834889693437304875

zkPass

zkPass employs a hybrid model. It began as an MPC solution but has shifted to a proxy witness model in production, with the MPC option as a backup. It is live on Base, BNB, Scroll, Linea, Arbitrum, zkSync, OP, X Layer. zkPass uses its native TransGate Chrome extension and has over 200 schemas from 70+ data sources. zkPass appears to be thematically focused around identity and sybil resistance. There is an ongoing incentive program where users can complete challenges and earn ZKP credits. zkPass will likely be the first zkTLS project with a liquid token. A zkPass demo can be found here.

TEE

Trusted execution environments (TEEs) are tamper-proof enclaves within a processor. These enclaves can store sensitive data and run computations protected from the rest of the CPU. TEEs have both hardware and software isolation. Enclaves use their own designated memory and processing power. Intel SGX is the most prominent TEE. TEE’s have a track record of being broken and are vulnerable to side channel attacks. You can read more about TEEs in our EthCC Report.

Clique

Clique is building zkTLS with TEEs. This method is extremely efficient, adding almost no computation or networking overhead. This solves a lot of issues, but introduces trusted hardware. It simply shifts risk from the notary to the chip manufacturer. The TEE wholly assumes the security guarantees in this model.

Summary

It is worth noting that zkTLS is a colloquial term. zkTLS methods vary in the degree to which they use zero-knowledge, and do not offer the same assurances as other zk-tech such as zkEmail. One could argue zkTLS is more properly classified by MPC-TLS(+zkp), TEE-TLS, and zkTLS Proxy.

Much of the zkTLS discussion moving forward will revolve around the tradeoffs between performance and security.

Proxy: A more universal solution, but it comes with an additional trust assumption and requires a client-affordable ZK solution as well as additional measures to bypass firewalls.

MPC: This model has strong security guarantees but a lot of networking communication overhead to setup the MPC. Due to the large overhead from truth tables, the MPC method is ideal for small request/response interactions and TLS sessions without strict time limits. MPC is censorship-resistant, but has a collusion issue.

TEE: The TEE model conveniently solves most of the issues facing zkTLS, at the hard-to-swallow cost of fully trusting TEE hardware.

Reclaim and Opacity have a lot of momentum and appear to be leading the zkTLS discussion at the moment. The performance <> security tradeoffs of the MPC and proxy models will remain a major talking point as zkTLS continues to emerge.

Conclusion

zkTLS is an emerging narrative that unironically changes everything. There are many unanswered questions: Will zkTLS providers become commoditized, and will value capture flow through to apps? What is the extractable value of a fake proof, and how will this affect the discussion around these tradeoffs?

One thing is clear: zkTLS blows the design space for decentralized applications wide open, and offers us a new way to think about building. There is an abundance of new and exciting ideas, several of which are already being built:

• Ticket marketplace – zkP2P via Reclaim
• Importing Web2 reputation (Uber, DoorDash credentials) – Nosh Delivery via Opacity
• Influencer marketing/proof of shill – Daisy via Opacity
• Intelligent prediction markets – TMR.NEWS via Reclaim
• Undercollateralized lending through earned wage access – Earnifi via Opacity
• Precision targeting & incentives for digital advertising - EarnOS via Opacity
• Undercollateralized lending through soft collateral - 3Jane via Reclaim

ZkTLS undermines the data monopolies that prop up complacent Web2 incumbents. Every inefficient market that exists today is an opportunity for crypto to infiltrate and improve society.

Disclaimer：

1. This article is reprinted from [X]. All copyrights belong to the original author [@yeak__]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.