ProofPlay

ProofPlay Description

ProofPlay is a prototype implementation of a blockchain-based Texas Hold’em poker application with verifiably fair and private shuffling in real time. Today, all online poker applications either place trust in a central server that has access to card identities, or they implement a cryptographic protocol for verifiable shuffling with privacy (zkHoldem, InstaPoker, ZKazino), but cannot support more than 3 players with reasonable speed of play (under 3 seconds to receive cards). Using more sophisticated Zero Knowledge Proof algorithms, ProofPlay is able to achieve cryptographic guarantees and deal cards to 7 players in 1.16 seconds. Based on this technological achievement, the vision of ProofPlay is to offer blockchain-based poker which is in every way superior to Web2 online poker (better security/fairness, easier buy-in and cash-out, lower rake, greater access), and thus bring in a significant new pool of users into Web3.

Also ProofPlay’s fast verifiably fair and secret shuffle can be used in any shuffling application, including any online card game, and also mixnets for elections, silent auctions, and anonymous messaging. We are particularly interested in fair order-matching in exchanges as a future effort.

The core technology of ProofPlay is a re-encryption shuffle performed by the players, following the original protocol outlined in the Mental Poker paper of 1979 by Rivest, Shamir, and Adleman, that additionally forces each player to prove in Zero Knowledge that he performed his action correctly. This protocol follows the model of zkHoldem. The re-encryption shuffle with proofs ensure that the cards are shuffled by each player in a fair and uniformly random way, and that no one can know anything about the order of the cards except for his own hole cards provided at least one player is not willing to collude with the others outside the protocol.

In more detail, at the start of a hand, here is what happens: Shuffle_and_encrypt: Shuffle committee member (we use 7 shufflers) uses the Rao-Sandelius (RS) algorithm to pick a permutation of the list [1,2,...,52] uniformly at random based on a bitstring produced by two Poseidon hashes. Then the player ElGamal encrypts each card with his private secret key, and arranges the cards in the order of his generated permutation. Shuffler posts newly ordered and encrypted deck to the public game ledger. SE_proof: Shuffler also produces a proof of the above action. This consists of a zkSNARK proof that the permutation was the result of the RS algorithm, and a Bayer-Groth proof that the output deck is a permutation and encryption the the deck that the player received. A careful argument ties the output permutation of RS to the permutation used in the BG proof. This is the most novel part of our submission. It prevents any attempt to manipulate the order of the deck, while also being much faster than the proofs used in zkHoldem. Shuffler posts proof to the game ledger. SE_verify: Upon receiving a shuffler’s posted deck and proof, the game ledger operator verifies the proof at the same time the next shuffler begins his shuffle. When all shufflers have shuffled and encrypted, the dealing process begins. To deal hole cards to P_i, all shufflers additionally put on an Identity Based Encryption scheme to serve each player: Blinding: every shuffler puts on a blinding factor, unique to each card position Request_dec_key: P_j posts blinded version of personal public key to ledger along with Chaum-Pedersen proof of knowledge of blinding factor Response: Shufflers verify request proofs. Each in turn decrypts their encryption from the shuffling round, and posts their partial key for the player decryption. Reconstruct_and_decrypt: Each player reconstructs their decryption key from the shuffler responses.

This system solves the problem of a hand of play having to stop if a player drops out, as happens in zkHoldem.

At this point, the players can participate in the game according to the rules of Texas Hold’em. Community cards are decrypt_post’ed by every player so that the plaintext cards become publicly visible in the game ledger and the decryption is proven (again with Chaum-Pedersen) so players can’t lie about their cards.

In the demo, after cards are dealt and community cards are shown to all players, players show their cards and the winner is chosen according to the best poker hand. Implementing the game of poker is for future work.

Future work: Replace Groth16 SNARK proofs with Spartan + ZeroMorph Multithreading for accelerating MSM and pairing calculations Folding-based SNARK aggregation proofs of correct play throughout a hand

We use Rust to ensure that we have fast performing circuits and crypto. We built all of circuits from the ground up with no framework except for arkworks and arkworks-r1cs. We also have a frontend in typescript and Supabase.

We did not use any partner technologies since this is completely offchain.