Zero-knowledge proofs from the perspective of non-technical personnel How did it become the third major technological innovation in the history of blockchain development?

How did zero-knowledge proofs become the third major technological innovation in blockchain development?

Author: @Jesse_meta, Researcher at the SUSS NiFT Institute of Inclusive Finance; @EatonAshton2, Researcher at Beosin; @kaplannie, Security Researcher at Least Authority

This article introduces the application scenarios, working principles, current status, and future trends of zero-knowledge proofs from a non-technical perspective, in order to help readers without technical background understand the significant changes that zero-knowledge proofs will bring.

Note: This article is a research report from the SUSS NiFT Blockchain Security Alliance.

Whether information is stored on the Internet or in offline archives, information leakage incidents are not uncommon today, regardless of whether they are due to subjective intent or objective accidents. As long as information is stored in a centralized manner, there is a risk of being attacked at a single point. As long as the verification process requires a trusted third party, there will be moral risks and low efficiency. Solving information security is crucial and urgent. Zero-knowledge proof technology allows users to complete verification more efficiently and securely while protecting their privacy.

• The Third Major Technological Innovation in the History of Blockchain Development – Application of Zero-Knowledge Proof Technology
• Bankless Dialogue with Vitalik The great vision of ETH is to truly create an independent open technology stack.
• Exploring DeFi Economic Models Design and Evolution of Incentive Mechanism

If Bitcoin is considered the first major invention brought by blockchain to the real world, providing a new way of storing value, and Ethereum’s smart contracts are the second major milestone event, unlocking the potential for innovation, then the application of zero-knowledge proofs is the third major technological innovation in the history of blockchain development, bringing privacy and scalability. It is not only an important part of the Web3 ecosystem but also a fundamental technology with the potential to drive social change.

This article introduces the application scenarios, working principles, current status, and future trends of zero-knowledge proofs from a non-technical perspective, in order to help readers without technical background understand the significant changes that zero-knowledge proofs will bring.

1. What is a Zero-Knowledge Proof?

A zero-knowledge proof (ZKP) is a mathematical protocol first proposed in 1985 by Shafi Goldwasser, Silvio Micali, and Chales Rackoff in their paper “The knowledge complexity of interactive proof systems.” It does not reveal any other information besides the fact to be proven. The verifier cannot obtain the secret information used to generate the proof. To help everyone understand, let’s take an example: I want to prove that I know someone’s phone number. I only need to be able to dial that person’s phone number in front of everyone to prove this fact, without revealing the person’s actual number. Zero-knowledge proofs provide an effective and nearly risk-free way of sharing data. With zero-knowledge proofs, we can retain ownership of data, greatly enhancing privacy protection and potentially making data leakage incidents a thing of the past.

Zero-knowledge proofs have three characteristics:

Completeness

If a statement is true, an honest verifier will be convinced by an honest prover. That is, the right cannot be wrong.

Soundness

If a statement is false, in most cases, a deceptive prover cannot make an honest verifier believe the false statement. That is, the wrong cannot be right.

Zero Knowledge

If a statement is true, the verifier can only know that the statement is true, without obtaining any additional information.

Zero knowledge proofs have a very small probability of producing soundness errors, meaning that a cheating prover may convince the verifier of an incorrect statement. Zero knowledge proofs are probabilistic proofs, not deterministic proofs, but we can reduce soundness errors to a negligible level through certain techniques.

2. Applications of Zero Knowledge Proofs

The two most important application scenarios for zero knowledge proofs are privacy and scalability.

2.1 Privacy

Zero knowledge proofs allow users to securely share necessary information to obtain goods and services without revealing detailed personal information, thereby protecting against hacker attacks and the leakage of personal identity information. As the digital and physical realms gradually converge, the privacy protection function of zero knowledge proofs becomes crucial for both Web3 and information security beyond Web3. Without zero knowledge proofs, user information would be stored in trusted third-party databases, posing potential risks of being attacked by hackers. The first use case of zero knowledge proofs in blockchain is the privacy coin Zcash, which is used to hide transaction details.

2.1.1 Protection and Verification of Identity Information

In online activities, we often need to provide information such as name, date of birth, email, and complex passwords to prove that we are legitimate users with authorized access. As a result, we often leave behind sensitive information that we do not want to disclose online. Nowadays, receiving scam calls that know our names is not uncommon, indicating that personal information leakage is a serious issue.

We can utilize blockchain technology to give each individual a special encrypted digital identifier containing personal data. This digital identifier can be used to construct a decentralized identity that cannot be forged or altered without the owner’s knowledge. Decentralized identities can be controlled by users to grant access to personal identity, proving citizenship without revealing passport details, simplifying the authentication process, and reducing incidents where users lose access due to forgotten passwords. Zero knowledge proofs are generated from publicly available data that can prove a user’s identity and privacy data containing user information, and can be used for identity verification when accessing services. This reduces cumbersome verification processes, improves user experience, and avoids centralized storage of user information.

In addition, zero knowledge proofs can also be used to build private reputation systems, allowing service organizations to verify if users meet certain reputation criteria without users needing to expose their identities. Users can output their reputation anonymously, while concealing specific source accounts, from platforms like Facebook, Twitter, and Github.

2.1.2 Anonymous Payments

The transaction details of payments made with bank cards are usually visible to multiple parties, including payment providers, banks, and governments, which to some extent exposes the privacy of ordinary citizens. Users need to trust these parties not to act maliciously.

Cryptocurrencies can enable payments to be made without the need for third parties, allowing for direct peer-to-peer transactions. However, transactions on mainstream public blockchains are currently publicly visible. While user addresses are anonymous, it is still possible to identify real-world identities by analyzing on-chain associated addresses and off-chain data such as KYC information from exchanges and Twitter. Knowing someone’s wallet address is equivalent to being able to view their bank account balance at any time, and could potentially pose a threat to their identity and assets.

Zero-knowledge proofs can provide anonymous payments at three levels: privacy coins, privacy applications, and privacy-oriented public blockchains. Privacy coin Zcash hides transaction details such as sender and receiver addresses, asset type, quantity, and time. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proofs to obfuscate transaction details for private transfers (although it is often used for money laundering). Aleo is an L1 blockchain designed to provide privacy features at the protocol level for applications.

2.1.3 Honest Behavior

Zero-knowledge proofs can facilitate honest behavior while preserving privacy. Protocols can require users to submit zero-knowledge proofs to prove their honest behavior. Due to the soundness of zero-knowledge proofs, users must engage in honest behavior according to protocol requirements in order to submit valid proofs.

MACI (Minimal Anti-Collusion Infrastructure) is an application scenario that promotes honest behavior and prevents collusion during on-chain voting or other decision-making processes. The system utilizes key pairs and zero-knowledge proof technology to achieve this goal. In MACI, users register their public keys in a smart contract and send their votes to the contract via encrypted messages. MACI’s anti-collusion feature allows voters to change their public keys to prevent others from knowing their voting choices. Coordinators use zero-knowledge proofs to prove that they have correctly processed all messages and that the final voting result is the sum of all valid votes. This ensures the integrity and fairness of the voting process.

2.1.4 Identity Verification

When applying for a loan, we can obtain a digital income proof from a company. The legitimacy of this proof can be easily verified using cryptography. Banks can use zero-knowledge proofs to verify if our income meets the specified minimum threshold, without obtaining sensitive specific information.

2.1.5 Unlocking the Potential of Private Data with Machine Learning

Training machine learning models typically requires a large amount of data. By using zero-knowledge proofs, data owners can prove that their data meets the requirements for model training without actually revealing the data itself. This enables private data to be utilized and monetized.

In addition, zero-knowledge proofs can allow model creators to prove that their models meet certain performance metrics without disclosing the details of the models, preventing others from replicating or tampering with them.

2.2 Scalability

As the number of blockchain users increases, there is a need for a large amount of computation on the blockchain, leading to transaction congestion. Some blockchains take the route of sharding for scalability, but this requires complex modifications to the underlying layer of the blockchain, which may threaten the security of the blockchain. Another feasible solution is to use the ZK-Rollup approach, which utilizes verifiable computation to outsource computation to entities on another chain, and then submits the zero-knowledge proof and the verifiable result to the main chain for verification of authenticity. The zero-knowledge proof ensures the authenticity of transactions, and the main chain only needs to update the results to the state without storing details or replaying computations, nor waiting for others to discuss the authenticity of transactions, greatly improving efficiency and scalability. Developers can use zero-knowledge proofs to design lightweight dapps that can run on ordinary hardware such as mobile phones, which is more conducive to the popularization of Web3.

The scalability of zero-knowledge proofs can be applied to both layer-one networks, such as Mina Protocol, and layer-two networks like ZK-rollups.

3. How Zero-Knowledge Proofs Work

Dmitry Laverenov (2019) divides the structure of zero-knowledge proofs into interactive and non-interactive forms.

3.1 Interactive Zero-Knowledge Proofs

The basic form of interactive zero-knowledge proofs consists of three steps: proof, verifier, and response.

• Proof: The hidden secret information is the proof of the prover. These proofs establish a series of questions that can only be correctly answered by someone who knows this information. The prover starts by randomly selecting questions and sending the computed answers to the verifier for proof.

• Verifier: The verifier randomly selects another question from the set and asks the prover to answer it.

• Response: The prover accepts the question, computes the answer, and returns the result to the verifier. The prover’s response allows the verifier to check if the prover knows this evidence.

This process can be repeated multiple times until the probability of the prover guessing the correct answer without knowing the secret information becomes sufficiently low. For example, in a simplified mathematical example, if the probability of the prover guessing the correct answer without knowing the secret information is 1/2, and the interaction is repeated ten times, the probability of the prover hitting the correct answer every time is only 0.0097%, making it highly unlikely for the verifier to mistakenly accept a false proof.

3.2 Non-Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs have limitations. On the one hand, both the prover and the verifier need to be present simultaneously for repeated verification. On the other hand, for each new proof calculation, the prover and verifier need to exchange a set of information, and the proof cannot be reused in independent verifications.

To address the limitations of interactive zero-knowledge proofs, Manuel Blum, LianGuaiul Feldman, and Silvio Micali proposed non-interactive zero-knowledge proofs, where the prover and verifier share a secret key and only need to perform one round of verification to make the zero-knowledge proof more efficient. The prover calculates the secret information using a special algorithm to generate a zero-knowledge proof and sends it to the verifier. The verifier uses another algorithm to check if the prover knows the secret information. Once the zero-knowledge proof is generated, anyone with the shared key and verification algorithm can perform the verification.

Non-interactive zero-knowledge proofs are a major breakthrough in zero-knowledge proof technology, promoting the development of zero-knowledge proof systems used today. The main methods are ZK-SNARK and ZK-STARK.

4. Main Technical Paths of Zero-Knowledge Proofs

Alchemy (2022) divides the technical paths of zero-knowledge proofs into ZK-SNARK, ZK-STARK, and recursive ZK-SNARK.

4.1 ZK-SNARK

ZK-SNARKs are succinct non-interactive proofs with zero knowledge.

Public chains need to ensure the correctness of transactions executed on the network by having other computers (nodes) re-execute each transaction. However, this method slows down the network speed as each node has to re-execute each transaction, limiting scalability. Nodes also have to store transaction data, resulting in exponential growth of the blockchain’s size.

ZK-SNARK plays a role in addressing these limitations. It can prove the correctness of computations performed off-chain without requiring nodes to replay each step of the computation. This also eliminates the need for nodes to store redundant transaction data, improving network throughput.

Validating off-chain computations using SNARKs involves encoding the computation as a mathematical expression to form a proof of validity. Validators check the correctness of the proof. If the proof passes all checks, then the underlying computation is considered valid. SNARKs are called succinct because the size of the proof of validity is much smaller than the computation it validates.

Most ZK Rollup implementations that use ZK-SNARK follow the following steps.

1. Users on L2 sign transactions and submit them to validators.

2. Validators compress multiple transactions using cryptography to generate corresponding proofs of validity (SNARKs).

3. Smart contracts on L1 validate the proofs of validity and determine whether this batch of transactions should be published to the main chain.

It is worth mentioning that ZK-SNARK requires a trusted setup. In this phase, a key generator obtains a program and a secret parameter to generate two usable public keys, one for creating proofs and one for verifying proofs. These two public keys only need to be generated once through a trusted setup ceremony and can be used multiple times by parties wishing to participate in zero-knowledge protocols. Users need to trust that the participants in the trusted setup ceremony do not act maliciously and have no way of assessing the honesty of the participants. Knowing the secret parameter allows the generation of fake proofs to deceive verifiers, thus posing potential security risks. Currently, researchers are exploring trustless assumptions for ZK-SNARK.

• Advantages

1. Security

ZK rollup is considered a more secure scaling solution than OP rollup because ZK-SNARK uses advanced cryptographic security mechanisms, making it difficult to deceive verifiers and engage in malicious behavior.

2. High Throughput

ZK-SNARK reduces the computational load on the underlying Ethereum network, alleviating congestion on the mainnet and enabling faster transaction speeds by offloading off-chain computations and sharing transaction fees.

3. Small Proof Size

The small size of SNARK proofs makes them easily verifiable on the main chain, which means lower Gas Fees for verifying off-chain transactions and reduces costs for users.

• Limitations

1. Relatively Centralized

Most of the time, it relies on a trusted setup, which contradicts the original intention of trustlessness in blockchain.

Generating validity proofs with ZK-SNARK is a computationally intensive process that requires investment in specialized hardware. These hardware devices are expensive and only affordable for a few, resulting in a highly centralized proof process for ZK-SNARK.

2. ZK-SNARK uses Elliptic Curve Cryptography (ECC) to encrypt the information used for generating validity proofs, which is currently relatively secure. However, advancements in quantum computing may break its security model.

Projects Using ZK-SNARK

• Polygon Hermez

Polygon acquired Hermez for $250 million in 2021, marking the first comprehensive acquisition of two blockchain networks. Hermez brought ZK technology and tools to Polygon’s rapidly growing user base, enabling Polygon to support the development of zkEVM. Hermez 1.0 is a payment platform that executes a batch of transactions off-chain, allowing users to conveniently transfer ERC-20 tokens between Hermez accounts at a transaction rate of up to 2000 per second.

Hermez 2.0, as a transparent zkEVM, executes Ethereum transactions, including smart contracts with zero-knowledge verification. It is fully compatible with Ethereum, requiring minimal modifications to smart contract code, making it easy for developers to deploy L1 projects on Polygon Hermez. Hermez 1.0 uses SNARK proofs, while 2.0 uses both SNARK and STARK proofs. In 2.0, STARK proofs are used to prove the validity of off-chain transactions. However, the cost of verifying STARK proofs on the main chain is high, so SNARK proofs are introduced to verify STARK.

• zkSync

zkSync 1.0, launched by Matter Labs in 2020, does not support smart contracts and is primarily used for transactions or transfers. zkSync 2.0, which supports smart contracts, was publicly launched on the mainnet in March 2023.

zkSync compiles Solidity smart contract source code on Ethereum into Yul to achieve EVM compatibility. Yul is an intermediate language that can be compiled into bytecode for different EVMs. Using the LLVM compiler framework, Yul code can be recompiled into custom, circuit-compatible bytecode sets designed for zkSync’s zkEVM. This approach eliminates the need to zk-proof all steps of EVM execution through higher-level code, making the proof process more decentralized while maintaining high performance. In the future, support for Rust, JavaScript, or other languages can be added by building new compiler frontends, increasing the flexibility and developer options of the zkEVM architecture.

• Aztec

Aztec is the first hybrid zkRollup that achieves the execution of both public and private smart contracts in a single environment. It is a zero-knowledge execution environment, not zkEVM. Confidentiality is achieved by merging public and private execution into a single hybrid rollup, enabling privacy transactions in public AMMs, private conversations in public games, and private voting in public DAOs, etc.

4.2 ZK-STARK

ZK-STARK does not require a trusted setup. ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge. Compared to ZK-SNARK, ZK-STARK has better scalability and transparency.

Advantages

1. Trustlessness

ZK-STARK replaces trusted setups with publicly verifiable randomness, reducing reliance on participants and improving protocol security.

2. Greater scalability

Even with exponential growth in the complexity of underlying computations, ZK-STARK maintains low proof and verification times, unlike ZK-SNARK, which has linear growth.

3. Higher security guarantees

ZK-STARK uses collision-resistant hash values for encryption instead of the elliptic curve scheme used in ZK-SNARK, making it resistant to attacks from quantum computing.

Limitations

1. Larger proof size

ZK-STARK has a larger proof size, resulting in higher costs for verification on the mainnet.

2. Lower adoption rate

ZK-SNARK was the first practical application of zero-knowledge proofs in blockchain, so most ZK rollups adopt ZK-SNARK, which has a more mature developer ecosystem and tools. Although ZK-STARK also has support from the Ethereum Foundation, its adoption rate is lower and the underlying tools still need improvement.

Which projects use ZK-STARK?

• Polygon Miden

Polygon Miden is an Ethereum L2-based scaling solution that integrates a large number of L2 transactions into a single Ethereum transaction using zk-STARK technology, increasing processing capacity and reducing transaction costs. Without sharding, Polygon Miden can generate a block within 5 seconds, and its TPS can reach over 1,000. After sharding, its TPS can reach up to 10,000. Users can withdraw funds from Polygon Miden to Ethereum in just 15 minutes. The core feature of Polygon Miden is a STARK-based Turing-complete virtual machine called Miden VM, which simplifies the formal verification of contracts.

• StarkEx and StarkNet

StarkEx is a permissioned framework for customizing scalable solutions for specific applications. Projects can use StarkEx for low-cost off-chain computation and generate STARK proofs to verify the correctness of execution. Such proofs can include 12,000–500,000 transactions. The proofs are then sent to the on-chain STARK verifier for verification and, if correct, accept state updates. Applications deployed on StarkEx include perpetual options dYdX, NFT L2 Immutable, sports digital card trading marketplace Sorare, and multi-chain DeFi aggregator rhino.fi.

StarkNet is a permissionless L2 where anyone can deploy smart contracts developed in the Cairo language. Contracts deployed on StarkNet can interact with each other to build new composable protocols. Unlike StarkEx, which is responsible for submitting transactions, StarkNet’s sequencer batches and sends transactions for processing and proving. StarkNet is more suitable for protocols that require synchronous interaction with other protocols or extend beyond the scope of StarkEx applications. As StarkNet develops, applications based on StarkEx will be able to be ported to StarkNet and enjoy composability.

Comparison between ZK-SNARK and ZK-STARK

4.3 Recursive ZK-SNARK

Ordinary ZK rollups can only handle one transaction block, which limits the number of transactions they can process. Recursive ZK-SNARK can verify more than one transaction block by merging SNARKs generated by different L2 blocks into a single validity proof and submitting it to the L1 chain. Once the contract on the L1 chain accepts the submitted proof, all of these transactions become valid, greatly increasing the number of transactions that can be completed with zero-knowledge proofs.

Plonky2 is a new proof mechanism for Polygon Zero that uses recursive ZK-SNARKs to increase the number of transactions. Recursive SNARKs extend the proof generation process by aggregating several proofs into a recursive proof. Plonky2 uses the same technique to reduce the time it takes to generate proofs for new blocks. Plonky2 parallelizes the generation of proofs for thousands of transactions and recursively aggregates them into a block proof, resulting in fast generation speed. In contrast, ordinary proof mechanisms attempt to generate the entire block proof at once, resulting in lower efficiency. Additionally, Plonky2 can generate proofs on consumer-grade devices, addressing the issue of hardware centralization that often accompanies SNARK proofs.

5. Zero Knowledge Rollup VS Optimistic Rollup

ZK-SNARK and ZK-STARK have become core infrastructure for blockchain scalability projects, especially in Zero Knowledge Rollup solutions. Zero Knowledge Rollup refers to an Ethereum Layer 2 scaling solution that uses zero-knowledge proofs to move all computations off-chain and alleviate network congestion. The main advantage of Zero Knowledge Rollup is that it significantly increases Ethereum’s transaction throughput while maintaining low transaction fees, and once transactions are included in a rollup, they can be immediately finalized.

Currently, Ethereum’s L2 scaling solutions include not only Zero Knowledge Rollup but also Optimistic Rollup. In Optimistic Rollup, transactions are assumed to be valid and executed immediately. Only when fraudulent transactions are discovered (someone submits fraud proofs) will the transactions be rolled back. Therefore, the security of Optimistic Rollup is lower than that of Zero Knowledge Rollup. To prevent fraudulent transactions, Optimistic Rollup has a challenge period, during which transactions need to wait to be finalized. This may result in users having to wait for a period of time to withdraw their funds.

When the EVM was initially designed, zero-knowledge proof technology was not taken into consideration. Ethereum founder Vitalik believes that in the short term, Zero Knowledge Rollup will face technical complexity, but will ultimately win over Optimistic Rollup in the scalability battle. Below is a comparison between Zero Knowledge Rollup and Optimistic Rollup.

Source: SUSS NiFT, ChatGPT

6. What is the future prospect of zero-knowledge proof technology?

The field of zero-knowledge proof technology is in a unique position: in recent years, through a lot of effort to promote research in this field, many achievements are quite new in the fields of cryptography and secure communication. Therefore, many interesting questions still need to be answered by the academic community and developer community. At the same time, zero-knowledge proof technology is being used in various projects, demonstrating the challenges and expanding the requirements of zero-knowledge technology.

One of the areas worth paying attention to in zero-knowledge proof technology is the discussion on the post-quantum security of zero-knowledge proof technology. Publicly verifiable SNARKs (Succinct Non-interactive Arguments of Knowledge) are a key component of zero-knowledge technology. However, most widely used publicly verifiable SNARK schemes are not considered to be quantum secure. Examples include Groth16, Sonic, Marlin, SuperSonic, and SLianGuairtan. The mathematical problems that these schemes rely on can be effectively solved with the help of quantum computers, greatly compromising their security in a post-quantum world.

We have found that the academic community is actively seeking quantum-secure zero-knowledge proofs that can be used for various statements without a pre-processing phase. Examples of the most advanced quantum-secure zero-knowledge proofs currently include Ligero, Aurora, Fractal, Lattice Bulletproofs, and LPK22. Ligero, Aurora, and Fractal are based on hash functions, while Lattice Bulletproofs and LKP22 are based on lattice functions. Both of these functions are considered to be quantum secure. It is a trend to generalize these schemes and improve their efficiency.

Another expectation for the future of zero-knowledge technology is its ability to resist attacks and the maturity of the related code. With the increase in the amount of code being written, there will be more secure and audited libraries and best practices for various zero-knowledge proof technologies. Of course, there will also be more common errors waiting to be discovered and communicated in the future. We expect the field to mature and be widely adopted, striving to standardize protocols and ensure interoperability between different implementations. A project called ZKProof has already started to do so.

Another trend that will continue to exist in the zero-knowledge technology community is more work on efficient algorithms and possible special hardware. In recent years, we have seen a reduction in proof size and the proof generation and verification becoming more efficient. Advances in algorithms, special hardware, and computational optimization may lead to faster and more scalable implementations.

Although the efficiency of existing algorithms is beneficial to the users of future zero-knowledge proof technology, we also expect to see the functionality of zero-knowledge proofs continue to expand. In the past, we encountered many instances when implementing preprocessed ZK-SNARK. Now we are finding more and more instances of upgradable ZK-SNARK. In addition, the use of some zero-knowledge proof techniques is more due to their simplicity rather than their zero-knowledge ability.

Finally, another trend in zero-knowledge proof technology is the intersection of machine learning and zero-knowledge proofs (ZKML). This idea requires training large language models in a multi-party environment and using zero-knowledge techniques to verify computations. This is very useful for current artificial intelligence. There is potential for emerging projects in this field.

Conclusion

This article was jointly written by members of the Blockchain Security Alliance. Through this article, we can understand the wide application of zero-knowledge proofs in the field of blockchain, the technical path, the development trends, and the challenges it faces. We believe that with the development of hardware technology and cryptography, zero-knowledge proofs will achieve more breakthroughs in the future and provide faster and more secure application services for the digital world.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!