The Third Major Technological Innovation in the History of Blockchain Development – Application of Zero-Knowledge Proof Technology

Zero-Knowledge Proof Technology - the Third Major Innovation in Blockchain Development

Authors: Jesse_meta, SUSS NiFT researcher at New Leap Social Science University, EatonAshton2, researcher at Beosin, kaplannie, security researcher at Least Authority

Whether the information is stored on the Internet or in offline archives, whether it is due to subjective intent or objective accidents, information leakage incidents are already common today, needless to say. As long as information is centralized, there is a risk of being attacked at a single point. As long as the verification process requires a trusted third party, there will be ethical risks and inefficiencies. Information security solutions are crucial and urgent. Zero-knowledge proof technology allows users to complete verification more efficiently and securely while protecting their privacy.

If Bitcoin is the first major invention brought to the real world by blockchain, providing a new way of storing value, and Ethereum’s smart contracts are the second major milestone event, unlocking the potential for innovation, then the application of zero-knowledge proofs is the third major technological innovation in the history of blockchain development, bringing privacy and scalability. This is not only an important part of the Web3 ecosystem but also a fundamental technology with the potential to drive social change.

This article, from the perspective of non-technical personnel, introduces the application scenarios, working principles, current development status, and future trends of zero-knowledge proofs, in order to help readers without technical backgrounds understand the significant changes that zero-knowledge proofs will bring.

• Bankless Dialogue with Vitalik The great vision of ETH is to truly create an independent open technology stack.
• Exploring DeFi Economic Models Design and Evolution of Incentive Mechanism
• Layer2 Public Chain Token Valuation Model Analysis

1. What is a Zero-Knowledge Proof?

Zero-knowledge proof (ZKP) is a mathematical protocol first proposed in the paper “The knowledge complexity of interactive proof systems” by Shafi Goldwasser, Silvio Micali, and Chales Rackoff in 1985. It does not reveal any other information besides a fact that needs to be proven. The verifier cannot obtain the secret information used to generate the proof. Let’s use an example to help everyone understand: If I want to prove that I know someone’s phone number, I only need to be able to dial that person’s phone in front of everyone to prove this fact, without revealing the person’s actual number. Zero-knowledge proofs provide an effective and almost risk-free way of sharing data. With zero-knowledge proofs, we can retain ownership of the data and greatly enhance privacy protection, potentially making data leakage incidents a thing of the past.

Zero-knowledge proofs have three characteristics:

Completeness

If a statement is true, an honest verifier will be convinced by an honest prover. That is, the right cannot be wrong.

Soundness

If a statement is false, in the vast majority of cases, a deceitful prover cannot make an honest verifier believe a false statement. That is, the wrong cannot be right.

Zero-knowledge

If a statement is true, the verifier can know that the statement is true, but cannot obtain any additional information.

Zero-knowledge proofs have a very small probability of generating soundness errors, that is, a cheating prover may make the verifier believe a false statement. Zero-knowledge proofs are probabilistic proofs, not deterministic proofs, but we can reduce soundness errors to a negligible level through certain techniques.

2. Applications of Zero-Knowledge Proofs

The two most important applications of zero-knowledge proofs are privacy and scalability.

2.1 Privacy

Zero-knowledge proofs allow users to securely share necessary information to obtain goods and services without revealing personal details, protecting them from hacker attacks and leaks of personal identity information. With the gradual integration of the digital and physical realms, the privacy protection function of zero-knowledge proofs has become crucial for Web3 and even beyond. Without zero-knowledge proofs, user information would exist in trusted third-party databases, posing potential risks of being attacked by hackers. The first application of zero-knowledge proofs in blockchain is Zcash, a privacy coin used to hide transaction details.

2.1.1 Protection and Verification of Identity Information

In online activities, we often need to provide information such as name, date of birth, email, and complex passwords to prove that we are legitimate users with proper authorization. As a result, we often leave behind sensitive information that we do not want to disclose online. Nowadays, receiving scam calls that directly address us by name has become common, indicating a serious situation of personal information leakage.

We can use blockchain technology to give everyone a special encrypted digital identifier containing personal data. This digital identifier can build a decentralized identity that cannot be forged or altered without the owner’s knowledge. Decentralized identity can be controlled by users to grant access permissions to personal identity, proving citizenship without disclosing passport details, simplifying the authentication process, and reducing incidents where users lose access due to forgotten passwords. Zero-knowledge proofs are generated from public data that can prove user identity and private data containing user information, which can be used for identity verification when accessing services. This reduces cumbersome verification processes, improves user experience, and avoids centralized storage of user information.

In addition, zero-knowledge proofs can be used to build private reputation systems, allowing service organizations to verify whether users meet certain reputation criteria without exposing their identities. Users can output reputation anonymously while concealing the specific source accounts from platforms such as Facebook, Twitter, and Github.

2.1.2 Anonymous Payments

Transaction details made with bank card payments are usually visible to multiple parties, including payment providers, banks, and governments, exposing the privacy of ordinary citizens to some extent, requiring users to trust these parties not to misuse the information.

Cryptocurrencies can enable payments without third parties, allowing direct peer-to-peer transactions. However, transactions on mainstream public chains are publicly visible, and although user addresses are anonymous, it is still possible to find real-world identities through on-chain associated addresses and off-chain data analysis, such as KYC on exchanges and Twitter information. If someone knows a person’s wallet address, it is equivalent to being able to view that person’s bank account balance at any time, and may even pose a threat to the user’s identity and property.

Zero-knowledge proofs can provide anonymous payments at three levels: privacy coins, privacy applications, and privacy public chains. Privacy coin Zcash hides transaction details including sender and recipient addresses, asset type, quantity, and time. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proofs to obfuscate transaction details for privacy transfers (although it is often used for money laundering as well). Aleo is an L1 blockchain designed to provide privacy features for applications at the protocol level.

2.1.3 Honest Behavior

Zero-knowledge proofs can facilitate honest behavior while preserving privacy. Protocols can require users to submit zero-knowledge proofs to prove their honesty. Due to the validity of zero-knowledge proofs (wrong ones cannot be proven), users must engage in honest behavior according to the protocol requirements to submit valid proofs.

MACI (Minimal Anti-Collusion Infrastructure) is an application scenario that promotes honesty and prevents collusion in on-chain voting or other decision-making processes. The system utilizes key pairs and zero-knowledge proof technology to achieve this goal. In MACI, users register their public keys in a smart contract and send their votes to the contract through encrypted messages. MACI’s anti-collusion feature allows voters to change their public keys to prevent others from knowing their voting choices. Coordinators use zero-knowledge proofs to prove that they have correctly processed all messages at the end of the voting period, and the final voting result is the sum of all valid votes. This ensures the integrity and fairness of the voting process.

2.1.4 Identity Verification

When applying for a loan, we can obtain a digital income proof from a company. The validity of this proof can be easily checked cryptographically. Banks can use zero-knowledge proofs to verify if our income meets the required minimum limit, without obtaining sensitive specific information.

2.1.5 Unlocking the Potential of Private Data through Machine Learning

Training machine learning models usually requires a large amount of data. By using zero-knowledge proofs, data owners can prove that their data meets the requirements for model training without actually disclosing the data. This enables private data to be utilized and monetized.

In addition, zero-knowledge proofs can allow model creators to prove that their models meet certain performance indicators without disclosing the details of the models, to prevent others from copying or tampering with them.

2.2 Scalability

As the number of blockchain users increases, a large amount of computation is required on the blockchain, resulting in transaction congestion. Some blockchains take the sharding route for scalability, but this requires complex modifications to the underlying layer of the blockchain and may threaten its security. Another feasible solution is to adopt the ZK-Rollup approach, which uses verifiable computation to outsource computation to entities on another chain, and then submits zero-knowledge proofs and verifiable results to the main chain for verification of authenticity. Zero-knowledge proofs ensure the authenticity of transactions, and the main chain only needs to update the results to the state, without storing details or replaying computations, and without waiting for others to discuss the authenticity of transactions, greatly improving efficiency and scalability. Developers can leverage zero-knowledge proofs to design lightweight node dapps that can run on ordinary hardware like mobile phones, making it more user-friendly for Web3.

Zero-knowledge proof extensions can be applied to both layer-one networks, such as Mina Protocol, and layer-two networks like ZK-rollups.

3. How Zero-Knowledge Proofs Work

Dmitry Laverenov (2019) divides zero-knowledge proofs into interactive and non-interactive forms.

3.1 Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs consist of three basic steps: evidence, challenger, and response.

Evidence: The hidden secret information serves as the evidence for the prover. This evidence establishes a series of questions that can only be correctly answered by someone who knows this information. The prover randomly selects questions and sends the computed answers to the verifier for proof.

Challenger: The verifier randomly selects another question from a set and challenges the prover to answer it.

Response: The prover accepts the question, computes the answer, and returns the result to the verifier. The prover’s response allows the verifier to check if the prover knows this evidence.

This process can be repeated multiple times until the probability of the prover correctly guessing the answers without knowing the secret information becomes low enough. As a simplified mathematical example, if the prover has a 1/2 probability of guessing the correct answer without knowing the secret information, repeating the interaction ten times results in a probability of the prover hitting the correct answer only 0.0097% of the time, making it highly unlikely for the verifier to mistakenly accept a false proof.

3.2 Non-Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs have limitations. On one hand, they require the presence of both the prover and verifier for repeated verification. On the other hand, each new proof computation requires the prover and verifier to exchange a set of messages, making proofs non-reusable in independent verifications.

To overcome the limitations of interactive zero-knowledge proofs, Manuel Blum, LianGuaiul Feldman, and Silvio Micali proposed non-interactive zero-knowledge proofs, where the prover and verifier share a key and only one round of verification is needed to make the zero-knowledge proof effective. The prover computes a zero-knowledge proof by using a special algorithm to transform the secret information and sends it to the verifier. The verifier uses another algorithm to check if the prover knows the secret information. Once generated, this zero-knowledge proof can be verified by anyone who possesses the shared key and the verification algorithm.

Non-interactive zero-knowledge proofs are a major breakthrough in zero-knowledge proof technology and have driven the development of zero-knowledge proof systems used today. The main methods include ZK-SNARK and ZK-STARK.

4. Main Technological Paths of Zero-Knowledge Proofs

Alchemy (2022) categorizes the technological paths of zero-knowledge proofs into ZK-SNARK, ZK-STARK, and recursive ZK-SNARK.

4.1 ZK-SNARK

ZK-SNARKs are concise, non-interactive proofs of zero knowledge.

Public blockchains need to ensure the correctness of transactions executed on the network by having other computers (nodes) re-execute each transaction. However, this method would slow down the network and limit scalability as each node would have to re-execute every transaction. Nodes also need to store transaction data, resulting in exponential growth of the blockchain’s size.

ZK-SNARK plays a role in addressing these limitations. It can prove the correctness of computations performed off-chain without requiring nodes to replay every step of the computation. This also eliminates the need for nodes to store redundant transaction data, increasing network throughput.

Using SNARK to verify off-chain computations involves encoding the computations as a mathematical expression to form a proof of validity. Validators check the correctness of the proof. If the proof passes all checks, the underlying computation is considered valid. The size of the proof of validity is much smaller than the computation it verifies, which is why we call SNARKs succinct.

Most ZK Rollup implementations that use ZK-SNARK follow these steps:

1. Users on L2 sign transactions and submit them to validators.

2. Validators compress multiple transactions using cryptography to generate corresponding proofs of validity (SNARKs).

3. Smart contracts on L1 validate the proofs of validity and determine whether this batch of transactions should be published to the main chain.

It is worth mentioning that ZK-SNARK requires a trusted setup. In this stage, a trusted setup ceremony is conducted where a key generator obtains a program and a secret parameter to generate two usable public keys, one for creating proofs and one for verifying proofs. These two public keys are generated once through a trusted setup ceremony and can be used multiple times by parties wishing to participate in zero-knowledge protocols. Users need to trust that the participants in the trusted setup ceremony do not act maliciously and have no way of evaluating the honesty of the participants. Knowing the secret parameter allows the generation of false proofs to deceive validators, so there is a potential security risk. Researchers are currently exploring trustless alternatives to ZK-SNARK.

Advantages

1. Security

ZK rollup is considered a more secure scaling solution compared to OP rollup because ZK-SNARK utilizes advanced cryptographic security mechanisms, making it difficult to deceive validators and engage in malicious behavior.

2. High Throughput

ZK-SNARK reduces the computational load on the Ethereum base layer, alleviating congestion on the main network. Off-chain computations share transaction fees, resulting in faster transaction speeds.

3. Small Proof Size

The small size of SNARK proofs makes them easy to verify on the main chain, which means lower Gas Fees for verifying off-chain transactions, reducing costs for users.

Limitations

1. Relative Centralization

Most of the time, it relies on a trusted setup, which contradicts the original intention of blockchain to be trustless.

Generating proofs of validity using ZK-SNARK is a computationally intensive process, requiring proof generators to invest in specialized hardware. These hardware devices are expensive, and only a few can afford them, making the proof generation process highly centralized.

2. ZK-SNARK uses elliptic curve cryptography (ECC) to encrypt the information used for generating proofs of validity. It is currently considered secure, but advancements in quantum computing could potentially break its security model.

Projects Using ZK SNARK

Polygon Hermez

Polygon acquired Hermez for $250 million in 2021, making it the first case of a comprehensive acquisition of two blockchain networks. The ZK technology and tools brought by Hermez to Polygon’s rapidly growing user base enabled Polygon to develop zkEVM. Hermez 1.0 is a payment platform that executes a batch of transactions off-chain, allowing users to transfer ERC-20 tokens from one Hermez account to another Hermez account conveniently, with a transaction speed of up to 2,000 per second.

Hermez 2.0 is a zero-knowledge zkEVM that transparently executes Ethereum transactions, including smart contracts with zero-knowledge verification. It is fully compatible with Ethereum and requires minimal changes to the smart contract code, making it convenient for developers to deploy L1 projects on Polygon Hermez. Hermez 1.0 uses SNARK-proofs, while 2.0 uses both SNARK-proofs and STARK-proofs. In 2.0, STARK-proofs are used to prove the validity of off-chain transactions. However, the cost of verifying STARK-proofs on the main chain is high, so SNARK-proofs are introduced to verify STARK-proofs.

zkSync

zkSync 1.0, launched by Matter Labs in 2020, does not support smart contracts and is mainly used for transactions or transfers. zkSync 2.0, which supports smart contracts, was publicly launched on the mainnet in March 2023.

zkSync compiles the Solidity source code of smart contracts on Ethereum into Yul to achieve EVM compatibility. Yul is an intermediate language that can be compiled into bytecode for different EVMs. The Yul code can be recompiled into custom, circuit-compatible bytecode sets designed for zkSync’s zkEVM using the LLVM compiler framework. This eliminates the need to zk-proof all steps of EVM execution through higher-level code, making the proof process more decentralized while maintaining high performance. In the future, support for Rust, Javascript, or other languages can be added by building new compiler frontends, increasing the flexibility of the zkEVM architecture and attracting more developers.

Aztec

Aztec is the first hybrid zkRollup that achieves the execution of both public and private smart contracts in a single environment. It is a zero-knowledge execution environment, not zkEVM. Confidentiality is achieved by merging public and private execution into a single hybrid rollup, enabling privacy transactions of public AMMs, private conversations in public games, private voting in public DAOs, and more.

4.2 ZK-STARK

ZK-STARK does not require a trusted setup. ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge. Compared to ZK-SNARK, ZK-STARK has better scalability and transparency.

Advantages

1. Trustlessness

ZK-STARK replaces trusted setups with publicly verifiable randomness, reducing reliance on participants and improving protocol security.

2. Greater Scalability

Even with the exponential growth in complexity of underlying calculations, ZK-STARK maintains a lower proof and verification time compared to ZK-SNARK, which grows linearly.

3. Higher security guarantee

ZK-STARK uses collision-resistant hash values for encryption, instead of the elliptic curve scheme used in ZK-SNARK, which is resistant to attacks from quantum computing.

Limitations

1. Larger proof size

ZK-STARK has a larger proof size, which leads to higher costs for verification on the main network.

2. Lower adoption rate

ZK-SNARK was the first practical application of zero-knowledge proofs in blockchain, so most ZK rollups adopt ZK-SNARK, which has more mature developer systems and tools. Although ZK-STARK also has support from the Ethereum Foundation, its adoption rate is lower and the underlying tools still need improvement.

Which projects use ZK-STARK?

Polygon Miden

Polygon Miden is an Ethereum L2-based scaling solution that integrates a large number of L2 transactions into a single Ethereum transaction using zk-STARK technology, thereby improving processing capacity and reducing transaction costs. Without sharding, Polygon Miden can produce a block within 5 seconds, and its TPS can reach over 1000. After sharding, its TPS can reach up to 10,000. Users can withdraw funds from Polygon Miden to Ethereum in just 15 minutes. The core feature of Polygon Miden is a STARK-based Turing complete virtual machine called Miden VM, which makes formal verification of contracts easier.

StarkEx and StarkNet

StarkEx is a permissioned framework for customizing scaling solutions for specific applications. Projects can use StarkEx for low-cost off-chain computation and generate STARK proofs of execution correctness. Such proofs can contain 12,000-500,000 transactions. The proofs are then sent to the on-chain STARK verifier for validation, and once validated, the state updates are accepted. Applications deployed on StarkEx include perpetual options dYdX, NFT L2 Immutable, sports digital card trading platform Sorare, and multi-chain DeFi aggregator rhino.fi.

StarkNet is a permissionless L2 where anyone can deploy smart contracts developed in the Cairo language. Contracts deployed on StarkNet can interact with each other to build new composable protocols. Unlike StarkEx, where applications are responsible for submitting transactions, StarkNet’s sequencer batches transactions and sends them for processing and proof generation. StarkNet is more suitable for protocols that require synchronous interaction with other protocols or go beyond the scope of StarkEx applications. As StarkNet develops, applications based on StarkEx will be able to be ported to StarkNet and enjoy composability.

Comparison between ZK-SNARK and ZK-STARK

4.3 Recursive ZK-SNARK

Ordinary ZK rollups can only handle one transaction block, which limits the number of transactions they can process. Recursive ZK-SNARK can verify more than one transaction block and merge the SNARKs generated from different L2 blocks into a single validity proof, which is submitted to the L1 chain. Once the contract on the L1 chain accepts the submitted proof, all these transactions become valid, greatly increasing the number of transactions that can be completed using zero-knowledge proofs.

Plonky2 is a new proof mechanism for increasing transactions in Polygon Zero using recursive ZK-SNARK. Recursive SNARK extends the proof generation process by aggregating several proofs into one recursive proof. Plonky2 uses the same technology to reduce the time it takes to generate new block proofs. Plonky2 parallelly generates proofs for thousands of transactions and recursively aggregates them into one block proof, resulting in fast generation speed. On the other hand, traditional proof mechanisms attempt to generate the entire block proof at once, which is less efficient. In addition, Plonky2 can generate proofs on consumer-grade devices, addressing the issue of hardware centralization that often accompanies SNARK proofs.

5. Zero Knowledge Rollup VS Optimistic Rollup

ZK-SNARK and ZK-STARK have become the core infrastructure of blockchain scaling projects, especially in the Zero Knowledge Rollup scheme. Zero-Knowledge Rollup refers to the use of zero-knowledge proof technology to move all computations off-chain to alleviate network congestion, serving as an Ethereum Layer 2 scaling solution. The main advantages of Zero Knowledge Rollup are significantly increased transaction throughput on Ethereum, while maintaining low transaction fees, and immediate confirmation once transactions are included in the rollup.

Currently, besides Zero Knowledge Rollup, Ethereum’s L2 scaling solutions also include Optimistic Rollup. Transactions running on Optimistic Rollup are assumed valid and executed immediately. Only when fraudulent transactions are discovered (someone submits proof of fraud), the transactions are rolled back. Therefore, Optimistic Rollup has lower security compared to Zero Knowledge Rollup. To prevent fraudulent transactions, Optimistic Rollup has a challenge period, after which transactions can be finalized. This may result in users having to wait for a period of time to withdraw their funds.

When EVM was initially designed, the use of zero-knowledge proof technology was not considered. Ethereum founder Vitalik believes that in the short term, Zero Knowledge Rollup has technical complexity but will ultimately prevail over Optimistic Rollup in the scalability war. The following is a comparison between Zero Knowledge Rollup and Optimistic Rollup.

Source: SUSS NiFT, ChatGPT

6. What is the future prospect of zero-knowledge proof technology?

The field of zero-knowledge proof technology holds a unique position: in recent years, through extensive efforts to advance research in this field, many achievements are fairly new in the fields of cryptography and secure communication. Therefore, many interesting questions are still waiting to be answered by the academic community and developer community. At the same time, zero-knowledge proof technology is being used in various projects, showcasing the challenges and expanding the requirements of zero-knowledge technology.

One area worth paying attention to in zero-knowledge proof technology is the discussion on post-quantum security. Publicly verifiable SNARKs (succinct non-interactive arguments of knowledge) are a key component of zero-knowledge technology. However, most widely used publicly verifiable SNARK schemes are not considered post-quantum secure. For example, Groth16, Sonic, Marlin, SuperSonic, and SLianGuairtan. The mathematical problems these schemes rely on can be efficiently solved with the help of quantum computers, greatly compromising their security in a post-quantum world.

We have found that the academic community is actively seeking zero-knowledge proofs that are quantum-safe, which can be used for various statements without a pre-processing phase. The most advanced examples of quantum-safe zero-knowledge proofs currently include schemes such as Ligero, Aurora, Fractal, Lattice Bulletproofs, and LPK22. Ligero, Aurora, and Fractal are based on hash functions, while Lattice Bulletproofs and LKP22 are based on lattice functions. Both of these functions are considered to be quantum-safe. The trend is to promote these schemes and improve their efficiency.

Another expectation for zero-knowledge technology in the future is its ability to resist attacks and the maturity of related code. With the increase in the amount of code written, there will be more secure and audited libraries and best practices for various zero-knowledge proof technologies. Of course, there will also be more common errors waiting to be discovered and communicated in the future. We expect this field to mature and be widely adopted, striving to standardize protocols and ensure interoperability between different implementations. A project called ZKProof has already started doing this.

Another trend that will continue to exist in the zero-knowledge technology community is more work on efficient algorithms and possible specialized hardware. In recent years, we have seen a reduction in proof size and increased efficiency of provers and verifiers. Advances in algorithms, specialized hardware, and computational optimization may lead to faster and more scalable implementations.

While the efficiency of existing algorithms is beneficial to future users of zero-knowledge proof technology, we also expect to see the functionality of zero-knowledge proofs expand. In the past, we encountered many instances in implementing pre-processing ZK-SNARKs. Now we are finding more instances of upgradable ZK-SNARKs. In addition, the use of some zero-knowledge proof technologies is more due to their simplicity rather than their zero-knowledge capabilities.

Finally, another trend in zero-knowledge proof technology is the intersection of machine learning and zero-knowledge proofs (ZKML). This idea requires training large language models in a multi-party environment and using zero-knowledge technology to verify computations. This is very useful for current artificial intelligence. There is the possibility of emerging projects in this field.

Conclusion

This article is jointly written by members of the Blockchain Security Alliance. Through this article, we can understand the widespread application of zero-knowledge proofs in the blockchain field, the technical path, development trends, and the challenges it faces. We believe that with the development of hardware technology and cryptography, zero-knowledge proofs will make more breakthroughs in the future, providing faster and more secure application services for the digital world.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!