Zero-knowledge proofs from the perspective of non-technical personnel: how did they become the third major technological innovation in the history of blockchain development?

Author: @Jesse_meta, Researcher of SUSS NiFT, Inclusive Finance Node, Singapore University of Social Sciences (SUSS); @EatonAshton2, Researcher of Beosin; @kaplannie, Security Researcher of Least Authority

Note: This article is a research report from the SUSS NiFT Blockchain Security Alliance.

Whether information is stored on the Internet or in offline archives, intentional or accidental information leakage incidents are common today. Whenever information is stored in a centralized manner, there is a risk of a single point of attack. Whenever the verification process requires a trusted third party, there is moral hazard and inefficiency. Solving information security is therefore crucial and urgent. Zero-knowledge proof technology allows users to complete verification efficiently and securely while protecting their privacy.

If Bitcoin is considered the first major invention that blockchain brought to the real world, providing a new way of storing value, and Ethereum’s smart contracts are the second major milestone event that unlocks innovation potential, then the application of zero-knowledge proofs is the third major technological innovation in the history of blockchain development, bringing privacy and scalability. It is not only an important part of the Web3 ecosystem but also a fundamental technology with the potential to drive social change.

This article, from the perspective of non-technical personnel, introduces the application scenarios, working principles, current development status, and future trends of zero-knowledge proofs, in order to help readers without technical background understand the significant changes that zero-knowledge proofs are about to bring.

1. What is a Zero-Knowledge Proof?

A Zero-Knowledge Proof (ZKP) is a mathematical protocol first proposed in 1985 in the paper “The knowledge complexity of interactive proof systems” by Shafi Goldwasser, Silvio Micali, and Charles Rackoff. It reveals nothing beyond the fact that needs to be proven: the verifier cannot obtain the secret information used to generate the proof. To help everyone understand, let’s take an example: I want to prove that I know someone’s phone number. I only need to dial that person’s number in front of everyone to prove this fact, without revealing the actual number. Zero-knowledge proofs provide an effective and almost risk-free way to share data. With zero-knowledge proofs, we can retain ownership of our data and greatly enhance privacy protection, potentially making data leakage incidents a thing of the past.

Zero-knowledge proofs have three properties:

Completeness

If a statement is true, an honest verifier will be convinced by an honest prover. That is, the true statement cannot be proven false.

Soundness

If a statement is false, in most cases, a dishonest prover cannot make an honest verifier believe the false statement. That is, the false statement cannot be proven true.

Zero-Knowledge

If a statement is true, the verifier, besides knowing that the statement is true, cannot obtain any additional information.

Zero-knowledge proofs have a very small probability of producing soundness errors, meaning a dishonest prover may convince a verifier of an incorrect statement. Zero-knowledge proofs are probabilistic proofs, not deterministic proofs, but we can use some techniques to reduce the soundness error to a negligible level.

2. Applications of Zero-knowledge Proofs

The two most important applications of zero-knowledge proofs are privacy and scalability.

2.1 Privacy

Zero-knowledge proofs allow users to securely share necessary information to obtain goods and services without revealing detailed personal information, protecting them from hacker attacks and personal identity leaks. As the digital and physical worlds gradually merge, the privacy protection function of zero-knowledge proofs becomes crucial for Web3 and even information security outside of Web3. Without zero-knowledge proofs, user information would exist in trusted third-party databases, posing a potential risk of being attacked by hackers. The first use case of zero-knowledge proofs in blockchain is Zcash, which is used to hide transaction details.

2.1.1 Protection and Verification of Identity Information

In online activities, we often need to provide personal information such as name, date of birth, email, and complex passwords to prove that we are legitimate users. Therefore, we often leave sensitive information online that we do not want to disclose. Nowadays, receiving scam calls that call us by name is not uncommon, indicating that personal information leaks are very serious.

We can use blockchain technology to give everyone a special encrypted digital identifier that contains personal data. This digital identifier can be used to build a decentralized identity that cannot be forged or altered without the owner’s knowledge. Decentralized identities can be controlled by users to grant access to personal identities, proving citizenship without revealing passport details, simplifying the authentication process, and reducing incidents where users lose access due to forgotten passwords. Zero-knowledge proofs are generated from public data that can prove user identity and privacy data that contains user information, which can be used for identity verification when users access services. This reduces cumbersome verification processes, improves user experience, and avoids centralized storage of user information.

In addition, zero-knowledge proofs can be used to build private reputation systems, allowing service organizations to verify whether users meet certain reputation standards without exposing their identities. Users can anonymously export their reputation while concealing the specific source accounts on platforms such as Facebook, Twitter, and GitHub.

2.1.2 Anonymous Payments

The transaction details of payments made with bank cards are usually visible to multiple parties, including payment providers, banks, and governments, which to some extent expose the privacy of ordinary citizens, requiring users to trust these parties not to do harm.

Cryptocurrencies can enable payments without third parties, allowing direct peer-to-peer transactions. However, transactions on mainstream public chains are publicly visible, and although user addresses are anonymous, there is still a possibility of finding real-world identities through on-chain associated addresses and off-chain data analysis such as KYC at exchanges and Twitter information. If someone knows a person’s wallet address, it is equivalent to being able to view the individual’s bank account balance at any time and may even pose a threat to the user’s identity and property.

Zero-knowledge proofs can provide anonymous payments at three levels: privacy coins, privacy applications, and privacy public chains. Zcash, a privacy coin, hides transaction details such as sender and recipient addresses, asset type, quantity, and time. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proofs to obfuscate transaction details for privacy transfers (although it is often used for money laundering). Aleo is an L1 blockchain designed to provide privacy features for applications at the protocol level.

2.1.3 Honest Behavior

Zero-knowledge proofs can facilitate honest behavior while preserving privacy. Protocols can require users to submit zero-knowledge proofs to prove their honest behavior. Due to the soundness of zero-knowledge proofs, users must engage in honest behavior according to protocol requirements in order to submit valid proofs.

MACI (Minimal Anti-Collusion Infrastructure) is an application scenario that promotes honesty and prevents collusion in on-chain voting or other decision-making processes. The system utilizes key pairs and zero-knowledge proof technology to achieve this goal. In MACI, users register their public keys in a smart contract and send their votes to the contract through encrypted messages. MACI’s anti-collusion feature allows voters to change their public keys to prevent others from knowing their voting choices. Coordinators use zero-knowledge proofs to prove that they have correctly processed all messages at the end of the voting period, ensuring the integrity and fairness of the final voting results.

2.1.4 Identity Verification

When we want to apply for a loan, we can obtain a digital income certificate from a company. The validity of this certificate can be easily verified cryptographically. Banks can use zero-knowledge proofs to verify if our income meets the minimum requirement without obtaining sensitive specific information.

2.1.5 Unlocking the Potential of Private Data with Machine Learning

Training machine learning models typically requires a large amount of data. By using zero-knowledge proofs, data owners can prove that their data meets the requirements for model training without actually disclosing the data. This allows private data to be utilized and monetized.

In addition, zero-knowledge proofs can allow model creators to prove that their models meet certain performance metrics without disclosing the details of the models, preventing others from copying or tampering with them.

2.2 Scalability

As the number of blockchain users increases, there is a need for a large amount of computation on the blockchain, leading to transaction congestion. Some blockchains take the sharding route for scalability, but this requires complex modifications to the underlying layer of the blockchain, which may threaten its security. Another feasible solution is the ZK-Rollup approach, which uses verifiable computation to outsource the computation to entities on another chain, and then submits the zero-knowledge proofs and verifiable results to the main chain for verification of authenticity. Zero-knowledge proofs ensure the authenticity of transactions, and the main chain only needs to update the results to the state, without storing details or replaying computations, and without waiting for others to discuss the authenticity of the transactions, greatly improving efficiency and scalability. Using zero-knowledge proofs, developers can design lightweight node dapps that can run on ordinary hardware such as smartphones, making it more accessible for Web3 to reach the masses.

Zero-knowledge proof extensions can be applied in both layer one networks, such as Mina Protocol, and layer two networks like ZK-rollups.

3. How Zero-Knowledge Proofs Work

Dmitry Laverenov (2019) classified zero-knowledge proofs into interactive and non-interactive.

3.1 Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs consist of three steps: proof, challenge, and response.

  • Proof: The prover’s hidden secret information is the evidence behind the proof. It defines a set of questions that can only be answered correctly by someone who knows this information. The prover randomly selects a question and sends the computed answer to the verifier as the proof.
  • Challenge: The verifier randomly selects another question from the set and asks the prover to answer it.
  • Response: The prover accepts the question, computes the answer, and returns the result to the verifier. The prover’s response allows the verifier to check whether the prover really knows this evidence.

This process can be repeated multiple times until the probability of the prover guessing the correct answer without knowing the secret information becomes sufficiently low. As a simplified mathematical example, if the prover has a 1/2 probability of guessing the correct answer without knowing the secret information, and the interaction is repeated ten times, the probability of the prover hitting the correct answer every time is only 0.0097%. This makes the possibility of the verifier mistakenly accepting a false proof extremely low.

3.2 Non-Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs have limitations. On the one hand, both the prover and the verifier need to be present and repeat the verification. On the other hand, each new proof calculation requires the exchange of a set of information between the prover and the verifier, making the proof non-reusable in independent verifications.

To overcome the limitations of interactive zero-knowledge proofs, Manuel Blum, Paul Feldman, and Silvio Micali proposed non-interactive zero-knowledge proofs. In this approach, the prover and the verifier share a secret key, and a single round of verification is sufficient to make the zero-knowledge proof effective. The prover calculates a zero-knowledge proof of the secret information using a special algorithm and sends it to the verifier. The verifier uses another algorithm to check whether the prover knows the secret information. Once the zero-knowledge proof is generated, anyone with the shared key and the verification algorithm can perform the verification.

Non-interactive zero-knowledge proofs are a major breakthrough in zero-knowledge proof technology and have facilitated the development of zero-knowledge proof systems today. The main methods include ZK-SNARK and ZK-STARK.
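The following is an added illustration, not code from the original article: a toy Schnorr identification protocol that walks through the proof / challenge / response rounds of Section 3.1, shows why a prover without the secret can only succeed by guessing the challenge, and then applies the Fiat-Shamir transform so the same protocol becomes non-interactive as in Section 3.2. The group parameters P, Q and G are constructed toy values chosen for readability and are not secure.

```python
"""Toy Schnorr identification protocol: interactive rounds, a cheating prover,
and the Fiat-Shamir transform to a non-interactive proof.
Constructed toy parameters for illustration only. NOT secure."""
import hashlib
import secrets

# Constructed toy parameters: P is a safe prime (P = 2*Q + 1) and G = 2^2 is a
# quadratic residue, so it generates the subgroup of prime order Q.
P = 1019
Q = 509
G = 4


def keygen():
    """Prover's secret x and public key y = G^x. The statement is 'I know x'."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Round 1 (prover): fresh randomness r and commitment t = G^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def challenge(bits=1):
    """Round 2 (verifier): random challenge. One bit gives the 1/2 per-round
    guessing chance used in the text; real deployments use 128+ bits."""
    return secrets.randbits(bits)


def respond(x, r, c):
    """Round 3 (prover): s = r + c*x mod Q, computable only with x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def cheat_commit(y, guessed_c):
    """A prover WITHOUT x can pass only by guessing the challenge in advance:
    pick s first and back-solve t = G^s * y^(-guessed_c). The transcript
    verifies iff the verifier actually sends guessed_c."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -guessed_c, P)) % P
    return s, t


def soundness_error(challenge_bits, rounds):
    """Chance that a cheater guesses every challenge across all rounds."""
    return (2.0 ** -challenge_bits) ** rounds


def fiat_shamir_challenge(y, t):
    """Replace the verifier's coin flips with a hash of the public transcript."""
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_nizk(x, y):
    """Non-interactive proof: the prover derives the challenge itself."""
    r, t = commit()
    c = fiat_shamir_challenge(y, t)
    return t, respond(x, r, c)


def verify_nizk(y, proof):
    """Anyone holding y can check the proof later, with no further interaction."""
    t, s = proof
    return verify(y, t, fiat_shamir_challenge(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    r, t = commit()
    c = challenge()
    print("honest interactive round accepted:", verify(y, t, c, respond(x, r, c)))
    s_fake, t_fake = cheat_commit(y, guessed_c=1)
    print("cheater accepted when guess is right:", verify(y, t_fake, 1, s_fake))
    print("cheater accepted when guess is wrong:", verify(y, t_fake, 0, s_fake))
    print("cheater success over 10 one-bit rounds:", soundness_error(1, 10))
    print("non-interactive proof accepted:", verify_nizk(y, prove_nizk(x, y)))
```

Note that the cheater's back-solved transcript is indistinguishable from an honest one, which is exactly the simulator argument behind the zero-knowledge property: the transcript alone leaks nothing about x.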

4. Main Technological Paths of Zero-Knowledge Proofs

Alchemy (2022) categorizes the technological paths of zero-knowledge proofs into ZK-SNARK, ZK-STARK, and Recursive ZK-SNARK.

4.1 ZK-SNARK

ZK-SNARK stands for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge: a succinct, non-interactive zero-knowledge proof.

Public chains need to ensure the correctness of transactions executed on the network by allowing other computers (nodes) to re-run each transaction. However, this method slows down the network speed and limits scalability as each node has to re-execute every transaction. Nodes also need to store transaction data, leading to exponential growth in the size of the blockchain.

To address these limitations, ZK-SNARK comes into play. It can prove the correctness of computations performed off-chain without requiring nodes to replay every step of the computation. This also eliminates the need for nodes to store redundant transaction data, improving network throughput.

Using SNARK to verify off-chain computations involves encoding the computation into a mathematical expression to form a proof of validity. Validators check the correctness of the proof. If the proof passes all checks, the underlying computation is considered valid. The size of the proof of validity is much smaller than the computation it verifies, which is why we call SNARKs succinct.

Most ZK Rollup solutions that use ZK-SNARK follow the following steps:

1. Users on L2 sign transactions and submit them to validators.

2. Validators compress multiple transactions using cryptography to generate corresponding proofs of validity (SNARKs).

3. Smart contracts on L1 verify the proofs of validity and determine whether to publish this batch of transactions to the main chain.

It is worth mentioning that ZK-SNARK requires a trusted setup. In this stage, a key generator takes a program and a secret parameter and generates two public keys, one for creating proofs and one for verifying proofs. These two keys only need to be generated once through a trusted setup ceremony and can then be reused by any party wishing to participate in the zero-knowledge protocol. Users have to trust that the participants in the trusted setup ceremony did not act maliciously, and there is no way to evaluate their honesty afterwards. Anyone who knows the secret parameter can generate fake proofs that deceive validators, so this is a potential security risk. Researchers are currently exploring ZK-SNARK schemes that do not require a trusted setup.

  • Advantages

1. Security

ZK rollup is considered a more secure scaling solution than OP rollup because ZK-SNARK uses advanced cryptographic security mechanisms, making it difficult to deceive validators and engage in malicious behavior.

2. High throughput

ZK-SNARK reduces the computational load on the Ethereum base layer, alleviating congestion on the mainnet. Off-chain computations share transaction fees, resulting in faster transaction speeds.

3. Small proof size

The small size of SNARK proofs makes them easy to verify on the main chain, which means lower Gas Fees for verifying off-chain transactions, reducing costs for users.

  • Limitations

1. Relatively centralized

Most of the time, it relies on a trusted setup. This contradicts the original intention of blockchain to be trustless.

Generating proofs of validity with ZK-SNARK is a computationally intensive process, and the prover must invest in specialized hardware. These hardware devices are expensive and only a few can afford them, making the proof generation process highly centralized.

2. Not quantum-resistant

ZK-SNARK relies on elliptic curve cryptography (ECC) for the information used to generate validity proofs. This is currently considered secure, but progress in quantum computing may break its security model.

Projects that use ZK-SNARK

  • Polygon Hermez

Polygon acquired Hermez for $250 million in 2021, the first full acquisition of one blockchain network by another. The ZK technology and tools Hermez brought to Polygon’s rapidly growing user base enabled Polygon to develop its zkEVM. Hermez 1.0 is a payment platform that executes batches of transactions off-chain, allowing users to easily transfer ERC-20 tokens from one Hermez account to another at up to 2000 transactions per second.

Hermez 2.0, as a zkEVM, transparently executes Ethereum transactions, including smart contracts, with zero-knowledge verification. It is fully compatible with Ethereum and requires minimal modifications to smart contract code, making it convenient for developers to deploy L1 projects on Polygon Hermez. Hermez 1.0 uses SNARK proofs, while 2.0 uses both SNARK and STARK proofs: STARK proofs prove the validity of off-chain transactions, but verifying STARK proofs on the main chain is expensive, so a SNARK proof is introduced to verify the STARK proof on-chain.

  • zkSync

zkSync 1.0, launched by Matter Labs in 2020, does not support smart contracts and is mainly used for transactions or transfers. zkSync 2.0, which supports smart contracts, was publicly launched on the mainnet in March 2023.

zkSync compiles Solidity, the smart contract language on Ethereum, into Yul to achieve EVM compatibility. Yul is an intermediate language that can be compiled into bytecode for different EVMs. The Yul code is then recompiled, using the LLVM compiler framework, into a custom circuit-compatible bytecode designed for zkSync’s zkEVM. This removes the need to generate zero-knowledge proofs for every step of EVM execution, making the proving process more decentralized while maintaining high performance. In the future, support for Rust, JavaScript, or other languages can be added by building a new compiler frontend, increasing the flexibility of the zkEVM architecture and attracting more developers.

  • Aztec

Aztec is the first hybrid zkRollup that achieves the execution of both public and private smart contracts in one environment. It is a zero-knowledge execution environment, not zkEVM. By merging public and private execution into a single hybrid rollup, confidentiality is achieved, allowing for privacy transactions in public AMMs, private conversations in public games, private voting in public DAOs, and more.

4.2 ZK-STARK

ZK-STARK does not require a trusted setup. ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge. Compared to ZK-SNARK, ZK-STARK has better scalability and transparency.

Advantages

1. Trustless

ZK-STARK replaces trusted setups with publicly verifiable randomness, reducing reliance on participants and improving protocol security.

2. Greater scalability

Even with exponential growth in the complexity of underlying computations, ZK-STARK maintains lower proof and verification times, unlike ZK-SNARK which grows linearly.

3. Higher security guarantees

ZK-STARK relies on collision-resistant hash functions instead of the elliptic curve schemes used in ZK-SNARK, making it resistant to attacks from quantum computers.

Limitations

1. Larger proof size

ZK-STARK has a larger proof size, resulting in higher costs for verification on the mainnet.

2. Lower adoption rate

ZK-SNARK was the first practical application of zero-knowledge proofs in blockchain, so most ZK rollups adopt ZK-SNARK, which has more mature developer systems and tools. Although ZK-STARK is supported by the Ethereum Foundation, its adoption rate is relatively low, and the underlying tools still need improvement.

Which projects use ZK-STARK?

  • Polygon Miden

Polygon Miden is an Ethereum L2 scaling solution that bundles a large number of L2 transactions into a single Ethereum transaction using zk-STARK technology, thereby increasing processing capacity and reducing transaction costs. Without sharding, Polygon Miden can generate a block within 5 seconds with a TPS of over 1000; with sharding, its TPS can reach 10,000. Users can withdraw funds from Polygon Miden to Ethereum in just 15 minutes. The core feature of Polygon Miden is a STARK-based Turing-complete virtual machine called Miden VM, which makes formal verification of contracts easier.

  • StarkEx and StarkNet

StarkEx is a permissioned framework for customized scaling solutions for specific applications. Projects can use StarkEx for low-cost off-chain computations and generate STARK proofs of correctness. Such proofs can include 12,000-500,000 transactions. The proofs are then sent to the on-chain STARK verifier for validation, and upon successful validation, state updates are accepted. Applications deployed on StarkEx include perpetual options dYdX, NFT L2 Immutable, sports digital card trading platform Sorare, and multi-chain DeFi aggregator rhino.fi.

StarkNet is a permissionless L2 where anyone can deploy smart contracts developed in the Cairo language. Contracts deployed on StarkNet can interact with each other to build new composable protocols. Unlike StarkEx, where applications are responsible for submitting transactions, StarkNet’s sequencer batches transactions and sends them for processing and proof generation. StarkNet is more suitable for protocols that require synchronous interaction with other protocols or go beyond the scope of StarkEx applications. As StarkNet develops further, applications based on StarkEx will be able to be ported to StarkNet, enjoying composability.

Comparison of ZK-SNARK and ZK-STARK

4.3 Recursive ZK-SNARK

Ordinary ZK rollups can only process one transaction block, which limits the number of transactions they can handle. Recursive ZK-SNARK can verify more than one transaction block, merging the SNARKs generated by different L2 blocks into a single proof of validity and submitting it to the L1 chain. Once the contract on the L1 chain accepts the submitted proof, all these transactions become valid, greatly increasing the number of transactions that can be completed using zero-knowledge proofs.

Plonky2 is a new proof mechanism for increasing transactions in Polygon Zero using recursive ZK-SNARK. Recursive SNARK extends the proof generation process by aggregating several proofs into a recursive proof. Plonky2 uses the same technique to reduce the time it takes to generate proofs for new blocks. Plonky2 parallelizes the generation of proofs for thousands of transactions and recursively aggregates them into a block proof, resulting in fast generation speeds. In contrast, ordinary proof mechanisms attempt to generate the entire block proof at once, resulting in lower efficiency. Additionally, Plonky2 can generate proofs on consumer-level devices, addressing the hardware centralization issue typically associated with SNARK proofs.

5. Zero Knowledge Rollup VS Optimistic Rollup

ZK-SNARK and ZK-STARK have become the core infrastructure for blockchain scalability projects, especially in the Zero Knowledge Rollup scheme. Zero Knowledge Rollup refers to an Ethereum Layer 2 scaling solution that uses zero-knowledge proofs to move all computations off-chain and alleviate network congestion. The main advantages of Zero Knowledge Rollup are significantly increased transaction throughput on Ethereum, low transaction fees, and immediate confirmation once transactions are included in the rollup.

Currently, Ethereum’s L2 scaling solutions include not only Zero Knowledge Rollup but also Optimistic Rollup. In Optimistic Rollup, transactions running on it are assumed to be valid and executed immediately. Only when fraudulent transactions are discovered (someone submits fraud proofs) will those transactions be revoked. Therefore, the security of Optimistic Rollup is lower than that of Zero Knowledge Rollup. To prevent fraudulent transactions, Optimistic Rollup has a challenge period, during which transactions can only be finalized after the challenge period. This may result in users having to wait for a period of time to withdraw their funds.

When the EVM was initially designed, the use of zero-knowledge proofs was not considered. Ethereum founder Vitalik believes that Zero Knowledge Rollup has technical complexity in the short term but will eventually prevail over Optimistic Rollup in the scalability war. The following is a comparison of Zero Knowledge Rollup and Optimistic Rollup.

Source: SUSS NiFT, ChatGPT

6. What is the future prospect of zero-knowledge proof technology?

Zero-knowledge proof technology occupies a unique position: research in this field has been pushed forward intensely in recent years, and many of its results are still very new to cryptography and secure communication. Many interesting questions therefore remain open for the academic and developer communities. At the same time, zero-knowledge proof technology is being used in a wide range of projects, which exposes its practical challenges and expands its requirements.

One area worth paying attention to is the post-quantum security of zero-knowledge proofs. Publicly verifiable SNARKs (Succinct Non-Interactive Arguments of Knowledge) are a key component of zero-knowledge technology. However, most widely used publicly verifiable SNARK schemes, for example Groth16, Sonic, Marlin, SuperSonic, and Spartan, are not considered quantum-safe. The mathematical problems these schemes rely on can be solved efficiently with the help of quantum computers, greatly compromising their security in a post-quantum world.

We have found that the academic community is actively seeking quantum-safe zero-knowledge proofs that can be used for arbitrary statements without a pre-processing phase. The most advanced quantum-safe zero-knowledge proofs currently include Ligero, Aurora, Fractal, Lattice Bulletproofs, and the LPK22 scheme. Ligero, Aurora, and Fractal are based on hash functions, while Lattice Bulletproofs and LPK22 are based on lattice problems. Both are considered quantum-safe. Generalizing these schemes and improving their efficiency has become a trend.

Another expectation for the future of zero-knowledge technology is its resilience to attacks and the maturity of related code implementations. With the increase in the amount of written code, there will be more secure and audited libraries and best practices for various zero-knowledge proof technologies. Of course, there will also be more common errors waiting to be discovered and communicated in the future. We expect this field to mature and be widely adopted, striving to standardize protocols and ensure interoperability between different implementations. A project called ZKProof has already started doing this.

Another trend that will continue to exist in the zero-knowledge technology community is more work on efficient algorithms and possible specialized hardware. In recent years, we have seen a reduction in proof size and increased efficiency of provers and verifiers. Advances in algorithms, specialized hardware, and computational optimization may lead to faster and more scalable implementations.

While the efficiency of existing algorithms benefits future users of zero-knowledge proof technology, we also expect the functionality of zero-knowledge proofs to keep expanding. In the past we encountered many implementations of pre-processing ZK-SNARKs; now we are seeing more and more upgradable ZK-SNARKs. In addition, some zero-knowledge proof technologies are adopted more for their succinctness than for their zero-knowledge property.

Finally, another trend in zero-knowledge proof technology is the intersection of machine learning and zero-knowledge proofs (ZKML). This idea involves training large language models in a multi-party environment and using zero-knowledge technology to verify computations. This is very useful for current artificial intelligence. There is potential for emerging projects in this field.

Conclusion

This article is jointly written by members of the Blockchain Security Alliance. Through the introduction in this article, we can understand the wide application of zero-knowledge proofs in the field of blockchain, the technical path, development trends, and the challenges it faces. We believe that with the development of hardware technology and cryptography, zero-knowledge proofs will achieve more breakthroughs in the future, providing faster and more secure application services for the digital world.
