This article mainly introduces the extensive application of zero-knowledge proof in the field of blockchain, technical paths, development trends, and the challenges it faces.
Authors:
Jesse_meta, Researcher at SUSS NiFT, Inclusive Finance Node, New Leap Social Science University @Jesse_meta
EatonAshton2, Researcher at Beosin @EatonAshton2
kaplannie, Security Researcher at Least Authority @kaplannie
Note: SUSS NiFT Blockchain Security Alliance Research Report
Whether information is stored on the Internet or in offline archives, leakage incidents, intentional or accidental, are commonplace today. As long as information is stored centrally, there is the risk of a single point of attack; as long as verification requires a trusted third party, there is moral hazard and inefficiency. Solving information security is therefore both crucial and urgent. Zero-knowledge proof technology lets users complete verification more efficiently and securely while protecting their privacy. If Bitcoin is the first major invention blockchain has brought to the real world, providing a new way of storing value, and Ethereum's smart contracts are the second major milestone, unlocking innovative potential, then the application of zero-knowledge proof is the third major technological innovation in the history of blockchain, bringing privacy and scalability. It is not only an important part of the Web3 ecosystem but also a foundational technology with the potential to drive social change.
This article, from the perspective of non-technical personnel, introduces the application scenarios, working principles, current development, and future trends of zero-knowledge proof, in order to let readers without technical background understand the significant changes that zero-knowledge proof is about to bring.
1. What is Zero-Knowledge Proof
Zero-knowledge proof (ZKP) is a mathematical protocol first proposed in 1985 by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in the paper "The knowledge complexity of interactive proof systems." It lets one party prove a statement without revealing any information beyond the fact that the statement is true; the verifier cannot obtain the secret information used to generate the proof. To help everyone understand, let's take an example: if I want to prove that I know someone's phone number, I only need to dial that person in front of others to prove this fact, without revealing the actual number. Zero-knowledge proof provides an almost risk-free way of sharing data. By using zero-knowledge proof, we can retain ownership of our data, greatly enhance privacy protection, and potentially make data leakage incidents a thing of the past.
Zero-knowledge proof has three characteristics:
Completeness
If a statement is true, an honest verifier will be convinced by an honest prover. That is, right cannot be wrong.
Soundness
If a statement is false, in the vast majority of cases, a dishonest prover cannot convince an honest verifier of the false statement. That is, wrong cannot be right.
Zero-Knowledge
If a statement is true, the verifier can only know that the statement is true, and cannot obtain any additional information.
Zero-knowledge proof has a very small probability of producing soundness errors, that is, a cheating prover may make the verifier believe a false statement. Zero-knowledge proof is a probabilistic proof, not a deterministic proof, but we can use some techniques to reduce the soundness error to a negligible level.
2. Applications of Zero-Knowledge Proof
The two most important application scenarios of zero-knowledge proof are privacy and scalability.
2.1 Privacy
Zero-knowledge proof allows users to securely share necessary information to obtain goods and services without revealing detailed personal information, thus avoiding hacker attacks and personal identity leakage. As the digital and physical realms gradually merge, the privacy protection function of zero-knowledge proof becomes crucial for Web3 and information security beyond Web3. Without zero-knowledge proof, user information would be stored in a trusted third-party database, with the potential risk of being attacked by hackers. The first application case of zero-knowledge proof in blockchain is the privacy coin Zcash, used to hide transaction details.
2.1.1 Protection and Verification of Identity Information
In online activities, we often need to provide sensitive information such as name, date of birth, email, and complex passwords to prove that we are legitimate users. Therefore, we often leave sensitive information online that we do not want to reveal. Today, receiving scam calls addressing us by name is common, indicating a very serious situation of personal information leakage.
We can use blockchain technology to give everyone a special encrypted digital identifier containing personal data. This digital identifier can form a decentralized identity that cannot be forged or altered without the owner's knowledge. Users control this decentralized identity themselves: they can prove citizenship without revealing passport details, simplify the authentication process, and are less likely to lose access because of forgotten passwords. A zero-knowledge proof is generated from the public data that attests to the user's identity together with the user's private data, and is presented for identity verification when the user accesses a service. This not only removes cumbersome verification steps and improves the user experience, but also avoids centralized storage of user information.
In addition, zero-knowledge proof can be used to build a private reputation system, allowing service organizations to verify whether a user meets certain reputation standards without revealing their identity. Users can export reputation anonymously from platforms such as Facebook, Twitter, and GitHub without revealing the specific source account.
2.1.2 Anonymous Payments
Transaction details of payments using bank cards are usually visible to multiple parties, including payment providers, banks, and government entities, which to some extent exposes the privacy of ordinary citizens, and users need to trust the relevant parties not to act maliciously.
Cryptocurrencies can enable payments to bypass third parties and be directly peer-to-peer. However, transactions on mainstream public chains are publicly visible, and although user addresses are anonymous, it is still possible to find real-world identities through on-chain associated addresses and off-chain data analysis such as KYC at exchanges, Twitter information, etc. If someone knows a person's wallet address, it is equivalent to being able to view the person's bank account balance at any time, and may even pose a threat to the user's identity and property.
Zero-knowledge proof can provide anonymous payments at three levels: privacy coins, privacy applications, and privacy public chains. Zcash, a privacy coin, hides transaction details including sender and receiver addresses, asset types, quantity, and time. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proof to obfuscate transaction details to provide private transfers (but is also often used for money laundering). Aleo is an L1 blockchain aimed at providing privacy features for applications from a protocol level.
2.1.3 Honest Behavior
Zero-knowledge proof can promote honest behavior while preserving privacy. A protocol can require users to submit a zero-knowledge proof of their honest behavior. Because of the soundness of zero-knowledge proof (wrong cannot be right), users must behave honestly as the protocol requires in order to produce a valid proof.
MACI (Minimal Anti-Collusion Infrastructure) is an application scenario that promotes honesty, preventing collusion in on-chain voting or other forms of decision-making processes. The system uses key pairs and zero-knowledge proof technology to achieve this goal. In MACI, users register their public keys in a smart contract and send their votes to the contract through encrypted messages. MACI's anti-collusion feature allows voters to change their public keys to prevent others from knowing their voting choices. Coordinators use zero-knowledge proof to prove that they have correctly processed all messages at the end of the voting period, and that the final voting result is the sum of all valid votes. This ensures the integrity and fairness of the voting.
2.1.4 Personal Information Verification
When we want to obtain a loan, we can obtain a digital income certificate from our employer to apply for it. The legitimacy of this certificate can easily be checked cryptographically. The bank can use zero-knowledge proof to verify that our income meets the specified minimum without learning the specific, sensitive figure.
2.1.5 Unleashing the Potential of Private Data with Machine Learning
When training machine learning models, a large amount of data is usually required. By using zero-knowledge proof, data owners can prove that their data meets the requirements for model training without actually disclosing the data. This helps private data to be utilized and monetized.
In addition, zero-knowledge proof can allow model creators to prove that their models meet certain performance metrics without disclosing the details of the model, to prevent others from replicating or tampering with their models.
2.2 Scalability
With the increasing number of blockchain users, a large amount of computation is required on the blockchain, leading to transaction congestion. Some blockchains may take the sharding route for scalability, but this requires complex modifications to the underlying layer of the blockchain, which may threaten the security of the blockchain. Another more feasible solution is to take the ZK-Rollup route, using verifiable computation to outsource computation to entities on another chain, and then submit zero-knowledge proofs and verifiable results to the main chain for verification of authenticity. Zero-knowledge proof ensures the authenticity of transactions, and the main chain only needs to update the results to the state, without storing details or replaying computations, and without waiting for others to discuss the authenticity of transactions, greatly improving efficiency and scalability. Developers can use zero-knowledge proof to design lightweight node dapps that can run on ordinary hardware such as mobile phones, which is more conducive to the mass adoption of Web3.
The scalability of zero-knowledge proof can be applied on the first layer network, such as Mina Protocol, and also on the second layer network ZK-rollups.
3. How Zero-Knowledge Proof Works
Dmitry Lavrenov (2019) divides zero-knowledge proofs into interactive and non-interactive.
3.1 Interactive Zero-Knowledge Proof
The basic form of interactive zero-knowledge proof consists of three steps: evidence, challenge, and response.
Evidence: The hidden secret information is the prover's evidence (witness). This evidence defines a set of questions that can only be answered correctly by someone who knows the secret. The prover starts by randomly selecting a question from this set, computing its answer, and sending the result to the verifier as the opening of the proof.
Challenge: The verifier randomly selects another question from the set and asks the prover to answer it.
Response: The prover accepts the question, computes the answer, and returns the result to the verifier. The prover's response allows the verifier to check if the prover knows this evidence.
This process can be repeated multiple times until the probability of the prover guessing the correct answer without knowing the secret information becomes sufficiently low. For a simplified mathematical example, if the prover has a 1/2 probability of guessing correctly without knowing the secret, repeating the interaction ten times leaves a success probability of (1/2)^10 = 1/1024, so the prover hits the correct answer only about 9.7 times in 10,000, making it very unlikely that the verifier mistakenly accepts a false proof.
3.2 Non-Interactive Zero-Knowledge Proof
Interactive zero-knowledge proof has limitations, as it requires the presence of both the prover and the verifier for repeated verification, and each new proof calculation requires the exchange of a set of information between the prover and the verifier.
To address the limitations of interactive zero-knowledge proof, Manuel Blum, Paul Feldman, and Silvio Micali proposed non-interactive zero-knowledge proof, where the prover and verifier share a secret key and only one round of verification is needed, making zero-knowledge proof more practical. The prover uses a special algorithm to generate a zero-knowledge proof from the secret information and sends it to the verifier. The verifier uses another algorithm to check whether the prover knows the secret. Once the proof is generated, anyone with the shared key and the verification algorithm can verify it. Non-interactive zero-knowledge proof is a major breakthrough in zero-knowledge technology and drove the development of the proof systems used today. The main methods are ZK-SNARKs and ZK-STARKs.
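To make the interactive protocol of 3.1 and the non-interactive variant of 3.2 concrete, here is an added example in Python (not code from the original report): a Schnorr-style proof of knowledge of a discrete logarithm over a toy group, run as repeated single-bit rounds with a cheating prover that exhibits the 1/2 per-round soundness error, and then made non-interactive with the Fiat-Shamir transform. The group parameters P, Q, G are constructed for this example and are far too small for real use, and Fiat-Shamir (deriving the challenge by hashing the commitment) is the standard technique, not one the report itself describes.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# P is a safe prime, Q = (P - 1) // 2 is prime, G = 2^2 mod P generates the
# subgroup of prime order Q.
P = 2039
Q = 1019
G = 4

def keygen():
    """Prover's secret x (the 'evidence') and its public value y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# ---- Interactive protocol (Section 3.1): commitment, challenge, response ----

def prover_commit():
    """Step 1: prover picks a fresh random r and sends t = G^r mod P."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge():
    """Step 2: verifier picks a random bit; a cheater guesses it with
    probability 1/2, which is the per-round soundness error."""
    return secrets.randbelow(2)

def prover_respond(x, r, c):
    """Step 3: prover answers s = r + c*x mod Q; the random r blinds x."""
    return (r + c * x) % Q

def verifier_check(y, t, c, s):
    """Accept iff G^s == t * y^c mod P."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_interactive(x, y, rounds):
    """Honest prover and verifier; True iff every round is accepted."""
    for _ in range(rounds):
        r, t = prover_commit()
        c = verifier_challenge()
        s = prover_respond(x, r, c)
        if not verifier_check(y, t, c, s):
            return False
    return True

def run_cheating(y, rounds):
    """Prover who does NOT know x: it guesses the challenge bit in advance and
    builds a commitment that can answer only that bit, so it survives each
    round with probability 1/2 and all rounds with probability (1/2)^rounds."""
    for _ in range(rounds):
        guess = secrets.randbelow(2)
        s = secrets.randbelow(Q)
        if guess == 0:
            t = pow(G, s, P)                           # answers c = 0
        else:
            t = (pow(G, s, P) * pow(y, P - 2, P)) % P  # t = G^s / y answers c = 1
        c = verifier_challenge()
        if c != guess or not verifier_check(y, t, c, s):
            return False
    return True

def soundness_error(rounds):
    """Probability that a cheating prover passes every round: (1/2)^rounds."""
    return 2.0 ** -rounds

# ---- Non-interactive version (Section 3.2): Fiat-Shamir transform ----
# The verifier's random challenge is replaced by a hash of the public values
# and the commitment, so the prover produces the proof alone and anyone can
# check it later; a full-size challenge makes a single round sufficient.

def fiat_shamir_challenge(y, t):
    data = f"{P}:{G}:{y}:{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_noninteractive(x, y):
    r, t = prover_commit()
    c = fiat_shamir_challenge(y, t)
    return t, prover_respond(x, r, c)

def verify_noninteractive(y, proof):
    t, s = proof
    return verifier_check(y, t, fiat_shamir_challenge(y, t), s)

if __name__ == "__main__":
    x, y = keygen()
    print("10 honest rounds accepted:", run_interactive(x, y, 10))
    print("cheater survives 10 rounds:", run_cheating(y, 10))
    print("soundness error, 10 rounds: %.2f in 10,000" % (soundness_error(10) * 10000))
    print("Fiat-Shamir proof verifies:", verify_noninteractive(y, prove_noninteractive(x, y)))
```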
4. Main Technical Paths of Zero-Knowledge Proof
Alchemy (2022) divides the technical paths of zero-knowledge proof into ZK-SNARKs, ZK-STARKs, and Recursive ZK-SNARK.
4.1 ZK-SNARKs
ZK-SNARK stands for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge: a zero-knowledge proof that is both concise and non-interactive.
Public chains need to ensure the correctness of transactions executed on the network by having other computers (nodes) re-run each transaction. However, this method slows down the network and limits scalability as each node must re-execute every transaction, and nodes also need to store transaction data, leading to exponential growth in the size of the blockchain.
ZK-SNARKs address these limitations. They can prove the correctness of off-chain computation without nodes having to replay every step of it. This also removes the need for nodes to store redundant transaction data, improving network throughput.
Using SNARKs to verify off-chain computation means encoding the computation into a mathematical expression and producing a validity proof for it. The verifier checks the proof, and if it passes all checks the underlying computation is considered valid. The validity proof is much smaller than the computation it attests to, which is why SNARKs are called succinct.
Most ZK Rollup implementations using ZK-SNARKs follow the following steps:
L2 users sign transactions and submit them to verifiers.
Verifiers use cryptography to compress multiple transactions into corresponding proofs of validity (SNARK).
Smart contracts on the L1 chain verify the proofs of validity and decide whether to publish this batch of transactions to the main chain.
It is worth mentioning that ZK-SNARKs require a trusted setup. In this stage, a key generator obtains a program and a secret parameter to generate two usable public keys, one for creating proofs and one for verifying proofs. These two public keys only need to be generated once through a trusted setup ceremony and can be used multiple times by parties wishing to participate in zero-knowledge protocols. Users need to trust that the participants in the trusted setup ceremony do not act maliciously, and there is no way to assess the honesty of the participants. Knowing the secret parameter allows the generation of false proofs to deceive verifiers, posing potential security risks. Researchers are currently exploring ZK-SNARKs schemes that do not require a trusted setup.
Advantages
- Security
ZK rollup is considered a more secure scaling solution than OP rollup because ZK-SNARKs rest on advanced cryptographic mechanisms that make it difficult to deceive verifiers and engage in malicious behavior.
- High Throughput
ZK-SNARKs reduce the computational load on the underlying Ethereum network, alleviating network congestion, and off-chain computations share transaction fees, resulting in faster transaction speeds.
- Small Proof Size
The small size of SNARK proofs makes them easy to verify on the main chain, which means lower Gas Fees for verifying off-chain transactions, reducing user costs.
Limitations
- Relatively Centralized
It often relies on a trusted setup, which contradicts blockchain's original goal of trustlessness.
Generating validity proofs with ZK-SNARKs is computationally intensive, and provers must invest in specialized hardware. This hardware is expensive and affordable to only a few, making proving highly centralized.
- Not Quantum-Resistant
ZK-SNARKs rely on elliptic curve cryptography (ECC) to protect the information used to generate validity proofs. ECC is currently considered secure, but progress in quantum computing may break its security model.
Projects Using ZK SNARKs
Polygon Hermez
Polygon acquired Hermez for $250 million in 2021, the first full merger of two blockchain networks. Hermez's ZK technology and tooling, combined with Polygon's rapidly growing user base, gave Polygon the foundation for developing a zkEVM. Hermez 1.0 is a payment platform that executes batches of transactions off-chain, allowing users to easily transfer ERC-20 tokens from one Hermez account to another at up to 2000 transactions per second. Hermez 2.0, a zkEVM, transparently executes Ethereum transactions, including smart contracts, with zero-knowledge verification. It is fully compatible with Ethereum and requires minimal changes to smart contract code, making it convenient for developers to move L1 projects to Polygon Hermez. Hermez 1.0 uses SNARK proofs, while 2.0 uses both SNARK and STARK proofs: in 2.0, a STARK proof attests to the validity of the off-chain transactions, but because verifying a STARK proof on the main chain is expensive, a SNARK proof is introduced to verify the STARK.
zkSync
Matter Labs launched zkSync 1.0 in 2020, which does not support smart contracts and is mainly used for transactions or transfers. zkSync 2.0, which supports smart contracts, was publicly launched on the mainnet in March 2023.
zkSync achieves EVM compatibility by compiling Solidity smart contract source code into Yul. Yul is an intermediate language that is then compiled, using the LLVM compiler framework, into a custom, circuit-compatible bytecode for zkSync's zkEVM. This approach avoids having to zk-prove every step of EVM execution by working from higher-level code, making the proving process more decentralized while maintaining high performance. In the future, support for Rust, JavaScript, or other languages can be added by building a new compiler frontend, increasing the flexibility of the zkEVM architecture and attracting more developers.
Aztec
Aztec is the first hybrid zkRollup, executing public and private smart contracts in a single environment. It is a zero-knowledge execution environment, not a zkEVM. By merging public and private execution into a single hybrid rollup, it enables confidentiality such as private transactions on public AMMs, private conversations in public games, and private voting in public DAOs.
4.2 ZK-STARKS
ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge, and ZK-STARKs do not require a trusted setup. Compared to ZK-SNARKs, ZK-STARKs offer better scalability and transparency.
Advantages
- Trustlessness
ZK-STARKs use publicly verifiable randomness instead of a trusted setup, reducing reliance on participants and enhancing protocol security.
- Stronger Scalability
ZK-STARK proof and verification times remain low even as the complexity of the underlying computation grows exponentially, whereas ZK-SNARK times grow linearly with it.
- Higher Security Assurance
ZK-STARKs rely on collision-resistant hash functions rather than the elliptic curve schemes used in ZK-SNARKs, which makes them resistant to quantum computing attacks.
Limitations
- Larger Proof Size
ZK-STARKs have larger proof sizes, resulting in higher costs for verification on the mainnet.
- Lower Adoption Rate
ZK-SNARKs was the first practical application of zero-knowledge proof in blockchain, so most ZK rollups adopt ZK-SNARKs, which has a more mature developer ecosystem and tools. Although ZK-STARKs also have support from the Ethereum Foundation, their adoption rate is lower, and the foundational tools still need improvement.
Projects Using ZK-STARKs
Polygon Miden
Polygon Miden, an Ethereum L2 scaling solution, bundles a large number of L2 transactions into a single Ethereum transaction using zk-STARK technology, increasing processing capacity and reducing transaction costs. Without sharding, Polygon Miden can produce a block every 5 seconds at over 1000 TPS; with sharding, its TPS can reach 10,000. Users can withdraw funds from Polygon Miden to Ethereum in just 15 minutes. The core of Polygon Miden is the Miden VM, a STARK-based Turing-complete virtual machine that simplifies formal verification of contracts.
StarkEx and StarkNet
StarkEx is a permissioned framework for custom scaling solutions for specific applications. Projects can use StarkEx for low-cost off-chain computation, generating proofs of correctness as STARK proofs. Each such proof covers 12,000–500,000 transactions. The proofs are then sent to the on-chain STARK verifier, and upon successful validation the state is updated. Applications deployed on StarkEx include the perpetual contracts exchange dYdX, the NFT L2 Immutable, the sports digital card trading market Sorare, and the multi-chain DeFi aggregator rhino.fi.
StarkNet is a permissionless L2 where anyone can deploy smart contracts developed in the Cairo language. Contracts deployed on StarkNet can interact with each other to build new composable protocols. Unlike StarkEx, where applications are responsible for submitting transactions, StarkNet's sequencer batches transactions and sends them for processing and proof. StarkNet is more suitable for protocols that require synchronous interaction with other protocols or protocols beyond the scope of StarkEx applications. As StarkNet development progresses, applications based on StarkEx will be able to be ported to StarkNet, enjoying composability.
Comparison of ZK-SNARKs and ZK-STARKs
4.3 Recursive ZK-SNARKs
Regular ZK rollups can only handle one transaction block, limiting the number of transactions they can process. Recursive ZK-SNARKs can verify more than one transaction block, merging SNARKs generated from different L2 blocks into a single proof of validity, submitted to the L1 chain. Once the contract on the L1 chain accepts the submitted proof, all these transactions become valid, greatly increasing the number of transactions that can be ultimately completed using zero-knowledge proof.
Plonky2 is a new proof mechanism for Polygon Zero that uses recursive ZK-SNARKs to increase transaction throughput. Recursive SNARKs extend the proof generation process by aggregating several proofs into a recursive proof. Plonky2 uses the same technology to reduce the time it takes to generate new block proofs. Plonky2 parallelizes the generation of thousands of transactions to recursively aggregate them into a block proof, resulting in fast proof generation. In contrast, conventional proof mechanisms attempt to generate the entire block proof at once, resulting in lower efficiency. Additionally, Plonky2 can generate proofs on consumer-grade devices, addressing the hardware centralization issue often associated with SNARK proofs.
5. Zero Knowledge Rollup VS Optimistic Rollup
ZK-SNARKs and ZK-STARKs have become core infrastructure for blockchain scaling projects, especially in Zero Knowledge Rollup solutions. Zero Knowledge Rollup uses zero-knowledge proof technology to offload all computations to off-chain processing, alleviating network congestion and serving as a second-layer scaling solution for Ethereum. The main advantage of Zero Knowledge Rollup is the significant increase in Ethereum's transaction throughput while maintaining low transaction fees, with transactions being immediately confirmed once included in the rollup.
In addition to Zero Knowledge Rollup, Ethereum's L2 scaling solutions also include Optimistic Rollup. In Optimistic Rollup, transactions are assumed to be valid and executed immediately. Only when fraudulent transactions are discovered (someone submits a fraud proof) will the transaction be rolled back. Therefore, the security is lower than that of Zero Knowledge Rollup. To prevent fraudulent transactions, Optimistic Rollup has a challenge period, which may require users to wait for a period before their funds can be withdrawn.
When the EVM was initially designed, the use of zero-knowledge proof technology was not considered. Ethereum co-founder Vitalik Buterin believes that in the short term Zero Knowledge Rollup is technically more complex, but that it will ultimately prevail over Optimistic Rollup in the scaling war. The following is a comparison of Zero Knowledge Rollup and Optimistic Rollup.
6. The Future Prospects of Zero Knowledge Proof Technology
The field of zero-knowledge proof technology holds a unique position: in recent years, significant efforts have been made to advance research in this field, resulting in many new achievements in cryptography and secure communication. Therefore, many interesting questions are still awaiting answers from the academic and developer communities. At the same time, zero-knowledge proof technology has been used in various projects, demonstrating the challenges of zero-knowledge technology and expanding its requirements.
One noteworthy area in zero-knowledge proof technology is the discussion of post-quantum security. Publicly verifiable SNARKs (Succinct Non-interactive Arguments of Knowledge) are a key component of zero-knowledge technology. However, most widely used publicly verifiable SNARK schemes are not considered post-quantum secure; examples include Groth16, Sonic, Marlin, SuperSonic, and Spartan. The mathematical problems they rely on can be solved efficiently with the help of quantum computers, greatly compromising their security in a post-quantum world.
We find that the academic community is actively seeking post-quantum secure zero-knowledge proofs that can be used for arbitrary statements without a preprocessing stage. The most advanced examples of post-quantum secure zero-knowledge proofs currently include schemes such as Ligero, Aurora, Fractal, Lattice Bulletproofs, and LPK22. Ligero, Aurora, and Fractal are based on hash functions, while Lattice Bulletproofs and LPK22 are lattice-based. Both families of assumptions are considered post-quantum secure. The trend is to promote these schemes and improve their efficiency.
Another expectation for the future of zero-knowledge technology concerns its resistance to attacks and the maturity of the related code. As the volume of written code grows, there will be more secure, audited libraries and best practices for the various zero-knowledge proof technologies. Of course, there will also be more common errors waiting to be discovered and communicated. We expect the field to mature and be widely adopted, with efforts to standardize protocols and ensure interoperability between different implementations; the ZKProof project has already begun doing so.
Another trend that will continue to exist in the zero-knowledge technology community is more work on efficient algorithms and possible specialized hardware. In recent years, we have seen a reduction in proof size and increased efficiency for both provers and verifiers. Progress in algorithms, specialized hardware, and computational optimization may lead to faster and more scalable implementations.
While the efficiency of existing algorithms bodes well for future users of zero-knowledge proof technology, we also expect to see the functionality of zero-knowledge proofs continue to expand. In the past, we encountered many instances of implementing preprocessed zk-SNARKs. Now we are seeing more instances of upgradable zk-SNARKs. Additionally, the use of some zero-knowledge proof technologies is more due to their succinctness rather than their zero-knowledge capabilities.
Finally, another trend in zero-knowledge proof technology is the intersection of machine learning and zero-knowledge proofs (ZKML). This idea involves training large language models in a multi-party environment and using zero-knowledge technology to verify computations. This is very useful for current artificial intelligence. There is potential for emerging projects in this field.
Conclusion
Through this introduction, we can understand the widespread application of zero-knowledge proofs in the blockchain field, the technological path, development trends, and the challenges it faces. With the development of hardware technology and cryptography, we believe that zero-knowledge proofs will make more breakthroughs in the future, providing faster and more secure application services for the digital world.
About the SUSS NiFT Blockchain Ecosystem Security Alliance
The SUSS NiFT Blockchain Ecosystem Security Alliance, jointly initiated by the international leading blockchain security company Beosin and SUSS NiFT, is launched by multiple units with diverse industry backgrounds, including university institutions, blockchain security companies, industry associations, and fintech service providers. The first batch of governing units includes Beosin, SUSS NiFT, NUS AIDF, BAS, FOMO Pay, Onchain Custodian, Semisand, Coinhako, ParityBit, and Huawei Cloud. The alliance members will work together and cooperate with ecological partners to leverage their technical advantages to continuously provide security value for the global blockchain ecosystem. At the same time, the Alliance Council welcomes more knowledgeable individuals in the blockchain-related fields to join in defending the security of the blockchain ecosystem.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.