Zero-Knowledge Proof Technology Application: The Third Major Technological Innovation in the History of Blockchain Development

Published by 链捕手, 2 years ago

Author:

Jesse, Researcher at the SUSS NiFT Financial Inclusion Node, New Leap Social Science University @Jesse_meta

Ashton Eaton, Researcher at Beosin @EatonAshton2

Kaplannie, Security Researcher at Least Authority @kaplannie

Whether information is stored on the internet or in offline archives, intentional or accidental, data breaches are common today and need no further explanation. As long as information is stored centrally, there is a risk of a single point of attack. As long as the verification process requires a trusted third party, there is a moral risk and inefficiency. The resolution of information security is crucial and urgent. Zero-knowledge proof technology allows users to efficiently and securely complete verification while protecting their privacy.

If Bitcoin is the first major invention brought to the real world by blockchain, providing a new way of storing value, and Ethereum's smart contracts are the second major milestone, unlocking innovative potential, then the application of zero-knowledge proofs is the third major technological innovation in the history of blockchain development, bringing privacy and scalability. This is not only an important part of the Web3 ecosystem, but also an important foundational technology with the potential to drive social change.

This article, from a non-technical perspective, introduces the application scenarios, working principles, current developments, and future trends of zero-knowledge proofs, in order to help readers without a technical background understand the significant changes that zero-knowledge proofs are about to bring.

1. What is a Zero-Knowledge Proof

Zero-knowledge proof (ZKP) is a mathematical protocol first proposed in 1985 by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in the paper "The knowledge complexity of interactive proof systems." A zero-knowledge proof reveals nothing beyond the truth of the statement being proven: the verifier learns none of the secret information used to generate the proof. To help everyone understand, consider this example: to prove that I know someone's phone number, I only need to dial that person in front of others, without revealing the actual number. Zero-knowledge proofs provide an almost risk-free way of sharing data. By using zero-knowledge proofs, we can retain ownership of our data, greatly enhance privacy protection, and potentially make data breaches a thing of the past.

Zero-knowledge proofs have three characteristics:

Completeness

If a statement is true, an honest verifier will be convinced by an honest prover. In other words, right cannot be wrong.

Soundness

If a statement is false, in most cases, a dishonest prover cannot convince an honest verifier of the false statement. In other words, wrong cannot be right.

Zero-Knowledge

If a statement is true, the verifier can only know that the statement is true and cannot obtain any additional information.

Zero-knowledge proofs have a small but nonzero soundness error: the probability that a cheating prover makes the verifier believe a false statement. Zero-knowledge proofs are therefore probabilistic rather than deterministic, but certain techniques (such as repeating the protocol) reduce the soundness error to a negligible level.

2. Applications of Zero-Knowledge Proofs

The two most important application scenarios of zero-knowledge proofs are privacy and scalability.

2.1 Privacy

Zero-knowledge proofs allow users to securely share necessary information to obtain goods and services without revealing detailed personal information, protecting them from hacker attacks and personal identity leaks. As the digital and physical realms gradually merge, the privacy protection function of zero-knowledge proofs becomes crucial for Web3 and beyond. Without zero-knowledge proofs, user information would be stored in trusted third-party databases, posing a potential risk of being attacked by hackers. The first application case of zero-knowledge proofs in blockchain is the privacy coin Zcash, used to conceal transaction details.

2.1.1 Protection and Verification of Identity Information

In online activities, we often need to provide sensitive information such as names, birth dates, emails, and complex passwords to prove that we are legitimate users. As a result, we often leave sensitive information online that we do not want to reveal. It is common to receive scam calls addressing us by our names, indicating a serious situation of personal information leaks.

We can use blockchain technology to give everyone a special encrypted digital identifier containing personal data. This digital identifier can build a decentralized identity that cannot be forged or altered without the owner's knowledge. Decentralized identity allows users to control access to personal identity, prove citizenship without revealing passport details, simplify the authentication process, and reduce incidents where users lose access due to forgotten passwords. Zero-knowledge proofs are generated from public data that can prove a user's identity and private data containing user information, and can be used for identity verification when accessing services. This reduces cumbersome verification processes, improves user experience, and avoids centralized storage of user information.

In addition, zero-knowledge proofs can also be used to build a private reputation system, allowing service organizations to verify whether a user meets certain reputation standards without revealing their identity. Users can output their reputation anonymously from platforms such as Facebook, Twitter, and Github, without revealing specific source account details.

2.1.2 Anonymous Payments

Transaction details of payments made using bank cards are usually visible to multiple parties, including payment providers, banks, and government entities, to some extent exposing the privacy of ordinary citizens. Users need to trust these parties not to act maliciously.

Cryptocurrencies can enable payments to bypass third parties and be made directly between peers. However, transactions on mainstream public chains are publicly visible, and although user addresses are anonymous, it is still possible to find real-world identities through data analysis of on-chain associated addresses and off-chain data such as KYC at exchanges and Twitter information. Knowing someone's wallet address is equivalent to being able to view their bank account balance at any time, and may even pose a threat to the user's identity and property.

Zero-knowledge proofs can provide anonymous payments at three levels: privacy coins, privacy applications, and privacy public chains. Zcash hides transaction details including sender and receiver addresses, asset types, quantities, and times. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proofs to obfuscate transaction details for private transfers (but is also often used for money laundering). Aleo is an L1 blockchain aimed at providing privacy features for applications from a protocol level.

2.1.3 Honest Behavior

Zero-knowledge proofs can promote honest behavior while preserving privacy. Protocols can require users to submit zero-knowledge proofs to prove their honest behavior. Due to the soundness of zero-knowledge proofs (wrong cannot be right), users must engage in honest behavior as required by the protocol to submit valid proofs.

MACI (Minimal Anti-Collusion Infrastructure) is an application scenario that promotes honesty, preventing collusion in on-chain voting or other forms of decision-making processes. The system uses key pairs and zero-knowledge proof technology to achieve this goal. In MACI, users register their public keys in a smart contract and send their votes to the contract in encrypted messages. MACI's anti-collusion feature allows voters to change their public keys to prevent others from knowing their voting choices. Coordinators use zero-knowledge proofs to prove that they have correctly processed all messages at the end of the voting period, and that the final vote count is the sum of all valid votes. This ensures the integrity and fairness of the voting process.

2.1.4 Verification of Personal Information

When we want to obtain a loan, we can obtain a digital income certificate from a company to apply for the loan. The legitimacy of this certificate can be checked using cryptography. Banks can use zero-knowledge proofs to verify whether our income meets the specified minimum limit, without obtaining sensitive specific information.

2.1.5 Unleashing the Potential of Private Data through Machine Learning

When training machine learning models, a large amount of data is usually required. By using zero-knowledge proofs, data owners can prove that their data meets the requirements for model training without actually disclosing this data. This helps private data to be utilized and monetized.

Additionally, zero-knowledge proofs can allow model creators to prove that their models meet certain performance metrics without revealing the details of the model, to prevent others from replicating or tampering with their models.

2.2 Scalability

With the increasing number of blockchain users, a large amount of computation is required on the blockchain, leading to transaction congestion. Some blockchains are taking the sharding route for scalability, but this requires complex modifications to the underlying layer of the blockchain, which may threaten the security of the blockchain. Another more feasible solution is to use the ZK-Rollup approach, which utilizes verifiable computation to outsource computation to entities on another chain, and then submits zero-knowledge proofs and verifiable results to the main chain for verification of authenticity. Zero-knowledge proofs ensure the authenticity of transactions, and the main chain only needs to update the state without storing details or replaying computations, and does not need to wait for others to discuss the authenticity of transactions, greatly improving efficiency and scalability. Developers can use zero-knowledge proofs to design lightweight node dapps that can run on ordinary hardware such as smartphones, which is more conducive to the mass adoption of Web3.

The extension of zero-knowledge proofs can be applied on a single-layer network, such as Mina Protocol, and can also be applied on a second-layer network, ZK-rollups.

3. How Zero-Knowledge Proofs Work

Dmitry Laverenov (2019) divides the structure of zero-knowledge proofs into interactive and non-interactive.

3.1 Interactive Zero-Knowledge Proofs

The basic form of an interactive zero-knowledge proof consists of three steps: evidence, challenge, and response.

Evidence: The hidden secret information is the prover's evidence. This evidence determines a set of questions that can only be answered correctly by someone who knows the secret. The prover begins by randomly selecting questions and sending the computed answers to the verifier.

Challenge: The verifier randomly selects another question from the set and asks the prover to answer it.

Response: The prover accepts the question, computes the answer, and returns the result to the verifier. The prover's response allows the verifier to check if the prover knows this evidence.

This process can be repeated multiple times until the probability of the prover guessing the correct answer without knowing the secret information becomes sufficiently low. In a simplified mathematical example, if the prover has a 1/2 probability of guessing the correct answer without knowing the secret information, after ten interactions, the probability of the prover hitting the correct answer every time is only 0.0097, making it highly unlikely for the verifier to mistakenly accept a false proof.

3.2 Non-Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs have limitations, as they require the prover and verifier to be present simultaneously and repeat the verification, and each new proof calculation requires the exchange of a set of information between the prover and verifier.

To address the limitations of interactive zero-knowledge proofs, Manuel Blum, Paul Feldman, and Silvio Micali proposed non-interactive zero-knowledge proofs, where the prover and verifier share a secret key and only need to conduct one round of verification to make zero-knowledge proofs more effective. The prover uses a special algorithm to calculate the secret information and generate a zero-knowledge proof, which is then sent to the verifier. The verifier uses another algorithm to check if the prover knows the secret information. Once the zero-knowledge proof is generated, anyone with the shared key and verification algorithm can verify it.

Non-interactive zero-knowledge proofs are a major breakthrough in zero-knowledge proof technology, promoting the development of zero-knowledge proof systems used today. The main methods include ZK-SNARK and ZK-STARK.
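The following is an added example written for this article; it is not code from the paper or projects cited above. It makes the evidence / challenge / response loop of section 3.1 and the non-interactive variant of section 3.2 concrete with a Schnorr-style proof of knowledge of a discrete logarithm, restricted to a one-bit challenge so that a single round has exactly the soundness error of 1/2 that the text uses. The group parameters (p = 1019, q = 509, g = 4) are constructed toy values chosen for readability, and the non-interactive part uses the Fiat-Shamir heuristic (deriving the challenge bits from a hash of the commitments), which is one standard way to remove the interaction; it is an assumption of this example, not the shared-key construction the article describes.

```python
"""Toy Schnorr-style zero-knowledge proof of knowledge of a discrete log.

Added illustration for this article, not code from any cited project.
The group is deliberately tiny (constructed for the example);
a real deployment uses a ~256-bit prime-order group.
"""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime, so any quadratic residue
# other than 1 generates the subgroup of prime order q. g = 4 = 2^2 is such a residue.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1  # sanity check on the constructed parameters


def keygen() -> tuple[int, int]:
    """Secret witness x (the 'evidence') and public statement y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- one round of the interactive protocol: evidence / challenge / response ---

def commit() -> tuple[int, int]:
    """Evidence step: prover picks random r, keeps it, and sends t = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def respond(x: int, r: int, e: int) -> int:
    """Response step: s = r + e*x mod q for the verifier's one-bit challenge e."""
    return (r + e * x) % Q


def verify_round(y: int, t: int, e: int, s: int) -> bool:
    """Verifier's check: g^s == t * y^e mod p."""
    return pow(G, s, P) == (t * pow(y, e, P)) % P


def honest_round(x: int, y: int, e: int) -> bool:
    """Completeness: a prover who knows x passes for either challenge bit."""
    r, t = commit()
    return verify_round(y, t, e, respond(x, r, e))


def cheating_commit(y: int, guess: int) -> tuple[int, int]:
    """A prover who does NOT know x can prepare t = g^r * y^(-guess).
    Answering s = r then passes exactly when the real challenge equals the guess."""
    r = secrets.randbelow(Q)
    y_inv = pow(y, -1, P)
    t = (pow(G, r, P) * pow(y_inv, guess, P)) % P
    return r, t


def cheating_round(y: int, guess: int, e: int) -> bool:
    """Soundness error: without x, a round is passed only if guess == e."""
    r, t = cheating_commit(y, guess)
    return verify_round(y, t, e, r)


def soundness_error(rounds: int) -> float:
    """Probability that a guessing cheater passes every one of `rounds` rounds."""
    return 0.5 ** rounds


# --- non-interactive variant via the Fiat-Shamir heuristic (assumed technique) ---

def _challenge_bits(y: int, commitments: list[int]) -> list[int]:
    """Derive every challenge bit from a hash of the statement and all commitments,
    so the prover cannot pick commitments after seeing the challenges."""
    data = f"{P}:{Q}:{G}:{y}:" + ",".join(map(str, commitments))
    digest = int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")
    return [(digest >> i) & 1 for i in range(len(commitments))]


def nizk_prove(x: int, y: int, rounds: int = 40) -> dict:
    """Prover runs all `rounds` rounds alone (rounds <= 256 for a SHA-256 digest)."""
    rs, ts = zip(*(commit() for _ in range(rounds)))
    es = _challenge_bits(y, list(ts))
    return {"t": list(ts), "s": [respond(x, r, e) for r, e in zip(rs, es)]}


def nizk_verify(y: int, proof: dict) -> bool:
    """Anyone with y and the hash rule can check the proof without interacting."""
    ts, ss = proof["t"], proof["s"]
    if not ts or len(ts) != len(ss):
        return False
    es = _challenge_bits(y, ts)
    return all(verify_round(y, t, e, s) for t, e, s in zip(ts, es, ss))


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover passes:", honest_round(x, y, 1))
    print("cheater with wrong guess passes:", cheating_round(y, 0, 1))
    print("cheater's chance over 10 rounds:", soundness_error(10))
    print("non-interactive proof verifies:", nizk_verify(y, nizk_prove(x, y)))
```

The same `cheating_commit` trick is also why the protocol is zero-knowledge: anyone who knows the challenge in advance can produce an accepting transcript without x, so a transcript carries no information about x. Repetition drives the cheater's success probability down to 0.5 to the power of the number of rounds, and the Fiat-Shamir version bundles all rounds into one message that can be checked later by anyone.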

4. Main Technological Paths of Zero-Knowledge Proofs

Alchemy (2022) divides the technological paths of zero-knowledge proofs into ZK-SNARK, ZK-STARK, and Recursive ZK-SNARK.

4.1 ZK-SNARK

ZK-SNARKs are succinct, non-interactive zero-knowledge proofs.


Public chains need to ensure the correctness of transactions executed on the network by having other computers (nodes) re-run each transaction. However, this method slows down the network and limits scalability as each node must re-execute every transaction, and nodes also need to store transaction data, leading to exponential growth in the size of the blockchain.

To address these limitations, ZK-SNARKs come into play. They can prove the correctness of computations performed off-chain without the need for nodes to replay every step of the computation. This also eliminates the need for nodes to store redundant transaction data, improving network throughput.

To verify an off-chain computation with a SNARK, the computation is encoded as a mathematical expression and a proof of validity is produced for it. The verifier checks the proof; if it passes all checks, the underlying computation is considered valid. The proof of validity is much smaller than the computation it attests to, which is why SNARKs are called succinct.

Most ZK Rollup implementations using ZK-SNARKs follow the following steps:

  1. L2 users sign transactions and submit them to verifiers.
  2. Verifiers use cryptography to compress multiple transactions into corresponding proofs of validity (SNARKs).
  3. Smart contracts on the L1 chain verify the proofs of validity and decide whether to publish this batch of transactions to the main chain.

It is worth mentioning that ZK-SNARKs require a trusted setup. In this stage, a key generator obtains a program and a secret parameter to generate two usable public keys, one for creating proofs and one for verifying proofs. These two public keys need to be generated only once through a trusted setup ceremony and can be used multiple times by all parties wishing to participate in zero-knowledge protocols. Users need to trust that the participants in the trusted setup ceremony do not act maliciously, and there is no way to assess the honesty of the participants. Knowing the secret parameter allows the generation of false proofs to deceive verifiers, posing a potential security risk. Researchers are currently exploring ZK-SNARK schemes that do not require a trusted setup.

Advantages

  1. Security: ZK rollup is considered a more secure scaling solution than OP rollup because ZK-SNARKs rest on cryptographic security mechanisms, making it difficult to deceive verifiers and engage in malicious behavior.

  2. High Throughput: ZK-SNARKs reduce the computational load on the underlying Ethereum network, alleviating network congestion and offloading transaction fees for off-chain computations, resulting in faster transaction speeds.

  3. Small Proof Size: The small size of SNARK proofs makes them easy to verify on the main chain, which means lower Gas Fees for verifying off-chain transactions, reducing user costs.

Limitations

  1. Relative Centralization: It often relies on a trusted setup, which contradicts the original intention of trustlessness in blockchain.

  2. ZK-SNARKs use elliptic curve cryptography (ECC) to encrypt the information used to generate proofs of validity, which is currently relatively secure, but progress in quantum computing may break its security model.

Projects Using ZK-SNARK

Polygon Hermez

In 2021, Polygon acquired Hermez for $250 million, becoming the first case of comprehensive acquisition of two blockchain networks. Hermez's ZK technology and tools brought rapid growth to Polygon's user base, enabling Polygon to develop support for zkEVM. Hermez 1.0 is a payment platform that executes a batch of transactions off-chain, allowing users to easily transfer ERC-20 tokens from one Hermez account to another, with a transaction speed of up to 2000 transactions per second.

Hermez 2.0, as a zero-knowledge zkEVM, transparently executes Ethereum transactions, including smart contracts with zero-knowledge verification. It is fully compatible with Ethereum and does not require much modification to the smart contract code, making it easy for developers to deploy L1 projects to Polygon Hermez. Hermez 1.0 uses SNARK-proofs, while 2.0 uses both SNARK-proofs and STARK-proofs. In 2.0, STARK-proof is used to prove the validity of off-chain transactions. However, the cost of verifying STARK-proof on the main chain is high, so SNARK-proof is introduced to verify STARK.

zkSync

Matter Labs launched zkSync 1.0 in 2020, which does not support smart contracts and is mainly used for transactions or transfers. zkSync 2.0, which supports smart contracts, was publicly launched on the mainnet in March 2023.

zkSync compiles Solidity smart contract source code on Ethereum into Yul to achieve EVM compatibility. Yul is an intermediate language that can be compiled into bytecode for different EVMs. Using the LLVM compiler framework, Yul code can be recompiled into custom, circuit-compatible bytecode sets designed for zkEVM in zkSync. This method eliminates the need to prove all steps of EVM execution through higher-level code, making the proof process more decentralized while maintaining high performance. In the future, support for Rust, Javascript, or other languages can be added by building a new compiler frontend, increasing the flexibility of the zkEVM architecture and attracting more developers.

Aztec

Aztec is the first hybrid zkRollup, implementing the execution of both public and private smart contracts in a single environment. It is a zero-knowledge execution environment, not zkEVM. By merging public and private execution into a single hybrid aggregation, confidentiality is achieved, such as private transactions in public AMMs, private conversations in public games, and private voting in public DAOs.

4.2 ZK-STARK

ZK-STARK does not require a trusted setup. ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge. Compared to ZK-SNARK, ZK-STARK has better scalability and transparency.

Advantages

1. Trustlessness

ZK-STARK uses publicly verifiable randomness instead of a trusted setup, reducing reliance on participants and enhancing protocol security.

2. Stronger Scalability

Despite the exponential growth in the complexity of underlying computations, ZK-STARK maintains low proof and verification times, unlike ZK-SNARK, which has linear growth.

3. Higher Security Assurance

ZK-STARK relies on collision-resistant hash functions rather than the elliptic-curve scheme used in ZK-SNARK, making it resistant to quantum computing attacks.

Limitations

1. Larger Proof Size

ZK-STARK has a larger proof size, resulting in higher costs for verification on the mainnet.

2. Lower Adoption Rate

ZK-SNARK was the first practical application of zero-knowledge proofs in blockchain, so most ZK rollups adopt ZK-SNARK, which has a more mature developer ecosystem and tools. Although ZK-STARK also has support from the Ethereum Foundation, its adoption rate is lower, and the underlying tools still need improvement.

Which Projects Use ZK-STARK?

Polygon Miden

Polygon Miden, an extension solution based on Ethereum L2, integrates a large number of L2 transactions into a single Ethereum transaction using zk-STARK technology, increasing processing capacity and reducing transaction costs. Without sharding, Polygon Miden can generate a block in 5 seconds, with a TPS of over 1000. After sharding, its TPS can reach 10,000. Users can withdraw funds from Polygon Miden to Ethereum in just 15 minutes. The core feature of Polygon Miden is a STARK-based Turing-complete virtual machine—Miden VM, which simplifies formal verification of contracts.

StarkEx and StarkNet

StarkEx is a permissioned framework for custom extension solutions for specific applications. Projects can use StarkEx for low-cost off-chain computation and generate STARK proofs of execution correctness. Such proofs contain 12,000–500,000 transactions. The proofs are then sent to the on-chain STARK verifier for validation, and upon successful validation, the state is updated. Applications deployed on StarkEx include perpetual options dYdX, NFT L2 Immutable, sports digital card trading platform Sorare, and multi-chain DeFi aggregator rhino.fi.

StarkNet is a permissionless L2 where anyone can deploy smart contracts developed in the Cairo language. Contracts deployed on StarkNet can interact with each other to build new composable protocols. Unlike StarkEx, where applications are responsible for submitting transactions, the StarkNet sequencer batches transactions and sends them for processing and proof generation. StarkNet is more suitable for protocols that require synchronous interaction with other protocols or protocols beyond the scope of StarkEx applications. As StarkNet development progresses, applications based on StarkEx will be able to be ported to StarkNet, enjoying composability.

Comparison of ZK-SNARK and ZK-STARK

4.3 Recursive ZK-SNARK

Ordinary ZK rollups can only handle one transaction block, limiting the number of transactions they can process. Recursive ZK-SNARK can verify more than one transaction block, aggregating SNARKs generated from different L2 blocks into a single proof of validity submitted to the L1 chain. Once the contracts on the L1 chain accept the submitted proof, all these transactions become valid, greatly increasing the number of transactions that can be ultimately completed using zero-knowledge proofs.

Plonky2 is a new proof mechanism for Polygon Zero that uses recursive ZK-SNARK to increase transaction throughput. Recursive SNARK extends the proof generation process by aggregating several proofs into a recursive proof. Plonky2 uses the same technology to reduce the time to generate new block proofs. Plonky2 parallelizes the generation of proofs for thousands of transactions and recursively aggregates them into a block proof, resulting in fast generation. In contrast, ordinary proof mechanisms attempt to generate the entire block proof at once, resulting in lower efficiency. Additionally, Plonky2 can generate proofs on consumer-grade devices, addressing the hardware centralization issue often associated with SNARK proofs.

5. Zero Knowledge Rollup vs. Optimistic Rollup

ZK-SNARK and ZK-STARK have become core infrastructure for blockchain scaling projects, especially in Zero Knowledge Rollup solutions. Zero-Knowledge Rollup refers to using zero-knowledge proof technology to offload all computations to off-chain processing, reducing network congestion, and is an Ethereum Layer 2 scaling solution. The main advantage of Zero Knowledge Rollup is the significant increase in Ethereum's transaction throughput while maintaining low transaction fees, and once transactions are included in the rollup, they can be immediately confirmed.

Currently, Ethereum's L2 scaling solutions include Zero Knowledge Rollup and Optimistic Rollup. In Optimistic Rollup, transactions are assumed to be valid and executed immediately. Only when fraudulent transactions are discovered (someone submits a fraud proof) will the transaction be rolled back. Therefore, the security is lower than that of Zero Knowledge Rollup. To prevent fraudulent transactions, Optimistic Rollup has a challenge period, and transactions may need to be finalized after the challenge period, potentially causing users to wait for a period when withdrawing their funds.

When the EVM was initially designed, zero-knowledge proof technology was not considered. Ethereum founder Vitalik believes that in the short term, Zero Knowledge Rollup presents technical complexity, but will ultimately prevail over Optimistic Rollup in the scaling war. Below is a comparison of Zero Knowledge Rollup and Optimistic Rollup.

Source: SUSS NiFT, ChatGPT

6. What Is the Future Outlook for Zero-Knowledge Proof Technology?

Zero-knowledge proof technology is in a unique position: in recent years, a lot of effort has been devoted to advancing research in this field, and many achievements are quite new in the fields of cryptography and secure communication. Therefore, many interesting questions are still awaiting answers from the academic and developer communities. At the same time, zero-knowledge proof technology has been used in various projects, demonstrating the challenges of zero-knowledge technology and expanding its requirements.

One of the noteworthy areas in zero-knowledge proof technology is the discussion of post-quantum security. Publicly verifiable SNARKs (Succinct Non-interactive Arguments of Knowledge) are a key component of zero-knowledge technology. However, most widely used publicly verifiable SNARK schemes are not considered to be quantum-secure. For example, Groth16, Sonic, Marlin, SuperSonic, and Spartan. The mathematical problems these schemes rely on can be effectively solved with the help of quantum computers, greatly compromising their security in a post-quantum world.

We find that the academic community is actively seeking quantum-secure zero-knowledge proofs that can be used for arbitrary statements without a preprocessing stage. Examples of the most advanced quantum-secure zero-knowledge proofs currently include Ligero, Aurora, Fractal, Lattice Bulletproofs, and LPK22. Ligero, Aurora, and Fractal are hash-based, while Lattice Bulletproofs and LPK22 are lattice-based; both families are considered quantum-secure. Promoting these schemes and improving their efficiency has become a trend.

Another expectation for the future of zero-knowledge technology concerns its resistance to attacks and the maturity of the related code. As the amount of written code grows, there will be more secure, audited libraries and best practices for the various zero-knowledge proof technologies. Of course, more common errors will also be discovered and communicated in the future. We expect this field to mature and be widely adopted, with efforts to standardize protocols and ensure interoperability between different implementations; a project called ZKProof has already begun to do so.

Another trend that will continue to exist in the zero-knowledge technology community is more work on efficient algorithms and possible specialized hardware. In recent years, we have seen a reduction in proof size and increased efficiency of provers and verifiers. Progress in algorithms, specialized hardware, and computational optimization may lead to faster and more scalable implementations.

While the efficiency of existing algorithms bodes well for future users of zero-knowledge proof technology, we also expect to see the functionality of zero-knowledge proofs continue to expand. In the past, we encountered many instances of implementing preprocessed ZK-SNARKs. Now we are finding more and more upgradable ZK-SNARK instances. Additionally, the use of some zero-knowledge proof technologies is more due to their succinctness rather than their zero-knowledge capabilities.

Finally, another trend in zero-knowledge proof technology is the intersection of machine learning and zero-knowledge proofs (ZKML). This idea involves training large language models in a multi-party environment and using zero-knowledge technology to verify computations. This is very useful for current artificial intelligence. There is potential for emerging projects in this field.

Conclusion

This article was jointly written by members of the Blockchain Security Alliance. Through this introduction, we can understand the widespread application of zero-knowledge proofs in the blockchain field, the technological path, development trends, and the challenges it faces. We believe that with the development of hardware technology and cryptography, zero-knowledge proofs will make more breakthroughs in the future, providing faster and more secure application services for the digital world.

Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
