Author's Twitter: @renkingeth

Abstract

Zero-knowledge proof (ZKP) is widely regarded as one of the most important technological innovations in the field of blockchain since the advent of distributed ledger technology, and it is also a focus area for venture capital. This article provides a systematic review of the historical literature and the latest research on zero-knowledge proof technology over the past forty years.

First, it introduces the basic concepts and historical background of zero-knowledge proof. Then, it focuses on the analysis of circuit-based zero-knowledge proof technology, including the design, applications, and optimization methods of models such as zkSNARK, Ben-Sasson, Pinocchio, Bulletproofs, and Ligero. In the field of computational environments, the article introduces ZKVM and ZKEVM, discussing how they enhance transaction processing capabilities, protect privacy, and improve verification efficiency. The article also introduces the working mechanism and optimization methods of Zero-Knowledge Rollup (ZK Rollup) as a Layer 2 scaling solution, as well as the latest developments in hardware acceleration, hybrid solutions, and dedicated ZK EVM.

Finally, the article looks ahead to emerging concepts such as ZKCoprocessor, ZKML, ZKThreads, ZK Sharding, and ZK StateChannels, and discusses their potential in terms of blockchain scalability, interoperability, and privacy protection.

By analyzing these latest technologies and development trends, this article provides a comprehensive perspective for understanding and applying zero-knowledge proof technology, demonstrating its enormous potential in enhancing the efficiency and security of blockchain systems, and providing important references for future investment decisions.

Table of Contents

Preface… 4

I. Basics of Zero-Knowledge Proof… 5

1. Overview… 5

2. Examples of Zero-Knowledge Proof… 6

II. Non-Interactive Zero-Knowledge Proof… 8

1. Background… 8

2. Introduction of NIZK… 8

3. Fiat-Shamir Transformation… 9

4. Jens Groth and his research… 9

5. Other research… 10

III. Circuit-Based Zero-Knowledge Proof… 11

1. Background… 11

2. Basic concepts and characteristics of circuit models… 12

3. Circuit design and applications in zero-knowledge proof… 12

4. Potential flaws and challenges… 13

IV. Zero-Knowledge Proof Models… 14

1. Background… 14

2. Common algorithm models… 14

3. Solutions based on linear PCP and discrete logarithm problems… 17

4. Solutions based on ordinary proofs… 18

5. Zero-knowledge based on Probabilistically Checkable Proofs (PCP)… 19

6. Classification based on the setup phase of CPC (Common Proof Construction)… 20

V. Overview and Development of Zero-Knowledge Virtual Machine… 21

1. Background… 21

2. Classification of existing ZKVM… 22

3. Front-end and back-end paradigms… 23

4. Advantages and disadvantages of ZKVM paradigm… 24

VI. Overview and Development of Zero-Knowledge Ethereum Virtual Machine… 25

1. Background… 25

2. Working principle of ZKEVM… 27

3. Implementation process of ZKEVM… 27

4. Features of ZKEVM… 27

VII. Overview of Zero-Knowledge Layer 2 Network Solutions and Development… 28

1. Background… 28

2. Working mechanism of ZK Rollup… 28

3. Drawbacks and optimizations of ZK Rollup… 29

VIII. Future Development Directions of Zero-Knowledge Proof… 30

1. Development of accelerated computing environments… 31

2. Introduction and development of ZKML… 32

3. Development of ZKP scaling technologies… 32

4. Development of ZKP interoperability… 34

IX. Conclusion… 35

References… 37

Preface

In the process of entering the Web3 era, the development of blockchain applications (DApps) is rapidly advancing, with new applications emerging almost every day. In recent years, blockchain platforms have been handling the activities of millions of users and processing billions of transactions on a daily basis. The data generated by these transactions typically include sensitive personal information such as user identities, transaction amounts, account addresses, and balances. Given the openness and transparency of blockchain, this stored data is accessible to everyone, leading to various security and privacy issues.

Currently, several encryption technologies can address these challenges, including homomorphic encryption, ring signatures, secure multi-party computation, and zero-knowledge proof. Homomorphic encryption allows operations to be performed without decrypting the ciphertext, helping to protect the security of account balances and transaction amounts, but it cannot protect the security of account addresses. Ring signatures provide a special form of digital signature that can hide the identity of the signer, thereby protecting the security of account addresses, but they are unable to protect the security of account balances and transaction amounts. Secure multi-party computation allows the distribution of computing tasks among multiple participants without any participant knowing the data of other participants, effectively protecting the security of account balances and transaction amounts, but it also cannot protect the security of account addresses. In addition, homomorphic encryption, ring signatures, and secure multi-party computation cannot be used to verify whether a prover in a blockchain environment has sufficient transaction amount without revealing transaction amounts, account addresses, and balances (Sun et al., 2021).

Zero-knowledge proof is a more comprehensive solution, as this verification protocol allows the correctness of certain propositions to be verified without revealing any intermediate data (Goldwasser, Micali & Rackoff, 1985). This protocol does not require complex public key infrastructure, and its repeated implementation does not provide malicious users with the opportunity to obtain additional useful information (Goldreich, 2004). Through ZKP, verifiers can verify whether a prover has sufficient transaction amount without revealing any private transaction data. The verification process involves generating a proof containing the claimed transaction amount by the prover, then passing the proof to the verifier, who performs predefined calculations on the proof and produces the final computation result to determine whether to accept the prover's claim. If the prover's claim is accepted, it means they have sufficient transaction amount. The above verification process can be recorded on the blockchain without any forgery (Feige, Fiat & Shamir, 1986).

This characteristic of ZKP makes it play a central role in blockchain transactions and cryptocurrency applications, especially in privacy protection and network scalability, making it not only a focus of academic research but also widely regarded as one of the most important technological innovations since the successful implementation of distributed ledger technology, especially Bitcoin. It is also a key track for industry applications and venture capital (Konstantopoulos, 2022).

As a result, many network projects based on ZKP have emerged, such as ZkSync, StarkNet, Mina, Filecoin, and Aleo. With the development of these projects, there is a continuous stream of algorithmic innovations related to ZKP, with new algorithms reportedly emerging almost every week (Lavery, 2024; AdaPulse, 2024). In addition, hardware development related to ZKP is also progressing rapidly, including chips optimized for ZKP. For example, projects such as Ingonyama, Irreducible, and Cysic have completed large-scale fundraising, showcasing not only the rapid progress of ZKP technology but also the shift from general-purpose hardware to specialized hardware such as GPU, FPGA, and ASIC (Ingonyama, 2023; Burger, 2022).

These developments indicate that zero-knowledge proof technology is not only an important breakthrough in the field of cryptography but also a key driving force for achieving a wider range of blockchain technology applications, particularly in improving privacy protection and processing capabilities (Zhou et al., 2022).

Therefore, we have decided to systematically organize the relevant knowledge of zero-knowledge proof (ZKP) to better assist us in making future investment decisions. To this end, we have comprehensively reviewed the core academic papers related to ZKP (sorted by relevance and citation frequency), and we have also analyzed in detail the information and white papers of leading projects in this field (sorted by their fundraising scale). This comprehensive data collection and analysis provide a solid foundation for the writing of this article.

I. Basics of Zero-Knowledge Proof

1. Overview

In 1985, scholars Goldwasser, Micali, and Rackoff first proposed the concept of zero-knowledge proof (ZKP) and interactive zero-knowledge proof (IZK) in their paper "The Knowledge Complexity of Interactive Proof-Systems." This paper laid the foundation for zero-knowledge proof and defined many concepts that have influenced subsequent academic research. For example, they defined knowledge as the output of an unfeasible computation, meaning that knowledge must be an output of an unfeasible computation, indicating that it cannot be a simple function but must be a complex function. Unfeasible computation is typically understood as an NP problem, which can be verified for correctness in polynomial time, where polynomial time refers to the algorithm's running time being expressible as a polynomial function of the input size. This is an important criterion for measuring algorithm efficiency and feasibility in computer science. Due to the complexity of solving NP problems, they are considered unfeasible computations, but their verification process is relatively simple, making them suitable for zero-knowledge proof verification (Goldwasser, Micali & Rackoff, 1985).

A classic example of an NP problem is the traveling salesman problem, where the task is to find the shortest path to visit a series of cities and return to the starting point. While finding the shortest path may be difficult, verifying whether a given path is the shortest is relatively easy. This is because verifying the total distance of a specific path can be done in polynomial time.

Goldwasser et al. introduced the concept of "knowledge complexity" in their paper to quantify the amount of knowledge leaked from the prover to the verifier in an interactive proof system. They also proposed interactive proof systems (IPS), where the prover and verifier interact through multiple rounds to prove the truth of a statement (Goldwasser, Micali & Rackoff, 1985).

In summary, the definition of zero-knowledge proof as summarized by Goldwasser et al. is a special form of interactive proof where the verifier does not gain any additional information other than the truth value of the statement during the verification process. They also proposed three fundamental properties, including completeness, soundness, and zero-knowledge, which ensure the integrity, reliability, and zero-knowledge nature of the zero-knowledge proof (Goldwasser, Micali & Rackoff, 1985).

2. Examples of Zero-Knowledge Proof

To better understand zero-knowledge proof and its properties, here is an example of verifying whether a prover possesses certain private information, divided into three stages: setup, challenge, and response.

Step 1: Setup

In this step, the prover's goal is to create evidence to prove that they know a secret number s without directly revealing s. The secret number s is set;

Two large prime numbers p and q are chosen, and their product is calculated. Let the prime numbers be p and q, and the product be n;

Calculate v, which is part of the proof sent to the verifier, but it is not sufficient for the verifier or any onlooker to infer s;

A random integer r is chosen, and x is calculated and sent to the verifier. This value x is used for the subsequent verification process but does not reveal s. Let the random integer be r, and calculate x.

Step 2: Challenge

The verifier randomly chooses a bit a (which can be 0 or 1) and sends it to the prover. This "challenge" determines the next steps the prover needs to take.

Step 3: Response

Based on the value of a sent by the verifier, the prover responds:

If a = 0, the prover sends (where r is the previously randomly chosen number).

If a = 1, the prover calculates and sends. Let r be the random bit sent by the verifier, and based on the value of a, the prover calculates.

Finally, the verifier verifies whether g is equal to. If the equation holds, the verifier accepts the proof. When, the verifier calculates, and the right-hand side is verified; when, the verifier calculates, and the right-hand side is verified.

In this example, we see that the verifier's calculation of g indicates that the prover successfully passed the verification process without revealing their secret number s. Here, since a can only take the values 0 or 1, there are only two possibilities. The prover's probability of passing the verification process relies on luck (when a is 0). However, the verifier subsequently challenges the prover multiple times, and the prover continuously changes relevant numbers, submits them to the verifier, and always successfully passes the verification process. As a result, the prover's probability of passing the verification process (approaches 0), proving that the prover indeed knows a certain secret number s. This example demonstrates the completeness, soundness, and zero-knowledge nature of the zero-knowledge proof system (Fiat & Shamir, 1986).

II. Non-Interactive Zero-Knowledge Proof

1. Background

Zero-knowledge proof (ZKP) is traditionally conceived as an interactive and online protocol; for example, Sigma protocols typically require three to five rounds of interaction to complete authentication (Fiat & Shamir, 1986). However, in scenarios such as instant transactions or voting, there is often no opportunity for multiple rounds of interaction, especially in the context of blockchain technology applications, where offline verification is particularly important (Sun et al., 2021).

2. Introduction of NIZK

In 1988, Blum, Feldman, and Micali first introduced the concept of non-interactive zero-knowledge (NIZK) proof, demonstrating the possibility of completing authentication between the prover and verifier without the need for multiple rounds of interaction. This breakthrough made it feasible to implement instant transactions, voting, and blockchain applications (Blum, Feldman & Micali, 1988).

They proposed that non-interactive zero-knowledge proof (NIZK) can be divided into three stages:

1. Setup

2. Computation

3. Verification

In the setup stage, a computation function is used to transform security parameters into public knowledge (accessible to both the prover and verifier), typically encoded in a common reference string (CRS). This is the way to compute the proof and use the correct parameters and algorithms for verification.

The computation stage involves using a computation function, input, and proof keys to output the computation result and proof.

In the verification stage, the validity of the proof is verified using the verification key.

They introduced the common reference string (CRS) model, which implements non-interactive zero-knowledge proof for NP problems based on all participants sharing a string. The operation of this model depends on the trusted generation of the CRS, and all participants must have access to the same string. Only when the CRS is correctly and securely generated can schemes implemented based on this model ensure security. For a large number of participants, the generation process of the CRS may be complex and time-consuming, so while such schemes are typically operationally convenient and have small proof sizes, the setup process is challenging (Blum, Feldman & Micali, 1988).

Subsequently, NIZK technology experienced rapid development, leading to various methods for transforming interactive zero-knowledge proofs into non-interactive proofs. These methods differ in the construction of the system or the underlying cryptographic model assumptions.

3. Fiat-Shamir Transformation

Fiat-Shamir Transformation, also known as the Fiat-Shamir Heuristic or Fiat-Shamir Paradigm, was proposed by Fiat and Shamir in 1986 as a method to transform interactive zero-knowledge proofs into non-interactive ones. This method reduces the number of interactions by introducing a hash function and relies on security assumptions to ensure the authenticity and difficulty of forging the proofs. The Fiat-Shamir transformation uses public cryptographic hash functions to replace some randomness and interaction, and its output can be considered as a common reference string (CRS) to some extent. Although this protocol is considered secure in the random oracle model, it relies on the assumption that the hash function output exhibits uniform randomness and independence for different inputs (Fiat & Shamir, 1986). Research by Canetti, Goldreich, and Halevi in 2003 indicated that while this assumption holds in theoretical models, it may face challenges in practical applications, posing risks of failure when used (Canetti, Goldreich & Halevi, 2003). Micali later improved this method, compressing multiple rounds of interaction into a single round, further simplifying the interaction process (Micali, 1994).

4. Jens Groth and His Research

Jens Groth's subsequent research greatly advanced the application of zero-knowledge proofs in cryptography and blockchain technology. In 2005, he, along with Ostrovsky and Sahai, jointly proposed the first perfect non-interactive zero-knowledge proof system applicable to any NP language, ensuring universal composability (UC) security even in the face of dynamic/adaptive adversaries. Additionally, they designed a concise and efficient non-interactive zero-knowledge proof system based on number-theoretic complexity assumptions, significantly reducing the size of the CRS and proofs (Groth & Sahai, 2005).

In 2007, Groth, Cramer, and Damgård began commercializing these technologies. Through experimentation, their public key encryption and signature schemes demonstrated significant improvements in efficiency and security, despite being based on the assumption of bilinear groups (Groth & Sahai, 2007). In 2011, Groth further explored the combination of fully homomorphic encryption with non-interactive zero-knowledge proofs, proposing a solution to reduce communication overhead, ensuring that the size of NIZK remains consistent with the size of the witness of the proof (Groth, 2011). In the following years, he and other researchers conducted in-depth research on pairing-based technologies, providing compact and efficient non-interactive proofs for large-scale statements, although these proofs still remained within the framework of bilinear groups (Bayer & Groth, 2012; Groth, Kohlweiss & Pintore, 2016; Bootle, Cerulli, Chaidos, Groth & Petit, 2015; Groth, Ostrovsky & Sahai, 2012; Groth & Maller, 2017).

5. Other Research

In specific application scenarios, non-interactive zero-knowledge proofs for specific verifiers have demonstrated unique practical value. For example, Cramer and Shoup developed a public key encryption scheme based on universal hash functions, effectively resisting chosen ciphertext attacks in 1998 and 2002. Additionally, a new non-interactive zero-knowledge proof method was successfully developed for the key registration model, applicable to solving all NP-class problems, with the key requirement being that participants need to register their own keys for subsequent verification (Cramer & Shoup, 1998, 2002).

Furthermore, Damgård, Fazio, and Nicolosi proposed a new method in 2006 to improve the existing Fiat-Shamir transformation, allowing non-interactive zero-knowledge proofs to be conducted without direct interaction. In their method, the verifier first needs to register a public key for subsequent encryption operations. The prover uses additive homomorphic encryption technology to perform operations on data without knowledge, generating encrypted information containing the answer as a response to the challenge. The security of this method is based on the "complexity leveraging assumption," which assumes that for adversaries with extraordinary computational resources, certain computationally hard problems may be solved (Damgård, Fazio & Nicolosi, 2006).

The concept of "weakly accountable reliability" proposed by Ventre and Visconti in 2009 is an alternative to this assumption, requiring adversaries, when presenting false proofs, to not only be aware of their falsity but also to clearly understand how they successfully fabricated the false proof. This requirement significantly increases the difficulty of deception, as adversaries must be explicit about their deceptive means. In practical operation, adversaries using this concept need to provide specific proofs containing ciphertext information for a designated verifier, making it difficult to complete the proof without the verifier's private key, thereby exposing their behavior when attempting to forge a proof (Ventre and Visconti, 2009).

The Unruh transformation, proposed in 2015, is an alternative to the Fiat-Shamir transformation. The Fiat-Shamir method is generally not secure against quantum computation and may lead to insecure schemes for certain protocols. In contrast, the Unruh transformation provides provably secure non-interactive zero-knowledge proofs against quantum adversaries for any interactive protocol in the random oracle model (ROM). Similar to the Fiat-Shamir method, the Unruh transformation does not require additional setup steps (Ambainis, Rosmanis & Unruh, 2014).

Additionally, Kalai et al. proposed an arbitrary decision problem argument system based on private information retrieval technology. This method uses a multi-prover interactive proof system (MIP) model and, through the method of Aiello et al., transforms MIP into an argument system. This construction operates in the standard model without relying on the random oracle assumption. This method has been applied in some "proofs-for-muggles" zero-knowledge arguments (Kalai, Raz & Rothblum, 2014).

Building on these technologies, non-interactive zero-knowledge proofs (NIZK) have been widely applied in various fields requiring high security and privacy protection, such as financial transactions, electronic voting, and blockchain technology. By reducing the number of interactions and optimizing the proof generation and verification processes, NIZK not only improves system efficiency but also enhances security and privacy protection capabilities. In the future, with further development and refinement of these technologies, we can expect NIZK to play an important role in more fields, providing a solid technical foundation for achieving more secure and efficient information processing and transmission (Partala, Nguyen & Pirttikangas, 2020).

III. Circuit-Based Zero-Knowledge Proofs

1. Background

In the field of cryptography, especially in dealing with highly parallelized and specific types of computational tasks (such as large-scale matrix operations), the traditional Turing machine model has shown certain limitations. The Turing machine model requires complex memory management mechanisms to simulate an infinitely long tape and is not suitable for directly expressing parallel computation and pipeline operations. In contrast, the circuit model, with its unique computational structure advantages, is more suitable for certain specific cryptographic processing tasks (Chaidos, 2017). This article will delve into zero-knowledge proof systems based on circuit models, which emphasize the use of circuits (typically arithmetic or Boolean circuits) to express and verify computational processes.

2. Basic Concepts and Characteristics of Circuit Models

In the circuit-based computational model, a circuit is defined as a special computational model that can transform any computational process into a series of gates and wires, with these gates performing specific logical or arithmetic operations. Specifically, the circuit model is mainly divided into two major categories:

Arithmetic circuits: primarily composed of addition and multiplication gates, used for processing elements in finite fields. Arithmetic circuits are suitable for performing complex numerical operations and are widely used in encryption algorithms and numerical analysis.

Logic circuits: composed of basic logic gates such as AND gates, OR gates, and NOT gates, used for Boolean operations. Logic circuits are suitable for performing simple logical judgments and binary calculations, commonly used in various control systems and simple data processing tasks (Chaidos, 2017).

3. Circuit Design and Application in Zero-Knowledge Proofs

In zero-knowledge proof systems, the process of circuit design involves expressing the problem to be proven as a circuit. This process requires a significant amount of "reverse thinking" in designing zk circuits: "If a computation claims that its output is genuine, the output must satisfy certain requirements. If these requirements are difficult to model using only addition or multiplication, we require the prover to do additional work to make it easier for us to model these requirements." The design process typically follows the following steps (Chaidos, 2017):

Problem representation: The problem to be proven, such as the computation process of cryptographic hash functions, is first transformed into a circuit form. This includes breaking down the computation steps into basic units in the circuit, such as gates and wires.

Circuit optimization: Through techniques such as gate merging and constant folding, the circuit design is optimized to reduce the number of gates required and computational steps, thereby improving system efficiency and response speed.

Conversion to polynomial representation: To adapt to zero-knowledge proof technology, the optimized circuit is further transformed into polynomial form. Each circuit component and connection corresponds to specific polynomial constraints.

Generation of Common Reference String (CRS): During the system initialization phase, a common reference string is generated, including proof keys and verification keys, for use in subsequent proof generation and verification processes.

Proof generation and verification: The prover performs computations on the circuit based on their private input and CRS to generate a zero-knowledge proof. The verifier can then verify the correctness of the proof based on the public circuit description and CRS, without needing to know the prover's private information (Chaidos, 2017).

The design of zero-knowledge proof circuits involves transforming specific computational processes into circuit representations and ensuring the accuracy of the computation results through the construction of polynomial constraints, while avoiding the leakage of any additional personal information. In circuit design, the key task is to optimize the structure of the circuit and generate effective polynomial representations to enhance the efficiency of proof generation and verification. Through the implementation of these steps, zero-knowledge proof technology can verify the correctness of computations without revealing additional information, ensuring the fulfillment of both privacy protection and data security requirements (Chaidos, 2017).

4. Potential Drawbacks and Challenges

Drawbacks include:

1. Circuit complexity and scale: Complex computations require large circuits, leading to significantly increased computational costs for proof generation and verification, especially when dealing with large-scale data.

2. Difficulty of optimization: While techniques such as gate merging and constant folding can optimize circuits, designing and optimizing efficient circuits still require deep expertise.

3. Adaptability to specific computational tasks: Different computational tasks require different circuit designs, making it time-consuming and challenging to design efficient circuits for each specific task.

4. Difficulty of implementing encryption algorithms: Implementing complex cryptographic algorithms (such as hash functions or public key encryption) may require a large number of logic gates, making circuit design and implementation difficult.

5. Resource consumption: Large-scale circuits require a significant amount of hardware resources, potentially encountering practical hardware implementation bottlenecks in terms of power consumption, heat, and physical space (Goldreich, 2004; Chaidos, 2017; Partala, Nguyen & Pirttikangas, 2020; Sun et al., 2021).

Solutions and improvement directions:

1. Circuit compression technology: Research and application of efficient circuit compression techniques to reduce the number of logic gates required and computational resources.

2. Modular design: Modular circuit design to improve circuit reusability and scalability, reducing the workload of redesigning circuits for different tasks.

3. Hardware acceleration: Utilizing dedicated hardware (such as FPGA or ASIC) to accelerate circuit computations and improve the overall performance of zero-knowledge proofs (Goldreich, 2004; Chaidos, 2017; Partala, Nguyen & Pirttikangas, 2020; Sun et al., 2021).

IV. Zero-Knowledge Proof Models

1. Background

Circuit-based zero-knowledge proofs have limited generality and require the development of new models and algorithms for specific problems. There are various high-level language compilers and low-level circuit composition tools for circuit generation and algorithm design. The transformation of related computations can be completed through manual circuit construction tools or automatic compilers. Manual transformation can often produce optimized circuits, while automatic transformation is more convenient for developers. Performance-critical applications typically require manual transformation tools (Chaidos, 2017; Partala, Nguyen & Pirttikangas, 2020; Sun et al., 2021).

This article will discuss some of the most famous ones. In general, these models are extensions or variants of zkSNARKs technology, each attempting to provide optimization in specific application requirements such as proof size, computational complexity, and setup requirements.

Each protocol has its specific applications, advantages, and limitations, especially in terms of setup requirements, proof size, verification speed, and computational costs. They are applied in various fields, from cryptocurrency privacy and secure voting systems to general computations verified in a zero-knowledge manner (Čapko, Vukmirović & Nedić, 2019).

2. Common Algorithm Models

1. zkSNARK model: Proposed by cryptographers Bitansky et al. in 2011, zkSNARK stands for "Zero-Knowledge Succinct Non-Interactive Argument of Knowledge." It is an improved zero-knowledge proof mechanism, demonstrating the possibility of achieving SNARKs for NP problems if an extractable collision-resistant hash (ECRH) function exists. It showcases the applicability of SNARKs in scenarios such as delegated computation, succinct non-interactive zero-knowledge proofs, and succinct two-party secure computation. This research also establishes the necessity of ECRH for SNARKs, establishing foundational connections between these cryptographic primitives (Bitansky et al., 2011).

The zkSNARK system consists of a setup, prover, and verifier. The setup process generates proof keys (PK) and verification keys (VK) using predefined security parameters l and an F-arithmetic circuit C. All inputs and outputs of this circuit are elements in the field F. PK is used to generate verifiable proofs, while VK is used to verify the generated proofs. Based on the generated PK, the prover uses input x ∈ Fn and witness W ∈ Fh to generate proof p, where C(x, W) = 0l. Here, C(x, W) = 0l indicates that the output of circuit C is 0l, and x and W are input parameters of circuit C. n, h, and l represent the dimensions of x, W, and the output of C, respectively. Finally, the verifier uses VK, x, and p to verify p and decides to accept or reject the proof based on the verification result (Bitansky et al., 2011).

Additionally, zkSNARK possesses some additional features. Firstly, the verification process can be completed in a short time, and the size of the proof is typically only a few bytes. Secondly, there is no need for synchronous communication between the prover and verifier, and any verifier can verify the proof offline. Finally, the prover algorithm can only be implemented in polynomial time. Since then, various improved zkSNARK models have emerged, further optimizing their performance and application scope (Bitansky et al., 2011).

2. Ben-Sasson's Model: Ben-Sasson et al. proposed a new zkSNARK model for the execution of programs on the Von Neumann RISC architecture in 2013 and 2014. Based on the proposed universal circuit generator, they established a system and demonstrated its application in verifying program execution. The system consists of two components: a cryptographic proof system for verifying arithmetic circuit satisfiability, and a circuit generator that converts program execution into arithmetic circuits. This design is superior in functionality and efficiency compared to previous work, especially in the universality of the circuit generator and the additive dependence of output circuit size. Experimental evaluations show that the system can handle programs with up to 10,000 instructions, generate succinct proofs at a high security level, and verify them in just 5 milliseconds. Its value lies in providing an efficient, universal, and secure zk-SNARKs solution for practical applications such as blockchain and privacy-preserving smart contracts (Ben-Sasson et al., 2013, 2014).

3. Pinocchio Model: Proposed by Parno et al. (2013), it is a complete non-interactive zero-knowledge proof generation suite. It includes a high-level compiler that provides developers with a convenient way to transform computations into circuits. These compilers accept code written in high-level languages, allowing for easy transformation of both new and old algorithms. However, to generate appropriately sized circuits, there may be some restrictions on the code structure.

Another feature of Pinocchio is the use of a mathematical structure called Quadratic Arithmetic Programs (QAPs), which efficiently transform computational tasks into verification tasks. QAPs can encode any arithmetic circuit as a set of polynomials and require only linear time and space complexity to generate these polynomials. The proofs generated by Pinocchio are 288 bytes in size and do not vary with the complexity of the computational task or the input/output size, significantly reducing data transmission and storage costs. The verification time for Pinocchio is typically 10 milliseconds, representing a 5-7 order of magnitude reduction compared to previous work. For certain applications, Pinocchio can even achieve faster verification speeds than local execution. Reducing the prover's proof overhead: Pinocchio also reduces the overhead of generating proofs for workers, achieving a 19-60 times reduction compared to previous work (Parno et al., 2013).

4. Bulletproofs Model: In 2017, Benedikt Bünz et al. (2018) designed a new non-interactive ZKP model. It does not require a trusted setup, and the proof size grows logarithmically with the size of the witness. Bulletproofs are particularly suitable for range proofs in confidential transactions, as they can prove a value is within a range using the minimal number of group and field elements. Additionally, Bulletproofs support aggregation of range proofs, allowing a single concise proof to be generated through a multi-party computation protocol, significantly reducing communication and verification time. The design of Bulletproofs makes it highly efficient and practical in distributed and trustless environments such as cryptocurrency. While Bulletproofs are not strictly circuit-based protocols, their succinctness is not as strong as SNARKs, and the verification time for Bulletproofs is longer than for verifying SNARK proofs. However, they are more efficient in scenarios where a trusted setup is not required.

5. Ligero Model: Proposed by Ames et al. (2017), Ligero is a lightweight zero-knowledge proof model. The communication complexity of Ligero is proportional to the square root of the verification circuit size. Additionally, Ligero can rely on any collision-resistant hash function. It can be a zkSNARK scheme in a random oracle model. This model does not require a trusted setup or a public-key cryptosystem. Ligero can be used for very large verification circuits and is suitable for medium-sized circuits in applications.

6. Solutions Based on Linear PCP and Discrete Logarithm Problems

Ishai and Paskin (2007) proposed using additive homomorphic public-key encryption to reduce the communication complexity of interactive linear PCP. Subsequently, Groth and others published several studies from 2006 to 2008, proposing NIZK schemes based on the discrete logarithm problem and bilinear pairings, achieving perfect completeness, computational soundness, and perfect zero-knowledge. The scheme represents statements as algebraic constraint satisfaction problems, achieving sublinear proof length and non-interactivity using an encryption commitment scheme similar to Pedersen commitments, without the need for the Fiat-Shamir heuristic. Although it requires a large CRS and a strong encryption assumption of "exponential knowledge," a sufficiently long CRS can achieve constant proof length. The verification and proof costs are high, and it is recommended to adopt the "simulation extractability" security model. These types of schemes are based on linear PCP and/or the discrete logarithm problem, but they do not have post-quantum security (Groth, 2006, 2006, 2008; Groth & Sahai, 2007).

6. Groth16 Model: Proposed by Jens Groth in 2016, it is an efficient non-interactive zero-knowledge proof system based on elliptic curve pairings and Quadratic Arithmetic Programs (QAP), aiming to provide succinct, fast, and secure zero-knowledge proofs.

7. Sonic Model: Proposed by M. Maller et al. (2019), it is based on Groth's updatable CRS model, using polynomial commitments, pairings, and arithmetic circuits. It requires a trusted setup and can be achieved through secure multi-party computation. Once the CRS is generated, it supports circuits of any size.

8. PLONK Model: A universal zk-SNARK proposed in 2019, using permutation polynomials to simplify arithmetic circuit representation, making proofs simpler and more efficient. It is versatile and supports recursive proof composition (Gabizon, Williamson & Ciobotaru, 2019). The PLONK model claims to reduce proof length and improve proof efficiency compared to Sonic, but it has not yet been peer-reviewed.

9. Marlin Model: An improved zk-SNARK protocol that combines the efficiency of algebraic proof systems with the generality and updatable setup properties of Sonic and PLONK, providing improvements in proof size and verification time (Chiesa et al., 2019).

10. SLONK Model: A new protocol introduced by Zac and Ariel in a document on ethresear, an extension of PLONK aimed at addressing specific computational efficiency issues and enhancing the functionality of the original PLONK system, often involving changes in underlying cryptographic assumptions or implementations (Ethereum Research, 2019).

11. SuperSonic Model: An application of a novel polynomial commitment scheme that transforms Sonic into a post-quantum secure zero-knowledge scheme without the need for a trusted setup (Bünz, Fisch & Szepieniec, 2019).

12. Solutions Based on Proofs-for-Muggles

"Proofs-for-Muggles" is a new zero-knowledge proof method proposed by Goldwasser, Kalai, and Rothblum in 2008. This method constructs interactive proofs for polynomial-time provers in the original interactive proof model, applicable to a wide range of problems. Through a transformation by Kalai et al., these proofs can be turned into non-interactive zero-knowledge proofs (Kalai, Raz & Rothblum, 2014).

12. Hyrax Model: Based on Proofs-for-Muggles, Wahby et al. (2018) first designed a low-communication, low-cost zero-knowledge proof scheme called Hyrax, with low costs for both the prover and verifier. In this scheme, there is no trusted setup. When applied to batch statements, the verification time has a sublinear relationship with the arithmetic circuit size, with a good constant. The prover's runtime has a linear relationship with the arithmetic circuit size, also with a good constant. Non-interactivity is achieved using the Fiat-Shamir heuristic, based on the discrete logarithm problem, and it does not achieve post-quantum security.

13. Libra Model: The first ZKP model with linear prover time, succinct proof size, and verification time. In Libra, to reduce verification costs, the zero-knowledge mechanism is implemented using a method that can mask the prover's response with a slightly random polynomial. Additionally, Libra requires a one-time trusted setup, which depends only on the input size of the circuit. Libra has outstanding asymptotic performance and prover efficiency. Its performance in proof size and verification time is also highly efficient (Xie et al., 2019).

In terms of prover algorithm computational complexity, Libra outperforms Ben-Sasson's model, Ligero, Hyrax, and Aurora. Furthermore, the prover algorithm's computational complexity in Libra is independent of the circuit type (Partala, Nguyen & Pirttikangas, 2020).

14. Spartan Model: Proposed by Srinath Setty (2019), it aims to provide efficient proofs without the need for a trusted setup in a zero-knowledge proof system; non-interactivity is achieved using the Fiat-Shamir transform. It is known for its lightweight design and ability to efficiently handle large circuits.

5. Zero-Knowledge Based on Probabilistically Checkable Proofs (PCP)

Kilian (1992) constructed the first interactive zero-knowledge proof for NP, achieving multiple logarithmic communication. The scheme uses collision-resistant hash functions, interactive proof systems (IP), and probabilistically checkable proofs (PCP). The prover and verifier (as a random algorithm) communicate through multiple rounds, with the verifier testing the prover's knowledge of the statement. Typically, only one-sided error is considered: the prover can always defend a true statement, but the verifier may accept a false statement with low probability. In 2000, Micali used the Fiat-Shamir transform to convert the scheme into a single-message non-interactive scheme. The following implementations can be considered to adopt this approach:

15. STARK Model: In 2018, ZK-STARKs (Scalable Transparent ARgument of Knowledge) technology was proposed by Ben-Sasson et al. to address the inefficiency of zk-SNARKs in handling complex proofs. It also addresses the problem of verifying computation integrity on private data, providing transparent and post-quantum secure proofs without relying on any trusted party.

In the same year, Ben-Sasson et al. founded StarkWare Industries and developed the first scalable solution based on ZK-STARKs, called StarkEx. According to the official Ethereum documentation, it can achieve non-interactivity in a random oracle model using the Fiat-Shamir paradigm. The construction has post-quantum security, but its security relies on non-standard encryption assumptions about Reed-Solomon codes. ZK-STARKs have the same properties as ZK-SNARKs, but with the following advantages: a) Scalability: faster verification process. Transparency: the verification process is public. Larger proof size: requires higher transaction fees (StarkWare Industries, 2018).

16. Aurora Model: Proposed by Ben-Sasson et al. (2019), it is a succinct non-interactive argument (SNARG) based on STARK. Non-interactivity is based on the Fiat-Shamir construction. It is applicable to arithmetic circuit satisfiability. The proof size of Aurora is logarithmic in the circuit size. Additionally, Aurora has several attractive features. In Aurora, there is a transparent setup. There are no effective quantum computing attacks that can break Aurora. Furthermore, fast symmetric encryption is used as a black box. Aurora optimizes proof size. For example, if the security parameter is 128 bits, the proof size of Aurora is at most 250 kilobytes. Aurora and Ligero are very suitable for zero-knowledge proofs on resource-constrained devices, as they optimize proof size and computational overhead. These optimizations not only improve efficiency but also expand the application range of zero-knowledge proof technology, making it applicable in more practical scenarios.

17. Succinct Aurora Model: Also proposed by Ben-Sasson et al. (2019) in the same paper: an extension of the Aurora protocol, providing further optimized proof size and verification process. It maintains the transparent setup and security features of Aurora while enhancing efficiency.

18. Fractal Model: Proposed by Chiesa et al. (2020), a preprocessed SNARK that improves efficiency and scalability using recursive composition. It leverages logarithmic proof size and verification time, particularly suitable for complex computations.

6. Classification Based on the Universal Proof Construction (CPC) Setting Stage

First Generation (G1) - Each circuit requires a separate trusted setup. zkSNARK, Pinocchio, and Groth16.

Second Generation (G2) - Initially, a one-time setup for all circuits. PlonK, Sonic, Marlin, slonk, and Libra.

Third Generation (G3) - Proof systems that do not require a trusted setup. Bulletproofs, STARKs, Spartan, Fractal, Supersonic, Ligero, Aurora, and Succinct Aurora (Čapko, Vukmirović & Nedić, 2019; Partala, Nguyen & Pirttikangas, 2020).

V. Overview and Development of Zero-Knowledge Virtual Machines

1. Background

The previous sections mainly focused on the development of zero-knowledge proofs (ZKP) in cryptography. Next, we briefly introduce its development in the field of computer science.

In 2019, Andreev et al. first proposed the concept of ZK-VM at the "ZkVM: Fast, Private, Flexible Blockchain Contracts" conference as an implementation of a zero-knowledge proof system. The goal of ZK-VM is to generate zero-knowledge proofs by running virtual machine programs to verify the correctness of program execution without leaking input data.

A VM (Virtual Machine) is a software-simulated computer system capable of executing programs, similar to a physical computer. VMs are commonly used to create independent operating system environments for software testing and development, among other purposes. A VM or VM abstraction can generally be understood as a CPU abstraction, referring to the abstraction of the complex operations and architecture of the computer's processing unit (CPU) into a simple, operable instruction set architecture (ISA) to simplify the design and execution of computer programs. In this abstraction, computer programs can run through a virtual machine (VM), which simulates the behavior of a real CPU (Henderson, 2007).

Zero-knowledge proofs (ZKP) typically require execution through CPU abstractions. This is useful because it allows programs to run in a controlled virtual environment while generating proofs (Arun, Setty & Thaler, 2024).

Example: A prover wishes to prove possession of a password's hash without revealing the password:

• Password → Hash Function → Hash Value
• Private → Public

In general, the prover should be able to run code that performs the hashing operation and generate a "proof" that allows anyone to verify the correctness of the proof, i.e., that the prover indeed possesses a valid pre-image for the given hash value.

Systems that generate these VM abstraction proofs are often referred to as "zkVMs." This name is actually misleading because ZKVM does not necessarily provide zero-knowledge. In short, ZKVM is a zero-knowledge proof-focused virtual machine that extends the functionality of traditional VMs, making it easier to develop zero-knowledge circuits and generate proofs for any application or computation in real-time (Zhang et al., 2023).

2. Classification of Existing ZKVMs

According to design goals, they are mainly divided into three categories:

1. Mainstream ZKVM

These ZKVMs utilize existing standard Instruction Set Architectures (ISAs) and compiler toolchains, suitable for a wide range of applications and development environments.

• RISCZero (2021): Uses the RISC-V instruction set with a rich compiler ecosystem (Bögli, 2024).

• PolygonMiden (2021): Based on standard ISAs, it achieves simplicity and efficient development (Chawla, 2021).

• zkWASM (2022): Implements zero-knowledge proofs for the WebAssembly (WASM) instruction set, a widely adopted standard ISA (DelphinusLab, 2022).

2. EVM Equivalent ZKVM

These ZKVMs are specifically designed to be compatible with the Ethereum Virtual Machine (EVM) and can directly run Ethereum bytecode.

• zkEVM projects: Multiple projects are dedicated to achieving bytecode-level compatibility with the EVM, such as zkSync (MatterLabs, 2020) and Polygon Hermez (Polygon Labs, 2021).

3. Zero-Knowledge Optimization (Zero-Knowledge Friendly) ZKVM

These ZKVMs optimize the efficiency and performance of zero-knowledge proofs, designed for specific application scenarios.

• Cairo-VM (2018): Simple and compatible with SNARK proofs, its instruction set is specifically designed to be arithmetic-friendly, facilitating the implementation of basic arithmetic operations in zero-knowledge circuits, such as addition and multiplication (StarkWare, 2018).

• Valida (2023): Optimized for specific applications, such as reducing the computational resources and time required to generate proofs through algorithm optimization; its lightweight design makes it suitable for various hardware and software environments (LitaFoundation, 2023).

• TinyRAM (2013): Not dependent on standard toolchains: due to its simplified and optimized design, it typically does not support LLVM or GCC toolchains and can only be used for small-scale custom software components (Ben-Sasson et al., 2013).

The prevailing view is that simpler VMs can be transformed into circuits with fewer gate counts per step. This is most evident in the design of VMs that are particularly simple and clearly SNARK-friendly, such as TinyRAM and Cairo-VM. However, this comes with additional overhead, as implementing real-world CPU operations on a simple VM requires many primitive instructions (Arun, Setty & Thaler, 2024).

3. Frontend and Backend Paradigms

From a programming perspective, ZKP systems are generally divided into two parts: the frontend and the backend. The frontend of a ZKP system mainly uses low-level languages to represent high-level languages. For example, it can represent a general computational problem using a lower-level circuit language, such as R1CS circuit constraint construction computation (e.g., circom uses R1CS to describe its frontend circuit). The backend of a ZKP system is the cryptographic proof system, which primarily converts the low-level language description of the circuit built in the frontend into proof generation and correctness verification, such as commonly used backend system protocols like Groth16 and Plonk (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

Typically, the circuit "executes" each step of the computation program (with the help of an untrusted "advice input"). The concept of executing a CPU step involves two tasks: (1) identifying the basic instructions to be executed in that step, and (2) executing the instructions and updating the CPU state appropriately. Existing frontends achieve these tasks through carefully designed gates or constraints. This is both time-consuming and error-prone, and it results in circuits much larger than necessary (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

4. Advantages and Disadvantages of ZKVM Paradigms

Advantages:

1. Utilization of existing ISAs: For example, RISC-V and EVM instruction sets can leverage existing compiler infrastructure and toolchains without the need to build infrastructure from scratch. Existing compilers can be directly invoked to convert witness checking programs written in high-level languages into ISA assembly code, benefiting from previous audits or other verification work.

2. Support for multiple programs with a single circuit: ZKVM allows a single circuit to run all programs until a time limit is reached, while other methods may require re-running the frontend for each program.

3. Circuits with repetitive structures: Frontend outputs circuits with repetitive structures, allowing backends to process them more quickly (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

Disadvantages:

1. Overhead of generality: To support all possible CPU instruction sequences, ZKVM circuits incur a cost for their generality, leading to an increase in circuit size and proof cost.

2. High-cost operations: Implementing certain important operations (such as encryption operations) in ZKVM is very expensive. For example, ECDSA signature verification takes 100 microseconds on a real CPU, but requires millions of instructions on the RISC-V instruction set. Therefore, ZKVM projects include manually optimized circuits and lookup tables for computing specific functions.

3. High proof cost: Even for very simple ISAs, the prover cost of existing ZKVMs is still high. For example, Cairo-VM requires the prover to submit 51 field elements for each step, meaning that executing a primitive instruction may require millions of instructions on a real CPU, limiting its applicability in complex applications (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

VI. Overview and Development of Zero-Knowledge Ethereum Virtual Machine

1. Background

ZKEVM (Zero-Knowledge Ethereum Virtual Machine) and ZKVM (Zero-Knowledge Virtual Machine) are both virtual machines that apply zero-knowledge proofs (ZKP) technology. The Ethereum Virtual Machine (EVM) is part of the Ethereum blockchain system, responsible for deploying and executing smart contracts. EVM has a stack-based architecture and serves as a computational engine, providing a specific instruction set for computation and storage (e.g., log operations, execution, memory and storage access, control flow, recording, calls, etc.). The role of EVM is to update the state of Ethereum after applying operations from smart contracts. ZKEVM is specifically designed for Ethereum, primarily used to verify the correctness of smart contract execution while protecting transaction privacy. ZKEVM translates the EVM instruction set into the ZK system for execution, requiring a proof for each instruction, including state proofs and execution correctness proofs (Čapko, Vukmirović & Nedić, 2019).

The current mainstream solutions for ZKEVM include STARKWARE, zkSync, Polygon Hermez, and Scroll. Here is a brief overview of these projects (Čapko, Vukmirović & Nedić, 2019):

STARKWARE: Founded by Ben-Sasson et al. (2018), it aims to enhance the privacy and scalability of blockchain using STARK zero-knowledge proof technology.

zkSync: Founded by Alex Gluchowski (2020) and others at Matter Labs, it proposes an Ethereum Layer 2 scaling solution based on zk-rollups.

Polygon Hermez: Originally an independent project, Hermez was released in 2020. After being acquired by Polygon in August 2021, it became Polygon Hermez, focusing on high-throughput zk-rollups solutions.

Scroll: Founded by Zhang and Peng (2021), it achieves higher transaction throughput and lower gas fees, thereby improving the overall performance and user experience of Ethereum.

They can be categorized based on their compatibility with EVM:

1. EVM-EVM-compatibility: Compatibility at the smart contract functionality level, such as STARKWARE and zkSync.

2. EVM-equivalence: Compatibility at the EVM instruction level (equivalence), such as Polygon Hermez and Scroll.

For improved zero-knowledge Ethereum system solutions, please refer to Figure 1.

Type of Optimization

Solution

Used Algorithms/Compilers

Algorithm Improvement

Polygon Zero

Plonky3, Plonky2, Keccak256, FRI, Plonk

Hybridization

Polygon Nightfall

Nightfall

ZK EVM

AppliedZKP

Halo2, KZG, BN-254

zkSync

ultraPlonk

Polygon Hermez

Plonk, KZG, Groth16

Sin7Y

Halo2, KZG, Recursive Plonk

Polygon Miden

STARK based ZK VM

Hardware

DIZK

Distributed zkSNARK

PipeZK

POLY, MSM

PipeMSM

PipeMSM

HardAcc-Groth16

Groth16

CPU/GPUAcc - Bulletproof

Bulletproof

Figure 1: Improved Solutions for Zero-Knowledge Ethereum Systems

2. Working Principle of ZKEVM

Node Program Processing: The node program processes and verifies execution logs, block headers, transactions, contract bytecode, Merkle proofs, etc., and sends this data to zkEVM for processing.

Generating ZK Proofs: zkEVM uses circuits to generate ZK proofs of the execution results (state and execution correctness proofs), with these circuits mainly using tables and custom circuits to achieve this.

Proof Aggregation: Large proofs are aggregated into smaller proofs using aggregation circuits, such as recursive proofs.

Sent to L1 Contract: Aggregated proofs are sent to L1 contracts for execution in the form of transactions (Čapko, Vukmirović & Nedić, 2019).

3. Implementation Process of ZKEVM

Data Acquisition: Obtain data from the Ethereum blockchain system, including transactions, block headers, contracts, etc.

Data Processing: Process and verify execution logs, block headers, transactions, contract bytecode, Merkle proofs, etc.

Proof Generation: Use circuits to generate ZK proofs, ensuring the state updates and execution correctness of each instruction.

Recursive Proofs: Compress the generated large proofs into smaller aggregated proofs.

Proof Submission: Submit the aggregated proofs to L1 contracts to complete transaction verification (Čapko, Vukmirović & Nedić, 2019).

4. Features of ZKEVM

Enhanced Transaction Processing Capacity: Executing transactions on ZKEVM on L2 reduces the load on L1.

Privacy Protection: Protects transaction privacy while verifying smart contract execution.

Efficient Verification: Uses zero-knowledge proof technology to achieve efficient state and execution correctness verification (Čapko, Vukmirović & Nedić, 2019).

VII. Overview and Development of Zero-Knowledge Layer 2 Network Solutions

1. Background

The Ethereum blockchain is one of the most widely adopted blockchain ecosystems. However, Ethereum faces serious scalability issues, leading to high usage costs. Zero-Knowledge Layer 2 Network Solutions (ZK Rollup), based on zero-knowledge proofs (ZKP), are a second-layer (Layer 2) scaling solution for Ethereum that overcomes the drawbacks of long confirmation times for Optimistic Rollup transactions (Ganguly, 2023).

2. Working Mechanism of ZK Rollup

ZK Rollup allows scalability within a single transaction. Smart contracts on L1 are responsible for processing and verifying all transfers, ideally generating only one transaction. This is achieved by reducing the use of computational resources on Ethereum by executing transactions off-chain and then reintroducing the final signed transactions back on-chain. This step is known as Validity Proof. In some cases, it may not be possible to complete the verification within a single proof, requiring additional transactions to publish rollup data to the Ethereum main chain to ensure data availability (Ganguly, 2023).

In terms of space, using ZK Rollup improves efficiency as it does not require data storage like regular smart contracts. Each transaction only requires verification proofs, further minimizing data, making them cheaper and faster (Ganguly, 2023).

Although the term "ZK" (zero-knowledge) is included in the name ZK Rollup, they primarily leverage the conciseness of zero-knowledge proofs to improve the efficiency of blockchain transactions, rather than focusing primarily on privacy protection (Ganguly, 2023).

3. Drawbacks and Optimization of ZK Rollup

ZK Rollup, as a Layer 2 solution for Ethereum scalability, performs well in improving transaction processing efficiency, but its main issue lies in the very high computational cost. However, through some optimization strategies, the performance and feasibility of ZK Rollup can be significantly improved (Čapko, Vukmirović & Nedić, 2019).

1. Optimization of Cryptographic Algorithm Computation

Optimizing the computation process of cryptographic algorithms can improve the efficiency of ZK Rollup, reducing computation time and resource consumption. For example, Plonky2, proposed by Polygon Zero (formerly MIR), is a decentralized ZK Rollup solution. Plonky2 is a recursive SNARK that is 100 times faster than other Ethereum-compatible alternatives, combining the best features of STARKs and SNARKs:

• Plonk and FRI: Provide fast proofs without trusted setups.
• Support for recursion: Improves efficiency through recursive proofs.
• Low verification cost: Achieves efficient proofs through 64-bit recursive FRI combined with Plonk.
• Hybrid Optimistic and ZK Rollup

For example, Polygon Nightfall is a hybrid Rollup that combines the features of Optimistic and ZK Rollup, aiming to increase transaction privacy and reduce transfer fees (up to 86% reduction).

3. Development of Dedicated ZK EVM

Dedicated ZK EVM is designed to improve ZK Rollup algorithms and optimize the zero-knowledge proof process. Here are several specific solutions:

• AppliedZKP: An open-source project funded by the Ethereum Foundation, implementing ZK of native Ethereum EVM opcodes, using cryptographic algorithms such as halo2, KZG, and Barreto-Naehrig (BN-254) elliptic curve pairings.
• zkSync: A custom EVM developed by Matter Labs, implementing the compilation of contract code into YUL (intermediate language of the Solidity compiler), and then compiling it into supported custom bytecode, using the extended version of Plonk, ultraPlonk.
• Polygon Hermez: A decentralized Rollup compatible with custom EVM, compiling contract code into supported microinstructions, using the Plonk, KZG, and Groth16 proof systems.
• Sin7Y zkEVM: Implements ZK of native Ethereum EVM opcodes and optimizes dedicated opcodes, using halo2, KZG, and Recursive Plonk.
• Polygon Miden: A universal zero-knowledge virtual machine based on STARK.

4. Hardware Optimization

Hardware optimization can significantly improve the performance of ZK Rollup. Here are several hardware optimization solutions:

• DIZK (DIstributed Zero Knowledge): Optimized by distributing the execution of zkSNARK proofs on a computing cluster. The hardware architecture includes two subsystems, one for polynomial computation (POLY) with large-size number theoretic transforms (NTTs), and another for performing multiple scalar multiplications (MSM) on elliptic curves (ECs). PipeMSM is a pipelined design MSM algorithm implemented on FPGA.
• FPGA-based ZKP Hardware Accelerator Design: Includes multiple Fast Fourier Transform (FFT) units and decomposition of FFT operations, multiple Multiply-Accumulate (MAC) units, and multiple Elliptic Curve Processing (ECP) units to reduce computational overhead. FPGA-based zk-SNARK design reduces proof time by approximately 10 times.
• Hardware Acceleration of Bulletproof Protocol: Implemented through CPU-GPU collaboration framework and parallel Bulletproofs on GPU (Čapko, Vukmirović & Nedić, 2019).

VIII. Future Development Directions of Zero-Knowledge Proofs

1. Development of Accelerated Computing Environment

Zero-knowledge proof protocols (such as ZKSNARKs and ZKSTARKs) typically involve a large number of complex mathematical operations during execution, which need to be completed in a very short time, placing high demands on computational resources (such as CPU and GPU), resulting in high computational complexity and long computation time. In addition, generating and verifying zero-knowledge proofs requires frequent access to large amounts of data, placing high demands on memory bandwidth. The limited memory bandwidth of modern computer systems cannot efficiently support such high-frequency data access requirements, leading to performance bottlenecks. Ultimately, high computational loads lead to high energy consumption, especially in blockchain and decentralized applications that require continuous proof computation. Therefore, while software optimization solutions can partially alleviate these issues, it is difficult to achieve the efficiency and low energy consumption levels of hardware acceleration due to the physical limitations of general-purpose computing hardware. Hybrid solutions can achieve higher performance improvements while maintaining flexibility (Zhang et al., 2021).

ZK-ASIC (Application-Specific Integrated Circuit)

During 2020, several projects emerged aiming to accelerate and optimize the generation and verification process of zero-knowledge proofs (ZKP) using hardware such as GPUs or FPGAs to improve efficiency (Filecoin, 2024; Coda, 2024; Gpu groth16 prover, 2024; Roy et al., 2019; Devlin, 2024; Javeed & Wang, 2017).

In 2021, Zhang et al. proposed a zero-knowledge proof acceleration solution based on a pipelined architecture, optimizing multiple scalar multiplications (MSM) using the Pippenger algorithm and reducing data transfer latency through "unrolling" Fast Fourier Transform (FFT) (Zhang et al., 2021).

ZKCoprocessor

Axiom (2022) introduced the concept of ZKCoprocessor, which refers to a ZK coprocessor. A coprocessor refers to a separate chip that enhances the CPU and provides specialized operations such as floating-point operations, encryption operations, or graphics processing. While the term is no longer commonly used as CPUs become more powerful, GPUs can still be considered as a coprocessor for CPUs, especially in the context of machine learning.

The term ZK coprocessor extends the analogy of physical coprocessor chips to blockchain computing, allowing smart contract developers to prove off-chain computations of existing on-chain data without state. One of the biggest bottlenecks faced by smart contract developers is still the high cost of on-chain computations. As gas is calculated for each operation, the cost of complex application logic quickly becomes impractical. The ZK coprocessor introduces a new design pattern for on-chain applications, eliminating the restriction of having to complete computations in the blockchain virtual machine. This allows applications to access more data and operate at a larger scale than before (Axiom, 2022).

2. Introduction and Development of ZKML

Concept of ZKML

Zero-Knowledge Machine Learning (ZKML) is an emerging field that applies zero-knowledge proof (ZKP) technology to machine learning. The core idea of ZKML is to allow verification of machine learning computations without revealing data or model details. This not only protects data privacy but also ensures the trustworthiness and correctness of computation results (Zhang et al., 2020).

Development of ZKML

In 2020, Zhang et al. systematically introduced the concept of ZKML at the CCS conference, demonstrating how zero-knowledge proofs can be used to make decision tree predictions without revealing data or model details. This laid the theoretical foundation for ZKML.

In 2022, Wang and Hoang further researched and implemented ZKML, proposing an efficient zero-knowledge machine learning inference pipeline and demonstrating how ZKML can be implemented in real-world applications. The research showed that, despite the complexity of ZKP technology, acceptable computational performance can be achieved through reasonable optimization while ensuring data privacy and computational correctness.

3. Developments Related to ZKP Scalability Techniques

Introduction of ZKThreads Concept

In 2021, StarkWare introduced the concept of ZKThreads, aiming to combine zero-knowledge proofs (ZKP) and sharding technology to provide scalability and customizability for decentralized applications (DApps) without fragmentation issues. ZKThreads ensures real-time processing at the base layer, improving security and composability.

Optimizations of ZKThreads are made in three main aspects: single-chain solutions, ZK-rollups solutions, and Proto-Danksharding technology.

Single-chain solution: In traditional single-chain architecture, all transactions are processed on a single chain, leading to heavy system load and poor scalability. ZKThreads significantly improves processing efficiency by distributing data and computational tasks across multiple shards.

ZK-rollups solution: While ZK-rollups have significantly improved transaction processing speed and reduced costs, they are often operated independently, leading to liquidity fragmentation and interoperability issues. ZKThreads provides a standardized development environment supporting interoperability between different shards, addressing liquidity fragmentation issues.

Proto-Danksharding technology: This is an internal improvement solution for Ethereum, reducing transaction costs for zk-rollups by temporarily storing data blocks. ZKThreads further improves this by reducing reliance on temporary data storage through a more efficient sharding architecture, enhancing overall system efficiency and security (StarkWare, 2021).

Introduction of ZK Sharding Concept

Subsequently, in 2022, NilFoundation introduced the concept of ZK Sharding, aiming to achieve scalability and faster transaction speeds for Ethereum through the combination of zero-knowledge proofs (ZKP) and sharding technology. This technology aims to divide the Ethereum network into multiple parts to process transactions in a cheaper and more efficient manner. The technology includes zkSharding, which uses zero-knowledge technology to generate proofs, ensuring that transactions across different shards are valid before being submitted to the main chain. This approach not only improves transaction speed but also reduces fragmentation of on-chain data, ensuring economic security and liquidity.

4. Development of ZKP Interoperability

ZK State Channels

In 2021, the concept of ZK State Channels was introduced by Virtual Labs, combining zero-knowledge proofs (ZKP) and state channel technology to achieve efficient off-chain transactions while ensuring transaction privacy and security using zero-knowledge proofs.

ZK State Channels as an Alternative to Existing Solutions

1. Traditional State Channels:

Original Solution: Traditional state channels allow two users to conduct peer-to-peer (P2P) transactions by locking funds in smart contracts. Since the funds are locked, signature exchanges between users can be done directly without any gas fees or delays. However, this method requires predefined addresses and the opening and closing of channels require on-chain operations, limiting its flexibility.

Alternative Solution: ZK StateChannels support an unlimited number of participants, allowing dynamic entry and exit without the need for predefined user addresses. Additionally, through zero-knowledge proofs, ZK StateChannels provide instant cross-chain access and self-verifying proofs, addressing the flexibility and scalability issues of traditional state channels.

Multi-chain Support:

Original Solution: Traditional state channels typically only support transactions on a single chain, unable to perform cross-chain operations, limiting user operations.

Alternative Solution: ZK StateChannels, through zero-knowledge proof technology, enable instant cross-chain transactions and asset transfers without the need for intermediate bridging, greatly enhancing multi-chain interoperability.

Predefined Address Limitation:

Original Solution: In traditional state channels, the addresses of transaction participants must be predefined at channel creation. If new participants join or leave, the channel must be closed and reopened, increasing operational complexity and costs.

Alternative Solution: ZK StateChannels allow dynamic entry and exit, enabling new participants to join existing channels at any time without affecting current user operations, greatly improving system flexibility and user experience.

ZK Omnichain Interoperability Protocol

In 2022, the ZK Omnichain Interoperability Protocol was proposed by Way Network to achieve cross-chain asset and data interoperability based on zero-knowledge proofs. The protocol enables full-chain communication and data transfer using zkRelayer, ZK Verifier, IPFS, Sender, and Receiver.

The Omnichain project focuses on cross-chain interoperability, aiming to provide a low-latency, secure network connecting different blockchains. By introducing a standardized cross-chain transaction protocol, it enables seamless transfer of assets and data between blockchains. This approach not only improves transaction efficiency but also ensures the security of cross-chain operations.

Way Network can be seen as a specific implementation of the Omnichain concept, particularly in enhancing privacy and security using zero-knowledge proof technology. The technical architecture of Way Network enables seamless interoperability between chains while maintaining decentralization and efficiency.

In summary, Omnichain provides an overall framework for cross-chain interoperability, and Way Network, through zero-knowledge proof technology, enhances privacy protection and security within this framework.

Conclusion

This paper provides a comprehensive literature review of zero-knowledge proofs (ZKP) technology and its latest developments and applications in the blockchain field. It systematically examines ZKP in the blockchain environment, investigates state-of-the-art zero-knowledge proof schemes applicable to blockchain and verifiable computation, and explores their applications in anonymous and confidential transactions and privacy smart contracts. The paper lists the pros and cons of these peer-reviewed schemes and methods, providing reference materials for practical evaluation and comparison of these schemes, emphasizing the skills and knowledge developers need when choosing the appropriate solution for specific use cases.

Furthermore, the paper looks ahead to the future development directions of zero-knowledge proofs in hardware acceleration, blockchain scalability, interoperability, and privacy protection. Through a detailed analysis of these latest technologies and development trends, the paper provides a comprehensive perspective on understanding and applying zero-knowledge proof technology, demonstrating its enormous potential in improving the efficiency and security of blockchain systems. This research also lays a solid foundation for future studies on ZK project investments.

References

Ames, S., Hazay, C., Ishai, Y., & Venkitasubramaniam, M. (2017). Ligero. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2087-2104. DOI: https://doi.org/10.1145/3133956.3134104.

AdaPulse (2024). The Convergence of Zero-Knowledge Proofs and Decentralized Systems: Part 1. AdaPulse. Available at: https://adapulse.io/the-convergence-of-zero-knowledge-proofs-and-decentralized-systems-part-1 (Accessed: 30 June 2024).

Ambainis, A., Rosmanis, A., & Unruh, D. (2014). Quantum attacks on classical proof systems: The hardness of quantum rewinding. In Proceedings of the IEEE 55th Annual Symposium on Foundations of Computer Science (FOCS 2014), 474-483.

Andreev, O., et al. (2019). ZkVM: Fast, Private, Flexible Blockchain Contracts. Available at: https://cathieyun.github.io/presentations/zkvm.html (Accessed: 30 June 2024).

Arun, A., Setty, S., & Thaler, J. (2024). Jolt: SNARKs for Virtual Machines via Lookups. In Joye, M., & Leander, G. (Eds.), Advances in Cryptology – EUROCRYPT 2024, Lecture Notes in Computer Science, 14656. Cham: Springer. Available at: https://doi.org/10.1007/978-3-031-58751-1_1 (Accessed: 30 June 2024).

Axiom (2022). What is a ZK Coprocessor? Available at: https://blog.axiom.xyz (Accessed: 30 June 2024).

Bögli, R. (2024). Assessing RISC Zero using ZKit: An Extensible Testing and Benchmarking Suite for ZKP Frameworks. Master's thesis, OST Ostschweizer Fachhochschule.

• Burger, E. (2022) 'Decentralized Speed: Advances in Zero Knowledge Proofs', a16z. Available at: https://a16z.com/decentralized-speed-advances-in-zero-knowledge-proofs/ (Accessed: 30 June 2024).

• Blum, M., Feldman, P., & Micali, S. (1988) 'Non-interactive zero-knowledge and its applications', Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing (STOC '88), 103-112. DOI: https://doi.org/10.1145/62212.62222.

• Bootle, J., Cerulli, A., Chaidos, P., Groth, J., & Petit, C. (2015) 'Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting', EUROCRYPT 2016: Advances in Cryptology, Lecture Notes in Computer Science, 9666, 327-357. Available at: https://link.springer.com/chapter/10.1007/978-3-662-49896-5_12 (Accessed: 30 June 2024).

• Bayer, S., & Groth, J. (2012) 'Efficient zero-knowledge argument for correctness of a shuffle', EUROCRYPT 2012: Advances in Cryptology, Lecture Notes in Computer Science, 7237, 263-280. Available at: https://link.springer.com/chapter/10.1007/978-3-642-29011-4_16 (Accessed: 30 June 2024).

• Bitansky, N., Canetti, R., Chiesa, A., & Tromer, E. (2011) 'From Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2011/443.pdf (Accessed: 30 June 2024).

• Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., & Maxwell, G. (2018) 'Bulletproofs: Short Proofs for Confidential Transactions and More', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2017/1066.pdf (Accessed: 30 June 2024).

• Bünz, B., Fisch, B., & Szepieniec, A. (2019) 'Transparent SNARKs from DARK Compilers', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/1229 (Accessed: 28 June 2024).

• Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., & Virza, M. (2013) 'SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge (extended version)', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2013/507.pdf (Accessed: 30 June 2024).

• Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., & Virza, M. (2014) 'Succinct Noninteractive Zero Knowledge for a Von Neumann Architecture', in Proceedings of the 23rd USENIX Security Symposium, 781-796.

• Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., & Virza, M. (2014) 'Zerocash: Decentralized Anonymous Payments from Bitcoin', in Proceedings of the 2014 IEEE Symposium on Security and Privacy.

• Ben-Sasson, E., Bentov, I., Horesh, Y., & Riabzev, M. (2018) 'Scalable, Transparent, and Post-Quantum Secure Computational Integrity', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2018/046.pdf (Accessed: 30 June 2024).

• Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., & Ward, N. (2019) 'Aurora: Transparent Succinct Arguments for R1CS', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2018/828.pdf (Accessed: 3 May 2024).

• Chaidos, P.I.P. (2017) Zero Knowledge Protocols and Applications. Doctor of Philosophy Dissertation. University College London, Security & Crime Science.

• Chawla, V. (2021) 'Polygon Unveils ZK-Rollup Solution Miden to Scale Ethereum', CryptoBriefing. Available at: https://cryptobriefing.com/polygon-unveils-miden (Accessed: 30 June 2024).

• Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, P., & Ward, N. (2019) 'M: Preprocessing zkSNARKs with Universal and Updatable SRS'. [online] Available at: https://eprint.iacr.org/2019/1047.pdf (Accessed: 30 June 2024).

• CodaProtocol (n.d.) 'Gpu groth16 prover'. Available at: https://github.com/CodaProtocol/gpu-groth16-prover-3x (Accessed: 30 June 2024).

• Chiesa, A., Ojha, D., & Spooner, N. (2020) 'FRACTAL: Post-Quantum and Transparent Recursive Proofs from Holography'. [online] Available at: https://eprint.iacr.org/2019/1076.pdf (Accessed: 3 May 2024).

• Čapko, D., Vukmirović, S., & Nedić, N. (2019) 'State of the Art of Zero-Knowledge Proofs in Blockchain', Faculty of Technical Sciences, University of Novi Sad, Novi Sad, Serbia. Available at: dcapko@uns.ac.rs, srdjanvu@uns.ac.rs, nemanja.nedic@uns.ac.rs (Accessed: 30 June 2024).

• Cramer, R., & Shoup, V. (1998) 'A practical public-key encryption scheme secure against adaptive chosen ciphertext attack', in Advances in Cryptology – CRYPTO’98, 13-25. Springer.

• Cramer, R., & Shoup, V. (2002) 'Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption', in Advances in Cryptology – EUROCRYPT 2002, 45-64. Springer.

• Canetti, R., Goldreich, O., & Halevi, S. (2003) 'On the random-oracle methodology as applied to length-restricted signature schemes'. [online] Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2003/150 (Accessed: 28 Jun. 2024).

• Devlin, B.S. (n.d.) 'Fpga snark prover targeting the bn128 curve'. Available at: https://github.com/bsdevlin/fpgasnarkprover (Accessed: 30 June 2024).

• Damgård, I., Fazio, N., & Nicolosi, A. (2006) 'Non-Interactive Zero-Knowledge from Homomorphic Encryption', in Theory of Cryptography Conference (TCC 2006), Lecture Notes in Computer Science, 3876, 41-59. Available at: https://iacr.org/archive/tcc2006/38760041/38760041.pdf (Accessed: 28 Jun. 2024).

• EthereumResearch (2019) 'SLONK—a simple universal SNARK'. [online] Available at: https://ethresear.ch/t/slonk-a-simple-universal-snark/6420 (Accessed: 28 Jun. 2024).

• FilecoinProject (n.d.) 'bellperson: Gpu parallel acceleration for zk-snark'. Available at: https://github.com/filecoin-project/bellperson (Accessed: 30 June 2024).

• Fiat, A., & Shamir, A. (1986) 'How To Prove Yourself: Practical Solutions to Identification and Signature Problems', in Advances in Cryptology — CRYPTO’86, 186–194. DOI: https://doi.org/10.1007/3-540-47721-7_12.

Feige, U., Fiat, A., & Shamir, A. (1986) 'Zero-Knowledge Proofs of Identity', in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC 1986), pp. 210-217. DOI: 10.1145/12130.12146.

Ganguly, P. (2023) Zero-Knowledge Proofs Origination and Early Twenty-First Century Use Cases. Master of Science (Computer Science) thesis, New York University, Tandon School of Engineering. UMI Dissertation Publishing, ProQuest CSA, 789 E. Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106-134.

Goldreich, O. (2004) 'Zero-Knowledge Twenty Years After Its Invention', Electronic Colloquium on Computational Complexity (ECCC), Report No. 63. Available at: https://eccc.weizmann.ac.il/report/2004/063/ (Accessed: 30 June 2024).

Goldwasser, S., Micali, S., & Rackoff, C. (1985) 'The knowledge complexity of interactive proof-systems', Proceedings of the seventeenth annual ACM symposium on Theory of computing - STOC ’85. DOI: https://doi.org/10.1145/22145.22178.

Groth, J., & Sahai, A. (2005) 'Perfect Non-Interactive Zero Knowledge for NP'. [online] Available at: https://eprint.iacr.org/2005/290.pdf (Accessed: 27 June 2024).

Groth, J. (2006) 'Simulation-sound NIZK proofs for a practical language and constant size group signatures', ASIACRYPT 2006: Advances in Cryptology, Lecture Notes in Computer Science, vol. 4284, pp. 444-459. Available at: https://link.springer.com/chapter/10.1007/11935230_29 (Accessed: 30 June 2024).

Groth, J., Ostrovsky, R., & Sahai, A. (2006) 'Fully concurrent non-malleable zero-knowledge', EUROCRYPT 2006: Advances in Cryptology, Lecture Notes in Computer Science, vol. 4004, pp. 214-235. Available at: https://link.springer.com/chapter/10.1007/11761679_14 (Accessed: 30 June 2024).

Groth, J., & Sahai, A. (2007) 'Efficient non-interactive proof systems for bilinear groups', SIAM Journal on Computing, vol. 41, no. 5, pp. 1193-1232. Available at: https://epubs.siam.org/doi/10.1137/080725386 (Accessed: 30 June 2024).

Groth, J. (2008) 'Sub-linear zero-knowledge arguments for linear algebra', CRYPTO 2008: Advances in Cryptology, Lecture Notes in Computer Science, vol. 5157, pp. 192-206. Available at: https://link.springer.com/chapter/10.1007/978-3-540-85174-5_11 (Accessed: 30 June 2024).

Groth, J. (2011) 'Minimizing Non-interactive Zero-Knowledge Proofs Using Fully Homomorphic Encryption', Journal of Cryptology, 24(4), pp. 591-623.

Groth, J., Ostrovsky, R., & Sahai, A. (2012) 'New techniques for non-interactive zero-knowledge', Journal of the ACM, 59(3), pp. 1-35. Available at: https://dl.acm.org/doi/10.1145/2220357.2220361 (Accessed: 30 June 2024).

Groth, J. (2016) 'On the Size of Pairing-based Non-interactive Arguments'. [online] DOI: https://doi.org/10.1007/978-3-662-49896-5.

Groth, J., Kohlweiss, M., & Pintore, F. (2016) 'One-time simulation-sound QA-NIZK arguments and applications to ring signatures', ASIACRYPT 2016: Advances in Cryptology, Lecture Notes in Computer Science, vol. 10031, pp. 102-132. Available at: https://link.springer.com/chapter/10.1007/978-3-662-53887-6_4 (Accessed: 30 June 2024).

Groth, J., & Maller, M. (2017) 'Snarky signatures: Minimal signatures of knowledge from simulation-extractable SNARKs', CRYPTO 2017: Advances in Cryptology, Lecture Notes in Computer Science, vol. 10402, pp. 581-612. Available at: https://link.springer.com/chapter/10.1007/978-3-319-63715-0_20 (Accessed: 30 June 2024).

Gabizon, A., Williamson, Z.J., & Ciobotaru, O. (2019) 'PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/953 (Accessed: 30 June 2024).

Goldwasser, S., Kalai, Y., & Rothblum, G. (2008) 'Delegating Computation: Interactive Proofs for Muggles'. [online] Available at: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/12/2008-DelegatingComputation.pdf (Accessed: 30 June 2024).

Henderson, F. (2007) 'Introduction to Virtual Machines', Proceedings of the Linux Symposium. Available at: https://www.kernel.org/doc/ols/2007/ols2007v1-pages-1-10.pdf (Accessed: 30 June 2024).

Ingonyama (2023) 'Hardware Review: GPUs, FPGAs and Zero Knowledge Proofs', Ingonyama. Published on: May 4, 2023. Available at: https://www.ingonyama.com/blog/hardware-review-gpus-fpgas-and-zero-knowledge-proofs (Accessed: 30 June 2024).

Ishai, Y., & Paskin, A. (n.d.) 'Evaluating Branching Programs on Encrypted Data', Theory of Cryptography, pp. 575–594. DOI: https://doi.org/10.1007/978-3-540-70936-7_31.

Kalai, Y.T., Raz, R., & Rothblum, R.D. (2014) 'How to delegate computations: The power of no-signaling proofs', Proceedings of the Annual ACM Symposium on Theory of Computing, New York, NY, USA, pp. 485-494.

Javeed, K., & Wang, X. (2017) 'Low latency flexible FPGA implementation of point multiplication on elliptic curves over GF(p)', International Journal of Circuit Theory and Applications, 45(2), pp. 214-228. DOI: 10.1002/cta.2359.

Kilian, J. (1992) 'A note on efficient zero-knowledge proofs and arguments (extended abstract)', Proceedings of the 24th Annual ACM Symposium on Theory of Computing, pp. 723-732.

Konstantopoulos, G. (2022) 'Hardware Acceleration for Zero Knowledge Proofs', Paradigm. Available at: https://www.paradigm.xyz/2022/04/zk-hardware (Accessed: 30 June 2024).

Lita Foundation (2023) 'Announcing Lita's Valida C Compiler & zkVM'. Available at: https://www.lita.foundation (Accessed: 30 June 2024).

Lavery, S. (2024) 'Compact and Secure Zero-Knowledge Proofs for Quantum-Resistant Cryptography from Modular Lattice Innovations', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2024/652 (Accessed: 30 June 2024).

Maller, M., Bowe, S., Kohlweiss, M., & Meiklejohn, S. (2019) 'Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/099 (Accessed: 28 June 2024).

Matter Labs (2020) 'Introducing zkSync: The missing link to the mass adoption of Ethereum', Matter Labs Blog. Available at: https://blog.matter-labs.io/introducing-zksync-the-missing-link-to-the-mass-adoption-of-ethereum (Accessed: 30 June 2024).

Pionex Foundation (2023) 'zkSharding for Ethereum'. Available at: https://nil.foundation/zksharding (Accessed: 30 June 2024).

Partala, J., Nguyen, T.H., & Pirttikangas, S. (2020) 'Non-Interactive Zero-Knowledge for Blockchain: A Survey', IEEE Access. Received November 27, 2020, accepted December 13, 2020, published December 21, 2020, current version December 31, 2020. DOI: 10.1109/ACCESS.2020.3046025.

Parno, B., Howell, J., Gentry, C., & Raykova, M. (2013) 'Pinocchio: Nearly practical verifiable computation', Security and Privacy – S&P 2013, pp.238-252. IEEE.

Polygon Labs (2021) 'Deep Dive on Polygon Hermez: Bringing Scalability to Ethereum Using zk-Technology'. Available at: https://polygon.technology/blog/polygon-unveils-miden (Accessed: 30 June 2024).

Polygon Technology (2021) 'Polygon Miden: A STARK-Based zk-Rollup'. Polygon Community Forum. Available at: https://forum.polygon.technology/t/polygon-miden-deep-dive-a-stark-based-zk-rollup/299 (Accessed: 30 June 2024).

Roy, S.S., Turan, F., Jarvinen, K., Vercauteren, F., & Verbauwhede, I. (2019) 'FPGA-based high-performance parallel architecture for homomorphic computing on encrypted data', 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp. 387-398. DOI: 10.1109/HPCA.2019.00051.

RISC Zero (2021) 'zkVM Overview', RISC Zero Developer Docs. Available at: https://dev.risczero.com/api/zkvm (Accessed: 30 June 2024).

Setty, S. (2019) 'Spartan: Efficient and general-purpose zkSNARKs without trusted setup', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/550 (Accessed: 30 June 2024).

Sun, X., Yu, F.R., Zhang, P., Sun, Z., Xie, W., & Peng, X. (2021) 'A Survey on Zero-Knowledge Proof in Blockchain', IEEE Network, 35(4), pp. 198-205. DOI: 10.1109/ACCESS.2020.3046025.

StarkWare Industries (2018) 'StarkEx Documentation'. Available at: https://docs.starkware.co/starkex/index.html (Accessed: 30 June 2024).

StarkWare Industries (2018) 'About Us'. Available at: https://starkware.co (Accessed: 30 June 2024).

StarkWare (2018) 'Cairo Programming Language'. Available at: https://www.cairo-lang.org (Accessed: 30 June 2024).

StarkWare (2021) 'ZKThreads: A canonical ZK sharding framework for dApps'. Available at: https://starkware.co/zkthreads (Accessed: 30 June 2024).

Unruh, D. (2015) 'Non-interactive zero-knowledge proofs in the quantum random oracle model', in Oswald, E. and Fischlin, M. (eds) Advances in Cryptology. Berlin, Germany: Springer, pp. 755-784.

Ventre, C. and Visconti, I. (2009) 'Co-sound Zero-Knowledge with Public Keys', Lecture Notes in Computer Science, pp. 287–304. DOI: https://doi.org/10.1007/978-3-642-02384-2_18.

VirtualLabs (2021) 'ZK State Channel vs. State Channel'. Available at: https://docs.virtual.tech (Accessed: 30 June 2024).

Way Network (2022) 'ZK Omnichain Interoperability Protocol'. Available at: https://way.network (Accessed: 30 June 2024).

Wang, H. and Hoang, T. (2022) 'ezDPS: An Efficient and Zero-Knowledge Machine Learning Inference Pipeline', arXiv.org. DOI: https://doi.org/10.48550/arXiv.2212.05428.

Wahby, R.S., Tzialla, I., shelat, a., Thaler, J. and Walfish, M. (2018) 'Doubly-efficient zkSNARKs without trusted setup', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2017/1132.pdf (Accessed: 28 June 2024).

Xie, T., Zhang, J., Zhang, Y., Papamanthou, C. and Song, D. (2019) 'Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/317 (Accessed: 28 June 2024).

Zhou, Y., Wei, Z., Ma, S. and Tang, H. (2022) 'Overview of Zero-Knowledge Proof and Its Applications in Blockchain', in Sun, Y., Cai, L., Wang, W., Song, X. and Lu, Z. (eds) Blockchain Technology and Application. CBCC 2022. Communications in Computer and Information Science, vol. 1736. Singapore: Springer. Available at: https://doi.org/10.1007/978-981-19-8877-6_5 (Accessed: 30 June 2024).

Zhang, B., Lu, G., Qiu, P., Gui, X. and Shi, Y. (2023) 'Advancing Federated Learning through Verifiable Computations and Homomorphic Encryption', Entropy, 25(11), p. 1550. Available at: https://doi.org/10.3390/e25111550 (Submission received: 11 September 2023 / Revised: 1 November 2023 / Accepted: 4 November 2023 / Published: 16 November 2023).

Zhang, Y., Wang, S., Zhang, X., Dong, J., Mao, X., Long, F., Wang, C., Zhou, D., Gao, M. and Sun, G. (2021) 'PipeZK: Accelerating Zero-Knowledge Proof with a Pipelined Architecture', IEEE Xplore. DOI: https://doi.org/10.1109/ISCA52012.2021.00040.

Zhang, J., Fang, Z., Zhang, Y. and Song, D. (2020) 'Zero Knowledge Proofs for Decision Tree Predictions and Accuracy', Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. DOI: https://doi.org/10.1145/3372297.3417278.

Author's Twitter: @renkingeth

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。