The third major technological innovation in the history of blockchain development: the application of zero-knowledge proof technology

Author: Singapore University of Social Sciences inclusive finance node SUSS NiFT researcher @Jesse_meta, Beosin researcher @EatonAshton2, Least Authority security researcher @kaplannie

Whether information is stored on the Internet or in offline archives, and whether the cause is deliberate or accidental, data leaks are now commonplace. As long as information is stored centrally there is a single point of attack, and as long as verification depends on a trusted third party there are both integrity risks and inefficiencies. Solving this problem is crucial and urgent. Zero-knowledge proofs let users complete verification more efficiently and securely while protecting their privacy.

If Bitcoin is the first major invention that blockchain brought to the real world, providing a new way to store value, and Ethereum's smart contracts are the second milestone, unlocking the potential for innovation, then the application of zero-knowledge proofs is the third major technological innovation in the history of blockchain development, bringing privacy and scalability. It is not only an important part of the Web3 ecosystem but also a foundational technology with the potential to drive social change.

This article introduces the application scenarios, working principles, development status and future trends of zero-knowledge proofs from a non-technical perspective, so that readers without a technical background can understand the changes zero-knowledge proofs are about to bring.

1. What is a zero-knowledge proof

A zero-knowledge proof (ZKP) is a cryptographic protocol first proposed in the 1985 paper "The Knowledge Complexity of Interactive Proof Systems" by Shafi Goldwasser, Silvio Micali and Charles Rackoff. It lets a prover convince a verifier that a statement is true without disclosing anything beyond the truth of that statement; in particular, the verifier never learns the secret (the witness) from which the proof was generated. An everyday analogy: to prove that I know someone's phone number, it is enough to dial it in front of everyone and have that person answer, without showing anyone the number itself. Zero-knowledge proofs therefore offer an efficient way to share only what a counterparty needs to know: users retain ownership of their data, privacy protection improves greatly, and far less sensitive data needs to sit in databases waiting to be breached.

A zero-knowledge proof has three properties:

Completeness

If a statement is true, an honest prover will convince an honest verifier. That is, a true statement is never rejected.

Soundness

If a statement is false, a cheating prover cannot, except with negligible probability, convince an honest verifier that it is true. That is, a false statement is not accepted.

Zero-knowledge

If a statement is true, the verifier learns nothing beyond the fact that the statement is true.

Zero-knowledge proofs carry a small soundness error: with some probability a cheating prover can make the verifier accept a false statement. A zero-knowledge proof is therefore a probabilistic rather than a deterministic proof, but the error can be made negligible, for example by repeating the protocol many times or by drawing the verifier's challenge from a very large space.

2. Applications of zero-knowledge proofs

The two most important application areas for zero-knowledge proofs are privacy and scalability.

2.1 Privacy

Zero-knowledge proofs allow users to share just enough information to obtain goods and services without revealing personal details, protecting them from hackers and from the leakage of personally identifiable information. As the digital and physical worlds merge, this privacy property becomes crucial to information security in Web3 and beyond. Without zero-knowledge proofs, user information sits in a trusted third party's database, where it is a target for attackers. The first blockchain application of zero-knowledge proofs was the privacy coin Zcash, which uses them to hide transaction details.

2.1.1 Identity information protection and verification

In online activities we often have to provide our name, date of birth, email address and complex passwords to prove that we are authorized users, so we leave sensitive information online that we would rather not disclose. Scam calls that address us by name are now common, a sign of how widespread personal-information leakage has become.

Blockchain technology can give each person a cryptographically protected digital identifier tied to their personal data. This identifier is the basis of a decentralized identity and cannot be forged or changed without its owner's knowledge. Decentralized identity lets users control access to their identity, prove citizenship without revealing passport details, simplify authentication and reduce lockouts caused by forgotten passwords. A zero-knowledge proof is generated from the public data that identifies the user together with the private data holding the user's information, and can be presented for authentication when the user accesses a service. This shortens cumbersome verification, improves the user experience and avoids centralized storage of user information.

In addition, zero-knowledge proofs can be used to build private reputation systems, allowing a service to verify that a user meets a reputation threshold without learning who they are. Users can export their reputation from platforms such as Facebook, Twitter and GitHub anonymously while hiding which account it came from.

2.1.2 Anonymous payment

Details of card payments are usually visible to several parties, including the payment provider, the bank and the government. This exposes ordinary citizens' privacy to some degree, and users must trust those parties not to misuse the data.

Cryptocurrencies allow direct peer-to-peer payments without a third party. However, transactions on mainstream public chains are publicly visible. Addresses are pseudonymous rather than anonymous: real-world identities can be recovered by analysing linked on-chain addresses together with off-chain data such as exchange KYC records and Twitter posts. Anyone who knows a person's wallet address can check that person's balance at any time, which can endanger both their identity and their property.

Zero-knowledge proofs can provide anonymous payments at three levels: privacy coins, privacy applications and privacy public chains. The privacy coin Zcash hides the sender, receiver and amount of shielded transactions. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proofs to break the link between deposits and withdrawals and so provide private transfers (it has also frequently been used by hackers to launder stolen funds). Aleo is an L1 blockchain designed to provide privacy for applications at the protocol level.

2.1.3 Honest behaviour

Zero-knowledge proofs can enforce honest behaviour while preserving privacy: a protocol can require users to submit a zero-knowledge proof that they followed its rules. Because of soundness (a false statement cannot be proven), a user can only produce a valid proof by actually behaving as the protocol requires.

MACI (Minimal Anti-Collusion Infrastructure) is an application that promotes honesty and prevents collusion in on-chain voting and other forms of decision-making, using key pairs and zero-knowledge proofs. In MACI, users register a public key in a smart contract and send their votes to the contract as encrypted messages that only the coordinator can decrypt. Voters can change their key at any time, which invalidates any vote cast with the old key, so a briber cannot tell whether the vote they paid for will actually count. At the end of the voting period the coordinator publishes the tally together with a zero-knowledge proof that every message was processed correctly and that the result is the sum of all valid votes. This ensures the integrity and fairness of the vote without revealing individual choices.

2.1.4 Personal information verification

When applying for a loan, we could obtain a digitally signed income statement from our employer. The bank can check the signature cryptographically, and a zero-knowledge proof lets it verify that our income meets the required minimum without learning the exact figure.

2.1.5 Combining machine learning to tap the potential of private data

Training machine learning models usually requires large amounts of data. With zero-knowledge proofs, data owners can prove that their data meets the requirements of a training task without exposing the data itself, which helps put private data to work and monetize it.

Model creators can likewise prove that a model meets certain performance metrics without exposing its details, preventing others from copying or tampering with it.

2.2 Scalability

As the number of blockchain users grows, the amount of computation performed on the chain grows with it, causing congestion. Some blockchains pursue sharding, but that requires extensive and complex changes to the base layer, which can threaten the chain's security. A more practical route is the ZK-rollup, which uses verifiable computation: execution is outsourced to an off-chain operator, which submits the resulting state together with a zero-knowledge proof of its correctness to the main chain. The proof guarantees that the transactions were executed correctly, so the main chain only needs to verify the proof and update its state; it does not need to store every detail, replay the computation or wait for others to dispute the result, which greatly improves efficiency and scalability. Developers can also use zero-knowledge proofs to build light-client dapps that run on ordinary hardware such as mobile phones, which helps Web3 reach the masses.

Zero-knowledge scaling applies both to layer-1 networks, such as Mina Protocol, and to layer-2 ZK-rollups.

3. How zero-knowledge proofs work

Dmitry Laverenov (2019) divides zero-knowledge proof structures into interactive and non-interactive.

3.1 Interactive zero-knowledge proof

The basic form of an interactive zero-knowledge proof consists of three steps: commitment, challenge and response.

Witness and commitment: the hidden secret is the prover's witness. The statement to be proved defines a family of questions that can only be answered correctly by someone who knows the witness. The prover picks fresh randomness, computes a commitment from it and sends the commitment to the verifier.

Challenge: the verifier picks a question (the challenge) at random from the family and sends it to the prover.

Response: the prover computes the answer from the witness, its randomness and the challenge, and returns it to the verifier, who checks it against the commitment and the challenge. A correct response shows that the prover knows the witness.

This process is repeated until the probability of passing every round without knowing the secret is low enough. As a simplified example, if a prover who does not know the secret can guess the right answer with probability 1/2 in each round, then after ten rounds the probability of passing every time is (1/2)^10 = 1/1024, roughly 9.8 in 10,000, so the chance that the verifier wrongly accepts a false claim is correspondingly small.

3.2 Non-interactive zero-knowledge proof

Interactive zero-knowledge proofs have limitations. The prover and verifier must both be online at the same time and run several rounds, and each new verifier needs a fresh interaction: a transcript only convinces the verifier that chose the challenges, so a proof cannot be reused for independent verification.

To overcome these limitations, Manuel Blum, Paul Feldman and Silvio Micali proposed non-interactive zero-knowledge proofs, in which the prover and verifier share public parameters (a common reference string) and a single message suffices. The prover runs the secret through a proving algorithm to generate a proof and sends it to the verifier; the verifier runs a verification algorithm to check that the prover knows the secret. Once generated, the proof can be verified by anyone who holds the public parameters and the verification algorithm.

Non-interactive zero-knowledge proofs were a major breakthrough and underlie today's proof systems, the main families being ZK-SNARKs and ZK-STARKs.
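To make sections 3.1 and 3.2 concrete, here is an added example, written for this article and not code from the original paper or from any project, implementing the Schnorr identification protocol: the classic sigma protocol for proving knowledge of a discrete logarithm x such that y = g^x. It runs the interactive commitment, challenge and response rounds with 1-bit challenges so the 1/2-per-round soundness error from section 3.1 can be observed directly, shows a simulator that produces accepting transcripts without the witness (the zero-knowledge property) and an extractor that recovers x from two answers to the same commitment (why a cheater cannot answer both challenges), and then removes the interaction with the Fiat-Shamir transform, which replaces the verifier's random challenge by a hash of the statement and commitment. Fiat-Shamir is a different construction from the common-reference-string approach of Blum, Feldman and Micali, but it is how most deployed non-interactive proofs, including modern SNARKs and STARKs, get rid of the verifier. The group parameters and all function names are assumptions of the example; the group is toy-sized so the code runs instantly.

```python
import hashlib
import secrets

# Toy group, NOT for production: p = 2q + 1 with p and q prime, and g = 4 generates
# the subgroup of order q in Z_p^*. Real systems use 256-bit elliptic curves or
# 2048-bit-plus prime-order groups; the small numbers only keep the example instant.
P, Q, G = 2039, 1019, 4


def keygen():
    """The secret x is the witness; y = g^x mod p is the public statement."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def verify_transcript(y, t, c, s):
    """Verifier's check on one (commitment t, challenge c, response s) triple:
    g^s must equal t * y^c. Holds for an honest prover because s = r + c*x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def honest_prover(x):
    """Knows x. Commits to fresh randomness r, then can answer *any* challenge."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    return t, lambda c: (r + c * x) % Q


def cheating_prover(y):
    """Knows only y. Guesses the 1-bit challenge in advance and builds a commitment
    t = g^s * y^(-guess) that verifies for that guess alone. Wins a round w.p. 1/2."""
    guess = secrets.randbelow(2)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - guess) % Q, P)) % P   # y^(Q-1) == y^(-1)
    return t, lambda c: s                                  # cannot adapt to c


def interactive_proof(make_prover, y, rounds=10):
    """Interactive protocol with 1-bit challenges, repeated `rounds` times.
    Soundness error is 2^-rounds: 10 rounds gives 1/1024, the figure in the text."""
    for _ in range(rounds):
        t, respond = make_prover()                        # 1. commitment
        c = secrets.randbelow(2)                          # 2. fresh random challenge
        if not verify_transcript(y, t, c, respond(c)):    # 3. response is checked
            return False
    return True


def cheat_successes(y, rounds, trials):
    """How often a prover without the witness passes `rounds` rounds."""
    return sum(interactive_proof(lambda: cheating_prover(y), y, rounds) for _ in range(trials))


def extract_witness(s0, s1):
    """Special soundness: two accepting answers to challenges 0 and 1 for the same
    commitment reveal x = s1 - s0. A prover able to answer both must know x, which
    is also why the prover must never reuse its randomness r."""
    return (s1 - s0) % Q


def simulate_transcript(y):
    """Zero-knowledge: with no witness, produce an accepting transcript distributed
    like a real one by choosing the challenge *before* the commitment. The verifier
    could have made this itself, so a real transcript teaches it nothing about x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P
    return t, c, s


def fiat_shamir_challenge(y, t):
    """Non-interactive version: the challenge is a hash of the statement and the
    commitment, so nobody can fix the challenge first the way the simulator does.
    Binding y into the hash matters: hashing only t (the 'weak' transform) lets an
    attacker forge proofs for statements chosen after the fact."""
    data = f"schnorr|{P}|{G}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def nizk_prove(x, y):
    """One message from prover to verifier; soundness error about 1/Q per proof
    (negligible with a 256-bit Q, not with this toy one)."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    return t, (r + fiat_shamir_challenge(y, t) * x) % Q


def nizk_verify(y, proof):
    """Anyone holding the public parameters can check the proof, at any time."""
    t, s = proof
    return verify_transcript(y, t, fiat_shamir_challenge(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover, 10 rounds:", interactive_proof(lambda: honest_prover(x), y))
    print("cheater, 1 round, 1000 trials:", cheat_successes(y, 1, 1000))
    print("cheater, 10 rounds, 1000 trials:", cheat_successes(y, 10, 1000))
    print("simulated transcript verifies:", verify_transcript(y, *simulate_transcript(y)))
    print("non-interactive proof verifies:", nizk_verify(y, nizk_prove(x, y)))
```

Running the script shows the cheater passing roughly half of the single-round trials and almost none of the ten-round ones, while the simulated transcript and the non-interactive proof both verify. Two practical points carry over to real deployments: the randomness r must be fresh for every proof (reusing it leaks x, exactly as `extract_witness` shows), and the Fiat-Shamir hash must cover the full statement and all public parameters, since missing inputs to that hash are a recurring source of real proof-forgery bugs.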

4. Main technical paths of zero-knowledge proof

Alchemy (2022) divides the technical approaches to zero-knowledge proofs into ZK-SNARKs, ZK-STARKs and recursive ZK-SNARKs.

4.1 ZK-SNARK

ZK-SNARK stands for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge.


For a public chain to ensure that transactions are executed correctly, every other computer (node) re-executes each transaction. This slows the network and limits scalability, and because nodes must also store all transaction data, the size of the chain keeps growing.

ZK-SNARKs address these limitations: they can prove that a computation performed off-chain was executed correctly without requiring nodes to replay every step. Nodes no longer need to store the redundant transaction data, which increases network throughput.

To verify an off-chain computation with a SNARK, the computation is encoded as a system of mathematical constraints (an arithmetic circuit) and a validity proof is generated for it. The verifier checks the proof; if every check passes, the underlying computation is accepted as valid. A validity proof is many times smaller than the computation it attests to, which is why SNARKs are called succinct.

Most ZK-rollups using ZK-SNARKs follow these steps:

1. L2 users sign transactions and submit them to the rollup operator (the sequencer and prover).

2. The operator executes the batch and uses cryptography to generate a validity proof (a SNARK) covering all transactions in it.

3. A smart contract on L1 verifies the validity proof and, if it passes, accepts the batch's new state on the main chain.

It is worth noting that ZK-SNARKs require a trusted setup. In this stage a key generator takes the program and a secret parameter and produces two public keys, one for creating proofs and one for verifying them. The public parameters are generated once in a trusted setup ceremony and can then be reused by every party in the protocol. Users must trust that the ceremony participants did not misbehave, and there is no way to verify their honesty after the fact: anyone who knows the secret parameter (often called the "toxic waste") can forge proofs that fool the verifier, which is a real security risk. Multi-party ceremonies reduce it, since only one honest participant who destroys their share is needed, and researchers are exploring ZK-SNARK constructions that need no trusted setup at all.

Advantages

1. Security

ZK-rollups are considered a more secure scaling solution than optimistic rollups because ZK-SNARKs rest on cryptographic guarantees rather than on someone noticing and challenging fraud: a batch is accepted only if its validity proof verifies, which makes it very hard to deceive the verifier or slip in malicious state changes.

2. High throughput

ZK-SNARKs move computation off Ethereum's base layer, easing mainnet congestion. Transactions in a batch share the cost of a single on-chain verification, so fees fall and confirmation is faster.

3. Small proof size

Small SNARK proofs are cheap to verify on the main chain, so the gas cost of verifying a batch of off-chain transactions is low, reducing cost for users.

Limitations

1. Relative centralization

Most SNARKs rely on a trusted setup, which runs against the blockchain goal of removing trust.

Generating validity proofs with ZK-SNARKs is computationally intensive, and provers invest in specialized hardware that few can afford, so proving tends to be concentrated in a few hands.

2. Not quantum-resistant

ZK-SNARKs rely on elliptic-curve cryptography for the commitments and pairings used to build validity proofs. This is considered secure today, but advances in quantum computing could break the underlying assumptions.

Projects using ZK-SNARKs

Polygon Hermez

Polygon acquired Hermez for US$250 million in 2021, the first full merger of two blockchain networks. The ZK technology and tools Hermez brought enabled Polygon to develop its zkEVM for a rapidly growing user base. Hermez 1.0 is a payment rollup that executes batches of transactions off-chain, allowing users to transfer ERC-20 tokens between Hermez accounts at up to 2,000 transactions per second.

Hermez 2.0 is a zkEVM that executes Ethereum transactions, including smart contracts, with zero-knowledge validity proofs. It is highly compatible with Ethereum, so smart-contract code needs few changes and developers can move L1 projects to Polygon Hermez easily. Hermez 1.0 uses SNARK proofs; 2.0 uses both STARKs and SNARKs: a STARK proves the validity of the off-chain transactions, and because verifying a STARK directly on the main chain is expensive, a SNARK is used to prove that the STARK verifies.

zkSync

zkSync 1.0, launched by Matter Labs in 2020, does not support smart contracts and is mainly used for payments and transfers. zkSync 2.0, which supports smart contracts, launched publicly on mainnet in March 2023.

zkSync compiles Solidity smart-contract source code to Yul, an intermediate language that can be compiled to bytecode for different EVMs, to achieve EVM compatibility. The Yul code is then compiled with the LLVM framework into a custom, circuit-friendly bytecode designed for zkSync's zkEVM. This avoids having to generate zero-knowledge proofs for every step of native EVM execution, which makes the proving process easier to decentralize while keeping performance high. Support for Rust, Java or other languages can be added later by building new compiler front-ends, increasing the flexibility of the zkEVM architecture and reaching more developers.

Aztec

Aztec is the first hybrid zkRollup, enabling both public and private smart-contract execution in one environment. It is a zero-knowledge execution environment rather than a zkEVM. Confidentiality comes from combining public and private execution in a single hybrid rollup, enabling private trades on public AMMs, private moves in public games, private voting in public DAOs and more.

4.2 ZK-STARK

ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge. ZK-STARKs do not require a trusted setup and, compared with ZK-SNARKs, offer better scalability and transparency.

Advantages

1. No trusted setup

ZK-STARKs use publicly verifiable randomness in place of a trusted setup, removing the dependence on ceremony participants and strengthening the protocol's security.

2. Better scalability

As the size of the underlying computation grows, STARK proving time grows only quasi-linearly and verification time only polylogarithmically, so they scale better than SNARK provers as computations get large.

3. Post-quantum security

ZK-STARKs rely only on collision-resistant hash functions rather than the elliptic-curve assumptions behind ZK-SNARKs, so they are believed to resist attacks by quantum computers.

Limitations

1. Larger proof size

STARK proofs are considerably larger, so verifying them on mainnet costs more gas.

2. Lower adoption

ZK-SNARKs were the first practical application of zero-knowledge proofs in blockchain, so most ZK-rollups use them and their developer ecosystem and tooling are more mature. Although the Ethereum Foundation also supports ZK-STARKs, adoption is still limited and the basic tooling needs improvement.

Projects using ZK-STARKs

Polygon Miden

Polygon Miden is an Ethereum L2 scaling solution that uses zk-STARKs to aggregate many L2 transactions into a single Ethereum transaction, increasing throughput and lowering costs. Without sharding, Polygon Miden can produce a block every 5 seconds at more than 1,000 TPS; with sharding, up to 10,000 TPS. Users can withdraw funds from Polygon Miden to Ethereum in about 15 minutes. Its core component is a STARK-based Turing-complete virtual machine, the Miden VM, which also makes formal verification of contracts easier.

StarkEx and StarkNet

StarkEx is a permissioned scaling framework customized for specific applications. Projects use StarkEx to perform low-cost off-chain computation and generate STARK proofs of correct execution; a single proof can cover 12,000 to 500,000 transactions. The proof is sent to the on-chain STARK verifier and the state update is accepted once it verifies. Applications built on StarkEx include the perpetuals exchange dYdX, the NFT L2 Immutable, the sports card marketplace Sorare and the multi-chain DeFi aggregator rhino.fi.

StarkNet is a permissionless L2 where anyone can deploy smart contracts written in the Cairo language. Contracts deployed on StarkNet can call each other, enabling composable protocols. Unlike StarkEx, where the application submits transactions itself, StarkNet's sequencer batches transactions and sends them for execution and proving. StarkNet suits protocols that need synchronous interaction with other protocols or that fall outside the scope of StarkEx. As StarkNet matures, StarkEx-based applications will be able to migrate to it and gain composability.

ZK-SNARK and ZK-STARK comparison

4.3 Recursive ZK-SNARK

Ordinary ZK-rollups prove one block of transactions at a time, which limits how many transactions they can settle. Recursive ZK-SNARKs can cover more than one block: the SNARKs generated for different L2 blocks are merged into a single validity proof and submitted to L1. Once the L1 contract accepts that proof, all of the covered transactions are final, greatly increasing the number of transactions that a single on-chain verification can settle.

Plonky2 is a proof system from Polygon Zero that uses recursive ZK-SNARKs to scale transaction proving. Recursive SNARKs aggregate several proofs into one, and Plonky2 uses this to cut the time needed to prove a new block: proofs for thousands of transactions are generated in parallel and then recursively aggregated into a single block proof, which is much faster than trying to prove the whole block in one go. Plonky2 can also generate proofs on consumer-grade hardware, which addresses the hardware-centralization problem often associated with SNARK provers.

5. Zero Knowledge Rollup VS Optimistic Rollup

ZK-SNARKs and ZK-STARKs have become core infrastructure for blockchain scaling, especially ZK-rollups. A ZK-rollup is a layer-2 scaling solution for Ethereum that uses zero-knowledge proofs to move execution off-chain and reduce network congestion. Its main advantage is a large increase in Ethereum's transaction throughput at low fees, and a transaction becomes final as soon as the batch containing it has been proven and the proof verified on L1.

Ethereum's L2 scaling landscape also includes optimistic rollups. In an optimistic rollup, transactions are assumed valid by default and executed immediately; a transaction is reverted only if someone submits a fraud proof showing it was invalid. Security therefore rests on at least one honest party watching the chain, which is weaker than the cryptographic guarantee of a ZK-rollup. To leave room for fraud proofs, optimistic rollups impose a challenge period before a transaction is finalized, so users may have to wait before withdrawing their funds to L1.

The EVM was not designed with zero-knowledge proofs in mind. Ethereum founder Vitalik Buterin expects ZK-rollups to be technically complex in the short term but ultimately to win the scaling race against optimistic rollups. The following is a comparison of ZK-rollups and optimistic rollups.

Source: SUSS NiFT, ChatGPT

6. What is the future of zero-knowledge proof technology?

Zero-knowledge proof technology is in a unique position: in recent years a great deal of effort has gone into research, and many of the results are new to cryptography and secure communication, so many interesting questions remain for the academic and developer communities. At the same time, zero-knowledge proofs are being deployed in many projects, which both exposes the technology's challenges and expands the requirements placed on it.

One area of concern is post-quantum security. Publicly verifiable SNARKs (Succinct Non-Interactive Arguments of Knowledge) are a key component of the zero-knowledge landscape, yet most widely used schemes, for example Groth16, Sonic, Marlin, SuperSonic and Spartan, are not considered quantum-safe: they rely on mathematical problems, such as discrete logarithms in elliptic-curve groups, that a large quantum computer could solve efficiently, which would undermine their security in a post-quantum world.

The academic community is actively looking for quantum-safe zero-knowledge proofs that apply to general statements. Current state-of-the-art examples include Ligero, Aurora, Fractal, Lattice Bulletproofs and LPK22. Ligero, Aurora and Fractal are built on hash functions, while Lattice Bulletproofs and LPK22 are built on lattice problems; both foundations are believed to be quantum-safe. Improving the efficiency of these schemes is an ongoing trend.

Another expectation is the maturity of implementations and their resistance to attack. As more code is written there will be more secure, vetted libraries and best practices for the various proof techniques, and inevitably more implementation bugs waiting to be discovered and disclosed. We expect the field to mature and see broad adoption, with efforts to standardize protocols and ensure interoperability between implementations; the ZKProof project has already begun this work.

Another continuing trend is work on efficient algorithms and, possibly, specialized hardware. In recent years proof sizes have shrunk and provers and verifiers have become more efficient; advances in algorithms, hardware and computational optimization should lead to faster, more scalable implementations.

While more efficient algorithms benefit future users, we also expect the capabilities of zero-knowledge proofs to keep expanding. In the past most deployments were preprocessing ZK-SNARKs; now we see more and more scalable ZK-SNARKs. Some zero-knowledge proof techniques are also used more for their succinctness than for their zero-knowledge property.

Finally, another trend is the intersection of machine learning and zero-knowledge proofs (ZKML). One idea is to train large language models in a multi-party setting and use zero-knowledge techniques to verify the computation. This is highly relevant to current artificial intelligence, and projects are likely to emerge in this area.

Conclusion

This article was co-written by members of the Blockchain Security Alliance. It has introduced the wide range of applications, technical approaches, development trends and challenges of zero-knowledge proofs in the blockchain field. We believe that with advances in hardware and cryptography, zero-knowledge proofs will achieve further breakthroughs, providing faster and more secure application services for the digital world.
