Zero-Knowledge Proof Technology Application: The Third Major Technological Innovation in the History of Blockchain Development

2023-09-23 12:40:33
With the development of hardware technology and cryptography, zero-knowledge proofs are expected to achieve more breakthroughs in the future, providing faster and more secure application services for the digital world.

Author:

Researcher at SUSS NiFT, Singapore University of Social Sciences @Jesse_meta

Researcher at Beosin @EatonAshton2

Security Researcher at Least Authority @kaplannie

Whether information sits in online systems or offline archives, leaks have become commonplace, through deliberate misuse as much as accident. As long as information is stored centrally, it is a single point of attack; as long as verification relies on a trusted third party, there is room for misconduct and inefficiency. Solutions for information security are therefore both crucial and urgent. Zero-knowledge proofs let users complete verification more efficiently and securely while protecting their privacy.

If Bitcoin is the first major invention that blockchain has brought to the real world, providing a new way to store value, and Ethereum's smart contracts are the second major milestone event that unlocks innovative potential, then the application of zero-knowledge proofs is the third major technological innovation in the history of blockchain development, bringing privacy and scalability. This is not only an important part of the Web3 ecosystem but also a foundational technology with the potential to drive social change.

This article introduces the application scenarios, working principles, current development status, and future trends of zero-knowledge proofs from a non-technical perspective, aiming to help readers without a technical background understand the significant changes that zero-knowledge proofs are about to bring.

1. What is Zero-Knowledge Proof?

Zero-knowledge proof (ZKP) is a cryptographic protocol first proposed in the 1985 paper "The Knowledge Complexity of Interactive Proof Systems" by Shafi Goldwasser, Silvio Micali, and Charles Rackoff. A zero-knowledge proof reveals nothing beyond the fact that a statement is true; in particular, the verifier learns nothing about the secret (the witness) from which the proof was generated. An everyday analogy: to prove I know someone's phone number, I can call that person in front of others, and the fact of the call proves the claim without revealing the number itself. Zero-knowledge proofs therefore give a way to share what needs to be verified without sharing the underlying data: we retain ownership of the data, privacy is greatly strengthened, and data that is never handed over cannot leak from the recipient.

Zero-knowledge proofs have three properties:

Completeness

If a statement is true, an honest verifier will be convinced by an honest prover. That is, the truth cannot be mistaken.

Soundness

If a statement is false, in the vast majority of cases, a cheating prover cannot convince an honest verifier of the false statement. That is, falsehood cannot be mistaken for truth.

Zero-knowledge

If a statement is true, the verifier cannot gain any additional information beyond knowing that the statement is true.

Zero-knowledge proofs carry a small soundness error: the probability that a cheating prover convinces the verifier of a false statement. Proof systems are therefore probabilistic rather than deterministic, but repeating the protocol, or drawing the verifier's challenge from a very large set, drives the soundness error down to a negligible level.

2. Applications of Zero-Knowledge Proofs

The two most important application scenarios for zero-knowledge proofs are privacy and scalability.

2.1 Privacy

Zero-knowledge proofs allow users to securely share necessary information to obtain goods and services without revealing personal details, protecting them from hacking and identity theft. As the digital and physical realms gradually merge, the privacy protection capabilities of zero-knowledge proofs become crucial for information security both within and beyond Web3. Without zero-knowledge proofs, user information would reside in trusted third-party databases, posing potential risks of hacking. The first application case of zero-knowledge proofs in blockchain is the privacy coin Zcash, which is used to hide transaction details.

2.1.1 Identity Information Protection and Verification

In online activities, we often need to provide sensitive information such as name, date of birth, email, and complex passwords to prove that we are legitimate users. As a result, we often leave behind sensitive information that we do not wish to disclose online. Nowadays, receiving scam calls that address us by name has become common, indicating the severity of personal information leakage.

Blockchain technology can give each person a unique cryptographic identifier bound to their personal data. Such an identifier can anchor a decentralized identity that cannot be forged or altered without the owner's knowledge. Decentralized identities let users control access to their identity, proving citizenship without revealing passport details, simplifying authentication, and reducing lockouts caused by forgotten passwords. A zero-knowledge proof is generated from public data that attests to the identity (for example a credential recorded on-chain) and from private data about the user, and can be presented for verification when the user accesses a service. This reduces cumbersome verification, improves the user experience, and avoids centralized storage of user information.

Additionally, zero-knowledge proofs can be used to build private reputation systems, allowing service providers to verify that a user meets a reputation threshold without learning who the user is. Users can prove facts about their reputation on platforms such as Facebook, Twitter, and GitHub while concealing which accounts they hold.

2.1.2 Anonymous Payments

The transaction details of payments made with bank cards are usually visible to multiple parties, including payment providers, banks, and governments, which exposes the privacy of ordinary citizens to some extent, requiring users to trust these parties not to act maliciously.

Cryptocurrencies can remove third parties from payments, enabling direct peer-to-peer transactions. However, transactions on mainstream public chains are publicly visible; although addresses are pseudonymous, they can be linked to off-chain data such as exchange KYC records or Twitter profiles to identify real-world identities. If someone knows a person's wallet address, they can view the balance and the entire transaction history of that wallet at any time, much as if they could look into the person's bank account, which threatens both identity and assets.

Zero-knowledge proofs can provide anonymous payments at three levels: privacy coins, privacy applications, and privacy public chains. In the privacy coin Zcash, shielded transactions hide the sender and receiver addresses, the amount, and the memo field. Tornado Cash is a decentralized application on Ethereum that uses zero-knowledge proofs to break the on-chain link between a deposit and its withdrawal for private transfers; it has also been used heavily by hackers to launder stolen funds and was sanctioned by the US Treasury's OFAC in August 2022. Aleo is an L1 blockchain designed to provide privacy for applications at the protocol level.

2.1.3 Honest Behavior

Zero-knowledge proofs can promote honest behavior while preserving privacy. Protocols can require users to submit zero-knowledge proofs to demonstrate their honest behavior. Due to the soundness of zero-knowledge proofs (falsehood cannot be mistaken for truth), users must act honestly according to the protocol requirements to submit valid proofs.

MACI (Minimal Anti-Collusion Infrastructure) is an application that promotes honesty by preventing collusion and vote buying in on-chain voting and similar decision making. It combines key pairs with zero-knowledge proofs. Users register a public key with a smart contract and submit votes as encrypted messages that only the coordinator can decrypt. The anti-collusion property comes from key changes: a voter can quietly replace their key, which invalidates any vote cast under the old one, so a voter cannot credibly prove to a briber how they voted. At the end of the voting period the coordinator publishes a zero-knowledge proof that every message was processed correctly and that the announced result is the tally of all valid votes, so the outcome can be checked without exposing individual votes.

2.1.4 Personal Information Verification

When we want to obtain a loan, we can get a digital income certificate from a company to apply for the loan. The legitimacy of this certificate can be easily verified cryptographically. Banks can use zero-knowledge proofs to verify whether our income meets the required minimum threshold without obtaining sensitive specific information.

2.1.5 Combining Machine Learning to Uncover Private Data Potential

Training machine learning models typically requires a large amount of data. By using zero-knowledge proofs, data owners can prove that their data meets the requirements for model training without actually disclosing the data. This helps to leverage private data and achieve monetization.

Furthermore, zero-knowledge proofs can allow model creators to prove that their models meet certain performance metrics without disclosing the details of the models, preventing others from copying or tampering with their models.

2.2 Scalability

As blockchain usage grows, the chain must execute more and more computation, and transactions queue up. Some chains pursue sharding, but that requires extensive, complex changes to the base layer and can weaken its security. A more practical route is the ZK-rollup: execution is outsourced to an off-chain operator, which submits the resulting state update together with a zero-knowledge validity proof to the main chain. Because the proof establishes that the transactions were executed correctly, the main chain only has to verify the proof and update its state; it does not store the execution details, replay the computation, or wait out a challenge period, which greatly improves efficiency and scalability. Developers can also use zero-knowledge proofs to build light clients and dapps that verify chain state on ordinary hardware such as smartphones, making it easier for Web3 to reach the masses.

The scalability of zero-knowledge proofs can be applied on both layer one networks, such as Mina Protocol, and layer two networks like ZK-rollups.

3. How Zero-Knowledge Proofs Work

Dmitry Laverenov (2019) divides the structure of zero-knowledge proofs into interactive and non-interactive.

3.1 Interactive Zero-Knowledge Proofs

The basic form of an interactive zero-knowledge proof has three moves, commitment, challenge, and response, built around the prover's secret (the witness).

Commitment (evidence): The hidden secret is the prover's witness. It defines a family of questions that only someone who knows the secret can answer correctly. The prover opens the round by picking a random value, computing a commitment from it, and sending the commitment to the verifier.

Challenge: The verifier picks a question at random from the set and sends it to the prover.

Response: The prover computes the answer using the witness and the random value behind the commitment, and returns it. The verifier checks the response against the commitment and the challenge; a correct answer is evidence that the prover knows the witness.

This process is repeated until the probability that a prover who does not know the secret answers every challenge correctly becomes sufficiently small. As a simplified example, if a prover without the secret can guess the right answer with probability 1/2 in one round, then after ten independent rounds the probability of guessing correctly every time is (1/2)^10 = 1/1024, about 0.001, and after forty rounds it is below one in a trillion, so the verifier is extremely unlikely to accept a false proof.

3.2 Non-Interactive Zero-Knowledge Proofs

Interactive zero-knowledge proofs have limitations; on one hand, they require the prover and verifier to be present simultaneously for repeated verification, and on the other hand, each new proof requires the prover and verifier to exchange a set of information, making the proof non-reusable in independent verifications.

To remove these limitations, Manuel Blum, Paul Feldman, and Silvio Micali proposed non-interactive zero-knowledge proofs, in which the prover and verifier share a common reference string (a public random string established in advance) and a single message from the prover suffices. The prover computes the proof from the secret with a proving algorithm and sends it to the verifier, who runs a verification algorithm to check whether the prover knows the secret. Once generated, the proof can be checked by anyone holding the common reference string and the verification algorithm. In practice, many systems instead obtain non-interactivity through the Fiat-Shamir transform, which replaces the verifier's random challenge with a hash of the prover's messages, so the prover can compute the challenge itself without giving up the soundness that the verifier's randomness provided.

Non-interactive zero-knowledge proofs represent a significant breakthrough in zero-knowledge proof technology, facilitating the development of zero-knowledge proof systems today. The main methods include ZK-SNARK and ZK-STARK.
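Sections 3.1 and 3.2 can be made concrete with Schnorr's protocol for proving knowledge of a discrete logarithm, the simplest sigma protocol. The following is an added example written for this page, not code from the original article or from any project it mentions. The group is a safe-prime subgroup generated at import time (a choice made here, not a standard group), challenges are a single bit so that the 1/2-per-round arithmetic of section 3.1 can be reproduced, and the Fiat-Shamir hash is SHA-256 over the statement and the commitment.

```python
"""Schnorr's sigma protocol for knowledge of a discrete logarithm: the three
moves of an interactive proof, the 1/2-per-round soundness error of a guessing
prover, the extractor behind soundness, the simulator behind zero-knowledge,
and the Fiat-Shamir transform that removes the interaction.  Added example;
the group is generated at import time and is not taken from any standard."""
import hashlib
import random

rng = random.Random(20230923)   # seeded so the group and every transcript are reproducible

def is_probable_prime(n, rounds=24):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Safe prime p = 2q + 1; 4 is a square, so it generates the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = make_group()

def keygen():
    x = rng.randrange(1, Q)            # the witness: the secret only the prover knows
    return x, pow(G, x, P)             # the statement: "I know x such that h = G^x"

# One round of the interactive protocol of section 3.1, with a 1-bit challenge.
def commit(x):
    r = rng.randrange(1, Q)
    return r, pow(G, r, P)             # commitment t = G^r (the "evidence" move)

def challenge():
    return rng.getrandbits(1)          # the verifier's random question

def respond(x, r, c):
    return (r + c * x) % Q             # response s = r + c*x

def verify(h, t, c, s):
    return pow(G, s, P) == t * pow(h, c, P) % P

def interactive_run(x, h, rounds):
    """Completeness: an honest prover passes every round."""
    for _ in range(rounds):
        r, t = commit(x)
        c = challenge()
        if not verify(h, t, c, respond(x, r, c)):
            return False
    return True

def fake_transcript(h, c):
    """An accepting transcript for challenge c made without x: pick s, solve for t.
    With c drawn at random this is the zero-knowledge simulator (its output is
    distributed exactly like a real transcript); with c guessed in advance it is
    the cheating prover, who passes a round only if the verifier picks that c."""
    s = rng.randrange(1, Q)
    t = pow(G, s, P) * pow(pow(h, c, P), -1, P) % P
    return t, c, s

def cheating_success_rate(h, rounds, trials):
    """Soundness error by experiment: about 2^-rounds, as section 3.1 computes."""
    wins = 0
    for _ in range(trials):
        passed = True
        for _ in range(rounds):
            t, _guess, s = fake_transcript(h, rng.getrandbits(1))
            if not verify(h, t, challenge(), s):
                passed = False
                break
        wins += passed
    return wins / trials

def extract(h, t, c1, s1, c2, s2):
    """Special soundness: two accepting transcripts with the same commitment and
    different challenges reveal x, so anyone who can answer both must know it."""
    assert c1 != c2 and verify(h, t, c1, s1) and verify(h, t, c2, s2)
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def fs_challenge(h, t):
    """Fiat-Shamir (section 3.2): the challenge is a hash of the statement and the
    commitment, so the prover cannot choose t after seeing c, and the challenge
    space is 256 bits instead of 1.  Leaving the statement h out of the hash is a
    known implementation bug that lets a prover forge proofs for an h it does not know."""
    data = b"|".join(str(v).encode() for v in (P, G, h, t))
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove_noninteractive(x, h):
    r, t = commit(x)
    return t, respond(x, r, fs_challenge(h, t))

def verify_noninteractive(h, t, s):
    return verify(h, t, fs_challenge(h, t), s)
```

interactive_run shows completeness; cheating_success_rate measures the soundness error empirically (about 0.5 for one round, about 0.001 for ten); extract and fake_transcript show why soundness and zero-knowledge hold; prove_noninteractive and verify_noninteractive are the Fiat-Shamir version, where the 256-bit challenge leaves a guessing prover no realistic chance. The hash must bind the statement h as well as the commitment t; hashing only t is the mistake behind several real forgery bugs in deployed proof systems.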

4. Main Technical Paths of Zero-Knowledge Proofs

Alchemy (2022) categorizes the technical paths of zero-knowledge proofs into ZK-SNARK, ZK-STARK, and Recursive ZK-SNARK.

4.1 ZK-SNARK

ZK-SNARKs are succinct non-interactive proofs that are zero-knowledge.


Public chains ensure the correctness of transactions by having every node re-execute each one. This requires each node to replay every transaction, which slows the network and limits scalability, and each node must also store the transaction data, so the chain grows without bound.

ZK-SNARKs address these limitations. They can prove the correctness of computations performed off-chain without requiring nodes to replay every step of the computation. This also eliminates the need for nodes to store excess transaction data, improving the network's throughput.

With a SNARK, the off-chain computation is first encoded as a set of arithmetic constraints (a circuit), and a validity proof is generated that a satisfying assignment to those constraints exists. The verifier checks the proof; if it passes all checks, the underlying computation is accepted as valid. The proof is many times smaller than the computation it attests to, and verifying it is far cheaper than re-running the computation, which is why SNARKs are called succinct.
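The income check of section 2.1.4 and the "encode the computation as constraints" step above are the same idea. As an added example, not code from the article or from any project it names, here is the statement "income >= threshold" written as a rank-1 constraint system (R1CS), the constraint form SNARK provers work over; the field modulus, the witness layout and the 32-bit bound are choices made here. The block builds the constraints and checks witnesses against them; it does not generate a proof.

```python
"""Arithmetising "income >= threshold" as a rank-1 constraint system (R1CS), the
kind of constraint system a SNARK prover shows it has a witness for.  Added
example: it builds the constraints and checks witnesses against them; it does
not produce a proof, and the field size and witness layout are choices made here."""

P = (1 << 61) - 1     # field modulus (a Mersenne prime); all values are taken mod P
NBITS = 32            # income - threshold must fit in NBITS bits for a witness to exist

# Witness layout: w = [1, threshold, income, diff, bit_0, ..., bit_{NBITS-1}]
# threshold is the public input; income, diff and the bits stay private.
ONE, THRESHOLD, INCOME, DIFF, BIT0 = 0, 1, 2, 3, 4

def range_check_r1cs(nbits=NBITS):
    """Constraints (label, A, B, C) with sparse vectors {index: coefficient};
    a constraint holds for w iff <A,w> * <B,w> == <C,w> in the field."""
    cs = [("diff", {INCOME: 1, THRESHOLD: P - 1}, {ONE: 1}, {DIFF: 1})]   # income - threshold = diff
    for i in range(nbits):                                                # bit_i * (bit_i - 1) = 0
        cs.append((f"bit{i}", {BIT0 + i: 1}, {BIT0 + i: 1, ONE: P - 1}, {}))
    cs.append(("recompose",                                               # sum 2^i bit_i = diff
               {BIT0 + i: (1 << i) % P for i in range(nbits)}, {ONE: 1}, {DIFF: 1}))
    return cs

def dot(vec, w):
    return sum(coeff * w[i] for i, coeff in vec.items()) % P

def satisfied(cs, w):
    return all(dot(a, w) * dot(b, w) % P == dot(c, w) for _, a, b, c in cs)

def witness(income, threshold, nbits=NBITS):
    """Honest prover.  When income < threshold, diff wraps around in the field and
    its low nbits bits no longer recompose it, so no satisfying witness exists."""
    diff = (income - threshold) % P
    return [1, threshold, income, diff] + [(diff >> i) & 1 for i in range(nbits)]

def forged_witness(income, threshold, nbits=NBITS):
    """Dishonest prover with income < threshold: put the whole wrapped diff into
    bit_0.  Recomposition passes; only the booleanity constraints reject it, which
    is why under-constrained circuits are the classic bug class in ZK code."""
    diff = (income - threshold) % P
    return [1, threshold, income, diff, diff] + [0] * (nbits - 1)

def without_bit_checks(cs):
    """The same system with the booleanity constraints dropped (the buggy circuit)."""
    return [c for c in cs if not c[0].startswith("bit")]
```

A real SNARK prover takes the witness vector produced by witness() and proves, without revealing income or the bits, that every constraint holds; the bank in section 2.1.4 only sees the threshold and the proof. The forged_witness case is the lesson for auditors: if a circuit forgets a constraint, the prover is free to satisfy the rest with nonsense, and the proof system will happily certify it.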

Most ZK rollups built on ZK-SNARKs follow these steps:

1. Users sign L2 transactions and submit them to the rollup operator (the sequencer and prover).

2. The operator executes the batch off-chain and generates a single validity proof (a SNARK) that the batch was executed correctly and produced the new state root.

3. A smart contract on L1 verifies the validity proof and, if it is valid, records the new state root; the batch is thereby finalized on the main chain.

It is worth noting that a classic ZK-SNARK such as Groth16 requires a trusted setup. In this phase, a setup procedure takes the program (circuit) and a secret random parameter and derives two public artifacts: a proving key used to create proofs and a verification key used to check them. The keys are generated once, in a setup ceremony, and then used by every party to the protocol. Anyone who learns the secret parameter (the "toxic waste") can forge proofs of false statements, so users must trust that it was destroyed. Ceremonies are therefore run as multi-party computations in which each participant contributes randomness, and the setup remains secure as long as at least one participant honestly discards their share, something users can only take on trust. Newer systems reduce or remove this assumption: PLONK-style SNARKs use a universal, updatable setup that is not tied to one circuit, and transparent systems such as STARKs need no trusted setup at all.

Advantages

1. Security

ZK rollups are considered more secure than optimistic rollups because every batch carries a validity proof checked on-chain: an incorrect state update cannot be accepted, whereas an optimistic rollup only rejects it if someone detects and challenges it in time.

2. High Throughput

Execution moves off Ethereum's base layer, relieving mainnet congestion; one proof covers a whole batch, so the L1 verification cost is spread across many transactions, and transactions confirm faster.

3. Small Proof Size

The small size of SNARK proofs makes them easy to verify on the main chain, meaning lower Gas Fees for verifying off-chain transactions, reducing costs for users.

Limitations

1. Relative Centralization

Most of the time, it relies on a trusted setup, which contradicts the original intention of blockchain to eliminate trust.

Generating validity proofs using ZK-SNARK is a computationally intensive process, requiring provers to invest in specialized hardware. These hardware components are expensive and only a few can afford them, leading to a highly centralized proof generation process.

2. ZK-SNARKs rely on elliptic-curve cryptography (in most deployed schemes, pairing-friendly curves) for the commitments and keys behind their proofs. This is secure against classical attackers today, but a large quantum computer running Shor's algorithm would break the discrete-logarithm assumptions these curves depend on.

Projects Using ZK-SNARK

Polygon Hermez

In 2021, Polygon acquired Hermez for $250 million, becoming the first case of a complete merger between two blockchain networks. The ZK technology and tools brought by Hermez to Polygon's rapidly growing user base support the development of zkEVM. Hermez 1.0 is a payment platform that executes a batch of transactions off-chain, allowing users to conveniently transfer ERC-20 tokens from one Hermez account to another, achieving up to 2000 transactions per second.

Hermez 2.0, later released as Polygon zkEVM, is a zkEVM that executes Ethereum transactions, including smart contract calls, and proves them with zero-knowledge proofs. It is designed to be equivalent to Ethereum at the bytecode level, so smart contracts need little or no change and developers can move L1 projects to it easily. Hermez 1.0 used SNARK proofs; 2.0 uses both STARK and SNARK proofs: a STARK proves the validity of the off-chain transactions, and because verifying a STARK on the main chain is expensive, a SNARK is generated that proves the STARK verifier accepted, and only the small SNARK is verified on L1.

zkSync

Launched by Matter Labs in 2020, zkSync 1.0 (zkSync Lite) did not support smart contracts and was used mainly for payments and transfers. zkSync 2.0, now called zkSync Era, supports smart contracts and was opened to the public on mainnet in March 2023.

zkSync compiles Solidity smart contracts to Yul, an intermediate language that can be compiled to bytecode for different EVM-like targets, and then, through the LLVM compiler framework, to a custom circuit-friendly instruction set for zkSync's zkEVM. Proving execution of this purpose-built bytecode instead of every native EVM opcode keeps the prover efficient, which makes the proof process easier to decentralize while maintaining high performance. Support for Rust, JavaScript, or other languages can be added later by writing new compiler front ends, which increases the flexibility of the zkEVM architecture and widens the developer base.

Aztec

Aztec is the first hybrid zkRollup, executing public and private smart contracts in a single environment. It is a zero-knowledge execution environment rather than a zkEVM. By combining public and private execution in one hybrid rollup it enables, for example, private trades on a public AMM, private moves in a public game, and private votes in a public DAO.

4.2 ZK-STARK

ZK-STARK does not require a trusted setup. ZK-STARK stands for Zero-Knowledge Scalable Transparent Argument of Knowledge. Compared to ZK-SNARK, ZK-STARK has better scalability and transparency.

Advantages

1. Trustless

ZK-STARKs rely only on public randomness (hash outputs) rather than a trusted setup, so there is no secret parameter that could leak and no ceremony participants to trust.

2. Stronger Scalability

STARK proving time grows quasi-linearly with the size of the computation and verification time grows only polylogarithmically, so verification stays cheap as the computations being proved grow, and no per-circuit setup is needed. A circuit-specific SNARK such as Groth16 verifies in constant time, but every new circuit requires a new setup.

3. Higher Security Guarantees

ZK-STARKs are built from collision-resistant hash functions rather than the elliptic-curve pairings used by ZK-SNARKs. No efficient quantum attack on such hash-based constructions is known, so they are considered plausibly post-quantum secure.

Limitations

1. Larger Proof Size

ZK-STARK proofs are larger, resulting in higher costs for verification on the mainnet.

2. Lower Adoption Rate

ZK-SNARK is the first practical application of zero-knowledge proofs in blockchain, so most ZK rollups adopt ZK-SNARK, which has a more mature developer ecosystem and tools. Although ZK-STARK also has support from the Ethereum Foundation, its adoption rate is comparatively low, and foundational tools still need improvement.

Which Projects Use ZK-STARK?

Polygon Miden

Polygon Miden is an Ethereum L2 scaling solution that utilizes zk-STARK technology to integrate a large number of L2 transactions into a single Ethereum transaction, enhancing processing capacity and reducing transaction costs. Without sharding, Polygon Miden can produce a block in 5 seconds, with TPS exceeding 1000. After implementing sharding, its TPS can reach up to 10,000. Users can withdraw funds from Polygon Miden to Ethereum in just 15 minutes. The core feature of Polygon Miden is a Turing-complete virtual machine based on STARK—Miden VM—which simplifies the formal verification of contracts.

StarkEx and StarkNet

StarkEx is a permissioned framework for building customized scaling solutions for specific applications. Projects use StarkEx for low-cost off-chain computation and generate STARK proofs attesting that the execution was correct; one such proof can cover 12,000 to 500,000 transactions. The proofs are sent to the STARK verifier on-chain, and once verified the state update is accepted. Applications deployed on StarkEx include the perpetuals exchange dYdX, the NFT L2 Immutable, the sports digital card marketplace Sorare, and the multi-chain DeFi aggregator rhino.fi.

StarkNet is a permissionless L2 where anyone can deploy smart contracts developed in the Cairo language. Contracts deployed on StarkNet can interact with each other to build new composable protocols. Unlike StarkEx, where applications are responsible for submitting transactions, StarkNet's sequencer batches transactions and sends them for processing and proof. StarkNet is more suitable for protocols that require synchronized interactions with other protocols or exceed the scope of StarkEx applications. As StarkNet develops, applications based on StarkEx will be able to migrate to StarkNet and enjoy composability.

Comparison of ZK-SNARK and ZK-STARK (summary of the points above)

                      ZK-SNARK                              ZK-STARK
Trusted setup         Required (circuit-specific or         Not required (transparent)
                      universal)
Proof size            Small, cheap to verify on-chain       Larger, costlier to verify on-chain
Cryptographic basis   Elliptic curves and pairings          Collision-resistant hashes
Post-quantum          No                                    Plausibly yes
Adoption and tooling  Mature; used by most ZK rollups       Smaller ecosystem; tooling maturing

4.3 Recursive ZK-SNARK

An ordinary ZK rollup proves one block of transactions per proof, which caps the number of transactions each L1 verification can cover. A recursive ZK-SNARK proves more than one block at a time: the SNARKs generated for different L2 blocks are themselves verified inside a further circuit and merged into a single validity proof that is submitted to L1. Once the L1 contract accepts that proof, all of the covered transactions are final, greatly increasing the number of transactions settled per proof.

Plonky2 is the proving system used by Polygon Zero, and it uses recursive SNARKs to raise throughput. Recursion aggregates several proofs into one, and Plonky2 uses it to cut the time needed to prove a new block: proofs for thousands of transactions are generated in parallel and then recursively aggregated into one block proof, whereas an ordinary proving system tries to prove the whole block at once, which is slower. Plonky2 can also generate proofs on consumer-grade hardware, which addresses the prover centralization concern raised for SNARKs above.

5. Zero Knowledge Rollup VS Optimistic Rollup

ZK-SNARKs and ZK-STARKs have become core infrastructure for blockchain scaling, above all in zero-knowledge rollups. A zero-knowledge rollup is an Ethereum layer-two scaling solution that moves transaction execution off-chain and uses zero-knowledge validity proofs to convince the main chain that the resulting state updates are correct, relieving congestion. Its main advantages are that it raises Ethereum's transaction throughput substantially while keeping fees low, and that a batch is final on L1 as soon as its validity proof has been verified.

Ethereum's L2 scaling solutions currently include both zero-knowledge rollups and optimistic rollups. In an optimistic rollup, transactions are assumed to be valid and are applied immediately; an invalid batch is reverted only if someone detects it and submits a fraud proof. Its security therefore rests on at least one honest party watching the chain and challenging in time, a weaker guarantee than a validity proof checked for every batch. To leave room for such challenges, optimistic rollups have a challenge period, and a batch is final on L1 only after that period has elapsed, so users may wait days before they can withdraw funds to L1.

When the EVM was designed, zero-knowledge proofs were not a consideration, which is why building a zkEVM is hard. Ethereum co-founder Vitalik Buterin has argued that, although ZK rollups are more complex in the short term, they will ultimately prevail over optimistic rollups in the scaling race. Below is a comparison of the two.

                        Zero Knowledge Rollup                   Optimistic Rollup
How correctness is      Validity proof verified on L1 for       Batches assumed valid; a fraud proof
established             every batch                             reverts an invalid one if submitted
Finality on L1          Once the batch proof is verified        After the challenge period (typically
                                                                about a week)
Withdrawals to L1       Available once the batch is proved      Delayed by the challenge period
Trust assumption        Soundness of the proof system (and      At least one honest party watches and
                        its setup, if any)                      challenges in time
EVM compatibility       Harder; needs a zkEVM                   Easier; re-uses EVM execution
Off-chain cost          High (proof generation)                 Low (plain execution)

Source: SUSS NiFT, ChatGPT

6. What is the Future Prospect of Zero-Knowledge Proof Technology?

The field of zero-knowledge proof technology occupies a unique position: in recent years, significant efforts have been made to advance research in this area, resulting in many outcomes that are quite new in the fields of cryptography and secure communication. Therefore, many interesting questions remain to be answered by the academic community and developer community. Meanwhile, zero-knowledge proof technology is being used in various projects, showcasing the challenges of zero-knowledge technology and expanding its requirements.

One area worth watching is post-quantum security. Publicly verifiable SNARKs (succinct non-interactive arguments of knowledge) are a key building block of zero-knowledge technology, but most widely used schemes, for example Groth16, Sonic, Marlin, Supersonic, and Spartan, are not considered quantum-safe: the mathematical problems they rely on, such as the discrete logarithm in elliptic-curve groups, can be solved efficiently by a quantum computer, which would break their security in a post-quantum world.

The academic community is actively seeking quantum-safe zero-knowledge proofs that work for general statements without a preprocessing phase. Current state-of-the-art candidates include Ligero, Aurora, Fractal, Lattice Bulletproofs, and LPK22. Ligero, Aurora, and Fractal are built from hash functions, while Lattice Bulletproofs and LPK22 are built on lattice problems; both families are believed to be quantum-safe. Deploying these schemes and improving their efficiency is an ongoing trend.

Another expectation we have for the future of zero-knowledge technology is its resilience against attacks and the maturity of related code. Given the increasing amount of code written, there will be more secure and reviewed libraries and best practices for various zero-knowledge proof technologies. Of course, there will also be more common errors waiting to be discovered and communicated in the future. We hope for the maturity and high adoption of this field, striving to standardize protocols and ensure interoperability between different implementations; a project called ZKProof has already begun to do this.

Another trend that will continue to exist in the zero-knowledge technology community is more work on efficient algorithms and possible specialized hardware. In recent years, we have seen reductions in proof sizes and improvements in the efficiency of provers and verifiers. Advances in algorithms, specialized hardware, and computational optimizations may lead to faster and more scalable implementations.

Beyond efficiency, we expect the functionality of zero-knowledge proofs to keep expanding. Early deployments were dominated by preprocessing ZK-SNARKs, whose trusted setup is tied to a single circuit; now we see more and more schemes with universal and updatable setups, which can be reused across circuits and extended by new participants. In addition, some zero-knowledge proof systems are deployed for their succinctness, to compress verification, rather than for the zero-knowledge property itself, as in rollups.

Finally, another trend in zero-knowledge proof technology is the intersection of machine learning and zero-knowledge proofs (ZKML). This idea involves training large language models in multi-party environments and using zero-knowledge technology to verify computations. This is highly relevant for current artificial intelligence. There is potential for the emergence of projects in this field.

Conclusion

This article is co-authored by members of the Blockchain Security Alliance. Through this introduction, we can understand the wide applications of zero-knowledge proofs in the blockchain field, the technical paths, development trends, and challenges faced. We believe that with the advancement of hardware technology and cryptography, zero-knowledge proofs will achieve more breakthroughs in the future, providing faster and more secure application services for the digital world.
