What the heck is Zero Knowledge (ZK) proof?
RavjotSandhu
Posted on January 15, 2022
So you have heard it, ZK proofs or Zero Knowledge proofs. But why there is a sudden buzz? What is it? What are zk-rollups? What are ZK-SNARKs? All of your questions will be answered so hang tight and ride along!
What is Zero Knowledge Proof?
A method by which one party (Prover) can prove that it knows a secret or a statement is true to another party(Verifier) without revealing any actual information.
The term "Zero Knowledge" in itself it the testimony to the fact that no information is revealed but the second party (Verifier) is rightfully convinced that first party (Prover) knows the secret or their statement is true.
So why would we need Zero Knowledge proof? When we don't trust someone with revealing the information but want to persuade them that we know the secret or our statement is true
Now there are 2 types of Zero knowledge proofs
- Interactive
- Non Interactive
1️⃣ Let's first see an example of Interactive Zero Knowledge proof
Suppose You have to ZKP that you are >=18 of age, without actually revealing you age.
We need a third-party authority that can vouch for your age as follows
The authority says: “Thanks for the copy of the birth certificate, we see you are 21 years old. Here’s a secret number, keep it secret and safe. You will need it at later on."
“Your secret number will be hashed 22 times to make a final age hash code for you (yes, it has to be age+1 to make it all work). So there are 22 hashing steps between the secret number we gave you and this final age hash code."
“We are wrapping this up with your name, a time stamp and this final age hash code. That’s the proof kit that you will give to others.”
Now, whenever you want to prove to someone that you are over 18 then you effectively have to prove that there are more than 18 hashing steps to get from your secret number to your final age hash code.
To do this you just want to show them the last 18 hashing steps, you do this by doing the first 4 hashing steps yourself (hashing your secret number 4 times) and then giving them the result; the 4th hash.
They then hash this 18 times and (because we’ve now done a total of 22 hashes on your secret number) they will end up with the final age hash code and can verify this because this is in with the proof kit.
In effect the verifier is saying; ‘Send us a value that we can hash 18 times to get a match with your final age hash code’. If you are not 18 then you won’t have 18 steps in your final age hash code and you won’t be able to give us a starting point that we can hash 18 times to get your final age hash code.
This is also a nice example 👇
Example of a good zero knowledge proof - MathOverflow
▶But there are some limitations to this interactive method:
- Each time they meet the whole lengthy process would need to be carried out. And this is pretty simple hashing process, imagine the need to carry out calculations for actual cryptographic algorithms!
- Both the parties need to be present at same place, same time either online or face to face
2️⃣ Here come into picture Non Interactive proofs
In 1986, Fiat and Shamir invented the Fiat-Shamir heuristic and thus came into being first algorithm to create digital signatures based on interactive zero knwoledge proofs
This Fiat-Shamir heuristic can be turned into a Non Interactive ZK proofs using a Commitment Scheme and thus came into being ZK-SNARKs or Zero-Knowledge Succinct Non-Interactive Argument of Knowledge
To make Fiat-Shamir Heuristic stronger commitments are used. Commitment schemes are fundamental components of many cryptographic protocols. A commitment scheme allows a committer to publish a value, called the commitment, which binds them to a message (binding) without revealing it (hiding).
Pederson commitment and Polynomial commitment are two most prominent commitment schemes being used for ZK proofs
But it wasn't until around 2013 that ZK-SNARKs became practically efficient to implement and use in real world applications.
I recommend you to read this excellent article by Vitalik Buterin
An approximate introduction to how zk-SNARKs are possible explaining how they can be implemented. You might not catch hold of it in a single go. Read 3-4 times and you will get chills once you understand what's going on.
▶ In post Quantum world which also seems inevitable just like AI and Web3, we would need to ensure that the cryptographic functions we choose for the ZK-SNARKs cannot be brute forced by quantum computers. That why improvements are being made to achieve post quantum security.
If you want to learn more on this, you may watch this talk by ACM👇
Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures
Alright now we know what ZK proofs are but what are they used for 🤔?
There are two main use cases conceptually:
- Scaling the blockchain transactions
- Privacy-Securing the personal data in sectors such as healthcare
Scaling Blockchain - ZK Rollups
A rollup is a type of scaling solution that works by executing transactions outside of Layer 1 but posting transaction data on Layer 1. This allows the rollup to scale the network and still derive its security from the Ethereum consensus
Moving computation off-chain allows for essentially processing more transactions in total as only some of the data of the rollup transactions has to fit into the Ethereum blocks
To achieve this, rollup transactions are executed on a separate chain that can even run a rollup-specific version of the EVM
The next step after executing transactions on a rollup is to batch them together and post them to the main Ethereum chain.
The whole process essentially executes transactions, takes the data, compresses it and rolls it up to the main chain in a single batch, hence the name - "a rollup"
How does Ethereum know that the posted data is valid and wasn’t submitted by a bad actor trying to benefit themselves🤔?
Each rollup deploys a set of smart contracts on Layer 1 that are responsible for processing deposits and withdrawals and verifying proofs.
Proofs are also where the main distinction between different types of rollups comes into play.
Optimistic rollups use fraud proofs. In contrast, ZK rollups use validity proofs.
In ZK rollups, every batch posted to layer 1 includes a cryptographic proof called a ZK-SNARK. The proof can be quickly verified by the layer 1 contract when the transaction batch is submitted and invalid batches can be rejected straight away.
There is a lot more to both ZK and Optimistic rollups, the methodology of their implementation, their limitations. This is just a crisp idea. There's a lot more to it.
Many projects are developing scaling solutions for ethereum based on ZK rollups. Some prominent one are dYdX, Loopring, Polygon Miden, Polygon Hermez
Privacy-Daily life Applications
Let's say two companies A and B want to use blockchain as medium to operate and communicate.
A transfers asset to B. They want this to remain within themselves. Yes blockchain would bring transparency, interoperability, data security and integrity and other benefits but why would a company share their internal logistic information openly in public? Zero Knowledge Proofs are the way to go.
Let's say you want to privately transfer some money to your friend overseas but don't want officials to snoop over it. How would you do it? Zero Knowledge proofs are the way out.
There are several other sectors where ZK proofs can have profound implications such as healthcare, insurance, e-voting, identity management.
In healthcare securing DNA data, personal information, health care records, essential medical history information, drug traceability, clinical trials, healthcare supply chain, organ transplant.
In insurance to secure insurance covernotes & certificate of Insurance in digital form, personal information, vehicle information, settling claims.
Identity Management using blockchain and ZKP have profound implication. Every kyc linked application, school, college, payment apps ask for images of our IDs like driving license, passport, voter id, national id. Our sensitive personal data is literally out there and we don't even realize it. With ZKp we can secure all of these IDs and reveal only necessary information to vendors, apps and officials. In fact we can completely revamp the way these IDs are issued using zkp.
We can use ZK proofs for all of these so that whenever some information is needed, user approves it and gives required information keeping the rest of details concealed.
It was only after 2013 that ZK-SNARKs efficient enough to practical implement and get used by developers, that's why there's a lot of scope for different apps that use ZKPs to show up in future.
Zcash, launched in 2016, is the only prominent product right now that has succeeded in implementing ZK-SNARKs and provide private transaction between users.
ZK-SNARKs vs ZK-STARKs
Source: Matter Labs github repository
zk-STARK stands for zero-knowledge scalable transparent argument of knowledge, and zk-SNARK stands for zero-knowledge succinct non-interactive argument of knowledge.
Both of these zero-knowledge technologies are non-interactive by nature, meaning the code can be deployed and act autonomously.
Zk-SNARKs at their base depend upon elliptic curves for their security. Elliptic curves in cryptography operate under the base assumption that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible. zk-SNARKs also require a trusted set up.
A trusted setup refers to the initial creation event of the keys that are used to create the proofs required for private transactions and the verification of those proofs
If the secrets used to create these keys in the trusted set up event are not destroyed, the secrets could be utilized to forge transactions by false verifications.
Another limitations of SNARKs,as we already know, their viability in post quantum world
👉On the other hand no trusted set-up is required to begin utilizing STARKs in a network. These are also labelled as quantum resistant. Though the proof size of STARK is much bigger than SNARK
But STARKs are still in nascent stage and there is not much support for developers, so there is still few years' time before we can see a ZK-STARK based product.
That's the end of it. This was small introduction to things that are being done with ZK proofs in Web3 world
Thanks for Reading!
Like and share the blog so that more people become aware about ZK proofs
P.S.- I'm building an inclusive community to talk about web3 and blockchain. You are Welcome to join us! Invite link
Connect with me:
Posted on January 15, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.