A guide to Zero Knowledge Proofs

Introduction

Zero Knowledge Proofs (ZKPs) are cryptographic techniques that allow a prover to convince a verifier that a given statement is true without revealing any additional information.

ZKP represent a significant advancement in the field of cryptography and privacy-preserving computation, and some folks compare ZKPs to the creation of a new form of computing in the sense that they introduce novel ways of representing, manipulating, and reasoning about information. ZKPs expand the range of problems that can be solved and the methods by which they can be approached, introducing new mathematical abstractions and tools to reason about information and its manipulation.

Zero Knowledge Proofs allow for more expressive and powerful privacy-preserving protocols, as the primary focus is on the relationships and transformations between different pieces of information, rather than the specific values themselves. This means that ZKPs offer a unique computing paradigm that focuses on privacy-preserving computation. This allows for the verification of computations without revealing the underlying data or the specifics of the computation itself.

Zero-knowledge proofs can also be viewed as a form of knowledge-compression technology, as they allow the prover to convince the verifier of a statement’s truth without transmitting the entire witness. This results in a smaller proof size and reduced communication overhead, making zero-knowledge proofs suitable for applications with bandwidth limitations or where privacy is paramount.

Additionally, ZKPs can be used as a means of verifiable computation, as they enable the prover to prove the correctness of the computation without revealing any information about the computation’s input, output, or internal detail.

Zero-knowledge proofs achieve verifiable computation through the following process:

1. A prover wants to convince a verifier that they have correctly performed a computation on secret input data.
2. The prover creates a zero-knowledge proof demonstrating the correctness of the computation while keeping the input data secret.
3. The verifier checks the proof to confirm the correctness of the computation without learning any information about the input data.

Why now?

Zero Knowledge Proofs have been around for many years, but their recent traction can be attributed to several factors:

• Proof generalization: Early Zero Knowledge Proofs were specialized and tailored to specific problems, limiting their applicability. The development of more general-purpose proof systems, such as zk-SNARKs and zk-STARKs, has made zero-knowledge proofs more accessible and versatile, allowing for a wider range of applications.
• Performance improvements: Zero Knowledge Proof systems have seen significant performance improvements over the years, particularly in terms of prover and verifier efficiency, proof size, and setup requirements. These improvements have made zero-knowledge proofs more practical and scalable, opening up new use cases and making them more attractive for real-world applications.
• Recursive proof composition: The ability to compose Zero Knowledge Proofs recursively has been a game-changer for many applications, particularly in the context of blockchain scaling. Recursive proof composition allows for the efficient verification of large numbers of proofs, making it possible to build more scalable and privacy-preserving blockchain systems.
• Blockchain adoption: The rise of blockchain technology has created a demand for solutions that can enhance privacy, security, and scalability. Zero Knowledge Proofs fit well within this context, as they can be used to create confidential transactions, secure off-chain computations, and enable more efficient consensus mechanisms. As a result, the growing interest in and adoption of blockchain technology have contributed to the increasing popularity of zero-knowledge proofs.

Fundamentals of Zero-Knowledge Proofs

A zero-knowledge proof has three main properties:

• Completeness: If the statement is true, an honest prover can convince an honest verifier.
• Soundness: If the statement is false, no dishonest prover can convince an honest verifier.
• Zero-Knowledge: If the statement is true, the verifier learns nothing beyond the fact that the statement is true.

To understand the ZKP process, it is important to know its essential components:

• Statement: A claim or assertion that the prover wants to convince the verifier is true.
• Witness: A piece of information that proves the statement is true.
• Prover: The party trying to prove the statement is true, without revealing the witness.
• Verifier: The party verifying the statement’s truth without learning the witness.

Building Blocks of Zero-Knowledge Proofs

Witness, Prover and Verifier

The witness is a piece of information that serves as evidence to prove the truth of a statement, as it satisfies a particular mathematical relation or constraint specified by the statement being proven.

In a ZKP, the prover uses the witness to construct a proof that demonstrates the truth of the statement without revealing any information about the witness. The verifier then checks the proof and confirms that the statement is true, without ever learning the contents of the witness.

As a circuit is used to represent the mathematical relation or constraint that needs to be satisfied for a statement to be true, the witness is usually taken as an input value. The output of the circuit would be typically be ‘1’ (true) or ‘0’ (false), depending on whether the input witness satisfies the constraints specified by the circuit.

Interactive Oracle Proof (IOP)

An Interactive Oracle Proof (IOP) is a communication process used in the realm of cryptography, particularly in proof systems, where a prover and a verifier exchange information through a series of queries to an oracle. The goal is for the prover to convince the verifier of the truth of a statement without revealing any additional information beyond the validity of that statement.

In an IOP, the prover and verifier engage in several rounds of interaction, where the verifier sends queries (questions) to the prover, who responds with answers that typically involve commitments to specific values. The verifier then checks these answers against the oracle, which holds precomputed responses or secrets, to verify the consistency and correctness of the prover’s statements.

In the context of zero-knowledge proofs, IOPs are often combined with other cryptographic techniques, such as polynomial commitments, to create efficient and secure proof systems.

Commitment Schemes

A commitment scheme is a key component of a ZKP. It allows one party, the prover, to commit to a value without revealing the value to the other party, the verifier. This allows the prover to demonstrate that they know a certain value, without revealing the value itself. Commitment scheme should be both binding (the prover cannot change the committed value) and hiding (the verifier cannot learn the committed value).

The key properties of a commitment scheme are that it should be computationally infeasible for the prover to change the committed value after the commitment has been made, and it should be computationally infeasible for the verifier to determine the committed value before the prover reveals it.

Here are some examples of commitment schemes that can be used in ZKPs:

- Hash-based commitments: The prover generates a cryptographic hash of the value they wish to commit to, and sends the hash to the verifier. The prover can then reveal the value later, and the verifier can verify that the revealed value matches the hash.
- Pedersen commitments: The prover generates a commitment by multiplying a random value with a generator and adding the value they wish to commit to. The prover can reveal the value later by revealing the random value and the generator, and the verifier can verify that the revealed value matches the commitment.
- Polynomial commitments: In a polynomial commitment, a prover commits to a polynomial by providing a commitment to its coefficients. The verifier can later verify the commitment by checking that the polynomial evaluates to specific values at specific points. The use of polynomial commitments in ZKPs provides privacy by hiding the values of the polynomial’s coefficients from the verifier, and verifiability by ensuring that the commitment can only be made by someone who knows the values
of the coefficients. Polynomial commitments are an essential building block in various zero-knowledge proof systems, including zk-SNARKs and zk-STARKs, allowing them to achieve succinctness.

PLONK: A Zero-Knowledge SNARK Construction

PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge) is a zero-knowledge proof construction that has introduced several innovations, one of which is the move from linear to sublinear arithmetizations.

This innovation has improved the efficiency of the proof construction process, reducing both the proof generation and verification times compared to earlier zk-SNARK constructions.

PLONK combines polynomial commitments and IOPs to create a non-interactive proof system. In PLONK, the prover commits to polynomials representing the witness using a polynomial commitment scheme. The verifier then queries the oracle at specific points to check the consistency of the witness with the statement.

PLONK construction employs arithmeticization to represent a computation as a set of polynomial equations. These equations are then used to create a zero-knowledge proof that verifies the correctness of the computation without revealing any information about the input data, other than the fact that the computation is correct.

Note that “arithmeticization” is the process of converting a problem into an equivalent representation using polynomials over a finite field, which can then be used as the basis for creating a zero-knowledge proof.

PLONK, Plonky, Plonky2, PlonkUp, UltraPLONK, and HyperPLONK are all variations of the PLONK zero-knowledge proof system. They are designed to improve upon the original PLONK by addressing specific requirements, optimizing performance, and providing additional features.

Fiat-Shamir: Transforming Interactive Proofs into Non-Interactive Proofs

Zero-knowledge proofs can be classified into interactive and non-interactive proof systems. Interactive proof systems require multiple rounds of communication between the prover and verifier, while non-interactive proof systems involve a single message from the prover to the verifier. The Fiat-Shamir heuristic is a technique used to convert interactive proofs into non-interactive proofs. It replaces the verifier’s random challenges with a deterministic hash function, making the proof non-interactive while still allowing efficient verification.

Rust: A Formally Verifiable Language for Zero-Knowledge Proofs

Rust is a programming language with a strong type system and safety features, making it ideal for implementing zero-knowledge proofs. By using Rust to build ZKP systems, developers can leverage its formal verifiability and robustness to ensure correctness and security.

Flow of a Zero Knowledge Proof

Here’s an example of how a ZKP works:

1. The prover wants to convince the verifier that a statement is true without revealing the witness.
2. The prover independently encodes the witness into a polynomial commitment, which is a cryptographic tool that allows the prover to commit to a polynomial.
3. The prover and verifier engage in an Interactive Oracle Proof (IOP), a proof system where they interact through oracle queries. During this interactive stage, the verifier queries the oracle at specific points to check the consistency of the witness with the statement.
4. The prover generates a proof using a zk-SNARK construction like PLONK, which combines polynomial commitments and IOPs to create a non-interactive proof system. This proof generation is done independently by the prover, without the verifier’s involvement.
5. The Fiat-Shamir heuristic is applied to transform the interactive proof into a non-interactive proof. This is achieved by replacing the verifier’s random challenges with a deterministic hash function.
6. The prover sends the non-interactive proof to the verifier, who can now efficiently verify the proof without any further interaction with the prover.
7. The verifier checks the proof and, if it’s valid, becomes convinced that the statement is true without learning any additional information about the witness.

Advanced Concepts in Zero-Knowledge Proofs

Encoding Witnesses and Proof Elements

Efficient encoding of witnesses and proof elements is crucial for compact and efficient zero-knowledge proofs. By transforming the witness and proof components into bytestrings and using standard data types and operations, proof construction, transmission, and verification can be streamlined. This also simplifies the implementation of zero-knowledge proofs in a programming language.

Finite Fields and Algebraic Structures

Finite fields are essential components in constructing efficient zero-knowledge proofs. They consist of a finite number of elements with well-defined arithmetic operations. The operations performed in finite fields are critical to the process of constructing and verifying proofs, as they provide the necessary algebraic structure to support polynomial commitments. Finite fields are used due to their desirable properties, such as the existence of unique inverses and closure under addition, subtraction, multiplication, and division.

Validation with Coefficients in Finite Fields

The validation of zero-knowledge proofs relies on checking the consistency of the witness with the statement. This is done by evaluating polynomials committed by the prover and verifying that they satisfy certain conditions. These evaluations involve coefficients in the finite fields, which ensures the correctness of the proof and guarantees that no dishonest prover can convince the verifier of a false statement.

Openings in Zero-Knowledge Proofs

Openings are an essential aspect of polynomial commitments in zero-knowledge proofs. They refer to the process by which a prover reveals specific values of a committed polynomial at certain points without disclosing the entire polynomial. This allows the verifier to check the consistency of the witness with the statement while maintaining the zero-knowledge property.

Boolean Algebra and Modulus

Boolean algebra deals with the manipulation of binary values (0 and 1) and is used in zero-knowledge proofs to represent logical gates in circuits. Modulus operations are used to ensure that all calculations stay within a finite field, which is crucial for the efficiency and security of zero-knowledge proofs.

Fourier Transformations and Vanishing Polynomials

Fourier Transformations are used in zero-knowledge proofs to transform polynomials between different representations, such as coefficient and evaluation representations. This transformation allows for efficient polynomial operations and evaluations. Vanishing polynomials are a key concept in constructing zero-knowledge proofs, as they help in proving consistency and correctness of the prover’s commitments.

Complexity Considerations: Provers and Verifiers

The computational complexity of zero-knowledge proofs for provers and verifiers can vary depending on the specific zero-knowledge proof system used. However, it is generally desirable to have efficient verification, even for large-scale problems. Provers, on the other hand, typically have more computational resources and are motivated to create the proof, so linear complexity or better is acceptable.

Folding

Folding, in the context of zero-knowledge proofs, refers to a technique used to reduce the size and complexity of a problem or computation in order to make it more efficient to prove and verify. The term “folding” is used because it involves combining or merging parts of the problem or computation in a way that the original problem can still be proven or verified, but with a smaller representation.

Bloom Filters and Cryptographic Accumulators

Bloom filters and cryptographic accumulators are data structures that can be used in the context of zero-knowledge proofs to efficiently represent and verify set membership proofs. Although not directly part of the core zero-knowledge proof constructions, these data structures can enhance the performance and applicability of ZKPs in various scenarios when set membership is a relevant aspect.

Importance of Randomness in Zero-Knowledge Proofs

Randomness plays a crucial role in zero-knowledge proofs, as it helps maintain privacy and prevent information leakage. Randomness is often incorporated into the proof generation and verification process using cryptographic techniques, such as hash functions and random number generators. Ensuring proper randomness is essential for the security of the zero-knowledge proof systems.

Merkle Trees and Merkle Proofs

Merkle trees are data structures used in zero-knowledge proofs to efficiently prove the inclusion or non-inclusion of elements in a large dataset while maintaining privacy. Merkle proofs are generated from Merkle trees, allowing for compact and verifiable proofs of membership. These structures are particularly useful in blockchain applications, where they help to ensure data consistency and integrity.

Recursive Zero-Knowledge

Proofs Recursive zero-knowledge proofs are a technique that allows the composition of multiple zero-knowledge proofs into a single proof. This can help reduce the overall proof size and verification time in certain applications. Recursive proofs enable efficient verification of large and complex statements while maintaining the privacy and security guarantees of zero-knowledge proofs.

ZKPs Protocols and Primitives

Sigma Protocols

Sigma protocols are a class of interactive zero-knowledge proof systems, often used in authentication and digital signatures. They are characterized by efficient proof generation and verification processes, and provide a robust foundation for various cryptographic applications. Sigma protocols are particularly useful for proving knowledge of discrete logarithms or other algebraic relations without revealing any information about the secrets.

Groth16

Groth16 is a popular and efficient zk-SNARK construction that requires a trusted setup. It is widely used in various applications, such as privacy-preserving cryptocurrencies and off-chain computations. Groth16 offers small proof sizes and fast verification times, making it an attractive choice for implementing zero-knowledge proofs in resource-constrained environments.

Bulletproofs

Bulletproofs are a type of non-interactive zero-knowledge proof system that does not require a trusted setup. They have applications in privacy-preserving cryptocurrencies and confidential transactions, offering efficient proof generation and verification. Bulletproofs can be used to create range proofs, which ensure that a secret value lies within a specific range without revealing the actual value.

Halo / Halo 2

Halo and its successor, Halo 2, are non-interactive zero-knowledge proof systems that do not require a trusted setup. They were developed by the Electric Coin Company and are used in privacy-preserving cryptocurrencies, such as Zcash. Halo 2 improves upon the original Halo protocol by offering greater efficiency and performance.

Halo and Halo 2 are notable for their recursive proof composition capabilities. This feature enables the efficient aggregation of multiple zero-knowledge proofs into a single proof, reducing the overall proof size and verification time. This is particularly useful in blockchain applications, where scalability and efficiency are critical factors.

Halo and Halo 2 employ elliptic curve pairings and polynomial commitments.

SNARKs and STARKs: Scalable Zero-Knowledge Proofs

SNARKs and STARKs are two popular families of zero-knowledge proofs that provide highly efficient and scalable solutions. While both offer succinct and non-interactive proof systems, they have different security assumptions and performance characteristics. Understanding the differences between SNARKs and STARKs is essential for choosing the right approach for a specific application.

SNARKs: Succinct Non-Interactive Arguments of Knowledge

SNARKs are a family of zero-knowledge proofs that provide small proof sizes and fast verification times. They rely on a trusted setup, which involves generating a set of public parameters that must remain secret to ensure the security of the system. This trusted setup can be seen as a disadvantage because it exposes the system to potential risks if the secret parameters are compromised. To address this issue, multi-party computation (MPC) is often employed. SNARKs utilize cryptographic methods founded on elliptic curve pairings, which could be susceptible to future quantum computing attacks.

STARKs: Scalable Transparent Arguments of Knowledge

STARKs (Scalable Transparent Arguments of Knowledge) are a class of zero-knowledge proofs that do not necessitate a trusted setup, offering transparent and secure proof systems.

Although STARKs provide efficiency levels comparable to SNARKs, they typically generate larger proof sizes, which may impact their suitability for certain applications. However, STARKs rely on cryptographic assumptions that are considered post-quantum secure.

Security Assumptions in Zero-Knowledge Protocols

Different zero-knowledge proof systems rely on various security assumptions to guarantee their privacy and soundness properties. Some of the most common security assumptions include:

• Discrete Logarithm Problem (DLP): The DLP is based on the assumption that it is computationally infeasible to compute the logarithm of a random element with respect to a generator in a finite cyclic group. Many zk-SNARKs and some zk-STARKs constructions rely on this assumption.
• Computational Diffie-Hellman Problem (CDH): The CDH assumption states that it is computationally infeasible to compute the Diffie-Hellman secret from two public keys without knowing the private keys. Some zk-SNARKs, particularly those based on pairings, rely on this assumption for their security.
• Short Integer Solution (SIS) and Learning With Errors (LWE) problems: SIS and LWE are problems related to lattice-based cryptography, and they assume that it is computationally infeasible to find a short vector in a lattice or to solve certain linear systems with noisy inputs, respectively. zk-STARKs and other post-quantum zero-knowledge proof systems often rely on these assumptions for their security.
• Quadratic Span Programs (QSP) and Quadratic Arithmetic Programs (QAP): QSP and QAP are algebraic representations of circuits that form the basis for many zk-SNARK constructions. The security of these systems relies on the assumption that it is computationally infeasible to find a valid proof without knowing a valid witness for the circuit.
• Random Oracle Model: Some zero-knowledge proof systems, particularly those that use the Fiat-Shamir heuristic to transform interactive proofs into non-interactive proofs, rely on the random oracle model. This model assumes the existence of a truly random function (the random oracle) that can be queried by all parties. In practice, cryptographic hash functions are used as a substitute for the ideal random oracle.

Related Tech

Multi-Party Computation (MPC) in Zero-Knowledge Proofs

Multiparty computation (MPC) is a cryptographic technique that allows multiple parties to jointly compute a function over their private inputs without revealing the inputs themselves. MPC has been integrated into various zero-knowledge proof constructions to enhance privacy and security. In the context of ZKPs, MPC is commonly used during the trusted setup phase for generating parameters, such as the common reference string (CRS). By employing MPC in the parameter generation process, trust issues can be mitigated, as multiple parties jointly generate the CRS. This ensures that, as long as at least one party behaves honestly, the CRS remains secure. In some zero-knowledge proof systems, the setup phase can be designed to be universal or updatable. A universal setup allows multiple instances of a proof system to share the same parameters, increasing efficiency and reducing the setup complexity. An updatable setup enables existing parameters to be updated by multiple parties, mitigating the need for trust in the initial setup and enhancing the overall security of the system.

Additionally, MPC can be used in both interactive and non-interactive zero-knowledge proof systems, and when combined with other cryptographic primitives like threshold signatures, it can further enhance privacy and security.

Difference between Zero-Knowledge Proofs and Homomorphic Encryption

Zero-knowledge proofs and homomorphic encryption are both cryptographic techniques used to preserve privacy, but they serve different purposes and have distinct properties.

Zero-knowledge proofs enable a prover to convince a verifier that a statement is true without revealing any additional information about the statement or the proof itself. Zero-knowledge proofs are primarily used to ensure the validity of a statement without leaking sensitive information.

Homomorphic encryption, on the other hand, is an encryption scheme that allows computations to be performed directly on encrypted data without decrypting it first. This enables secure computation on sensitive data while maintaining privacy. Homomorphic encryption is primarily used for secure computation and data processing in scenarios where multiple parties need to collaborate on sensitive information without revealing their individual inputs. It allows privacy-preserving analysis and decision-making, making it an essential tool for secure cloud computing, privacy-preserving machine learning, and other applications requiring data confidentiality.

Some use cases

ZKPs is an incredible technology, and there are a several use cases for it. Here few of them:

• Anonymous Credentials: Zero-knowledge proofs can be used to implement anonymous credential systems. In such a system, a user can prove possession of certain attributes (e.g., being over a certain age or having a valid membership) without revealing their identity. This allows service providers to verify eligibility without gaining access to sensitive information, preserving user privacy. In this scenario, zero-knowledge proofs serve as a knowledge compression technology, as they enable the user to prove a statement without revealing the underlying data.
• Privacy-Preserving Smart Contracts: In the context of blockchain technology, zero-knowledge proofs can be used to create privacy-preserving smart contracts. For instance, a decentralized finance (DeFi) application could allow users to prove their solvency or the availability of fundsis example, as both a knowledge compression technology (allowing voters to prove their eligibility without revealing personal information) and a verifiable computation technology (verifying the correctness of the vote tally without exposing individual votes). without revealing the exact amounts held in their accounts. In this case, zero-knowledge proofs serve as both knowledge compression and verifiable computation technologies, enabling users to prove statements related to their assets while keeping the information confidential.
• Secure Voting: Zero-knowledge proofs can be applied to implement secure, privacy-preserving voting systems. In such systems, voters can prove that their votes are valid without revealing their voting preferences. This ensures the integrity of the voting process while maintaining voter anonymity. Zero-knowledge proofs play a dual role in this example, as both a knowledge compression technology (allowing voters to prove their eligibility without revealing personal information) and a verifiable computation technology (verifying the correctness of the vote tally without exposing individual votes).
• Privacy-Preserving Location Services: Location-based services often require users to share their exact location, potentially infringing on privacy. Zero-knowledge proofs can be used to build privacy-preserving location services that allow users to prove their presence in a particular area or vicinity without revealing their exact coordinates. In this scenario, zero-knowledge proofs act as knowledge compression technology, enabling users to prove location-based statements without exposing their precise whereabouts. Additionally, as a verifiable computation technology, zero-knowledge proofs can ensure the correctness of the location claims without disclosing the underlying data.

Additional Resources

To learn more about ZKPs, here some resources you can have a look at:

https://zeroknowledge.fm/ (Podcast)

https://www.youtube.com/@zeroknowledgefm/videos (Youtube Channel)

https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649 (Article)

https://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.html (Book)

https://www.zksummit.com/ (Conference)