The Evolution of Zero-Knowledge Proofs in Web3
ZKPs are core to Manta Network’s privacy preservation functionality to enable privacy for all crypto assets.
This year, Zero-Knowledge Proofs (ZKPs) have been making a strong appearance in various mentions by thought leaders and notable projects in the Web3 space. Whether it’s Vitalik’s prediction that ZK will be a major technological revolution, or the latest developments of StarkWare, zkSync and other projects, ZK will be highly anticipated in 2022.
The concept of Zero-Knowledge Proofs (ZKPs) was first invented by Shafi Goldwasser, Silvio Micali and Charles Rackoff in their seminal paper, “Knowledge Complexity of Interactive Proof Systems” in the 1980s. The idea is that someone (the prover) can prove the correctness of a statement to someone else (the verifier) without disclosing any information.
When the idea was born, despite being considered as a theoretical breakthrough, even the cryptography community labeled the scheme as impossible in practice. Thanks to many breakthroughs made in the recent decades, though, especially the contribution made by many web3 projects like ZCash, we have seen a Moore’s Law style improvement on the performance of zero-knowledge proof systems.
Zero-Knowledge Proof Systems Overview
There is a lot of jargon around ZKP systems. In general, however, a zero-knowledge proof system should have the following 4 crucial properties:
- Completeness: an honest prover can convince the verifier of any true statement he/she knows.
- Soundness: a computationally bounded prover cannot forge a proof of a false statement that convinces an honest verifier.
- Zero-knowledge: the proof doesn't leak any information beyond the validity of the statement itself.
- Succinctness: the proof size is constant or logarithmic in the circuit size (i.e., the amount of computation) of the statement.
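The first three properties worked through on a toy interactive proof of knowledge of a discrete logarithm (Schnorr's protocol), as an added example that is not part of the original post: an honest run is accepted, a wrong answer is rejected, a simulator produces accepting transcripts without the witness (zero-knowledge), and two answers to one commitment let you extract the witness (soundness). The 2039/1019/4 demo group and all function names are my own assumptions; the group is far too small to be secure and the proof is not succinct.

```python
import secrets

# Constructed demo group: p = 2q + 1 with q prime; G = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1        # secret witness
    return x, pow(G, x, P)                  # public statement y = g^x

def prover_commit():
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)                  # keep r, send t = g^r

def prover_respond(x, r, c):
    return (r + c * x) % Q                  # answer challenge c with s = r + c*x

def verifier_check(y, t, c, s):
    # Completeness: if s = r + c*x then g^s == t * y^c.
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y):
    r, t = prover_commit()
    c = secrets.randbelow(Q)                # verifier's random challenge
    return verifier_check(y, t, c, prover_respond(x, r, c))

def simulate_transcript(y):
    # Zero-knowledge: pick c and s first and solve for t; the resulting (t, c, s)
    # is accepting and distributed like a real run, so transcripts reveal nothing about x.
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P
    return t, c, s

def extract_witness(c1, s1, c2, s2):
    # Soundness: a prover who answers two different challenges for the same
    # commitment t must know x, because (s1 - s2) = (c1 - c2) * x mod q.
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

if __name__ == "__main__":
    x, y = keygen()
    print("honest run accepted:", run_protocol(x, y))
    print("simulated transcript accepted:", verifier_check(y, *simulate_transcript(y)))
```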
In order to generate a ZKP, both the prover and the verifier need to commit to some shared secret and use this shared secret to generate public parameters. This secret is referred to as toxic waste. If this secret is revealed, the attacker could fabricate zero-knowledge proofs to fool the verifiers.
To solve this issue, cryptographers from ZCash/Berkeley/Technion came up with a solution: using Multi-Party Computation (MPC) to do a ceremony called Trusted Setup [2 & 3] for the zero-knowledge proof system. By doing so, as long as there is a single person who is honest during the ceremony (an honest person would discard the toxic waste successfully), the entire system is safe.
However, since a trusted setup requires a huge community effort, this imposes practical challenges of deploying the ZK system in the real world. For example, if you find a bug in your ZK circuit, you need to do a trusted setup again, which takes weeks. That cost of time may result in other consequences, such as lost funds that have been accessed by unauthorized parties (ie., hackers).
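The MPC ceremony described above as an added toy example (not Manta's, ZCash's or any real ceremony's code): each participant multiplies their own random share into the hidden tau and then discards it, so the published parameters correspond to the product of all shares, and colluders missing even one honest participant's share end up with a different tau. The tiny group, the DEGREE value and the function names are constructed assumptions; the pairing checks a real powers-of-tau ceremony uses to verify each contribution are omitted.

```python
import secrets

# Constructed demo group: p = 2q + 1 with q prime; G generates the order-q subgroup.
P, Q, G = 2039, 1019, 4
DEGREE = 4    # publish g^{tau^k} for k = 0..DEGREE (a real setup publishes millions)

def initial_params():
    # Before anyone contributes, tau = 1, so every power is just g.
    return [G] * (DEGREE + 1)

def contribute(params, share):
    # Participant re-randomises: (g^{tau^k})^{share^k} = g^{(tau*share)^k}
    return [pow(params[k], pow(share, k, Q), P) for k in range(DEGREE + 1)]

def params_for_tau(tau):
    # What the parameters look like to someone who knows the toxic waste tau.
    return [pow(G, pow(tau, k, Q), P) for k in range(DEGREE + 1)]

def fresh_share():
    return secrets.randbelow(Q - 2) + 2      # in [2, q-1], so a share never equals 1

def run_ceremony(shares):
    params = initial_params()
    for share in shares:
        params = contribute(params, share)
        # An honest participant deletes their share here; the parameters stay valid.
    return params

def combine_shares(shares):
    tau = 1
    for s in shares:
        tau = tau * s % Q
    return tau

def ceremony_demo():
    shares = [fresh_share() for _ in range(3)]
    params = run_ceremony(shares)
    full_tau = combine_shares(shares)
    # Participants 0 and 2 collude; participant 1 was honest and discarded their share.
    colluder_tau = combine_shares([shares[0], shares[2]])
    return {
        "matches_full_product": params == params_for_tau(full_tau),
        "colluders_know_tau": params == params_for_tau(colluder_tau),
    }

if __name__ == "__main__":
    print(ceremony_demo())
```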
To solve this problem, a wide variety of ZKP systems have been proposed. They can roughly be divided into 3 categories.
zkSNARK (Requires per-circuit Trusted Setup)
The widely used Groth16 implementation (used by ZCash, Filecoin, and Celo) is an example of this kind. Until today, Groth16 still has the best verifier efficiency and a very good prover efficiency. For every circuit, another trusted setup ceremony must be performed.
Transparent zkSNARK (ie., STARK)
STARK doesn’t require a trusted setup. However, this comes at the cost of a much bigger proof size (192 bytes for Groth16 vs. 20~40 KB for STARK), which means a higher gas cost on-chain.
Universal zkSNARK (Requires a single Trusted Setup for all circuits up to a given size)
A universal zkSNARK still requires a trusted setup. However, this trusted setup only needs to be done once for all circuits up to a certain size, which largely solves the problem of per-circuit trusted setups. The state-of-the-art universal zkSNARKs have good proof size as well as good verifier and prover efficiency. An example of a universal zkSNARK is Plonk, which is adopted by Manta Network, Aztec, and Matter Labs.
What does ZKP bring to Web3?
One of the biggest issues in the current Web 3 world is the lack of privacy. Sending transactions in a public ledger is like sending money over Twitter; essentially, the transaction history of an account is completely transparent and immutable.
Furthermore, linkages between pseudo-anonymous wallet addresses and existing online identities form revealing and publicly accessible information about individuals, groups, or organizations. A recent example of this is the verification of NFT ownership through Twitter profile pictures, which requires the Twitter user to publicly prove on-chain ownership of the NFT by connecting a wallet address to their Twitter profile.
ZKP is the perfect technology to prevent this pitfall for web3 protocols. It allows decentralized verifiability, which only relies on the trust of cryptographic assumptions (ie., math). And at the same time, due to the zero-knowledge property mentioned previously, it protects an individual’s privacy by not leaking sensitive information on-chain. It protects a user’s anonymity as well by using zero-knowledge proof as a “shield” for common adversaries such as data-harvesting advertising campaigns and machine-learning-based link analysis.
Equally concerning is the immutability of on-chain transactions. This means that anything written to a blockchain cannot be changed. Public data that is published on-chain will remain public and accessible by anyone with an Internet connection. By adding a layer of privacy to the transaction through the use of ZKPs, users will have peace of mind for their privacy, not only for now but also for the years to come.
Apart from privacy, ZKPs provide a desirable solution for scaling web3 protocols without sacrificing decentralization. That scalability feature brings tremendous value to congested protocols like Ethereum by lowering gas fees for users.
The core idea of scaling up web3 protocols using ZKP is called a zk-rollup: essentially packaging a large number of transactions together (eg., 10,000 transactions). Normally, this packaging would not bring any performance benefits, since the validator still needs to execute those 10,000 transactions one by one. However, ZKPs can pack those 10,000 transactions in a single proof by using the verifiability properties of soundness and completeness as mentioned before. Instead of re-executing these 10,000 transactions, the validators only need to verify the single zero-knowledge proof.
Quantifying this demonstrates the scalability efficiency of a zk-rollup. Verifying a single zero-knowledge proof can be approximately 100x more computationally expensive than executing a single transaction. A zk-rollup, however, is a single zero-knowledge proof verification that covers, in this example, 10,000 transactions, so the cost of verifying one proof is spread across all 10,000 transactions. This makes the zk-rollup 100x cheaper per transaction than before.
There is a tradeoff, though. A zk-rollup must aggregate 10,000 transactions before being executed. This wait time between each execution is referred to as the finality time. The cheaper transaction cost of packaging 10,000 transactions together, therefore, comes at an expense of time.
Manta Network’s Deployment of ZKP
The complete vision of Manta is to become the privacy layer of Web 3 using zero-knowledge proofs. This vision consists of 3 steps.
Step 1: MantaPay
MantaPay is the first product that Manta is launching. The initial version of this product was launched as the Dolphin testnet in December 2021. MantaPay is a UTXO-based (similar to Bitcoin) private payment protocol that uses zkSNARK to shield the linkage between coin transfers. While the protocol design is similar to ZCash, it brings two significant improvements.
The first improvement is interoperability. Compared with ZCash, which only supports ZCash public tokens, MantaPay is a multi-asset private payment protocol that supports a BYOT (Bring Your Own Token) model. For now, MantaPay supports all Polkadot/Kusama fungible assets. With the introduction of cross-chain bridges, MantaPay will support even more assets.
The second improvement is scalability. Manta’s cryptographic team has optimized the design of a multi-asset private payment protocol by using a “bag of tricks” including:
- zero-knowledge proof friendly collision-resistant functions and commitment schemes,
- the state-of-the-art universal zkSNARK (Plonkup),
- and streamlined protocol design.
As a result, MantaPay’s circuit size is only a tenth of the size of ZCash’s Sapling protocol. Combined with the fast Substrate runtime and high throughput consensus offered by Polkadot, MantaPay can achieve a much higher TPS with lower finality time.
To the Polkadot ecosystem, MantaPay’s privatization functionality, which extends to any parachain asset, creates intrinsic value for the assets existing within it. As shown in the figure below, all the Polkadot ecosystem assets get privatization functionality through Manta, which creates a great value to all the ecosystem projects:
Step 2: MantaSwap
The next step of Manta is MantaSwap, a private AMM-based decentralized exchange using zkSNARK.
The decentralized exchange is the bread and butter for web3 users. It enables a trustless free market of crypto assets, which can be obtained in a sovereign manner to unlock access and participation in other web3 ecosystems, applications, and voting structures. Manta’s ethos is to increase privacy adoption by providing more utility for private assets on-chain. Naturally, creating a decentralized exchange would be our next step. MantaSwap uses the market-proven automated market maker (AMM) design, which brings both capital efficiency and transaction efficiency. By using a relatively simple exchange algorithm, the zero-knowledge proof circuit size, as well as the prover efficiency, can be kept under control.
MantaSwap’s design provides anonymity for both traders and liquidity providers, which encourages adoption by both groups. At the same time, the liquidity pool size and the trading price are public; this enables liquidity discovery and effective arbitrage that ensures the efficiency of the exchange.
Step 3: Privacy-preserving Smart Contract
The third step for Manta is to solve the final missing piece of private assets and programmability with a dedicated smart contract platform on private assets.
Programmability is the heart and soul of the web3 revolution. Because of programmability, the entire Web 3 space is innovative, colorful, and interactive in a self-sovereign manner.
Manta’s privacy-preserving smart contracts will be based on MantaPay and MantaSwap’s circuits, and will allow any DApp developer to build and deploy their own protocol on the private assets on Manta. Notable examples include privacy-preserving DAO tools, private NFT marketplaces, and more. Manta’s long-term vision is to deliver privacy-as-a-service to web3, providing convenient privacy-enabling features to integrate with existing and new applications without the need for privacy or cryptography expertise from those applications.
References
- [1] Shafi Goldwasser, Silvio Micali, Charles Rackoff. The Knowledge Complexity of Interactive Proof Systems.
- [2] Eli Ben-Sasson, Alessandro Chiesa, Matthew Green, Eran Tromer, Madars Virza. Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs.
- [3] Sean Bowe, Ariel Gabizon, Matthew Green. A Multi-party Protocol for Constructing the Public Parameters of the Pinocchio zk-SNARK.
About Manta Network
Manta Network is committed to building a better Web3 world through privacy protection. Manta’s product design starts from first principles and provides end-to-end privacy protection for blockchain users through leading cryptography architectures such as zkSNARK. While ensuring privacy, Manta offers interoperability, convenience, high performance, and auditability, allowing users to conduct private transfers and transactions between any parallel chain of assets. Manta’s vision is to provide more convenient privacy protection services for the entire blockchain world.
Manta’s founding team is made up of several cryptocurrency veterans, professors and academics with experience from Harvard University, MIT and Algorand. Manta’s advisors include Hypersphere Ventures co-founder Jack Platts, Polychain partner Luke Pearson, former Web3 Foundation co-founder Ashley Tyson, Consensys’ Shuyao Kong.
Manta’s investors include Polychain, ParaFi, Binance Labs, Multicoin, CoinFund, Alameda, DeFiance and Hypersphere. Manta is also an official Web3 Foundation grant recipient, a member of Substrate Builder Program, and a member of Berkeley Blockchain Accelerator.