The State of Knowledge of Zero-Knowledge
Digital assets infrastructure developers have always been working on the blockchain trilemma of simultaneously improving decentralization, security, and scalability. Much progress has been made on scalability using Layer 2 (L2) rollup solutions, specifically relying on optimistic verifications or zero-knowledge proofs (ZKPs). (Refer to our earlier post on Layers and Bridges for a broader review.) While the nomenclature is seemingly an oxymoron, ZKPs are a technically interesting solution that can address not only scalability but also security and privacy, and thereby, have a wide range of applications.
What is a Zero-Knowledge Proof
The concept of ZKPs originated from a research paper in the mid-1980s jointly authored by researchers from MIT and the University of Toronto. As described by many sources, including the reference from the Ethereum Foundation, a “zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true.” This characteristic is important because it can improve the security and privacy of information for individuals. With a ZKP, no personally identifiable information needs to be shared with a third party to prove one’s identity or attributes.
ZKPs rely on algorithms that take some data as input and return a binary output, e.g., a ‘true’ or ‘false’. An interactive ZKP consists of three essential elements:
Witness: The secret information that the prover will use, but not reveal, to prove her knowledge of that hidden information,
Challenge: A question or a request randomly selected by the verifier, and posed to the prover for a response,
Response: The action carried out by the prover, using the witness, to convince the verifier that she is in possession of the witness.
A trivial example of this is a circular cave with two openings, A and B, connected by a pathway inside the cave but separated by a door with a secret code. Peggy (the prover) wants to demonstrate to Victor (the verifier) that she possesses the secret code (the witness) without revealing it. While looking away, Victor requests that Peggy enter an entrance that she randomly selects. Victor then turns around and selects the opening from which he wants Peggy to emerge (the challenge). Peggy then proceeds to do so successfully (the response), thereby proving that she does indeed possess the secret code. However, given that Peggy may have randomly entered that same opening that was called out by Victor, the verifier poses the challenge several times to reduce the probability of accepting false positives.
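The cave protocol above, simulated as an added example that is not part of the original post: an honest Peggy (who knows the code) always satisfies Victor, while a cheating Peggy (who does not) can only pass a round when she happened to enter the side Victor calls out, so her odds fall by half with every repetition. The cave, the secret code and the trial counts are constructed values.

```python
import random
from typing import Optional


class Door:
    """Constructed model of the inner door: it opens only with the secret code."""

    def __init__(self, secret_code: str) -> None:
        self._secret_code = secret_code

    def opens_with(self, code: Optional[str]) -> bool:
        return code == self._secret_code


class Prover:
    """Peggy. `code` is the witness; None models a cheater who lacks it."""

    def __init__(self, code: Optional[str], rng: random.Random) -> None:
        self.code = code
        self.rng = rng

    def enter(self) -> str:
        # Peggy picks opening A or B at random while Victor looks away.
        return self.rng.choice("AB")

    def respond(self, entered: str, challenge: str, door: Door) -> bool:
        # Same side as requested: she simply walks back out, no code needed.
        if entered == challenge:
            return True
        # Other side: she must pass the door, i.e. actually know the code.
        return door.opens_with(self.code)


def run_protocol(prover: Prover, door: Door, rounds: int, rng: random.Random) -> bool:
    """Victor accepts only if Peggy emerges from the requested side every round."""
    for _ in range(rounds):
        entered = prover.enter()
        challenge = rng.choice("AB")  # Victor's random challenge
        if not prover.respond(entered, challenge, door):
            return False
    return True


def cheater_success_rate(rounds: int, trials: int, seed: int = 0) -> float:
    """Fraction of protocol runs a code-less Peggy survives; approaches 2**-rounds."""
    rng = random.Random(seed)
    door = Door("constructed-secret")
    cheater = Prover(None, rng)
    wins = sum(run_protocol(cheater, door, rounds, rng) for _ in range(trials))
    return wins / trials


def rounds_for_soundness_error(max_error: float) -> int:
    """Smallest number of rounds k such that a cheater passes with probability 2**-k <= max_error."""
    k = 0
    while 2.0 ** -k > max_error:
        k += 1
    return k
```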
The example outlined above involves interactions between the prover and the verifier. However, practical applications are non-interactive, requiring that the prover use the witness to generate a zero-knowledge proof and that the verifier use an algorithm to determine the validity of that proof.
ZKPs have far-reaching applications in the real world as well as in digital assets. A 2014 article in Nature proposed a zero-knowledge proof implemented with a physical protocol for the purpose of verifying the presence of nuclear warheads without revealing sensitive information.
For blockchain applications, calculating ZKPs can be computationally intensive and complex to implement, thereby increasing the time it may take to verify and complete transactions. It also adds a layer of complexity to a platform or protocol, making it more difficult to audit and increasing the risk of security and software flaws. However, this rather recent advancement in cryptography is proving to be beneficial and complementary to blockchain technology by assisting with identity and transaction verification without disclosing identifying information or the details of the underlying transactions. This has direct applications for on-chain privacy, scalability, and identity.
Privacy, Scalability, and Identity Through Non-Interaction
Non-interactive ZKPs come in two major forms. Zero-Knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) generally rely on the more computationally efficient elliptic curve cryptography and on a trusted setup, in which a trusted party’s secret randomness is used to generate the parameters of the proof. In contrast, Zero-Knowledge Scalable Transparent ARguments of Knowledge (zk-STARKs) use hash functions, which scale in a computationally efficient manner as the size of the witness grows, and, according to StarkWare’s STARK paper, rely on transparent, publicly verifiable randomness for the proof setup.
Zcash is a well-known implementation of zk-SNARKs on a fork of Bitcoin back in 2016, created to enable privacy in token transactions. It ensures that a user’s wallet balance of the native ZEC coin and transaction history are accurate without revealing them. To the user, Zcash offers the option to use "shielded" transactions that conceal the sender, recipient, and amount being transferred. The transaction's sender must construct a proof that shows they have the keys to an address where sufficient ZEC exists to cover the transaction. The proof attests that they have this information, and that the transaction is valid according to the network's consensus rules, without revealing any information about the sender's identity or the transaction amount. When the transaction is broadcast to the network, nodes verify the zk-SNARK proof, and if the proof is valid, the network accepts the transaction without ever learning any of the transaction's confidential details. The blockchain updates with the new shielded transaction, but instead of showing the amount and addresses involved, it only shows that a valid transaction occurred.
ZKPs are also making their way into rollups, Layer 2 scaling solutions that execute and bundle (or "roll up") hundreds of transactions off-chain, validate the transactions, and submit the transactions along with the state changes back to the main blockchain to rely on the main chain’s consensus protocol. Rollups significantly reduce the amount of data stored and computation performed on the main chain, thereby increasing the throughput of the blockchain while still inheriting its security. They are mostly either optimistic or reliant on zero-knowledge proofs. Optimistic rollups assume that the transactions are valid but undergo a challenge period, generally lasting 1 week, that allows fraudulent transactions to be detected and challenged. In contrast, ZK rollups rely on cryptographic proofs to prove the transactions’ validity without revealing any transactional details, and transactions can be finalized in minutes.
Although optimistic rollups require a longer time before transactions are fully finalized, they avoid the computational intensity involved with proof generation of ZKPs and are more compatible with the Ethereum Virtual Machine. Currently, this has led to a broader adoption of the former. According to L2Beat, the top three leading rollups are optimistic rollups comprising close to 85% of the total value locked in L2 scaling solutions.
The remaining 6 of the top 10 rollups employ ZKPs and comprise just 10% of the value locked in L2 scaling solutions. Of these, zkSync and StarkNet are two well-known names. zkSync employs zk-SNARK technology and is EVM (Ethereum Virtual Machine) compatible. StarkWare invented and uses zk-STARKs for its StarkNet, created its own programming language, and requires a bit of adjustment to achieve EVM compatibility.
“Privacy is rarely lost in one fell swoop. It is usually eroded over time, little bits dissolving almost imperceptibly until we finally begin to notice how much is gone.”
- Daniel J. Solove, “Nothing to Hide: The False Tradeoff Between Privacy and Security”
Perhaps the most foundational application of ZKPs is for on- and off-chain identity. The core ethos of blockchain and digital assets is to be permissionless and trustless. Being permissionless allows anyone to join a protocol, use a dApp, or deploy code to create a platform. Trustlessness is enabled by broadly distributing ledgers and employing game-theoretic incentives to engender trust among the many instead of requiring qualified agents to centralize and gate members and activities. However, the transparency of public blockchains and the pseudonymity of wallet addresses never provided much privacy.
Privacy is fundamental for a functional democracy. Many have said, “I am a law-abiding citizen and therefore, I have nothing to hide”, and too many have either willingly or unwittingly provided their private information to major corporations for the sake of convenience. Unfortunately, as we’ve witnessed over the last several years, that has led to outcomes ranging from the annoying, e.g., unwanted marketing ads, to the more nefarious, e.g., social media feeding clickbait promoting siloed views that warp public opinion.
Efforts at privacy, implemented by Zcash, Monero, and Tornado Cash, have focused on financial privacy by shielding transactions. Monero achieves this by implementing Ring Confidential Transactions (RingCT) to obfuscate the transaction, Ring signatures to anonymize the sender, and single-use stealth addresses to protect the recipient’s wallet address. Tornado Cash works by unlinking deposit and withdrawal addresses. Specifically, it allows the user to use ZKPs to process a deposit from one address, and through a community of relayers, withdraw funds to other addresses.
But is pure anonymity, on the other end of the spectrum from the full transparency of a public blockchain, what we desire? The world is far from perfect and there are many bad actors ranging from fraudsters to criminals and nefarious organizations. Surely, we would want to know that we are transacting with another good actor, instead of, say, North Korea, which is diverting funds for its own nuclear arms program. In other words, performing KYC (know-your-client) checks is important to prevent interactions with fraudulent and deceitful actors, or inadvertently laundering their funds. The US Treasury Department’s sanction of Tornado Cash in August 2022 and the US Justice Department’s indictment of R. Storm and R. Semenov, creators of Tornado Cash, in August 2023 are considered by many to be regulatory overreach, but they suggest that there can be negative real-life consequences that are exacerbated by full anonymity.
Leveraging ZKPs for identity verification may offer a compromise. Traditional verification methods often require users to share more personal information with a verifier than is necessary, for example revealing a driver's license to prove age and residence. Typically, the verifier stores a copy of this information in its records, creating the risk of that record being misused or stolen. The challenge is to verify a user’s identity and credentials while minimizing the exposure of personal details.
In contrast, with a ZKP protocol, the verifier could verify that the credentials match a set of requirements without knowing the details. In such an arrangement, the user obtains a digital identification from a trusted authority (e.g., a government-issued driver’s license). This ID securely contains the birthdate, residence, and other relevant details. The digital ID is cryptographically signed by the authority and is owned by the user in her digital wallet. When accessing a dApp that has age and residence requirements, the user is asked to prove that she meets these requirements. The protocol interacts with the user’s digital wallet to cryptographically verify the user’s digital credentials, without needing to know the age or residence details.
Various parties are trying to offer such a solution to provide a better approach to identification. Polygon, an L2 scaling solution for Ethereum, has developed Polygon ID, a set of identity infrastructure tools that uses ZKPs to allow developers “to build trusted and secure relationships between users and dApps, following the principles of self-sovereign identity and privacy by default.” Polygon ID’s Triangle of Trust consists of the three aforementioned entities – the individual who holds the identity and the credentials, the issuer who is the trusted authority issuing the credentials, and the verifier who needs to perform KYC and verify a user’s credentials before services can be provided.
Similarly, a recent paper titled “Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium”, written by Vitalik Buterin of the Ethereum Foundation, Jacob Illum of Chainalysis, and three other authors, proposed a protocol to allow people to “prove regulatory compliance without having to reveal their entire transaction history.” The proposal introduces the creation of Privacy Pools to associate members who remain in regulatory compliance, association set providers (ASPs) consisting of trusted organizations or on-chain methodologies to create these associations, and ZKPs to allow the users to prove that their funds are legally sourced without revealing the historical transactional details.
Cryptographic techniques have been a cornerstone of blockchain technology. Zero-knowledge proofs can be used to increase both on-chain privacy and scalability. While their adoption is still limited, we believe that ZKPs will play a more dominant role in improving the user experience, securing user identities, bridging on- and off-chain platforms and products, and securing on-chain protocols.