Imagine this, you have a top-secret key that opens a mysterious portal to an ancient Egypt treasure of tons of gold, diamonds and gems, and you want to resell the secret key to a hunter. However, he is suspicious of your referrals and doesn’t believe the fact that you are in ownership of the key. In this case, how would you solve it? Give him the key? Surely no one would dare to do that, too risky. So, the problem here is you really want to prove to the hunter that you have the key without revealing it in any way. Is that even possible?
What if we told you it is, through a method used in cryptography known as zero-knowledge proof. It is a way of keeping privacy, doing authentication to prove that something is known without revealing directly the known information.
I. What Are Zero-Knowledge Proofs (ZKPs)?
This term zero-knowledge proof was first coined by a group of mathematicians in the 1980s for their interactive protocol. It means that two parties kind of have to go back and forth to make the proof actually work. And zk-snarks, the first widely used form of non-interactive protocol, has been used by various cryptocurrencies such as Zcash, Tornado Cash, which unlike public blockchain like Bitcoin, gives you the option of confidential transactions and financial privacy through shielded addresses.
A zero-knowledge proof is a way of proving the validity of a statement without revealing the statement itself. The prover is the party trying to prove a claim, while the verifier is responsible for validating the claim. In other words, zero-knowledge proofs are indirect proofs allowing you to prove you know a secret without ever revealing the secret to anyone else. You prove that you’re telling the truth only.
Researchers have discovered a way for people to prove that they possess secret information, from their credit card numbers to military access codes without giving any permission for third parties to access that kind of personal information. Where a conventional proof conveys information, a zero-knowledge proof is meant to convey only the assurance that the information is in hand. The goal is to convince a second party without providing any of the knowledge that would allow him, or an eavesdropper, to convince a third party.
Zero-knowledge proofs solve the problem of privacy by eliminating the need to reveal information to prove validity of claims. The zero-knowledge protocol uses the statement called a witness, as input to generate a succinct proof of its validity. This proof provides strong guarantees that a statement is true without exposing the information used in creating it. So going back to the earlier example, you don't have to prove you have the key by reaching the portal and opening it. Hence, the only evidence you need to prove your ownership is a zero-knowledge proof. The verifier only has to check if certain properties of the proof hold true to be convinced that the underlying statement holds true as well.
The Concept Of Provers and Verifiers
In zero-knowledge proofs, the basic roles are the prover and verifier. The prover must prove that they know the secret. The verifier must be able to verify the prover is telling the truth.
It works because the verifier asks the prover to do things that can only be done if the prover definitely knows the secret. If the prover is guessing, people will eventually be proven wrong by the verifier’s tests. If the secret is known, then the prover will pass the verifiers test every time without a problem. It’s like when a bank or institution asks your identity. You’re not telling them what’s in your bank account, you’re merely telling them that you know the sequence of a given word.
II. How Do Zero-Knowledge Proofs Work?
You must have wondered from the beginning of the article how a ZKP can prove you are the owner of the key to the treasure without having to reveal the key to the hunter, right? A ZKP allows you to prove the truth of a statement without sharing the statement’s contents or revealing how you discovered the truth. To make this possible, ZKPs rely on algorithms that take some data as input and return “true” or “false” value as output.
There is a zero-knowledge protocol doing algorithms to satisfy the following requirements:
- Completeness: if the input is valid, the zero-knowledge protocol always returns “true”. Thus, if the underlying statement is true, and the prover and the verifier act honestly then the proof can be accepted.
- Soundness: if the input is valid, it is theoretically impossible to fool the protocol to return “true”. In consequence, a lying prover can’t cheat an honest verifier into believing an invalid statement is valid.
- Zero-knowledge: the verifier learns nothing about a statement beyond its validity of falsity. And this requirement also prevents the verifier from deriving the original input from the proof.
Let’s take the example of the treasure. In this case, you must be the prover, and the hunter is the verifier. Let’s assume, there are two portals but only one has the treasure, portal A and B. You want to prove to the hunter that you know where the treasure is. So the protocol starts, the hunter stays outside and tells you to enter portal A. You successfully enter with your secret key and notice the hunter. The hunter knows you’re in and then is convinced. The input is valid. Transaction should be done.
But this protocol performs only once, the hunter should not be convinced. It is possible that you initially choose the right portal A, instead of B and get lucky when the hunter chooses for you to open the same portal A. So in this scenario, it should only be convincing to the hunter if the test is repeated several times. So if it’s repeated 20 times, the chances of you lying about knowing the secret key becomes about one in a million.
In result, all three zero-knowledge requirements are met. Completeness is assured by you and the hunter and ensured by the verifiably honest computer program following the protocol. Soundness is assured by repetitions of the protocol. And zero-knowledge is assured because the hunter never knows, or has no knowledge of the secret key and any outside observer has no way of knowing if both orchestrated the whole thing.
It’s interesting to point out that a ZKP doesn’t give you an airtight proof. It’s about minimizing the probability that someone is lying to you. So you can get the probability very small but it can never reach zero. Each time you repeat the process, the probability that you’re cheating decreases even further. The algorithm is rather intensive, requiring either a large number of interactions between verifier and prover.
Types Of Non-Interactive Zero-Knowledge Proofs
A protocol like the one we mentioned needs constant interactions between the prover and the identifier, and no third party would be able to evaluate the proof. That’s why a new type of ZK proof was proposed: the non-interactive ZK proof introduces the concept of a shared key. The key is a sort of token that anyone can use to check the validity of the statement. This implies that verifications don’t require a new proof from the verifier every time that a third party wants to check the validity of a statement.
For an “interactive” solution to work, both the verifier and the prover needed to be online at the same time making it difficult to scale up on the real world application. Non-interactive Zero-Knowledge Proofs do not require an interactive process, avoiding the possibility of collusion. It requires picking a hash function to randomly pick the challenge by the verifier.
Right now, if we talk about zero-knowledge proofs, zk-SNARK is, at this point, probably the most popular form of ZKP. The term zk-SNARK was first coined in 2011.
- zk-SNARK: stands for Zero-Knowledge Succinct Non-interactive proof requiring a setup phase between trusted individuals, called the “shared key”. It refers to public parameters that the prover and verifier agree to use in generating and verifying proofs.
- zk-STARK: is an acronym for Zero-Knowledge Scalable Transparent Argument of Knowledge. It is similar to zk-SNARK, but it produces larger proofs meaning they generally have higher verification overheads. However, there are cases such as proving large datasets, where zk-STARK may be more cost-effective than zk-SNARK.
III. Blockchain Applications For Zero-Knowledge Proofs
In spite of the obvious application for zero-knowledge proofs as a privacy-enabling technology, its uses currently remain limited as developers work to reduce the size and computational requirements of zero-knowledge proofs and find effective methods for implementing them. At the moment, ZKPs are mainly used to enable private addresses and transactions when using digital assets but researchers see potential in a wide range of privacy-sensitive applications ranging from simple authentication to nuclear disarmament.
Authentication and Identity Protection
On centralized social media platforms like Facebook, Amazon, Twitter, Tiktok, or the biggest search engine Google, our data is sold to profit in an effort to manipulate our behavior through advertising. On completely open blockchain networks all our activities are recorded. What zero-knowledge proof offers us is a public and transparent network that protects people from the snoopers, peepers and creepers of our digital age.
ZKP in digital identification mechanisms, a secure alternative to the fog of birth certificate photocopies and smartphone photos of passports. Those ID schemes could also allow people to prove that they meet a minimum age requirement without sharing their date of birth, or that they have a valid driver’s license without handing over their number. This improves the experience for users and frees organizations from the need to store huge amounts of user information.
Indeed, transparency on the public blockchain was one of the factors that gave it trust, but it has a major drawback. While some data should be available to be publicly verified, there is a whole host of other information that is better kept private. Cryptocurrencies were intended to provide a means to conduct private, p2p transactions. But most transactions are openly visible on public blockchain, such as some addresses can be associated with real-world organizations using basic block explorers.
ZKPs are being applied into the protocol, privacy-focused blockchain networks that allows for anonymizing transactions on public blockchain. An example is Tornado Cash, it uses ZKP baking and mixing assets to obfuscate transaction details and guarantee financial privacy. However, this just is an add-on privacy tool they are associated with illicit activity. So to overcome this, privacy has to ultimately become a default feature on public blockchains.
At the moment, many teams are working to develop second layers on top of blockchains. Integrating a second layer provides a place where transactions can be recorded and added to the ledger in batches or groups that prevent the network from getting clogged, and solve the problem of the trilemma of a blockchain network. Users demand instant-finality for their transactions, transaction speed is improved and transaction fees are getting cheaper, which is crucial if we are to achieve mainstream adoption of blockchain technologies to the masses.
ZKPs are no doubt quite a revolutionary piece of technology. Their complexity is evidenced by the length of time it has taken for them to be used in any practical way since it was theorized. However, recent concerns in the digital age relating to data breaches and other privacy have spurred the demand for a new option. Now that the advantages of ZKPs are known we can expect to see broader applications of them in both centralized and decentralized environments.