Welcome to our introduction guide on Zero-Knowledge Proofs (ZKPs), a concept in cryptography that allows one party to prove they know a value without revealing any information except the fact they know it. This tutorial will help you understand what ZKPs are, why they’re important, how they work, and the different types of ZKPs. Whether you’re a student, a professional, or simply interested in zero-knowledge, this tutorial aims to offer a comprehensive introduction to ZKPs and their potential to reshape digital privacy and security. Let’s dive in!
Zero-Knowledge Proofs (ZKPs) are a fascinating concept in the field of cryptography and theoretical computer science. They were introduced by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in the 1980s. ZKPs serve as a method by which one party, known as the prover, can prove to another party, the verifier, that they possess a specific piece of knowledge, without revealing that knowledge itself.
ZKPs are particularly significant in a world where data privacy is increasingly valued. They allow for information to be verified without revealing the information itself, providing a method for maintaining privacy and security in transactions, particularly in decentralized systems.
ZKPs have three essential properties:
- Completeness: If the statement is true, an honest verifier will be convinced of this fact by an honest prover. This means that if you genuinely know the secret, using a ZKP, you can convince me that you do.
- Soundness: If the prover is dishonest, they can’t convince the verifier that a false statement is true by lying. In other words, if you don’t know the secret, you can’t trick me into believing you do using a ZKP.
- Zero-knowledge: If the statement is true, the verifier learns nothing other than this fact, preserving the prover’s privacy. This means that in convincing me you know the secret, you don’t need to reveal any other information to me.
To better understand this, let’s consider a simple analogy:
Suppose you and a friend come across a magical cave that contains a treasure. The cave has two entrances, A and B, connected by a secret door that can only be opened by a magic word known to you. The paths A and B lead to the secret door and then to the treasure.
Here’s the situation: You want to prove to your friend that you know the magic word to open the door (which represents the secret information), but you don’t want to reveal the magic word itself. This is where a zero-knowledge proof can be applied.
Here’s how the process would work:
- Step 1: While your friend is not looking, you enter the cave through either entrance A or B.
- Step 2: Your friend comes back and shouts the name of the entrance they want you to come out from.
- Step 3: If you entered from the entrance your friend called, you simply come out. If you entered from the other entrance, you use the magic word to open the secret door and come out from the called entrance.
This process is then repeated multiple times. After several rounds, your friend will become convinced that you know the magic word since you’re always able to emerge from the entrance they specify. However, you’ve never revealed the magic word itself.
In this analogy:
- You are the “prover”, proving that you know the magic word.
- Your friend is the “verifier”, trying to verify your claim.
- The magic word is the secret information that you want to prove you know without revealing it.
This scenario captures the essence of a zero-knowledge proof:
- Completeness: If you truly know the magic word, you can always convince your friend by always coming out from the called entrance.
- Soundness: If you don’t know the magic word, you won’t be able to consistently come out from the called entrance, and your friend will not be convinced.
- Zero-knowledge: Your friend becomes convinced that you know the magic word, but they learn nothing about the magic word itself.
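To make the three properties concrete, here is a small simulation of the cave protocol. It is an added example, not code from the original tutorial: the `Prover`, `run_protocol`, `cheater_success_probability` and transcript helpers are invented for this illustration, and "knowing the magic word" is modelled simply as being able to pass through the secret door. The exhaustive enumeration shows that a cheater's chance of surviving every round is exactly 2^-rounds, and the simulator shows why the verifier's view cannot contain the word: the same view can be produced without it.

```python
import random
from itertools import product

ENTRANCES = ("A", "B")


class Prover:
    """Cave prover. knows_word=True models someone who holds the magic word;
    the word itself is never part of any message sent to the verifier."""

    def __init__(self, knows_word, choose_entrance):
        self.knows_word = knows_word
        self.choose_entrance = choose_entrance  # how the prover picks A or B
        self.entrance = None

    def enter(self):
        # Step 1: enter while the verifier is not looking.
        self.entrance = self.choose_entrance()

    def exit_from(self, called):
        # Step 3: come out of the called entrance if you can.
        if called == self.entrance or self.knows_word:
            return called        # walk back, or open the door with the word
        return self.entrance     # stuck: can only leave the way you came in


def run_protocol(prover, rounds, challenge):
    """Verifier's side: repeat the three steps; reject on the first failure.
    The challenge must be unpredictable to the prover, otherwise a cheater
    simply enters through the entrance that will be called."""
    for _ in range(rounds):
        prover.enter()
        called = challenge()     # Step 2: shout an entrance
        if prover.exit_from(called) != called:
            return False
    return True


def cheater_success_probability(rounds):
    """Exact soundness error: a cheater passes only if every entrance guess
    matches every challenge. Enumerating all entrance/challenge sequences
    gives 2 ** -rounds (exhaustive, so keep rounds small)."""
    total = wins = 0
    for entrances in product(ENTRANCES, repeat=rounds):
        for challenges in product(ENTRANCES, repeat=rounds):
            total += 1
            wins += entrances == challenges
    return wins / total


def real_transcript(prover, rounds, challenge):
    """What the verifier sees: (called entrance, entrance the prover exited)."""
    view = []
    for _ in range(rounds):
        prover.enter()
        called = challenge()
        view.append((called, prover.exit_from(called)))
    return view


def simulated_transcript(rounds, challenge):
    """Zero-knowledge: without the word, anyone can write down a transcript
    with the same distribution as a real one, so the transcript itself
    cannot leak the word."""
    return [(c, c) for c in (challenge() for _ in range(rounds))]


if __name__ == "__main__":
    rng = random.Random(2024)
    pick = lambda: rng.choice(ENTRANCES)
    print("honest prover accepted:", run_protocol(Prover(True, pick), 20, pick))
    print("cheater accepted:", run_protocol(Prover(False, pick), 20, pick))
    print("cheater bound for 20 rounds:", 2 ** -20)
    print("cheater probability for 5 rounds:", cheater_success_probability(5))
    print("simulated view:", simulated_transcript(3, pick))
```

The `choose_entrance` and `challenge` callables are injected so the protocol can be driven either by a random source, as in the `__main__` block, or by fixed choices when you want to reproduce a particular round sequence.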
Zero-knowledge proofs can be used to protect data privacy in a diverse set of cryptography use cases. Here are some examples:
One of the most prevalent applications of ZKPs is in the field of blockchain technology. Public blockchains like Bitcoin and Celo are transparent by design, meaning that transactions can be verified publicly. However, this transparency can compromise privacy and lead to the deanonymization of users. ZKPs can help introduce more privacy into public blockchains.
For instance, the cryptocurrency Zcash is based on a form of ZKP known as Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK), which provides privacy to its users. Similarly, some blockchains use a type of ZKP called Zero-Knowledge Scalable Transparent Argument of Knowledge (zk-STARK) to provide privacy and scalability. In these cases, users can prove that they have a valid secret (like a private key corresponding to their funds) without revealing that secret itself.
ZKPs also find utility in the finance industry. For instance, ING uses ZKPs to allow customers to prove that a secret number (such as their income) lies within a known range without revealing the exact number. This way, a mortgage applicant can prove that their income is within the acceptable range for a loan application without disclosing their exact salary. This preserves privacy while still providing the necessary validation.
Online voting systems can use ZKPs to ensure voter anonymity and integrity of the vote tally. Voters can vote anonymously, and then, using ZKPs, they can verify that their vote was included in the final tally without revealing who they voted for.
ZKPs are a powerful tool for authentication purposes. They can be used to authenticate users without the need for exchanging or storing secret information like passwords. This could be a game-changer for cybersecurity, reducing the risk of data breaches.
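The "prove you hold the private key without sending it" pattern from the blockchain section and the password-free authentication described here both have a standard cryptographic instance: the Schnorr identification protocol, which proves knowledge of the discrete logarithm x behind a public key y = g^x. The tutorial does not name Schnorr; this is an added example, not code from the tutorial or from Celo, and the group parameters (p = 23, q = 11, g = 2) are toy values constructed for readability, where real deployments use roughly 256-bit prime-order groups. The block walks through the three properties the cave analogy illustrates, in the real setting: `verify` gives completeness, `extract_secret` shows why the protocol is sound (and why the prover's randomness r must never be reused, since two transcripts sharing a commitment reveal the key), `simulate_transcript` gives zero-knowledge, and the Fiat–Shamir functions show how the interactive protocol becomes non-interactive by hashing the public values into the challenge.

```python
import hashlib
import secrets

# Toy group (constructed for readability): g = 2 generates a subgroup of prime
# order q = 11 in Z_23^*. Real deployments use ~256-bit prime-order groups.
P, Q, G = 23, 11, 2


def keygen(x=None):
    """Private key x, public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


def commit(r=None):
    """Step 1 (prover): fresh randomness r, commitment t = g^r. Reusing r across
    proofs leaks x (see extract_secret), so it must be fresh every time."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return r, pow(G, r, P)


def respond(x, r, c):
    """Step 3 (prover): s = r + c*x mod q. x is masked by the one-time r."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier: g^s == t * y^c, which holds iff s = r + c*x for the x behind y."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def interactive_proof(x, y, challenge=lambda: secrets.randbelow(Q)):
    """One run of the interactive protocol; a cheater passes with probability 1/q."""
    r, t = commit()
    c = challenge()          # Step 2 (verifier): random challenge in [0, q)
    return verify(y, t, c, respond(x, r, c))


def extract_secret(t, c1, s1, c2, s2):
    """Soundness: two accepting transcripts with the same t and c1 != c2
    determine x, so anyone who can answer two challenges must know x."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


def simulate_transcript(y, c=None, s=None):
    """Zero-knowledge: choose c and s first, then solve for t = g^s * y^(-c).
    The result passes verify() but was built without x, so a real transcript
    cannot carry information about x that this one lacks."""
    c = secrets.randbelow(Q) if c is None else c
    s = secrets.randbelow(Q) if s is None else s
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y^(-c), since y has order q
    return t, c, s


def fiat_shamir_challenge(y, t):
    """Non-interactive variant: the challenge is a hash of the public values, so
    the prover cannot pick t after seeing c. q is tiny here, which would let a
    cheater grind commitments; real schemes use a ~256-bit challenge space."""
    digest = hashlib.sha256(f"{G}|{P}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def nizk_prove(x, y, r=None):
    """Non-interactive proof of knowledge of x: the pair (t, s)."""
    r, t = commit(r)
    return t, respond(x, r, fiat_shamir_challenge(y, t))


def nizk_verify(y, t, s):
    return verify(y, t, fiat_shamir_challenge(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", interactive_proof(x, y))
    t, s = nizk_prove(x, y)
    print("non-interactive proof accepted:", nizk_verify(y, t, s))
    print("simulated transcript verifies:", verify(y, *simulate_transcript(y)))
    r, t = commit()
    c1, c2 = 3, 9
    print("x recovered from a reused r:",
          extract_secret(t, c1, respond(x, r, c1), c2, respond(x, r, c2)) == x)
```

For an authentication server, the public key y is all that needs to be stored, and the proof it receives is bound to a fresh challenge (or, with Fiat–Shamir, to a message including a server nonce), so a captured proof cannot be replayed; the stored value, unlike a password hash, is useless to an attacker who reads the database.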
ZKPs can even be used in the context of machine learning. Owners of machine learning algorithms can use ZKPs to convince others about the results of the model without revealing any information about the model itself. This can be very useful in preserving proprietary information and ensuring data privacy, while still being able to make claims about the model’s performance.
These are just a few examples of how ZKPs can be applied. The potential applications are vast and continue to grow as more industries recognize the value of maintaining privacy while providing necessary proof or verification.
Zero-Knowledge Proofs come in different types, each with its own unique characteristics and use cases. Here, we will discuss three popular types of ZKPs: zk-SNARKs, zk-STARKs, and Bulletproofs.
zk-SNARKs are a form of ZKP where the proof is both small in size and quick to verify. This makes zk-SNARKs particularly useful for scalability purposes, as they can handle large amounts of data efficiently. A notable feature of zk-SNARKs is that they are non-interactive, meaning the prover can create a proof without any interaction with the verifier.
However, zk-SNARKs come with a caveat: they require a one-time trusted setup. The setup generates a pair of keys: one for creating proofs (the proving key) and one for verifying them (the verification key). It must be performed by a trusted party, and if the secret parameters used to generate these keys are not destroyed afterwards, they could be used to create false proofs that would nonetheless verify correctly. zk-SNARKs are also vulnerable to attacks by quantum computers.
zk-SNARKs are used in Zcash, a privacy-focused cryptocurrency. The use of zk-SNARKs allows Zcash to hide the sender, receiver, and amount in a transaction, while still allowing the network to verify the transaction’s validity.
zk-STARKs are another form of ZKP that offer several advantages over zk-SNARKs. First, zk-STARKs do not require a trusted setup, which eliminates the risk of “toxic waste” (the term for the secret information used in the trusted setup for zk-SNARKs). This makes zk-STARKs more secure and “transparent” than zk-SNARKs.
Moreover, zk-STARKs are post-quantum secure, meaning they are believed to be secure even against attackers with quantum computers, which is not the case for zk-SNARKs.
However, zk-STARKs have their own drawbacks. They generate larger proofs than zk-SNARKs, which means they require more storage space and bandwidth. The verification time, while still fast, is also slower than for zk-SNARKs.
zk-STARKs are relatively new and not yet widely adopted, although the company StarkWare is leading their development. Potential use cases include any scenario where the advantages of zk-STARKs (no trusted setup, post-quantum security) outweigh their disadvantages (larger proof sizes, slower verification time).
Bulletproofs are another type of ZKP that are especially suited for certain types of proofs, such as proving that a number is within a certain range. Like zk-STARKs, Bulletproofs do not require a trusted setup. However, unlike zk-SNARKs and zk-STARKs, Bulletproofs do not use pairings, which makes them more compatible with existing cryptographic assumptions.
Bulletproofs generate short proofs and are efficient in terms of both the prover’s and the verifier’s time. The main drawback of Bulletproofs is that verification time scales linearly with the size of the statement being proved (and proof size logarithmically, as the table below shows), whereas for zk-SNARKs and zk-STARKs they are constant or nearly constant.
Bulletproofs are used in Monero, another privacy-focused cryptocurrency, to hide the amount in a transaction while allowing the network to verify that the transaction is valid.
Here’s a comparison of these three ZKP systems:
| ZKP System | Algorithmic Complexity: Prover | Algorithmic Complexity: Verifier | Communication Complexity (Proof Size) |
| --- | --- | --- | --- |
| zk-SNARKs | O(N * log(N)) | ~O(1) | ~O(1) |
| zk-STARKs | O(N * poly-log(N)) | O(poly-log(N)) | O(poly-log(N)) |
| Bulletproofs | O(N * log(N)) | O(N) | O(log(N)) |
Remember that “N” here represents the size of the statement being proved. The “log” and “poly-log” terms refer to logarithmic and polylogarithmic time complexity, respectively, which are mathematical terms used to describe how the time required by an algorithm grows with the size of the input.
Each of these ZKP systems has its own strengths and weaknesses. The choice between them depends on the specific requirements of the use case, such as the need for a trusted setup, the acceptable proof size and verification time, and the level of security required.
Zero-Knowledge Proofs are a sophisticated and intricate area of study within the field of cryptography. As we’ve seen, they have the potential to enhance privacy and security in a variety of applications, ranging from cryptocurrencies like Zcash and Monero, to other potential use-cases in secure voting, identity verification, and more.
While this tutorial provides an introduction to the concept of Zero-Knowledge Proofs and some of the popular types of ZKPs, it is the first part of a tutorial series on ZKPs on Celo. If you’re interested in diving deeper, you can follow the pathway here: Zero-Knowledge Proofs on the Celo Blockchain: A Comprehensive Tutorial Series - Pathways - Celo Academy
I’m Jonathan Iheme, a full-stack blockchain developer from Nigeria with a great passion for zero-knowledge technology.