Zero knowledge proofs offer a method for developers to prove data validity or knowledge of data without revealing the data or additional information about the prover. Zero knowledge proofs are becoming widely used in blockchain applications from smart contracts like Tornado Cash to ZKrollups which are layer 2 blockchains on top of Ethereum. In this article we will explore how zero knowledge proofs work and how they are being used in the blockchain sector.
- The Zero Knowledge Problem
- How Zero Knowledge Proofs Work
- ZK Blockchain Applications
The Zero Knowledge Problem
Imagine you want to build a application where there are user accounts and user groups. The app needs a way for a user to prove they belong to a group without showing the verifier who they are.
In traditional development this is impossible, imagine a database of user accounts and then a second dataset of groups which includes an array of their user id numbers. The verifier or server can only lookup if the user is in a group by checking if the userID is in the group array.
This is the problem that zero knowledge proofs solve. ZKP’s provide the possibility to prove a statement or knowledge of information without revealing additional data to the verifier.
How Zero Knowledge Proofs Work
The most simple analogy I’ve heard for zero knowledge proof cryptography is a challenge where the prover has to show they’ve found Waldo from the “Where’s Waldo” books.
A zero knowledge proof would be finding Waldo and proving it by cutting him out of the page and giving it to the verifier. This would show that the prover knows where Waldo is but doesn’t reveal the location. The verifier couldn’t find him in the same book without doing the work to search for him. But the verifier can say without doubt that the prover has done that work and knows the location of Waldo.
For developers zero knowledge proof systems are built using circuits. A proving key and validation key is generated using a handshake ceremony between parties where the various participants contribute to the key. These can be thought of in a similar way to private/public key pairs in elliptic curve cryptography. The circuit may then have private and public inputs.
The proving key is used to generate a fraud proof using the private and public inputs. The validation key can verify this using just the public inputs, the fraud proof and the outputs from the circuit.
ZK Blockchain Applications
The blockchain sector was built on openness and transparency. Any Bitcoin transaction from one wallet to another is viewable by the entire network and any 3rd party via a block explorer. This comes at a cost to privacy and this was an ideal fit for applications and blockchains to integrate zero knowledge technology.
Zcash was launched in October 2016 and was based on a fork of Bitcoin with optional shielded transactions. Transactions are shielded using zkSNARKs (zero-knowledge succinct non-interactive argument of knowledge). Zcash pionnered these non-interactive zero knowledge proofs which combine the transparent and shielded TX inputs as public and private circuit inputs respectively.
In 2020 a paper was published criticising the privacy offered with only 0.09% of transactions from a 30 day period being untraceable. https://eprint.iacr.org/2020/593.pdf
Tornado cash is a mixing service on Ethereum mainnet. Users can deposit 1 ETH to a smart contract liquidity pool and withdraw to a separate address obfuscating the link and making the funds anonymous. In most DeFi hacks we now see the funds end up being washed through Tornado Cash.
On deposit a random secret and nullifier are generated. A commitment hash is computed from this data and inserted into a merkle tree which provides efficient on-chain validation. On withdrawal the user proves that he knows the merkle path and reveals the nullifier part of his commitment. The zkSNARK proof is checked and the funds are released.
Source code: https://github.com/tornadocash/tornado-core
The main reason we are going to be talking about zero knowledge proofs over the next year is the emergence of ZK rollups as layer 2’s for Ethereum. We’ve already seen optimistic rollups such as Optimism and Arbitrum launch with some success.
Rollups provide scalability by moving computation off the mainnet, posting a state proof to the L1. So 100 transactions can be computed on the L2 network and then just the changes in state will be updated in a single transaction on L1. Optimistic rollups assume the state change is valid unless someone launches a challenge. This creates some drawbacks such as the long wait times to withdraw funds from the L2 back to L1.
ZK rollups prove the computation is valid by posting a zkSNARK alongside the state changes. The computation is executed by an external network which is built up of relayers who stake a bond to participate. Withdrawals back to L1 can be executed on the next block rather than waiting days.
Zero knowledge proofs are a useful weapon in the developer tool kit. The first step is understanding how they can be used and in what applications they become useful. From there I would start with something like:
And build out a demo application which could later be integrated in to whatever it is you are building.
ZKrollup’s in one form or another will likely be the future of execution on Ethereum, with mainnet becoming a chain of verification hashes and legacy assets. If the data communications between L2’s can be made seamless then this provides huge scalability and the global computer will be ready to take on the Web3 narrative.