While transparency builds trust and accountability, it also leaves little room for privacy. Every transaction is linked to a sender and receiver address. However, a cryptographic innovation known as Zero-Knowledge Proofs (ZKPs) have emerged as a solution to this paradox of privacy on a blockchain.
ZKPs allow for the confirmation of transactions without the need to disclose any information. They strike a balance between the openness needed for decentralization and the privacy often required by users and particular use cases, thus opening up new horizons for the world of Web3. In an age where privacy is paramount, ZKPs bring us closer to achieving the vision of secure, private, and efficient transactions on the blockchain.
The Problems with Privacy on the Blockchain
Blockchain technology is an open ledger of information that can be used to record and track transactions, and it's inherently transparent, decentralized, and immutable. That decentralization and immutability make blockchain ideal for a wide variety of use cases, but in instances where you want your data to stay private (whether that data is financial, medical, personal, or something else altogether), blockchains today aren’t a good fit.
Zero knowledge proofs solve the paradox of privacy on a blockchain.
That’s because blockchains only provide pseudonymity, not anonymity. Transactions on the blockchain are linked to public addresses, not directly to individuals' identities, but they are traceable. If someone can associate your real identity with your public blockchain address, they can view every transaction you've ever made through that address.
Additionally, privacy on blockchains is also limited by:
- Transactional Linkability: Transactions are not isolated; they are linked to each other. It’s not just individual addresses that are public, but the network of transactions itself and how different addresses relate to one another. Because of this, it's possible to analyze transaction patterns, which might lead to privacy leaks if a series of transactions can be linked to specific individuals or organizations.
- Smart Contract Transparency: Smart contracts are self-executing contracts with the terms of the agreement directly written into code. They are stored on the blockchain, which makes them transparent and visible to all network participants, possibly revealing sensitive business logic.
Of course, sometimes this transparency is good—there are plenty of people and companies that identify bad actors or track on-chain criminal activity, and the public nature of smart contracts means you can audit that behavior and make sure the code behaves the way it should. But there are plenty of use cases where you don’t want your data to be public.
It just isn’t viable to have personal or commercial information on the blockchain. Do you want your medical records decentralized and immutable? Sure, but you don’t necessarily want them accessible on a transparent blockchain for all to see either.
To be a truly useful option for a wide variety of businesses, there needs to be some way to protect sensitive information on the blockchain. That’s where zero-knowledge proofs come in.
What is a Zero-Knowledge Proof?
Zero-knowledge proofs (ZKPs) are a form of cryptographic protocol that allow one party, known as the "prover," to demonstrate to another party, the "verifier," that they know a specific piece of information or that a certain statement is true, without revealing any details about the information itself.
How can you prove you know something without telling the other person what you know?
Let's first go through a classic thought experiment with ZKPs before walking through a technical breakdown of the concept.
Let's say you have two balls: one red, one green. You show them to your friend, who happens to be color-blind. They can't tell the difference between the two balls. How can you prove to your friend that one ball is red while the other is green? And can you do that without telling them which one is red and which one is green?
It turns out you can. You give the two balls to your colorblind friend, who shows you one ball while putting the other behind their back. Then your friend puts the ball they showed you behind their back, and now they have a choice: they can either show you the same ball again, or switch them and show you the second ball. Since you are not color-blind, you will be able to tell your friend whether he switched balls or not every time.
OK, your friend may say, you guessed correctly, but you had a 50-50 chance. Let's do it again. You answer correctly again (one in four chance). Then you do it again. And again. And again. By the time you've done it just 20 times, the odds of you guessing correctly each time are more than one in a million.
You have proved your knowledge, but you have given your friend zero knowledge—they still don't know which ball is red and which is green.
So, at the heart of a zero-knowledge proof is:
- Proof of Knowledge: A prover makes a statement that they know a value 'x' without revealing any information about 'x' itself. 'x' could be a password, personal information, or any kind of data.
- Verification: The verifier challenges the prover with a random request related to the statement. The prover then generates a response to the challenge using their secret knowledge, 'x,' but crucially, this response does not reveal 'x' or any information about it.
- Completeness: If the statement is true and both the prover and verifier follow the protocol, the verifier will be convinced that the prover knows 'x.'
- Soundness: If the statement is false, it's extremely unlikely the prover could consistently generate correct responses to the verifier's challenges.
- Zero-knowledge: If the statement is true, no verifier learns anything beyond the fact that the statement is true. Even if the verifier is dishonest or if their data is later compromised, no information about 'x' is leaked.
The History of Zero-Knowledge Proofs
ZKPs have been around within cryptography since 1989 when Shafi Goldwasser, Silvio Micali, and Charles Rackoff published their paper The Knowledge Complexity of Interactive Proof Systems. They wanted to minimize knowledge transfer while still maintaining the ability of a verifier to check the proof's validity, hence the term "zero-knowledge proofs."
It wasn't until a 2012 paper, catchily titled From Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again, that an initial demonstration of a particular type of zero-knowledge proof, a succinct non-interactive argument of knowledge, or SNARK, was demonstrated as a possible privacy mechanism for the blockchain. This was followed in 2018 by the paper Scalable, transparent, and post-quantum secure computational integrity which launched Scalable Transparent Argument of Knowledge, or STARKs. It is these two specific mechanisms that are now utilized heavily in Web3 today.
The distinction between interactive and non-interactive zero-knowledge proofs lies in the number of messages exchanged between the prover and the verifier.
With Interactive Zero-Knowledge Proofs (IZKPs), there are multiple rounds of communication between the prover and the verifier. The verifier asks questions or sends challenges, and the prover responds with answers or solutions. They are often used in situations where ongoing interaction between two parties is feasible, like in authentication protocols.
In Non-Interactive Zero-Knowledge Proofs (NIZKPs) there is just a single message from the prover to the verifier. Once the prover sends the proof, the verifier can check it without any further interaction. zk-SNARKs, described below, are a type of NIZKP.
Implementing ZKPs on the Blockchain
Both zk-SNARKs and zk-STARKs allow one party to prove that they know a value or that a certain statement is true without revealing any information about the value or the statement itself. However, zk-SNARKs and zk-STARKs differ in their construction, efficiency, and assumptions.
zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)
A zk-SNARK allows one party, the prover, to demonstrate that they know a specific piece of information without revealing it. The key qualities of zk-SNARKs are:
- First-mover advantage: zk-SNARKs arrived on the Web3 scene 6 years before zk-STARKs and have achieved greater adoption in the space. This means more dev resources like a bigger community and more robust documentation.
- Succinct: The proofs are small in size and can be verified in milliseconds, offering greater efficiency and scalability.
- Trusted setup: The drawback of zk-SNARKs is that they require a trusted setup. The math that underlies the protocol requires initial public parameters that the prover and verifier can use. These parameters are created using a secret, called “toxic waste,” which is destroyed after the setup. But if anyone kept the secret used to create these parameters, they could create counterfeit coins. It also means there is an inherent lack of transparency about the setup process.
One of the most widely used implementations of zk-SNARKs is Zcash. Zcash is a privacy-focused cryptocurrency that was introduced in 2016. It's built on the original Bitcoin codebase, but it includes advanced privacy features that make use of zk-SNARKs.
zk-SNARK technology allows the Zcash network to maintain a secure ledger of balances without disclosing the parties or amounts involved. Instead of publicly demonstrating spend-authority and transaction values, the transaction metadata is encrypted, and zk-SNARKs are used to prove that the conditions of the transaction have been satisfied, such as proving that the transaction amount is equal to the sum of input and output amounts.
zk-SNARKs are also being used in zk-rollups, a popular layer 2 solution for scaling blockchains, including Ethereum.
zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge)
zk-STARKs, like zk-SNARKs, allow for efficient zero-knowledge proofs but with some key differences:
- Transparent: unlike zk-SNARKs, zk-STARKs do not require a trusted setup. This transparency offers a more open and trusted setup, and there’s less opportunity to manipulate the proof.
- Quantum Secure: Quantum computing represents a potential threat to many cryptographic systems. zk-SNARKs are vulnerable to potential quantum attacks. However, zk-STARKs leverage cryptographic primitives (hash functions and error-correcting codes) that are considered resistant to quantum adversaries, future-proofing the technology against advances in quantum computing.
- Scalable: zk-STARKs offer better scalability than zk-SNARKs because they enable devs to take storage and computation for proofs off-chain.
- Larger proof sizes: The main trade-off with zk-STARKs is that they have larger proof sizes, which has a number of ramifications. It means it takes longer to verify a particular proof, users pay higher gas fees to complete that verification, and the on-chain storage costs are greater.
The current main implementation of zk-STARKs is in StarkWare products. StarkWare's StarkNet is a decentralized blockchain that uses zk-STARKs for enhanced scalability and privacy, allowing many transactions to be bundled into one proof, thus maximizing throughput and reducing on-chain data.
StarkEx, another StarkWare product, is a 'layer 2 scalability engine' that improves blockchain efficiency by batching off-chain transactions and submitting a single zk-STARK proof to the blockchain. Both solutions harness zk-STARKs to verify transactions without disclosing specifics, ensuring privacy, scalability, and security in applications like decentralized exchanges.
Start Building in a More Private World
By empowering users to leverage decentralization without surrendering privacy, ZKPs blend the transparency and security of the blockchain with the confidentiality that modern users demand. As blockchain applications continue to evolve and impact various sectors, from finance to healthcare, the incorporation of ZKPs will undeniably be a game-changer, driving the next stage of blockchain's revolution with a renewed emphasis on privacy.
Inspired to start building? Download our free guide to Web3 app development to jumpstart your journey as a Web3 developer: