Session 2.5 - Zero-Knowledge Proofs

Learning Objectives

By the end of this session, you will be able to:

Apply ZKP concepts for privacy preservation
Understand the fundamental principles of zero-knowledge proofs
Distinguish between different types of ZKP systems
Analyze real-world applications of ZKPs in blockchain
Evaluate the trade-offs between privacy and transparency in DLT

Step-by-Step: How Zero-Knowledge Proofs Work

Core Definition

A Zero-Knowledge Proof (ZKP) is a cryptographic method that allows one party (the prover) to prove to another party (the verifier) that they know a secret without revealing the secret itself.

ZKP Process Flow

1

Setup

Prover and Verifier agree on a mathematical statement to prove

Example: "I know the password X"

2

Commitment

Prover creates a cryptographic commitment using their secret

Example: Hash(X + random_value)

3

Challenge

Verifier sends a random challenge to test the Prover's knowledge

Example: "Show me path A or B"

4

Response

Prover provides response that proves knowledge without revealing the secret

Example: Shows correct path without revealing X

Key Insight

This process is repeated multiple times. Each round has a 50% chance of success if the prover is cheating. After n rounds, the probability of successful cheating drops to (1/2)^n, making it negligibly small.

Understanding ZKPs Through Examples

The Classic Cave Analogy - Interactive Walkthrough

Ali Baba's Cave Structure

Entrance

Path A

Path B

Secret Door

🔐 Password Needed

👩 Alice

Step 1: Setup

Claim: Alice knows the secret password to the door that connects both paths inside the cave.

Goal: Prove this knowledge to Bob without revealing the actual password.

Key Point: The door allows passage between paths A and B, but only with the correct password.

Step 2: Random Choice

Action: Alice enters the cave and randomly chooses either Path A or Path B.

Important: Bob cannot see which path Alice chose - he waits outside!

Privacy: Bob has no information about Alice's path choice.

Step 3: Challenge

Challenge: Bob randomly calls out "Come out from Path A!" or "Come out from Path B!"

Result: If Alice knows the password, she can always exit from the requested path (using the secret door if needed).

Probability: Without password = 50% success. With password = 100% success.

Mathematical Analysis

Without Password (Cheating)

Round 1: 50% chance of success
Round 2: 25% chance (0.5 × 0.5)
Round 3: 12.5% chance (0.5³)
Round n: (0.5)ⁿ chance

After 20 rounds: less than 1 in a million chance!

With Password (Honest)

Can always use secret door if needed
Success rate: 100% every round
No matter which path chosen initially
Bob becomes convinced after multiple rounds

Password never revealed, but knowledge proven!

Learning Outcome

After multiple rounds, Bob becomes convinced Alice knows the password without learning the password himself. This demonstrates all three ZKP properties: completeness, soundness, and zero-knowledge!

Three Essential Properties

Completeness

If the statement is true and both parties follow the protocol, the verifier will be convinced

Soundness

If the statement is false, no cheating prover can convince the verifier (except with negligible probability)

Zero-Knowledge

The verifier learns nothing about the secret beyond the fact that the statement is true

Types of Zero-Knowledge Proofs

Interactive ZKPs

Require back-and-forth communication between prover and verifier

Characteristics

Multiple rounds of communication
Verifier sends random challenges
Prover responds to each challenge
Probabilistic verification

Examples

Schnorr identification protocol
Graph isomorphism proofs
Commitment schemes

Non-Interactive ZKPs

Single message from prover to verifier, no interaction needed

Characteristics

One-time proof generation
Can be verified by anyone
Suitable for blockchain applications
Requires trusted setup (usually)

Examples

zk-SNARKs
zk-STARKs
Bulletproofs

Why Non-Interactive for Blockchain?

Blockchain applications typically use non-interactive ZKPs because:

Proofs can be included in transactions
Any network participant can verify them
No need for real-time communication
Proofs remain valid indefinitely

Deep Dive: ZKP Systems Technical Analysis

zk-SNARKs: Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge

Technical Foundation

zk-SNARKs use elliptic curve cryptography and bilinear pairings to create extremely compact proofs that can verify complex computations.

How zk-SNARKs Work

1. Arithmetic Circuit

Convert the computation into an arithmetic circuit (R1CS - Rank-1 Constraint System)

Example: (a + b) * c = output
becomes: 
s1 = a + b
s2 = s1 * c
s2 = output

2. Trusted Setup

Generate proving and verifying keys using random toxic waste

Powers of tau ceremony:
τ, τ², τ³, ..., τⁿ
Toxic waste τ must be destroyed!

3. Proof Generation

Prover creates a proof using secret witness and proving key

π = Prove(pk, public_input, secret_witness)
Size: ~200 bytes regardless of computation complexity

4. Verification

Verifier checks proof using public inputs and verifying key

result = Verify(vk, public_input, π)
Time: ~5-10 milliseconds
Returns: true/false

Popular SNARK Constructions

Groth16

Proof Size: 192 bytes
Verification: ~2.5ms
Setup: Circuit-specific
Used in: Zcash, Tornado Cash

PLONK

Proof Size: ~500 bytes
Verification: ~10ms
Setup: Universal, reusable
Used in: zkSync, Aztec

Marlin

Proof Size: ~650 bytes
Verification: ~8ms
Setup: Universal
Features: Post-quantum resistant variant

Advantages

Ultra-small proofs: ~200 bytes constant size
Fast verification: 2-10 milliseconds
Mature ecosystem: Production-ready tools
Wide adoption: Battle-tested in major protocols
Constant verification time: O(1) regardless of computation
Gas efficient: Cheap to verify on-chain

Disadvantages

Trusted setup: Requires ceremony, potential backdoor
Quantum vulnerable: Broken by quantum computers
Complex implementation: Easy to introduce bugs
Circuit-specific setup: New ceremony for each circuit (Groth16)
Large proving time: Can take minutes for complex computations
High memory usage: Gigabytes of RAM for proving

Real-World Example: Zcash Shielded Transactions

Problem: Send cryptocurrency privately while proving transaction validity.

Solution using zk-SNARKs:

Alice has 100 ZEC in a shielded pool
She wants to send 30 ZEC to Bob privately
She generates a zk-SNARK proof that:

She owns 100 ZEC (without revealing which coins)
She's sending exactly 30 ZEC (without revealing amount)
The transaction is mathematically valid

The proof is only 192 bytes and takes 5ms to verify
Miners can verify validity without seeing any transaction details

zk-STARKs: Zero-Knowledge Scalable Transparent Arguments of Knowledge

Technical Foundation

zk-STARKs use hash functions and error-correcting codes (specifically Reed-Solomon codes) to create transparent, scalable proofs without trusted setup.

How zk-STARKs Work

1. AIR (Algebraic Intermediate Representation)

Convert computation into algebraic constraints over finite fields

Example: Fibonacci sequence
f(x+2) = f(x+1) + f(x)
Constraint: next_value = current + previous

2. Polynomial Commitment

Use Fast Reed-Solomon Interactive Oracle Proofs (FRI)

Commit to execution trace as polynomial
P(x) encodes the computation
Merkle tree commits to evaluations

3. FRI Protocol

Interactive protocol for polynomial proximity testing

Recursively reduce polynomial degree
Each round halves the degree
Verifier samples random points

4. Fiat-Shamir

Make interactive protocol non-interactive using hash functions

challenges = Hash(transcript)
No trusted setup needed
Purely based on hash functions

Key Technical Properties

Scalability

Proving time: O(n log n)
Verification: O(log² n)
Proof size: O(log² n)
Memory: O(n) for proving

Transparency

No trusted setup: Anyone can verify
Public randomness: Based on hash functions
Open verification: All parameters public
Auditability: Complete transparency

Post-Quantum

Hash-based security: Quantum-resistant
Collision resistance: Based on SHA-256/Keccak
Future-proof: No elliptic curves
Long-term security: Conservative assumptions

Performance Characteristics

Computation Size	Proof Size	Proving Time	Verification Time	Memory Usage
1M constraints	~100 KB	~30 seconds	~10 ms	~8 GB
10M constraints	~150 KB	~5 minutes	~15 ms	~80 GB
100M constraints	~200 KB	~45 minutes	~20 ms	~800 GB

Advantages

No trusted setup: Fully transparent system
Quantum-resistant: Based on hash functions
Highly scalable: Efficient for large computations
Simple assumptions: Only requires collision-resistant hashes
Recursive composition: Can prove proofs recursively
Parallelizable: Proving can be distributed

Disadvantages

Larger proofs: 100-200 KB typical size
Newer technology: Less battle-tested
Higher computational cost: More expensive than SNARKs
Memory intensive: Requires significant RAM
Limited tooling: Fewer development frameworks
Higher on-chain costs: More gas to verify

Real-World Example: StarkEx DEX

Problem: Scale Ethereum DEX to handle thousands of trades per second.

Solution using zk-STARKs:

StarkEx processes 9,000+ trades off-chain per batch
Generates a single STARK proof (~150KB) proving:

All trades are valid and correctly executed
All balances are properly updated
No double-spending or invalid operations
Compliance with exchange rules and limits

Ethereum verifies the proof in ~500K gas
Achieves 9,000+ TPS with Ethereum-level security
No trusted setup required - fully transparent

Bulletproofs: Short Non-Interactive Zero-Knowledge Proofs

Technical Foundation

Bulletproofs use inner product arguments and Pedersen commitments to create compact range proofs without trusted setup, particularly optimized for confidential transactions.

How Bulletproofs Work

1. Pedersen Commitments

Cryptographically commit to values using elliptic curve points

Commitment: C = vG + rH
v = secret value
r = random blinding factor
G, H = public generator points

2. Range Proof Construction

Prove that committed value is in valid range [0, 2ⁿ-1]

Prove: 0 ≤ v < 2⁶⁴
Binary representation: v = Σ aᵢ2ⁱ
Each aᵢ ∈ {0,1}

3. Inner Product Argument

Recursively reduce the proof size using inner product relations

⟨a, b⟩ = Σ aᵢbᵢ
Recursive halving technique
O(log n) proof size

4. Aggregation

Efficiently combine multiple range proofs into single proof

Single proof for multiple values:
Prove v₁, v₂, ..., vₙ all in range
Logarithmic size in number of proofs

Types of Bulletproofs

Range Proofs

Purpose: Prove value is in valid range
Use case: Confidential transactions
Size: 674 bytes for 64-bit range
Aggregation: O(log n) for n proofs

Example: Prove transaction amount is positive without revealing actual amount

Arithmetic Circuits

Purpose: General computation verification
Use case: Smart contract privacy
Size: Linear in circuit size
Limitation: Less efficient than SNARKs

Example: Prove knowledge of solution to sudoku puzzle without revealing solution

Performance Characteristics

Proof Size Analysis

Bit Range	Single Proof	Aggregated (n=10)
8-bit	418 bytes	580 bytes
32-bit	546 bytes	708 bytes
64-bit	674 bytes	836 bytes

Time Complexity

Proving time: O(n log n) for n-bit range
Verification time: O(n) linear in proof elements
Memory usage: O(n) for proving
Setup: O(1) - no trusted setup

Trade-off: Smaller proofs than naive approaches but slower verification than SNARKs

Advantages

No trusted setup: Based on standard assumptions
Short proofs: Logarithmic in the statement size
Aggregation friendly: Batch multiple proofs efficiently
Well-suited for ranges: Optimal for confidential transactions
Mature cryptography: Based on well-understood primitives
Constant-size verification key: No per-circuit setup

Disadvantages

Linear verification: O(n) time, slower than SNARKs
Limited scope: Best for range/arithmetic proofs
Not quantum-resistant: Based on elliptic curves
Larger than SNARKs: 600+ bytes vs ~200 bytes
Complex for general circuits: Not ideal for arbitrary computation
Higher gas costs: Linear verification cost on-chain

Real-World Example: Monero Confidential Transactions

Problem: Hide transaction amounts while preventing double-spending and ensuring positive amounts.

Solution using Bulletproofs:

Alice wants to send funds to Bob privately
Transaction commits to amounts using Pedersen commitments
Bulletproof proves that:

All output amounts are positive (range proofs)
Sum of inputs equals sum of outputs
No amount exceeds maximum valid range

Single aggregated proof covers all outputs (~2KB)
90% reduction in transaction size compared to previous methods
Verification time: ~100ms (acceptable for blockchain)

Comprehensive Comparison: SNARKs vs STARKs vs Bulletproofs

Property	zk-SNARKs	zk-STARKs	Bulletproofs
Trusted Setup	Required	Not Required	Not Required
Proof Size	~200 bytes	~100-200 KB	~600-2000 bytes
Verification Time	~5 ms	~10-20 ms	~100-500 ms
Proving Time	Minutes-Hours	Seconds-Minutes	Milliseconds
Quantum Resistance	No	Yes	No
Memory Usage	GB-TB	GB-TB	MB-GB
Best Use Case	General computation	Large-scale computation	Range/arithmetic proofs
Maturity	Production Ready	Emerging	Production Ready

When to Use Which System?

Choose zk-SNARKs for:

✅ Minimal on-chain footprint needed
✅ Fast verification required
✅ General-purpose computation
✅ Mature ecosystem preferred
❌ Trusted setup acceptable
❌ Short-term quantum security

Examples: Private payments, identity verification, voting systems

Choose zk-STARKs for:

✅ No trusted setup required
✅ Quantum resistance needed
✅ Large computations to prove
✅ Transparency paramount
❌ Larger proofs acceptable
❌ Higher costs tolerable

Examples: Rollups, large-scale computation verification, post-quantum applications

Choose Bulletproofs for:

✅ Range proofs specifically
✅ Fast proving needed
✅ No trusted setup required
✅ Batch aggregation beneficial
❌ Slower verification acceptable
❌ Limited scope sufficient

Examples: Confidential transactions, asset amounts, age verification

Future Outlook

Emerging Trends

Universal SNARKs: Eliminating trusted setup per circuit
Recursive proofs: Proofs that verify other proofs
Hardware acceleration: Specialized chips for ZKP
Developer tools: Higher-level programming languages

Convergence

Hybrid systems: Combining best of each approach
Application-specific: Optimized for particular use cases
Interoperability: Cross-system proof verification
Standardization: Common interfaces and formats

ZKP Applications in Blockchain

Private Transactions

Hide transaction amounts and participants while proving validity

Zcash Example

Users can send "shielded" transactions where:

Sender address is hidden
Receiver address is hidden
Transaction amount is hidden
But the transaction is provably valid

Scalability Solutions

Compress many transactions into a single proof for efficiency

zk-Rollups

Layer 2 scaling solution that:

Processes transactions off-chain
Generates ZK proof of validity
Posts proof to main chain
Achieves 1000x+ scalability

Identity Verification

Prove identity attributes without revealing personal information

Age Verification

Prove you're over 18 without revealing:

Exact age
Date of birth
Name or address
Any other personal details

Private Voting

Enable verifiable elections while maintaining voter privacy

Blockchain Voting

Voters can prove they:

Are eligible to vote
Haven't voted before
Cast a valid ballot
Without revealing their choice

Privacy vs Transparency Trade-offs

The Fundamental Tension

Blockchain systems traditionally emphasize transparency, but many applications require privacy. ZKPs offer a way to balance these competing needs.

Benefits of Transparency

Auditability: Anyone can verify transactions
Trust: No hidden operations
Compliance: Regulatory oversight possible
Debugging: Easy to trace issues
Research: Public data enables analysis

Benefits of Privacy

Confidentiality: Sensitive data protection
Competition: Business strategy protection
Personal Safety: Prevents targeting
Fungibility: All coins are equal
Adoption: Users prefer privacy

ZKPs: The Best of Both Worlds

Zero-knowledge proofs enable systems that are:

Verifiable: Anyone can confirm transactions are valid
Private: Sensitive details remain hidden
Compliant: Regulatory requirements can be met
Flexible: Different privacy levels for different use cases

Implementation Challenges

Technical Challenges

Complexity: Difficult to implement correctly
Performance: Proof generation can be slow
Size: Some proofs are large
Setup: Trusted setup ceremonies required
Bugs: Cryptographic vulnerabilities possible

Regulatory Challenges

Compliance: How to meet KYC/AML requirements
Taxation: Difficulty tracking for tax purposes
Law Enforcement: Challenges for investigations
Adoption: Regulatory uncertainty slows adoption
Balance: Finding right privacy level

Future of Zero-Knowledge Proofs

Emerging Trends

Universal ZKPs: General-purpose proof systems
Recursive Proofs: Proofs of proofs for scalability
Hardware Acceleration: Specialized chips for ZKP
Quantum Resistance: Post-quantum ZKP systems
Developer Tools: Easier implementation frameworks

Potential Applications

Web3 Identity: Self-sovereign identity systems
Private DeFi: Confidential financial services
Supply Chain: Private but verifiable tracking
Healthcare: Private medical data sharing
Gaming: Provably fair games with hidden state

Session Summary

Key Takeaways

Zero-knowledge proofs enable privacy-preserving verification in blockchain systems
ZKPs must satisfy completeness, soundness, and zero-knowledge properties
Different ZKP systems (SNARKs, STARKs, Bulletproofs) offer various trade-offs
Applications include private transactions, scalability solutions, and identity verification
ZKPs help balance the tension between transparency and privacy in DLT systems
Implementation challenges include technical complexity and regulatory considerations
The future promises more accessible and powerful ZKP technologies

What's Next?

In the next session, we'll explore Keyless Technologies & Multiple IDs, examining how distributed ledger systems can manage identity without traditional key-based approaches and support multiple identity frameworks.

Next: Keyless Technologies & Multiple IDs Previous: Public vs Private Ledgers Back to Course Home