Blockchain Privacy and Zero Knowledge Proofs

Instructors: Andreas Park & Zissis Poulos

Rotman – MBA

Concern: Privacy/Secrecy

Root problem

  • an intrinsic feature of public blockchains is that information is stored under public addresses
  • the logic of smart contracts is visible to all
  • => firms need secrecy, individuals have a right to privacy

Solutions

  • large numbers of wallets/addresses
  • coinjoin
  • ring signatures
  • zero knowledge proofs

Zero Knowledge Proofs

Basic Idea

A mechanism that proves to one party (the VERIFIER) that another party (the PROVER) possesses some knowledge, without revealing the knowledge itself or any other information that could be used to reconstruct it.

This is a probabilistic statement, not a mathematical proof: the verifier is convinced because a prover who lacks the knowledge could pass the checks only with negligible probability.

WHY?

Typical statements that can be proved in zero knowledge:

  • Range proofs: "I was born between 1976 and 2000"
  • Set membership: "I am an EU citizen"
  • Comparison: "We both have the same access rights to this account"
  • Computational integrity: "I performed the computation you asked me to"

How? Toy Example 1 (figure: Verifier Victor and Prover Peggy)

How? Toy Example 2 (figure)
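The toy examples on the slides are pictures; as an added example (not from the slides), here is a simulation of the classic interactive proof for graph isomorphism, one of the types listed later in the deck, with Victor as verifier and Peggy as prover. It shows why the guarantee is probabilistic: a prover without the secret relabelling passes each round with probability 1/2, so k rounds leave only a 2^-k chance of fooling the verifier. The graphs G0, G1 and the witness permutation PI are constructed sample inputs.

```python
import random

# Constructed sample instance: a 5-cycle G0 and G1 = PI(G0), where PI is the
# prover's secret witness. G0 and G1 are public; PI itself is never sent.
N = 5
G0 = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
PI = {0: 2, 1: 4, 2: 1, 3: 3, 4: 0}
G1 = [(PI[u], PI[v]) for u, v in G0]

def apply_perm(edges, perm):
    """Relabel every vertex of an undirected edge list through perm (dict v -> v)."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def compose(outer, inner):
    """Permutation x -> outer[inner[x]] (apply inner first, then outer)."""
    return {x: outer[y] for x, y in inner.items()}

def random_perm(n, rng):
    return dict(enumerate(rng.sample(range(n), n)))

def run_protocol(g0, g1, n, rounds, rng, witness=None):
    """Honest prover knows `witness` (g0 -> g1); with witness=None the prover
    cheats and must guess the verifier's bit before sending h. True iff accepted."""
    for _ in range(rounds):
        sigma = random_perm(n, rng)
        if witness is not None:
            h = apply_perm(g1, sigma)                 # random copy of g1 (and of g0)
        else:
            guess = rng.randint(0, 1)
            h = apply_perm(g1 if guess else g0, sigma)
        b = rng.randint(0, 1)                         # challenge: "map g_b onto h"
        if witness is not None:
            answer = sigma if b == 1 else compose(sigma, witness)
        else:
            answer = sigma                            # only works when guess == b
        if apply_perm(g1 if b else g0, answer) != h:
            return False                              # verifier rejects this round
    return True

def honest_run(rounds, seed=0):
    return run_protocol(G0, G1, N, rounds, random.Random(seed), witness=PI)

def cheating_run(rounds, seed=0):
    return run_protocol(G0, G1, N, rounds, random.Random(seed))

def cheat_success_rate(rounds, trials, seed=0):
    """Share of cheating runs the verifier accepts; close to 2 ** -rounds."""
    rng = random.Random(seed)
    return sum(run_protocol(G0, G1, N, rounds, rng) for _ in range(trials)) / trials
```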

Types (ZKP variants on the slide)

  • SNARKs
  • STARKs
  • STIK
  • NIZKP
  • Bulletproofs
  • Lattice-based
  • DVNIZKP
  • Graph isomorphism

Pros/Cons

Pros:

  • Improved privacy
  • Better security
  • Scalability solutions

Cons:

  • Expensive / compute-heavy
  • Trusted setup (for some types): multi-party computation ceremonies (2016-2017-2018)
  • Not always post-quantum secure

Cost example:

  • Vanilla Tx = 21,000 GAS
  • SNARK = 800,000 GAS
  • @ $15/Tx => about 800,000 / 21,000 × $15 ≈ $570 per SNARK proof

Scalability

Two most popular:

  1. Prove that a computation has been performed according to some rules
  2. Key point: proofs are much smaller than the data they represent!
  3. From many small payloads on-chain we move to much larger payloads off-chain

SNARK = Succinct Non-interactive Argument of Knowledge
(Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer 2012)

STARK = Scalable Transparent Argument of Knowledge
(Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev 2018)

Scalability

  • feature of ZK-SNARKs:
    • lets a prover generate a proof that a computation has a particular output
    • such that the proof can be verified extremely quickly
    • even if the underlying computation takes a long time
  • Example: "I know a secret number such that if you take the word 'cow', add the number to the end, and SHA256 hash it 100 million times, the output starts with 0x57d00485aa"
    1. verification takes much less time than doing 100 million hashes
    2. the secret number is not revealed

Why scaling?

  • a block takes a long time to verify
  • => have one party generate a proof
  • => everyone else just quickly verifies it

Loose Application: Proof of Solvency

  • Assets: cash in bank accounts and crypto assets in exchange wallets
  • Liabilities: crypto and cash deposits made by customers
  • Proof of cash assets
    • requires an auditor report
  • Proof of crypto assets
    • publish all exchange wallets
    • problem: cold storage
    • proof of control: shift assets from one address to another at a pre-determined time
  • Proof of liabilities
    • publish customer balances; each customer can check
      • their own holding
      • that all customer balances are positive
      • that the balances sum up to the assets
  • Problem: privacy
    • Solutions:
      • hash of the customer name
      • Merkle tree-type organization
      • zero-knowledge proofs

Proof of assets & liabilities

Merkle Tree Proof of Liabilities

  • Simple: proof of assets
    • show your wallets and prove that you control them
  • Problem: proof of liabilities
    • how do you prove what you owe without violating privacy?
  • Solution 1:
    • show all balances as (name, balance) or (hash(name), balance)
    • a user can check that their balance is included
    • users can check that the balances add up
    • problem: a user's balance may be inferred (a hash of a bare name is easy to guess from a list of names)
  • Solution 2:
    • show (hash(name, salt), balance)
    • still: the balances themselves are not private

Solution 3: Merkle Sum Tree Proof of Liabilities

Source: https://vitalik.ca/general/2022/11/19/proof_of_solvency.html

Each node carries a hash and the sum of the balances below it. Given the sibling hashes and sums along the path from his leaf to the root (the blue nodes in the source figure), Charlie can verify

  • that the liabilities sum up to the published root total
  • that his balance entry has been included
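As an added example (not from the slides or from the linked post), here is a small Merkle sum tree in Python that reproduces Charlie's check: the exchange publishes the root (hash and total), hands each customer the sibling hashes and sums along their path, and the customer verifies both inclusion and that no negative balance has been slipped into the sum. The ledger, salts and balances are constructed sample data.

```python
import hashlib

def h(*parts):
    """SHA-256 over '|'-joined byte strings; the first part is a domain tag."""
    return hashlib.sha256(b"|".join(parts)).digest()

def leaf(name, salt, balance):
    """Leaf = (hash(name, salt), balance); the per-customer salt stops name guessing."""
    return (h(b"leaf", name.encode(), salt, str(balance).encode()), balance)

def parent(left, right):
    """Inner node commits to both children AND their sums, and carries the sum up."""
    (hl, sl), (hr, sr) = left, right
    return (h(b"node", hl, str(sl).encode(), hr, str(sr).encode()), sl + sr)

def build_tree(leaves):
    """All levels, leaves first; an odd level is padded with a zero-balance node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl.append((h(b"empty"), 0))
        levels.append([parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def inclusion_proof(levels, index):
    """What the exchange hands the customer: sibling (hash, sum) pairs from the
    leaf up, each flagged with whether the sibling sits on the right."""
    proof = []
    for lvl in levels[:-1]:
        proof.append((lvl[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify(root, name, salt, balance, proof):
    """Customer-side check: recompute the path to the published root and reject
    any negative sibling sum (that is how a total could be understated)."""
    node = leaf(name, salt, balance)
    for sibling, sibling_right in proof:
        if sibling[1] < 0:
            return False
        node = parent(node, sibling) if sibling_right else parent(sibling, node)
    return node == root

# Constructed sample ledger (name, salt, balance); each salt is given only to that customer.
LEDGER = [("alice", b"s1", 10), ("bob", b"s2", 20), ("charlie", b"s3", 30)]
LEVELS = build_tree(leaf(n, s, b) for n, s, b in LEDGER)
ROOT = LEVELS[-1][0]          # published: (root hash, total liabilities); total is 60 here
```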

Solution 4: Zero-Knowledge Proofs

this requires a bit of maths ... and is left as a simple exercise for the reader ;-)

Tornado Cash
