All you need to know about Zero Knowledge (ZK-SNARK/STARK)

Alain | Web3hackingLabs
5 min read · Aug 15, 2022


Tornado Cash
Starknet
Rollups
ZeroCash
L2 Scaling

You may already have heard of these blockchain projects.

But did you know that without Zero Knowledge proofs these projects would be impossible to build on a blockchain?

What is ZK (zero-knowledge)?

There are two entities in a zero-knowledge proof:

  • The PROVER creates a proof of a statement (without revealing any information beyond the statement itself).
  • The VERIFIER checks that the proof is valid (without checking the statement directly); if the proof is valid, the statement is valid too.

The statement may be anything, like:

  1. “I know that the result of this complex calculation is X.” (The verifier doesn’t have to redo the complex calculation. He can just check the proof, which is far less expensive.)
  2. “I know the coefficients of these polynomials.” (The prover can prove this statement to the verifier without revealing the coefficients.)
  3. “I’m over 18.” (The prover can prove this statement without revealing his age.)
  4. Any type of statement is possible…

▶ Here is a quick “mathematical” example of a “zk-proof”.

  1. Imagine that the verifier knows a polynomial, p(x) = 5x² + 10x + 25.

  2. The prover claims that he knows the polynomial too.

  3. The verifier says: “OK, can you evaluate the polynomial p(x) at x = 2?”

  4. If the prover really knows the polynomial, he can calculate p(2) = 5*2² + 10*2 + 25 = 65 and give the result to the verifier.
     If the prover doesn’t know it, he can’t evaluate the polynomial and has to guess the number (which has a very small likelihood of being p(2)).

  5. The verifier evaluates the same polynomial at x = 2 and gets 65, which is (of course) the same result. So the verifier has verified that the prover knew the polynomial, and better: the prover never revealed the polynomial.

This is the main idea of ZK: I can prove to you that I have the right information about this problem without revealing any of that information (such as the solution).
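The polynomial exchange above, as an added example that is not from the original post: the verifier draws a random challenge x instead of the fixed x = 2, an honest prover answers from the polynomial, and a prover who does not know it can only guess. The prime modulus P, the class names and the trial counts are assumptions of this toy, not values from the post.

```python
import secrets

# Toy interactive "proof of knowledge" of a polynomial (added example, not the post's code).
# The polynomial is the post's p(x) = 5x^2 + 10x + 25, stored as [c0, c1, c2].
POLY = [25, 10, 5]
# Evaluations are reduced modulo an assumed prime so a guessing prover passes a
# single challenge with probability only about 1/P.
P = 2**31 - 1


def evaluate(coeffs, x):
    """Evaluate sum(c_i * x^i) mod P with Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


class HonestProver:
    """Knows the polynomial, so it can answer any challenge correctly."""
    def __init__(self, coeffs):
        self.coeffs = coeffs

    def answer(self, x):
        return evaluate(self.coeffs, x)


class GuessingProver:
    """Does not know the polynomial and has to guess the evaluation."""
    def answer(self, x):
        return secrets.randbelow(P)


def verify(prover, verifier_coeffs, rounds=1):
    """Verifier picks fresh random challenges and compares each answer with its own evaluation.
    Note: every answer reveals one point of p, so this shows soundness, not full zero knowledge."""
    for _ in range(rounds):
        x = secrets.randbelow(P)
        if prover.answer(x) != evaluate(verifier_coeffs, x):
            return False
    return True


def cheat_success_rate(trials=10_000):
    """Fraction of single-round checks a guessing prover passes (expected about 1/P, i.e. ~0)."""
    passes = sum(verify(GuessingProver(), POLY) for _ in range(trials))
    return passes / trials


if __name__ == "__main__":
    print(evaluate(POLY, 2))                         # 65, as in the post
    print(verify(HonestProver(POLY), POLY, rounds=5))  # True
    print(cheat_success_rate())                      # ~0.0
```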

This has a lot of use cases. For example, I can prove to you that I have enough coins to make a transaction (useful for a privacy coin), or that a batch of transactions is valid, without you recalculating them (you just check the proof).

This is why we call this technology ZK (zero-knowledge).

There are a few types of ZK proofs. We will review two of them.

zk-SNARK vs zk-STARK

There are two main families of zero-knowledge proofs: zk-SNARK and zk-STARK.

SNARK stands for:

  • S = succinct (The proofs are small and easy to verify.)
  • N = non-interactive (Once the prover has submitted a proof, no further communication with the verifier is needed.)
  • ARK = argument of knowledge (It’s hard to produce a fake proof if the prover doesn’t have the information.)

For STARK the difference is in the letters S and T:

  • S = Scalable
  • T = Transparent (No trusted setup needed.)

Both produce a proof of the same kind of statement: “these statements are valid” (or, in the blockchain case, “this transaction, or this batch of transactions, is valid”).

In general, STARKs are considered better in most cases because:

  • No trusted setup is required (which makes them more secure).
  • Better scalability and security (although the proof is somewhat larger).
  • Resistant to attacks by quantum computers.

Here is a more detailed comparison between ZK-SNARK and ZK-STARK:

source: https://101blockchains.com/blockchain-infographics/

In the next part, we will talk about rollups. Rollups are an example of how zero-knowledge proofs can be applied to Ethereum L2 scaling.

What is a Rollup?

Rollups are one of the most promising means of scaling the Ethereum blockchain.

In Ethereum, when a transaction is executed in the EVM, every node re-executes it to ensure the result is valid. This is very expensive (and costs a lot of gas).

The idea of ZK-rollups is for every node to verify that the result is valid (by checking a ZK proof) instead of replaying the transaction, which is a lot more efficient.

Basically, an L2 rollup is a “side chain” distinct from Ethereum where most of the computation and transactions are performed. Transactions are batched by the hundreds and submitted to L1 (the Ethereum blockchain) in a single transaction.

As a result, the gas price is decreased 10–1000 fold and the TPS (transactions per second of the blockchain) is multiplied by 10–1000, which allows the blockchain to scale.

On the Ethereum blockchain only the proofs are accumulated, which is far more efficient. These proofs assure that the state is still valid.

Verifying a proof that a calculation is valid is far more efficient than redoing the calculation.

This is the most popular way to scale Ethereum.

image source: https://beincrypto.com

The technology behind ZCash

Now, let’s talk about the technology behind ZCash, the second most used privacy coin. (The first is Monero, which doesn’t use ZK but a ring-based technology.)

As you may already know, Bitcoin is not anonymous: someone can easily track your address and see how much bitcoin you transferred and to whom (although there is the Lightning Network, which can bring privacy to some extent).

Example of transactions on Bitcoin.

ZCash, on the other hand, uses zk-SNARKs: every time you send a shielded transaction on the ZCash network, the whole blockchain checks that you have the right to send the transaction, without leaking any information (balance, address…).

But zk-SNARKs require a trusted setup. As the Zcash team explains:

Proofs required a setup phase to produce public parameters that allowed users to construct and verify private transactions.

At that time, some random numbers were sampled (which we refer to as the “toxic waste”) and were then used to construct the parameters.

After the setup phase, the toxic waste had to be destroyed to prevent counterfeiting of Zcash.

source: https://z.cash/technology/paramgen/ (how the parameters were generated)

If this “toxic waste” is not destroyed, anyone who holds it can generate fake Zcash and destroy trust in the network. Fortunately, this is very unlikely.

Conclusion/Beyond

If you want to dive deeper into Zero Knowledge technology, here are some links I used to learn about this topic.

Written by Alain | Web3hackingLabs

Smart contract Auditor & Cybersecurity engineer, follow me on Twitter to get more value: https://rebrand.ly/twitter_medium
