Zero-knowledge: the solution to privacy problems on Blockchain?

In the world of blockchains and cryp­tocur­ren­cies, the con­cept of zero-knowl­edge is often men­tioned as an effi­cient solu­tion to con­fi­den­tial­i­ty and pri­va­cy issues. The prin­ci­ple of this tech­nol­o­gy is to prove the exis­tence of cer­tain infor­ma­tion with­out hav­ing to dis­close it. This is a major break­through that does not hin­der research on exist­ing systems.

It must be said that there are many prac­ti­cal appli­ca­tions for this tech­nol­o­gy. For exam­ple, it can be used to ver­i­fy a per­son­’s iden­ti­ty with­out reveal­ing their name. If some­one wants to prove that they are over 18, for exam­ple, they could use their dri­ving licence. Yet this will reveal not only their age, but also their name, date of birth and sev­er­al oth­er per­son­al details. Zero-knowl­edge evi­dence can prove that the per­son is over 18, with­out reveal­ing any of the infor­ma­tion on the dri­ving licence. 

Zero-knowl­edge can also prove that some­one has made a trans­ac­tion with­out reveal­ing the amount. The process? The so-called cryp­to­graph­ic hash func­tion. This hash func­tion, which has no equiv­a­lent in the real world, is an algo­rithm that trans­forms any dig­i­tal data (an image, a text file, etc.) into a fixed size val­ue, such as a 256-bit sequence. For exam­ple, the SHA-256 stan­dard is wide­ly used in blockchains, as it has a high lev­el of secu­ri­ty, and always results in a string of 64 hexa­dec­i­mal char­ac­ters. And if it is offered the same file a sec­ond time, it will give the same answer, i.e. a 64 byte hash. These algo­rithms are stan­dard­ised, and less than a dozen are recog­nised worldwide.

This hash can be com­pared to a fin­ger­print, which is much less com­plex than the orig­i­nal infor­ma­tion, but allows for pre­cise and unique iden­ti­fi­ca­tion. This fin­ger­print or min­i­mal trace is record­ed on a blockchain, and it is based on this fin­ger­print that it is pos­si­ble to prove facts about this infor­ma­tion with­out reveal­ing the infor­ma­tion itself. What is impor­tant to under­stand is that this tech­nol­o­gy is dis­tin­guish­able from encryp­tion, which uses a cryp­to­graph­ic algo­rithm to make data unin­tel­li­gi­ble and which can be made ful­ly acces­si­ble with a decryp­tion key. Encryp­tion is the all-or-noth­ing solu­tion: if you don’t have the key, you can’t know anything.

Zero-knowl­edge proofs work dif­fer­ent­ly, as they allow the verac­i­ty of hid­den data to be proven with­out reveal­ing it. In the Bit­coin net­work, for exam­ple, Merkle trees are used for data ver­i­fi­ca­tion: this method con­sists of using only some of the data instead of all of it. In con­crete terms, blocks con­tain trans­ac­tions, and the head­ers of these blocks con­tain the root of a Merkle tree. This root allows a large amount of data to be “pledged” with very short hash­es, and each piece of data can be indi­vid­u­al­ly cer­ti­fied. There is a so-called “thin client” ver­sion of Bit­coin, which in effect only down­loads the block headers. 

Zero-knowl­edge also pro­vides proof that cal­cu­la­tions have been per­formed correctly.

This pledge, or com­mit­ment, is a cer­ti­fi­ca­tion seal. If I want to prove that I have put a doc­u­ment in the blockchain, I pro­duce the doc­u­ment, and every­one can check its valid­i­ty. In the case of a Merkle tree, you must also pro­duce a hash chain. But Bit­coin is not the only sys­tem to use Merkle trees, Ethereum, for exam­ple, makes use of three Merkle trees. They are essen­tial for reduc­ing the amount of data that needs to be kept in a blockchain for ver­i­fi­ca­tion purposes.

This tech­nol­o­gy also brings a sec­ond impor­tant advance: zero-knowl­edge makes it pos­si­ble to pro­vide proof that cal­cu­la­tions have been car­ried out cor­rect­ly, with­out hav­ing to redo them, and with­out reveal­ing all the nec­es­sary infor­ma­tion. This is an unde­ni­able sav­ing of time and resources.

The two most com­mon zero-knowl­edge proof pro­to­cols are known in the blockchain world as zk-STARKs and zk-SNARKs. The zk-STARKs stand for “zero-knowl­edge scal­able trans­par­ent argu­ments of knowl­edge”, and the zk-SNARKs stand for “zero-knowl­edge Suc­cinct Non-inter­ac­tive Argu­ment of Knowl­edge”. What they have in com­mon is that they are not inter­ac­tive in nature, which means that the evi­dence can be deployed and act autonomous­ly. The sub­mis­sion and ver­i­fi­ca­tion of evi­dence is usu­al­ly done in batch­es, with many trans­ac­tions. This makes the evi­dence much small­er and can be ver­i­fied much faster. 

zk-SNARKs have already been in use for sev­er­al years through the Zcash pro­to­col, which lever­ages them to pro­vide a blockchain expe­ri­ence that respects the pri­va­cy of exchanges, while pro­vid­ing suf­fi­cient proof that each trans­ac­tion is valid.

The zk-STARKs, on the oth­er hand, appeared more recent­ly, in 2018. In addi­tion to pri­va­cy and con­fi­den­tial­i­ty issues, zk-STARKs are posi­tioned as a solu­tion to the prob­lem of scal­ing, i.e. the capac­i­ty of the blockchain to han­dle a grow­ing num­ber of trans­ac­tions. By allow­ing com­pu­ta­tion and stor­age to be moved off-chain, zk-STARKs would also be more secure, as they are resis­tant to quan­tum attacks since they rely on hash func­tions that are not threat­ened by the quan­tum com­put­er. Both zk-STARKs and zk-SNARKs thus pave the way for faster verification. 

While they both use advanced cryp­tog­ra­phy, and while this zero-knowl­edge tech­nol­o­gy is already wide­ly used by some star­tups, this poten­tial to solve cru­cial indus­tri­al prob­lems in the world of the blockchain has not made exist­ing research silent about improv­ing the per­for­mance of exist­ing sys­tems. Researchers still have a lot to say about per­for­mance, and want proofs to be as short as pos­si­ble, quick to ver­i­fy, and quick to compute.

Jean Zeid