
Zero-knowledge: the solution to privacy problems on Blockchain?

Daniel Augot
Research Director at Inria and Co-head of the Blockchain Chair
Key takeaways
  • Zero-knowledge is a concept used in cryptocurrency which allows us to prove the existence of certain information without disclosing it.
  • This technology can be distinguished from encryption, where all data is accessible as soon as the decryption key is available.
  • The two best known zero-knowledge proof protocols in the blockchain world are zk-STARKs and zk-SNARKs.
  • These protocols have the advantage of producing shorter proofs that are faster to verify.
  • The research world is not done yet and is still looking for ways to optimise computation and data verification performance.

In the world of blockchains and cryptocurrencies, the concept of zero-knowledge is often mentioned as an efficient solution to confidentiality and privacy issues. The principle of this technology is to prove the existence of certain information without having to disclose it. This is a major breakthrough, yet it has not halted research on improving existing systems.

Is zero-knowledge proof the future of Blockchain?

It must be said that there are many practical applications for this technology. For example, it can be used to verify a person's identity without revealing their name. If someone wants to prove that they are over 18, for example, they could use their driving licence. Yet this will reveal not only their age, but also their name, date of birth and several other personal details. A zero-knowledge proof can establish that the person is over 18 without revealing any of the information on the driving licence.

Zero-knowledge can also prove that someone has made a transaction without revealing the amount. The process? The so-called cryptographic hash function. This hash function, which has no equivalent in the real world, is an algorithm that transforms any digital data (an image, a text file, etc.) into a fixed-size value, such as a 256-bit sequence. For example, the SHA-256 standard is widely used in blockchains, as it has a high level of security, and always results in a string of 64 hexadecimal characters. And if it is offered the same file a second time, it will give the same answer, i.e. the same 64-hexadecimal-character hash. These algorithms are standardised, and fewer than a dozen are recognised worldwide.

This hash can be compared to a fingerprint, which is much less complex than the original information, but allows for precise and unique identification. This fingerprint or minimal trace is recorded on a blockchain, and it is on the basis of this fingerprint that it is possible to prove facts about the information without revealing the information itself. What is important to understand is that this technology is distinct from encryption, which uses a cryptographic algorithm to make data unintelligible, and where the data becomes fully accessible again to anyone holding the decryption key. Encryption is the all-or-nothing solution: if you don't have the key, you can't know anything.

How does this work in cryptocurrencies?

Zero-knowledge proofs work differently, as they allow the veracity of hidden data to be proven without revealing it. In the Bitcoin network, for example, Merkle trees are used for data verification: this method consists of using only some of the data instead of all of it. In concrete terms, blocks contain transactions, and the headers of these blocks contain the root of a Merkle tree. This root allows a large amount of data to be "pledged" with a single very short hash, and each piece of data can be individually certified. There is a so-called "thin client" version of Bitcoin, which in effect only downloads the block headers.

Zero-knowledge also provides proof that calculations have been performed correctly.

This pledge, or commitment, is a certification seal. If I want to prove that I have put a document in the blockchain, I produce the document, and everyone can check its validity. In the case of a Merkle tree, you must also produce a hash chain. But Bitcoin is not the only system to use Merkle trees: Ethereum, for example, makes use of three Merkle trees. They are essential for reducing the amount of data that needs to be kept in a blockchain for verification purposes.
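The Merkle-root commitment and the hash chain described in the two paragraphs above, as an added example (not code from the article or from Bitcoin itself): the block carries only the 32-byte root, and a thin client certifies one transaction from the root plus the chain of sibling hashes. The transactions are constructed sample data; odd levels duplicate their last node as Bitcoin does, but a single SHA-256 replaces Bitcoin's double hashing for clarity.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root_and_proof(leaves, index):
    """Hash the leaves into a Merkle tree and return (root, proof).

    root is the 32-byte commitment that sits in the block header; proof is the
    hash chain for leaves[index]: the sibling hash at every level and its side."""
    level = [sha256(leaf) for leaf in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2 == 1:          # odd level: duplicate the last node
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], "left" if sibling < index else "right"))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof


def verify_inclusion(root: bytes, leaf: bytes, proof) -> bool:
    """Thin-client check: rebuild the path from the leaf to the root using only
    the header's root and the hash chain, never the other transactions."""
    h = sha256(leaf)
    for sibling, side in proof:
        h = sha256(sibling + h) if side == "left" else sha256(h + sibling)
    return h == root


# Constructed sample block: five transactions (odd count exercises the duplication rule)
BLOCK_TXS = [b"tx0: alice->bob", b"tx1: bob->carol", b"tx2: carol->dave",
             b"tx3: dave->erin", b"tx4: erin->alice"]


def demo():
    root, proof = merkle_root_and_proof(BLOCK_TXS, 3)
    return {
        "root_len": len(root),              # commitment size is fixed at 32 bytes
        "proof_len": len(proof),            # chain grows with log2 of the block size
        "tx3_included": verify_inclusion(root, BLOCK_TXS[3], proof),
        "tampered_rejected": not verify_inclusion(root, b"tx3: dave->frank", proof),
    }


if __name__ == "__main__":
    print(demo())
```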

This technology also brings a second important advance: zero-knowledge makes it possible to provide proof that calculations have been carried out correctly, without having to redo them, and without revealing all the necessary information. This is an undeniable saving of time and resources.

Which protocols are involved?

The two most common zero-knowledge proof protocols in the blockchain world are known as zk-STARKs and zk-SNARKs. zk-STARK stands for "zero-knowledge scalable transparent argument of knowledge", and zk-SNARK stands for "zero-knowledge succinct non-interactive argument of knowledge". What they have in common is that they are non-interactive, which means that a proof can be published and verified on its own, without a dialogue between prover and verifier. The submission and verification of proofs is usually done in batches covering many transactions. This makes the proofs much smaller, and they can be verified much faster.
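To make the "non-interactive" property concrete, here is an added example (not from the article, and not a SNARK or STARK) of the simplest zero-knowledge argument of knowledge: a Schnorr-style proof that the prover knows x with h = G^x mod P, where the verifier's random challenge is replaced by a hash of the transcript (the Fiat-Shamir transform), so the proof can be posted once and checked by anyone later. The group parameters P, Q, G are constructed toy values; a real deployment uses a group hundreds of bits wide.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: G = 2 has prime order Q = 11 modulo P = 23.
# With Q this small a cheating prover succeeds with probability 1/Q, so these numbers
# only show the mechanics, not the security.
P, Q, G = 23, 11, 2


def challenge(h: int, t: int) -> int:
    """Fiat-Shamir: the challenge is a hash of the public statement and the prover's
    commitment, so no verifier has to be online to pick it."""
    data = f"{G}|{P}|{h}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, h: int) -> tuple:
    """Prover knows x with h = G^x mod P and outputs (t, s) without revealing x."""
    r = secrets.randbelow(Q)          # fresh randomness masks x inside s
    t = pow(G, r, P)                  # commitment to r
    c = challenge(h, t)               # non-interactive challenge
    s = (r + c * x) % Q               # response
    return t, s


def verify(h: int, proof: tuple) -> bool:
    """Anyone can check G^s == t * h^c (mod P) from the proof and the public h alone."""
    t, s = proof
    c = challenge(h, t)
    return pow(G, s, P) == (t * pow(h, c, P)) % P


def demo():
    x = 7                             # secret: never published
    h = pow(G, x, P)                  # public value: 2^7 mod 23 = 13
    t, s = prove(x, h)
    # a genuine proof passes; a tampered response fails
    return verify(h, (t, s)), verify(h, (t, (s + 1) % Q))


if __name__ == "__main__":
    print(demo())
```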

zk-SNARKs have already been in use for several years through the Zcash protocol, which leverages them to provide a blockchain experience that respects the privacy of exchanges, while providing sufficient proof that each transaction is valid.

zk-STARKs, on the other hand, appeared more recently, in 2018. In addition to privacy and confidentiality issues, zk-STARKs are positioned as a solution to the problem of scaling, i.e. the capacity of the blockchain to handle a growing number of transactions, by allowing computation and storage to be moved off-chain. zk-STARKs would also be more secure, as they are resistant to quantum attacks: they rely on hash functions, which are not threatened by the quantum computer. Both zk-STARKs and zk-SNARKs thus pave the way for faster verification.

Both use advanced cryptography, and this zero-knowledge technology is already widely used by some startups. Yet its potential to solve crucial industrial problems in the world of the blockchain has not silenced research into improving the performance of existing systems. Researchers still have a lot to say about performance, and want proofs to be as short as possible, quick to verify, and quick to compute.

Jean Zeid
