
Zero-knowledge: the solution to privacy problems on Blockchain?

Daniel Augot
Research Director at Inria and Co-head of the Blockchain Chair
Key takeaways
  • Zero-knowledge is a concept used in cryptocurrency which allows us to prove the existence of certain information without disclosing it.
  • This technology can be distinguished from encryption, where all data is accessible as soon as the decryption key is available.
  • The two best known zero-knowledge proof protocols in the blockchain world are zk-STARKs and zk-SNARKs.
  • These protocols have the advantage of producing proofs that are shorter and faster to verify.
  • The research world is not done yet and is still looking for ways to optimise computation and data verification performance.

In the world of blockchains and cryptocurrencies, the concept of zero-knowledge is often mentioned as an efficient solution to confidentiality and privacy issues. The principle of this technology is to prove the existence of certain information without having to disclose it. This is a major breakthrough that does not hinder research on existing systems.

Is zero-knowledge proof the future of Blockchain?

It must be said that there are many practical applications for this technology. For example, it can be used to verify a person's identity without revealing their name. If someone wants to prove that they are over 18, for example, they could use their driving licence. Yet this will reveal not only their age, but also their name, date of birth and several other personal details. A zero-knowledge proof can establish that the person is over 18 without revealing any of the information on the driving licence.

Zero-know­ledge can also prove that someone has made a tran­sac­tion without revea­ling the amount. The pro­cess ? The so-cal­led cryp­to­gra­phic hash func­tion. This hash func­tion, which has no equi­va­lent in the real world, is an algo­rithm that trans­forms any digi­tal data (an image, a text file, etc.) into a fixed size value, such as a 256-bit sequence. For example, the SHA-256 stan­dard is wide­ly used in blo­ck­chains, as it has a high level of secu­ri­ty, and always results in a string of 64 hexa­de­ci­mal cha­rac­ters. And if it is offe­red the same file a second time, it will give the same ans­wer, i.e. a 64 byte hash. These algo­rithms are stan­dar­di­sed, and less than a dozen are reco­gni­sed worldwide.

This hash can be compared to a fingerprint, which is much less complex than the original information, but allows for precise and unique identification. This fingerprint or minimal trace is recorded on a blockchain, and it is on the basis of this fingerprint that it is possible to prove facts about the information without revealing the information itself. What is important to understand is that this technology is distinct from encryption, which uses a cryptographic algorithm to make data unintelligible, and which can be made fully accessible with a decryption key. Encryption is the all-or-nothing solution: if you don't have the key, you can't know anything.

How does this work in cryptocurrencies?

Zero-know­ledge proofs work dif­fe­rent­ly, as they allow the vera­ci­ty of hid­den data to be pro­ven without revea­ling it. In the Bit­coin net­work, for example, Merkle trees are used for data veri­fi­ca­tion : this method consists of using only some of the data ins­tead of all of it. In concrete terms, blocks contain tran­sac­tions, and the hea­ders of these blocks contain the root of a Merkle tree. This root allows a large amount of data to be “pled­ged” with very short hashes, and each piece of data can be indi­vi­dual­ly cer­ti­fied. There is a so-cal­led “thin client” ver­sion of Bit­coin, which in effect only down­loads the block headers. 

Zero-know­ledge also pro­vides proof that cal­cu­la­tions have been per­for­med correctly.

This pledge, or commitment, is a certification seal. If I want to prove that I have put a document in the blockchain, I produce the document, and everyone can check its validity. In the case of a Merkle tree, you must also produce a hash chain. But Bitcoin is not the only system to use Merkle trees: Ethereum, for example, makes use of three Merkle trees. They are essential for reducing the amount of data that needs to be kept in a blockchain for verification purposes.
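The mechanism described above, as an added illustration that is not part of the original article: SHA-256 turns each transaction into a fixed-size fingerprint, the fingerprints are pledged to a single Merkle root (what a block header carries), and a thin client holding only that root can check one transaction from the hash chain alone. The transactions are constructed sample data, and the pairing rule (duplicate the last node of an odd level) follows Bitcoin's convention.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    """Fixed-size 32-byte fingerprint (64 hex characters) of arbitrary data."""
    return hashlib.sha256(data).digest()

def _pad(level: list[bytes]) -> list[bytes]:
    """Duplicate the last node when a level has an odd count, as Bitcoin does."""
    return level + [level[-1]] if len(level) % 2 else level

def _next_level(level: list[bytes]) -> list[bytes]:
    """Hash each adjacent pair of nodes into its parent node."""
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list[bytes]) -> bytes:
    """Commit to every leaf with one short hash: what a block header stores."""
    if not leaves:
        raise ValueError("cannot commit to an empty tree")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(_pad(level))
    return level[0]

def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Hash chain from one leaf up to the root: (sibling_hash, sibling_is_on_right)."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level, index = _next_level(level), index // 2
    return proof

def verify_proof(leaf: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """A thin client holding only the root checks membership from the hash chain."""
    node = leaf
    for sibling, sibling_is_right in proof:
        node = sha256(node + sibling) if sibling_is_right else sha256(sibling + node)
    return node == root

# Constructed sample transactions (not real Bitcoin data).
TRANSACTIONS = [b"alice->bob:5", b"bob->carol:2", b"carol->dave:7",
                b"dave->erin:1", b"erin->alice:3"]
LEAVES = [sha256(tx) for tx in TRANSACTIONS]
ROOT = merkle_root(LEAVES)

if __name__ == "__main__":
    proof = merkle_proof(LEAVES, 2)
    print("tx 2 included:", verify_proof(LEAVES[2], proof, ROOT))
    print("tampered tx 2:", verify_proof(sha256(b"carol->dave:70"), proof, ROOT))
```

The proof for any of the five transactions is only three hashes long, and altering a single byte of a transaction makes its hash chain fail against the committed root.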

This tech­no­lo­gy also brings a second impor­tant advance : zero-know­ledge makes it pos­sible to pro­vide proof that cal­cu­la­tions have been car­ried out cor­rect­ly, without having to redo them, and without revea­ling all the neces­sa­ry infor­ma­tion. This is an unde­niable saving of time and resources.

Which protocols are involved?

The two most com­mon zero-know­ledge proof pro­to­cols are known in the blo­ck­chain world as zk-STARKs and zk-SNARKs. The zk-STARKs stand for “zero-know­ledge sca­lable trans­pa­rent argu­ments of know­ledge”, and the zk-SNARKs stand for “zero-know­ledge Suc­cinct Non-inter­ac­tive Argu­ment of Know­ledge”. What they have in com­mon is that they are not inter­ac­tive in nature, which means that the evi­dence can be deployed and act auto­no­mous­ly. The sub­mis­sion and veri­fi­ca­tion of evi­dence is usual­ly done in batches, with many tran­sac­tions. This makes the evi­dence much smal­ler and can be veri­fied much faster. 

zk-SNARKs have already been in use for several years through the Zcash protocol, which leverages them to provide a blockchain experience that respects the privacy of exchanges, while providing sufficient proof that each transaction is valid.

zk-STARKs, on the other hand, appeared more recently, in 2018. In addition to privacy and confidentiality issues, zk-STARKs are positioned as a solution to the problem of scaling, i.e. the capacity of the blockchain to handle a growing number of transactions, by allowing computation and storage to be moved off-chain. zk-STARKs would also be more secure, as they are resistant to quantum attacks: they rely on hash functions, which are not threatened by the quantum computer. Both zk-STARKs and zk-SNARKs thus pave the way for faster verification.

While they both use advanced cryptography, and while this zero-knowledge technology is already widely used by some startups, its potential to solve crucial industrial problems in the world of the blockchain has not silenced research on improving the performance of existing systems. Researchers still have a lot to say about performance, and want proofs to be as short as possible, quick to verify, and quick to compute.

Jean Zeid
