Transparency and privacy are two desirable qualities for any blockchain. However, the ability to openly track transactions while keeping personal details under wraps is not possible for all blockchains. To achieve these qualities, blockchains need privacy-centric proof systems.
Proof systems act as cryptographic auditors: they certify that an interaction indeed took place and validate that its output is correct. Zero-knowledge is a property of a proof system that lets it verify on-chain interactions without revealing any related information, and zero-knowledge proofs (ZKPs) are proofs that have this property.
The most notable variant of ZKPs is zk-SNARK or Zero-Knowledge Succinct Non-interactive ARgument of Knowledge.
In this article, we will explain what zk-SNARKs are, how they work, and their applications on the blockchain.
What is a zk-SNARK?
zk-SNARK (zero-knowledge Succinct Non-interactive ARgument of Knowledge) is a type of zero-knowledge proof (ZKP). This proof construction allows one party to prove to another that a certain statement is true, without revealing any information about the statement itself.
The earliest relevant mention of SNARKs dates back to a research paper co-authored by Alessandro Chiesa, a UC Berkeley Professor. Chiesa is also the co-founder of ZCash, a privacy-centric cryptocurrency that was the first practical implementation of zk-SNARKs as a proof system to offer shielded crypto transactions.
Since then, there have been multiple iterations of zk-SNARKs, but the fundamental logic remains the same. To understand this core logic, we will break it down into three key concepts:
Non-interactive proof means that the prover can send the proof to the verifier without any further communication or exchange of information. This makes the proof system more efficient and practical. This property is achieved through a process known as the Fiat-Shamir heuristic.
Zero-Knowledge ensures that no additional information, other than the validity of the statement, is revealed. The verifier can confirm the statement's truth but gains no extra knowledge about the specific details of the statement.
Succinctness refers to the compactness of zk-SNARK proofs and the speed of their verification. The proofs are designed to be small in size and to require minimal computational power to verify.
An Argument of Knowledge is a cryptographic assertion that the prover possesses specific information or a solution. It is a stronger claim than just proof of knowledge.
Now that we have a high-level overview of what zk-SNARKs are, let’s dive into some applications & what they’re used for in the first place.
What is a zk-SNARK used for?
zk-SNARKs are primarily used for 3 main applications today: scalability solutions, private transactions, and identity protection.
zk-Rollups are layer-2 scaling solutions that employ zero-knowledge proofs (ZKPs) to make blockchains more agile and efficient. Unlike traditional proof systems, zk-SNARKs act as proof aggregators, i.e. they compile a single proof for all the transactions in a batch.
The succinctness of zk-SNARK proofs makes it easy to quickly verify the correctness of all these transactions. The single-proof approach also reduces the storage and computational burden on the blockchain, which in turn leads to faster transaction throughput and lower transaction fees.
zk-SNARKs facilitate private transactions on a blockchain by masking personal details like the sender’s and receiver’s addresses, and even the value of the transaction. Although the transaction details are hidden, the transactions remain verifiable by network validators.
On-chain private transactions are a way out of the financial surveillance that plagues the traditional money system. Institutions can use zk-SNARK-powered networks to conduct their business securely and privately. From a security standpoint, private transactions thwart blockchain front-running, where bots exploit pending transactions.
Every day, a person’s identity is required to access services (banking), travel (visa), and even enter a bar (age restrictions). These interactions rarely guarantee data protection and privacy.
Instead, using zk-SNARKs, a user can prove the authenticity of their identity or credentials without revealing personal information. This enhances the privacy and security of personal data while mitigating identity theft risks.
This also makes trustless authentication possible, removing the need for service providers or intermediaries to store users’ credentials.
Zk-creds is a concept protocol that aims to use zk-SNARKs to provide flexible anonymous credentials.
How do zk-SNARKs work?
zk-SNARKs consist of three main cryptographic functions: key generation, proof generation, and verification.
Key generation (setup) function:
The key generation function is part of the initial setup phase and generates the cryptographic keys the proof system needs. Specifically, it produces a proving key (to create proofs) and a verification key (to verify them).
For example, let C(x, w) be the logical statement that we need to verify without revealing its details. Here ‘x’ is the public input and ‘w’ is the private input (witness). The setup function takes the circuit C, the mathematical representation of this statement, together with the security parameter ‘λ’, and generates a proving key ‘pk’ and a verification key ‘vk’.
Setup(C,λ) → (pk,vk)
Proof generation (prove) function:
This function is run by the prover to create a succinct, zero-knowledge proof that can be sent to a verifier. The prover takes the private input (witness) ‘w’, the public input ‘x’, and the proving key ‘pk’, and produces a proof ‘prf’ that it knows ‘w’ without revealing it.
Prove(w,x,pk) → prf
Verification (verify) function:
The verification function in zk-SNARKs is used by the verifier to check the validity of the cryptographic proof provided by the prover. The verifier uses the proof ‘prf’, the verification key ‘vk’, and the public input ‘x’ to determine whether or not the proof is valid.
Verify(vk,prf,x) → True (if valid) or False (if invalid)
This construction satisfies all three fundamental properties of a zero-knowledge proof:
- Completeness: If the initial statement C(x, w) is correct, a valid proof ‘prf’ is always generated and is accepted by the verifier.
- Soundness: If the initial statement C(x, w) is incorrect, any proof ‘prf’ generated by the prover will be deemed invalid by the verifier.
- Zero-knowledge: The verifier verifies the proof ‘prf’ without learning anything about the private input (witness) ‘w’.
Note: Both ‘prover’ and ‘verifier’ are algorithms.
This is a basic overview of how zk-SNARKs work. Beyond it, three important concepts power zk-SNARKs: elliptic curve cryptography (ECC), the trusted setup, and the Fiat-Shamir heuristic.
Elliptic curve cryptography (ECC): Fundamentally, zk-SNARKs rely on elliptic curve cryptography for their security. ECC is a cryptographic approach that uses a twin-key structure, a public key and a private key, for the encryption and decryption of data.
ECC gains the upper hand over other cryptographic approaches by using the algebraic structure of elliptic curves over finite fields.
Trusted setup: “A trusted setup ceremony is a procedure that is done once to generate a piece of data that must then be used every time some cryptographic protocol is run,” is how Vitalik Buterin defines this concept.
Essentially, to build a zk-SNARK protocol and its public parameters, a secret is required as the basis of trust between all the participants. This secret, often called ‘toxic waste’, must be properly discarded after the initial trusted setup. If it is not, a malicious participant could exploit it to create fraudulent proofs.
A trusted setup ceremony is inherently a centralized act: the founding developers or contributors are trusted not to corrupt or game the protocol. As a safeguard, protocols now involve more participants in this setup through techniques like multi-party computation, which ensures that the setup remains secure unless all participants collude. The trusted setup is a one-time requirement and is vital for the security and zero-knowledge properties of zk-SNARKs.
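The ceremony described above, as an added example that is not code from the original article or from any real ceremony: a toy sequential powers-of-tau style setup in a constructed multiplicative group. Each participant folds a fresh secret share into the published powers, the combined exponent τ is the toxic waste, the parameters can only be reproduced by someone holding every share (the "unless all participants collude" condition), and a party who does hold τ can produce two different polynomials with the same commitment, which is why soundness depends on the shares being destroyed. The group (p = 2^127 - 1, g = 3), the degree and all function names are assumptions of this example; real ceremonies run in pairing-friendly elliptic-curve groups and also publish proofs that each update was well-formed, which this toy omits.

```python
import secrets

# Constructed toy group for the algebra only: Z_p^* with the Mersenne prime
# p = 2^127 - 1 and generator 3. Real ceremonies (e.g. Powers of Tau) work in
# pairing-friendly elliptic-curve groups; nothing here is production-grade.
P = 2**127 - 1
G = 3
DEGREE = 4          # the setup publishes g^(tau^0) ... g^(tau^DEGREE)
ORDER = P - 1       # exponents are reduced modulo the group order


def initial_params():
    """Before anyone contributes, tau = 1, so every published power is just g."""
    return [G] * (DEGREE + 1)


def contribute(params, share):
    """One participant's update: tau -> tau * share, done by raising the j-th
    element g^(tau^j) to share^j. Only this participant ever learns `share`."""
    return [pow(pt, pow(share, j, ORDER), P) for j, pt in enumerate(params)]


def params_from_tau(tau):
    """What the parameters look like to someone who knows the full secret tau."""
    return [pow(G, pow(tau, j, ORDER), P) for j in range(DEGREE + 1)]


def run_ceremony(n_participants):
    """Sequential MPC ceremony: each participant re-randomises the previous
    output with a fresh share that they are supposed to destroy afterwards."""
    params = initial_params()
    shares = []
    for _ in range(n_participants):
        share = secrets.randbelow(P - 3) + 2        # avoid the trivial shares 0 and 1
        params = contribute(params, share)
        shares.append(share)                        # kept here only to model collusion
    return params, shares


def combined_tau(shares):
    """The toxic waste: tau is the product of every share. A single honest
    participant who deletes their share leaves tau unknown to everyone."""
    tau = 1
    for share in shares:
        tau = tau * share % ORDER
    return tau


def commit(params, coeffs):
    """Commit to f(X) = sum coeffs[j] * X^j as g^f(tau), using only the public
    powers (the same shape as a KZG-style polynomial commitment)."""
    acc = 1
    for pt, c in zip(params, coeffs):
        acc = acc * pow(pt, c % ORDER, P) % P
    return acc


def forge_opening(coeffs, tau):
    """Why the waste is toxic: with tau known, f'(X) = f(X) + (X - tau) satisfies
    f'(tau) = f(tau), so a different polynomial has the same commitment and the
    binding property the proof system relies on is gone."""
    forged = list(coeffs)
    forged[0] = (forged[0] - tau) % ORDER
    forged[1] = (forged[1] + 1) % ORDER
    return forged
```

Calling `run_ceremony(3)` and then `combined_tau(shares)` reproduces the published parameters only when all three shares are in hand; dropping any one share gives parameters that do not match, which is the property a multi-party ceremony buys.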
Fiat-Shamir heuristic: The Fiat-Shamir heuristic converts interactive proof systems into non-interactive ones by simulating the role of the verifier. Typically in an interactive proof, the verifier sends random challenges to the prover.
In the Fiat-Shamir heuristic, instead of receiving random challenges from the verifier, the prover generates the challenges themselves by using a cryptographic hash function.
To build a SNARK this way, two key building blocks are needed: a functional commitment scheme and a polynomial interactive oracle proof (IOP).
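The Setup/Prove/Verify interface described above, the elliptic-curve arithmetic it rests on, and the Fiat-Shamir step, brought together in an added example that is not code from the original article: a toy Schnorr proof of knowledge of a discrete logarithm over secp256k1. The statement C(x, w) is x = w·G, the hash-derived challenge replaces the verifier's message, `simulate` shows the zero-knowledge argument (an accepting transcript built without w), and `extract_witness` shows the soundness argument and why a prover must never reuse a nonce. The function names, the domain tag and the choice to return the curve parameters as both keys are assumptions of this example. Two caveats: Schnorr's relation needs no trusted setup, and its proof is not succinct for general statements, so this illustrates the zero-knowledge argument-of-knowledge and Fiat-Shamir machinery rather than a full SNARK.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin and Ethereum use for signatures).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                                   # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def fiat_shamir_challenge(R, x):
    """Fiat-Shamir: hash the transcript (commitment R, public input x) to obtain
    the challenge the verifier would otherwise have sent interactively."""
    h = hashlib.sha256(b"toy-schnorr-pok-v1")         # domain tag (constructed)
    for coord in (*R, *x):
        h.update(coord.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def setup():
    """Setup(C, lambda) -> (pk, vk) for the relation x == w*G. Schnorr needs no
    secret randomness, so both keys are just the public curve parameters."""
    params = {"G": G, "N": N}
    return params, params

def prove(w, x, pk):
    """Prove(w, x, pk) -> prf: show knowledge of w such that x == w*G."""
    r = secrets.randbelow(pk["N"] - 1) + 1            # fresh nonce; reuse leaks w
    R = ec_mul(r, pk["G"])
    c = fiat_shamir_challenge(R, x)
    s = (r + c * w) % pk["N"]
    return R, s

def check_equation(vk, x, R, c, s):
    """The verifier's algebraic test: s*G == R + c*x."""
    return ec_mul(s, vk["G"]) == ec_add(R, ec_mul(c, x))

def verify(vk, prf, x):
    """Verify(vk, prf, x) -> bool. Recomputing c binds the proof to this R and x."""
    R, s = prf
    if R is None or not 0 < s < vk["N"]:
        return False
    return check_equation(vk, x, R, fiat_shamir_challenge(R, x), s)

def simulate(vk, x):
    """Zero-knowledge: choose c and s first and solve for R. The result is an
    accepting transcript built without w and distributed like a real one."""
    c = secrets.randbelow(vk["N"])
    s = secrets.randbelow(vk["N"] - 1) + 1
    R = ec_add(ec_mul(s, vk["G"]), ec_mul((-c) % vk["N"], x))
    return R, c, s

def extract_witness(vk, R, c1, s1, c2, s2):
    """Special soundness: two accepting answers for one R under different
    challenges reveal w = (s1 - s2) / (c1 - c2); hence nonces must never repeat."""
    return (s1 - s2) * pow((c1 - c2) % vk["N"], -1, vk["N"]) % vk["N"]

def demo():
    """Run the protocol once and report the outcome of each property check."""
    pk, vk = setup()
    w = secrets.randbelow(N - 1) + 1                  # witness (private input)
    x = ec_mul(w, G)                                  # public input x = w*G
    R, s = prove(w, x, pk)
    wrong_x = ec_mul(secrets.randbelow(N - 1) + 1, G)
    sim_R, sim_c, sim_s = simulate(vk, x)
    r = secrets.randbelow(N - 1) + 1                  # one nonce answered twice
    R2 = ec_mul(r, G)
    c1 = fiat_shamir_challenge(R2, x)
    c2 = (c1 + 1) % N
    s1, s2 = (r + c1 * w) % N, (r + c2 * w) % N
    return {
        "complete": verify(vk, (R, s), x),
        "tampered_rejected": not verify(vk, (R, (s + 1) % N), x),
        "wrong_statement_rejected": not verify(vk, (R, s), wrong_x),
        "simulated_passes_equation": check_equation(vk, x, sim_R, sim_c, sim_s),
        "nonce_reuse_leaks_w": extract_witness(vk, R2, c1, s1, c2, s2) == w,
    }
```

Running `demo()` returns a dictionary in which every entry is `True`: the honest proof verifies (completeness), a tampered response or a different public input is rejected (soundness), the simulated transcript passes the verification equation without any witness (zero-knowledge), and two answers for the same R leak the witness, which is the reason the nonce in `prove` must be fresh every time.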
How to get started with zk-SNARKs?
You can start employing zk-SNARKs in several ways. Developers can use zk-SNARKs to add privacy to their dapps, providing a safer place for their users. Further, they can opt for blockchains like Ethereum, ZCash, and Celo that natively support zero-knowledge-proof systems.
Alternatively, developers can deploy smart contracts with built-in zk-SNARK verification, such as Tornado Cash mixers, to execute on-chain actions without revealing the underlying data.
Thirdweb’s library is a great place for developers to get started on building in the zero-knowledge ecosystem. Our free-to-use web3 developer tools and how-to guides can help you start building.
zk-SNARKs: The path to blockchain privacy and scaling
Today, zk-SNARKs are an exciting advancement for scaling blockchain networks and building a privacy-centric web3. Their potential is undoubted; however, the technology is young and still has challenges to solve, such as its need for a trusted setup.
Also, there is a lot of effort going into making zk-SNARKs easy to use and implement, along with building an ecosystem of zero-knowledge tooling and resources.
Nevertheless, zk-SNARK is the most promising way ahead for blockchains to scale while upholding the thesis of privacy and transparency.
We hope this blog helps you understand zk-SNARKs, how they work, and their various use cases for improving the web3 user experience.
What are the differences between SNARKs and STARKs?
SNARKs (Succinct Non-Interactive Arguments of Knowledge) require a trusted setup and rely on specific cryptographic assumptions such as elliptic curve pairings. STARKs (Succinct Transparent Arguments of Knowledge), on the other hand, do not require a trusted setup and are based on hash functions, making them transparent.
What are the advantages of SNARKs over STARKs?
SNARK proofs are compact, making them highly efficient in terms of verification time and computational burden. Their faster verification times are beneficial for performance-sensitive applications.
What are the advantages of STARKs over SNARKs?
STARKs don’t require any trusted setup, thereby eliminating the risk of backdoors during parameter generation. They are potentially more future-proof due to reliance on more general cryptographic assumptions and are more resilient to quantum attacks.
What is the role of zk-SNARKs in zero-knowledge rollups?
zk-Rollups like Polygon Hermez use zk-SNARKs as their proof system. SNARKs bundle multiple transactions into a single proof, which is submitted to the parent blockchain (Ethereum, in this case). This proof attests to the validity of the batched transactions without the blockchain having to process each transaction individually. This significantly increases throughput, reduces fees, and maintains the integrity of the blockchain network.
What are zero-knowledge coins (zk-coins)?
Cryptocurrencies that use zero-knowledge proofs as their proof system are called zk-coins. They are privacy-centric in nature and generally employ zk-SNARKs to provide a shielded, censorship-free environment for transactions to take place. Monero, Tornado Cash, and ZCash are examples of zk-coins.