Zero-Knowledge Proofs are one of the most talked about topics in emerging blockchain technologies, but many people don't understand what they are or how they work.
1/x
This thread is part of a series of threads explaining all things Zero-Knowledge Proofs.
If you are completely new to the topic, I would recommend checking out my prior thread on Zero-Knowledge Proof basics before reading this to gain a surface-level understanding.
2/x
twitter.com/MarbiusC/status/1585386051886977024?s=20&t=lfyLHleYT-ibb95kErxANA
In this thread, we will be covering the different "flavors" of ZK Proofs and some examples of their applications.
These flavors are:
1. Interactive Proofs
2. Non-Interactive Proofs
3/x
More specifically, we will also cover the different types of Non-Interactive Zero-Knowledge Proofs (NIZK), as these have the most implementations in practice:
1. zk-SNARKs
2. zk-STARKs
(Bonus: ZK Rollups)
3. Bulletproofs
4/x
1. Interactive Protocols
In an interactive proof system, the prover and the verifier communicate back and forth for multiple rounds; after these rounds, the verifier chooses to Accept or Reject.
(See prior thread on "The Cave of Ali Baba")
5/x
Interactive proof systems have their drawbacks: the prover has to be online for every verification, the round trips make them slow, and the resulting transcript only convinces the verifier who picked the challenges, because anyone who gets to choose the challenge themselves can fabricate an accepting transcript (they are still useful when there is a single verifier).
Thus, in practice, systems tend to use Non-Interactive Proof Systems.
6/x
In a non-interactive proof, the prover sends a single message to the verifier. The same proof can then be checked by any number of verifiers (for example every node on a chain) without ever talking to the prover. In practice, a NIZK is usually obtained from an interactive protocol by replacing the verifier's random challenge with a hash of the transcript (the Fiat-Shamir transform).
The idea of an NIZK leads us to one of the most widely used ZK Proof systems - the zk-SNARK.
7/x
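As an added example (not code from the original thread), here are the two flavors side by side for the simplest statement people actually prove, knowledge of a discrete logarithm (Schnorr's protocol): the interactive version with both parties' messages, a simulator showing why an interactive transcript is not transferable to other verifiers, and the Fiat-Shamir version that turns the same protocol into a NIZK. The group parameters P, Q and G are toy values assumed for illustration only; deployed systems use 256-bit elliptic-curve groups.

```python
import hashlib
import secrets

# Toy Schnorr group, an assumption for this example only (far too small for
# real use; deployed systems use 256-bit elliptic-curve groups instead).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2 mod P is a quadratic residue, so it generates the order-Q subgroup


def keygen():
    """Secret x and public y = G^x mod P; the prover proves it knows x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def check_transcript(y, t, c, s):
    """Verification equation shared by both flavors: G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


# --- Flavor 1: interactive. Three messages, the verifier picks the challenge. ---
class Prover:
    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1      # fresh nonce every session
        return pow(G, self.r, P)                    # message 1: t = G^r

    def respond(self, c):
        return (self.r + c * self.x) % Q            # message 3: s = r + c*x


class Verifier:
    def __init__(self, y):
        self.y = y

    def challenge(self, t):
        self.t = t
        self.c = secrets.randbelow(Q)               # message 2: random challenge
        return self.c

    def accept(self, s):
        return check_transcript(self.y, self.t, self.c, s)


def interactive_session(x, y):
    prover, verifier = Prover(x), Verifier(y)
    t = prover.commit()
    c = verifier.challenge(t)
    s = prover.respond(c)
    return verifier.accept(s)


def simulate_transcript(y):
    """An accepting (t, c, s) built WITHOUT x, by choosing c and s first and
    solving for t = G^s * y^(-c). This is why an interactive transcript only
    convinces the verifier who chose c: anyone else can forge one."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P       # y^(Q-c) == y^(-c): y has order Q
    return t, c, s


# --- Flavor 2: non-interactive via Fiat-Shamir. The challenge becomes a hash. ---
def fs_challenge(y, t):
    """Hash the statement (y) together with the commitment (t). Leaving the
    statement out of the hash is the well-known 'weak Fiat-Shamir' mistake
    that lets a proof be reused for a different statement, so bind it here."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def nizk_prove(x, y):
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = fs_challenge(y, t)                          # no verifier round trip needed
    return t, (r + c * x) % Q


def nizk_verify(y, proof):
    t, s = proof
    return check_transcript(y, t, fs_challenge(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive session accepted:", interactive_session(x, y))
    proof = nizk_prove(x, y)
    print("non-interactive proof verifies:", nizk_verify(y, proof))
    t, c, s = simulate_transcript(y)
    print("forged interactive transcript checks out:", check_transcript(y, t, c, s))
    print("same forgery accepted as a NIZK:", nizk_verify(y, (t, s)))
```

The simulator is the whole point of the interactive/non-interactive distinction: a forged (t, c, s) satisfies the verification equation, so a transcript proves nothing to a third party, but the same (t, s) fails as a NIZK because the prover no longer controls c, which is now fixed by the hash of t.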
zk-SNARKs, or "Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge," (as the name suggests) require no interaction between prover and verifier beyond sending the proof itself.
8/x
SNARKs also demand that the proof is short and fast to verify (hence Succinct), giving systems the ability to process very large program statements with a proof of only a few hundred bytes.
9/x
zk-SNARKs have a tremendous number of applications in the blockchain space. They provide scalability by placing the computational burden on the prover, often off-chain (see the ZK Rollups section later on), rather than on the validators, who only run the cheap verification.
10/x
Some zk-SNARK system examples:
- Tornado Cash
- ZCash
- Dark Forest (on-chain RTS game)
12/x
zk-SNARKs depend on a trusted setup: a set of public parameters must be generated in a one-time ceremony before any proofs can be made, and the randomness used in that ceremony has to be destroyed, because whoever keeps it can forge proofs. Protocols using trusted setups face centralization concerns, as these parameters are usually generated by a small group.
13/x
The two main zero-knowledge proof systems that do not use a trusted setup but instead use a transparent setup are Bulletproofs and STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge).
14/x
2. zk-STARKs
zk-STARKs, or Zero-Knowledge Scalable Transparent Arguments of Knowledge, are an alternative to zk-SNARKs designed to remove the trusted setup.
They rely on hash functions and error-correcting codes rather than elliptic-curve pairings, so they need no trusted setup and are believed to be resistant to quantum computers.
zk-STARKs are also scalable: the verifier's work grows only polylogarithmically with the size of the computation being proved.
15/x
Without going into too much detail here, transparent setups (unlike trusted setups) do not rely on trusted parties and have no "toxic waste," i.e. the secret randomness used in a trusted setup which, if retained, lets its holder forge proofs and compromise an entire blockchain system.
16/x
The key downside when comparing STARKs to SNARKs is the size of the proofs; proofs in a STARK are orders of magnitude larger than for SNARKs, though as research progresses, proof sizes will likely be reduced.
17/x
One way scalability can be improved with STARKs which is seeing implementations today is through a "hybrid" model, wherein off-chain STARK proofs are generated that attest to the integrity of on-chain transactions.
This leads us to the next category: ZK Rollups
18/x
Bonus: ZK Rollups
I chose to include ZK Rollups as a bonus, as they are technically not a ZK Proof system in and of themselves. There are no "pure" zk-STARK systems (AFAIK) due to the key issues mentioned above, though there are many applications thanks to ZK Rollups.
19/x
ZK Rollups are hybrid systems that bundle transactions into batches, which are executed off-chain.
Off-chain computation allows thousands of transactions to be processed in a batch while posting only a minimal data summary plus a validity proof to the blockchain, rather than individual transactions; the on-chain contract verifies the proof instead of re-executing the batch.
20/x
One of the most widely used applications of zk-STARKs comes from StarkWare, a company that provides STARK-based validity proofs on Ethereum through its Layer 2 ZK Rollup scalability engine.
Some products powered by StarkWare:
- dYdX
- DeversiFi
- Immutable
22/x
3. Bulletproofs
Bulletproofs are a form of non-interactive zero-knowledge proofs built on an efficient inner product argument, most commonly used for zero-knowledge range proofs.
Bulletproofs differ from the two systems above in that they are not SNARKs: they need no trusted setup and rest only on the discrete logarithm assumption, their proofs grow logarithmically with the size of the statement, but verification time is linear, so they are slower to verify than SNARKs.
23/x
Bulletproofs can be summarized as a system that allows multiple parties with secret committed values to jointly generate a single small range proof for all their values, without revealing their secret values to each other.
A common Bulletproof-based system is Monero.
25/x