ZK has nothing to do with Blockchains

Breaking down what ZK really is, why it's relevant

ZK-Proofs, most importantly ZK-SNARKs are a way to prove that you hold some information, without having to reveal the information.

ZK-Proofs can be used for

• Privacy : Proving that you have some information that satisfies certain conditions without revealing the information you have. Think revealing your age, without revealing your entire drivers license.

• Scalability : With Snarks, you can prove that certain computation has been executed correctly without the verifier needing to re-run the computation to check for parity. Particularly useful when a validator can verify that a smart contract has been correctly executed without needing to have to re-do the computation. This is what zk-rollups are after.

• Interoperability : A proof can be generated anywhere, and verified anywhere. Meaning, it doesn’t matter who generated the proof. You can always verify that the proof is correct even if you have no way of contacting the issuer. So a proof generated on chain-1 or for that matter centralized-server-1 can be used on chain-2 and the proof will still be valid, without needing to contact chain-1 or server-1.

Myth - ZK Rollups are ZK

“There is a lot of work being done in ZK.” often gets treated as work being done in ZK-Rollups. ZK-Proofs are completely different from ZK-Rollups. Yes, ZK-Rollups are using SNARKs. But they’re not privacy preserving. So, technically, they aren’t ZK.

Eli-Ben-Sasson, founder of Starknet rather have us call these rollups Validity Rollups. Because these rollups generate proofs (using SNARKs/STARKs) about the validity of the execution of transactions.

The truth is ZK-Proofs are a superset of ZK-Rollups as against popularly believed. Quick look at how, below.

How to generate a ZK Proof

Definitely, complex math, but here are the broad steps. I’ll try to use as little math as possible.

Technically speaking, any statement, any program can be converted into a polynomial. Think converting lab observations into equations. So, in it’s purest form, yes it is possible to represent anything as a polynomial aka a mathematical equation.

This mathematical equation can be converted into what’s called a circuit. A circuit is a representation of the equation. You might see the terms R1CS and QAP - which are names to intermediate steps on the conversion to this representation.

Once this representation is complete, is where the magic happens.

Let’s say the equation has the form y=f(x) for some polynomial f.

f here is the representation of a program that has been converted into a polynomial, that has then been converted into a circuit.

The private information you have satisfies this equation for some value of x & y. You know it but you don’t want to reveal the value x. Because that is your private information.

This equation y=f(x) will hold for some x and y, where x can be any number from -ve infinity to +ve infinity.

The last trick is to add a restriction saying x can only be a number in the range 0 to N

If x exceeds N, it will loop all the way back. That is, N+1 = =1 N+2 == 2 …

This is called modulo math. So our equation is now represented as

y = f(x) modulo N

This N is a very large prime number. This prime number and a few other parameters are calculated via a ceremony. This is the trusted setup that is associated with SNARKs.

But once the value N has been calculated and agreed upon without malice, you can prove that you know the solution to the equation without revealing value of x.

There are a few more nuances on how exactly this information is hidden (modular exponentiation), but the core premise is, if the solution to the equation you know is x, you reveal N+x or 2N+x or 103N+x. Because N+x == x (modulo N).

If you reveal N+x, because of the aforementioned nuances, it is impossible to recover x.

Because you know the value (kN+x) for some k, others can trust you that you know the solution to y=f(x), but they don’t know the value of x. Because it is hard/impossible to recover x from (kN+x).

Ok, so?

Generating these circuits and proofs are very compute intensive. Even simple SNARK proofs run into GBs very quickly needing a data centre to do the processing.

The big breakthrough in recent times has been that it is now possible to optimize the SNARK proof generation (for a subset of proofs) into something that can be generated on a mobile phone.

This subset is that of merkel tree branch proof and hash pre-image proof. That is, using a mobile you can prove that you are a part of a group (merkel tree) without proving which member you are; and you can prove that you have some information that generates a certain hash, without revealing what that information is.

Both of these are huge, and put together they are sufficient to be able to generate interesting enough proofs to enable user facing applications.

It has nothing to do with a block chain. A ZK-Proof can exist and can be used in the absence of blockchains all together. If blockchains enabled arriving at a truth via consensus, ZK-Proofs render the consensus unimportant.

The interesting question is, you have privacy preserving, censorship resistant proving mechanisms about group memberships and access to information - what user application will be built?

This is the beginning of a new class of applications.

In the next few posts I’ll cover some interesting applications of ZK-Proofs by deconstructing open source projects. Consider subscribing.