Do You Need a Zero Knowledge Proof?
Where exactly do zero-knowledge proofs fit in?
That’s the title of a new paper from a group of academics who say they are trying to “aid in the critical thinking process” around this mind-bending cryptographic tool. It’s good timing: the hype is nearing levels not seen since the mid-2010s, when blockchains were held up as the solution to a wide variety of society’s problems.
The buzz around “ZKPs,” as they’re sometimes called, is not completely misplaced. They can do something amazing: prove that a secret is true without revealing the secret itself.
Imagine, for example, that you could prove you’re a citizen of your home country without revealing anything else about yourself; that you are older than 21 without revealing your age; or that you have at least $25,000 in your bank account without revealing exactly how much you have. The power seems out of this world; some call it “moon math.” But it is firmly grounded in reality to think ZKPs could be the foundation of a more private internet.
Could. The promise of ZKPs is undeniable. But if that promise is going to be converted into real-world impact, the paper’s authors say it’s time for more people to focus on the specific scenarios in our online lives where ZKPs can make a difference.
The team behind the paper was led by Arthur Gervais, a professor at University College London who has published extensively on the security of blockchain networks. They write that ZKPs have “emerged as a pivotal tool, commanding the attention of both academia and industry.” Beneath this exciting surface, however, lie complicated technical constraints, tradeoffs, and assumptions. “Deciding on whether a ZKP enhances the utility of an application is a non-trivial endeavor,” they say.
Hence the paper, which Gervais and his colleagues say is meant to identify “the contexts where the unique attributes of ZKPs are indeed indispensable.”
Know Your Jargon
Critical thinking requires reliable language. But in the realm of ZKPs, even fundamental terms aren’t always used correctly. “(W)e observe that recent applications misuse the term zero-knowledge, such that some applications do not demand zero knowledge after all,” the team writes.
This is an important point. Despite its sci-fi vibe, the term zero knowledge, if used correctly, is among the least confusing parts of all this. A ZKP can prove that a computer has some piece of knowledge without revealing any of it: zero units of knowledge are transferred. That creates new possibilities for private applications. But there is another property of ZKP systems, called succinctness, that is separate from privacy and has its own implications. And often when people say zero-knowledge, they really mean succinctness.
Succinctness means the proofs are smaller (and thus easier to process) than the statements they prove. That is what lets ZKPs be used in “the outsourcing of computation from a constrained environment to a computationally powerful, untrusted server,” the authors write. In other words, as long as the constrained environment can process the smaller proof, it can verify that an associated, more resource-intensive computation took place elsewhere and avoid having to repeat it.
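Succinctness on its own is easiest to see in a Merkle inclusion proof, the building block that lets a verifier check one record against a committed set without re-reading the set. The Python below is an added example written for this page, not code from the paper or from any rollup project; the 1,000-entry ledger is constructed sample data. The verifier holds only the 32-byte root and receives about log2(n) sibling hashes, so the proof is far smaller than the data it speaks for. But the record itself travels in the clear, so this proof is succinct and not zero-knowledge, which is exactly the separation the paragraph above draws.

```python
import hashlib
from typing import List, Tuple

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(leaf: bytes) -> bytes:
    # Domain separation: leaves and inner nodes hash differently, so an inner node
    # cannot be passed off as a leaf (a classic Merkle second-preimage pitfall).
    return _h(b"\x00" + leaf)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def _pad(level: List[bytes]) -> List[bytes]:
    # Odd levels duplicate their last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 == 1 else level

def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """levels[0] holds the leaf hashes, levels[-1] is [root]."""
    level = [leaf_hash(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(leaves: List[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]

def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hash at each level, tagged with whether the sibling sits on the left."""
    proof = []
    i = index
    for level in build_levels(leaves)[:-1]:
        level = _pad(level)
        sib = i ^ 1
        proof.append((level[sib], sib < i))
        i //= 2
    return proof

def verify_inclusion(root: bytes, leaf: bytes, proof) -> bool:
    """The verifier holds only the root; it never sees the other n-1 records.
    It does, however, see the leaf itself: nothing about this is zero-knowledge."""
    cur = leaf_hash(leaf)
    for sib, sib_is_left in proof:
        cur = node_hash(sib, cur) if sib_is_left else node_hash(cur, sib)
    return cur == root

def proof_size_bytes(proof) -> int:
    return sum(len(sib) + 1 for sib, _ in proof)  # 32-byte hash + 1 direction flag each

# Constructed sample data: a 1,000-entry "ledger" a constrained verifier would not want to rescan.
LEDGER = [f"tx-{i}:pay:{(i * 7919) % 1000}".encode() for i in range(1000)]

if __name__ == "__main__":
    root = merkle_root(LEDGER)
    proof = inclusion_proof(LEDGER, 345)
    print("ledger bytes:", sum(len(x) for x in LEDGER), "proof bytes:", proof_size_bytes(proof))
    print("valid:", verify_inclusion(root, LEDGER[345], proof))
    print("forged:", verify_inclusion(root, b"tx-345:pay:999", proof))
```

For the 1,000-entry ledger the proof is ten sibling hashes (330 bytes including direction flags), and verification is ten SHA-256 calls regardless of how much the prover had to hash to build the tree. The domain-separation prefixes matter in practice: without them, a 64-byte inner node can be presented as a "leaf" and verified against a proof one level shorter.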
This is already coming in handy for blockchain scaling. As the researchers note, “a blockchain is a primary example of a slow, global computing environment that is replicated on many machines.” A so-called Layer 2 system known as a zk-rollup can process blockchain transactions in a separate computing environment and then submit cryptographic proof of their validity to a smart contract on the main blockchain.
A ZKP system requires a prover, which in the example above is the zk-rollup, and a verifier, which is the smart contract. A verifier could also be traditional software like a browser extension. There are a number of different ways to set this up, and the details are technical, to say the least. But in general, the prover and verifier must first agree on a set of parameters, in a way that makes it extremely improbable if not impossible that the prover could generate a valid cryptographic proof without knowing the secret information in question.
When Are ZKPs Worth the Cost?
Sticking with the zk-rollup example: they generally use the same technology — called Succinct Non-Interactive Arguments of Knowledge, or SNARKs — that the creators of the private cryptocurrency Zcash made practical in the mid-2010s. The development of Zcash ignited an explosion in research and development focused on SNARKs, which has resulted in some high-profile applications. Tornado Cash might be the most (in)famous — the Ethereum-based application, which was sanctioned by the US Treasury, uses SNARKs to help users hide transaction information that could reveal their identity. Decentralized data storage system Filecoin requires that storage providers submit SNARKs verifying that the information they are storing hasn’t been messed with.
A variety of developer tools are now available as well, making SNARKs easier for non-cryptographers to work with. But the technology is still developing and it has important limitations. A major one is that even if it’s possible to outsource computation to more powerful computers, it’s still expensive for those machines to generate proofs.
There are other ways to deploy ZKPs in the real world besides SNARKs. But in many cases, the new paper’s authors argue, it will be less expensive to use other tools besides ZKPs. Whether it’s worth the cost depends on trust. The less you trust someone, the more you may be willing to pay to keep your data secret from them — or to ensure that their computations are cryptographically verifiable.
“Digital self-sovereign identity” is one application for which alternatives to ZKPs may not exist, the authors acknowledge. The big idea here is the ability to share credentials, from national identification to event tickets, without having to reveal any sensitive data to third parties. Projects like Anon Aadhaar, which makes it possible to convert an Indian national ID into a piece of verifiable data that can be transferred anonymously, provide just a glimpse of what might be possible here.
Gervais and his team also note that ZKPs could be used to add new capabilities to the networking protocols underlying the internet. The paper highlights two specific projects — the Reclaim Protocol and PADO Labs — applying ZKPs to enable users to selectively transfer verifiable data from a website, like account balances on bank sites, to third parties without having to rely on services like Plaid, which store sensitive information.
This Isn’t Just a Blockchain Thing
ZKP applications don’t need blockchains to work. “While blockchain technology has been a significant driving force in the evolution of (ZKPs), their potential extends far beyond this domain,” the paper’s authors write. Recent research has shown that ZKPs could let security researchers prove knowledge of a vulnerability without needing source code, which could replace the current method of “proving” that knowledge via a video recording. Other research has demonstrated how ZKPs could be used to prove machine learning model correctness and accuracy, helping weed out dishonest or unreliable “ML as a service” providers, for example.
These applications may be examples of scenarios in which ZKPs are, to use the authors’ word, “indispensable.” But they are also somewhat niche. While something like digital self-sovereign identity may seem vital to folks with certain ideologies or who live under authoritarian rule, much of society could probably take or leave it.
But there are more mainstream issues the technology is capable of addressing right now.
One is the growing flood of misinformation online. Researchers at Stanford have shown it’s possible to help general readers determine — thanks to a special camera, a ZKP embedded in an image’s metadata, and an in-browser verifier — that a photo of a news event has not been dishonestly manipulated.
Or take private messaging. Just last week, Signal unveiled a new feature that lets users connect with others on the app without sharing their phone numbers. First, a user, Alice, can generate a new “username” (separate from the handle she may already have) and compute a cryptographic hash of that username. Signal stores the hash on its server, though it says it “can’t easily see or produce the username if given the phone number of a Signal account.”
Now, to invite Bob to chat, Alice can share her new username instead of her phone number. Before Bob can chat with her, he must prove he knows Alice’s plaintext username — without revealing it. By now you can probably guess how Bob is able to pull this off.
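The prover/verifier exchange sketched under “Do You Need a Zero Knowledge Proof?” (agree on parameters, then convince the verifier without leaking the secret) and the Signal username flow just described can be shown together in one added example. This is code written for this page, not Signal’s code, and it does not reproduce Signal’s actual construction: it assumes a toy discrete-log commitment C = G^x in place of the stored value, a 63-bit safe-prime group that is far too small for real use, and a Schnorr-style proof of knowledge in three forms: the interactive commit/challenge/response protocol; its non-interactive form, in which the challenge is derived by hashing (the Fiat-Shamir transform) so Bob sends a single message; a simulator that produces valid-looking transcripts with no secret at all, which is what “zero knowledge” means; and an extractor that recovers x from two accepting transcripts, which is why a prover who can answer arbitrary challenges must actually know x.

```python
import hashlib
import secrets

# ---- Toy group parameters (constructed for this example; far too small for real use) ----
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 3.3e24

def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits: int):
    """Smallest safe prime P = 2Q + 1 with Q > 2**(bits-1). The search is deterministic,
    so prover and verifier derive identical parameters (the "agree on parameters" step)."""
    q = (1 << (bits - 1)) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(63)   # P < 2**64
G = 4                    # a quadratic residue mod a safe prime, hence of prime order Q

def _enc(n: int) -> bytes:
    return n.to_bytes(16, "big")

def hash_to_scalar(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"\x00".join(parts)).digest(), "big") % Q

# ---- Setup: the stand-in for what the directory server stores ----
def username_commitment(username: str):
    """Alice's secret scalar x (derived from the username) and public C = G^x."""
    x = hash_to_scalar(b"username-v1", username.encode())
    return x, pow(G, x, P)

# ---- Interactive sigma protocol: commit, challenge, respond, check ----
def prover_commit():
    r = secrets.randbelow(Q - 1) + 1          # fresh per proof; reuse leaks x
    return r, pow(G, r, P)                     # (kept secret, sent to verifier)

def verifier_challenge() -> int:
    return secrets.randbelow(Q)

def prover_respond(x: int, r: int, c: int) -> int:
    return (r + c * x) % Q

def verifier_check(C: int, t: int, c: int, s: int) -> bool:
    return pow(G, s, P) == (t * pow(C, c, P)) % P   # G^s == G^r * (G^x)^c

# ---- Non-interactive form: Bob hashes the transcript to get the challenge ----
def prove_knowledge(x: int, C: int, context: bytes):
    r, t = prover_commit()
    c = hash_to_scalar(b"fs-challenge", _enc(P), _enc(C), _enc(t), context)
    return t, prover_respond(x, r, c)

def verify_proof(C: int, proof, context: bytes) -> bool:
    t, s = proof
    c = hash_to_scalar(b"fs-challenge", _enc(P), _enc(C), _enc(t), context)
    return verifier_check(C, t, c, s)

# ---- Why it is zero-knowledge: a simulator with no secret makes accepting transcripts ----
def simulate_transcript(C: int):
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(C, (Q - c) % Q, P)) % P    # t = G^s * C^(-c)
    return t, c, s

# ---- Why it is sound: two answers to one commitment reveal x ----
def extract_secret(c1: int, s1: int, c2: int, s2: int) -> int:
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q
```

In the username scenario the server keeps only C; Bob, who learned the username from Alice out of band, recomputes x and sends (t, s) bound to a context string such as the connection request. The server checks the proof without ever seeing the username, whereas the naive design (Bob sends the username, the server hashes and compares) hands the plaintext to the server. The simulator is the honest-verifier zero-knowledge argument: anyone can mint transcripts that pass `verifier_check`, so a transcript carries no information about x. The extractor is the soundness argument: if a prover could answer two different challenges for the same t, `extract_secret` would recover x, so a prover who does not know x can succeed only by guessing the challenge in advance.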
Credit: Mike Orcutt