This post is Part 2 of our three-part series dedicated to ZKs and Private Tokens. Please read Part 1 here.

Part 2: The ZK Strikes Back

Money for nothin’ (... and the privacy for free)

But why does it matter? Why delve into all these models and ownership concepts? Well, it's crucial when we aim to understand secure and privacy-centric transactions.

As mentioned in Part 1, the UTXO model resembles a cash-payment system, while ETH's Account-Based model is more akin to a bank account setup. Which one offers better privacy? Certainly, it's the former. Cash transactions are visible to both parties (sender and receiver), and the only necessary data is the bill's value and its new owner's address. Simple as that. Moreover, the sender (Bob) and receiver (Alice) can arrange to transfer cash without meeting by utilizing a code-safe box. Bob places the money in the box, sends the code to Alice, who then enters the code to retrieve the money. Voila! It's private and secure.

Now, let's explore how this straightforward example can evolve into a blockchain solution. The critical question arises: How can we verify that Bob genuinely owned that money before and/or didn't just print the bill and hack the system? Well, the solution lies in checking whether Bob owns the money and ensuring that Alice (A) and Bob (B) balances before the transaction are equal to their balances after the transaction, represented as A1 + B1 = A2 + B2. This is where the magic unfolds — enter zero knowledge proofs.

ZKP. Zero Knowledge Proof.

Thanks to the prowess of cryptography, one can prove the veracity of a given piece of data without actually revealing the data itself. If you've never encountered Zero Knowledge Proofs (ZKP), you might be surprised that it's possible. Yes, it's possible! Revisiting our example, Bob (the prover) can persuade Alice (the verifier) that he owns the money and the transaction is valid. Moreover, the entire system can acknowledge this proof, all without anyone discerning the specific amount of money and balances involved!

Now, let's pause for a moment and delve deeper into the beauty of ZKP. 

While the concept is continually evolving (with much work still ahead), its roots trace back to 1985 when it was first introduced in the academic paper "The knowledge complexity of interactive proof-systems".

From our perspective, the significance lies in ZKP's ability to address privacy concerns, allowing for the validation of claims without the need to expose sensitive information. For instance, it can be employed to verify your ID without revealing the actual ID ("I am Bob, here's the proof!"). To achieve this, the most basic structure of a zero-knowledge proof consists of three elements:

1. Witness: This is the secret information that the prover aims to prove knowledge of without revealing it.
2. Challenge: A randomly selected question posed by the verifier, which the prover must answer.
3. Response: The answer calculated by the prover in response to the question asked.

This interaction must be repeated multiple times to eliminate the possibility of the prover faking knowledge of the witness. Termed "interactive zero-knowledge proof," it necessitates back-and-forth communication between the prover and verifier. While this is effective, it might be inconvenient or even impossible in some cases. Fortunately, there's also a solution—enter "Non-interactive ZKP," which can be generated using a "shared key." This key can be passed to anyone for verification, minimizing the communication required between the prover and verifier, thus enhancing the efficiency of ZKP.

zk-TYPEs 

Non-interactive proofs come in various types, and currently, two of the most compelling are:

1. zk-SNARK: Zero Knowledge Succinct Non-interactive Argument of Knowledge

Introduced in 2012 and employed by, for example, Zcash, zk-SNARKs are small in size and easy to verify (succinct). zk-SNARK generates a proof using elliptic curves cryptography (no worries, I will explain them later on!), which implicates two important things. Firstly, the proof-generating process requires a trusted setup, so the initial creation event of the keys is needed to create and verify the proof. This one is called the Powers of Tau Ceremony and is used to ensure security by using a multi-party computation (MPC) (more about setup ceremonies can be found here). Secondly, zkSNARKs are not quantum attacks resistant, which might be the case in the future. 

2. zk-STARK: Zero-Knowledge Scalable Transparent Argument of Knowledge

Based on hash functions, zk-STARKs stand out by being resistant to quantum attacks and not requiring a trusted setup, unlike zk-SNARKs. However, zk-STARK proofs have a considerably larger size than zk-SNARKs, translating to longer verification times and increased gas requirements.

Zero Knowledge Proof - Full Utility Certainty

Since its introduction, Zero Knowledge Proofs (ZKP) have found compelling use cases, and we'll focus on their application in the blockchain realm. ZCash, launched in 2016, stands out as one of the pioneers in privacy-oriented blockchains, as it was created as the solution for one of the biggest Bitcoin challenges: privacy. While Bitcoin leans towards pseudonymity, allowing for easy tracking of addresses and transactions, ZCash strives for true anonymity. Leveraging ZK technology, specifically zkSNARKs, ZCash conceals transaction amounts and addresses, offering a robust privacy solution (learn more here).

ZK technology isn't exclusive to the UTXO Model; projects on the Account-Based model, especially on the Ethereum Network, have embraced it as well. Tornado Cash, a prominent example, acts as a mixer allowing users to deposit crypto from one address and withdraw it with another, thwarting attempts to link two wallets and track on-chain activity. While facing legal issues and security challenges, Tornado Cash remains an intriguing attempt at preserving privacy.

Other projects like Consensys' "The Confidential Transactions" and EY's "Nightfall Project" approach privacy differently. The Confidential Transactions aimed to enable transfers with encrypted balances, concealing user balances. Sender and receiver addresses weren’t hidden though, both sides of a transaction had to communicate off-chain and users had to keep decrypted balances to not lose access to their funds, which made The Confidential Transactions not so user-friendly and thus unsuccessful. 

On the other hand, the Nightfall Project sought to recreate the UTXO Model on Ethereum's smart contract, employing a Merkle Tree to manage UTXOs and hide users' balances. Though facing challenges such as expensive transactions and synchronization issues, Nightfall evolved into a zk-rollup protocol in collaboration with Polygon, offering efficient private transactions on the Ethereum Mainnet without compromising transparency and security.

Like a complete unknown, like a Rolling Stone… like a ZK Roll-up? 

As detailed on Ethereum's comprehensive content and resource page, Zero-Knowledge Rollups (ZKR) are Layer 2 scaling solutions designed to enhance throughput on the Ethereum Mainnet by relocating computation and state storage off-chain. ZKR bundles transactions into batches, executing them off-chain and subsequently posting reduced data to the blockchain.

Remember the Blockchain Trilemma we discussed earlier? Layer 2 (L2) is a concept aiming to address Ethereum's scalability issues, essentially a separate blockchain extending Ethereum with inherited security guarantees. L2 typically comprises a network (separate blockchain) and a smart contract responsible for interacting with the underlying blockchain, such as the Ethereum Mainnet.

Presently, two main Layer 2 implementations are considered the most promising: payment channels and rollups. Both aim to reduce transaction costs and enhance scalability by executing state changes off-chain and proving them on-chain.

One can’t be surprised that scalability in rollups can be achieved in different ways and nowadays two types are being the most actively developed: Optimistic Rollup and ZK Rollup. Focusing on the latter due to its alignment with the Zero Knowledge theme of this article, ZK Rollups aggregate transactions, perform off-chain computation (generate Zero Knowledge Proofs) and send data to Layer 1 smart contracts for proof validation. This architectural approach accelerates and economizes transactions without compromising security.

While this may seem overly complex, there are already working solutions like zkSync, Starknet, Loopring, and Aztec, with a total value locked exceeding a billion dollars (see ZK Rollup project summary).

A significant challenge in ZK Rollups revolves around generating and validating proofs efficiently. How to create the proof as fast as possible, while keeping it not “too heavy” or not too expensive to verify (remember, this must be passed to the blockchain, and that costs money!)? This is exactly where the knowledge about zkSNARKs and zkSTARKs needs to be utilized to choose the most suitable technology for a project! For example, Starknet uses zkSTARK and Loopring is based on zkSNARKs. So, as you can see, it’s not such a trivial decision, especially when the technology is being developed so rapidly.

This is Part 2 of our three-part series - stay tuned for its continuation!