If you don’t know what zero-knowledge proofs (ZKPs) are, I recommend you go through my article — Zero-Knowledge Proofs for Dummies. While that article skimmed the surface on what they are, the various use cases, and the drawbacks, in this article, I want to expand on the differences between the major implementations of zero-knowledge proofs. This article aims not to go in-depth from a technical, cryptographic perspective but more from an application level as it pertains to blockchain technologies in general.
Let’s first start with the basic types of ZKPs.
Interactive vs non-interactive zero-knowledge proofs
The two main types of zero-knowledge proofs are interactive and non-interactive. Interactive zero-knowledge proofs (IZKPs) require the prover and verifier to engage in a back-and-forth conversation in which the prover provides responses to the verifier’s queries. This interaction can be performed in person or over a network like the internet.
Non-interactive zero-knowledge proofs (NIZKPs), on the other hand, do not require any interaction between the prover and verifier. Instead, the prover creates a single, self-contained proof that the verifier can independently verify without further communication. This can be more convenient and efficient than interactive proofs since it does not require the prover and verifier to be online simultaneously or exchange multiple messages. One of the most classic ways of achieving this is with the Fiat-Shamir heuristic technique based on digital signatures.
One of the key differences between interactive and non-interactive zero-knowledge proofs is the level of trust required between the prover and verifier. In an interactive proof, the verifier must trust the prover to follow the protocol and provide honest responses to their queries. In a non-interactive proof, on the other hand, the verifier doesn’t need to trust the prover at all since they can independently verify the proof without relying on any information provided by the prover.
Another difference between the two types of zero-knowledge proofs is the level of computational complexity required. Interactive proofs tend to be more computationally intensive than non-interactive proofs since they require the prover and verifier to exchange multiple messages and perform additional computations. Non-interactive proofs, on the other hand, require only a single computation by the verifier, making them more efficient and scalable.
Both interactive and non-interactive zero-knowledge proofs have pros and cons, and the best choice for a given scenario will depend on the specific requirements and constraints. Interactive proofs may be more suitable for situations where the prover and verifier are online simultaneously and can easily communicate. In contrast, non-interactive proofs may be more suitable for situations where the prover and verifier are not online simultaneously or where the prover’s trustworthiness is uncertain.
Limitations of interactive zero-knowledge proofs
Interactive zero-knowledge proofs (IZKPs) have several limitations, thus making them more expensive and complex.
- IZKPs require interaction between the prover and verifier, which can be inefficient and time-consuming. To complete the proof, the prover must send multiple messages back and forth with the verifier. This can take significant time, especially if the proof is complex or involves large data. This can be a problem when speed is of the essence, such as in high-frequency trading or real-time decision-making.
- IZKPs do not scale well. As the data being proven increases, the proof’s complexity also increases, making it difficult to complete the proof in a reasonable amount of time. This can be a problem when large amounts of data need to be proven, such as in supply chain management or healthcare.
- IZKPs rely on the assumption that the prover and verifier are honest and do not try to cheat or manipulate the proof. However, this assumption is not always valid, and the prover can try to deceive the verifier by sending false messages or manipulating the proof somehow. This can compromise the integrity of the proof and undermine its usefulness.
- IZKPs require specialized cryptographic techniques, which can be difficult to implement and require a high level of technical expertise. This can make it challenging for non-technical users to use IZKPs and may limit their adoption in certain contexts.
Overall, while IZKPs have the potential to provide strong security and privacy guarantees, these limitations have historically hampered their widespread use. Alternative techniques, such as non-interactive zero-knowledge proofs or proof-of-work systems, may be more suitable in certain contexts.
Once we understand the differences between interactive and non-interactive ZKPs, it’s time to dive deeper into the most popular blockchain and crypto industry implementations — zkSNARKs. While zkSNARKs are used by zkSync, arguably the most popular L2 utilizing ZKPs, a close second is also zkSTARKs by Starkware. Let’s understand how these two implementations differ and the pros and cons of each.
zkSNARKs vs zkSTARKs
zkSNARKs and zkSTARKs are both zero-knowledge proof (ZKP) systems that allow one party (the prover) to prove to another party (the verifier) that a statement is true without revealing any information about the statement itself. ZKPs have many applications, including privacy-preserving transactions on blockchains, secure multi-party computation, and anonymous communication.
zkSNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) were first introduced in a paper by Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, and Madars Virza in 2014. They are based on the idea of a “non-interactive proof,” which means that the prover and verifier do not need to communicate with each other during the proof process. This makes zkSNARKs well-suited for use in blockchains, where communication between parties is limited by the need to reach a consensus.
zkSNARKs use a combination of public and private keys to create a proof. The prover has access to a private key, which they use to generate a proof of the statement they wish to make. The verifier has access to a corresponding public key, which they use to verify the proof. If the proof is valid, the verifier can be confident that the statement is true, even though they do not have any information about the statement itself.
Advantages of zkSNARKs
- One of the main advantages of zkSNARKs is their efficiency. The proof process is very fast, making it possible to use zkSNARKs in high-throughput systems such as blockchains.
Disadvantages of zkSNARKs
- They rely on a “trusted setup” process, in which a group of participants generate and destroy a set of public and private keys. If this process is not performed correctly, it could compromise the system’s security.
- Additionally, zkSNARKs are not transparent, meaning that it is impossible to verify the proof’s correctness without access to the private key.
zkSTARKs (Zero-Knowledge Scalable Transparent ARgument of Knowledge) was introduced in a paper by Eli Ben-Sasson, Michael Riabzev, and Nicholas Spooner in 2018. They are an improvement on zkSNARKs that address some issues with the original design.
Like zkSNARKs, zkSTARKs allow a prover to create a proof of a statement without revealing any information about the statement itself. However, zkSTARKs do not require a trusted setup process, making them more secure and transparent. In addition, zkSTARKs are much more efficient than zkSNARKs, with proof sizes that are several orders of magnitude smaller.
Advantages of zkSTARKs
- One of the main advantages of zkSTARKs is their transparency. With zkSNARKs, it is not possible to verify the correctness of the proof without access to the private key. With zkSTARKs, it is possible to create a “proof of verification,” which allows anyone to verify the correctness of the proof without access to any secret information. This makes zkSTARKs a more secure and transparent choice for applications where trust is essential.
- Another advantage of zkSTARKs is their scalability. zkSNARKs rely on complex mathematical operations that are resource-intensive, making them less efficient as the size of the proof increases.
Disadvantages of zkSTARKs
- One major drawback is that zkSTARKs are only suitable for proving the authenticity of certain types of statements. In particular, they can only be used to prove the authenticity of statements represented as polynomials, which limits their applicability.
- Another drawback is that zkSTARKs are not fully non-interactive, requiring a trusted setup phase in which a common reference string (CRS) is generated. This CRS must be kept secret and secure for the zkSTARK proof to be considered valid. If the CRS is compromised, then the security of the proof is also compromised.
- Additionally, zkSTARKs are not yet widely used or well-understood, so potential vulnerabilities may not yet be discovered. This lack of widespread adoption and understanding also means a lack of tools and resources for working with zkSTARKs, making it more difficult to implement and use them in practice.
- Finally, zkSTARKs are still relatively new and untested compared to other zero-knowledge proof systems, which means that their long-term security and reliability are not yet fully understood. This uncertainty can be a drawback for organizations or individuals looking for a proven and reliable method of verifying the authenticity of statements.
In summary, while zkSTARKs offer several benefits in terms of efficiency and security, there are also several drawbacks to consider when deciding whether to use them. These drawbacks include a limited range of applicability, the need for a trusted setup phase, a lack of widespread adoption and understanding, and uncertainty about their long-term security and reliability.
All Comments