DEV Community

Cover image for ZKu Week 1: Introduction to ZKP
Mark Kop
Mark Kop

Posted on

ZKu Week 1: Introduction to ZKP

πŸ‘‹ Intro

Web3 technologies are fantastic, and one, in particular, has been talked about a lot lately, promising to solve the blockchain privacy and scalability problem.

The zero-knowledge proof is the idea that a user can prove to another user that they know an absolute value without revealing any other or extra information.

This means we can have trusted private transactions and a layer two solution called zkRollup.

To better understand this technology, I've enrolled in a Zero-Knowledge course promoted by ZKU.ONE.

ZKU.ONE is an Online Course and Informal Study Group, for software developers to learn how to build market-ready products in WEB3 using zero-knowledge proof technology. The goal is to launch a ZK-product on mainnet within a couple of months. This is no doubt challenging; we’re here to help.

From now on, I will be sharing my studies in this 8-week course to fixate the knowledge and to provide material for others that want to know more about zero-knowledge proofs.

πŸ”Ž Week 1

It's possible to see the first-week material and the follow-up assignment in this Moodle course with guest log in.

In this first week, ZKu provided videos explaining ZKp, its use cases, and some of its characteristics.

🐭 About ZKp

In the 'Introduction to Zero Knowledge Proofs', Elena Nadolinski provides the Waldo example as a ZKp analogy, talks about privacy and scalability, and explains three properties that have to be satisfied when using ZKp:

  • Completeness (Integralidade in Portuguese)
    If the statement is true, an honest verifier will be convinced by an honest prover

  • Soudness (Solidez in Portuguese)
    If the statement is false, no cheating prover can convince the honest verifier

  • Zero-knowledge
    If the statement is true, no verifier learns anything other than the fact that the statement is true

She also talks about the history of Zero-Knowledge.
Here's a summary:

1985: First coined as a Term in 1985 for an interactive protocol
2011: zk-SNARK as an evolution of ZKP
2013: zk-SNARKs are applicable for general computing
2016: zk-SNARKs are really efficient

🐯 About SNARKs

SNARK stands for Succinct Non-interactive Arguments of Knowledge and is a way of using ZKp. More specifically, it's a fast+small (succinct) and non-interactive way of doing it.

With SNARKs, we have a programmatic way to transform a statement into a language of polynomials. This statement is a challenge that will involve a prover and a verifier.

To make the challenge non-interactive, there is a hardcoded common reference string (CRS) or SRS (Structured Reference String), which is part of a trusted setup (explained later).

There are several types (proving schemes/constructs) of zk-SNARKS, and they can be graded on proof size, prover time, and verifier time. The most known ones are Groth16 and PLONK.

  • Groth16
    It has an efficient prover time, constant proof size (192 bytes), and constant/fast verification time. The downside is it requires a trusted setup.

    It has a slower prover time than Groth16, a bigger proof size, and a slower verification time. However, it doesn't require a trusted setup.

Other zk-SNARKs are Sonic, Fractal, Halo, Marlin, etc.


βš™οΈ Technical Details

Another video provides a general theoretical background, discussing hashing, trusted setups, and interaction types.

For example, consider the following scenario:

"I know secret so that H(secret)=hashvalue."

Statement x is public data describing what we are proving in this instance: hashvalue
Witness w is private data that supports our statement: secret
Relation R is how statement and witness must be related: R(w,x): x == H(w)

Statement x is true if there is a w, so that R(x,w) is true
Statement x is false if there is no w, so that R(x,w) is true

We can check ZKp properties with these statements:

Completeness: if R(x,w) is true, P(x,w) <-> V(x) will accept
Soundness: if x is false, V(x) will reject any P (even a cheating one)
Zero-Knowledge: if R(x,w) is true, we can simulate execution logs of the protocol using only x

πŸ‘Œ Trusted Setup

The way a prover and a verifier know they're with the same statement is by using a Common Reference String (CRS).

trusted setup

A trusted setup is a process to generate this CRS.

Pyrros Chaidos has a good explanation regarding the importance of this setup.

If a single person makes this file, she will be able to cheat on the protocol.
Most kinds of trusted setup protocols guarantee that when several people are taking part in a ceremony, only one person needs to be trustworthy to generate a common reference string that is not under any one person's control.
The idea is everybody rolls some dice, and the randomness is pulled together in that file. As long as nobody knows what all the dice rolls were, the protocol is fine.
For example, you're supposed to roll your dice and do stuff with the results. Then throw your dice away without writing down the result.
If people write down their results, bad guys could hack and get all the dice rolls, reverse engineering what went into the string and therefore cheating on the protocol.

In a more cryptographic explanation, a trusted setup refers to the initial creation event of the keys used to create the proofs required for private transactions and verify those proofs. Initially, a hidden parameter is linked between the verification key and the keys sending private transactions when those keys are created. Suppose the secrets used to create these keys in the trusted setup event are not destroyed. In that case, they could be utilized to forge transactions by false verifications, giving the holder the ability to perform actions such as creating new tokens out of thin air and using them for transactions.

A trusted setup can be universal or non-universal.
Universal means that it doesn't have to be set up again to be used on other protocols, but it might be less efficient than a non-universal setup.

🌟 About STARK

STARK is a type of SNARK that stands for Scalable Transparent Argument of Knowledge. The transparent keyword means that it doesn't require a trusted setup.

Everything needed to generate the proofs is public, and the proofs are generated from random numbers.

Technically speaking, zk-STARKs do not require an initial trusted setup because they rely on leaner cryptography through collision-resistant hash functions.

Also, ZK-STARKs are more scalable in terms of computational speed and size when compared to ZK-SNARKs.

As a final note, ZK-SNARKs are vulnerable to attacks from quantum computers due to the cryptography they use. ZK-STARKs are currently quantum-resistant.

πŸ’» Circom and SnarkJS

After answering the theoretical questions from the assignment, which led me to the research I've just written above, I moved to the practical ones.

Their goal was to teach how to use Circom to build zero-knowledge circuits and SnarkJS to compile them into solidity smart contracts.

GitHub logo iden3 / snarkjs

zkSNARK implementation in JavaScript & WASM



This is a JavaScript and Pure Web Assembly implementation of zkSNARK and PLONK schemes. It uses the Groth16 Protocol (3 point only and 3 pairings) and PLONK.

This library includes all the tools required to perform trusted setup multi-party ceremonies: including the universal powers of tau ceremony, and the second phase circuit specific ceremonies.

Any zk-snark project can pick a round from the common phase 1 to start their circuit-specific phase 2 ceremony.

The formats used in this library for the multi-party computation are compatible with the ones used in Semaphore's Perpetual Powers of Tau and other implementations.

This library uses the compiled circuits generated by the circom compiler.

It works in node.js as well as directly in the browser.

It's an ES module, so it can be directly imported into bigger projects using Rollup or Webpack.

The low-level cryptography is performed directly in wasm…

I've also learned how to perform and utilize a Powers of Tau ceremony, call and create tests for the generated verifier contracts, and use a ZKp to solve sudoku puzzles.

πŸ”₯ Conclusion

That's a lot of new information to process, and I'm still unsure if I got everything intended to be taught in just one week.

However, this is just the start of this course. I'm sure that by the end of it, I will be able to a dapp with zero knowledge on a mainnet 😎.

πŸ“š References

Discussion (0)