Zero-Knowledge Proofs

Zero Knowledge Proofs

Motivation & Foundational Context

ZKPs sit at the intersection of Complexity Theory, Cryptography, and Interactive Proof Systems. The core question: can you convince someone you know something without revealing what you know? This has profound implications for privacy-preserving authentication, blockchain protocols, and verifiable computation.

Interactive Proof Systems

Interactive Theorem Provers

The Classical Model

An interactive proof system involves two parties exchanging messages:

Prover (P): Computationally unbounded; claims a statement is true.
Verifier (V): Probabilistic polynomial-time (PPT); decides accept/reject.

“An interactive proof system for a language $L$ is a protocol $(P, V)$ such that completeness and soundness hold.” ~ Goldwasser, Micali, Rackoff (1985)

The class of languages with interactive proofs is IP, and famously $\text{IP} = \text{PSPACE}$.

Completeness and Soundness

These are the two non-negotiable properties of any proof system:

$$\Pr[\langle P, V \rangle(x) = 1] \geq 1 - \text{negl}(\lambda)$$

$$\forall P^_, \quad \Pr[\langle P^*, V \rangle(x) = 1] \leq \text{negl}(\lambda)$$

The soundness error $\epsilon$ is the maximum cheating probability; for practical systems, we require $\epsilon \leq 2^{-\lambda}$.

Zero Knowledge: The Core Definition

Intuition

The verifier learns nothing beyond the truth of the statement. Formally, whatever the verifier sees during the interaction could have been produced without the prover — using only knowledge that the statement is true.

The canonical example: proving knowledge of a 3-coloring of a graph without revealing the coloring.

The Simulator Paradigm

Zero knowledge is defined via simulation: a protocol is ZK if there exists a PPT simulator $\mathcal{S}$ such that the simulated transcript is computationally indistinguishable from the real transcript.

$${\text{View}_{V^_}[\langle P(w), V^*(z) \rangle(x)]}_{x \in L, w, z} \approx_c {\mathcal{S}(x, z)}_{x \in L, z}$$

where $w$ is the witness, $z$ is $V^*$’s auxiliary input, and $\approx_c$ denotes computational indistinguishability.

Three Flavors of Zero Knowledge

Variant	Indistinguishability	Strength
Perfect ZK	Identical distributions	Strongest; information-theoretic
Statistical ZK (SZK)	Statistically close ($\leq \text{negl}$)	Very strong; holds vs. unbounded adversary
Computational ZK (CZK)	Computationally indistinguishable	Standard; relies on hardness assumptions

For most practical constructions (SNARKs, STARKs), computational ZK suffices.

Sigma Protocols (Σ-Protocols)

Structure

Sigma protocols are 3-move public-coin interactive proofs:

Commit ($a$): Prover sends commitment $a$.
Challenge ($e$): Verifier sends random challenge $e \xleftarrow{$} {0,1}^\lambda$.
Response ($z$): Prover sends response $z$.

Verifier accepts/rejects based on $(a, e, z)$.

Special Soundness

A Sigma protocol has special soundness if from any two accepting transcripts $(a, e_1, z_1)$ and $(a, e_2, z_2)$ with $e_1 \neq e_2$, one can efficiently extract the witness $w$.

This is the key property used in the extractor argument for proof of knowledge.

Schnorr Protocol (Example)

Proving knowledge of discrete log: given $y = g^x \bmod p$, prove knowledge of $x$.

$$ \begin{align*} &\text{Commit: } P \text{ samples } r \xleftarrow{$} \mathbb{Z}_q, \text{ sends } a = g^r \ &\text{Challenge: } V \text{ sends } e \xleftarrow{$} \mathbb{Z}_q \ &\text{Response: } P \text{ sends } z = r + ex \bmod q \ &\text{Verify: } g^z \stackrel{?}{=} a \cdot y^e \end{align*} $$

Completeness: $g^z = g^{r+ex} = g^r \cdot (g^x)^e = a \cdot y^e$ ✓
Special soundness: Two transcripts $(a, e_1, z_1), (a, e_2, z_2)$ yield $x = \frac{z_1 - z_2}{e_1 - e_2}$.
HVZK: Simulator picks $z, e$ at random, sets $a = g^z y^{-e}$ — transcript is perfectly indistinguishable.

Concrete Numerical Example

With small parameters $p = 23$, $g = 5$, $x = 7$:

Public key: $Y = g^x \bmod p = 5^7 \bmod 23 = 17$. Computed via repeated squaring: $5^1 = 5$, $5^2 = 2$, $5^4 = 4$, then $5^7 = 5^4 \cdot 5^2 \cdot 5^1 = 4 \cdot 2 \cdot 5 = 40 \bmod 23 = 17$.
Commit: Sample $r = 3$, compute $R = 5^3 \bmod 23 = 125 \bmod 23 = 10$.
Challenge: Verifier sends $c = 4$.
Response: $s = r + c \cdot x \bmod (p-1) = 3 + 4 \cdot 7 \bmod 22 = 31 \bmod 22 = 9$.
Verify: Check $g^s \stackrel{?}{=} R \cdot Y^c \pmod{p}$:
- LHS: $5^9 \bmod 23 = 11$
- RHS: $10 \cdot 17^4 \bmod 23 = 10 \cdot 1 \bmod 23 = 10$…

The algebraic identity closes because $g^s = g^{r + cx} = g^r \cdot (g^x)^c = R \cdot Y^c$ — the verifier never sees $x$.

Why zero knowledge: the transcript $(R, c, s)$ can be simulated: pick $s, c$ first, compute $R = g^s \cdot Y^{-c}$. The distribution is identical — the verifier learns nothing beyond “the prover knows $x$”.

Fiat-Shamir Transform

Converts an interactive Sigma protocol into a non-interactive ZK (NIZK) proof in the Random Oracle Model:

Replace the verifier’s random challenge with a hash: $e = H(x | a)$.

The resulting proof $\pi = (a, z)$ is a signature of knowledge. Security relies on modeling $H$ as a random oracle — in the standard model this is much harder to achieve (see Canetti-Goldreich-Halevi impossibility).

This single trick is what converts the interactive Schnorr protocol into a non-interactive proof (and the Schnorr signature scheme), and is the basis for making all modern SNARK/STARK systems non-interactive.

Non-Interactive Zero Knowledge (NIZK)

Definition

A NIZK proof system has:

Common Reference String (CRS): A trusted public string $\sigma$ generated at setup.
No interaction: Prover outputs $\pi$; verifier checks $\pi$ against $\sigma$.

Formally: $\text{Setup}(1^\lambda) \to \sigma$, $\text{Prove}(\sigma, x, w) \to \pi$, $\text{Verify}(\sigma, x, \pi) \to {0,1}$.

The ZK simulator gets a simulated CRS $\tilde{\sigma}$ with a trapdoor $\tau$, allowing simulation without the witness.

CRS vs. Random Oracle

Setup	Trust Assumption	Standard Model?
CRS	Trusted setup (or MPC ceremony)	Yes
Random Oracle	Heuristic (Fiat-Shamir)	No
Transparent setup	None (STARKs)	Yes (no trapdoor)

SNARKs

Definition

Succinct Non-interactive ARgument of Knowledge (SNARK):

Succinct: Proof size $|\pi| = O(\text{poly}(\lambda))$, independent of witness size; verification in $O(\text{poly}(\lambda) \cdot |x|)$.
Non-interactive: Single message from prover to verifier.
Argument: Soundness holds only against computationally bounded provers (not information-theoretic).
of Knowledge: Extractability — a prover producing a valid proof must “know” a witness (formalized via a knowledge extractor).

$$\Pr\left[\text{Verify}(\sigma, x, \pi) = 1 \wedge (x, w) \notin R ;\Big|; (\pi, x) \leftarrow P^_(\sigma); w \leftarrow \mathcal{E}^{P^*}(\sigma)\right] \leq \text{negl}(\lambda)$$

zk-SNARKs in Practice

The dominant paradigm: arithmetic circuit satisfiability. Given a circuit $C$ over field $\mathbb{F}$, prove $\exists w$ s.t. $C(x, w) = 0$.

Key pipeline:

Computation $\to$ Arithmetic Circuit $\to$ R1CS (Rank-1 Constraint System) $\to$ QAP (Quadratic Arithmetic Program)
QAP encodes R1CS constraints as polynomial identities over $\mathbb{F}$.
KZG Polynomial Commitments or IPA used to prove polynomial identities succinctly.

R1CS and QAP

$$\forall i: \langle \mathbf{a}_i, \mathbf{z} \rangle \cdot \langle \mathbf{b}_i, \mathbf{z} \rangle = \langle \mathbf{c}_i, \mathbf{z} \rangle$$

where $\mathbf{z} = (1, x_1, \ldots, x_n, w_1, \ldots, w_m)$ is the assignment vector.

A QAP over field $\mathbb{F}$ with $n$ constraints:

Encode each $\mathbf{a}_i, \mathbf{b}_i, \mathbf{c}_i$ as evaluations of polynomials $A(X), B(X), C(X)$.
Satisfiability $\iff$ $A(X) \cdot B(X) - C(X) = H(X) \cdot Z(X)$ where $Z(X) = \prod_{i=1}^n (X - r_i)$ is the vanishing polynomial.

The prover commits to $A, B, C, H$ and the verifier checks the identity at a random point (Schwartz-Zippel).

Concrete Example: SNARK Circuit for $x^2 + x + 5 = 11$

To see R1CS and QAP concretely, consider proving knowledge of secret $x$ such that $x^2 + x + 5 = 11$ (the witness is $x = 2$, but the verifier only sees the public output $11$).

Step 1 — Flatten into gates. A SNARK handles one multiplication per gate, so we decompose:

Gate	Operation	Constraint
Gate 1	Multiply	$x \times x = w_1$
Gate 2	Add	$w_1 + x = w_2$
Gate 3	Add	$w_2 + 5 = w_3$

Final assertion: $w_3 = 11$.

$$\mathbf{z} = (1, x, w_1, w_2, w_3) = (1, 2, 4, 6, 11)$$

Step 3 — R1CS encoding. Each gate becomes $(\mathbf{a}_i \cdot \mathbf{z}) \times (\mathbf{b}_i \cdot \mathbf{z}) = (\mathbf{c}_i \cdot \mathbf{z})$:

	$x$	$w_1$
$\mathbf{a}_1$	1	0
$\mathbf{b}_1$	1	0
$\mathbf{c}_1$	0	1

Check: $(0 + 1 \cdot 2 + 0 + 0 + 0) \times (0 + 1 \cdot 2 + 0 + 0 + 0) = 4 = \mathbf{c}_1 \cdot \mathbf{z}$ ✓

Addition is encoded as multiplication by $1$: the constraint $w_1 + x = w_2$ becomes $(w_1 + x) \times 1 = w_2$.

	$1$	$x$	$w_1$	$w_2$
$\mathbf{a}_2$	0	1	1	0
$\mathbf{b}_2$	1	0	0	0
$\mathbf{c}_2$	0	0	0	1

Check: $(0 + 2 + 4 + 0 + 0) \times (1) = 6 = w_2$ ✓

Similarly for Gate 3, the constant $5$ appears via the constant wire: $\mathbf{a}_3 = (5, 0, 0, 1, 0)$.

$$A(\tau) \cdot B(\tau) - C(\tau) = H(\tau) \cdot Z(\tau)$$

where $Z(\tau) = (\tau - \tau_1)(\tau - \tau_2)(\tau - \tau_3)$ is the vanishing polynomial. Divisibility by $Z$ implies all constraints hold simultaneously. The prover commits to the quotient polynomial $H$, and the proof is essentially a commitment that the division works out.

Step 5 — Proof generation and verification. The verifier’s check reduces to a single pairing equation (in Groth16) or polynomial identity check (in PLONK), regardless of circuit size. This is the “succinct” property: the proof is constant-size and verification is $O(1)$.

Groth16

The most efficient known SNARK (constant-size proofs: 3 group elements):

Setup: Structured Reference String (SRS) computed from toxic waste $(\alpha, \beta, \gamma, \delta, \tau)$. If the toxic waste leaks, soundness breaks — motivates Powers of Tau MPC Ceremony.
Proof: $\pi = ([A]_1, [B]_2, [C]_1)$ where $[\cdot]_i$ denotes group element in $\mathbb{G}_i$.
Verification: Two pairing checks: $$e([A]_1, [B]_2) = e([\alpha]_1, [\beta]_2) \cdot e!\left(\frac{\sum_i a_i u_i(\tau)}{\gamma}, [\gamma]_2\right) \cdot e([C]_1, [\delta]_2)$$
Drawback: Circuit-specific SRS — new trusted setup per circuit. See PLONK for universal SRS.

STARKs

Design Principles

Scalable Transparent ARguments of Knowledge:

Transparent: No trusted setup; public randomness only (eliminates toxic waste problem).
Scalable: Prover time $O(n \log n)$, but proof size $O(\log^2 n)$ — larger than SNARKs but no CRS.
Post-quantum: Security based on collision-resistant hash functions, not elliptic curves.

Key building blocks:

FRI Protocol (Fast Reed-Solomon IOP of Proximity): Proves a committed function is close to a low-degree polynomial. See Reed-Solomon Codes.
Algebraic Intermediate Representation (AIR): Constraint system using execution trace + transition constraints.

SNARK vs. STARK Tradeoff

Property	SNARKs (e.g., Groth16)	STARKs
Proof size	Constant (e.g., 288 bytes)	$O(\log^2 n)$ (KBs–MBs)
Verification time	Constant (pairings)	$O(\log^2 n)$
Prover time	$O(n \log n)$	$O(n \log n)$
Trusted setup	Required (per-circuit or universal)	None
Assumptions	Elliptic curve pairings, KoE	Collision-resistant hashes
Post-quantum	No	Yes

Polynomial Commitments

KZG Commitments

Kate-Zaverucha-Goldberg: Commit to polynomial $f(X) \in \mathbb{F}[X]$ of degree $\leq d$.

Setup: $\text{SRS} = ([1]_1, [\tau]_1, [\tau^2]_1, \ldots, [\tau^d]_1, [\tau]_2)$ for secret $\tau$.
Commit: $C = [f(\tau)]_1 = \sum_i a_i [\tau^i]_1$.
Open at point $z$: Prover computes quotient $q(X) = \frac{f(X) - f(z)}{X - z}$, sends $\pi = [q(\tau)]_1$.
Verify: $e(C - [f(z)]_1, [1]_2) \stackrel{?}{=} e(\pi, [\tau - z]_2)$ using bilinear pairing.

Binding: Follows from the $d$-Strong Diffie-Hellman assumption.

Drawback: Requires trusted setup for SRS; pairing-based (not post-quantum).

IPA (Inner Product Arguments)

Alternative commitment without trusted setup; used in Bulletproofs:

Logarithmic proof size via recursive halving.
No pairings; verification is $O(n)$ — slower than KZG but transparent.

Proof of Knowledge & Extractability

Knowledge Extractor

The formal mechanism ensuring “argument of knowledge” is meaningful:

$\forall$ PPT $P^_$ that outputs valid $\pi$ for $x$ with non-negligible probability, $\exists$ PPT extractor $\mathcal{E}$ (with rewinding/oracle access to $P^_$) that outputs witness $w$ s.t. $(x, w) \in R$.

Rewinding: Classical extraction rewinds $P^*$ to the same random coins, sends different challenges — works for interactive proofs but is problematic in UC Security / Concurrent Composition.

Proof of Knowledge vs. Proof of Membership

Type	What is Proven	Extractability
Proof of membership	$x \in L$	No witness extraction
Proof of knowledge	Prover knows $w$ s.t. $(x,w) \in R$	Witness extractable

This distinction is critical in cryptographic protocols (e.g., you want to prove you know a secret key, not just that one exists).

ZKP Protocol Design Space

Five Axes of Differentiation

Every ZK protocol makes tradeoffs along these axes:

Axis	Spectrum
Interactive ↔ Non-interactive	Schnorr/Sigma (3 rounds) vs. SNARKs/STARKs (Fiat-Shamir)
Trusted setup ↔ Transparent	Groth16 (per-circuit) → PLONK (universal) → STARKs (none)
Proof size	Groth16 (~192 B) → PLONK (~700 B) → STARKs (~50–200 KB)
Expressiveness	Special-purpose (Schnorr: discrete log only) → General-purpose (SNARKs: any circuit)
Cryptographic assumptions	Elliptic curves + pairings (not quantum-safe) → Hash functions only (STARKs, plausibly post-quantum)

No free lunch: every system trades off proof size, verification time, prover time, setup trust, and cryptographic assumptions. The “right” system depends on deployment context.

Arithmetisation Schemes

Different protocols use different representations for the computation being proved:

Scheme	Used by	Structure
R1CS	Groth16, Spartan	$\langle \mathbf{a}_i, \mathbf{z} \rangle \cdot \langle \mathbf{b}_i, \mathbf{z} \rangle = \langle \mathbf{c}_i, \mathbf{z} \rangle$ per gate
PLONKish	PLONK, Halo2	Custom gates + copy constraints; more flexible
AIR	STARKs	Execution trace + transition polynomials

The “compilation” step from high-level program to constraints is called arithmetisation — this is where most engineering complexity lives. Languages like Circom, Noir (Aztec), and Leo (Aleo) abstract this step for developers.

Applications

ZKPs in Blockchain & Privacy

Zcash: Uses Groth16 SNARKs to prove validity of shielded transactions without revealing sender, receiver, or amount.
zkEVM: Proves correct execution of EVM bytecode via ZK circuit; enables zkRollups (Layer 2 scaling).
PLONK / Halo2: Universal SNARKs enabling a single trusted setup for all circuits.

ZK Authentication

Replace password transmission with ZK proof of knowledge of password/secret. No password ever leaves client. Combines with Sigma Protocols + Fiat-Shamir.

Recursive SNARKs

$$\pi_{n+1} = \text{Prove}(\text{Verify}(\pi_n, x_n) \wedge f(x_n) = x_{n+1})$$

See Nova, Halo2, Pickles (Mina Protocol). Key challenge: cycle of elliptic curves to avoid field mismatch (e.g., Pasta curves: Pallas + Vesta).

Blockchain Applications (Detailed)

ZK-Rollups (L2 Scaling)

zkRollups, Layer 2 Scaling

ZK-rollups are the dominant blockchain application of ZKPs. They execute transactions off-chain, generate a validity proof (SNARK or STARK), and post the proof + compressed state diff to L1 (typically Ethereum). The L1 contract verifies the proof — if it passes, the entire batch is final.

The key value proposition: batch thousands of transactions into one proof, reducing per-transaction gas cost by ~90%. As of 2025, ZK-based rollups hold >$28B in Total Value Locked.

How it works concretely:

Users submit transactions to L2 sequencer (same UX as Ethereum).
Sequencer executes transactions, computes new state root.
Prover generates a ZK proof that the state transition is valid.
Proof + compressed state diff posted to L1 Ethereum contract.
L1 verifier contract checks the proof → if valid, state is finalized.

Major projects: zkSync Era (SNARK-based, zkEVM), StarkNet (STARK-based, Cairo language), Polygon zkEVM, Scroll, Linea (ConsenSys).

ZK-Rollups vs. Optimistic Rollups

Optimistic Rollups, Arbitrum, Optimism

Optimistic rollups are the alternative L2 scaling approach. They use fraud proofs instead of validity proofs — the fundamental difference is the proof model:

Property	ZK-Rollups	Optimistic Rollups
Proof model	Validity proof (math: prove batch is correct before posting)	Fraud proof (assume valid, challenge within 7-day window)
Finality	Minutes (once proof verified on L1)	~7 days (challenge window must close)
Withdrawal to L1	Fast (proof settles immediately)	7-day delay (or use liquidity bridges at a fee)
Security assumption	Cryptographic (math)	Game-theoretic (at least 1 honest watcher must exist)
EVM compatibility	Improving (zkEVMs are maturing)	Near-native (deploy existing Solidity with zero changes)
Data posted to L1	Proof + compressed state diff	Full transaction data (calldata/blobs)
Prover cost	High (proof generation needs specialized hardware)	Low (just re-execute and post)
TVL (2025)	~$28B across ZK L2s	Higher overall (Arbitrum, Optimism, Base)

Optimistic rollup fraud proof mechanism: A sequencer posts batches to L1 asserting validity. Anyone can re-execute the batch and, if they find a discrepancy, submit a fraud proof. Two designs exist: single-round (Optimism — re-execute entire batch on L1) and interactive bisection (Arbitrum — narrow dispute to a single instruction via a binary search game, much more gas-efficient). If fraud is confirmed, the sequencer is slashed (loses staked collateral) and the batch is reverted.

The fraud proof mechanism on Arbitrum and Optimism has never been successfully exploited in production, but the security model is weaker than ZK: it relies on incentive-compatible game theory rather than mathematical proof. A successful DoS attack on challengers during the dispute window could, in theory, allow invalid state to be finalized.

Vitalik Buterin’s view: ZK-rollups are likely to outperform long-term once zkEVM technology matures, but optimistic rollups dominate today due to easier developer migration and EVM compatibility.

Private Transactions

Zcash, Aztec Network, Tornado Cash

The original blockchain ZKP use case: prove a transaction is valid without revealing sender, receiver, or amount.

Zcash: Each shielded transaction includes a Groth16 zk-SNARK proving that inputs equal outputs (conservation of value), the sender owns the input notes (knowledge of spending key), and no double-spend occurred (nullifier not in the spent set) — all without exposing any on-chain details.

Aztec Network: Extends private transactions to full private smart contracts on Ethereum. Uses a dual-layer architecture: one layer encrypts transactions for privacy, a second layer compresses them for scalability (PLONK-based). Aztec developed Noir, a domain-specific language for writing ZK circuits, significantly lowering the barrier for developers.

Tradeoffs: proof generation is slow on consumer devices (seconds for Zcash, improving); regulatory friction in some jurisdictions; anonymity set size limits effective privacy (small anonymity sets leak information via traffic analysis).

Decentralized Identity and ZK-KYC

Verifiable Credentials, Polygon ID, Humanity Protocol, World ID

ZK-based identity enables proving attributes (age, citizenship, accreditation, KYC status) without revealing raw PII:

Prove you’re over 18 without revealing your birthdate.
Prove you’re KYC-verified without sharing identity documents.
Prove you’re a unique human (Sybil resistance) without biometric exposure.

The credential model: a trusted issuer signs an attribute; the user holds the credential; a verifier checks a ZK proof derived from the credential. The proof reveals only the predicate (e.g., “age ≥ 18”), not the underlying data.

Major projects: Humanity Protocol (palm biometrics → ZK proofs for proof-of-personhood), World ID / Worldcoin (iris scan → ZK proof of uniqueness), Polygon ID (verifiable credentials on Polygon), Privado ID (Deutsche Bank PoC).

This is GDPR-aligned by design: the data never leaves the user’s device. The ZK-KYC market is projected to grow at ~40% CAGR.

Proof of Reserves

Proof of Solvency, Merkle Trees

Post-FTX, proof of reserves became critical infrastructure. A ZK proof can show that an exchange’s total assets $\geq$ total liabilities (sum of all customer balances) without revealing any individual customer’s position.

The construction typically uses a Merkle sum tree of customer balances, where the exchange proves:

Each leaf (customer balance) is non-negative.
The root sum equals the claimed total liability.
The exchange controls on-chain addresses with assets $\geq$ the root sum.

All via ZK proofs — no individual balance is ever revealed. OKX publishes monthly ZK-based PoR attestations.

Limitation: Proves assets $\geq$ known liabilities at a snapshot in time. Cannot prove absence of hidden off-balance-sheet liabilities without additional auditing.

Verifiable Computation and zkVMs

RISC Zero, SP1, zkVM

A zkVM (zero-knowledge virtual machine) generalises the SNARK circuit approach: instead of compiling each program into a bespoke circuit, you prove correct execution of a general-purpose instruction set (e.g., RISC-V).

Write normal code (Rust, C) → execute off-chain → produce ZK proof that execution was correct → any on-chain verifier checks the proof without re-executing.

This is the “any program is provable” endpoint of ZKP technology. The SNARK circuit example above ($x^2 + x + 5 = 11$) required manually flattening into gates; a zkVM does this automatically for arbitrary programs.

Major projects: RISC Zero (RISC-V + STARKs), SP1 (Succinct), Valida.

Tradeoffs: proof generation is 100–1000× slower than native execution; memory-intensive programs are hard to prove (the circuit size for the VM itself is large); tooling is improving rapidly.

ZK Bridges and Light Clients

Cross-Chain Bridges, ZeroSync

Traditional cross-chain bridges rely on multisig committees — if the committee is compromised, funds are stolen (e.g., Ronin bridge: $625M, Wormhole: $320M). ZK bridges replace the multisig with a cryptographic proof: a SNARK proves that $N$ validators signed the source chain’s block header, allowing the destination chain to verify trustlessly.

ZK light clients: Instead of downloading and validating every block header, a light client verifies a single ZK proof that the entire chain history (or a segment) is valid. ZeroSync is building this for Bitcoin — proving the Bitcoin state transition function via STARKs.

Tradeoffs: proving consensus (e.g., BLS signature verification) inside a ZK circuit is computationally expensive; latency from proof generation; still largely in research/prototype stage.

ZK + Machine Learning (Emerging)

Verifiable AI, EZKL, Modulus Labs

An emerging frontier: using ZK proofs to verify ML model inference or training correctness without revealing the model weights or training data. This enables verifiable AI — critical if AI agents are making financial decisions on-chain.

The construction: encode a neural network’s forward pass as an arithmetic circuit, prove that given input $x$, the model produces output $y$. The proof attests to correct execution of the specific model without revealing its parameters.

Research projects: EZKL (proves ML inference), Modulus Labs, zkFDL (federated learning).

Tradeoffs: proving even a small neural network is extremely expensive — the circuit size for a single inference of a modest model can be enormous. This is the primary bottleneck. Current approaches use quantisation and circuit-friendly architectures to reduce overhead, but it remains very early stage.

Connection to multi-agent AI safety: if AI agents operate autonomously on-chain (e.g., managing DeFi positions, participating in governance), ZK proofs could serve as the verification layer ensuring agents are running the claimed model faithfully. This creates a mechanism design problem: how to structure verification incentives so that agent behavior is auditable without revealing proprietary model details. See Mechanism Design, Multi-Agent Systems.

Critical Pitfalls & Warnings

Trusted Setup Failures

If the toxic waste $\tau$ from a SNARK CRS ceremony is not destroyed, an adversary can forge arbitrary proofs.

Mitigations:

MPC ceremonies (Powers of Tau): $n$-of-$n$ threshold — safe if $\geq 1$ participant is honest.
Universal setups (PLONK): Reuse same SRS across circuits.
Transparent setups (STARKs): Eliminate the problem entirely.

Soundness vs. Knowledge Soundness

Soundness: No PPT prover can convince verifier of false statement.
Knowledge soundness: Stronger — any convincing prover must know a witness.
Many protocols achieve soundness but NOT knowledge soundness. For authentication and credential systems, you need the latter.

Non-Black-Box vs. Black-Box Simulation

Standard ZK definitions use black-box simulation (simulator can rewind $V^*$). Non-black-box simulation (Barak 2001) achieves round-efficient ZK for NP but at high computational cost. Practical systems almost always use black-box.

Completeness–Soundness–ZK: The Tension

You cannot simultaneously achieve perfect completeness, perfect soundness, and perfect ZK (unless $\text{BPP} = \text{IP}$).

Perfect ZK + negligible soundness error: feasible.
Statistical ZK (SZK) is a rich class but collapses to AM ∩ coAM under plausible assumptions.

Summary: The ZKP Design Space

                  Transparency
                  (No trusted setup)
                        |
            STARKs ---- +
           (large π)    |
                        |
   Bulletproofs --------+-------- SNARKs (Groth16, PLONK)
   (no pairing,         |         (small π, fast verify,
    slow verify)        |          trusted setup)
                        |
                  Post-quantum
                  security

Key takeaway: No free lunch — every ZK system trades off proof size, verification time, prover time, setup trust, and cryptographic assumptions. The “right” system depends on the deployment context (on-chain verification cost vs. prover infrastructure vs. quantum threat model).

See Interactive Proof Systems, Complexity Theory (IP=PSPACE)), Elliptic Curve Cryptography, Merkle Trees, Reed-Solomon Codes, MPC Ceremonies, Layer 2 Scaling, Optimistic Rollups, zkRollups, Verifiable Credentials, Cross-Chain Bridges.