Nelson Petracek, TIBCO December 16, 2017 2:41 PM
Zero-knowledge (ZK) proofs are generating excitement in financial circles lately due to their potential for increasing privacy and security for blockchain participants. The concept itself is not new, as cryptographers have been working with zero-knowledge/interactive proofs for years. But the protocols are now being incorporated into “establishment” blockchain platforms as financial companies look at new ways to use blockchain technology and address its current shortcomings.
Most recently, a couple of financial services stalwarts have embraced ZK proofs with great fanfare:
• Last month, multinational banking and financial services corporation ING unveiled its own zero-knowledge range proof (ZKRP), asserting that it is 10X more efficient than other options on the Ethereum network.
So what is a zero-knowledge proof?
A zero-knowledge proof or protocol allows a “prover” to assure a “verifier” that they have knowledge of a secret or statement without revealing the secret itself.
An oft-cited example of how a ZK proof works references the “Where’s Waldo?” game and cryptography’s favorite fictional characters, Alice and Bob. If Alice has found Waldo on a particular page, how can she prove this to Bob without revealing Waldo’s location? How does she convince Bob she’s not lying without actually showing him where Waldo is? A low-tech solution involves a large piece of cardboard with a small rectangle cut out of it. Out of Bob’s sight, Alice positions the page behind the cardboard so that only Waldo’s picture is showing through the rectangle, then calls Bob over to show him. As the cardboard is much larger than the book, Bob has no idea where on the page Waldo is located — no other images on the page are exposed — but he can see that Alice has, indeed, discovered him. She can further validate her claim by covering the rectangle with one hand and carefully sliding the book out from beneath the cardboard with the other to reveal the entire page and prove to Bob that the Waldo seen in the rectangle was indeed located on the page under consideration.
Similar “interactive” proof mechanisms can be embedded programmatically in digital systems. To qualify as zero-knowledge, these protocols must satisfy three requirements:
1 Completeness: If the statement is true, an honest verifier will be convinced by an honest prover.
2 Soundness: If the statement is false, no cheating prover can convince an honest verifier that it is true.
3 Zero-knowledge: If the statement is true, no cheating verifier learns anything other than the fact that the statement is true.
Zero-knowledge proofs are probabilistic, since there is always some slight chance a crafty cheater will find a way to fool an honest verifier, but the concept does provide a pretty solid verification mechanism for an assertion while shielding all ancillary information related to that assertion. ZK proofs let you validate the truth of something without revealing how you know that truth.
ZK proofs in blockchain
So what value do ZK protocols bring to blockchain platforms? As first exemplified in Bitcoin, a blockchain system is not completely anonymous and was actually built with transparency in mind. Bitcoin transaction data is viewable by all network participants, and information such as the sender, recipient, amount, etc. is open (or at least the addresses are open, which provides traceability). Similarly, in Ethereum’s original blockchain model, all details about a smart contract are public on the Ethereum network, and all transactions and code are visible.
This lack of complete data privacy and confidentiality causes issues in use cases related to verticals such as finance or those that involve the transfer of tokenized assets. Regulatory requirements may also stipulate that confidential information not be “exposed” on a network. In Ethereum’s case, these issues are being addressed in its Byzantium upgrade via the zero-knowledge protocol in zkSnarks, as explained by Ethereum’s Christian Reitwiessner:
“SNARKs are short for succinct non-interactive arguments of knowledge …The individual parts of the acronym have the following meaning:
• Succinct: The sizes of the messages are tiny in comparison to the length of the actual computation.
• Non-interactive: There is no or only little interaction. For zkSNARKs, there is usually a setup phase and after that a single message from the prover to the verifier. Furthermore, SNARKs often have the so-called “public verifier” property, meaning anyone can verify without interacting anew, which is important for blockchains.
• ARguments: The verifier is only protected against computationally limited provers. Provers with enough computational power can create proofs/arguments about wrong statements (note that with enough computational power, any public-key encryption can be broken). This is also called “computational soundness” as opposed to “perfect soundness.”
• of Knowledge: It is not possible for the prover to construct a proof/argument without knowing a certain so-called witness (for example the address she wants to spend from, the preimage of a hash function, or the path to a certain Merkle-tree node).
If you add the zero-knowledge prefix, you also require the property (roughly speaking) that during the interaction, the verifier learns nothing apart from the validity of the statement.”
Ethereum wasn’t the first to embrace ZK proofs. Other cryptocurrency platforms and blockchain-based systems incorporate zero-knowledge proofs into their solutions to allow for transactions to be verified while protecting user/transaction privacy. The identity and amount being spent can remain hidden, and problems such as “front-running” can be avoided. ZK protocols provide the ability to transfer assets across a distributed, peer-to-peer blockchain network with secrecy.
Zero-knowledge proof capability is not, however, without its challenges. One reason ING’s ZKRP is so interesting is that it purports to improve efficiency. Performance and the level of compute power required to support trust setup can be an issue (in fact, speed and scaling continue to be blockchain limitations, as was evident when the recent CryptoKitties craze caused serious congestion and backlogs on Ethereum’s network). Further, chain participants still have to be confident that the cryptography (and underlying code) is strong enough to prevent malicious attacks, and recent cryptocurrency platform attacks merit concern.
However, as a way of enforcing “honest” behavior and ensuring that a transaction is “valid” (without revealing the actual purpose of the transaction or other sensitive details), zero-knowledge proofs show great promise.
Beyond cryptocurrency uses, zero-knowledge proofs in blockchain may have even more impact. In essence, they provide a mechanism for legitimate exchange while safeguarding privacy, and that is a powerful proposition.
Nelson Petracek is CTO of the Strategic Enablement Group at TIBCO.