# Zero-knowledge proof – Wikipedia

In cryptography, a **zero-knowledge proof** or **zero-knowledge protocol** is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true. The essence of zero-knowledge proofs is that it is trivial to prove that one possesses knowledge of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information. [1] If proving a statement requires that the prover possess some secret information, then the verifier will not be able to prove the statement to anyone else without possessing the secret information. The statement being proved must include the assertion that the prover has such knowledge, but without including or transmitting the knowledge itself in the assertion. Otherwise, the statement would not be proved in zero-knowledge, because it would provide the verifier with additional information about the statement by the end of the protocol. A *zero-knowledge proof of knowledge* is a special case in which the statement consists *only* of the fact that the prover possesses the secret information.


Interactive zero-knowledge proofs require interaction between the individual (or computer system) proving their knowledge and the individual validating the proof. [1] A protocol implementing zero-knowledge proofs of knowledge must necessarily require interactive input from the verifier. This interactive input is usually in the form of one or more challenges such that the responses from the prover will convince the verifier if and only if the statement is true, i.e., if the prover *does* possess the claimed knowledge. If this were not the case, the verifier could record the execution of the protocol and replay it to convince someone else that they possess the secret information. The new party's acceptance is either justified, since the replayer *does* possess the information (which implies that the protocol leaked information, and thus is not proved in zero-knowledge), or the acceptance is spurious, i.e., was accepted from someone who does not actually possess the information. Some forms of non-interactive zero-knowledge proofs exist, [2] [3] but the validity of the proof relies on computational assumptions (typically the assumption of an ideal cryptographic hash function).

## Abstract examples

### The Ali Baba cave

(Figure: Peggy randomly takes either path A or B while Victor waits outside; Victor chooses an exit path; Peggy reliably appears at the exit Victor names.)

There is a well-known story presenting the fundamental ideas of zero-knowledge proofs, first published by Jean-Jacques Quisquater and others in their paper "How to Explain Zero-Knowledge Protocols to Your Children". [4] It is common practice to label the two parties in a zero-knowledge proof as Peggy (the **prover** of the statement) and Victor (the **verifier** of the statement). In this story, Peggy has uncovered the secret word used to open a magic door in a cave. The cave is shaped like a ring, with the entrance on one side and the magic door blocking the opposite side. Victor wants to know whether Peggy knows the secret word; but Peggy, being a very private person, does not want to reveal her knowledge (the secret word) to Victor or to reveal the fact of her knowledge to the world in general. They label the left and right paths from the entrance A and B. First, Victor waits outside the cave as Peggy goes in. Peggy takes either path A or B; Victor is not allowed to see which path she takes. Then, Victor enters the cave and shouts the name of the path he wants her to use to return, either A or B, chosen at random. Provided she really does know the magic word, this is easy: she opens the door, if necessary, and returns along the desired path. However, suppose she did not know the word. Then, she would only be able to return by the named path if Victor were to give the name of the same path by which she had entered. Since Victor would choose A or B at random, she would have a 50% chance of guessing correctly. If they were to repeat this trick many times, say 20 times in a row, her probability of successfully anticipating all of Victor's requests would become vanishingly small (1 in $2^{20}$, or very roughly 1 in a million).
Thus, if Peggy repeatedly appears at the exit Victor names, he can conclude that it is extremely probable that Peggy does, in fact, know the secret word. One side note with respect to third-party observers: even if Victor is wearing a hidden camera that records the whole transaction, the only thing the camera will record is in one case Victor shouting "A!" and Peggy appearing at A, or in the other case Victor shouting "B!" and Peggy appearing at B. A recording of this type would be trivial for any two people to fake (requiring only that Peggy and Victor agree beforehand on the sequence of A's and B's that Victor will shout). Such a recording will certainly never be convincing to anyone but the original participants. In fact, even a person who was present as an observer *at the original experiment* would be unconvinced, since Victor and Peggy might have orchestrated the whole "experiment" from start to finish. Further note that if Victor chooses his A's and B's by flipping a coin on camera, this protocol loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any person watching the recording later. Thus, although this does not reveal the secret word to Victor, it does make it possible for Victor to convince the world in general that Peggy has that knowledge, counter to Peggy's stated wishes. However, digital cryptography generally "flips coins" by relying on a pseudo-random number generator, which is akin to a coin with a fixed pattern of heads and tails known only to the coin's owner. If Victor's coin behaved this way, then again it would be possible for Victor and Peggy to have faked the "experiment", so using a pseudo-random number generator would not reveal Peggy's knowledge to the world in the way that using a flipped coin would. Notice that Peggy could prove to Victor that she knows the magic word, without revealing it to him, in a single trial.
If both Victor and Peggy go together to the mouth of the cave, Victor can watch Peggy go in through A and come out through B. This would prove with certainty that Peggy knows the magic word, without revealing the magic word to Victor. However, such a proof could be observed by a third party, or recorded by Victor, and such a proof would be convincing to anybody. In other words, Peggy could not refute such a proof by claiming she colluded with Victor, and she is therefore no longer in control of who is aware of her knowledge.

### Two balls and the colour-blind friend

Imagine your friend is red-green colour-blind (while you are not) and you have two balls: one red and one green, but otherwise identical. To your friend they seem completely identical and he is skeptical that they are actually distinguishable. You want to *prove to him that they are in fact differently coloured*, but nothing else; in particular, you do not want to reveal which one is the red and which is the green ball. Here is the proof system. You give the two balls to your friend and he puts them behind his back. Next, he takes one of the balls and brings it out from behind his back and displays it. He then places it behind his back again and then chooses to reveal just one of the two balls, picking one of the two at random with equal probability. He will ask you, "Did I switch the ball?" This whole procedure is then repeated as often as necessary. By looking at their colours, you can, of course, say with certainty whether or not he switched them. On the other hand, if they were the same colour and hence indistinguishable, there is no way you could guess correctly with probability higher than 50%. Since the probability that you would have randomly succeeded at identifying each switch/non-switch is 50%, the probability of having randomly succeeded at **all** switch/non-switches approaches zero ("soundness"). If you and your friend repeat this "proof" multiple times (e.g. 20 times), your friend should become convinced ("completeness") that the balls are indeed differently coloured. The above proof is *zero-knowledge* because your friend never learns which ball is green and which is red; indeed, he gains no knowledge about how to distinguish the balls. [5]

## Definition

A zero-knowledge proof of some statement must satisfy three properties :

- **Completeness**: if the statement is true, an honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
- **Soundness**: if the statement is false, no cheating prover can convince an honest verifier that it is true, except with some small probability.
- **Zero-knowledge**: if the statement is true, no verifier learns anything other than the fact that the statement is true. In other words, just knowing the statement (not the secret) is sufficient to imagine a scenario showing that the prover knows the secret. This is formalized by showing that every verifier has some *simulator* that, given only the statement to be proved (and no access to the prover), can produce a transcript that "looks like" an interaction between an honest prover and the verifier in question.

The first two of these are properties of more general interactive proof systems. The third is what makes the proof zero-knowledge. Zero-knowledge proofs are not proofs in the mathematical sense of the term because there is some small probability, the *soundness error*, that a cheating prover will be able to convince the verifier of a false statement. In other words, zero-knowledge proofs are probabilistic "proofs" rather than deterministic proofs. However, there are techniques to decrease the soundness error to negligibly small values; for example, repeating a protocol with soundness error $1/2$ for $n$ independent rounds brings the error down to $2^{-n}$.

A formal definition of zero-knowledge has to use some computational model, the most common one being that of a Turing machine. Let $P$, $V$, and $S$ be Turing machines. An interactive proof system $(P, V)$ for a language $L$ is zero-knowledge if for any probabilistic polynomial time (PPT) verifier $\hat{V}$ there exists a PPT simulator $S$ such that

$$\forall x \in L,\ z \in \{0,1\}^{*}:\quad \operatorname{View}_{\hat{V}}\left[P(x) \leftrightarrow \hat{V}(x, z)\right] = S(x, z)$$

where $\operatorname{View}_{\hat{V}}\left[P(x) \leftrightarrow \hat{V}(x, z)\right]$ is a record of the interactions between $P(x)$ and $\hat{V}(x, z)$. The prover $P$ is modeled as having unlimited computation power (in practice, $P$ usually is a probabilistic Turing machine). Intuitively, the definition states that an interactive proof system $(P, V)$ is zero-knowledge if for any verifier $\hat{V}$ there exists an efficient simulator $S$ (depending on $\hat{V}$) that can reproduce the conversation between $P$ and $\hat{V}$ on any given input. The auxiliary string $z$ in the definition plays the role of "prior knowledge" (including the random coins of $\hat{V}$). The definition implies that $\hat{V}$ cannot use any prior knowledge string $z$ to mine information out of its conversation with $P$, because if $S$ is also given this prior knowledge then it can reproduce the conversation between $\hat{V}$ and $P$ just as before. The definition given is that of perfect zero-knowledge. Computational zero-knowledge is obtained by requiring that the views of the verifier $\hat{V}$ and the simulator are only computationally indistinguishable, given the auxiliary string.

## Practical examples

### Discrete log of a given value

We can apply these ideas to a more realistic cryptography application. Peggy wants to prove to Victor that she knows the discrete log of a given value in a given group. [6] For example, given a value $y$, a large prime $p$ and a generator $g$, she wants to prove that she knows a value $x$ such that $g^{x} \bmod p = y$, without revealing $x$. Indeed, knowledge of $x$ could be used as a proof of identity, in that Peggy could have such knowledge because she chose a random value $x$ that she didn't reveal to anyone, computed $y = g^{x} \bmod p$ and distributed the value of $y$ to all potential verifiers, such that at a later time, proving knowledge of $x$ is equivalent to proving identity as Peggy.

The protocol proceeds as follows: in each round, Peggy generates a random number $r$, computes $C = g^{r} \bmod p$ and discloses this to Victor. After receiving $C$, Victor randomly issues one of the following two requests: he either requests that Peggy disclose the value of $r$, or the value of $(x + r) \bmod (p-1)$. With either answer, Peggy is only disclosing a random value, so no information is disclosed by a correct execution of one round of the protocol. Victor can verify either answer; if he requested $r$, he can then compute $g^{r} \bmod p$ and verify that it matches $C$. If he requested $(x + r) \bmod (p-1)$, he can verify that $C$ is consistent with this, by computing $g^{(x + r) \bmod (p-1)} \bmod p$ and verifying that it matches $C \cdot y \bmod p$. If Peggy indeed knows the value of $x$, she can respond to either one of Victor's possible challenges.

If Peggy knew or could guess which challenge Victor is going to issue, then she could easily cheat and convince Victor that she knows $x$ when she does not. If she knows that Victor is going to request $r$, then she proceeds normally: she picks $r$, computes $C = g^{r} \bmod p$ and discloses $C$ to Victor; she will be able to respond to Victor's challenge. On the other hand, if she knows that Victor will request $(x + r) \bmod (p-1)$, then she picks a random value $r'$, computes $C' = g^{r'} \cdot \left(g^{x}\right)^{-1} \bmod p$, and discloses $C'$ to Victor as the value of $C$ that he is expecting. When Victor challenges her to reveal $(x + r) \bmod (p-1)$, she reveals $r'$, for which Victor will verify consistency, since he will in turn compute $g^{r'} \bmod p$, which matches $C' \cdot y \bmod p$, since Peggy multiplied by the modular multiplicative inverse of $y$.

However, if in either one of the above scenarios Victor issues a challenge other than the one she was expecting and for which she manufactured the result, then she will be unable to respond to the challenge under the assumption of infeasibility of solving the discrete log for this group. If she picked $r$ and disclosed $C = g^{r} \bmod p$, then she will be unable to produce a valid $(x + r) \bmod (p-1)$ that would pass Victor's verification, given that she does not know $x$. And if she picked a value $r'$ that poses as $(x + r) \bmod (p-1)$, then she would have to respond with the discrete log of the value that she disclosed; but Peggy does not know this discrete log, since the value $C'$ she disclosed was obtained through arithmetic with known values, and not by computing a power with a known exponent. Therefore, a cheating prover has a 0.5 probability of successfully cheating in one round. By executing a large enough number of rounds, the probability of a cheating prover succeeding can be made arbitrarily low.

#### Short summary

Peggy proves that she knows the value of $x$ (for example her password).

- Peggy and Victor agree on a prime $p$ and a generator $g$ of the multiplicative group of the field $\mathbb{Z}_p$.
- Peggy calculates the value $y = g^{x} \bmod p$ and transfers the value to Victor.
- The following two steps are repeated a (large) number of times.
  - Peggy repeatedly picks a random value $r \in U[0, p-2]$ and calculates $C = g^{r} \bmod p$. She transfers the value $C$ to Victor.
  - Victor asks Peggy to calculate and transfer either the value $(x + r) \bmod (p-1)$ or the value $r$. In the first case Victor verifies $(C \cdot y) \bmod p \equiv g^{(x + r) \bmod (p-1)} \bmod p$. In the second case he verifies $C \equiv g^{r} \bmod p$.

The value $(x + r) \bmod (p-1)$ can be seen as the encrypted value of $x \bmod (p-1)$. If $r$ is truly random, equally distributed between zero and $(p-2)$, this does not leak any information about $x$ (see one-time pad).
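The protocol summarized above, written out as a working Python example. This is added here and is not code from the article or from reference [6]. It uses a constructed toy group, $p = 23$ with generator $g = 5$ (a real deployment would use a prime of at least 2048 bits or an elliptic-curve group), chosen small enough that every possible transcript can be enumerated. It shows the honest prover, Victor's per-round check, the cheating strategy from the text (which works only when the challenge is guessed in advance), and, for the simulator of the Definition section, that the set of $(C, z)$ transcripts the simulator can produce without $x$ is exactly the set an honest prover produces, which is what perfect zero-knowledge means for this protocol.

```python
import secrets

# Constructed toy parameters (assumption): p = 23 is prime and g = 5 generates
# the multiplicative group Z_23^*. Real deployments use a prime of >= 2048 bits
# or an elliptic-curve group; 23 is used only so that the transcript sets
# below can be enumerated exhaustively.
P = 23
G = 5


def keygen(p=P, g=G):
    """Peggy picks a secret x in [0, p-2] and publishes y = g^x mod p."""
    x = secrets.randbelow(p - 1)
    return x, pow(g, x, p)


class HonestProver:
    """Knows x. Each round: commit C = g^r mod p, then answer the 1-bit challenge."""

    def __init__(self, x, p=P, g=G):
        self.x, self.p, self.g = x, p, g

    def commit(self):
        self.r = secrets.randbelow(self.p - 1)     # fresh r every round
        return pow(self.g, self.r, self.p)

    def respond(self, b):
        if b == 0:
            return self.r                          # reveal r
        return (self.x + self.r) % (self.p - 1)    # reveal (x + r) mod (p-1)


def verify_round(y, C, b, z, p=P, g=G):
    """Victor's check: g^z == C (b = 0) or g^z == C * y mod p (b = 1)."""
    if b == 0:
        return pow(g, z, p) == C
    return pow(g, z, p) == (C * y) % p


def simulate_round(y, b, p=P, g=G):
    """Simulator S: produce a valid (C, b, z) for a chosen challenge b without
    knowing x, by picking the answer z first and solving for C. For b = 1 this
    is C' = g^r' * y^-1 mod p, exactly the cheating strategy in the text."""
    z = secrets.randbelow(p - 1)
    if b == 0:
        C = pow(g, z, p)
    else:
        C = (pow(g, z, p) * pow(y, -1, p)) % p    # pow(y, -1, p): inverse, Python 3.8+
    return C, b, z


class CheatingProver:
    """Knows y but not x. Guesses the challenge in advance and prepares a
    simulated round; it passes only if the guess matches Victor's challenge."""

    def __init__(self, y, guess, p=P, g=G):
        self.y, self.guess, self.p, self.g = y, guess, p, g

    def commit(self):
        C, _, self.z = simulate_round(self.y, self.guess, self.p, self.g)
        return C

    def respond(self, b):
        return self.z        # the only answer it has, whatever b turns out to be


def run_protocol(prover, y, challenges):
    """One round per challenge bit; True only if every round verifies."""
    for b in challenges:
        C = prover.commit()
        z = prover.respond(b)
        if not verify_round(y, C, b, z):
            return False
    return True


def real_transcripts(x, b, p=P, g=G):
    """All (C, z) pairs an honest prover can produce for challenge b (one per r)."""
    out = set()
    for r in range(p - 1):
        z = r if b == 0 else (x + r) % (p - 1)
        out.add((pow(g, r, p), z))
    return out


def simulated_transcripts(y, b, p=P, g=G):
    """All (C, z) pairs the simulator can produce for challenge b (one per z)."""
    out = set()
    for z in range(p - 1):
        C = pow(g, z, p) if b == 0 else (pow(g, z, p) * pow(y, -1, p)) % p
        out.add((C, z))
    return out


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover, 20 random rounds:",
          run_protocol(HonestProver(x), y, [secrets.randbelow(2) for _ in range(20)]))
    print("cheater guessing 1, challenged with 0:",
          run_protocol(CheatingProver(y, 1), y, [0]))
    print("real == simulated transcript set (b=1):",
          real_transcripts(x, 1) == simulated_transcripts(y, 1))
```

Two things to notice when running it: the cheating prover is literally the simulator with a guessed challenge, so the same code that breaks soundness when the challenge is predictable is what establishes zero-knowledge when it is not; and `real_transcripts` equals `simulated_transcripts` for both challenge bits, which is the perfect zero-knowledge property of the Definition section made concrete for this protocol.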

### Hamiltonian cycle for a large graph

The following scheme is due to Manuel Blum. [7]


In this scenario, Peggy knows a Hamiltonian cycle for a large graph G. Victor knows G but not the cycle (e.g., Peggy has generated G and revealed it to him). Finding a Hamiltonian cycle given a large graph is believed to be computationally infeasible, since its corresponding decision version is known to be NP-complete. Peggy will prove that she knows the cycle without simply revealing it (perhaps Victor is interested in buying it but wants verification first, or perhaps Peggy is the only one who knows this information and is proving her identity to Victor). To show that Peggy knows this Hamiltonian cycle, she and Victor play several rounds of a game.

- At the beginning of each round, Peggy creates H, a graph which is isomorphic to G (i.e. H is just like G except that all the vertices have different names). Since it is trivial to translate a Hamiltonian cycle between isomorphic graphs with a known isomorphism, if Peggy knows a Hamiltonian cycle for G she also must know one for H.
- Peggy commits to H. She could do so by using a cryptographic commitment scheme. Alternatively, she could number the vertices of H. Next, for each edge of H, on a small piece of paper, she writes down the two vertices that the edge joins. Then she puts all these pieces of paper face down on a table. The purpose of this commitment is that Peggy is not able to change H while, at the same time, Victor has no information about H.
- Victor then randomly chooses one of two questions to ask Peggy. He can either ask her to show the isomorphism between H and G (see graph isomorphism problem), or he can ask her to show a Hamiltonian cycle in H.
- If Peggy is asked to show that the two graphs are isomorphic, she first uncovers all of H (e.g. by turning over all the pieces of paper that she put on the table) and then provides the vertex translations that map G to H. Victor can verify that they are indeed isomorphic.
- If Peggy is asked to prove that she knows a Hamiltonian cycle in H, she translates her Hamiltonian cycle in G onto H and only uncovers the edges on the Hamiltonian cycle. This is enough for Victor to check that H does indeed contain a Hamiltonian cycle.

It is important that the commitment to the graph be such that Victor can verify, in the second case, that the cycle is really made of edges from H. This can be done by, for example, committing to every edge (or lack thereof) individually.

#### Completeness

If Peggy does know a Hamiltonian cycle in G, she can easily satisfy Victor's demand for either the graph isomorphism producing H from G (which she had committed to in the first step) or a Hamiltonian cycle in H (which she can construct by applying the isomorphism to the cycle in G).

#### Zero-knowledge

Peggy's answers do not reveal the original Hamiltonian cycle in G. Each round, Victor will learn only H's isomorphism to G or a Hamiltonian cycle in H. He would need both answers for a single H to discover the cycle in G, so the information remains unknown as long as Peggy can generate a distinct H every round. If Peggy does not know of a Hamiltonian cycle in G, but somehow knew in advance what Victor would ask to see each round, then she could cheat. For example, if Peggy knew ahead of time that Victor would ask to see the Hamiltonian cycle in H, then she could generate a Hamiltonian cycle for an unrelated graph. Similarly, if Peggy knew in advance that Victor would ask to see the isomorphism, then she could simply generate an isomorphic graph H (in which she also does not know a Hamiltonian cycle). Victor could simulate the protocol by himself (without Peggy) because he knows what he will ask to see. Therefore, Victor gains no information about the Hamiltonian cycle in G from the information revealed in each round.

#### Soundness

If Peggy does not know the information, she can guess which question Victor will ask and generate either a graph isomorphic to G or a Hamiltonian cycle for an unrelated graph, but since she does not know a Hamiltonian cycle for G she cannot do both. With this guess, her chance of fooling Victor is $2^{-n}$, where $n$ is the number of rounds. For all realistic purposes, it is infeasibly difficult to defeat a zero-knowledge proof with a reasonable number of rounds in this way.
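Blum's protocol as described in the five steps above, together with the completeness and soundness arguments, as an added Python example (not code from the article or from reference [7]). The "pieces of paper face down on a table" are replaced by a SHA-256 commitment to every entry of H's adjacency matrix, edge or non-edge, which is the per-edge commitment the text says Victor needs in order to check that an opened cycle really consists of edges of H. The graph `G_EDGES` and its cycle `G_CYCLE` are a constructed five-vertex instance, far too small to be hard, used only to exercise the mechanics. `CheatingProver` implements the "unrelated graph that is just a cycle" strategy from the soundness section, so it passes challenge 1 every time and challenge 0 never.

```python
import hashlib
import secrets

# Constructed sample instance (assumption): 5 vertices, the Hamiltonian cycle
# 0-1-2-3-4-0 plus two chords. Edges are stored as (u, v) with u < v.
N = 5
G_EDGES = {(0, 1), (1, 2), (2, 3), (3, 4), (0, 4), (0, 2), (1, 3)}
G_CYCLE = [0, 1, 2, 3, 4]                  # Peggy's secret witness

def pair(u, v):
    """Unordered edge key."""
    return (u, v) if u < v else (v, u)

def commit(i, j, bit, nonce):
    """Commitment to one adjacency entry of H: hiding (random nonce) and binding
    (collision resistance). This plays the role of the face-down piece of paper."""
    return hashlib.sha256(f"{i},{j},{bit},".encode() + nonce).digest()

def is_hamiltonian_cycle(n, edges):
    """True iff `edges` (unordered pairs) form one cycle through all n vertices."""
    if len(edges) != n or any(u == v for u, v in edges):
        return False
    adj = {v: [] for v in range(n)}
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    if any(len(adj[v]) != 2 for v in range(n)):
        return False
    prev, cur, seen = None, 0, set()
    for _ in range(n):                     # walk the cycle starting at vertex 0
        seen.add(cur)
        a, b = adj[cur]
        prev, cur = cur, (b if a == prev else a)
    return cur == 0 and len(seen) == n     # one cycle, n long, back at the start

def commit_to_graph(n, h_edges):
    """Commit to every entry (edge or non-edge) of H; return (commitments, openings)."""
    commits, openings = {}, {}
    for i in range(n):
        for j in range(i + 1, n):
            bit, nonce = (1 if (i, j) in h_edges else 0), secrets.token_bytes(16)
            commits[(i, j)] = commit(i, j, bit, nonce)
            openings[(i, j)] = (bit, nonce)
    return commits, openings

class Prover:
    """Peggy: knows a Hamiltonian cycle in G."""
    def __init__(self, n, g_edges, cycle):
        self.n, self.g, self.cycle = n, set(g_edges), cycle

    def commit_round(self):
        self.pi = list(range(self.n))      # fresh relabelling: G-vertex u -> H-vertex pi[u]
        secrets.SystemRandom().shuffle(self.pi)
        h_edges = {pair(self.pi[u], self.pi[v]) for u, v in self.g}
        self.commits, self.openings = commit_to_graph(self.n, h_edges)
        return self.commits

    def respond(self, b):
        if b == 0:                         # challenge 0: reveal pi and open all of H
            return self.pi, self.openings
        c, n = self.cycle, self.n          # challenge 1: open only the translated cycle
        cyc = [pair(self.pi[c[k]], self.pi[c[(k + 1) % n]]) for k in range(n)]
        return {e: self.openings[e] for e in cyc}

class CheatingProver:
    """Knows G but no cycle in it. Bets on challenge 1: commits to an unrelated
    graph that is just a cycle on n vertices. It can open that as a cycle but
    cannot relate it to G by any isomorphism (the edge counts differ)."""
    def __init__(self, n):
        self.n = n

    def commit_round(self):
        h_edges = {pair(k, (k + 1) % self.n) for k in range(self.n)}
        self.commits, self.openings = commit_to_graph(self.n, h_edges)
        return self.commits

    def respond(self, b):
        if b == 1:
            return {e: o for e, o in self.openings.items() if o[0] == 1}
        return list(range(self.n)), self.openings   # best effort; will not verify

def verify_round(n, g_edges, commits, b, response):
    """Victor's check for one round."""
    if b == 0:
        pi, openings = response
        if sorted(pi) != list(range(n)):
            return False
        h_edges = {pair(pi[u], pi[v]) for u, v in g_edges}
        for (i, j), c in commits.items():           # every entry must open correctly
            bit, nonce = openings.get((i, j), (None, b""))
            if commit(i, j, bit, nonce) != c or bit != (1 if (i, j) in h_edges else 0):
                return False
        return True
    for (i, j), (bit, nonce) in response.items():   # opened entries must be real edges
        if bit != 1 or commits.get((i, j)) != commit(i, j, bit, nonce):
            return False
    return is_hamiltonian_cycle(n, set(response))

def run_protocol(prover, n, g_edges, challenges):
    """One round per challenge bit; True only if every round verifies."""
    for b in challenges:
        commits = prover.commit_round()
        if not verify_round(n, g_edges, commits, b, prover.respond(b)):
            return False
    return True
```

Committing to non-edges as well as edges is not optional: if only edges were committed, a cheating prover could answer challenge 1 by "opening" edges that were never part of H, and Victor would have no way to tell. The zero-knowledge argument is visible in the code as well: a round with challenge 0 reveals `pi` and a graph with no cycle marked, a round with challenge 1 reveals a cycle in a graph whose relationship to G is hidden by the unopened commitments, and `pi` is regenerated every round so the two can never be combined.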

## Variants of zero-knowledge

Different variants of zero-knowledge can be defined by formalizing the intuitive concept of what is meant by the output of the simulator "looking like" the execution of the real proof protocol in the following ways:

- We speak of *perfect zero-knowledge* if the distributions produced by the simulator and the proof protocol are distributed exactly the same. This is for instance the case in the first example above.
- *Statistical zero-knowledge* [8] means that the distributions are not necessarily exactly the same, but they are statistically close, meaning that their statistical difference is a negligible function.
- We speak of *computational zero-knowledge* if no efficient algorithm can distinguish the two distributions.

## Zero-knowledge types

- Proof of knowledge: the knowledge is hidden in the exponent, as in the example shown above.
- Pairing-based cryptography: given $f(x)$ and $f(y)$, without knowing $x$ and $y$, it is possible to compute $f(x \times y)$.
- Witness-indistinguishable proof: verifiers cannot know which witness is used for producing the proof.
- Multi-party computation: while each party can keep their respective secret, they together produce a result.
- Ring signature: outsiders have no idea which key is used for signing.

## Applications

### Authentication systems

Research in zero-knowledge proofs has been motivated by authentication systems where one party wants to prove its identity to a second party via some secret information (such as a password) but doesn't want the second party to learn anything about this secret. This is called a "zero-knowledge proof of knowledge". However, a password is typically too small or insufficiently random to be used in many schemes for zero-knowledge proofs of knowledge. A zero-knowledge password proof is a special kind of zero-knowledge proof of knowledge that addresses the limited size of passwords. [*citation needed*] In April 2015, the Sigma protocol (one-out-of-many proof) was introduced. [9] In August 2021, Cloudflare, an American web infrastructure and security company, decided to use the one-out-of-many proof mechanism for private web verification using vendor hardware. [10]

### Ethical behavior

One of the uses of zero-knowledge proofs within cryptographic protocols is to enforce honest behavior while maintaining privacy. Roughly, the idea is to force a user to prove, using a zero-knowledge proof, that its behavior is correct according to the protocol. [11] [12] Because of soundness, we know that the user must really act honestly in order to be able to provide a valid proof. Because of zero knowledge, we know that the user does not compromise the privacy of its secrets in the process of providing the proof. [*citation needed*]

### Nuclear disarmament

In 2016, the Princeton Plasma Physics Laboratory and Princeton University demonstrated a technique that may have applicability to future nuclear disarmament talks. It would allow inspectors to confirm whether or not an object is indeed a nuclear weapon without recording, sharing or revealing the internal workings, which might be secret. [13]

### Blockchains

Zero-knowledge proofs were applied in the Zerocoin and Zerocash protocols, which culminated in the birth of the Zcoin [14] (later rebranded as Firo in 2020) [15] and Zcash cryptocurrencies in 2016. Zerocoin has a built-in mixing model that does not trust any peers or centralised mixing providers to ensure anonymity. [14] Users can transact in a base currency, and can cycle the currency into and out of Zerocoins. [16] The Zerocash protocol uses a similar model (a variant known as a non-interactive zero-knowledge proof) [17] except that it can obscure the transaction amount, while Zerocoin cannot. Given significant restrictions of transaction data on the Zerocash network, Zerocash is less prone to privacy timing attacks when compared to Zerocoin. However, this additional layer of privacy can cause potentially undetected hyperinflation of the Zerocash supply because fraudulent coins cannot be tracked. [14] [18] In 2018, Bulletproofs were introduced. Bulletproofs are an improvement on non-interactive zero-knowledge proofs in which a trusted setup is not needed. [19] They were later implemented in the Mimblewimble protocol (on which the Grin and Beam cryptocurrencies are based) and in the Monero cryptocurrency. [20] In 2019, Firo implemented the Sigma protocol, which is an improvement on the Zerocoin protocol without trusted setup. [21] [9] In the same year, Firo introduced the Lelantus protocol, an improvement on the Sigma protocol which hides the origin and amount of a transaction. [22]

## History

Zero-knowledge proofs were first conceived in 1985 by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in their paper "The Knowledge Complexity of Interactive Proof-Systems". [11] This paper introduced the **IP** hierarchy of interactive proof systems (*see interactive proof system*) and conceived the concept of *knowledge complexity*, a measurement of the amount of knowledge about the proof transferred from the prover to the verifier. They also gave the first zero-knowledge proof for a concrete problem, that of deciding quadratic nonresidues mod *m*. Together with a paper by László Babai and Shlomo Moran, this landmark paper invented interactive proof systems, for which all five authors won the first Gödel Prize in 1993. In their own words, Goldwasser, Micali, and Rackoff say:

> Of particular interest is the case where this additional knowledge is essentially 0 and we show that [it] is possible to interactively prove that a number is quadratic non residue mod *m* releasing 0 additional knowledge. This is surprising as no efficient algorithm for deciding quadratic residuosity mod *m* is known when *m*'s factorization is not given. Moreover, all known **NP** proofs for this problem exhibit the prime factorization of *m*. This indicates that adding interaction to the proving process, may decrease the amount of knowledge that must be communicated in order to prove a theorem.

The quadratic nonresidue problem has both an **NP** and a **co-NP** algorithm, and so lies in the intersection of **NP** and **co-NP**. This was also true of several other problems for which zero-knowledge proofs were later discovered, such as an unpublished proof system by Oded Goldreich verifying that a two-prime modulus is not a Blum integer. [23] Oded Goldreich, Silvio Micali, and Avi Wigderson took this one step further, showing that, assuming the existence of unbreakable encryption, one can create a zero-knowledge proof system for the NP-complete graph coloring problem with three colors. Since every problem in **NP** can be efficiently reduced to this problem, this means that, under this assumption, all problems in **NP** have zero-knowledge proofs. [24] The reason for the assumption is that, as in the above example, their protocols require encryption. A commonly cited sufficient condition for the existence of unbreakable encryption is the existence of one-way functions, but it is conceivable that some physical means might also achieve it. On top of this, they also showed that the graph nonisomorphism problem, the complement of the graph isomorphism problem, has a zero-knowledge proof. This problem is in **co-NP**, but is not currently known to be in either **NP** or any practical class. More generally, Russell Impagliazzo and Moti Yung as well as Ben-Or et al. would go on to show that, also assuming one-way functions or unbreakable encryption, there are zero-knowledge proofs for *all* problems in **IP** = **PSPACE**, or in other words, anything that can be proved by an interactive proof system can be proved with zero knowledge. [25] [26] Not wishing to make unnecessary assumptions, many theorists sought a way to eliminate the need for one-way functions.
One way this was done was with *multi-prover interactive proof systems* (see interactive proof system), which have multiple independent provers instead of only one, allowing the verifier to "cross-examine" the provers in isolation to avoid being misled. It can be shown that, without any intractability assumptions, all languages in **NP** have zero-knowledge proofs in such a system. [27]
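As an added illustration of the three-coloring protocol referred to above (example code written for this page, not Goldreich, Micali and Wigderson's own construction), the following Python simulation runs the commit/challenge/open rounds on a small constructed graph. A SHA-256 commitment stands in for the encryption the text assumes, and the simulator at the end shows why an accepting transcript reveals nothing about the coloring.

```python
import hashlib
import secrets

# Constructed example graph (not from the article): a 4-cycle with one chord.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
GOOD_COLOURING = [0, 1, 2, 1]  # every edge joins two different colours
BAD_COLOURING = [0, 1, 2, 0]   # edge (3, 0) joins two equal colours

def commit(colour, nonce):
    # Hash commitment stands in for the "unbreakable encryption" the text assumes.
    return hashlib.sha256(bytes([colour]) + nonce).digest()

def prover_commit(colouring):
    # Round 1: relabel colours by a fresh random permutation, commit to every vertex.
    perm = [0, 1, 2]
    for i in (2, 1):                        # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    colours = [perm[c] for c in colouring]
    nonces = [secrets.token_bytes(16) for _ in colouring]
    return [commit(c, r) for c, r in zip(colours, nonces)], colours, nonces

def verifier_check(commitments, edge, opening):
    # Round 3: both openings must match their commitments and carry distinct colours.
    (cu, ru), (cv, rv) = opening
    u, v = edge
    if cu not in (0, 1, 2) or cv not in (0, 1, 2) or cu == cv:
        return False
    return commit(cu, ru) == commitments[u] and commit(cv, rv) == commitments[v]

def run_protocol(colouring, rounds):
    # Each round a cheating prover survives with probability at most 1 - 1/|E|.
    for _ in range(rounds):
        commitments, colours, nonces = prover_commit(colouring)
        u, v = EDGES[secrets.randbelow(len(EDGES))]   # round 2: random edge challenge
        opening = ((colours[u], nonces[u]), (colours[v], nonces[v]))
        if not verifier_check(commitments, (u, v), opening):
            return False
    return True

def simulate_transcript(edge):
    # Zero-knowledge: an accepting transcript for a known challenge needs no colouring.
    u, v = edge
    cu = secrets.randbelow(3)
    cv = (cu + 1 + secrets.randbelow(2)) % 3          # any colour other than cu
    colours = [secrets.randbelow(3) for _ in range(4)]
    colours[u], colours[v] = cu, cv
    nonces = [secrets.token_bytes(16) for _ in range(4)]
    commitments = [commit(c, r) for c, r in zip(colours, nonces)]
    return commitments, ((cu, nonces[u]), (cv, nonces[v]))
```

Because the colours are freshly permuted each round, the verifier only ever sees a uniformly random pair of distinct colours, exactly what the simulator produces without the witness.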

It turns out that in an Internet-like setting, where multiple protocols may be executed concurrently, building zero-knowledge proofs is more challenging. The line of research investigating concurrent zero-knowledge proofs was initiated by the work of Dwork, Naor, and Sahai. [28] One particular development along these lines has been the development of witness-indistinguishable proof protocols. The property of witness-indistinguishability is related to that of zero-knowledge, yet witness-indistinguishable protocols do not suffer from the same problems of concurrent execution. [29] Another variant of zero-knowledge proofs are non-interactive zero-knowledge proofs. Blum, Feldman, and Micali showed that a common random string shared between the prover and the verifier is enough to achieve computational zero-knowledge without requiring interaction. [2] [3]

## Zero-Knowledge Proof Protocols

The most popular interactive or non-interactive zero-knowledge proof (zk-SNARK) protocols can be broadly categorized into the following four categories: Succinct Non-Interactive ARguments of Knowledge (SNARK), Scalable Transparent ARgument of Knowledge (STARK), Verifiable Polynomial Delegation (VPD), and Succinct Non-interactive ARGuments (SNARG). A list of zero-knowledge proof protocols and libraries is provided below along with comparisons based on **transparency**, **universality**, **plausible post-quantum security**, and **programming paradigm**. [30] A transparent protocol is one that does not require any trusted setup and uses public randomness. A universal protocol is one that does not require a separate trusted setup for each circuit. Finally, a plausibly post-quantum protocol is one that is not susceptible to known attacks involving quantum algorithms.

| ZKP System | Publication year | Protocol | Transparent | Universal | Plausibly Post-Quantum Secure | Programming Paradigm |
|---|---|---|---|---|---|---|
| Pinocchio [31] | 2013 | zk-SNARK | No | No | No | Procedural |
| Geppetto [32] | 2015 | zk-SNARK | No | No | No | Procedural |
| TinyRAM [33] | 2013 | zk-SNARK | No | No | No | Procedural |
| Buffet [34] | 2015 | zk-SNARK | No | No | No | Procedural |
| ZoKrates [35] | 2018 | zk-SNARK | No | No | No | Procedural |
| xJsnark [36] | 2018 | zk-SNARK | No | No | No | Procedural |
| vRAM [37] | 2018 | zk-SNARG | No | Yes | No | Assembly |
| vnTinyRAM [38] | 2014 | zk-SNARK | No | Yes | No | Procedural |
| MIRAGE [39] | 2020 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| Sonic [40] | 2019 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| Marlin [41] | 2020 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| PLONK [42] | 2019 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| SuperSonic [43] | 2020 | zk-SNARK | Yes | Yes | No | Arithmetic Circuits |
| Bulletproofs [44] | 2018 | Bulletproofs | Yes | Yes | No | Arithmetic Circuits |
| Hyrax [45] | 2018 | zk-SNARK | Yes | Yes | No | Arithmetic Circuits |
| Halo [46] | 2019 | zk-SNARK | Yes | Yes | No | Arithmetic Circuits |
| Virgo [47] | 2020 | zk-SNARK | Yes | Yes | Yes | Arithmetic Circuits |
| Ligero [48] | 2017 | zk-SNARK | Yes | Yes | Yes | Arithmetic Circuits |
| Aurora [49] | 2019 | zk-SNARK | Yes | Yes | Yes | Arithmetic Circuits |
| zk-STARK [50] | 2019 | zk-STARK | Yes | Yes | Yes | Assembly |
| Zilch [30] [51] | 2021 | zk-STARK | Yes | Yes | Yes | Object-Oriented |