Non-interactive zero-knowledge proof

Non-interactive zero-knowledge proofs are cryptographic primitives, where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the statement itself. This makes direct communication between the prover and verifier unnecessary, effectively removing any intermediaries.

The key advantage of non-interactive zero-knowledge proofs is that they can be used in situations where there is no possibility of interaction between the prover and verifier, such as in online transactions where the two parties are not able to communicate in real time. This makes non-interactive zero-knowledge proofs particularly useful in decentralized systems like blockchains, where transactions are verified by a network of nodes and there is no central authority to oversee the verification process.

Most non-interactive zero-knowledge proofs are based on mathematical constructs like elliptic curve cryptography or pairing-based cryptography, which allow for the creation of short and easily verifiable proofs of the truth of a statement. Unlike interactive zero-knowledge proofs, which require multiple rounds of interaction between the prover and verifier, non-interactive zero-knowledge proofs are designed to be efficient and can be used to verify a large number of statements simultaneously.

History

Blum, Feldman, and Micali showed in 1988 that a common reference string shared between the prover and the verifier is sufficient to achieve computational zero-knowledge without requiring interaction. Goldreich and Oren gave impossibility results for one shot zero-knowledge protocols in the standard model. In 2003, Shafi Goldwasser and Yael Tauman Kalai published an instance of an identification scheme for which any hash function will yield an insecure digital signature scheme.

The model influences the properties that can be obtained from a zero-knowledge protocol. Pass showed that in the common reference string model non-interactive zero-knowledge protocols do not preserve all of the properties of interactive zero-knowledge protocols; e.g., they do not preserve deniability. Non-interactive zero-knowledge proofs can also be obtained in the random oracle model using the Fiat–Shamir heuristic.

Blockchain applications

In 2012, Alessandro Chiesa et al developed the zk-SNARK protocol, an acronym for zero-knowledge succinct non-interactive argument of knowledge. The first widespread application of zk-SNARKs was in the Zerocash blockchain protocol, where zero-knowledge cryptography provides the computational backbone, by facilitating mathematical proofs that one party has possession of certain information without revealing what that information is. Zcash utilized zk-SNARKs to facilitate four distinct transaction types: private, shielding, deshielding, and public. This protocol allowed users to determine how much data was shared with the public ledger for each transaction. Ethereum zk-Rollups also utilize zk-SNARKs to increase scalability.

In 2017, Bulletproofs was released, which enable proving that a committed value is in a range using a logarithmic (in the bit length of the range) number of field and group elements. Bulletproofs was later implemented into Mimblewimble protocol (the basis for Grin and Beam, and Litecoin via extension blocks) and Monero cryptocurrency.

In 2018, the zk-STARK (zero-knowledge Scalable Transparent Argument of Knowledge) protocol was introduced by Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev, offering transparency (no trusted setup), quasi-linear proving time, and poly-logarithmic verification time. Zero-Knowledge Succinct Transparent Arguments of Knowledge are a type of cryptographic proof system that enables one party (the prover) to prove to another party (the verifier) that a certain statement is true, without revealing any additional information beyond the truth of the statement itself. zk-STARKs are succinct, meaning that they allow for the creation of short proofs that are easy to verify, and they are transparent, meaning that anyone can verify the proof without needing any secret information.

Unlike the first generation of zk-SNARKs, zk-STARKs, by default, do not require a trusted setup, which makes them particularly useful for decentralized applications like blockchains. Additionally, zk-STARKs can be used to verify many statements at once, making them scalable and efficient.

In 2019, HALO recursive zk-SNARKs without a trusted setup were presented. Pickles zk-SNARKs, based on the former construction, power Mina, the first succinctly verifiable blockchain.

A list of zero-knowledge proof protocols and libraries is provided below along with comparisons based on transparency, universality, and plausible post-quantum security. A transparent protocol is one that does not require any trusted setup and uses public randomness. A universal protocol is one that does not require a separate trusted setup for each circuit. Finally, a plausibly post-quantum protocol is one that is not susceptible to known attacks involving quantum algorithms.

Definition

Originally, non-interactive zero-knowledge was only defined as a single theorem-proof system. In such a system each proof requires its own fresh common reference string. A common reference string in general is not a random string. It may, for instance, consist of randomly chosen group elements that all protocol parties use. Although the group elements are random, the reference string is not as it contains a certain structure (e.g., group elements) that is distinguishable from randomness. Subsequently, Feige, Lapidot, and Shamir introduced multi-theorem zero-knowledge proofs as a more versatile notion for non-interactive zero-knowledge proofs.

Pairing-based non-interactive proofs

Pairing-based cryptography has led to several cryptographic advancements. One of these advancements is more powerful and more efficient non-interactive zero-knowledge proofs. The seminal idea was to hide the values for the pairing evaluation in a commitment. Using different commitment schemes, this idea was used to build zero-knowledge proof systems under the sub-group hiding and under the decisional linear assumption. These proof systems prove circuit satisfiability, and thus by the Cook–Levin theorem allow proving membership for every language in NP. The size of the common reference string and the proofs is relatively small; however, transforming a statement into a boolean circuit incurs considerable overhead.

Proof systems under the sub-group hiding, decisional linear assumption, and external Diffie–Hellman assumption that allow directly proving the pairing product equations that are common in pairing-based cryptography have been proposed.

Under strong knowledge assumptions, it is known how to create sublinear-length computationally-sound proof systems for NP-complete languages. More precisely, the proof in such proof systems consists only of a small number of bilinear group elements.

References