Introduction

Data breaches and the digital invasion of privacy seem to have become an inevitable part of daily life. In securing our privacy, we have two formidable tasks: communicating information securely and keeping information secure. The essence of privacy is to keep either the identity, transactions, or data private, ideally all three. Much of the data we exchange is for the purpose of verifying, validating, and proving that people are who they are, that they have what they claim to possess, or can do or have certain abilities.

There are various approaches to privacy, ranging from regulation, education, corporate policies, paying for privacy, physical security, and technology. In this chapter, we cover the technical approach to privacy, beginning with the foundations and reviewing an intriguing set of techniques collectively known as zero-knowledge proofs. To stimulate interest in this topic, we define zero-knowledge proofs broadly as follows: A zero-knowledge proof (ZKP) is a method by which one party can prove to another that they are who they claim to be, have something, or know something without disclosing the details of their identity, what they have, or what they know. ZKP certainly sounds like an impossibility on the face of it and sounds like a neat trick to pull off. In this chapter, we explain how this trick is made possible through a variety of ingenious techniques.

Because of their ability to prove conclusively without actually disclosing the secret, we expect to see ZKPs become the dominant infrastructural technology that will power all electronic transactions in the future. With the widespread adoption of the ZKP-embedded infrastructure technology layer, applications do not have to engineer ZKP explicitly into their software. The situation is similar to how software developers explicitly do not program the TCP/IP stack from scratch; rather, they rely on the underlying Internet infrastructure, thanks to Dr. Vint Cerf and Dr. Bob Kahn, co-founders of the Internet, who received the ACM A.M. Turing Award in 2004—the Nobel Prize of Computer Science—for their contribution.

The technical approach to privacy through ZKP is not meant to exclude the other approaches, such as regulation and education. Privacy demands a multi-faceted approach. This is similar to automotive safety, where the technical safety of automobiles must be accompanied by clear traffic laws, a social culture where everyone obeys the traffic laws, and the drivers who go through rigorous education in order to operate their vehicles. However, the best drivers who operate their vehicles with full compliance and drive them under sober conditions may still cause accidents. It is the technology of automotive safety that then becomes the differentiating factor. Similarly, the technology ZKP can be a set of powerful guardrails that function not only as enforcers of privacy but also offer the safety net when the other approaches fall short.

Simple ZKP Examples

Before mining the depths of the cryptography, mathematics, and algorithms of ZKP, a few simple examples will demonstrate that, with some ingenuity, it is possible to craft ZKP-like solutions to some interesting problems. Some of them are motivated by games, such as the four scenarios below, and a few by real-world applications.

Leaves in a Tree: Verifying a Secret Power

Consider this dialog between Alice and Bob (the traditional fictitious participants in the roles of prover and verifier used by the cryptographic community):

Alice::

“I have this weird power. I can look at any tree and instantly tell you how many leaves it has exactly.”

Bob::

“You mean an exact number, not approximately? Without counting or trying to estimate the number of leaves?”

Alice::

“That’s right. Exactly and instantly.”

Bob::

“I don’t believe it.”

Alice::

“You point out a tree to me and I’ll tell you exactly how many leaves it has.”

Bob, pointing to a tree that’s behind her back::

“How about that one?” Alice turns around, looks at it, and says immediately, “That tree has exactly 227,927 leaves.”

How would Bob verify her power? Bob can go to that tree and count up the number of leaves. That will take Bob a very long time. Worse, while Bob is counting, some leaves are bound to fall off (it is a bit windy). There is no way Alice will tell Bob the secret of her power.

Alice suggests a method to verify her claim. “Blindfold me, then go up to the tree and remove a few leaves at random from the tree, and put them in your pocket where I can’t see them. Then come back and remove the blindfold and I’ll tell you how many leaves the tree has remaining.”

Bob follows her instructions and removes four leaves from the tree and pockets them. Bob takes care to make sure she doesn’t hear him ripping out the leaves. If she then says that the tree now has 227,923 leaves, then there is a strong possibility she has the power. Her response, however, could be a lucky guess. So, Bob repeats this process several times and Alice gets it right every time.

By this procedure, Alice has now demonstrated to Bob that she has the power, but Bob is still in the dark about how exactly she does it.

Where’s Waldo?

Suppose you want to play the ‘Finding Waldo’ game with a few friends. (“Where’s Waldo?” is a visual puzzle where people search for the character named Waldo, who is hidden in a detailed, crowded scene.) The first three to spot Waldo get the prize, the first prize going to the one who found Waldo first. The problem with this game is how to prove you found Waldo without actually pointing to Waldo?

One solution is to use a large plain cardboard (or sheet of paper) and cut a small window in the center of it (just small enough to show Waldo’s head without revealing any of the surrounding image). Let’s say you found Waldo. You can place the cardboard on top of the Waldo game-board, positioning the hole on Waldo. Your friends can see Waldo through the hole, but they will not know where Waldo is on the game-board itself. One caveat is that the plain cardboard must be large enough in relation to the Waldo game-board so that the relative positions of each do not convey any knowledge of the orientation of the game-board. This way, you can prove that you found Waldo without giving away his position on the game-board.

Are You Old Enough To Drink?

In many bars, people who look young are required to provide an ID to ensure they are of drinking age. The usual ID that bar patrons provide is the driving license that contains the date of birth. Unfortunately, it also contains other pieces of information that should be sensitive: name and address. An unscrupulous bartender or bouncer could note the address and misuse that information. In fact, the bartender does not need to know the date of birth, just whether the patron is of eligible drinking age or not. Imagine an ID card that has no information on it besides a barcode or a QR code. Assume that the bartender is licensed, his identity has been verified and has a special mobile app keyed to his identity. The bartender scans the person’s ID card (or face) and authenticates himself through a facial recognition scan. The app connects to an authoritative source (regulated service or blockchain—see Chapter 6 for an explanation of blockchain) and responds back with a ‘yes’ or ‘no.’ Indeed, as artificial intelligence (AI) technology becomes better, more prevalent, and safer, even the mobile app would be unnecessary; walk-through facial recognition technology would be sufficient. The main point is that the bar patron has been verified to be legal drinking age without disclosing his or her actual date of birth.

Proof of Color

Suppose that you want to prove to a color-blind friend (who cannot distinguish red from green) that you are not color-blind. Suppose you have two marbles that are identical except for their color: one red and one green. You want to prove that you can distinguish between them, but you do not want to tell your friend the actual color of either marble. One way to accomplish this is to have your friend show you one marble, place it behind his back, and with 50% probability switch it with the other hidden marble, then bring a marble forward and ask you whether he switched them or not. You both go through this process a number of times, and each time you have to say whether he switched the marbles or not. If you were guessing because you could not tell the colors apart, you would be right only about 50% of the time; otherwise your score would be 100%. This way, you could prove you have the ability to tell red and green apart, but without revealing the actual colors of the marbles.

Never Write Checks

We must also remember how legacy systems exacerbated the privacy problem, so we can learn how to avoid them in the future. The most egregious of this is the practice of check writing at retail outlets, a practice that is thankfully becoming rapidly extinct. In the 1960s, check writing was the main method of payment besides cash. Checks expose everything about the customer: full name, address, phone number, bank name, bank account number, and even the SSN (especially when tellers ask for the SSN to be written in the memo field of the check). Frank Abagnale, a notorious con artist, whose exploits were popularized by the movie “Catch Me If You Can,” took advantage of these security loopholes to steal several million dollars by creating his own near-perfect counterfeit checks and fake identities. After serving time, he became a consultant to the US federal government and became instrumental in several significant changes to the processing of checks and financial transactions. One of the authors met him at a CIO dinner, where he was a keynote speaker and advised the audience most strongly never to write checks at retail establishments.

In the next several sections, we will review the backdrop of cryptography and its mathematical foundations, then review the technical underpinnings of ZKPs.

Cryptographic Solutions

Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, it is about constructing and analyzing protocols that prevent third parties or the public from reading private messages.

Cryptography serves the dual purpose of communicating secrets in a way to prevent them from falling into unauthorized ears and also preventing unauthorized people from reading secret information. Cryptography plays a key role in the lifecycle of privacy by ensuring that:

  • The sending and receiving parties are legitimate

  • The medium of communication is secure

  • The information is stored in a secure way

  • Only authorized parties can unlock and read the information

Communicating Secrets

Cryptography, or ‘secret writing,’ has ancient roots, dating back to the beginning of recorded history. The most famous example of ancient cryptography is the Caesar substitution cipher, which involves a simple exchange of letters. By modern standards, this code is very easy to break. Techniques to break substitution ciphers, developed by Al-Kindi during the ninth century, included frequency analysis (Singh, 2000). Leon Battista Alberti, an Italian Renaissance personage, developed a mechanical disk for encryption in the 1460s and is credited as one of the fathers of cryptography (Kahn, 1996; Selleri, 2020).

While these were rudimentary by modern standards, they helped secret communications between armies, statesmen, and merchants. The goal of cryptography has never changed since those times but has become the basis for zero-knowledge proofs in modern systems.

Evolution of Cryptographic Proofs

Cryptography has evolved from the simple to the complex, starting with the easily breakable Caesar cipher, to cryptography based on simple mathematical operations, to the more complex foundations of modern cryptography through public key cryptography developed by Whitfield Diffie and Martin Hellman in the 1970s (Diffie & Hellman, 1976). Goldwasser, Micali, and Rackoff developed the concept of the Zero-Knowledge Proof during the 1980s (Goldwasser et al., 1985). Additional sophistication was introduced through the concept of zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) in 2012 (Bitansky et al., 2012), which makes verification of cryptographic proofs computationally efficient, building on the non-interactive version of ZKP (Blum et al., 1988). The field continues to evolve rapidly, with the latest ZKP protocol being zk-STARK, developed in 2019 by Ben-Sasson et al. (2018).

Characteristics or varieties of cryptographic proofs are transparency, universality, post-quantum security, and programming paradigm. Zk-SNARKs require a trusted setup phase prior to use. A transparent protocol such as zk-STARK, which uses public randomness, does not. This makes zk-STARK open and verifiable by any party since the algorithms are publicly available. This property is highly desirable since many experts (including hackers) can test the system for vulnerabilities, ensuring that the algorithm does not operate with some undisclosed data which, if it were to be disclosed, would compromise its security. Universality in ZKP is the ability to use the same method for multiple types of claims, whether the claim is about identity verification, compliance with securities laws, or other complex transactions. Universality, therefore, makes the system very versatile and applicable to many use cases.

Of particular concern to cryptography professionals, and especially so for ZKP adopters, is how secure their systems will be once quantum algorithms become usable. While the current focus is on ZKP mechanisms that are unbreakable using classical computers, there is active research in the area of mathematical proof constructs that would be safe against attacks mounted with quantum computers (Post-Quantum Cryptography, NIST, 2022).

The methodology used to construct ZKPs is known as the programming paradigm. zk-SNARKs, for example, use the method of arithmetic circuits, where the computations are represented as ‘circuits’ that contain gates performing arithmetic operations. Other examples include Boolean circuits (representing mathematical logic), the Rank-1 Constraint System (R1CS), where the computations are represented as a system of polynomial equations, traditional programming techniques using procedural languages, and many others. One of these is the Interactive Proof method, which is now being replaced by zk-SNARKs.

Technical Foundations of ZKPs

This section describes some of the key concepts and terminology of ZKP technology, its foundational characteristics, protocols, and methods.

Key Concepts and Terminology

There are three important parts in the ZKP protocol, namely prover, verifier, and witness. The prover is the party that wishes to convince the verifier that it (the prover) can do something, has something, or knows something, without revealing the details of how it does it, the object or asset it has, or the specific secret. The prover generates a proof that, when verified, validates the truth of the prover’s assertion. The prover uses the witness to construct the proof and sends the proof to the verifier. For example, the prover could be a seller of shares in a company or a buyer; both have to prove that they have the shares to sell or the cash to buy without disclosing the exact number of shares or cash, or details of the holding account. The verifier is the party that needs to accept the proof by verifying it. The verifier receives the proof from the prover and attempts to verify the proof by using certain public parameters, processes, or some form of evidence. The verifier then accepts or rejects the proof based on the outcome of the verification process. The witness is some secret data that is known only to the prover that the prover uses to compute the proof.

A full understanding of cryptography and ZKP requires knowledge of many areas of mathematics, such as number theory (modular arithmetic, prime numbers, the discrete logarithm problem), algebra (groups, rings, fields, elliptic curves), computer cryptography (hash functions, random numbers, bit operations), complexity theory (big-Oh notation, NP-complete, and NP-hard theory), probability, statistics, and mathematical logic.

Foundational Characteristics

ZKP protocols must satisfy three important properties: completeness, soundness, and the zero-knowledge property:

  • Completeness: An honest verifier will always be convinced by an honest prover when the statement is true.

  • Soundness: No dishonest prover can convince the verifier of a false statement.

  • Zero-Knowledge: The verifier learns nothing besides the validity of the prover’s statement.

Protocols, Algorithms, and Methods

There are two basic methods of communication between the prover and the verifier within ZKP protocols: interactive and non-interactive. While the fundamental difference is the mode of communication, that difference has implications for real-time and high-volume systems.

Interactive protocols require multiple iterations of communication between the prover and the verifier. The prover sends a proof to the verifier or the verifier gives a challenge to the prover. The verifier verifies the proof produced by the prover. The verifier suspects that the correct proof could be a coincidence, and therefore repeats the challenge (or demands proof) multiple times until the verifier is satisfied. The verifier challenges the prover (the person who possesses a secret power of knowing the exact number of leaves in a tree without counting) to provide a count of the number of leaves after the verifier has removed a certain number of leaves without the prover’s knowledge. Only several repeated experiments of this type will convince the verifier that the prover indeed has the secret power.

Interactive proofs have two major challenges. First, the proof is not portable or transferable. Another verifier needs to repeat the process all over again. Second, they are not scalable, since both the prover and verifier need to interact over multiple iterations; in real-time systems, such a method of multiple interactions implies almost synchronous communication between the two, similar to multi-factor authentication.

Schnorr’s protocol is an example of an interactive ZKP. It is a very clever interactive technique that a prover can use to prove to the verifier that he or she knows a secret number without revealing it. Below is a very simple example that is not cryptographically secure. This example requires simple exponentiation and modulus arithmetic to understand:

  • The Setup Phase: In this phase, the prover selects two numbers, a generator g and a modulus p, which should be a very large prime number for cryptographic security. Technically, g should be a primitive root modulo p. The prover calculates a public key, y, as follows: y = g^x mod p.

    Let us use some simple numbers for ease of illustration.

    Suppose the prover’s secret number is x = 6.

    The prover selects g = 2, p = 17.

    The prover calculates the public key, y = g^x mod p = 2^6 mod 17 = 64 mod 17 = 13.

    The prover shares the public key y = 13 with the verifier.

  • The Commitment Phase: The prover now ‘commits’ to using g and p by generating a random number r (not the prover’s secret number!). Let r = 11.

    The prover calculates another number, t, as follows: t = g^r mod p = 2^11 mod 17 = 2048 mod 17 = 8.

    The prover gives the commitment number t = 8 to the verifier.

    Note that the prover only committed to using g and p, which the verifier also knows, but the prover has not shared the secret number (x = 6) with the verifier.

  • The Challenge Phase: The verifier now challenges the prover by generating a different random number, c. Suppose c = 2 (a small number just for illustration). The verifier gives the challenge number (c = 2) to the prover.

  • The Response Phase: The prover uses the verifier’s challenge number c = 2 to generate a response number, s, as follows: s = r + c * x = 11 + 2 * 6 = 11 + 12 = 23.

    The prover gives the number s = 23 to the verifier.

  • The Verification Phase: The verifier, at this point, has the following information:

    g = 2 (the generator), p = 17 (the modulus), y = 13 (the public key), and t = 8 (the commitment), all given by the prover; c = 2 (the verifier’s own challenge number); and finally, the prover’s response to the verifier’s challenge, s = 23.

    The verifier calculates two quantities using the known numbers:

    First: g^s mod p = 2^23 mod 17 = 9.

    Second: t * y^c mod p = 8 * 13^2 mod 17 = 9.

    Since both results (9) agree, the verifier is assured that the prover knows the secret number.

In reality, the computer software of the prover and verifier performs the protocol described above. The reason the Schnorr protocol works is that the exchange of some data (g, p, and y) in the setup phase establishes trust between the prover and verifier, but not to the extent that the prover is willing to share a secret with the verifier. The prover also commits to using the data and the method of calculation (the exponentiation and modulo arithmetic). The description above does not make the protocol fully secure. To do so, the prover and verifier should follow other process requirements. For example, the prover should pick a different random number r every time the protocol is repeated, the verifier should not send the challenge number c to the prover until the prover has first committed by sending the commitment number t to the verifier, the modulus p should be a very large prime number, and the generator g should be a primitive root modulo p.
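The walkthrough above, run as a program, with the process requirements just listed exercised one by one. This is an added example, not code from the chapter: g = 2, p = 17, x = 6, r = 11 and c = 2 are the chapter's toy numbers, while the fresh-nonce round, the recovery of x from a reused r, and the forgery that becomes possible when c is known before t is fixed are assumptions added to show why each rule matters.

```python
"""Interactive Schnorr identification, replaying the chapter's toy numbers.

Added example. The group (g = 2, p = 17) is the chapter's toy setting and is
NOT secure; it is kept so that the intermediate values match the text.
"""
import secrets

g, p = 2, 17          # toy generator and modulus (p must be a large prime in practice)
x = 6                 # prover's secret, never sent
y = pow(g, x, p)      # public key y = g^x mod p = 13


def commit(r):
    """Commitment phase: t = g^r mod p. Reveals nothing usable about r or x."""
    return pow(g, r, p)


def respond(r, c):
    """Response phase: s = r + c*x, computed over the integers as in the text."""
    return r + c * x


def verify(t, c, s):
    """Verification phase: accept iff g^s == t * y^c (mod p)."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def walkthrough():
    """The chapter's run: returns (t, s, g^s mod p, t*y^c mod p, accepted)."""
    r, c = 11, 2
    t = commit(r)                    # 8
    s = respond(r, c)                # 23
    return t, s, pow(g, s, p), (t * pow(y, c, p)) % p, verify(t, c, s)


def honest_round():
    """One properly ordered round: fresh r, commitment first, then a random challenge."""
    r = secrets.randbelow(p - 1) + 1           # prover's fresh nonce (assumption: drawn here)
    t = commit(r)                              # sent before the verifier chooses c
    c = secrets.randbelow(p - 1) + 1           # verifier's challenge, chosen after seeing t
    return verify(t, c, respond(r, c))


def recover_secret_from_nonce_reuse(c1, s1, c2, s2):
    """Why r must change each run: two responses under the same r leak x,
    because s1 - s2 = (c1 - c2) * x exactly (no modular reduction on s)."""
    return (s1 - s2) // (c1 - c2)


def forge_with_known_challenge(c):
    """Why t must be sent before c: a party without x who learns c in advance
    picks s first and solves t = g^s * y^(-c) mod p. Verification passes for
    that c only; the same (t, s) fails for any other challenge."""
    s = secrets.randbelow(p - 1)
    t = (pow(g, s, p) * pow(y, -c, p)) % p      # pow(..., -c, p) needs Python 3.8+
    return t, s


if __name__ == "__main__":
    print("walkthrough (t, s, lhs, rhs, accepted):", walkthrough())
    print("honest round accepted:", honest_round())
    c1, c2 = 2, 5
    print("x recovered from nonce reuse:",
          recover_secret_from_nonce_reuse(c1, respond(11, c1), c2, respond(11, c2)))
    t, s = forge_with_known_challenge(2)
    print("forgery passes for c=2:", verify(t, 2, s), "| fails for c=3:", verify(t, 3, s))
```

The forgery function is the same construction used in the textbook zero-knowledge argument for Schnorr: anyone who may choose t after learning c can produce accepting transcripts, which is exactly why such transcripts reveal nothing about x, and also why a verifier who reveals c early loses soundness.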

The protocol works because the calculation of the secret number x by the verifier is computationally hard using g, p, and y. A simple example is that if the prover had some milk and wanted to assure the verifier of that fact without disclosing the exact amount of milk in the prover’s possession, the prover simply pours some milk into a cup of black coffee and gives it to the verifier. The verifier can see the milk that has been added to the cup of coffee but is not able to figure out how much milk the prover poured without extensive chemical analysis. In other words, combining milk and coffee is easy; separating them is very hard. This is analogous to computational infeasibility, and such infeasibility is at the heart of cryptographic techniques.

Interactive proofs, as described above, require an interactive process to function. Non-interactive proofs, on the other hand, require only a single interaction or message from the prover to the verifier. The prover generates a proof without requiring a challenge from the verifier. The verifier can check the proof without requiring any interaction with the prover. In this protocol, the verification can happen asynchronously. Examples include zk-SNARKs, zk-STARKs, Bulletproofs, and the non-interactive version of Sigma protocols.

Zk-SNARK (Bitansky et al., 2012), the most well-known among them, stands for Zero-Knowledge Succinct, Non-Interactive Argument of Knowledge. The proof is succinct, meaning it is short, small in size, and can be verified quickly regardless of how complex the original statement or data may be. This brevity is an important property when transactions need to be verified rapidly, as in online or retail financial transactions. An ‘argument’ differs from a proof in that an argument need not prove the prover’s statement with complete certainty. It is designed to be generally secure but may fail if the verifier is dishonest. The reason this possibility of failure is acceptable in practice is that real-world verifiers for transactions that truly matter are those whose own identity is verified, and they are usually regulated parties (e.g., money transmitters, banks, healthcare organizations, etc.). Arguments are typically more efficient than proofs.

zk-STARK (Ben-Sasson et al., 2018) stands for Zero-Knowledge Scalable Transparent ARgument of Knowledge. Unlike zk-SNARK, it does not require a trusted setup before using it. The proof and the verification process can be made public since anyone can verify without requiring any secret data to be used in the verification process. This mechanism is highly scalable since it can handle large amounts of data and complex computations efficiently. A further benefit is that zk-STARK is post-quantum secure, which means it is resistant to attacks by quantum computers in the future. The proofs are themselves small and quickly verifiable, making this ZKP mechanism attractive for many applications that are very sensitive to scaling, require transparency, and depend on independent and repeated verifications.

Bulletproofs (Bünz et al., 2018) are a type of cryptographic tool that a prover can use to prove to the verifier that the prover has or knows a secret number. The prover creates a proof stating that the secret number is within a certain range, without revealing the actual number. The prover performs complex cryptographic operations (done by computer, not by hand) to provide the verifier with a digitally secure proof that the secret number is within a certain range, and the verifier likewise checks the proof by computer.

Sigma protocols (Groth & Kohlweiss, 2015) use a three-step interactive conversation between the prover and verifier. The three steps are commitment, challenge, and response. The prover creates a commitment of some random number (not the secret) and sends it to the verifier. The verifier sends a random challenge number to the prover. The prover takes the challenge and combines it numerically with the secret and sends the result back to the verifier. The verifier performs complementary calculations that ‘unpack’ this last result and compares it with the original commitment number from the prover to see if it is the same or not.

Commitment schemes are cryptographic protocols that implement hiding and binding of messages. For example, a message that is placed inside an opaque envelope and sealed by the sender cannot be read by the receiver unless and until the sender unseals it. In addition, the sender cannot alter the message since the receiver has possession of the sealed envelope. In this protocol, the sender is known as the committer since he or she commits to the data by sealing it. The receiver or verifier cannot see the message, hence the ‘hiding.’ Because the committer cannot change the message without the verifier’s knowledge, the committer is ‘bound’ to honor the message. Secure commitments play a key role in fostering trust in widely distributed and decentralized systems. Commitment schemes have had a long history of continuing development and innovation (Brassard et al., 1988; Even, 1982).
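The sealed-envelope picture above, implemented as a hash-based commitment. This is an added example, not code from the chapter: committing to SHA-256(nonce || message) with a fresh 32-byte nonce, the sealed-bid scenario, and the unsalted variant used to show why the nonce is needed are all assumptions chosen here to make hiding and binding concrete.

```python
"""Hash-based commitment scheme: 'hiding' (the verifier cannot read the sealed
message) and 'binding' (the committer cannot change it afterwards).

Added example. Construction: commitment = SHA-256(nonce || message); the
opening is (message, nonce).
"""
import hashlib
import secrets
from typing import Optional


def commit(message: bytes, nonce: Optional[bytes] = None):
    """Seal the envelope: publish the digest, keep (message, nonce) as the opening."""
    if nonce is None:
        nonce = secrets.token_bytes(32)           # fresh randomness is what gives hiding
    digest = hashlib.sha256(nonce + message).digest()
    return digest, nonce


def open_commitment(digest: bytes, message: bytes, nonce: bytes) -> bool:
    """Unseal: the verifier recomputes the digest; any change to message or nonce fails."""
    return hashlib.sha256(nonce + message).digest() == digest


def unsalted_commit(message: bytes) -> bytes:
    """A commitment made WITHOUT a nonce (the weak variant, for comparison only)."""
    return hashlib.sha256(message).digest()


def brute_force_unsalted(digest: bytes, candidates):
    """Why the nonce matters: an unsalted commitment to a low-entropy message
    (a yes/no vote, a small bid) is not hiding, because the verifier can hash
    every candidate. Returns the matching candidate, or None if nothing matches."""
    for m in candidates:
        if hashlib.sha256(m).digest() == digest:
            return m
    return None


def sealed_bid_demo():
    """Bidder commits, the auction closes, the bidder opens.
    Returns (honest opening accepted, substituted bid accepted)."""
    bid = b"bid:1500"                                       # constructed sample bid
    digest, nonce = commit(bid)
    honest = open_commitment(digest, bid, nonce)            # True
    altered = open_commitment(digest, b"bid:1600", nonce)   # False: binding
    return honest, altered


if __name__ == "__main__":
    print("sealed bid (honest, altered):", sealed_bid_demo())
    d1, _ = commit(b"yes")
    d2, _ = commit(b"yes")
    print("two commitments to the same vote look unrelated:", d1 != d2)
    print("unsalted vote recovered:", brute_force_unsalted(unsalted_commit(b"no"), [b"yes", b"no"]))
```

Binding here rests on collision resistance of the hash; hiding rests on the nonce being unpredictable, which is why the last check recovers the unsalted vote but cannot recover a salted one.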

Homomorphic encryption, first proposed by Rivest, Adleman, and Dertouzos (Rivest et al., 1978), is a fascinating innovation in cryptography and ZKP where computations can be performed on encrypted data without needing to decrypt it first. The first practical Fully Homomorphic Encryption (FHE) scheme was introduced much later (Gentry, 2009). For example, assume that a service provider is engaged to compute the commission of a broker-dealer in a financial services transaction; however, neither party to the transaction wants to expose the original amount of the transaction or the amount of commission paid to the broker-dealer. Using homomorphic encryption, the service provider can apply the broker-dealer’s commission percentage to the encrypted amount, derive the encrypted commission, and send both to the parties involved in the transaction, who can then decrypt the numbers securely. This process ensures privacy of the original data yet allows the service provider to apply complex rules to calculate the commission and certify that the rules have been applied correctly. This mechanism is especially useful for performing data analytics, which is becoming widely used in many companies, on sensitive data.
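The commission scenario above, carried out on ciphertexts. This is an added example, not code from the chapter or from any library: the chapter names no particular scheme, so Paillier (which is additively homomorphic, enough for a percentage) is used here; the toy primes, the 150-basis-point rate and the amounts are constructed for illustration.

```python
"""Additively homomorphic encryption (Paillier) applied to the commission scenario.

Added example. Paillier supports Enc(a)*Enc(b) = Enc(a+b) and Enc(a)^k = Enc(k*a),
which is exactly what applying a public percentage to a hidden amount needs.
The key below uses 17-bit primes and is far too small for real use.
"""
import secrets
from math import gcd
from typing import Optional

P, Q = 104729, 104723                          # constructed toy primes
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1): the private key
MU = pow(LAM, -1, N)                           # inverse used in decryption
G = N + 1                                      # standard generator choice


def encrypt(m: int, r: Optional[int] = None) -> int:
    """Enc(m) = (1+n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    if not 0 <= m < N:
        raise ValueError("plaintext must lie in [0, n)")
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, where L(u) = (u-1)/n."""
    u = pow(c, LAM, N2)
    return ((u - 1) // N) * MU % N


def add_encrypted(c1: int, c2: int) -> int:
    """Enc(a) * Enc(b) = Enc(a + b): addition without decrypting."""
    return (c1 * c2) % N2


def scale_encrypted(c: int, k: int) -> int:
    """Enc(a)^k = Enc(k * a): multiplication by a public constant."""
    return pow(c, k, N2)


def commission_on_ciphertext(c_amount: int, rate_bps: int) -> int:
    """The service provider's step: apply a public commission rate (basis points)
    to the encrypted amount. It never learns the amount. Division is not
    homomorphic, so the parties divide by 10_000 after decrypting."""
    return scale_encrypted(c_amount, rate_bps)


def demo(amount: int = 250_000, rate_bps: int = 150):
    """Client encrypts, provider computes, client decrypts. Returns (amount, commission)."""
    c_amount = encrypt(amount)
    c_commission = commission_on_ciphertext(c_amount, rate_bps)
    return decrypt(c_amount), decrypt(c_commission) // 10_000


if __name__ == "__main__":
    print("decrypted (amount, commission):", demo())
```

The scaled commission must stay below n, which is why plaintexts are kept in integer units (basis points rather than a fractional rate) and why a real key is sized so that n dwarfs any amount that will be processed.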

Given that non-interactive proofs have significant advantages over interactive proofs in terms of scalability, computational efficiency, and the non-requirement for synchronous, real-time interactions, the Fiat-Shamir heuristic is an important technique. Introduced back in 1986–1987 by Amos Fiat and Adi Shamir, this heuristic guides the conversion of an interactive proof to a non-interactive version.
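The Fiat-Shamir conversion applied to the Schnorr exchange described earlier: the verifier's random challenge is replaced by a hash of the commitment and the public statement, so the prover can produce the whole transcript alone and any verifier can check it later. This is an added example, not code from the chapter; the secret x = 6 is the chapter's, while the larger toy group (p = 2^31 - 1 with generator 7, chosen so that a hashed challenge has a meaningful range; still not secure), the use of SHA-256 as the hash, and the encoding of the hash input are assumptions.

```python
"""Fiat-Shamir: the interactive Schnorr exchange made non-interactive.

Added example. The interactive version needs the verifier to pick c after
seeing t. Here c = H(g, p, y, t), so c still depends on t but no verifier
message is required, and the proof (t, s) is transferable.
"""
import hashlib
import secrets

g, p = 7, 2**31 - 1       # toy group: 7 is a primitive root of the Mersenne prime 2^31-1
x = 6                     # prover's secret (the chapter's value)
y = pow(g, x, p)          # public key


def fiat_shamir_challenge(y_pub: int, t: int) -> int:
    """Replace the verifier's random c with a hash of everything fixed so far:
    the public statement (g, p, y) and the commitment t. Because c is a function
    of t, the prover cannot pick t after learning c."""
    data = f"schnorr-fs|{g}|{p}|{y_pub}|{t}".encode()      # assumed encoding
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 1)


def prove(secret: int, y_pub: int):
    """The prover alone produces (t, s); no message from the verifier is needed."""
    r = secrets.randbelow(p - 1) + 1
    t = pow(g, r, p)
    c = fiat_shamir_challenge(y_pub, t)
    s = r + c * secret
    return t, s


def verify(y_pub: int, proof) -> bool:
    """Anyone, at any later time, recomputes c from the proof and checks g^s == t*y^c."""
    t, s = proof
    c = fiat_shamir_challenge(y_pub, t)
    return pow(g, s, p) == (t * pow(y_pub, c, p)) % p


def demo():
    """Returns (valid proof accepted, altered response accepted, proof reused for another key accepted)."""
    proof = prove(x, y)
    ok = verify(y, proof)
    t, s = proof
    tampered = verify(y, (t, s + 1))              # altered response: rejected
    other_key = verify(pow(g, 5, p), proof)       # same proof, different statement: rejected
    return ok, tampered, other_key


if __name__ == "__main__":
    print("(valid, tampered, other key):", demo())
```

Including y (and the group parameters) in the hash input binds the proof to the statement it was made for; hashing only t would let a proof for one public key be replayed against another.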

ZKP Use Cases

ZKPs can be used in both personal and business situations. This section outlines some of the more common use cases. The implementation of ZKPs can happen in many ways, ranging from reengineering existing processes, creating new processes, using new technologies (AI, blockchain), or new devices. In use cases involving or requiring ZKP, researchers follow the principle of least information that will prove the case.

Personal Privacy

Digital Identity Verification. Identity verification is crucial in situations where private data, regulated transactions, or money are involved. ZKP is specifically useful when some or all of the personally identifiable information (PII) should not be disclosed. In many of these situations, the verifying party only needs to authenticate some aspect of the identity and does not need access to the actual data itself. For example, only people above the age of eighteen can buy securities, vote, or drink. Their actual date of birth need not be disclosed. Residency requirements (such as those in universities) only require that the person’s residence or tenure in a particular jurisdiction satisfy some constraints. The actual address itself need not be revealed. In many financial transactions involving non-bearer instruments in particular, the holder is required to have their ‘Know Your Customer’ (KYC) verification done successfully. This process is usually done using information provided by data aggregators such as Lexis-Nexis, ComplyAdvantage, Trulioo, or Jumio. Licensed compliance officers check the information itself. KYC verification typically includes checking bad actors and sanctions lists. Needless to say, not everyone who needs to know the outcome of the KYC check requires obtaining the actual data itself.

The other aspect of identity verification is for secure login to online applications and authorization to the application’s capabilities. This system has implications for how the information is stored and protected. One can imagine a future where everyone owns their own information and stores it encrypted in a widely distributed blockchain. They would disclose only the relevant aspects of their data and answer only the question at hand (age, for example). They would refuse access to the actual data (date or birth, for example), while the verifier can be assured that the data is truthful and untampered.

Secure Messaging. This capability currently exists within secure messaging apps. The message that should be kept secret and available only to the intended recipient is hashed, encrypted with the public key of the recipient, and signed by the private key of the sender. The sender also separately encrypts parts of the message that will allow an intermediary to verify the claims of the message without reading the rest of the message. Secure file-sharing is included in this use case, where ZKPs can be used to prove ownership of a file, grant permission to access a file, verify the type of contents in the file, or the presence or absence of certain types of information in the file. Such verification is accomplished specifically through commitment schemes that separate the verification process into two parts.

Secure and Anonymous Voting. ZKPs can be used for voting, where the challenge is either security, anonymity, or both. ZKPs exist to verify identity without disclosing the identity to other parties. Anonymous voting with ZKPs proves to the stakeholders that the person voted, but not how. Indeed, with fully decentralized security coupled with ZKPs, stakeholders can be assured that voting has taken place and that quorum has been achieved, without revealing who voted and who did not, let alone how they voted. A complete solution with ZKPs would also prevent double voting. Many of the concerns with fake voters and errors in vote counting would be prevented while maintaining voter privacy.

Health Data Privacy. Privacy of health information is a sensitive topic that is subject to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (see Chapter 10 for a detailed discussion of healthcare data privacy). ZKPs can help individuals prove that they meet certain criteria, including fitness levels (such as the ability to perform certain jobs, without disclosing specific fitness parameters), vaccination status (such as proof of meeting travel requirements, without disclosing the actual vaccinations), presence or absence of a medical condition (such as diabetes, without revealing A1c or blood glucose readings), and ordering prescriptions without disclosing their name (as well as not disclosing to the shipper the type of package, while still proving that the contents meet the hazardous materials constraints).

Location Privacy. ZKPs can help prove to service applications that the user is within a geographical region without disclosing the address. Knowing the location (without necessarily knowing the address) is important for delivering or denying certain types of services. Additionally, knowing the location is useful for applying AI (machine learning and data analytics) techniques to better serve customers. For example, a business can suggest UV products to online visitors from regions that are suffering from a heat wave. Government agencies can send advisories on imminent extreme weather or disease outbreaks to people online. Intermediaries for financial securities can enable or disable transfers that would contravene blue-sky laws (“Frequently asked questions about Exempt Offerings,” the SEC). Each country has its own data privacy laws, and organizations may additionally be required to adhere to the GDPR (“Does the GDPR apply to companies outside of the EU?”), while some countries have privacy laws at the state, territory, or regional level, such as the California Consumer Privacy Act (CCPA).

Private Financial Transactions. ZKPs can be used to provide insights to advisors (human or robo) so that they can better tailor financial plans for their customers, without revealing any detailed financial data. For example, a CPA will require complete financial details, but a financial advisor may only need to know their customer’s risk profile (high, medium, or low, depending on age, investment experience, and level of funds to invest, without disclosing the actual numbers).

Some cryptocurrency technologies use ZKPs to shield private transactions on public blockchains. Zcash, a cryptocurrency designed to be more privacy-enhancing than Bitcoin, for example, uses zk-SNARKs for shielded transactions: the details of the sender, the receiver, and the transaction amount are encrypted, while miners can still use the zk-SNARK to verify that the transaction is valid. Selective disclosure for audit purposes or to meet regulatory compliance requests is also possible through ZKPs.

Privacy in Social Media Interactions. There is no doubt that social media has transformed the nature of social interactions. Social media platforms have expanded the reach, scope, and scale of interactions from the confines of the local community to the entire planet. Online marketers have taken advantage of the information users share to provide targeted advertisements and recommendations. While this is useful in tailoring the online user's experience and making it more meaningful and productive, it does not require the marketer to have access to many other pieces of information about the user. Scammers, on the other hand, use sensitive information to create fake identities and perpetrate fraud. Assuming online social media platforms evolve to incorporate stronger data privacy policies and encryption, ZKPs can be used to provide proof of certain conditions or behaviors of the user without disclosing the actual data. For example, online recommendation engines can use ZKPs to target recommendations to adults or seniors more precisely than conventional collaborative filtering (which is well known and quite prevalent among the larger online businesses), without knowing the users’ actual dates of birth. Similarly, users can share their preferred products without disclosing their identity.

Educational Records. Using ZKPs, students can prove that they meet certain qualifications or that they have completed certain courses without revealing their full educational records (or transcripts), which contain grades. Similarly, politicians and other government officials can provide proof of attendance at or graduation from the institutions declared in their public bios, and that their qualification is in good standing, without disclosing any further details.

Privacy with Sunshine Laws. States in the US have enacted Sunshine Laws of varying degree and scope to ensure transparency in government. In many cases, however, these laws also impinge on the privacy of government officials, especially with respect to their salaries. If the intent is to assure the public that the salaries of government officials are equitable and in line with those of the general population, or to assure the absence of any discriminatory practices, ZKPs can provide that proof without disclosing the actual salaries.

Privacy with Internet-of-Things (IoT). ZKPs can allow users to control their devices (smart home, drones, cars, etc.) by proving their identity and authorization to control them without disclosing private information. This is an important capability since many IoT devices and technology infrastructures are mediated by independent third parties.

Privacy in Business. Privacy in business mirrors many of the same concerns as privacy for individuals since many of the business and even social interactions are between consumers and businesses. In addition to the business-to-consumer (B2C) privacy concerns, business-to-business (B2B) privacy concerns also need to be addressed in order to increase trust in business settings.

Employee Verification. Companies can verify employees’ credentials, qualifications, and background information without accessing or storing sensitive data. Typically, these services are offered to companies by third-party service providers. Companies need not see sensitive information about candidates but can use ZKPs to verify the information provided by these third-party services. Similarly, when outside agencies (such as a mortgage company processing an employee’s loan application) require employment verification, the company can provide a zero-knowledge proof of employment and of the number of years of tenure with the company without disclosing the employee’s details, such as the exact dates of employment. If the verifier requires additional personal data, it should obtain that data either directly from the loan applicant or through similar ZKP solutions with other providers.

Intellectual Property. Companies can protect their intellectual property by proving ownership of copyrighted and confidential material without disclosing the contents themselves. ZKPs can provide not only proof of ownership but also proof of the presence of certain types of information within the document, using commitment techniques.
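Both the secure-messaging and the intellectual-property passages rest on commitments that separate verification into a commit step and a later reveal step. The Python below is an added example, not code from the chapter: it commits to a structured document with a salted Merkle tree, publishes only the root, and later opens a single field together with its authentication path, so a verifier learns that the field is bound to the published root without seeing any other field. The sample document, the `Commitment` class and the helper names are constructed for illustration.

```python
# Salted Merkle commitment with selective disclosure (added example).
# Commit phase: publish only the root.  Reveal phase: open one field with its
# authentication path.  Per-leaf salts stop a verifier from guessing
# low-entropy fields (a date, a price) by hashing candidates against the root.
import hashlib
import secrets
from typing import Dict, List, Tuple

Path = List[Tuple[bytes, bool]]  # (sibling hash, sibling is the right child)

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _leaf(key: str, value: str, salt: bytes) -> bytes:
    # 0x00 prefix separates leaves from inner nodes; 0x1f separates key/value.
    return _h(b"\x00", salt, key.encode(), b"\x1f", value.encode())

def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)

def _padded(level: List[bytes]) -> List[bytes]:
    # Duplicate the last node on odd-length levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level

class Commitment:
    """Holder-side state: the document, its per-field salts and the full tree."""

    def __init__(self, document: Dict[str, str]):
        self.keys = sorted(document)                  # canonical leaf order
        self.values = dict(document)
        self.salts = {k: secrets.token_bytes(16) for k in self.keys}
        self.levels = self._build()

    def _build(self) -> List[List[bytes]]:
        level = [_leaf(k, self.values[k], self.salts[k]) for k in self.keys]
        levels = [level]
        while len(level) > 1:
            level = _padded(level)
            level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    @property
    def root(self) -> bytes:
        """The only value published in the commit phase."""
        return self.levels[-1][0]

    def open(self, key: str) -> Tuple[str, str, bytes, Path]:
        """Reveal phase for one field: its value, salt and authentication path."""
        idx = self.keys.index(key)
        path: Path = []
        for level in self.levels[:-1]:
            level = _padded(level)
            path.append((level[idx ^ 1], idx % 2 == 0))
            idx //= 2
        return key, self.values[key], self.salts[key], path

def verify_opening(root: bytes, key: str, value: str, salt: bytes, path: Path) -> bool:
    """Verifier side: recompute the root from the opened leaf and its path."""
    node = _leaf(key, value, salt)
    for sibling, sibling_is_right in path:
        node = _node(node, sibling) if sibling_is_right else _node(sibling, node)
    return node == root
```

The verifier needs only the root, so it can be published early (in a contract register, a timestamping service, or on a ledger) and individual fields opened months later to different parties; each opening is independent, and an opened field cannot be altered afterwards without changing the root. Proving that a field is absent, rather than present, needs additional structure (for instance a sorted tree with neighbour proofs) and is not covered by this example.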

Contract Documents. Many company contracts are confidential documents and their contents are not disclosed to parties that are not involved in the contract. Companies, however, may need to prove that they have signed certain agreements, such as pre-orders (order commitments), that impact their ability to secure financing. ZKPs help prove that these contracts are legitimate and that the company is reporting the order book truthfully without revealing the details to potential competitors. This capability of ZKPs is particularly useful in supply chains where multiple parties are involved, but individual arrangements need to be kept private while assuring the other parties that the agreements are in place. Supply chains and networks have complicated business models that require verification of different pieces of information while ensuring that the details are private. Multi-party computation is an important ZKP technique that was covered in Chapter 7.

Verification of Organizational Structure. Companies may have corporate investors or may be engaged in merger and acquisition (M&A) deals. Part of the due diligence for such transactions is performing KYC verification of the officers and board of directors of the corporate parties. Also included is verification of the individuals' other affiliations, to ensure there are no conflicts of interest. ZKPs allow all parties to verify such information without requiring disclosure of the underlying data.

Privacy in Smart Contracts. Smart contracts in blockchain execute code based on business logic. Smart contracts use data and rules that are encoded within them. ZKPs help smart contracts execute the business logic without exposing any of the underlying data. This is especially important since smart contract logic is available to all the participants on the chain so that validation and consensus can be formed before committing the results of the smart contract computation to the distributed ledger.

Challenges and Limitations

ZKPs are subject to three critical challenges: computational efficiency, trusted setup prior to use, and scalability.

Issues with Computational Costs and Efficiencies

Computational performance and operational costs are critical factors in the design and implementation of enterprise software systems. In the case of ZKPs, they take on added importance because of the potentially high volume of transactions. There is a tradeoff between low cost and high performance on one hand and security and privacy on the other. Generating zero-knowledge proofs that capture rich business scenarios can be computationally intensive, requiring complex mathematical operations that may not be feasible in real-time, high-volume scenarios. The verification process is generally less computationally demanding than proof generation; however, it too incurs computational costs that may not meet the business needs. These tradeoffs are especially important in decentralized ledger networks, where every node may need to verify a proof and participate in a consensus process, thus increasing the overall computational cost and reducing performance.

Various ZKP schemes offer different tradeoffs. For example, zk-SNARK proofs are quicker to verify but require a trusted setup, while zk-STARKs do not require a trusted setup but are more computationally intensive. Cryptographic research is continually testing the boundaries of such tradeoffs: increase speed, reduce cost, increase security, and increase privacy.

Issues With Trusted Setup

Many cryptographic schemes require that both parties exchange some initial secret information before they communicate the first secret message. Examples of such initial information include code books, substitution keys, or an initial sharing of decryption keys. Such an initial exchange of information is also a requirement in certain ZKP mechanisms such as zk-SNARKs. In the initial phase (prior to first use), a shared piece of data called the Common Reference String is generated from secret randomness (called the ‘toxic waste’), which must then be destroyed. To prevent leakage of the randomness used to generate the public parameters, some implementations such as Zcash perform ‘ceremonies,’ which are standardized interactions between multiple parties, so that the randomness is never held by any single party. Newer ZKP schemes such as zk-STARKs eliminate the need for this trusted setup, thereby removing the risk of a compromised setup secret.

Scalability Issues

ZKP transactions can be computationally intensive, sometimes requiring several thousand computations for every ZKP transaction. In large, decentralized networks such as Ethereum, this complexity creates an enormous computational burden, since every node has to perform the same verification of the proof to achieve consensus. This computational burden can result in slow transaction processing times and limit the network’s throughput, making it difficult to scale the system to accommodate a large number of users or transactions. ZKP schemes like zk-SNARKs produce relatively small proofs, while zk-STARKs can generate larger proofs, creating computational, storage, and transmission challenges.

Conclusion

The world is getting smaller in many ways; logically, yet perhaps paradoxically, the bubble in which individuals and companies live is getting bigger every day. An increased number of participants, frequent and rapid interactions, increased distances, and the lack of reliable intermediaries in many business and social interactions make it challenging to establish trust in people, companies, and transactions. At the same time, there is considerable anxiety over the privacy of data. ZKP technology is all about enabling this increasing engagement and trust while reducing, if not eliminating, the concerns over data privacy. ZKPs offer several interesting solutions to meet this challenge. Technology solutions can use ZKPs independently of blockchain, but incorporating them into a blockchain can significantly enhance the value proposition of blockchain solutions. ZKPs can enable verification of blockchain transactions without violating the privacy of the participants, and they can make blockchain applications more scalable through succinct schemes such as zk-SNARKs. Research and innovation in this space, as well as cautious experimentation by practitioners, is continuing at a brisk pace.