Non-interactive zero-knowledge proof

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Non-interactive zero-knowledge proofs are zero-knowledge proofs where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the transaction itself. This function of encryption makes direct communication between the prover and verifier unnecessary, effectively removing any intermediaries. The core trustless cryptography "proofing" involves a hash function generation of a random number, constrained within mathematical parameters (primarily to modulate hashing difficulties) determined by the prover and verifier.[1]

With this cryptographic engine, the prover must demonstrate the validity of the transaction, by solving the hash of a random number. Finally, proof of the answer is returned to the verifier, without revealing its value.[2]

There are many different methods for establishing a cryptographic proof of hash validity. Perhaps the most notable method, proof of work, involves computing the proper hash value by means of brute force guessing using computational power. A far more scalable approach involves the more modern proof of stake, which leverages the pooled public-key authenticity of blockchain validator networks.[3]


Blum, Feldman, and Micali[4] showed in 1988 that a common reference string shared between the prover and the verifier is sufficient to achieve computational zero-knowledge without requiring interaction. Goldreich and Oren[5] gave impossibility results[clarification needed] for one shot zero-knowledge protocols in the standard model. In 2003, Shafi Goldwasser and Yael Tauman Kalai published an instance of an identification scheme for which any hash function will yield an insecure digital signature scheme.[6] These results are not contradictory, as the impossibility result[clarification needed] of Goldreich and Oren does not hold in the common reference string model or the random oracle model. Non-interactive zero-knowledge proofs however show a separation between the cryptographic tasks that can be achieved in the standard model and those that can be achieved in 'more powerful' extended models.[citation needed]

The model influences the properties that can be obtained from a zero-knowledge protocol. Pass[7] showed that in the common reference string model non-interactive zero-knowledge protocols do not preserve all of the properties of interactive zero-knowledge protocols; e.g., they do not preserve deniability. Non-interactive zero-knowledge proofs can also be obtained in the random oracle model using the Fiat–Shamir heuristic.

Blockchain Applications[edit]

In 2012, Alessandro Chiesa et al developed the zk-SNARK protocol, an acronym for zero-knowledge succinct non-interactive argument of knowledge.[8] The first widespread application of zk-SNARKs was in the Zerocash blockchain protocol, where zero-knowledge cryptography provides the computational backbone, by facilitating mathematical proofs that one party has possession of certain information without revealing what that information is.[9] Zcash utilized zk-SNARKs to facilitate four distinct transaction types: private, shielding, deshielding, and public. This protocol allowed users to determine how much data was shared with the public ledger for each transaction.[10]

In 2017, Bulletproofs[clarification needed] was released, which enable proving that a committed value is in a range using a logarithmic (in the bit length of the range) number of field and group elements.[11] Bulletproofs was later implemented into Mimblewimble protocol (the basis for Grin and Beam, and Litecoin via extension blocks) and Monero cryptocurrency.[12]

In 2018, the zk-STARK (zero-knowledge Scalable Transparent ARgument of Knowledge)[13] protocol was introduced[by whom?],[14] offering transparency (no trusted setup), quasi-linear proving time, and poly-logarithmic verification time.[15]


Originally,[4] non-interactive zero-knowledge was only defined as a single theorem-proof system. In such a system each proof requires its own fresh common reference string. A common reference string in general is not a random string. It may, for instance, consist of randomly chosen group elements that all protocol parties use. Although the group elements are random, the reference string is not as it contains a certain structure (e.g., group elements) that is distinguishable from randomness. Subsequently, Feige, Lapidot, and Shamir[16] introduced multi-theorem zero-knowledge proofs as a more versatile notion for non-interactive zero-knowledge proofs.

Pairing-based non-interactive proofs[edit]

Pairing-based cryptography has led to several cryptographic advancements. One of these advancements is more powerful and more efficient non-interactive zero-knowledge proofs. The seminal idea was to hide the values for the evaluation of the pairing in a commitment. Using different commitment schemes, this idea was used to build zero-knowledge proof systems under the sub-group hiding[17] and under the decisional linear assumption.[18] These proof systems prove circuit satisfiability, and thus by the Cook–Levin theorem allow proving membership for every language in NP. The size of the common reference string and the proofs is relatively small; however, transforming a statement into a boolean circuit incurs considerable overhead.

Proof systems under the sub-group hiding, decisional linear assumption, and external Diffie–Hellman assumption that allow directly proving the pairing product equations that are common in pairing-based cryptography have been proposed.[19]

Under strong knowledge assumptions, it is known how to create sublinear-length computationally soundproof systems for NP-complete languages. More precisely, the proof in such proof systems consists only of a small number of bilinear group elements.[20][21]


  1. ^ Goldreich, Oded; Krawczyk, Hugo (1996). "On the Composition of Zero-Knowledge Proof Systems". SAIM. 25 (1): 169–192. doi:10.1137/S0097539791220688. Retrieved 4 November 2022.
  2. ^ Rackoff, Charles; Simon, Daniel (1991). "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack". Advances in Cryptology — CRYPTO '91. Lecture Notes in Computer Science. Vol. 576. Springer. pp. 433–444. doi:10.1007/3-540-46766-1_35. ISBN 978-3-540-55188-1. S2CID 10098664. Retrieved 4 November 2022.
  3. ^ Rajitha, Nair; Dorai, Ramya (2021). "Evaluation of Performance and Security of Proof of Work and Proof of Stake using Blockchain". IEEE. 3 (1). Retrieved 4 November 2022.
  4. ^ a b Manuel Blum, Paul Feldman, and Silvio Micali. Non-Interactive Zero-Knowledge and Its Applications. Proceedings of the twentieth annual ACM symposium on Theory of computing (STOC 1988). 103–112. 1988
  5. ^ Oded Goldreich and Yair Oren. Definitions and Properties of Zero-Knowledge Proof Systems. Journal of Cryptology. Vol 7(1). 1–32. 1994 (PS)
  6. ^ Shafi Goldwasser and Yael Kalai. On the (In)security of the Fiat–Shamir Paradigm. Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS'03). 2003
  7. ^ Rafael Pass. On Deniability in the Common Reference String and Random Oracle Model. Advances in Cryptology – CRYPTO 2003. 316–337. 2003 (PS)
  8. ^ Bitansky, Nir; Canetti, Ran; Chiesa, Alessandro; Tromer, Eran (January 2012). "From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again". Proceedings of the 3rd Innovations in Theoretical Computer Science Conference on - ITCS '12. ACM. pp. 326–349. doi:10.1145/2090236.2090263. ISBN 9781450311151. S2CID 2576177.
  9. ^ Ben-Sasson, Eli; Chiesa, Alessandro; Garman, Christina; Green, Matthew; Miers, Ian; Tromer, Eran; Virza, Madars (18 May 2014). "Zerocash: Decentralized Anonymous Payments from Bitcoin" (PDF). IEEE. Retrieved 26 January 2016.
  10. ^ Ben-Sasson, Eli; Chiesa, Alessandro. "What are zk-SNARKs?". Retrieved 3 November 2022.
  11. ^ Bünz, Benedikt; Bootle, Jonathan; Boneh, Dan; Poelstra, Andrew; Wuille, Pieter; Maxwell, Greg (May 2018). "Bulletproofs: Short Proofs for Confidential Transactions and More" (PDF). 2018 IEEE Symposium on Security and Privacy (SP): 315–334. doi:10.1109/SP.2018.00020. Retrieved 2 December 2022.
  12. ^ Odendaal, Hansie; Sharrock, Cayle; Heerden, SW. "Bulletproofs and Mimblewimble". Tari Labs University. Archived from the original on 29 September 2020. Retrieved 3 December 2020.
  13. ^
  14. ^ Scalable, transparent, and post-quantum secure computational integrity, Ben-Sasson, Eli and Bentov, Iddo and Horesh, Yinon and Riabzev, Michael, 2018
  15. ^ Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev (March 6, 2018). "Scalable, transparent, and post-quantum secure computational integrity" (PDF). International Association for Cryptologic Research. Retrieved October 24, 2021.{{cite web}}: CS1 maint: uses authors parameter (link)
  16. ^ Uriel Feige, Dror Lapidot, Adi Shamir: Multiple Non-Interactive Zero-Knowledge Proofs Under General Assumptions. SIAM J. Comput. 29(1): 1–28 (1999)
  17. ^ Jens Groth, Rafail Ostrovsky, Amit Sahai: Perfect Non-interactive Zero Knowledge for NP. EUROCRYPT 2006: 339–358
  18. ^ Jens Groth, Rafail Ostrovsky, Amit Sahai: Non-interactive Zaps and New Techniques for NIZK. CRYPTO 2006: 97–111
  19. ^ Jens Groth, Amit Sahai: Efficient Non-interactive Proof Systems for Bilinear Groups. EUROCRYPT 2008: 415–432
  20. ^ Jens Groth. Short Pairing-Based Non-interactive Zero-Knowledge Arguments. ASIACRYPT 2010: 321–340
  21. ^ Helger Lipmaa. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. TCC 2012: 169–189