Zero-knowledge proofs in Tezos

Tezos will use zero-knowledge proofs too. Did someone analyze their points? Can we use some of the ideas for zcash?

Quote from Tezos paper:

Zcash makes an impressive use of zero-knowledge proofs to provide full, information theoretic, anonymity, but the risk – however remote – of undetected hyperinflation in the event of a bug in the proof circuit makes some users uncomfortable.

Our initial plan is to strike a compromise and integrate Zcash’s proof circuit in the protocol, but restrict its operations to a special token issued on the Tezos blockchain. This token will be convertible 1 to 1 with Tezos tokens, but the chain will keep track of how many tokens have been converted so that undetected in action in the privacy preserving token cannot spill over onto the main token. Users who trust the security of the privacy preserving token will have full use of its functionality while those who don’t will remain protected as long as they do not make use of the privacy feature. This mechanism replicates the economic behavior of a side chain, but on a single ledger.
In the long run, the team intends to replace all operations on the blockchain with zero-knowledge proofs. Instead of downloading an entire blockchain a client will be able to download a single proof attesting that the entire blockchain has been validated starting from the genesis hash. However, to that end, they will likely make use of STARKs, zero knowledge proofs similar to SNARKs but which do not require a trusted setup.

2 Likes

The Zcash developers have been working with Professor Eli Ben Sasson on the possible use of STARKs in a production environment like Zcash (or any other public blockchain). But for now it seems the proof sizes are way too large to be viable.

To quote Prof. Sasson:
"I summarized the main advantages of STARK over SNARK, as already pointed out in my video talks: more scalable prover (currently \~10X faster), leaner crypto assumptions (Fiat Shamir), post-quantum security, no trusted setup. Main disadvantage is proof size (currently \~2000X longer, or ~ 600KB; as @arielg noted it could go down, say, to 100K for ZCash statements, this is an optimistic guess, not something we've actually done yet). I also repeated that even if it's not reasonable to use STARKs for single tx's, due to their size, their scalability should be useful if/when used to aggregate many many tx's. But the very first thing that needs to be done is to get the paper published and peer reviewed, which will take some more time."

That quote is from https://chat.zcashcommunity.com in the #zcash-wizards channel. Feel free to drop by the chat and see the rest of the conversations or post a question for Prof. Sasson about STARKs.

I hope one day that STARKs will be ready for use on a public Blockchain, and when they are ready I expect Zcash to be the first to use them.

2 Likes