許明恩

Founder of 區塊勢 (Block Potential) | LikeCoin and Desmos validator. I write for a living, and so far I eat well. I also host a podcast; recording is my latest love. I buy wine faster than I drink it, so the cellar is under the living-room sofa. Moscato is my favorite. The farthest I have been is Brazil, where the most amazing things were swimming in the Amazon and fishing for piranha, done separately. Never climbed Yushan, got halfway around Taiwan by bicycle, and swam across Sun Moon Lake. Proud to wear shorts to work; there is not a single big plaid shirt in my closet.

Understanding zero-knowledge proofs

Hi, I'm Xu Mingen (許明恩), the author of Block Potential.

Block Potential is a paid subscription publication that delivers two articles and one podcast episode every week. I produce all of it full-time: plain-language, insightful blockchain writing, graphics and audio interviews. If you like my articles, you are welcome to subscribe and support original blockchain content from Taiwan.


Now, to the point.


Last Saturday I was at the Taiwan Internet Governance Forum with several experts in the blockchain field, discussing the current state of blockchain development. To watch the video, click here. There were two blockchain sessions that day: the first discussed regulatory issues, and the last discussed the development of blockchain.

I wonder how many members are still mining. If you are mining ether, you are doing the same thing as Google co-founder Sergey Brin.

He also described the concept of "zero-knowledge proof" at the blockchain summit as "mind-boggling". That left everyone curious: what kind of wizardry is a zero-knowledge proof, and why would a founder of Google be so astonished by it?

In the blockchain field, "zero-knowledge proof" is a well-known technical term. Yet most people treat it the way they treat MakerDAO: they nod and say they have heard of it, then admit sheepishly that they don't really understand it.

Zero-knowledge proofs are widely regarded as one of the hardest topics in blockchain. The technology has only just emerged and people are only now beginning to understand it, so this should be the moment when the barrier to entry is lowest. It also still has a lot of room for improvement. Today, let's start with what blockchains have to do with zero-knowledge proofs.

The Blockchain Dilemma: Privacy vs. Verifiability

We have often compared the blockchain to a ledger, with the people responsible for bookkeeping called miners.

When miners record a transaction, they first make sure the sending address (or account) has a sufficient balance, that the money is available, and that it has not already been committed elsewhere. Because miners need to verify this, many blockchains are designed to publish every address's transaction history on the Internet, so that the software running on miners' computers can check the balance of each address one by one.

On the other hand, because transaction details are forced into the open for miners to check, anyone who knows another person's address can openly look up all of that person's transaction records. There is no privacy at all.

Thinking about it in terms of a bank account makes it easier to see what is so scary about this.

It is as if anyone who knew my bank account number could openly look up every deposit and withdrawal on the Internet. The only difference is that what can be looked up today is the income and expenditure of cryptocurrencies, which most people rarely use. For example, find the ether tipping address of the author at the bottom of this article, paste that address into the search box here, and you can see how many people tipped him and when.

So why can the bank transfer services we use today keep accounts correctly without disclosing our account balances to the public?

With a bank transfer, your personal account information is disclosed completely to the bank. In other words, the bank knows the full income and expenditure history of your account, but the bank is strictly regulated and may not disclose that information to outsiders. On the blockchain, however, there is no bank doing the bookkeeping, only miners around the world running mining software. That is why the original design of blockchains forces everyone to disclose their account information.

So blockchain development faces a dilemma: users want to keep their privacy, but miners must know users' transaction records to do the accounting. This matches a conclusion I reached earlier: the "anonymous but public" design of the Bitcoin blockchain is exactly the opposite of the "real-name but secret" design that is actually needed.

Over the past few months we have seen many countries, Taiwan included, start to require exchanges to add "real-name verification" to account registration in order to prevent crime. And from today's discussion we can also see that users will care more about the privacy of their cryptocurrency transactions in the future, and will not want them fully exposed on the Internet as they are now.

But if transaction records are not public, miners cannot check transactions. What can be done?

This is where zero-knowledge proofs come in.

Keep it secret, but verifiable

The effect of a zero-knowledge proof is that you do not need to let miners know the exact balance in your account, yet miners can still be sure that there is money in your account and that it is enough to pay for this purchase.

I quote from the MIT Media Lab's explanation of zero-knowledge proofs:

You are holding two pool balls, one green and one red, identical except for their color. Suppose I am red-green colorblind, so to me you appear to be holding two identical balls. The question: can you convince me, a colorblind person, that the two balls really are different colors, without revealing any information about color?

Sure!

You just hand both balls to me, the colorblind one, and ask me to put them behind my back and swap them (or not) as I please, then bring them out and let you "guess" which ball was originally in my left hand and which hand it is in now.

You can tell at a glance that the ball originally in my left hand was green and is now in my right hand. You do not need to guess at all; you can easily point out that the balls changed places. To the colorblind person, though, this is astonishing: as far as I can see these are identical balls, so you must have simply guessed right.

But after we repeat the test a few times, I will soon believe you: there really must be some difference between the two balls that I just cannot see. And you never revealed anything about color at all.

This is called a zero-knowledge proof.

Nothing about color is ever mentioned in our interaction. In other words, even though the exchange carries "zero knowledge" about color, you can still use another method to convince the colorblind person that the two balls differ in color.

Someone who can see color can of course tell at a glance that the two colors differ, but to convince a colorblind person that the two balls are different, you have to use a zero-knowledge proof.

Do you see it?

The colorblind person here is like the miners on the blockchain. If nobody discloses their transaction details on the Internet, users must instead use zero-knowledge proofs to convince the checking miners that they really do have the money and that it can be spent, even though the miners cannot see it.

Of course, using zero-knowledge proofs to convince miners that you have enough money is far more complicated than convincing a colorblind person, and the computation involved is very heavy. The pool balls are just a simplified example to make the idea easy to grasp, but the logic of the two is exactly the same.
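As an added illustration that is not part of the original post, the following Python simulation plays out the colorblind pool-ball protocol described above: an honest prover who can see color is always accepted, a prover who can only guess survives n rounds with probability 2^-n, and the transcript the verifier keeps contains no color information at all. The function names, the seed parameter and the trial counts are assumptions of this example.

```python
import random

# Added example, not from the original post: a simulation of the colorblind
# pool-ball protocol. The colorblind verifier hides the balls, randomly swaps
# them or not, and the prover must say whether a swap happened.

GREEN, RED = "green", "red"

def honest_prover(before, after, rng):
    """Can see color, so always knows whether the hands were swapped."""
    return before != after

def cheating_prover(before, after, rng):
    """Cannot tell the balls apart, so can only flip a coin (drawn from rng)."""
    return bool(rng.getrandbits(1))

def run_protocol(prover, rounds, seed=0):
    """Run the interaction; return (accepted, transcript).
    The transcript holds only swap bits and answers, never a color: that is
    the zero-knowledge part, the verifier learns nothing beyond 'different'."""
    rng = random.Random(seed)          # simulation randomness (constructed)
    balls = (GREEN, RED)               # (left hand, right hand)
    transcript = []
    for _ in range(rounds):
        swapped = bool(rng.getrandbits(1))
        shown = (balls[1], balls[0]) if swapped else balls
        answer = prover(balls, shown, rng)
        transcript.append((swapped, answer))
        if answer != swapped:
            return False, transcript   # one wrong answer and the verifier rejects
        balls = shown
    return True, transcript

def soundness_error(rounds):
    """Chance that a guessing prover survives every round: 2 ** -rounds."""
    return 2.0 ** -rounds

def cheat_success_rate(rounds, trials, seed=0):
    """Empirical fraction of trials in which a guessing prover is accepted."""
    hits = sum(run_protocol(cheating_prover, rounds, seed + i)[0]
               for i in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(honest_prover, 10)[0])
    for n in (1, 5, 10, 20):
        print(f"{n:2d} rounds: bound {soundness_error(n):.6f}, "
              f"observed {cheat_success_rate(n, 2000):.4f}")
```

Each extra round halves the chance that a bluffer slips through, which is why the colorblind verifier in the story only needs "a few" repetitions to be convinced.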

Quite counterintuitive! No wonder Sergey Brin calls it an incredible technology.

If we now go back and look at why zero-knowledge proofs matter to the blockchain, it becomes much clearer. Through zero-knowledge proofs, the two roles (user and miner) that seemed locked in a zero-sum game can now both get what they need: privacy (secrecy) for the user and verification (accountability) for the miner.

So, is anyone really using zero-knowledge proofs?

Yes. The first blockchain to use zero-knowledge proof technology is called Zcash, and the specific method is called zk-SNARKs, which is one of many zero-knowledge proof schemes and the most famous one.

Zcash can encrypt the sender, recipient and amount of a transaction, so miners have no way of knowing those details, yet they can still verify the transaction. However, most users' transactions on Zcash are still unencrypted.

Why? Because the cost is relatively high; we will discuss that in the next section.

In addition, smart contracts on Ethereum can already use the zk-SNARKs method. Ethereum, however, does not approach it purely from the angle of privacy; it applies zero-knowledge proofs to save computing cost.

With zk-SNARKs, Ethereum miners no longer need to re-execute a transaction's computation; they only need the other party to provide a proof. It is like not having to check for myself that you can do the math from each of your three years of high school: a glance at your high school diploma is enough to be sure you know high school math. This is only worthwhile, however, if the cost of producing the proof is much lower than the cost of the actual computation.

Simply put, zero-knowledge proofs are a new method that can satisfy both users' privacy and miners' verification needs. But as mentioned at the start, zero-knowledge proofs have only just appeared, and there are still many weaknesses to study and improve.

A technology worth looking forward to

Even though software developers can now apply zk-SNARKs in Ethereum smart contracts, not many actually do. The main concern is that zk-SNARKs take too long to compute and require too much computation.

That the computation time is too long is easy to understand. Where miners could previously complete a check within 1 second, it now takes 7 seconds or even as long as 40 seconds, which slows down the operation of the whole blockchain.

As for the amount of computation, we discussed just last week that the miner fee on Ethereum is calculated as the unit price (gas price) multiplied by the amount of computation (gas limit). So when zk-SNARKs are used in a smart contract, its users have to pay high miner fees, and if they raise the unit price to get the transaction through urgently, the fee is even more expensive.

In addition, the current capacity limit of each Ethereum block is about 8,000,000 gas. If executing the smart contract costs millions of gas every time, other transactions have no room left in the block and can only wait for the next one, which slows the blockchain down even further.

At a time when most blockchains have improving operational efficiency and solving scalability problems as their primary goal, adopting zero-knowledge proofs is not high on the list. The widespread adoption of zk-SNARKs in blockchain is therefore probably a few years away, and there is no need to panic. For developers, now may be a good time to invest in research.

Finally, let's look at it from a regulatory perspective.

The more privacy a technology offers, the more criminals like it. Previously, the police could clearly trace the flow of funds from the transaction records that the Bitcoin blockchain publishes on the Internet. Although they did not know who was behind those addresses, matching the records with other information (such as IP addresses) gave them a chance to find the operator.

But if blockchains adopt zero-knowledge proofs in the future, government supervision will become harder. So it is worth watching how governments will strike the balance between user privacy and supervision. Or, from a technical point of view, perhaps in a few years there will be new technologies that meet both needs at once, just as zero-knowledge proofs meet the needs of privacy and verification at the same time.

Thanks to Chen Changwu and Liang Zhicheng for reviewing the manuscript.

CC BY-NC-ND 2.0
