Zero-Knowledge Proof (ZKP)
17/04/2026
A zero-knowledge proof (ZKP) is a cryptographic protocol in which one party (the prover) convinces another (the verifier) that a statement is true — without revealing any additional information beyond the fact that it is true. Zero-knowledge proofs were introduced by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in their 1985 paper "The Knowledge Complexity of Interactive Proof Systems" — a result that won the Gödel Prize (1993) and contributed to Goldwasser and Micali's Turing Award (2012).
The three properties
Every zero-knowledge proof system satisfies:
- Completeness — if the statement is true, an honest prover can convince an honest verifier
- Soundness — if the statement is false, no cheating prover can convince the verifier (except with negligible probability)
- Zero-knowledge — the verifier learns nothing beyond the truth of the statement; no information about why the statement is true leaks
The canonical intuition: proving you know a password without revealing the password.
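The following Python program is an added worked example, not code from the original page: it implements the Schnorr identification protocol, a sigma protocol proving knowledge of a discrete logarithm x with y = g^x, and exercises each of the three properties concretely, then applies the Fiat-Shamir transform to turn the interactive exchange into a non-interactive proof. The secret is derived from a password, which is exactly the "prove you know the password without revealing it" scenario. The 64-bit safe-prime group (generated deterministically at import), the sample password and the `b"login"` context string are assumptions chosen for illustration; a real deployment would use a 2048-bit MODP group or an elliptic curve.

```python
"""Schnorr proof of knowledge of a discrete log, written as a sigma protocol.
Added example, not from the original page. The 64-bit safe-prime group generated
at import is a toy (assumption); real deployments use 2048-bit+ MODP groups or
elliptic curves."""
from __future__ import annotations
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact at the sizes used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 64) -> tuple[int, int, int]:
    """(p, q, g) with p = 2q+1 prime and g of order q; the search starts at a fixed q."""
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue != 1, hence of order q

P, Q, G = safe_prime_group()

def keygen(password: bytes) -> tuple[int, int]:
    """Secret x derived from a password, public y = g^x mod p."""
    x = int.from_bytes(hashlib.sha256(password).digest(), "big") % (Q - 1) + 1
    return x, pow(G, x, P)

# Interactive protocol: prover sends t = g^r, verifier sends c, prover answers s.
def commit() -> tuple[int, int]:
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)  # r stays with the prover, t goes to the verifier

def respond(x: int, r: int, c: int) -> int:
    return (r + c * x) % Q  # s = r + c*x mod q

def verify(y: int, t: int, c: int, s: int) -> bool:
    return pow(G, s, P) == t * pow(y, c, P) % P  # accept iff g^s == t * y^c

def honest_run(x: int, y: int) -> bool:
    """Completeness: an honest prover always convinces an honest verifier."""
    r, t = commit()
    c = secrets.randbelow(Q)  # verifier's random challenge
    return verify(y, t, c, respond(x, r, c))

def extract(c1: int, s1: int, c2: int, s2: int) -> int:
    """Special soundness: two accepting transcripts with the same t and c1 != c2 give
    x = (s1 - s2)/(c1 - c2) mod q; a prover without x succeeds only by guessing c."""
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def simulate(y: int) -> tuple[int, int, int]:
    """Honest-verifier zero-knowledge: without x, pick c and s first and solve
    t = g^s * y^-c; the result verifies and is distributed like a real transcript."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, -c, P) % P, c, s

# Fiat-Shamir: a hash replaces the verifier's challenge (the N in SNARK). Binding
# y and a context into the hash stops replay against another key or statement.
def fs_challenge(y: int, t: int, context: bytes) -> int:
    h = hashlib.sha256()
    for v in (P, G, y, t):
        h.update(v.to_bytes(32, "big"))  # fixed-width encoding; ample for the toy sizes
    h.update(context)
    return int.from_bytes(h.digest(), "big") % Q

def prove_ni(x: int, y: int, context: bytes = b"login") -> tuple[int, int]:
    r, t = commit()
    return t, respond(x, r, fs_challenge(y, t, context))

def verify_ni(y: int, proof: tuple[int, int], context: bytes = b"login") -> bool:
    t, s = proof
    return verify(y, t, fs_challenge(y, t, context), s)

if __name__ == "__main__":
    x, y = keygen(b"correct horse battery staple")  # constructed sample password
    r, t = commit()
    print("completeness:", honest_run(x, y))
    print("simulated transcript verifies:", verify(y, *simulate(y)))
    print("witness extracted:", extract(5, respond(x, r, 5), 9, respond(x, r, 9)) == x)
    proof = prove_ni(x, y)
    print("NI proof ok:", verify_ni(y, proof), "| replayed elsewhere:", verify_ni(y, proof, b"other"))
```

Running it prints four checks: the honest run verifies (completeness); a transcript produced by `simulate` without ever touching x verifies and is indistinguishable from a real one, which is the formal content of "the verifier learns nothing" (zero-knowledge); two responses to different challenges on the same commitment let `extract` recover x, which is why the prover must commit before it sees the challenge and why a cheater's success probability is 1/q (special soundness); and the Fiat-Shamir proof verifies only under the context it was bound to. The interactive version is only honest-verifier zero-knowledge, since a malicious verifier could pick challenges adversarially; deriving the challenge from a hash of the transcript removes that freedom.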
Modern proof systems
- zk-SNARK (Succinct Non-interactive ARgument of Knowledge) — very small proofs (hundreds of bytes) and verification time essentially independent of the size of the circuit being proved. Classical constructions (Groth16, PGHR13) require a circuit-specific trusted setup; PLONK and Marlin use a universal, updatable setup; Halo 2 (developed by Electric Coin Company for Zcash) uses an inner-product-argument polynomial commitment and needs no trusted setup. The setup is the security-critical step: whoever retains the secret randomness from it (the "toxic waste") can forge proofs of false statements, which is why setups are run as multi-party ceremonies in which a single honest participant who destroys their share suffices.
- zk-STARK (Scalable Transparent ARgument of Knowledge) — introduced by Ben-Sasson, Bentov, Horesh and Riabzev (2018). Transparent (no trusted setup), built from hash functions and the FRI low-degree test rather than pairings or discrete-log assumptions, and therefore plausibly post-quantum secure. Proofs are larger (tens to hundreds of KB) and verification is polylogarithmic rather than constant. Used by StarkWare in Starknet and StarkEx.
- Bulletproofs — range proofs whose size is logarithmic in the bit-length of the range, with no trusted setup, at the cost of verification time linear in the statement (slower than a SNARK). Used by Monero for confidential amounts since 2018 (Bulletproofs+ since 2022).
- Nova / HyperNova, Plonky2 / Plonky3 — modern folding-scheme and recursive SNARK systems, optimized for incremental computation.
Uses in crypto
Privacy
- Zcash — shielded transactions using zk-SNARKs (Groth16 → Halo 2)
- Aztec Network, Aleo, Namada — privacy-focused smart contracts
- Monero — Bulletproofs for range proofs
- Tornado Cash — zk-SNARK mixer. OFAC sanctioned it in 2022; in Van Loon v. Department of the Treasury (November 2024) the Fifth Circuit held that its immutable smart contracts are not sanctionable "property" under IEEPA, and OFAC removed Tornado Cash from the sanctions list in March 2025.
Scalability — ZK-rollups
- zkSync Era, Starknet, Polygon zkEVM, Scroll, Linea — compress thousands of L2 transactions into a single validity proof posted to Ethereum. These rollups use ZK for succinctness, not for hiding data.
Identity and credentials
- Worldcoin — proof of personhood from iris scans without revealing the scan itself
- zk-email — proving facts about a DKIM-signed email (for example, that a message from a given sender domain contains a particular string) by checking the DKIM signature inside the circuit, without revealing the rest of the message.
- Polygon ID, Semaphore — on-chain identity without linkable wallet history
Verifiable computation
- zkML (EZKL, Modulus Labs) — proving an AI model ran correctly on specific inputs
- On-chain coprocessors (Axiom, Herodotus) — proving off-chain computation results
Common misconception — "ZK" ≠ "private"
A zk-rollup advertises "ZK" in its name but typically does not provide user privacy. What the rollup relies on is the succinctness of the proof system: one small validity proof attests that thousands of transactions were executed correctly, and Ethereum can check it far faster than re-executing them. The zero-knowledge property is usually not needed at all; a plain validity proof suffices. All transaction data remains public on the rollup and is posted to Ethereum for data availability. For user privacy, additional design is required (Aztec, Aleo).
