# Zero-Knowledge Proofs and Private On-Chain Applications

At Taurus we do not passively “monitor trends”, we participate in them: for two years we have been studying zero-knowledge technologies and have collaborated with some of the leading organizations in this space to assess the security of their solutions. Based on that experience, this post will succinctly present:

- The concept of private on-chain application
- The concept of zero-knowledge proof systems
- Why we believe it’s important for financial applications

## Private On-Chain Applications

The concept of private on-chain applications can be seen as a mix of two notions you might be familiar with:

- **Smart contracts**, or computer programs whose code is stored on a blockchain. Two important properties of smart contracts are 1) the code and arguments of the program are *visible to anyone*, because these can be read from the public blockchain, and 2) the full program must be executed to be verified by the nodes, which prevents *scalability* to more participants and more complex programs.
- **Private token transfers**, as implemented by Zcash and Monero. These are transactions of blockchain tokens where the transfer information (sender, recipient, amount) does not appear on the public blockchain. Instead, the blockchain records a *zero-knowledge proof* that such a transfer was performed—we will explain what these proofs are in the second part of the post.

As you may have guessed, private on-chain applications can be seen as smart contracts (thus implementing arbitrary operations, not only token transfers), built in such a way that the blockchain records zero-knowledge proofs that the application was correctly executed, but otherwise hides the program’s logic and arguments.

This sounds like magic, doesn’t it? But as cryptographer Moti Yung once said, “if it looks impossible to an engineer, then it’s cryptographically interesting”. Let us now introduce the key cryptographic ingredient:

## Zero-Knowledge Proofs

In information security, the term “zero-knowledge” is sometimes used as a grandiose way to say that some security architecture is soundly designed, applying the need-to-know concept to the realm of IT components. However, zero-knowledge has a rigorous definition in the context of cryptographic research, and it’s quite different.

A zero-knowledge proof is first and foremost a *cryptographic protocol*, where a party (the prover) convinces another party (the verifier) that they know the solution to a mathematical problem, but without revealing said solution. Cryptographers’ favorite example is the Schnorr protocol, which lets you prove that you know *x* = log_{g} *y* to a verifier who knows *y* and the logarithm’s base *g*.
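The Schnorr exchange described above, as an added example that is not part of the original post: both sides of the interactive protocol, a simulator showing why an accepted transcript leaks nothing about *x*, and an extractor showing why only someone who knows *x* can answer. The group parameters are toy values constructed for illustration, and all function names are assumptions of this example.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1        # secret x in [1, Q-1]
    return x, pow(G, x, P)                  # public y = g^x, so x = log_g y

def commit():
    r = secrets.randbelow(Q)                # prover: fresh one-time nonce
    return r, pow(G, r, P)                  # commitment t = g^r

def challenge():
    return secrets.randbelow(Q)             # verifier: random challenge c

def respond(x, r, c):
    return (r + c * x) % Q                  # prover: s = r + c*x mod q

def verify(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P   # accept iff g^s == t * y^c

def run_protocol(x, y):
    """One honest three-message run: commitment, challenge, response."""
    r, t = commit()
    c = challenge()
    return verify(y, t, c, respond(x, r, c))

def simulate(y):
    """Honest-verifier zero-knowledge: an accepting transcript can be built
    without x by picking c and s first, so transcripts carry no information on x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P  # t = g^s * y^(-c)  (Python 3.8+)
    return t, c, s

def extract(c1, s1, c2, s2):
    """Knowledge soundness: two answers to different challenges on the same
    commitment determine x, which is also why a nonce must never be reused."""
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

if __name__ == "__main__":
    x, y = keygen()
    print("honest run accepted:", run_protocol(x, y))
    print("simulated transcript accepted:", verify(y, *simulate(y)))
```
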

Zero-knowledge proofs for such simple equations are fairly trivial, and efficient. The biggest challenge that cryptographers tackled in the last few years is how to make such proofs work efficiently for more complex operations, and ultimately for *arbitrary operations*.

The first step was *solved for token transactions* (as illustrated by the Zcash protocol), where proofs were created to verify that, informally put, “a coin not previously spent was sent from a first user to a second user and their hidden balances have been adjusted accordingly and the first user cannot send this coin again”.

Making zero-knowledge proofs work for simple token transactions was a major accomplishment. Generalizing the technique to arbitrary operations then appeared to be an almost impossible undertaking. Yet after excruciating efforts, researchers found approaches to solve the problem, culminating with techniques such as ZEXE.

## Why it matters

The first benefit of zero-knowledge based applications is scalability, or consuming fewer resources to verify operations recorded on a blockchain. It’s fairly obvious that it benefits everyone.

Private computation has countless respectable applications, but let us highlight the potential benefits for digital finance:

- **Data protection**: Client identifiable information (CID), financial balances, and metadata would remain private.
- **Compliance**: Privacy is not (necessarily) a device to evade regulatory compliance. Instead, it can be an enabler, by enforcing need-to-know and segregation of duties at a technical level.
- **Applications**: Where most regulated institutions currently limit their use of blockchains to relatively basic tokens, they could now perform more complex operations on-chain at a reasonable cost.

## References

Zero-knowledge and private computation is a rich field with a variety of techniques, platforms, and sets of properties in terms of privacy and performance. You may have heard the term “ZK Rollup”, which is a general term for techniques addressing scalability, but not necessarily privacy.

Some of the leading projects in that space include Aleo, Aztec, and Starkware.

For the more mathematically inclined, you will find lists of resources on https://zkp.science/ and https://github.com/matter-labs/awesome-zero-knowledge-proofs/.

*Thanks to Adrian Hamelink, Antony Vennard, and Lúcás Meier for their feedback on a draft of this post.*