Zero-Knowledge Proofs: Zcash, Ethereum, Coda, Leverj etc.

by Martin Banov

A brief overview of zero-knowledge explanation implementations/applications in blockchain-based systems (e.g., Ethereum, Zcash, Leverj, Coda, REN).

This is part two of a two-part array on zero-knowledge proofs. Part one examines in fact the family of cryptographic protocols famous as zero-knowledge proofs including zk-SNARKS AND zk-STARKS. We suggest starting there.

Zcash: Bitcoin + Zerocoin. Implementation Specifics.

Zcash, a obvious and determined early actor in the cryptosphere, radically builds on Bitcoin’s codebase (i.e., is a Bitcoin fork), fluctuating the Bitcoin custom with the combined ability to optionally disguise unchanging BTC sell in a apart pool (of devoted ones) that hides from open perspective information about sender, receiver, balances or value transacted (allowing for resourceful avowal to selected parties underneath resources that need it). In that aspect, Zcash integrates the Zerocash protocol/cryptographic scheme (a peer-reviewed custom for decentralized unknown e-cash, creatively due by Matthew Green in 2013) into a Bitcoin accord protocol.

ZCash transaction pools: unchanging and shielded.

Generating the SNARK open parameters (the initial public/private pivotal pair, the private part of which is to be destroyed) of Zcash takes place through a multi-party mathematics protocol (MPC) referred to as “the ceremony.” Several participants each beget one shard of the public/private pivotal set, then mix the open shards to beget the open parameters of the Zcash network and destroy the private shards (the MPC custom ensures that as long as at slightest one of the 6 shards is broken the poisonous rubbish will be unfit to recreate). 

Zcash node client.

Zero-knowledge sell in Zcash are certified by bend the validation duty into an homogeneous arithmetic circuit, violation down the judicious stairs into the smallest probable operations that could paint them. A relating imprisonment system (Rank 1 Constraint System, shortened R1CS) is then assembled to safeguard exactness and all gets bundled and translated into the polynomial denunciation of a Quadratic Arithmetic Program (QAP), followed by the capricious checks of polynomials at incidentally selected sites in sequence to determine the proof. The routine of constructing zk-SNARKs in Zcash is described in more detail here, while Vitalik Buterin explains QAPs in a blog post here.

Example of a transaction between safeguarded addresses from the Zchain block explorer.

Zcash launched in 2016 with obvious cryptographer, confidence specialist, and cypherpunk Zooko Wilcox as CEO. Aside from Professor Eli Ben-Sasson as the first scientist, other notables names compared with the plan include Arthur Breitman (Tezos) and Vitalik Buterin as advisors. The Zcash village forum can be found here and the updated custom selection (November 14, 2018) here

ZClassic, a flare off Zcash, differs from a prototype in that there are no founders fees (as with Zcash, where founders take 20% of the rewards for the first 4 years heading to a poignant thoroughness of the supply) and all rewards go directly to the miners instead. Apart from that, ZClassic (ZCL) uses the same trusted parameters as Zcash. ZenCash is nonetheless another bend off along the lines of ZClassic which tries to enhance the ZK functionality (utilizing the same libsnark libraries) to embody other pardonable applications such as publishing, storage, secure chat, a book system, etc. ZenCash works with IOHK in researching and building the specifications of some of a system components (such as the book system, DAG-like scalability solutions, etc.) and both it and, sincerely recently, also Ethereum Classic (likewise IOHK affiliated) suffered 51% attacks which severely put into doubt the viability of Proof-of-Work accord systems.

Ethereum: Applications in Smart Contracts and dApps, Financial Engineering, Off-Chain Computations With Reliable On-Chain Verifications

The Ethereum Metropolis custom upgrade introduced the ability to well verify zk-SNARKs on-chain (allowing for certain agreement variables to be effectively made private). So, rather than storing tip information on-chain, it can instead be stored with the users who are means to infer they are operative in suitability with the manners of the agreement around SNARKs (with each use requiring their possess devoted setup, though once a circuit for a duty exists it can easily be reproduced). 

While Zcash boundary a operation of focus to safeguarded UTXO silver payments and as such uses the same circuit/computation for every charge in its zk-SNARK system setting, zk-SNARKs in Ethereum are not singular to a singular computational problem but concede anyone to set up a specific zk-SNARK system for their specific duty though carrying to launch a apart blockchain for the purpose (allowing for capricious off-chain computations to be accurate on-chain). Some of the several applications of ZKP in Ethereum, including most new developments, are illustrated and epitomised in a nutshell in the examples that follow. These embody a ubiquitous purpose zk-SNARKs toolkit for on-chain corroboration of proofs (to be embedded in intelligent contracts), private and devoted sell of Ethereum-based assets, loginless ZKP authentication schemes, etc.  

ZoKrates: A toolbox for zk-SNARKs on Ethereum

ZoKrates is a circuit compiler for zkSNARKs (developed by Cornell Blockchain) used for formulating programs off-chain and joining them to the Ethereum blockchain, thereby expanding the capabilities of one’s dApp. SNARKs concede for verifying computations on-chain for a fragment of the cost of using them and carrying an whole universe (all nodes on the network) concurrently govern them in sequence to determine their effect (something that is apparently impractical). The corroboration costs of zkSNARKs, in other words, are eccentric of their computational complexity (thus, retard complexity boundary also do not ask in zkSNARK formulations, permitting for throughput to be increased). 

With Byzantium, Ethereum introduced the zkSNARK precompiles (i.e., Elliptic Curve addition, scalar multiplication, pairing checks, etc.) that yield the necessary usable condensation and production for zkSNARKs which concede for seamless formation with Ethereum (from module formula selection to on-chain corroboration of the execution of the module code). 

ZoKrates provides a domain-specific high-level denunciation with Python-like syntax for more conveniently naming computations in a more epitome way (than arithmetic circuits or R1 imprisonment systems, though still rather closely imitative them). The compiler transforms these programs into provable imprisonment systems (arithmetic circuits identical to a sudoku puzzle) that concede for execution to be accurate on-chain and from which the zkSNARK is generated. The package includes collection for setup phase, declare mathematics (finding a analogous resolution to the given imprisonment system), the explanation era itself and intelligent agreement corroboration (as Solidity formula that can be used to determine the mathematics on-chain, customarily exported in the stream operative office as verification.sol).

Jacob Eberhart giving a display about ZoKrates at an Ethereum Developers Conference (showing a blueprint of the ZoKrates internal architecture).

The high-level denunciation supports a obsolete form (positive numbers), indispensable statements and assertions, loops (for), conditionals (if-else) and defining of functions. Gas costs for on-chain verifications change a bit depending on the number of submit parameters given with the proof, but the categorical cost is consistent and rather high (but stays sincerely uniform, regardless of the complexity of the computation).

# compile
./zokrates compile -i new_program.code
# perform the setup phase
./zokrates setup
# govern the program
./zokrates compute-witness -a 337 113569
# beget a explanation of computation
./zokrates generate-proof
# trade a reduction verifier
./zokrates export-verifier

The above are the commands of the provided command-line interface for compiling formula into an inner illustration of arithmetic circuits. The module is gathered and executed off-chain, computing a declare for the gathered module (creating a declare record in ./witness) and generating a devoted setup for it (creating a explanation pivotal and a verifying pivotal found at ./proving.key and ./verifying.key). 

The ZoKrates documentation is available here

Zk-Dai: Private Transactions of Stable Assets (MakerDAO Managed Insurance Derivatives)

A good example of how ZoKrates can be used is the zk-SNARK-based Dai transaction horizon grown by a group at the recent ETHSingapore hackathon. ZkDai is a zero-knowledge doing of MakerDAO’s Dai – a stablecoin boldly soft-pegged to the US dollar and managed by the Maker DAO (the MKR token holders), Ethereum’s “central bank.” 

A discerning explanation of manually formulating a zkDai note using ZoKrates, Kyber swap, Truffle, and MetaMask.

The dApp uses Kyber swap to modify an volume or sum value of tokens into Dai and then generates a proportional value of zkDai (as a tip note) on-chain. A note is represented as a tuple of the open pivotal of the note owners and the value of the note in Dai: 

Note = (ph, v)

What is saved on-chain however is the crush of that note, Hash(pk,v). In sequence to spend a note, one must zk-prove he knows the tip (private) pivotal that corresponds to pk and the value of the note, producing a ZKP of the note crush on the on-chain registry (that is, a current explanation of the computation C(sk, v) = h, where h is a crush of the note). Zk-Dai records are spent like UTXOs - records amounting to the value to be transacted are bundled together and propagated to the receiver in form of a new zkDai note while any remaining leftover value becomes a new note reserved to the owner's key. 

ZkDai is identical to the AZTEC custom we look into next, as both work via tip notes. These same beliefs could easily be practical to any other Ethereum asset, bringing a absolute apparatus for engineering of financial instruments (that deliver singular remoteness properties) to the ecosystem.  

AZTEC: Anonymous Zero-knowledge Transactions With Efficient Communication

AZTEC is a ZK custom on Ethereum that enables devoted sell around encrypted 'notes' and join-splitting transactions. Instead of zk-SNARK schemes, however, it creates use of Boneh-Boyen signatures to emanate joining schemes with rarely fit operation proofs. AZTEC records enclose the Ethereum residence of the note’s owners and an encrypted illustration of how much ‘value’ the note binds ("commitment"), in further to private information about the value of the note and a viewing key enabling decryption of the note (but not spending).

A crypto-asset that conforms to the AZTEC custom will enclose a note registry, which allows a intelligent agreement to redeem the open information of every unspent note that exists at present. A devoted transaction takes place by assigning value and tenure to records and explanation their attribute around AZTEC ZK proofs which the AZTEC token agreement will countenance and record in a note registry. The AZTEC token intelligent agreement effectively serves as a protector of the resources (ERC-20 tokens or other) while they are in devoted note form.

The paper of the AZTEC custom selection is available here

Loginless ZK Authentication Systems (in App-specific Plasma Side-chains)

Leverj, a Plasma side-chain formed hybrid sell (previously combined about) creates use of a loginless zero-knowledge authentication intrigue on a platform. After registration with the exchange, ZKA (zero-knowledge authentication) is set up and the user is asked to pointer a user agreement through the customer program app (e.g., MetaMask). The server then validates the signature and creates an comment with the particular Ethereum residence compared with the API key.

The browser generates the API pivotal using a web3 library alongside an compared tip pivotal which is downloaded client-side without being eliminated or stored server-side. The API pivotal is mapped to a analogous Ethereum comment residence around an on-chain Registry Contract that marks pivotal tenure and rights/privileges. The API pivotal represented by the Ethereum residence does not have entrance to a user’s supports but only authorizes trading.

The API pivotal tip is stored in the browser’s internal storage, and all requests to the server are sealed using this key. This resource enables secure communication between user and server while avoiding event cookies thereby expelling a operation of ordinarily compared conflict vectors.

Coda: Constant-Sized Blockchain around a Recursive Composition of zk-SNARKs

In terms of scalability, Coda is an example of a custom progressing a constant-sized blockchain (compressed into a little snapshot) via zk-SNARKs. In existent blockchain designs, the more people are transacting at a time, the harder and slower corroboration becomes. Coda creates it probable to effectively determine the whole blockchain while only downloading a small volume of information using a recursive mixed of zk-SNARKs (based on cycles of elliptic curves). 

Traditional blockchain (above) and Coda (below).

Coda is grown by O(1) Labs who also say an OCaml front-end for essay R1CS (Rank 1 Constraint System) SNARKs for verifiable mathematics (based on the libsnark back-end) called Snarky

The Coda custom selection paper (draft) is available here. There is also an podcast with CEO Evan Shapiro and CTO Izaak Meckler that covers in more fact the matters of blockchain scalability challenges, the laconic computational firmness record Coda uses and the domain-specific denunciation for zkSNARK computations (Snarky) employed.

Ren Project: Zero-Knowledge Dark Pools and Cross-Chain Swaps

A quite desirous endeavour utilizing ZKP technologies, Republic Protocol was incepted in 2017 with the purpose of building a decentralized resolution for dim pools around secure multi-party computations. Generally, dark pools are mediums for trade derivatives, bonds and other financial instruments in a way that maintains trades confidential, dim from the open reach of the ubiquitous investing public. Dark pools have been around for the last thirty-five years or so and a lot of exchanges and broker-dealers possess dim pools (such as the vast eccentric ones like Liquidnet and Instinet to the more broker-dealer-owned dim pools like J.P.Morgan or Fidelity). Roughly 15% of the volume of equities traded are pronounced to take place on dim pools.

Republic Protocol began as a plan aiming to come up with such solutions for the crypto-economy and went on to, in the process, develop into the Ren Project, as explained in a recent blog post from January, "Ren - The Evolution of a Protocol":

For Republic Protocol, the way to grasp this remoteness has been a bespoke secure multiparty mathematics (sMPC) engine. However, around our progress, village and stakeholder feedback has indicated that to comprehend the full intensity of the dim pool, finish end-to-end remoteness is indispensable at every theatre of the user journey: gripping balances private, gripping sequence relating private, and even gripping on-chain allotment private. In response to this, we have developed our sMPC engine into something more stretchable and more absolute and begun investigate into suites of techniques and collection to grasp this end-to-end privacy. This perfection of these elements will turn something distant more powerful: Ren, an ecosystem of unstoppable privacy.

The initial proceed while building Republic Protocol was to emanate a bespoke sMPC resolution specialized for dim pools. However during the routine of building the sequence relating engine using sMPC, we detected that pattern stipulations restricting the doing of critical dim pool functionality could be overcome if we combined a ubiquitous purpose practical appurtenance that was powered by our latest advancements to sMPC technology. This guided us towards building RenVM.

RenVM is the practical appurtenance and the core member underpinning the whole Ren stack, designed for carrying out any decentralized mathematics in finish remoteness by leveraging a mixed of secure multi-party computations (sMPCs) and zkSNARKs. The Ren stack includes a ubiquitous zero-knowledge transaction covering extended with a cross-chain interoperability covering and a dim pool covering for tip sequence matching.


The Ren stack, underpinned by the RenVM, a practical appurtenance built around secure multi-party computations and zkSNARKs.

Darknodes in Ren consecrate a apart off-chain peer-to-peer network using on a DHT (distributed crush tables) pattern that passively observes the Ethereum blockchain, gripping lane of who registers and submits a REN bond (a good behavior bond) on Ethereum. This prevents potentially antagonistic nodes from entrance along and entering the network. The web of darknodes is where computations are executed by particular nodes, complementing the servicing blockchain. While Ren/Republic is primarily implemented on Ethereum, it could easily be deployed on any other sequence providing identical intelligent agreement functionalities.

zkTransaction Layer

The zkTransactor is a decentralized focus deployed to RenVM. A private pivotal is personally generated for the start blockchain (e.g., Ethereum) and only the zkTransactor has control over supports sent to it. Users can deposition balances into it (via the compared open pivotal that designates the address) and zkTransactions are made between open addresses by interacting with the zkTransactor (which acts as a kind of unconstrained mediator). All balances and transfers that way sojourn hidden. Users can at any time repel remaining balances or supports sent to the zkTransactor.

Such doing easily resolves probable regulatory issues by ancillary zkTransactors specific to different jurisdictions and means to infer correspondence while at the same time minimizing potentially disastrous consequences from detriment of privacy.  

SwapperD: A Wallet for Privacy Preserving Cross-Chain Swaps

SwapperD is to be a wallet interfacing with RenVM and zkTransactors that will yield remoteness preserving cross-chain swaps seamlessly between different blockchains and ecosystems. By providing nonetheless another resource for facilitating cross-chain interoperability, Ren aims to yield a simple, concept process for the whole courtesy to perform trustless swaps between blockchains, bridging the differently now fragmented ecosystem.

As an audited, open-source tool, SwapperD is designed to be easily integrated into third-party applications portion as a customary for cross-chain settlements. Once zkTransactors have been finished for mixed blockchains, SwapperD will be upgraded to directly use RenVM for more efficient, more powerful, and totally tip cross-chain swaps. 

Dark Pools and Darknodes

RenEx is the strictly upheld dim pool that demonstrates the use of a dim sequence book powered by Darknodes (live trade is finished at Defining a customary for a dim sequence book would concede any celebration to set up and muster their possess dim pool sell customized to their specific functions and circumstances, each dim pool defining their possess set of manners tailored to work in different jurisdictions with their analogous regulatory mandate and support for different allotment options, both centralized and decentralized. 


A peer-to-peer DHT network mapping keys to values on a blockchain. Ren darknodes form their possess apart middleware that routes messages between nodes and maps certified nodes to their staked REN on the blockchain (which stores value). Darknodes lift out computations between themselves that can then be accurate as possibly current or shabby on the blockchain around zero-knowledge proofs and zkSNARKs.

Notable Partnerships 

In Sep last year Ren announced their partnership with TrueUSD (which was then integrated with RenEx), a stablecoin legally corroborated and redeemable 1:1 with the US dollar. Unlike Tether (USDT), TUSD is directly redeemable for fiat around the portal. 

Ren is also one of the two merchants (the other being Kyber) concerned in WBTC (Wrapped Bitcoin) that launched on the 31st of Jan this year.


Like other likewise oriented startups (e.g., DigixDAO), Republic Protocol is formed in Singapore and at the time of using the ICO (in Jan 2018), CEO Taiyang Zhang was 21 years old. The team, including CTO Loong Wang, is mostly from Australia and the Australian National University. Wang, as can be seen from his LinkedIn profile, specializes in distributed systems and parallel/functional programming. 

Summary and Conclusion

Zero-knowledge explanation schemes that safety the confidentiality of transaction metadata are a essential member of an open financial system, distributed crypto-economies and the permissionless open record-keeping that coordinates their activity. Various implementations concede for shortening the probable marketplace impact of specific actions and incomparable orders, substantiating dim pools and avoiding the neglected courtesy of meddling eyes and antagonistic opportunism. Additionally, they benefaction poignant implications for on-chain scalability by almost minimizing on-chain footprint, relocating formidable computations off-chain (but being capable of reliably verifying their integrity). 

Other critical applications embody ensuring suitable on-chain governance structures by providing verifiable, unknown voting schemes that forestall information leakage. Using ZKPs, authorised electorate can infer their right to expel a list though divulgence their identity, creation the voting system anonymous. In addition, ZKPs concede electorate to ask a verifiable explanation that their opinion was enclosed in the final total by the entity stating the results. This creates the opinion results auditable by the electoral body, even if the votes themselves are not manifest on a public blockchain, while guaranteeing that the pithy manners of the procession and custom horizon are legitimately followed through. 

Other distributed ledgers and system architectures will positively follow through along and exercise their possess versions of zero-knowledge explanation systems as the space develops, evolves and matures. Either way, the intensity applications of ZKP enhance way over just cryptocurrencies and are theme to continual ongoing educational and institutional investigate on many different fronts by many different kinds of actors (e.g., applications to do with security, detecting system harm attempts and counterfeiting, malware showing and anti-virus in distributed networks, expelling the need for many kinds of escrow services, improving authentication systems and entrance control, more firmly structuring information and information flows and even potential applications in chief disarmament talks). 

That concludes part two of our two-part array on zero-knowledge proofs. Part one examines in fact the family of cryptographic protocols famous as zero-knowledge proofs including zk-SNARKs and zk-STARKS.

Links and Resources

ZoKrates Gitter and documentation (for zkSNARK constructions on Ethereum). is a good example of a elementary SKP app - a zero-knowledge cue manager and devoted information protected combined in Javascript. Everything submitted is locally encrypted by the browser before transmitted with the passphrase famous only to the user client-side. is a podcast focusing on DLT and ZKP applications.  

Zcash public forum and Rocket chat.

primer on ZKP by Matthew Green

"ZkSNARKs in a Nutshell", a great exegetic paper by Christian Reitwießner.

Horizen (formerly ZenCash) official site.

ZClassic official site.

Disclaimer: information contained herein is supposing though deliberation your personal circumstances, therefore should not be construed as financial advice, investment recommendation or an offer of, or questionnaire for, any sell in cryptocurrencies.

Article source:

Leave a Reply