🔐 Zero-Knowledge Proof. How Does It Work?
I chose one of the well-known privacy and security techniques to explain the concept.
Once upon a time, in a medieval town, there was a merchant named Lucas who sold rare and expensive jewels. Lucas had a secret: he knew the location of a hidden vault full of precious diamonds, but he never wanted to reveal it to anyone. One day, a nobleman came into his shop, ready to buy a diamond, but he wanted to make sure Lucas actually had access to the vault before paying. The problem was, Lucas didn’t trust the nobleman enough to show him where the vault was hidden. That’s when Lucas had a brilliant idea.
He said to the nobleman, “I’ll prove that I can access the vault without showing you where it is.” Lucas then took the nobleman to a forest full of trails, each one leading to an identical-looking entrance. Lucas walked into one of the trails alone and, after a few minutes, came back holding a diamond in his hand. The nobleman was impressed because Lucas had clearly proven he had access to the vault without revealing which trail was the right one or where the diamonds were hidden.
Just like Lucas was able to prove he knew something (the location of the vault) without revealing the actual secret, ZKP allows someone to prove the truth of a statement without sharing the underlying data. This technique is used in modern systems to protect privacy; for example, in financial transactions, where it’s possible to verify that someone has enough balance for a purchase without exposing their bank statement or personal details.
So why did I start with that little story?
In privacy and security projects, there are various types of cryptographic techniques, whether to pseudonymize personal data or to strengthen system security overall.
One of those techniques is ZKP. About eight years ago, I worked on a project using it with Hyperledger Fabric and Blockchain. The idea is simple: proving you know something without revealing what it is. In my case, it was a digital identity project, and ZKP made perfect sense; I needed to prove that I was who I said I was, without exposing the secret behind my identity verification, and blockchain helped make that possible.
Think about it like showing you know the vault's password without actually saying it. Or proving you've solved a Sudoku puzzle without showing the solution. Sounds like magic, but it’s actually math. And more importantly, it’s one of the keys to ensuring privacy in decentralized applications.
Blockchains like Ethereum and Bitcoin are great at keeping immutable records, but they expose all the data; which opens the door to risks like the so-called “poison attack.”
Note: Poison attacks are a real risk, but their effectiveness depends on the attacker’s financial investment, which is why they tend to be rare or have limited impact. Causing a large data leak on a public blockchain would cost the offender a significant amount of money.
With ZKPs, however, you can preserve trust and verifiability in transactions without revealing their content. In other words, you can prove that a rule was followed without disclosing the data that supports it. And that changes the game for applications involving identity, finance, contracts, and even artificial intelligence.
When combined with technologies like Hyperledger Fabric, ZKPs make even more sense. Imagine a group of companies competing with each other, but needing to validate joint transactions in a shared system. With ZKP, one company can perform an action on the blockchain and prove it to the others, without revealing its identity or any sensitive transaction details. It's like saying: “Trust me, but don’t ask how I know.”
And let’s be honest, this kind of approach is way more sophisticated than hiding data in spreadsheets or password-protected ZIP files (nobody still does that, right?).
What’s most fascinating is how this field, once reserved for elite cryptographers, is now becoming accessible to everyday developers. There are specific programming languages, frameworks, and even study groups emerging to make this technology more practical and usable. The future of privacy in blockchain doesn’t just depend on theory, it depends on our ability to actually implement these ideas in real-world systems. And from the looks of it, ZKPs are ready to move out of the lab and into the systems we use and trust every day.
Want a real-world example?
I guess most people have heard about the World Network case by now, right? 1
This case, involving the collection of human iris biometrics in exchange for issuing a digital identity, sparked widespread debates around privacy and security. The World Network uses devices called Orbs to capture iris images from users and generate a unique identifier known as the World ID. These biometric identifiers are then linked to a decentralized system to create a digital identity. In return, users receive financial rewards, such as the Worldcoin (WLD) token. The goal is to build a global infrastructure for proof of personhood, used to fight bots, authenticate transactions, and enable universal access to the digital economy.
One of the project’s key technical elements is its use of Zero-Knowledge Proofs (ZKP), which allow users to prove they have a valid World ID without revealing any additional information about their identity or biometrics. This ensures that biometric data is processed and stored locally on the Orb device, never being transmitted in full to central servers. Only identification codes are used for verification, which significantly reduces the risk of exposing sensitive personal data.
The decision to use ZKP is crucial because it strikes a balance between the demand for privacy and the need for global-scale authentication.
This mechanism prevents third parties, including World Network itself, from having direct access to users’ iris images or other personal information.
Show me the code!
Okay, of course I’m not turning this article, which is already pretty long, into a programming tutorial. There are plenty of frameworks out there for implementing ZKPs in different languages. I’ll just share one small example to illustrate the idea.
Tools like zk-SNARKs and zk-STARKs offer frameworks for integrating ZKP into systems. And languages like Rust, which have dedicated ZKP libraries, can be really helpful. It’s important for developers to understand not just the mathematical foundations of ZKPs, but also how to apply them in real-world scenarios.
For instance, in an anonymous voting system, you could use zk-SNARKs to ensure that a vote is valid without revealing who cast it. With snarkjs
, you can create a circuit to check if the voter’s age is over 18, generate the proof using groth16.full
, and then prove and verify it with groth16.verify
.
Start small to get a feel for it, like this basic example using the snarkjs
library in JavaScript:
const { groth16 } = require("snarkjs");
// proof verification
const proof = await groth16.fullProve({ input: 18 }, "circuit.wasm", "zkey");
const verified = await groth16.verify("verification_key.json", proof);
console.log("Valid vote?", verified);
This proves that the user is over 18 without exposing their exact age. Of course, the example above is heavily simplified, just to show what a practical implementation of the core idea behind a ZKP might look like. That said, the entire system and infrastructure around it must also be designed with the same purpose in mind: to preserve privacy while enabling verification.
Hope you enjoyed it! Until next time!
https://www.reuters.com/technology/verified-human-worldcoin-users-queue-up-iris-scans-2023-07-25/