Merge pull request #52 from dusk-network/mocello/51_zkp

moCello · web-flow · commit 7abb0bb12236 · 2025-05-21T15:33:40.000+02:00
content: Updating ZKP article
diff --git a/src/content/docs/learn/deep-dive/cryptography/zkp.md b/src/content/docs/learn/deep-dive/cryptography/zkp.md
@@ -5,76 +5,158 @@ description: Discover how zero-knowledge proofs empower privacy, security and sc
 
 ## Introduction
 
-Zero Knowledge Proofs (ZKPs) are cryptographic techniques that allow a prover to convince a verifier that a given statement is true without revealing any additional information.
+A Zero-Knowledge Proof is a method by which one party (the prover) can convince another party (the verifier) that they know a value or that a statement is true, *without* revealing any information beyond the fact that the statement is true.
 
-ZKPs represent a significant advancement in the field of cryptography and privacy-preserving computation, as they expand the range of problems that can be solved and the methods by which they can be approached. ZKPs introduce new mathematical abstractions and tools to reason about information and its manipulation.
+This capability is pivotal in scenarios where privacy and confidentiality are paramount, such as in secure communications, authentication systems, and blockchain technologies. Dusk Network leverages ZKPs to ensure data privacy and compliance within its decentralized infrastructure.
 
-Zero Knowledge Proofs allow for more expressive and powerful privacy-preserving protocols, as the primary focus is on the relationships and transformations between different pieces of information, rather than the specific values themselves.
+---
+
+## What is a ZKP?
+
+Zero-Knowledge Proofs are a powerful cryptographic technique that allows one party to prove knowledge of a certain fact or solution, without revealing *why* the fact is true or *what* the solution is.
+
+Put differently: a prover can convince a verifier that they know something, without giving away any details about that knowledge.
+
+This concept has wide-ranging implications. In practice, it means proving ownership of data, the correctness of a computation, or the satisfaction of a policy—without disclosing the underlying data itself.
+
+To illustrate, let’s take an analogy from graph theory.
+
+### Example: Proving a Graph is 3-Colorable
+
+Imagine you are given a complex graph—nodes connected by edges. Your challenge is to assign one of three colors to each node, in such a way that no two connected nodes share the same color. This is known as **3-coloring**, a well-known computational problem.
+
+Now, suppose you claim to have a valid 3-coloring of the graph. Instead of revealing the full coloring (which could be sensitive, or valuable in a competitive setting), you want to prove to someone else that your solution exists and is correct.
+
+Here’s how you could do it—zero-knowledge style:
+
+1. You place the graph on a table and cover each node with a cone, hiding its color.
+2. The verifier picks an edge at random and asks you to lift the cones on the two nodes connected by that edge.
+3. You reveal the colors of just those two nodes.
+4. The verifier checks that the two nodes are indeed differently colored.
 
-ZKPs offer a unique computing paradigm that focuses on privacy-preserving computation, allowing for the verification of computations without revealing the underlying data or the specifics of the computation itself.
+Since the verifier chooses the edge randomly, and you don’t know in advance which one will be selected, you must have colored *all* connected nodes differently to pass the test consistently.
 
-ZKPs can also be viewed as a form of knowledge-compression technology, as by leveraging SNARKs they allow for a succinct proof size and reduced communication overhead.
+By repeating this process enough times with fresh shuffles of the hidden coloring, the verifier becomes statistically confident that your 3-coloring is valid—without ever seeing the full solution.
 
-ZKPs can be also used as a means of verifiable computation, as they enable the prover to prove the correctness of the computation without revealing any information about the computation’s input, output, or internal detail.
 
-To understand how a ZKP works, it is useful to know some basic concepts:
+This is the essence of a Zero-Knowledge Proof:
+- You demonstrate the **validity** of a statement.
+- You reveal **no information** beyond that validity.
+- You do so in a way that is repeatable, verifiable, and cryptographically secure.
 
-- **Statement**: A claim or assertion that the prover wants to prove to a verifier. A statement is publicly known information.
-- **Witness**: a secret that the prover possesses that is used to prove the statement. The witness is the necessary element for the Prover to generate a valid proof. In a ZK setup, the Prover wants to prove to the - Verifier that he knows the witness, without showing it.
-- **Prover**: The party trying to prove the statement is true, without revealing the witness.
-- **Verifier**: The party verifying the statement’s truth without learning the witness.
+---
+
+## zk-SNARKs: Efficient Zero-Knowledge Proofs
+
+Among the many types of ZKPs, one of the most widely used in blockchain is the **zk-SNARK**:
 
-## SNARKs
-Zero Knowledge Proofs are usually built using a Succinct Non-Interactive Argument of Knowledge (SNARK). The reason is that a SNARKs provides a succinct proof (short and fast to verify). By using SNARKs and adding Zero Knowledge proprieties, we obtain efficient zk-SNARKs.
+> **zk-SNARK** stands for **Zero-Knowledge Succinct Non-interactive Argument of Knowledge**.
 
-The proprieties of a SNARK are:
+Let’s break that down:
+- **Zero-Knowledge**: Nothing is revealed beyond the truth of the statement.
+- **Succinct**: The proof is small and quick to verify.
+- **Non-interactive**: No back-and-forth is required between prover and verifier.
+- **Argument of Knowledge**: The prover must *actually* know the information they claim to know.
+
+Dusk Network leverages zk-SNARKs to build private smart contracts and confidential transactions that remain verifiable by the network—without exposing sensitive data.
+
+---
+
+## Why Are ZKPs Important?
+
+ZKPs are crucial for building systems that are:
+- **Private**: Sensitive data remains confidential.
+- **Scalable**: Proofs can be tiny and fast to verify.
+- **Trustless**: No need to rely on central authorities or share secrets.
+
+In Dusk’s ecosystem, ZKPs enable features like:
+- **Private token transfers**
+- **Confidential smart contract logic**
+- **On-chain compliance checks without data leakage**
+
+---
 
-- **Completeness**: An honest Prover always will convince the verifier.
-- **Soundness**: if the prover lies, the verifier will reject the answer with a high probability.
-- **Succinctness**: proof is short, and verifying time is fast.
-- If the SNARK is also zero-knowledge, the verifier does not learn anything about the message itself.
+## How Do zk-SNARKs Work?
 
+To understand how zk-SNARKs function, we need to look at two core ideas:
 
-## Arithmetic Circuits
+### 1. Arithmetic Circuits
 
-Once we have the computation trace of the statement we want to prove, we can arithmetic circuits to translate that computation into algebraic equations.
+Think of an arithmetic circuit as a kind of mathematical checklist.
 
-An arithmetic circuit is a mathematical model that can represent a computer program via relations between polynomials. Using math, we can leverage the propriety of polynomials to prove statements.
+For example, suppose you want to prove you know a number $m$ such that a specific hash function $H$ applied to $m$ gives $h$:
 
-In order to construct a SNARK, the computation to be proven needs to be translated into an arithmetic circuit. By doing so, it is possible to perform very specific arithmetic operations (such as additions and multiplications over the finite field). 
+$$
+H(m) = h
+$$
 
-An arithmetic circuit takes as inputs some elements in the finite field and produces an element of the field as output. It is important to notice that the bigger is the computation that needs to be proven, the bigger the number of gates that are needed in the circuit. More specifically, the circuit is constrained to have a maximum number of gates equal to the degree of the polynomial.
+In regular terms, you’d just show $m$. But if $m$ is private (say, a secret key), you can instead create a circuit that checks whether:
 
-If you want to know more about circuits, you can have a look at the [deep dive into circuits](/learn/deep-dive/cryptography/circuits).
+$$
+H(m) - h = 0
+$$
+
+If this evaluates to zero, then your claim is valid.
+
+This circuit can be compiled into a form that zk-SNARKs can understand, and you can generate a proof without showing $m$.
+
+Each circuit takes:
+- **Public inputs** (like $h$)
+- **Secret inputs** (like $m$, called the **witness**)
+
+The goal is to prove the circuit output is zero without revealing the witness.
+
+### 2. The SNARK Process
+
+zk-SNARKs involve three main steps:
+
+1. **Setup**
+   A special algorithm generates parameters tailored to the circuit. These are shared between the prover and verifier.
+
+2. **Prove**
+   The prover uses their secret (the witness) and the setup data to generate a proof.
+
+3. **Verify**
+   The verifier checks the proof using only the public inputs and setup data.
+
+If the proof checks out, the verifier is convinced the prover knows a valid secret—without learning anything about it.
+
+---
+
+## Setup Types: Trusted vs Trustless
+
+A zk-SNARK system needs an initial setup, and this can be done in different ways:
+
+- **Trusted Setup**: Involves generating parameters using secret randomness. If this randomness is compromised, it can compromise the system. That's why secure ceremonies (often involving multiple independent participants) are used to make sure none of this "toxic waste" leaks.
+
+- **Trustless Setup**: Utilizes methods that do not require any party to trust another, often employing publicly verifiable randomness to generate parameters. This setup often has trade-offs in proof size or verification speed.
+
+### Dusk Network's Approach
+
+Dusk Network conducted a **multi-party computation (MPC) ceremony** to securely generate the parameters needed for its ZKP systems. This process involved multiple participants contributing random inputs to create a common reference string (CRS), ensuring that as long as at least one participant is honest, the resulting parameters are secure. The ceremony was designed to be transparent and verifiable, reinforcing the integrity of Dusk's cryptographic foundations.
+
+For more details on Dusk's trusted setup ceremony, you can visit their GitHub repository: [Dusk Trusted Setup](https://github.com/dusk-network/trusted-setup)
+
+---
 
-An arithmetic circuit can resemble a Directed Acyclic Graph (DAG), where Internal nodes are gates that represent an arithmetic operation (x,+,-,:), and inputs are the variables.
+## Summary: Why It Matters
 
-![Circuit](../../../../../assets/zk-gates.png)
+Zero-Knowledge Proofs (ZKPs) are not just a cryptographic innovation—they are the cornerstone of Dusk Network’s mission to create a financial system that is both private and compliant. By integrating ZKPs into its core architecture, Dusk enables a new paradigm of decentralized finance that respects user privacy while adhering to stringent regulatory standards.
 
+### Bridging Privacy and Compliance
 
-## How to construct a zk-SNARK
+Traditional financial systems often force a trade-off between privacy and compliance. Dusk Network challenges this dichotomy by employing advanced ZKP technologies, such as zk-SNARKs, to ensure that transactions are confidential yet verifiable. This means users can prove the validity of their transactions without revealing sensitive information, aligning with privacy regulations like the General Data Protection Regulation (GDPR).
 
-The state-of-art when it comes to constructing SNARKs, boils down to:
+### A Compliant Privacy Model
 
-- Representing the computer program via an arithmetic circuit, by using addition and multiplication gates. This transformation allows to represent the computation in the form of algebraic relations. The reason why this is important is that when working with elliptic curves (or other cryptographic primitives) complex algebraic expressions can be efficiently verified (in contrast to the operations of a computer program's bytecode).
-- Converting the circuit description obtained from the arithmetization step into a polynomial identity. In other words, using the arithmetization to obtain a bunch of equations that prove properties of polynomials. By doing so, multiple instances of the arithmetic gates can be succinctly represented via polynomials (therefore enabling succinct commitments to them). One important thing to notice is that the more complex the program is, the higher is the degree of the correspondent polynomials. 
-- Committing to the polynomial representation using a Polynomial Commitment Scheme. Different PCS come with different tradeoffs, properties and cryptographic assumptions. It is usually preferrableusing commitment schemes with a constant proof size (that doesn’t depend on the size of the circuit).
-- Evaluating the polynomial identity at a random point, several times. If a polynomial identity holds at a random point, it is almost guaranteed to hold at every other point (Schwartz–Zippel lemma). Being able to verify these polynomial relationships by only looking at a single point of evaluation is the reason why we can do it so efficiently.
+At the heart of Dusk's approach is the Phoenix transaction model, a pioneering framework that combines privacy with regulatory compliance. Phoenix allows for the inclusion of encrypted sender information within transactions, which can be decrypted by authorized parties when necessary. This design ensures that while transaction details remain confidential, they can still be audited to meet Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements.
 
-The above allows for the following flow:
+### Empowering Users and Institutions
 
-- A prover wants to convince a verifier that they have correctly performed a computation on secret input data.
-- The prover creates a zero-knowledge proof demonstrating the correctness of the computation while keeping the input data secret.
-- The verifier checks the proof to confirm the correctness of the computation without learning any information about the input data.
-- The prover successfully conviced the verifier that the statement is true without revealing the secret witness.
-Because of the above steps, what happens in practice is the following:
+Dusk's vision is to democratize access to financial services by bringing institution-level assets to everyone's wallet. Through privacy-preserving smart contracts and programmable digital assets, users can engage in financial activities—such as trading, lending, and investing—without compromising their personal data. Institutions benefit from streamlined compliance processes and reduced custodial risks, fostering a more inclusive and efficient financial ecosystem.
 
-Which more specifically consists in:
+### A New Standard for Decentralized Finance
 
-- The prover encodes the witness by using a Polynomial Commitment Scheme, which is a cryptographic tool that allows the prover to commit to a polynomial.
-- The prover and verifier engage in an Interactive Oracle Proof (IOP), by interacting via oracle queries. During this interactive stage, the verifier queries the oracle at specific points to check the consistency of the witness with the statement.
-- The interactive proof is transformed into a non-interactive one by using the Fiat-Shamir heuristic. This is achieved by replacing the verifier’s random challenges with a deterministic hash function. The prover is then able to generate the non-interactive proof combining the PCS and IOP.
-- The prover sends the non-interactive proof to the verifier, who can now efficiently verify the proof without any further interaction with the prover.
-- The verifier checks the proof and, if it’s valid, becomes convinced that the statement is true without learning any additional information about the witness.
+By embedding ZKPs into its Layer 1 protocol, Dusk sets a new standard for decentralized finance—one where privacy and compliance coexist. This approach not only protects individual freedoms but also ensures that the financial system remains transparent and accountable. In essence, Dusk leverages the power of ZKPs to build a blockchain that is both secure and socially responsible.
 
-If you want to know more about SNARKs, you can have a look at the [deep dive into zk-SNARKs](/learn/deep-dive/cryptography/iop_pcs).
+For a deeper understanding of how Dusk integrates ZKPs into its architecture, explore our technical documentation on the [Phoenix transaction model](https://dusk.network/news/phoenix-security-proofs).
