A brief history of zero
HomeHome > Blog > A brief history of zero

A brief history of zero

Jun 28, 2023

ZK-SNARKs. ZK-apps. ZK this. ZK that.

These two letters, shorthand for zero-knowledge proofs, are everywhere in the world of crypto. Every new startup seemingly includes some iteration of ZK in its pitch deck. Even established blockchains like Polygon, which does business with companies like Starbucks and Mastercard, have marketed new products based on the buzz letters.

Some crypto enthusiasts are so excited about zero-knowledge proofs that they believe they’ll "become an important part of the way the economy works" and will eventually be "taught in high school," Jason Morton, an associate professor of mathematics at Penn State who is on leave to build his own startup, joked to Fortune.

And some go even further. "Zero-knowledge proofs are going to become a fundamental part of humanity's infrastructure," Zooko Wilcox, CEO of Electric Coin Co., which leads the development of cryptocurrency Zcash, told Fortune.

But what do zero-knowledge proofs actually do? And how did this buzzy piece of mathematics become so, well, buzzy?

In 1985, academics Shafi Goldwasser, Silvio Micali, and Charles Rackoff published what Michael Walfish, a professor of computer science at New York University, called a "monster paper." Titled "The Knowledge Complexity of Interactive Proof-Systems," it was the first theoretical articulation of zero-knowledge proofs, he told Fortune.

The cryptographic technique, in essence, allows you to prove that you know something without revealing what you know. To make the abstract concrete, imagine two friends: one color-blind and one not. There's a red ball and a blue ball. The color-blind friend hides the two behind her back, possibly mixing them up, presents them, and the friend with better vision says whether they’ve been switched. The friend who's examining the balls—guessing or even possibly lying—has a fifty-fifty shot to pick the right one. But if the exercise is repeated a million times, the friend with the better vision almost certainly can't pick the correct ball by happenstance. By the end of the exercise, the color-blind friend still has "zero knowledge" of which ball is which color but knows that her friend does.

The privacy benefits of zero-knowledge proofs are obvious. We can, for example, maintain ownership of our own banking data and, through a zero-knowledge proof, verify that we computed our credit scores correctly—without revealing our private banking information. Or we can prove to employers that we know our Social Security ID without showing them the nine-digit number.

However, the proofs are complicated and computationally intensive to produce, and for years remained in the realm of theory, not practice.

In the early 1990s, researchers outlined a more general category of proofs called succinct proofs, according to Dan Boneh, a professor of computer science and electrical engineering at Stanford.

These cryptographic computations allow someone to verify something is true without needing to parse through each and every statement. An auditor can, for example, quickly make sure someone correctly submitted a tax return without seeing data from the return or checking every mathematical operation.

How succinct proofs work is more difficult to illustrate through a concrete example than zero-knowledge proofs. "Succinctness is magic," Boneh told Fortune. "There's no good physical explanation for why it's possible."

That being said, "succinctness," or needing significantly less time to prove something true, is what excites most crypto entrepreneurs and investors. Blockchains like Ethereum are slow, decentralized computers. As developers create more complex applications, the time and computing power needed to run the applications on blockchains increase. Succinct proofs can solve this problem by "proving" that code ran correctly off-chain, or on more powerful computers that aren't blockchains.

Why mention succinct proofs in the same breath as zero-knowledge proofs? The effort needed to turn the former into the latter is generally minimal, multiple cryptographers told Fortune. Hence, people tend to conflate the two terms.

"You can have succinct proofs that are not zero-knowledge," Boneh told Fortune. "And you can have zero-knowledge proofs that are not succinct."

From the 1990s onward, zero-knowledge and succinct proofs were largely the realm of academia. But beginning in 2010, researchers realized that they could implement them on modern-day machines, Walfish, the professor at New York University, told Fortune.

With the rise of faster computers and the availability of funding for cryptography research, he said, those like Justin Thaler, a researcher at a16z Crypto and an associate professor at Georgetown, outlined how to generate zero-knowledge and succinct proofs on actual machines.

The emergence of cloud computing, according to Thaler, also added further impetus toward implementation. Laptops or smartphones are slower than the combined power of a fleet of Amazon servers, but with a succinct proof, one desktop can verify that a swath of computers correctly ran a program. "It's not me doing the computing," Thaler said of cloud computing. "Why should I trust the answer with someone else?"

And in 2009, the anonymous Satoshi Nakamoto invented Bitcoin and the blockchain. With the launch of blockchains came the need to reduce their computational workloads. "It's a slow computer that's expensive to operate," Boneh said of a blockchain. "And because of that, you want to basically have to do as little work as possible."

"Giving people freedom from the central bank controlling the money supply and from all the cops and authoritarians and nosy neighbors and everyone who wants to control everyone, those are all part of the whole Bitcoin value proposition," Wilcox, the Electric Coin Co. CEO, told Fortune.

But while Bitcoin was once seen as a secure ledger where users could send and receive digital currency beyond the government's prying eyes, investigators and enterprising analysts eventually figured out how to track transactions and trace them back to flesh-and-bone individuals.

In 2013, academics, building off improvements in zero-knowledge proof implementations, outlined proposals for "Zerocoin" and then "Pinocchio Coin," which promised to make Bitcoin's pseudonymous transactions "fully anonymous."

The authors of Zerocoin eventually teamed up with Wilcox, a computer scientist and self-proclaimed cypherpunk, to launch Zcash. The cryptocurrency was perhaps the first implementation of zero-knowledge proofs at a scale large enough that those beyond academia were interacting with the mathematical technique daily.

To launch the new cryptocurrency, there needed to be what has since been dubbed "The Ceremony," an elaborate days-long affair to ensure that no bad actor discovers the secret cryptographic key needed to instantiate the cryptocurrency. (If bad actors had the key, they could print Zcash by the handful.)

In 2016, Wilcox and his team successfully performed the "The Ceremony," which included slicing into a Lenovo desktop used to generate the secret key with an angle grinder and burning the electronic waste, and launched Zcash, whose tokens still trade hands to this day.

While the initial "Ceremony," or what academics call a trusted setup, was successful, it was also incredibly involved. And Wilcox and his team would need to redo it anytime they wanted to create a new zero-knowledge proof for a different set of computations.

So researchers and developers devised ways to tamp down on how elaborate "The Ceremony," needed to be, according to Riad Wahby, an assistant professor of electrical and computer engineering at Carnegie Mellon.

"From 2016 onwards, there was this move towards either eliminating the trusted setup phase, or at least making it so that you could do the trusted setup once and then reuse it for any computation," he told Fortune.

By 2019, developers suddenly had far more efficient means to generate zero-knowledge proofs without burning Lenovo desktops or organizing an international group of cryptographers in Denver.

At the same time, Ethereum, a blockchain that is essentially a slow, decentralized computer, was exploding in popularity. More developers were creating more sophisticated applications to run on it, and they in turn needed ways to improve apps’ speed.

Most zero-knowledge proofs, remember, are "succinct," or allow someone to prove something is true without auditing each and every statement. To exploit this property, developers "roll up," or compile and evaluate en masse, transactions off-chain and prove that they did so accurately by producing a zero-knowledge or succinct proof. A blockchain network needs only to verify the proof, which takes considerably less time compared with checking every transaction.

A flood of ZK, or zero-knowledge, roll-up solutions soon emerged across the world of crypto—like Aztec, zkSync, and others—to join projects, like Zcash, that exploit the privacy quality of zero-knowledge proofs. (In fact, the majority of ZK roll-ups are not privacy preserving at all, says Wahby.)

Researchers are now continuing to push the capabilities of zero-knowledge proofs to both make them more efficient as well as allow developers to easily "program" them, or put computer programs into a proof without customizing one for a new program each and every time.

"People really, really think this is the big problem with proofs right now," Wahby of Carnegie Mellon told Fortune. "They’re really, really hard for programmers to use."

Even so, some are beginning to use them to tackle problems more existential than improving slow blockchains. Researchers are, for example, designing zero-knowledge proofs to verify whether the right A.I. algorithm ran, verification that becomes all the more important when a machine learning model is, hypothetically, diagnosing cancer or trading billions of dollars.

Wilcox of Zcash believes that, within five to 10 years, zero-knowledge proofs will work in the background whenever we interact with technology. "All of that is going to rely on zero-knowledge proofs to make it so that you’re not getting hacked and exploited by a foreign nation-state every time you open your phone or get into your car," he told Fortune.

If Wilcox's predictions prove true, perhaps we’ll move beyond ZK this and ZK that and forget the letters entirely. "Zero-knowledge proofs have evolved to the status," he added, "where they are now ready to be used for all purposes."

Learn more about all things crypto with short, easy-to-read lesson cards. Click here for Fortune's Crypto Crash Course.