To understand ZK is to become a believer [Sponsored]

By: Aleo

If you’ve been paying attention to the ever-changing landscape of blockchain technology, you may have noticed that recently a new buzzword has been making the rounds: “Zero-Knowledge” or “ZK”. If you have been paying attention to cryptography for the past 30 years, it’s incredibly exciting that this concept is finally getting something close to mainstream attention. There is a kind of cult associated with ZK, because once you understand what it is and what it can do, it has a way of infecting your mind with all of the seemingly magical ways it can change the world (for the better). The members of the ZK cult with the technical chops required to actually advance the field tend to work ONLY on ZK, almost certainly because they find it difficult to THINK about anything other than ZK. That’s because of the promise it holds.

What is ZK?

ZK, in the simplest possible terms, is about creating a cryptographic proof that a statement about some data is true, without revealing the data itself. By law, the example chosen for this is the classic:

“I know a valid solution to this unsolved sudoku puzzle”

Using ZK, a prover (call him Peter) can construct a Zero-Knowledge Proof (ZKP) of this statement for a particular sudoku puzzle only if he actually knows a valid solution to it (this is the soundness property), and a verifier (Viviane) will be convinced of the statement, with at most a negligible chance of being fooled, without seeing any part of the withheld solution (this is the zero-knowledge property). If you want to learn a little more about the math that actually makes this work see this explainer video.
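As an added illustration (not code from this post or from Aleo), here is the simplest zero-knowledge proof of knowledge there is, a Schnorr sigma protocol: Peter proves he knows the discrete log x of a public value y = g^x without revealing x. The group parameters p = 2039, q = 1019, g = 4 are assumed toy values chosen so the numbers stay readable; a real deployment uses a 256-bit elliptic-curve group, but the protocol is identical. The block shows the three properties the text relies on: completeness (an honest proof verifies), soundness (two answers to different challenges on the same commitment let anyone extract x, so only someone who knows x can answer reliably, and a wrong witness fails), and zero-knowledge (a simulator produces valid transcripts without ever holding x). The `challenge` function applies the Fiat-Shamir transform, which is what turns the interactive game into a single message that can be posted and checked later.

```python
"""Schnorr sigma protocol: prove knowledge of x with y = G^x (mod P) without
revealing x.  Added example, not Aleo's code.  The group below is a TOY
safe-prime group (assumed parameters chosen for readability); a real system
would use a 256-bit elliptic-curve group, but the protocol is identical."""
import hashlib
import secrets

P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup generated by G
G = 4     # a square mod P, hence of order Q (and not 1)

assert pow(G, Q, P) == 1 and G != 1  # sanity check on the toy parameters


def keygen():
    """Secret witness x and public statement y = G^x.  Only x is secret."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit(r):
    """Prover step 1: commit to a fresh random nonce r.  Reusing r across two
    proofs leaks x (see extract below), so r must never be repeated."""
    return pow(G, r, P)


def respond(x, r, c):
    """Prover step 3: answer challenge c.  s is uniform when r is, so s on
    its own says nothing about x."""
    return (r + c * x) % Q


def verify_transcript(y, t, c, s):
    """Verifier: accept iff G^s == t * y^c (mod P), with all values in range."""
    if not (0 < t < P and 0 <= c < Q and 0 <= s < Q):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def challenge(y, t):
    """Fiat-Shamir: the challenge is a hash of the statement and the
    commitment, which removes the live verifier and binds the proof to y."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove(x, y):
    """Non-interactive proof (t, s) that the prover knows the x behind y."""
    r = secrets.randbelow(Q - 1) + 1
    t = commit(r)
    return t, respond(x, r, challenge(y, t))


def verify(y, proof):
    """Check a non-interactive proof by recomputing the challenge."""
    t, s = proof
    return verify_transcript(y, t, challenge(y, t), s)


def simulate(y):
    """Zero-knowledge: WITHOUT x, choose c and s first and solve for t.  The
    result is a valid transcript, so a transcript cannot be evidence of x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # y^(Q-c) == y^(-c) since y has order Q
    return t, c, s


def extract(t, c1, s1, c2, s2):
    """Soundness: two valid answers to different challenges on the same
    commitment t give x = (s1 - s2) / (c1 - c2) mod Q.  Whoever can answer
    reliably therefore 'knows' x, and a wrong witness cannot pass."""
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    x, y = keygen()
    print("honest proof verifies:", verify(y, prove(x, y)))
    print("simulated transcript verifies:", verify_transcript(y, *simulate(y)))
    r = secrets.randbelow(Q - 1) + 1
    t = commit(r)
    print("wrong witness fails:", not verify_transcript(y, t, 7, respond(x + 1, r, 7)))
    print("nonce reuse leaks x:", extract(t, 7, respond(x, r, 7), 11, respond(x, r, 11)) == x)
```

The point to take from `simulate` is the whole idea of zero-knowledge: if a forger can produce transcripts that are distributed exactly like real ones, then a real transcript carries no information about x that the verifier could not have made up themselves. The point to take from `extract` is why the "only if he actually knows a solution" part holds: the protocol is built so that answering correctly twice is equivalent to handing over the witness.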

Beyond sudoku puzzles, what useful things can be done with this primitive? For blockchains there are two great applications:

  1. Privacy-preserving proofs about secret information (the “zero-knowledge” property proper)
  2. Succinct verification of arbitrarily long computation (the “succinctness” property of a SNARK; note that a proof system can be succinct without being zero-knowledge, and vice versa, so the two have to be designed for separately)

Both are exciting: the latter leads to greater efficiency, while the former allows for the end of mass digital surveillance and data harvesting.

ZK Power #1: Privacy

We all like having good search engines. We all like having good personalized recommendation engines for music, videos, news, or even potential romantic partners. It’s better to have ads that are more likely to be something one would actually be interested in buying than not. We all like being able to prove things about ourselves in order to gain exclusivity. All of these things are crucial to the modern internet and are absolutely impossible without some amount of personalized “tuning” to the individual using them. Unfortunately, what this means is that large companies hoover up every waking moment of our digital lives and save them forever in order to facilitate these personalized engines. ZK changes all that.

With ZK, recommendation engines don’t need to survey someone’s entire history to know what they likely want. The only information they need to work with are simple ZKPs stating minimal details about their interests. The company serving ads doesn’t need to know someone’s entire search history to know that they are interested in buying a car. All it needs is a ZKP over that individual’s search history attesting that they might be interested in buying a car and that they clicked on the ad. While we’re at it, the advertiser might also like a ZKP that the person clicking through was a real person and not just a bot. When it comes to blockchains, this kind of privacy is going to be crucial as well. Nobody, not you, not the banks, not Wall Street, not the governments, wants the world’s financial system to be completely public on an open ledger for all to see. Nobody wants a system where knowing your bank address shows you your bank balance and all your transaction history. The blockchain doesn’t technically need to know any of that either; it just needs to know that the smart contracts executed correctly, and everything else it is more than happy to keep private. Which leads us on to:

ZK Power #2: Scalability

Remember the part of Hitchhiker’s Guide to the Galaxy where the Deep Thought supercomputer disappointingly announces the answer to Life, the Universe, and Everything as “42” after a 7.5 million year long computation? Realistically, the administrators’ first thought would be that at some point the computer made a mistake. But how would they verify that the computation executed correctly? Naively they could re-run the entire computation and see if it came to the same conclusion as the original. That’s fine for a computation that takes a few seconds, not so much for one that takes 7.5 million years. ZK’s second superpower is to allow a proof of some computation to be created that is tiny (say 1 KB), takes milliseconds to verify, and convinces the person checking it that a computation of ANY length (even 7.5 million years) ran correctly. That magic comes at a cost, however: creating the proof is predictably far more computationally expensive than simply running the program without a proof, typically by orders of magnitude. Therefore ZK isn’t a catch-all for verifiable computation; it is only worth the tradeoff if either it would be infeasible for the verifier to run the full program themselves, or the same program is expected to be verified often enough that the extra proving time is outweighed by the cumulative verification time saved. There is a fairly obvious use case that falls into BOTH of those categories: blockchain.

Oh right, this is about Aleo

Remember how insane the idea of verifying some enormous computation by brute-force re-running it yourself sounded? Well, that’s exactly how nearly all smart contract blockchains work today! In order to run a full node and verify things yourself, you must re-execute each and every smart contract execution from genesis to the current time, which is of course insane, and is why so few people actually run full nodes on these kinds of blockchains and why they end up heavily centralized as a result.

Aleo is the exception. In fact smart contracts aren’t even executed on-chain. The way a smart contract works on Aleo is that the person who wants to authorize a smart contract to do something with their funds runs the computation of that smart contract off-chain while creating a proof of that computation, then publishes JUST THE PROOF (together with the small amount of public data the proof is checked against) to the blockchain. This tiny proof is all that is needed to convince validators and full-node verifiers that the smart contract executed correctly, and it only takes milliseconds to verify, even if it took 7.5 million years to create. This is a radically more sensible way to validate smart contract logic for blockchains, and it will actually allow decentralized verification by users rather than depending solely on validators.

Having a smart contract chain that only cares about these bare-minimum proofs at the protocol level also allows Aleo to be privacy preserving. In essence all the proof says is that “Smart Contract X did a thing correctly”; the sender, receiver, and amounts of currency involved are all completely hidden and therefore private. In fact Aleo is one of the ONLY blockchains where transactions are actually encrypted to their receiver. Currently there are a large number of exciting-sounding blockchain projects that have been using ZK only for scalability (which is cool) but not for privacy (which is cooler). On the other hand, there have also been many projects claiming that they WOULD use ZK for privacy but ultimately didn’t. The reason for this is simple: creating privacy-preserving smart contracts is really hard and essentially requires a bottom-up redesign of the whole architecture, which is exactly what Aleo did.

Execution off-chain also has the interesting effect that there is NO NEED FOR GAS on Aleo. You will still need transaction fees to pay for block space, but there are no protocol level per-operation fees for smart contract execution, which means that applications on Aleo have theoretically unlimited runtime. The only limit is what you are able to construct the proof for, or how much you would be willing to pay for someone else to construct the proof for you.

Because ZK proof construction is so much more expensive than just running the computation normally, there are going to be many applications that you either couldn’t or wouldn’t WANT to create proofs for on your laptop at home; it would simply take too long. There is going to be a market for delegating proof construction to Provers, who operate very efficient server farms specifically to fill this need. A foundational design decision that is entirely unique to Aleo is the ability to delegate proof construction IN A PRIVACY PRESERVING WAY to external Provers. We expect a healthy market of Provers to be critical to getting as much of the internet as possible inside ZK, which was the motivation for a clever bootstrapping mechanic to get the market started before high user demand even exists: the coinbase puzzle.

The coinbase puzzle enables the Aleo blockchain to mint new tokens to buy proofs from provers even when nobody else is. If a Prover finds themselves for any amount of time not actively working on a paid proof job for a user, they may switch their machines over to the coinbase puzzle, where they churn out vast amounts of “proofs for nobody”, that they then send to validators. The validator aggregates all of the proofs that the Prover created, and then similarly to how a mining pool works, the number of proofs a Prover made in a particular time period dictates what proportion of the coinbase puzzle reward they earn for that given time period. We expect this to be a game changer in helping to support a large market of Provers and hopefully even incentivize development of specialized “ZK ASICs” to maximize access to Aleo and to ZK in general.

In service of all of this ZK magic, Aleo has created a low level VM called AVM for compiling programs into the arithmetic circuits that ZK proofs operate on, and a high level language called Leo that compiles down to the AVM. Aleo will also have an on-chain program registry that will allow smart contract code to be (optionally) hosted directly on chain, for accessibility and to minimize the risk of man-in-the-middle attacks tricking users into signing fraudulent versions of smart contracts. If you’d like to dig into this further and write your own Private Applications see.

Aleo Endgame

In summary, Aleo is a complete redesign of how a smart contract blockchain should work if you want to maximize privacy and decentralization. A startling amount of completely novel and groundbreaking research and engineering has gone into making Aleo realize this goal. While there are already a significant number of projects borrowing wholesale from the work and research that went into assembling Aleo, in order to truly compete on these fronts their only choice would be to essentially tear down their entire architecture and rebuild themselves in the image of Aleo.

If you want to find out more about Aleo, as well as to participate in the final Testnet, go to