Zero-Knowledge Proof

In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true.

Uploaded by

lkwriter
1/23/22, 4:25 AM Zero-knowledge proof - Wikipedia

Zero-knowledge proof
In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which
one party (the prover) can prove to another party (the verifier) that a given statement is true while
the prover avoids conveying any additional information apart from the fact that the statement is
indeed true. The essence of zero-knowledge proofs is that it is trivial to prove that one possesses
knowledge of certain information by simply revealing it; the challenge is to prove such possession
without revealing the information itself or any additional information.[1]

If proving a statement requires that the prover possess some secret information, then the verifier
will not be able to prove the statement to anyone else without possessing the secret information.
The statement being proved must include the assertion that the prover has such knowledge, but
without including or transmitting the knowledge itself in the assertion. Otherwise, the statement
would not be proved in zero-knowledge because it provides the verifier with additional
information about the statement by the end of the protocol. A zero-knowledge proof of knowledge
is a special case when the statement consists only of the fact that the prover possesses the secret
information.

Interactive zero-knowledge proofs require interaction between the individual (or computer
system) proving their knowledge and the individual validating the proof.[1]

A protocol implementing zero-knowledge proofs of knowledge must necessarily require interactive
input from the verifier. This interactive input is usually in the form of one or more challenges such
that the responses from the prover will convince the verifier if and only if the statement is true, i.e.,
if the prover does possess the claimed knowledge. If this were not the case, the verifier could
record the execution of the protocol and replay it to convince someone else that they possess the
secret information. The new party's acceptance is either justified since the replayer does possess
the information (which implies that the protocol leaked information, and thus, is not proved in
zero-knowledge), or the acceptance is spurious, i.e., was accepted from someone who does not
actually possess the information.

Some forms of non-interactive zero-knowledge proofs exist,[2][3] but the validity of the proof relies
on computational assumptions (typically the assumptions of an ideal cryptographic hash
function).

Contents
Abstract examples
The Ali Baba cave
Two balls and the colour-blind friend
Where's Wally?
Definition
Practical examples
Discrete log of a given value
Short summary
Hamiltonian cycle for a large graph
Completeness
Zero-knowledge
https://en.wikipedia.org/wiki/Zero-knowledge_proof 1/16
Soundness
Variants of zero-knowledge
Zero knowledge types
Applications
Authentication systems
Ethical behavior
Nuclear disarmament
Blockchains
History
Zero-Knowledge Proof Protocols
See also
References

Abstract examples

The Ali Baba cave

There is a well-known story presenting the fundamental ideas of zero-knowledge proofs, first
published by Jean-Jacques Quisquater and others in their paper "How to Explain Zero-Knowledge
Protocols to Your Children".[4] It is common practice to label the two parties in a zero-knowledge
proof as Peggy (the prover of the statement) and Victor (the verifier of the statement).

[Figure: Peggy randomly takes either path A or B, while Victor waits outside]

In this story, Peggy has uncovered the secret word used to open a magic
door in a cave. The cave is shaped like a ring, with the entrance on one
side and the magic door blocking the opposite side. Victor wants to know
whether Peggy knows the secret word; but Peggy, being a very private
person, does not want to reveal her knowledge (the secret word) to
Victor or to reveal the fact of her knowledge to the world in general.

[Figure: Victor chooses an exit path]

They label the left and right paths from the entrance A and B. First,
Victor waits outside the cave as Peggy goes in. Peggy takes either path A
or B; Victor is not allowed to see which path she takes. Then, Victor
enters the cave and shouts the name of the path he wants her to use to
return, either A or B, chosen at random. Providing she really does know
the magic word, this is easy: she opens the door, if necessary, and
returns along the desired path.

[Figure: Peggy reliably appears at the exit Victor names]

However, suppose she did not know the word. Then, she would only be able to return by the named
path if Victor were to give the name of the same path by which she had entered. Since Victor would
choose A or B at random, she would have a 50% chance of guessing correctly. If they were to repeat
this trick many times, say 20 times in a row, her chance of successfully anticipating all of
Victor's requests would become vanishingly small (1 in 2^20, or very roughly 1 in a million).

Thus, if Peggy repeatedly appears at the exit Victor names, he can conclude that it is extremely
probable that Peggy does, in fact, know the secret word.

One side note with respect to third-party observers: even if Victor is wearing a hidden camera that
records the whole transaction, the only thing the camera will record is in one case Victor shouting
"A!" and Peggy appearing at A or in the other case Victor shouting "B!" and Peggy appearing at B.
A recording of this type would be trivial for any two people to fake (requiring only that Peggy and
Victor agree beforehand on the sequence of A's and B's that Victor will shout). Such a recording
will certainly never be convincing to anyone but the original participants. In fact, even a person
who was present as an observer at the original experiment would be unconvinced, since Victor
and Peggy might have orchestrated the whole "experiment" from start to finish.

Further notice that if Victor chooses his A's and B's by flipping a coin on-camera, this protocol
loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any
person watching the recording later. Thus, although this does not reveal the secret word to Victor,
it does make it possible for Victor to convince the world in general that Peggy has that knowledge—
counter to Peggy's stated wishes. However, digital cryptography generally "flips coins" by relying
on a pseudo-random number generator, which is akin to a coin with a fixed pattern of heads and
tails known only to the coin's owner. If Victor's coin behaved this way, then again it would be
possible for Victor and Peggy to have faked the "experiment", so using a pseudo-random number
generator would not reveal Peggy's knowledge to the world in the same way that using a flipped
coin would.

Notice that Peggy could prove to Victor that she knows the magic word, without revealing it to
him, in a single trial. If both Victor and Peggy go together to the mouth of the cave, Victor can
watch Peggy go in through A and come out through B. This would prove with certainty that Peggy
knows the magic word, without revealing the magic word to Victor. However, such a proof could be
observed by a third party, or recorded by Victor and such a proof would be convincing to anybody.
In other words, Peggy could not refute such proof by claiming she colluded with Victor, and she is
therefore no longer in control of who is aware of her knowledge.

Two balls and the colour-blind friend

Imagine your friend is red-green colour-blind (while you are not) and you have two balls: one red
and one green, but otherwise identical. To your friend they seem completely identical and he is
skeptical that they are actually distinguishable. You want to prove to him they are in fact
differently-coloured, but nothing else; in particular, you do not want to reveal which one is the red
and which is the green ball.

Here is the proof system. You give the two balls to your friend and he puts them behind his back.
Next, he takes one of the balls and brings it out from behind his back and displays it. He then
places it behind his back again and then chooses to reveal just one of the two balls, picking one of
the two at random with equal probability. He will ask you, "Did I switch the ball?" This whole
procedure is then repeated as often as necessary.

By looking at their colours, you can, of course, say with certainty whether or not he switched them.
On the other hand, if they were the same colour and hence indistinguishable, there is no way you
could guess correctly with probability higher than 50%.

Since the probability that you would have randomly succeeded at identifying each switch/non-
switch is 50%, the probability of having randomly succeeded at all switch/non-switches
approaches zero ("soundness"). If you and your friend repeat this "proof" multiple times (e.g. 100
times), your friend should become convinced ("completeness") that the balls are indeed differently
coloured.

The above proof is zero-knowledge because your friend never learns which ball is green and which
is red; indeed, he gains no knowledge about how to distinguish the balls.[5]

Where's Wally?

Where's Wally? (titled Where's Waldo? in North America) is a picture book where the reader is
challenged to find a small character called Wally hidden somewhere on a double-spread page that
is filled with many other characters. The pictures are designed so that it is hard to find Wally.

Imagine that you are a professional Where's Wally? solver. A company comes to you with a
Where's Wally? book that they need solved. The company wants you to prove that you are actually
a professional Where's Wally? solver and thus asks you to find Wally in a picture from their book.
The problem is that you don't want to do work for them without being paid.

Both you and the company want to cooperate, but you don't trust each other. It doesn't seem like
it's possible to satisfy the company's demand without doing free work for them, but in fact there is
a zero-knowledge proof which allows you to prove to the company that you know where Wally is in
the picture without revealing to them how you found him, or where he is.

The proof goes as follows: You ask the company representative to turn around, and then you place
a very large piece of cardboard (several times larger than the book) over the picture in the book
such that the center of the cardboard is positioned over Wally. You cut out a small window in the
center of the cardboard such that Wally is visible. You can now ask the company representative to
turn around and view the large piece of cardboard with the hole in the middle, and observe that
Wally is visible through the hole. The cardboard is large enough that the company rep cannot
determine the position of the book under the cardboard. You then ask the representative to turn
back around so that you can remove the cardboard and give back the book.

As described, this proof is an illustration only, and not completely rigorous. The company
representative would need to be sure that you didn't smuggle a picture of Wally into the room.
Something like a tamper-proof glovebox might be used in a more rigorous proof. The above proof
also results in the body position of Wally being leaked to the company representative, which may
help them find Wally if his body position changes in each Where's Wally? puzzle.

Definition
A zero-knowledge proof of some statement must satisfy three properties:

1. Completeness: if the statement is true, the honest verifier (that is, one following the protocol
properly) will be convinced of this fact by an honest prover.
2. Soundness: if the statement is false, no cheating prover can convince the honest verifier that
it is true, except with some small probability.
3. Zero-knowledge: if the statement is true, no verifier learns anything other than the fact that
the statement is true. In other words, just knowing the statement (not the secret) is sufficient to
imagine a scenario showing that the prover knows the secret. This is formalized by showing
that every verifier has some simulator that, given only the statement to be proved (and no
access to the prover), can produce a transcript that "looks like" an interaction between the
honest prover and the verifier in question.

The first two of these are properties of more general interactive proof systems. The third is what
makes the proof zero-knowledge.

Zero-knowledge proofs are not proofs in the mathematical sense of the term because there is some
small probability, the soundness error, that a cheating prover will be able to convince the verifier
of a false statement. In other words, zero-knowledge proofs are probabilistic "proofs" rather than
deterministic proofs. However, there are techniques to decrease the soundness error to negligibly
small values.

A formal definition of zero-knowledge has to use some computational model, the most common
one being that of a Turing machine. Let , , and be Turing machines. An interactive proof
system with for a language is zero-knowledge if for any probabilistic polynomial time
(PPT) verifier there exists a PPT simulator such that

where is a record of the interactions between and . The
prover is modeled as having unlimited computation power (in practice, usually is a
probabilistic Turing machine). Intuitively, the definition states that an interactive proof system
is zero-knowledge if for any verifier there exists an efficient simulator (depending on
) that can reproduce the conversation between and on any given input. The auxiliary string
in the definition plays the role of "prior knowledge" (including the random coins of ). The
definition implies that cannot use any prior knowledge string to mine information out of its
conversation with , because if is also given this prior knowledge then it can reproduce the
conversation between and just as before.

The definition given is that of perfect zero-knowledge. Computational zero-knowledge is obtained
by requiring that the views of the verifier and the simulator are only computationally
indistinguishable, given the auxiliary string.

Practical examples

Discrete log of a given value

We can apply these ideas to a more realistic cryptography application. Peggy wants to prove to
Victor that she knows the discrete log of a given value in a given group.[6]

For example, given a value , a large prime and a generator , she wants to prove that she knows
a value such that , without revealing . Indeed, knowledge of could be used as a
proof of identity, in that Peggy could have such knowledge because she chose a random value
that she didn't reveal to anyone, computed and distributed the value of to all
potential verifiers, such that at a later time, proving knowledge of is equivalent to proving
identity as Peggy.

The protocol proceeds as follows: in each round, Peggy generates a random number , computes
and discloses this to Victor. After receiving , Victor randomly issues one of the
following two requests: he either requests that Peggy discloses the value of , or the value of
. With either answer, Peggy is only disclosing a random value, so no
information is disclosed by a correct execution of one round of the protocol.

Victor can verify either answer; if he requested , he can then compute and verify that it
matches . If he requested , he can verify that is consistent with this, by
computing and verifying that it matches . If Peggy indeed
knows the value of , she can respond to either one of Victor's possible challenges.

If Peggy knew or could guess which challenge Victor is going to issue, then she could easily cheat
and convince Victor that she knows when she does not: if she knows that Victor is going to
request , then she proceeds normally: she picks , computes and discloses to
Victor; she will be able to respond to Victor's challenge. On the other hand, if she knows that
Victor will request , then she picks a random value , computes
, and discloses to Victor as the value of that he is expecting. When
Victor challenges her to reveal , she reveals , for which Victor will verify
consistency, since he will in turn compute , which matches , since Peggy multiplied
by the modular multiplicative inverse of .

However, if in either one of the above scenarios Victor issues a challenge other than the one she
was expecting and for which she manufactured the result, then she will be unable to respond to the
challenge under the assumption of infeasibility of solving the discrete log for this group. If she
picked and disclosed , then she will be unable to produce a valid
that would pass Victor's verification, given that she does not know . And if
she picked a value that poses as , then she would have to respond with the
discrete log of the value that she disclosed – but Peggy does not know this discrete log, since the
value C she disclosed was obtained through arithmetic with known values, and not by computing a
power with a known exponent.

Thus, a cheating prover has a 0.5 probability of successfully cheating in one round. By executing a
large enough number of rounds, the probability of a cheating prover succeeding can be made
arbitrarily low.

Short summary

Peggy proves to know the value of x (for example her password).

1. Peggy and Victor agree on a prime and a generator of the multiplicative group of the field
.
2. Peggy calculates the value and transfers the value to Victor.
3. The following two steps are repeated a (large) number of times.
1. Peggy repeatedly picks a random value and calculates .
She transfers the value to Victor.
2. Victor asks Peggy to calculate and transfer either the value or the
value . In the first case Victor verifies . In the
second case he verifies .

The value can be seen as the encrypted value of . If is truly
random, equally distributed between zero and , this does not leak any information about
(see one-time pad).
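
The round structure summarised above, as an added Python example (not part of the original article). The symbol names p, g, x, y, r and C are assumptions, since the article's formulas did not survive extraction, and the toy group is constructed for illustration. It runs an honest prover and the guessing cheater described earlier against the same verifier.

```python
import secrets

# Constructed toy parameters (assumption): p = 23 is prime and g = 5 generates
# the multiplicative group mod p. Real deployments use groups of 2048+ bits.
P, G = 23, 5


class Prover:
    """Peggy: knows x with y = g^x mod p."""

    def __init__(self, x, p=P, g=G):
        self.x, self.p, self.g = x, p, g
        self.y = pow(g, x, p)          # public value handed to verifiers

    def commit(self):
        # Fresh r every round: answering both challenges for one r reveals x.
        self.r = secrets.randbelow(self.p - 1)
        return pow(self.g, self.r, self.p)           # C = g^r mod p

    def respond(self, challenge):
        if challenge == 0:
            return self.r                            # disclose r
        return (self.x + self.r) % (self.p - 1)      # disclose (x + r) mod (p - 1)


class CheatingProver:
    """Knows only the public y; prepares for the one challenge it guesses."""

    def __init__(self, y, p=P, g=G):
        self.y, self.p, self.g = y, p, g

    def commit(self):
        self.guess = secrets.randbelow(2)
        self.r = secrets.randbelow(self.p - 1)
        c = pow(self.g, self.r, self.p)
        if self.guess == 1:
            # C' = g^r' * y^-1, so that g^r' == C' * y passes the second check.
            c = (c * pow(self.y, -1, self.p)) % self.p
        return c

    def respond(self, challenge):
        return self.r      # only a valid answer when challenge == self.guess


def verify(y, c, challenge, answer, p=P, g=G):
    """Victor's check for one round."""
    lhs = pow(g, answer, p)
    return lhs == (c if challenge == 0 else (c * y) % p)


def run_protocol(prover, y, rounds):
    """Run `rounds` rounds with fresh random challenges; True if all pass."""
    for _ in range(rounds):
        c = prover.commit()
        challenge = secrets.randbelow(2)   # must be unpredictable to the prover
        if not verify(y, c, challenge, prover.respond(challenge)):
            return False
    return True


if __name__ == "__main__":
    peggy = Prover(x=7)
    print("honest prover, 40 rounds:", run_protocol(peggy, peggy.y, 40))
    print("cheater, 40 rounds:", run_protocol(CheatingProver(peggy.y), peggy.y, 40))
```

The cheater passes a round only when the challenge matches its guess, which is the 0.5 per-round soundness error stated above.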

Hamiltonian cycle for a large graph

The following scheme is due to Manuel Blum.[7]

In this scenario, Peggy knows a Hamiltonian cycle for a large graph G. Victor knows G but not the
cycle (e.g., Peggy has generated G and revealed it to him.) Finding a Hamiltonian cycle given a
large graph is believed to be computationally infeasible, since its corresponding decision version is
known to be NP-complete. Peggy will prove that she knows the cycle without simply revealing it
(perhaps Victor is interested in buying it but wants verification first, or maybe Peggy is the only
one who knows this information and is proving her identity to Victor).

To show that Peggy knows this Hamiltonian cycle, she and Victor play several rounds of a game.

At the beginning of each round, Peggy creates H, a graph which is isomorphic to G (i.e. H is
just like G except that all the vertices have different names). Since it is trivial to translate a
Hamiltonian cycle between isomorphic graphs with known isomorphism, if Peggy knows a
Hamiltonian cycle for G she also must know one for H.

Peggy commits to H. She could do so by using a cryptographic commitment scheme.
Alternatively, she could number the vertices of H, then for each edge of H write the two vertices
of the edge on a small piece of paper and then put these pieces of paper face down on a table.
The purpose of this commitment is that Peggy is not able to change H while at the same time
Victor has no information about H.

Victor then randomly chooses one of two questions to ask Peggy. He can either ask her to
show the isomorphism between H and G (see graph isomorphism problem), or he can ask her
to show a Hamiltonian cycle in H.

If Peggy is asked to show that the two graphs are isomorphic, she first uncovers all of H (e.g.
by turning over all the pieces of paper that she put on the table) and then provides the vertex
translations that map G to H. Victor can verify that they are indeed isomorphic.

If Peggy is asked to prove that she knows a Hamiltonian cycle in H, she translates her
Hamiltonian cycle in G onto H and only uncovers the edges on the Hamiltonian cycle. This is
enough for Victor to check that H does indeed contain a Hamiltonian cycle.

It is important that the commitment to the graph be such that Victor can verify, in the second case,
that the cycle is really made of edges from H. This can be done by, for example, committing to
every edge (or lack thereof) separately.
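
One round of the game above, as an added Python example (not part of the original article). It commits to every vertex pair of H separately, as the paragraph suggests; the hash-based commitment `SHA-256(nonce || bit)`, the function names and the 5-vertex sample graph are assumptions chosen for illustration.

```python
import hashlib
import secrets
from itertools import combinations


def commit(bit):
    """Commit to one adjacency bit with SHA-256(nonce || bit) (assumed scheme)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), (nonce, bit)


def opens_to(digest, opening):
    nonce, bit = opening
    return hashlib.sha256(nonce + bytes([bit])).digest() == digest


def edge(u, v):
    return (u, v) if u < v else (v, u)


def cycle_edges(cycle):
    return [edge(cycle[i], cycle[(i + 1) % len(cycle)]) for i in range(len(cycle))]


class Peggy:
    def __init__(self, n, edges, cycle):
        self.n, self.edges, self.cycle = n, {edge(*e) for e in edges}, cycle

    def commit_round(self):
        # A fresh random relabelling of G's vertices gives H.
        self.perm = list(range(self.n))
        secrets.SystemRandom().shuffle(self.perm)
        h_edges = {edge(self.perm[u], self.perm[v]) for u, v in self.edges}
        # Commit to every vertex pair separately: edge (1) or no edge (0).
        self.openings, commitments = {}, {}
        for pair in combinations(range(self.n), 2):
            commitments[pair], self.openings[pair] = commit(int(pair in h_edges))
        return commitments

    def respond(self, challenge):
        if challenge == 0:   # show the isomorphism: open all of H
            return {"perm": self.perm, "openings": dict(self.openings)}
        h_cycle = [self.perm[v] for v in self.cycle]   # translate cycle onto H
        return {"cycle": h_cycle,
                "openings": {p: self.openings[p] for p in cycle_edges(h_cycle)}}


def victor_verify(n, edges, commitments, challenge, resp):
    opened = resp["openings"]
    if any(p not in commitments or not opens_to(commitments[p], o)
           for p, o in opened.items()):
        return False                       # an opening does not match
    if challenge == 0:
        perm = resp["perm"]
        if sorted(perm) != list(range(n)) or set(opened) != set(commitments):
            return False
        h_edges = {p for p, (_, bit) in opened.items() if bit}
        return h_edges == {edge(perm[u], perm[v]) for u, v in edges}
    h_cycle = resp["cycle"]
    if sorted(h_cycle) != list(range(n)):  # must visit every vertex exactly once
        return False
    return all(p in opened and opened[p][1] == 1 for p in cycle_edges(h_cycle))


def run_rounds(peggy, n, edges, rounds):
    """True if Peggy answers every randomly chosen challenge correctly."""
    for _ in range(rounds):
        commitments = peggy.commit_round()
        challenge = secrets.randbelow(2)
        response = peggy.respond(challenge)
        if not victor_verify(n, edges, commitments, challenge, response):
            return False
    return True


# Constructed sample graph: a 5-cycle plus two chords.
N = 5
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (1, 3)]
CYCLE = [0, 1, 2, 3, 4]

if __name__ == "__main__":
    print("honest Peggy, 30 rounds:", run_rounds(Peggy(N, EDGES, CYCLE), N, EDGES, 30))
```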

Completeness

If Peggy does know a Hamiltonian cycle in G, she can easily satisfy Victor's demand for either the
graph isomorphism producing H from G (which she had committed to in the first step) or a
Hamiltonian cycle in H (which she can construct by applying the isomorphism to the cycle in G).

Zero-knowledge

Peggy's answers do not reveal the original Hamiltonian cycle in G. Each round, Victor will learn
only H's isomorphism to G or a Hamiltonian cycle in H. He would need both answers for a single
H to discover the cycle in G, so the information remains unknown as long as Peggy can generate a
distinct H every round. If Peggy does not know of a Hamiltonian cycle in G, but somehow knew in
advance what Victor would ask to see each round then she could cheat. For example, if Peggy knew
ahead of time that Victor would ask to see the Hamiltonian cycle in H then she could generate a
Hamiltonian cycle for an unrelated graph. Similarly, if Peggy knew in advance that Victor would
ask to see the isomorphism then she could simply generate an isomorphic graph H (in which she
also does not know a Hamiltonian cycle). Victor could simulate the protocol by himself (without
Peggy) because he knows what he will ask to see. Therefore, Victor gains no information about the
Hamiltonian cycle in G from the information revealed in each round.

Soundness

If Peggy does not know the information, she can guess which question Victor will ask and generate
either a graph isomorphic to G or a Hamiltonian cycle for an unrelated graph, but since she does
not know a Hamiltonian cycle for G she cannot do both. With this guesswork, her chance of
fooling Victor is 2^(−n), where n is the number of rounds. For all realistic purposes, it is infeasibly
difficult to defeat a zero-knowledge proof with a reasonable number of rounds in this way.

Variants of zero-knowledge
Different variants of zero-knowledge can be defined by formalizing the intuitive concept of what is
meant by the output of the simulator "looking like" the execution of the real proof protocol in the
following ways:

We speak of perfect zero-knowledge if the distributions produced by the simulator and the
proof protocol are distributed exactly the same. This is for instance the case in the first
example above.

Statistical zero-knowledge[8] means that the distributions are not necessarily exactly the same,
but they are statistically close, meaning that their statistical difference is a negligible function.

We speak of computational zero-knowledge if no efficient algorithm can distinguish the two
distributions.

Zero knowledge types


Proof of knowledge: the knowledge is hidden in the exponent like in the example shown
above.

Pairing based cryptography: given f(x) and f(y), without knowing x and y, it is possible to
compute f(x×y).

Witness indistinguishable proof: verifiers cannot know which witness is used for producing the
proof.

Multi-party computation: while each party can keep their respective secret, they together
produce a result.

Ring signature: outsiders have no idea which key is used for signing.

Applications

Authentication systems

Research in zero-knowledge proofs has been motivated by authentication systems where one party
wants to prove its identity to a second party via some secret information (such as a password) but
doesn't want the second party to learn anything about this secret. This is called a "zero-knowledge
proof of knowledge". However, a password is typically too small or insufficiently random to be
used in many schemes for zero-knowledge proofs of knowledge. A zero-knowledge password proof
is a special kind of zero-knowledge proof of knowledge that addresses the limited size of
passwords.

In April 2015, the Sigma protocol (one-out-of-many proofs) was introduced.[9] In August 2021,
Cloudflare, an American web infrastructure and security company, decided to use the one-out-of-
many proofs mechanism for private web verification using vendor hardware.[10]

Ethical behavior

One of the uses of zero-knowledge proofs within cryptographic protocols is to enforce honest
behavior while maintaining privacy. Roughly, the idea is to force a user to prove, using a zero-
knowledge proof, that its behavior is correct according to the protocol.[11][12] Because of
soundness, we know that the user must really act honestly in order to be able to provide a valid
proof. Because of zero knowledge, we know that the user does not compromise the privacy of its
secrets in the process of providing the proof.

Nuclear disarmament

In 2016, the Princeton Plasma Physics Laboratory and Princeton University demonstrated a
technique that may have applicability to future nuclear disarmament talks. It would allow
inspectors to confirm whether or not an object is indeed a nuclear weapon without recording,
sharing or revealing the internal workings which might be secret.[13]

Blockchains

Zero-knowledge proofs were applied in the Zerocoin and Zerocash protocols, which culminated in the
birth of Zcoin[14] (later rebranded as Firo in 2020)[15] and Zcash cryptocurrencies in 2016.
Zerocoin has a built-in mixing model that does not trust any peers or centralised mixing providers
to ensure anonymity.[14] Users can transact in a base currency, and can cycle the currency into and
out of Zerocoins.[16] The Zerocash protocol uses a similar model (a variant known as non-interactive
zero-knowledge proof)[17] except that it can obscure the transaction amount while Zerocoin
cannot. Given significant restrictions of transaction data on the Zerocash network, Zerocash is less
prone to privacy timing attacks when compared to Zerocoin. However, this additional layer of
privacy can cause potentially undetected hyperinflation of Zerocash supply because fraudulent
coins cannot be tracked.[14][18]

In 2018, Bulletproofs were introduced. Bulletproofs are an improvement on non-interactive
zero-knowledge proofs in that no trusted setup is needed.[19] They were later implemented in the
Mimblewimble protocol (on which the Grin and Beam cryptocurrencies are based) and in the Monero
cryptocurrency.[20] In 2019, Firo implemented the Sigma protocol, which is an improvement on the
Zerocoin protocol without trusted setup.[21][9] In the same year, Firo introduced the Lelantus
protocol, an improvement on the Sigma protocol where the former hides the origin and amount of
a transaction.[22]

History
Zero-knowledge proofs were first conceived in 1985 by Shafi Goldwasser, Silvio Micali, and
Charles Rackoff in their paper "The Knowledge Complexity of Interactive Proof-Systems".[11] This
paper introduced the IP hierarchy of interactive proof systems (see interactive proof system) and
conceived the concept of knowledge complexity, a measurement of the amount of knowledge
about the proof transferred from the prover to the verifier. They also gave the first zero-knowledge
proof for a concrete problem, that of deciding quadratic nonresidues mod m. Together with a
paper by László Babai and Shlomo Moran, this landmark paper invented interactive proof systems,
for which all five authors won the first Gödel Prize in 1993.

In their own words, Goldwasser, Micali, and Rackoff say:

Of particular interest is the case where this additional knowledge is essentially 0 and
we show that [it] is possible to interactively prove that a number is quadratic non
residue mod m releasing 0 additional knowledge. This is surprising as no efficient
algorithm for deciding quadratic residuosity mod m is known when m’s factorization is
not given. Moreover, all known NP proofs for this problem exhibit the prime
factorization of m. This indicates that adding interaction to the proving process, may
decrease the amount of knowledge that must be communicated in order to prove a
theorem.

The quadratic nonresidue problem has both an NP and a co-NP algorithm, and so lies in the
intersection of NP and co-NP. This was also true of several other problems for which zero-
knowledge proofs were subsequently discovered, such as an unpublished proof system by Oded
Goldreich verifying that a two-prime modulus is not a Blum integer.[23]

Oded Goldreich, Silvio Micali, and Avi Wigderson took this one step further, showing that,
assuming the existence of unbreakable encryption, one can create a zero-knowledge proof system
for the NP-complete graph coloring problem with three colors. Since every problem in NP can be
efficiently reduced to this problem, this means that, under this assumption, all problems in NP
have zero-knowledge proofs.[24] The reason for the assumption is that, as in the above example,
their protocols require encryption. A commonly cited sufficient condition for the existence of
unbreakable encryption is the existence of one-way functions, but it is conceivable that some
physical means might also achieve it.

On top of this, they also showed that the graph nonisomorphism problem, the complement of the
graph isomorphism problem, has a zero-knowledge proof. This problem is in co-NP, but is not
currently known to be in either NP or any practical class. More generally, Russell Impagliazzo and
Moti Yung as well as Ben-Or et al. would go on to show that, also assuming one-way functions or
unbreakable encryption, there are zero-knowledge proofs for all problems in IP = PSPACE,
or in other words, anything that can be proved by an interactive proof system can be proved with
zero knowledge.[25][26]

Not liking to make unnecessary assumptions, many theorists sought a way to eliminate the
necessity of one-way functions. One way this was done was with multi-prover interactive proof
systems (see interactive proof system), which have multiple independent provers instead of only
one, allowing the verifier to "cross-examine" the provers in isolation to avoid being misled. It can
be shown that, without any intractability assumptions, all languages in NP have zero-knowledge
proofs in such a system.[27]

It turns out that in an Internet-like setting, where multiple protocols may be executed
concurrently, building zero-knowledge proofs is more challenging. The line of research
investigating concurrent zero-knowledge proofs was initiated by the work of Dwork, Naor, and
Sahai.[28] One particular result along these lines has been the development of
witness-indistinguishable proof protocols. The property of witness-indistinguishability is related to that of
zero-knowledge, yet witness-indistinguishable protocols do not suffer from the same problems of
concurrent execution.[29]

Another variant of zero-knowledge proofs is the non-interactive zero-knowledge proof. Blum,
Feldman, and Micali showed that a common random string shared between the prover and the
verifier is enough to achieve computational zero-knowledge without requiring interaction.[2][3]

Zero-Knowledge Proof Protocols


The most popular interactive or non-interactive zero-knowledge proof (zk-SNARK) protocols can
be broadly grouped into four categories: Succinct Non-Interactive Arguments of
Knowledge (SNARK), Scalable Transparent ARgument of Knowledge (STARK), Verifiable
Polynomial Delegation (VPD), and Succinct Non-interactive ARGuments (SNARG). A list of
zero-knowledge proof protocols and libraries is provided below, along with comparisons based on
transparency, universality, plausible post-quantum security, and programming
paradigm.[30] A transparent protocol is one that does not require any trusted setup and uses
public randomness. A universal protocol is one that does not require a separate trusted setup for
each circuit. Finally, a plausibly post-quantum protocol is one that is not susceptible to known
attacks involving quantum algorithms.


Zero-knowledge proof (ZKP) systems


| ZKP System | Publication year | Protocol | Transparent | Universal | Plausibly Post-Quantum Secure | Programming Paradigm |
|---|---|---|---|---|---|---|
| Pinocchio[31] | 2013 | zk-SNARK | No | No | No | Procedural |
| Geppetto[32] | 2015 | zk-SNARK | No | No | No | Procedural |
| TinyRAM[33] | 2013 | zk-SNARK | No | No | No | Procedural |
| Buffet[34] | 2015 | zk-SNARK | No | No | No | Procedural |
| ZoKrates[35] | 2018 | zk-SNARK | No | No | No | Procedural |
| xJsnark[36] | 2018 | zk-SNARK | No | No | No | Procedural |
| vRAM[37] | 2018 | zk-SNARG | No | Yes | No | Assembly |
| vnTinyRAM[38] | 2014 | zk-SNARK | No | Yes | No | Procedural |
| MIRAGE[39] | 2020 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| Sonic[40] | 2019 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| Marlin[41] | 2020 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| PLONK[42] | 2019 | zk-SNARK | No | Yes | No | Arithmetic Circuits |
| SuperSonic[43] | 2020 | zk-SNARK | Yes | Yes | No | Arithmetic Circuits |
| Bulletproofs[44] | 2018 | Bulletproofs | Yes | Yes | No | Arithmetic Circuits |
| Hyrax[45] | 2018 | zk-SNARK | Yes | Yes | No | Arithmetic Circuits |
| Halo[46] | 2019 | zk-SNARK | Yes | Yes | No | Arithmetic Circuits |
| Virgo[47] | 2020 | zk-SNARK | Yes | Yes | Yes | Arithmetic Circuits |
| Ligero[48] | 2017 | zk-SNARK | Yes | Yes | Yes | Arithmetic Circuits |
| Aurora[49] | 2019 | zk-SNARK | Yes | Yes | Yes | Arithmetic Circuits |
| zk-STARK[50] | 2019 | zk-STARK | Yes | Yes | Yes | Assembly |
| Zilch[30][51] | 2021 | zk-STARK | Yes | Yes | Yes | Object-Oriented |


See also
Arrow information paradox
Cryptographic protocol
Feige–Fiat–Shamir identification scheme
Proof of knowledge
Topics in cryptography
Witness-indistinguishable proof
Zero-knowledge password proof
Non-interactive zero-knowledge proof

References
1. "What is a zero-knowledge proof and why is it useful?" (https://www.expressvpn.com/blog/zero
-knowledge-proofs-explained/). 16 November 2017.
2. Blum, Manuel; Feldman, Paul; Micali, Silvio (1988). Non-Interactive Zero-Knowledge and Its
Applications (http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA222698). Proceedings of the
Twentieth Annual ACM Symposium on Theory of Computing (STOC 1988). pp. 103–112.
doi:10.1145/62212.62222 (https://doi.org/10.1145%2F62212.62222). ISBN 978-0897912648.
S2CID 7282320 (https://api.semanticscholar.org/CorpusID:7282320).
3. Wu, Huixin; Wang, Feng (2014). "A Survey of Noninteractive Zero Knowledge Proof System
and Its Applications" (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4032740). The Scientific
World Journal. 2014: 560484. doi:10.1155/2014/560484 (https://doi.org/10.1155%2F2014%2F
560484). PMC 4032740 (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4032740).
PMID 24883407 (https://pubmed.ncbi.nlm.nih.gov/24883407).
4. Quisquater, Jean-Jacques; Guillou, Louis C.; Berson, Thomas A. (1990). How to Explain Zero-
Knowledge Protocols to Your Children (http://www.cs.wisc.edu/~mkowalcz/628.pdf) (PDF).
Advances in Cryptology – CRYPTO '89: Proceedings. Lecture Notes in Computer Science.
Vol. 435. pp. 628–631. doi:10.1007/0-387-34805-0_60 (https://doi.org/10.1007%2F0-387-3480
5-0_60). ISBN 978-0-387-97317-3.
5. Chalkias, Konstantinos. "Demonstrate how Zero-Knowledge Proofs work without using maths"
(https://www.linkedin.com/pulse/demonstrate-how-zero-knowledge-proofs-work-without-using-c
halkias). CordaCon 2017. Retrieved 2017-09-13.
6. Chaum, David; Evertse, Jan-Hendrik; van de Graaf, Jeroen (1987). An Improved Protocol for
Demonstrating Possession of Discrete Logarithms and Some Generalizations. Advances in
Cryptology – EuroCrypt '87: Proceedings. Lecture Notes in Computer Science. Vol. 304.
pp. 127–141. doi:10.1007/3-540-39118-5_13 (https://doi.org/10.1007%2F3-540-39118-5_13).
ISBN 978-3-540-19102-5.
7. Blum, Manuel (1986). "How to Prove a Theorem So No One Else Can Claim It". ICM
Proceedings: 1444–1451. CiteSeerX 10.1.1.469.9048 (https://citeseerx.ist.psu.edu/viewdoc/su
mmary?doi=10.1.1.469.9048).
8. Sahai, Amit; Vadhan, Salil (1 March 2003). "A complete problem for statistical zero knowledge"
(http://dash.harvard.edu/bitstream/handle/1/4728406/Vadhan_StatZeroKnow.pdf?sequence=2)
(PDF). Journal of the ACM. 50 (2): 196–249. CiteSeerX 10.1.1.4.3957 (https://citeseerx.ist.ps
u.edu/viewdoc/summary?doi=10.1.1.4.3957). doi:10.1145/636865.636868 (https://doi.org/10.1
145%2F636865.636868). S2CID 218593855 (https://api.semanticscholar.org/CorpusID:21859
3855). Archived (https://web.archive.org/web/20150625193124/http://dash.harvard.edu/bitstre
am/handle/1/4728406/Vadhan_StatZeroKnow.pdf?sequence=2) (PDF) from the original on
2015-06-25.
9. Groth, J; Kohlweiss, M (14 April 2015). "One-Out-of-Many Proofs: Or How to Leak a Secret
and Spend a Coin". Annual International Conference on the Theory and Applications of
Cryptographic Techniques. Lecture Notes in Computer Science. Berlin, Heidelberg:
EUROCRYPT 2015. 9057: 253–280. doi:10.1007/978-3-662-46803-6_9 (https://doi.org/10.100
7%2F978-3-662-46803-6_9). ISBN 978-3-662-46802-9.
10. "Introducing Zero-Knowledge Proofs for Private Web attestation with Cross/Multi-Vendor
Hardware" (https://blog.cloudflare.com/introducing-zero-knowledge-proofs-for-private-web-atte
station-with-cross-multi-vendor-hardware/). The Cloudflare Blog. 2021-08-12. Retrieved
2021-08-18.


11. Goldwasser, S.; Micali, S.; Rackoff, C. (1989), "The knowledge complexity of interactive proof
systems" (http://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Proof%20System
s/The_Knowledge_Complexity_Of_Interactive_Proof_Systems.pdf) (PDF), SIAM Journal on
Computing, 18 (1): 186–208, doi:10.1137/0218012 (https://doi.org/10.1137%2F0218012),
ISSN 1095-7111 (https://www.worldcat.org/issn/1095-7111)
12. Abascal, Jackson; Faghihi Sereshgi, Mohammad Hossein; Hazay, Carmit; Ishai, Yuval;
Venkitasubramaniam, Muthuramakrishnan (2020-10-30). "Is the Classical GMW Paradigm
Practical? The Case of Non-Interactive Actively Secure 2PC" (https://doi.org/10.1145/3372297.
3423366). Proceedings of the 2020 ACM SIGSAC Conference on Computer and
Communications Security. CCS '20. Virtual Event, USA: Association for Computing Machinery:
1591–1605. doi:10.1145/3372297.3423366 (https://doi.org/10.1145%2F3372297.3423366).
ISBN 978-1-4503-7089-9.
13. "PPPL and Princeton demonstrate novel technique that may have applicability to future
nuclear disarmament talks - Princeton Plasma Physics Lab" (http://www.pppl.gov/news/2016/0
9/pppl-and-princeton-demonstrate-novel-technique-may-have-applicability-future-nuclear).
www.pppl.gov.
14. Hellwig, Daniel; Karlic, Goran; Huchzermeier, Arnd (3 May 2020). "Privacy and Anonymity".
Build your own blockchain - A practical guide to distributed ledger technology (https://link.sprin
ger.com/chapter/10.1007/978-3-030-40142-9_5). SpringerLink. p. 112. doi:10.1007/978-3-030-
40142-9_5 (https://doi.org/10.1007%2F978-3-030-40142-9_5). ISBN 9783030401429.
Retrieved 3 December 2020.
15. Hurst, Samantha. "Zcoin Announces Rebranding to New Name & Ticker "Firo" " (https://web.ar
chive.org/web/20201101141745/https://www.crowdfundinsider.com/2020/10/168504-zcoin-ann
ounces-rebranding-to-new-name-ticker-firo/). Crowdfund Insider. Archived from the original (htt
ps://www.crowdfundinsider.com/2020/10/168504-zcoin-announces-rebranding-to-new-name-ti
cker-firo/) on 30 October 2020. Retrieved 4 November 2020.
16. Bonneau, J; Miller, A; Clark, J; Narayanan, A (2015). "SoK: Research Perspectives and
Challenges for Bitcoin and Cryptocurrencies" (https://ieeexplore.ieee.org/document/7163021).
2015 IEEE Symposium on Security and Privacy. San Jose, California: 104–121.
17. Ben-Sasson, Eli; Chiesa, Alessandro; Garman, Christina; Green, Matthew; Miers, Ian; Tromer,
Eran; Virza, Madars (18 May 2014). "Zerocash: Decentralized Anonymous Payments from
Bitcoin" (http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf) (PDF). IEEE.
Retrieved 26 January 2016.
18. Orcutt, Mike. "A mind-bending cryptographic trick promises to take blockchains mainstream" (h
ttps://www.technologyreview.com/s/609448/a-mind-bending-cryptographic-trick-promises-to-ta
ke-blockchains-mainstream). MIT Technology Review. Retrieved 2017-12-18.
19. Bünz, B; Bootle, D; Boneh, A (2018). "Bulletproofs: Short Proofs for Confidential Transactions
and More" (https://ieeexplore.ieee.org/document/8418611). IEEE Symposium on Security and
Privacy. San Francisco, California: 315–334. doi:10.1109/SP.2018.00020 (https://doi.org/10.11
09%2FSP.2018.00020). ISBN 978-1-5386-4353-2. S2CID 3337741 (https://api.semanticschola
r.org/CorpusID:3337741). Retrieved 3 December 2020.
20. Odendaal, Hansie; Sharrock, Cayle; Heerden, SW. "Bulletproofs and Mimblewimble" (https://w
eb.archive.org/web/20200929160834/https://tlu.tarilabs.com/cryptography/bulletproofs-and-mi
mblewimble/MainReport.html). Tari Labs University. Archived from the original (https://tlu.tarila
bs.com/cryptography/bulletproofs-and-mimblewimble/MainReport.html#current-and-past-effort
s) on 29 September 2020. Retrieved 3 December 2020.
21. Andrew, Munro (30 July 2019). "Zcoin cryptocurrency introduces zero knowledge proofs with
no trusted set-up" (https://web.archive.org/web/20190730210721/https://www.finder.com.au/zc
oin-cryptocurrency-introduces-zero-knowledge-proofs-with-no-trusted-setup). Finder Australia.
Archived from the original (https://www.finder.com.au/zcoin-cryptocurrency-introduces-zero-kn
owledge-proofs-with-no-trusted-setup) on 30 July 2019. Retrieved 30 July 2019.


22. Aram, Jivanyan (7 April 2019). "Lelantus: Towards Confidentiality and Anonymity of Blockchain
Transactions from Standard Assumptions" (https://eprint.iacr.org/2019/373). Cryptology ePrint
Archive (Report 373). Retrieved 14 April 2019.
23. Goldreich, Oded (1985). "A zero-knowledge proof that a two-prime moduli is not a Blum
integer". Unpublished Manuscript.
24. Goldreich, Oded; Micali, Silvio; Wigderson, Avi (1991). "Proofs that yield nothing but their
validity". Journal of the ACM. 38 (3): 690–728. CiteSeerX 10.1.1.420.1478 (https://citeseerx.ist.
psu.edu/viewdoc/summary?doi=10.1.1.420.1478). doi:10.1145/116825.116852 (https://doi.org/
10.1145%2F116825.116852). S2CID 2389804 (https://api.semanticscholar.org/CorpusID:2389
804).
25. Russell Impagliazzo, Moti Yung: Direct Minimum-Knowledge Computations. CRYPTO 1987:
40-51
26. Ben-Or, Michael; Goldreich, Oded; Goldwasser, Shafi; Hastad, Johan; Kilian, Joe; Micali,
Silvio; Rogaway, Phillip (1990). "Everything provable is provable in zero-knowledge". In
Goldwasser, S. (ed.). Advances in Cryptology—CRYPTO '88. Lecture Notes in Computer
Science. Vol. 403. Springer-Verlag. pp. 37–56.
27. Ben-or, M.; Goldwasser, Shafi; Kilian, J.; Wigderson, A. (1988). "Multi prover interactive proofs:
How to remove intractability assumptions" (http://theory.lcs.mit.edu/~cis/pubs/shafi/1988-stoc-b
gkw.pdf) (PDF). Proceedings of the 20th ACM Symposium on Theory of Computing: 113–121.
28. Dwork, Cynthia; Naor, Moni; Sahai, Amit (2004). "Concurrent Zero Knowledge". Journal of the
ACM. 51 (6): 851–898. CiteSeerX 10.1.1.43.716 (https://citeseerx.ist.psu.edu/viewdoc/summar
y?doi=10.1.1.43.716). doi:10.1145/1039488.1039489 (https://doi.org/10.1145%2F1039488.103
9489). S2CID 52827731 (https://api.semanticscholar.org/CorpusID:52827731).
29. Feige, Uriel; Shamir, Adi (1990). Witness Indistinguishable and Witness Hiding Protocols.
Proceedings of the Twenty-second Annual ACM Symposium on Theory of Computing (STOC).
pp. 416–426. CiteSeerX 10.1.1.73.3911 (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=1
0.1.1.73.3911). doi:10.1145/100216.100272 (https://doi.org/10.1145%2F100216.100272).
ISBN 978-0897913614. S2CID 11146395
(https://api.semanticscholar.org/CorpusID:11146395).
30. Mouris, Dimitris; Tsoutsos, Nektarios Georgios (2021). "Zilch: A Framework for Deploying
Transparent Zero-Knowledge Proofs" (https://ieeexplore.ieee.org/document/9410618). IEEE
Transactions on Information Forensics and Security. 16: 3269–3284.
doi:10.1109/TIFS.2021.3074869 (https://doi.org/10.1109%2FTIFS.2021.3074869). ISSN 1556-
6021 (https://www.worldcat.org/issn/1556-6021).
31. Parno, B.; Howell, J.; Gentry, C.; Raykova, M. (May 2013). "Pinocchio: Nearly Practical
Verifiable Computation". 2013 IEEE Symposium on Security and Privacy: 238–252.
doi:10.1109/SP.2013.47 (https://doi.org/10.1109%2FSP.2013.47).
32. Costello, Craig; Fournet, Cedric; Howell, Jon; Kohlweiss, Markulf; Kreuter, Benjamin; Naehrig,
Michael; Parno, Bryan; Zahur, Samee (May 2015). "Geppetto: Versatile Verifiable
Computation". 2015 IEEE Symposium on Security and Privacy: 253–270.
doi:10.1109/SP.2015.23 (https://doi.org/10.1109%2FSP.2015.23). hdl:20.500.11820/37920e55-
65aa-4a42-b678-ef5902a5dd45 (https://hdl.handle.net/20.500.11820%2F37920e55-65aa-4a42
-b678-ef5902a5dd45).
33. Ben-Sasson, Eli; Chiesa, Alessandro; Genkin, Daniel; Tromer, Eran; Virza, Madars (2013).
"SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge". Advances
in Cryptology – CRYPTO 2013: 90–108. doi:10.1007/978-3-642-40084-1_6 (https://doi.org/10.
1007%2F978-3-642-40084-1_6). hdl:1721.1/87953 (https://hdl.handle.net/1721.1%2F87953).
34. Wahby, Riad S.; Setty, Srinath; Ren, Zuocheng; Blumberg, Andrew J.; Walfish, Michael (2015).
"Efficient RAM and Control Flow in Verifiable Outsourced Computation". Proceedings 2015
Network and Distributed System Security Symposium. doi:10.14722/ndss.2015.23097 (https://
doi.org/10.14722%2Fndss.2015.23097).


35. Eberhardt, Jacob; Tai, Stefan (July 2018). "ZoKrates - Scalable Privacy-Preserving Off-Chain
Computations". 2018 IEEE International Conference on Internet of Things (iThings) and IEEE
Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social
Computing (CPSCom) and IEEE Smart Data (SmartData): 1084–1091.
doi:10.1109/Cybermatics_2018.2018.00199 (https://doi.org/10.1109%2FCybermatics_2018.20
18.00199).
36. Kosba, Ahmed; Papamanthou, Charalampos; Shi, Elaine (May 2018). "xJsnark: A Framework
for Efficient Verifiable Computation" (https://doi.org/10.1109%2FSP.2018.00018). 2018 IEEE
Symposium on Security and Privacy (SP): 944–961. doi:10.1109/SP.2018.00018 (https://doi.or
g/10.1109%2FSP.2018.00018).
37. Zhang, Yupeng; Genkin, Daniel; Katz, Jonathan; Papadopoulos, Dimitrios; Papamanthou,
Charalampos (May 2018). "vRAM: Faster Verifiable RAM with Program-Independent
Preprocessing" (https://doi.org/10.1109%2FSP.2018.00013). 2018 IEEE Symposium on
Security and Privacy (SP): 908–925. doi:10.1109/SP.2018.00013 (https://doi.org/10.1109%2FS
P.2018.00013).
38. Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (20 August 2014).
"Succinct non-interactive zero knowledge for a von Neumann architecture" (https://www.useni
x.org/conference/usenixsecurity14/technical-sessions/presentation/ben-sasson). Proceedings
of the 23rd USENIX conference on Security Symposium. USENIX Association: 781–796.
39. Kosba, Ahmed; Papadopoulos, Dimitrios; Papamanthou, Charalampos; Song, Dawn (2020).
"MIRAGE: Succinct Arguments for Randomized Algorithms with Applications to Universal zk-
SNARKs" (https://eprint.iacr.org/2020/278).
40. Maller, Mary; Bowe, Sean; Kohlweiss, Markulf; Meiklejohn, Sarah (6 November 2019). "Sonic:
Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference
Strings" (https://doi.org/10.1145/3319535.3339817). Proceedings of the 2019 ACM SIGSAC
Conference on Computer and Communications Security. Association for Computing
Machinery: 2111–2128. doi:10.1145/3319535.3339817 (https://doi.org/10.1145%2F3319535.33
39817). hdl:20.500.11820/739b94f1-54f0-4ec3-9644-3c95eea1e8f5 (https://hdl.handle.net/20.5
00.11820%2F739b94f1-54f0-4ec3-9644-3c95eea1e8f5).
41. Chiesa, Alessandro; Hu, Yuncong; Maller, Mary; Mishra, Pratyush; Vesely, Noah; Ward,
Nicholas (2020). "Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS" (http
s://link.springer.com/chapter/10.1007/978-3-030-45721-1_26). Advances in Cryptology –
EUROCRYPT 2020. Springer International Publishing: 738–768. doi:10.1007/978-3-030-
45721-1_26 (https://doi.org/10.1007%2F978-3-030-45721-1_26).
42. Gabizon, Ariel; Williamson, Zachary J.; Ciobotaru, Oana (2019). "PLONK: Permutations over
Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge" (https://eprint.iacr.o
rg/2019/953).
43. Bünz, Benedikt; Fisch, Ben; Szepieniec, Alan (2020). "Transparent SNARKs from DARK
Compilers" (https://link.springer.com/chapter/10.1007/978-3-030-45721-1_24). Advances in
Cryptology – EUROCRYPT 2020. Springer International Publishing: 677–706.
doi:10.1007/978-3-030-45721-1_24 (https://doi.org/10.1007%2F978-3-030-45721-1_24).
44. Bunz, Benedikt; Bootle, Jonathan; Boneh, Dan; Poelstra, Andrew; Wuille, Pieter; Maxwell,
Greg (May 2018). "Bulletproofs: Short Proofs for Confidential Transactions and More" (https://d
oi.org/10.1109%2FSP.2018.00020). 2018 IEEE Symposium on Security and Privacy (SP):
315–334. doi:10.1109/SP.2018.00020 (https://doi.org/10.1109%2FSP.2018.00020).
45. Wahby, Riad S.; Tzialla, Ioanna; Shelat, Abhi; Thaler, Justin; Walfish, Michael (May 2018).
"Doubly-Efficient zkSNARKs Without Trusted Setup" (https://doi.org/10.1109%2FSP.2018.0006
0). 2018 IEEE Symposium on Security and Privacy (SP): 926–943.
doi:10.1109/SP.2018.00060 (https://doi.org/10.1109%2FSP.2018.00060).
46. Bowe, Sean; Grigg, Jack; Hopwood, Daira (2019). "Recursive Proof Composition without a
Trusted Setup" (https://eprint.iacr.org/2019/1021).


47. Zhang, Jiaheng; Xie, Tiancheng; Zhang, Yupeng; Song, Dawn (May 2020). "Transparent
Polynomial Delegation and Its Applications to Zero Knowledge Proof" (https://ieeexplore.ieee.o
rg/document/9152704). 2020 IEEE Symposium on Security and Privacy (SP): 859–876.
doi:10.1109/SP40000.2020.00052 (https://doi.org/10.1109%2FSP40000.2020.00052).
48. Ames, Scott; Hazay, Carmit; Ishai, Yuval; Venkitasubramaniam, Muthuramakrishnan (30
October 2017). "Ligero: Lightweight Sublinear Arguments Without a Trusted Setup" (https://dl.a
cm.org/doi/10.1145/3133956.3134104). Proceedings of the 2017 ACM SIGSAC Conference on
Computer and Communications Security. Association for Computing Machinery: 2087–2104.
doi:10.1145/3133956.3134104 (https://doi.org/10.1145%2F3133956.3134104).
49. Ben-Sasson, Eli; Chiesa, Alessandro; Riabzev, Michael; Spooner, Nicholas; Virza, Madars;
Ward, Nicholas P. (2019). "Aurora: Transparent Succinct Arguments for R1CS" (https://link.spri
nger.com/chapter/10.1007%2F978-3-030-17653-2_4). Advances in Cryptology –
EUROCRYPT 2019. Springer International Publishing: 103–128. doi:10.1007/978-3-030-
17653-2_4 (https://doi.org/10.1007%2F978-3-030-17653-2_4).
50. Ben-Sasson, Eli; Bentov, Iddo; Horesh, Yinon; Riabzev, Michael (2019). "Scalable Zero
Knowledge with No Trusted Setup" (https://link.springer.com/chapter/10.1007/978-3-030-2695
4-8_23). Advances in Cryptology – CRYPTO 2019. Springer International Publishing: 701–
732. doi:10.1007/978-3-030-26954-8_23 (https://doi.org/10.1007%2F978-3-030-26954-8_23).
51. "Transparent Zero-Knowledge Proofs With Zilch" (https://trustworthy-computing.medium.com/tr
ansparent-zero-knowledge-proofs-with-zilch-2031a63fcef3). Medium. 2021.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Zero-knowledge_proof&oldid=1066635197"

This page was last edited on 19 January 2022, at 09:45 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using
this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia
Foundation, Inc., a non-profit organization.
