What Are the Theoretical Foundations of Zero-Knowledge Proofs?
A zero-knowledge proof (ZKP) is a cryptographic protocol between a prover and a verifier. The prover wants to convince the verifier that a particular statement is true - without revealing any of the underlying information that makes it true.
Three properties must hold for a ZK-proof to be valid:
- Completeness: If the statement is true and the prover is honest, the verifier will always be convinced.
- Soundness: If the statement is false, no cheating prover can convince the verifier - except with negligible probability.
- Zero-knowledge: The verifier learns nothing about the witness (the secret underlying the proof) beyond the bare fact that the statement is true.
In blockchain contexts, the statements being proved are computational. The computation is encoded as an arithmetic circuit - a representation of any program as a network of addition and multiplication operations over a finite field. The prover's secret (the witness) is an assignment of values to that circuit that satisfies all constraints.
How Is a Real Program Turned Into a Circuit?
Before any proof can be generated, the computation must be translated from something a developer writes into something a proof system can reason about. This process is called arithmetization, and it is where most of the practical engineering effort in a ZK project actually goes.
Developers typically work in a domain-specific language - Circom, Noir, Cairo, Leo, or a Rust-based framework like Halo2 or arkworks. These languages compile high-level code into a constraint system: a long list of polynomial equations that the witness must satisfy. The two dominant representations are R1CS (Rank-1 Constraint System), used by Groth16 and older SNARKs, and PLONKish arithmetization, used by PLONK, Halo2, and most modern systems. STARKs use a different representation called AIR (Algebraic Intermediate Representation), better suited to repetitive, VM-style computation.
The practical consequence is that not every program is cheap to prove. Branches, variable-length loops, and operations that are natural on a CPU - like bitwise XOR or SHA-256 - can be extremely expensive inside a circuit. A single SHA-256 hash can cost tens of thousands of constraints. Circuit design is therefore a discipline in its own right, and poorly arithmetized code is the most common reason ZK systems underperform in production.
Why Do zk-SNARKs Require a Trusted Ceremony?
zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) are the dominant family of ZKPs in production blockchain systems. They are succinct (proofs are tiny - a few hundred bytes), non-interactive, and fast to verify.
The tradeoff is that most SNARK constructions require a trusted setup - a one-time cryptographic ceremony that generates the parameters the prover and verifier use. If the randomness from this ceremony, often referred to as toxic waste, is not properly destroyed, a malicious participant could forge proofs for false statements. In practice, this risk is mitigated through multi-party computation ceremonies in which the parameters are secure as long as at least one participant is honest.
Which SNARK Implementations Are Used in Production?
Groth16 is the most battle-tested SNARK in production. Its proofs consist of just three elliptic curve group elements - the smallest proofs of any known system - making on-chain verification extremely gas-efficient. It requires a circuit-specific trusted ceremony, meaning a new ceremony is needed for each new program being proved.
PLONK introduced a universal trusted setup: a single ceremony whose parameters can be reused for any circuit up to a certain size. This dramatically reduces operational overhead when deploying new circuits. PLONK also supports custom gates, making it more flexible than Groth16 for general-purpose proving.
Halo2 eliminates the trusted setup requirement entirely by using the Inner Product Argument (IPA) as its commitment scheme, together with a recursive proof composition technique that allows proofs to verify other proofs. It is the basis of Zcash's Orchard shielded pool and the Scroll zkEVM.
What Is a Polynomial Commitment Scheme, and Why Does It Matter?
Underneath every modern SNARK sits a polynomial commitment scheme - the cryptographic primitive that actually carries most of the system's cost, security, and tradeoffs. The prover commits to large polynomials representing the circuit's execution, and later proves specific evaluations of those polynomials without revealing them.
Three schemes dominate the landscape:
- KZG, used by Groth16 and PLONK, produces very small proofs and has fast verification, but requires a trusted setup and relies on elliptic curve pairings.
- IPA (Inner Product Argument), used by Halo2 and Bulletproofs, needs no trusted setup, but proofs are larger and verification is slower.
- FRI, used by STARKs, relies only on hash functions. It is transparent and post-quantum secure, but produces the largest proofs of the three.
The choice of commitment scheme is effectively the choice of the entire proof system's personality. It determines whether the system needs a ceremony, how large proofs are, how expensive on-chain verification is, and whether the system survives the arrival of quantum computers.
How Do zk-STARKs Avoid a Trusted Setup?
zk-STARKs (Scalable Transparent ARguments of Knowledge) rely exclusively on collision-resistant hash functions - a more conservative cryptographic assumption.
The key properties:
- Transparent: No trusted setup of any kind. All parameters are public and verifiable.
- Scalable: Prover time scales quasi-linearly with computation size, and verification time scales polylogarithmically.
- Larger proofs: STARK proofs are tens to hundreds of kilobytes - significantly larger than SNARK proofs - which increases on-chain verification costs.
- Post-quantum secure: STARKs are not vulnerable to quantum algorithms that break elliptic curve cryptography.
What Does Proving Actually Cost?
Succinct verification hides an asymmetry that shapes every production deployment: proving is expensive, verification is cheap. A Groth16 proof can be verified on-chain in milliseconds for a few hundred thousand gas, but generating that same proof may take seconds to minutes on a powerful server, and can consume tens of gigabytes of RAM for large circuits.
This asymmetry drives real infrastructure decisions. Proving is often offloaded to specialized hardware - GPUs for general-purpose SNARKs, and increasingly FPGAs and dedicated ASICs for high-throughput systems like zk-rollups. Decentralized proving networks (such as those used by some rollups and coprocessors) split the work across many machines. The cost of a single proof ranges from fractions of a cent for small circuits to several dollars for a full zkEVM block.
For developers, the practical takeaway is that ZK is not "free privacy" or "free verification". Every feature added to a circuit has a measurable cost in prover time, memory, and electricity.
Why Is Recursion a Turning Point?
A proof system that can verify its own proofs inside another proof unlocks a qualitatively different design space. This is called recursive proof composition, and it is the technique behind most modern scaling systems.
With recursion, a single short proof can attest to the correctness of thousands of earlier proofs, or to an entire chain of state transitions. This is how zk-rollups compress a full block of Ethereum transactions into one proof that settles on L1, and how systems like Mina Protocol maintain a constant-size blockchain regardless of history length. Halo2 and Nova-style folding schemes have made recursion dramatically cheaper in the last few years, turning it from an exotic research technique into a standard building block.
Where Are ZK Proofs Actually Used Today?
The production use cases fall into a few clear categories:
- Scaling: zk-rollups such as zkSync, Scroll, Polygon zkEVM, and Starknet use proofs to compress L2 execution into L1-verifiable commitments.
- Privacy: Systems like Zcash, Aztec, and Tornado Cash-style mixers hide transaction details while preserving public verifiability of the rules.
- Identity and compliance: Selective disclosure (proving age, residency, or KYC status without revealing the underlying documents) is an active area, particularly around standards like EU's eIDAS 2.0 and zkPassport-style systems.
- Verifiable computation: Off-chain computation - oracles, machine learning inference, database queries - can be proved correct and verified cheaply on-chain.
What Should a Team Consider Before Choosing a ZK Stack?
There is no universally best proof system. The right choice depends on a handful of concrete questions: Is on-chain verification cost the main constraint, or prover latency? Is post-quantum security a hard requirement? Is a trusted setup operationally acceptable? How often will the circuit change? Does the team need recursion, and at what depth?
Groth16 remains unbeatable for fixed, high-volume circuits where gas cost dominates. PLONK and Halo2 are the default choices for general-purpose proving and evolving circuits. STARKs win where transparency, post-quantum security, or massive computation scale matter more than proof size. In practice, many production systems combine multiple proof systems - for example, generating STARK proofs for heavy computation and wrapping them in a SNARK for cheap on-chain verification.
The mathematical veil is thinner than it first appears. Behind it is a set of engineering tradeoffs - arithmetization, commitment schemes, setup assumptions, prover costs, and recursion - that determine whether a ZK system is a research curiosity or a production-grade piece of infrastructure.
FAQ: Understanding Proof Systems and the Trusted Ceremony
What is a "Trusted Ceremony" and why is it critical for security?
The Trusted Ceremony (also known as the Setup Phase) is the process of generating the cryptographic parameters needed to create and verify SNARK proofs. If this process is compromised or the input data is not destroyed, the system becomes vulnerable to forged proofs. Understanding this risk is vital when choosing a ZK architecture.
What exactly is "Toxic Waste"?
This is a technical term for the secret random values used during a Trusted Ceremony. If these values survive after the ceremony is complete, whoever possesses them could create tokens out of thin air or forge transactions in systems like Groth16. This is why Multi-Party Computation (MPC) is used: as long as at least one participant is honest and destroys their part, the system is secure.
Why are newer systems like PLONK or STARK moving away from specific ceremonies?
ZK engineering is evolving toward eliminating trust assumptions. PLONK introduced a universal setup that is performed once for many applications, reducing operational risk. STARKs go a step further by being "transparent," meaning they require no ceremony at all, making them immune to human errors during system initialization.
Does the choice between SNARK and STARK affect on-chain costs?
Yes. While STARKs offer higher security (no ceremony, post-quantum resistance), they produce much larger proofs. This results in higher L1 gas costs for verification. Choosing a proof system is always an engineering tradeoff between cost, speed, and trust assumptions.
Build Secure Zero-Knowledge Infrastructure with Neti
Implementing Zero-Knowledge Proofs is not just about choosing an algorithm; it is about precise security engineering. Whether you are implementing the battle-tested Groth16 model or transitioning to fully transparent STARKs, Neti provides the expertise required to manage a secure Trusted Ceremony and eliminate the risk of Toxic Waste.
Secure your infrastructure against architectural vulnerabilities. Our team helps you design and audit ZK solutions that protect your assets and ensure the highest standards of on-chain privacy.
Contact Neti Today for a Privacy Infrastructure Audit
