Original title: ArkStream Capital: Milestones of Zero-Knowledge Proof Technology Development in the Past Forty Years

Original author: Ren, ArkStream Capital

Abstract

Zero-knowledge proof (ZKP) is widely regarded as one of the most important technological innovations in the blockchain field since distributed ledger technology, and it is also a key area of venture capital. This paper systematically reviews the historical literature and latest research on zero-knowledge proof technology in the past forty years.

First, the basic concepts and historical background of zero-knowledge proof are introduced. Then, the circuit-based zero-knowledge proof technology is analyzed, including the design, application and optimization methods of models such as zkSNARK, Ben-Sasson, Pinocchio, Bulletproofs and Ligero. In the field of computing environment, this paper introduces ZKVM and ZKEVM, and discusses how they can improve transaction processing capabilities, protect privacy and improve verification efficiency. The article also introduces the working mechanism and optimization methods of zero-knowledge Rollup (ZK Rollup) as a Layer 2 expansion solution, as well as the latest progress in hardware acceleration, hybrid solutions, and dedicated ZK EVM.

Finally, this article looks forward to emerging concepts such as ZKCoprocessor, ZKML, ZKThreads, ZK Sharding, and ZK StateChannels, and explores their potential in blockchain scalability, interoperability, and privacy protection.

By analyzing these latest technologies and development trends, this article provides a comprehensive perspective for understanding and applying zero-knowledge proof technology, demonstrating its great potential in improving the efficiency and security of blockchain systems, and providing an important reference for future investment decisions.

Foreword

Today, as the Internet is entering the Web3 era, blockchain applications (DApps) are developing rapidly, with new applications emerging almost every day. In recent years, blockchain platforms have hosted millions of users' activities and processed billions of transactions every day. The large amount of data generated by these transactions usually includes sensitive personal information such as user identity, transaction amount, account address and account balance. Given the openness and transparency of blockchain, this stored data is open to everyone, which raises a variety of security and privacy issues.

Currently, there are several cryptographic techniques that can address these challenges, including homomorphic encryption, ring signatures, secure multi-party computation, and zero-knowledge proofs. Homomorphic encryption allows operations to be performed without decrypting ciphertext, which helps to protect the security of account balances and transaction amounts, but cannot protect the security of account addresses. Ring signatures provide a special form of digital signature that can hide the identity of the signer, thereby protecting the security of account addresses, but cannot protect account balances and transaction amounts. Secure multi-party computation allows computing tasks to be distributed among multiple participants without any participant knowing the data of other participants, effectively protecting the security of account balances and transaction amounts, but also cannot protect the security of account addresses. In addition, homomorphic encryption, ring signatures, and secure multi-party computation cannot be used to verify whether the prover has enough transaction amount in a blockchain environment without revealing the transaction amount, account address, and account balance (Sun et al., 2021).

Zero-knowledge proof is a more comprehensive solution. This verification protocol allows the correctness of certain propositions to be verified without revealing any intermediary data (Goldwasser, Micali & Rackoff, 1985). The protocol does not require complex public key facilities, and its repeated implementation does not provide malicious users with the opportunity to obtain additional useful information (Goldreich, 2004). Through ZKP, the verifier is able to verify whether the prover has sufficient transaction amount without revealing any private transaction data. The verification process involves generating a proof containing the transaction amount claimed by the prover, which is then passed to the verifier, who performs a predefined calculation on the proof and produces the final calculation result to conclude whether to accept the prover's statement. If the prover's statement is accepted, it means that they have sufficient transaction amount. The above verification process can be recorded on the blockchain without any falsification (Feige, Fiat & Shamir, 1986).

This feature of ZKP makes it play a core role in blockchain transactions and cryptocurrency applications, especially in terms of privacy protection and network expansion, making it not only the focus of academic research, but also widely regarded as one of the most important technological innovations since the successful implementation of distributed ledger technology, especially Bitcoin. It is also a key track for industry applications and venture capital (Konstantopoulos, 2022).

As a result, many ZKP-based network projects have emerged, such as ZkSync, StarkNet, Mina, Filecoin, and Aleo. As these projects develop, algorithmic innovations about ZKP are endless, and new algorithms are reportedly released almost every week (Lavery, 2024; AdaPulse, 2024). In addition, hardware development related to ZKP technology is also progressing rapidly, including chips optimized for ZKP. For example, projects such as Ingonyama, Irreducible, and Cysic have completed large-scale fundraising, which not only demonstrates the rapid progress of ZKP technology, but also reflects the shift from general-purpose hardware to specialized hardware such as GPUs, FPGAs, and ASICs (Ingonyama, 2023; Burger, 2022).

These developments show that zero-knowledge proof technology is not only an important breakthrough in the field of cryptography, but also a key driving force for the wider application of blockchain technology, especially in improving privacy protection and processing power (Zhou et al, 2022).

Therefore, we decided to systematically organize the relevant knowledge of zero-knowledge proof (ZKP) to better assist us in making future investment decisions. To this end, we comprehensively reviewed the core academic papers related to ZKP (sorted by relevance and number of citations); at the same time, we also analyzed the materials and white papers of the leading projects in this field in detail (sorted by their financing scale). This comprehensive data collection and analysis provides a solid foundation for the writing of this article.

I. Basics of Zero-Knowledge Proof

1. Overview

In 1985, scholars Goldwasser, Micali and Rackoff first proposed Zero-Knowledge Proof (ZKP) and Interactive Zero-Knowledge (IZK) in the paper "The Knowledge Complexity of Interactive Proof-Systems". This paper is the foundation of zero-knowledge proof and defines many concepts that have influenced subsequent academic research. For example, the definition of knowledge is "the output of unfeasible computation", that is, knowledge must be an output and an unfeasible computation, which means that it cannot be a simple function but a complex function. Unfeasible computation can usually be understood as an NP problem, that is, a problem whose solution can be verified in polynomial time. Polynomial time means that the running time of the algorithm can be expressed as a polynomial function of the input size. This is an important criterion for measuring the efficiency and feasibility of an algorithm in computer science. Since the solution process of NP problems is complex, they are considered infeasible computations; but their verification process is relatively simple, so they are very suitable for zero-knowledge proof verification (Goldwasser, Micali & Rackoff, 1985).

A classic example of NP problems is the traveling salesman problem, in which the shortest path to visit a series of cities and return to the starting point is found. Although finding the shortest path may be difficult, given a path, it is relatively easy to verify whether this path is the shortest. Because verifying the total distance of a specific path can be completed in polynomial time.

Goldwasser et al. introduced the concept of "knowledge complexity" in their paper to quantify the amount of knowledge leaked by the prover to the verifier in an interactive proof system. They also proposed an interactive proof system (IPS), in which the prover and the verifier prove the authenticity of a statement through multiple rounds of interaction (Goldwasser, Micali & Rackoff, 1985).

In summary, the definition of zero-knowledge proof summarized by Goldwasser et al. is a special interactive proof in which the verifier does not obtain any additional information except the truth value of the statement during the verification process; and three basic characteristics are proposed, including:

1. Completeness: the fact that an honest prover can convince an honest verifier if the argument is true;

2. Soundness: if the prover does not know the content of the statement, he can only deceive the verifier with a negligible probability;

3. Zero-knowledge: after the proof process is completed, the verifier only obtains the information that "the prover has this knowledge" and cannot obtain any additional content (Goldwasser, Micali & Rackoff, 1985).

2. Zero-knowledge proof example

To better understand zero-knowledge proofs and their properties, the following is an example of verifying whether the prover has some private information. The example is divided into three stages: setup, challenge, and response.

Step 1: Setup

In this step, the prover's goal is to create a proof that he knows some secret number s, but without revealing s directly. Let secret number;

Choose two large prime numbers p and q, and compute their product  . Let prime numbers   and, computed;

Compute, here, v is sent to the verifier as part of the proof, but it is not enough for the verifier or any bystander to infer s. ;

Choose a random integer r, compute   and send it to the verifier. This value x is used in the subsequent verification process, but again does not reveal s. Let random integer, computed.

Step 2: Challenge

The verifier randomly selects a bit a (can be 0 or 1) and sends it to the prover. This "challenge" determines the next steps the prover needs to take.

Step 3: Response

According to the value of a sent by the verifier, the prover responds:

If, the prover sends (here r is the number he randomly selected before).

If, the prover calculates and sends it. Let the random bit sent by the verifier, according to the value of a, the prover calculates;

Finally, the verifier verifies whether is equal to according to the received g. If the equality is established, the verifier accepts the proof. When , the verifier calculates the verifier calculates, and the right side verifies  ; When  , the verifier calculates the verifier calculates, and the right side verifies.

Here, we see that the verifier calculated that the prover successfully passed the verification process without revealing his secret number s. Here, since a can only be 0 or 1, there are only two possibilities, the probability of the prover passing the verification by luck (when a is 0). But the verifier then challenges the prover again, and the prover keeps changing the relevant numbers and submitting them to the verifier, and can always successfully pass the verification process. In this way, the probability of the prover passing the verification by luck is (infinitely close to 0), and the conclusion that the prover does know a secret number s is proved. This example proves the integrity, reliability and zero-knowledge of the zero-knowledge proof system (Fiat & Shamir, 1986).

2. Non-interactive zero-knowledge proof

1. Background

Zero-knowledge proof (ZKP) is usually an interactive and online protocol in the traditional concept; for example, the Sigma protocol usually requires three to five rounds of interaction to complete the authentication (Fiat & Shamir, 1986). However, in scenarios such as instant transactions or voting, there is often no opportunity for multiple rounds of interaction, especially in blockchain technology applications, offline verification functions are particularly important (Sun et al., 2021).

2. NIZK proposal

In 1988, Blum, Feldman and Micali first proposed the concept of non-interactive zero-knowledge (NIZK) proof, proving the possibility that the prover and the verifier can complete the authentication process without multiple rounds of interaction. This breakthrough makes instant transactions, voting, and blockchain applications feasible (Blum, Feldman & Micali, 1988).

They proposed that non-interactive zero-knowledge proofs (NIZK) can be divided into three stages:

1. Setup

2. Computation

3. Verification

The setup stage uses a computation function to convert security parameters into public knowledge (available to both the prover and the verifier), usually encoded in a common reference string (CRS). This is how proofs are computed and verified using the correct parameters and algorithms.

The computation stage uses a computation function, input, and proof key, and outputs the computation result and proof.

In the verification stage, the validity of the proof is verified by the verification key.

The common reference string (CRS) model they proposed is based on all participants sharing a string to implement non-interactive zero-knowledge proofs for NP problems. The operation of this model relies on the trusted generation of the CRS, where all participants must have access to the same string. Schemes implemented in this model are secure only if the CRS is generated correctly and securely. Although such schemes are generally simple to implement and have small proof sizes, they are challenging to set up, as the generation of CRSs can be complex and time-consuming for a large number of participants (Blum, Feldman & Micali, 1988).

Subsequently, NIZK technology has experienced rapid development, and a variety of methods have emerged to transform interactive zero-knowledge proofs into non-interactive proofs. These methods differ in the construction of the system or the assumptions of the underlying encryption model.

3.Fiat-Shamir Transformation

Fiat-Shamir Transformation, also known as Fiat-ShamirHeurisitc (heuristic), or Fiat-Shamir Paradigm (paradigm); proposed by Fiat and Shamir in 1986, is a method that can transform interactive zero-knowledge proofs into non-interactive ones. This method reduces the number of interactions by introducing hash functions, and relies on security assumptions to ensure the authenticity of the proof and its difficult-to-forge properties. Fiat-Shamir Transformation uses public cryptographic hash functions to replace some randomness and interactivity, and its output can be regarded as CRS to some extent. Although this protocol is considered secure in the random oracle model, it relies on the assumption that the output of the hash function is uniformly random and independent of different inputs (Fiat & Shamir, 1986). Canetti, Goldreich, and Halevi's research in 2003 showed that although this assumption holds in theoretical models, it may encounter challenges in practical applications and therefore has the risk of failure when used (Canetti, Goldreich & Halevi, 2003). Micali later improved this method by compressing multiple rounds of interaction into a single round, further simplifying the interaction process (Micali, 1994).

4. Jens Groth and his research

Jens Groth's subsequent research has greatly promoted the application of zero-knowledge proofs in cryptography and blockchain technology. In 2005, he, Ostrovsky, and Sahai jointly proposed the first perfect non-interactive zero-knowledge proof system applicable to any NP language, which can guarantee universal combinatorial security (UC) even in the face of dynamic/adaptive adversaries. In addition, they used the number theory complexity assumption to design a concise and efficient non-interactive zero-knowledge proof system, which significantly reduced the size of CRS and proof (Groth & Sahai, 2005).

In 2007, Groth, Cramer and Damgård began to commercialize these technologies. Through experimental verification, their public key encryption and signature schemes have significantly improved efficiency and security, although these schemes are based on the assumption of bilinear groups (Groth & Sahai, 2007). In 2011, Groth further explored how to combine fully homomorphic encryption with non-interactive zero-knowledge proofs, and proposed a scheme to reduce communication overhead, so that the size of NIZK is consistent with the witness size of the proof (Groth, 2011). In the following years, he and other researchers have further studied pairing-based techniques, providing compact and efficient non-interactive proofs for large-scale claims, although these proofs still do not leave the bilinear group framework (Bayer & Groth, 2012; Groth, Kohlweiss & Pintore, 2016; Bootle, Cerulli, Chaidos, Groth & Petit, 2015; Groth, Ostrovsky & Sahai, 2012; Groth & Maller, 2017).

5. Other Research

In specific application scenarios, non-interactive zero-knowledge proofs for specific verifiers have shown their unique practical value. For example, Cramer and Shoup used a public key encryption scheme developed based on a method based on a universal hash function to effectively resist selected ciphertext attacks in 1998 and 2002. In addition, in the key registration model, a new non-interactive zero-knowledge proof method was successfully developed, which is applicable to solving all NP-class problems. The key is that participants need to register their own keys for subsequent verification (Cramer & Shou, 1998, 2002).

In addition, Damgård, Fazio, and Nicolosi proposed a new method to improve the existing Fiat-Shamir transformation in 2006, allowing non-interactive zero-knowledge proofs without direct interaction. In their method, the verifier first needs to register a public key to prepare for subsequent encryption operations. The prover uses additive homomorphic encryption to operate on the data without knowing it, generating encrypted information containing the answer as a response to the challenge. The security of this method is based on the "complexity leverage hypothesis", which holds that certain computational problems that are considered difficult to solve may be solved for adversaries with extraordinary computing resources (Damgård, Fazio & Nicolosi, 2006).

The concept of "weakly attributable reliability" proposed by Ventre and Visconti in 2009 is an alternative to this hypothesis, requiring that when an adversary presents a false proof, he must not only be aware of its falsity, but also know how he successfully fabricated this false evidence. This requirement significantly increases the difficulty of deception because the adversary must clearly identify his means of deception. In practice, an adversary using this concept needs to provide a specific proof containing ciphertext information for a specified verifier. It is difficult to complete the proof without the private key of the verifier, so that when the adversary attempts to forge a proof, his behavior is exposed through detection (Ventre and Visconti, 2009).

The Unruh transform is an alternative to the Fiat-Shamir transform proposed in 2015. The Fiat-Shamir method is generally not safe against quantum computation and can produce insecure schemes for some protocols (Unruh, 2015). In contrast, the Unruh transform provides non-interactive zero-knowledge proofs (NIZKs) that are provably secure against quantum adversaries for any interactive protocol in the random oracle model (ROM). Similar to the Fiat-Shamir method, the Unruh transform does not require additional setup steps (Ambainis, Rosmanis & Unruh, 2014).

In addition, Kalai et al. proposed an argumentation system for arbitrary decision problems based on private information retrieval technology. This method adopts the multi-prover interactive proof system (MIP) model and converts MIP into an argumentation system through the method of Aiello et al. This construction runs in the standard model and does not rely on the random oracle assumption. This method has been applied to some zero-knowledge arguments based on "Proofs-for-Muggles" (Kalai, Raz & Rothblum, 2014).

Based on these technologies, non-interactive zero-knowledge proofs (NIZK) have been widely used in various fields that require high security and privacy protection, such as financial transactions, electronic voting, and blockchain technology. By reducing the number of interactions and optimizing the proof generation and verification process, NIZK not only improves the efficiency of the system, but also enhances security and privacy protection capabilities. In the future, as these technologies are further developed and improved, we can expect NIZK to play an important role in more fields, providing a solid technical foundation for more secure and efficient information processing and transmission (Partala, Nguyen & Pirttikangas, 2020).

III. Circuit-based zero-knowledge proof

1. Background

In the field of cryptography, the traditional Turing machine model shows certain limitations, especially when dealing with highly parallelized and specific types of computing tasks (such as large-scale matrix operations). The Turing machine model requires a complex memory management mechanism to simulate an infinitely long paper tape and is not suitable for directly expressing parallel computing and pipeline operations. In contrast, the circuit model, with its unique computing structure advantages, is more suitable for certain specific cryptographic processing tasks (Chaidos, 2017). This article will discuss in detail Zero-Knowledge Proof Systems Based on Circuit Models, which place special emphasis on using circuits (usually arithmetic circuits or Boolean circuits) to express and verify the computational process.

2. Basic concepts and characteristics of circuit models

In circuit-based computational models, a circuit is defined as a special computational model that can convert any computational process into a series of gates and connections that perform specific logical or arithmetic operations. Specifically, circuit models are divided into two main categories:

Arithmetic circuits: Mainly composed of addition and multiplication gates, used to process elements on finite fields. Arithmetic circuits are suitable for performing complex numerical operations and are widely used in encryption algorithms and numerical analysis.

Logic circuit: It is composed of basic logic gates such as AND gate, OR gate, NOT gate, etc., and is used to process Boolean operations. Logic circuits are suitable for performing simple judgment logic and binary calculations, and are often used to implement various control systems and simple data processing tasks (Chaidos, 2017).

3. Circuit design and application in zero-knowledge proof

In a zero-knowledge proof system, the process of circuit design involves expressing the problem to be proved as a circuit. This process requires a lot of "reverse thinking" to design zk circuits: "If the claimed output of a calculation is true, the output must meet certain requirements. If these requirements are difficult to model with only addition or multiplication, we require the prover to do additional work so that we can more easily model these requirements." The design process usually follows the following steps (Chaidos, 2017):

Problem representation: First, convert the problem to be proved, such as the calculation process of a cryptographic hash function, into the form of a circuit. This includes breaking down the computational steps into basic units in the circuit, such as gates and wires.

Circuit optimization: Through technical means such as gate merging and constant folding, the circuit design is optimized to reduce the number of gates and computational steps required, thereby improving the operating efficiency and response speed of the system.

Convert to polynomial representation: To adapt to zero-knowledge proof technology, the optimized circuit is further converted to polynomial form. Each circuit element and connection corresponds to a specific polynomial constraint.

Generate a common reference string (CRS): During the system initialization phase, a public reference string including a proof key and a verification key is generated for use in the subsequent proof generation and verification process.

Proof generation and verification: The prover performs calculations on the circuit based on its private input and CRS to generate a zero-knowledge proof. The verifier can verify the correctness of the proof based on the public circuit description and CRS without knowing the prover's private information (Chaidos, 2017).

Zero-knowledge proof circuit design involves converting a specific computational process into a circuit representation and ensuring the accuracy of the computational results by constructing polynomial constraints while avoiding leaking any additional personal information. In circuit design, the key task is to optimize the structure of the circuit and generate an effective polynomial representation in order to improve the efficiency of proof generation and verification. Through these steps, zero-knowledge proof technology can verify the correctness of the calculation without leaking additional information, ensuring that the dual needs of privacy protection and data security are met (Chaidos, 2017).

4. Potential defects and challenges

Disadvantages include:

1. Circuit complexity and scale: Complex calculations require large circuits, resulting in a significant increase in the computational cost of proof generation and verification, especially when processing large-scale data;

2. Difficulty of optimization: Although technical means (such as gate merging, constant folding, etc.) can optimize circuits, designing and optimizing efficient circuits still requires deep expertise;

3. Adaptability to specific computing tasks: Different computing tasks require different circuit designs, and designing efficient circuits for each specific task may be time-consuming and difficult to promote;

4. Difficulty in implementing encryption algorithms: Implementing complex cryptographic algorithms (such as hash functions or public key encryption) may require a large number of logic gates, making circuit design and implementation difficult;

5. Resource consumption: Large-scale circuits require a lot of hardware resources, which may encounter bottlenecks in actual hardware implementation in terms of power consumption, heat, and physical space (Goldreich, 2004; Chaidos, 2017; Partala, Nguyen & Pirttikangas, 2020; Sun et al., 2021).

Solutions and improvement directions:

1. Circuit compression technology: Reduce the number of required logic gates and computing resources by studying and applying efficient circuit compression technology;

2. Modular design: Improve the reusability and scalability of circuit design by modularizing circuit design, and reduce the workload of redesigning circuits for different tasks;

3. Hardware acceleration: Use dedicated hardware (such as FPGA or ASIC) to accelerate circuit calculation and improve the overall performance of zero-knowledge proof (Goldreich, 2004; Chaidos, 2017; Partala, Nguyen & Pirttikangas, 2020; Sun et al., 2021).

IV. Zero-knowledge proof model

1. Background

Circuit-based zero-knowledge proofs have poor versatility and require the development of new models and algorithms for specific problems. There are a variety of high-level language compilers and low-level circuit combination tools to generate circuits and design algorithms. The conversion of related calculations can be completed by manual circuit construction tools or automatic compilers. Manual conversion usually produces more optimized circuits, while automatic conversion is more convenient for developers. Performance-critical applications usually require manual conversion tools (Chaidos, 2017; Partala, Nguyen & Pirttikangas, 2020; Sun et al., 2021).

This article will discuss the most famous ones. In general, these models are extensions or variations of the zkSNARKs technology, each trying to provide optimizations in specific application requirements such as proof size, computational complexity, setup requirements, etc.

Each protocol has its specific applications, advantages, and limitations, especially in terms of setup requirements, proof size, verification speed, and computational overhead. They are used in various fields, ranging from cryptocurrency privacy and secure voting systems to general computations verified in a zero-knowledge manner (Čapko, Vukmirović & Nedić, 2019).

2. Common Algorithm Models

1. zkSNARK Model: In 2011, it was proposed by cryptographers Bitansky et al. as an abbreviation of "Zero-Knowledge Succinct Non-Interactive Argument of Knowledge". It is an improved zero-knowledge proof mechanism. If there is an extractable collision resistant hash (ECRH) function, then it is possible to implement SNARK for NP problems, and it demonstrates the applicability of SNARK in various scenarios such as computational delegation, succinct non-interactive zero-knowledge proof, and succinct two-party secure computation. This study also shows that the existence of SNARK means the necessity of ECRH, establishing the fundamental connection between these cryptographic primitives (Bitanskyet al., 2011).

The zkSNARK system consists of three parts: setup, prover, and verifier. The setup process generates a proving key (PK) and a verification key (VK) using predefined security parameters l and an F-arithmetic circuit C. All inputs and outputs of this circuit are elements in the field F. PK is used to generate verifiable proofs, while VK is used to verify the generated proofs. Based on the generated PK, the prover generates a proof p using input x ∈ Fn and witness W ∈ Fh, where C(x, W) = 0 l. Here, C(x, W) = 0 l means that the output of circuit C is 0 l, and x and W are the input parameters of circuit C. n, h, and l represent the dimensions of x, W, and C output, respectively. Finally, the verifier uses VK, x, and p to verify p, and decides to accept or reject the proof based on the verification result (Bitanskyet al., 2011).

In addition, zkSNARK has some additional features. First, the verification process can be completed in a short time, and the size of the proof is usually only a few bytes. Second, there is no need for synchronous communication between the prover and the verifier, and any verifier can verify the proof offline. Finally, the prover algorithm can only be implemented in polynomial time. Since then, a variety of improved zkSNARK models have emerged, further optimizing its performance and application scope (Bitanskyet al., 2011).

2. Ben-Sasson's Model: Ben-Sasson et al. proposed a new zkSNARK model for program execution on von Neumann RISC architectures in 2013 and 2014. Then, based on the proposed universal circuit generator, Ben-Sasson et al. built a system and demonstrated its application in verifying program execution. The system consists of two components: a cryptographic proof system for verifying the satisfiability of arithmetic circuits, and a circuit generator that converts program execution into arithmetic circuits. The design outperforms previous work in both functionality and efficiency, especially the universality of the circuit generator and the additive dependence of the output circuit size. Experimental evaluation shows that the system can process programs up to 10,000 instructions and generate concise proofs at a high security level with a verification time of only 5 milliseconds. Its value lies in providing an efficient, general and secure zk-SNARKs solution for practical applications such as blockchain and privacy-preserving smart contracts (Ben-Sasson et al., 2013, 2014).

3. Pinocchio model: Parno et al. (2013) proposed a complete non-interactive zero-knowledge argument generation suite (Parno etal., 2013). It includes a high-level compiler that provides developers with an easy way to convert computations into circuits. These compilers accept code written in high-level languages, so both new and old algorithms can be easily converted. However, in order to generate circuits of appropriate size, there may be some restrictions on the code structure.

Another feature of Pinocchio is the use of a mathematical structure called Quadratic Arithmetic Programs (QAPs), which can efficiently convert computational tasks into verification tasks. QAPs can encode arbitrary arithmetic circuits as a set of polynomials, and only linear time and space complexity are required to generate these polynomials. The proof size generated by Pinocchio is 288 bytes, which does not change with the complexity of the computational task and the size of the input and output. This greatly reduces the overhead of data transmission and storage. Pinocchio's verification time is typically 10 milliseconds, which is 5-7 orders of magnitude less than previous work. For some applications, Pinocchio can even achieve faster verification speeds than local execution. Reduce worker proof overhead: Pinocchio also reduces the worker's proof generation overhead by 19-60 times compared to previous work (Parno et al., 2013).

4. Bulletproofs model: In 2017, Benedikt Bünz et al. (2018) designed a new non-interactive ZKP model. No trusted setup is required, and the proof size grows logarithmically with the size of the witness value. Bulletproofs are particularly suitable for interval proofs in confidential transactions, and can prove that a value is within a certain range by using the minimum number of group and field elements. In addition, Bulletproofs also supports the aggregation of interval proofs, making it possible to generate a single proof through a concise multi-party computation protocol, greatly reducing communication and verification time. The design of Bulletproofs makes it highly efficient and practical in distributed and trustless environments such as cryptocurrencies. Bulletproofs are not strictly traditional circuit-based protocols, they are not as concise as SNARKs, and it takes longer to verify Bulletproofs than SNARK proofs. But it is more efficient in scenarios where a trusted setup is not required.

5. Ligero model: A lightweight zero-knowledge proof model proposed by Ames et al. (2017). The communication complexity of Ligero is proportional to the square root of the size of the verification circuit. In addition, Ligero can rely on any collision-resistant hash function. In addition, Ligero can be a zkSNARK scheme in the random oracle model. This model does not require a trusted setup or public key cryptosystem. Ligero can be used for very large verification circuits. At the same time, it is suitable for medium-large circuits in applications.

3. Schemes based on linear PCP and discrete logarithm problems

Ishai and Paskin (2007) proposed using additive homomorphic public key encryption to reduce the communication complexity of interactive linear PCP. Subsequently, Groth et al. published several studies from 2006 to 2008 and proposed a NIZK scheme based on the discrete logarithm problem and bilinear pairing, achieving perfect completeness, computational correctness, and perfect zero knowledge. This scheme expresses statements as algebraic constraint satisfaction problems and uses a cryptographic commitment scheme similar to Pedersen commitments to achieve sublinear proof length and non-interactivity without the Fiat-Shamir heuristic. Although a large CRS and strong cryptographic assumptions of "exponential knowledge" are required, a sufficiently long CRS can achieve constant proof length. The verification and proof costs are high, and a "simulated extractability" security model is recommended. This type of scheme is based on linear PCP and/or discrete logarithm problems, but neither is quantum-resistant (Groth, 2006, 2006, 2008; Groth & Sahai, 2007).

6. Groth 16 model: is an efficient non-interactive zero-knowledge proof system proposed by Jens Groth in 2016. The protocol is based on elliptic curve pairing and quadratic arithmetic programs (QAP) and aims to provide concise, fast and secure zero-knowledge proofs.

7. Sonic model: M. Maller et al. (2019) proposed an updateable CRS model based on Groth, using polynomial commitment schemes, pairings, and arithmetic circuits. A trusted setup is required, which can be achieved through secure multi-party computation. Once the CRS is generated, circuits of arbitrary size are supported.

8. PLONK model: A general zk-SNARK proposed in 2019 that uses permutation polynomials to simplify arithmetic circuit representations, making proofs simpler and more efficient; it is versatile and supports recursive proof combination (Gabizon, Williamson & Ciobotaru, 2019). The PLONK model claims to reduce the proof length of Sonic and improve proof efficiency, but it has not yet been peer-reviewed.

9. Marlin Model: An improved zk-SNARK protocol that combines the efficiency of algebraic proof systems with the universal and updatable setup properties of Sonic and PLONK, providing improvements in proof size and verification time (Chiesa etal., 2019).

10. SLONK Model: A new protocol introduced by Zac and Ariel in a paper on ethresear, an extension of PLONK that aims to solve specific computational efficiency problems and enhance the functionality of the original PLONK system, usually involving changes in underlying cryptographic assumptions or implementations (Ethereum Research, 2019).

11. SuperSonic Model: A novel polynomial commitment scheme that transforms Sonic into a zero-knowledge scheme that does not require a trusted setup. Not quantum-resistant (Bünz, Fisch & Szepieniec, 2019).

4. Proofs-for-Muggles

Proofs-for-Muggles is a new zero-knowledge proof method proposed by Goldwasser, Kalai, and Rothblum in 2008. This method constructs interactive proofs for polynomial-time provers in the original interactive proof model and is applicable to a wide range of problems. Through the transformation of Kalai et al., these proofs can be turned into non-interactive zero-knowledge proofs (Kalai, Raz & Rothblum, 2014).

12. Hyrax model: Based on proofs-for-muggles, Wahby et al. (2018) first designed a low-communication, low-cost zero-knowledge argument scheme Hyrax, which is low cost for provers and verifiers. In this scheme, there is no trusted setup in this argument. If applied to batch statements, the verification time has a sublinear relationship with the arithmetic circuit size, and the constant is very good. The running time of the prover is linear with the arithmetic circuit size, and the constant is also very good. Non-interactivity is achieved using the Fiat-Shamir heuristic, based on the discrete logarithm problem, and quantum security is not achieved.

13. Libra model: The first ZKP model with linear prover time, concise proof size, and verification time. In Libra, in order to reduce the overhead of verification, the zero-knowledge mechanism is implemented through a method that can mask the prover's response with a slightly random polynomial. In addition, Libra requires a one-time trusted setup, which only depends on the input size of the circuit. Libra has excellent asymptotic performance and excellent efficiency of the prover. Its performance in proof size and verification time is also very efficient (Xie etal., 2019).

In terms of the computational complexity of the prover algorithm, Libra outperforms Ben-Sasson's model, Ligero, Hyrax, and Aurora. In addition, the computational complexity of Libra's prover algorithm is independent of the circuit type (Partala, Nguyen & Pirttikangas, 2020).

14. Spartan model: A zero-knowledge proof system proposed by SrinathSetty (2019) that aims to provide efficient proofs without the need for a trusted setup; non-interactivity is achieved using the Fiat-Shamir transformation. It is known for its lightweight design and ability to efficiently handle large circuits.

5. Zero-knowledge based on probabilistically verifiable proofs (PCP)

Kilian (1992) constructed the first interactive zero-knowledge argument scheme for NP, achieving polylogarithmic communication. The scheme uses collision-resistant hash functions, interactive proof systems (IPs), and probabilistically verifiable proofs (PCPs). The prover and the verifier (as a random algorithm) communicate through multiple rounds, and the verifier tests the prover's knowledge of the statement. Usually only one-sided errors are considered: the prover can always defend the true statement, but the verifier may accept a false statement with a low probability. In 2000, Micali used the Fiat-Shamir transformation to transform the scheme into a single-message non-interactive scheme. The following implementation can be regarded as adopting this approach:

15. STARK model: In 2018, ZK-STARKs (Scalable Transparent ARgument of Knowledge) technology was proposed by Ben-Sasson et al. in 2018 to solve the inefficiency of zk-SNARKs in processing complex proofs. At the same time, it solves the problem of verifying the integrity of calculations on private data, and can provide transparent and post-quantum secure proofs without relying on any trusted party.

In the same year, Ben-Sasson and others founded StarkWareIndustries and developed the first scalability solution StarkEx based on ZK-STARKs. According to Ethereum's official documentation, it can achieve non-interactivity in the random oracle model through the Fiat-Shamir paradigm. This construction is quantum-resistant, but its security relies on non-standard cryptographic assumptions about Reed-Solomon codes. ZK-STARKs has the same characteristics as ZK-SNARKs, but includes the following advantages: a) Scalability: The verification process is faster. Transparency: The verification process is public. Larger proof size: requires higher transaction fees (StarkWare Industries, 2018, 2018)

16. Aurora Model: Ben-Sasson et al. (2019) proposed a Succinct Non-Interactive Argument Based on STARK (SNARG). The non-interactivity is based on the Fiat-Shamir construction. It is applicable to the satisfiability of arithmetic circuits. The argument size of Aurora is polylogarithmic with the circuit size. In addition, Aurora has several attractive features. In Aurora, there is a transparent setting. There is no effective quantum computing attack that can crack Aurora. In addition, fast symmetric encryption is used as a black box. Aurora optimizes the proof size. For example, if the security parameter is 128 bits, the proof size of Aurora is at most 250 kilobytes. Aurora and Ligero optimize the proof size and computational overhead, making them very suitable for zero-knowledge proofs on resource-limited devices. These optimizations not only improve efficiency, but also expand the scope of application of zero-knowledge proof technology, enabling it to be applied in more practical scenarios.

17. Succinct Aurora Model: Proposed in the same paper by Ben-Sasson et al. (2019): An extension of the Aurora protocol that provides a more optimized proof size and verification process. It maintains the transparent setup and security features of Aurora while enhancing efficiency.

18. Fractal Model: Proposed by Chiesa et al. (2020), a preprocessed SNARK that uses recursive composition to improve efficiency and scalability. It takes advantage of logarithmic proof size and verification time and is particularly suitable for complex computations.

6. Classification based on the setup phase of CPC (Common Proof Construction)

Generation 1 (G 1) - Each circuit requires a separate trusted setup. zkSNARKs, Pinocchio, and Groth 16

Generation 2 (G 2) - Initially set up once for all circuits. PlonK, Sonic, Marlin, slonk, and Libra

Generation 3 (G 3) - Proof systems that do not require a trusted setup. Bulletproofs, STARKs, Spartan, Fractal, Supersonic, Ligero, Aurora, and SuccinctAurora (Čapko, Vukmirović & Nedić, 2019; Partala, Nguyen & Pirttikangas, 2020).

V. Overview and Development of Zero-Knowledge Virtual Machines

1. Background

The previous part is more about the development of zero-knowledge proof ZKP in cryptography. Next, we will briefly introduce its development in the computer field.

In 2019, Andreev et al. first proposed the concept of ZK-VM at the "ZkVM: Fast, Private, Flexible Blockchain Contracts" conference as a way to implement a zero-knowledge proof system. The goal of ZK-VM is to generate zero-knowledge proofs by running virtual machine programs to verify the correctness of program execution without leaking input data.

VM, (Virtual Machine, virtual machine) is a software-simulated computer system that can execute programs, similar to a physical computer. VM is usually used to create an independent operating system environment, perform software testing and development, etc. VM or VM abstraction can be understood as CPU abstraction in most cases, which refers to the abstraction of the complex operation and architecture of the computer's processing unit (CPU) into a set of simple, operational instruction set architectures (ISA) to simplify the design and execution of computer programs. In this abstraction, computer programs can be run through virtual machines (VMs) that simulate the operational behavior of real CPUs (Henderson, 2007).

Zero-knowledge proofs (ZKPs) usually need to be executed through CPU abstraction. The setting is that the prover runs a public program on private input and hopes to prove to the verifier that the program is executed correctly and produces the asserted output without revealing the input or intermediate state of the calculation. CPU abstraction is very useful in this case because it allows the program to run in a controlled virtual environment while generating proofs (Arun, Setty& Thaler, 2024).

Example: The prover wants to prove that he has a password with a hash value without revealing the password:

Password → Hash function → Hash value

Private → Public

In general, the prover should be able to run code that performs the hash operation and generate a "proof" that allows anyone to verify the correctness of the proof, that the prover does have a valid preimage of the given hash value.

Systems that generate these VM abstract proofs are often called "zkVMs". This name is actually misleading because ZKVM does not necessarily provide zero knowledge. In short, ZKVM is a virtual machine focused on zero-knowledge proofs, which extends the functionality of traditional VMs, can generally lower the threshold for the development of zero-knowledge circuits, and can instantly generate proofs for any application or computation (Zhang et al., 2023).

2. Classification of existing ZKVM

According to the design goals, they are mainly divided into three categories:

1. Mainstream ZKVM

These ZKVMs use existing standard instruction set architectures (ISAs) and compiler toolchains and are suitable for a wide range of applications and development environments.

· RISCZero (2021): uses the RISC-V instruction set and has a rich compiler ecosystem (Bögli, 2024).

· PolygonMiden (2021): Based on standard ISA, it enables simple and efficient development (Chawla, 2021).

· zkWASM (2022): zkWASM implements zero-knowledge proofs for the WebAssembly (WASM) instruction set, a widely adopted standard instruction set (DelphinusLab, 2022).

2. EVM-equivalent ZKVM

· These ZKVMs are specifically designed to be compatible with the Ethereum Virtual Machine (EVM) and can run Ethereum's bytecode directly.

zkEVM projects: Multiple projects are working on achieving bytecode-level compatibility with the EVM, such as zkSync (MatterLabs, 2020) and Polygon Hermez (Polygon Labs, 2021).

3. Zero-knowledge optimized (zero-knowledge friendly) ZKVM

These ZKVMs optimize the efficiency and performance of zero-knowledge proofs and are designed for specific application scenarios.

· Cairo-VM (2018): Simple and compatible with SNARK proofs, its instruction set is specially designed to be arithmetic-friendly, facilitating the implementation of basic arithmetic operations such as addition, multiplication, etc. in zero-knowledge circuits (StarkWare, 2018).

· Valida (2023): Optimized for specific applications, such as reducing the computing resources and time required to generate proofs by optimizing algorithms; its lightweight design makes it suitable for a variety of hardware and software environments (LitaFoundation, 2023).

· TinyRAM (2013): Not dependent on standard toolchains: Due to its simplified and optimized design, it is usually not supported by LLVM or GCC toolchains and can only be used for small-scale custom software components (Ben-Sasson et al., 2013).

The current general view is that simpler VMs can be converted into circuits with fewer gates per step. This is most evident in the design of particularly simple and apparently SNARK-friendly VMs such as TinyRAM and Cairo-VM. However, this requires additional overhead because many primitive instructions are required to implement the primitive operations of real-world CPUs on simple VMs (Arun, Setty & Thaler, 2024).

3. Front-end and back-end paradigms

From a programming perspective, ZKP systems can generally be divided into two parts: the frontend and the backend. The frontend part of the ZKP system mainly uses low-level languages to represent high-level languages. For example, a general computational problem can be represented using a lower-level circuit language, such as R 1 CS circuit constraint construction calculation (for example, circom uses R 1 CS to describe its front-end circuit). The backend part of the ZKP system is the cryptographic proof system, which mainly converts the circuit described in the low-level language of the frontend into generating proofs and verifying correctness. For example, the commonly used backend system protocols include Groth 16 and Plonk (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

Typically, the circuit will gradually "execute" each step of the computational program (with the help of untrusted "suggested input"). Executing a step of the CPU conceptually involves two tasks: (1) identifying the basic instructions that should be executed in that step, and (2) executing the instructions and updating the CPU state appropriately. Existing front ends implement these tasks through carefully designed gates or constraints. This is time-consuming and error-prone, and also causes the circuit to be much larger than it actually needs to be (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

4. Advantages and disadvantages of the ZKVM paradigm

Advantages:

1. Leverage existing ISAs: For example, RISC-V and EVM instruction sets can leverage existing compiler infrastructure and tool chains without building infrastructure from scratch. Existing compilers can be directly called to convert witness check programs written in high-level languages into assembly code for the ISA and benefit from previous audits or other verification work.

2. Single circuit supports multiple programs: zkVM allows one circuit to run all programs until a certain time limit is reached, while other methods may require re-running the front end for each program.

3. Circuits with repetitive structures: The front end outputs circuits with repetitive structures, and the back end for these circuits can process faster (Arun, Setty& Thaler, 2024; Zhang et al., 2023).

Disadvantages:

1. Overhead caused by universality: In order to support all possible CPU instruction sequences, zkVM circuits need to pay the price for their universality, resulting in an increase in circuit size and proof cost.

2. High-cost operations: It is very expensive to implement certain important operations in zkVM, such as cryptographic operations. For example, ECDSA signature verification takes 100 microseconds on a real CPU and millions of instructions on RISC-V instructions. Therefore, the zkVM project contains hand-optimized circuits and lookup tables for computing specific functions.

3. High proof cost: Even for very simple ISAs, the prover cost of existing zkVMs is still high. For example, the prover of Cairo-VM needs to encrypt and submit 51 domain elements at each step, which means that executing one original instruction may require millions of instructions on a real CPU, limiting its applicability in complex applications (Arun, Setty & Thaler, 2024; Zhang et al., 2023).

VI. Overview and Development of Zero-Knowledge Ethereum Virtual Machine

1. Background

ZKEVM (Zero-Knowledge Ethereum Virtual Machine) and ZKVM (Zero-Knowledge Virtual Machine) are both virtual machines that apply zero-knowledge proof (ZKP) technology. The Ethereum Virtual Machine (EVM) is part of the Ethereum blockchain system and is responsible for handling the deployment and execution of smart contracts. EVM has a stack-based architecture and is a computing engine that provides computing and storage of specific instruction sets (such as log operations, execution, memory and storage access, control flow, logging, calling, etc.). The role of EVM is to update the state of Ethereum after applying the operations of smart contracts. ZKEVM is designed specifically for Ethereum and is mainly used to verify the correctness of smart contract execution while protecting transaction privacy. ZKEVM converts the EVM instruction set to the ZK system for execution. Each instruction requires proof, including state proof and execution correctness proof (Čapko, Vukmirović & Nedić, 2019).

The current mainstream solutions for ZKEVM include STARKWARE, ZkSync, Polygen-Hermez, Scroll, etc. The following is a brief introduction to these projects (Čapko, Vukmirović & Nedić, 2019):

STARKWARE: Founded by Ben-Sasson et al. (2018), it is committed to using STARK zero-knowledge proof technology to improve the privacy and scalability of blockchains

zkSync: Matter Labs, founded by Alex Gluchowski et al. (2020), proposed an Ethereum Layer 2 expansion solution based on zk-rollups.

Polygon-Hermez: Hermez was originally an independent project and was released in 2020. After being acquired by Polygon in August 2021, it became PolygonHermez, focusing on high-throughput zk-rollups solutions.

Scroll: Founded by Zhang and Peng (2021), it achieved higher transaction throughput and lower gas fees, thereby improving the overall performance and user experience of Ethereum.

Generally, according to the compatibility level with EVM, it can be divided into (Čapko, Vukmirović & Nedić, 2019):

1.EVM-EVM-compatibility Smart contract function level compatibility, such as STARKWARE, zkSync

2.EVM-equivalence, EVM instruction level compatibility (equivalence), such as polygen-Hrmez, scroll

See Figure 1 for the improvement solution of the Ethereum system based on zero knowledge

Figure 1  Improvement solution of the Ethereum system based on zero knowledge

2. ZKEVM Working principle

Node program processing: Node program processes and verifies execution logs, block headers, transactions, contract bytecodes, Merkel proofs, etc., and sends these data to zkEVM for processing.

Generate ZK proofs: zkEVM uses circuits to generate ZK proofs of execution results (state and execution correctness proofs). These circuit functions are mainly implemented using tables and special circuits.

Aggregate proofs: Use aggregate circuits to generate smaller proofs from large proofs, such as using recursive proofs.

Send to L1 contract: Aggregate proof is sent to L1 contract execution in the form of transaction (Čapko, Vukmirović & Nedić, 2019).

3. Implementation process of ZKEVM

Get data: Get data from Ethereum blockchain system, including transactions, block headers, contracts, etc.

Process data: Process and verify execution logs, block headers, transactions, contract bytecode, Merkel proofs, etc.

Generate proof: Use circuit to generate ZK proof to ensure the state update and execution correctness of each instruction.

Recursive proof: Compress the generated large proof into a smaller aggregate proof.

Submit proof: Submit the aggregate proof to the L1 contract to complete the transaction verification (Čapko, Vukmirović & Nedić, 2019).

4. Features of ZKEVM

Improve transaction processing capabilities: Execute transactions through ZKEVM on L2 to reduce the load of L1.

Privacy protection: Protect transaction privacy while verifying smart contract execution.

Efficient verification: Use zero-knowledge proof technology to achieve efficient state and execution correctness verification (Čapko, Vukmirović & Nedić, 2019).

VII. Overview and Development of Zero-Knowledge Layer 2 Solutions

1. Background

The Ethereum blockchain is one of the most widely adopted blockchain ecosystems. However, Ethereum faces serious scalability issues, resulting in high usage costs. Zero-Knowledge Layer 2 Solutions (ZK Rollup) is based on zero-knowledge proofs (ZKP) and is a Layer 2 solution for Ethereum expansion, overcoming the defect of long final confirmation time of OptimisticRollups transactions (Ganguly, 2023).

2. Working Mechanism of ZK Rollup

ZK Rollup allows scalability within a single transaction. Smart contracts on L1 are responsible for processing and verifying all transfers, ideally generating only one transaction. This is done by executing transactions off-chain to reduce the use of computing resources on Ethereum and putting the final signed transaction back on-chain for processing. This step is called ValidityProof. In some cases, verification may not be completed within a single proof, and additional transactions are required to publish the data on the rollup to the Ethereum main chain to ensure the availability of the data (Ganguly, 2023).

In terms of space, the use of ZK Rollup improves efficiency because it does not need to store data like ordinary smart contracts. Each transaction only requires verification of the proof, which further confirms the minimization of data, making them cheaper and faster (Ganguly, 2023).

Although ZK Rollup contains the term "ZK" (zero knowledge) in its name, they mainly use the simplicity of zero-knowledge proofs to improve the processing efficiency of blockchain transactions, rather than focusing primarily on privacy protection (Ganguly, 2023).

3. Disadvantages and optimizations of ZKRollup

ZK Rollup (zero-knowledge rollup) as a Layer 2 solution for Ethereum scalability, although it excels in improving transaction processing efficiency, its main problem is that the computational cost is very high. However, through some optimization schemes, the performance and feasibility of ZK Rollup can be significantly improved ((Čapko, Vukmirović & Nedić, 2019).

1. Optimizing the calculation of cryptographic algorithms

Optimizing the calculation process of cryptographic algorithms can improve the efficiency of ZK Rollup and reduce computing time and resource consumption. For example, Plonky 2, proposed by PolygonZero (formerly MIR), is a decentralized ZK Rollup solution. Plonky 2 is a recursive SNARK that is 100 times faster than other Ethereum-compatible alternatives and combines the best features of STARKs and SNARKs:

Plonk and FRI: Provide fast proofs and no trusted setup.

Support recursion: Improve efficiency through recursive proofs.

Low verification cost: Through 64-bit recursive FRI and Plonk for efficient proof.

2. Mix Optimistic and ZK Rollup

For example, PolygonNightfall is a hybrid Rollup that combines the features of Optimistic and ZK Rollup, aiming to increase transaction privacy and reduce transfer fees (up to 86%).

3. Develop a dedicated ZK EVM

The dedicated ZK EVM is designed to improve the ZK Rollup algorithm and can optimize the zero-knowledge proof process. Here are a few specific solutions:

AppliedZKP: An open source project funded by the Ethereum Foundation that implements ZK for Ethereum EVM native opcodes, using cryptographic algorithms such as halo 2, KZG, and Barreto-Naehrig (BN-254) elliptic curve pairing.

zkSync: zkEVM, developed by Matter Labs, is a custom EVM that compiles contract code into YUL (the intermediate language of the Solidity compiler) and then into supported custom bytecode, using ultraPlonk, an extended version of Plonk.

Polygon Hermez: A custom EVM-compatible decentralized Rollup that compiles contract code into supported microinstruction sets, using Plonk, KZG, and the Groth 16 proof system.

Sin 7 Y zkEVM: Implements ZK of EVM native opcodes and optimizes specialized opcodes, using halo 2, KZG, and RecursivePlonk.

Polygon Miden: A general zero-knowledge virtual machine based on STARK.

4. Hardware Optimization

Hardware optimization can significantly improve the performance of ZK Rollup. Here are several hardware optimization solutions:

DIZK (DIstributedZero Knowledge): Optimizes by distributing zkSNARK proofs on a computing cluster. The hardware architecture includes two subsystems, one for polynomial computation (POLY) with large-size number theoretic transforms (NTTs), and the other for performing multi-scalar multiplication (MSM) on elliptic curves (ECs). PipeMSM is a pipelined design MSM algorithm for implementation on FPGAs.

FPGA-based ZKP hardware accelerator design: includes multiple FFT (Fast Fourier Transform) units and decomposition of FFT operations, multiple MAC (Multiply-Add Circuit) units, and multiple ECP (Elliptic Curve Processing) units to reduce computational overhead. The FPGA-based zk-SNARK design reduces the proof time by about 10 times.

Hardware acceleration of the Bulletproof protocol: implemented via a CPU-GPU collaboration framework and parallel Bulletproofs on GPUs (Čapko, Vukmirović & Nedić, 2019).

VIII. Future Development Direction of Zero-Knowledge Proof

1. Development of Accelerated Computing Environment

Zero-knowledge proof protocols (such as ZKSNARKs and ZKSTARKs) usually involve a large number of complex mathematical operations during execution, which need to be completed in a very short time, placing extremely high demands on computing resources (such as CPU and GPU), resulting in high computational complexity and long computational time. In addition, generating and verifying zero-knowledge proofs requires frequent access to large-capacity data, which places high demands on memory bandwidth. The limited memory bandwidth of modern computer systems cannot efficiently support such high-frequency data access requirements, resulting in performance bottlenecks. Ultimately, high computational loads lead to high energy consumption, especially in blockchain and decentralized applications, when a large number of proof calculations need to be performed continuously. Therefore, although software optimization solutions can partially alleviate these problems, it is difficult to achieve the high efficiency and low energy consumption levels of hardware acceleration due to the physical limitations of general-purpose computing hardware. Hybrid solutions can achieve high performance improvements while maintaining flexibility (Zhang et al., 2021).

ZK-ASIC (Application Specific Integrated Circuit)

During 2020, several projects emerged, aiming to improve the efficiency of zero-knowledge proof (ZKP) generation and verification process by accelerating hardware such as GPU or FPGA (Filecoin, 2024; Coda, 2024; GPU groth 16 prover, 2024; Roy et al., 2019; Devlin, 2024 ；Javeed& Wang, 2017).

2021: Zhang et al. proposed a pipeline-based zero-knowledge proof acceleration scheme, using the Pippenger algorithm to optimize multi-scalar multiplication (MSM) and reduce data transmission latency by "unrolling" the fast Fourier transform (FFT) (Zhang etal., 2021).

ZKCoprocessor

Axiom (2022) proposed the concept of ZKCoprocessor, or ZK coprocessor. A coprocessor refers to a separate chip that enhances the CPU and provides specialized operations such as floating-point operations, cryptographic operations, or graphics processing. Although the term is no longer commonly used as CPUs become more powerful, GPUs can still be considered a coprocessor for CPUs, especially in the context of machine learning.

The term ZK coprocessor extends the analogy of physical coprocessor chips to blockchain computing, allowing smart contract developers to statelessly prove off-chain computations of existing on-chain data. One of the biggest bottlenecks facing smart contract developers remains the high cost of on-chain computing. Since gas is calculated for each operation, the cost of complex application logic quickly becomes unfeasible. ZK coprocessors introduce a new design pattern for on-chain applications, removing the limitation that computations must be completed in the blockchain virtual machine. This enables applications to access more data and run at a larger scale than before (Axiom, 2022).

2. The Proposal and Development of ZKML

The Concept of ZKML

Zero-Knowledge Machine Learning (ZKML) is an emerging field that applies zero-knowledge proof (ZKP) technology to machine learning. The core idea of ZKML is to allow machine learning calculation results to be verified without leaking data or model details. This not only protects data privacy, but also ensures the credibility and correctness of the calculation results (Zhang et al., 2020).

The Development of ZKML

In 2020, Zhang et al. systematically proposed the concept of ZKML for the first time at the 2020 CCS conference, demonstrating how to perform zero-knowledge proofs for decision tree predictions without leaking data or model details. This laid the theoretical foundation for ZKML.

In 2022, Wang and Hoang further studied and implemented ZKML, and proposed an efficient zero-knowledge machine learning reasoning pipeline, showing how to implement ZKML in real-world applications. The study showed that despite the complexity of ZKP technology, through reasonable optimization, acceptable computing performance can be achieved while ensuring data privacy and computational correctness.

3. Developments in ZKP expansion technology

The concept of ZKThreads

In 2021, StarkWare proposed the concept of ZKThreads, which aims to combine zero-knowledge proof (ZKP) and sharding technology to provide scalability and customization for decentralized applications (DApps) without fragmentation problems. ZKThreads improves security and composability by directly falling back on the base layer to ensure real-time performance at each step.

ZKThreads is mainly optimized in three aspects: single-chain structure, rollup liquidity problem, and Proto-Danksharding.

Single-chain solution: In the traditional single-chain architecture, all transactions are processed on one chain, resulting in excessive system load and poor scalability. ZKThreads significantly improves processing efficiency by distributing data and computing tasks to multiple shards.

ZK-rollups solution: Although ZK-rollups have significantly increased transaction processing speed and reduced costs, they are usually run independently, resulting in liquidity fragmentation and interoperability issues. ZKThreads provides a standardized development environment that supports interoperability between different shards and solves the problem of liquidity fragmentation.

Proto-Danksharding technology: This is an internal improvement scheme of Ethereum that reduces the transaction cost of zk-rollups by temporarily storing data blocks. ZKThreads further improves on this basis, reducing the reliance on temporary data storage through a more efficient sharding architecture, and improving the overall efficiency and security of the system (StarkWare, 2021).

The concept of ZK Sharding

After that, in 2022, NilFoundation proposed the concept of ZK Sharding, which aims to achieve Ethereum's scalability and faster transaction speed by combining zero-knowledge proof (ZKP) and sharding technology. This technology aims to divide the Ethereum network into multiple parts to process transactions in a cheaper and more efficient way. The technology includes zkSharding, which uses zero-knowledge technology to generate proofs to ensure that transactions across different shards are valid before being submitted to the main chain. This approach not only improves transaction speed, but also reduces the fragmentation of on-chain data, ensuring economic security and liquidity.

4. Development of ZKP interoperability

ZK State Channels

In 2021, the concept of ZK State Channels was proposed by Virtual Labs, combining zero-knowledge proof (ZKP) and state channel technology, aiming to achieve efficient off-chain transactions through state channels, while using zero-knowledge proof to ensure the privacy and security of transactions.

Original solutions replaced by ZK State Channels

1. Traditional State Channels:

Original solution: Traditional state channels allow two users to conduct peer-to-peer (P2P) transactions in smart contracts by locking funds. Since the funds are locked, signature exchanges between users can be carried out directly without any gas fees and delays. However, this method requires predefined addresses, and the opening and closing of channels requires on-chain operations, which limits its flexibility.

Alternative: ZK StateChannels provides support for unlimited participants, allowing dynamic entry and exit without pre-defined user addresses. In addition, through zero-knowledge proofs, ZK StateChannels provides instant cross-chain access and self-verified proofs, solving the flexibility and scalability issues of traditional state channels.

2. Multi-chain support:

Original solution: Traditional state channels usually only support transactions on a single chain and cannot achieve cross-chain operations, which limits the user's scope of operation.

Alternative solution: ZK StateChannels uses zero-knowledge proof technology to achieve instant cross-chain transactions and asset flows without the need for intermediate bridges, greatly improving multi-chain interoperability.

3. Predefined address restrictions:

Original solution: In traditional state channels, the addresses of transaction participants must be predefined when the channel is created. If new participants join or leave, the channel must be closed and reopened, which increases operational complexity and costs.

Alternative solution: ZK StateChannels allows dynamic joining and exiting. New participants can join existing channels at any time without affecting the operations of current users, greatly improving the flexibility of the system and user experience.

4.ZK Omnichain Interoperability Protocol

In 2022, ZKOmnichain Interoperability Protocol was proposed by Way Network to achieve cross-chain asset and data interoperability based on zero-knowledge proof. The protocol enables full-chain communication and data transmission by using zkRelayer, ZK Verifier, IPFS, Sender and Receiver.

The Omnichain project focuses on cross-chain interoperability and aims to provide a low-latency, secure network that connects different blockchains. It enables seamless transfer of assets and data between blockchains by introducing standardized cross-chain transaction protocols. This approach not only improves the efficiency of transactions, but also ensures the security of cross-chain operations.

Way Network can be seen as a specific implementation of the Omnichain concept, especially in the use of zero-knowledge proof technology to enhance privacy and security. Way Network's technical architecture enables it to achieve seamless interoperability between chains while maintaining decentralization and efficiency.

In summary, Omnichain provides an overall framework for cross-chain interoperability, while Way Network provides stronger privacy protection and security for this framework through zero-knowledge proof technology.

IX. Conclusion

This paper provides a comprehensive literature review on zero-knowledge proof (ZKP) technology and its recent developments and applications in the blockchain field. We systematically reviewed ZKP in the blockchain environment, surveyed the most advanced zero-knowledge proof schemes applicable to blockchain and verifiable computing, and explored their applications in anonymous and confidential transactions and privacy smart contracts. This paper lists the advantages and disadvantages of these academic peer-reviewed schemes and methods, provides references for practical evaluation and comparison of these schemes, and emphasizes the skills and knowledge that developers need to have when choosing a suitable scheme for a specific use case.

In addition, this paper also looks forward to the future development direction of zero-knowledge proof in hardware acceleration, blockchain scalability, interoperability and privacy protection. Through a detailed analysis of these latest technologies and development trends, this paper provides a comprehensive perspective for understanding and applying zero-knowledge proof technology, demonstrating its great potential in improving the efficiency and security of blockchain systems. At the same time, this research lays a solid foundation for subsequent research on ZK project investment.

References

· Ames, S., Hazay, C., Ishai, Y. and Venkitasubramaniam, M. (2017) 'Ligero', Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp.2087-2104.DOI: https://doi. org/10.1145/3133956.3134104.

· AdaPulse (2024) 'The Convergence of Zero-Knowledge Proofs and Decentralized Systems: Part 1', AdaPulse.Available at: https://adapulse.io/the-convergence-of-zero-knowledge-proofs-and-decentralized-systems-part-1 (Accessed: 30 June 2024).

· Ambainis, A., Rosmanis, A. and Unruh, D. (2014) 'Quantum attacks on classical proof systems: The hardness of quantum rewinding', in Pro ceedings of the IEEE 55th Annual Symposium on Foundations of Computer Science (FOCS 2014), pp.474-483.

· Andreev, O., et al. (2019) 'ZkVM: Fast, Private, Flexible Blockchain Contracts'. Available at: https://catieyun.github.io/presentations/zkvm.html (Accessed: 30 June 2024).

· Arun, A., Setty, S. and Thaler, J. (2024) 'Jolt: SNARKs for Virtual Machines via Lookups', in Joye, M. and Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024, Lecture Notes in Computer Science, vol.14656.Cham: Springer.Available at: https://doi.org/10.1007/978-3-031-58751-1_1 (Accessed: 30 June 2024).

· Axiom (2022) 'What is a ZK Coprocessor?'.Available at: https://blog.axiom.xyz (Accessed: 3 0 June 2024).

· Bögli, R. (2024) 'Assessing RISC Zero using ZKit: An Extensible Testing and Benchmarking Suite for ZKP Frameworks'. 'Decentralized Speed: Advances in Zero Knowledge Proofs', a16z.Available at: https://a16z.com/decentralized-speed-advances-in-zero-knowledge-proofs/ (Accessed: 30 June 2024).

· Blum, M., Feldman, P. and Micali, S. (1988) 'Non-interactive zero-knowledge and its applications', Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing (STOC '88), pp.103-112.DOI: https://doi.org/10.1145/62212.62222.

· Bootle, J., Cerulli, A., Chaidos, P., Groth, J. and Petit, C.(2015) 'Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting', EUROCRYPT 2016: Advances in Cryptology, Lecture Notes in Computer Science, vol. 9666, pp.327-357.Available at: https://link.springer.com/chapter/10.1007/978-3-662-49896-5_12 (Accessed: 30 June 2024).

· Bayer, S. and Groth, J. (2012) 'Efficient zero-knowledge argument for correctness of a shuffle', EUROCRYPT 201 2: Advances in Cryptology, Lecture Notes in Computer Science, vol. 7237, pp.263-280.Available at: https://link.springer.com/chapter/10.1007/978-3-642-29011-4_16 (Accessed: 30 June 2024).

· Bitan sky, N., Canetti, R., Chiesa, A. and Tromer, E.(2011) 'From Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again',Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2011/443.pdf (Accessed: 30 June 2024).

· Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P. and Maxwell, G. (2018) 'Bulletproofs: Short Proofs for Confidential Transactions and More', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2017/1066.pdf (Accessed: 30 June 2024).

· Ben-Sasson, E., Chies a, A., Genkin, D., Tromer, E. and Virza, M.(2013) 'SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge (extended version)', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2013/507.pdf (Accessed: 30 June 2024).

· Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E. and Virza, M.(2014) 'Succinct Noninteractive Zero Knowledge for a Von Neumann Architecture', in Proceedings of the 23rd USENIX Security Symposium, pp.781-796.

· Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E. and Virza, M.(2014) 'Zerocash: Decentralized Anonymous Payments from Bitcoin', in Proceedings of the 2014 IEEE Symposium on Security and Privacy.

· Ben-Sasson, E., Bentov, I., Horesh, Y. and Riabzev, M.(2018) 'Scalable, Transparent, and Post-Quantum Secure Computational Integrity', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2018/046.pdf (Accessed: 30 June 2024).

· Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M. and Ward, N.(2019) 'Aurora: Transparent Succinct Arguments for R1CS', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2018/828.pdf (Accessed: 3 May 2024).

· Chaidos, PI gon-unveils-miden (Accessed: 30 June 2024).

· Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, P. and Ward, N.(2019) 'M: Preprocessing zkSNARKs with Universal and Updatable SRS'. [online] Available at: https://eprint.iacr.org/2019/1047.pdf (Accessed: 30 June 2024).

· Coda Protocol (n.d.) 'Gpu groth16 prover'.Available at: https://github.com/CodaProtocol/gpu-groth16-prover-3x (Accessed: 30 June 202 4).

· Chiesa, A., Ojha, D. and Spooner, N. (2020) 'FRACTAL: Post-Quantum and Transparent Recursive Proofs from Holography'. [online] Available at: https://eprint.iacr.org/2019/1076.pdf (Accessed: 3 May 2024). quote>

· Čapko, D., Vukmirović, S. and Nedić, N. (2019) 'State of the Art of Zero-Knowledge Proofs in Blockchain', Faculty of Technical Sciences, University of Novi Sad, Novi Sad, Serbia. Available at: dcapko@uns.ac.rs, srdjanvu@uns.ac.rs, nemanja.nedic@uns.ac.rs (Accessed: 30 June 2 024).

· Cramer, R. and Shoup, V.(1998) 'A practical public-key encryption scheme secure against adaptive chosen ciphertext attack', in Advances in Cryptology – CRYPTO』98, pp.13-25.Springer.

· Cramer, R. and Shoup, V.(2002) 'Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption', in Advances in Cryptology – EUROCRYPT 2002, pp.45-64. -restricted signature schemes'. [online] Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2003/150 (Accessed: 28 Jun.2024).

· Devlin, B.S. (n.d.) 'Fpga snark prover targeting the bn128 curve'.Available at: https://github.com/bsdevlin/fpga_snark_prover (Accessed: 30 June 2024).

· Damgård, I., Fazio, N. and Nicolosi, A. (2006) 'Non-Interactive Zero-Knowledge from Homomorphic Encryption', in Theory of Cryptography Conference (TCC 2006 ), Lecture Notes in Computer Science, vol. 3876, pp.41-59.Available at: https://iacr.org/archive/tcc2006/38760041/38760041.pdf (Accessed: 28 Jun.2024).

· Ethereum Research (2019) 'SLONK—a simple universal SNARK'. [online] Available at: https://ethresear.ch/t/slonk-a-simple-universal-snark/6420 (Accessed: 28 Jun.2024).

· Filecoin Project (n.d.) 'bellperson: Gpu parallel acceleration for zk-snark'.Available at: https://github.com/filecoin-project/bellperson (Accessed : 30 June 2024).

· Fiat, A. and Shamir, A. (1986) 'How To Prove Yourself: Practical Solutions to Identification and Signature Problems', in Advances in Cryptology—CRYPTO‖ 86, pp.186–194.DOI: https://doi.org/10.1007/3-540-47721-7_12.

· Feige, U., Fiat, A. and Shamir, A. (1986) 'Zero-Knowledge Proofs of Identity', in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC 1986 ), pp.210-217.DOI: 10.1145/12130.12146.

· Ganguly, P. (2023) Zero-Knowledge Proofs Origination and Early Twenty-First Century Use Cases.Master of Science (Computer Science) thesis, New York University, Tandon School of Engineering.UMI Dissertation Publishing, ProQuest CSA, 789 E. Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106-134.

· Goldreich, O. (2004) 'Zero-Knowledge Twenty Years After Its Invention', Electronic Colloquium on Computational Complexity (ECCC), Report No.63. Available at: https://eccc. weizmann.ac.il/report/2004/063/ (Accessed: 30 June 2024).

· Goldwasser, S., Micali, S. and Rackoff, C. (1985) 'The knowledge complexity of interactive proof-systems', Proceedings of the seventeenth annual ACM symposium on Theory of computing - STOC 』85.DOI: https://doi.org/10.1145/22145.22178.

· Groth, J. and Sahai, A. (2005) 'Perfect Non-Interactive Zero Knowledge for NP'. [online] Available at: https://eprint.iacr.org/2005/290.pdf (Accessed: 27 June 2024).

· Groth, J. (2006) 'Simulation-sound NIZK proofs for a practical language and constant size signature groups', ASIACRYPT 2006: Advances in Cryptology, Lecture Notes in Computer Science, vol. 4284, pp.444-459.Available at: https://link.springer.com/chapter/10.1007/11935230_29 (Accessed: 30 June 2024).

· Groth, J., Ostrovsky, R. and Sahai, A. (2006) 'Fully concurrent non-malleable zero-knowledge', EUROCRYPT 2006 Advances: in Cryptology, Lecture Notes in Computer Science, vol. 4004, pp.214-235.Available at: https://link.springer.com/chapter/10.1007/11761679_14 (Accessed: 30 June 2024).

· Groth, J. and Sahai, A. (200 7) 'Efficient non-interactive proof systems for bilinear groups', SIAM Journal on Computing, vol. 41, no. 5, pp.1193-1232. Available at: https://epubs.siam.org/doi/10.1137/080725386 (Accessed: 30 June 2024).

· Groth, J. (2 008) 'Sub-linear zero-knowledge arguments for linear algebra', CRYPTO 2008: Advances in Cryptology, Lecture Notes in Computer Science, vol. 5157, pp.192-206. Available at: https://link.springer.com/chapter/10.1007/978-3-540-85174-5_11 (Accessed: 30 June 2024).

· Groth, J. (2011) 'Minimizing Non-interactive Zero-Knowledge Proofs Using Fully Homomorphic Encryption', Journal of Cryptology, 24(4), pp.591-623.

· Groth, J., Ostrovsky, R. and Sahai, A.(2012) 'New techniques for non-interactive zero-knowledge', Journal of the ACM, 59(3), pp.1-35. Available at: https://dl.acm.org/doi/10.1145/2220357.2220361 (Accessed: 30 June 2024).

· Groth, J.(2016) 'On the Size of Pairing-based Non-interactive Arguments'. [online] DOI: https://doi.org/10.1007/978-3-662-49896-5.

Groth, J., Kohlweiss, M. and Pintore, F. (2016) 'One-time simulation-s ound QA-NIZK arguments and applications to ring signatures', ASIACRYPT 2016: Advances in Cryptology, Lecture Notes in Computer Science, vol. 10031, pp.102-132.Available at: https://link.springer.com/chapter/10.1007/978-3-662-53887-6_4 (Accessed: 30 June 2024).

· Groth, J. and Maller, M. (2017) 'Snarky signatures: Minimal signatures of knowledge from simulation-extractable SNARKs', CRYPTO 2017: Advances in Cryptology, Lecture Notes in Computer Science, vol. 10402, pp.581-612. Available at: https ://link.springer.com/chapter/10.1007/978-3-319-63715-0_20 (Accessed: 30 June 2024).

· Gabizon, A., Williamson, Z.J. and Ciobotaru, O. (2019) 'PLONK: Permutations over Lagrange-bases for Oe cumenical Noninteractive arguments of Knowledge', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/953 (Accessed: 30 June 2024). line] Available at: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/12/2008-DelegatingComputation.pdf (Accessed: 30 June 2024).

· Henderson, F. (2007) 'Introduction to Virtual Machines', Proceedings of the Linux Symposium.Available at: https://www.kernel.org/doc/ols/2007/ols2007v1-pages-1-10.pdf (Accessed: 30 June 2024).

· Ingonyama (2023) 'Hardware Review: GPUs, FPGAs and Zero Knowledge Proofs', Ingonyama.Published on: May 4, 2023 .Available at: https://www.ingonyama.com/blog/hardware-review-gpus-fpgas-and-zero-knowledge-proofs (Accessed: 30 June 2024).

· Ishai, Y. and Paskin, A. (n.d.) 'Evaluating Branching Programs on Encrypted Data', Theory of Cryptography, pp.575 –594.DOI: https://doi.org/10.1007/978-3-540-70936-7_31.

· Kalai, Y.T., Raz, R. and Rothblum, R.D. (2014) 'How to delegate computations: The power of no-signaling proofs', Proceedings of the Annual ACM Symposium on Theory of Computing, New York, NY, USA, pp.485-494.

· Javeed, K. and Wang, 10.1002/cta.2359.

· Kilian, J. (1992) 'A note on efficient zero-knowledge proofs and arguments (extended abstract)', Proceedings of the 24th Annual ACM Symposium on Theory of Computing, pp.723-732.

· Konstantopoulos, G. (2022) 'Hardware Acceleration for Zero Knowledge Proofs', Paradigm.Available at: https://www.paradigm.xyz/2022/04/zk-hardware (Accessed: 30 June 2024).

· Lita Foundation (2023) 'Announcing Lita's Valida C Comp iler & zkVM'.Available at: https://www.lita.foundation (Accessed: 30 June 2024).

· Lavery, S. (2024) 'Compact and Secure Zero-Knowledge Proofs for Quantum-Resistant Cryptography from Modular Lattice Innovations', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2024/652 (Accessed: 30 June 2024).

· Maller, M., Bowe, S., Kohlweiss , M. and Meiklejohn, S.(2019) 'Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2019/099 (Accessed: 28 June 2024).

· Matter Labs (2020) 'Introducing zkSync: The missing link to the mass adoption of Ethereum',Matter Labs Blog.Available at: https://blog.matter-labs.io/introducing-zksync-the-missing-link-to-the-mass-adoption-of-ethereum (Accessed: 30 June 2024).

· =nil; Foundation (2023) 'zkSharding for Ethereum'.Available at: https://nil.foundation/zksharding (Accessed: 30 June 2024).

· Partala, J., Nguyen, T.H. and Pirttikangas, S.(2020) 'Non-Interactive Zero-Knowledge for Blockchain: A Survey', IEEE Access.Received November 27, 2020, accepted December 13, 2020, published December 21, 2020, current version December 31, 2020.DOI: 10.1109/ACCESS.2020.3046025.

· Parno, B., Howell, J., Gentry, C. and Raykova, M. (2013) 'Pinocchio: Nearly practical verifiable computation', Security and Privacy – S&P 2013, pp.238-252.IEEE.

· Polygon Labs (2021) 'Deep Dive on Polygon Hermez: Bringing Scalability to Ethereum Using zk-Technology'.Available at: https://polygon.technology/blog/polygon-unveils-miden (Accessed: 30 June 2024).

·Polygon Technology (2021) 'Polygon Miden: A STARK-Based zk-Rollup'.Polygon Community Forum.Available at: https://forum.polygon.technology/t/polygon-miden-deep-dive-a-stark-based-zk -rollup/299 (Accessed: 30 June 2024).

· Roy, S.S., Turan, F., Jarvinen, K., Vercauteren, F. and Verbauwhede, I. (2019) 'FPGA-based high-performance parallel architecture for homomorphic computing on encrypted data', 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp.387-398.DOI: 10.1109/HPCA.2019.00051.

· RISC Zero (2021) 'zkVM Overview', RISC Zero Developer Docs.Available at: https://dev.risczero.com/api /zkvm (Accessed: 30 June 2024).

· Setty, S. (2019) 'Spartan: Efficient and general-purpose zkSNARKs without trusted setup', Cryptology ePrint Archive. Available at: https://eprint.iacr.org/2019/550 (Accessed: 30 June 2024).

· Sun, X., Yu, F.R., Zhang, P., Sun, Z., Xie, W. and Peng,>

· StarkWare Industries (2018) 'StarkEx Documentation'.Available at: https://docs.starkware.co/starkex/index.html (Accessed: 30 June 2024).

· StarkWare Industries (2018) 'About Us'.Available at: https://starkware.co (Accessed: 30 June 2024).

· StarkWare (2018) 'Cairo Programming Language'.Available at: https://www.cairo-lang.org (Accessed: 30 June 2024).

· StarkWare (2021) 'ZKThreads: A canonical ZK sharding framework for dApps'.Available at: https://starkware.co/zkthreads (Accessed: 30 June 2024).

· Unruh, D. (2015 ) 'Non-interactive zero-knowledge proofs in the quantum random oracle model', in Oswald, E. and Fischlin, M. (eds) Advances in Cryptology.Berlin, Germany: Springer, pp.755-784.

· Ventre, C. and Visconti, I.(2009) 'Co-sound Zero-Knowledge with Public Keys', Lecture Notes in Computer Science, pp.287–304.DOI: https://doi.org/10.1007/978-3-642- 02384-2_18.

· Virtual Labs (2021) 'ZK State Channel vs. State Channel'.Available at: https://docs.virtual.tech (Accessed: 30 June 2024).

· Way Network (2022) 'ZK Omnichain Interoperability Protocol'.Available at: https://way.network (Accessed: 30 June 2024).

· Wang, H. and Hoang, T. (2022) 'ezDPS: An Efficient and Zero-Knowledge Machine Learning Inference Pipeline', arXiv.org.DOI: https://doi.org/10.48550/arXiv.2212.05428.

· Wahby, R.S., Tzialla, I., shelat, a., Thaler, J. and Walfish, M. (2018) 'Doubly-efficient zkSNARKs without trusted setup', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2017/1132.pdf (Accessed: 28 June 2024).

· Xie, T., Zhang, J., Zhang, Y., Papamanthou, C. and Song, D.(2019) 'Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation', Cryptology ePrint Archive.Available at: https://eprint.iacr.org/2019/317 (Accessed: 28 June 2024).

· Zhou, Y., Wei, Z., Ma, S. and Tang, H.(2022) 'Overview of Zero-Knowledge Proof and Its Applications in Blockchain', in Sun , Y., Cai, L., Wang, W., Song, X. and Lu, Z. (eds) Blockchain Technology and Application.CBCC 2022.Communications in Computer and Information Science, vol.1736.Singapore: Springer.Available at: https://doi.org/10.1007/978-981-19-8877-6_5 (Accessed: 30 June 2024).

· Zhang, B., Lu, G ., Qiu, P., Gui, X. and Shi, Y.(2023) 'Advancing Federated Learning through Verifiable Computations and Homomorphic Encryption', Entropy, 25(11), p.1550.Available at: https://doi .org/10.3390/e25111550(Submission received: 11 September 2023 / Revised: 1 November 2023 / Accepted: 4 November 2023 / Published: 16 November 2023).

· Zhang, Y.,Wang, S., Zhang, X., Dong, J., Mao, X., Long, F., Wang, C., Zhou, D., Gao, M. and Sun, G. (2021) 'PipeZK: Accelerating Zero -Knowledge Proof with a Pipelined Architecture', IEEE Xplore.DOI: https://doi.org/10.1109/ISCA52012.2021.00040.

· Zhang, J., Fang, Z., Zhang, Y. and Song, D.(2020) 'Zero Knowledge Proofs for Decision Tree Predictions and Accuracy', Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security.DOI: https://doi.org/10.1145/3372297.3417278.

Original link

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群：https://t.me/theblockbeats

Telegram 交流群：https://t.me/BlockBeats_App

Twitter 官方账号：https://twitter.com/BlockBeatsAsia