惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
AI
AI
SecWiki News
SecWiki News
宝玉的分享
宝玉的分享
Scott Helme
Scott Helme
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Engineering at Meta
Engineering at Meta
博客园 - 叶小钗
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
N
News and Events Feed by Topic
Cloudbric
Cloudbric
B
Blog
Cisco Talos Blog
Cisco Talos Blog
V
Vulnerabilities – Threatpost
N
News and Events Feed by Topic
V
Visual Studio Blog
A
Arctic Wolf
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
S
Security @ Cisco Blogs
博客园 - 聂微东
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Apple Machine Learning Research
Apple Machine Learning Research
Y
Y Combinator Blog
G
GRAHAM CLULEY
L
LINUX DO - 热门话题
量子位
NISL@THU
NISL@THU
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Troy Hunt's Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Tenable Blog
月光博客
月光博客
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
D
Docker
www.infosecurity-magazine.com
www.infosecurity-magazine.com
雷峰网
雷峰网
博客园 - 司徒正美
T
The Exploit Database - CXSecurity.com
Hugging Face - Blog
Hugging Face - Blog
Help Net Security
Help Net Security
D
DataBreaches.Net

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Zero-Knowledge Proofs: The Intersection of Scalability and Privacy
Meriç Cintos · 2026-05-08 · via DEV Community

Zero-knowledge proofs represent one of the most powerful primitives in modern cryptography, enabling a prover to convince a verifier that a statement is true without revealing any information beyond the validity of that statement itself. This capability has shifted from theoretical interest to production infrastructure, particularly in blockchain systems where both scalability and privacy constraints demand solutions that scale without exposing sensitive data.

The intersection of these two properties—the ability to process thousands of transactions while keeping user information private—defines the frontier of practical cryptography in distributed systems. Understanding how zero-knowledge proofs achieve this requires examining both the mathematical foundations and the engineering patterns that make these systems work at scale.

Cryptographic Foundations of Zero-Knowledge Proofs

A zero-knowledge proof satisfies three formal properties: completeness, soundness, and zero-knowledge itself. Completeness means that if a statement is true, an honest prover can always convince an honest verifier. Soundness guarantees that if a statement is false, a dishonest prover cannot convince an honest verifier except with negligible probability. Zero-knowledge ensures that the verifier learns nothing beyond the truth of the statement.

These properties rest on the assumption that certain computational problems remain difficult to solve. The security of many zero-knowledge systems relies on the hardness of discrete logarithm problems or the factorization of large integers. A prover must demonstrate knowledge of a solution to a hard problem without actually revealing the solution itself. This is accomplished through an interactive protocol where the prover commits to a value, the verifier issues a challenge, and the prover responds in a way that is consistent with the commitment.

The simplest conceptual example involves graph isomorphism. Suppose we have two graphs that the prover claims are isomorphic. The prover cannot simply reveal the mapping between vertices without giving away the solution. Instead, the prover randomly permutes one of the graphs and commits to the result. The verifier then challenges the prover to either prove that the permuted graph is isomorphic to the original, or to the other graph. The prover responds correctly only if the original claim was true. By repeating this protocol multiple times, the verifier becomes confident in the truth of the statement while learning no information about the actual isomorphism.

Interactive proofs work well for understanding the concept, but they require multiple rounds of communication and the verifier's presence during execution. The Fiat-Shamir transformation eliminates this requirement by replacing the verifier's random challenge with a cryptographic hash function. The prover applies a hash function to its commitment, treating the output as the challenge, and then computes a response based on that hash value. Because the hash output appears random and the prover cannot predict it in advance, the security properties remain intact, but now a single non-interactive proof can be verified at any time without the prover's involvement.

Non-interactive zero-knowledge proofs unlock the possibility of publishing proofs on blockchain systems, where verifiers are smart contracts that execute deterministically and independently. A prover generates a proof, submits it to the chain, and the contract verifies it without requiring communication with the prover.

Arithmetic Constraints and Circuit Languages

Practical zero-knowledge systems work by converting a computational statement into arithmetic constraints over a finite field. Rather than proving knowledge of a specific secret directly, systems prove that the prover knows a witness that satisfies a set of polynomial equations.

Consider a simple example: proving knowledge of two numbers whose product is a specific public value. Let us say the prover knows a and b, and wants to prove that a × b = c, where c is public. The prover commits to a and b through some commitment scheme. The proof then demonstrates that there exist values satisfying the constraint equation without revealing what a and b are.

In practice, developers express computational problems in a domain-specific language that compiles down to arithmetic circuits. A circuit is a system of polynomial equations where each equation corresponds to a logical or arithmetic gate. For instance, if a program multiplies two numbers, that multiplication becomes a polynomial constraint. If a program hashes a value, the circuit must contain all the arithmetic constraints that express the hash function's computation in terms of field operations.

Languages like Circom let developers write circuits in a syntax resembling JavaScript. A Circom program takes inputs, applies constraints, and produces outputs. The developer specifies which inputs are public (known to the verifier) and which are private (known only to the prover). The compiler then transforms the program into a constraint system, typically expressed as rank-1 constraint systems (R1CS), a standardized format that many proof systems consume.

A rank-1 constraint system is a list of equations of the form (a · w) * (b · w) = (c · w), where w is a vector containing all witness values (including both public and private inputs), and a, b, c are coefficient vectors. The dot product notation represents a linear combination of witness values. Every arithmetic operation in the original program translates into one or more R1CS constraints.

Proof Systems: Understanding the Trade-offs

Different zero-knowledge proof systems make different choices about proof size, verification time, prover time, and required cryptographic assumptions. No single proof system dominates across all dimensions, and the choice depends on the specific application.

SNARKs (Succinct Non-interactive Arguments of Knowledge) produce very small proofs, typically a few hundred bytes. A SNARK proof can be verified in milliseconds, making these proofs highly efficient for blockchain verification where gas costs scale with computation. The trade-off is that SNARK proofs require a trusted setup: a ceremony where cryptographic parameters are generated and destroyed, and anyone participating in the setup could theoretically forge proofs if they retained the setup randomness.

SNARKs typically use pairing-based cryptography, which relies on elliptic curves with a bilinear pairing. The pairing operation allows combining two group elements from different curves to produce a result in a target group, enabling certain cryptographic constructions impossible with standard elliptic curve operations alone.

STARKs (Scalable Transparent Arguments of Knowledge) eliminate the trusted setup requirement entirely, relying instead on hash functions that are believed to be collision-resistant. STARKs produce larger proofs than SNARKs (typically kilobytes rather than bytes) and require more verification time, but the removal of trusted setup reduces the surface area for attacks and simplifies deployment. STARKs use the FRI protocol (Fast Reed-Solomon Interactive Oracle Proofs), which decomposes a polynomial commitment into smaller sub-problems that can be solved recursively.

Bulletproofs offer a middle ground, providing relatively small proofs without a trusted setup, though with higher verification complexity than SNARKs. Bulletproofs use logarithmic-sized arguments and rely on discrete logarithm assumptions similar to SNARKs, but without requiring pairings.

The choice between these systems in production depends on specific constraints. If proof size is critical (as it is for on-chain verification), SNARKs with trusted setup may be acceptable if the setup ceremony is sufficiently transparent. If eliminating trust assumptions is paramount, STARKs accept larger proofs. If neither extreme is suitable, systems like Bulletproofs provide a compromise.

ZK-Rollups: Scaling Through Aggregated Proofs

A ZK-rollup is a layer-2 scaling solution that processes thousands of transactions off-chain, generates a single zero-knowledge proof attesting to their correctness, and submits both a compressed state update and the proof to the main blockchain. The main chain verifies the proof in a single transaction, ensuring that all rolled-up transactions are valid without re-executing them.

The architecture consists of several key components. A rollup operator maintains a state tree representing all user balances and contract state off-chain. Users submit transactions to the operator's mempool. The operator collects transactions into batches, executes them sequentially, updates the state, and then generates a proof that attests to the validity of the entire batch and the correctness of the state transition.

The proof demonstrates several properties simultaneously. First, it proves that each transaction in the batch was executed according to the rollup's rules: valid signatures, sufficient balances, and correct state transitions. Second, it proves that the state root before processing the batch combined with the batch of transactions produces the new state root. Third, it proves that all constraints of the rollup protocol were satisfied.

Generating this proof requires encoding the entire batch execution as an arithmetic circuit. The circuit takes the previous state root, the batch of transactions, and a Merkle proof for each account's current balance as private inputs. It then verifies signatures, checks balance constraints, executes the transactions, updates the state tree, and outputs the new state root. The circuit is large—processing a typical batch of 2000 transactions might require 10-50 million constraints—but the circuit is generated once per batch, not per transaction.

The gas cost of posting a ZK-rollup proof to Ethereum is dominated by the verification step itself, plus the cost of publishing the compressed batch data and the new state root. Verification typically costs 200,000-500,000 gas depending on the proof system and the specific circuit, which is amortized across all transactions in the batch. A batch containing 2000 transactions thus pays roughly 100-250 gas per transaction just for proof verification, compared to 21,000 gas for a minimal Ethereum transaction.

The state tree structure itself requires careful design. ZK-rollups typically use Merkle trees or sparse Merkle trees to represent the state, allowing efficient proofs of account inclusion and balance transitions. A sparse Merkle tree maps account addresses to their balances, with empty branches represented implicitly rather than stored. This allows constant-size Merkle proofs regardless of the total number of accounts in the system.

Mathematical Models and Constraint Systems

Designing a production ZK-rollup requires precisely modeling the mathematical guarantees that the system provides. The core model expresses the relationship between states and valid transitions.

A rollup state can be represented as S = (root, nonce), where root is the Merkle root of the account tree and nonce is a counter that increments with each batch. A batch B is a sequence of transactions [tx1, tx2, ..., txn]. A valid state transition S → S' via batch B requires that executing B starting from state S produces state S'.

More formally, we define a transition relation T(S, B, S') that holds true if and only if:

  1. For each transaction txi in B, the transaction's sender exists in the state tree at S
  2. The sender's account in S has sufficient balance to cover the transaction's value plus fees
  3. The transaction's signature is valid under the sender's public key
  4. Executing the transaction updates the state tree correctly, producing intermediate state Si
  5. After all transactions execute in sequence, the final state equals S'

The zero-knowledge proof demonstrates that this relation T holds without revealing any of the intermediate states, account balances, or transaction contents beyond what is publicly necessary.

The circuit representation of this relation requires expressing each condition as polynomial constraints. For transaction signature verification, the circuit encodes elliptic curve operations as field arithmetic. For state tree updates, the circuit verifies Merkle proofs and computes new roots. For balance checks, the circuit reads account values from the state tree and verifies arithmetic constraints.

A simplified version of the constraint logic for a single transaction might look like:

// Verify sender exists in the state tree
merkle_proof_valid(sender_merkle_proof, sender_address, old_root) == true

// Read sender's balance
sender_balance = merkle_path_value(sender_merkle_proof, balance_index)

// Verify sufficient balance
sender_balance >= transaction_amount + transaction_fee

// Compute new sender balance
new_sender_balance = sender_balance - (transaction_amount + transaction_fee)

// Verify recipient balance update (if recipient is a new account, new balance = transaction_amount)
recipient_balance_new = (recipient_exists ? recipient_balance_old : 0) + transaction_amount

// Update state tree with new balances
new_root = update_merkle_root(old_root, sender_address, new_sender_balance, recipient_address, recipient_balance_new)

Enter fullscreen mode Exit fullscreen mode

Each operation in this sequence becomes one or more polynomial constraints in the arithmetic circuit. Merkle proof verification is the most constraint-intensive operation, as hash functions like Keccak require thousands of constraints to express in polynomial form.

Proving and Verification Performance

The time required to generate a proof scales with the circuit size and grows faster than linearly. For a circuit with 10 million constraints using an SNARK, proof generation might require 10-30 seconds on a modern CPU, or a few seconds using specialized hardware like GPUs. Proof verification, by contrast, is nearly constant-time regardless of circuit size, typically completing in 50-200 milliseconds.

This asymmetry makes ZK-rollups economically viable. A single operator or sequencer incurs the cost of generating proofs, but that cost is amortized across all users in a batch. Verification happens once on-chain for all transactions, paying a fixed gas cost rather than a per-transaction cost.

Proof generation can be optimized through batching and parallelization. Multiple batches can be proven in parallel if sufficient hardware is available. Some proof systems support recursive composition, where a proof of proofs allows further aggregation. For instance, several rollup batches can each generate a proof, and then those proofs can be combined into a single proof attesting to all batches. This reduces the on-chain verification cost even further when multiple batches are accumulated.

The memory requirements for proof generation depend on the proof system. SNARKs typically require holding the entire constraint system in memory, which can be gigabytes for large circuits. STARKs have different memory characteristics but generally scale less favorably than SNARKs in terms of runtime for typical circuit sizes.

Privacy Guarantees and Limitations

A fundamental property of zero-knowledge proofs is that they provide privacy regarding the witness (the prover's secret), but the public inputs and outputs remain visible to the verifier. In a ZK-rollup, this means the batch of transactions and the before-and-after state roots are public on-chain, but the proof itself reveals nothing about individual account balances or transaction internals beyond what is necessarily public.

However, privacy in a ZK-rollup is limited by the nature of the public data. If accounts are linked to real identities through on-chain interactions, an observer can analyze the transaction graph and make inferences about behavior even without seeing transaction contents directly. The zero-knowledge property prevents the proof itself from leaking information, but does not protect against inference attacks based on public transaction patterns.

Some ZK-rollup designs include additional privacy features, such as encrypted transaction data. In these systems, transactions are encrypted under a rollup-specific key that only the operator knows. The proof attests to the correctness of decryption and execution without the verifier ever seeing the plaintext. This prevents external observers from analyzing the transaction graph, though the rollup operator remains able to see all transaction contents.

The trade-off between privacy and verifiability is fundamental. A ZK-rollup that publishes all transaction data on-chain allows anyone to verify the operator's work independently, but sacrifices user privacy. A ZK-rollup that encrypts transactions improves privacy but requires trusting the operator to not censor transactions or steal funds, as full verification becomes impossible for external observers.

Implementation Considerations

Building a ZK-rollup system requires careful engineering across multiple layers. The circuit design must be correct, as any error in the constraint system could allow invalid transactions to be proven valid. Circuit audits by independent cryptographers are standard practice.

The proof system selection determines acceptable trade-offs. If minimizing on-chain verification cost is primary, SNARKs with trusted setup are standard. If removing trust assumptions is critical, STARKs are preferred despite larger proof sizes. Some systems use multiple proof systems, with a faster SNARK for initial verification and a slower but trustless STARK for final settlement.

The state tree implementation must support efficient proof generation and verification. Sparse Merkle trees are common, but alternative structures like Ethereum's Verkle trees are under exploration. The hash function used in the tree must be efficiently expressible as constraints; keccak-256 is common on Ethereum rollups but requires many constraints, while specialized hash functions like Poseidon are designed specifically for arithmetic circuit efficiency.

The operator architecture must ensure liveness and prevent censorship. A centralized operator can refuse to include transactions, forcing users to wait or use alternative mechanisms. Some designs include a forced transaction exit mechanism, allowing users to withdraw funds without the operator's cooperation if the operator becomes unavailable.

Data availability remains a separate concern from zero-knowledge proofs themselves. The batch data must be available on-chain or on a separate data availability layer so that users can compute their account state and generate proofs of withdrawal if needed. A ZK-rollup without adequate data availability can hide fraud from observers, defeating the purpose of on-chain verification.

If you are building a Web3 application or need professional documentation for complex technical systems, my Fiverr profile at https://fiverr.com/meric_cintosun covers Web3 documentation, smart contract development, and full-stack Next.js applications.