New year, same old me: taking shots at crypto narratives.
And crypto is searching for a new one after 2022’s bloodbath. So far in 2023, a16z has shown us the way with a $100m round for Aztec, a zero-knowledge proof focused company my old employer ConsenSys was one of the first investors in (disclosure, I wrote a memoir about ConsenSys that you should check out).
(Note: I don’t want to spend too much time explaining zero knowledge proofs (ZKPs), as there are many explainers already. ELI5: a ZKP is a way to prove that a statement about some data is true (e.g., that you live in NYC) without revealing the underlying data (your address), using fancy cryptography.)
ZKPs are being touted as the next catalyst for crypto, a “game changer” that will make blockchain safe and scalable using revolutionary technology. It seems odd I would choose to criticize something so promising, but ever since I first worked with a ZK team five years ago I found one fact troubling: ZKPs have actually been around since Goldwasser, Micali and Rackoff introduced them in 1985, nearly four decades, yet never found much adoption - although some of the related cryptography proved to be important - a story that seemed all too familiar to me. I started to grow cynical.
I’m going to argue that ZKPs are part of the blockchain shell game. Because blockchains have so many technical faults, ZKPs are touted as a solution - and the two together are so confusing it’s easy to pass another complicated concept over our heads. Both are immature technologies where the perfect solution resides at some point in the future, and that’s the ideal formula for more influencers to shill their bags.
In blockchain-land, ZKPs actually create a paradox: as the US and other governments squash privacy solutions like Tornado Cash, every permutation of ZKP-based privacy - fully private, partially private, rollups - is a loaded trap. Ultimately, we’ll see that while using ZKPs plus blockchains to solve our data and privacy issues in the tech world might seem like the holy grail, it’s more like a Hail Mary.
Some background on zero knowledge proofs and why they matter
By default, blockchains have no privacy. That’s why criminals who use them are often quickly caught - everyone’s assets and transactions are fully visible. An account looks anonymous as a string of numbers and letters, but it is only pseudonymous: eventually your activity will be linked to an exchange, which will happily hand your identity to law enforcement.
Why does it matter? Because if we want to get Starbucks and Goldman into actually using crypto for business, they can’t be advertising their financial activities to everyone. Public transactions are a non-starter. And without that, crypto remains a “toy” ecosystem, as Matt Levine writes.
ZKPs are truly brilliant mathematics being built by very smart people, some of whom are my former colleagues. Unfortunately, the same is true about many things in crypto, and we’ve seen where that can lead. The technical work is spectacular, even if the business case might not be there. But because there are financial incentives being dangled by VCs to keep at it, they will keep going and making leaps.
Three doors to nowhere
There are three ways a blockchain could “improve” its privacy: a fully private blockchain where every transaction is ZKP-based, a partially private one with the option to use ZKPs or not, and a hybrid of public-private chains using rollups. Unfortunately, a combination of laws, technological limitations, and trust turn ZKPs and “private blockchains” into a giant catch-22. There’s a “ZKP trilemma” similar to Vitalik Buterin’s “blockchain trilemma”: no solution can offer untraceable privacy, compliance with the law, and decentralization. When it comes down to it, the only reason to use a ZKP today on a blockchain is to commit a crime.
The fully private model
Fully private blockchains in fact already exist - and have existed - for a while. Yet usage remains terribly low. Why is that?
First, being fully private means generating a proof for every transaction, including the many that need no privacy at all. Proof generation is the expensive part, and it falls on the user’s machine, so this adds needless cost and is partly why privacy is “optional” on so many chains. Forcing it on all of Ethereum today would push heavy computation onto every wallet and add back real energy and hardware cost just after the Merge removed mining’s.
In fact, we can see this in Zcash’s own website, which shows less than 20% of transactions are at all private, and Chainalysis notes that less than 1% are “fully” private. This number has more or less held steady for years, except for a spike around a well publicized roll out. And worth noting, we have no idea if Zcash is fudging those numbers by entering its own transactions!
Why might the numbers be so low? Shielded Zcash transactions demand real computing power and user skill, and even then these ZKP chains only support the simplest of operations: transfers. They remain slow and costly - often more than 30 seconds, and 10x+ the cost of an already expensive Ethereum transaction, though the exact numbers depend heavily on the proving system and the hardware. Years of research on specialized hardware likely remain ahead.
That brings us to a massive limitation with no real solution today. All of the excitement around “web3” is for smart contracts, but there are no functional zero knowledge smart contract chains. This is quite limiting - without it, there are no DeFi applications, loans, yield, and all the other things people have been excited about. While there are some theoretical and testnet-type implementations, they have significant caveats. That’s because most of the ZK implementations so far use the UTXO model, similar to Bitcoin, which significantly impairs programmability.
That’s a problem. As Vitalik said last year, people “don’t just want, like a scalable money thing.” But for now, that’s all ZKPs can do.
That leaves payments as the only use case, and payments are the electrified fence of private chains. AML rules require regulated intermediaries (VASPs, in the regulators’ jargon) to screen the transactions they handle, which cannot be done on a fully private chain, making such chains effectively illegal to touch. The OFAC sanctions on Tornado Cash show where this pressure is heading, and it has already led many exchanges to delist privacy coins entirely.
So why aren’t these founders in jail? Pretty simple - while promising privacy with one side of the mouth, on the other side Zcash encourages regulators and exchanges to track their users’ transactions. From their own website:
“Zcash requires the use of payment addresses for all transactions. This allows VASPs to issue a unique deposit address to each customer, thus allowing Zcash deposits to be unequivocally attributed to a specific customer. Zcash also requires that customers provide a payment address in order to receive withdrawals, allowing VASPs to conduct sanctions screening, or restrict withdrawals to whitelisted addresses…The required originator and beneficiary information can be attached directly to a shielded transaction using the encrypted memo field.”
Zcash’s response is to say “Who? Not me!” by funding a report arguing that it’s Monero, not Zcash, that is widely used by criminals. They might have a point: Coinbase doesn’t list Monero at all, and in the US only Kraken does.
How does Monero handle these issues? You simply declare that regulations don’t apply to you, and become the #2 preferred currency of the dark web!
The partial privacy model
The partial privacy model offers two options per transaction: public or private. This is the existing “privacy” setup on Zcash, on a few other chains like Mina, and on Ethereum - though there it lives in applications like Tornado Cash or Aztec rather than the base protocol, which is fully public. It would seemingly solve the computation issue: those who need privacy can pay for it.
But these existing chains are only hiding a more serious problem: they’re not that private. Numerous studies show that blockchain analytics firms like Chainalysis can trace transactions because money has to “convert” from public to private and back, and the transparent deposit into the pool and the transparent withdrawal out of it can be matched on amount and timing - especially when exchanges like Coinbase don’t allow shielded withdrawals. Think of the shielded pool as the phone booth Clark Kent steps into. The disguise isn’t convincing when Superman comes out 30 seconds later carrying the same briefcase.
Your only options are to mix your transactions, wait random amounts of time, or batch them with other people…and if you trust the people running those services more than a bank, I’ve got a bridge on Solana to sell you.
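To make the phone-booth problem concrete, here is a small example added for this page (it is not Zcash, Chainalysis or any analytics vendor’s code). It runs the simplest linking heuristic over a constructed ledger of shield/unshield events: a withdrawal is linked to every earlier deposit of the same amount (minus at most a fee) within a block window. The ledger rows, transaction labels and the fee tolerance are all made up; real analytics stack many more signals on top of this one.

```python
"""Amount-and-timing correlation across a shielded pool.

Constructed example for this page, not production or vendor code. A public
ledger shows money entering the pool ("shield") and leaving it ("unshield");
the pool itself hides the path. The heuristic below asks: for each exit,
which entries could it be? An anonymity set of 1 means the pool hid nothing.
"""
from dataclasses import dataclass

ZATOSHI = 100_000_000  # smallest unit, as in Zcash


@dataclass(frozen=True)
class Event:
    txid: str      # constructed label, not a real transaction hash
    kind: str      # "shield": transparent -> pool; "unshield": pool -> transparent
    amount: int    # in smallest units
    height: int    # block height at which the event is visible on chain


# Constructed ledger. t1/t5 is the oddly specific amount that gives itself away;
# t2/t3 vs t6/t7 are round amounts that blur together; t4/t8 is a long wait.
LEDGER = [
    Event("t1", "shield",   314_159_265,  100),
    Event("t2", "shield",   1 * ZATOSHI,  100),
    Event("t3", "shield",   1 * ZATOSHI,  101),
    Event("t4", "shield",   5 * ZATOSHI,  200),
    Event("t5", "unshield", 314_158_265,  104),   # t1 minus a 1,000-unit fee, 4 blocks later
    Event("t6", "unshield", 1 * ZATOSHI,  150),
    Event("t7", "unshield", 1 * ZATOSHI,  160),
    Event("t8", "unshield", 5 * ZATOSHI,  400),
]


def link_candidates(ledger, window, fee_tolerance):
    """For each unshield, list the shields that could be its source under the
    heuristic: same amount (less at most fee_tolerance) and shielded at most
    `window` blocks earlier. Returns {unshield_txid: [shield_txid, ...]}."""
    shields = [e for e in ledger if e.kind == "shield"]
    links = {}
    for wd in (e for e in ledger if e.kind == "unshield"):
        links[wd.txid] = [
            d.txid for d in shields
            if 0 <= d.amount - wd.amount <= fee_tolerance
            and 0 < wd.height - d.height <= window
        ]
    return links


def anonymity_set_sizes(links):
    """How many plausible sources each withdrawal has. 1 = deanonymised,
    0 = the heuristic alone cannot place it (e.g. the user waited long enough)."""
    return {txid: len(c) for txid, c in links.items()}


def strong_links(links):
    """Withdrawals with exactly one candidate deposit: no mixing, no waiting,
    an unusual amount, so the shielded pool bought nothing."""
    return {txid: c[0] for txid, c in links.items() if len(c) == 1}


if __name__ == "__main__":
    links = link_candidates(LEDGER, window=100, fee_tolerance=10_000)
    print("anonymity set per withdrawal:", anonymity_set_sizes(links))
    print("deanonymised by amount+timing alone:", strong_links(links))
```

The round-amount deposits (t2, t3) end up with an anonymity set of two for each withdrawal, which is what mixers and fixed denominations are trying to buy you; widening the window to a thousand blocks recovers the long wait (t8 links back to t4), which is why “wait a random amount of time” only helps if other people are also moving the same amount meanwhile.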
Zooko Wilcox himself admits that Zcash’s privacy only comes from “money at rest,” i.e., don’t actually use it for your daily business. If Bitcoin is digital gold, Zcash is a digital safe…or something.
Zcash’s shielded pool has also been spammed for months by someone flooding it with shielded outputs, and because the pool hides the sender there is little the network can do about it beyond fee changes. Zcash also does nothing to protect your IP address - the proof hides what goes on the chain, not the network metadata of the node that broadcasts it - so lazy criminals be warned.
Other protocols like Mina have put out research that keeps all transactions private below a dollar limit of a few thousand dollars, meaning everything above that is forced to be public, which seems like a non-starter for any real business.
Hybrid - a private rollup
Rollups are the future of Ethereum, according to Vitalik - for now. Aside from inspiring hunger for fruit snacks, rollups are a “Layer 2” that batches transactions together. That should shift a blockchain like Ethereum from sluggish to zippy.
Rollups so far have suffered from the same problems as other ZKP chains: either no smart contract functionality, or app-specific rollups with many limitations. Some newer rollups have managed to fix that.
But, rollups have a number of tradeoffs, making them possibly the worst of all worlds - creating compromises for privacy, decentralization, and legal status.
Privacy
Zk-rollups currently require you to lock up assets in a contract on Ethereum, so the deposit itself is transparent. Today’s zk-rollups then post every transaction’s data to Ethereum in batches as well: the “zk” in the name refers to a succinct validity proof that the batch was executed correctly, not to hiding anything. So you can read counterparties straight out of the batch, and even a rollup that did hide its internal transfers would still leak at the deposit and withdrawal edges, exactly like a shielded pool. Unless you use a mixer…and you know where that will go.
Add to that that the zk-rollups people actually use today make no attempt at privacy, so all of this is theoretical/promises today.
Centralization
Zk-rollups today run a single sequencer, a centralized party that decides which transactions get in and in what order. That is the key to achieving “Visa”-like scalability - and it also means the operator can censor, delay or front-run you, which seems to defeat the entire purpose of using a blockchain in the first place. The validity proof does constrain the operator: a sound circuit won’t let a sequencer mint tokens out of nothing. What the proof does not cover is the team’s own keys. Most rollup contracts on Ethereum can be upgraded by a team-held multisig, so a malicious upgrade, or a bug in the circuit, could inflate balances with no one even knowing about it until the damage was done.
Most rollups are custom built (and sometimes run) by centralized companies, like StarkWare and Polygon. They have built rollups that are not fully open source or that are custom versions of EVM, so the company needs to exist to maintain/debug the code, and traditional corporations would have to build apps specifically for these environments. Unlikely!
Compliance
As centralized entities that process financial transactions, rollups would likely come under significant regulatory scrutiny under banking, AML, and securities laws. If a rollup were decentralized, as some plan to do “eventually,” these smaller chains could become targets for hacks, front running (MEV), or spam.
The standard reply to all these issues is that you’d have “choice” among many different rollups to make tradeoffs. But bridging assets to L2s, and from one rollup to another, is full of technical and economic problems: it locks up capital, reduces privacy, increases room for user error and fake UIs, and is generally just a pain. This is the same “push” model that makes Ethereum gas as fun as a root canal - you need to go back to Coinbase every time to buy more and guess how much ETH you might need. Rollups, like Ethereum, can’t “pull” funds as you need them because your funds are sitting in MetaMask, where you are the sole authorized party to move them. And again, if someone else is authorized, what’s the point of crypto at all?
Rollups may work as a scalability solution, but they have few, if any, answers to the many usability problems they would create if they implemented privacy.
This is a general problem with crypto - since everything is built around developer adoption (“look, we’re the fastest, easiest one for launching your app/token!”), roadmaps tend to be pretty anti-user.
Thinking about trust
As I mentioned above, ZKPs have been around for decades but found little business use until blockchains appeared. And yet on first review they seem an incredibly cool and useful concept, with brilliant cryptographers at Stanford and elsewhere working on them. Why wouldn’t Alice want to maximize privacy? How is this not front page news?
But we see the three doors of ZKPs-in-blockchain don’t lead anywhere. Can we find a use case for a ZKP itself? Let’s think about the standard “Alice wants to pay Bob privately” example.
For Alice to need a ZKP, two conditions need to be true:
(1) she does not trust Bob (not revealing her information) and Bob does not trust her (he will not simply accept her word for it)
(2) she does not want anyone else to know about her transaction with Bob (otherwise she could rely on a trusted third party to verify).
Really, we should call them zero-trust proofs, since that’s the environment we need them in. But how often is that really the case?
It’s important to note that transactions are always an exchange. And yet ZKPs are very much focused on the one-way transmission of information, rather than trades. If she does not trust Bob, why is she doing business with him? To make any trade, there needs to be trust that the good being given in return for money is real!
More explicitly: if you don’t trust the car dealership enough to view your credit score, how can you trust them not to sell you a lemon? You’re going to a smoothie shop where you think they might be poisoning the food.
And for the reverse, if Bob doesn’t trust Alice - how can he stay in business? The smoothieman isn’t going to refuse to sell to each individual person until they prove they have funds - or at least that’s not a problem in current society, because they can trust your credit card instead.
This is, in fact, a very deep flaw in the entire model of using smart contracts. Blockchains are actually tools for asset transfers, not exchange. A true trade requires two simultaneous transfers, and the gap between them is how many smart contracts get hacked: fake one leg of the exchange - a fake deposit, a worthless token passed off as collateral - and walk away with the other for free.
As for the second condition - Alice wanting privacy from everyone, so she can’t rely on a third party - while often valid, is difficult to maintain. Our existing financial system is already private - the only participants with knowledge of a transaction are you, the store, and the intermediaries (bank/network). To gain privacy from the credit card company or the bank, we must make the transaction fully unintelligible to anyone else - a challenge, because if Bob is Alice’s doctor, she might need to show the insurer at some point how much she paid. Or to the government to claim a tax refund. Or to a spouse who wants to share an account. Eventually, maintaining this level of selective data permissioning will cause a migraine or lead to Swiss cheese access to private data.
Very quickly we see this use case of one-way transmission with an untrusted counterparty and no third party is difficult to apply in today’s economy. There are simply better ways to handle our other cases: if we do trust Bob, but no one else, we can use a normal encrypted connection; if not, we can rely on a third party that simply provides an attestation (rather than the data itself) or a confirmation via an API.
Now there are some one-offs I’ve heard, like activists living in Iran or Syria who get funding secretly. But unless their local grocery accepts Zcash or Monero, they’ll have to exchange to fiat, and that opens up a huge vulnerability that exposes them both to government tracing and to being cheated out of their funds.
Let’s try some of the other use cases Packy McCormick suggests in his post about ZKPs:
“I could prove that I know the password to an account without entering the password and risking its exposure”
This is mostly already the case, though not quite in the way people assume. TLS protects the password in transit and salting/hashing protects it at rest, but the server still receives and handles the plaintext at every login. The protocols that avoid even that are password-authenticated key exchanges like SRP and OPAQUE, which are themselves zero-knowledge password proofs, and they predate blockchains by decades. Nothing about this needs a chain.
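Since the ELI5 above skipped the mechanics, here is the textbook version of “prove you know the secret without revealing it”: Schnorr’s identification protocol, a zero-knowledge proof of knowledge of a discrete logarithm, which is also the ancestor of the password proofs just mentioned. This is a runnable example added for this page, not code from Zcash, Aztec or any library the post discusses. The group is a 64-bit safe prime generated at import time (far too small for real use, chosen so the arithmetic stays readable); the function names and the Fiat-Shamir hash layout are this example’s own choices.

```python
"""Schnorr identification: prove knowledge of x with y = g^x, revealing nothing about x.
Constructed example for this page; toy-sized group, not production parameters."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """(p, q, g): p = 2q + 1 a safe prime; g = 4 generates the order-q subgroup
    of quadratic residues, since 4^q = 2^(p-1) = 1 mod p and 4 != 1."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_group()


def keygen():
    """Secret x (the 'password' in the page's analogy); the verifier stores only y = g^x."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def commit():
    """Prover's first move: fresh nonce r, commitment a = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def respond(x, r, c):
    """Answer to challenge c. Safe only because r is fresh and uniform:
    reusing r for two challenges lets anyone solve for x."""
    return (r + c * x) % Q


def verify(y, a, c, s):
    """Verifier's check: g^s == a * y^c."""
    return pow(G, s, P) == (a * pow(y, c, P)) % P


def challenge(y, a):
    """Fiat-Shamir: derive c from the transcript so the proof is non-interactive.
    Binding P, G and y into the hash stops a proof being replayed under another key."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{a}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove_ni(x, y):
    r, a = commit()
    return a, respond(x, r, challenge(y, a))


def verify_ni(y, a, s):
    return verify(y, a, challenge(y, a), s)


def simulate_transcript(y):
    """Why it is zero-knowledge: with no secret at all, pick c and s first and solve
    for a. The result passes verify(), and is distributed exactly like a real
    transcript, so transcripts cannot leak x. It fails against an honest verifier
    (or Fiat-Shamir) because there c is only fixed after a has been committed."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    a = (pow(G, s, P) * pow(y, -c, P)) % P
    return a, c, s


if __name__ == "__main__":
    x, y = keygen()
    a, s = prove_ni(x, y)
    print("honest proof verifies:", verify_ni(y, a, s))
    a2, c2, s2 = simulate_transcript(y)
    print("simulated transcript passes the interactive check:", verify(y, a2, c2, s2))
    print("...but not as a Fiat-Shamir proof:", verify_ni(y, a2, s2))
```

The login analogy maps directly: the server keeps y, never sees x, and a transcript stolen from the wire is worthless because the simulator shows it could have been produced without x. What the blockchain systems add on top of this 1989-era protocol is proving statements about whole programs rather than one exponent, which is where the prover cost discussed earlier comes from.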
“or that I have enough money to cover rent for the next year without telling some random broker all of the details of my personal finances”
As noted above, this is a problem of one-way information transmission rather than one of actual goods exchange. One-way information transmission can be solved by some basic encryption or a simple API - your new apartment’s leasing office sends a confirmation request and the bank provides an affirmation or denial, just like many services use Plaid to get KYC/login info from your bank. So this is not a technological issue as much as laziness on the part of bank developers. (In fact, Packy admits as much at the end of the passage.)
The only reason that this API couldn’t or wouldn’t be built eventually is because the information isn’t held by a company that is compliant with standard cybersecurity practices. When would you ever leave trusted information with such an entity…except on a blockchain?
Knaves and Fools
So let’s come to it. Why would you need a ZKP? Pretty much only because you’re transacting on a blockchain.
And most of us have been through every blockchain use case already - trading NFTs, throwing money at random ICOs - using public blockchains. So why do you need a private one?
Because you want to buy a house with a blockchain? Hmm, real estate registries are already public.
Users in general seem pretty happy to use these “toy” financial applications with all their information out there in the public eye. The only strong motivation to use crypto for real transactions but keep them private at the moment is out of libertarian principle or to avoid government scrutiny. And for the latter, odds are that’s because you’re a tax cheat or a criminal.
Why do I (and why should you) care?
Is it just because I’m a jerk who likes to kick crypto while it's down? Or want to beef with a bunch of math PhDs?
Not really. ZKPs are rising in importance to Ethereum’s future, so there’s multiple reasons to be wary:
Buyer beware
With all the zk-rollups being launched this year, it’s inevitable there will be tokens - it’s probably half the motivation to do it. Be wary of marketed panaceas!
Don’t get dumped on
Let’s be honest, there’s a litany of Substacks and podcasts out there that only exist to soak up $50k sponsored “explainer” posts for whatever new crypto doodad is willing to pay. These influencers are usually taking “advisory roles” for some more tokens, to help shill while they rewrite the user docs or a Wikipedia article on ZKPs. Related to the point above: don’t help them shed their bags on you.
False sense of security
Actually, the worst thing I could imagine is that someone convinces an activist in Iran that ZKPs will save them from government scrutiny - and they get caught anyway, or lose their funds, or end up in prison. Just because Edward Snowden is a crypto fan doesn’t mean it’s the ideal way to protect your privacy.
Overall, my sense is that even implementing the current ZKP roadmap on Ethereum would take 5 years - given the cryptographic inventions needed, then the libraries, then the apps. And by that point, quantum breakthroughs might compromise the pairing-based proof systems (and the elliptic-curve signatures) much of the ecosystem relies on; hash-based STARKs don’t share that exposure, but they are not where most of today’s deployments sit.
I probably seem glib in my criticisms of privacy, considering ZKPs are an extremely popular topic nowadays because we are all sensitive about our privacy online. Everyday more and more of our life becomes digital - our relationships, our finances, our homes. But the idea that ZKPs would shield that information when used in the anarchic, adversarial environment that a blockchain creates gives a false sense of security.
Cryptographic breakthroughs like RSA have undoubtedly made our lives better and safer, and ZKP research could lead to similar breakthroughs. Given how early we are, and how cryptography tends to come in sudden leaps, I could eventually be proven wrong about ZKPs specifically. But when mixed with cryptocurrency, it’s hardly a safe bet.