THE VERIFIER
READ News Reports The Verifier - In Print
CATEGORIES Artificial Intelligence Zero-Knowledge Blockchain Robotics & Autonomy Compute & Infrastructure Policy & Society Editorial briefings
LISTEN & MEET The Verifier Podcast Events
STANDARDS Editorial standards Corrections log Editorial independence About
SUBSCRIBE - IN BRIEF
Zero-Knowledge Explainer 3 sources

Zero-Knowledge Proofs, Explained Without the Hype

A proof that reveals nothing except its own validity sounds like a contradiction. It isn't - and it's quietly becoming one of the most important ideas in computing.

3 sources on file
Zero-Knowledge Proofs, Explained Without the Hype - The Verifier illustration

Suppose you want to convince someone you know a secret - a password, the solution to a puzzle, the contents of a sealed document - without revealing the secret itself. At first this sounds impossible. A proof, surely, is something you show; showing it gives it away. The surprising result at the heart of modern cryptography is that this intuition is wrong.

The idea was formalised in 1985 by Shafi Goldwasser, Silvio Micali and Charles Rackoff, in a paper on the “knowledge complexity” of interactive proofs. They asked a precise question: how much knowledge must a prover leak in the course of convincing a verifier that a statement is true? Their answer - that the leaked knowledge can be exactly zero - won them the Turing Award’s cryptographic lineage and named a field.

The three properties every ZK proof must have
PropertyPlain English
CompletenessIf the statement is true, an honest prover always convinces the verifier
SoundnessIf it’s false, no cheating prover can convince them - except with negligible luck
Zero-knowledgeThe verifier learns the statement is true, and nothing else at all

Three properties

A zero-knowledge proof system has to satisfy three conditions at once. Completeness: if the statement is true, an honest prover can convince an honest verifier. Soundness: if the statement is false, no cheating prover can convince the verifier except with negligible probability. And zero-knowledge: the verifier learns nothing beyond the fact that the statement is true - not the witness, not the secret, nothing that couldn’t have been produced without the prover at all.

That last property has a beautifully strict definition. A proof is zero-knowledge if a simulator, given only the statement and no secret, can produce a transcript indistinguishable from a real interaction. If a fake conversation is indistinguishable from a real one, the real one cannot have carried any secret information. The knowledge leaked is provably nil.

If a fake conversation is indistinguishable from a real one, the real one cannot have carried any secret.

From interaction to a single message

The original proofs were interactive: a back-and-forth of challenges and responses, like a sceptic repeatedly testing a claimant until cheating becomes statistically absurd. Interaction is awkward for the internet, where you often want to post a proof once and let anyone check it later. The Fiat-Shamir transform, and a line of work on succinct non-interactive arguments, collapsed the conversation into a single string a prover can publish and a verifier can check alone.

Those non-interactive proofs - SNARKs and STARKs - are what turned zero-knowledge from a theoretical marvel into infrastructure. They let a blockchain verify that thousands of transactions were executed correctly by checking one small proof, or let a system attest that a computation ran as specified without re-running it.

A story you can hold

The classic illustration, from a famous late-1980s paper, involves a cave. The cave is a ring with a magic door at the back that opens only to a secret word. You claim to know the word; I don’t believe you. So I stand at the entrance while you walk in and choose, out of my sight, the left passage or the right. Then I shout which side I want you to come out of. If you know the word, you can always comply - open the door and emerge wherever I demanded. If you don’t, you can only comply when you happened to pick the side I later named: a coin flip.

One round proves little. Twenty rounds in a row, and the odds of bluffing your way through are worse than one in a million. Yet notice what I have learned at the end: nothing but the fact itself. I never heard the word, never saw the door open, and could not even convince a third party by replaying our exchange - for all they know, we choreographed it. That last property has a name, and it is the strange heart of the field: the proof convinces you, live, and no one else. Every construction in this article is, at bottom, an industrialisation of that cave.

Removing the conversation

Interactive proofs have an obvious practical problem: the verifier has to be present, asking the challenges. The escape is a beautiful trick from 1986 known as the Fiat-Shamir transform: instead of a live verifier choosing random challenges, the prover derives the challenges from a cryptographic hash of the transcript so far. The hash function plays the role of an incorruptible, unpredictable questioner. The result is a non-interactive proof - a single string anyone can check, any time, with no conversation at all. That single string is what gets posted to blockchains, attached to credentials, and shipped in the systems this desk covers.

Where you already rely on it

This is not laboratory mathematics. Zero-knowledge proofs secure billions of dollars of value in production blockchain systems today: rollups post validity proofs so that a whole batch of transactions can be trusted by checking one succinct certificate, and privacy systems let users demonstrate ownership or eligibility without exposing their accounts. The proving is slow and the engineering is unforgiving - but the technology crossed from paper to production years ago, and the systems built on it have held.

Why it matters beyond cryptocurrency

Zero-knowledge is often introduced through blockchains, which is a shame, because the idea is far more general. Any time you want to prove a fact about private data - that you are over eighteen without showing your date of birth, that a model produced an output without revealing its weights, that a document existed on a date without publishing the document - a proof that reveals nothing but its own validity is the right tool.

The engineering is hard and the performance costs are real, which is why much of the coverage on this desk concerns the gap between what these systems promise and what they currently deliver. But the underlying claim is settled and, once absorbed, slightly vertiginous: proof and disclosure are separable. You can demonstrate that something is true while keeping the reason to yourself.

GROTH16~128 bytes · 3 pairings to verifyPLONK~400 bytes · universal setupSTARKtens of kilobytes · no setup, post-quantum hash assumptionsPROOF SIZE, LOG-ISH SCALE (NOT TO SCALE - STARKS WOULD LEAVE THE PAGE)
Fig. A - What you pay for removing the trusted setup: bytes. Sources: Groth 2016; PLONK 2019; STARK literature.

From parlour trick to planetary scale - the 2025 postscript

When this explainer was first drafted, the honest caveat was that proving anything large remained slow. That caveat aged badly, in the best way: through 2025 the time to prove an entire Ethereum block collapsed from minutes to seconds - a roughly sixty-fold improvement in a year - and by early 2026 consumer-GPU rigs were proving essentially every block in under twelve seconds. The cave story above is no longer a metaphor for a laboratory technique. It is a description of infrastructure now fast enough to sit underneath a global settlement layer, which is exactly where Ethereum’s roadmap is putting it. The mathematics did not change. The engineering caught up to it - and the caveat that replaced the old one is about proving-system security margins, covered in our recursion analysis on this desk.

GO DEEPER
  • Two proof families - SNARKs against STARKs, and what each trades for its superpower.
  • Proofs of proofs - the recursion techniques behind 2025’s real-time milestone.
  • The ceremony - how 141,416 strangers generated one secret nobody knows.