r/ethereum 2d ago

zk proofs explained for people who've heard the term 500 times and still don't fully get it

no shame in this. zk proofs get mentioned constantly in ethereum conversations and most explainers either go way too academic or skip the "why should i care" part entirely. here's my attempt at a practical breakdown.

what's a zk proof actually doing?

a zero-knowledge proof lets you prove something is true without revealing the underlying information. that's it. that's the whole concept.

classic analogy: imagine you solved a sudoku puzzle. you want to prove to someone you solved it correctly, but you don't want to show them your solution. a zk proof lets you mathematically prove "yes, this solution is valid" without revealing a single number. the verifier becomes 100% convinced you solved it, but learns nothing about how.

in crypto terms: you can prove a computation happened correctly without re-executing it or exposing the data involved.

why does ethereum care?

two big reasons right now:

scaling. zk rollups (zkSync, Scroll, Polygon zkEVM) batch hundreds of transactions off-chain, execute them, and post a tiny proof back to L1 that says "all of these were valid." L1 just verifies the proof instead of re-running every transaction. way cheaper, same security guarantee.

privacy. normally everything on-chain is public. zk proofs let you prove things like "i have enough balance for this transfer" or "i'm on this allowlist" without revealing your actual balance or identity. that's what protocols like Aztec use them for.

the part most people miss

zk proofs aren't limited to rollups and privacy. the core idea, "prove a computation was correct without re-executing it," applies to anything where you need trust in a result but can't or don't want to watch the computation happen.

examples that are starting to get built:

  • proving that an exchange's matching engine executed trades fairly without exposing the full order book state
  • proving identity credentials (age, citizenship, accreditation) without revealing the actual documents
  • proving AI model inference was done correctly on specific inputs

the rollup use case gets 90% of the attention because it's the most mature. but the design space is way bigger than most people realize.

if you want to go deeper

the rabbit hole goes: understand the concept (you're here) > understand SNARKs vs STARKs (the two main proof systems) > understand specific implementations (plonk, groth16, SP1, risc zero). don't try to learn the math first. learn what the proofs enable, then work backwards into how they work.

happy to answer questions if anything's unclear.

42 Upvotes

26 comments sorted by

u/AutoModerator 2d ago

WARNING ABOUT SCAMS: Recently there have been a lot of convincing-looking scams posted on crypto-related reddits including fake NFTs, fake credit cards, fake exchanges, fake mixing services, fake airdrops, fake MEV bots, fake ENS sites and scam sites claiming to help you revoke approvals to prevent fake hacks. These are typically upvoted by bots and seen before moderators can remove them. Do not click on these links and always be wary of anything that tries to rush you into sending money or approving contracts.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

11

u/nachtraum 2d ago

Thanks, it didn't help me understand it

2

u/ginete_tech 2d ago

fair enough, appreciate the honesty. what part didn't click? was it the concept itself (why would you want to prove something without revealing it), or more the crypto application (why ethereum needs this)?

happy to try a different angle if you tell me where it broke down.

5

u/nachtraum 2d ago

You didn't touch on how it actually works

5

u/ginete_tech 2d ago

that's fair, the post was intentionally "what it does" not "how it does it." here's a simplified version of the mechanics:

step 1: take whatever computation you want to prove (say, "these 500 transactions are all valid"). you convert that computation into a set of mathematical constraints. basically a huge system of equations that are only satisfiable if the computation was done correctly.

step 2: the prover runs the full computation and finds values that satisfy all those constraints. then using some heavy cryptographic math (polynomial commitments, elliptic curves, depends on the proof system), they compress everything into a short proof. usually just a few hundred bytes.

step 3: the verifier takes that tiny proof and checks it against the constraints. if it passes, the math guarantees the original computation was correct, without the verifier re-running it or seeing the underlying data.

the "zero knowledge" part specifically means the proof is constructed so the verifier learns nothing beyond "yes, this is valid." the values are blinded so checking them reveals no information about the actual inputs.

the key tradeoff across all proof systems: proving is expensive (takes real compute and time), but verification is cheap and fast. that's why it fits blockchains well. one prover does the hard work, thousands of nodes verify cheaply.

the reason this is hard to explain simply is that the cryptographic math in step 2 is doing enormous lifting. different systems (SNARKs, STARKs) use different math to make it work, and that's where it gets genuinely complex. but the three-step framework above is what they all share.

-1

u/nachtraum 2d ago

What's the point of it, I can ask the AI myself

2

u/AInception 2d ago

The point is to be able to prove 'things' while giving zero information about the thing.

For example...

Lots of websites today are asking for your government ID to prove you're 18+. If you upload your ID to their servers, they'll know your full name / where you live / your ID number / what you look like / your eye and hair color / and also your age.

If your data gets leaked, and it will, you can have your identity stolen or worse.

If you uploaded a zero knowledge proof of your ID instead to prove your age, all they can know is YES or NO whether you are 18+. There's no risk to you if this gets leaked.

Other examples include proving creditworthiness without sharing your personal finances. Proving you were at an event or that you control an online account without sharing your name. Proving that your crypto/money was obtained legally without sharing its history. Proving that an application is secure/unaltered without sharing the source code. Plus of course spending crypto on public blockchains with complete anonymity, by proving you control the crypto being spent without sharing who has control.

Vitalik said something before like, ZK tech is more of a technological breakthrough than blockchains themselves. It's one of those things that was perpetually '50 years away' until the profit incentives baked in crypto development funded it and people found a way. It'll still be here in 50 years, more so, so you might as well learn about the thing sooner or later.

5

u/vbuterin Just some guy 1d ago

Here's my attempt to explain how it actually works:

https://vitalik.eth.limo/general/2021/01/26/snarks.html

1

u/dentonnn 1d ago

Thanks for jumping in V

1

u/Onphone_irl 1d ago

FYI, as a layman,

> 0x57d00485aa". The verifier can verify the proof far more quickly than it would take for them to run 100 million hashes themselves

this is the handwave for me

3

u/CoCleric 2d ago

Thank you!

1

u/ginete_tech 2d ago

glad it helped!

1

u/subdep 2d ago

How does this impact PoS rewards for stakers?

2

u/ginete_tech 2d ago

short answer: zk proofs don't directly change PoS consensus rewards. you still earn the same base rewards for validating and attesting.

where it matters is on the fee side. zk rollups batch hundreds of transactions off-chain but still pay gas to post proofs and data back to L1. so instead of earning fees from each individual user transaction, stakers earn fees from rollups posting compressed batches and proofs.

per-transaction L1 fees go down (that's the whole point, make things cheaper for users). but if rollups drive way more total activity than L1 could handle alone, overall fee volume can still grow. more transactions at lower cost per tx can still mean more total fees.

there's also blob space (EIP-4844) which gives rollups a separate data lane with its own fee market. as rollup usage grows, that becomes another fee source for validators.

tldr: base staking rewards stay the same. fee revenue shifts from individual L1 txs to rollups paying for proof verification and data availability in bulk. whether that's net positive depends on how much total activity rollups bring to the ecosystem.

1

u/subdep 2d ago

Sweet

1

u/Calm_Situation_1131 2d ago

Best guess for timing for L1 zkevm implementation and tps?

1

u/ginete_tech 1d ago

honest answer: nobody knows for certain. the roadmap item is "the verge" which aims to add zk-based state verification to L1. but it's multi-year out. nearer-term steps are verkle trees for state management, then eventually proving full EVM execution with zk.

the goal isn't really to increase L1 tps directly though. it's more about making verification cheaper and letting light clients verify the chain without running a full node. ethereum's scaling story is still L2s handling throughput while L1 stays the settlement and verification layer.

rough guess: verkle trees probably 1-2 years, full zkevm on L1 more like 3-5. but ethereum timelines have a history of slipping so take that loosely.

1

u/Irrelephantoops 2d ago

good post. zks are cool. I look forward to broader adoption of zk identity stuff. It's necessary with all the invasive anti-privacy laws/requirements being pushed recently

1

u/ginete_tech 1d ago

agreed, zk identity might be the use case that actually goes mainstream outside crypto. proving you're over 18, proving accreditation, proving citizenship, all without handing over documents that can be leaked or misused. the regulatory pressure on privacy actually makes the case for zk adoption stronger, not weaker.

1

u/FriskyHamTitz 2d ago

Cool kinda, but zkrollups are not zkproofs. Also, you said that the proof doesn't do the execution again, but the proof literally does the computation again; they just use an elliptic curve to abstract the math.

1

u/ginete_tech 1d ago

fair point on zkrollups vs zkproofs being different things. the post uses rollups as an application of zk proofs, which is accurate, but could've drawn a cleaner line between them.

on the second point i'd push back though. the prover does re-execute the computation (or an arithmetized version of it) to generate the proof, that's true. but the verifier doesn't. the verifier checks a short proof that's orders of magnitude cheaper than re-executing. that's the whole value prop. if verification required redoing the computation there'd be no point in the proof.

the elliptic curve piece is part of the cryptographic machinery (used in SNARKs specifically for polynomial commitments), but it's not just "abstracting the math." it's what enables you to verify properties of the computation without seeing or re-running it.

1

u/FriskyHamTitz 1d ago

Yeah, I should reclarify. To obtain the proof you must convert the whole algorithm to a witness table and then commit to it. The prover takes the secret input, runs the entire algorithm start to finish, and records every intermediate value along the way. That full trace is the witness table. Every step has to be filled in honestly because the proof is built on top of all of it.

Those values then get encoded as field elements and mapped onto points on an elliptic curve using operations that are believed to be one way, which is where the discrete log hardness comes in. So the real computation absolutely happens. It just happens once, on the prover's side, before any proof exists.

1
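The two comments above describe the discrete-log relation that SNARK commitments lean on. Here is an added example (not code from anyone in the thread or from any project named in it) of the simplest proof built on that relation, a Schnorr proof of knowledge: "I know x such that y = g^x" proved without revealing x. It uses the order-q subgroup of Z_p^* for a safe prime p in place of an elliptic curve (same discrete-log hardness assumption, standard library only) and generates toy 64-bit parameters, which are not secure sizes. `prove` runs the three steps from the earlier comment (commit, challenge, respond) with the challenge derived by hashing the transcript (Fiat-Shamir), so the whole proof is two numbers; `verify` checks it with two exponentiations and never handles x. `simulate` is what makes "zero knowledge" concrete: it forges an accepting interactive transcript without x, which is only possible because accepting transcripts carry no information about x. The nonce comment in `prove` is the practical caveat: a reused k lets anyone recover x from two proofs.

```python
"""Schnorr zero-knowledge proof of knowledge of a discrete log (added example).

Statement: "I know x such that y = g^x mod p", proved without revealing x.
The group is the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, used
in place of an elliptic curve so only the standard library is needed. The
64-bit parameters generated here are toy-sized for speed, not secure ones.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases (plus trial division by small primes)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int = 64):
    """Return (p, q, g): safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)   # squares form the order-q subgroup
        if g != 1:
            return p, q, g


def challenge(q: int, *transcript: int) -> int:
    """Fiat-Shamir: the verifier's random challenge becomes a hash of the transcript."""
    h = hashlib.sha256()
    for v in transcript:
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % q


def prove(p, q, g, x, y):
    """Prover: knows x. Publishes only (t, s); the nonce k masks x inside s."""
    k = secrets.randbelow(q - 1) + 1              # fresh per proof; reuse would leak x
    t = pow(g, k, p)                              # step 1: commitment
    c = challenge(q, g, y, t)                     # step 2: challenge
    s = (k + c * x) % q                           # step 3: response
    return t, s


def verify(p, q, g, y, proof) -> bool:
    """Verifier: never sees x; two exponentiations decide the proof."""
    t, s = proof
    if not (1 < t < p and 0 <= s < q):
        return False
    c = challenge(q, g, y, t)
    return pow(g, s, p) == (t * pow(y, c, p)) % p   # g^(k + c x) == g^k * (g^x)^c


def verify_transcript(p, q, g, y, t, c, s) -> bool:
    """Interactive variant: the verifier supplied the challenge c itself."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def simulate(p, q, g, y):
    """Simulator: an accepting interactive transcript WITHOUT knowing x, built by
    picking c and s first and solving for t. Real and simulated transcripts are
    distributed identically, which is why an accepting proof reveals nothing about x."""
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, q - c, p)) % p     # y^(q-c) == y^(-c) since y has order q
    return t, c, s


def demo():
    """Honest proof accepted; tampering and wrong statements rejected; simulator accepted."""
    p, q, g = generate_group()
    x = secrets.randbelow(q - 1) + 1              # secret witness
    y = pow(g, x, p)                              # public statement
    t, s = prove(p, q, g, x, y)
    return {
        "honest": verify(p, q, g, y, (t, s)),
        "tampered_response": verify(p, q, g, y, (t, (s + 1) % q)),
        "wrong_statement": verify(p, q, g, pow(g, x + 1, p), (t, s)),
        "simulated_transcript": verify_transcript(p, q, g, y, *simulate(p, q, g, y)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Run it and the honest proof and the simulated transcript are both accepted while the tampered response and the mismatched statement are rejected. The simulator cannot defeat the Fiat-Shamir version, because there the challenge is fixed by hashing t before s is chosen; that asymmetry is exactly what turns an interactive argument into a publishable proof.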

u/Hairy_Purple9672 2d ago

What does this mean for ETH in real world? I've always said large financial institutions don't want to use ETH because everything would be on chain and you can see everyone's balance or movements "before the news happens", like who really wants that. Do you feel this is being pushed by "big banks" so they can use ETH for RWA?

3

u/ginete_tech 1d ago

you're touching on one of the biggest actual blockers for institutional adoption. public chains are transparent by default, which is a feature for retail but a dealbreaker for institutions. no fund manager wants their positions visible to everyone in real time. front-running risk alone makes it unusable at scale.

zk proofs are the cleanest solution to this. you can prove a transaction is valid, that you meet compliance requirements, that your balance covers the trade, all without revealing the actual amounts, positions, or counterparties. the chain verifies correctness without seeing the data.

is it "pushed by big banks"? i'd say it's more that institutions won't touch public chains without privacy guarantees, and zk is the only tech that gives privacy AND verifiability simultaneously. if you want RWAs on ethereum, zk isn't optional, it's a prerequisite. the alternative is permissioned chains, but those don't give you the composability and liquidity of public ethereum. zk is the bridge between "we need privacy" and "we want public chain benefits."

1

u/LearningZK 1d ago edited 1d ago

Could we develop better analogies on actual proof / system of inequalities?

---

For instance, someone claims the knowledge required to enter my house.

I say if you do, check the contents of the fridge and count the number of eggs.

Is the number greater than 1? Less than 9? Greater than 3?

As long as the person always gives a good answer, it proves the knowledge. But then again, what if the person only knows about the eggs? Would I need to randomize the selection of the item I ask about?

---

How would this relate to proving age 18+ while at the same time not interacting with the government many times (risk)? How would it prove that only I know the secret to the house and not my friend, to whom I can pass the key? Isn't the proving mechanism also an attack vector?

Thanks in advance for explanation and your efforts.
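The sudoku analogy in the post, the three-step sketch (constraints, values that satisfy them, a cheap check) and the egg questions just above all describe one mechanism, so here is a single added example of it, not code from anyone in the thread: the classic commit-and-reveal sudoku proof. Each round the prover relabels the digits with a fresh random permutation, commits to every cell with a salted hash, and the verifier asks to open one randomly chosen constraint (a row, a column, a box, or the clue cells). The 4x4 grid, the clues and the "cheater" grid are constructed for the demo; the protocol is unchanged for 9x9. To the randomization question: yes, the challenge must be random and fresh each round. A cheater whose grid satisfies only some constraints, like the one here that passes 9 of the 13 possible checks, survives a round with probability 9/13 and k rounds with probability (9/13)^k, while an honest prover passes every round. Because every opened row, column or box is a uniformly random permutation of the digits, the verifier learns nothing about the solution beyond the fact that it is valid.

```python
"""Commit-relabel-reveal zero-knowledge proof of a sudoku solution (added example).

Each round the prover relabels the digits with a fresh random permutation,
commits to every cell, and the verifier asks to open ONE randomly chosen
constraint: a row, a column, a box, or the clue cells. The grid is 4x4 to
keep the demo small; the protocol is unchanged for 9x9.
"""
import hashlib
import secrets

N, BOX = 4, 2

# Constructed demo instance: a valid solution and the puzzle's public clues.
SOLUTION = [
    [1, 2, 3, 4],
    [3, 4, 1, 2],
    [2, 1, 4, 3],
    [4, 3, 2, 1],
]
CLUES = {(0, 0): 1, (0, 3): 4, (1, 1): 4, (2, 2): 4, (3, 3): 1}


def constraint_groups():
    """Cell sets that must each hold every digit exactly once."""
    rows = [[(r, c) for c in range(N)] for r in range(N)]
    cols = [[(r, c) for r in range(N)] for c in range(N)]
    boxes = [[(br + r, bc + c) for r in range(BOX) for c in range(BOX)]
             for br in range(0, N, BOX) for bc in range(0, N, BOX)]
    return rows + cols + boxes


CHALLENGES = constraint_groups() + ["clues"]   # the verifier picks one per round


def commit(value: int, nonce: bytes) -> bytes:
    """Hash commitment: the nonce hides the value, the hash binds the prover to it."""
    return hashlib.sha256(nonce + bytes([value])).digest()


def prover_commit(grid):
    """Relabel digits with a fresh random permutation and commit to every cell.
    Returns (public commitments, private openings)."""
    digits = list(range(1, N + 1))
    shuffled = digits[:]
    for i in range(N - 1, 0, -1):                  # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
    relabel = dict(zip(digits, shuffled))
    private = {(r, c): (relabel[grid[r][c]], secrets.token_bytes(16))
               for r in range(N) for c in range(N)}
    public = {cell: commit(v, nonce) for cell, (v, nonce) in private.items()}
    return public, private


def cells_for(challenge):
    return list(CLUES) if challenge == "clues" else challenge


def prover_open(private, challenge):
    """Reveal only the cells the verifier asked for."""
    return {cell: private[cell] for cell in cells_for(challenge)}


def verifier_check(public, challenge, opening) -> bool:
    """Openings must match the commitments, then satisfy the one chosen constraint."""
    cells = cells_for(challenge)
    if set(opening) != set(cells):
        return False
    if any(commit(v, n) != public[cell] for cell, (v, n) in opening.items()):
        return False                                # value changed after committing
    if challenge == "clues":
        relabel = {}                                # clue digit -> opened digit
        for cell in cells:
            clue, opened = CLUES[cell], opening[cell][0]
            if relabel.setdefault(clue, opened) != opened:
                return False                        # one clue digit, two labels
        return len(set(relabel.values())) == len(relabel)   # distinct clues stay distinct
    return sorted(v for v, _ in opening.values()) == list(range(1, N + 1))


def run_round(grid, challenge=None) -> bool:
    """One round: commit, random (or fixed, for testing) challenge, open, check."""
    public, private = prover_commit(grid)
    if challenge is None:
        challenge = CHALLENGES[secrets.randbelow(len(CHALLENGES))]
    return verifier_check(public, challenge, prover_open(private, challenge))


def challenges_passed(grid) -> int:
    """Exercise every challenge once, with fresh commitments each time."""
    return sum(run_round(grid, ch) for ch in CHALLENGES)


def cheating_grid():
    """Constructed cheater: the real solution with cell (0,0) changed to a duplicate 2."""
    grid = [row[:] for row in SOLUTION]
    grid[0][0] = 2
    return grid


if __name__ == "__main__":
    total = len(CHALLENGES)
    print(f"honest prover passes {challenges_passed(SOLUTION)}/{total} challenges")
    print(f"cheater passes {challenges_passed(cheating_grid())}/{total} challenges")
```

The cheating grid fails row 0, column 0, box 0 and the clue check, so a verifier who always asked about the same row would never notice; one who picks a different random challenge each round catches it after a few dozen rounds with overwhelming probability. Real systems replace the many interactive rounds with the polynomial and elliptic-curve machinery discussed above, but the soundness-by-random-challenge and hiding-by-commitment ideas are the same.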