Zero-knowledge proofs are a powerful technology that can be used to develop applications and eliminate the need for a middleman. However, creating a ZKP from scratch is nearly impossible without being a genius or a math professor. Therefore, there are numerous ZK protocols available that enable non-experts to build ZK applications.
But it is important to understand what Zero-Knowledge proofs can enable and what they can't. I'll quickly explain a few consumer applications, how they're using Zero Knowledge, and our (Clave) approach to ZK-enabled consumer apps.
1. ZK is a Real Thing that We See in Consumer Apps:
1.1 World App: The World App is a popular consumer app that uses Zero-Knowledge proofs. It has over 2 million users, with more than 500,000 daily active users. The app's main function is to provide users with World ID, which allows them to scan their iris and obtain proof of their uniqueness as a way to verify their humanness. This unique proof can then be shared with third parties for verification purposes, without revealing the user's iris data.
They're using purpose-built hardware (the Orb) that scans the iris with AI and creates a unique ZK proof. The reason they use Zero Knowledge proofs is clear: they want a privacy-preserving way to prove humanness.
They’re facing a lot of problems with their protocol and are working on improving it, which I’ll dive into later.
1.2. ZK-Email Protocol and Two Applications Built on Top of It: Universal Recovery and ZK-P2P:
Most mail services use DKIM to ensure that the contents of an email are not altered and are signed by the user. They utilize Elliptic Curve Cryptography for this purpose. The mail service provides each mail account with a private key, and the mail is signed with this key. To verify the DKIM signature, you need the signature itself, the account's public key, and the message. The question then is how to make this process privacy-preserving and scalable.
The solution is a Zero Knowledge proof: it proves that a specific public key signed the DKIM signature and that the message is valid, without disclosing the data. Since DKIM uses an RSA signature, verifying it can be expensive. However, ZK proofs can make it cheaper (if batching is supported, which is currently not the case).
In summary, the ZK-Email protocol allows developers to verify DKIM signatures in a privacy-preserving manner. Since ZK-Email is a protocol, products need to be built on it. We already have two products: Universal Recovery (by Clave) and ZK-P2P (by the ZK-P2P team).
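To make the verifier's inputs concrete, here is an added worked example written for this post (it is not code from the ZK-Email project or from Clave). It computes a DKIM body hash with the standard "simple" body canonicalization, signs and verifies the covered headers with a constructed textbook RSA key (two Mersenne primes, no PKCS#1 padding; real DKIM keys are 1024/2048-bit RSA with padding), and then lists which of the verifier's inputs a ZK-Email-style circuit would keep as the private witness and which it would expose as public inputs. The sample message, the domain `example.com`, the selector `sel`, and the function names `sign`, `verify` and `split_for_zk` are all constructed for the example.

```python
"""Added example: DKIM-style verification and the ZK-Email public/private split."""
import base64
import hashlib
import re

# Constructed toy RSA key (assumption: stands in for the key a mail provider
# publishes in DNS; textbook RSA without PKCS#1 padding, far smaller than
# real 2048-bit DKIM keys). Both factors are Mersenne primes.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed sample message (not a real email).
HEADERS = [
    ("From", "alice@example.com"),
    ("To", "bob@example.com"),
    ("Subject", "Recovery request for wallet 0xabc..."),
]
BODY = "Please approve the recovery.\r\n\r\n\r\n"


def canonicalize_body_simple(body: str) -> bytes:
    """DKIM 'simple' body canonicalization (RFC 6376): CRLF line endings,
    trailing empty lines removed, body ends with exactly one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(dkim_header: str) -> dict:
    """Split a 'k=v; k=v' DKIM tag list into a dict."""
    tags = {}
    for part in dkim_header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def signed_bytes(headers, dkim_header: str) -> bytes:
    """Bytes the signature covers: the h= headers in order, then the
    DKIM-Signature header itself with an empty b= tag (simplified
    'simple' header canonicalization)."""
    wanted = [h.strip().lower() for h in parse_tags(dkim_header)["h"].split(":")]
    out = b""
    for name, value in headers:
        if name.lower() in wanted:
            out += f"{name}:{value}\r\n".encode()
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_header)
    return out + f"DKIM-Signature:{stripped}".encode()


def sign(headers, body: str) -> str:
    """Mail server's job: produce the DKIM-Signature header value (toy key)."""
    unsigned = (f"v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; "
                f"bh={body_hash(body)}; b=")
    digest = int.from_bytes(hashlib.sha256(signed_bytes(headers, unsigned)).digest(), "big")
    sig = pow(digest, D, N)  # textbook RSA, no padding (toy only)
    sig_b64 = base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()
    return unsigned + sig_b64


def verify(headers, body: str, dkim_header: str, n: int = N, e: int = E) -> bool:
    """Verifier's check: bh= matches the body, and b= is a valid signature
    over the covered headers under the public key (n, e)."""
    tags = parse_tags(dkim_header)
    if tags.get("bh") != body_hash(body):
        return False
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    expected = int.from_bytes(hashlib.sha256(signed_bytes(headers, dkim_header)).digest(), "big")
    return pow(sig, e, n) == expected


def split_for_zk(headers, body: str, dkim_header: str) -> dict:
    """Which verifier inputs a ZK-Email-style circuit keeps private (witness)
    and which it exposes (public inputs). The proof then attests that
    verify() would return True without revealing the witness."""
    tags = parse_tags(dkim_header)
    return {
        "public": {"domain": tags["d"], "selector": tags["s"], "modulus_bits": N.bit_length()},
        "private_witness": {"headers": headers, "body": body, "signature_b64": tags["b"]},
    }


if __name__ == "__main__":
    header = sign(HEADERS, BODY)
    print("valid:", verify(HEADERS, BODY, header))
    print("public inputs:", split_for_zk(HEADERS, BODY, header)["public"])
```

The point of `split_for_zk` is the part that ZK adds: a plain DKIM verifier needs the full headers, body and signature, while the circuit takes those as the private witness and exposes only the signing domain and key, so a verifier (on-chain or off) learns that a valid signed email exists without seeing it.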
1.2.1 ZK-P2P: ZK-P2P utilizes the ZK-Email protocol to facilitate secure peer-to-peer exchanges between fiat and cryptocurrencies while ensuring user privacy. It allows direct on-ramp or off-ramp through Venmo or HDFC (a popular payment app in India) by simply logging in with the email address associated with a Venmo account.
1.2.2 Universal Recovery: The current recovery solutions offered by wallets are broken. Most of them depend on centralized parties or have a poor user experience. For instance, existing social recovery solutions cannot be widely adopted since only 1% of the global population has an on-chain account. Therefore, we need to find a way to eliminate the necessity for an on-chain account.
We utilized ZK-Email to convert users' mail accounts into on-chain accounts, allowing email addresses to act as guardians in a trustless manner. As a result, users will be able to use their friends' or their own mail accounts to initiate a recovery of their accounts.
We have also explored Risc0 (a general zkVM where you can run any RISC-V program and get a proof of the execution) and whether it can be helpful for verifying passkeys.
With the new general zkVM protocols like Risc0 and SP1 (a general zkVM similar to Risc0), building Zero Knowledge applications has never been easier or more accessible. Nonetheless, these systems still face certain issues, which are currently being worked on by several teams.
2. Main Issues We Faced with ZK in Consumer Apps:
2.1.1 Problem 1: Verifying proofs is expensive: Many of the widely-used general zkVMs and application-specific ZK protocols utilize Groth16, which requires approximately 150-200k gas when used with Solidity verifiers. This level of gas consumption remains substantial, especially when considering the scenario of processing one proof per transaction.
2.1.2 Solution 1: Proof Singularity: Nebra is developing a solution to address this issue: ZK aggregation. Rather than verifying one proof per transaction, Nebra aggregates multiple proofs and verifies them collectively, which significantly reduces the gas cost per proof. They have just received a grant from the Worldcoin Foundation to develop an aggregation solution for World App.
Proof Singularity is not the only solution here; there are also chains optimized for Zero Knowledge proofs. Aztec, Aleo and (thanks to state diffs) zkSync are some examples that can reduce the gas cost of verifying proofs.
2.2.1. Problem 2: Proof Generation Takes a Long Time: Products leveraging zero-knowledge (ZK) proofs become asynchronous, as real-time proof generation is not possible (yet). This is not a problem for most applications, but some use cases need access to global consensus.
2.2.2. Solution 2: New Generation ZK Proof Systems: Thanks to the genius cryptographers in our industry, we have seen a huge improvement in proof generation time. Plonky3, STARKs and new SNARKs… real-time proving is not a meme anymore.
2.3.1. Problem 3: Client-Side Proving is Still a Meme: I think every crypto consumer app should offer its users a client-side proving option. I understand that most proof systems that enable client-side proving are not cheap or fast enough yet, but it can be offered as an escape hatch. This is needed to remove possible censorship and the need to trust a third party for privacy.
2.3.2 Solution 3: Puzzle Wallet, Zcash, Aztec and many more: Zcash is the most widely used ZK-enabled application; it supports private transactions through client-side proof generation within its wallet applications. Puzzle Wallet on Aleo and other privacy-first chains are working towards similar achievements. However, this differs for ZK applications that utilize ZK for scalability: almost all of them support only server-side proving.
Our Approach to Zero Knowledge Proofs as Consumer App Builders:
We simply ask two questions; if we answer yes to both of them, then we build.
Is this removing any trust assumptions from our application & protocol?
Is this improving the user experience?
And we have no cryptographer on our team; we just use existing tools and think they are enough for building ZK-enabled consumer applications. If you don't believe us, go and try ZK Doom, built on Risc0.
Thank you for reading. Special thanks to Mattwyatt from Puzzle, Andy from PSE and Alex. Please note: While I am not a cryptographer or an expert in zero-knowledge proofs, I am an enthusiast deeply interested in Web3. This article is intended for personal educational purposes only. If you think that I made a mistake in this blog post, please send me a DM via X.