The emergence of blockchain provided humanity with “trust without intermediaries,” but it also introduced unwanted transparency requiring all history to be public and inefficiency requiring all data to be verified directly. The technology that re-emerged to solve this is Zero-Knowledge Proofs (ZKP).
ZKP is a technology that can “mathematically prove the truth of certain information without revealing the information itself,” offering a solution that preserves both privacy and trust.
Starting from early zk-SNARKs, followed by zk-STARKs, and later technologies like PLONK and Halo2, various ZK systems have been developed, becoming increasingly flexible and practical.
The essence of ZK technology can be summarized in two points: first, “concealment”, which hides information; second, “compression”, which makes complex computations succinct. The former solves privacy issues, while the latter addresses system scalability.
The blockchain ecosystem has served as a perfect “sandbox” to test and refine ZK technology. As a result, applications such as ZK rollups and privacy protocols have rapidly grown and produced real-world outcomes.
ZK technology is now moving beyond simple applications into a massive trust-producing infrastructure industry, including zkVMs, hardware acceleration (e.g., ASICs), and Prover·Verifier networks. Expansion into AI, finance, healthcare, and other industries where data privacy and integrity are critical is already in sight.
Supporting this trend, billions of dollars in VC funding are flowing into ZK infrastructure, and a skilled developer ecosystem is taking shape—opening a new economic paradigm centered around “proving” and “verifying.”
Ultimately, ZK will become a societal safety mechanism that verifies the behavior of autonomous agents in the coming age of AI and robotics, and a new trust framework for digital interactions.
Source: seeklogo.com | Douglas Adams
“For travelers exploring the vast and sometimes perplexing crypto·blockchain universe, venturing into the ZK galaxy.”
This guide is a technical companion for those embarking on a journey into the unfamiliar world of “Zero-Knowledge (ZK).” It covers the core principles of Zero-Knowledge Proofs, real-world applications, and the possibilities that lie ahead. But there’s no need to be intimidated by mathematical formulas or flashy technical jargon. With plenty of examples, this guide is designed so anyone can understand and gain valuable insights.
Before we begin this journey together, there is one question we must address: Why should we embark on this exploration in the first place? The answer to that question is where this guide begins.
The emergence of blockchain technology was a declaration that the “relational trust” that has supported human society could be replaced with “computational truth” grounded in mathematics and cryptography. Under the philosophy of “Don’t Trust, Verify,” we envisioned a new era of trust without intermediaries.
“To gain trust, I must prove myself — but that doesn’t mean I want to expose everything about me.”
But this ideal collided directly with a fundamental dilemma humanity has faced for ages: the paradox of trust. This paradox is an ancient problem that has accompanied civilized society. Historically, we solved it by creating massive “trust institutions” — banks, courts, governments — that assumed high social costs in return for protecting our secrets and guaranteeing our credibility.
With the arrival of blockchain, these expensive intermediaries could now be replaced. Yet in return, blockchain demanded transparency. Just as one must disclose extensive financial information to receive a bank loan, every blockchain transaction must be publicly visible in order to be verifiable.
Source: Arkham
However, this transparency poses a significant barrier for users. The full disclosure of activity history means that strategies or financial information can be exposed to anyone. This is especially problematic for institutions, as it directly conflicts with their need for strict privacy controls. For individuals as well, completely public transaction histories reveal sensitive information such as asset size or spending habits making them vulnerable to unwanted tracking and surveillance.
In the end, the “computational truth” promised by blockchain demanded two things: transparency for verification and redundant computation to guarantee integrity. But transparency infringes on privacy, and redundancy creates severe inefficiency. These two issues extend beyond technical limitations — they clash directly with fundamental aspects of human nature, making the conflict even more apparent.
The Instinct for Privacy
Source: BBC Radio 4
Sociologist Erving Goffman compared humans to “actors on the stage of society.” We all perform roles, yet behind the curtain — in the backstage — we remove our masks and return to our true selves. Complete transparency in blockchain erases this backstage space. A world where every action is permanently recorded and universally accessible threatens our innate desire for autonomy and freedom from surveillance and control.
To preserve privacy on a blockchain, we need unlinkability and untraceability between transactions. But public blockchains like Bitcoin and Ethereum provide the opposite. Anyone can trace transactions, and by analyzing relationships between addresses, even behavioral patterns can be inferred. Transparency, meant to establish trust, ironically removes the “room to breathe” that humans instinctively seek.
The Instinct for Efficiency
Humans naturally follow the “Principle of Least Effort.” In a world of limited resources, survival depends on gaining maximum output with minimal energy. Yet blockchain fundamentally opposes this instinct. Its architecture requires every participant to re-execute and verify every transaction — as if, to make sure one person understands a book, everyone must read the entire book aloud together. This redundancy secures trust at the cost of efficiency, but it runs counter to the deeply rooted human tendency to simplify complexity and conserve energy.
Naturally, the question arises: “Isn’t there a way to prove only what’s necessary without revealing everything?”
To answer this, several technologies emerged — each reflecting a different philosophical stance on where trust should be placed.
1.3.1 Trusted Execution Environments (TEE)
The most intuitive method is using a trusted hardware vault — a Trusted Execution Environment (TEE). Technologies like Intel SGX or AMD SEV create an isolated secure enclave inside the CPU, protected from the operating system or other processes. Sensitive data and code are processed only within this enclave, and only the final result is released. It resembles a secure bank vault where only authorized personnel gather inside to discuss a contract, and only the finalized contract is brought outside.
However, this model requires full trust in the vault manufacturers — Intel, AMD, and similar vendors. Moreover, architectural vulnerabilities like Spectre and Meltdown, which exploit CPU optimization features to extract data from normally inaccessible memory, along with voltage manipulation attacks and various side-channel exploits, have raised increasing doubts about hardware-based trust.
1.3.2 Multi-Party Computation (MPC)
Another approach is Multi-Party Computation (MPC), where information is hidden, split into pieces, and computed jointly. MPC allows multiple participants to compute a combined result (e.g., average salary of a group) without revealing their individual inputs. It typically relies on secret sharing: data is divided into multiple shares distributed among participants, and only a threshold number of shares can reconstruct the original secret — while any single share reveals nothing.
MPC provides strong privacy guarantees, but it often requires multiple rounds of complex communication between participants, leading to significant communication overhead. Furthermore, it carries the risk of malicious collusion among participants.
1.3.3 Homomorphic Encryption (HE)
Homomorphic Encryption (HE) is a cryptographic scheme that allows computation directly on encrypted data. When operations (like addition or multiplication) are applied to ciphertexts, decrypting the result yields the same output as performing the equivalent operations on the original plaintext.
This means data can be sent to an untrusted environment (e.g., a cloud server), and the server can process or analyze it without ever decrypting it. The most powerful form — Fully Homomorphic Encryption (FHE) — allows unlimited additions and multiplications and is theoretically capable of supporting arbitrary computations on encrypted data.
At this point, ZKPs emerge not merely as a technical solution, but as the most elegant philosophical compromise between trust and privacy. ZKPs perfectly separate “proving” from “revealing,” without requiring trust in specialized hardware like TEEs or complex interaction like MPC. Trust is built purely through the logic of mathematics.
From a privacy standpoint, ZK allows one to prove what they know without exposing who they are. Like showing that you can open a door without revealing the shape of the key, it enables trust to form without invading personal space. It is a technology that restores our “right to wear a mask” in the digital arena.
From an efficiency perspective, ZK focuses not on “how much data must be exposed” but on proving that “the result is correct.” Instead of verifying thousands of transactions individually, one can present a single short and elegant proof that all transactions were processed correctly. This compression of complex computation into minimal logic is a technical aesthetic — creating maximum trust from minimal information.
Ultimately, ZKPs provide the ideal answer that preserves the blockchain’s core value of verifiable truth while satisfying both privacy and efficiency. This is why Ethereum co-founder Vitalik Buterin called ZKPs the “Endgame.” They are the “final puzzle piece” that resolves the long-standing tension between technology and human nature, leading blockchain and the digital world into their next stage.
ZKPs are actually quite an old concept. Their origin dates back to 1985, a time when the word blockchain didn’t even exist. Three MIT cryptographers — Shafi Goldwasser, Silvio Micali, and Charles Rackoff — posed a fundamental question in their paper, “The Knowledge Complexity of Interactive Proof Systems.”
“How can we prove that we possess certain knowledge without revealing the knowledge itself?”
What they proposed was that the amount of knowledge conveyed by a proof can be quantified mathematically. The representative example from their paper is the Hamiltonian path problem. A Hamiltonian path is a route through a graph that visits every vertex exactly once. Because finding such a path is extremely difficult, the knowledge of such a path holds great informational value. Therefore, verifying whether someone truly knows this path is also important.
Here is a simplified explanation of the proof method they introduced:
Peggy claims she knows a Hamiltonian path, and Victor wants to verify whether this is true.
Peggy randomly permutes the Hamiltonian graph to create an “encrypted version” and presents it to Victor. She transforms the graph because she wants to prove she knows the path without revealing it, as the path itself is sensitive information.
Victor selects a random edge or route in the graph and asks Peggy whether it is part of the Hamiltonian path.
Peggy answers whether Victor’s selected path is included or not.
As this process is repeated many times, Victor becomes increasingly confident that “Peggy truly knows the Hamiltonian path.” Yet, he still learns nothing about the actual path.
If Peggy were lying and merely guessing, she would eventually contradict herself during repeated checks. Conversely, if she consistently answers correctly over many trials, Victor can be mathematically certain — with very high probability — that she possesses the secret knowledge.
Through this experiment, the three researchers established the concept of a proof that reveals nothing except the truth of a statement — the foundation of zero-knowledge proofs.
This was the first mathematical demonstration that proof can be completely separated from knowledge itself.
The Hamiltonian path example above may feel a bit abstract. To explain it more intuitively, cryptographer Jean-Jacques Quisquater introduced the analogy known as “The Cave of Alibaba.”
Situation: Inside a circular cave, there are two paths, A and B, and between them is a door that opens only when a secret password is spoken. The prover, Peggy, claims she knows this password, but she does not want to reveal it to the verifier, Victor. She only wants to prove, “I really know the password.”
The proof process goes as follows:
Entry: Victor stays outside the cave, while Peggy chooses either path A or B at random and walks inside to reach the door.
Challenge: Once Peggy is inside, Victor calls out from the entrance, “Come out through path A!” or “Come out through path B!” at random.
Response: Peggy comes out through the requested path. If she truly knows the password, she can always emerge from whichever path Victor demands, because she can open the door and switch paths.
Repetition: This process is repeated many times.
Now, consider the possibility that Peggy is lying. If she doesn’t know the password, she must hope Victor asks her to return through the same path she entered. Thus, the probability that she comes out correctly is only 50%. She might get lucky once or twice, but if the experiment is repeated 20 times, the chance of a liar succeeding 20 times in a row becomes (1/2)^20 — less than one in a million.
As this process is repeated, Victor can become almost certain that Peggy truly knows the password, without ever hearing the password itself. The core insight of Alibaba’s cave is that one can prove a truth while keeping the content of that truth completely hidden.
Source: Where’s Waldo?
In addition to “Alibaba’s Cave,” there is another intuitive way to explain the concept of zero-knowledge proofs — the childhood puzzle “Where’s Waldo?” Here, the prover Peggy must convince the verifier Victor that she has found Waldo in the picture without revealing Waldo’s actual location.
The proof proceeds as follows:
Preparation: Peggy covers the original picture with a large sheet of paper. This sheet hides the entire picture but can have a small hole cut out exactly the size of Waldo. Victor first checks that the sheet fully covers the picture.
Proof Creation: Out of Victor’s sight, Peggy cuts a hole in the sheet at the position where Waldo is located.
Presenting the Proof: Peggy shows Victor only the small cutout area while the rest of the picture remains covered.
Verification: Through the hole, Victor can clearly see Waldo’s defining features (red striped shirt, glasses, etc.).
Repetition: Since one instance could be luck or trickery, Victor may repeat this with another picture and demand proof again.
Through this process, Peggy convincingly proves that she has found Waldo, but Victor learns nothing about Waldo’s location because the sheet hides the entire picture except for the tiny window. Only the fact that Peggy “found Waldo” is revealed. The more the process is repeated, the smaller the chance that Peggy is lying. Thus, the Where’s Waldo? example also demonstrates how zero-knowledge proofs allow one to prove a fact without revealing any additional information.
The “Alibaba’s Cave” and “Where’s Waldo?” examples intuitively illustrate the three essential properties every ZKP must have:
Completeness: If the statement is true, an honest prover should always be able to convince the verifier. In the cave example, if Peggy truly knows the password, she can always emerge from whichever path Victor requests. In the Waldo example, she can always reveal Waldo through the hole. In other words, a true claim must always be provable.
Soundness: If the statement is false, no cheating prover should be able to deceive the verifier. If Peggy doesn’t know the password, her chance of repeatedly guessing correctly drops exponentially toward zero; if she doesn’t know Waldo’s location, the probability that Waldo appears in the cutout also approaches zero. Ultimately, falsehood is mathematically exposed.
Zero-Knowledge: The verifier learns only whether the statement is true — nothing more. After many rounds, Victor becomes convinced that Peggy knows the password but learns nothing about what it is; he is convinced she knows Waldo’s location but learns nothing about where he actually is. This is the essence of zero-knowledge: the knowledge is proven, yet never revealed.
When these three properties work together, ZKPs form a mathematical framework for establishing trust.
Early ZKPs had one critical limitation: they required real-time interaction between prover and verifier — an interactive structure. In this setup, the verifier sends random challenges and the prover must respond immediately. This means the two parties must stay connected at the same time. Such a structure imposes major constraints in distributed, asynchronous environments like blockchains.
The back-and-forth challenge–response process increases communication overhead, and in situations with unstable or interrupted connections, the protocol simply cannot function. Because of this, ZKPs were long regarded as theoretically fascinating but practically limited. To overcome this, researchers introduced a new approach: non-interactive zero-knowledge proofs.
In a non-interactive ZKP, the prover generates a single proof once, and the verifier can check it anytime, anywhere — with no real-time interaction required. The introduction of non-interactive proofs transformed ZKPs into a far more efficient and practical tool.
This advancement laid the foundation for ZK systems to function safely in distributed, asynchronous environments like blockchains, marking a pivotal turning point that brought ZKPs into real-world systems.
This chapter explains ZKP systems and includes some technical content. However, examples are included throughout to aid understanding, so even if parts feel difficult, grasping the core concepts and examples will be more than enough.
To understand ZKPs more clearly, let’s first look at a conceptual framework that divides the ZK proof process into a frontend and a backend. The specific ZK systems will be discussed afterward.
Frontend: This defines what needs to be proven. It includes the arithmetic transformation process that converts the information to be proven into a mathematical form that a cryptographic proving system can understand. R1CS, PLONKish, and AIR fall into this category. In other words, the frontend acts as a “translator” converting human logical expressions into the language of the proving system.
Backend: This determines how the proof will be generated. It takes the arithmetic circuits produced by the frontend and turns them into an actual cryptographic proof. Concrete proving systems like elliptic-curve pairings, KZG commitments, FRI, IPA, and Bulletproofs belong here. The backend uses the “constraint blueprint” created by the frontend to build a secure and efficient “proof structure.”
With this conceptual division into frontend and backend, ZKP systems can now be freely composed in different combinations depending on the purpose. For example, one can design an arithmetic circuit using a PLONKish frontend, then pair it with a FRI backend to build a trustless, highly parallelizable ZK system.
This modular approach not only accelerated the evolution of ZK technology, but also provided the foundation for building optimal systems tailored to various application environments.
Frontend: R1CS (including QAP)
Backend: Elliptic-Curve Pairing
3.2.1 Concise Proofs Sculpted with Mathematics
zk-SNARKs (Zero-Knowledge Succinct Non-Interactive ARgument of Knowledge) are the first practical scheme that enabled non-interactive zero-knowledge proofs. To this day, this proof method is widely used in implementations represented by the name “Groth16,” and through a sophisticated process that transforms information into mathematical polynomials, it enables “small and fast proofs.” The proving process of zk-SNARKs goes through three major stages of mathematical transformation.
Step 1: Arithmetization — Turning Information into Polynomials
The goal of the first step is to transform a claim (piece of information) such as “I know that x = 2 is a solution to the equation x³ + 2x² + x + 1 = 19” into a mathematically representable form.
Flattening: Complex equations or program operations are broken down into simple operations of the form A + B = C or A B = C. The figure above shows how the complex operation (A + B) (B + C) is represented as simple primitive operations: GATE 1 (addition gate), GATE 2 (addition gate), and GATE 3 (multiplication gate).
Rank-1 Constraint System (R1CS): Next, each separated operation is converted into an inner-product form of vectors. In other words, each operation is represented by three vectors a, b, c and a witness vector s such that, for each gate G1, G2, G3, (s · a) (s · b) = (s · c) holds. The image above shows this transformation process. In the table, the rows 1, A, B, C, s1, s2, s3 represent the witness (all values needed for the operations) and the constant (1), and each GATE column group (p, q, r) forms the vectors that define the R1CS constraints. Concretely, G1[p: (A + B) 1 = s1] expresses the addition in GATE 1 as an inner product, G2[q: B C = s2] expresses the multiplication in GATE 2, and G3[r: s1 s2 = s3] expresses the multiplication in GATE 3. Through this, the entire circuit is converted into a system of linear constraints.
Quadratic Arithmetic Program (QAP): The circuit that has been flattened and vectorized via R1CS is extended into a polynomial P(x) through Lagrange interpolation, and is evaluated at points like x = 1, 2, 3 to generate the polynomials A(x), B(x), C(x). These polynomials are then combined with the polynomial Z(x) = (x - 1)(x - 2)(x - 3) to form the core QAP equation: A(x) B(x) = C(x) Z(x). Here, Z(x) becomes 0 at specific points (x = 1, 2, 3), ensuring that the equation holds only when all gate constraints are satisfied. During proof generation, the witness is substituted into the polynomials to compute t(x) = A_s(x) * B_s(x) - C_s(x), and it is checked whether dividing by Z(x) leaves no remainder.
Up to this arithmetization step, the process can be compared to proving the claim: “I assembled this IKEA bookshelf exactly according to the manual.”
Flattening: Break the complex assembly process into very simple steps like “Insert screw A into hole B.”
R1CS: Standardize each step into a unified “quality inspection form” such as “(part) × (tool) = (result)” and record them consistently.
QAP: Instead of checking hundreds of inspection sheets one by one, compress all that information into one huge “master blueprint.” This way, the many questions like “Was the N-th assembly step followed correctly?” are reduced to a single question: “Does your master blueprint satisfy all the requirements of the original manual?”
This single master blueprint then becomes the basis for verifying information very efficiently in the later stages.
Step 2: Implementing Succinctness and Non-Interactivity
Because the information has been reduced to a single polynomial relation, zk-SNARKs can leverage this to enable extremely succinct verification in asynchronous environments.
Using the Schwartz–Zippel Lemma: Checking whether two polynomials are identical by comparing all terms is highly inefficient. Instead, zk-SNARKs use the Schwartz–Zippel Lemma, which states: “The probability that two distinct polynomials evaluate to the same value at a random point is close to 0.”
Succinct Proofs: Based on this principle, the verifier does not need to inspect the entire polynomial. A trusted party secretly selects a random point t₀, and the verifier only checks whether A(t₀) B(t₀) - C(t₀) = H(t₀) Z(t₀) holds at that point. This makes the verification process extremely fast and short, regardless of the original computational complexity. Moreover, the prover only needs to present the result at t₀, with no need for multiple rounds of interactive queries, enabling proof and verification even in asynchronous environments.
This process can be likened to a DNA paternity test mediated by an “International Genetic Registry.” Instead of the verifier (the court) directly comparing entire DNA sequences, the International Genetic Registry (trusted party) secretly selects a specific “marker” (t₀) as the basis. The prover (the alleged father) is tested beforehand at this registry and receives a “sealed certificate” that contains only the value of that marker, not the full DNA data.
Later, the prover can submit this certificate to the verifier (the court) at any time without real-time interaction. The court then simply checks whether the certificate conforms to the registry’s standards. Since this corresponds to correctly matching one case out of an astronomically large space (e.g., 2^256 possibilities), the court can be almost 100% confident about the paternity using this single succinct proof.
Step 3: Zero-Knowledge and Trusted Setup
However, if the actual value at t₀ were exchanged in the clear, the secret value being proved (e.g., x = 2) could be revealed. To prevent this, zk-SNARKs combine elliptic-curve cryptographic techniques to achieve zero-knowledge.
Elliptic Curve Pairing: The prover does not reveal the actual polynomial values directly; instead, they encrypt those values as points on an elliptic curve and submit them. Because solving the discrete logarithm problem on elliptic curves is computationally infeasible, it is practically impossible to recover the original values from these points. The verifier performs pairing operations on the submitted points to check whether the relation A(t₀) * B(t₀) = C(t₀) holds correctly. During this process, the verifier learns nothing about the underlying values, but can still be certain that the proof is valid. This property guarantees zero-knowledge.
Trusted Setup: This is the process of generating random point t₀ and the necessary cryptographic values in advance, and publishing them so everyone can use them. These published values are called public parameters. If the secret values used internally (such as t₀) are leaked externally, anyone could forge valid-looking proofs. For this reason, these secret values are called “toxic waste,” and must be completely destroyed once the setup is finished.
This step can be likened to a scenario where a pharmaceutical company must prove a drug’s effectiveness to a regulator. Instead of submitting the actual secret ingredients (A, B) and the resulting compound (C) as-is, the company dissolves each ingredient into a special solvent that hides the molecular structure (elliptic-curve encryption). The regulator does not directly analyze the content but uses a device called a “relationship analyzer” to check whether the energy wavelength relationship among the three solutions satisfies the formula (A * B = C) (elliptic-curve pairing). In this way, the regulator can verify the correctness of the formula without learning the secret composition of the drug.
However, this whole verification process is only trustworthy if there is confidence that the “relationship analyzer” itself was built fairly. The device must be manufactured by a trusted third party such as an international standards organization to prevent tampering, and the one-time “initial blueprint” used during manufacturing must never be leaked. If this blueprint were exposed, anyone could build a counterfeit device capable of fooling the system. Therefore, this blueprint is treated as “toxic waste,” and after the device is completed, it must be destroyed completely in front of all stakeholders to establish the trust that “no one can manipulate the system.”
In conclusion, zk-SNARKs are a mathematical system that transforms information into polynomial form, enables efficient verification at a single point, and encrypts the entire process so that no information is leaked while still proving correctness. Thanks to this structure, zk-SNARKs achieve both efficiency and privacy, and have become a core foundation of modern zero-knowledge proof technology.
3.2.2 Understanding zk-SNARKs Through a Sudoku Puzzle
To intuitively understand the mathematical principles explained earlier, let’s look at an example using a Sudoku puzzle.
Claim: “I know the solution to this Sudoku puzzle.” However, the solution itself is not revealed.
Arithmetization: First, the large rule — “this Sudoku is a valid solution” — is broken into hundreds of small rules. For example, “All numbers in row 1 must be different”, “Each cell must contain a value between 1 and 9,” etc. All these split rules are then combined into one giant “master rule” polynomial. Satisfying this polynomial means satisfying all Sudoku rules at once.
Succinctness & Non-interactivity: Instead of checking every cell of the Sudoku, the verifier asks the prover: “Show me that the ‘master rule’ polynomial evaluates correctly at a certain random value.” The prover precomputes the result and submits it in the form of a proof. The verifier does not need to see the entire puzzle; checking this one small proof is enough. As a result, verification is extremely succinct, and requires only a single submission rather than multiple rounds — making it non-interactive.
Zero-knowledge & Trusted Setup: Of course, the proof must not reveal the actual solution. Therefore, all computations are performed in an encrypted form, coordinated by a third party responsible for the cryptographic setup. Because of this, the verifier learns nothing about the answer but can still be confident that the prover indeed knows the correct solution.
3.2.3 Limitations of zk-SNARKs: The Shadow of Trusted Setup
zk-SNARKs provide strong performance and efficiency, but they ultimately face the structural limitation known as the trusted setup. If a malicious party obtains the secret values used during setup, they could generate unlimited valid-looking proofs for statements that are not true — completely destroying the trust in the system.
Thus, the existence of a trusted setup introduces a vulnerability to a centralized single point of failure. If the setup process is carried out by a single entity or small group, there is a risk that they could act maliciously or be compromised by external attacks, causing the secret values to leak. In the end, system security depends on having “one perfectly trustworthy ceremony,” which is an inherent irony.
For this reason, the trusted setup is considered one of the most critical attack vectors in zk-SNARK systems. To mitigate this, implementations often use multi-party computation (MPC) for setup ceremonies, or they adopt newer ZKP systems that require no trusted setup at all.
Frontend: AIR (including APR, ALI)
Backend: FRI
Source: freeCodeCamp
zk-STARKs (Zero-Knowledge Scalable Transparent ARgument of Knowledge) are an alternative introduced to solve the “trusted setup” problem found in zk-SNARKs. zk-STARKs have two key characteristics:
Scalable: The proof generation time of zk-STARKs (N polylog N) grows almost linearly with the computation complexity N, and the verification time (polylog N) is practically close to constant time, making it extremely fast and efficient.
Transparent: Since all system parameters are generated through publicly verifiable randomness, the “trusted setup” and “toxic waste” issues found in zk-SNARKs do not exist.
3.3.1 Mathematical Principles of zk-STARKs
The reason zk-STARKs can achieve transparency without trusted setup while also delivering scalability is that they rely on cryptographic tools different from those used in zk-SNARKs. While zk-SNARKs use R1CS as the frontend and elliptic-curve pairings as the backend, zk-STARKs use AIR, APR, ALI for the frontend and FRI for the backend.
Algebraic Intermediate Representation (AIR)
The goal of zk-STARKs’ AIR — transforming computation into verifiable polynomial form — is the same as the goal of zk-SNARKs’ R1CS, but the method is notably different. AIR models computation in the form of an “execution trace” table and expresses the correctness of this table using polynomials.
This transformation process has two steps:
Execution Trace Modeling: The prover constructs an execution trace table that records every computation step in order. Each row of the table represents one “step” of computation, and each column represents a “state variable” (CPU register values, memory state, etc.) at that step.
Execution Trace Validation: Since the table may not be trustworthy, the prover must define polynomial constraints to guarantee correctness. These constraints come in two types, Boundary Constraints which validate the beginning and end of the computation, and Transition Constraints which define how the state changes from one step to the next.
The execution trace and its polynomial constraints become the inputs for the next phase.
Algebraic Placement and Routing (APR)
Now the prover combines the execution trace with its constraints. APR’s goal is to reduce the complex question, “Does the execution trace satisfy all constraints?” into a single question: “Is a certain polynomial of low degree?”
Polynomialization of the Trace: Each column of the table is converted into a “low-degree” polynomial f(x).
Applying Constraints: The transition and boundary constraints from AIR are applied to f(x) to form a new “constraint polynomial” 𝜓*(x)*.
Generating the Quotient Polynomial: Using a vanishing polynomial V(x), the prover computes a quotient Q(x) = 𝜓(x) / V(x). If the prover is honest, 𝜓(x) is divisible by V(x) and Q(x) is a polynomial of low degree. If the prover cheated — even in just one value — then 𝜓(x) will not divide cleanly, and Q(x) will not be a valid polynomial or will have very high degree.
Thus APR reduces “Was the computation done correctly?” to “Is Q(x) low degree?”
Algebraic Linking IOP (ALI)
But in real computations, there are numerous constraints. After the APR stage, as many quotient polynomials Q1(x), Q2(x), … are generated as there are different constraint types. Verifying each of these polynomials individually in the backend (FRI) would be highly inefficient. ALI is the stage that compresses all these quotient polynomials into a single “composition polynomial.”
Random Combination: The verifier generates random blending factors.
Composition Polynomial Creation: The prover uses these random factors as weights to combine all quotient polynomials into one. (Example: CP(x) = a1·Q1(x) + a2·Q2(x) + …)
Simplifying the Verification Problem: If the prover is honest, all Q(x) polynomials are low-degree, so the combined CP(x) also remains low-degree. If even one Q(x) has been tampered with and has high degree, the randomness causes CP(x) to become high-degree with very high probability.
At this point, all frontend steps of zk-STARKs are complete. The original question, “Was the complex computation performed correctly?” is now reduced to the single question: “Is this one composition polynomial CP(x) truly low-degree?” Producing the proof for this final question is the responsibility of the backend, FRI.
Fast Reed–Solomon Interactive Oracle Proof of Proximity (FRI)
FRI, the backend of zk-STARKs, aims to guarantee the integrity of the entire computation by proving that the composition polynomial produced by the frontend truly has the promised low degree. If the computation was performed honestly, the resulting CP(x) will always be low-degree. Therefore, proving this low-degree property is equivalent to proving the correctness of the computation.
The proof process consists of two major steps:
Commit: The prover evaluates the polynomial CP(x) at many different values of x. These evaluation values are stored in a Merkle tree, and only the final Merkle root hash is revealed to the verifier. This hash uses a collision-resistant hash function, which is public and requires no secret information, meaning there is no trusted setup or toxic waste.
Non-interactive Repeated Folding: Originally, the prover and verifier would exchange many rounds of queries — like a “20-questions” game — to simplify the polynomial through repeated folding. For non-interactive proofs, zk-STARKs use the Fiat–Shamir heuristic, which replaces the verifier’s random queries with randomness derived from hash functions. This converts the interactive folding protocol into a written exam the prover performs alone, repeating the folding process until the polynomial is reduced sufficiently.
The prover bundles all commit and folding steps into a final proof. The verifier checks this proof by following the hash chain for each step to confirm that the prover followed the protocol correctly. All randomness is based on publicly verifiable randomness, so no secrets or trusted setup are needed. Through this mechanism, zk-STARKs eliminate the trusted setup problem inherent in zk-SNARKs and achieve fully transparent zero-knowledge proofs.
However, this transparency and decentralization come at a cost: zk-STARK proofs inevitably become larger. Collision-resistant hash functions cannot encode information as densely as the elliptic-curve machinery used in zk-SNARKs, so proof sizes are necessarily bigger. A zk-STARK proof is not merely a compact summary of the final result—rather, it is a detailed “log” that allows the verifier to audit the computational steps securely.
As a result, zk-STARK proofs are far larger than zk-SNARK proofs (288 bytes), typically ranging from tens to hundreds of kilobytes. This creates practical constraints: transmitting such proofs over a network requires more storage and bandwidth.
3.3.2 Understanding zk-STARKs Through a Large-Scale Accounting Audit
The proving and verification process of zk-STARKs can be illustrated using the example of auditing a massive 1M-line accounting ledger.
Scenario: A company’s CFO (prover) reports to the CEO (verifier), “The 1M-line accounting ledger has been processed perfectly.” The CEO does not have the time to review all 1M lines but wants a fast way to verify whether the CFO’s claim is true.
AIR: The CFO prepares the original 1M-line accounting ledger (execution trace). Each row represents an individual transaction, and each column represents a state variable such as account balance or transaction amount. The CFO also writes two constraints required for the ledger to be valid. The final balance of every transaction must exactly equal the previous final balance plus the current transaction amount. The starting balance must be 0, and the final balance must match the current actual balance (e.g., $5M).
APR: The CFO converts the ledger and its constraints into a mathematical graph that encodes the validity checks. If the CFO wrote the ledger honestly, this graph has the value “0” at all one million points. If the CFO altered even one line, the graph will show a non-zero value at that point, causing the graph to “stick out.” Here, the question “Was the accounting ledger written correctly?” is transformed into “Is this graph completely flat?”
ALI: In reality, there are many constraints to check, which means dozens of such “flat graphs” must be created. So the CEO instructs the CFO to randomly mix these graphs together into one “combined graph.” This way, the CEO only needs to check whether this single combined graph is flat, rather than examining each individual graph.
FRI: The CFO submits a summarized version (a Merkle root) of the combined graph to the CEO. This summary is produced using publicly known values—no secret parameters or hidden information are involved. Next, the CEO should instruct the CFO to simplify the summary further, but since the CEO is often busy or away, the CFO autonomously creates increasingly simplified summaries. This process is repeated several times, and once sufficiently simplified, the CFO bundles all summary steps (intermediate summaries, final summary, etc.) into a single “final proof” and submits it to the CEO.
Verification: The CEO receives just this one proof and verifies whether the CFO manipulated the ledger by checking only a few random points. For example, the CEO may verify that the transformation from the 3rd summary to the 4th summary was performed correctly. If these checks pass, the CEO can trust the CFO’s audit without inspecting all one million lines of the ledger.
There is no universal master key that fits every situation. This is why many specialized zero-knowledge proof systems have emerged, each optimized for different purposes and environments.
3.4.1 Evolution of zk-SNARKs (Groth16): PLONK
Frontend: PLONKish
Backend: KZG
Early zk-SNARKs, exemplified by Groth16, were implemented on a mathematical structure called R1CS. R1CS was a powerful framework capable of transforming complex computations into a provable form, but it had a fundamental limitation: it required a circuit-specific trusted setup. This meant that even if a program’s logic changed slightly, the entire costly and security-sensitive trusted setup process had to be repeated.
PLONK was introduced to solve this problem. PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge) takes a far more flexible and reusable approach, differing from R1CS starting at how computations are represented.
The most fundamental difference lies in the frontend. Groth16’s R1CS breaks every computation into simple quadratic constraints of the form A * B = C. Complex programs must be decomposed into countless multiplication gates of an arithmetic circuit. This structure is simple but rigid, because every type of operation must be forced into the same format.
In contrast, PLONK’s arithmetic representation (known as PLONKish) separates operations into gate constraints and copy constraints.
Gate constraints express the actual logic (a + b = c, etc.)
Copy constraints express the wiring, such as “the output c of gate 1 must be the input a of gate 2.”
Where R1CS expresses everything through many A * B = C constraints, PLONKish models gate logic with constraint polynomials and wiring consistency through permutations. The permutation check efficiently validates all wiring consistency in one shot.
You can understand the permutation check more intuitively with the example of a massive warehouse. This warehouse contains many sections (gates), and each section is connected by conveyor belts (wires). For example, an item (value) “shipped out” from section A must arrive as an “incoming item” at sections B and C. This corresponds to the circuit’s copy constraints.
The goal of the permutation check is not to check one by one whether “the item from A actually reached B and C,” but to collect all “outgoing item lists” and “incoming item lists,” and verify in one shot that the two lists contain exactly the same elements, regardless of order.
If an item from A disappears or a wrong item shows up at C, the lists will differ, and verification fails. PLONK’s permutation argument is simply the mathematical encoding of this idea — proving that every value in the circuit moved correctly and consistently according to the specified wiring.
This difference in preprocessing directly affects the trusted setup performed in the backend. R1CS-based systems like Groth16 required a separate trusted setup for each circuit. Whenever the program changed even slightly, a completely new setup had to be run — expensive and inconvenient in practice.
PLONK, however, primarily uses the KZG (Kate–Zaverucha–Goldberg) polynomial commitment scheme as its backend. KZG also requires a trusted setup, but what it produces is a Structured Reference String (SRS), a universal public parameter.
It is universal because, thanks to the permutation argument, the trusted setup is completely decoupled from the specific gate logic of a circuit. In other words, the SRS is generated for the general polynomial space that can express any circuit, not for any specific circuit itself.
Once the universal SRS is generated, one setup can be reused to prove and verify thousands or tens of thousands of different PLONK circuits (within a maximum size limit). The SRS is also updatable, meaning new participants can add randomness to strengthen its security.
While Groth16 still maintains advantages — tiny proof size and fast verification for specific static circuits—it suffers heavily when circuits change frequently, because each change requires a new trusted setup ceremony. This is why systems such as zk-EVMs and ZK rollups — which must frequently update or generate dynamic circuits — favor PLONK’s universality, modularity, and reusable trusted setup. zkSync, Polygon zkEVM, Scroll, and others use PLONK or its variants such as Halo2 and UltraPLONK, and Zcash also transitioned to Halo2 after the Sapling upgrade.
3.4.2 Evolution of Recursive Proofs: Halo2
Frontend: PLONKish (R1CS in the case of Zcash)
Backend: Elliptic Curve Cycles (including folding schemes)
Halo: Limits of Trusted Setup
The early implementation of zk-SNARKs known as Halo was used in Zcash’s early shielded transactions. Like Groth16, Halo still required a trusted setup, which meant it carried both centralization risks and efficiency drawbacks. Halo2 was introduced to solve these limitations.
Beginning of Trustless Recursion
Halo2’s biggest breakthrough is that it solved the trusted setup problem in the backend. This became possible thanks to an innovative cryptographic structure called an elliptic-curve cycle.
In this structure, two elliptic curves verify each other’s computations in a cyclical relationship — one curve verifies operations performed on the other, and the second curve verifies operations on the first. Through this cyclic verification, the system can internally construct infinite recursive proofs without relying on external trusted parameters (such as an SRS or secret randomness).
Recursive Proofs and Folding Schemes: Maximizing Efficiency
Another key feature of Halo2 is that it makes recursive proofs extremely efficient. A recursive proof means creating a new proof (B) that proves the correctness of another proof (A). This is essential when complex computations need to be split into smaller steps and verified layer by layer. However, generating a heavy zk-proof for every single step would be highly inefficient. Halo2 solves this problem with a technique known as a folding scheme.
A folding scheme “folds” multiple proof targets into one. Instead of generating a heavy proof at every step — potentially tens of thousands of times — Halo2 performs a lightweight folding operation that merges two proof targets into a single one. By repeating this folding process continuously, all computations eventually collapse into one final compressed object.
A single ZKP is generated only once at the very end for this final object. Thanks to this design, even if millions of computations are accumulated, the verification cost stays nearly constant. This makes it practical to prove extremely complex and lengthy computations — such as those in zkEVM environments.
Frontend: Flexibility Through PLONKish
Halo2 uses PLONKish as its frontend because PLONKish allows developers to define custom gates, enabling far more flexible and efficient expression of complex circuits compared to R1CS. (For reference, Zcash’s implementation of Halo2 still uses R1CS as its frontend.)
Ultimately, Halo2 combines a trustless backend, efficient recursion through folding, and a flexible frontend to become a universal platform capable of verifying entire complex program executions. Notably, Zcash adopted Halo2 in its NU5 upgrade, successfully eliminating centralized trusted setup, and zkEVM rollup projects such as Scroll leverage Halo2’s efficient recursive proof structure to handle the heavy computation required for verifying Ethereum transactions.
3.4.3 Backend for Range Proofs: Bulletproofs
Bulletproofs are classified as a backend in zero-knowledge proof systems, and they are particularly notable for producing very small proofs without requiring a trusted setup. The key reason Bulletproofs can generate such small proofs is their recursive compression technique for inner-product proofs.
This compression technique avoids proving a large computation (e.g., the inner product of two vectors of length N) all at once. Instead, at each step, the prover reduces the problem size by half. During each reduction, the original information is transformed into a smaller representation, and only a tiny amount of extra data (a few cryptographic group elements) is added to the proof to show that the transformation is valid. This process repeats until the problem size becomes 1, small enough to be checked directly.
Whereas Halo2’s folding scheme merges multiple proofs or computation steps into one to gain efficiency, Bulletproofs’ recursion gradually reduces the dimensionality inside a single proof. In other words a folding scheme is like “merging many receipts into one,” while Bulletproofs are like “folding a long receipt in half repeatedly to make it smaller.”
Thanks to this approach, Bulletproof proof size grows very efficiently. Since only a constant amount of data is added at each recursive step, the final proof size increases only by a few bytes even if the computation doubles. Whether proving 1M operations or 2M, the difference in proof size is minimal. This makes Bulletproofs particularly advantageous in blockchain environments, where all data must be stored and smaller proofs save substantial space.
However, this compression comes with a trade-off: slow proving and slow verification. In particular, verification time increases linearly with the size of the computation. If the workload doubles, verification time almost doubles as well—something burdensome in blockchain networks where many nodes must verify transactions simultaneously.
This is why Bulletproofs are not suited for complex general computations (such as zkEVM). Instead, they are optimized for simple but frequently repeated statements, most famously range proofs. Range proofs allow someone to prove that a number (e.g., a transaction amount) lies within a valid range (e.g., ≥ 0) without revealing the number itself. This prevents users from secretly inflating their balances and is a key mechanism in privacy protocols.
In conclusion, Bulletproofs are a backend protocol that sacrifices verification speed in exchange for highly compressed proofs without a trusted setup. Thanks to these properties, they have been adopted as core components of Confidential Transactions in privacy-focused blockchains such as Monero and Beldex, playing a major role in achieving both privacy and efficiency on-chain.
So far, we have examined various zero-knowledge proof systems and protocols such as zk-SNARKs, zk-STARKs, PLONK, Halo2, and Bulletproofs. The table below provides a side-by-side comparison of these systems, making it easy to understand their strengths, weaknesses, and the types of applications where each technology is most appropriate.
The various ZKP systems we explored earlier share two core characteristics: “concealment”, which hides information, and “compression”, which reduces computation. These two principles are reshaping digital trust structures around privacy protection and computational efficiency. In a future digital environment where personalization and processing performance are increasingly important, concealment and compression are likely to become key tools that provide both safety and flexibility.
ZKP “concealment” shifts the notion of privacy from passive defense to active control. While traditional encryption locked data inside a “black box” that no one could open, ZKPs allow you to keep that box locked while still proving, for example, “There is a blue ball inside this box.” In other words, the technology makes it possible to prove a property of data without revealing the data itself. As a result, privacy transforms from something that is merely hidden into a form of programmable privacy where information can be selectively disclosed only to the extent needed.
This concept of concealment is fundamentally changing the structure of Digital Identity. Today’s identity verification still follows an “all-or-nothing” approach. For instance, to prove you are over 19, you must present your entire ID card — revealing your name, address, resident registration number, and other unnecessary personal information. This is a classic case of overexposure, where excessive information is revealed to prove a single required fact.
While recent systems such as mobile IDs appear to solve this problem by selectively showing only the necessary information, from the perspective of data sovereignty, they remain a centralized proxy model in which a trusted third party (such as a telecom provider or platform) stores all user information and performs verification on behalf of the user.
In other words, even if the convenience store clerk does not directly check your resident registration number, a large intermediary institution is still querying and verifying your entire identity information behind the scenes. Since the entity proving the information is the institution — not the individual — this method remains a transitional stage that has not fully escaped the fundamental structure of overexposure.
ZKPs overturn this model entirely. By separating the original data from the proof about that data, an individual can prove “I am over 19” without showing any form of ID. Trust can be established without revealing the ID itself, enabling the realization of Self-Sovereign Identity (SSI), where individuals manage their own information and choose what to disclose.
Source: Ethereum Foundation
This power of concealment has now moved beyond simple technological functionality to become a core value of blockchain protocols. The Ethereum Foundation recently announced “A New Commitment to On-Chain Privacy”, presenting a vision to provide privacy features natively at the protocol level using ZK technologies. These features include stealth addresses that can hide transaction information and privacy-focused authentication systems that allow users to prove qualifications without exposing identity data.
Ultimately, ZK–based concealment is no longer an optional feature of specific applications — it is becoming a fundamental right that protects individual freedom and safety in the digital world. This evolution shows that technology is becoming more than just a tool for implementing trust; it is growing into a new form of social infrastructure that mathematically guarantees personal sovereignty and freedom.
“How can we trust someone else’s computation without re-executing it ourselves?”
Decentralized systems have long suffered from the Verifier’s Dilemma. Blockchains — the most representative decentralized systems — have secured trust through redundant execution, where every participant re-executes every transaction. While secure, this approach has led to severe inefficiencies.
However, compression, one of the key properties of ZK technology, completely changes this paradigm. A single prover performs a complex computation and produces a short, concise proof of its result. All other verifiers can then trust the entire computation by checking just that one proof. What is being compressed is not merely file size or data volume — it is the computational integrity itself: the fact that the computation was carried out correctly according to the rules. The execution of a complex program that may span billions of steps can be summarized into one small, elegant cryptographic proof.
For example, a thousand-page book can be summarized into one page, giving a rough idea of the storyline. But such a summary can never guarantee that every sentence in the original is accurate or that nothing has been omitted or distorted. To verify that, one must read the entire original.
ZKPs, however, do not summarize the book. Instead, they mathematically prove that “this copy of the book matches the original, letter for letter.” This is not a summary — it is an integrity certificate. By inspecting this tiny certificate, a verifier can be assured that the copy perfectly matches the original without comparing thousands of pages manually.
The power of compression is a core tool for solving one of the greatest challenges facing blockchains: scalability. Traditional blockchains inevitably face bottlenecks because every node must process every transaction. But ZK rollups and other forms of verifiable computing aim to break through this bottleneck.
A powerful L2 or off-chain prover processes thousands or tens of thousands of transactions at once, then generates a single ZKP stating: “All these transactions were executed correctly according to the rules.” The main blockchain only needs to verify this one proof, effectively replacing validation of tens of thousands of transactions with a single operation. In other words, the entire computation is compressed into one proof. This method dramatically increases blockchain throughput without sacrificing decentralization or security. As a result, the network can process thousands of transactions per second while maintaining the same level of trust and security.
In summary, while concealment narrows the scope of trust to protect individual privacy, compression broadens the scope of trust to enhance system-wide efficiency. When combined, these two forces transform ZKPs from a mere cryptographic technique into the foundation of a new digital order where trust, speed, and privacy coexist.
Why, then, has a technology that originated in the 1980s only recently begun receiving explosive attention? The reason is simple: for a long time, there was virtually no place for zero-knowledge proofs within our financial and social systems. Centralized intermediaries — banks, governments, and courts — have monopolized “trust” based on social consensus. They protected our secrets (concealment) and guaranteed the validity of transactions (compression). In return, we willingly handed over certain costs and authority.
But the rise of decentralized systems like blockchain completely disrupted this order. Under the philosophy of “Don’t trust, verify,” blockchain replaced socially constructed trust with mathematical proof. However, in doing so, it created a dilemma between privacy and efficiency. ZKPs finally found the stage they were meant to exist on within this very dilemma. Thus, blockchain became the first massive sandbox where zero-knowledge technology could be tested and refined.
Since then, the blockchain ecosystem has come to recognize ZK technology as a tool for privacy protection and scalability enhancement. This demand created an unprecedented opportunity, drawing enormous capital and talent into ZK research. As the technology was applied to real-world problems, it quickly evolved from an academic concept into an engine driving actual industries. As a result, a virtuous cycle emerged: demand drove innovation, and innovation created new demand.
ZK technology, forged within the sandbox of blockchain, is now forming a vast ecosystem of its own. Each project within this ecosystem serves as an early model pointing toward future universal ZK applications. These projects embody the core capabilities of ZK — compression and concealment — in concrete systems and applications, turning the technology’s potential into reality.
In this chapter, we explore how the ZK ecosystem is organized, and examine which ZK techniques each project employs and what types of services they aim to build.
ZK technology is redefining the structure and operating model of blockchain infrastructure and applications. This transformation is especially active within Ethereum, ZK rollup–based L2 infrastructure, and privacy-centric infrastructures and apps.
5.1.1 Ethereum’s ZK–Native Roadmap
Among major L1 blockchains, Ethereum is the most systematic and fastest in adopting ZK technology. Its ultimate goal is to make ZK native to the Ethereum protocol itself.
Privacy: Commitment Toward On-Chain Anonymity
Every Ethereum transaction is publicly visible to anyone. While this transparency secures trust, it has long been criticized for exposing users’ financial activity directly on-chain.
To address this issue, the Ethereum Foundation released an official statement in September and October 2025 declaring privacy protection as a core value of the network. This is considered a turning point in Ethereum’s evolution into foundational infrastructure for global finance and identity systems. Vitalik Buterin also emphasized the importance of privacy, notably criticizing the EU’s Chat Control policy in a public post.
Source: Privacy Stewards of Ethereum
Ethereum’s privacy-enhancement efforts are being realized through concrete technologies and projects led by a dedicated organization within the Ethereum Foundation. The PSE (Privacy Stewards of Ethereum) team, under the new leadership of Igor Barinov and Andy Guzman, aims to build end-to-end privacy across the entire Ethereum ecosystem — covering the full lifecycle of data. PSE outlines three key research pillars:
Private Writes: Technologies that enable transactions to be processed privately
Private Reads: Methods to access blockchain data without exposing IP or account information
Private Proving: Techniques enabling fast, low-cost ZK-proof generation even on low-power devices
Aligned with these research pillars, PSE has included several concrete technical developments and projects in its roadmap:
Stealth Addresses: A mechanism that generates new one-time addresses per transaction to break the linkage between sender and receiver. While not directly using ZK, it significantly enhances user privacy. As of October 2025, the Ethereum Foundation is extending this concept through ERC-5564 with stealth IDs.
PlasmaFold: An L2 solution offering high throughput and instant withdrawals via off-chain transaction processing. Using ZK technology, it enables confidential transfers and selective disclosure of information — balancing regulatory compliance with DeFi usability.
zkID: A ZK-based decentralized identity verification system that protects user privacy while supporting selective disclosure for KYC/AML compliance, GDPR requirements, and confidential transactions. Positioned at the core of the Private Writes and Private Proving tracks, zkID strengthens the privacy infrastructure of Ethereum.
Alongside these technological efforts, on October 9, 2025, the Ethereum Foundation announced the Developer Legal Defense Fund, a joint funding initiative with the Keyring Network, to expand support for privacy-related projects. The primary purpose of this initiative is to support the legal defense of Tornado Cash developers Roman Storm and Alexey Pertsev and to clearly assert the principle that “Code is not a crime.”
A notable point is the shift away from one-off donations and grants toward a market-linked funding model. The Ethereum Foundation and Keyring Network use zkVerified Vaults, created in collaboration with Euler Finance. When users deposit USDC into these private, regulation-friendly vaults, protocol fees are automatically routed to the Legal Defense Fund and then distributed to Roman and Alexey.
Through this on-chain flywheel model, the Ethereum Foundation aims to foster sustained research and development of privacy-preserving technologies and, in the long term, support sustainable growth across the Ethereum ecosystem.
Scalability: Infinite Throughput via zkEVM
Ethereum’s long-standing scalability challenge reached a turning point with the introduction of ZK rollup technology. ZK rollups process transactions off-chain first, then submit only a ZKP to the mainnet proving that the results are valid. This dramatically reduces the load on the mainnet, enabling the processing of thousands of TPS (transactions per second). Through this, Ethereum gains scalability while maintaining both security and decentralization.
The later emergence of the Zero-Knowledge Ethereum Virtual Machine (zkEVM) pushed this evolution further. The zkEVM is a fully EVM-compatible environment, allowing developers to migrate existing dApps without modification. As a result, ZK technology has smoothly integrated into the developer ecosystem and accelerated the mainstream adoption of ZK-based scalability. Ethereum thus strengthens both scalability and privacy while solidifying itself as a developer-friendly platform.
Ethereum’s roadmap aims to directly integrate ZK technology into the protocol. The ongoing goal, known as the “Enshrined zkEVM,” refers to a structure where the validity of an Ethereum block itself is verified by a ZKP. In this model, validators no longer need to re-execute every transaction — they only need to check a single ZKP. Verification efficiency increases dramatically, enabling Ethereum alone to achieve performance levels around 10K TPS while reducing node hardware requirements and strengthening decentralization.
Furthermore, Ethereum’s ultimate “endgame” vision expands beyond the zkEVM toward a general-purpose zkVM based on the RISC-V architecture. This moves away from the complexity of the EVM, achieves over 100× higher proving efficiency, and ultimately aims to replace the EVM entirely — realizing near-infinite scalability and enabling personal-node proving (home proving).
Source: ethproofs.org
The first requirement to achieve this vision is real-time proving capable of completing ZKPs within the 12-second block interval. The Ethereum Foundation has set an even stricter goal — processing 99% of all blocks within a 10-second latency window, accounting for the roughly 1.5 seconds needed for network-wide propagation. Currently, Succinct’s SP1 Hypercube and Brevis’s Pico Prism are closest to meeting this target.
As innovation that started from ZK rollups progresses through the zkEVM and eventually toward protocol integration, some worry that L2 rollups will disappear once the zkEVM is fully implemented at the L1 level. However, this is incorrect.
Ethereum’s roadmap is built on a strict separation of roles between L1 and L2.
L1 serves as the “settlement layer” responsible for final security and record-keeping, while L2 acts as the “execution layer” where users interact with fast and low-cost transactions. The zkEVM embedded at L1 does not compete with the execution environment of L2 — it simply verifies the ZKPs submitted by L2 quickly and cheaply at the protocol level. This directly reduces operational costs for L2s.
As an analogy: imagine local courts (L2s) processing many cases quickly, while the supreme court (L1) gives final approval that those judgments are valid. Introducing the zkEVM is like automating the “approval stamp” process, making it much faster — not eliminating the local courts, but reducing their burden and enabling them to process more cases efficiently.
This complementary relationship is reflected in Ethereum’s technical roadmap.
For example, PeerDAS — planned for the 2025 Fusaka upgrade following Dencun — is not designed to increase L1 execution capacity. Instead, it focuses on data availability, reducing L2 data storage costs and expanding data space.
If Ethereum intended to replace L2s, it would not be pursuing such L2-centric upgrades. L1 improvements strengthen L2 competitiveness, demonstrating a cooperative structure where L1 provides a robust foundation and L2 innovates freely on top of it.
At the same time, integrating ZK technology directly into L1 — as with the Enshrined zkEVM — must be approached with caution. As noted in Ethereum Foundation research, generating proofs requires substantial computation and may become a vector for denial-of-service attacks. Premature adoption of ZK at the protocol level could threaten Ethereum’s core values of liveness and stability. Gradual introduction with extensive stress testing is therefore essential.
Ultimately, Ethereum’s ZK roadmap is a strategy to achieve mainstream adoption by enhancing both privacy and scalability. This evolution positions Ethereum as the foundational infrastructure for a safer, faster, and more open digital economy.
5.1.2 ZK Rollups
These are L2 ecosystem projects designed to solve Ethereum’s scalability problem by leveraging the “compression” power of ZK.
gnark-Plonk Frontend: PLONKish
Backend: KZG
Linea is a zkEVM-based Ethereum L2 network developed by ConsenSys to address Ethereum’s scalability challenges. Using ZK rollup technology, it processes transactions off-chain and submits only a ZKP to Ethereum mainnet, achieving high throughput and low fees. Linea uses $ETH as its native gas token and offers full Type-2 EVM compatibility, allowing developers to migrate existing Ethereum dApps without code changes.
The Linea network is built on the Go-based gnark-Plonk proving library, accelerating the growth of its ecosystem. Because gnark-Plonk is implemented in Go, it significantly reduces memory usage during proof generation compared to other ZK systems. Its modular design also makes integration and customization within the Ethereum ecosystem easier for developers.
In early October 2025, Linea launched the $LINEA token rewards program through MetaMask to boost user participation. Additionally, SWIFT confirmed that it will build its blockchain-based payment and settlement platform on Linea with participation from over 30 major financial institutions, including Bank of America — signaling growing institutional interest.
Airbender Frontend: AIR
Backend: FRI
zkSync Era and zkSync Lite are ZK rollup–based Ethereum L2 solutions developed by Matter Labs, representing two phases of zkSync’s evolution. zkSync Lite, the earlier version, focused on payments and simple token swaps and did not support smart contracts. zkSync Era, by contrast, integrates a zkEVM and supports EVM-compatible smart contracts, enabling complex applications such as DeFi, NFTs, and dApps. As of 2025, Era serves as the primary zkSync mainnet, while Lite remains limited as a legacy version.
zkSync Era initially used the Boojum ZK system but began transitioning to the Airbender ZK system after its announcement in June 2025. Airbender, built on zk-STARKs, enhances both security and scalability and now shapes zkSync’s primary technical direction. With the “Atlas” upgrade released on October 7, 2025, zkSync Era achieved 30,000 TPS and sub-second finality, elevating its performance to institutional and enterprise-grade levels. This shift demonstrates zkSync Era’s evolution from a simple dApp platform to full institutional infrastructure.
To accelerate institutional adoption, zkSync Era also introduced the “Prividiums” initiative. Prividiums combines the control of private blockchains with the security and interoperability of public blockchains. Designed as a permissioned, private Ethereum-based L2, it enables institutions to participate in digital asset markets securely, efficiently, and in compliance with regulatory requirements.
zk-STARKs Frontend: AIR
Backend: FRI
StarkNet is an Ethereum L2 based on ZK rollups that uses STARK proving technology to solve Ethereum’s scalability challenges. Its core components are the Cairo programming language — purpose-built for ZK proof generation — and the Cairo VM. These enable developers to efficiently write and deploy smart contracts, while users benefit from massive scalability, fast transactions, and low fees.
StarkNet combines the Turing-complete Cairo language with zk-STARKs to address blockchain scalability, security, and decentralization. By generating validity proofs for off-chain transactions, it enables trust-minimized verification on L1 using only minimal data. In September 2025, the v0.14.0 “Grinta” architecture strengthened the zk-STARK proving stack, reducing proving costs and ensuring security through neutral transaction inclusion and ordered execution. Combined with decentralized sequencing and preconfirmation features, StarkNet minimizes ZK proof latency to improve UX, and plans to further enhance privacy and scalability through decentralized proving.
On October 15, 2025, StarkNet announced a partnership with Alpen Labs to build a trust-minimized bridge enabling direct BTC transfers to StarkNet without intermediaries or wrappers. This bridge uses Alpen Labs’ “Glock verifier” to verify BTC transactions directly on the Bitcoin network, enabling BTC holders to use StarkNet for staking, lending, and other BTCFi activities.
In November 2025, StarkNet introduced the S-two prover — a successor to the Stone prover — offering up to 100× faster, cheaper, and more efficient proof generation. Built in Rust, S-two enables client-side proving and decentralized proving, opening the door to new use cases such as privacy-preserving DeFi, ZK identity authentication, and verifiable AI.
OP-Succinct SP1
Frontend: AIR
Backend: FRI + KZG
Katana is a ZK rollup–based Ethereum L2 network incubated by Polygon Labs and GSR, launched on mainnet on July 1, 2025. It is designed as a DeFi-focused chain offering “real yield” and “deep liquidity,” aiming to solve liquidity fragmentation in the DeFi ecosystem. Katana adopts Polygon’s Agglayer CDK, enabling smooth sharing of bridges and liquidity across other L2 chains. As of October 2025, it holds approximately $550M in TVL.
Technically, Katana is based on OP Stack but is upgraded to a ZK rollup through integration of Succinct’s OP-Succinct SP1 validity proofs. This hybrid design eliminates the seven-day withdrawal delay typical of optimistic rollups, providing fast finality within one hour and extremely low fees — less than $0.005 per transaction.
Following Succinct’s announcement of ZK support in May 2025, Katana completed audits and stress tests by late June and successfully launched its mainnet in July, drawing significant attention. It is currently in a centralized “Stage 0,” with centralized sequencers and proposers, but plans to progress to “Stage-1” by introducing multiple independent sequencers and permissionless proving. Long term, Katana aims to reach 100,000 TPS and full decentralization through Polygon’s “GigaGas” roadmap.
OpenVM
Frontend: AIR
Backend: FRI + KZG
Scroll is a ZK rollup–based Ethereum L2 developed under the motto “Ethereum devs for Ethereum devs.” Its defining feature is a zkEVM that offers full compatibility with EVM bytecode. Developers can deploy Solidity or Vyper code to Scroll without any modifications.
Scroll’s architecture consists of the OpenVM and the decentralized prover network “Roller.” OpenVM uses a zk-STARKs-based protocol to efficiently prove the validity of off-chain transaction execution without requiring trust assumptions. This allows Scroll to submit highly compact proofs to Ethereum, reducing gas costs by over 90% and achieving scalability of over 2,000 TPS. The Roller network distributes proof generation across multiple provers to remove single points of failure, increase security, and enable permissionless participation — enhancing both privacy and decentralization.
In April 2025, Scroll rolled out the “Euclid” upgrade, migrating from its previous Halo2-based zkEVM to OpenVM. It also achieved L2BEAT’s “Stage-1” rollup classification, meaning it now supports a Security Council and forced transactions. Future roadmap milestones include reaching Stage 2, achieving 10,000 TPS, and fully decentralizing the Roller network.
PLONK
Frontend: PLONKish
Backend: KZG
Aztec is a privacy-focused Ethereum ZK rollup L2 that aims to become a “private world computer,” enabling selective privacy across transactions, identity, and computation. Since its founding in 2018, it has focused on developing zk-SNARK technology and, as of 2025, is operating a public testnet. It is preparing for mainnet launch with over 23,000 validators onboarded, and its ecosystem includes zk.money v1 and v2 — private payment networks that are the only ZK rollups to have reached “Stage-2”.
Source: l2beat.com
Aztec’s architecture is based on a ZK-ZK rollup and the PLONK proving system, maximizing client-side data protection and on-chain efficiency. Its hybrid UTXO + account model enables selective privacy for transactions, identity, and computation. Developers can build private apps without deep ZK expertise using the Rust-based Noir language, and the Aztec Virtual Machine (AVM) allows the development of advanced privacy-preserving applications.
Throughout 2025, Aztec has been shipping key updates preparing for mainnet. In September, the v2.0.3 upgrade introduced low-memory proofs and a redesigned slashing system. In October, Aztec teased “the next stage of ZK rollup evolution,” and on October 15 released a cross-chain bridge demo with Zcash. The demo showcased “post-transaction utility,” converting ~$1.1B worth of private ZEC into USDC through zk.money — garnering major attention.
Airbender
Frontend: PLONKish
Backend: FRI
Abstract is an Ethereum-based ZK rollup L2 developed by Igloo Inc., the parent company of the Pudgy Penguins NFT collection. Mainnet launched on January 27, 2025. Unlike DeFi-centric L2s, Abstract brands itself as a “Digital Playground,” focusing on consumer-facing applications such as gaming, social, and NFTs. Targeting crypto beginners, it offers a no-gas experience through passkeys, account abstraction, and sponsored transactions. This strategy lowers the Web3 onboarding barrier and leverages the Pudgy Penguins IP to attract new users naturally.
Technically, Abstract uses zkSync’s ZK Stack — customized to inherit Ethereum L1 security via ZK rollups. The ZK Stack is a modular framework allowing developers to configure components such as proving systems, data availability layers, and sequencing infrastructure. Airbender provers support high-performance proving exceeding 15,000 TPS.
As of October 2025, the Abstract ecosystem includes over 160 game- and NFT-focused protocols, such as DOGAMÍ, Anichess, and Pudgy Party. Total TVL is around $35.9M, bridged TVL $185.26M, and daily DEX volume exceeds $12M, indicating rapid growth. The 2025 roadmap includes:
September: Binance US deposits/withdrawals
October: Abstract 3.0 upgrade (advanced chain abstraction)
Q4 2025: Governance token TGE
Late 2025–2026: Sequencer decentralization
zk-STARKs
Frontend: AIR
Backend: FRI
Paradex is a high-performance cryptocurrency perpetual DEX built as the first appchain on StarkNet. It supports perpetual futures and options trading and was incubated by Paradigm, a leading global crypto investor. After launching on StarkNet mainnet in July 2023, Paradex grew rapidly by combining CEX-like convenience with DEX-level security and privacy. As of October 2025, Paradex has surpassed $123B in cumulative trading volume, $1B in daily volume, and $105M in TVL.
Technically, Paradex is a ZK rollup appchain built on the StarkNet stack (SN Stack). It uses zk-STARKs to verify transaction validity and inherits Ethereum L1 security. Off-chain execution minimizes gas costs while ensuring correctness. Paradex also integrates StarkNet’s SHARP (SHARed Prover), enabling recursive proof aggregation and institutional-grade privacy (non-disclosure of trade details).
In September 2025, Paradex introduced the Zero Fee Paradigm (ZFP), eliminating trading fees for retail traders and dramatically increasing user acquisition. The community also anticipates the $DIME token TGE and major airdrop scheduled for late 2025–early 2026. Meanwhile, the XP Warzone Season 2 points program continues to drive high user engagement.
zk-STARKs — zk-SNARKs Hybrid
Frontend: AIR + R1CS
Backend: FRI + Elliptic-Curve Pairing
Polygon zkEVM is an Ethereum L2 built by Polygon Labs, providing full bytecode-level EVM equivalence. Developers can deploy existing Ethereum smart contracts and tools (MetaMask, Hardhat, etc.) to Polygon zkEVM with zero code changes.
Polygon zkEVM uses a STARK–SNARK hybrid system:
Off-chain batching of transactions
zk-STARK proof generation
Compression into a zk-SNARK for efficient on-chain verification
This design reduces on-chain verification costs to around 200–400K gas.
2025 marks a major turning point for Polygon zkEVM. Polygon Labs plans to sunset the current mainnet beta version by late 2026. The existing zkEVM beta has entered its “legacy” phase and is being phased out. Going forward, Polygon’s ZK development will be led by Zisk, a new subsidiary headed by co-founder Jordi Baylina.
Vitalik Buterin publicly praised Polygon for “significantly accelerating progress in the zkEVM field” by investing substantial early resources, drawing attention to the possibility that future Ethereum contributions may align more closely with Zisk’s ongoing work.
5.1.3 Privacy Protocols
These are ecosystem projects designed to integrate the “hiding” capability of ZK into the protocol so that all transactions and applications guarantee privacy by default.
zk-SNARKs (Halo2)
Frontend: R1CS
Backend: Elliptic-curve cycles
Zcash is a privacy cryptocurrency launched in 2016 that uses zk-SNARKs to provide “shielded transactions” that fully hide the sender, recipient, and transaction amount. Based on the Bitcoin codebase (total supply 21M), Zcash strengthened decentralization and security through the 2022 Halo2 upgrade, which removed the trusted setup.
Zcash’s shielded transactions operate through encrypted UTXOs and a “Nullifier set”. When a user transacts, they submit a Nullifier, which is a hash of the unique value of the UTXO. The network checks only whether this Nullifier has already been used, preventing double spending without revealing which UTXO was spent.
This process is similar to a secret ballot. Each coin (UTXO) is an anonymous “ballot” with a “secret stamp” (the r value) known only to its owner. When spending, the user uses this stamp to create a “ballot confirmation slip” (Nullifier) and submits it to the “completed ballots board” (Nullifier set). The network checks whether the slip is already on the board to prevent double voting (double spending). zk-SNARKs serve to prove only that “I have a valid ballot and issued this confirmation,” while never revealing which ballot was used or by whom.
As of October 27, 2025, Zcash has regained attention as the leading privacy coin, surging 550% in the past month and trading around $360. Institutional demand is rising significantly, with about $46M flowing into the Grayscale Zcash Trust (ZCSH). Around 20% of the supply (3.5M ZEC) is deposited in the shielded pool, and shielded transaction usage has risen by 27%, showing rapid on-chain adoption of privacy functionality.
Zcash plans to evolve into a full privacy network through the NU7 upgrade by introducing Zcash Shielded Assets (ZSA), enabling the issuance and private trading of various tokens — such as private stablecoins or real-world assets (RWA) — within the shielded pool. Draft ZIPs for ZSA issuance keys and FROST multisig spending keys, as well as NU7 protocol specification changes, are currently underway.
Recently, after on-chain analyst ZachXBT pointed out a privacy vulnerability (traceability) in the Zashi wallet, the Zashi team acknowledged the issue and made implementing Ephemeral Transparent Addresses for all NEAR Intent features its top development priority. They announced plans to resolve the issue. The Zcash ecosystem also aims to fully transition from the legacy consensus software zcashd to zebrad by 2026 to accelerate development and strengthen security, in collaboration with Zallet and Zaino.
zk-SNARKs
Frontend: R1CS
Backend: Elliptic-curve pairings
Tornado Cash is a decentralized Ethereum-based privacy protocol (mixer) that uses zk-SNARKs to break the link between deposits and withdrawals, preventing traceability. This is possible because of the following mechanism:
When depositing, the user generates two secret values off-chain: a nullifier and a secret. The hash of these two values, called a commitment, is sent to the smart contract. The contract adds this commitment to a Merkle tree; while this action is recorded on-chain, the original commitment value remains private.
To withdraw the deposited assets, a completely new address is used. The user scans all deposit events off-chain to reconstruct the Merkle tree, then generates a Merkle proof showing they are a valid member of the tree, along with a Nullifier hash that prevents double spending. Using this information, the user generates a ZKP and submits it to the contract.
The smart contract verifies that the proof is valid, that the Merkle root exists, and that the Nullifier hash has not been used before. Once validated, the contract sends the funds to the designated new address. Through this process, the link between deposit and withdrawal addresses is completely severed, protecting user privacy.
Due to this structural design, Tornado Cash faced heavy regulation from the U.S. Treasury (OFAC) in August 2022. By March 2025, however, Tornado Cash had resolved much of its legal uncertainty and escaped the strictest regulatory constraints. A federal court ruled that smart contracts are not sanctionable property. Additionally, in the Roman Storm case, the U.S. Department of Justice (DOJ) stated that writing code itself is not a crime, reducing legal liability for developers.
zk-SNARKs
Frontend: R1CS
Backend: Elliptic-curve pairings
Aleo is an L1 blockchain based on zk-SNARKs, aiming to provide a privacy-first application platform that ensures both personal data protection and regulatory compliance. Launched in 2024, Aleo enables developers to build secure and efficient privacy dApps through its Rust-based programming language, Leo. Aleo has raised about $280M from major institutional investors such as a16z and Coinbase Ventures, and its custom consensus algorithm, AleoBFT, ensures high throughput and network stability.
Aleo executes transactions off-chain via the AleoVM, submitting only the resulting ZKP on-chain. This ensures that sensitive transaction data is not exposed while still allowing the network to verify transaction validity securely. By outsourcing the heavy proof-generation workload off-chain, Aleo also achieves improved scalability and efficiency.
Aleo has gained attention for presenting a balanced model of privacy and regulatory compliance. On October 1, it partnered with Paxos to launch USAD, the world’s first privacy-preserving U.S. dollar stablecoin. USAD encrypts wallet addresses, transaction amounts, and timestamps by default, while allowing optional selective disclosure for audits when necessary. This design complies with the GENIUS Act passed by the U.S. Congress in July 2025. Strengthening its regulatory-friendly privacy infrastructure, Aleo appointed Yaya Fanusie as Global Head of Policy on October 8 and added two new strategy executives on October 17, accelerating global expansion.
zk-SNARKs
Frontend: R1CS
Backend: Elliptic-curve pairings
Railgun is an on-chain zk-SNARKs privacy infrastructure supporting multiple chains, including Ethereum, Polygon, BNB Chain, and Arbitrum. It encrypts transaction history, sender, recipient, and amount information when users interact with DeFi services, enabling a private transaction environment. Because of these characteristics, Railgun is gaining attention as a compliant alternative to Tornado Cash. As of October 31, 2025, its TVL surpassed $210M, solidifying its position as a regulation-friendly privacy solution.
With a zk-SNARKs-based transaction-shielding structure, Railgun allows users to shield ERC-20 tokens or NFTs into a private pool and perform various DeFi activities — such as swapping, lending, and transferring — anonymously. All operations occur directly on-chain without needing a bridge, maintaining compatibility with existing dApps. Railgun also blocks illicit funds through Private Proofs of Innocence (PPOI), which enables users or institutions to prove fund “cleanliness” without third-party data sharing. It additionally offers tax reporting integration, meeting institutional and regulatory requirements.
In 2025, Railgun emerged as a new central player in the privacy market. In October of the same year, Railgun officially joined the Ethereum Foundation’s Kohaku project, aimed at strengthening wallet security and privacy. Shortly after, Railgun released a private multisig wallet for institutional investors. When on-chain analyst ZachXBT used the PPOI mechanism to trace funds involved in the Bittensor hack, Railgun’s regulatory compatibility and security were demonstrated through a real-world case.
[Not ZK] Ring Signatures + RingCT
Backend: Bulletproofs
Monero, launched in 2014, is one of the original privacy coins, providing default anonymity for all transactions. It hides the sender, recipient, and amount using technologies such as Ring Signatures, RingCT, and Stealth Addresses. While Ring Signatures and RingCT are not ZK technologies themselves, Monero introduced Bulletproofs, a ZK-based range-proof system, into RingCT in 2018 — reducing proof size by 80% and significantly lowering transaction fees. Monero thus combines ZK techniques with ring-signature technology in a complementary manner to maximize user privacy.
However, in August 2025, Monero faced a severe security threat. The Qubic mining pool, led by an IOTA co-founder, temporarily captured over 51% of Monero’s total hashrate and attempted a reorganization attack. Qubic claimed the attack was non-malicious, but Monero’s price dropped 19% in a short period. Fortunately, community backlash and miner response reduced Qubic’s share of the hashrate to around 35%, easing the threat and stabilizing the network.
Following the incident, major exchanges such as Kraken temporarily suspended Monero deposits to strengthen security. When deposits reopened, they required 720 block confirmations (about 24 hours). This event underscored Monero’s need for decentralized security and highlighted both the risks of excessive influence by a single mining pool and the resilience of Monero’s community-driven ecosystem.
[WIP] zk-SNARKs
Frontend: R1CS
Backend: Elliptic-curve pairings
Beldex is a privacy-focused L1 blockchain based on the CryptoNote protocol, using ring signatures and stealth addresses to ensure transaction anonymity and privacy. Launched in 2018, Beldex transitioned from a Proof-of-Work (PoW) mechanism to Proof-of-Stake (PoS) to improve efficiency and scalability. It has built a privacy-centric dApp ecosystem — such as BChat (anonymous messenger), BelNet (decentralized VPN), and the Beldex Browser — moving steadily toward becoming a comprehensive privacy-preserving internet infrastructure.
Established in January 2022, Beldex Research Labs is currently working on implementing zk-SNARKs in a sidechain. The research aims to reduce private transaction size and enhance privacy. As of 2025, the project is in the conceptual and development stages, with zk-SNARKs expected to support Beldex’s vision of “programmable confidentiality.” Recently, Beldex has also begun integrating AI and Fully Homomorphic Encryption (FHE) technologies to further strengthen data protection and security.
5.1.4 DeFi
PLONK
Frontend: PLONKish + Poseidon2 Hash Function
Backend: FRI
Source: DefiLlama
Lighter is an Ethereum L2–based decentralized perpetual futures exchange (Perp DEX) that aims to combine CEX-level trading performance with the decentralization of DeFi. Unlike typical zkVM approaches, it uses custom ZK circuits to verify all components of a central limit order book (CLOB) — including order matching, liquidation, and risk management — on-chain. This minimizes MEV and price manipulation while achieving thousands of TPS and millisecond-level latency. Lighter secured investment from major backers such as a16z, and launched its public mainnet in September 2025, earning the nickname “Hyperliquid killer.”
Using a PLONK-based zk-SNARKs ZK-rollup architecture, Lighter leverages Ethereum as the settlement layer while maximizing the efficiency of order matching and liquidation. Its proprietary hybrid Order Book Tree — which uses the Poseidon2 hash function — encodes price-time priority with high precision, enabling efficient order management.
Building on this technical foundation, Lighter offers retail traders zero trading fees and up to 25× leverage, while user assets are safely stored on Ethereum L1 for security and interoperability. Risk management is handled not through Auto-Deleveraging (ADL) but via the Lighter Liquidity Pool (LLP) and an insurance fund. Lighter also runs S1 (completed) and S2 (ongoing) points programs, rewarding users based on trading volume, PnL, and position maintenance, which has successfully bootstrapped early liquidity.
As of October 21, 2025, Lighter has exceeded $1.1B TVL and $4B in daily trading volume after mainnet launch, posing a real threat to Hyperliquid. On October 20, Vitalik Buterin cited Lighter as a real-world ZK application, highlighting its “hyperscale” potential and extremely low proof cost ($0.0001 per tx), driving massive community attention.
zk-STARKs (StarkEx)
Frontend: ARI
Backend: FRI
edgeX is an Ethereum L2–based decentralized perpetual futures exchange (Perp DEX) founded in 2023 and incubated by Amber Group. Under the mission “Liquidity for All,” edgeX focuses on offering CEX-level execution speed and deep liquidity. It has grown rapidly, surpassing $355B in cumulative trading volume.
Using the StarkWare StarkEx engine — powered by zk-STARKs — edgeX achieves up to 20,000 TPS, low latency, and strong guarantees for execution integrity and privacy. It also supports MPC wallets, social login for easy onboarding, and sub-accounts designed for professional traders, enabling flexible hedging and bidirectional positions.
Since June 2025, edgeX’s “Open Season” points program has driven major increases in deposits and trading activity, reaching $13B monthly trading volume. Among Perp DEXs that have not yet held a TGE, edgeX ranks #1 in fee revenue (over $52M as of October 2025).
zk-STARKs
Frontend: AIR
Backend: FRI
dYdX v4 is the upgraded version of the decentralized perpetuals platform dYdX, incorporating zk-STARK technology. Migrating from Ethereum L2 (v3) to its own chain in early 2024, v4 uses zk-STARKs to provide transaction privacy while delivering CEX-level speed and gasless CLOB-style trading. Ahead of launching Solana spot trading in November, dYdX v4 has reached over $200M in daily trading volume.
zk-SNARKs (Groth16)
Frontend: R1CS
Backend: Elliptic-curve pairings
ZKP2P is a P2P protocol designed to allow users to directly exchange fiat and crypto (on/off-ramp) without centralized exchanges or KYC, using existing payment apps like Venmo and Revolut. Developed with grants from Ethereum’s privacy initiative PSE (Privacy Stewards of Ethereum), ZKP2P supports more than 20 chains including Base and Solana. The seller escrows crypto, the buyer sends fiat, and once the transaction is proven, the crypto is released — offering zero platform fees, low spreads (0.5–1%), and settlement in under 60 seconds.
This system is enabled by ZK technology using the zkEmail library. When a user sends fiat off-chain (e.g., through Revolut), a ZKP is generated proving that a valid payment occurred. The proof verifies only essential details—amount, recipient, currency — while keeping sensitive personal information (like name or bank details) off-chain. After the smart contract verifies the ZKP, the escrowed crypto is automatically released to the buyer, ensuring both privacy and trustless settlement.
ZKP2P recently launched V3 on the Base network, greatly improving automation and composability for better UX and LP management. During V2, it recorded over $100k in daily volume and 10,000 ZKP settlements. After the V3 launch, it expanded further by adding support for Revolut JPY (Japanese yen).
5.1.5 Games and NFTs
zk-SNARKs (Groth16-like)
Frontend: R1CS
Backend: Elliptic-curve pairings
The game, named after the Dark Forest Hypothesis from the novel The Three-Body Problem, is the world’s first fully decentralized real-time strategy (RTS) game. Its core innovation is the use of zk-SNARK technology to create a battlefield of hidden information. Within the vast universe deployed on the Gnosis Chain, players explore and conquer while cryptographically hiding the locations of their planets and their movement paths. All actions are verifiable on-chain, and a plugin system allows players to freely use AI bots or custom clients.
Dark Forest began as a community-driven game and was recently rebooted through Adventure Layer, integrating AI agents. It is also strengthening real-time privacy-proof capabilities through technical collaboration with Ingonyama, achieving a 5–10× improvement in Groth16 provers and solidifying its presence in the ZK gaming space.
5.1.6 Interoperability
Union Build is a modular L1 blockchain protocol that uses ZKP to enable trust-minimized cross-chain interoperability. In December 2024, Union Build raised $12M in a Series A led by Gumi Cryptos Capital and LongHash Ventures, bringing its total funding to $16M including a prior $4M seed round.
Aiming to solve blockchain fragmentation, Union Build uses ZKP-based interoperability to support alternative virtual machines (AltVMs) such as IBC and MoveVM. Powered by the $U token, the network functions as a “Universal Settlement Layer” that combines Ethereum rollups with IBC, and by 2025 it has achieved integrations with over 50 protocols. On September 4, 2025, it successfully launched its mainnet, ushering in an era of trustless cross-chain messaging. Just prior to launch, on August 27, it announced support for the Base network, further strengthening accessibility within the Ethereum ecosystem.
5.2.1 ZK Virtual Machines (zkVMs) and Hardware Acceleration
These are ecosystem projects that provide zkVMs, universal verification engines that allow developers with no cryptography background to generate ZKPs from code written in general-purpose programming languages, or projects that provide hardware acceleration for such systems.
SP1 zkVM
Frontend: RISC-V based AIR
Backend: FRI + Elliptic-curve pairings
SP1 is a RISC-V–based general-purpose zkVM developed by Succinct Labs, allowing developers to convert Rust or other LLVM-compatible code into ZKPs without requiring specialized cryptography expertise. SP1 is paired with the decentralized Succinct Prover Network and is used across Ethereum, Ethereum L2s, Mantle, and other blockchains, offering full EVM compatibility.
At its core, SP1 uses the RISC-V architecture — an open instruction set introduced by UC Berkeley in 2010 — known for its standardized design, low power consumption, high scalability, and strong security. The Hypercube architecture, released in May 2025, dramatically improved SP1 performance. Previously, generating proofs required 60 RTX 4090 GPUs. After optimization, Hypercube reduced this to just 16 RTX 5090 GPUs, enabling the proving of 99.7% of Ethereum blocks within 12 seconds and 95.4% within 10 seconds. This breakthrough cuts ZK rollup costs by up to 10× and represents a major step toward real-time proofs (RTP).
In July 2025, SP1-CC was introduced, leveraging ZK co-processors to prove smart contract calls, significantly reducing on-chain computation costs.
On October 9, 2025, Succinct, in collaboration with Nethermind and the Ethereum Foundation, completed formal verification of SP1 Hypercube’s 64-bit RISC-V constraint system, mathematically proving its correctness.
In the November update, SP1 became the first hash-based universal zkVM to remove dependence on “Proximity Gap Conjectures” entirely — critical because recent research revealed flaws in the assumptions underlying other hash-based zkVMs. SP1 eliminated this risk at the root. Succinct also introduced SP1-2FA, which adds TEE-based protection to strengthen the security layer.
SP1 Hypercube is expected to be open-sourced soon. It will be integrated not only into the Succinct Prover Network and OP Succinct but also into future Arbitrum deployments, delivering major improvements in cost, performance, and security.
Pico Prism zkVM
Frontend: RISC-V based AIR
Backend: FRI + Elliptic-curve pairings
Pico Prism is a zkVM developed by Brevis with the goal of enabling Ethereum’s “real-time proofs (RTP)” on consumer-grade hardware. Announced on October 15, 2025, this technology aims to mathematically prove complex smart-contract execution, cryptographic operations, and state transitions — scaling Ethereum by up to 100× while reducing verification speeds to smartphone-level responsiveness. Pico Prism aligns with the Ethereum Foundation’s goals of sub-10-second proofs and sub-$100k hardware requirements, and it has achieved results closest to these targets, earning support from Vitalik Buterin. The industry expects Pico Prism to contribute to Ethereum’s “Gigagas” L1 target of 10,000 TPS.
Built on a modular architecture, Pico Prism separates the proving workflow into an emulation phase and a hierarchical recursive-proof phase. GPUs handle the heavy computation and proof generation, while CPUs focus on coordination and orchestration. This division of labor maximizes parallel pipeline efficiency and allows scaling from a single machine to multi-GPU and multi-node deployments. As a result, Pico Prism can process proofs at Ethereum-mainnet scale.
In terms of performance, as of September 1, 2025, Pico Prism successfully proved 96.8% of EVM blocks with a 45M gas limit within 10 seconds (average 6.9 seconds). This experiment used 64 RTX 5090 GPUs (≈$128k hardware). Although 64 high-end GPUs are not yet consumer-grade, Pico Prism demonstrated a 50% lower cost, 71% faster proving speed, and 3.4× performance advantage compared to Succinct’s SP1 Hypercube. Pico Prism aims to eventually prove 99% of all blocks in under 10 seconds using ≤16 RTX 5090 GPUs, hardware under $100k, and ≤10 kW of power consumption.
Airbender zkVM
Frontend: RISC-V based AIR
Backend: FRI
Airbender is a zkVM developed by Matter Labs (zkSync) to enable Ethereum’s RTP using consumer-grade hardware. Unveiled at the Permissionless conference in June 2025, Airbender mathematically proves smart-contract execution, block verification, and interoperability processes — boosting throughput on the zkSync chain by up to 100× while targeting a proof cost of $0.0001 per transaction.
Airbender uses a modular design that splits the proving workflow into an emulation phase and a recursive zk-STARK phase. GPUs handle intensive computation and proof generation, while CPUs focus on configuration and orchestration. This separation significantly increases parallel-pipeline efficiency and enables smooth scaling from a single machine to multi-GPU or multi-node setups.
On November 21, 2025, Airbender successfully generated a full proof of an Ethereum L1 EVM block using only two RTX 5090 GPUs — on a $4k hardware setup consuming just 1 kW of power. This is a 32× reduction compared to the earlier 64-GPU requirement. The result was showcased live at the EthProofs Day demo. Airbender now targets proving 99.9% of all blocks within 10 seconds using ≤1 RTX 5090 GPU, with a total system cost under $5k and power draw under 1 kW.
zk-STARKs with Groth16 Recursion
Frontend: AIR + R1CS
Backend: FRI + Elliptic-curve pairings
RISC Zero is a RISC-V–based general-purpose zkVM capable of executing arbitrary programs written in Rust or C++. Its goal is to enhance blockchain scalability, interoperability, and security. Founded in 2021, RISC Zero has raised over $52M from investors such as a16z and Bain Capital Crypto, and is now maintained as an open-source project.
Released in April 2025, R0VM 2.0 delivered a 7–10× performance improvement over previous versions, enabling real-time proofs for ZK rollups, co-processors, bridges, and more through GPU proving and accelerator circuits. The “application-defined precompiles” introduced in zkVM 1.2 allow developers to plug in custom logic, improving proof generation speed by 2–5×.
In October 2025, RISC Zero partnered with Ligero Inc. to integrate client-side ZK proving into the RISC Zero stack, enabling multi-layer recursive proofs. The team also open-sourced a $120k GPU cluster, making sub-12-second proofs accessible to anyone and continuing to stay competitive in zkVM benchmarks.
ZisK zkVM
Frontend: RISC-V based AIR
Backend: PIL2 (FRI-based)
ZisK is the standalone product that emerged from Polygon Labs’ zkEVM development effort after it spun out as an independent project in June 2025. Led by Polygon co-founder Dario Baylina, ZisK aims to prove Ethereum blocks in real time and enables the verifiable execution of programs written in Rust, C++, Go, and other high-level languages.
Using a modular architecture, ZisK separates the proving process into a trace-generation stage and a distributed proof-generation stage. Proof creation is handled by PIL2, a zk-STARK–based module, and gRPC coordination allows multiple GPUs and nodes to work together. This design maintains 128-bit quantum resistance while significantly increasing parallel efficiency, enabling seamless scaling from a single node to full clusters.
As of October 28, 2025, ZisK successfully achieved real-time proofs for all Ethereum mainnet blocks, using a 24-GPU setup (3 nodes × 8 RTX 5090s). It delivered an average proving time of 7.68 seconds, with over 95% of all blocks completed in under 10 seconds. The results were published in an official announcement, and ZisK is now focused on reducing latency, lowering hardware requirements, and strengthening orchestration. Security has been reinforced through an OpenZeppelin audit.
Cysic is a decentralized computing network built around ZK proofs, advancing its “ComputeFi” initiative. Initially focused on developing ZK-proof accelerator ASIC chips, Cysic’s updated October 2025 whitepaper expanded its mission to transform idle hardware into open, verifiable, and user-owned compute resources, moving beyond the constraints of centralized clouds like AWS. Backed by $12M from investors such as Polychain and HashKey, Cysic now provides “Proof-as-a-Service” using GPUs and ASICs, positioning itself as a critical Web3 scalability infrastructure.
Cysic’s core strength lies in its Dual Hardware Approach, supporting both GPUs and ASICs, and its hardware-agnostic, workload-agnostic (AI, ZK, HPC) architecture. The network operates not on PoW or PoS, but on Proof of Compute (PoC) — a consensus mechanism where participants perform real computational tasks and prove their performance. Rewards are paid in a dual-token model ($CYS and $CGT), with slashing ensuring network reliability.
Source: Cysic
The Phase III testnet, launched in September, has processed over 7M proofs per day, with 118,000+ provers and 200,000+ verifiers, handling more than 13M transactions, demonstrating strong scalability and stability. Through collaboration with the Succinct Prover Network, Cysic deployed C1 ASIC chips and GPU clusters, reducing proof costs by 10×. Cysic plans to launch its mainnet and TGE in Q4 2025, and post-launch efforts include chain and contract audits, hardware-node integration, governance-vote infrastructure, and ecosystem expansion to support real-time Ethereum proofs and AI launchpads.
5.2.2 Prover Network
A decentralized ecosystem project that provides a system designed to distribute and process the computationally intensive task of generating ZKPs among multiple specialized participants (provers) to handle it faster and more efficiently.
Succinct Prover Network — Succinct
Source: Succinct
The Succinct Prover Network is a decentralized ZKP network developed by Succinct Labs, which launched its mainnet in August 2025. It acts as a distributed marketplace where various applications — such as blockchain, AI, and gaming — can request proof generation through a global prover pool. The network is powered by the PROVE token and aims to solve inefficiency, latency, and interoperability issues inherent in traditional centralized infrastructure by decentralizing the proving process.
The Succinct network reduces costs and wait times through staking and bidding mechanisms. It also integrates the SP1 zkVM, which supports general-purpose programming languages, allowing developers to easily implement ZKPs using their existing tech stack, significantly improving efficiency and accessibility. On October 8, 2025, private proving functionality was added by combining TEE and GPU with SP1’s Hypercube engine, enabling protection of input data privacy.
Additionally, by integrating ZK-ASICs (C1 chip) through a partnership with Cysic, proof generation speed increased by over 100×. Collaborations with Mantle and Optimism enabled the “OP Succinct” upgrade, providing high scalability, robust security, and support for large TVL. Succinct is spreading the concept of computational assetization and is playing a leading role in ushering in the era of real-time ZKPs. As the ZK ecosystem grows, adoption is expected to accelerate across DeFi, AI, and beyond.
Boundless Prover Network — RISC Zero
Source: Boundless
The Boundless Prover Network is a decentralized ZK compute marketplace incubated by RISC Zero and operated on the Base mainnet. Its core is the PoVW (Proof of Verifiable Work) mechanism, which rewards provers with ZKC tokens for performing genuinely useful ZK proof computations — instead of meaningless puzzle-based work like in PoW. Anyone can participate as a prover without permission, and the network aims to supply general-purpose ZK compute power to applications such as rollups, bridges, and DeFi.
Another strength of Boundless lies in its collateral and slashing system. Provers must lock up ZKC tokens as collateral to perform proving tasks, and in case of failure, 50% of the collateral is burned while the remaining 50% becomes a bounty for the next prover. Proof requesters can pay fees in ETH, USDC, and other tokens, but provers must always use ZKC as collateral, meaning network usage directly increases demand for ZKC.
Boundless officially launched on Base mainnet on September 15, 2025, starting with over 2,500 provers and now operating with more than 2,700 participants using the RISC Zero zkVM — demonstrating strong network effects and scalability. The project continues to accelerate infrastructure expansion through strategic partnerships, including Google Cloud and integration with the Fermah prover network.
Fermah is a universal zero-knowledge proof marketplace that aims to make ZK proofs the foundational infrastructure for all computing. Launched in September 2024, this decentralized network connects “Seekers” (those who need proofs) with provers who provide computing resources such as GPUs and FPGAs. Its core engine, the Fermah Matchmaker, efficiently intermediates this matching process, enabling fast and low-cost proof generation for AI, DeFi, and more.
Fermah’s greatest strengths are universality and credible neutrality. It is not tied to any specific system, broadly supporting various ZK proof systems — including zkVMs like RISC Zero and SP1, as well as zkEVM and Groth16 — giving developers high flexibility and choice. It also allows delegation of sensitive data without compromising privacy, making it ideal for DeFi and zkML (zero-knowledge machine learning) use cases.
In March 2024, Fermah partnered with ZKsync to decentralize proof generation and reduce costs. The project also raised $5.2M in funding, led by a16z’s CSX and Lemniscap, and is emerging as a key platform addressing the major bottleneck of the ZK ecosystem: proving infrastructure.
5.2.3 Verifier Network
Verification of ZKPs requires fewer resources than proof generation, but ecosystem projects are still emerging to further increase efficiency in this area.
zkVerify is a modular L1 blockchain developed by Horizen Labs, designed as a specialized network dedicated solely to the verification of ZKPs. Launched on mainnet on September 30, 2025, zkVerify distinguishes itself with sub-second verification speed and more than 90% lower costs compared to traditional L1s, while supporting a wide range of proof systems including zk-SNARKs and zk-STARKs. Performance is further maximized through hardware acceleration using Cysic’s C1 chip.
In the zkVerify network, the VFY token is used for fee payments, NPoS (Nominated Proof-of-Stake) staking, and governance participation. It supports a multichain environment including Ethereum and Base, and has already integrated with ApeChain, Ankr (80+ chain RPC), and Phala (TEE), rapidly expanding its ecosystem into AI, gaming, DePIN, and more.
Aligned Layer is a ZKP verification-only layer operating as an AVS of EigenCloud, aiming to process ZK proofs quickly and inexpensively on the Ethereum mainnet. It handles individual proof verification rapidly at a low cost of around ~250K gas, and solves Ethereum’s gas-limit constraints through its “proof aggregation service,” which uses recursive proofs to batch thousands of proofs into a single verification.
The key strengths of Aligned Layer are its universality and security. It supports a wide variety of proof systems — including SP1, RISC Zero, and Groth16 — and ensures strong security through participation from over 52 decentralized operators, utilizing 2/3 consensus and slashing mechanisms. The $ALIGN token is used for proof-verification fee payments and network-security staking, and developers can integrate proof-verification capabilities in under five minutes using the modular ZK stack and CLI tools. As of October 2025, Aligned Layer has launched “ZK Arcade” to enhance developer accessibility and has secured more than 40 partnerships — including ZKsync and Fermah — rapidly growing as a verification infrastructure.
5.2.4 ZK Coprocessors and Data Infrastructure
Ecosystem projects necessary for verifiable computing, where complex computations are performed off-chain while the results are managed by the blockchain’s smart contracts.
Brevis is a ZKP–based off-chain computing platform that aims to build an “Infinite Compute Layer,” enabling smart contracts to process complex computations and access on-chain data at low cost. To achieve this, Brevis leverages the concept of a ZK coprocessor, designed so that dApps can execute heavy computations efficiently off-chain while preserving L1 blockchain security, submitting only the zero-knowledge proof of the computation on-chain. In this process, Pico Prism — Brevis’s custom zkVM — is responsible for generating the proofs.
Backed by major investors such as a16z and Dragonfly, Brevis uses ZK technology to enable trusted data processing and verification, aiming to fundamentally solve blockchain scalability limitations. It is currently integrated with 20+ protocols including PancakeSwap and Euler Finance, and is used for implementing advanced data-driven logic such as dynamic fee computation, long-term contribution–based liquidity reward optimization, and AI inference. Brevis has received public support from Vitalik Buterin and Ethereum Foundation researchers, making it one of the most notable projects in the ZK ecosystem.
Brevis is currently running the “Proving Grounds” points campaign for community expansion: Phase 1 (social tasks) is ongoing, and Phase 2 (on-chain missions using the ZK coprocessor) begins on November 3. With the upcoming token launch (TGE), Brevis is expected to become a key infrastructure provider offering on-chain data intelligence across DeFi, AI, gaming, and more.
Herodotus is an Ethereum-based ZKP infrastructure project and data-access middleware designed to allow smart contracts to reliably query and utilize on-chain data across L1, L2, and appchains. Its core feature is storage proofs, which guarantee data integrity and trust. This framework securely supports a wide range of use cases such as DeFi solvency proofs, complex cross-chain interactions, and data-driven off-chain computation.
Herodotus is built on StarkWare’s SHARP (Shared Prover) system and provides ZK proof generation and verification through the “Atlantic” API, serving as a ZK coprocessor within the Ethereum ecosystem. The Herodotus Data Processor (HDP) processes off-chain data and submits results on-chain as ZK proofs. Its HDP-SP1 version, integrated with the SP1 zkVM, enhances performance and enables fast, reliable data verification.
As of October 2025, Herodotus is collaborating with the Ethereum Foundation to advance real-time applications of ZK proofs (Core Program Brasil) and is expanding partnerships with major projects including Cysic, Scroll, and zkSync.
5.2.4 zkTLS
zkTLS is a technical approach that uses ZKPs to overcome the structural limitations of TLS (Transport Layer Security), the internet security protocol responsible for encrypting web traffic, authenticating servers, and ensuring data integrity.
zkPass is a zkTLS-based decentralized oracle protocol that converts sensitive Web2 user data into ZKPs that can be verified on-chain without revealing the original information, serving as a privacy bridge between Web2 and Web3. Notably, proofs can be generated on mobile devices in under one second, enabling secure use cases such as social-account ownership verification and financial-record verification for DeFi, KYC, and more.
As of October 2025, zkPass has raised a total of $15 million from Binance Labs, Animoca, and others, and will begin a $2M IDO at a $100M FDV through KaitoAI Capital on October 27. A December TGE and a Q1 2025 zkTLS protocol upgrade are planned. With 25+ partnerships, zkPass aims to lead the development of a “Verifiable Internet” and the standardization of the zkTLS ecosystem, accelerating data onboarding for DeFi and AI.
Reclaim Protocol uses zkTLS technology to convert Web2 data — such as bank-transaction history, social-media activity, and API outputs — directly into ZKPs without relying on centralized intermediaries. Data owners can allow verification on-chain without exposing sensitive raw data, solving the privacy vulnerabilities and high-cost issues found in conventional KYC and identity-verification solutions.
In October 2025, Reclaim Protocol participated in the Privacy App Showcase at Devconnect (hosted by the Ethereum Foundation), highlighting real-world privacy solutions in payments, identity verification, VPNs, and more alongside RAILGUN, 0xbow.io, and Fileverse. It also collaborated with the Fold app to launch an EPF (Employees’ Provident Fund) passbook-tracking feature in India — an implementation demonstrating safe blockchain integration of Web2 financial data using zkTLS. On October 10, 2025, Biometric Update covered a demo showing website-data verification without visual material, highlighting the project’s potential in biometrics and data-verification workflows.
Primus Labs is a privacy-focused data-infrastructure project that uses zkTLS and zkFHE to securely connect sensitive Web2 data (e.g., bank balances, social-media activity) with Web3 applications. The goal is to build a verifiable data economy without risking data leakage.
To implement zkTLS, Primus Labs officially launched its distributed network “AlphaNet” in October 2025. In this testnet, randomly selected nodes capture web-session data inside a TEE and generate ZKPs. This design eliminates the risks of centralization or collusion among nodes, providing a trustworthy data-verification mechanism.
In 2025, Primus Labs rapidly expanded its ecosystem through major partnerships with Phala (TEE security), Nillion (private oracle), and Artela (verifiable AI agents). It also hosted “zkTLS Day” at Devconnect, showcasing applications across DeFi credit scoring, eKYC, RWA verification, and more.
ZK technology, which has grown within the blockchain ecosystem, is now showing its potential to solve problems in the broader digital world beyond blockchain infrastructure.
5.3.1 Decentralized Identity (DID)
ZK technology enables individuals to prove certain qualifications without revealing personal information, protecting privacy in digital identity.
Semaphore — Groth16-based
Frontend: R1CS
Backend: Elliptic-curve pairings
Worldcoin is a digital identity system created to distinguish humans from bots in the age of AI, issuing a digital ID called “World ID” that allows users to prove they are a “Unique Human.” ZK technology enables users to cryptographically prove the statement “I am a verified human” without exposing any personal information.
Worldcoin integrates Semaphore, an Ethereum-based ZK protocol, enabling users to anonymously prove membership in the “verified human group” through signal transmission. When a user needs to prove they are human within a dApp, the Semaphore protocol generates a zero-knowledge proof showing the user is included in a Merkle tree of verified members. The specific identity or position within the Merkle tree is never revealed, preserving full anonymity while proving only the fact “I am a human.” This makes it useful for dApp access, online voting, bot-resistant advertising, and other privacy-preserving authentication scenarios.
As of October 2025, Worldcoin supports over 5M monthly active users by scaling its ZKP technology. In July 2025, Worldcoin launched the ZK rollup “World Chain” in collaboration with Succinct Labs, enabling all transactions to be ZK-proven and significantly improving scalability and cost efficiency.
Keyring Network is a compliance platform for DeFi built on ZKP technology, designed to help institutional investors safely bridge traditional finance (TradFi) with the DeFi ecosystem. Founded in 2022, Keyring Network gained attention after raising a $6M seed round in March 2024. By converting traditional KYC data into ZKPs, it allows institutions and individuals to meet regulatory requirements such as AML (anti–money laundering) without exposing sensitive private information. This is achieved through its “zkVerified” system, which verifies regulatory compliance while preserving user privacy.
Another core component, “Keyring Connect,” is a ZK-KYC tool that enables rapid onboarding and whitelist registration within three hours by reusing verification data from existing platforms such as Binance. This also supports enterprise solutions, including RWA tokenization and automated B2B payments.
As of October 2025, Keyring Network is collaborating with the Ethereum Foundation after launching “zkVerified Vaults” on the Ethereum mainnet. Notably, the initial fees from these vaults are being donated to the legal defense fund for Tornado Cash developers, symbolizing their philosophy of balancing compliance with privacy. Additionally, in June 2025, Keyring Network successfully launched “zkVerified Markets” on the Avalanche network in collaboration with Euler Finance, Pyth, and others.
UltraGroth — Groth16-based
Frontend: R1CS
Backend: Elliptic-curve pairings
Rarimo is a digital identity protocol based on ZKP technology, designed to decentralize users’ social identities and protect privacy. Rarimo’s Freedom Tool is a ZK-based voting system that leverages biometric passport data, enabling users to anonymously prove voter eligibility or citizenship (Proof-of-Citizenship) without disclosing any personal information. This system integrates with projects such as Bionetta (privacy app) and ZK Graph (social graph), aiming to create an ecosystem that preserves privacy even in highly censored environments.
Rarimo has attracted international attention after raising $2.5M in a vision round backed by Vitalik Buterin. The Freedom Tool has been strengthened as an open-source project and has been used in real democratic-movement voting by anti-government activists in Russia and Georgia, demonstrating its real-world impact. In addition, Rarimo is expanding its scope into AI ethics and digital rights by proposing a ZK-based AI registry for likeness protection, integrated with OpenAI’s Sora.
zk-SNARKs (Groth16)
Frontend: R1CS
Backend: Elliptic-curve pairings
zkMe is a decentralized network that provides privacy-preserving identity verification using ZK technology. zkMe’s Identity Oracle Network securely connects off-chain ID data and web APIs to smart contracts, enabling a scalable identity solution that is not tied to any specific blockchain. This allows zkMe to provide privacy-focused verification across various chains and applications.
Its flagship service, zkKYC, enables KYC compliant with FATF standards without any centralized data storage. Through the “Accredited Investor Credential (zkPoAI)” feature, users can also prove they meet U.S. regulatory requirements without revealing sensitive financial information — supporting safer participation in RWA tokenization and DeFi. As of October 2025, zkMe supports over 30 blockchains, including Polygon, BNB Chain, and TON. Users can manage their identity via the Identity Hub and earn rewards through an XP points system.
PLONK
Frontend: PLONKish
Backend: KZG
zkPassport is a privacy-first digital ID solution for the Web3 environment, enabling users to verify themselves without revealing sensitive personal information such as name or age. Through a mobile app, users scan the NFC chips of electronic passports or national IDs, and the data is processed locally on the device using PLONK-based ZKPs with Noir-language circuits. Because proofs are generated locally and never sent to external servers, the risk of data leakage is eliminated at its root. The goal is to improve on traditional KYC vulnerabilities and prevent Sybil attacks.
zkPassport currently supports IDs from over 120 countries and has been integrated into the Aztec testnet, where it’s used to verify node operators' humanity for Sybil resistance. It is also introducing biometric verification (face-matching) to prevent identity theft and AI-generated spoofing.
zk-SNARKs
Frontend: R1CS
Backend: Elliptic-curve pairings
Self Protocol is an open-source, privacy-preserving identity-verification protocol that allows users to prove their identity or attributes (e.g., age, nationality) without exposing sensitive personal information. It connects to electronic passports from over 174 countries through NFC scanning in a mobile app and uses zk-SNARKs to generate ZKPs. When a user scans their passport, all data is processed locally on the device, and only a ZK proof — such as confirming that the user is “over 18” — is produced. This eliminates data-leak risks and is applicable to Sybil resistance, airdrop protection, and “human verification” on social media.
Self Protocol was created in February 2025 when core contributors from Celo acquired the OpenPassport project. Its key features include Pass (ZK verification) and Connect (phone-number–to-wallet linking), aiming to build Web3 identity infrastructure that preserves user privacy. In the second half of 2025, it launched a ZK Residency program to expand the developer ecosystem, and in late October announced integration with the Turkish national ID system. Integration with Google Cloud is also accelerating the adoption of ZK ID technology across Web3 and AI.
5.3.2 zkML (Verifiable AI)
Modulus Labs is a zkML research project that enables the results of machine-learning (ML) model execution to be verified on-chain using ZKPs. Founded in 2022, Modulus aims to solve AI’s “black box” problem, provide trustworthy AI outputs on the blockchain, and protect user privacy.
Its core technology, the ZKTorch compiler, converts PyTorch machine-learning models into zero-knowledge proof circuits, allowing developers to integrate existing ML models into on-chain environments such as DeFi, gaming, and digital art. In December 2024, Modulus Labs was acquired by Tools for Humanity (TFH), the parent company of Worldcoin, strengthening TFH’s capabilities in AI security and cryptographic research. Modulus' zkML benchmarks published in 2023 became an industry milestone, and by 2025 the project was cited by the U.S. Patent and Trademark Office (USPTO), reflecting its growing influence.
zk-STARKs
Frontend: AIR
Backend: FRI
Giza is a zkML platform and zero-knowledge execution layer that enables developers to make AI model inference verifiable on-chain. Founded in 2023, Giza raised $3M from CoinFund and other investors. In June 2025, it introduced the LuminAIR zkML framework and is developing Orion (based on Circle STARK proofs) to bring AI agents into the DeFi ecosystem.
The Giza ecosystem operates around the GIZA token and offers tools such as Swarms (a network of AI agents) and Pulse (a one-click AI deployment tool). These features ensure the computational integrity of AI agents while positioning Giza as a leading project within the AI-privacy coin and DeAI narratives.
ZKPs have now gone beyond being a single technology and have established themselves as an independent technological paradigm with its own research trends and market economy. At the frontier of this paradigm, efforts are being made to further advance ZK technology, while the market is witnessing the birth of new economic models.
6.1.1 Hardware Acceleration
The cost of generating ZKPs is considered the biggest barrier to the technology’s mass adoption. To address this, competition to develop ASIC chips dedicated to ZK computation is intensifying worldwide, going beyond traditional GPU-based processing. This is transforming ZK from a simple software technology into a massive infrastructure industry combined with the semiconductor sector.
As real-world research examples, studies using FPGAs and GPUs to accelerate core ZK operations such as NTT (Number Theoretic Transform) and MSM (Multi-Scalar Multiplication) have been published. Papers such as PipeZK and UniZK demonstrate that hardware designs optimized for specific zero-knowledge proof architectures can achieve performance improvements of several hundred to several thousand times compared to traditional CPUs.
Startups such as Ingonyama (Israel) and Ulvetanna (United States) are also leading the market by developing semiconductor chips dedicated to zero-knowledge computation. These hardware advances are expected to dramatically reduce proof generation time, greatly enhancing the economic viability and practicality of zero-knowledge technology.
6.1.2 Algorithmic Research
Recursive proofs such as folding schemes have radically improved the efficiency of ZK systems. Research continues to refine specific components of ZKP systems or resolve limitations in existing techniques step by step to further enhance efficiency.
GENES: GENES proposes a recursive proof structure that merges multiple proofs into one based on R1CS merging. Traditionally, recursive proof systems based on zk-SNARKs required an initial setup — such as a CRS (Common Reference String) — for each iteration. GENES overcomes this limitation. This approach could drive meaningful progress in L1 blockchain design and ZK-based scaling systems.
DUPLEX: Existing lookup arguments, such as Plookup, are techniques in ZKPs used to efficiently verify the presence of specific values within a table or to check multiple values. These methods mainly focused on limited table sizes or simple operation structures. Recent research is pushing beyond these constraints by introducing new ways to efficiently handle more complex table operations and large-scale datasets. DUPLEX in particular introduces an RSA-based cryptographic structure to improve both efficiency and scalability of lookup arguments. Once such schemes become practical, complex cryptographic hash functions and table-based logic within smart contracts or zkVM computations could be processed at significantly lower proof costs, greatly expanding the real-world applicability of ZKPs.
6.1.3 Other Research
Poseidon2b: Poseidon is a hash algorithm designed to operate far more efficiently within ZKP systems than traditional hash functions like Keccak-256. In 2023, it was upgraded to Poseidon2, optimized for prime-field environments, achieving major reductions in constraint counts. In October 2025, a further-advanced version, Poseidon2b, was officially released. This version adopts a structure specialized for binary extension fields, enabling dramatic improvements in proof size and proving speed for binary-native ZK systems such as Binius. As a result, Ethereum is considering migrating to a Poseidon-based hashing family to maximize proof efficiency at both the ZK-rollup and L1 levels. This was proposed by Vitalik Buterin in February 2025, but the corresponding proposal (EIP-5988) was not included in the Pectra upgrade.
FairZK: Proving via ZK that a machine learning model satisfies fairness conditions has highly practical value in real-world applications. For example, if one can prove that an algorithm does not discriminate against a particular group without revealing the model’s parameters or training data, both trustworthiness and privacy can be ensured. FairZK introduces a mathematical bounding technique for expressing fairness constraints and implements a system that proves these constraints in an efficient ZK form. Notably, the system supports models with 47M parameters, achieving proving speeds several times to several thousand times faster than previous approaches. This line of research suggests that ZK technology may evolve into a core mechanism not only for ensuring AI legitimacy and transparency but also for regulatory compliance and the construction of responsible AI systems.
FibRace: ZKP generation has traditionally been viewed as a server- or high-performance-hardware-centric task. FibRace challenges this assumption by experimentally testing whether real-time proof generation is feasible on mobile devices. The project conducted a large-scale benchmark experiment in which smartphone users generated proofs for the relatively lightweight computation of Fibonacci numbers and competed on performance. The results showed that most modern smartphones can complete proofs within five seconds. This study demonstrates in practice that “proof generation on end-user devices is possible,” marking an important milestone that points toward the realistic implementation of lightweight-client-centric ZK applications.
ZK technology is evolving beyond a blockchain scalability solution into a new computing paradigm where trust can be programmed and verified. This shift is evidenced by three key trends: venture capital (VC) investment, the expanding developer base, and the emergence of specialized markets where “proving” and “verifying” themselves become monetized.
6.2.1 Confidence in Future Infrastructure: Shift in VC Investment
The clearest indicator of growth in the ZK market is, unsurprisingly, the flow of capital. Venture capital firms now perceive ZK technology not as a single application (e.g., ZK-rollups) but as a foundational infrastructure for future digital interactions. As a result, investment is shifting beyond the application layer toward deeper infrastructure layers such as zkVMs, ZK hardware acceleration, and coprocessors.
Until the early 2020s, ZK startup funding was limited to small-scale R&D-focused capital raises. However, beginning in 2021–2022, substantial capital inflows centered around ZK rollups began, with approximately $1.35B invested in 2022 alone.
Even during the broader crypto market correction of 2023, infrastructure investment in the ZK space continued steadily at around $200M. From 2024 onward, a clear trend emerged in which funds concentrated on core infrastructure layers such as zkVMs, ZK hardware acceleration, and coprocessors.
By 2025, VC funding flowing into ZK projects surpassed $3.2B as of Q3, and cumulative investment since 2020 exceeded $11B. More than 60% of this capital was concentrated within the most recent two years, indicating a shift in market focus from “ZK applications” to “ZK infrastructure.”
This trend is also visible in individual cases. In 2024, Cysic raised $12M to build ZK hardware-acceleration infrastructure. Major projects such as StarkWare, zkSync, and Aztec Network are also shifting toward infrastructure-focused directions such as zkVM development, modular ecosystem expansion, and hardware integration.
Ultimately, VCs have begun viewing ZK not as a mere “scalability solution” but as the foundational structure for future blockchain systems and digital computing. As the crypto capital markets show signs of recovery, ZK technology has secured its position as one of the most strategic and long-term investment sectors.
6.2.2 Qualitative Leap Through Technological Maturity and Expanded Developer Base
The massive inflow of capital into ZK technology has not merely resulted in an increase in the number of projects. Capital has translated into human capital — an influx of skilled developers — which has driven qualitative maturation across the entire ZK ecosystem. ZK is no longer the domain of a small group of cryptographers; it has become a practical technology industry equipped with concrete development tools and frameworks.
Source: Electric Capital
According to the 2024 Electric Capital Developer Report, the number of monthly active developers in the ZK ecosystem has stabilized at 2,054, entering a maturity phase following its 2023 peak. This is not a sign of slowdown but of stabilization. A total of 823 developers — 40% of the ecosystem — work full-time, indicating the formation of a sustainable core talent base that is not swayed by short-term trends. The fact that this developer base remained intact even during market corrections shows that ZK technology has established itself as a long-term technological pillar rather than a temporary fad.
Source: Electric Capital
The numbers further demonstrate this maturation. On-chain deployments using ZK technology increased from 40 in 2020 to 639 in 2024, a more than 16× jump. While the number of developers has stabilized, productivity and real-world application have skyrocketed. This indicates that ZK technology has moved beyond the research-centric phase and has become a “practically deployable infrastructure technology” supported by more than 25 ZK proof frameworks. In particular, the steady activity of core developer groups on major L2s such as Starknet and zkSync Era supports the view that this shift is not temporary growth but the beginning of a sustained, long-term development phase.
6.2.3 Commodification of “Trust”: Emergence of Proof and Verification Markets
The advancement of ZK technology has brought about a new transformation characterized by a separation of roles. The process of producing ZKPs (proving) and the process of consuming them (verification) are now decoupled, giving rise to a rapidly growing “Proof-as-a-Service” market. The 2025 report from Chorus One shows that this new economic model is already functioning in practice.
Rollup-centric proof transactions, which numbered around 580M in 2024, grew to 4.4B in 2025 (as of Q3) — a 7.6× increase in just one year. This explosive growth is the result of more than 130 general-purpose applications and infrastructure projects entering the market, expanding proof demand far beyond rollups alone. This demonstrates that ZK technology is no longer an add-on dependent on a specific blockchain but has grown into an independent, modular industry.
The verification market has only just entered its early public-launch phase. With major projects like zkVerify and Aligned Layer beginning full-scale operations, it is still too early to discuss macro indicators such as year-over-year growth rates. However, even their initial operational data is enough to demonstrate the enormous potential of this market.
Source: zkverify.io
For example, Aligned Layer already processes more than 1,000 proofs per second, and zkVerify has verified over 6M proofs during its testnet phase alone. Both projects are integrating with major L2s and applications such as Arbitrum and ApeChain, and they have demonstrated 90–91% lower verification costs compared to Ethereum L1. Ultimately, the separation and service-based distribution of proving and verification signals the rise of a new economic order in which trust itself becomes a commodified asset.
Rapidly growing ZK technology is now stepping outside the “sandbox” of blockchain and evolving into a general-purpose technology for establishing trust in the digital world. At its core, ZK is a method of mathematically proving the integrity of data and computation without revealing the underlying information. Because of this fundamental value, ZK technology shows strong potential to expand beyond the blockchain ecosystem and into the broader digital industry.
6.3.1 Expansion into Every Industry Where Trust Is Needed
The versatility of ZK technology is now spreading into industries far beyond blockchain. The ability to “prove truth without revealing data” serves as a crucial solution for fields such as AI, finance, and healthcare — domains that demand both data reliability and privacy.
AI and Robotics – Proof of Operational Integrity and Responsibility: ZK enables autonomous vehicles or robots to prove that “their path planning complied with safety regulations” without revealing sensitive sensor data. In the event of an incident, manufacturers or operators can demonstrate that the system behaved correctly without exposing proprietary algorithms or driving logs. This becomes a practical tool for ensuring accountability and trust in AI systems.
Finance – Coexistence of Privacy and Regulatory Compliance: In finance, ZK enables the coexistence of confidentiality and compliance. JPMorgan’s Kinexys (formerly Onyx) project is implementing a system that proves AML compliance without exposing customer financial data. This opens a new frontier in privacy-preserving, regulation-friendly finance.
Healthcare – Balancing Privacy Protection and Data Sharing: In healthcare, ZK allows sensitive patient data to remain private while still being usable. A patient can prove “I have no family history of this disease” without revealing full medical records, and researchers can prove that “this dataset is based on 10,000 real patients.” The 2025 HIMSS study highlights that such approaches are gaining attention as practical solutions to ethical and legal challenges around medical data sharing.
Journalism and Democracy – Proving Authenticity: ZK is being used to guarantee the trustworthiness of information. News organizations can protect sources while proving report accuracy. Capture time, location, and edit history of images or videos can be verified to combat deepfakes. In fact, some countries, including Switzerland, have piloted ZK-based electronic voting systems, experimenting with a model that ensures both transparency and anonymity.
6.3.2 Economic Value Beyond Blockchain
If ZK technology expands beyond the blockchain ecosystem, the market can break free from its blockchain-dependent structure and develop along an independent growth curve. In other words, through decoupling, the ZK industry gains the potential to grow faster than the blockchain industry itself.
A glimpse of this shift appears when comparing market growth rates. According to the 2025 MarketsandMarkets report, the blockchain market is expected to grow at a 64.2% CAGR through 2030. Meanwhile, the 2025 Chorus One report projects that the zero-knowledge market will grow at a 68% CAGR over the same period (from $97M → $134M). The 4% difference may seem small, but it indicates that ZK technology is no longer confined to blockchain — it is expanding into AI, secure computation, data privacy, and other industries.
Support for this trend comes from VanEck’s forecasts. According to their report, annual revenue for AI-related crypto projects is expected to reach $10.2B by 2030 under the base scenario. ZK technology is highlighted as one of the core growth drivers, regarded as critical for solving issues of AI copyright, data integrity, and system safety. Among these, the “safety” segment alone is estimated to reach $1.1B.
In this way, ZK technology is establishing itself as essential trust infrastructure for AI adoption, and its influence is likely to grow. In the long term, the ZK market will fully decouple from blockchain’s growth trajectory and develop into an independent market with its own demand structure and economic logic.
Ultimately, ZK technology will not only form its own market size but also act as a catalyst enabling trust-based digital interactions across major industries including AI, finance, and healthcare. This trend demonstrates that zero-knowledge is accelerating the commodification of trust.
For ZK technology, which had long been waiting for real-world application, blockchain was the perfect partner. A trustless environment with no intermediaries, where every step must be repeatedly verified — this extreme setting became the destined stage where the idea born in an MIT lab in 1985 finally entered the real world. Within it, we witnessed ZK rollups breaking through scalability limits and privacy protocols protecting individual freedom. Passing through this harsh proving ground, ZK technology established itself as an industrial technology safeguarding tens of billions of dollars in value.
But the journey of ZK technology no longer remains inside blockchain. Having been fully trained in this incubator, the technology is now ready to head into the broader digital world. Blockchain was the first killer app that proved the potential of ZK — but it was never the final destination. The essence of ZK is “the ability to prove truth without revealing information,” a universal principle applicable to any digital interaction that requires trust.
Today, through zkVMs, proving networks, and verification networks, ZK technology is evolving into a massive Trust Factory that produces trust itself — beyond blockchain. In 2025 alone, more than $3.2B in VC capital flowed into the field, reinforcing the transformation of this technology into a robust industrial infrastructure. With this strengthened technical foundation and abundant capital, ZK technology is now preparing to merge with industries such as healthcare and finance.
The next stage for ZK technology is the upcoming era of AI and robotics. Soon, we will coexist with autonomous agents that make decisions and act without direct human intervention. In that future, our questions will be:
“How do we trust the actions of systems we do not directly control?”
How can an autonomous vehicle prove that it complied with all safety regulations?
How can an AI doctor guarantee it followed the latest medical guidelines without revealing its medical algorithms?
How can an AI financial agent prove that it executed trades fairly — without insider information or market manipulation — without revealing proprietary trading strategies?
The only mathematical answer to these questions is ZKPs. Technologies like zkML are transforming all AI and robotic decisions and actions into verifiable logs, becoming a societal fail-safe that clarifies decision grounds and accountability. This means that ZK is expanding its domain of trust from the digital world into the physical world itself.
Of course, such a future will not arrive automatically. For ZK to become universal infrastructure, many challenges still lie ahead:
The barrier of complexity: Higher difficulty risks new centralization as trust concentrates in a few experts.
The performance–security tradeoff: A single flaw can collapse the entire trust structure.
Limits of verification: ZK guarantees the honesty of computation, but not the ethics behind a decision.
The paradox of regulation: The power to hide information may clash with societal oversight.
Thus, we must move beyond viewing ZK as merely a “blockchain scaling solution.” The mountains ahead are not limitations of the technology but the next chapters that this newly emerging paradigm must work through. Reducing complexity, standardizing security, and aligning the philosophy of the technology with social consensus will be the processes that strengthen the ZK ecosystem.
ZKPs will become a new grammar of trust — rewriting how we handle truth in the digital age. What began as a curiosity in an MIT lab in 1985 has now grown into foundational technology that restores lost privacy, reconstructs trust, and breaks down the barriers of inefficiency.
And today, we stand at the Dawn of a Great Transition.
Dive into 'Narratives' that will be important in the next year
Sui
Nillion
FLock.io