Terminology Glossary

Common terms and definitions in zero-knowledge proofs

Foundations & Future

🧱 Fundamentals ⚙️ Proof Systems 🔗 Constraint Systems 🔐 Cryptographic Primitives 🚀 Advanced Concepts 🌐 ZK Applications 📐 Mathematical Foundations

🧱

Fundamentals

# Zero-Knowledge Proof (ZKP): A cryptographic method that allows one party (the prover) to prove to another party (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. → Prover · Verifier · Witness
# Prover: The party in a zero-knowledge protocol that possesses secret information (the witness) and wants to convince the verifier of a statement's truth without revealing the secret. → Verifier · Witness
# Verifier: The party in a zero-knowledge protocol that checks the validity of a proof without learning any secret information beyond whether the statement is true or false. → Prover · Proof
# Witness: The secret input or private data that the prover uses to generate a proof. The witness is never revealed to the verifier but is essential for creating a valid proof. → Prover · Public Input
# Public Input: Data that is known to both the prover and verifier, used alongside the witness to generate and verify proofs. Also called public parameters or instance. → Witness · Statement
# Statement: The claim being proven in a zero-knowledge proof. It typically asserts that the prover knows a witness satisfying certain conditions without revealing the witness itself. → Witness · Circuit
# Soundness: A security property ensuring that a dishonest prover cannot convince the verifier of a false statement, except with negligible probability. → Completeness · Zero-Knowledge
# Completeness: A property guaranteeing that an honest prover with a valid witness can always convince the verifier that the statement is true. → Soundness · Zero-Knowledge
# Knowledge Soundness: A stronger form of soundness that guarantees if a prover can convince a verifier, then the prover must actually 'know' the witness (extractable via an extractor algorithm). → Soundness · Extractor

⚙️

Proof Systems

# zkSNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge): A type of ZKP that is succinct (small proof size), non-interactive (no back-and-forth communication), and provides a proof of knowledge. Most zkSNARKs require a trusted setup. → zkSTARK · Trusted Setup · Succinctness
# zkSTARK (Zero-Knowledge Scalable Transparent Argument of Knowledge): A type of ZKP that is transparent (no trusted setup required), scalable, and post-quantum secure. STARKs typically have larger proof sizes than SNARKs but avoid trusted setup assumptions. → zkSNARK · FRI · Transparency
# PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge): A universal zkSNARK construction that uses a single trusted setup for all circuits of a given size. It's widely adopted due to its flexibility and efficiency. → Universal Setup · KZG · Polynomial Commitment
# Groth16: One of the most efficient zkSNARK constructions in terms of proof size and verification time. Requires a circuit-specific trusted setup but produces very compact proofs. → Trusted Setup · Pairing-based
# Halo: A recursive proof composition technique that eliminates the need for a trusted setup by using a novel polynomial commitment scheme. Enables efficient proof aggregation. → Recursion · IPA · Accumulation
# Bulletproofs: A non-interactive zero-knowledge proof system that doesn't require a trusted setup. Known for efficient range proofs but has linear verification time. → Range Proof · IPA
# Nova: A folding scheme for incrementally verifiable computation (IVC) that enables efficient recursive proof composition with minimal overhead per step. → Folding · IVC · Recursion

🔗

Constraint Systems

# R1CS (Rank-1 Constraint System): A constraint system where each constraint is of the form (a · s) * (b · s) = (c · s), where a, b, c are vectors and s is the witness vector. Used in Groth16 and other SNARKs. → Constraint · QAP · Witness
# Plonkish: A family of arithmetization schemes based on PLONK that use a table-based approach with custom gates and lookup arguments. Includes Halo2, Plonky2, etc. → PLONK · Custom Gates · Lookup
# AIR (Algebraic Intermediate Representation): A constraint system used in STARKs that represents computation as polynomial constraints over an execution trace. Constraints are checked at every row of the trace. → STARK · Execution Trace · Transition Constraints
# QAP (Quadratic Arithmetic Program): A representation of R1CS constraints as polynomials, enabling efficient verification using polynomial identity testing. Core to many SNARK constructions. → R1CS · Polynomial
# Circuit: An arithmetic circuit representing a computation as a directed acyclic graph of addition and multiplication gates over a finite field. The standard way to express computations in ZK systems. → Gate · Wire · Constraint
# Constraint: A mathematical equation that must be satisfied by the witness values. Circuits are compiled into sets of constraints that the prover must satisfy. → Circuit · R1CS · Satisfiability
# Arithmetization: The process of converting a computation into an arithmetic representation (like R1CS, AIR, or Plonkish) that can be used in a zero-knowledge proof system. → R1CS · AIR · Circuit

🔐

Cryptographic Primitives

# Polynomial Commitment: A cryptographic primitive that allows a prover to commit to a polynomial and later prove evaluations of that polynomial at specific points without revealing the entire polynomial. → KZG · FRI · IPA
# KZG Commitment (Kate-Zaverucha-Goldberg): A polynomial commitment scheme using elliptic curve pairings. Produces constant-size commitments and proofs but requires a trusted setup. → Polynomial Commitment · Pairing · Trusted Setup
# FRI (Fast Reed-Solomon Interactive Oracle Proof of Proximity): A protocol used in STARKs to prove that a committed function is close to a low-degree polynomial. Enables transparent (no trusted setup) polynomial commitments. → STARK · Reed-Solomon · Low-Degree Test
# IPA (Inner Product Argument): A polynomial commitment scheme that doesn't require pairings or trusted setup. Used in Bulletproofs and Halo. Has logarithmic proof size but linear verification time. → Bulletproofs · Halo · Polynomial Commitment
# Pedersen Commitment: A cryptographic commitment scheme that is computationally binding and perfectly hiding. Often used to commit to values in ZK protocols. → Commitment · Hiding · Binding
# Merkle Tree: A tree data structure where each leaf contains a hash of data and each non-leaf node contains a hash of its children. Used for efficient membership proofs in ZK systems. → Hash Function · Membership Proof
# Fiat-Shamir Transform: A technique to convert an interactive proof into a non-interactive one by replacing the verifier's random challenges with hash outputs of the transcript. → Non-Interactive · Random Oracle

🚀

Advanced Concepts

# Recursion: The technique of verifying a proof inside another proof, enabling proof composition and aggregation. Essential for scaling ZK systems. → IVC · Folding · Aggregation
# IVC (Incrementally Verifiable Computation): A technique where each step of a computation produces a proof that verifies all previous steps, enabling efficient verification of long-running computations. → Recursion · Nova · Folding
# Folding Scheme: A technique to combine multiple instances of a relation into a single instance, enabling efficient recursive proof composition without full SNARK verification at each step. → Nova · IVC · Accumulation
# Lookup Argument: A technique that allows proving that values in a computation belong to a predefined table, enabling efficient implementation of non-arithmetic operations. → Plookup · Custom Gates
# Custom Gates: In Plonkish systems, gates that go beyond simple addition and multiplication, allowing more efficient representation of specific operations. → Plonkish · Gate
# Proof Aggregation: Combining multiple proofs into a single proof that can be verified more efficiently than verifying each proof individually. → Recursion · Batching
# Trusted Setup: A one-time ceremony to generate public parameters for certain ZK systems. The secret randomness used must be destroyed; if compromised, fake proofs could be created. → CRS · Powers of Tau · Toxic Waste
# Universal Setup: A trusted setup that can be reused for any circuit up to a certain size, unlike circuit-specific setups that must be regenerated for each new circuit. → PLONK · Trusted Setup

🌐

ZK Applications

# zkRollup: A Layer 2 scaling solution that bundles (rolls up) transactions off-chain and posts a validity proof on-chain, inheriting the security of the base layer while increasing throughput. → Layer 2 · Validity Proof · Data Availability
# zkEVM: A zero-knowledge virtual machine compatible with the Ethereum Virtual Machine, allowing existing Ethereum smart contracts to run with ZK proof generation. → zkRollup · EVM · Compatibility
# zkVM (Zero-Knowledge Virtual Machine): A virtual machine that can generate zero-knowledge proofs of program execution. Examples include RISC Zero, SP1, and various zkEVMs. → zkEVM · RISC-V
# Private Transaction: A blockchain transaction where details like sender, receiver, or amount are hidden using zero-knowledge proofs while still proving validity. → Zcash · Tornado Cash
# Verifiable Computation: Using ZK proofs to verify that a computation was performed correctly without re-executing it, enabling trustless outsourcing of computation. → zkVM · Proof of Computation
# zkML (Zero-Knowledge Machine Learning): Applying zero-knowledge proofs to machine learning, enabling verification of ML inference without revealing the model or input data. → Verifiable Computation · Privacy

📐

Mathematical Foundations

# Finite Field: A field with a finite number of elements, typically denoted F_p for prime p. All arithmetic in ZK circuits is performed over finite fields. → Prime Field · Extension Field · Modular Arithmetic
# Elliptic Curve: A curve defined by an equation of the form y² = x³ + ax + b over a field. The group structure of points on elliptic curves is fundamental to many ZK constructions. → Pairing · Scalar Multiplication
# Pairing (Bilinear Pairing): A bilinear map e: G₁ × G₂ → G_T between elliptic curve groups. Enables verification of polynomial equations in the exponent, crucial for SNARKs like Groth16. → Elliptic Curve · KZG
# Lagrange Interpolation: A method to find a polynomial that passes through a given set of points. Used extensively in polynomial-based ZK systems for encoding constraints. → Polynomial · FFT
# FFT (Fast Fourier Transform): An efficient algorithm for polynomial multiplication and evaluation. Critical for performance in ZK systems that work with large polynomials. → NTT · Polynomial
# NTT (Number Theoretic Transform): The finite field analog of FFT, used for efficient polynomial operations in ZK proof systems. Requires the field to have roots of unity. → FFT · Finite Field
# Schwartz-Zippel Lemma: A fundamental result stating that a non-zero polynomial of degree d evaluated at a random point is zero with probability at most d/|F|. Basis for polynomial identity testing in ZK. → Polynomial · Soundness