This is the most important folder in this entire library.
After months of studying math and cryptographic primitives, you're finally here: Zero-Knowledge Proofs—the ability to prove you know something without revealing what you know.
ZK proofs are revolutionary:
- Privacy-preserving computation: Prove statements without revealing data
- Blockchain scaling: Verify computations without re-executing them
- Anonymous credentials: Prove attributes without revealing identity
- Secure voting: Prove you voted without revealing your choice
- Confidential transactions: Prove validity without revealing amounts
8-16 weeks of intensive study (10-20 hours/week)
This is the hardest but most rewarding section.
Before starting this folder, you MUST have completed:
- ✅ 01_ESSENTIAL_Math_Foundations/ - Number theory, algebra, finite fields
- ✅ 02_ESSENTIAL_Crypto_Primitives/ - Elliptic curves, pairings, hashes, commitments
If you skipped those: GO BACK. You will not understand this material without that foundation.
- zero knowledge/ - Classical ZK papers (GMW, Schnorr, Fiat-Shamir)
- NIZK/ - Non-Interactive Zero-Knowledge proofs (foundational papers from crypto conferences)
- commitment_schemes/ - Pedersen commitments, homomorphic commitments, polynomial commitments, structure-preserving signatures
- groth_sahai_proofs/ - Efficient non-interactive proof systems for bilinear groups (ESSENTIAL for SNARKs)
- snark_foundations/ - Core SNARK theory (Pinocchio, QSP, Groth16)
- plonky_stack/ - Modern SNARK variants (PLONK, HyperPlonk, Circle STARKs, Spartan)
- universal_updatable/ - Universal and updatable setups (PLONK, Marlin)
- recursion_and_folding/ - Recursive SNARKs (Nova, Halo 2)
- starks_polynomial_iops/ - STARK foundations and polynomial IOPs (FRI, DEEP-FRI, Aurora)
- bulletproofs_ipa/ - Bulletproofs and inner product arguments (no trusted setup)
- textbooks/ - Comprehensive learning materials and tutorials
- ⭐⭐⭐ Pedersen Commitment Scheme (1989) - Verifiable secret sharing and commitments
- ⭐⭐⭐ Groth-Sahai Proof Systems (2008) - Complete and full versions of the foundational paper
- ⭐⭐⭐ Polynomial Commitments - Foundation for modern SNARKs
- ⭐⭐⭐ PLONK & Variants - Universal trusted setups, HyperPlonk, Circle STARKs
- ⭐⭐⭐ Nova & Halo 2 - Recursive SNARKs, folding techniques
- ⭐⭐ Homomorphic Trapdoor Commitments (2009) - Advanced commitment constructions by Groth
- ⭐⭐ Structure Preserving Signatures (2010) - Connection between commitments and signatures
- ⭐⭐ Spartan - Efficient arguments without trusted setup
- ⭐⭐ Bulletproofs & IPA - Short proofs and confidential transactions
- "Proofs, Arguments, and Zero-Knowledge" - Complete modern treatment of ZK systems
Goal: Understand what zero-knowledge means
Start Here:
- ⭐⭐⭐ "Zero-Knowledge Proofs (2016) [lecture] - Miller.pdf"
  - READ THIS FIRST
  - Clear, accessible introduction
  - Sets the stage for everything else
- ⭐⭐⭐ "Proofs that yield nothing but their validity" (1991) - Goldreich, Micali, Wigderson
  - THE foundational paper
  - Shows every NP statement has a ZK proof
  - Challenging but essential
Key Concepts:
- Completeness: Honest prover convinces honest verifier
- Soundness: Dishonest prover cannot cheat
- Zero-knowledge: Verifier learns nothing except validity
- Simulator: Can fake transcripts without witness
Self-Check: Can you explain ZK to someone without a crypto background?
Read:
- ⭐⭐⭐ "Efficient Identification and Signatures for Smart Cards (1989) - Schnorr"
  - Schnorr identification protocol
  - Foundation of sigma protocols
  - Simple and elegant
- ⭐⭐⭐ "Zero-Knowledge Proofs of Identity (1988) - Feige, Fiat, Shamir"
  - Interactive ZK identification
  - Fiat-Shamir heuristic preview
- Papers on Sigma protocols (Σ-protocols)
Key Concepts:
- Interactive proofs vs. non-interactive
- Sigma protocols: Special three-move structure
- Commitment → Challenge → Response
- Schnorr protocol for discrete log
- Honest-verifier zero-knowledge (HVZK)
Implement: Code a simple Schnorr protocol
Read:
- ⭐⭐⭐ Papers on Fiat-Shamir transform
- ⭐⭐ Random oracle model papers
- ⭐⭐⭐ "Proof Systems for General Statements about Discrete Logarithms (1997) - Camenisch, Stadler"
Key Concepts:
- Fiat-Shamir heuristic: Interactive → Non-interactive
- Random oracle model
- Proof composition and AND/OR proofs
- Camenisch-Stadler notation
Self-Check: Can you convert an interactive ZK proof to non-interactive?
Goal: Understand what makes SNARKs work
Read from snark_foundations/:
- ⭐⭐⭐ "Pinocchio: Nearly Practical Verifiable Computation"
  - Introduces R1CS and practical SNARKs
  - Foundation of modern systems
- ⭐⭐⭐ "Quadratic Span Programs and Succinct NIZKs without PCPs"
  - QAP constructions
  - Efficient proving systems
- ⭐⭐⭐ "On the Size of Pairing-Based Non-Interactive Arguments" (Groth16)
  - Most efficient pairing-based SNARK
  - Used in Zcash, Filecoin, etc.
Key Concepts:
- Arithmetic circuits vs. Boolean circuits
- R1CS (Rank-1 Constraint Systems)
- QAP (Quadratic Arithmetic Programs)
- Why we need pairings
- Trusted setup
Critical: Understand the flow: Computation → Circuit → R1CS → QAP → Proof
Read everything in these subfolders:
- snark_foundations/ - Core SNARK theory and Groth16
- universal_updatable/ - PLONK and universal setups
- plonky_stack/ - Modern variants and optimizations
Key papers:
⭐⭐⭐ Efficient Non-interactive Proof Systems for Bilinear Groups (2008) - Groth, Sahai
- Located in groth_sahai_proofs/
- Foundation for all modern zkSNARKs
- Introduces NIZK proofs for bilinear groups
- Critical for understanding pairing-based SNARKs

⭐⭐⭐ PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge
- Located in universal_updatable/
- Universal trusted setup (not circuit-specific!)
- Foundation for modern SNARK landscape

⭐⭐ HyperPlonk: PLONK with Linear-Time Prover and High-Degree Custom Gates
- Located in plonky_stack/
- Significant efficiency improvements

⭐⭐ Spartan: Efficient and general-purpose zkSNARKs without trusted setup
- Located in plonky_stack/
- No trusted setup alternative
Key Concepts:
- Preprocessing vs. universal SNARKs
- Common reference string (CRS)
- Proving key and verification key
- Pairing-based SNARKs (why you needed folder 02!)
- Trusted setup ceremonies
- Polynomial commitment schemes
Implement: Try Circom/SnarkJS to write your first zkSNARK
Read from recursion_and_folding/:
- ⭐⭐⭐ "Nova: Recursive Zero-Knowledge Arguments"
  - Folding approach to recursive proofs
  - No universal trusted setup needed
- ⭐⭐⭐ "Halo 2019: Recursive Proofs without Trusted Setup"
  - Inner product arguments for recursion
  - Practical recursive systems
Also explore:
- starks_polynomial_iops/ - Transparent alternatives to SNARKs
- Bulletproofs from bulletproofs_ipa/ - No trusted setup range proofs
Key Concepts:
- SNARK efficiency comparison
- Trusted setup alternatives
- Recursive SNARKs and proof composition
- Transparent systems (STARKs, Bulletproofs)
- Folding vs. composition approaches
Read from new folders:
Commitment Schemes (commitment_schemes/):
- ⭐⭐⭐ "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing" (1989) - Pedersen
  - Pedersen commitments (fundamental)
  - Foundation for many ZK proofs
- ⭐⭐⭐ "Polynomial Commitments"
  - Essential for modern SNARKs
  - KZG and other schemes
- ⭐⭐ "Homomorphic Trapdoor Commitments to Group Elements" (2009) - Groth
  - Advanced commitment constructions
- ⭐⭐ "Structure Preserving Signatures and Commitments to Group Elements" (2010)
  - Connection between signatures and commitments
STARKs & Transparent Systems (starks_polynomial_iops/):
- ⭐⭐⭐ "Scalable, Transparent, and Post-Quantum Secure Computational Integrity"
  - STARK foundations
  - No trusted setup, post-quantum
- ⭐⭐⭐ "Fast Reed-Solomon Interactive Oracle Proofs of Proximity"
  - FRI protocol (core of STARKs)
- ⭐⭐⭐ "Aurora: Transparent Succinct Arguments for R1CS"
  - Using polynomial IOPs without pairings
- ⭐⭐ "DEEP-FRI: Sampling Outside the Box Improves Soundness"
  - FRI optimizations
Bulletproofs & Inner Products (bulletproofs_ipa/):
- ⭐⭐⭐ "Bulletproofs: Short Proofs for Confidential Transactions and More"
  - No trusted setup
  - Efficient range proofs
  - Inner product arguments
Key Concepts:
- Commitment schemes and their properties
- Polynomial commitments (KZG, FK, others)
- Range proofs without trusted setup
- Transparent proofs vs. pairing-based
- FRI and polynomial IOPs
- Inner product arguments
- Bulletproofs applications
Implement: Simple range proof using Pedersen commitments or Bulletproofs
Read:
- ⭐⭐⭐ "Zerocash: Decentralized Anonymous Payments from Bitcoin (2014)"
  - Must read: Shows zkSNARKs in production
  - Basis for Zcash cryptocurrency
  - End-to-end system design
- ⭐⭐⭐ "Zerocash [extended] (2014)"
  - Full details
  - Practical considerations
- Look at papers in 06_IMPORTANT_Applications/cryptocurrencies/
Key Concepts:
- Practical zkSNARK systems
- Performance considerations
- Security in the real world
- Trusted setup in practice
- Garbled Circuits & ZK:
  - "How to Garble Arithmetic Circuits (2012)"
  - "Zero-Knowledge Using Garbled Circuits (2013)"
  - Connection to MPC
- PCPs and Probabilistic Proofs:
  - "The History of the PCP Theorem (2005)"
  - "On the Concrete Efficiency of Probabilistically-Checkable Proofs (2012)"
  - Theoretical foundations
- SNARKs for RAM:
  - "Fast Reductions from RAMs to Delegatable Succinct Constraint Satisfaction Problems (2012)"
  - More general computation models
- Post-Quantum ZK:
  - "Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives (2017)"
  - Future-proof ZK
- Composition & Frameworks:
  - "A Framework for Practical Universally Composable Zero-Knowledge Protocols (2011)"
  - Security under composition
- ⭐⭐⭐ Zero-Knowledge Proofs lecture - Miller
- ⭐⭐⭐ Proofs that yield nothing but their validity - Goldreich, Micali, Wigderson
- ⭐⭐⭐ Efficient Identification and Signatures - Schnorr
- ⭐⭐⭐ Pedersen Commitments (Verifiable Secret Sharing) - 1989
- ⭐⭐⭐ Groth-Sahai Proofs - Foundation for all modern SNARKs
- ⭐⭐⭐ All papers in snark_foundations/ - Pinocchio, QSP/QAP, Groth16
- ⭐⭐⭐ PLONK from universal_updatable/ - Modern universal setup
- ⭐⭐⭐ Polynomial Commitments - Essential for SNARKs
- ⭐⭐⭐ Zerocash papers - Real-world zkSNARK application
- ⭐⭐ Zero-Knowledge Proofs of Identity - Feige, Fiat, Shamir
- ⭐⭐ Proof Systems for General Statements about Discrete Logarithms - Camenisch, Stadler
- ⭐⭐ Nova (Recursive SNARKs) from recursion_and_folding/
- ⭐⭐ Halo 2 - Recursive proofs without trusted setup
- ⭐⭐ STARKs papers from starks_polynomial_iops/ - Transparent alternatives
- ⭐⭐ Bulletproofs from bulletproofs_ipa/ - No trusted setup
- ⭐⭐ Homomorphic Trapdoor Commitments - Groth 2009
- ⭐⭐ Structure Preserving Signatures - Advanced commitment techniques
- ⭐⭐ HyperPlonk and modern SNARK variants from plonky_stack/
- ⭐ PCP papers (very theoretical)
- ⭐ Garbled circuits for ZK
- ⭐ DEEP-FRI and FRI optimizations
- ⭐ Circle STARKs
- ⭐ Post-quantum ZK
- ✅ Completeness, Soundness, Zero-Knowledge
- ✅ Interactive vs. Non-Interactive
- ✅ Witness vs. Statement
- ✅ Simulator and simulation
- ✅ Honest-verifier vs. Malicious-verifier
- ✅ Three-move structure
- ✅ Schnorr protocol
- ✅ OR and AND composition
- ✅ Fiat-Shamir transform
- ✅ Arithmetic circuits
- ✅ R1CS representation
- ✅ QAP encoding
- ✅ Why pairings are needed
- ✅ Trusted setup
- ✅ Groth16 construction
- ✅ How to write ZK-friendly circuits
- ✅ Common pitfalls
- ✅ Performance considerations
❌ Don't:
- Skip the foundational GMW paper - it's essential
- Try to understand SNARKs before Sigma protocols
- Ignore the math - QAPs require algebra knowledge
- Rush through - this is the hardest material
- Forget to implement - coding solidifies understanding
✅ Do:
- Start with Miller's lecture (accessible intro)
- Understand Schnorr protocol deeply
- Work through R1CS → QAP conversion by hand
- Implement simple protocols
- Join ZK communities for help
- Be patient - this takes months to master
- Implement Schnorr identification in Python
- Code Fiat-Shamir transform
- Create AND/OR proof composition
- Write simple arithmetic circuit
- Convert circuit to R1CS
- Use Circom to write first zkSNARK
- Implement simple range proof
- Build ZK authentication system
- Create ZK Sudoku verifier
- Circom + SnarkJS: Write zkSNARKs in circuits
- ZoKrates: ZK toolbox for Ethereum
- libsnark: C++ SNARK library
- Bellman (Rust): Used by Zcash
- arkworks (Rust): General ZK toolkit
- gnark (Go): Consensys framework
This folder focuses on classical ZK and SNARKs. Modern developments include:
- PLONK: Universal trusted setup
- STARKs: Transparent (no trusted setup), post-quantum
- Nova: Recursive SNARKs
- Halo 2: No trusted setup, recursive
- Marlin: Universal setup
- Spartan: Efficient arguments
You'll need to supplement with recent papers (2019-2024) for these.
- 01_ESSENTIAL_Math_Foundations: All the algebra and number theory
- 02_ESSENTIAL_Crypto_Primitives: Pairings, commitments, hashes
- 04_ESSENTIAL_MPC: Garbled circuits, ZK in MPC protocols
- 06_IMPORTANT_Applications: Cryptocurrencies, anonymous credentials
- Private computation
- Blockchain scalability
- Anonymous systems
- Verifiable computation
Q: How long does it really take to learn ZK? A: 3-6 months for basics, 6-12 months to be proficient, years to master. Be patient.
Q: Do I need a PhD to understand this? A: No, but you need strong foundations (folders 01-02) and persistence.
Q: What's the difference between zkSNARKs and zkSTARKs? A: SNARKs use pairings (need trusted setup), STARKs use hashes (transparent). Read STARK papers separately.
Q: Can I skip the theory and just use libraries? A: You can use libraries, but you won't understand security implications or be able to design systems.
Q: What should I learn first: SNARKs or STARKs? A: SNARKs (this folder). STARKs are newer and build on different foundations.
Q: Is the trusted setup a dealbreaker? A: Depends on application. Ceremonies can make it practical (see Zcash). Or use transparent systems (STARKs, Bulletproofs).
After finishing this folder, you should be able to:
- ✅ Explain zero-knowledge to non-experts
- ✅ Understand and code Sigma protocols
- ✅ Convert computations to arithmetic circuits
- ✅ Understand R1CS and QAP representations
- ✅ Explain how zkSNARKs work
- ✅ Use Circom to write simple ZK circuits
- ✅ Understand trusted setup tradeoffs
- ✅ Read modern ZK papers
- ✅ Design basic ZK systems
If you can't do most of these, spend more time in this folder.
- Weeks 1-3: Foundations
- Weeks 4-8: SNARKs theory
- Weeks 9-12: Range proofs and applications
- Weeks 13-16: Advanced topics + implementation
- Weeks 1-2: Foundations (skip some advanced theory)
- Weeks 3-5: SNARKs (focus on Groth16)
- Weeks 6-7: Applications (Zerocash, range proofs)
- Week 8: Hands-on implementation
- Follow conservative plan
- Read ALL papers thoroughly
- Implement everything from scratch
- Contribute to open-source ZK projects
If interested in MPC: → 04_ESSENTIAL_MPC/README.md
If interested in FHE: → 05_ESSENTIAL_FHE_and_Lattices/README.md
For applications: → 06_IMPORTANT_Applications/README.md
For modern systems:
- Research PLONK, STARKs, Nova, Halo 2
- Join ZK research communities
- Read recent papers (2020+)
Check out the comprehensive implementation guide:
→ 00_START_HERE/IMPLEMENTATION_GUIDE.md
This guide includes:
- Modern ZK proof systems (PLONK, STARKs, Halo 2, Nova)
- Programming languages (Circom, Cairo, Noir, ZoKrates)
- Production frameworks (snarkjs, arkworks, gnark)
- Online courses and tutorials
- Recent papers (2018-2025) with download links
- Practical projects and hands-on exercises
- Community resources and Discord servers
Essential companion to the theory papers in this folder!
- ZKP MOOC (Berkeley/Stanford)
- 0xPARC ZK Learning Group
- ZK Whiteboard Sessions (YouTube)
- ZKProof.org
- zkSNARKs Discord servers
- Ethereum ZK research forums
- "Proofs, Arguments, and Zero-Knowledge" - Thaler (2022)
- "Mathematics of Public Key Cryptography" - Galbraith
- Vitalik Buterin's ZK posts
- StarkWare blog
- Zcash blog
Reaching this folder means you've invested months in building foundations. The journey through zero-knowledge is challenging but incredibly rewarding.
This is where cryptography gets magical.
Take your time. Work through the papers methodically. Implement concepts. Ask questions. Join communities.
Welcome to the world of Zero-Knowledge Proofs!
Remember: Quality over quantity. Better to deeply understand 10 core papers than superficially skim 50.