Non-Interactive Zero-Knowledge for Blockchain: A Survey

We survey the state-of-the-art non-interactive zero-knowledge argument schemes and their applications in confidential transactions and private smart contracts on blockchain. The main goal of this paper is to serve as a reference for blockchain application developers in finding the most suitable scheme for a particular use case. We give an overview and compare the state-of-the-art protocols for confidential transactions and private smart contracts regarding the protection of the transaction graph and amounts, data and functionality. However, our main focus is on state-of-the-art zero-knowledge argument schemes. We briefly describe their backgrounds, proof lengths and computational complexities and discuss their cryptographic security models. Our focus is on seminal, otherwise notable and, especially, implemented methods that are ready to be applied in practice. We also survey the existing implementations of transforming computations into circuit representations required by those methods. We note that the existing schemes have different strengths and drawbacks regarding usability, setup, proof length and proving and verification costs.


I. INTRODUCTION
We are increasingly dependent on services provided by smart devices and communication networks. Massive collection of data has enabled the development of new consumer devices such as smart home appliances, as well as the improvement of the efficiency of industrial applications. However, massive data collection has also lead to security and privacy issues. For example, a centralized Internet-of-Things (IoT) architecture involves a single point of trust which is a major target for malicious entities. Decentralization can provide a solution to this problem. In particular, blockchain has found use in the creation of trustless, decentralized environments for managing the integrity of data for applications such as IoT [1]- [3].
Virtually any functionality can be implemented on a blockchain network using smart contracts that enable devices to automatically verify and execute transactions between entities [4]. Blockchain and smart contracts enable decentralized The associate editor coordinating the review of this manuscript and approving it for publication was Wenbing Zhao . applications (DApps) [5] to be run on a peer-to-peer network. These applications are controlled and run by the network as a whole enabling the users to retain the ownership and control of their data. Progress in such a direction is important. For example, the General Data Protection Regulation (GDPR) requires better protection on sensitive data and grants European Union citizens more control over it.
Blockchain itself does not ensure that the user data stays private. Even though designed to hide user identities using pseudonyms, it is a misconception that a blockchain is anonymous. There are several challenges regarding the security and privacy of blockchain. For example, transaction privacy cannot be guaranteed due to the visibility of the sender and receiver addresses and transaction amounts [6], [7]. In addition, pseudonyms can be linked to individuals based on their connection patterns [8].
There are privacy-protection techniques for blockchain such as mixing services, blind and ring signatures and homomorphic commitments. However, zero-knowledge argument schemes are going to be one of the main building blocks of privacy-preserving blockchain applications. They can be used to assure the validity of a statement or the knowledge of secret values without disclosing any information apart from the fact that the prover knows those things. Such functionality enables us to guarantee the validity of the data on the blockchain without disclosing sensitive information. It can also implement verifiable computing which enables computation offloading to untrusted entities for edge computing. Through verifiable computing a client can verify the validity of the computation from a proof of its correctness.
In order to implement privacy-preserving applications for blockchain, developers need to be aware of the existing privacy protection and zero-knowledge schemes, their properties and suitability for different use cases. In this paper, we have conducted a survey of zero-knowledge based privacy-protection methods targeted for blockchain applications and an extensive survey on the state-of-the-art zero-knowledge argument schemes. However, there is a vast literature on the development of such protocols and it would be intractable to include all of that work in the limited space. We have concentrated on peer-reviewed schemes that either 1) are seminal or otherwise notable, 2) are recent and amongst the most optimized variants of their class or 3) have a practical implementation that blockchain application developers could immediately apply in practice. We classify these schemes into five main classes based on their properties. Regarding practical implementations, there are also general purpose libraries that have implemented multiple approaches to zero-knowledge and we devote a separate section to those. In order to achieve the required functionality, all of the schemes require computations to be transformed into a circuit representation. Therefore, we also discuss existing implementations for circuit generation.
The paper is organized as follows. Section II gives an overview of blockchain technology, its use cases and privacy issues. In Section III, we describe the concept of a zero-knowledge proof and the requirements for their practical applicability. Section IV presents a survey of zero-knowledge based privacy-protection schemes for blockchain applications. Section V is devoted to circuit generation tools that are required for the applications of zero-knowledge arguments. In Sections VI to X, we discuss the five classes of zeroknowledge argument schemes. In Section XI, general purpose libraries are presented. Section XII is devoted to the discussion of the theoretical and practical performance of these schemes. Finally, Section XIII provides the conclusion.

A. RELATED WORK
We concentrate on zero-knowledge argument schemes for blockchain applications. To the best of our knowledge, there does not exist a recent survey on the topic. There exists a large body of work concentrating on cryptocurrencies and on the blockchain itself [9]- [12], as well as on the security threats and challenges related to blockchain technology [13], [14]. Privacy aspects have been considered in [15]- [17] and privacy-preservation in public blockchains in [18]. Range proofs based on zero-knowledge have been surveyed in [19].
Surveys concentrating on threats and challenges to the security of blockchain-based IoT can be found in [20]- [22]. Contrary to our survey, the performance of practical implementations of zero-knowledge argument schemes has not been considered in these surveys. However, for general information on the threats and challenges regarding security and privacy, we refer to the extensive work in the aforementioned surveys.

II. BLOCKCHAIN AND PRIVACY
Blockchain can be considered as a database which is distributed and decentralized over a peer-to-peer network. It utilizes cryptographic algorithms to verify and record data into a series of blocks which is distributed to the peers. These blocks are linked into an immutable chain and new verified blocks are connected to previous ones using cryptographic hashing. As a result, the blockchain is tamper-resistant; it is computationally infeasible to alter data that has already been published in the chain. In order to form a unique blockchain, the network peers need to be able to verify the validity of the data for the next block and to achieve a consensus on it. The central novelty of blockchain is the elimination of intermediaries or trusted parties in this process.
Combining confidentiality with public verifiability is not easy. Privacy issues related to blockchain technology can be found, for example, in the surveys of Khalilov and Levi [17], Feng et al. [23] and Herskind et al. [24]. All nodes need to be able to verify the validity of the data. This leads to issues such as de-anonymization by linking identities to blockchain addresses or vice versa. In addition, the contents of the blockchain can be analyzed to determine the real world identities corresponding to each bit of data. The behavioral aspects of the submitted data can be also analyzed. For example, the time of the day of the submission may betray information about the geo-location of the blockchain address controller. Other attributes can also be monitored to create a profile of the individual. Regarding smart contracts, fields in the contract can be analyzed to determine the identities of the contractual parties. Even if certain fields of the contract are declared private, the transactions related to the contract may reveal information about the contract.
The only way to prevent these kinds of attacks is to make the stored data confidential. However, if data is encrypted it is impossible to publicly verify its validity using conventional methods. Fortunately, zero-knowledge schemes provide such functionality.

III. ZERO-KNOWLEDGE PROOFS
Non-interactive zero-knowledge proofs are the main building blocks for privacy on the blockchain. They enable us to demonstrate the validity of a statement without leaking any other information. A zero-knowledge protocol is a versatile building block for many privacy-oriented applications. They have been used to realize, among others, digital signature schemes, electronic voting, verifiable computing and user identification protocols.
Goldwasser, Micali and Rackoff considered the question of proving a proposition in zero-knowledge in their seminal work in [25]. Independently, a similar question was posed by Brassard, Chaum and Crépeau [26]. In general, there are two participants in a zero-knowledge proof system. The prover, in possession of a possible witness to the validity of a proposition, wants to convince a verifier. The following three properties need to be satisfied: 1) Completeness. Knowing a witness to the validity of a statement, the prover is able to convince the verifier. 2) Soundness. A malicious prover is not able to convince the verifier in the case that the statement is false. 3) Zero-knowledge. The verifier learns nothing except that the statement is true.
In applications, we often require that the prover can efficiently extract a witness for the statement when the verifier is convinced. Such a strengthening of the soundness condition is called a proof of knowledge.
Under the assumption that there is a secure encryption scheme, all problems in the class of decision problems solvable in non-deterministic polynomial time, NP, have interactive zero-knowledge proofs [27]. Depending on the requirements, the three properties can be satisfied either perfectly, probabilistically or using computational restrictions. For example, in zero-knowledge with computational soundness, the soundness is only satisfied against polynomial time adversaries. Zero-knowledge schemes with computational soundness are called argument systems in order to distinguish them from zero-knowledge proofs that always have perfect soundness. In argument systems the prover is restricted to polynomial-time computation which is a reasonable assumption in practice. Analogous conditions can be defined for computational zero-knowledge.

A. NON-INTERACTIVE ZERO-KNOWLEDGE ARGUMENTS
Zero-knowledge proofs (in the traditional sense) are interactive, online protocols. However, for blockchain applications we need offline functionality such as non-interactive verification. Only the class of decision problems solvable in bounded-error probabilistic polynomial time, BPP, has non-interactive zero-knowledge proofs in the standard model without any setup [28], [29] meaning that additional assumptions or functionality are needed.
There are multiple widely used methods for transforming interactive zero-knowledge proofs into non-interactive ones. They make different assumptions regarding the setup of the system or the underlying cryptographic model. The following approaches have been adopted by the methods surveyed in this paper: 1) The common reference string (CRS) model. Blum, Feldman and Micali gave the first non-interactive zeroknowledge (NIZK) proof for any problem in NP based on the participants sharing a string [30]. The CRS needs trusted setup and all participants need to have access to the same string. Any scheme following this model can be secure only if the CRS was generated correctly and securely. For a large number of participants the CRS generation can be a complex and time consuming process. Therefore, CRS-based schemes are hard to setup. However, they are typically also efficient to operate and the proofs are small. 2) The Fiat-Shamir heuristic [31] is a method of creating a digital signature scheme from an interactive proof of knowledge protocol that uses public randomness. The Fiat-Shamir transform replaces interaction and (a part of) the randomness by an application of a public cryptographic hash function, whose outputs, in some sense, can be interpreted as the CRS. The security is preserved in the random oracle model (ROM) [32]: we assume that the output of the hash function is uniformly random and independent for different inputs. The random oracle model is significantly stronger than the standard model and not all security properties of zero-knowledge are preserved [33]. However, no complex setup is needed. [34] is an alternative technique to the Fiat-Shamir heuristic. In general, the Fiat-Shamir method is not secure against quantum computing and yields insecure schemes for some protocols [35]. The Unruh transformation gives a provably secure NIZK proof for any interactive one against quantum adversaries in the ROM. Similar to Fiat-Shamir, no setup is needed. 4) Kalai et al. [36] suggested an argument system for any decision problem using private information retrieval.

3) Unruh transformation
The method applies a model of multi-prover interactive proof systems (MIP). A MIP is converted into an argument system based on the methods of Aiello et al. [37] and the construction works in the standard model without the random oracle assumption. This approach is used in some of the proofs-for-muggles based zero-knowledge arguments (see Section VII).
In general, there are two main classes of zero-knowledge arguments: 1) -protocols are interactive proof-of-knowledge protocols that can be transformed into non-interactive versions using the Fiat-Shamir paradigm. Methods based on -protocols are efficient at proving algebraic statements such as those related to the discrete logarithm problem. For non-algebraic statements and, in particular, for general computations -protocols tend to be inefficient. 2) Zero-knowledge succinct non-interactive arguments of knowledge (SNARKs) [38] follow the common reference string model. They typically produce very short proofs compared to -protocols, but the CRS needs to be generated in advance. Some schemes require trusted setup or the application of costly methods such as secure multiparty computation for the CRS [39].
In addition, in general the CRS cannot be reused if the computation changes. However, there are emerging models well suited for blockchain applications that address these issues by maintaining a CRS that can be updated [40]. If only public randomness can be used, the scheme is called transparent.

B. REPRESENTING STATEMENTS AND COMPUTATIONS
If not proving algebraic statements, state-of-the-art zeroknowledge argument systems require the computation to be presented as a circuit. Depending on the method, the circuit needs to be either Boolean or arithmetic. In order to apply an existing zero-knowledge argument scheme, a developer thus needs to transform the computation into a circuit. Fortunately, there are tools that can be applied to make the conversion. We have collected existing circuit generation methods into Section V.

C. OUR CLASSIFICATION
We attempt to classify state-of-the-art zero-knowledge arguments and their implementations into groups with similar design choices and properties. A non-overlapping classification is difficult, because suggestions typically borrow techniques from each other and combine techniques from -protocols and SNARKs. Here, we attempt a classification that is based on both the design approach and the typical differences in the operating characteristics of the schemes, such as prover and verifier complexities, proof lengths and best-case applicability.
In our classification, there are five main classes of constructions: 1) zero-knowledge based on interactive oracle proofs (IOP) and probabilistically checkable proofs (PCP), 2) schemes based on the so called ''proofs-for-muggles'' approach, 3) schemes based on linear PCPs and the discrete logarithm problem, 4) zero-knowledge based on quadratic arithmetic programs (QAP) and 5) schemes based on secure multiparty computation (MPC). We present these approaches briefly together with existing schemes following them. A sixth class could be added to the list: an approach based on non-interactive computing protocols using fully homomorphic encryption [41]. However, these methods are still too expensive in terms of computation to be considered practically feasible.
There is a vast literature on the theory of zero-knowledge argument systems and their applications and it would be impractical to include all of that work into this survey. Therefore, we have concentrated on methods that are seminal or otherwise influential, methods that are recent and, especially, those that have an implementation. Further references can be found from the cited literature.
The next section presents a survey of zero-knowledge based privacy-protection methods for blockchain applications. Zero-knowledge argument schemes have been surveyed in the subsequent sections. Finally, there are general purpose libraries that gather several implementations into a single package and provide tools for circuit generation. These methods have been collected into Section X.

IV. ZERO-KNOWLEDGE IN BLOCKCHAIN APPLICATIONS
Zero-knowledge arguments are used as a building block in many privacy solutions for blockchain-based applications. In this section, we have surveyed such solutions. Due to the history of blockchain technology, many applications concentrate on financial blockchains and transactions. However, there are also schemes that target a wider application scenario using smart contracts.
Smart contract based solutions provide flexible mechanisms without relying on trusted parties by transferring the required trust into the trust of the cryptocurrency. They enable fair exchange of goods, services and data using, for example, zero-knowledge contingent service payments (ZKCSP) [42]. In ZKCP, users can lock funds in the blockchain based on a puzzle and to release those funds once a solution is provided. Anyone demonstrating a solution, often in zero-knowledge, can claim the funds. Zero-knowledge arguments are also used to prove the solvency of cryptocurrency exchanges [43] and in blockchain applications involving Internet-of-Things (IoT) devices [44] and electronic voting [45].
Transaction data needs to be publicly verifiable for the consensus algorithm to work. Therefore, public verifiability needs to be maintained while sensitive data is protected. In the following, we have surveyed the methods for preserving the privacy of blockchain transactions and smart contracts. Zero-knowledge proofs and arguments often provide the key functionality of these methods.

A. PRIVACY OF TRANSACTIONS AND ASSETS
For commercial reasons, it is imperative to hide both your transaction amounts, as well as the parties you are doing business with. Privacy-preserving transaction schemes attempt to provide such functionality while maintaining the public verifiability of transaction validity. In the literature, confidentiality refers to the protection of account or wallet balances and transaction amounts. Anonymity refers to the protection of the transaction graph; the obfuscation of the sender and receiver addresses to make it impossible to trace who transferred assets to whom.
In Bitcoin, coins are stored in unspent transaction outputs (UTXO). Whenever a valid transaction is made, the unspent coins are forwarded into an UTXO. These unspent transaction outputs can be used as inputs for future transactions. Several cryptocurrencies follow the UTXO model and there are privacy-preservation schemes that apply only to this model. Ethereum, on the other hand, follows a different model, where the balance of a user is stored globally in an account. Cryptocurrencies based on the account model require their own privacy-preservation schemes.
Preliminary attempts to provide transaction privacy were limited due to their designed compatibility with the Bitcoin network. Such services (so called mixes, laundries or tumblers), such as CoinJoin, attempt to scramble transactions by TABLE 1. Privacy-protection schemes for transactions, the corresponding transaction model (unspent transaction outputs (UTXO) or account) and blockchain type, regulatory compliance, protection of sender and receiver addresses and transaction amounts.
bundling those of multiple entities together into an anonymity set. The aim is to make it too hard for anybody to trace transactions back to a specific individual. There exists other transaction obfuscation protocols and services inspired by CoinJoin such as CoinShuffle and TumbleBit [46]. However, the size of the anonymity set is often limited and it has been observed that these methods are not effective in practice [47]. See, for example, [23] for a summary of existing mixing services.
Transaction confidentiality can be achieved using commitment and secret sharing schemes [48] together with zero-knowledge arguments. The zero-knowledge argument is typically used to show that the sum of the inputs in a transaction is greater than that of the outputs and that the output amounts are positive. It is also infeasible to use exact values without leaking information. Therefore, ranges of values are used instead resulting in so called range proofs. One of the major limiting factors regarding the application of zero-knowledge is the actual size of such proofs. Since these proofs need to be included into the blockchain, their size should be compact.
The protection of anonymity and the confidentiality of transactions has attracted a lot of interest from the scientific community. In the following, we have presented the seminal, the most notable, as well as the most recent schemes for the protection of transactions. Most of these schemes work for public blockchains, enabling any party to join, submit transactions and become a validator. However, some schemes work only for permissioned blockchains, where participation is restricted. A comparison has been collected into Table 1. 1) Confidential Transactions [49], [50] is designed to hide transaction amounts. Sender and receiver addresses are not protected. The construction applies additively homomorphic Pedersen commitments [48] and zero-knowledge range proofs to enable public verification of the protected transactions. The protocol is compatible with transaction obfuscation schemes and can be used in conjunction with them.
2) ValueShuffle [51] is based on the CoinJoin concept and the CoinShuffle proposal that removes CoinJoin's need for a trusted third party. In addition, the Confidential Transactions protocols is applied to hide transaction amounts. Due to the application of anonymity sets, the transaction graph is only partially protected. 3) CryptoNote is a protocol for the implementation of untraceable and unlinkable cryptocurrencies using anonymity sets. It applies ring signatures, originally suggested by Rivest et al. [52] to hide the identities of the payer and the recipient, as well as the amount. However, the transaction amount is only partially hidden and attacks have been identified against CryptoNote-style blockchains [53].

4) Monero is a cryptocurrency originally based on
CryptoNote and its strengthening with the Ring Confidential Transactions (RingCT) protocol [54] that combines ring signatures with the Confidential Transactions protocol. Due to attacks on the linkability of the transactions [55], Monero has since moved to considerably stronger full zero-knowledge arguments using the Bulletproofs scheme [56] (see Section VIII). 5) Mimblewimble [57], [58] is another combination of transaction obfuscation CoinJoin together with Confidential Transactions. Non-interactive version of CoinJoin due to Saxena et al. [59] is applied to obfuscate sender and receiver addresses, while Confidential Transactions hides the transaction amounts. Transactions can be also aggregated to improve scalability and the need to download old transactions when new ones need to be verified is eliminated. The protocol has been proved secure against coin theft and inflation [60]. 6) Zerocoin [61] is a cryptographic extension to Bitcoin to improve the privacy of transactions. Its goal is to prevent the tracking of individuals by third parties by hiding the sender addresses. However, destinations and amounts remain visible. The protocol applies zero-knowledge arguments based on Schnorr signatures [62]. Non-interactivity is achieved using the Fiat-Shamir heuristic (see Section III-A). Due to the heavy application of the discrete logarithm problem, the proofs are big and the verification is slow. 7) Zerocash [63] is a cryptocurrency protocol implementing fully anonymous transactions based on SNARKs (see Section III-A). They are applied to implement a decentralized anonymous payment (DAP) scheme, where users can place coins into a shielded pool. Compared to Zerocoin, the proof length and verification time are significantly reduced, but a common reference string has to be generated beforehand. Zerocash hides the transaction graph and the amounts. Basically, any zero-knowledge argument scheme can be used as a building block for Zerocash. The original suggestion applies the Pinocchio scheme [64] (see Section IX). The Zerocash protocol is used in the Zcash cryptocurrency. 8) Policy-enforced Zerocash attempts to address the issue of cryptocurrency regulation [65]. One of the biggest problems related to decentralized currencies is their use for illegal activities such as extortion and money laundering. Policy-enforced Zerocash is a decentralized anonymous payment system that is capable of enforcing compliance to regulatory policies. The Zerocash protocol is augmented to have such properties using simulation-extractable SNARKs. 9) Quisquis [66] improves on Monero using updatable public keys. In Monero and Zerocash the size of the UTXO set increases due to transaction address obfuscation. Quisquis attempts to remove this drawback by enabling users to create anonymity sets by themselves for private transactions. Privacy is ensured by updating the public keys and zero-knowledge arguments are used to show that the keys have been updated and coins have not been stolen. However, anonymity sets do not provide perfect anonymity. 10) Decentralized Conditional Anonymous Payments (DCAP) [67] is another protocol for regulated cryptocurrencies in the UTXO model. The authors apply a zero-knowledge signature of knowledge scheme to provide conditional anonymity that is compatible with regulation requirements. However, trusted nodes are required and the authors suggest a permissioned blockchain to be used. 11) Androulaki et al. [68] propose a privacy-preserving scheme for transactions on permissioned blockchains following the UTXO model. Using zero-knowledge arguments based on bilinear pairings (see Section VIII), the scheme supports fine-grained auditing and regulation. Public blockchains are not supported. Performance measurements based on a prototype implementation using Hyperledger Fabric can be found in [68].

12)
BlockMaze [69] offers private transactions for account-based blockchains such as Ethereum. SNARKs are used to hide transaction amounts and sender and recipient addresses. The protocol is proven secure under a formal security model and implemented using the general purpose library libSNARK (see Section XI). 13) AttriChain [70] offers traceable user anonymity and private transactions on a permissioned blockchain. Due to traceability, the protocol supports regulation and policy enforcement. Threshold cryptography protects users from malicious validators and enables accountability against those regarded by the network as malicious. Zero-knowledge arguments are used to provide privacy against other users. Public blockchains are not supported. 14) Solidus [71] is a protocol for confidential transactions on public blockchains and follows the account model. Contrary to contemporary cryptocurrencies, the user accounts are maintained by banks that mediate the transactions hiding amounts and parties. However, each transaction is publicly verifiable on the blockchain using zero-knowledge arguments. Due to banks, regulation is possible, but auditing requires to open the transactions and cannot be done publicly. 15) PGC [72] is a system for confidential transactions on an account-based blockchain. The scheme trades anonymity for the support for privacy-preserving audits and regulation. The transaction graph is not hidden and a party can request users to prove their compliance with a set of policies. An integrated signature and encryption scheme is used to provide confidentiality and a non-interactive zero-knowledge argument enables users to prove compliance. 16) zkLedger [73] is a distributed ledger system designed for banks for transaction privacy and public verification with auditing. The transaction amount is protected and the transaction graph with the sender and receiver addresses is hidden. Auditing can be performed publicly. Non-interactive zero-knowledge arguments based on -protocols (see Section III-A) are applied together with cryptographic commitments. The size of a transaction grows linearly in the number of participants meaning that the protocol does not scale well. It is thus targeted for ledgers with only a moderate number of users.

B. PRIVATE SMART CONTRACTS
Smart contracts attempt to provide flexibility by enabling self-enforcement and automatically resolving transactions. In general, any computation can be included into a smart contract and they are considered as one of the most potential future applications of blockchain. The Ethereum platform offers a Turing-complete scripting language and thus enables the implementation of virtually any functional- Privacy-protection schemes for smart contracts, the transaction model and blockchain type, protection of the sender and receiver addresses, protection of input and output data, obfuscation of the computation and the supported computational functionality.
ity. Zero-knowledge schemes can be applied to protect sensitive information and the computations stored inside a smart contract. While there are suggestion for the protection of smart contract privacy that are not based on zero-knowledge such as Ekiden [74], which applies a trusted execution environment, the majority of schemes use zero-knowledge arguments. In the following, we have briefly described the stateof-the-art smart contract protection schemes. A comparison can be found in Table 2. 1) Hawk [7] implements transaction privacy in a programmable decentralized blockchain such as Ethereum. The protocol hides the transaction amounts between the pseudonyms and enables the binding of those transactions using programmable logic for offline computation. Confidentiality is not provided against parties participating in the contract and the computed function is not hidden. However, the protocol provides security against cheating parties that deviate from the protocol or abort it. A compiler can be used to transform the private portion of a contract into a circuit representation. SNARKs are applied to enforce the correctness of the contract execution, which is handled by a managing third party who can see the user's inputs and needs to be trusted. However, the manager cannot affect the execution of the protocol even by colluding with some of the parties. 2) zkay [75] is a language for writing smart contracts with encrypted data. Zero-knowledge arguments are used to prove the correctess of the data and its usage. However, user anonymity is not provided. The language has been implemented for Ethereum and the proving functionality is provided by the ZoKrates library [76] (See Section V-A). 3) Zether [77] is a mechanism for making private transactions on smart contract based platforms. It is itself implemented as a smart contract that can keep account balances hidden and to deposit, transfer and withdraw funds. However, the sender and receiver addresses are only partially protected by an anonymity set. A custom zero-knowledge scheme called -Bullets is used to incorporate advantages of both -protocols and SNARKs. The Bulletproofs scheme (see Section IX) is used as the SNARK. Interoperability is provided for other smart contracts enabling arbitrary distributed applications to be privacy-preserving. [78] is a system that enables users to generate publicly verifiable transactions that prove the correctness of an offline computation using SNARKs. This means that, contrary to other schemes, functions can be computed privately. Stateful computations are not supported meaning that only partial smart contract functionality is provided. However, the security model is stronger than that of other schemes: function privacy is also provided. 5) DSC [79] is a framework for protecting the balance and transaction amounts for smart contracts on account model blockchains. Homomorphic encryption and zero-knowledge arguments are applied to protect transactions with a mechanism for programmability. The sender and receiver are not protected. However, contrary to Hawk, no trusted parties are required. 6) PPChain [80] is a privacy-preserving permissioned blockchain architecture based on Ethereum and the account model. Regulation and smart contracts are supported. Group signatures and broadcast encryption are used to protect data from other users. However, validating and recording nodes see all data and privacy-protection is therefore only partial. In addition, a trusted manager in charge of tracing malicious behavior is needed. Smart contract operations executed through transactions are protected.

V. BOOLEAN AND ARITHMETIC CIRCUIT GENERATION
Zero-knowledge argument schemes require computations to be presented as a circuit. The efficiency of the schemes depends mainly on the size of the circuit C measured in the number of gates denoted by |C|. Therefore, circuit generation is one of the most important factors affecting practical performance. The conversion of the computation can be done with manual circuit construction tools or automatically using compilers. Manual conversion tends to produce more optimized circuits, while automatic conversion is more convenient for the developer. Manual conversion tools are typically required for performance critical application.
There are a number of both high-level language compilers and low-level circuit composition tools. We have discussed the most notable of these in the following subsections.

A. HIGH-LEVEL COMPILERS
High level compilers provide developers an easy method of transforming a computation into a circuit. These compilers VOLUME 8, 2020 accept code written in a high-level language. Therefore, both new and existing algorithms can be easily converted. However, some restrictions may have been placed on the structure of the code in order to produce a circuit of adequate size. 1) Pinocchio [64], [81] is a complete suite for producing non-interactive zero-knowledge arguments. It contains a high-level compiler to transform C code into a Boolean or arithmetic circuit representation. The resulting circuit is then converted by the compiler into a quadratic arithmetic program (QAP) (see Section IX) for the zero-knowledge argument protocol execution. 2) TinyRAM is a random-access machine designed to produce concise assembly code from programs written in high-level languages [82]. The assembly code is converted into an arithmetic circuit. 3) Buffet/Pequin is a system for the generation of circuits with easy programmability and data-dependent flows [83]. It is a part of the Pepper/Pequin project implementation (see Section XI). The system attempts to generate efficient circuits from a program written in a subset of the C language. 4) Geppetto [84] is a compiler that transforms LLVM code into a QAP. It has a library for low-level control of the circuits, as well as high-level C libraries for the optimization of several programming patterns such as loops. 5) xJsnark framework [85] is a compiler for automatic transformation of programs into optimized arithmetic circuits. A developer can write a program in a Java-like language. Experimental evaluation of the performance can be found in [85]. Code is available in Github. 1 6) ZoKrates [76] is a toolbox for zero-knowledge offchain computations on the Ethereum blockchain. Code written in a custom high-level imperative language is compiled into a Rank-1 Constraint System (R1CS) used by some schemes. A proof-of-concept implementation is available. 2 7) Isekai is a tool for the automatic generation of Boolean and arithmetic circuits from C/C++ code. It can produce circuits for most of the contemporary zero-knowledge argument schemes. The framework is available in Github. 3 8) genSTARK is a library for the generation of zero-knowledge proofs using the STARK scheme (see Section VI) based on JavaScript. Functionality can be implemented in a custom language called AirScript which can be compiled into a constraint problem especially intended for the STARK scheme. The library is available in Github. 4 Low-level circuit construction tools are often needed in scenarios where the performance of the zero-knowledge argument scheme is critical. Compared to the high-level compilers, these tools require more effort and skill from the developer, but produce circuits that are typically much smaller.
1) libSNARK is a full C++ library for SNARKs. It implements both circuit construction tools and general purpose proof systems. The circuit building modules, called Gadget Libraries, can be applied to construct a R1CS or systems of polynomial equations for zero-knowledge protocols. The zero-knowledge functionality of libSNARK is described in Section XI. The library is available in Github. 5 2) jsnark is a Java-based library for constructing circuits.
Gadgets can be combined to express the functionality of the computation. Circuits produced by the Pinocchio compiler can be also integrated. Code is available in Github. 6 3) Bellman is a Rust-based library for the formulation of constraint systems. Currently, it is under refactorization into a generic proving library. 4) snarky is an OCaml front-end for the implementation of circuits for SNARKs based on R1CS. The tool is available in Github. 7 5) Circom is a language for the generation of arithmetic circuits. A javascript-like language is used to express the functionality of the circuit. The tool is available in Github. 8 6) gnark is an open source library for writing circuits for zero-knowledge argument protocols. The library is developed in the Go language. Currently, only Groth16 (see Section VIII) protocol is supported. The source code is available in Github. 9

VI. ZERO-KNOWLEDGE BASED ON PROBABILISTICALLY CHECKABLE PROOFS
Kilian [86] constructed the first interactive zero-knowledge argument scheme for NP that achieves polylogarithmic communication. The scheme is built using collision-resistant hash functions, interactive proof systems (IP) [25], [87] and probabilistically checkable proofs (PCP) [88]- [91]. The prover and the verifier (considered as randomized algorithms) interact in multiple rounds of communication during which the verifier tests the knowledge of the prover regarding a statement. Usually, only one sided error is considered: a prover is always able to argue for a true statement, but the verifier may accept a false statement with low probability. Micali transformed the scheme into a one-message non-interactive scheme using the Fiat-Shamir heuristic [92] (see Section III-A). Subsequent works have applied Kilian's machinery in the construction of schemes using extractable collision-resistant hash functions [38], [93].
The following implementations can be considered to follow this approach. [94] is an interactive computational integrity protocol based on PCPs and follows the original suggestion of Kilian [86] and methods of Ben-Sasson et al. [95], [96]. The protocol provides publicly verifiable proofs without trusted setup. However, complete zero-knowlegde is not provided. The time and memory complexities of the prover are quasilinear in the program execution length. The proofs are succinct, but slow to verify. SCI has been implemented in practice and measurements on its performance can be found in [94]. 2) STARK is an improvement on SCI [97]. The scheme is based on interactive oracle proofs (IOP) with public randomness, but can be made non-interactive with the Fiat-Shamir paradigm in the random oracle model. The construction is post-quantum secure. However, the security depends on a non-standard cryptographic assumption regarding Reed-Solomon codes. Asymptotically, the proof length is O(log 2 |C|) and verification runs in O(|C|) time. Proving is more costly: O(|C| log 2 |C|). STARK has an implementation in C++ 10 and an evaluation of its performance can be found in [97]. There are also open-source implementations called Hodor 11 and OpenZKP 12 both written in Rust, as well as the JavaScript library genSTARK.

1) Scalable Computational Integrity (SCI)
3) Aurora is a succinct non-interactive argument (SNARG) based on STARK [98]. It is an argument system specially designed for rank-1 constraint system (R1CS). Non-interactivity is based on the Fiat-Shamir construction. The design does not use asymmetric cryptography and can thus be considered post-quantum secure. The proof length is O(log 2 |C|), can be verified in O(|C|) and proving runs in O(|C| log |C|). The Aurora protocol has been implemented in libiop available in Github. 13

VII. ZERO-KNOWLEDGE USING PROOFS FOR MUGGLES
Contrary to the setting of computational assumptions considered by Kilian [86], Goldwasser et al. [101] addressed the problem of constructing interactive proofs for polynomial time provers in the original interactive proof model. They presented a novel approach called ''proofs-for-muggles'' that works for a large class of problems. These proofs can be made non-interactive using the transformation of Kalai et al. [36] (see Section III-A). For details, see for example [101].
1) CMT. The first practical implementation of the ''proofs-for-muggles'' approach is due to Cormode et al. [102] who applied the machinery developed by Goldwasser et al. [101]. The practical performance of CMT can be found in [102]. 2) Hyrax [103] is a zero-knowledge argument system without trusted setup based on interactive proofs and cryptographic commitment schemes [104], [105]. Non-interactivity is provided using the Fiat-Shamir heuristic. The construction applies the discrete logarithm problem and is not post-quantum secure. Hyrax has been implemented based on the compiler of Giraffe 14 [106] and the full source code is freely available. 15 3) Libra [107] is zero-knowledge proof system based on the ''proofs-for-muggles'' approach that achieves optimal prover complexity of O(|C|). The proof length and verification complexity are both O(d log |C|), where d is the depth of the circuit. A trusted setup is needed and its complexity depends on the input to the circuit. The scheme applies bilinear pairing and the knowledge-ofexponent assumption and is not post-quantum secure. Non-interactivity can be implemented based on the Fiat-Shamir method. 4) Spartan [108] applies polynomial commitments to achieve improvement in verification complexity. Computations are presented as R1CS and zero-knowledge is based on existing compilers such as Libra [107]. However, no trusted setup is needed. Non-interactivity is implemented using the Fiat-Shamir transform. The prover complexity is O(|C| log |C|) while both the proof length and the verifier complexity are O(log 2 |C|).

VIII. SCHEMES BASED ON LINEAR PCPs AND THE DISCRETE LOGARITHM PROBLEM
Ishai et al. [109] suggested the possibility of applying additively homomorphic public-key cryptography to reduce the communication complexity of interactive linear PCPs. Recent results for the complexity of fully linear PCPs can be found in [110]. Groth et al. suggested the first NIZK schemes based on the discrete logarithm problem [111]- [113] and bilinear pairings that achieves perfect completeness, computational soundness and perfect zero-knowledge [114]. Similarly to 14 https://github.com/pepper-project/giraffe 15 Hyrax reference implementation: https://github.com/hyraxZK VOLUME 8, 2020 the PCP technique, the general construction at first expresses the statement as an algebraic constraint satisfaction problem. However, cryptographic commitments similar to the Pedersen commitment scheme [48] are applied to achieve sub-linear proof length and non-interactivity without the Fiat-Shamir heuristic. However, a large CRS is required and the protocol depends on a strong cryptographic assumption known as the ''knowledge-of-exponent''. With a sufficiently long CRS, a constant proof length can be achieved [114] ultimately consisting of only three underlying group elements [115], [116]. Proving and verification are costly due to exponentiations. For additional application scenarios, a stronger security model called simulation-extractability has been suggested [117].
The following schemes are based on linear PCPs and/or the discrete logarithm problem. None of these are post-quantum secure.

1) Groth's Linear SNARK. The seminal work of
Groth [113] achieves communication complexity that is proportional to the square root of the size of the circuit. 2) BCCGP. Bootle et al. [118] implemented the first non-interactive zero-knowledge proof protocol based on the discrete logarithm problem and using the techniques of Groth [113], [119]. 3) Bulletproofs [56] is based on the techniques of BCCGP [118]. The protocol is designed to provide communication-efficient proofs especially for confidential transactions through range proofs which can be efficiently aggregated. However, any NP-problem is supported and the protocol does not require trusted setup. The protocol can be extended to achieve post-quantum security and non-interactivity is provided through the Fiat-Shamir heuristic. The length of the proof is logarithmic in the number of multiplication gates of the verification circuit. The prover and verifier complexities are linear in the size of the witness w. Bulletproofs has a full implementation using arithmetic circuits. 4) Groth16 applies elliptic curve pairings and the knowledge-of-exponent assumption [114]. The method achieves a constant proof length [116], but requires pre-processing for the CRS with length quadratic in |C|. The verifier complexity is linear, while the prover complexity is quadratic in |C|. The resulting scheme satisfies perfect completeness and zero-knowledge with computational soundness. 5) Sonic [120] is a zero-knowledge scheme based on the updatable CRS model of Groth [117] using a polynomial commitment scheme, pairings and arithmetic circuits. Trusted setup for the CRS is needed and can be implemented, for example, with secure multiparty computation. However, once the CRS has been generated, any circuit of a given size is supported. The prover complexity is There is an open source implementation in Rust. 16 PLONK reduces the proof length of Sonic and improves the efficiency of the prover [121]. However, it has not yet gone through peer-review. 6) Marlin [122] is another method based on Sonic.
The CRS is updatable and universal. Verification is improved using special encoding for the statement. Non-interactivity is achieved with the Fiat-Shamir paradihm. The algorithm has been implemented in Rust and the source code is available. 17 7) Supersonic [123] applies a novel polynomial commitment scheme to turn Sonic into a zero-knowledge scheme that does not require trusted setup. The proof length and the verification complexity are O(log |C|).
The prover complexity is O(|C| log 2 |C|). The construction is not post-quantum secure.

IX. ZERO-KNOWLEDGE BASED ON QUADRATIC ARITHMETIC PROGRAMS
Gennaro et al. [124] formulated classes of algebraic satisfaction problems called quadratic span programs (QSP) for proving boolean circuit satisfiability and QAP for proving arithmetic circuit satisfiability with more efficient and simpler proof checking. QAP-based constructions are able to achieve constant length proofs and the verification is fast: linear in the length N of the input. A CRS is needed. In addition, the length of the CRS grows in the number of gates. The prover complexity is typically linear in |C|.
Existing suggestions related to this approach include the following ones. 1) GGPR. Gennaro et al. pioneered the quadratic program based approach in [124]. It was the first construction to compactly encode computations as QSP or QAP. 2) Pinocchio is a complete suite for zero-knowledge. Its zero-knowledge arguments are based on the GGPR using QAP and designed for verifiable computing [64], [81]. Computations can be verified publicly; an untrusted computer can generate proofs that anybody can check for the correctness of computation. The setup and proof generation are O(|C|). Verification is linear time in the lengths of the inputs and outputs and the proof length is constant. A compiler is provided (See Section V) and can be used to transform a C language program into a QAP.

X. ZERO-KNOWLEDGE FROM SECURE MULTIPARTY COMPUTATION
Zero-knowledge protocols are a special case of secure multiparty computation (MPC) with two participants, where Alice and Bob hold secret values a and b, respectively, and want to compute the output c = f (a, b) of a function f while keeping their inputs private. The problem of secure two party computation was originally suggested by Yao [125] who 16 https://github.com/zknuckles/sonic 17 https://github.com/scipr-lab/marlin showed how to solve it using the so called ''garbled circuits'' approach, which has been applied in many zero-knowledge argument schemes.
Ishai et al. [126] pioneered the IKOS approach (initials of the authors) of constructing zero-knowledge arguments using secure MPC together with PCPs and cryptographic commitment. The prover simulates secure MPC ''in its head'' for the verification function between n parties. The verifier gets to choose a subset of these verifiers to check the consistency of their state. Another approach applying the MPC is due to Jawurek et al. [127] who implemented zero-knowledeg by transforming statements into garbled circuits.
Proofs generated following the MPC-in-the-head paradigm are large and verification is costly. However, the approach is Boolean circuit friendly and the prover complexity is relatively low. In addition, the approach provides post-quantum security. Compared to the MPC-in-the-head, the Jawurek et al. approach has more efficient proving, but the proofs are larger and non-interactivity is hard to achieve.
The following schemes apply multiparty computation.
1) ZKGC [127] is an interactive zero-knowledge argument protocol based on Yao's garbled circuits. The construction applies secure MPC. Oblivious transfer with commitment properties is used by the prover to commit to the circuit output. The scheme has a proofof-concept implementation that has been evaluated in [127]. 2) ZKBoo [128] is based on the ''MPC-in-the-head'' approach and works for both Boolean or arithmetic circuits. No pre-processing is required and non-interactivity is realized using the Fiat-Shamir method. Proving and verifying of statements is fast. However, the proof length is O(|C|) and thus large. The protocol has a a proof-of-concept implementation. 3) ZKB++ [129] is an optimized variant of ZKBoo [128].
The proof length is reduced to half compared to ZKBoo. ZKB++ has been evaluated for both the Fiat-Shamir heuristic and a modified version of the Unruh transformation (see Section III-A), which has larger proofs. The protocol has a practical implementation and its performance evaluation can be found in [129]. 4) Ligero [130] is an interactive zero-knowledge protocol for any NP-problem without trusted setup. Noninteractivity can be realized with the Fiat-Shamir method. The protocol is based on symmetric cryptography, MPC [131] and PCPs following the work of Ishai et al. [126]. Public-key cryptography is not used and the scheme can be considered post-quantum secure. The asymptotic proof length is proportional to the square-root of the verification circuit size. The prover and verifier complexities are O(|C| log |C|).
If uniformity assumptions can be made regarding the circuit, the verifier complexity can be made linear.
There is a C++ implementation and its practical performance can be found in [130]. Ligero is also included in libiop library (see Section XI).

XI. GENERAL PURPOSE IMPLEMENTATIONS FOR ZERO-KNOWLEDGE
General purpose implementations provide several approaches to zero-knowledge arguments and combine those with circuit generation tools. The goal is to provide a library of schemes such that one of them can be picked, potentially with automatic optimization, depending on the use case. The following libraries have implemented several zero-knowledge argument schemes following the approaches mentioned above. 1) libSNARK is a C++ library that implements several general purpose proof systems. Currently, seven constructions are supported: 1) An extension to the zero-knowledge argument of Ben-Sasson et al. [132] which follows the same approach as Pinocchio [64], [81] using R1CS, 2) SNARKs for problems expressed as arithmetic circuits, 3) SNARKs for problems expressible as unitary-square constraint systems [133], 4) SNARKs for Boolean circuits for the language of two-input boolean circuit satisfiability, 5) simulationextractable SNARKs based on the method of Groth and Maller [117], 6) ADSNARK [134] for efficient SNARKs on authenticated data from a trusted source, and 7) method for proof-carrying data (PCD) for recursive composition of SNARKs to extend SNARKs to the setting of distributed networks of verifiers and provers based on the method of Bitansky et al. [135]. 2) Pepper/Pequin. Pequin, previously known as Pepper, is a complete tool chain for verifiable computing and zero-knowledge arguments. LibSNARK is used to implement the SNARK functionality. Giraffe can be used to transfer computations into constraint problems. Source code is freely available. 18 3) libiop is a C++ library for zero-knowledge arguments that apply interactive oracle proofs. It includes implementations for Ligero, Aurora and Fractal and provides a tool chain for the transformation of probabilistic interactive proofs into transparent and quantum-secure zero-knowledge arguments. Computations are expressed as R1CS. The library is available on Github. 19

XII. DISCUSSION ON THEORETICAL AND PRACTICAL PERFORMANCE
Typically, the performance of algorithms is measured by their asymptotic complexities. The asymptotic complexity gives a comparative measure for the efficiency of algorithms when the input is large. However, the asymptotic notation hides the constant terms which determine the performance for small inputs. For existing applications of zero-knowledge schemes, 18 https://github.com/pepper-project/pequin 19 https://github.com/scipr-lab/libiop the circuits are relatively small and both the asymptotic complexities and the constant terms are important. The asymptotic performance of the surveyed methods has been collected into Table 3. These asymptotics are based on the reported values in the cited publications. For some schemes the complexities were not available and those have been evaluated by the authors of this survey and should be interpreted as approximations. For ZKGC [127], the asymptotic complexities have been evaluated for the reported proofof-concept implementation which is not optimal. We have also provided references to the practical evaluations of the methods whenever such evaluations have been available. Typically, these evaluations are based on a simple computation such as the computation of a cryptographic hash function. It should be noted that the performance is largely affected by the size of the generated circuit which depends on the circuit generation tool. However, the circuit is not fixed across all existing comparisons in the literature and cannot be fixed for schemes following a different approach (for example Boolean vs. arithmetic vs. R1CS). A comprehensive evaluation with several optimized circuits for different types of computations using a fixed computational platform would be useful for comparison. However, such an evaluation does not seem to exist and is out of the scope of this survey.
There are other properties in addition to the computational complexity that are relevant for the practical applicability of the scheme. For example, some methods require trusted setup or its implementation using secure multiparty computation or another complex pre-processing phase, while others do not. The type and size of the CRS and the required randomness also vary and the cryptographic security model is not the same for all methods. These performance affecting properties have been collected into Table 4 together with the post-quantum security status and the dependence on the random oracle model.
The selection of the most efficient scheme for a specific task requires skill and knowledge from the developer. Currently there is not a single zero-knowledge argument scheme that outperforms others in every situation. At least the following aspects affect the performance: 1) the nature of the computation or statement, 2) the type of the computation (is it sequential in nature or highly parallel), 3) the input size of the computation, 4) the optimization aspects of the scenario, that is, if proving and verification complexities or proof length should be optimized and 4) the level of security required for the application. These issues need to be evaluated based on the use case.
Regarding the nature of the computation, -protocols are sufficient and more efficient than SNARKs for algebraic statements such as those involving the demonstration of the knowledge of a discrete logarithm a given a public key g a . If the computation involves the computation of block ciphers and/or hash functions then SNARKs outperform -protocols [136]. The type of the computation also has a profound effect. For example, Hyrax has been optimized for parallel circuits while Ligero works better for iterated TABLE 4. The type of randomness and/or the length and type of the common reference string (CRS), post-quantum security (PQ) and the dependence on the random oracle model (ROM) for the surveyed zero-knowledge argument schemes.
computations [97]. For practical cases, QAP tends to outperform QSP [124]. The size of the computation determines whether the asymptotics or the constant terms are relevant regarding performance. For current zero-knowledge argument schemes, practical computations can be performed only for relatively small circuits. In fact, many optimizations suggested in the literature are based on lowering the constant terms of the existing suggestions. For example, ZKBoo and ZKB++ have exactly the same asymptotic complexities, but ZKB++ has a proof length that is only half of that of ZKBoo.
For many blockchain applications, the proof length may be the deciding factor meaning that methods with constant length proofs, such as Groth16, may be optimal. However, those schemes incur a significant pre-processing penalty and have a big CRS that needs to be managed. For a developer, a collection of schemes may prove to be optimal. Automatic tools that choose the best option depending on the computation will help the developer to choose an optimal approach.

XIII. CONCLUSION
We survey the state-of-the-art zero-knowledge argument schemes suitable for blockchain and verifiable computing and their applications in anonymous and confidential transactions and private smart contracts. We explain the concept of a zero-knowledge proof and its non-interactive variants. In order to prove in zero-knowledge, the developer needs to transform the corresponding computation into a circuit representation. Therefore, we also survey the existing circuit generation tools and provide references to their implementations.
We give an overview of the protocols applying zero-knowledge for confidential transactions and private smart contracts on blockchain. We summarize their differences regarding the blockchain model and type, regulation capability and the protection of the transaction graph and amounts. For private smart contracts, we consider the privacy of data, function privacy and the supported functionality.
We conduct an extensive survey of state-of-the-art zero-knowledge argument schemes. We list the properties, asymptotic computational complexities and proof lengths of the zero-knowledge argument schemes that are peerreviewed, seminal or otherwise notable and/or have implementations. We also provide references to their practical evaluations and comparisons. Finally, we conclude that the schemes and approaches have their own advantages and disadvantages and that skill and knowledge is needed from the developer to choose the correct one for a particular use case. Since 2015, he has been a Postdoctoral Researcher with the Center for Machine Vision and Signal Analysis, Faculty of Information Technology and Electrical Engineering, University of Oulu. He has published in a wide range of topics related to information security, such as theoretical and applied cryptography, steganography, security of biomedical systems, and blockchain. He serves as a reviewer in top journals in information security. His research interests include cryptography, theory of computation, algebra, and security and privacy of biomedical systems. She is currently working as a Research Director with the Center for Ubiquitous Computing, University of Oulu. She made her postdoctoral visits to Waseda University, Japan, from 2005 to 2006, Tokyo Denki University, Japan, in 2008, and Tsinghua University, China, in 2011. Her research team Interactive Edge develops adaptive, reliable, and trusted edge computing. She is an Active Member of the international research community as a Workshop and Conference Organizer, as well as serving as a reviewer and a PC member for top journals and conferences in her field. She also works as a freelance lead AI Scientist in a Finnish Company Silo.AI. VOLUME 8, 2020