paint-brush
What I’ve Learned (and Broken) Building Zero-Knowledge Applicationsby@hackercm48cveta0000397w1iemrt0g
159 reads

What I’ve Learned (and Broken) Building Zero-Knowledge Applications

by January 12th, 2025
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

ZK Proofs lets you prove something is true without showing why it's true. It's used to prove that a credit score is above 700 without revealing the actual score. It can also be used to verify a transaction without sharing customer data.
featured image - What I’ve Learned (and Broken) Building Zero-Knowledge Applications
undefined HackerNoon profile picture
0-item
1-item

I've been putting off writing about zero-knowledge proofs for months, partly because explaining them feels like trying to describe colors to someone who's never seen them. After spending years building ZK applications - first at a failed startup and much later at other products - I'm still amazed these things work.


For those new to this: imagine proving you have enough money in your bank account to buy a house without showing your bank statement. Or proving you're old enough to vote without revealing your birth date. That's what ZK Proofs lets you do, and it still feels like magic sometimes.


Quick Backstory

I got into this ZK stuff by accident. I was working on this payment processing thing (which failed but that's a story for another time) when I ran into this problem with proving transactions were legit without sharing customer data. Like, how do you even do that?? That's when my colleague Dave (brilliant guy, terrible at documentation 😅) introduced me to ZK proofs. You can prove something is true without showing why it's true. My brain broke a little.


Anyways, fast forward to now, and I've built a bunch of stuff with ZK proofs. Some worked great, some were total disasters. Speaking of disasters - a funny story from last month. We were doing this demo for a healthcare client, showing how they could verify insurance without sharing medical records. Everything was working perfectly in testing. Like, perfectly, and trust me as a software engineer, I should've known that was a bad sign. Now, the demo starts and I feel confident, and then boom - nothing works. Complete silence in the room while I'm sweating bullets. Turns out I'd forgotten to update the circuit parameters after changing some input validation. But you know what? The client loved it because they got to see how we debug these things in real-time and trust me sometimes screwing up is the best demo you can give 😅


Here's what that debugging looked like:

// This was the broken code
let circuit = ZkCircuit::new(params);
circuit.add_input(patient_data); // Why did I think raw patient data was a good idea??

// What it should have been
let circuit = ZkCircuit::new(params);
let hashed_data = hash(patient_data);
circuit.add_input(hashed_data); // DUH


Oh yeah - pro tip: ALWAYS hash your inputs before putting them in a circuit. I learned that one the hard way.


Looking back, it is interesting how much evolution has happened in the ecosystem - before now, generating proof was this whole event. You'd start it running, go get coffee, maybe take a lunch break, but now it's so fast sometimes I don't even notice it happening.


I've got this pet project I'm working on - trying to use ZK proofs for anonymous game leaderboards. It's probably a terrible idea but I'm having fun with it. The basic concept is you prove your score is legit without revealing who you are. Here's the current state of the code:

// Warning: this is very much a work in progress and probably terrible
const gameCircuit = {
  score: Signal,
  playerHash: Signal,
  timestamp: Signal,
  // about 100 more signals because I haven't optimized anything yet
  // TODO: fix this mess before anyone sees it
};


I was going to write a whole section about where I think this tech is going, but honestly? I have no idea. And anyone who says they know for sure is probably trying to sell you something. What I do know is I'm having a great time exploring zero-knowledge tools and it’s possibilities. Recently, I explored a tiny task in a team project on proving someone's credit score is above 700 without revealing the actual score and well, mostly worked.


Moving on, if anyone reading this wants to get into ZK development - start smaller than I did, way smaller. Maybe don't make your first project an "anonymous decentralized taxi" like I did (another story for another time). Start with something simple like proving a number is positive without revealing the number. I think I can conclude here and say confidently that we need more ZK projects in the space but engineers gotta be ready for the whole hug and trust me the possibilities for solutions are limitless.


In all of this, security is very crucial and I'll add these security insights to give you a perception:

  • Most ZK-proof systems rely heavily on secure randomness for both proof generation and verification. A common mistake I’ve found in production was using predictable randomness sources. For instance, if an attacker can predict your nonce generation, they might reconstruct private inputs


  • A less obvious but equally critical security consideration is input validation before proof generation. In one particularly painful incident, we discovered that malformed inputs could leak information about the circuit structure.


These checks need to run before you even start generating the proof - once you're in the circuit, it's too late. Trust me, finding this out during a mainnet deployment is not a fun experience! I will end here so the article doesn’t get too deeply technical.


Shoot me a message if you want to chat about ZK stuff. I'm usually around, probably debugging some circuit that seemed like a good idea. Going to wrap this up because I just noticed it's pretty late and I have a meeting tomorrow. But one last thing: ZK proofs are amazing and terrifying and frustrating and magical and I still can't believe they work. Build stuff with them. Break stuff. Learn things. Just maybe backup your work first 😉