Quiz: Zero-Knowledge Proofs

Question 1

In the Ali Baba cave analogy, what prevents a dishonest Peggy (who does not know the password) from consistently fooling Victor?

  • (A) Victor checks whether the magic door has been opened
  • (B) Victor randomly chooses which side Peggy must exit from, and she cannot pass through the locked door
  • (C) Victor watches which path Peggy takes when she enters the cave
  • (D) Victor asks Peggy to recite the password after she exits

Answer: (B) Explanation: Victor waits outside while Peggy enters, so he does not see which path she takes. He then randomly requests a side. Without the password, Peggy can only comply if she happened to choose the same side Victor requests — a 50% chance per round. Over many rounds, the probability of consistently guessing correctly becomes negligibly small.

Question 2

Which of the following correctly describes the soundness property of a zero-knowledge proof?

  • (A) An honest prover will always convince the verifier
  • (B) The verifier learns nothing beyond the truth of the statement
  • (C) A dishonest prover cannot convince the verifier of a false statement (except with negligible probability)
  • (D) The proof can be verified without interaction between prover and verifier

Answer: (C) Explanation: Soundness is the security guarantee: no cheating prover can convince the verifier that a false statement is true, except with negligibly small probability. Option (A) describes completeness. Option (B) describes the zero-knowledge property. Option (D) describes non-interactivity.

Question 3

The Fiat-Shamir heuristic converts an interactive proof into a non-interactive one by:

  • (A) Having the prover and verifier agree on challenges in advance
  • (B) Replacing the verifier's random challenges with the output of a hash function applied to the prover's commitments
  • (C) Eliminating the need for challenges entirely
  • (D) Using a trusted third party to generate the challenges

Answer: (B) Explanation: The Fiat-Shamir heuristic uses a cryptographic hash function as a substitute for the verifier's random challenges. The prover computes c = H(a) where a is the prover's commitment. Because the hash function behaves unpredictably (modeled as a random oracle), the prover cannot manipulate the challenge.

Question 4

In the zk-SNARK pipeline, what is the purpose of converting R1CS constraints into a Quadratic Arithmetic Program (QAP)?

  • (A) To make the constraints human-readable
  • (B) To enable the prover to execute the computation faster
  • (C) To encode all constraints as a polynomial equation that can be checked at a single random point, achieving succinctness
  • (D) To eliminate the need for a trusted setup

Answer: (C) Explanation: The QAP transformation encodes all R1CS constraints into a single polynomial equation A(x)B(x) - C(x) = H(x)T(x). Thanks to the Schwartz-Zippel lemma, polynomial equality can be checked by evaluating at a single random point, which is why the proof is succinct — a fixed-size proof regardless of the number of constraints.

Question 5

What is the "toxic waste" in a zk-SNARK trusted setup?

  • (A) Invalid proofs that must be discarded
  • (B) Random values used to generate public parameters that, if known, would allow forging proofs
  • (C) Leftover data from failed verification attempts
  • (D) Private keys of the proof system's developers

Answer: (B) Explanation: During the trusted setup ceremony, random values are used to create the Common Reference String (CRS). If anyone retains these random values (the "toxic waste"), they could forge proofs — creating valid-looking proofs for false statements. The ceremony must be designed so that the toxic waste is destroyed.

Question 6

Which of the following is TRUE about zk-STARKs but FALSE about zk-SNARKs (specifically Groth16)?

  • (A) They produce proofs that are a few hundred bytes in size
  • (B) They require a trusted setup ceremony
  • (C) They are believed to be resistant to attacks by quantum computers
  • (D) They use elliptic curve pairings for polynomial commitment

Answer: (C) Explanation: STARKs rely on collision-resistant hash functions, which are believed to be quantum-resistant. SNARKs (Groth16) rely on elliptic curve pairings, which are vulnerable to Shor's algorithm on quantum computers. STARKs produce larger proofs (40-200 KB, not hundreds of bytes), do not require a trusted setup, and do not use elliptic curve pairings.

Question 7

The FRI commitment scheme used in zk-STARKs achieves polynomial commitment using:

  • (A) Elliptic curve pairings
  • (B) Trusted setup parameters
  • (C) Hash functions and Merkle trees
  • (D) Homomorphic encryption

Answer: (C) Explanation: FRI (Fast Reed-Solomon Interactive Oracle Proof) uses only collision-resistant hash functions and Merkle trees to commit to polynomials and prove their degree bounds. This is what makes STARKs "transparent" — no trusted setup or exotic algebraic structures are required.

Question 8

A ZK-rollup batches 10,000 transactions and posts a validity proof to Ethereum L1. What happens if the proof is invalid?

  • (A) The batch enters a 7-day challenge period for fraud proofs
  • (B) The L1 smart contract rejects the batch, and the state does not update
  • (C) The transactions are reverted after a grace period
  • (D) Validators vote on whether to accept or reject the batch

Answer: (B) Explanation: ZK-rollups use validity proofs, not fraud proofs. The L1 verifier contract checks the proof mathematically. If the proof is invalid, the contract rejects the transaction entirely — there is no challenge period, no voting, and no grace period. This is what distinguishes ZK-rollups from optimistic rollups (which use the 7-day challenge window described in option A).

Question 9

In Vitalik Buterin's ZK-EVM taxonomy, a Type 4 ZK-EVM:

  • (A) Can prove actual Ethereum consensus layer blocks
  • (B) Is fully EVM-equivalent at the bytecode level
  • (C) Compiles high-level languages (like Solidity) to a custom VM rather than EVM bytecode
  • (D) Has no differences from Ethereum mainnet whatsoever

Answer: (C) Explanation: A Type 4 ZK-EVM achieves compatibility at the source language level (e.g., Solidity) but uses a different internal virtual machine. zkSync Era is an example — it compiles Solidity to its own instruction set rather than EVM bytecode. This makes ZK proving easier but means raw EVM bytecode may not be compatible. Type 1 corresponds to (A)/(D), and Type 2 corresponds to (B).

Question 10

Which of the following is an advantage of a recursive ZK proof?

  • (A) It eliminates the need for a trusted setup in SNARKs
  • (B) It allows a single fixed-size proof to attest to the correctness of an arbitrarily long chain of computations
  • (C) It makes ZK proofs quantum-resistant
  • (D) It removes the need for the Fiat-Shamir heuristic

Answer: (B) Explanation: A recursive proof verifies a previous proof plus new computation. By chaining proofs, a single proof can attest to the correctness of an entire history of computations. Mina Protocol uses this to maintain a constant ~22 KB proof regardless of blockchain length. Recursion does not affect setup requirements, quantum resistance, or the need for non-interactivity.

Question 11

A ZK proof demonstrates that a user's bank balance exceeds $10,000 without revealing the actual balance. In this scenario, what is the "witness"?

  • (A) The statement "balance > $10,000"
  • (B) The actual bank balance (the private input known only to the prover)
  • (C) The threshold value $10,000
  • (D) The proof itself

Answer: (B) Explanation: The witness is the private input that the prover knows and uses to generate the proof. In this case, the witness is the actual bank balance. The statement is the claim being proven ("balance > $10,000"), the threshold ($10,000) is a public input, and the proof is the output of the proving algorithm.

Question 12

What is the primary reason the SNARK-STARK divide is narrowing?

  • (A) STARKs have completely replaced SNARKs in all applications
  • (B) Techniques like SNARK-wrapping (generating a STARK then compressing it with a SNARK) and transparent SNARKs combine advantages of both systems
  • (C) Quantum computers have made SNARKs obsolete
  • (D) The Ethereum Foundation has mandated a single proof system for all rollups

Answer: (B) Explanation: Hybrid approaches are emerging: StarkNet wraps STARK proofs in SNARK proofs for cheaper L1 verification. Transparent SNARKs (like Halo 2) achieve SNARK-like efficiency without trusted setups. Post-quantum SNARKs based on lattice assumptions are being developed. The boundary between the two systems is blurring through innovation, not replacement.

Question 13

A ZK-coprocessor enables a smart contract to:

  • (A) Execute computations faster by using specialized hardware
  • (B) Access and verify computations on historical blockchain data without performing those computations on-chain
  • (C) Communicate with other blockchains directly
  • (D) Bypass gas limits on Ethereum

Answer: (B) Explanation: A ZK-coprocessor performs computation off-chain (such as aggregating historical data), generates a ZK proof of correctness, and submits the result plus proof to the smart contract. The contract verifies the proof and uses the result with cryptographic guarantees. Projects like Axiom and Herodotus are building this infrastructure.

Question 14

Which property distinguishes a "proof of knowledge" from a standard "proof of truth"?

  • (A) A proof of knowledge is always non-interactive
  • (B) A proof of knowledge guarantees that the prover actually possesses the witness, not just that the statement is true
  • (C) A proof of knowledge uses STARKs instead of SNARKs
  • (D) A proof of knowledge does not require the zero-knowledge property

Answer: (B) Explanation: Knowledge soundness (the "K" in both SNARK and STARK) guarantees that a prover who produces a valid proof must actually know the witness — they cannot produce a proof by luck, copying, or any other means that does not involve knowing the secret. This is a stronger property than simply proving that a true statement has a valid witness somewhere.

Question 15

Why does the chapter describe ZK proofs as potentially "the most important cryptographic development since public-key cryptography"?

  • (A) Because ZK proofs are faster than all other cryptographic operations
  • (B) Because ZK proofs can prove any computational statement while preserving privacy — dissolving the traditional tradeoff between verification and transparency
  • (C) Because ZK proofs make all previous cryptographic techniques obsolete
  • (D) Because ZK proofs are the only defense against quantum computers

Answer: (B) Explanation: Public-key cryptography enabled secure communication between strangers. ZK proofs enable verifiable computation without data disclosure — any claim about any data can be proven without revealing the data. This dissolves the fundamental tradeoff between trust (requiring transparency) and privacy (requiring secrecy), opening entirely new categories of applications in scaling, privacy, identity, and compliance.

Scoring: 13-15 correct = Excellent mastery of ZK proof concepts. 10-12 correct = Strong understanding with minor gaps. 7-9 correct = Adequate foundation, review technical sections. Below 7 = Revisit the chapter, focusing on the three properties and SNARK/STARK distinctions.