Manta Founder in Conversation with Tsinghua Cryptography PhD: A Deep Dive into the ZK Space
TechFlow Selected TechFlow Selected
Manta Founder in Conversation with Tsinghua Cryptography PhD: A Deep Dive into the ZK Space
The topic covers ZK fundamentals, ZK research and applications, and how Manta leverages ZK to solve Web3 privacy issues.
Navigating Web3 tides with focused insightsAt 21:00 Beijing time on July 23, Shumo Chu, co-founder of Manta Network, was invited by the Tsinghua University Blockchain Association (THUBA) to join a Twitter Space conversation with cryptography PhD candidate Sputnik. The discussion covered ZK fundamentals, ZK research and applications, and how Manta leverages ZK to solve Web3 privacy issues. Below is the full transcript of the dialogue:
Yiki (Host):
Hello everyone, I'm Yiki, vice president of the Tsinghua Blockchain Association (THUBA). Since our founding in 2017, we've been active for five years and hosted nearly 200 events. In August, we'll be holding our first hackathon—stay tuned and feel free to sign up. Now, could Shumo please briefly introduce what Manta does, along with a short introduction about yourself?
Shumo:
Hello everyone, it's a great honor to be here. I'm Shumo, co-founder of Manta Network. Let me start by introducing Manta—we were founded around October 2020. At that time, we saw a major issue in blockchain (Web3): privacy. We believed strongly in the future of the Web3 industry, but if this industry were to go mainstream, having all on-chain transactions transparent would be unacceptable. We believe privacy is a fundamental right. If you look at the architecture of most public blockchains today, you’ll find almost none offer privacy, except for rare cases like Monero or Zcash.
Our original goal was to solve this privacy problem. How? We first built an on-chain private payment product—MantaPay—which has already launched two testnet versions. You can think of it as a bring-your-own-token version of Zcash. This product is deployed in the Polkadot ecosystem, though we plan to expand to multiple chains. Our next step, currently under development for about six months (not yet officially released), is building private asset smart contracts. In one sentence, Manta aims to become the privacy layer for the entire Web3 stack. In the future, we envision that in every traditional Web3 operation, users will have an option—“privatize by Manta”—making their transactions automatically private.
As for myself, I completed my PhD at the University of Washington, focusing on database systems and formal verification. After graduation, I worked as a research scientist at Algorand for a year, then served as an assistant professor at UC Santa Barbara. Now I’m fully dedicated to Manta Network.
Yiki:
Thank you. Sputnik, could you also briefly introduce yourself and share your current research focus?
Sputnik:
Hello everyone, I'm Sputnik. Currently, I lead the ZK research direction at THUBA. Personally, I'm pursuing a PhD in cryptography at Tsinghua, focusing on privacy-preserving technologies in blockchain, including algorithms and applications related to zero-knowledge proofs. Our ZK research group aims to build a community discussion platform open to the public, fostering exchanges between academia and industry. Everyone is welcome to join. It’s a pleasure to discuss ZK applications with Shumo today—welcome, everyone.
What Is ZK?
Yiki:
First, Shumo, could you give us a simple overview of what ZK is—the principles and applications—for those who are new to the topic?
Shumo:
ZK stands for zero-knowledge proof. It was theoretically studied for many years, with foundational work dating back 20–30 years ago—most notably the GMR paper by Goldwasser, Micali, and Rackoff. People long believed it was theoretically feasible but impractical. A key milestone came with Zcash, where several professors collaborated to build the first practical implementation. They developed a usable construction called libsnark, which powered the initial version of Zcash, proving that ZK could indeed be applied in real-world systems.
As Micali once described, ZK can be thought of as "encryption on computation." Traditional encryption protects data—transforming plaintext into ciphertext. But ZK is even more powerful: it encrypts computation itself. For example, suppose you want to prove you know something—say, that 3 + 5 = 8—but without revealing the inputs (3, 5) or output (8). Instead, you use commitments to these values and convince someone the equation holds true, without disclosing the actual numbers. In blockchain terms, this means convincing validators or node operators of correctness at a very high level, without exposing sensitive data.
Yiki:
Thank you, Shumo. From your perspective, Sputnik, how would you define ZK, and how do you see its development?
Sputnik:
From a cryptographic standpoint, the ZK protocol is quite simple—it can be summarized in one sentence: it's a two-party cryptographic protocol involving a prover and a verifier. The prover must convince the verifier they know a secret, while revealing no additional knowledge. That's the essence of "zero-knowledge."
But what exactly does "zero-knowledge" mean? Cryptographically, it requires some information-theoretic rigor: during interaction, the verifier gains no new capabilities or knowledge beyond what they already had. As Shumo mentioned earlier, proving 3 + 5 = 8 without revealing the numbers themselves. This often involves using a cryptographic commitment—a value that binds you to a secret while hiding it, similar to a hash function. The binding property ensures that once committed, changing the underlying value changes the commitment. The hiding property ensures others can't deduce the hidden value just from the commitment. Later, you can "open" it and provide a zero-knowledge proof that convinces others your commitment was valid. That’s the cryptographic view of ZK.
Yiki:
Since you’ve just explained ZK from a research perspective, could you further elaborate on how ZK is currently studied in academia? What are the main areas of focus?
Sputnik:
In academic research, there are different directions. Some are highly theoretical—like provable security—which relies heavily on formal methods. We won’t dive deep into that now. On the application side, researchers develop new, optimized algorithms that outperform existing ones. Then there are system-level implementations like Zcash—designed by the professors Shumo mentioned. The protocol was proposed in 2014, and the system launched in 2016. That’s essentially applying algorithmic advances to real-world use cases. Those are the primary research directions.
Yiki:
You've been involved in crypto research through THUBA for quite some time. How do you see the relationship between ZK research and the crypto industry? Is there good alignment?
Sputnik:
I think ZK research has produced many results and various algorithms, but when it comes to industrial integration, performance improvements and other optimizations are still needed. Some algorithms may show strong theoretical results, but their practical implementations might not perform as well. Perhaps Shumo can explain how far ZK applications have progressed in the industry.
Shumo:
Research is extremely important. However, the gap between research and practical application lies in focus: research emphasizes computational complexity, while real-world applications care more about actual performance. One advantage of cryptography is that theoretical performance usually aligns closely with practice—there aren’t large hidden constants. Still, implementing an algorithm often requires significant engineering effort and team coordination.
Secondly, the engineering complexity behind low-level ZK protocols—such as R1CS and Plonk circuits—is immense. That’s why we at Manta are building OpenZL (an open-source zero-knowledge proof library), serving as a middle layer to boost developer efficiency. I believe the gap between research and industry lies precisely in such middle-layer abstractions. Of course, deep understanding of cryptographic foundations still benefits engineering greatly.
Yiki:
Thank you. Earlier we touched on some ZK applications. Could Sputnik elaborate further on ZK use cases both within and outside blockchain?
Sputnik:
Within blockchain, ZK applications mainly fall into two categories: privacy and scalability. Privacy includes projects like Zcash, which many of you may know as “Zerocoin.” It achieves transaction-level confidentiality by hiding the three core elements of a transfer—the sender, the receiver, and the amount—improving upon earlier designs like Zcoin.
The second area is scalability. When people talk about blockchain scaling, they often refer to increased TPS. How does ZK relate to Layer 1 scaling? Recall that ZK is fundamentally a proof system. While privacy leverages its zero-knowledge property, scalability uses its verifiability. A familiar term today is ZK rollup—Ethereum is actively exploring this path. The idea is to offload computation off-chain, so the main chain only needs to reach consensus on final results. A blockchain state consists of account balances; each transaction updates these balances—that’s a computation process. We aim to perform this computation off-chain, then submit both the updated state and a validity proof to the chain. Validators only need to verify the proof, which is much faster than re-executing the entire computation. This is how ZK rollups achieve scalability. These are the current blockchain applications of ZK.
Outside blockchain, ZK is used in privacy-preserving computation. Though increasingly integrated with blockchain, privacy computing often involves secure multi-party computation—where multiple parties jointly compute a result without revealing private inputs. ZK protocols frequently appear as components within these systems. That covers the general landscape.
Yiki:
Thank you. Now, why is ZK important? If you were explaining ZK to university students, Shumo, how would you frame it?
Shumo:
At a fundamental level, it's about trust between people. The entire blockchain system aims to solve trust problems. As Sputnik mentioned, ZK applications are already critical. First, on-chain privacy—currently, ZK is the only viable solution for hiding information while maintaining consensus. Second, rollups—bundling transactions and submitting validity proofs. Broadly speaking, society is moving toward eliminating intermediaries in trust-building processes. ZK has evolved from specialized protocols to enabling verification of arbitrary computations—there’s clearly a Moore’s Law-like acceleration happening.
How to Learn ZK:
Yiki:
Understood. Following up, Shumo, based on your own experience learning ZK, could you offer beginners some advice on getting started from scratch?
Shumo:
First, clarify your purpose—why are you learning ZK? The technical depth varies significantly depending on your goals. If you aim to master ZK, start with foundational cryptography. Many young cryptographers begin with public lectures, such as those by Professor Dan Boneh from Stanford, which cover the basics of modern cryptography.
Second, explore open-source libraries on GitHub and start coding. Essentially, combine foundational theory with hands-on practice—learn the basics and write code early.
Yiki:
I see—very insightful. Theory and coding are both essential. Sputnik, what’s your take? Since you come from a mathematics background, do you have any recommendations for students starting out?
Sputnik:
I majored in mathematics as an undergrad, later specializing in information security, and began studying cryptography in my third year. For those seeking systematic understanding and practical skills, I recommend starting with basic cryptographic concepts—signatures, hash functions, MACs—and learning how to formally define zero-knowledge.
For a gentler introduction, I recommend the paper “How to Explain Zero-Knowledge Protocols to Your Children,” presented at CRYPTO in the 1990s—one of the most prestigious cryptography conferences. It uses the well-known story of Alibaba and the Forty Thieves, along with the “cave of zero knowledge,” to illustrate ZK properties and tools like simulators (used to prove zero-knowledge). I also run a personal repo and podcast—search “Zero-Knowledge Cave” on Xiaoyuzhou FM—where I discuss this paper and various ZK applications.
Current State and Future of the ZK Ecosystem:
Sputnik:
Next, let’s discuss the current ZK landscape. We’ve talked about ZK and learning resources. Now, from an industry perspective, Shumo, why is the ZK application space so competitive? There are so many ZK-based projects—zkSync, Zcash, even efforts by the Ethereum Foundation. Behind them are strong cryptography teams. Starkware’s co-founder Eli Ben-Sasson, for instance, is an Israeli professor and also a Zcash founder. What are your thoughts on this phenomenon?
Shumo:
Well, it depends on how you interpret “competitive.” Indeed, whether existing or early-stage projects, I can say confidently it will only get more competitive—not less. But I see this competition as positive for both the ZK field and Web3 overall. Web3 is permissionless—anyone believes they can succeed, hence the intense competition. Yet, despite appearances, these projects aren’t doing identical things. Starkware, for example, has its own unique programming language.
The key question is how to enter this competitive space. Rather than copying trending projects, think about unmet needs and how to solve real problems. In short, competition is inevitable. For anyone entering ZK, find your unique angle instead of imitating others.
Sputnik:
Regarding ZK rollups, could you compare leading players like zkSync, Starkware, and Scroll? What distinguishes them?
Shumo:
I don’t build ZK rollups myself, but I can share some insights. A key distinction is EVM equivalence—whether a project fully supports EVM compatibility.
zkSync takes an “EVM-compatible” approach. Instead of embedding the full EVM in-circuit, they built their own VM. Embedding EVM directly is technically challenging and introduces complications. This allows zkSync to launch earlier—likely being the first among these to deploy on mainnet. However, being compatible only at the Solidity level means many Ethereum tools, like debuggers, won’t work.
Scroll and Hermez claim full EVM equivalence, which I believe is better, as it enables seamless use of existing toolchains.
Starkware’s prover remains closed-source so far. And the Ethereum Foundation’s initiative is purely experimental—unlikely to ever go live.
Sputnik:
One final question: we’ve discussed ZK applications in privacy and rollups. But for developers, these often require specialized crypto teams. Ideally, especially for rollups, we’d like the middleware to be invisible to users. So, are there possibilities for more accessible products—something ordinary users can actually feel and use?
Shumo:
Excellent question—and yes, absolutely. First, ZK rollups themselves aren’t private, but they can be deployed as middleware (e.g., zkSync) without requiring developers to understand ZK. However, privacy-focused applications often require deeper ZK knowledge. For example, interacting with Manta’s private asset platform may involve writing ZK circuits.
Second, while cryptography background helps, advancements in high-level languages and tools mean developers no longer need to manually write low-level circuits—just as high-level programming languages eliminated the need for assembly. The barrier to ZK programming is steadily decreasing. It will take time, but eventually, developers won’t need to master every cryptographic detail. New ZK programming languages and libraries keep emerging.
Sputnik:
Thank you, Shumo. I get a clear picture of your vision for ZK. Let’s shift back to Manta. I know Manta is developing MantaPay—an anonymous payment system. Could you explain MantaPay and how it differs from Zcash?
Shumo:
From a problem-solving perspective, we’ve certainly learned from Zcash’s successes. But a major difference is that Zcash supports only a single asset type, whereas we support multiple. Conceptually, Zcash aimed to build everything from scratch. We see privacy as infrastructure that empowers the broader ecosystem—not just our own payment system.
Technically, we benefited from starting later—we adopted newer cryptographic techniques, including ZK-friendly hash functions. Our circuit size is about 1/10 that of Zcash’s, resulting in better performance and user experience. These are the key similarities and differences. Of course, we stand on the shoulders of giants and have learned much from Zcash.
Sputnik:
Thank you for explaining MantaPay. One follow-up question: I’m personally curious about trusted setup. Let me first explain the concept. In some cryptographic algorithms, a trusted setup phase is required to generate certain parameters. Zcash’s original design used such a process. From what you’ve shared, does MantaPay also require a trusted setup? Given that newer algorithms exist that don’t require it, why did you choose to adopt it? Are there advantages?
Shumo:
Yes, there are definite advantages, and it’s widely used today. There are two main types of zero-knowledge proof systems: Groth16, which we use, and Plonk. Each has trade-offs. Groth16 requires a trusted setup, while Plonk doesn’t (or requires only application-specific setups). Through testing, we found Groth16 offers superior performance.
From a cryptographic standpoint, the two differ in circuit design and proof systems. We chose trusted setup purely for performance reasons. Users have different devices—proof generation time varies. We cannot “discriminate” against slower users. Whether proof generation takes 2 seconds or 20 seconds makes a huge difference in user experience. That’s our primary performance consideration.
Second, the security of trusted setup is manageable. The Manta community will include many participants, and we may invite respected figures from the industry to join the ceremony. This ensures honesty. That’s why we use trusted setup.
Yiki:
Thank you, Shumo. Today’s AMA has lasted about an hour and we’re nearing the end. We’ve covered a wide range—from the basics of ZK, to learning paths, to the current state of ZK research and industry. Our guest session concludes here. Thank you both, Shumo and Sputnik, for your insightful sharing.
About THUBA
The Tsinghua University Blockchain Association (THUBA) is a student-led and self-governed organization formed by Tsinghua students passionate about blockchain technology. THUBA aims to bridge blockchain communities across universities globally and is dedicated to educating and nurturing future leaders in Web3.
About Manta Network
Manta Network is dedicated to building a better Web3 world through privacy protection. Manta’s product design starts from first principles, leveraging cutting-edge cryptographic architectures like zkSNARK to provide end-to-end privacy for blockchain users. While ensuring privacy, Manta also delivers interoperability, usability, high performance, and auditability, enabling users to conduct private transfers and trades across any parachain assets. Manta’s vision is to provide more accessible privacy services for the entire blockchain ecosystem.
Manta’s founding team comprises seasoned crypto professionals, professors, and scholars with backgrounds from Harvard, MIT, and Algorand. Manta has received investments from Polychain, ParaFi, Binance Labs, Multicoin, CoinFund, Alameda, DeFiance, and Hypersphere. Manta is also a grant recipient of the Web3 Foundation, a member of the Substrate Builder Program, and part of the UC Berkeley Blockchain Accelerator.
We're Hiring!
View open positions: https://jobs.lever.co/MantaNetwork
Follow official channels for more on Manta/Calamari:
Website:https://manta.network/
Github:https://github.com/Manta-Network
Twitter:https://twitter.com/MantaNetwork
Medium:https://mantanetwork.medium.co
Telegram:https://t.me/mantanetwork
Discord:https://discord.gg/ZtSuSKRy8X
Telegram (Chinese):https://t.me/mantanetwork_zh
Twitter (Chinese):https://twitter.com/manta_china
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@MantaNetwork
