
Interpretation of zk, zkVM, zkEVM and their future

2022-05-25 18:26
The native zkEVM is the future of the blockchain, and the generic zkVM is the future of Web3.
Original title: "Foresight Ventures: Interpreting zk, zkVM, zkEVM and their future"
Original author: Suning Yao @ Foresight Ventures


TL;DR


Zero-knowledge proof technology can guarantee the integrity, correctness and privacy of computations, and has applications in blockchain scaling and privacy.


zk-SNARK and zk-STARK each have their own advantages, and a sensible combination of the two has more potential.


A zkVM can give applications zero-knowledge proof capabilities. zkVMs are divided by instruction set into mainstream, EVM and new-instruction-set types.


EVM adaptation includes EVM compatibility, EVM equivalence and EVM specification adaptation.


A zkEVM is an EVM-compatible and zero-knowledge-proof-friendly environment, mainly divided into native and compiled schools.


Native zkEVM is the future of Ethereum and of blockchain.


A general-purpose zkVM that supports the Solidity ecosystem is the future of Web3.


0. Zero-knowledge proof


An introduction to zero-knowledge proofs that is not rigorous but easy to understand:


You are in elementary school. The teacher is the verifier, and you, the student, are the prover. How do you prove that you have mastered the formula for solving a quadratic equation in one variable? You take a math test.


The teacher randomly selects 10 related questions, and if you have mastered the formula, you can solve them all. In this process you never have to recite or write down the formula itself, yet the teacher can easily verify that you have mastered the knowledge.



This is actually the method Tartaglia and Cardano (yes, that name) used to contest who had discovered the solution to the cubic equation in one variable. Neither wanted to tell the other the content of his formula, but by solving each other's problems they could easily be verified, without revealing the knowledge in the process, as to whether they had truly mastered it.
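The classroom exchange above, modelled as an added example that is not from the original article: the teacher is the verifier, the student is the prover, and the teacher checks each answer by refactoring the quadratic, which needs no knowledge of the solution formula. The questions, the provers and the exam loop are all constructed here; it is a plain interactive proof, not a cryptographic zero-knowledge system, but it shows the random challenge, the cheap verification and why a guessing student fails.

```python
import math
import random
from fractions import Fraction

# Constructed classroom protocol (hypothetical, added example): the teacher (verifier)
# poses random quadratics a*x^2 + b*x + c = 0; the student (prover) answers with the
# roots; the teacher checks by refactoring, never needing the solution formula.

def make_question(rng):
    """Verifier side: build a quadratic with integer roots so every answer is exact."""
    r1, r2, a = rng.randint(-9, 9), rng.randint(-9, 9), rng.choice([1, 2, 3])
    return a, -a * (r1 + r2), a * r1 * r2          # a*(x - r1)*(x - r2) expanded

def honest_prover(a, b, c, rng):
    """Student who has mastered the formula; it is applied here but never handed over."""
    s = math.isqrt(b * b - 4 * a * c)              # questions are built so this is exact
    return [Fraction(-b + s, 2 * a), Fraction(-b - s, 2 * a)]

def guessing_prover(a, b, c, rng):
    """Student without the knowledge: guesses two roots at random."""
    return [Fraction(rng.randint(-9, 9)), Fraction(rng.randint(-9, 9))]

def verify(a, b, c, roots):
    """Verifier check: a*(x - r1)*(x - r2) must expand back to the question asked."""
    if len(roots) != 2:
        return False
    r1, r2 = roots
    return -a * (r1 + r2) == b and a * r1 * r2 == c

def run_exam(prover, seed, rounds=10):
    """The interactive proof: accept only if every randomly chosen question is solved."""
    rng = random.Random(seed)
    for _ in range(rounds):
        a, b, c = make_question(rng)
        if not verify(a, b, c, prover(a, b, c, rng)):
            return False
    return True

def cheat_probability(rounds=10, choices=19):
    """Soundness error bound: at most 2 of choices**2 ordered guesses fit each question."""
    return (2 / choices ** 2) ** rounds

if __name__ == "__main__":
    print("honest student passes:", run_exam(honest_prover, seed=1))      # True
    print("guessing student passes:", run_exam(guessing_prover, seed=1))  # False
    print("chance a guesser passes 10 rounds:", cheat_probability())
```

Each extra random question multiplies the guesser's chance of passing by at most 2/361, which is the same amplification idea that makes a few random challenges convincing.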


What is a zero-knowledge proof good for? The whole process saves computing power and compresses on-chain space while also protecting privacy, which fits the trustless character of blockchain and the genes of cryptography.


1. SNARK and STARK


The "zk" used or mentioned in the blockchain field is usually not a true zero-knowledge proof but rather a validity proof. Because the related vocabulary is muddled, some places in this article continue these "misuses".



In the current blockchain landscape, zk can be called the most cutting-edge and optimal solution for both blockchain scaling (validity proofs without zk) and privacy technology (real zk). It is used in projects such as Tornado.cash, ZCash, zkSync, zk.money, Filecoin and Mina.

  

Current technical solutions are mainly divided into two types, SNARK and STARK. The S in STARK stands for scalable, meaning the statement being proven has a repeated structure, whereas SNARK supports arbitrary circuits, which are preprocessed to achieve succinct proofs. In practice SNARK occupies the dominant position; among products launched at scale, STARK is mainly adopted by StarkWare. The following is a comparison between them.



From a meme perspective, STARK beats SNARK (Star Wars, Star Trek).


If SNARK is Ethereum 2.0, then STARK will be the future of Ethereum 3.0. Seriously speaking, the advantages of STARK are:


- lower gas (more scalable)
- larger batch size (more scalable * 2)
- faster proving (more scalable * 3)
- no trusted setup (in a trusted setup the generated parameters are only valid for the current application; any modification requires re-running the setup)
- post-quantum security


But the proofs generated by STARK are considerably larger, and because of some limitations of WASM, additional operations may be required during construction (this refers to SNARK). Mir recently gave a practical AIR-based STARK in Starky, which is part of Plonky2 (the relationship between Plonky2 and Starky is rather more complicated...). I personally think the large proof size can be optimized by various methods, but the time complexity of the algorithm itself is difficult to compress further.


These zero-knowledge proof technologies can be combined sensibly to build more powerful applications. For example, Polygon Hermez uses a SNARK to verify the correctness of a STARK, thereby reducing the gas fee required to publish the final proof.


In conclusion, SNARK and STARK are both excellent zero-knowledge proof technologies, each with its own advantages and disadvantages, and a sensible combination of the two has more potential.


2. zkVM


The aforementioned Tornado.cash and zk.money are similar zero-knowledge proof applications that only support transfer operations and do not support general-purpose computation. By analogy, these applications have only the functionality of Bitcoin, which falls far short of Ethereum's Turing completeness, let alone building an ecosystem (smart contracts on Bitcoin never developed an ecosystem).


A zkVM is a virtual machine whose security, verifiability and trustworthiness are guaranteed by zero-knowledge proofs. Simply put, it takes the old state and a program as input and returns the new state. It can give every application the superpower of zero-knowledge proofs.


Miden's talk at ETH Amsterdam gave a nice picture of what a zkVM is all about.



zkVM advantages:

- Easy to use: developers can run programs on a zkVM with guaranteed computational security without learning cryptography or zero-knowledge development (this does not mean there is no barrier at all).
- General: a zkVM can generate proofs for any program and computation.
- Succinct: a relatively small number of constraints can describe the entire VM (without duplicating the circuit for the entire VM per program).
- Recursion: recursion comes for free. As with generality, verification of the VM can be done by the VM itself. This is very interesting: for example, you can put a zkVM inside a zkVM, which is similar to the L3 concept StarkWare has mentioned.

zkVM disadvantages:

- Special computing architecture: not all zero-knowledge proof systems can be used to build a zkVM.
- Performance: the circuit needs to be optimized, and it can be optimized for specific computations.


There are three major types of zkVM, with their instruction sets in parentheses: mainstream (WASM, RISC-V), EVM (EVM bytecode) and ZK-optimized (a new instruction set designed for zero-knowledge proofs, such as Cairo and zkSync). The following is a type comparison chart based on Miden's talk at ETH Amsterdam:



Most of what the zero-knowledge proof development ecosystem does is let developers build general zk DApps with the Circom library (and snarkyjs) or with newly created languages (languages like Leo or Cairo have odd restrictions), but none of this is as direct and easy to learn as Solidity on Ethereum.


In addition, many projects, such as zkSync, Scroll and several teams under Polygon, are trying to build a zkEVM or another kind of zkVM.


3. EVM


The EVM is Ethereum's virtual machine; it can also be understood as the execution environment for running smart contracts.


For several years, various public chains have been trying to be EVM-compatible so as to plug into Ethereum's developer ecosystem. Out of this concept, definitions such as EVM compatibility and EVM equivalence have been derived.


- EVM compatibility: adaptation at the language level, such as Solidity.
- EVM equivalence: adaptation at the EVM bytecode level.
- EVM specification adaptation: commonly referred to as the real zkEVM; in most cases it is even a backward-compatible, optimized superset that can provide account abstraction (that is, every account is a smart contract) and other features the EVM does not provide.


4. zkEVM


Now let's interpret zkEVM. To define it: a zkEVM is a virtual machine that is EVM-compatible and friendly to zero-knowledge proofs, and that can guarantee the complete correctness of programs, operations, and inputs and outputs.


For general computing, zkEVM needs to solve two difficulties:


a) The circuits are complex

Different contracts need to generate different circuits, and these circuits are "complex".


This aspect mainly relies on various optimizations, such as Aleo (which is not a direct zk type... just to illustrate optimization) computing proofs concurrently on a distributed cluster, or acceleration through various hardware optimizations.


b) Design difficulties


For a zkEVM, not only the EVM itself but also Ethereum's overall state transition must be rebuilt with zero-knowledge proof technology.


It was not anticipated when the EVM was designed that building a zkEVM would one day be so difficult. This has led to two schools of approach, all of which are in the picture.



Or, by VM architecture, it looks like this (thanks to Scroll Tech for the original summary picture!). Opcode refers to EVM opcodes. On the StarkWare side, Warp converts Solidity into Cairo contracts, or you write contracts directly in Cairo; either way you get a good development experience and a full set of tools.



At the level of developers and users, I think there is basically no difference between these solutions, but in terms of infrastructure, the farther to the right, the better the EVM compatibility and the more seamlessly it connects to infrastructure such as Geth, though development progress is generally slower.


5. zkEVM and zkVM


I think zkEVM exists to renovate and patch the Ethereum ecosystem, which can contribute to the prosperity of Ethereum and its ecosystem, whereas zkVM does not necessarily strengthen Ethereum but leaves far more room for imagination.


StarkNet's Cairo VM may not be the most perfect zkVM I can imagine, but it can do more than the EVM or a zkEVM, and these are not just functional expansions at the EIP level. Machine learning models can run on the Cairo VM, and there is even a machine learning model platform being built on StarkNet.


Compared to a zkEVM, a zkVM is easier to build (no need to worry about the EVM's technical debt), more flexible (no need to worry about EVM updates) and easier to optimize (software and hardware optimization of circuits and provers is much simpler and cheaper than it is for a zkEVM).


Of course, one small but fatal shortcoming of zkVM is that if a zkVM cannot support EVM compatibility (at the Solidity language level), it will struggle to have, as the EVM does, the most complete and mature Web3 development ecosystem.


zkVM may be the bigger trend: it can turn the vertical optimization of the EVM into horizontal expansion of the EVM ecosystem, beyond the EVM's limitations.


6. The future of zkVM


Could there be a general-purpose zkVM that lets smart contracts in every programming language, not just Solidity or Cairo but Rust, C++ and Go, run safely with the blessing of zero-knowledge proofs? (Stellar tried, but failed.)


As @kelvinfichter said: Why zkEVM if zkMIPS? As @KyleSamani said: EVM is a bug not a feature. Why zkEVM if zkVM?


Winterfell, Distaff, Miden VM and other zkVMs are not very developer-friendly. Nervos has a RISC-V VM, but Nervos does not use zero-knowledge proof technology.


The best solution under the current circumstances is to build a WASM or RISC-V zkVM, preferably supporting languages such as Rust, Go, C++ and even Solidity (zkSync seems able to contribute a great deal here). If such a general-purpose zkVM exists, it will be a blow to zkEVM.


Web3 developers account for about 0.07% of all developers, so the number of Solidity developers is presumably below 0.07%, and those who write contracts in Cairo or circuits in Leo are fewer still. Such a perfect zkVM would target almost 100% of developers: any developer could get a perfect zero-knowledge execution environment in almost any language.



Native zkEVM is the future of blockchain.


Universal zkVM is the future of Web3.

