Author: Joseph Bonneau
Translator: DAOSquare
Editor’s Note: Field Notes is a series where we report from the field on important industries, research, and other activities. In this issue, Joseph Bonneau, a research partner at a16z crypto and assistant professor at New York University, attended the 11th zkSummit in Athens on April 10th and took notes. The event was hosted by the Zero Knowledge podcast and had approximately 500 attendees with four talks held throughout the day. The following is a summary of Bonneau’s report, covering the latest developments in zero-knowledge hardware, SNARK performance, and auction network design, including some mentions of Jolt, a new approach to SNARK design by the a16z crypto research and engineering team that is already twice as fast as the current state-of-the-art technology, with more improvements on the horizon.
ZK Hardware
Support for hardware acceleration of proof generation has long been a goal of the community. The first two talks held on the main stage provided an overview of the current developments in this area.
Justin Drake, a researcher at the Ethereum Foundation, gave an overview of ZK hardware, including a taxonomy of companies in the field. The list includes companies using general-purpose hardware, such as Ulvetanna; companies manufacturing custom hardware, including Accseal, Cysic, and Fabric; and companies running decentralized proof networks, such as Aleo. He predicted that an “endgame” zkVM, such as Jolt enhanced by Binius (a hardware-optimized SNARK verification system) together with other upcoming optimizations and dedicated hardware, could achieve a 1000x improvement in computational costs and potentially impact the final battle-tested version of Ethereum. He also mentioned that the Ethereum Foundation will announce a competition with a $20 million prize for formal verification of provers and verifiers.
Jim Posen, co-founder of Ulvetanna, discussed Binius and the general concept of designing proof systems and hardware simultaneously. Binius uses binary field towers and the sumcheck protocol, which Jolt is also based on. One interesting conclusion from early testing of Binius is that the performance of the Groestl hash function (SHA-3 runner-up) is significantly better than Keccak (the official SHA-3 standard), so using Groestl may be more advantageous in certain applications.
Decentralized Prover Networks
Many in the field envision a future where proofs of large-scale statements, such as the correctness of a batch of transactions in a rollup, are produced by a competitive, decentralized marketplace of specialized provers.
Uma Roy, co-founder of Succinct, discussed the upcoming Prover Network by Succinct. She outlined various potential mechanism designs for decentralized prover networks and predicted that designs based on competitions (winner-takes-all) or mining (winner-takes-all with modulo randomness) would not yield good results. She said that the design goals should be, in order, minimal cost, maximum latency, and censorship resistance. She predicted that issuance/staking models might work, but that auction models are most likely to succeed, eventually resembling today’s block construction. She mentioned that Succinct is building a generic auction network to support proofs from multiple zkVMs, such as Jolt/Lasso, not just Succinct’s own SP1.
Wenhao Wang, a PhD student at Yale University, talked about a new paper on prover network economics that was published on the morning of the talk. He co-authored the paper with Ben Fisch (Espresso Systems) and Ben Livshits (Matter Labs). Wenhao mentioned that bilateral auctions are susceptible to collusion between provers and bidders, and the authors introduced an alternative mechanism called Proo-phi, which introduces new matching transactions and proof mechanisms. Proo-phi requires setting capacity parameters, which seems to be a key open design question.
Daniel Kales, co-founder and CTO of TACEO, discussed proof markets that support multi-party computation (MPC), specifically using MPC to maintain privacy between small clients with private witnesses and untrusted large provers. He talked about how to choose combinations of proof systems for linear operations, such as the Fast Fourier Transform algorithm, which are relatively cheap in MPC and can minimize costs.
ZK Credentials
Three separate sessions discussed efforts to build zero-knowledge credentials from existing identity systems. Each relies on a different existing identity system.
Aayush Gupta and Sora Suegami, co-founders of ZK Email, talked about zero-knowledge proofs of email address ownership. These rely on proving knowledge of DKIM signatures on emails sent to a specific address, and DKIM has been widely deployed by major email providers (though primarily as an anti-spam measure). Many applications could benefit from ZK proofs of user control over email addresses, including sending funds to email addresses and anonymous reporting.
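As an added illustration (not ZK Email's code and not part of Bonneau's notes), the sketch below evaluates in the clear the checks that tie a DKIM signature to a recipient: the `To:` header must appear in the signed header list `h=`, and the body must match the `bh=` hash (RFC 6376, relaxed canonicalization). The function names and the sample message are constructed for this example, and the RSA verification over the signed headers is assumed to follow and is omitted.

```python
import base64, hashlib, re

def parse_tags(value):
    """Split a DKIM-Signature tag list (RFC 6376, section 3.2) into {tag: value}."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def relaxed_body_hash(body: bytes) -> str:
    """bh= value for the 'relaxed' body canonicalization with SHA-256."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # trailing empty lines are ignored
        lines.pop()
    canon = b"".join(l + b"\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def recipient_binding(headers, body, claimed_to):
    """Checks that precede the RSA step; returns a reason string."""
    hdrs = {name.lower(): value for name, value in headers}
    sig = parse_tags(hdrs["dkim-signature"])
    if sig.get("a") != "rsa-sha256" or not sig.get("c", "").endswith("/relaxed"):
        return "unsupported"
    if "to" not in [h.lower() for h in sig["h"].split(":")]:
        return "to-not-signed"             # signature says nothing about To:
    if relaxed_body_hash(body) != sig["bh"]:
        return "body-hash-mismatch"
    m = re.search(r"[\w.+-]+@[\w.-]+", hdrs.get("to", ""))
    if not m or m.group(0).lower() != claimed_to.lower():
        return "recipient-mismatch"
    return "bound"                         # RSA check over the h= headers comes next

# Constructed sample message (not a real email; b= is a placeholder).
BODY = b"Reset code: 1234  \r\n\r\n"
HEADERS = [
    ("From", "noreply@example.com"),
    ("To", "Alice <alice@example.org>"),
    ("DKIM-Signature", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
     "s=sel1; h=from:to:subject; bh=" + relaxed_body_hash(BODY) + "; b=PLACEHOLDER"),
]

if __name__ == "__main__":
    print(recipient_binding(HEADERS, BODY, "alice@example.org"))
```

A signature whose `h=` list omits `to` still verifies as a DKIM signature, but it proves nothing about the recipient, which is why the check comes first.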
Alin Tomescu, research scientist at Aptos Labs, discussed Aptos Keyless, which interacts with traditional web2 identities using OpenID Connect. OpenID Connect is a technology that supports “log in with Facebook, Google, etc.” for third-party websites. Aptos Keyless interacts with existing OpenID providers and proves user control over a given address, enabling applications like sending funds to Google or Facebook accounts.
Michael Elliot and Derya Karli of zkPassport discussed how to build anonymous credentials from existing e-passports. For example, users could prove they hold a US passport and are over 25 years old without revealing their passport number or exact age.