By Joseph Bonneau, DAOSquare
Editor’s Note: Field Notes is a series where we report from the field at important industry, research, and other events. In this installment, Joseph Bonneau, a16z crypto research partner and assistant professor at NYU, attended the 11th annual Zero Knowledge Summit (zkSummit) in Athens on Wednesday, April 10, and took notes. The event, hosted by the Zero Knowledge Podcast, had approximately 500 attendees and featured four simultaneous talks over the course of a single day. Below is a summary of Bonneau’s presentation, which covers the latest in zero-knowledge hardware, SNARK performance, and auction network design, including some mention of Jolt, a new approach to SNARK design from the a16z crypto research and engineering team that is already 2x faster than the current state-of-the-art, with more improvements to come.
ZK Hardware
Hardware support for proof generation has long been a community goal. The first two talks on the main stage provided an overview of current developments in this area.
Justin Drake, a researcher at the Ethereum Foundation, gave an overview of ZK hardware, including a taxonomy of companies in the space. The list includes companies using general-purpose hardware (such as Ulvetanna), companies making custom hardware (including Accseal, Cysic, and Fabric), and companies running decentralized proof networks (such as Aleo). He predicted that "endgame" zkVMs such as Jolt, enhanced by Binius (a hardware-optimized SNARK verification system) and other upcoming optimizations, together with specialized hardware, could achieve 1,000x computational overhead and could impact the final, fully battle-tested version of Ethereum. He also predicted that hardware will focus primarily on non-ZK succinct proofs, and that most proofs will use Groth16 wrappers on the face. He also mentioned that the Ethereum Foundation will announce a competition for formal verification of provers and verifiers with a $20 million prize.
Ulvetanna co-founder Jim Posen talked about Binius, and the general concept of designing proof systems and hardware simultaneously. Binius uses the binary tower field and sumcheck protocol, which Jolt is also based on. An interesting conclusion from early testing of Binius is that the hash function Groestl (a SHA-3 runner-up) performs significantly better than Keccak (the official SHA-3 standard), so using Groestl may be more advantageous in certain applications.
Decentralized Prover Network
Many in the space envision a future where proof generation for large statements (e.g., the correctness of a batch of transactions in a Rollup) is done by a competitive, decentralized market of professional provers.
Succinct co-founder Uma Roy talked about Succinct’s upcoming prover network. She presented various potential mechanism designs for decentralized prover networks, and predicted that designs based on competition (first to prove wins) or mining (first to prove wins, modulo randomness) would not lead to good results. She said the design goals should be, in this order: minimum cost, maximum latency, and censorship resistance. She predicted that the issuance/staking model might work, but that the auction model is most likely to win out and may end up looking like today's block construction. She said Succinct is building a general auction network for proving that supports multiple zkVMs, such as Jolt/Lasso, not just Succinct's own SP1.
Yale PhD student Wenhao Wang talked about a new paper on the economics of prover networks that was published the morning of the talk, which he co-authored with Ben Fisch (Espresso Systems) and Ben Livshits (Matter Labs). Wenhao mentioned that bilateral auctions are vulnerable to collusion between provers and bidders, and they introduced an alternative mechanism called Proo-phi, which introduces a new matching transaction and proof mechanism. Proo-phi requires setting capacity parameters, which seems to be a key open design problem.
Daniel Kales, co-founder and CTO of TACEO, talked about supporting proof markets for multi-party computation (MPC), and in particular using MPC to maintain privacy between small clients with private witnesses and trustless large provers. He talked about how we can choose a combination of proof systems that perform linear operations (like the Fast Fourier Transform algorithm) that are relatively cheap in MPC and that minimize costs.
ZK Credentials
Three different events discussed efforts to build zero-knowledge credentials from existing identity systems. Each relied on a different existing identity system.
Aayush Gupta and Sora Suegami, co-founders of ZK Email, talked about ZK proofs of email address ownership. These rely on proving knowledge of a DKIM signature for an email sent to a specific address, and DKIM has been widely deployed by major email providers (although primarily as an anti-spam measure). Many applications can use ZK to prove that a user controls an email address, including sending money to an email address and anonymous reporting.
Alin Tomescu, a research scientist at Aptos Labs, talked about Aptos Keyless, which uses OpenID Connect to interact with traditional web2 identity. OpenID Connect is the technology that enables "login with Facebook, Google, etc." for third-party websites. Aptos Keyless interacts with existing OpenID providers and proves that a user controls a given address, making applications like sending money to a Google or Facebook account possible.
Michael Elliot and Derya Karli of zkPassport discussed how anonymous credentials can be built from existing electronic passports. For example, a user can prove that they hold a US passport and are over 25 years old, without revealing their passport number or exact age.