zkVMs: The Next Chapter of Blockchain

•

(1/28) zkVMs, Verifiable Compute and the Next Chapter of Blockchain Everything from cloud computing to the internet itself relies on explicit and implicit trust. But it's 2024, trust is breaking down, and the world is hungry for a trustless solution A beginners guide to zkVMs

(2/28) Imagine we have a very computationally intense program - one so resource intensive that we wouldn't be able to run it on any personal devices or consumer hardware that we could realistically get our hands on. Fortunately, we live in 2024; the cloud has us covered!

(3/28) Now let's say this program is responsible for some very high stakes, irreversible decisions. Whatever this program says will have massive consequences on your life. Are you comfortable executing on someone else's hardware? Do you trust the result?

(4/28) Bottom line: whoever controls the hardware ultimately controls the program. Maybe they can manipulate the execution to influence the result, or maybe they just ignore the result and send you whatever they want you to do. Distributed computing inherently requires trust.

(5/28) Fortunately, we have a solution: through the magic of zero-knowledge cryptography (ZK), we are able to implement verifiable computing. ZK allows us to generate proofs that mathematically guarantee that an output resulted from the honest execution of unaltered code. x.com/LogarithmicRex/status/1867243214706721202

(6/28) Think of a verifiable program running in the cloud - ever answer would also come with a proof. Once verified, we know with mathematically certainty that the answer was the honest, based on the code we provided. Any manipulation at all, and the proof would not verify.

(7/28) This sounds great, but it's very challenging to implement. The basics of the underlying cryptography is incredibly arcane and difficult... and that's just the start. In order to create these systems, you need to build a structure specific to each verifiable program.

(8/28) These structures (circuits) are a mathematical representation of the verifiable program. They are very abstract and difficult, and even tiny code changes require brand new circuits. A major bottleneck to verifiable compute is the time/expertise needed to create circuits.

(9/28) For a long time, the consensus understanding was that in order to make verifiable compute a reality, we needed to drastically reduce the effort it takes to create a circuit. But here’s a thought: what if we created a circuit for an entire virtual machine?

(10/28) Let’s take a quick detour to discuss virtual machines (VMs). A VM is a software-based emulation of a physical computer that exists inside a host computing environment. Imagine running a program that models a Windows-based computer inside of your Macbook (eg @parallels). x.com/LogarithmicRex/status/1574208089661747200

(11/28) The important thing to understand about VMs: - they are programs that emulate a fully functioning computer - like a fully functional computer, they are capable of running other programs So here’s the provocation: what if we could use ZK to make a VM verifiable?

(12/28) A verifiable VM eliminates the circuit bottleneck by altering what is being proved. When using an application-specific circuit, you are proving the program’s execution. When using a VM-specific circuit, you are proving the VM executed whatever program it was given.

(13/28) Think like this: a verifiable VM generates a proof that gaurentees that the VM is acting honestly. Consequently, whatever program is given to the VM was executed honestly. If the VM honestly executed the program, then we know the program itself was executed honestly.

(14/28) While this all may feel like trivial word play, the ramifications are huge: if you can build a circuit for a VM, you don’t need to build circuits for specific programs. In other words, a single circuit can prove every program. Bottleneck solved.

(15/28) At first, this paradigm was applied to blockchain-specific VMs, specifically @ethereum’s EVM. This is the idea behind zkEVM rollups: prove the validity of every transaction and smart contract by proving the entire EVM. Verification guarantees the rollups validity. x.com/logarithmicrex/status/1569334975614582784?s=46&t=a-_27ks-01Qh0N76AOoudw

(16/28) However, the EVM is… weird. Like all blockchain VMs, it makes very specific design choices that are non-applicable/don’t make sense in regular computing. For example, gas is a meaningless concept (with no analogies) when you’re using your iPhone.

(17/28) What if, instead of using ZK to make a blockchain-specific VM verifiable, we made a generic VM verifiable? What if all programs (blockchain or not) could be proved by executing it within this generic VM? The answer: we can! We call them zkVMs!

(18/28) A zkVM is a VM designed to execute any/all programs that can run on a regular computer while automatically generating ZK proofs. Proof verification gives mathematical certainty that whatever came out of the zkVM would be exactly the same as running the program locally.

(19/28) There are a couple of factors in selecting which VM to use for a zkVM. First, it must be generic and support the full spectrum of compute - it must be able to be execute all programs. Second, it should be lightweight. More features make circuit design more difficult.

(20/28) The third is the most nuanced - it must be open source. Remember, the ZK proof only gives you certainty that the VM executed the code according to the rules of the VM. If the VM isn’t open source, we don’t know the rules… valid execution may not be fair execution.

(21/28) Fortunately, we don’t need to design a VM from scratch… the open source community has been working on this exact problem since at least 2010. RISC-V is a widely used, open standard that defines how software communicates with hardware. x.com/LogarithmicRex/status/1875236095459496226

(22/28) RISC-V refers specifically to how software is translated to a language that a CPU can understand, but it’s all we need in order to build a lightweight (but fully expressive) VM. And so, if we can create a circuit around RISC-V, we’ve essentially created a generic zkVM.

(23/28) In fact, we have multiple working implementations in production... some transforming how blockchain technology is built and works today. Particularly notable are @RiscZero, SP1 ( @SuccinctLabs ) and Jolt ( @a16zcrypto ) - although many teams are shipping aggressively.

(24/28) Just like all things in life, zkVMs are not just a free lunch - there’s a significant cost vs running the same code in a non-zk VM. Generating a proof costs time and resources, and a zkVM is generating a proof for EVERYTHING.

(25/28) Fortunately, we live in the ZK renaissance! ZK tech (specifically performance) is progressing at a rate that has surprised even the most bullish researchers… …and things are only accelerating. Soon the overhead of ZK will be unnoticeable and irrelevant.

(26/28) When ZK is cheap and automatic, all programs can be verified by any computational environment. Verification allows us to effectively project computation; once verified, it's like it was done locally. The bigger disparity between environments, the more powerful the effect

(27/28) For me, the most exciting application is for blockchain. By nature, blockchains are inherently resource-constrained. ZK/verifiable compute allows us to project any type or scale of computation directly on-chain. ZK is what will transform Ethereum into the World Computer. x.com/LogarithmicRex/status/1861788897057140780

(28/28) In summary, a zkVM is a general purpose computing platform, capable of executing any program a regular computer can, which automatically generate ZK proofs. Proof verification gives mathematical certainty a program was executed honestly - as if it was executed locally.