Notes from the a16z Crypto Summit: ZK technical direction and potential projects

This is a new approach to SNARK design from the a16z crypto team of researchers and engineers that is already 2x faster than the current state-of-the-art, with more improvements coming soon.

By Joseph Bonneau

Compiled by: DAOSquare

Editor’s Note: Field Notes is a series where we report from the field at important industry, research, and other events. In this installment, Joseph Bonneau, a16z crypto research partner and assistant professor at NYU, attended and took notes from the 11th zkSummit in Athens on Wednesday, April 10. The event, hosted by the Zero Knowledge podcast, had approximately 500 attendees and featured four simultaneous talks over the course of a single day. Below is a summary of Bonneau’s presentation, covering the latest in zero-knowledge hardware, SNARK performance, and auction network design, including some mention of Jolt, a new approach to SNARK design from the a16z crypto research and engineering team that is already 2x faster than the current state-of-the-art, with more improvements coming soon.

ZK Hardware

Hardware support for proof generation has long been a community goal. The first two talks on the main stage provided an overview of current developments in this area.

  • Justin Drake, a researcher at the Ethereum Foundation, gave an overview of ZK hardware, including a taxonomy of companies in the space. The list includes companies using general-purpose hardware (such as Ulvetanna), companies making custom hardware (including Accseal, Cysic, and Fabric), and companies running decentralized proof networks (such as Aleo). He predicted that the endgame of zkVMs, such as Jolt enhanced by Binius (a hardware-optimized SNARK verification system), together with other upcoming optimizations and specialized hardware, could achieve 1,000x computational overhead and could affect the final, fully battle-tested version of Ethereum. He also predicted that hardware will focus primarily on non-ZK succinct proofs, and that most proofs will use Groth16 wrappers as an outer layer. He also mentioned that the Ethereum Foundation will announce a competition for formal verification of provers and verifiers with a prize of $20 million.

  • Jim Posen, co-founder of Ulvetanna, talked about Binius and the general concept of designing proof systems and hardware simultaneously. Binius uses binary tower fields and the sumcheck protocol, which Jolt is also based on. An interesting conclusion from early testing of Binius is that the hash function Groestl (the SHA-3 runner-up) performs significantly better than Keccak (the official SHA-3 standard), so using Groestl may be more advantageous in certain applications.

Decentralized Prover Network

Many in the space envision a future in which proof generation for large statements (e.g., the correctness of a batch of transactions in a Rollup) is performed by a competitive, decentralized market of professional attesters.

  • Succinct co-founder Uma Roy talked about Succinct's upcoming prover network. She walked through various potential mechanism designs for a decentralized prover network and predicted that designs based on competition (first to prove wins) or mining (first to prove wins, modulo randomness) would not lead to good results. She said the design goals should be: minimum cost, maximum latency, and censorship resistance, in that order. She predicted that the issuance/staking model might work, but the auction model is most likely to win out and may end up looking like today's block construction. She said Succinct is building a general auction network for proving that supports multiple zkVMs, such as Jolt/Lasso, not just Succinct's own SP1.

  • Yale PhD student Wenhao Wang talked about a new paper on the economics of prover networks that was published the morning of the talk, which he co-authored with Ben Fisch (Espresso Systems) and Ben Livshits (Matter Labs). Wenhao mentioned that bilateral auctions are vulnerable to collusion between provers and bidders, and the authors introduced an alternative mechanism called Proo-phi, which introduces a new matching transaction and proof mechanism. Proo-phi requires setting a capacity parameter, which seems to be a key open design problem.

  • Daniel Kales, co-founder and CTO of TACEO, spoke about the proof market that supports multi-party computation (MPC), specifically using MPC to maintain privacy between small clients with private witnesses and trustless large provers. He talked about how we can choose a combination of proof systems to perform linear operations (such as the Fast Fourier Transform algorithm) that are relatively cheap in MPC and can minimize costs.

ZK Credentials

Three different events discussed efforts to build zero-knowledge credentials from existing identity systems. Each relied on a different existing identity system.

  • Aayush Gupta and Sora Suegami, co-founders of ZK Email, talked about ZK email address ownership proofs. These rely on proving knowledge of the DKIM signature of an email sent to a specific address, and DKIM has been widely deployed by major email providers (although mainly as an anti-spam measure). Many applications can use ZK to prove that a user controls an email address, including sending money to an email address, and anonymous reporting.

  • Alin Tomescu, a research scientist at Aptos Labs, talked about Aptos Keyless, which uses OpenID Connect to interact with traditional web2 identities. OpenID Connect is the technology that enables login with Facebook, Google, etc. on third-party websites. Aptos Keyless interacts with existing OpenID providers and proves that the user controls a given address, making it possible to do things like send money to a Google or Facebook account.

  • Michael Elliot and Derya Karli of zkPassport discussed how anonymous credentials can be constructed from existing electronic passports. For example, a user could prove that they hold a US passport and are over 25 years old, without revealing their passport number or exact age.
