Zero-Knowledge (ZK) technology serves as a bridge for the mass adoption of cryptography. Whether in Web2 or Web3, anything involving Zero-Knowledge Proofs (ZKPs) is poised to create substantial value. This article introduces the basics of ZK and zkVM, provides a high-level overview of the processes within a zkVM, and proposes a set of criteria for evaluating zkVM implementations.
Introduction to Zero-Knowledge Proofs
A Zero-Knowledge Proof (ZKP) allows one party (the prover) to demonstrate to another party (the verifier) that they possess certain knowledge without revealing any details about that knowledge. More specifically, ZKPs can prove knowledge of a piece of data or the result of a computation without disclosing the underlying data or inputs. The process of creating a zero-knowledge proof involves a series of mathematical models that transform computational results into a piece of verifiable, yet meaningless, information.
In some cases, the effort required to verify a proof—after multiple rounds of algebraic transformations and cryptographic operations—is less than that needed to perform the original computation. This unique combination of security and scalability makes zero-knowledge cryptography an exceptionally powerful tool.
zkSNARKs and zkSTARKs
zkSNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge):
- Rely on an initial setup process (which may be trusted or untrusted) to establish verification parameters.
- Require at least one interaction between the prover and the verifier.
- Produce small proofs that are easy to verify.
- Used by rollups like zkSync, Scroll, and Linea.
zkSTARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge):
- Do not require a trusted setup.
- Use publicly verifiable randomness to create trustless verifiable systems.
- Highly scalable, capable of quickly generating and verifying proofs even for large datasets.
- Non-interactive; no back-and-forth between prover and verifier.
- Generate larger proofs, making verification more computationally intensive than some SNARKs.
- Used by Starknet and zkVMs like Risc Zero and Succinct Labs.
It's worth noting that all STARKs are SNARKs, but not all SNARKs are STARKs.
Understanding zkVM
A Virtual Machine (VM) is a program that runs other programs. In this context, a zkVM is a virtual computer implemented as a system for generating zero-knowledge proofs. It serves as a general-purpose circuit or tool for generating ZKPs for any program or computation.
zkVMs eliminate the need for developers to learn complex mathematics and cryptography when designing and writing ZK applications. They allow developers to execute programs written in their preferred language and generate ZKPs, making it easier to integrate and interact with zero-knowledge technology. Broadly speaking, most references to zkVMs implicitly include the compiler toolchain and proof system attached to the executing VM, not just the VM itself.
Key Components of a zkVM
The design and implementation of each component are determined by the choice of proof system (SNARK or STARK) and the zkVM’s Instruction Set Architecture (ISA). The ISA specifies the capabilities of the VM (data types, registers, memory, etc.) and the sequence of operations performed when executing a program. The choice of ISA can fundamentally impact the accessibility, usability, speed, and efficiency of the proof generation process.
Key components include:
- Compiler: Translates high-level code (e.g., C, Rust, Solidity) into machine code interpretable by the VM.
- Virtual Machine: Executes the machine code and produces an execution trace—a step-by-step record of the program’s operations.
- Proof System: Converts the execution trace into a zero-knowledge proof using mathematical transformations and cryptographic commitments.
Abstract zkVM Process Flow
The general workflow of a zkVM can be broken down into several stages:
Compilation Phase
- The compiler translates a program written in a conventional language (e.g., C++, Rust, Solidity) into machine code. The format of this machine code is determined by the chosen ISA.
Virtual Machine Phase
- The VM executes the machine code and generates an execution trace—a sequence of steps representing the program’s execution. The trace format is predetermined by the choice of arithmetization and polynomial constraint sets.
Verification Phase
- The prover receives the trace and represents it as a set of polynomials subject to constraints, effectively mapping the computation into algebraic form.
- The prover uses a Polynomial Commitment Scheme (PCS) to commit to these polynomials. This allows the prover to create a "fingerprint" of the data without revealing the data itself.
- The prover runs a Polynomial Interactive Oracle Proof (PIOP) to show that the committed polynomials represent a valid execution trace satisfying the given constraints.
- The Fiat-Shamir heuristic is applied to convert the interactive proof into a non-interactive one, using pseudorandom challenges.
- The prover generates an evaluation or "opening" proof to convince the verifier that the polynomial evaluations are correct relative to the commitments.
Verifier Phase
- The verifier checks the proof using the constraints or commitments, following the proof system’s verification protocol. The verifier accepts or rejects the result based on the proof’s validity.
In summary, a zkVM proof demonstrates that for a given program, output, and initial conditions, there exists some input that leads the program to produce the given output when executed on the VM.
👉 Explore advanced zkVM strategies
Evaluating a zkVM
What criteria should we use to evaluate a zkVM? The answer depends on the use case. Market research indicates that for most commercial applications, the most important attributes are speed or core-time efficiency. Some applications are price-sensitive and prioritize low energy consumption and capital usage; for these, core-time efficiency may be the key metric. Others, especially in finance or trading, are latency-sensitive and prioritize speed.
Most public performance comparisons focus solely on speed, which is important but not a holistic measure of performance. Several critical attributes measure the reliability of a zkVM; many fall short of production-ready standards, even for market-leading implementations.
We propose that zkVMs be evaluated based on the following criteria, divided into two subsets:
Baseline: Reliability Measures
- Correctness: The VM must execute computations as intended, and the proof system must satisfy its claimed security properties.
- Security: Involves tolerances for reliability, completeness, and zero-knowledge properties.
- Trust Assumptions: Assumptions about the honesty of provers and verifiers required for the zkVM to operate reliably.
Performance: Functional Measures
- Efficiency: The resources consumed by the prover, measured in core-time and space efficiency.
- Speed: The wall-clock time required to generate a proof.
- Succinctness: The size of the generated proof and the complexity of verifying it.
The zkVM Trilemma
Optimizing one attribute often comes at the expense of others:
- Speed: Fast proof generation but larger proofs and higher resource consumption.
- Succinctness: Smaller proofs and faster verification but slower proof generation.
- Efficiency: Lower resource usage but potentially slower proof generation and less succinct proofs.
A good approach is to define acceptable levels for each attribute and then optimize for the most critical one while ensuring others remain sufficient.
Frequently Asked Questions
What is the difference between zkSNARKs and zkSTARKs?
zkSNARKs require a trusted setup and produce small, easily verifiable proofs. zkSTARKs do not need a trusted setup and are highly scalable but generate larger proofs. All STARKs are SNARKs, but not vice versa.
Why are zkVMs important?
zkVMs allow developers to generate zero-knowledge proofs without deep expertise in cryptography. They enable broader adoption of ZK technology by simplifying the integration process.
What are the main challenges in zkVM development?
Balancing speed, efficiency, and succinctness is a key challenge. Ensuring correctness and security while minimizing trust assumptions is also critical for production-ready systems.
How do I choose the right zkVM for my project?
Consider your application’s priorities: if latency is critical, focus on speed; if cost is a concern, prioritize efficiency. Always evaluate baseline reliability measures like correctness and security.
Can zkVMs be used outside blockchain?
Yes, zkVMs have applications in various fields, including data privacy, authentication, and secure computation, wherever verifiable trustless computation is beneficial.
What is the role of the Instruction Set Architecture (ISA) in a zkVM?
The ISA defines the machine code that the VM can execute. It influences the zkVM’s accessibility, usability, and proof generation efficiency.
Conclusion
zkVMs represent a significant advancement in making zero-knowledge technology accessible and practical. By abstracting away complex cryptographic details, they empower developers to leverage ZK proofs for a wide range of applications. Evaluating a zkVM requires a balanced consideration of correctness, security, trust assumptions, efficiency, speed, and succinctness. As the technology evolves, these frameworks will help in identifying the most suitable solutions for specific use cases.
In future articles, we will delve deeper into the common arithmetic and cryptographic processes within zkVMs, building on the foundational knowledge shared here.