
Can the ZK real-time proof mentioned by Vitalik be implemented with ZK hardware acceleration?

author:MarsBit

Original author: Fu how

Original source: Odaily Planet Daily

During the 2024 Hong Kong Web3 Carnival, Ethereum co-founder Vitalik Buterin gave a talk titled "Reaching the Limits of Protocol Design". In it, Vitalik discussed how the efficiency of zk-SNARKs can be improved.

In his speech, Vitalik pointed out that blockchains today are built on a trade-off that sacrifices privacy and scalability, and that the properties of zk-SNARKs can recover both. An Ethereum node needs about 400 milliseconds to verify a block, whereas generating a zk-SNARK proof for an Ethereum block takes about 20 minutes, a gap of roughly 3,000x. So running zk-SNARKs inside the existing network requires "real-time proving": if proof generation can be brought down to the pace at which blocks are produced, the chain keeps its current speed while gaining privacy and scalability.

What is the best way to achieve "real-time proving"? Odaily breaks down the ideas Vitalik offered in his presentation and gives a short introduction to the corresponding projects.

Three directions for making zk-SNARKs "real-time"

Before that, a quick look at what a zk-SNARK is. zk-SNARK stands for zero-knowledge succinct non-interactive argument of knowledge; taking the parts separately:

  • Zero-knowledge: the prover can convince the verifier that a statement is true without revealing anything beyond the fact that it is true, in particular nothing about the private witness.
  • Succinct: the proof is small and can be verified quickly, with proof size and verification time essentially independent of how large the computation being proven is.
  • Non-interactive: the prover sends a single message; no back-and-forth between prover and verifier is needed.

The following is a flowchart of how a zk-SNARK works. A brief reading of the diagram:

  1. Setup: randomness is used to generate the trusted-setup parameters, from which a proving key pk and a verification key vk are derived.
  2. Proving: the prover takes the private input (witness) W and the public input x and, using pk, produces a proof π. π consists of elliptic-curve commitments that bind the prover to W without revealing it; pk is a proving key, not a signing key, and π is not a signature.
  3. Verification: the verifier holds vk, takes x and π as input, and checks that whoever produced π knows a W that satisfies the statement. The verifier learns nothing about W.
  4. Result: TRUE if verification succeeds, FALSE otherwise.

From the above walk-through of Zcash's zk-SNARK pipeline it is easy to see that verifying a proof involves few steps and, by the succinctness property, little time: across the commonly cited zk-SNARK benchmarks, verification generally takes no more than 80 milliseconds. The reason zk-SNARKs are still an obstacle to running a public chain therefore lies on the prover's side, in proof generation.


The above figure summarizes the mainstream zk-SNARK schemes. It shows that proof size, proof generation time, and verification time are the standard yardsticks for comparing them. Verification time aside, most schemes fall well short of the target Vitalik set with the Ethereum example at the beginning of this article, both in proof size and in generation time.

To close that gap, Vitalik offered three optimization directions for "real-time proving" in his talk.

  • Parallelization and aggregation: prove large blocks efficiently through parallel computation and proof aggregation. Each step of the computation can be proven independently, and the resulting proofs are then aggregated (recursively folded into one), so that wall-clock proving time drops as more machines are added. This exploits the structure of parallel computing and distributed systems to speed up proving for large blocks.
  • Hardware design improvements: design ASICs specifically for SNARK computation. Like the ASICs used in mining, SNARK ASICs accelerate the prover's core operations through custom hardware structures and optimized algorithms, yielding faster proof generation at lower cost.
  • Algorithm improvements: further optimize the proof systems themselves, including Groth16, lookup tables, 64-bit SNARKs, 32-bit STARKs, and so on, to improve efficiency and scalability. In addition, hash functions and signature schemes that are cheaper to express inside a SNARK circuit can be researched and developed, further reducing proving time and resource use.

Vitalik favors the first direction, parallel computing and proof aggregation, but it requires changes to both the chain and the zk-SNARK pipeline (for example, the recursive composition that Plonk-style systems already support), and there is as yet no mature solution that makes parallel proving and aggregation work end to end for this problem.

As for algorithmic improvement, Groth16 is still the mainstream zk-SNARK in terms of raw performance. The schemes that followed it mostly set out to remove its per-circuit trusted setup rather than to cut proving time, so there has been little progress on speed and proof generation time from that direction. There is also a trade-off in this design space: the simpler the setup and the faster the scheme, the stronger the assumptions it tends to rely on, so any speed-up has to be built without weakening security.

Both of these directions are primarily theoretical and will take a long time to produce a breakthrough. Setting theory aside, then, is there another way to reach "real-time proving" quickly? Hardware design improvement may be the best shortcut to that goal.

ZK hardware acceleration may deliver "real-time proving" soonest

From the discussion of zk-SNARK performance above, it is clear that the real limit on zk-SNARK performance is proof generation, where the size of the circuit (the number of constraints being proven) largely determines proving time. Most projects are becoming more complex, their circuits are growing, and the compute needed to generate proofs is growing with them. This is the demand that ZK hardware acceleration projects arose to meet.

ZK hardware acceleration mainly supplies compute for two kernels inside proof generation: polynomial operations built on the NTT (number-theoretic transform), and elliptic-curve MSM (multi-scalar multiplication). Both have simple control flow, consist mostly of repeated identical arithmetic steps, and can be parallelized and pipelined, which is exactly what custom hardware does well.
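The two kernels are worth seeing concretely, because their structure is what makes them hardware-friendly. The block below is an added illustration, not code from the article or from any of the projects it names. It implements a radix-2 NTT over the Goldilocks field (p = 2^64 - 2^32 + 1, multiplicative generator 7; both are assumptions chosen for this example) and a Pippenger bucket-method MSM over a small toy curve y^2 = x^3 + 2x + 3 mod 97 (also an assumption, with generator point (3, 6)), each checked against a naive version. In the NTT, every butterfly inside one stage is independent; in the MSM, every window's bucket accumulation is independent. Those are the loops a GPU, FPGA or ASIC runs in parallel.

```python
"""NTT and Pippenger MSM, the two prover kernels that ZK accelerators target (illustrative toy code)."""
from typing import List, Optional, Tuple

# ---- NTT over the Goldilocks field (assumed for this example): 2^32 divides p - 1 ----
P = 2**64 - 2**32 + 1
GENERATOR = 7  # multiplicative generator of F_p*, so 7^((p-1)/n) is a primitive n-th root of unity


def root_of_unity(n: int) -> int:
    assert n & (n - 1) == 0 and (P - 1) % n == 0, "n must be a power of two dividing p-1"
    return pow(GENERATOR, (P - 1) // n, P)


def naive_evaluations(coeffs: List[int]) -> List[int]:
    """O(n^2) reference: evaluate the polynomial at omega^0 .. omega^(n-1)."""
    n, w = len(coeffs), root_of_unity(len(coeffs))
    return [sum(c * pow(w, i * k, P) for i, c in enumerate(coeffs)) % P for k in range(n)]


def ntt(coeffs: List[int]) -> List[int]:
    """Iterative radix-2 Cooley-Tukey NTT, O(n log n). Same output as naive_evaluations."""
    n, a = len(coeffs), list(coeffs)
    j = 0                                  # bit-reversal permutation of the input
    for i in range(1, n):
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j |= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:                     # log2(n) stages ...
        w_len = root_of_unity(length)
        for start in range(0, n, length):  # ... each made of n/2 independent butterflies
            w = 1
            for k in range(start, start + length // 2):
                u, v = a[k], a[k + length // 2] * w % P
                a[k], a[k + length // 2] = (u + v) % P, (u - v) % P
                w = w * w_len % P
        length <<= 1
    return a


# ---- MSM over a toy short-Weierstrass curve y^2 = x^3 + A x + B mod Q (assumed for this example) ----
Q, A, B = 97, 2, 3
Point = Optional[Tuple[int, int]]          # None is the point at infinity


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine group law; handles infinity, doubling and P + (-P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (works for any non-negative k)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def msm_naive(scalars: List[int], points: List[Point]) -> Point:
    """Reference: sum_i s_i * P_i computed one scalar multiplication at a time."""
    acc = None
    for s, pt in zip(scalars, points):
        acc = ec_add(acc, ec_mul(s, pt))
    return acc


def msm_pippenger(scalars: List[int], points: List[Point], c: int = 4) -> Point:
    """Pippenger bucket method with c-bit windows. Each window is independent work."""
    max_bits = max(s.bit_length() for s in scalars)
    windows = (max_bits + c - 1) // c
    window_sums: List[Point] = []
    for w in range(windows):
        buckets: List[Point] = [None] * (1 << c)
        for s, pt in zip(scalars, points):             # scatter each point into its bucket
            idx = (s >> (w * c)) & ((1 << c) - 1)
            if idx:
                buckets[idx] = ec_add(buckets[idx], pt)
        running: Point = None
        total: Point = None
        for idx in range((1 << c) - 1, 0, -1):         # sum_idx idx * bucket[idx] with only additions
            running = ec_add(running, buckets[idx])
            total = ec_add(total, running)
        window_sums.append(total)
    result: Point = None
    for total in reversed(window_sums):                # Horner step: result = 2^c * result + total
        for _ in range(c):
            result = ec_add(result, result)
        result = ec_add(result, total)
    return result
```

The bucket trick is the whole point of Pippenger: instead of one double-and-add per scalar, points sharing the same window value are added once into a bucket, so the cost per window is roughly one addition per point plus 2^c bucket merges, independent of the scalar size. Accelerators exploit the same independence, running the per-window bucket accumulation and the per-stage NTT butterflies across many arithmetic units at once.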

ZK hardware is not very different from mining hardware and comes in the same three forms: GPU, FPGA, and ASIC. GPU and FPGA solutions are currently the more common choice in ZK hardware acceleration, because they are easier to build on and the parts are easier to source. ASICs, however, have greater potential than either and are one of the current growth points in the field.

ZK hardware acceleration projects currently supply compute to ZK projects in two ways: hardware sales and SaaS compute services. Hardware sales work like Bitmain selling mining machines; SaaS compute services are closer to a compute marketplace, where ZK projects buy proving capacity to generate their proofs.

ZK hardware acceleration is still a relatively niche field, and without Vitalik's speech most people would not know which projects exist. Odaily has therefore surveyed the sector; among its projects, Cysic, Ingonyama, Supranational, Ulvetanna and Auradine are currently the better known.

Among them, Cysic is currently drawing the most attention: its FPGA/ASIC hardware acceleration stands out on compute performance, and it also operates a compute marketplace that supplies proving capacity to customers. Auradine is broader; its main product is Bitcoin mining machines, and it offers ZK compute hardware alongside them, but ZK hardware is not its core business. Ulvetanna focuses on FPGA clusters that supply compute to ZK projects, and notably counts the well-known Web3 investor Paradigm among its backers. Supranational is an unusual case: as of this writing, its Twitter account and official website were last updated in May of last year. Ingonyama offers both GPU-based and FPGA-based hardware acceleration services.