Because of Kevaundray Wedderburn, Alex Stokes, Tim Beiko, Mary Maller, Alexander Hicks, George Kadianakis, Dankrad Feist, and Justin Drake for suggestions and assessment.
Ethereum goes all in on ZK. Ultimately we count on emigrate to utilizing ZK proofs in any respect ranges of the stack, from consensus layer signature aggregation to onchain privateness with shopper facet proving, and improve the protocol to be easier and extra zk-friendly. However step one will probably be an L1 zkEVM.
How we will ship an L1 zkEVM in lower than a yr
The quickest and most secure technique to ship an L1 zkEVM is to begin by giving validators the choice to run shoppers that, moderately than re-executing execution payloads, statelessly confirm a number of (let’s say three) proofs generated by totally different zkVMs every proving totally different EVM implementations. As a result of proof verification is so quick and proof measurement so succinct, downloading and verifying a number of proofs may be very affordable and permits us to use the identical protection in depth as current shopper range to zkVMs.
For this plan to initially confirm execution proofs offchain, all we want from the protocol is a few type of pipelining in Glamsterdam to permit for extra proving time.
Initially, we count on few validators to run ZK shoppers. Over time, their safety will probably be demonstrated in manufacturing. With the EF additionally placing sources into formal verification, specification writing, audits, and bug bounties; we count on adoption will slowly enhance.
When a supermajority of stake is snug working ZK shoppers, we will enhance the gasoline restrict to a degree that will require validators working affordable {hardware} to confirm proofs as an alternative of re-executing blocks. As soon as all validators are verifying execution proofs, the identical proofs will also be utilized by an EXECUTE precompile for native zk-rollups.
Defining realtime proving for the L1
Our biggest benefit in executing this plan is the flexibility to harness all the zkVM business in direction of making Ethereum by far the biggest ZK utility on the planet. Many zkVMs are already proving Ethereum blocks and efficiency breakthroughs are being introduced on a weekly foundation.
With a purpose to keep the safety, liveness, and censorship-resistance properties of the L1 the Ethereum Basis is proposing a standardized definition of realtime proving for zkVM groups to work in direction of.
On the proof system facet, zkVMs focusing on realtime proving ought to intention for 128 bits of safety, which we take into account the precise long-term goal for Ethereum L1. Nevertheless, we’re prepared to simply accept a minimal of 100 bits of safety within the preliminary months of deployment, to accommodate short-term engineering challenges in reaching 128 bits. Proof measurement ought to stay underneath 300KiB and should not depend on recursive wrappers that use trusted setups. We count on proof programs to maneuver to 128-bit safety by the point ZK shoppers are in manufacturing and to additional tighten safety necessities (e.g. relating to conjectures) as proving time decreases.
With the present slot time of 12 seconds and most time to propagate information throughout the community of ~1.5 seconds, realtime means 10 seconds or much less. We count on zkVMs to have the ability to show at the very least 99% of mainnet blocks on this window, with the tail finish (in addition to artificial DOS vectors) mitigated in future onerous forks.
With a purpose to keep the best ranges of liveness and censorship resistance, our definition of realtime proving goals to allow “residence proving” with the concept that a number of the solo stakers who presently run validators from residence will opt-in to proving. Although we count on to harden censorship resistance by enforced transaction inclusion earlier than verifying ZK proofs is made obligatory, residence proving is a crucial closing safeguard.
Since proving within the cloud is already fairly low cost with multi-GPU spot cases, the main focus for zkVM groups focusing on realtime proving will largely be optimizing for working provers on-prem the place the specs are way more constrained. On-prem realtime proving ought to require a most capital expenditure of 100k USD (at time of writing it requires ~$80k in stake to run a validator). We count on this to come back down over time even because the gasoline restrict is elevated.
Greater than {hardware} value, probably the most important constraint for residence proving utilizing GPUs is power utilization. Most residential properties have at the very least 10kW getting into from the road and a few can have circuits supposed for electrical home equipment or charging electrical autos with 10kW capability. Due to this fact, realtime proving have to be doable on {hardware} working at 10kW or much less.
This brings us to our working definition of realtime proving:
- Latency: <= 10s for P99 of mainnet blocks
- On-prem CAPEX: <= 100k USD
- On-prem energy: <= 10kW
- Code: Absolutely open supply
- Safety: >= 128 bits
- Proof measurement: <= 300KiB with no trusted setups
The race to realtime
Between now and Devconnect Argentina, we hope to see zkVM groups proceed innovating in direction of realtime residence proving, and for the main zkVMs to change into future core infrastructure for Ethereum.
