Thoughts on zkRollup Hardware Acceleration and zkPOW
Fox Tech
Guest columnist
2022-12-27 08:40
Zero-knowledge proofs are undoubtedly one of the most innovative technologies in the Web3 field, and they provide an excellent technical means of building trustless products.

Original text author: Fox Tech CTO Lin Yanxi, Fox Tech CEO Kang Shuiyue


Small Application Scenario


Medium-sized application scenarios


Large application scenarios

zkRollup Layer 2s and zkEVMs are the ultimate applications of zero-knowledge proofs in Web3: they must handle the state changes arising from every possible execution in a VM or EVM. Compared with small applications, this is an order-of-magnitude increase in complexity. They place higher demands on technology and development effort, and they remain one technological leap away from the ideal user experience.


Efficient algorithms and a mature development stack are the core branches

A complete zero-knowledge algorithm passes through three stages on its way from research to application: theoretical research, development-tool construction, and specific application development. Efficiency is one of the biggest bottlenecks for the next stage of zero-knowledge proof applications, and it covers both the efficiency of the algorithm and the efficiency of development.

In terms of algorithm efficiency, different zero-knowledge proofs express the circuit to be proved in different ways and rest on different underlying mathematical hardness problems. Both factors affect the efficiency of the algorithm. The important efficiency indicators of a zero-knowledge proof algorithm include proof size, proof time, and verification time. At present, a large number of algorithms achieve short verification times, and various aggregation techniques can compress the proof size, so proof time is the main bottleneck.


Figure 1: Various zero-knowledge proof algorithms

It is expected that more teams will invest research effort in zero-knowledge proof algorithms in order to find the one that best fits the characteristics of their project. For example, Layer 2 projects such as FOX insist on designing an algorithm that reaches the theoretical lower bound for the key indicator, proof time, with linear complexity O(C), and that has logarithmic verification time and no trusted setup. Such an algorithm is well suited to supporting a scalable network with no upper limit on capacity.


Hardware Acceleration Helps Open Branches and Leaves

Hardware acceleration is the key to further improving the efficiency of zero-knowledge proofs and bringing large-scale applications closer to maturity. It raises two questions: first, which operations can be accelerated, and second, which hardware can be used to accelerate them.

On the first question, the main difference between zero-knowledge proof systems lies in the polynomial commitment scheme. Algorithms such as Plonk, adopted by Matter Labs, and Ultra-Plonk, adopted by Scroll, use polynomial commitments based on KZG, so the Prover performs a large number of FFT computations and elliptic-curve multi-scalar multiplications (MSMs) to generate polynomials and commitments, and both are computationally expensive. Specifically, MSMs can potentially be sped up by running on multiple threads, but they are memory-intensive and slow even when highly parallelized, while FFTs rely heavily on frequent shuffling of data while the algorithm is running, which makes them very difficult to speed up by distributing load across computing clusters. Therefore, accelerating these operations currently means high costs.

By contrast, STARK, developed by Starkware, and FOAKS, developed by FOX, mainly involve hash operations in the FRI process. FFTs are also used, but in small amounts. Therefore, these two algorithms can use hardware acceleration to improve the efficiency of operations.

At the hardware level, there are mainly three options: GPU, FPGA, and ASIC, each with different characteristics:

  • GPU: A GPU accelerates the parts of an algorithm that can be computed in parallel, so the effect of GPU acceleration depends on the specific algorithm. For example, the FOAKS algorithm used in FOX does not have a large number of FFT and MSM operations, and its zkEVM design contains many parts that can be computed in parallel, so a GPU can deliver a large efficiency improvement.

  • FPGA: An FPGA is a programmable integrated circuit, so developers can customize and optimize the mining machine for the ZK algorithm.

  • ASIC: An ASIC is an integrated circuit chip tailored for a specific purpose. Because an ASIC is so highly customized, it requires more time and cost. Hardware may gradually move toward ASICs as the industry grows, but this will not happen in one step. Once professional hardware manufacturers such as Bitmain enter this field, ASICs may become a mainstream option.


zkPOW mechanism design is the icing on the cake

Finally, once the hardware and software are complete, mechanism design is the last step that makes the system stable and able to keep improving. The early Prover of each zkRollup project is usually close to a traditional centralized service: it is deployed in the cloud, and the project team keeps this part of the income exclusively. Under the Web3 narrative, however, the Prover's work is bound to develop toward decentralization, and such development has the following advantages:

  • More people will be able to share the computing power generated by the proof, and the shared income will be bound to the interests of the project. This incentive mechanism will have more localized computing power, so as to jointly build and grow the ecosystem with project parties and foundations.

  • A good decentralized mechanism will drive greater power to promote technological progress, allowing more experts from all parties to devote energy to research to continuously improve system efficiency and allow users to obtain a better experience.

  • The decentralized mechanism will better adapt to the dynamic changes in demand.

However, decentralizing the proof process poses quite a few challenges, such as what kind of consensus and cooperation the parties should adopt after decentralization, at which level of the proof process the decentralized tasks should be assigned, and how to maintain communication efficiency and avoid possible attacks.

Nevertheless, some promising solutions already appear in the vision of some projects. For example, the design of FOX includes a zkPOW solution, which can achieve the following goals:

  • Increase computing power by introducing randomness: The calculation that generates zero-knowledge proofs is different from traditional POW calculations. If no randomness is introduced, the party with the highest computing power will always receive the reward for generating proofs, so the other parties withdraw. Once it holds a monopoly, that computing power provider no longer has any motivation to increase its computing power, and the original intention of decentralization is lost.

  • Realize distribution fairness by introducing a computing power income algorithm: A fair distribution scheme makes the expected income of each computing power provider proportional to its computing power in the long run. This means that a zkMiner gains income by investing computing power, and that it is difficult to obtain excess incentive income through illegal means. In the long run, a fair computing power income algorithm can also keep the number of computing power providers in the system stable, which also means a higher ability to resist attacks.

In FOX's zkPOW design, participants who submit proofs within a time window after the first proof is submitted can obtain incentives of different proportions. At the same time, because randomness is introduced, the submitted content of each proof is different, which means that each proof submission must go through a complete proof calculation. Through a carefully designed proportional distribution, the expected income of each participant will be proportional to its computing power. This gives each participant a positive incentive to improve computing efficiency, and ultimately benefits the users of the project, who enjoy a safer, faster and cheaper zkRollup service.
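A small model of the windowed reward split described above, added here as an illustration and not FOX's own algorithm. The page gives no payout formula, so the rule "weight = 1 / submission time", the `WORK` constant and the miner names and powers are assumptions constructed for the example; it also assumes every miner computes its own complete proof, as the randomness requirement implies.

```python
# Added illustration: the payout rule is an assumption, not FOX's published algorithm.
from fractions import Fraction

WORK = 1200  # constructed: computation units in one complete proof


def proving_time(power):
    """Proving is a fixed amount of work, so time is deterministic in power."""
    return Fraction(WORK, power)


def winner_take_all(powers):
    """No randomness, no window: the single fastest prover takes the reward."""
    fastest = min(powers, key=lambda m: proving_time(powers[m]))
    return {m: Fraction(int(m == fastest)) for m in powers}


def windowed_payout(powers, window):
    """Split the reward among proofs arriving within `window` of the first.

    Assumed rule: weight = 1 / submission time. Since time = WORK / power,
    each eligible miner's share equals its fraction of eligible power.
    """
    times = {m: proving_time(p) for m, p in powers.items()}
    first = min(times.values())
    weights = {m: 1 / t for m, t in times.items() if t - first <= window}
    total = sum(weights.values())
    return {m: weights.get(m, Fraction(0)) / total for m in powers}


if __name__ == "__main__":
    miners = {"A": 600, "B": 300, "C": 100}  # constructed computing powers
    for label, shares in [
        ("winner-take-all", winner_take_all(miners)),
        ("window=10", windowed_payout(miners, 10)),
        ("window=5", windowed_payout(miners, 5)),
    ]:
        print(label, {m: str(s) for m, s in shares.items()})
```

With the wider window every miner's share matches its share of total power; with the narrower one, miner C finishes outside the window and earns nothing.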
