Host: Faust, Geek web3
Guests: Vincent, DevRel of Scroll; Leo, Co-founder of Cysic; Siyuan, TechLead of ABCDE Capital; Kiwi, Researcher of OKXVentures; Marco, DevRel of Aleo; Lynndell, Cryptography Expert of Bitlayer
The detailed questions covered in this Space include:
Both Cysic and Lumoz have made ZK acceleration their core vision, and Cysic has also proposed the slogan of real-time generation of ZK proofs. How will these technologies affect Ethereum's Danksharding roadmap?
There have been rumors about changes to the mining algorithm of Aleo. Aleo was originally a privacy public chain, and the mining algorithm was directly related to ZK. Some people have said that Aleo seems to have switched back to a hash algorithm similar to mainstream PoW public chains (the guests clarified this matter).
What is the future vision of ZK mining, and how will the ZK-DePIN track continue?
How do you view the commercialization and marketization of ZK-DePIN, and what are the unresolved pain points?
The mining revenue model of ZK mining
How do the teachers propose to solve the problem of significant differences in proof generation efficiency among different miners?
Text: 1. Faust: Can you please explain the impact of ZK hardware acceleration on Ethereum's Danksharding roadmap?
Background: The Danksharding roadmap proposes the concepts of Verkle Tree and stateless clients, where ordinary Ethereum nodes/clients do not need to store the complete state tree locally. The block will directly provide the state data associated with each transaction and use ZK proofs to prove that this data comes from Ethereum's state tree (Verkle Tree). Verkle Tree has made significant improvements to Ethereum's current Merkle Tree storage structure to facilitate the generation of ZK proofs for data segments from Verkle Tree.
Leo: In simple terms, real-time generation of ZK proofs can greatly improve the efficiency of light clients and Verkle Tree. Compared to Merkle Tree, Verkle Tree generates more branches/paths. If you use Merkle Proof to prove that a data segment comes from a branch of Verkle Tree, you need to open many other branches.
If you use ZK instead of Merkle Proof, you can greatly improve efficiency and compress a lot of data into a small size. However, if you only use a general CPU or GPU to generate ZKP, it is actually very complex.
I previously worked on a project at Algorand called Algorand state proof, which required opening many branches of the Merkle Tree through Merkle Proof, but this approach was very inefficient. Therefore, you need to use ZK's Real Time Generation, or use this kind of Specialized Prover to significantly improve the efficiency of generating zk proofs.
Vincent: At the Web3 Hong Kong conference in April, Vitalik mentioned the importance of ZK proofs for maximizing protocol efficiency. His previous statements and technical explorations also reflect his emphasis on ZK. Previously, it took about two to three hours for Scroll to generate a full compatible zkevm Proof, but with the existing hardware acceleration solution, it has been reduced to 10 minutes. However, this is still not fast enough for our desired generation speed.
In an ideal environment, the adoption of ZK will be very high and will permeate all aspects. However, the past generation speed of ZK is not enough to support a high adoption rate. If real-time generation of ZK proofs becomes a reality, we will not have to compromise on security, trustlessness, and verifiability, and can directly use ZK to solve many previously unsolvable problems. After this, project innovations, including application innovations, will definitely be more lightweight. In the ZK hardware acceleration community, everyone is full of confidence and hopes to make breakthroughs in this direction together.
Siyuan: I believe that Layer2, especially the use of ZK in the second layer, is most crucial for achieving fast finality of transactions. Only by quickly turning the transaction traces of Layer2 into ZK Proofs and sending them to L1 for verification can the final state of L2 be determined. For cost considerations, some companies may not generate proofs for every L2 block or only generate proofs for a few blocks. In addition, according to Vitalik's vision, after switching to Verkle tree at the first layer, he hopes that each block will generate an immediate ZKP. Without ZK hardware acceleration, it will be difficult to achieve this vision, so we are very optimistic about Cysic.
2. Faust: There have been rumors about changes to the mining algorithm of Aleo, as Aleo was originally a privacy public chain, and the mining algorithm was related to ZK. Now it seems to have switched back to a hash algorithm similar to mainstream PoW public chains. I would like to ask the guests for their views on these rumors.
Marco: The situation is as follows: recently, in Aleo's Testnet Beta, its POW algorithm indeed used a hash algorithm, and then added it to a Merkle Tree to calculate the final size. However, this version is only a temporary version and is not the final version. The final version will be released by the Aleo official in July, and we hope everyone can be patient.
In addition, the CEO of Aleo Foundation, Alex, once mentioned at a meeting that his ideal PoW algorithm has two main requirements: one is to promote the practical application development of ZK algorithms to solve more practical problems, and the other is to ensure the fairness of mining. Therefore, they will make adjustments according to this train of thought, and we hope everyone will stay tuned.
Leo: I would like to add to this topic. Before Aleo mining, the Coinbase puzzle was done using MSM to make polynomial commitments, and it was just changed from MSM to using a Merkel tree to make polynomial commitments. From the perspective of ZK, there is not much difference, it's just that one component inside has changed from the previous MSM-based to a Hash-based, and this Hash-based has various hash functions, it is actually a mix of hash functions.
Vincent: Personally, I would also like to ask Marco, from Aleo's perspective, what insights do you have on the entire ZK hardware acceleration ecosystem? Now, including ASIC chips like Cysic, or Ingonyama's FPGA-based ZK acceleration solution, do these products have any impact on Aleo's development or future plans?
Marco: I personally feel that they do, after all, the core problem plaguing the entire ZK field now is that ZK Proof generation is too slow. Not long ago, Vitalik mentioned that it takes 20 minutes to generate a proof for an Ethereum block using the SNARK proof system, but Ethereum generates a block every 12 seconds, so there is a very large gap. I hope there will be more good ZK acceleration solutions to solve the above problem.
3. Faust: Next, I would like to discuss the topic of ZK mining or ZKDePIN. First, I would like to ask Leo about the vision for ZK mining and how the ZK-DePIN track will continue?
Leo: Actually, we provide ZK proof generation services to some ZK projects, and Cysic itself is a startup company. We don't have enough money to buy or rent servers, so we want to unite the community to integrate resources. Currently, we have hundreds of servers, all of which are running at full capacity. This is very different from traditional AI-Depin projects, where many machines are just idling. People are only pursuing a high uptime and airdrops, but with Cysic Network, your machine will truly empower practical applications and won't be idle. The resource utilization is higher, and the rewards you receive are not just Cysic Tokens, but also incentives from major ZK projects.
This also benefits the decentralization of ZK Provers, as having multiple Provers generating a proof can reduce reliance on a single Prover. We not only rely on the equipment of large miners but also mobilize community members to bring their idle hardware into the ecosystem to provide services.
Siyuan: Cysic actually has two types of customers. One is professional ToB clients, and the other is quite interesting. Cysic has launched a small ZK acceleration card that allows you to quickly generate ZKPs on your home computer, making it convenient for developers and even ordinary users.
Leo: Siyuan just mentioned that we will mass-produce our own ZK hardware next year. This hardware comes in two forms. **The first is ZK air, which is similar to what Siyuan mentioned earlier, it's about the size of an Apple laptop charger and can be connected to your computer via Type-C to help you run ZK generation locally. It should be very fast, about 8-10 times more powerful than a 4090 card, making it suitable for developers to do many things.
Vincent: Regarding ZK-Depin, the traditional Depin's imagination is often limited to mining on mobile phones, smartwatches, and similar devices, but ZK hardware acceleration is completely different. We at Scroll will soon have a decentralized Prover Market, which has been announced in our roadmap. Our future Prover section will follow a Permissionless market model, and there will be some complex revenue models involved, but the details are still being perfected. Our direction is clear, to evolve towards fast ZK generation and to avoid the Matthew effect.
Marco: Regarding the small ToC device from Cysic, I can add two points. Aleo transfers have a demand for local ZKP generation on the client side. If you generate ZKPs locally in your browser, it can be very slow, taking several minutes or even longer. But because Aleo focuses on private transactions, there is a strong demand for ZKP generation, making Cysic's ToC small device very meaningful.
4. Faust: What are the pain points that have not been resolved in the commercialization or marketization of ZK hardware acceleration?
Leo: We can think of ZK acceleration as a form of Proof of Work, where you hope to generate ZKPs as quickly as possible in exchange for rewards. This is actually not fundamentally different from the ASICs of traditional PoW public chain hash algorithms. But there are many variations in ZK-related algorithms. Unlike hash functions, which are relatively fixed, in the ZK ecosystem, different project teams use different ZK proof systems, some are based on KZG commitments, some are based on FRI, and they are basically all different.
As a hardware manufacturer, Cysic actually hopes that everyone can move towards a unified approach, converge on a specific ZK proof system, and continuously optimize and achieve extreme acceleration for this proof system, rather than being as diversified as it is now, as this is very detrimental to ZK acceleration.
Marco: Personally, I think there are both challenges and opportunities in algorithm improvement and performance optimization. Last year, in the ZPrize competition, the best GPU implementation of MSM, according to the ZPrize 2023 MSM GPU best practice, StorSwift and yrrid, still takes over 360 milliseconds for calculations with a data volume of 2^20. If it could be reduced by another order of magnitude, ZK would be more easily promoted. The lack of uniformity in proof systems, as mentioned by the previous guest, is indeed a concern in hardware acceleration. Considering the input-output ratio, each project is hesitant to make significant investments.
Leo: We are actually the architect of this year's MSM acceleration track in ZPrice, and this year has seen an improvement of about 20%-30% compared to last year. However, MSM still needs to interact with other modules for ZK proof generation, and the efficiency of PCIE will become a bottleneck for data transfer. Last year, we built a powerful FPGA machine that can complete calculations of around 2^26 MSM in about 10 milliseconds. This is already the maximum speed achievable, but it still cannot achieve real-time ZK proof generation, and many calculation steps still take several minutes. In our view, "real-time generation" means controlling the proof generation time of any ZK circuit to about 1-5 seconds, which requires better methods to achieve.
5. Faust: What are your thoughts on the ZK Prover Market or the mining revenue model for ZK mining?
Leo: Miners' main income comes from the tokens of the project teams, such as Scroll, Zksync, and Starknet. The miners' income largely depends on the token price of the project teams. In the long run, it will be a very large market, especially after the Bitcoin halving. I think ZK should gradually expand in the hardware or for ZK mining.
Vincent: We at Scroll have done some research on the Prover Market. The size of the Prover Market will depend on the number of ZK projects and their demand. As more and more projects adopt zero-knowledge proof technology, the demand for Provers will also increase. This demand is complementary, meaning that the popularization and application of zero-knowledge proof technology will drive the growth of the Prover Market.
In terms of generality, there is a demand for ZK hardware acceleration in various applications and algorithms, such as the well-known Snark algorithm. However, whether a large-scale unification of ZK systems can be achieved depends on whether a universal application scenario covering all ZK projects can be developed. This requires evaluating and optimizing the allocation of computing power to avoid resource shortages for small projects and prevent excessive concentration of resources in projects that already have strong computing power.
Marco: From Aleo's perspective, we are also considering a Prover Market solution. If I want to make a private transfer, I do need someone to help me calculate the ZKP because it's too slow to calculate locally, taking a long time. I am willing to pay someone to calculate the ZKP for me. There are some products being proposed, but the key issue is security, because if you ask someone to calculate the ZKP for you, you have to provide them with data, which can lead to privacy leaks. Some proposals are considering how to solve these issues.
6. Faust: Finally, CKB/Nervos co-founder Jan asked a question, that both Lumoz and Polygon have mentioned the concept of the Prover Market, but there is a Matthew effect here, where miners with stronger hardware will always generate ZK proofs before others, and the vast majority of mining revenue will ultimately be controlled by one or two large miners. How do you think this problem of significant differences in proof generation efficiency among different miners can be solved?
Leo: I think this is an age-old topic, about how to balance efficiency and fairness. This can actually be approached differently at different stages. Perhaps in the early stages, we focus more on efficiency. We hope to provide customers with better and faster services to attract more customers, so that the snowball effect will grow. When the snowball is growing, we can start to focus on fairness. Cysic's own hardware has already started shipping, and at the beginning of shipping, it is possible to purchase some cost-effective hardware to achieve similar efficiency to others.
From the protocol design perspective, you can also make some corresponding adjustments. Because at that time, everyone's hardware speed has improved significantly. When there is a good improvement, for example, let's assume that a is the fastest, b is the second fastest, and c is the third fastest. Note that here, a could represent a group, b could be a group, and c could be a group. You can make adjustments through scheduling so that groups with slightly slower speeds can still participate and still receive some benefits.
Of course, fairness cannot be forced. For example, if their investment is not as high as that of the large miner's prover, they should not actually receive such a large profit from a fairness perspective. This is a design philosophy that we will use later.
Marco: This is a difficult question to answer. From the perspective of PoW, we would hope to lower the threshold, just like during Aleo's testnet3, where a proof can be calculated by both a 4090 and a mobile device, and the rewards are calculated based on the capability ratio. If it is to serve actual business needs, we still hope to do it quickly and well. Whoever calculates it first wins the incentive. Large miners with hardware have benefits for the ZK demand side, but it is really difficult to solve the fairness issue.
Lynndell: I think it's best to let this issue take its natural course. Even with Bitcoin, it's the same - whoever has the most computing power or the most mining pool power gets a lot of the mined coins. Other ordinary users have no chance and can only provide computing power to join the mining pool. So, it's the same with ZK, it's almost identical to PoW, relying on computing power, so it's best to let it take its natural course.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
