In our last post, we discussed the emergence of ZK virtual machines (ZKVM) and the potential they hold for revolutionizing the way we build and deploy privacy-preserving software. We highlighted ZKWasm as a solution that makes zero-knowledge programming accessible to a wider audience. Today, we're taking a closer look at the SuperNova ZKP scheme and how it can be used in a ZKWasm implementation to expand the horizons of privacy-preserving technologies.
Recap: What is ZKWasm?
ZKWasm is an innovative technology that allows developers to write zero-knowledge applications in any programming language that compiles to WebAssembly (wasm), a portable virtual machine supported by web browsers, cloud platforms, and blockchains. By leveraging ZKWasm, developers can create privacy-preserving applications without needing to specialize in zero-knowledge proof technology.
The SuperNova Scheme and how it works with ZKWasm
The SuperNova scheme offers a cutting-edge cryptographic proof system that is highly compatible with modern Zero-Knowledge Virtual Machines (ZKVMs). It provides several advantages, such as succinctness, zero-knowledge, an "à la carte" cost profile, and incremental verifiable computation (IVC). By using the SuperNova Zero-Knowledge Proof (ZKP) scheme to implement ZKWasm, performance gains can be realized, because expensive SNARKs do not need to run at each recursion step.
Incremental verifiable computation offers various benefits over traditional proving systems. IVC maintains a low memory footprint, as the prover only requires space that corresponds to each step's essential requirements, as opposed to saving the entire computation history. IVC schemes excel in environments that involve distributed and parallel proof generation, enabling the prover to execute the program, monitor input and output variables and state transitions, and create proofs concurrently on CPUs or GPUs for every computation step. Additionally, these individual proofs can be consolidated into one comprehensive proof that the verifier can inspect.
SuperNova is a generalization of an earlier scheme, Nova. The main difference is that SuperNova no longer requires a universal circuit for execution. More technically put, SuperNova adds a selector function ϕ which generalizes Nova to multiple instructions. This allows ZKWasm to choose the instruction to be executed at each step rather than running the full universal circuit.
A few projects are already using Nova as part of their ZKP layer, notably Lurk (a zero-knowledge, Turing-complete programming language) and Nova Scotia (Circom to Nova middleware). ICME Labs would be happy to collaborate with any teams working on a SuperNova implementation extending the original Nova library. Contact us on Twitter! We expect that Srinath Setty and the original Nova team may already be working on this. 🔥
The Current State of ZKWasm Implementations
Most existing ZKWasm implementations are based on the Halo2 scheme, which was created by ElectricCoinCo for Zcash. While Halo2 is efficient for specialized machines or outsourced provers, it may not be ideal for client-side applications. This presents a challenge in making ZKWasm more efficient and accessible for privacy-preserving applications on end-user devices.
ICME Labs intends for users to run zero-knowledge proofs in their browsers with ZKWasm, so we need a highly performant system that works for many default use cases. Moreover, client-side proving is often a requirement for true 'zero-knowledge' applications. Any data sent to a cloud may ruin the chances of success for truly privacy-preserving web applications.
ICME Labs: Pioneering the implementation of the SuperNova ZKP Scheme in ZKWasm
To address the performance challenges associated with current ZKWasm implementations, ICME Labs is exploring alternative ZKP schemes, such as the folding ZKP scheme SuperNova, that offer better performance. Nova requires an additively homomorphic commitment scheme, and the options and configurations available here leave room for optimization. Additionally, we are investigating recursive ZKP schemes and CPU-friendly fields, like those used in Plonky2 with FRI. Our goal is to make ZKWasm efficient enough for client-side applications.
By default, Nova uses 'relaxed R1CS', which is an arithmetization with a few terms added to regular R1CS. Nico, a researcher at geometry.xyz, has written about his relaxed PLONK arithmetization called "Sangria". This scheme allows for a plonkish Nova implementation with 'lookup arguments' and custom gates of degree 2. We are very keen to see this work extended for SuperNova and the PLONK workflow. As of writing, there is no existing implementation of Sangria that we are aware of.
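To make 'relaxed R1CS' and the per-instruction selector concrete, here is a toy folding sketch added for illustration; it is not code from the Nova library or from ICME Labs. It assumes a small prime modulus, two constructed instructions ("add" and "mul"), witnesses kept in the clear with no commitments, and a seeded random challenge standing in for Fiat-Shamir, so it shows only the algebra and gives no soundness or zero-knowledge.

```python
import random

P = 2**61 - 1  # toy prime modulus (assumption; real Nova works over elliptic-curve scalar fields)

# One tiny R1CS (A, B, C) per instruction over z = [u, x, y, out]; constructed for this example.
CIRCUITS = {
    "mul": ([[0, 1, 0, 0]], [[0, 0, 1, 0]], [[0, 0, 0, 1]]),  # x * y = out
    "add": ([[0, 1, 1, 0]], [[1, 0, 0, 0]], [[0, 0, 0, 1]]),  # (x + y) * 1 = out
}
OPS = {"mul": lambda x, y: x * y % P, "add": lambda x, y: (x + y) % P}

def matvec(M, z):
    return [sum(a * b for a, b in zip(row, z)) % P for row in M]

def is_satisfied(r1cs, inst):
    """Relaxed R1CS: (A z) * (B z) == u * (C z) + E, entrywise mod P."""
    z, u, E = inst
    Az, Bz, Cz = (matvec(M, z) for M in r1cs)
    return all((a * b - u * c - e) % P == 0 for a, b, c, e in zip(Az, Bz, Cz, E))

def fold(r1cs, inst1, inst2, r):
    """Fold two relaxed instances of the same circuit into one with challenge r."""
    (z1, u1, E1), (z2, u2, E2) = inst1, inst2
    Az1, Bz1, Cz1 = (matvec(M, z1) for M in r1cs)
    Az2, Bz2, Cz2 = (matvec(M, z2) for M in r1cs)
    # Cross term T: the mixed products created by multiplying two linear combinations.
    T = [(a1 * b2 + a2 * b1 - u1 * c2 - u2 * c1) % P
         for a1, b1, c1, a2, b2, c2 in zip(Az1, Bz1, Cz1, Az2, Bz2, Cz2)]
    z = [(a + r * b) % P for a, b in zip(z1, z2)]
    E = [(e1 + r * t + r * r * e2) % P for e1, t, e2 in zip(E1, T, E2)]
    return z, (u1 + r * u2) % P, E

def run(program, acc, seed=0):
    """Execute (opcode, operand) steps; the opcode plays the role of the selector."""
    rng = random.Random(seed)  # stand-in for a Fiat-Shamir challenge (assumption)
    # One running instance per instruction, starting from the trivially satisfying zero instance.
    running = {op: ([0, 0, 0, 0], 0, [0]) for op in CIRCUITS}
    for op, operand in program:
        out = OPS[op](acc, operand)
        fresh = ([1, acc, operand, out], 1, [0])  # u = 1, E = 0 is plain R1CS
        running[op] = fold(CIRCUITS[op], running[op], fresh, rng.randrange(1, P))
        acc = out
    return acc, running

if __name__ == "__main__":
    result, running = run([("add", 3), ("mul", 4), ("add", 5), ("mul", 2)], acc=2)
    print(result, {op: is_satisfied(CIRCUITS[op], inst) for op, inst in running.items()})
```

Each step touches only the circuit of the instruction it executes, and a single incorrect step leaves a nonzero residual in the folded instance, so the final check fails.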
By using the SuperNova ZKP scheme in our ZKWasm implementation, larger zero-knowledge applications can run seamlessly in users' browsers without any specialized hardware requirements. With ZKWasm, many existing programs can be compiled directly from their original programming language into web-serving zero-knowledge applications, blockchains can use the succinctness properties of SNARKs with less overhead, and business users can utilize the advanced cryptography of zero-knowledge proofs without the need to train specialized developer teams.
The Future of ZKWasm and Privacy-Preserving Technologies
With the utilization of the SuperNova scheme, ZKWasm has the potential to unlock new use cases for privacy-preserving technologies in various domains, such as gaming, DeFi, healthcare, supply chain, custom layer-two rollups, reputation protocols, and identity solutions. By making ZKP applications accessible to a wider audience, ZKWasm can revolutionize how we build and deploy decentralized applications.
ZKWasm is an exciting development in the realm of privacy-preserving technologies, and the integration of the folding SuperNova ZKP scheme holds the key to overcoming performance challenges associated with current implementations. As ICME Labs continues to work on making ZKWasm more efficient and accessible, we can look forward to a future where ZK-powered applications run seamlessly in every browser, empowering users with unprecedented privacy and control.
Contact us on Twitter if you are interested in collaborating or just want to speak more.