Exploring Decentralized Proof Markets
This is the decade of Zero-Knowledge Proofs (ZKPs). The Web3 industry popularized this technology through privacy coins like ZCash and coin mixers such as TornadoCash. With advancements in technology and continuous intensive research, researchers have realized that ZKPs can be used not only for privacy but also to scale blockchains infinitely through L2 rollups known as zkRollups. In theory, Zero-Knowledge Proofs should always be computationally easy to verify. zkRollups use zkVMs to generate proofs for large computations, producing a succinct proof that can be verified on-chain cheaply. This opens the door to new possibilities, enabling public blockchains to offer privacy while running computation-intensive applications without compromising decentralization and security. zkVMs are virtual machines that execute arbitrary op-codes on a given input and produce an output together with a zk-proof as a receipt of correct computation.
Until now, generating proofs for lightweight computations for privacy coins (like ZCash) or coin mixers (such as TornadoCash) was relatively easy and could be done on resource-constrained devices. However, zkVMs have introduced verifiable computing, which allows large computations to be verified quickly without rerunning the entire process. These computations often require significant computational power, specialized hardware, FPGAs, and ASICs — resources that an average user likely does not possess. Consequently, users must rely on third parties to perform these computations and generate proofs on their behalf. Based on how proofs are generated we can categorize proving systems into:
- Client-Side Proving: clients generate proofs of their own computation themselves and interact with the protocol directly.
- Server-Side Proving: the client depends on a third-party server to generate the proof. The server need not be trusted, because the client can cheaply verify the returned proof without redoing the heavy computation.
Server-side proving is entering the market and is set to explode in the coming years. Currently, many blockchain projects are utilizing it:
- Validity rollups such as Scroll, Starknet, and zkSync use it to scale Ethereum by moving computation off-chain.
- Middleware projects like Risc0 provide trustless off-chain computation.
- Layer 1 blockchains like Mina use recursive SNARKs to keep the blockchain succinct and enable private smart contracts.
However, server-side proving introduces new challenges, such as a high risk of centralization, which can lead to low server network liveness, censorship, and a less competitive market. As a result, it is natural for applications to prefer a decentralized network of provers to overcome these issues.
Decentralized Proof Markets
Proof markets are open marketplaces where applications can submit requests for verifiable computing. In these markets, provers compete to handle various tasks. As more applications adopt Zero-Knowledge Proofs (ZK), the demand for proof markets is increasing, surpassing the need to manage proving in-house. Applications will prefer a decentralized proof market that is both performant enough to handle large computations and flexible enough to accommodate different application needs. This necessitates careful consideration of design choices and trade-offs for creating a decentralized proof market.
Incentivization
Provers should have both incentives and disincentives to maintain market integrity and performance. This can be achieved using a stake-based mechanism, where a minimum stake amount is required to prevent Sybil attacks, and portions of the stake can be slashed as a disincentive. In cases where slashing is too severe, a reputation-based system (similar to =nil;) can be used. Provers can be incentivized by proof request bids and disincentivized for delayed, absent, or false proof generation.
Matchmaking
Matchmaking is the process of connecting market supply with demand while maintaining market liveness and competition. It can be done through order books or auctions.
- Orderbooks: Applications must submit bids to purchase proofs, while provers submit asks to sell proofs. A match occurs when an application’s bid price is higher than a prover’s ask price, and the prover’s turnaround time is shorter than the requested time. Order books are particularly suitable for low-latency use cases.
- Auctions: Provers bid on proof requests submitted by applications, competing to win the right to generate the proof. However, if the winning bid fails to produce the proof, a new auction must be conducted, making the process slow.
PoS Issuance Model vs. Auction Model for proof pricing
- Proof-of-Stake (PoS) issuance models offer relatively stable pricing with less competition and greater decentralization.
- Auction models create a more competitive market, resulting in dynamic and potentially lower proving costs, but they also carry a higher risk of centralization.
Polygon's Hermez initially used a PoE (Proof of Efficiency) based solution but is currently working on different design choices. Succinct's prover network works on an auction-based model.
Proof markets can have a mix of both (PoS Issuance & Auction) depending on their need to have a decentralized as well as a competitive market.
Custom Circuits vs zkVMs
Proof markets have two options:
- Provide custom circuits for each application. This is faster and more efficient, but carries more integration and financial overhead because designing circuits is complex.
- Use a single general-purpose zkVM. These are relatively slower but support high-level programming languages like Rust and C/C++, which makes them more developer friendly and easy to integrate.
For example, a proof market can create custom circuits for applications using zkLLVM. In contrast, general-purpose zkVMs like Risc0, SP1, and Jolt support Rust, while Valida supports C/C++ as the high-level programming language for writing verifiable computing programs.
Individual vs Aggregated Proving
On-chain zk applications require costly on-chain verification, making the proving of individual application states very gas-intensive. Instead, individual proofs can be aggregated into a single proof, allowing the gas cost to be distributed among multiple applications.
However, proof aggregation introduces additional latency, as aggregators must wait for multiple proofs to be generated before the aggregation process can occur, causing delays.
Hardware Requirements
Large computations are slow to prove, so using specialized hardware is recommended for cheaper and faster proving. However, if this hardware is not readily available on the market, it can hinder decentralization. Therefore, more ZK hardware infrastructure companies need to step up to ensure that ZK hardware is accessible to everyone. Currently, companies like Cysic, Ulvetanna, and Ingonyama are leading the way in building ZK hardware.
Privacy
Private computations are challenging to execute through proof markets, as proving needs to be outsourced. Currently, Marlin is experimenting with private computation in proof markets by establishing a secure channel between the prover and the application, allowing the application to pass their private inputs securely.
The optimal approach for witness privacy is to perform computations on the client side. However, client-side proving often results in non-succinct proofs, characterized by low prover time and high verifier time, making on-chain verification challenging. To address this, the non-succinct proof can be submitted to a proof market, where it is wrapped in a succinct proof for faster verification. The Succinct team is currently experimenting with similar solutions.
Conclusion
Currently, proof markets are highly centralized, with prover nodes predominantly operated by the teams behind the applications that need them. However, as the Zero-Knowledge (ZK) ecosystem expands and the demand for proving increases, more provers are expected to enter the market. This growth will likely stimulate the ZK hardware industry and introduce greater diversity among operators. As decentralized proof markets develop, we can anticipate a more varied and competitive landscape, driven by advancements in ZK hardware and infrastructure. In addition, recent advances in ZK research have produced new schemes like Circle STARK and Binius, which significantly reduce prover overhead and proving cost. Starknet is currently building a Circle STARK based prover named Stwo. These advancements will help proof markets onboard more and more provers over time.