⚡ Feature: Understanding the most performant zkVM to date
with Justin Thaler, Sam Ragsdale, and Michael Zhu
a16z crypto’s engineering and research teams recently released the most performant zkVM to date: an open source implementation of Jolt. Jolt is up to 2x faster than the current state of the art, and poised to get much faster still with further optimization. But beyond just the improvement in speed, because Jolt is based on a new design paradigm, it is easier for developers to extend, and is also much easier to audit, leading to greater security.
While the ideas behind Jolt, and its theoretical foundation, Lasso, have been around for years, the a16z crypto team of three has been working on this implementation only since the release of the initial academic papers in the fall of 2023. Despite the relatively few developer hours, Jolt is already proving to be a leap forward in SNARK design. While other brilliant teams — notably those behind RISC0 and SP1 — have made great strides, we believe that Jolt has the chance to be a new way of thinking about, implementing, and improving zkVMs. Significant optimizations are already in development, and we invite the community to help us build Jolt.
Why zkVMs matter
If blockchains can be considered a “world computer” — a machine anyone in the world can help operate and secure — then SNARKs allow that world computer to offload almost all the work. SNARKs compress arbitrary computations so that anyone can quickly verify that they were done correctly. The S in SNARKs stands for succinct, which means that the proofs are concise and quick to verify — significantly faster than running the computation itself. For web3, they move expensive computations offchain while the verification happens onchain, speeding up scaling and building applications. They’re cryptographic magic.
zkVMs are SNARKs that let the prover prove that it correctly ran a specified computer program, where the program is written in the low-level assembly language of some simple CPU. The trivial way of proving the computation would be simply to send the data to the verifier, which can then run the computation on the data (“re-execution”); or to send an entire transcript of the computation to the verifier (a record of what happened at each and every step). But SNARKs speed up the verification. Many SNARKs already have very low verification costs — proofs as small as a few hundred bytes, and verified in milliseconds.
The bottleneck
While verification is fast, the cost to the prover has been the key performance bottleneck for SNARKs today. For many SNARKs in use today, proving a computation is many millions of times more resource-intensive than simply running the computation (without generating a proof). So, a computation that costs $1 to run could cost millions of dollars just to generate a valid SNARK proof that said computation ran correctly.
Without more performant SNARKs, each operation done by the world computer will be millions of times more expensive than any other computing environment. In this case, “performant” means faster, which means more throughput — without more hardware — leading to lower cost, which in turn means a more useful computing environment.
Introducing Jolt
For the blockchain world computer to succeed, we need much more efficient proof generation methods. And that’s where Lasso and Jolt come into play. Lasso, a new SNARK paradigm created by Justin Thaler, Srinath Setty, and Riad Wahby, is the foundation for Jolt. The key techniques have been available since at least 2019, but significant misconceptions about SNARK performance have held builders back from realizing their power. Lasso and Jolt unlock this power, and will change how people build scalable SNARKs.
Building Jolt has been a close collaboration between the a16z crypto research and engineering teams — which were founded to promote the deep synthesis of research and engineering, and of theory and practice — and is part of our effort to help further the ecosystem for all builders and users. That’s why the implementation of Jolt is open source — and always will be. The result is the most performant zkVM to date, with major optimizations still to come.
To understand Jolt, read:
Michael Zhu and Sam Ragsdale’s post on the open source implementation
Justin Thaler’s post on the ideas behind Jolt
an FAQ untangling this new SNARK design paradigm
Related resources, watch:
▶️📹 Jolt, zkVMs, and speeding up blockchain by Justin Thaler — a quick (five minute) explanation of what Jolt is and why it's important.
▶️📹 Correcting some SNARK misconceptions by Justin Thaler — a deeper dive into some of the common misconceptions behind Lasso (the theoretical foundation of Jolt) and how this new paradigm works.
📝 Bonus: Field notes from zkSummit 2024
with Joseph Bonneau
The 11th Zero Knowledge Summit (zkSummit) took place in Athens on Wednesday, April 10. The event, hosted by the Zero Knowledge podcast, had roughly 500 attendees and ran four simultaneous tracks over a single day. Below are field notes reporting on some of the talks, which covered the latest in zero knowledge hardware, SNARK performance, and auction network design — including some mentions of Jolt.
ZK hardware
Hardware support for proof generation has long been a goal of the community. The first two talks on the main stage outlined developments in that direction.
Justin Drake, researcher at the Ethereum Foundation, gave an overview of ZK hardware, including a taxonomy of companies in the space. The list included companies using general hardware (like Ulvetanna), companies making custom hardware (including Accseal, Cysic, and Fabric), and companies running decentralized prover networks (like Aleo). He predicted that an “end game” of a zkVM, such as Jolt, augmented by Binius (a hardware-optimized SNARK proving system) and other upcoming optimizations, plus dedicated hardware, could achieve a 1000x overhead over computation and could factor into the final, fully battle-tested version of Ethereum. He also predicted hardware will mostly focus on non-ZK succinct proofs, and most proofs will be Groth16-wrapped onchain. He also mentioned the Ethereum Foundation will be announcing a contest for formal verification of provers and verifiers, with $20 million in prizes.
Jim Posen, cofounder of Ulvetanna, talked about Binius, and the general concept of co-designing proof systems and hardware at the same time. Binius uses binary tower fields and the sumcheck protocol, which Jolt is also based on. An interesting takeaway from early testing of Binius is that performance was significantly better for the hash function Groestl (a SHA-3 runner-up) than Keccak (the official SHA-3 standard), so it might be beneficial to use Groestl in some applications.
Decentralized prover networks
Many in the space envision a future where proof generation for large statements (e.g. correctness of a bundle of transactions in a rollup) is done by a competitive, decentralized marketplace of specialized provers.
Uma Roy, cofounder of Succinct, talked about Succinct's upcoming prover network. She covered a variety of potential mechanism designs for decentralized prover networks, and predicted that designs based on racing (first prover wins) or mining (first prover wins, modulo some randomness) would not lead to good outcomes. She said design goals should be: Minimal cost, maximum latency, and censorship resistance, in that order. She predicted that an issuance/staking model could maybe work but an auction model is most likely to win out and may end up looking like block building does today. Succinct is building a general auction network for proofs that will support multiple zkVMs, such as Jolt/Lasso, not just Succinct’s own SP1, she said.
Wenhao Wang, PhD student at Yale, talked about a new paper on the economics of prover networks that was released the morning of the talk, written in collaboration with Ben Fisch (Espresso Systems) and Ben Livshits (Matter Labs). Wenhao mentioned that a two-sided auction is vulnerable to collusion between provers and bidders, and the authors introduce an alternative mechanism called Proo-phi that involves greedily matching transactions and provers. Proo-phi requires setting a capacity parameter, which appears to be a key open design question.
Daniel Kales, cofounder and chief technology officer of TACEO, talked about multiparty computation (MPC)-enabled proof markets, specifically using MPC to maintain privacy between a small client with a secret witness and a large untrusted prover. He talked about how we can choose combinations of proof systems to mostly do linear operations (like the Fast Fourier Transform algorithm) which are relatively cheap in MPC and minimize cost.
ZK credentials
Three different talks discussed efforts to build zero-knowledge credentials out of existing identity systems. Each relied on a different existing identity system.
Aayush Gupta and Sora Suegami, cofounders of ZK Email, talked about ZK proofs of email address ownership. These rely on proving knowledge of a DKIM signature of an email sent to a specific address, and DKIM is already widely deployed by major email providers (albeit primarily as an anti-spam measure). Many applications are possible with a ZK proof that a user controls an email address, including sending money to an email address but also applications like anonymous whistleblowing.
Alin Tomescu, research scientist at Aptos Labs, talked about Aptos Keyless, which uses OpenID Connect to interact with traditional web2 identities. OpenID Connect is the technology that enables “log in with Facebook, Google, etc.” on third-party websites. Aptos Keyless interacts with existing OpenID providers and proves that a user controls a given address, enabling applications like sending money to a Google or Facebook account.
Michael Elliot and Derya Karli of zkPassport discussed building anonymous credentials from existing ePassports. For example, users might prove that they hold a passport from the United States and are above 25 years of age, without revealing their passport number or exact age.
I am Iron Jolt Man
-- Tim Sullivan, Robert Hackett, Eddy Lazzarin, and a16z crypto editorial
You’re receiving this newsletter because you signed up for it on our websites, at an event, or elsewhere (you can opt out any time using the ‘unsubscribe’ link below). This newsletter is provided for informational purposes only, and should NOT be relied upon as legal, business, investment, or tax advice. Furthermore, the content is not directed at nor intended for use by any investors or prospective investors in any a16z funds. Please see a16z.com/disclosures for additional important details, including link to list of investments.