Every business has a website and bank account. How will web3 change and add to this status quo?
I predict that at some point in the not-so-far future, every business will be connected to a chain via a mixture of wallet and validium technologies.
Business will use web3 wallets.…
1/ Seeing a lot of excitement on FHE recently. Here's my take in a thread: for trust-minimized applications, FHE is a game changer that enables application-level privacy. However, for it to truly shine, FHE needs to be used *alongside* other tools such as MPC and ZKP. 👇
Want to know why ZK is not the (full) end-game solution to privacy on public blockchains and how threshold (F)HE can help? Don't know what ZK/FHE means but want to know more about privacy on public blockchains? Read my post to find out!
1/ Will we see thousands or even millions of L2s? Only if L2s can horizontally scale without compromising trust-minimization.
In this short post, I argue in favor of trust-minimized systems that can horizontally scale.
Summary below 👇
1/ Thrilled to announce that I have joined
@1kxnetwork
as a Research Partner, where I will continue my work on research, development, and investment around zero-knowledge, cryptography, and crypto infrastructure more broadly.
One problem with 4337 / contract wallets: unlike EOAs, AA wallets do not specify any public encryption key. This means it's harder to build private communication between AA wallets.
Solution: we need an EIP that standardizes how 4337 wallets specify their public encryption keys.
1/ Our zkSummit talk on zkVMs is up!
We will be putting out a post version of this work soon, which will include more data from systems we didn't get to dive into for the talk.
A quick summary and excerpt of our talk in a thread! 👇
A point not appreciated by some that are bullish on parallel execution: you can't ramp up execution without solving the state bloat problem first. Execution limits on many existing systems (like OP Stack) are there to limit state bloat. The actual execution is not the bottleneck.
1/ Will more computation be done verifiably (in zk)? It can if ZKPs are cheap enough! But just how cheap can zk compute be?
My recent talk "The Cost of Verifiability" at discusses this exact topic.
Summary thread below 👇
Hot take: Stylus by
@arbitrum
(EVM+WASM) and roll-ups w/ shared sequencers (
@EspressoSys
) are actually converging on the same design. 🧵👇
1/ The most powerful thing about EVM is the shared execution model, i.e. opcodes like CALLDATACOPY, DELEGATECALL, REVERT and gas accounting.
1/ Something that I'm excited about but have yet to see a team full-speed building on: web2 login account-abstraction wallets via zkSNARKs.
There are projects building this with MPC / TEEs, but I've yet to see one going full speed on this with ZK.
Finding the right problem to solve is more important than finding the solution.
This is one lesson I've learned the hard way more times than I'd like to admit.
1/ Exactly two years ago, I put out an article on privacy in web3. The space has made a lot of progress since, and in a way that my article had predicted. Here's a quick recap 👇
1/ An under-appreciated fact for zk (circuit) programming is that if you want a general-purpose framework where developers can write fast circuit components, the language / library needs to support witness generation code that does not generate any constraints.
1/ For crypto to reach its next stage of growth, it must be used less for speculation and become more like money. We believe privacy is a necessary condition for this to occur.
@nocturne_xyz
we’re excited to introduce a new primitive to the Ethereum ecosystem—private accounts 🧵
1/ While it's sad to see this go, I hope that some of the open source work developed at
@nocturne_xyz
can be useful to others building onchain privacy or account abstraction.
Three such examples of open-sourced hidden gems in the Nocturne protocol 👇
Bittersweet news. Today we're shutting down Nocturne v1 and redirecting our efforts toward a new product in the application space. We wanted to share our rationale, shed light on the new work, and give details for exiting the current protocol.
4/ The minimum bytes per tx we observed was ~10 bytes during the inscription craze.
@zksync
was packing 5000-7000 transactions into a single L1 tx.
Look at the query - anything above 5000 transactions in a L1 tx is seeing INSANELY amortized bytes per tx.
1/ Unpopular opinion: validiums w/ centralized sequencers and DA is a valid point in the blockchain scaling design space.
Pros:
- Self-custodial
- No selective censorship (L1 inbox)
- Privacy from public observer
- Speed
Cons:
- Centralized MEV
- Possibility of liveness failure
My ZKSummit7 talk is up!
My talk argues why we need programmable threshold fully-homomorphic encryption (FHE), alongside ZK, for blockchains. It outlines a smart-contract architecture to program privacy apps expressively.
Stay tuned for the paper!
I'm trying to understand the killer use cases & apps in Web3 that require privacy, especially in evm-based ecosystems. Privacy-conscious users--what do you think twice about doing because it gives no privacy guarantees? NFTs? DeFi? Games? Please RT, reply or DM! 🙏
It's great to see what has been accomplished in a year! Congrats to the Nocturne team and those that have helped along the way!
There's still a lot more to be done for privacy on Ethereum. Onward.
1/ We're excited to announce our $6M seed round co-led by
@BainCapCrypto
&
@polychain
with participation from
@VitalikButerin
and other members of the Ethereum community.
This round will fund the deployment and continued development of private accounts on Ethereum.
Circom/Groth16 is getting pushed to the extreme here--very impressive. But the numbers demonstrate that we are in dire need of better zk infra with (1) no per-circuit setup (i.e. plonk/stark), (2) better recursion threshold / custom gates, and (3) a wasm prover and evm verifier.
These circuits are among the largest and most complex that our community members have ever built so far. You can see a full set of benchmarks below—a single Tate pairing circuit requires nearly 25 million constraints to properly constrain! (13/n)
The blob "flippening": Ethereum has now published more blobs than Celestia, despite being live for only 10% of the time.
Ethereum (15 days post Dencun): 125.3K blobs (left img)
Celestia (149 days post mainnet): 123.6K blobs (right img)
Is this the beginning or the end of the blobs…
2022 was an exciting year, I look forward to continuing my work on research, development & product in blockchains/Web3! I'm making a thread of all the talks I gave in 2022 around privacy, blockchain, and ZK. 🧵👇🏽
I will be giving a talk on analyzing the designs of zkVMs at zkSummit10 today at 2pm London local time (together w/
@0xtaetaehoho
). Tune in live in-person or remotely!
Good morning Denver! Very exciting week ahead!
I will be giving two talks and moderating two panels this week. If you see me in person, don't hesitate to come say hi!
1. Talks on horizontal scalability will discuss and elaborate on my recent post on the topic:…
This is a classical case of the blockchain industry reinventing terminologies, IMO.
Traditionally, VM only refers to the base EE, e.g. JVM, BPF, etc. However, blockchain VMs (like EVM, SVM, CosmWasm, etc.) refer to the entire thing: base EE + peripherals (like state, fees).…
Time for another lengthy nerdy tweet!
One thing I've had to explain to pretty much every VC is the relation between CWD (my project) and Wasm. Some people refer to CWD as a "Wasm VM"- that's a misnomer!
CWD is an execution environment ("EE"). An EE can support smart contracts…
Very thrilled to announce the first d/infra summit--a one-day event uniting researchers and builders of trust-minimized and decentralized technologies. The summit covers a diverse range of topics including ZK, FHE, MPC, consensus, distributed systems and AA.
It's finally here. Join us Feb 27 in Denver for the first d/infra Summit, hosted by
@1kxnetwork
Our one-day summit is a gathering of builders & researchers dedicated to the adoption of decentralized, resilient, and trust-minimized digital infra.
This is the way.
Horizontal scaling L2s without global bottlenecks like DA or shared sequencers is the end game.
(DA and shared sequencers are still important, just that not every L2 will be sharing the same ones.)
1k TPS is a drop in the ocean of the world's demand for Web3.
The Internet can't run on a single server.
The Internet of Value can't run on a single monolithic blockchain, no matter how fast it is or how willing it is to sacrifice decentralization.
The endgame is ZK singularity:
⧫…
zkML is cool but have you seen "zk Big Data"?
Applications of verifiable compute have been limited by access to verifiable, useful data sets--especially the vast amount of on-chain data.
Excited to be supporting the Lagrange team in bringing zk distributed compute to life.
5/ Our solution is ZK Big Data: A novel proof system built for generating large batched storage proofs, concurrently with dynamic zero-knowledge distributed computation.
Our ZK Big Data stack supports any distributed computing model, ranging from MapReduce to distributed SQL.
We are looking for a crypto infrastructure analyst to join our team!
If you are driven by innovation and eager to shape the future of crypto infrastructure, we would love to hear from you!
At
@1kxnetwork
, we're deeply engaged in supporting teams building at the forefront of crypto infrastructure.
We're seeking a Research Analyst to expand our team and support our initiatives in this space.
1/ This is a little-noted distinction in the rollup world. Theoretically speaking, as the batch size grows, state-diff rollups should see higher economies of scale compared to transaction-data rollups.
2/
2. State-diff rollups (SDR) - (
@zksync
). These rollups only post aggregated state differences across batches.
Calldata compression is advantageous for both rollups (TDRs and SDRs) - but SDRs also benefit from large batches that write to a small # of state variables
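As an added illustration (not code from the original thread), here is a small Python model of the economy-of-scale point above: a transaction-data rollup posts bytes proportional to the number of transactions in a batch, while a state-diff rollup posts bytes proportional to the number of distinct storage slots written, however many transactions wrote them. The byte sizes (112-byte compressed tx, 32-byte key and value, 200-byte per-batch overhead) and the "hot slots" workload are assumptions for the model, not figures from the thread.

```python
"""Toy posted-bytes model: transaction-data rollup (TDR) vs state-diff rollup (SDR).

Added example, not from the original thread. All byte sizes are assumptions.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class BatchModel:
    tx_bytes: int = 112         # assumed compressed size of one L2 transaction
    key_bytes: int = 32         # storage slot key
    value_bytes: int = 32       # storage slot value
    overhead_bytes: int = 200   # assumed fixed per-batch overhead (headers, proof, etc.)


def tdr_bytes(model: BatchModel, n_tx: int) -> int:
    """A TDR posts every transaction, so bytes grow linearly with the batch."""
    return model.overhead_bytes + n_tx * model.tx_bytes


def sdr_bytes(model: BatchModel, touched_slots: set) -> int:
    """An SDR posts one (key, value) pair per slot written, no matter how
    many transactions in the batch wrote that slot."""
    return model.overhead_bytes + len(touched_slots) * (model.key_bytes + model.value_bytes)


def simulate(model: BatchModel, n_tx: int, hot_slots: int,
             writes_per_tx: int = 2, seed: int = 0) -> dict:
    """Constructed workload: each tx writes `writes_per_tx` slots drawn uniformly
    from a pool of `hot_slots` slots (think a handful of popular AMM pools)."""
    rng = random.Random(seed)
    touched = set()
    for _ in range(n_tx):
        for _ in range(writes_per_tx):
            touched.add(rng.randrange(hot_slots))
    return {
        "n_tx": n_tx,
        "touched_slots": len(touched),
        "tdr_per_tx": tdr_bytes(model, n_tx) / n_tx,
        "sdr_per_tx": sdr_bytes(model, touched) / n_tx,
    }


if __name__ == "__main__":
    m = BatchModel()
    for n in (100, 1_000, 10_000, 100_000):
        r = simulate(m, n, hot_slots=1_000)
        print(f"{n:>7} tx  TDR {r['tdr_per_tx']:7.2f} B/tx   SDR {r['sdr_per_tx']:7.2f} B/tx")
```

The TDR figure barely moves with batch size (only the fixed overhead amortizes), while the SDR figure keeps falling once the batch has touched most of the hot slots: additional transactions that rewrite an already-touched slot add nothing to the posted data. Calldata compression would shrink both curves, but only the SDR curve has this second source of amortization.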
Announcing the event program! Who's ready for the most technical infra conference at EthDenver? 👉
The agenda is split into two concurrent tracks:
- Presentations
- Workshops
💠Presentation schedule 💠
Lagrange is enabling onchain SQL:
```sql
SELECT DISTINCT nft_ID
FROM DB.pudgies
WHERE owner = x
  AND block_number > y
  AND block_number < z
LIMIT 5 OFFSET offset;
```
What are some use cases and applications unlocked by SQL queries over historical state? The possibilities here seem…
Thrilled to be supporting the incredible team at Modulus!
It is rare to find a team that aims for the stars yet adamant about keeping their feet on the ground.
@realDanielShorr
,
@nayr_oac
, and the team they have assembled at Modulus personify this perfectly.
Go Modulus!
Ecstatic to announce our $6.3M Seed round today, co-led by
@1kxnetwork
&
@variantfund
🎉
With participation from prominent funds & angels, we're building Modulus: the 𝗔𝗰𝗰𝗼𝘂𝗻𝘁𝗮𝗯𝗹𝗲 𝗠𝗮𝗴𝗶𝗰 company🪄
How does specialized ZK bring AI on-chain?
Single-sequencer roll-ups on Eth:
- Centralized ordering / MEV
- Centralized liveness (in a short timeframe)
- Decentralized validity guarantee (L1)
- Decentralized data availability
- Decentralized governance
The world is not black or white. Roll-ups are not either.
Rollups can be decentralized with 1 default sequencer/prover
L1s like Solana can be decentralized with relatively beefy full nodes
Stop blindly saying either is always centralized, thank you
Rollups (meaning those that use Eth as DA) generate ~60 TPS today [1]. At ~200B per tx (which is conservative, see [2]), they do ~12kB per second and 144kB per Eth block. With an initial target of 3 blobs (3*125kB = 475 kB) in 4844, rollups will only occupy ~30% of the DA…
Polymarket is predicting that blobs (~125 kB) will cost ~0.001 ETH.
Today, 125 kB calldata costs ~30 gwei per gas * 16 gas per byte * 125000 gas ~= 0.06 ETH
And if you think polymarket's guess that blobs will be 60x cheaper is over-optimistic, you can use the market to hedge!
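To make the comparison in the post above reproducible, here is an added Python example (not from the original post) that prices the same 125 kB payload both ways. It uses the EIP-2028 calldata schedule (16 gas per non-zero byte, 4 per zero byte; the post's "16 gas per byte" is the all-non-zero ceiling) and the usual 4096 x 31 usable bytes per EIP-4844 blob; the gas price and the ETH-per-blob price are inputs you supply, so the Polymarket figure is just one value to plug in.

```python
"""Calldata vs. EIP-4844 blob cost for posting rollup data.

Added example, not from the original post. Constants are from EIP-2028 and
EIP-4844; the price inputs are parameters you supply.
"""
from math import ceil

ZERO_BYTE_GAS = 4               # EIP-2028: calldata zero byte
NONZERO_BYTE_GAS = 16           # EIP-2028: calldata non-zero byte
FIELD_ELEMENTS_PER_BLOB = 4096
USABLE_BYTES_PER_ELEMENT = 31   # usual packing: keep each 32-byte element below the BLS12-381 scalar modulus
BLOB_PAYLOAD_BYTES = FIELD_ELEMENTS_PER_BLOB * USABLE_BYTES_PER_ELEMENT  # 126,976 (~125 kB)


def calldata_gas(data: bytes) -> int:
    """Intrinsic calldata gas for `data`, counting zero and non-zero bytes separately."""
    zeros = data.count(0)
    return zeros * ZERO_BYTE_GAS + (len(data) - zeros) * NONZERO_BYTE_GAS


def calldata_cost_eth(data: bytes, gas_price_gwei: float) -> float:
    return calldata_gas(data) * gas_price_gwei * 1e-9


def blobs_needed(n_bytes: int) -> int:
    """Blobs are bought whole, so a payload one byte over the limit costs a second blob."""
    return ceil(n_bytes / BLOB_PAYLOAD_BYTES)


def blob_cost_eth(n_bytes: int, price_per_blob_eth: float) -> float:
    return blobs_needed(n_bytes) * price_per_blob_eth


def calldata_over_blob(data: bytes, gas_price_gwei: float, price_per_blob_eth: float) -> float:
    """How many times more expensive calldata is than blobs for this payload."""
    return calldata_cost_eth(data, gas_price_gwei) / blob_cost_eth(len(data), price_per_blob_eth)


if __name__ == "__main__":
    payload = b"\xff" * 125_000        # constructed worst case: every byte non-zero
    print(f"calldata: {calldata_cost_eth(payload, 30):.4f} ETH at 30 gwei")
    print(f"blob:     {blob_cost_eth(len(payload), 0.001):.4f} ETH at 0.001 ETH/blob")
    print(f"ratio:    {calldata_over_blob(payload, 30, 0.001):.1f}x")
    # Real batches are compressed, so only some bytes are zero; the per-byte cost lands between 4 and 16 gas.
    mixed = bytes(range(256)) * 488    # constructed payload with ~0.4% zero bytes
    print(f"mixed payload: {calldata_gas(mixed)} gas for {len(mixed)} bytes")
```

Two caveats the one-line estimate hides: compressed batches contain some zero bytes, so the calldata side is usually a bit cheaper than 16 gas per byte, and blobs are bought whole, so a payload just over 125 kB pays for two.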
That's 2.6x more "yes" than "no"--there's certainly a strong preference for privacy among my following.
As promised, list of pros and cons for each, as well as my personal views.
Why should a base layer enable privacy by default?
1. We have the tech. We know how to enable…
Good intro on zk-snarks! Especially on what it can and *cannot* do.
"but we don't really have any good way to make state information global and private at the same time."
This is possible actually using threshold FHE:
Ever wondered how specifically ZK-SNARKs are used to preserve privacy, including some of the non-obvious tricks like how to prevent double-spending, and what the limits of ZK-SNARKs are?
This post tries to explain some of these ideas:
One of my favorite parts of working in crypto is partnering with talented and dedicated infra founders during the early stages. Looking forward very much to the work ahead as we now have a dedicated early-stage vehicle!
We are thrilled to announce our new oversubscribed early-stage venture fund to back the best builders in the space.
Thanks
@emilyjnicolle
at
@Bloomberg
for sharing the news:
Sneak peek of my talk tomorrow at ZKSummit in Amsterdam at 10:30am! I will be discussing how threshold FHE can work synergistically with programmable ZK circuits to realize CFMMs and sealed-bid auctions with maximal privacy guarantees.
@fede_intern
@MinaProtocol
Mina's problem is that they were ahead of their time and had the wrong marketing to the Eth crowd, IMO.
It's not an ecosystem for zkApps, it's really a settlement layer for validiums with an official validating light client.
Aggregation is one key advantage for zk systems over optimistic ones. As proving overhead (κ) comes down, there will be more proofs that will need to be settled, which naturally results in a need for proof aggregation to keep L1 settlement costs down.
Aggregation is just the…
1. We are more than excited to announce NEBRA UPA, the first Universal Proof Aggregation protocol in production. NEBRA UPA brings 10x plus gas cost reduction and composability for zero-knowledge proof verification.
Excited to share something that I have been working on (together with
@kcharbo0
)--a design of a *shielded wallet* for Ethereum. We are looking for builders / co-founders to build this into a real product. Come talk to me if you are interested!
This is one of the key open questions in the onchain privacy space. Solved "in theory" but much better performance is needed in practice.
The RFP itself contains a really good summary of landscape of solutions (Bravo!). CTA for those in the cryptography / research community.
There is a lot of focus on "decentralization", but it is really just a means to an end. In your opinion, protocols should be decentralized because it provides ..
We came up with this neat hackathon idea while sitting around chatting about what can be built around AA--a contract wallet that can be sold as an NFT. There's a lot of potential in the idea that we didn't really get to fully explore and build out.
7/ To my knowledge, the above technique was pioneered by
@hdevalence
at
@penumbrazone
. I have formalized it further and extended it to using FHE in PESCA (), which is cited by (and I hope a partial inspiration for)
@zama_fhe
's fhEVM whitepaper.
I just learned today that the 7-day delay period in current optimistic rollups is set to be the worst-case time required for interactive fraud proofs (>50 rounds) to conclude.
This means that zk (one-step) fraud proofs could enable a dramatic reduction of this finality delay!
Sovereign SDK enables not only zk-rollups but also optimistic rollups with short withdrawal periods.
How?
In the SDK's zk mode, provers create zk-proofs for each rollup block.
In the SDK's optimistic mode, similar to how other optimistic rollups work, a set of bonded parties…
I had lots of fun hanging out with this incredible group of young builders this past week in Bogota. Very interesting projects coming out of this hacker house!
An insane amount of killer projects were hacked out at the
@notfellow
Hacker House at
@ETHGlobal
Bogota.
Let's take a look at what they are and get to know the talented builders!!!
So proud of the hackers not only for the projects, but also for the memories we built 💞
Great work by
@class_lambda
and
@Matterlabs_
!
Validiums are making a comeback! Cheaper gas fees for users, faster settlement, better inter-op, and the possibility of providing web2-style privacy!
When will this come to RaaS?
@Calderaxyz
@conduitxyz
@alt_layer
ZK is the end game.
Got Validium?
I am happy to inform that
@zksync
merged our validium PR:
I am sharing a picture with the cost improvements.
It took us more time than what we originally expected. We learnt a lot about what needs to be improved in the ZK Stack thanks to…
I'm seeing quite a number of folks referencing this paper on "Naysayer proofs" to me recently.
While the idea is neat and the concrete applications are clear, the main theoretical result of the paper seems to contain lots of ambiguities (if not straight…
1/ There is a growing acceptance and maturity of the vision of "Internet of Rollups". Just like how every company has a website, every company & project may run a rollup that connects to Ethereum, the internet of value. What would be the benefit of these rollups? 👇
It is easy to discount zk for certain use cases due to the overhead and (historically) poor dev ex. However, zk compute offers unconditional security for execution validity, compared to the capped economic security that alternative solutions (like AVS or fraud proofs) provide.…
Great thread and discussion as always, truly appreciate that!
The economic cost of violating
@nebrazkp
security is breaking the security of Ethereum. You need:
1. Breaking ethereum consensus, which is much harder than a 51% attack.
2. Breaking the cryptographic guarantees. BTW,…
My take on shared vs. dedicated sequencers for L2s:
- Use a shared sequencer if your L2 needs atomic composability with others.
- Don't use a shared sequencer if you don't care about atomic composability and want to maximize performance or sovereignty over sequencing.
Cornell Blockchain Twitter Space Series
Theme: Scaling New Heights - A Dive into L2
⏰19th of March, 7:30PM EST
CoHost:
@nyubnf
Speakers:
@_bfarmer
Cofounder of Polygon
@_weidai
Research Partner at 1kx
@portport255
Security Engineer at Matter Labs
@0xbeamish
President of…
Poll on privacy: Suppose Ethereum is anonymous by default (all addresses are magically hidden, everywhere), *but* users can vote to deanonymize a transaction. A hack happens against a protocol, draining billions worth of assets. Would you vote to deanonymize the transaction…
10/ Making these "programmable cryptography" tools usable by devs is a great direction to start with. We have seen fast acceleration of this in ZK and it is great to see new developments in FHE and MPC by teams such as
@zama_fhe
,
@FhenixIO
,
@nillionnetwork
, plus others.
3/ However, plain FHE by itself *does not* solve the privacy issues for shared state applications (e.g.
@Uniswap
) in the blockchain setting, as someone still holds the decryption key. The key primitive that enables trust-minimized privacy is threshold FHE, aka FHE + MPC.
We desperately need privacy-preserving identity solutions in Web3. I'm beyond excited to be supporting Notebook on their quest of pushing cutting-edge zk identity products to market. Identity 🤝 privacy.
We are proud to announce that Notebook Labs has completed a $3.3 million seed round to help enhance our zero-knowledge identity infrastructure layer that enables Web3 protocols to create Sybil-resistant logins and users to enjoy anonymity and privacy.
5/ However, even threshold FHE has limitations, since the circuit model of computation cannot hide access patterns easily. One tool that may be able to solve this is ORAM. (The recent talk by
@ElaineRShi
is a great resource.)
The d/Infra Summit was ideated around the d/acc philosophy proposed by
@VitalikButerin
--to avoid the dystopian future from technological progress, we need to embrace defense-favoring, decentralized, trust-minimized, and resilient technologies and digital infrastructure.
We have…
By sharing knowledge, resources, and expertise within the community, we can collectively drive innovation in trust-minimization. But how can we overcome challenges in adopting this tech?
@VitalikButerin
will discuss improving incentives in his virtual keynote 🔊
3/ These zkML agents would be "nearly impossible" to shut down, since it could be always profitable for someone to post actions on-chain for these agents.
The only option would be to "sanction" the contract representing the agent, e.g. via social consensus or hard forks.
8/ To sum up, in the context of privacy:
ZKP: provides anonymity (shielded pools) & privacy of private state (Zexe by
@matthew_d_green
@secparam
@zkproofs
et al.)
FHE: provides compute on confidential data (private or shared)
MPC: distributes trust required for (shared) conf data
4/ I have discussed the potential of FHE for blockchains over the past year. This post () and this short talk during Devcon Bogota () are good resources.
Modularity in blockchains allows chains to gain scalability and interoperability without separate engineering efforts. However, the question of security in a modular world always intrigued me. I will be a mentor in the Modular Fellows program to help builders navigate.
1/ An ML-based agent (like autogpt or other LLMs) can be hosted as a zk-app-rollup where its outputs are verified and interpreted via an on-chain contract on Eth.
Since it controls a contract, it's able to conduct any transactions on Ethereum and beyond, via bridges and oracles.
One of the most creative projects I've seen--using CREATE2 to hide the intention of transactions (bids)! We also had an interesting discussion on potential anonymity farming projects around this that can help bootstrap the CREATE2 anonymity set.
🧂Vickrey Auctions
The team implemented Vickrey auctions onchain through CREATE2 and Merkle Patricia Trie proofs for optimal price discovery of NFTs.
@yush_g
,
@real_philogy
,
@outdoteth
,
@0xngmi
3/ The “cost of trust” thesis of 1kx strongly resonates with me–through the use of cryptography, distributed consensus, and incentive mechanisms, “blockchain tech” can reduce the inefficiencies and reliance on trusted services and intermediaries.
@gakonst
Yes! A view function that spits out public key information is basically all that's needed IMO.
The important part is to figure out how to have a flexible format to support different types of keys and expiration rules.
2/ FHE enables compute on encrypted data. It can help solve the privacy issue with public blockchains--that every bit of information is recorded publicly on-chain.
4/ Second, Nocturne utilizes Groth16 batch proof verification. This is the only audited batch Groth16 verifier in solidity that I am aware of and should be very useful for projects using Circom for client-side proofs.
I will be in Boston for the next few days for Harvard Blockchain Conference (hosted by
@HBSCryptoClub
)!
Looking forward to discussing the future of rollups with
@_bfarmer
and Neil Bhuta of Galaxy.
Don't hesitate to say hi if you see me in person!
4/ Despite more than a decade of progress, there is still lots of room for trust-minimized technologies to grow and mature. I'm excited to play my part in driving our industry forward.
2/ First, Nocturne employed a novel "zk" batch subtree update technique that reduces onchain gas cost of maintaining a poseidon merkle tree by >90%.
(We later learned that
@worldcoin
has used a similar technique.)
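The batch subtree technique above is easy to see in code, so here is an added Python example (not Nocturne's code): an append-only incremental Merkle tree that accepts a whole aligned subtree at once. The subtree root is computed off the contract (in Nocturne's design, inside the zk circuit), and the contract only hashes the path from that subtree root to the tree root, so a batch of 2^k leaves costs depth - k hashes instead of 2^k * depth. sha256 stands in for Poseidon and the depth is a toy size; both are assumptions of the example.

```python
"""Batch subtree update for an append-only Merkle tree.

Added example, not Nocturne's code. sha256 stands in for Poseidon, and the
depth is a toy size; the point is the number of on-chain hashes, which is
what the circuit lets you avoid paying for.
"""
import hashlib

DEPTH = 8                      # 2**DEPTH leaves
ZERO_LEAF = b"\x00" * 32


def H(left: bytes, right: bytes) -> bytes:
    """Node hash. Stand-in for Poseidon(left, right)."""
    return hashlib.sha256(left + right).digest()


def zero_hashes(depth: int) -> list:
    """zero_hashes[i] is the root of an empty subtree of height i."""
    zs = [ZERO_LEAF]
    for _ in range(depth):
        zs.append(H(zs[-1], zs[-1]))
    return zs


ZEROS = zero_hashes(DEPTH)


def root_from_leaves(leaves, depth: int = DEPTH) -> bytes:
    """Reference: rebuild the whole tree (leaves left-aligned, the rest empty)."""
    level = list(leaves) + [ZERO_LEAF] * (2 ** depth - len(leaves))
    for _ in range(depth):
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def subtree_root(leaves, k: int) -> bytes:
    """Root of a full height-k subtree (2**k leaves). This is the part done
    off-chain and attested by a proof, so the contract never hashes leaves."""
    assert len(leaves) == 2 ** k
    level = list(leaves)
    for _ in range(k):
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class BatchTree:
    """Incremental (left-frontier) Merkle tree that accepts whole subtrees."""

    def __init__(self, depth: int = DEPTH):
        self.depth = depth
        self.count = 0                         # leaves appended so far
        self.filled = [None] * depth           # latest completed left node per level
        self.root = ZEROS[depth]
        self.onchain_hashes = 0                # hashes the contract would pay for

    def _hash(self, left: bytes, right: bytes) -> bytes:
        self.onchain_hashes += 1
        return H(left, right)

    def append_subtree(self, leaves, k: int) -> bytes:
        """Append 2**k leaves as one aligned subtree; k=0 is a single leaf."""
        size = 2 ** k
        assert self.count % size == 0, "batch must be aligned to its own size"
        assert self.count + size <= 2 ** self.depth, "tree is full"
        node = subtree_root(leaves, k)         # off-chain / in-circuit work
        idx = self.count >> k                  # position of the subtree at level k
        for level in range(k, self.depth):     # only depth-k hashes on-chain
            if idx % 2 == 0:
                self.filled[level] = node      # left child: remember it for the sibling
                node = self._hash(node, ZEROS[level])
            else:
                node = self._hash(self.filled[level], node)
            idx //= 2
        self.root = node
        self.count += size
        return self.root


if __name__ == "__main__":
    leaves = [i.to_bytes(32, "big") for i in range(1, 17)]  # constructed leaves
    one_by_one = BatchTree()
    for leaf in leaves:
        one_by_one.append_subtree([leaf], 0)
    batched = BatchTree()
    batched.append_subtree(leaves, 4)
    assert one_by_one.root == batched.root == root_from_leaves(leaves)
    print("sequential:", one_by_one.onchain_hashes, "on-chain hashes")
    print("batched:   ", batched.onchain_hashes, "on-chain hashes")
```

With 16 leaves in a depth-8 tree, sequential insertion costs 128 on-chain hashes and the batched insert costs 4, the same order of saving the post describes. The alignment assertion matters: a batch that does not start at a multiple of its own size would straddle two subtrees and the single-path update would compute the wrong root, so a contract accepting batched updates has to enforce it.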
@VitalikButerin
1/ The problem with using stealth addresses is that the assets of a user get fragmented and the privacy guarantee is not ideal for spending. Suppose a user has two stealth addresses each holding 100 tokens; any action that spends more than 100 tokens now links the two addresses.
Are you a blockchain entrepreneur looking to fund your next project? Don't miss our Blockchain VC Panel! Learn from venture capitalists on how to secure funding for your projects and get their insights. Let's build the future of finance together
#BlockchainVCPanel
#MITBitcoinExpo
This is one of the most controversial questions that exist in crypto today.
I will do a debrief and offer my analysis to arguments for yes vs. no after the poll concludes.
So I went from doing "crypto and security" to doing "cryptos and securities."
"Crypto and security" - cryptography and computer security, as in areas of study.
"Cryptos and securities" - cryptocurrencies and securities, as in asset classes.
Great thread by
@real_philogy
on the one major limitation of EIP-3074--authorizations have a very crude level of revocation control, which is tied to a specific `nonce`.
Are there simple modifications to the spec here that can enable more fine-grained revocations? e.g. Supporting…
The `nonce` check means that as soon as you send a transaction with your wallet you'd invalidate *all* the authorizations you've made, this means you can't have long-standing authorizations e.g. for social recovery or native ETH permits. 💀
3/9
6/ Besides ORAM, there's also a paradigm of utilizing both ZKP and FHE/MPC to achieve anonymity without linear complexity blow-up--a Zcash-like shielded pool can provide the anonymity guarantee while the confidentiality of state can be delegated to FHE/MPC.
2/ OAuth2 / JWT / WebAuthn tokens can be connected directly to EIP4337 wallets in a trust-minimized manner with existing zk tech.
Even better, with hardware accel and recursion/aggregation, proving delay and verification cost can be manageable (think <10s delay and <50k gas).
2/ If these zkML agents are intelligent enough, then they are able to extract and accrue value to the Eth contract that they live on, which they can then use to incentivize anyone to compute and post their actions on-chain.
4/ For OAuth / social logins, the only trusted component would be refreshing host keys on-chain, which requires an oracle network. This can be further trust-minimized using techniques from trustless oracles like DECO & TLSNotary.
5/ This means the value of kappa gives the number of years zk proving is behind native compute.
- Efficiency of current zk compute is about the computers circa ~1988-1993
- With dedicated zk hardware, we could hope to get to computers circa ~1993-98