These new works mean that, to obtain SNARKs with performant provers, we should change essentially every component of today’s deployments, including:
- Polynomial IOPs. They should be sum-check-based to minimize the amount of data the prover needs to commit to.
- Polynomial commitment schemes. We should combine faster-prover, bigger-proof schemes like Ligero/Brakedown with recursion. Ligero/Brakedown has precisely the same security properties as FRI (they are transparent, plausibly post-quantum secure, based only on hashing, etc.)
- Hash functions. I’d advocate for using hash functions like Keccak and Grøstl, which can be proved at least as quickly as today’s supposed “SNARK-friendly” ones. If we do want to cook up hash functions with the goal of making them even friendlier to SNARKs, we’ll have to start from scratch in light of our improved understanding of the actual power and limitations of performant SNARKs.
- Instruction sets for zkVMs. We should use standard instruction sets such as RISC-V rather than ones designed around the limitations of previous proving systems. And we shouldn’t hand-design circuits implementing each instruction. Rather, zkVM designers should simply specify the evaluation table of each instruction and use a sum-check-based lookup argument like Lasso.
- The fields they work over. For a variety of technical reasons, today’s popular SNARKs require fields of relatively large characteristic (deployments typically use characteristic at least 231). SNARKs based on the sum-check protocol do not have this limitation, and D&P show how to exploit fields of very small characteristic like GF for major gains in performance.
Fortunately, the same developments that necessitate these changes also lead to SNARKs that are simpler and easier to build (although there is still room for further improvement). In particular, Jolt eliminates the need to hand-design instruction sets for zkVMs or to hand-optimize circuits implementing those instruction sets because it replaces those circuits with a simple specification of the evaluation table of each primitive instruction. This modular and generic architecture makes it easier to swap out fields and polynomial commitment schemes and implement recursion, and generally reduces the surface area for bugs and the amount of code that needs to be maintained and audited.
This simplicity is essential not only for usability and speed of development. It helps address a major security issue. SNARK-based systems consisting of many tens of thousands of lines of code, that require understanding multiple custom constraint systems or DSLs, will never be sufficiently auditable to secure billions of dollars of value.
I hope this post convinces more projects to invest in developing SNARKs that follow this design paradigm. There is a lot of building to do.
In the immediate future, some of the claims I am making still need to be fully verified via implementation (e.g., comparing D&P’s SNARKs for Keccak to those for ostensibly SNARK-friendly hashes, and fully implementing recursion to bring the proof size down). Meanwhile, our preliminary Jolt implementation (with curve-based commitment schemes) is nearly complete. Once finished, it will be worth re-implementing Jolt to use D&P’s hashing-based commitment schemes. This is somewhat involved, mainly because switching from a large prime field to a field of characteristic two necessitates redefining all the lookup tables to which Lasso is applied. I also hope that the new Lasso-based SNARKs for Plonkish circuits eases the integration of Lasso into existing tooling, as it enables the circuits that people have already written to be fed into it.
These are obvious next steps. I’m excited to see what happens once the community fully absorbs the power of the sum-check protocol to minimize commitment costs.
Justin Thaler is Research Partner at a16z and an Associate Professor in the Department of Computer Science at Georgetown University. His research interests include verifiable computing, complexity theory, and algorithms for massive data sets.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investment-list/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures/ for additional important information.