Woah this looks cool! My current (clearly outdated) mental model requires fixed inputs for a zkp, e.g., some fixed view of the chain state, some encrypted inputs, etc... I'm curious to know more how Mina overcomes these limitations.
OTOH, secure enclaves like SGX are convenient since the overhead's not bad, you can run the enclave as a networked service, make HTTPS connections, sample randomness via RDRAND, etc...
Do you think zkapps might have similar capabilities in the future? I'm not sure the analogy works all that well in blockchain land, but perhaps more as a virtual software-only enclave or something?
It's not super clear to me how you would sample private randomness, or perform remote attestation, or prevent replay attacks without a remote trusted storage.
I also remember even the best proof systems seemed to have like 100x prover overhead on CPU + memory usage, but that was a few years ago. Have things gotten better recently?
There are definitely certain scenarios, especially around verifiable compute, in which you can think of ZK as a software alternative to a secure enclave.
Interestingly, if you ask people which they would trust for a rollup, most say ZK is the more trustworthy technology. In part just because it doesn't depend on one vendor (the enclave manufacturer).
I work on the tooling layer for zkapps on Mina — Great questions!
I think in the future the overhead will improve significantly, and we can already see incremental improvements in some proof systems. For Kimchi (the proof system we’ve built for zkapps/Mina), we've instead focused on features — like infinite recursion. To really see the performance overhead reduce, we’ll need to push more of the compute into silicon (think opcodes designed for zk similar to the ones we have now to accelerate RSA). In the meantime, modern processors are fast enough that this overhead doesn’t hold back many sorts of applications.
On fixed inputs: Kimchi is “universal” in that it can recursively compose arbitrary circuits efficiently — including ones with different public and private inputs and including ones that haven’t been defined yet. This is what powers zkapps and zkapps’ ability to recursively compose circuits on itself (think application-specific rollups).
Randomness: Modern blockchains have mechanisms for trustlessly agreeing on securely generated random seeds. We can tap into that and use mechanisms like verifiable random functions (which Mina uses internally during consensus) to securely manage randomness (caveat: we haven’t built out the randomness APIs for zkapps yet so there may be some nuance here that we haven’t run into yet). If you want to learn more about how this works in Mina, read up on Ouroboros Samasika, Mina Protocol’s consensus mechanism.
Prevent replay attacks: Blockchains are designed for this :). Basically increment a nonce and feed the current nonce as one of the public inputs to the zkapp.
Remote attestation: This requires nuance to define properly as there are different solutions to different versions of this problem. I’ll outline a few here:
1. Consider the case where you trust the entity that attesting to something and they can upgrade their backend: the entity adds a snark friendly signature to their endpoint and you check the signature within the zkapp (remember since they run locally, you execution can just make async network requests)
2. Consider the case where you trust the entity but can’t convince them to change their API: here you can verify the contents of the response against the TLS signature that already exists in the modern web. Caveat: this is still a work in progress, we’re currently calling it zkOracles
3. Consider the case where you don’t trust the entity — in this case we’re talking about reading information from other zkapps or blockchains. Luckily, these all come with signatures in different shapes and sizes so the problem becomes efficiently verifying those signatures from within the zkapp. You can solve this in modern plonkish zk proof systems with custom gates. Caveat: this is also a work in progress for zkapps in Mina.
OTOH, secure enclaves like SGX are convenient since the overhead's not bad, you can run the enclave as a networked service, make HTTPS connections, sample randomness via RDRAND, etc...
Do you think zkapps might have similar capabilities in the future? I'm not sure the analogy works all that well in blockchain land, but perhaps more as a virtual software-only enclave or something?
It's not super clear to me how you would sample private randomness, or perform remote attestation, or prevent replay attacks without a remote trusted storage.
I also remember even the best proof systems seemed to have like 100x prover overhead on CPU + memory usage, but that was a few years ago. Have things gotten better recently?