Blog Article

ZkVM: a new design for fast, confidential smart contracts

Author

Oleg Andreev

Publishing date

Smart contracts

Zkvm

We’re always looking for ways to make Stellar better: more scalable, more efficient, more flexible. Usually that means we work directly on the protocol. But sometimes we take a more “blank slate” approach and imagine entirely different ways for a blockchain to function. Sidechain research like this helps us develop features and learn things that we can apply back to Stellar.

We’re excited to announce the latest example of such research, which we’re calling ZkVM, the zero-knowledge virtual machine. ZkVM is an experimental multi-asset blockchain architecture for scalable and confidential smart contracts.

ZkVM transactions contain programmable constraints over encrypted data and assets. Individuals and organizations can safely perform their transactions and custom financial agreements directly on the shared ledger, instead of keeping them in siloed databases.

The ZkVM blockchain uses a compact data model that fits in a few kilobytes. Verification of transactions is highly parallelizable and takes 1–2 ms per CPU core. Nodes can bootstrap instantly from a network-verified snapshot. Virtually any computing device can run a full node, without relying on intermediate infrastructure and trusted third parties.

Stellar and ZkVM

All existing blockchains have inherent limitations:

  • transactions are slow to relay, verify and confirm;
  • blockchains are hard to scale because every node needs to keep track of the entire system;
  • the requirement to publish all transactions is often incompatible with confidentiality needs of the markets and businesses;
  • higher-level protocols and applications are hard to build due to either lack of flexibility or inefficiency of the underlying blockchain protocol. Stellar, with its federated consensus mechanism, does very well in terms of speed and scalability. Our research on ZkVM aims at helping Stellar afford users more privacy and flexibility.

ZkVM is designed from the ground up to be a multi-asset ledger that can be used with the Stellar Consensus Protocol. It can process large volumes of transactions, allow wider use of the full validators, protect confidential data, and support the creation of a custom protocol on top of the blockchain rules, without having to upgrade the network with additional features. Stellar would benefit from any of these features.

Here’s how ZkVM works:

Transactions and contracts

ZkVM grew out of our prior work on TxVM, which in turn was influenced by the design of Bitcoin and Ethereum.

ZkVM uses a novel transaction format pioneered in TxVM: a transaction is represented as a program that manipulates flow of assets directly as first-class objects and emits the necessary updates to the blockchain state in the form of a transaction log. The transaction log then can be applied to the state of the system separately from transaction validation, which permits a highly scalable design, while offering a powerful, yet safe environment for custom contracts.

To help scale the blockchain state and permit confidential value transfer, ZkVM uses a utxo model to represent balances: all balances are represented by a set of “unspent transaction outputs” (abbreviated as utxos) that can be created and destroyed. Each transaction proves ownership of the asset values in the previously created outputs, destroying those outputs, then issues, splits and merges the values, and creates new unspent outputs.

Unspent outputs are compactly stored as merkle roots via the Utreexo scheme, which dramatically decreases the storage requirements and allows much wider deployment of fully-validating nodes.

In ZkVM each output is a contract persisted in the blockchain state. Each contract contains an arbitrary number of items that could be values or data parameters, protected by a predicate — a condition that must be satisfied in order to unlock the items.

ZkVM uses a variant of Taproot design to allow unlocking the contracts with either an ordinary cryptographic signature, or by revealing and executing an embedded sub-program that verifies custom conditions.

Contracts in ZkVM are versatile building blocks for the higher-level protocols such as accounts, order books and payment channels. This could allow a platform like Stellar to move design choices in such protocols out of the consensus-critical layer, enabling rapid experimentation with a wide range of decentralized applications.

Confidentiality

Use of the Taproot scheme in predicates offers a good trade-off between confidentiality and customization: contract logic does not need to be revealed if all parties to a contract cooperate, but still provides security in case they do not. When the contract logic has to be revealed, the data (such as balances, prices and other contract parameters) still remain secret due to use of a constraint system verified in zero-knowledge.

ZkVM is built on top of the state-of-the-art implementation of the Bulletproofs zero-knowledge proving system. Values and data are encrypted by default and represented as Pedersen commitments. ZkVM allows users to specify arithmetic and logical expressions over secret values that get automatically turned into a Bulletproofs constraint system.

The most simple transactions contain a single cloak instruction that emits constraints proving the correct distribution of M input values into N output values. Custom contract conditions may impose additional constraints on the values, such as verifying the required interest payment on a loan completely in zero-knowledge. ZkVM supports a complete set of arithmetic and boolean instructions that allow expressing arbitrary conditions commonly found in financial contracts.

Bulletproofs framework does not require trusted setup and allows each transaction to efficiently construct a unique constraint system on the fly, enabling transaction authors to create new protocols on top of ZkVM without the need to upgrade the entire network for each new feature.

The resulting transactions are compact and can be verified very efficiently. Small transactions are around 1–1.5 Kb in size, while aggregated payments have marginal cost of just 200 bytes per input-output pair. Verification is highly parallelizable and takes about 1 ms per output. As a result, ZkVM does not require users to trade off security for efficiency: all data can be encrypted by default and revealed only to authorized parties on the need-to-know basis.

Stellar will benefit greatly from the experiment in confidential smart contracts, as it opens doors to a wider range of new applications.

Learn more and participate

You can find more details about ZkVM in our whitepaper (also available as a PDF for those seeking a glossy magazine experience).

We develop the VM and all its sub-protocols under the umbrella of the open source Project Slingshot. It began with the protocol team at Interstellar and now is lead by the Stellar Development Foundation. We invite everyone to participate: please ask questions, file issues and make pull requests in our repository.