The Exploration of Economic Models for Zero-Knowledge Proofs

Author: Hugo, ZKPool

TL;DR

1. A dual-layer zero-knowledge proof (ZKP) economic model is proposed, where the shared ZKP prover pool and universal modular prover are key components of the ZKP ecosystem.

2. ZKP provers represent the next generation of blockchain computing infrastructure.

3. There are fundamental differences between proof-of-work (PoW) miners and ZKP provers.

4. The design of the ZK-rollup proof economic model faces the "impossible triangle" challenge: balancing performance, cost, and decentralization.

5. This paper analyzes several ZKP proof economic models, taking Taiko's solution as an example.

1. Introduction

In recent years, zero-knowledge proof (ZKP) technology has made significant progress. It has become increasingly popular in projects that require computational scalability or privacy protection.

ZKP, especially the SNARK (Succinct Non-interactive Argument of Knowledge) protocol, has gained widespread recognition in Ethereum's scalability direction. Ethereum's roadmap includes the goal of "Snark Everything," with Vitalik Buterin claiming that "zK-SNARKs will be as important as blockchain in the next 10 years."

Vitalik's Statement on zK-SNARK

However, generating zero-knowledge proofs is much more complex than the computation itself.

For example, in Ethereum, the computation time for a block with 10M Gas is less than 1 second, as shown in the figure below.

EVM Performance

However, for circuits in ZKEVM, generating proofs for blocks on a 128-core CPU may take over 1700 seconds. Please refer to the benchmarking results from the PSE team.

ZKEVM Benchmarking

Even using GPUs, ZKEVM takes hundreds of seconds to generate proofs. This means that the cost of using ZKP to verify EVM computations is over 1000 times higher than the original computation.

There will be enormous ZKP computational demands in the future, as there will be many ZKP projects, including L2 projects like zkSync, Scroll, Taiko, Polygon, Linea, and Aztec, as well as L1 projects like Aleo, Mina, and Risc Zero. There will also be other privacy, identity, and gaming-related projects that require ZKP computational capabilities.

MESSARI's ZKP Ecosystem Visualization

We believe that trusted computing will be as important as computation itself in the future digital world, and ZKP acceleration will become the core of the next generation of blockchain computing capabilities.

2. ZKP Requires a Different Economic Model than PoW

Proof of Work (PoW) is an algorithm used for distributed consensus. In PoW systems, participants (miners) must perform computationally intensive work to prove that they have invested a certain amount of computational resources. The goal of these algorithms is to ensure network security. Miners compete to find hash values that meet specific conditions to earn block rewards and transaction fees.

However, the purposes and characteristics of ZKP are very different.

Here is a comparison between PoW miners and ZKP provers.

Comparison between PoW Miners and ZKP Provers

Some ZKP projects, such as Aleo, still use PoW-like mechanisms, but they are not mainstream. Ethereum's success with PoS has proven that PoW is not the only viable solution for achieving blockchain decentralization. Therefore, more projects may choose non-PoW proof systems to reduce energy consumption and overall costs.

In the ZKP computational paradigm, different proof accelerators and different economic models need to be designed.

3. The Impossible Triangle Challenge of ZKP Proof Economic Models

In this context, "proof economic model" refers to the incentive mechanisms in decentralized zero-knowledge proof systems. The three key metrics of a zero-knowledge proof network are cost, performance, and decentralization. A well-designed proof economic model should satisfy all three requirements.

First, cost is a key factor in ZKP projects, especially for ZK-rollups. This is because their mission is to scale Ethereum and reduce user transaction costs. The cost of proof is a part of the total cost of ZK-rollups and other ZKP projects.

To provide a better user experience for validating layer two transactions and achieving finality, ZK proof accelerators require high-performance machines. Using parallel computing with GPUs, FPGAs, or ASICs can help alleviate bottlenecks. This is why using GPU to prove zkEVM only takes 10 minutes, while using CPU may take several hours.

Another key requirement for ZKP provers is decentralization. Decentralization means that many participants can join the proof work without needing permission and have redundancy and geographical distribution, making the entire system robust and resistant to censorship.

However, meeting all three aspects of high performance, low cost, and decentralization in the same design is an impossible challenge.

The Impossible Triangle of ZKP Proof Economics

First, there is a conflict between cost and performance. If high performance is required, expensive proof accelerators such as GPUs, FPGAs, or even GPU/FPGA clusters are needed.

As ZKP becomes more widely used in the long term, there will be a market for millions of ZK proof accelerators. By then, low-cost ZK ASIC chips could simultaneously meet the requirements for low cost and high performance. However, since we are currently in the early stages of ZKP and have not yet reached such a large market scale, the unit cost of ZK ASIC chips is relatively high. Therefore, achieving cost-effectiveness and performance at this stage remains a challenge.

Second, decentralization often requires redundancy in proof accelerators, thereby increasing the overall cost of the proof system.

For example, if a ZK-rollup project creates an L2 block in 1 second and requires high-performance GPUs to generate its proof in about 10 minutes, approximately 600 proof accelerators would be needed to meet the demand.

If we deploy 600 GPU proof accelerators for the ZK-rollup project, the computational capacity will be sufficient to meet its throughput. However, if some proof accelerators fail to complete their tasks on time due to network failures or occasional shutdowns, other proof accelerators will need to generate proofs. Increasing the number of backup proof accelerators and decentralizing ZK provers will increase the total cost of the proof system. This is also why PoW is not prevalent in ZKP projects.

The third challenge is that the extreme pursuit of performance in proof accelerators may lead to the proof network being monopolized by the fastest proof accelerators. This conflicts with the goal of decentralization.

From an economic perspective, establishing an economic system that ensures the profitability and activity of proof accelerators in the ZKP system is a challenging task. This is the challenge of the proof accelerator economic model.

4. Evolution of ZKP Proof Economic Models

Taiko is a decentralized ZK-rollup project, equivalent to Ethereum, and uses Type 1 zkEVM technology. In the early stages of the Taiko project, its focus was on designing decentralized sequencers and proof accelerators. It is the first ZK-rollup project to actively promote decentralized sequencers and proof accelerators.

Taiko introduces its economic model design principles in its documentation, which mention similar metrics:

1. Efficiently utilize proof resources

2. The cost of proof takes precedence over the speed of proof

3. Redundancy/decentralization of proof accelerators

The Taiko project has explored various solutions to the impossible triangle of ZKP proof economics and continues to evolve. Here is the history of the Taiko Testnet and its proof economic model:

1. December 28, 2022, Alpha-1: Proof accelerators were not open.

2. March 23, 2023, Alpha-2: Proof accelerators were permissionless, with the fastest proof accelerator winning, without an economic model.

3. June 7, 2023, Alpha-3: Proof accelerators were permissionless, with a dynamic reward economic accelerator.

4. June 2023: Batch auction-style economic accelerators were proposed and discussed.

5. July 18, 2023, Alpha-4: Proof accelerators were permissionless, with a staking-based economic accelerator.

6. New proposals are in progress.

Comparison of Different ZKP Proof Accelerators

4.1 Dynamic Reward Proof Economic Model (Taiko A3)

The A3 economic model includes a dynamic reward mechanism designed to incentivize proof accelerators with low costs and high performance. It includes the following rules:

• The proof accelerator that submits the proof the fastest wins.

• As the speed of proof submission by proof accelerators increases, the rewards gradually decrease.

Therefore, once a proof accelerator becomes the fastest, its optimal strategy is to submit proofs just slightly faster than competitors and wait for a while to receive higher rewards and maintain greater profits.

Next, let’s look at some phenomena observed in Taiko A3.

1. Gas Wars

Currently, the number of active proof accelerators in A3 is gradually decreasing, showing a trend towards centralization.

Trend of daily active proof accelerators on the A3 testnet

The reason for the above trend is that some high-performance proof accelerators can submit their proofs in 24 seconds, which is very fast. According to Ethereum's design, if multiple proof accelerators submit proofs within the same time window, the proof accelerator with the higher gas fee will be accepted. On the Sepolia testnet, gas fees are not real ETH and are very cheap.

Therefore, there is a gas war among these high-performance proof accelerators. They submit proofs at extremely high gas prices, sometimes reaching 2000 Gwei. Some proof accelerators with very high gas fees dominate the proof tasks.

Another strategy is to optimize performance by submitting proofs within 12 seconds. However, submitting all proofs within 12 seconds is challenging because, according to A3 design, faster speeds lead to lower rewards.

Gas fee trend of proof accelerators on the A3 testnet

High gas fees on the A3 testnet

2. Competition for Computational Resources

Another phenomenon in A3 is the increase in failed submissions. This is because only one winner is allowed to submit a proof for each block, and all other submissions will be rejected even if they generate valid proofs.

Failure rate in A3 (transactions in red boxes)

4.2 Staking-Based Proof Economic Model (Taiko A4)

In A4, Taiko adopts a staking-based proof economic model, which offers several advantages:

1. Eliminates excessive competition for computational resources, as only one proof accelerator is selected to generate the proof. If not selected, other proof accelerators do not need to compute further.

2. By giving higher weight to incentivize low-cost, high-performance proof accelerators, it does not guarantee victory.

3. Compared to auction-style solutions, the design is relatively simple.

Why do we need staking? The reason is that once a proof accelerator is selected, it needs to submit the proof honestly and promptly. If the selected proof accelerator fails to complete this task, penalties will be enforced.

An important phenomenon in A4 is that the probability of ZKP proof accelerators being penalized is high, especially during network congestion. Here is an example.

Penalty history on the A4 testnet

Next, we can discuss possible solutions.

5. Further Improvements to the Proof Economic Model

Based on our analysis, the expected zero-knowledge proof economic model should meet the following requirements:

1. Only one proof accelerator per task, with no wasted computation.

2. Mechanisms should be established to prevent monopolies and promote decentralization.

3. The selected proof accelerator should provide staking, and if they fail to generate proofs within the designated time window, they should be penalized.

4. Incentive mechanisms should encourage faster proof submissions and lower costs.

5. Proof accelerators should be compensated for high gas fees.

6. Proof windows should be extended during traffic congestion.

Let’s expand the discussion further.

This zero-knowledge proof staking mechanism is similar to Ethereum, as it incentivizes validators to be honest. However, there are differences between them.

Comparison of Ethereum Validators and Zero-Knowledge Proof Accelerators

As shown in the table, compared to Ethereum validators, zero-knowledge proof accelerators have higher costs and greater risks of being penalized. At the same time, regarding rewards, the only compensation for zero-knowledge proof accelerators comes from ZKP project parties, but it must include gas fees, computing hardware costs, and the costs of staked assets.

Here are some proposals to reduce penalty amounts, considering that zero-knowledge proof accelerators need to pay gas fees and relatively high computing hardware resource costs:

1. If the proof accelerator submits a proof within a relatively long time window, no penalties should be imposed. This is because others can submit proofs as designed, and the proof accelerator has already incurred gas fees and computing capacity costs.

2. If the proof accelerator never submits a proof, a lower penalty amount should be imposed. In this case, it may be difficult to distinguish between network/technical issues or dishonesty issues. Therefore, penalties are reasonable but should be milder, as in most cases, failures may be due to network congestion.

When there is network congestion or gas fees are extremely high, it is difficult for proof accelerators to submit proofs even with reasonable gas fees. Here are some solutions that can be considered:

1. Extend the proof window when base fees are high.

2. A more economically reasonable solution is to increase rewards when base gas fees are high.

The staking mechanism incurs some capital costs. Although there are no so-called POS rewards, ZK-rollup incorporates POS as part of the proof economic model. However, all capital has interest costs. Therefore, in a staking-based mechanism, the reward amount should be increased to cover staking costs, even though it can be included in the overall rewards for proof accelerators.

Additionally, the following improvements would be desirable:

1. To incentivize faster proof accelerators, after selecting a proof accelerator, if they submit proofs before the target proof time window, their rewards can be increased.

2. Using batch proofs helps reduce overall gas fees.

6. Dual-Layer Zero-Knowledge Proof Economic Model

Currently, many zero-knowledge proof (ZKP) projects use their own proof systems and economic models, but this approach does not facilitate the sharing of computational capabilities among ZKP projects, leading to higher costs for the entire ZKP ecosystem.

As analyzed in previous sections, ZKP projects require a complex mechanism to manage penalties, rewards, proof time windows, and other related aspects.

Moreover, there is a high barrier to becoming a proof accelerator for various ZKP projects and staking various assets.

To achieve a healthier and more cost-effective ZKP proof ecosystem, adopting a dual-layer economic model may be a good solution. After multiple iterations of the proof economic model, Taiko proposed a solution, which we further expand into a dual-layer framework.

In this approach, each ZKP project operates as the first layer, defining its own economic model. However, the selection, scheduling, penalties, rewards, and ratings of proof accelerators are delegated to the second layer, which is the shared proof accelerator pool.

Dual-Layer ZKP Economic Model

ZKPool, as a proof accelerator pool, can aggregate the demands of multiple ZKP projects and allocate tasks to proof accelerators, giving them higher utilization rates and more revenue. Additionally, it lowers the participation threshold and minimizes potential penalties.

To provide ZKP projects with optimal performance and low-cost proof accelerators, ZKPool can implement a proof market, adopting a standardized rate system to evaluate the performance of proof accelerators and create competitive mechanisms among them. This system can return the best proof accelerators to ZKP projects, and ZKPool can provide additional platform incentives based on the rating system. This approach can greatly benefit ZKP projects and ZKP proof accelerators.

Scope of Responsibilities in the Dual-Layer Economic Model

Additionally, we propose the concept of UMP (Universal Modular Prover). Universal modular provers can operate on the same hardware platform while supporting proof work for various ZKP projects.

Universal Modular Prover

The entire ZKPool will move towards decentralization and promote a healthy economic ZKP ecosystem.

Overview of ZKPool Architecture

Design principles of ZKPool:

Minimize costs for ZKP projects while maximizing revenue for proof accelerators.

Simplicity: Easy access to ZKP computational capabilities, easy to join ZKP proof accelerators.

Transparency: Maintain transparency in revenue distribution.

Not only ZKP but also artificial intelligence and spatial computing in web3 deployment will require accelerated computing resources. ZKPool can ultimately share all accelerated computing resources across Web3, which we can call the acceleration layer of Web3.

Acceleration Layer of Web3

7. Conclusion

Exploring ZKP proof economic models is a long and rewarding journey. Through our research, we identified cost, performance, and decentralization as key metrics of ZKP proof economic models. Implementing a dual-layer ZKP proof economic model can benefit the entire system. Furthermore, a shared universal proof accelerator pool is crucial for the ZKP ecosystem.

Next, we need to address and resolve these challenges to fully complete this ecosystem. Important tasks include building standard inputs for ZKP proof accelerators, reducing hardware requirements, and more. These are the areas we focus on and strive for.