A Chain Abstraction Based ZK Coprocessor by zCloak Network

zCloak Network
11 min readMar 7, 2024

--

zk-Maze Landing Page

In this article, we will introduce the latest work from zCloak Network — a chain abstraction based ZK coprocessor. This document assumes the reader has a basic understanding of Zero-Knowledge operations and a certain level of programming expertise. With this groundwork in place, we will proceed to explore the architecture and distinctive attributes of the coprocessor’s design.

Basic Concepts

The zCloak team introduced a sophisticated Zero-Knowledge (ZK) service solution in early 2024, known as the chain abstraction based ZK coprocessor, which operates across all blockchain platforms. This innovation emerged from a period of intense development and consists of two primary components: chain abstraction and the ZK coprocessor itself.

Chain abstraction is a framework that enables the application of Zero-Knowledge Proofs (ZKPs) universally across various blockchain systems. It ensures that ZKPs can be executed and recognized without being confined to the blockchain on which the result is generated.

To appreciate the ZK coprocessor, it is essential to first understand the concept of a coprocessor. Historically in computer architecture, a coprocessor is designed to enhance the overall performance of the computer. While traditional computing relies heavily on the central processing unit (CPU) for all tasks, the increasing complexity of operations often leads to CPU overload. Coprocessors are thus specialized processors that handle particular functions, such as graphics processing units (GPUs) for parallel processing in graphics rendering or cryptographic accelerators for encryption and decryption tasks.

The ZK coprocessor, as developed by zCloak, alleviates the burden of ZK-intensive computations from conventional public blockchains by leveraging off-chain, high-performance computing resources. This results in more efficient processing of these complex tasks.

At zCloak, we have employed the Internet Computer (ICP) to serve as a coprocessor for Ethereum and other public blockchains. Our innovative approach to the ZK Coprocessor, grounded in chain abstraction, simplifies the overall architecture of ZK applications and facilitates the cross-chain interoperability of ZKP verification outcomes. This model offers users complete access to the service at reduced costs, while developers benefit from straightforward integration with minimal coding requirements. Significantly, the ICP-based coprocessor is versatile enough to handle a broad spectrum of general computations, which may herald the advent of chain-abstracted AI coprocessors in the forthcoming period.

The Technical Architecture of the ZK Coprocessor

From a system architecture perspective, the chain abstraction based ZK coprocessor encompasses three main components: a general-purpose ZK Program module, a ZKP generation computing module, and a ZKP verification module. Here is the basic workflow of ZKP from the perspective of zkVM.

Figure1: the workflow of ZKP

The zkVM operates with three inputs: publicInput, secretInput, and the ZK program. The publicInput initializes the zkVM, the secretInput contains the confidential data to be safeguarded, and the ZK program represents the specific Zero-Knowledge application to be executed.

Upon execution, the zkVM output is composed into the ZKP — representing the actual Zero-Knowledge proof data — and the output, which reflects the residual state of the zkVM stack, typically indicating the ZK program’s computational results.

During the verification phase, the ZKP Verifier processes four inputs: publicInput, the ZK program, the ZKP, and the output. These inputs undergo intricate mathematical operations, culminating in a true/false result that signifies the validity of the computation.

In essence, ZK technology verifies that a known deterministic program can yield a particular outcome, given private input and known public input, thereby confirming the integrity of privacy-preserving computations without revealing the sensitive input data.

For our project, we have adopted the zk-STARK-based zkVM, specifically Polygon Miden, as the foundational proof system. The components of the Miden zkVM have been integrated with the zCloak’s zkID Software Development Kit (SDK). Notably, the ZK Program module within this SDK supports the creation of general-purpose computing programs by end-users, eliminating the need for manual zk circuit construction and enabling algorithmic functions through zk program writing alone.

The zkVM facilitates developers in executing the logic for ZKP generation in WASM format locally via the Miden zkVM. This integration streamlines the ZKP generation within web development workflows, allowing end-users to generate ZKPs locally through a step-by-step web interface.

A primary challenge we have addressed is the implementation of the ZKP Verifier module. In many ZKP projects, Ethereum smart contracts typically assume the verifier role. While leveraging Ethereum’s network security for reliable verification, this approach encounters limitations in computational capacity and scalability, often leading to prohibitive gas fees and becoming a bottleneck for ZKP system evolution.

To overcome these challenges, we have investigated the use of the Internet Computer (ICP) to fulfill the ZKP Verifier’s functions, assessing the new capabilities and performance enhancements it provides in comparison to Ethereum.

A ZKP Verifier Built on ICP

The Zero-Knowledge Proof (ZKP) verifier, developed using ICP, is characterized by three core attributes: decentralization, chain abstraction, and accessibility. The success in embodying these features stems from integrating the ZKP Verifier as a canister (smart contract) within the ICP framework.

Decentralization

In our Zero-Knowledge service architecture, the ZKP verifier is implemented within canisters on ICP’s decentralized cloud infrastructure. Each ZKP submitted to the ICP is verified by all nodes in the subnet, which guarantees the security and credibility of the verification through a multi-signature consensus process involving numerous nodes. Thus, the integrity of the ZKP verifier is as robust as the security of the ICP subnet itself. Furthermore, the WebAssembly (Wasm) virtual machine environment on ICP provides an efficient and user-friendly execution environment for the ZKP verifier programs.

Chain Abstraction

ICP’s innovative Chain Key technology brings threshold ECDSA signature — an enabler for chain abstraction based ZKP. In normal ZKP application, the verification result is only available in the same chain where the verifier smart contract is deployed. If the user wants to use the same result in other chains, they have to repeat the verification process in the target chain, causing unnecessary efforts and gas costs. While in our case, upon a successful ZKP verification, the result is digitally signed by all the nodes in the ICP subnet with tECDSA signature scheme. Users can then send this signed result to any chain they want as long as the target chain can verify an ECDSA signature — EVM chains, Solana and Sui are such examples. This method greatly improves the UX for multi-chain ZK applications.

Accessibility

Leveraging ICP’s reverse gas model, our system permits users to access the zCloak ZKP verification service without the need for account creation or incurring gas fees. This substantially reduces the entry threshold for users to engage with Zero-Knowledge technology, enabling them to experience the full suite of Web3 ZK features with the simplicity of Web2 interfaces. This approach is instrumental in fostering the broad adoption and practical use of ZK technology.

Key Benefits

Ultra-Low Costs

It is widely known that executing storage and intensive computational logic in Ethereum smart contracts incurs significant gas fees. For example, the direct verification cost for a approximately 200 KB STARK proof in an Ethereum smart contract can reach thousands of dollars.

In contrast, the overall cost reduces dramatically utilizing the ZK coprocessor solution. The cost of ZKP verification within ICP is only a few cents. Calculations indicate that the computation expense for ZKP verification itself is within one cent, and the cost of generating threshold ECDSA signatures is also around one cent.

This stands in stark contrast to the expenses associated with using Ethereum contracts for ZKP verification, which can be tens of thousands of times higher than the zCloak ZK coprocessor solution. Even when factoring in the transaction fees for writing verification results to the target chain, our ZKP verifier solution remains significantly more cost-effective than the Ethereum counterparts.

High Execution Efficiency

Within smart contracts, method invocations are subject to limitations on the size of input parameters. A typical method invocation can handle STARK proof uploads of approximately 90 KB, which is inadequate for the more commonly encountered proofs of around 200 KB.

The prevailing workaround requires splitting the proof into fragments, uploading these segments through successive transactions to the smart contract, and then having the contract piece together and validate the proof. In contrast, the ZK coprocessor approach allows for the verification of the entire STARK proof within a single transaction. This significantly improves the efficiency of ZKP verification when compared to the conventional multi-step process.

High Execution Speed

As previously mentioned, a STARK proof of standard size is typically broken down and processed over several transactions, leading to excessively long verification times for the complete proof. Our ZK coprocessor solution, however, reduces the ZKP verification time to just a few hundred milliseconds. Consequently, the overall ZK procedure can be completed with execution speeds that rival those of off-chain computations.

A Game Example

Having outlined the fundamental principles of the service, we will now explore a practical example. By examining the implementation of a simplified game, we will illustrate the method of interaction with the service.

ZK Maze Game Link: https://zkmaze.zkid.app/

The ZK Maze game currently supports testnets on the EVM and Solana ecosystems. The gameplay is simple; players navigate the character using the WASD or arrow keys to move. The game automatically transitions to the settlement page when the character escapes the maze. Achievements are generated based on the length of the player’s path, with the “Shortcut Genius” achievement for the shortest path and the “Maze Navigator” achievement for successfully escaping the maze without taking the shortest path. A “ Shortcut Genius SBT” will be minted on the target chain if the shortest path achievement is achieved.

Figure 2: Game Settlement Page

The application of ZK in this context lies in proving the escape path adheres to the map rules and determines which achievement they fulfill without revealing the exact escaping path. The game is aimed to introduce the entire process of using the chain abstraction based ZK coprocessor, with three core steps: locally generating ZKP, submitting ZKP to the ZKP verification module, and verifying the signature on-chain while consuming the ZKP verification result.

Core Steps Overview

Generate ZKP Locally

When the program detects that the user has completed the pre-game operation flow, the game front-end will invoke the zkID SDK interface locally to generate ZKP for the escape path. The specific interface is as follows:

const zkpResult = executeZkProgram(program, publicInput, secretInput);

This interface uses three parameters: program, publicInput, and secretInput.

  • program refers to the specific assembly instructions of the zkVM, containing the legality of the escape path and achievement determination logic.
  • publicInput initializes the zkVM stack status, representing the specific map information in this game.
  • secretInput represents the user's private data, indicating the exact escape path in the game. This step runs the zkVM and associated zero-knowledge programs in the user's local device to generate ZKP based on the user's game path.

Submit ZKP to ZKP Verification Module

In this step, we interact directly with the verifier service module. During the interaction, you need to provide the service with the following three paramete

  • publicInput, as mentioned above.
  • programHash, the unique hash value of the encoded program generated by the SDK interface.
  • zkpResult, the return value from the previous interface.

Before interacting with the service, the programHash needs to be generated first:

const programHash = generateProgramHash(program);

Then we can get to interact with the service officially.

Due to the deployment of the verifier service module within the ICP Canister, it is essential to know the Canister’s address. Taking one exemplary verifier as an illustration, its address is 7n7be-naaaa-aaaag-qc4xa-cai. With the contract address in hand, we can examine the contract interface. The example contract interface is as follows:

// zk.ts
export const programHash = "xxx";
export const publicInput = "xxx";
export const zkp_result = "xxx";
export const canister_id = "7n7be-naaaa-aaaag-qc4xa-cai";

export const idl_factory = ({ IDL }: { IDL: any }) => {
return IDL.Service({
greet: IDL.Func([IDL.Text], [IDL.Text], []),
public_key: IDL.Func(
[],
[
IDL.Variant({
Ok: IDL.Record({ public_key_hex: IDL.Text }),
Err: IDL.Text,
}),
],
[]
),
zk_verify: IDL.Func(
[IDL.Text, IDL.Text, IDL.Text],
[IDL.Text, IDL.Text, IDL.Vec(IDL.Text)],
[]
),
});
}

Finally, interact with the service contract using the TypeScript (TS) code below. The zk_verify method is the core function of the service contract. Invoking this method returns three values: Canister signature, publicInput hash, and zkVM computation results (game achievements).

To simplify the interaction code, specific constant values have been pre-defined in the zk.ts file.

// zkp-verify.ts
import fetch from "isomorphic-fetch";
import { Actor, HttpAgent } from "@dfinity/agent";
import {
programHash,
publicInput,
zkp_result,
canister_id,
idl_factory,
} from "./zk";

(async () => {
const agent = new HttpAgent({ fetch, host: "https://ic0.app" });

const actor = Actor.createActor(idl_factory, {
agent,
canisterId: canister_id,
});

const res = await actor.zk_verify(programHash, publicInput, zkp_result);
console.log(res);
// return value (array):
// canister signature, publicInputHash, zkp output (stack remain state)
})();

On-Chain Contract Verification and the Usage of Verification Results

As the Canister signature is generated using the threshold ECDSA signature algorithm based on the spec256k1 elliptic curve, any contract supporting spec256k1 verification logic can verify the signature of the ZKP verifier service module. Therefore, signature verification is a crucial step in this scenario, and only successful verification indicates the authenticity and trustworthiness of the verifier’s results.

We have already integrated with ecosystems such as EVM and Solana. Below is an example using a Solidity smart contract within the EVM ecosystem. The core logic is presented, and the complete example contract code can be found here: https://sepolia.arbiscan.io/address/0xce68617D6575EDe95aF1eAaC7489b06F3b107D9f#code

function verifyECDSASignature(
bytes calldata signature,
string calldata programhash,
string calldata publicinput,
string[] calldata output
) external returns (Achievement acheiventment) {
string memory outputResult = concatenateStrings(output);
bytes32 _messageHash = sha256(
abi.encodePacked(programhash, publicinput, outputResult)
);
bytes32 finalHash = _messageHash;
require(recover(finalHash, signature), "Not validate by canister");
require(
keccak256(abi.encodePacked(programhash)) ==
keccak256(abi.encodePacked(_programHash)),
"ProgramHash invalid"
);
if (
keccak256(abi.encodePacked(output[0])) ==
keccak256(abi.encodePacked("1"))
) {
_userAchievement[msg.sender] = Achievement.EfficiencyFirst;
return Achievement.EfficiencyFirst;
} else if (
keccak256(abi.encodePacked(output[0])) ==
keccak256(abi.encodePacked("2"))
) {
_userAchievement[msg.sender] = Achievement.Done;
return Achievement.Done;
}
}

The core interface above accepts four parameters: the Canister signature of the verifier service module, the zkVM program hash, publicInput, and zkVM output.

The specific logic involves verifying the Canister signature provided in the input data and subsequently comparing it with the zkVM program. If both checks pass, the contract will proceed to assess game achievements and store the results in the contract.

Conclusion

  • The zCloak Chain abstraction based ZK coprocessor is a comprehensive ZK service based on the ICP network. The ZKP verification module operates within the ICP Canister, leveraging the threshold ECDSA signature technology of ICP to sign the execution results.
  • Three main modules in the chain-abstracted ZK coprocessor are the generic ZK program generation module, the ZKP generation and computation module, and the core ZKP verification module. Among them, the ZKP verification module is the most crucial one.
  • Three key features of the zCloak ZK Coprocessor Solution are ultra-low costs, high execution efficiency, and high execution speed — all thanks to the unique functionalities provided by ICP.

In conclusion, we believe the chain abstraction based ZK coprocessor marks a significant advancement in Web3 infrastructure. It enables developers to seamlessly integrate the ZK functions into their applications with minimal coding effort. Users can benefit from a user-friendly experience reminiscent of Web2 while accessing comprehensive Web3 ZK services.

Furthermore, our commitment to enhancing decentralized multi-chain ZKP (Zero-Knowledge Proof) Verification services is ongoing. Future developments include adding support for additional ZKP systems such as Risc0 and SP1. Looking ahead, we are exploring the potential integration of LLM-based AGI coprocessors on the Internet Computer within the Web3 ecosystem.

zCloak Network is dedicated to fostering a vibrant developer community and invites individuals and organizations interested in these areas to engage and collaborate with us.

--

--

zCloak Network

zCloak Network is a Real-World Identity (RWI) infrastructure for Web3. Website: zcloak.network; Product: zkid.app