What is a zkVM and why should you care about them?

What is a zkVM and why should you care about them?

You've probably heard the term zkVM buzzing around lately, especially in the context of ZK-rollups and scaling Ethereum. This guide is meant to demystify them so you can understand what they are, how they work (at a high level), why you should care about them, and what their future might look like.

What is a zkVM?

A zkVM, or Zero-Knowledge Virtual Machine, is essentially a virtual machine capable of executing programs while providing cryptographic proofs that computations were executed correctly—without revealing sensitive details about the computation itself. zkVMs make it easy to leverage zero-knowledge proofs (ZKPs), cryptographic tools allowing one party (the prover) to mathematically prove to another (the verifier) that a particular statement or computation is true without revealing any additional information. 

This is a powerful concept as it allows arbitrary computation to simply be verified instead of requiring another party to re-execute the computation. In the past, using ZK required you to write a custom circuit (a method for representing a program as a ZK proof) for each program you wanted to prove. This complex and labor-intensive process typically uses domain-specific languages like Circom or Noir, greatly limiting the number of developers who could implement ZKPs in their products.

With general-purpose zkVMs, the entire VM is represented as a circuit, allowing any arbitrary program that runs in the VM to be proven. This acts as a specialized runtime environment and improves the accessibility of using ZK, as developers can simply prove programs written in Rust or another high-level programming language that they already know.

To understand why zkVMs are useful, we can simply look at why ZK proofs are useful. Today, ZK proofs are most useful because of succinctness property—since a proof is much smaller than the computation it proves, we can simply verify the proof to confirm its correctness. Without ZK, showing correctness requires re-execution of this computation, which is much more computationally intensive. Because they are succinct, ZK proofs effectively allow computation to be “compressed”.

This has found clear product-market fit in the use of ZK-rollups for scaling Ethereum. Using ZKPs, a rollup is able to prove that computation (transactions) happening in a block is correct and represents a valid state transition. This state proof can then be verified on Ethereum, achieving finality in a much shorter time period than optimistic rollups which have a 7 day fraud proof challenge period. This offers a much better UX to users as they are able to withdraw funds from the rollup without waiting 7 days.

The first ZK-rollups used custom-built zkEVMs which represented the EVM as custom circuits. Blocks of transactions executed on the rollup could thus be proven and verified on Ethereum. More recently, general-purpose zkVMs have been developed, making the deployment of ZK-rollups much easier. Now, a Rust-based Ethereum execution client like reth or ethrex can be run inside a zkVM, making it easy for anyone to prove the validity of an Ethereum block.

How zkVMs Work

zkVMs typically include the following components:

  • Compiler
  • VM
  • Prover
  • Verifier

These components work together to execute code written in an ordinary programming language like Rust and to generate a proof of the execution.

This process generally follows these steps:

  1. The program (e.g. written in rust) is compiled into machine code (aka bytecode) by the compiler. The format of the bytecode is defined by the instruction set architecture (ISA) used by the VM, such as RISC-V.
  2. The VM executes the bytecode to generate an execution trace, which is a series of steps representing the program being run. This will be used by the prover, which will convert the execution trace into polynomials to generate ZK proofs.
  3. The prover leverages the arithmetization process—the reduction of computational problems to algebraic problems—to prove their computational integrity statement. This process involves multiple steps that vary considerably depending on the type of proof being used, where the prover uses Polynomial Commitment Schemes (PCSs) to commit to certain polynomials and other protocols to convince the verifier that certain calculations are correct. To convert this process into a non-interactive protocol, the Fiat-Shamir Heuristic is typically used.
  4. Finally, the proof can be verified by the verifier. This verifier can be, for example, written in solidity and deployed on Ethereum. Alternatively, proofs can be verified through Aligned using a verifier written in a language like Rust, with the results posted to Ethereum. This saves at least 90% of the gas costs compared to verification in the EVM. Note: the verifier is a distinct component from the other parts of the zkVM and can be deployed separately, but is nevertheless critical as proofs must be verified to show they are valid.

To continue learning more about how zkVMs work and for an overview of the current zkVMs in production or development we recommend this resource.

Why Should I Care About zkVMs?

As zkVMs get faster and cheaper to use, we expect that they will be adopted by more and more developers. If you care about building novel applications and products, you should care about zkVMs.

We already explained that zkVMs are making it much easier and cheaper to deploy and operate ZK-rollups on Ethereum. In general, they allow us to shift expensive computation off-chain while remaining verifiable, letting more applications live on Ethereum without executing them directly in the EVM. Because any arbitrary computation can be proven, and mainstream languages like Rust can be used, this greatly expands the possible applications and the number of developers who can use ZK.

The zkVM field benefits from the many advancements we are seeing in ZK, with proving times and costs dramatically dropping each year. Now, with general purpose VMs offering an improved developer experience, many more applications can use ZK. While proving costs drop, Aligned helps minimize the cost of verifying these proofs on Ethereum, allowing these new applications to go to market sooner.

Running a zkVM can still be a cumbersome process, and the alternative to self-hosting has been to outsource proving to a service provider (you can think of this like any computation you would outsource to a cloud compute provider). This comes with centralization risks, but we are now seeing the emergence of prover networks which outsource proof generation to a distributed set of nodes. This further improves decentralization, and has the potential to decrease the costs of proving.

zkVMs are also playing a key role in the long-term Ethereum roadmap. They help enable things like light clients, multi-client and multi-proof systems for Ethereum, and of course scalability through ZK-rollups. Initiatives like ethproofs are tracking the progress by different zkVM teams towards real-time block proving.

The future of zkVMs

As zkVMs mature, we think they will become a cornerstone of the next generation of blockchain applications and beyond.

There is already a diversity of zkVMs in production or in development, each offering different features and architectures that may suit different use cases. To better understand which is best suited for our and others needs, we have been doing open-source benchmarking of zkVMs, and are closely following each project.

While prover networks will serve the needs of some users, we are also seeing advancements in client-side proving, where users generate their own proofs locally. This adds privacy, as users do not need to reveal any information to a third party. Client side proving may become more common as the efficiency of these zkVMs improves, and we are keenly following projects like Miden, which is developing a VM to enable private transactions on their rollup.

Security is also an important aspect of zkVM development, especially if used in any application where assets are at stake (e.g. a ZK-rollup or DeFi app that uses ZK). Justin Thaler recently published an article outlining his views on the stages of development for zkVMs, with a major emphasis on the necessary security stages. Teams like Risc Zero have shared their plans for their zkVM to be formally-verified, which is a great step towards offering a secure and reliable platform. We also published an article in collaboration with LambdaClass on the topic, highlighting the importance of security and the risks of complex zkVM codebases.

As zkVMs continue to improve we expect to see greater adoption and the emergence of new use cases. We hope that this article has helped you understand why they’re so useful, and invite you to continue learning and experimenting with them to build new and interesting products. Reach out if you have any ideas or want to chat!

Further reading

If you are interested in contributing to our open-source zkVM benchmarking, please see the open issues in our repo and reach out to us via the Aligned Telegram group.

Stay tuned:  🐦 Twitter | 🗨️ Telegram | 👾 Discord | 🌐 Website | 📝 Manifesto

Read more