ZK Magic (and Hello Kitty) with Brecht Devos — Taiko Tuesday Special #4
A series of conversations with the bright minds at Taiko.
Welcome to the fourth edition of Taiko Tuesday Special! This is a series of conversations I’ll be having with the bright minds at Taiko.
In the fourth installment, I had the honor of talking with Brecht Devos, co-founder and CTO of Taiko.
Brecht is best known for contributing to Loopring, the OG Ethereum ZK-rollup. He’s also the brainpower behind Taiko’s ZK efforts, which is what we’re mostly talking about in this conversation.
Let’s dive in!
P.S. Find the previous Taiko Tuesday Specials:
Ethereum Rollup Evolution with Matt Finestone — Taiko Tuesday Special #1.
Kids and Crypto with Daniel Wang — Taiko Tuesday Special #2.
Anatomy of a Crypto Community with odesium — Taiko Tuesday Special #3.
Brecht, as always, I want to start with a personal question. I’ve noticed that you aren’t very active on Twitter. We all know what kind of a place Twitter can become but it’s also where most of crypto communication happens. Do you follow certain discussions/topics or are you just not paying any attention at all? How do you approach social media in general?
Although it may not seem like it when looking at my Twitter profile, I spend quite a lot of time on Twitter. I check it a few times a day, it’s my main source for both technical and non-technical crypto news. I mostly only like some technical posts I find interesting and try to stay neutral on most things. In some rare cases, I do participate in a limited fashion in some discussions when I believe I have something to add. Twitter is the only social media website I use.
Let’s talk about zero-knowledge proofs (ZKPs) now. As we know, ZK-EVMs don’t really use ZKPs per se. Rather, and correct me here if I’m wrong, they only use the succinctness property of ZKPs. Can you explain why no general-purpose ZK-rollup uses complete ZKPs? And how difficult it would be code-wise to use full-fledged ZKPs?
ZK-SNARKS are only a tool to achieve privacy, in and of themselves they do not provide any privacy themselves. ZK-EVMs specifically do not use the privacy aspect ZKPs because Ethereum's account model is incompatible with privacy. This is also why some people prefer the term validity proofs.
ZK-EVMs aim to be like Ethereum and so are by design public blockchains where everyone needs to know exactly what happens on the chain. Everyone needs to be able to verify that each block created by the miner or validator is valid, otherwise, the block needs to be rejected. A ZK-EVM changes this a bit because now simply verifying a proof is sufficient would be sufficient to know that a block is valid. It's easy to create a ZK-EVM where everything happening within it is private, but a ZK-EVM like this would be useless because nobody except those that somehow have the state chain would be able to advance it and interact with it.
To solve that, ZK-EVMs explicitly post data on-chain to make sure everyone has access to the chain state. There are generally two ways this is done: By posting just the state changes on-chain (the deltas) or by posting the block transactions on-chain. Taiko posts the transactions on-chain for full transparency because it has some nice security benefits and allows for easy decentralization of proof generation (to generate a proof, a prover needs to execute all the transactions in the block to be able to prove that each step was executed correctly).
So, using ZKPs for privacy is not hard because of the ZKP part, but because of how the chain allows you to interact with it and how its data is stored. Aztec is building an awesome rollup with privacy and smart contracts built in (which, as I said before, cannot work like Ethereum).
Recursive ZKPs seem to be an important part of ZK-EVM systems. Can you briefly explain how recursive ZKPs work and why they’re so important? And also, Lisa asks: What type of ZKP recursion will Taiko implement? What other options did you consider?
With recursion, it's possible to prove a proof inside another proof. Instead of showing a proof of something directly, a proof is shown that a valid proof is known. This is extremely useful for multiple reasons.
One is that you can only do so much inside a single proof. One of those reasons that is simple to understand is that the more you do in a single proof the more powerful hardware you need to generate a proof.
Another one is that it allows splitting up the work between multiple independent proofs. This helps with parallelizing the proof work.
It is also useful to help reduce on-chain verification costs. The proof size and verification cost are circuit-dependent. Verifying a proof that does a lot of work will be more expensive than a smaller circuit. Recursion allows compressing verification costs down even further by verifying a proof of a big circuit inside a smaller circuit.
Currently, the recursion works by simply doing the normal proof verification logic inside another circuit. For PLONK this is quite expensive to do. For FRI-based SNARKs, this can be very efficient. There's been a couple of different schemes in the last years to achieve efficient recursion, lately folding (which isn't recursion but can sometimes be used for similar purposes) has been a hot topic. We are certainly keeping an eye on these recent advancements.
Vitalik recently said that ZK-SNARKs are going to be “as important as blockchains in the next 10 years.” Do you agree? If yes, where, outside of blockchain, do you think we’ll see ZK-SNARKs implemented?
I wouldn’t dare to disagree with Vitalik. It's hard to predict these things and I just like to focus on the technical side mostly. Verifiable computation and all kinds of things related to privacy seem like obvious use cases.
Lastly, are there any other public misunderstandings about ZKPs like the one that we talked about earlier that you’d like to correct? Or something you’d like the community to be aware of or keep an eye on?
The “out-of-the-box privacy with anything ZK” is certainly the biggest one! But fairly recently there was some discussion on Twitter where people thought that ZKPs are a bottleneck for blockchains because they can take a long time to generate. I'm not sure how common this misconception still is but that is of course not always the case.
Proof generation can be decoupled from the actual chain advancement so the chain can progress and new blocks can be created just the same as without ZKPs. After the blocks are in the chain, provers can generate a proof of these blocks in parallel. That means that there is some delay until a more efficient way to verify if a block is correct is available, but before the proof is available the block can still be verified like on a non-ZK chain.
Bonus questions:
Matt wants to know: Why do you believe dogs are superior to cats?
I also have a question for Matt: How dare you?
Lisa wants to know: Where can you find the best strawberry desserts in the world?
I don't travel much, so at this point, I haven't yet collected sufficient data on strawberry desserts around the world to draw any conclusions. I will continue to collect more data.
I want to know: Who’s a bigger fan of Hello Kitty: You or Lisa?
Me of course. All the Hello Kitties (and her friends) you see on Taiko diagrams were lobbied by me.
Brecht, thank you for your time! Keep making Ethereum better.
Thanks for reading the fourth installment of Taiko Tuesday Special!
If you liked this series, please share it on Twitter or Lens. If you don’t want to miss future editions, make sure you hit that Subscribe button and follow me on Twitter.
Got any feedback or would like to collaborate? Send me a message on Twitter!
Note: This newsletter is for educational purposes only and in no way constitutes financial, investment, or any other type of advice. Always do your own research before making financial decisions.