Thread
I have a ton of respect for anyone working on ZK tech.
But I’m skeptical of ZK Alt-L1s for two reasons:
1) There’s a false belief that ZKPs are more efficient on ZK L1s than on Ethereum
2) They're effectively impossible to upgrade.
Why you should stick with Ethereum...
[1/n]
ZK L1s have raised hundreds of millions of $, in part based on the narrative that ZKPs will be more efficient and cheaper to verify than on Ethereum.
So use cases like private identity, games with incomplete information (poker), ZKML, private DeFi will migrate to ZK L1s.
[2/n]
But this just isn't correct.
Verifying a proof on Ethereum may be expensive in gas terms, but with recursion, we can amortize this cost across any number of proofs.
Since the introduction of Plonky2 by @0xPolygon we've had super fast recursive proofs on Ethereum
[3/n]
That means that apps using ZKPs on Ethereum, for games, identity, etc, can do so at low cost by sharing verification cost.
I believe that @StarkWareLtd is already doing this with the SHARP service.
Build your ZK app on Ethereum, not on an Alt-L1.
[4/n]
The second issue with ZK L1s is that upgrading the proving system is effectively impossible - so you're stuck with proving tech developed years ago.
To see why this is, let's look at how most programmable ZK L1s work.
[5/n]
First, the developer starts with a custom language or DSL, writes a program, and compiles that program to a circuit, with a proving and verification key (vk).
A commitment to the vk is stored on-chain.
[6/n]
With each tx, a user provides a proof showing that the program associated with the vk was executed properly.
But the vk is specific to the proving system - given a program, changing anything about the proving system (field, curve, etc) changes the verification key!
[7/n]
This makes most ZK alt-L1s brittle and not future-proof.
Upgrading the proving system, say from the state of the art in 2019 to Plonky2, would brick every application deployed on the chain.
This isn't great! ZK tech is developing rapidly but ZK L1s can't take advantage.
[8/n]
So we should be skeptical of claims like "ZKPs that are far cheaper on @AleoHQ than they could be on top of Ethereum."
[9/n]
www.notboring.co/p/aleo-can-you-keep-a-secret
ZK alt-L1s do provide anonymity, which isn't a native feature of Ethereum.
But @aztecnetwork does the same thing on L2, with the added benefit of Ethereum security and access to Ethereum liquidity. 🤩
Be careful with ZK narratives and hype. Do your own research.
[10/10]