Equilibrium's Infra Bulletin #7: Incentives For Proving Networks, ZK Range Proofs, Vulnerability in Bulletproofs
Discover more from Equilibrium’s Infra Bulletin
Equilibrium's Infra Bulletin #7: Incentives For Proving Networks, ZK Range Proofs, Vulnerability in Bulletproofs
Equilibrium Labs builds the state-of-the-art of decentralised infrastructure. We are a global team of ~35 people who tackle challenges around security, privacy and scaling.
This newsletter allows us to share more about what we read, what excites us and what we think is relevant to the space. In addition, you will get a glimpse into the organisation and our culture.
Research, Articles and Industry News:
📚Ideas On Proving Networks and Overview of Existing Designs - Recommended by Joakim:
We previously covered ways to decentralise provers, but Spalladino and Jaosef from Aztec dive deeper into proving networks and looks at nuances between the different approaches. The work is related to finding a design of a prover network that can be used in any sequencer selection algorithm. Some takeaways are:
Liveness is key for a sequencer who must produce a block within a certain window and they won’t risk revenue by relying on just a single prover. Instead, a rational sequencer will either ask many provers to compute the block (redundant compute, extra costs for users) or run their own prover.
Tradeoff between liveness and redundant compute: choosing a single prover leads to least wasted effort, but can affect liveness if the prover fails to deliver. However, requiring multiple provers for each unit of work means all provers need to be rewarded (not necessarily equally), leading to higher fees overall.
There are many ways to choose the prover including allowing the sequencer to choose freely or having the protocol choose through some verifiable random function (VRF). Both have their tradeoffs.
In whichever way the provers are chosen, they need to be rewarded. This can be done either through in-protocol payments (provers get a fraction of the block fees if their proof is included) or out-of-protocol payments (a transaction between sequencer and prover that’s handled outside the main protocol).
The post also gives an overview of different protocols in the space, including:
Mina handles the prover network through an internal marketplace (“snarketplace”) where block producers can purchase proofs from workers. The market favours low fees over speed and barriers to entry are low.
Taiko aims for a high-performance prover network with 32 participants, so barriers to entry are high. Provers are ranked based on stake and fees requested, with a VRF choosing among them. Provers are slashed if they fail to submit a proof.
Nil offers a proof market where buyers can purchase ZKPs from a set of provers. Provers are required to stake to participate and penalised if they fail to fulfil their obligations. A reputation system for provers is in development.
Key Takeaway: Having multiple provers is beneficial for liveness, censorship resistance, competition and throughput (if multiple provers can collaborate and work in parallel to generate the proof). However, choosing the right mechanism and incentive model requires careful consideration and differs depending on what you are optimising for (speed > liveness, low barriers to entry > performance...).
📚Zero-Knowledge Range Proofs: Proving Where Your Secret Lies - recommended by Hannes:
Zero-knowledge range proof (ZKRP) is a more specific type of zero-knowledge proof that allows proving that a committed or encrypted value x lies in some range [a,b] without revealing any other information about x. This allows building more efficient protocols by using tailored techniques since the statement being proven is more specific than in an arbitrary ZKP (proving you know x).
Over the last decade, several different approaches have been developed to construct ZKRPs - including hash chains, four-square decomposition or even using generic ZKPs (often less efficient for the prover, however). The bulletproof family seems most popular in practice due to their concrete efficiency, transparent setup, aggregability, and compatibility with Pedersen Commitments
Range proofs can be used in many different applications. One example is confidential transactions, where range proofs are used to prove that each output is positive and that the sum of the output amounts does not exceed the input amount. Other applications include proofs of liabilities/reserves/solvency, private voting (proving the encrypted votes contain positive values) and anonymous credentials (proving you are at least 18 years old).
Key Takeaway: Zero-knowledge range proofs can enable building more efficient protocols since the statement that’s being proven is more specific than in arbitrary ZKPs. There are many different schemes available for constructing range proofs. Choosing the right one depends on the size of the range being proven and the size of the secret value x, but bulletproofs are the most popular.
📚 A Mistake In The Bulletproofs Paper Could Have Led To The Theft Of Millions Of Dollars - Recommended by Niklas:
Trail of Bits, a security research and auditing company, recently discovered a critical vulnerability in Incognito Chain that would allow an attacker to mint arbitrary tokens and drain user funds. This is particularly concerning, since Incognito offers confidential transactions through ZKPs, so an attacker could have stolen millions of dollars of shielded funds without ever being detected or identified
The vulnerability stemmed from an insecure implementation of the Fiat-Shamir transformation of Incognito’s bulletproofs. There have been similar instances before, such as the Frozen Heart vulnerabilities that resulted from a mistake in the original bulletproofs paper.
Bulletproofs are an implementation of range proofs (covered above), which serve as a crucial foundation for confidential transactions. They limit the underlying value of the privacy coins, thus safeguarding the system from attackers minting money illicitly.
Key Takeaways: The vulnerability in Incognito Chain stemmed from an insecure implementation of the Fiat-Shamir transformation of Incognito’s bulletproofs. The team was alerted and the vulnerability was quickly patched. More information and a post-mortem can be found on Incognito’s forum.
Personal recommendations from our team:
📚Reading: Friendship Is Optimal: A tale of superintelligence within a My Little Pony universe. Sounds a bit weird at first glance, but honestly really good!
🎧Listening: I’m A Barbie Girl In The Style Of 6 Classical Composers: What could possibly be better than imagining how Chopin or Beethoven would have composed this classic? Worth watching to the end for a small surprise👀
💡Other: Truncate Town: A fun game that kind of combines the strategic aspect of chess with the creativity and wordplay of scribble. Why not give it a try?
