zkVM part I: why R0VM?
RISC Zero's zkVM, known as R0VM, is really clever, like really really clever.
To find out why, let's start with a question:
"How do we prove a program ran correctly without having to run that whole program ourselves?"
I had to set the scene with this question, otherwise I would've lost you. I'm going to assume you know why this question is useful to ask, and where it leads. This series will tackle the high-level "how" of getting from program to proof.
To begin, let's restate the question with some extra detail:
"Starting with a program X, how can I create a zero-knowledge proof of X's correct execution?"
Traditional ZK circuit languages allow you to generate a ZK proof of your program X, by converting your program into a series of mathematical constraints. This is a bespoke process, you write a specific circuit for each specific program (or more likely, a specific circuit for each part of your program and compose them together at the end). This is a time-consuming process and requires extensive domain-specific knowledge.
In the spirit of general purpose computing, let's ask a new slightly modified question:
"Starting with any arbitrary program X, how can I create a zero-knowledge proof of X's correct execution?"
The shift is subtle, but a major unlock for ZK computation. Imagine writing any computer program, in a familiar high-level language, bypassing the time-consuming circuit design, passing that program through "something", and receiving a proof of correct execution - no special ZK expertise needed. That would be magical.
Part II will cover the magical and fuzzy beginnings of that very "something".
Notes & Assumptions
I
maywill make some mistakes; I'll correct them over time.This series assumes familiarity with:
- The RISC-V ISA
- Basic CPU operation (excellent article here)
- Compilation basics (I wish I knew too)
Expect a "hand-wavy" approach to:
- Arithmetic circuits
- Zero-knowledge proof systems