Co-Founder and Head of Research at @MakeInfiniteCo. Lead a global team building the first sub-second zero knowledge proofs at scale

We have been aggressively optimizing our GPU execution to reduce the cost of our polynomial commitments. This is the dominating cost (asymptotically and concretely) of most proof systems. However, as of these most recent benchmarks, the costs of our commitment scheme are now about 40% of our overall proof time (and dropping). What's next? The other 60% 😎
The first sub-second ZK coprocessor just got even faster 🤯 We’re excited to share the latest Proof of SQL benchmarks, which show a ~40% increase in performance since the repo was made available on GitHub in June. You can now prove analytic queries against…
🟣 100k rows of data in 0.4 seconds
🟣 200k rows of data sub-second
🟣 1M rows of data in 1.2 seconds
🟣 100M rows of data in ~1 minute
Full benchmarks available in the repo: spaceandtime.io/proofofsql
Proof of SQL is the first sub-second ZK coprocessor (optimized specifically for SQL) that enables your smart contract to process data at the scale required to power your application in the time it needs to transact. We delivered this new primitive to expand the design space for devs to build data-driven experiences onchain, fully ZK-verified. 🧵
When you're looking at the Proof of SQL benchmarks, note that this graph is deceptive. It's a log-log graph, so it makes it look like performance decreases as the dataset scales. The opposite is true. In fact, performance on this graph is sublinear. We haven't even hit the asymptotic linear scaling until we reach close to 10 million rows of data.
1/ Introducing Proof of SQL, our first generation, high performance ZK prover, which cryptographically guarantees SQL queries were computed accurately against untampered data, verified onchain or offchain. After years of development by the Space and Time (SxT) research team, Proof of SQL now targets online latencies while proving standard SQL computations over the entire history of blockchains, 1-2 orders of magnitude faster than state-of-the-art zkVMs and coprocessors. Now available on GitHub: spaceandtime.io/proofofsql
Super excited to launch Proof of SQL today! Proof of SQL is a ZK protocol that enables scalable data processing beyond anything we’ve seen in Web3. The trick that gives the speed unlock here is that we built the protocol around the data: the commitments are data-driven, the arithmetization is data-driven, and the acceleration is data-driven.
For example, let’s think about the commitments. Merkle tree based data structures are not native to ZK: they require a minimum of n hashes to access n items of data. This is a large overhead simply for data access. Instead, we use the proof-native commitment scheme as the data structure holding the data itself. This begs the question: what commitment schemes are conducive to holding data? There are 3 major criteria that we think are critical:
1) It has to scale. In other words, it should be able to support huge amounts of data. A trusted setup of size 2^30 can only support roughly a billion data elements. That's not a lot of data.
2) It has to be succinctly updateable/appendable. In other words, we want a commitment scheme that can be incrementally modified without needing access to the entire dataset, but only needing a small cache to modify it.
3) It needs succinct evaluation proofs and fast proof and verification times.
Merkle trees satisfy 1 and 2, but not 3. KZG-style commitments satisfy 2 and 3, but not 1. FRI-style commitments satisfy 1 and 3, but not 2. The Dory commitment scheme satisfies all three. That's what we use today, but stay tuned, because we can do even better. 👀🚀
The first sub-second ZK prover is finally here. cointelegraph.com/news/open-…
Brain teaser for y'all. How do you prove that a set of values are unique? 👇
Security, Scalability, Speed. Pick 3.
How did SxT build the first sub-second ZK prover? Ask @theZKjay.
Why aren’t more DeFi protocols using ZK coprocessors? Here's some guesses:
1. Latency issues. Who wants to wait 20 Eth blocks (or more) for a single result? The reason oracles are so popular in DeFi and coprocessors aren't yet is because most oracles focus on delivering results back onchain quickly during a transaction (next block).
2. Lack of data. Coprocessors don't really give access to a lot of data. Some give access to historical chain data, but they can't produce proofs that process or aggregate tens of thousands (much less millions/billions) of data points of chain history. This doesn't seem to be the focus of most zkVM teams, but it certainly is our focus.
3. Developer experience can be goofy. Some are decent, but others have a cumbersome learning curve because DeFi calculations must be rewritten to follow the coprocessor's SDK.
I may be a bit biased because those are the big 3 things that we solve with Proof of SQL @spaceandtime. My vision is a coprocessor pipeline that simply combines a zkVM paired with a specialized zkDB rather than trying to query over entire chain histories in a powerful zkVM like RISC Zero, SP1, Jolt, Nexus, etc.
Why aren’t more DeFi protocols using ZK co processors? It seems like you could implement more complex pricing functions and better risk management with lower gas costs.
A ZK-proven database is the key to scaling Web3. Databases are already the bedrock of Web2. Without them, your favorite website wouldn't exist. You wouldn't see this tweet. Now imagine if Web3 not only had secure, fast, and cheap smart contracts—thanks to pioneers like @zksync—but if those smart contracts could also access databases in a lightning fast and verifiable way. This is no longer a pipe dream. Super pumped to partner with zkSync to make this the reality in Web3.
Building the future of verifiable compute with @zksync 🤝✅ We’re thrilled to collaborate with zkSync and look forward to building with its ecosystem. ⚒️ Read the announcement via @blockworks here: blockworks.co/news/space-and…
As part of the collaboration, Space and Time aims to…
🟣 Natively integrate SQL capabilities into the zkEVM stack, making zkSync the first SQL-compatible smart contract platform.
🟣 Make verifiably indexed zkSync data available to the community.
🟣 Deliver sub-second ZK proofs to zkSync smart contracts.
🟣 Provide terabytes of TradFi market data to zkSync smart contracts.
🟣 Build a hyperchain on ZK Stack to serve as our network's settlement layer and TVL hub chain.
zkSync is best-in-class in fulfilling the vision of trustless L2s, offering extremely fast and low-cost ZK-proven transactions. We’re excited to integrate our ZK technology with zkSync, build out our network functionality on our own hyperchain, and welcome zkSync developers to the Space and Time ecosystem. 🫡
Learn Yul? ✅ Port ZK verifiers? ✅ Cheap SQL on Ethereum? 👀
Here's a solution: Let f be a univariate polynomial whose roots are the claimed unique values. A prover can commit to this polynomial using your favorite PCS. Any scheme will work if you're smart enough. Then, the prover can commit to additional polynomials p and q. Now, all we need is evaluation proofs of f(r), p(r), and q(r). Additionally, the formal derivative f' has an evaluation that can be easily evaluated several different ways (X margins too small). The verifier simply needs to check that f(r)p(r)+f'(r)q(r)=1. Proof: Schwartz-Zippel gives soundness, Bezout and the weak Nullstellensatz give completeness.
As the community contributes to Blitzar, one thing I’m excited to see is support for more curves. Today, Blitzar supports…
- BN254
- BLS12-381
- Curve25519
If you need a curve that’s not supported today, add it! Add support for Grumpkin, add support for Pasta curves. We open-sourced Blitzar so that you can improve and customize it for your use case. spaceandtime.io/blitzar What curves do you want to see supported in Blitzar?
In order to understand Blitzar you need to understand multi-scalar multiplication. MSM involves a series of calculations where each one takes a group element and multiplies it by a corresponding data element: group element 1 times data element 1, plus group element 2 times data element 2, etc. This process is repeated for a series of group and data element pairs. What makes MSM particularly powerful is its ability to perform these computations in parallel (processing multiple data points simultaneously). Blitzar executes these parallel computations really efficiently. One of the things we're working on right now is expanding the types of MSM that Blitzar can compute. The inner product argument is built around computing commitments to a really large column of data. Dory is focused on computing commitments to matrices of data: a bunch of smaller columns of data. Blitzar is already extremely performant for the first scenario, and we’re working to make it performant for the second as well. Check it out at spaceandtime.io/blitzar
Let’s talk commitment schemes. When we were building Blitzar, we started with support for a generic inner product argument using Pedersen commitments. This is similar to what Bulletproofs and a variety of other protocols do. It doesn't require a trusted setup, can grow arbitrarily large, and it's relatively simple to build… but it has a linear time verifier, which doesn't work for succinct/cheap verification. The second commitment scheme we've added is the Dory commitment scheme, which also has a transparent setup and can grow arbitrarily. Dory has some nice flexibility because it's actually a commitment to a matrix rather than to just a column of data. It also has much cheaper verification, but it's still not quite cheap enough for verification onchain. Now, we're working on an in-house, custom-built, composition-based commitment scheme to support a core function required for Proof of SQL: the ability to update a commitment. This new scheme will deliver succinct verification that can be done onchain and satisfies that property of updatability, which is critical to what we’re building and a powerful primitive for other protocols. Excited to share more soon.
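The two posts above describe MSM (sum of group elements times data elements, parallelized on the GPU) and the Pedersen-commitment inner product argument Blitzar started with. The block below is an added example, not Blitzar's or Space and Time's code: it computes an MSM naively and with the bucket (Pippenger) method, whose per-window bucket accumulations are the independent work a GPU spreads across threads, and uses that MSM as a Pedersen vector commitment to one column of data. It runs pure-Python affine arithmetic on secp256k1 (chosen only because its parameters are well known), derives generators by try-and-increment hashing so that their mutual discrete logs are unknown, and uses a constructed sample column; the curve, the window size `c`, and the generator labels are this example's assumptions.

```python
"""MSM, the bucket method and a Pedersen column commitment (added example).

Not Blitzar code. Affine arithmetic on secp256k1 (y^2 = x^3 + 7); a point is
an (x, y) tuple and None is the identity. Demo only: not constant time.
"""
import hashlib

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % p == 0


def ec_add(a, b):
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None                                  # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, p - 2, p) % p    # doubling (a = 0 curve)
    else:
        lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, add = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, add)
        add = ec_add(add, add)
        k >>= 1
    return acc


def hash_to_curve(label):
    """Try-and-increment: x from SHA-256, y = sqrt(x^3 + 7) (valid as p = 3 mod 4).
    Points built this way have unknown discrete logs relative to each other,
    which is what makes the Pedersen commitment below binding."""
    for ctr in range(10_000):
        x = int.from_bytes(hashlib.sha256(f"{label}:{ctr}".encode()).digest(), "big") % p
        rhs = (x * x * x + 7) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return x, y
    raise RuntimeError("no curve point found for label")


def msm_naive(scalars, points):
    """sum_i scalars[i] * points[i] with one full scalar multiplication per term."""
    acc = None
    for s, pt in zip(scalars, points):
        acc = ec_add(acc, ec_mul(s, pt))
    return acc


def msm_bucket(scalars, points, c=4):
    """Pippenger / bucket method. Per c-bit window, every point is added into the
    bucket of its digit (buckets are independent, hence parallelizable); the
    buckets are then folded with suffix sums and the windows combined."""
    nbits = max(s.bit_length() for s in scalars)
    result = None
    for w in reversed(range((nbits + c - 1) // c)):
        buckets = [None] * (1 << c)
        for s, pt in zip(scalars, points):
            digit = (s >> (w * c)) & ((1 << c) - 1)
            if digit:
                buckets[digit] = ec_add(buckets[digit], pt)
        running = win_sum = None
        for j in range(len(buckets) - 1, 0, -1):        # sum_j j * buckets[j]
            running = ec_add(running, buckets[j])
            win_sum = ec_add(win_sum, running)
        for _ in range(c):                              # result <<= c bits
            result = ec_add(result, result)
        result = ec_add(result, win_sum)
    return result


def commit_column(column, gens):
    """Pedersen vector commitment = MSM of the data against fixed generators.
    No blinding term, so it is binding but not hiding; it is also additively
    homomorphic, which is what the inner product argument exploits."""
    return msm_bucket(column, gens)


GENS = [hash_to_curve(f"gen{i}") for i in range(8)]          # constructed generators
SAMPLE_COLUMN = [5, 17, 0, 2**32 - 1, 42, 99999, 7, 123456789]  # constructed data
```

Both MSM routines return the same point, and the commitment to the element-wise sum of two columns equals the sum of their commitments. The bucket method does roughly one group addition per (point, window) pair plus a fixed per-window cost, instead of a full double-and-add per point, and every bucket accumulation inside a window can run on its own thread.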
Pros: Asymptotically optimal verifier and can prove uniqueness of arbitrary field elements. Cons: The best way I know how to compute p and q is quasilinear time. Challenge: Do me one better. Make the prover linearithmic, the complexity of the element distinctness problem. End🧵
The standard approach is to sort the values, take the difference between consecutive values and then show that they are all positive. A few problems with this approach. 1) It requires a range proof. While there are good range proofs, afaik, they mostly boil down to decomposition+lookup at some level. This can be a bit costly. 2) It requires bounding the values in order to avoid field wrapping issues. This is problematic if your values are, say, wallet addresses, which is probably the most important use case. 3) It's ugly: there's no obvious reason why uniqueness should require an ordering. In fact, field elements have no ordering and everyone insists on faking one. I'd rather not.
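A worked instance of the polynomial-identity solution from this thread (f with the claimed values as roots, p and q such that f(r)p(r) + f'(r)q(r) = 1 at a random r), as an added example that is not Space and Time's code. It shows why the check proves uniqueness without any ordering or range proof: the values are distinct exactly when f is squarefree, i.e. gcd(f, f') = 1, and then the extended Euclidean algorithm produces the Bezout coefficients p and q; with a repeated value the gcd has positive degree and no such p, q exist. The prime field F_P with P = 2^61 - 1, the coefficient-list polynomial representation, and the plain extended Euclid (quadratic, not the quasilinear method the thread mentions) are this example's own choices, and direct evaluation stands in for the PCS commitments and evaluation proofs.

```python
"""Set uniqueness via f*p + f'*q = 1 (added example, not Space and Time code).

Polynomials are coefficient lists over F_P, lowest degree first.
P = 2^61 - 1 is an assumption of this example.
"""
import secrets

P = 2**61 - 1


def _trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return _trim(out)


def poly_sub(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return _trim([(x - y) % P for x, y in zip(a, b)])


def poly_divmod(a, b):
    """Long division over F_P: returns (quotient, remainder)."""
    a, b = a[:], _trim(b[:])
    if len(a) < len(b):
        return [0], _trim(a)
    inv_lead = pow(b[-1], P - 2, P)
    quot = [0] * (len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        c = a[i + len(b) - 1] * inv_lead % P
        quot[i] = c
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - c * y) % P
    return _trim(quot), _trim(a)


def poly_derivative(a):
    """Formal derivative: coefficient i of a becomes coefficient i-1 times i."""
    return _trim([i * c % P for i, c in enumerate(a)][1:] or [0])


def poly_eval(a, x):
    acc = 0
    for c in reversed(a):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def poly_xgcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g and g monic."""
    r0, r1, s0, s1, t0, t1 = _trim(a[:]), _trim(b[:]), [1], [0], [0], [1]
    while r1 != [0]:
        quot, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, poly_sub(s0, poly_mul(quot, s1))
        t0, t1 = t1, poly_sub(t0, poly_mul(quot, t1))
    inv = pow(r0[-1], P - 2, P)
    return [[x * inv % P for x in v] for v in (r0, s0, t0)]


def vanishing_poly(values):
    f = [1]
    for v in values:
        f = poly_mul(f, [(-v) % P, 1])  # multiply by (X - v)
    return f


def prove_unique(values):
    """Prover: (f, p, q) with f*p + f'*q = 1, or None when some value repeats.
    A real prover commits to f, p, q with a PCS; here they are returned in the clear."""
    f = vanishing_poly(values)
    g, p, q = poly_xgcd(f, poly_derivative(f))
    if len(g) != 1:  # gcd of positive degree: f has a repeated root
        return None
    return f, p, q


def verify_unique(f, p, q, r):
    """Verifier: a single field identity at the random point r. In the protocol
    f(r), p(r), q(r) come from evaluation proofs; f'(r) is recomputed from f here."""
    fr, pr, qr = (poly_eval(h, r) for h in (f, p, q))
    return (fr * pr + poly_eval(poly_derivative(f), r) * qr) % P == 1


def check_unique(values):
    """End to end: True iff the prover can produce (f, p, q) that pass the check."""
    proof = prove_unique(values)
    return proof is not None and verify_unique(*proof, secrets.randbelow(P))


if __name__ == "__main__":
    print(check_unique([3, 5, 9, 2**40]), check_unique([3, 5, 3]))  # True False
```

Completeness is exact (the Bezout identity holds as polynomials, so it holds at every r). Soundness is the Schwartz-Zippel bound: if the committed polynomials do not satisfy the identity, f*p + f'*q - 1 is a nonzero polynomial of degree at most 2n - 1 and vanishes at a uniformly random r with probability at most (2n - 1)/P, which is why r must be chosen only after the prover has committed to f, p and q.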
Currently looking into leveraging CUDA's warp-level primitives to make Blitzar even faster. Gotta keep stacking those 2x performance gains! 🔥
Let’s take a step back. It’s kind of insane that you have to index data out of the chain into a database and then zk-prove the query result back to a smart contract on the same chain… all simply just to give your contract access to vital data/context about activity on its own chain… all simply because smart contracts have no access to data, no query engine. (And I’ll admit, my team has been building this *insane* solution for years, because it’s very powerful.) Alternatively you can use block headers instead of an indexer as your source, but then your proving times are like 17 years. I wonder who’s gonna build the first sql-native EVM? i.e. the first self-indexing chain, which would give smart contracts expressive data filtering and aggregations via pre-compiles. I wonder if it’s going to be @theZKjay and I wonder if he’s gonna do it with a @zksync hyperchain? Really makes ya wonder.