Skip to main content

2 posts tagged with "zksummit"

View All Tags

· 6 min read

We recently participated in ZKHack Lisbon, ZK Hack's first in-person hackathon. Thanks to everyone who contributed projects!

Below is a list of all RISC Zero prize winners from ZK Hack Lisbon. We've provided longer descriptions for these projects as an added thank you to the four teams that won $2000.

To support future hackathon participants, we've included why our judging team loved the top projects. Our judging criteria will vary from hackathon to hackathon, but we're excited to see development in emerging ZK application spaces, inventive uses of ZK tech, and projects that demonstrate the simplicity and power of ZK. And because doing is teaching, we love submissions that either contain self-explanatory educational content or insightful supplementary docs.

RISC Zero Prize Categories

We encouraged participants at ZKHack Lisbon to submit two types of project entries:

Problem description
Challenge #1Build an application that uses the RISC Zero zkVM.
Challenge #2Write code that utilizes data serialization or deserialization crates in the guest.

RISC Zero Hackathon Prize Winners

Winning Team Projects: $2000 Level

Mindf*ck: Code Obfuscation For Fun And Profit

To obfuscate code execution, the Zeroskill team has added a Rust-based Brainf*ck interpreter to the guest program. With this addition, the execution of an interpreted program is captured by the guest zkVM.

As an example, the following "Hello, World!" program string might be passed into the guest as program input:


The guest's public outputs consist of the executed "Hello, World!" program's final memory state, the values which the Brainf*ck program dictates should be written to stdout, and a hash of the program source (the string shown above).

Even setting aside code obfuscation, this is a fantastic example of how easily nontrivial Rust code may be written for the zkVM. From an educational perspective, we loved that this team created an example of interpretable code as input (and memory layout as output!).

Zero-Knowledge Decision Tree Prediction

This team tackled a popular use case for ZK in machine learning: how can an ML provider make trustworthy predictions without disclosing their model? This problem arises in applications when the ML model is sensitive enough that releasing it might become a privacy issue.

Categorical classification with decision trees starts with a tree built from labeled data. Starting at the tree root, feature values are used to guide decisions about which path to follow down to a leaf node representing a single category as the outcome.

As a demonstration, this team's guest zkVM program used a hard-coded decision tree based on the IRIS dataset, which categorizes flowers based on their measurements. Measurements for a single flower are passed into the guest, and the classification result is added to the journal as public output.

Building an ML solution is an ambitious hackathon project. We thought that the team made great decisions about algorithms and implementation details to effectively demonstrate ZK's potential for ML in a weekend. The accompanying demonstration elevated this project from an interesting ML submission into a nice educational piece.

Zero-Knowledge Wordle

This project implemented a fair version of Wordle, in which a client makes word guesses against a server that generates feedback in the form of receipts. The journal of each receipt contains feedback about the client's word guess (i.e., "right letter, wrong position") as well as a hash of the correct answer.

The server is considered 'fair' because the client can detect whether the server moves the target during play. To accomplish this, the client confirms that the hashed correct answer has not changed from receipt to receipt.

Although the idea of playing fair Wordle isn't new, the architecture for this project was easily as interesting as the game design. The RISC Zero server uses a RISC Zero prover behind an API server. The gameplay results are stored in a contract on chain. As a working example that demonstrates running a RISC Zero verifier in WASM, we particularly appreciated the browser-based client.

Proof of Physical Item Using NFC Devices With On-Device AES Keys

This project used ZK proofs to implement message signature verification. This team used NTAG 424 chips that include an on-device AES key and support for AES-128 encryption operations.

When the NFC device is tapped, NTAG creates a SUN (Secure Unique NFC) message using an AES key, a read count, and a UID. In this project, the signed NFC message is checked by regenerating the SUN message in a guest program and confirming the messages match.

The AES key and UID remain constant for each device and are hardcoded into the guest program. (Note that this means each receipt must be verified with an image ID unique to the device on which it was generated.) The read count and expected SUN message are passed as guest inputs. Within the guest, the read count, hardcoded key, and hardcoded UID are used to generate a fresh SUN message for comparison.

We loved that this project interacts with a hardware solution and presents an interesting proof of concept for proximity-based physical interactions. We especially appreciated the use of AES in the guest.

Winning Team Projects: $1000 Level

RISC Zero HMAC Implementation

Dread Pirate Roberts Marketplace: A zkReputation-Based Marketplace For High-Value Transactions

Winning Team Projects: $500 Level

Ting Tong: A Turn-Based Guessing Game

Whitebox: Composable, Transparent, Configurable, and Verifiable Algorithms

Crosschain Escrow on L3 \<> L1 Validity Rollups

Keep on hacking <3

If you missed this zero-knowledge hackathon, you can connect with participants and find out about new events at the ZKHack Discord. If you're curious about the other ZKHack Lisbon winners, take a peek at this Twitter megathread. And while you're at it, stop by the RISC Zero Discord and say hello!

· 3 min read
Paul Gafni

First off: huge thanks to all the organizers and participants at ZK Hack & ZK Summit! Both events were fantastic; I'm already looking forward to next time.

Now that the jetlag is behind me, I wanted to share some zero-knowledge research threads that I'm excited to keep thinking about and talking about.

Folding Schemes: Nova, Supernova, and Sangria

Video Reference
Blog Reference

This is perhaps the most important emerging idea in zk research right now. These schemes achieve Incrementally Verifiable Computation (IVC) by combining instances that haven't been proven. This contrasts with the more familiar approach of proving each instance and then rolling up the results.

Nova introduced a technique for combining R1CS instances. Supernova generalized Nova to support arbitrary instruction sets. Sangria uses the same technique in order to combine (relaxed) PLONK instances.

A natural research question arises: can we apply this approach to AIR-FRI STARKs? The answer isn't obvious, as this technique depends on a homomorphic encryption scheme such as KZG.

The Red Wedding

Video Reference

This idea, proposed by the team behind TritonVM, aims to reduce the verification time (and thus, the recursion time) in a STARK system by shifting work from the Verifier to the Prover. Specifically, the Prover can generate a SNARK proof in order to alleviate the need for the Verifier to evaluate the AIR constraints at the DEEP query point.

Some research questions:

  • How does the computational cost of the inner SNARK verification compare to the cost of the AIR evaluation that it aims to replace?
  • What commitment scheme should be used for this inner SNARK?
  • What's the right scope for the SNARK verification? Should it include arithmetic or hashing operations in addition to the AIR constraint evaluation?

LogUp: Batched Lookup Arguments

Video Reference
ePrint Reference

In contexts where the Prover is repeatedly doing the same lookup, LogUp reduces the number of columns necessary in lookup tables by ~50%, relative to PLOOKUP. About 30% of the witness-generation in RISC Zero is spent generating columns for a PLOOKUP-based lookup argument; we're looking into switching to LogUp for future versions.

The premise here is that by making use of logarithmic derivatives, we can transform a grand product accumulation into a (cheaper) grand sum accumulation. The LogUp paper (linked above) frames this technique in terms of a multivariate IOP; the Tip5 paper describes a version of this technique that's better suited to the univariate context.

The Mersenne Prime 23112^{31}-1

Video Reference

In Denver last month, Daniel Lubarov discussed the idea of using the finite field of order 23112^{31} - 1 for building Plonky3. This field is particularly nice for handling finite field arithmetic, since 231=12^{31} = 1. The major obstacle is that the multiplicative group of this field isn't good for NTTs, since 23122^{31} - 2 doesn't have many 2s in its prime factorization.

There are a number of options for how to make this work:

  • changing from a FRI-based commitment scheme to one based on Orion or Brakedown
  • using a mixed-radix version of FRI that doesn't depend on high 2-adicity
  • doing NTTs in a quadratic extension field (note that the multiplicative group of the quadratic extension has order 2622322^{62} - 2^{32} and therefore has 2-adicity of 2322^{32})

Looking forward to seeing what the Polygon Zero team is brewing up on this front.

Don't be a Stranger!

We'd love to hear what you're thinking about, in regards to these questions or otherwise. Continue the conversation on Discord at ZKHack or RISC Zero.