By Hugo (Twitter: @bluepoint_eth). Special thanks to Brecht and Hao for their feedback and review.

TL;DR

1. A two-tier zero-knowledge proof (ZKP) proving tokenomics is proposed, with a shared ZKP prover pool and universal modular prover being critical components of the ZKP ecosystem.

2. ZKP provers represent the next generation of blockchain computation power

3. There is a fundamental difference between proof-of-work (PoW) miners and ZKP provers.

4. The design of the ZK-rollup proving tokenomics poses a challenge known as the “impossible trinity”: balancing performance, cost, and decentralization.

5. An analysis is presented here of several ZKP proving tokenomics, using Taiko’s solutions as an example.

1. Introduction

In recent years, Zero-Knowledge Proof (ZKP) technology has made significant progress. It has become increasingly popular in projects that require computation scaling or privacy preservation.

ZKP, specifically the SNARK (Succinct Non-interactive Argument of Knowledge) protocol, has gained widespread recognition in Ethereum’s scaling direction. Ethereum’s roadmap includes a target of “Snark Everything,” and Vitalik Buterin has claimed that “zK-SNARKs are going to be as important as blockchain in the next 10 years.”

However, generating a zero-knowledge proof is a much more complex computation than an existing computation.

For example, in Ethereum, the computation of a block with 10M Gas takes less than 1 second, as shown in the picture below.

However, generating a proof for a block in a 128-core CPU for a circuit in ZKEVM may take more than 1700 seconds. Please refer to the benchmark result from the PSE team.

Even with a GPU, a ZKEVM requires hundreds of seconds to generate a proof. This means that verifying EVM computations with ZKP costs more than 1000 times the original computation.

There will be huge requirements for ZKP computation power, as there will be many ZKP projects, including L2 projects like zkSync, Scroll, Taiko, Polygon, Linea, and Aztec, as well as L1 projects like Aleo, Mina, and Risc Zero. There will also be other privacy, identity, and gaming-related projects that require ZKP computation power.

Verifiable computation will be as important as computation itself in the future’s digital world, and ZKP acceleration will be the core of the next generation of blockchain’s computation power.

2. ZKP requires different tokenomics with POW

Proof of Work (PoW) is an algorithm used for distributed consensus. In PoW systems, participants (miners) must perform computationally intensive work to prove that they have invested a certain amount of computational resources. The goal of these algorithms is to ensure network security. Miners compete to find a hash value that meets specific conditions to gain block rewards and transaction fees.

However, ZKPs serve very different purposes and have distinct characteristics.

Here is the comparison between POW miners and ZKP provers.

Some ZKP projects, like Aleo, still use a POW-like mechanism, but they are not mainstream. Ethereum’s success with POS demonstrates that POW is not the only feasible solution for achieving blockchain decentralization. As a result, more projects might choose a non-POW proving system to decrease energy consumption and overall costs.

In the ZKP computation paradigm, it is necessary to design not only different provers but also different tokenomics.

3. The challenge of the impossible trinity of ZKP proving tokenomics

In this context, “proving tokenomics” refers to an incentive mechanism for a decentralized ZKP proving system. The three essential metrics for a ZKP proving network are cost, performance, and decentralization. A well-designed proving tokenomics should meet these three requirements.

First and foremost, cost is a critical factor in a ZKP project, particularly for ZK-rollups. Their mission is to scale Ethereum and reduce users’ transaction costs. The proving cost is a part of the overall cost of ZK-rollups and other ZKP projects. The cost includes both the cost of a single proof and the overall cost of the proving system.

To provide a better user experience for verifying layer two transactions and achieving finality, high-performance machines are required for ZK provers. GPUs, FPGAs, or ASICs using parallelized computation can help alleviate such bottlenecks. That’s why we use a GPU to prove zkEVM in 10 minutes instead of a CPU, which could take hours.

Another critical requirement for ZKP provers is decentralization. Decentralization means that many providers can join the proving work without requiring permission, and there is redundancy and geographical dispersion to make the entire system robust and resistant to censorship.

However, meeting all three aspects in the same design, high performance, low cost, and decentralization is an impossible trinity.

Firstly, there is a conflict between cost and performance. If high performance is desired, a high price for the provers, such as GPU, FPGA, or even a cluster of GPU/FPGA, is necessary.

As the usage of ZKP becomes more prevalent in the long term, there will be a market for millions of ZK provers. At that point, a low-cost ZK ASIC chip can meet both low-cost and high-performance requirements. However, since we are in the early stages of ZKP and have not yet reached such a vast market, the unit cost for a ZK ASIC chip is relatively high. Therefore, achieving both cost-effectiveness and performance remains a challenge at this stage.

Secondly, decentralization often necessitates the redundancy of provers, resulting in higher costs for the overall proving system.

For instance, if a ZK-rollup project creates an L2 block in 1 second, and generating proof for it using a high-performance GPU takes about 10 minutes, it would require about 600 provers to fulfill the demand.

n=T_prove​/T_block​

Here:

n : The number of provers

T_prove​ : Proof generation time for a block

T_block​ : Average block generation period

If we deploy 600 GPU provers for the ZK-rollup project, the computation capacity will be sufficient to meet its throughput. However, if some provers fail to finish their tasks on time due to network failures or occasional turn-offs, additional provers must generate a proof. Increasing the number of backup provers and decentralization of ZK provers increases the total cost of the proving system. This is also why POW is not popular in ZKP projects.

Thirdly, vigorously promoting the performance of provers may lead to the domination of the proving network by the fastest prover. This conflicts with the goal of decentralization.

Establishing a tokenomic system that ensures profitability and liveness for the prover in ZKP systems is a challenging task from an economic perspective. This is the challenge of proving tokenomics.

4. The evolution of ZKP proving economics

Taiko is a decentralized ZK-rollup project that is equivalent to Ethereum, and uses Type 1 zkEVM technology. At the beginning of the Taiko project, there was a focus on designing decentralized sequencers and provers. This is the first ZK-rollup project to promote decentralized sequencers and provers actively.

Taiko introduces its principle of tokenomic design in its documentation, which mentions similar metrics:

1. Efficient use of proving resources

2. Cheaper proofs over faster proofs

3. Prover redundancy/decentralization

Taiko project has explored various solutions to resolve the impossible trinity of proof ZKP proving tokenomics, and it is still evolving. Here is the history of Taiko Testnet and its proving tokenomics:

1. Dec 28th, 2022, Alpha-1: Prover is not open.

2. Mar 23rd, 2023, Alpha-2: Provers are permissionless and the fastest provers win, without an economic protocol.

3. Jun 7th, 2023, Alpha-3: Provers are permissionless with a dynamic-reward economic protocol.

4. Jun 2023: The batch auction-based tokenomics were proposed and discussed.

5. Jul 18th, 2023, Alpha-4: Provers are permissionless with staking-based economics.

6. The new proposal is on the way.

4.1 Dynamic-reward proving tokenomics (Taiko A3)

The tokenomics of A3 includes a dynamic reward mechanism designed to encourage provers to be low-cost and high-performance. It includes the following rules:

• The prover that submits the proof the fastest wins the block.

• The reward decreases as the prover submits proof faster.

Therefore, once a prover becomes the fastest, its best strategy is to submit proofs just slightly faster than their competitors and wait for a while to obtain a higher reward and keep a more significant profit.

Next, let’s take a look at some observed phenomena in Taiko A3.

The gas war

Currently, the number of active provers is gradually decreasing in A3, indicating a trend towards centralization.

The reason for the above trend is that some high-performance provers can submit their proof in as little as 24 seconds, which is very fast. According to the Ethereum design, if multiple provers submit their proof within the same window, the prover with the higher gas fee will be accepted. In the Sepolia Testnet, gas fees are not in real ETH and are very cheap.

As a result, there is a gas war among these high-performance provers. They submit proof with very high gas prices, sometimes reaching up to 2000 Gwei. Some provers with very high gas fees dominate the proving tasks.

Another strategy is to optimize performance by submitting proof in 12 seconds. However, it is difficult to submit all proofs within 12 seconds and doing so results in less reward due to the faster speed according to the A3 design.

The Computation Competition

Another phenomenon in A3 is the high number of failed submissions in competitions. This is because, for each block, only one winner is allowed to submit proof, and all other submissions, even if they generate a valid proof, will be rejected.

4.2 Staking-based proving tokenomics (Taiko A4)

In A4, Taiko employs a stake-based proving tokenomics, which provides several advantages:

1. Excessive computation is eliminated as only one prover is selected to generate a proof. The other provers do not need to work if they are not selected.

2. Encouraging low cost by giving higher weight and high-performance provers cannot guarantee a win.

3. The design is relatively simple compared to an auction-based solution.

Why do we need staking? The reason is that once a prover is selected, it needs to submit proof honestly and on time. A penalty is executed if the selected prover fails to complete this task.

One crucial phenomenon in A4 is that the ZKP prover has a high probability of being slashed, especially when there is network traffic jam. Here is an example.

Next, we can discuss possible solutions for this issue.

5. Further expected improvements in proving tokenomics

Based on our analysis, the expected ZKP proving tokenomics should meet the following requirements:

1. Each task should have one prover with no wasted computation.

2. Mechanisms should be put in place to prevent a monopoly scenario and promote decentralization.

3. The selected prover should provide a stake and receive a penalty if they fail to generate proof within a specified time window.

4. An incentive mechanism should encourage faster proof submission and lower costs.

5. Provers should be compensated for high gas fees.

6. Proof windows should be extended during traffic jams.

Let’s further expand the discussion.

This ZKP prover’s staking mechanism is similar to Ethereum’s, as it encourages the validator to be honest. However, there are differences between them.

As shown in the table, ZKP provers have higher costs and a higher risk of slashing compared with Ethereum validator. Meanwhile, regarding the reward, the ZKP prover’s only compensation comes from ZKP projects, but it has to cover gas fees, computation costs, and the cost of staking asset.

Here are some proposals to reduce the slash penalty, considering that ZKP provers need to pay the cost of gas fees and relatively high computation power:

1. If a prover submits proof within a relatively long window, no penalty should be imposed. This is because others can submit the proof according to the design, and the prover has already incurred gas fees and computation power as costs.

2. If the prover never submits the proof, a lower slash amount should be imposed. In such cases, it may be challenging to differentiate between network/technology issues or dishonesty issues. Thus, a penalty is reasonable, but it should be less severe, as in most cases, the failure might be caused by network traffic jams.

When there is a network traffic jam or very high gas fees, it is challenging for the prover to submit proof, even with reasonable gas fees. Here are some solutions that can be considered:

1. Extend the proof window when the base fee is high.

2. A more economically rational solution is to increase the reward when the base fee is high.

The staking mechanism brings some fund costs. It is true that there is no formal POS reward, as there is no formal POS mechanism, and we use POS as part of proving tokenomics. However, all the funds have interest costs. Thus, in a staking-based mechanism, the reward amount should be increased to cover staking costs, although it might be included in overall prover rewards.

In addition, the following improvements would be desirable:

1. To encourage faster provers, after the prover is selected, their rewards can be increased if they submit proof earlier than the target proof window.

2. Using batch proof for a group of blocks helps reduce the overall gas fee.

6. Two-tier ZKP proving tokenomics

Currently, many ZKP projects are using their own proving systems and tokenomics. However, this approach is not beneficial for sharing computation power across ZKP projects, which results in higher costs for the overall ZKP ecosystem.

As we analyzed in the previous section, ZKP projects require a complex mechanism to manage slash, reward, proof window, and other related aspects.

Furthermore, there is a high barrier for provers to join various ZKP projects and stake various assets.

To achieve a healthier and more cost-effective ZKP proving ecosystem, a two-tier proving tokenomics can be a good solution. Taiko proposed a solution after several rounds of iteration of proving tokenomics. We have further extended this solution to a two-tier framework.

Under this approach, each ZKP project operates as tier 1, defining its own tokenomics. However, the selection, scheduling, penalty, reward, and rating of provers are delegated to tier 2, which is a shared prover pool.

A prover pool, such as ZKPool, can aggregate the requirements of multiple ZKP projects and assign tasks to provers, enabling them to have a higher utilization rate and earn more profit. Additionally, it reduces the barrier to participation and minimizes the possible penalties.

To provide the best performance and low-cost provers to ZKP projects, ZKPool can implement a proof market with a standardized rate system to evaluate prover performance and create a competitive mechanism among provers. This system can return the best provers to ZKP projects, and ZKPool can provide extra platform incentives based on the rating system. This approach can significantly benefit ZKP projects and ZKP provers.

Here, we also propose a UMP (Universal Modular Prover) conception. A Universal Modular Prover can run on the same hardware platform while supporting the proving work of various ZKP projects.

The entire ZKPool will be directed towards decentralization and promoting an economically healthy ZKP ecosystem.

The design principle of ZKPool:

• Minimizing cost for ZKP projects while maximizing revenue for provers.

• Easy: Easy access to ZKP computation power for ZKP projects and easy join for ZKP provers.

• Transparency: Keep revenue distribution with transparency

The deployment of not only ZKP but also artificial intelligence and space computation will require significant computational power in web3. ZKPool can finally share all computation power across the entire web3, which we can call an acceleration layer for web3.

7. Conclusion

Exploring ZKP proving tokenomics has been a long journey. From our research, we have identified cost, performance, and decentralization as key metrics for ZKP proving tokenomics. Implementing a two-tier ZKP proving tokenomics system can benefit the entire system. Additionally, a shared common prover pool is critical in the ZKP ecosystem.

However, there are still challenges that must be addressed to complete this ecosystem fully. Important work includes building standard inputs for ZKP provers, reducing hardware requirements, and more. These are areas that require our attention and effort.

Reference

1. https://www.semanticscholar.org/paper/EVM-Perf%3A-High-Precision-EVM-Performance-Analysis-Busse-Eberhardt/f1e7e58eca4802356feca48e1a13a6fdec444288

2. https://grafana.zkevm-testnet.org/d/vofy8DAVz/circuit-benchmarks?orgId=1