Building the “Universal Cryptographic Adapter” or “The Universal Protocol”
Vision
As we described in the Programmable Cryptography blog post, we envision being able to construct a “Universal Protocol” that lets us supply proofs of any statement we wish. For example, one should be able to make proofs of arbitrarily complicated statements such as:
I have a birth certificate signed by my government Department of Records attesting I was born in a prime-numbered year, and also a signed bank document showing my 2024 income is at least 100 times my birth year – and I can prove this to you cryptographically without revealing anything else.
Mathematical toolbox
The math that makes this possible falls loosely under the umbrella of zero-knowledge (ZK) proofs. For a concrete example, the Three Easy Pieces novella describes one such protocol, called PLONK, which lets a prover run an arbitrary computation on secret inputs and reveal only the output, together with a proof that the output is correct. Since then, many new protocols have emerged, as well as practical toolchains for them like Circom. This explosive growth has led to some real-life applications like TLSNotary and Proof Carrying Data.
Right now, as a rule of thumb, proving a computation in zero knowledge costs roughly 1,000,000 times as much as running the computation directly. Many useful operations (“redact everything but the birthdate from this document”) are so computationally cheap that, even with a million-fold slowdown, they can be performed within seconds on a mobile device. But our goal is to bring this overhead down by a further factor of 1,000, which would enable many more powerful applications than are currently possible.
Research priorities
We want to improve the performance of zero-knowledge proofs, motivated by specific real-world engineering applications. This is not an area where research can occur in a vacuum: ZK proof systems are already a well-developed field, and our theoretical understanding of them is strong. Rather, we’re iterating on these systems from the engineering side, and feedback from engineering and development informs our research priorities.
- Improved performance. At the moment, the bottlenecks in our ZK provers are compute and memory. How close can we bring the cost of proof generation to the cost of the plaintext computation itself?
  As a pipe dream, we’d like to be able to use specialized hardware and reduce the performance overhead to a 10x slowdown. If you can do a calculation in 1 second on a CPU, we’d like to be able to prove the calculation in 10 seconds on specialized hardware.
- Proof delegation. A user has some private data on a mobile device with limited computational power. The user wants to use an untrusted external server to generate a proof – while keeping the data secure. How can we do this?
  One possible architecture here is “proofs on secret-shared data”: the user secret-shares the data and sends one share to each of several external servers; those servers then run a multiparty protocol to construct the ZK proof, without ever learning the secret-shared witness themselves (as long as fewer than the sharing threshold of servers collude).
- Parallelization and specialized hardware. Can we take advantage of multiple cores and parallel processing to generate proofs faster?
- Protocols for specific problems. We’re most interested in specific applications: binary operations, standard cryptography (digital signatures, etc.), and recursive proofs. What can we do to generate proofs about these specific operations more efficiently?
- Long-term performance goals and limitations. Is there a lower bound on the difficulty of generating zero-knowledge proofs?
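To make the “proofs on secret-shared data” architecture above concrete, here is an added toy model written for this page (it is not 0xPARC’s code and not any particular collaborative-proving implementation). It assumes additive secret sharing over a toy prime field `P`, honest-but-curious servers, and a trusted dealer for Beaver multiplication triples; all witness values are constructed sample inputs. The point it shows is the one a practitioner cares about: the linear parts of a prover (linear constraints, the scalar side of a commitment) can be evaluated by each server on its own share with no interaction, whereas every multiplication gate needs an interactive step (here a Beaver triple), which is where the communication cost of delegated proving comes from.

```python
import secrets

# Toy prime field modulus (constructed for this example; a real collaborative
# prover would use its proof system's scalar field, e.g. BN254 or BLS12-381).
P = 2**61 - 1


def share_value(v, n):
    """Additively secret-share one field element v into n shares mod P.
    Any n-1 of the shares are uniformly random and reveal nothing about v."""
    rs = [secrets.randbelow(P) for _ in range(n - 1)]
    return rs + [(v - sum(rs)) % P]


def share_vector(witness, n):
    """Share every witness element; returns one share-vector per server."""
    per_element = [share_value(w, n) for w in witness]
    return [[e[i] for e in per_element] for i in range(n)]


def open_value(shares):
    """Reconstruct a field element by summing all of its shares."""
    return sum(shares) % P


def local_linear_step(my_share, coeffs):
    """One server's work for a public linear map (e.g. a linear constraint row).
    Linear maps commute with additive sharing, so the servers' outputs are
    themselves shares of the result and no interaction is needed."""
    return sum(c * x for c, x in zip(coeffs, my_share)) % P


def beaver_multiply(x_shares, y_shares):
    """Shares of x*y from shares of x and y, using a Beaver triple (a, b, a*b)
    from a trusted dealer (assumed here; real deployments produce triples in an
    offline MPC phase). Only d = x-a and e = y-b are opened, and both are
    uniformly random masks that are independent of x and y."""
    n = len(x_shares)
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    a_sh, b_sh, c_sh = share_value(a, n), share_value(b, n), share_value(a * b % P, n)
    # Each server broadcasts its masked share; everyone opens d and e.
    d = open_value([(x - ai) % P for x, ai in zip(x_shares, a_sh)])
    e = open_value([(y - bi) % P for y, bi in zip(y_shares, b_sh)])
    # [z] = [c] + d*[b] + e*[a] + d*e.  The public constant d*e is added by one
    # server only, so it is not counted n times on reconstruction.
    z = [(ci + d * bi + e * ai) % P for ai, bi, ci in zip(a_sh, b_sh, c_sh)]
    z[0] = (z[0] + d * e) % P
    return z


def delegated_linear(witness, coeffs, n_servers=3):
    """Client shares the witness; each server applies the public linear map to
    its share; the opened sum equals <coeffs, witness> mod P."""
    shares = share_vector(witness, n_servers)
    return open_value([local_linear_step(s, coeffs) for s in shares])


def delegated_product(x, y, n_servers=3):
    """Client shares x and y; servers run one Beaver multiplication; the opened
    result equals x*y mod P."""
    return open_value(beaver_multiply(share_value(x, n_servers), share_value(y, n_servers)))


def naive_local_product(x, y, n_servers=3):
    """What goes wrong without interaction: multiplying shares pointwise does
    NOT give shares of x*y, because the cross terms x_i*y_j (i != j) are lost."""
    xs, ys = share_value(x, n_servers), share_value(y, n_servers)
    return open_value([xi * yi % P for xi, yi in zip(xs, ys)])


if __name__ == "__main__":
    # Constructed witness in the spirit of the statement in the Vision section:
    # [birth_year, income].  income - 100*birth_year is linear, so the servers
    # compute it locally; the inequality (range check) on top of it is nonlinear
    # and would go through beaver_multiply-style interactive gates.
    witness = [1987, 250000]
    print(delegated_linear(witness, [(-100) % P, 1]))      # 51300
    print(delegated_product(1987, 250000) == 1987 * 250000)  # True
    print(naive_local_product(1987, 250000) == 1987 * 250000)  # False
```

A real collaborative prover layers a full SNARK prover on top of exactly these two primitives: the linear steps run share-wise for free, and the share of total prover cost spent in multiplication gates (and the round trips they need) is what determines how well delegation performs in practice.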