The Ethereum Foundation is launching this project to obtain the highest possible level of assurance for zkEVMs, the end goal being bug-free zkEVMs. This project will feature a combination of grants and bounties distributed across several stages over the next 18-24 months.
This project will also aim to:
The scope of this project is restricted to RISC-V zkVMs on which an EVM compiled to RISC-V can run (producing a zkEVM) and will be divided into three tracks.
The goal of the RISC-V zkVM track is to be able to verify that a RISC-V zkVM correctly implements a RISC-V CPU and the correctness of the arithmetization and circuits, specifically:
The current standard in existing RISC-V zkVMs is the RV32I base integer instruction set. The M extension for integer multiplication and division is also typically used, and the ability to support other extensions is expected.
The aim is to be flexible concerning choices of arithmetizations, but support for AIR (as required by Circle STARKs) is expected.
The goal of the EVM track is to be able to show that an EVM running on RISC-V correctly implements the EVM specification.
To be considered a good candidate for verification, an implementation of the EVM must be performant and compilable on RISC-V zkVMs; for example, revm/Reth. Extractions from formal models of the EVM, if performant, can also be considered.
The goal of the Cryptography track is to verify the specification, proofs of security for the expected security parameters, and implementation of the cryptographic primitives and protocols used by zkVMs.
Current RISC-V zkVMs currently primarily rely on FRI + Circle STARks (wrapping into Groth16 or Plonk for on-chain verification), making this our focus, although it does preclude considering alternatives.
We will support different approaches where possible to benefit from the varied expertise within the community and to make it possible to compare different approaches and to learn what works best for different components in terms of, for example, effort required, maintainability and ability to support external contributors.
If it becomes clear after a stage that one approach is better than the others, then we may focus solely on maintaining the results of that approach when moving on to the next stage. In cases where it would be advantageous to have the same method or language used for two tasks related to components that interact with each other, and it is possible to do so, this will be taken into account. Similarly, languages with a more active community (e.g., Lean and Coq for interactive theorem proving) look more attractive maintenance-wise.
RISC-V zkVMs, the EVM, and the cryptographic proof systems used are still evolving so the ability to maintain and extend work (including by external contributors), rather than performing one-off proofs, is crucial.
Everyone working on this project will contribute towards a common end goal so a high standard of openness is expected. This includes documenting work to facilitate its evaluation and use by others and being open to collaboration.
This project will be split into several stages. These are not strictly limited (i.e., work started in Stage 1 may overflow into Stage 2) but are intended to reflect different focuses and milestones as the project advances.
The goal of Stage 1 is to start from the ground up and establish maintainable and extensible frameworks to verify specific artefacts in later stages formally.
Applications are particularly welcome (but not restricted to) to address the following:
The Cryptography track is not a priority at this stage, although there is an overlap with precompiles, but work that can establish the basis required to later verify the desired PCS and PIOP may be considered.
All applications must have a written proposal in PDF format addressing the following details:
Applications are open to any individuals, teams, and organizations, and will be selected for funding on a case-by-case basis. Submitting more than one proposal is allowed as long as each proposal is distinct and relevant to the project. Funding will be subject to a KYC process.
Several independent proposals may have similar goals. In such cases, it is possible for several proposals to be funded if comparing the results of different approaches to the same problem would be useful, or if several teams can work together on similar or complementary goals. Being flexible in this regard can be a plus.
If your proposal is for general tooling, please make sure to address what this will be useful for within the expected lifetime of this project (e.g., verifying a specific artefact) and how others will also be able to use it.
Proposals for Stage 1 can be sent until further notice to [email protected]. The application review process will begin on September 16, 2024.
There are currently no open bounties.