Groth16-powered Smart Contracts on Dogecoin

Bitcoin kicked off the era of cryptocurrencies, where people can hold, receive and send bitcoin to each other. Bitcoin has many descendants. One notable example is Dogecoin, a memecoin created to poke fun at cryptocurrencies. However, as we'll explain in this post, Dogecoin has just become a technological forerunner among its OG blockchain counterparts.

We at Nexus have entered a partnership with QED to combine the two companies' technology. Using the Nexus Zero Knowledge Virtual Machine (zkVM) for verifiable computation, QED can build systems in which smart contract execution is certified by a Groth16 proof, and through QED's recent work those Groth16 proofs can then be verified on Dogecoin. Other blockchains may in future add Groth16 verification too, which would give them the same ability to incorporate off-chain smart contract execution.

Smart Contracts

Ethereum, the second-largest cryptocurrency, was the first to offer smart contract functionality on top of traditional cryptocurrency transactions. Smart contracts allow users to create complex interactions that are guaranteed to execute correctly.

For instance, imagine a smart contract that maintains a house ownership registry. If Alice wants to sell her house to Bob, she can tell the smart contract the price she is willing to accept. Bob can then transfer the specified number of coins to the smart contract to purchase the house. The advantage of smart contracts is that they are autonomous, i.e., they execute without human intervention. The sale is executed automatically if Alice instructs the smart contract that she wants to sell and Bob sends the coins to buy; otherwise nothing happens. (The contract can only guarantee the on-chain registry entry; what that entry means legally is still decided off chain.) This stands in contrast to the cumbersome process house buyers and sellers often go through, which involves lawyers acting as third parties that hold the money in escrow while the house is reregistered to the new owner, and which carries a small risk that the third party runs off with the money.

Ethereum offers versatile smart contracts that can execute arbitrary programs (up to a gas limit). However, Ethereum's security rests on verification by recomputation: every validating node re-executes every contract call to check its result. Scalability is limited because the same smart contract computation is replicated across thousands of validators. As a consequence Ethereum has high transaction fees and low throughput.

The Rise of zk-Rollups and Validiums

To solve the scalability problem, zk-rollups and validiums have emerged. They use a cryptographic technology known as zero-knowledge proofs (ZKPs) to scale computation. Zero-knowledge proofs let a prover convince a verifier that a claim is correct without the verifier seeing the intermediate data or redoing the full computation. Strictly speaking, the scaling benefit comes from succinctness (cheap verification); the zero-knowledge property, hiding the witness from the verifier, is a separate feature that a rollup may or may not need.

The key insight behind zk-rollups and validiums is that on-chain computation is not the key requirement for running smart contracts on a blockchain; what matters is on-chain verification. They allow arbitrary smart contract computations to be performed off chain, with only the final proof being verified on chain via a succinct ZKP. The two differ in where the transaction data lives: a zk-rollup posts it on chain, while a validium keeps it off chain with a separate data-availability layer, trading some security for lower cost.

Succinct non-interactive arguments of knowledge (SNARKs)

What properties should ZKPs have to be useful on a blockchain? Because of replication, storing data on a blockchain is expensive, so proofs should be small and compact. Replicating computation is also expensive, so verifying a proof should be cheap.

Fortunately, influential papers by Kilian 1992 and Micali 1994 gave us a theoretical understanding that it is possible to construct proofs that are small and cheap to verify: Kilian gave an interactive protocol, and Micali showed how to make it non-interactive. There are succinct ZKPs that can be much smaller than the data produced during a computation and much faster to verify than redoing the computation. Subsequently, cryptographers have invented many different techniques for constructing succinct proofs, often referred to as succinct non-interactive arguments of knowledge (SNARKs).

In 2010, I introduced a new type of SNARK based on pairings. Pairing-based SNARKs have the advantage that proofs can be a constant number of group elements, regardless of the size of the computation being proved. A sequence of works produced increasingly efficient pairing-based SNARKs, including Lipmaa 2012, GGPR 2013, PGHR 2013, BCIOP 2013 and Groth 2016. The latter, now known as Groth16, has proofs of just 3 group elements (two in G1 and one in G2, i.e. 128 bytes compressed on the commonly used BN254 curve) and a verifier that computes one multi-scalar multiplication over the public inputs and checks a single pairing-product equation, three pairings at verification time once e(α, β) is precomputed. Due to this compactness Groth16 has become a de facto standard in the industry. Recently, Groth16 has also been selected by the ZKProof standardization effort (zkproof.org) to become a de jure standard.
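To make the shape of Groth16 concrete, here is an added end-to-end toy (setup, prove, verify) for the tiny relation y = x^3 + x + 5; it is illustration written for this post, not Nexus, QED or Dogecoin code. The assumptions: every group element is represented by its discrete logarithm in Z_R for a toy prime R, so the "pairing" is just multiplication of exponents, and the trusted-setup secrets (tau, alpha, beta, gamma, delta) remain visible. That keeps the Groth16 algebra exact, so you can see that a proof is three elements, that the verifier's whole job is one pairing-product equation over those elements and the public inputs, and that a prover with a witness violating a constraint cannot even build the proof, but it offers no security whatsoever, since a real deployment relies on the group hiding the exponents and on the toxic waste being destroyed.

```python
"""Toy Groth16 (setup, prove, verify) for y = x^3 + x + 5.  Added illustration, not
Nexus, QED or Dogecoin code.  Assumption: a group element is stored as its discrete
log in Z_R and the pairing is e(g^a, h^b) = gT^(a*b), i.e. a*b mod R.  The Groth16
algebra is exact but nothing is hidden: it shows the protocol's shape, not security."""
import random
from functools import reduce
from itertools import zip_longest

R = 2**61 - 1  # toy prime field order (assumption; any prime works here)

def inv(a):
    return pow(a, R - 2, R)

def poly_axpy(acc, p, c):
    """acc(X) + c*p(X); polynomials are coefficient lists over Z_R, lowest degree first."""
    return [(a + b * c) % R for a, b in zip_longest(acc, p, fillvalue=0)]

def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] = (out[i + j] + a * b) % R
    return out

def poly_divmod(p, d):
    """Long division: (quotient, remainder) with p = quotient*d + remainder."""
    p, lead, q = p[:], inv(d[-1]), [0] * max(1, len(p) - len(d) + 1)
    for i in range(len(p) - len(d), -1, -1):
        q[i] = c = p[i + len(d) - 1] * lead % R
        for j, dj in enumerate(d):
            p[i + j] = (p[i + j] - c * dj) % R
    return q, p[:len(d) - 1]

def poly_eval(p, x):
    return reduce(lambda acc, c: (acc * x + c) % R, reversed(p), 0)

def lagrange(points):
    """Unique polynomial of degree < len(points) through the (x, y) pairs."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis, denom = poly_mul(basis, [-xj % R, 1]), denom * (xi - xj) % R
        result = poly_axpy(result, basis, yi * inv(denom) % R)
    return result

# R1CS for y = x^3 + x + 5 over w = [1, x, y, x2, x3]:
#   x * x = x2,   x2 * x = x3,   (5 + x + x3) * 1 = y
A_ROWS = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0], [5, 1, 0, 0, 1]]
B_ROWS = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
C_ROWS = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 1, 0, 0]]
PUBLIC, NVARS, DOMAIN = [0, 2], 5, [1, 2, 3]  # public inputs: the constant 1 and y

def setup(rng=random):
    """Toy trusted setup.  Real Groth16 destroys tau, alpha, beta, gamma, delta (the
    toxic waste); here they stay visible, which is why this toy proves nothing."""
    col = lambda rows, i: lagrange([(d, rows[k][i]) for k, d in enumerate(DOMAIN)])
    u, v, w = ([col(rows, i) for i in range(NVARS)] for rows in (A_ROWS, B_ROWS, C_ROWS))
    t = reduce(poly_mul, ([-d % R, 1] for d in DOMAIN), [1])  # t(X) = prod (X - d)
    tau, alpha, beta, gamma, delta = (rng.randrange(1, R) for _ in range(5))
    L = [(beta * poly_eval(u[i], tau) + alpha * poly_eval(v[i], tau) + poly_eval(w[i], tau)) % R
         for i in range(NVARS)]
    pk = dict(tau=tau, alpha=alpha, beta=beta, delta=delta, u=u, v=v, w=w, t=t,
              L_priv={i: L[i] * inv(delta) % R for i in range(NVARS) if i not in PUBLIC})
    vk = dict(alpha=alpha, beta=beta, gamma=gamma, delta=delta, IC=[L[i] * inv(gamma) % R for i in PUBLIC])
    return pk, vk

def witness(x):
    x2, x3 = x * x % R, x * x * x % R
    return [1, x % R, (x3 + x + 5) % R, x2, x3]

def prove(pk, wit, rng=random):
    """3-element proof (A, B, C); raises ValueError if wit breaks the R1CS."""
    uw, vw, ww = [0], [0], [0]
    for i in range(NVARS):
        uw = poly_axpy(uw, pk["u"][i], wit[i])
        vw = poly_axpy(vw, pk["v"][i], wit[i])
        ww = poly_axpy(ww, pk["w"][i], wit[i])
    # QAP: u(X)v(X) - w(X) is divisible by t(X) exactly when every constraint holds.
    h, rem = poly_divmod(poly_axpy(poly_mul(uw, vw), ww, R - 1), pk["t"])
    if any(rem):
        raise ValueError("witness does not satisfy the constraint system")
    tau, delta, r, s = pk["tau"], pk["delta"], rng.randrange(R), rng.randrange(R)
    A = (pk["alpha"] + poly_eval(uw, tau) + r * delta) % R
    B = (pk["beta"] + poly_eval(vw, tau) + s * delta) % R
    priv = sum(wit[i] * pk["L_priv"][i] for i in pk["L_priv"]) % R
    ht = poly_eval(h, tau) * poly_eval(pk["t"], tau) * inv(delta) % R
    return A, B, (priv + ht + A * s + B * r - r * s * delta) % R

def pairing(a, b):
    return a * b % R  # toy bilinear map in the exponent

def verify(vk, public_inputs, proof):
    """One pairing-product equation over the 3 proof elements and the public inputs."""
    A, B, C = proof
    acc = sum(ic * x for ic, x in zip(vk["IC"], public_inputs)) % R
    rhs = (pairing(vk["alpha"], vk["beta"]) + pairing(acc, vk["gamma"]) + pairing(C, vk["delta"])) % R
    return pairing(A, B) == rhs
```

Run `pk, vk = setup(); proof = prove(pk, witness(3)); verify(vk, [1, 35], proof)` to see an honest proof accepted; changing the claimed output to 36, or any of A, B, C, makes the equation fail, and a witness with a wrong intermediate value makes `prove` raise because u(X)v(X) - w(X) is no longer divisible by t(X). Note that `verify` never touches the witness, the constraint system or `tau`: that separation, with the verifier needing only the verifying key, the public inputs and three elements, is what lets an on-chain verifier stay small.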

The Nexus zkVM also follows this strategy, wrapping up its verifiable computation in a succinct Groth16 proof to minimize the cost of verification.

Groth16-verified Smart Contracts

A lot of effort is going towards increasing Ethereum's throughput by moving smart contract computation off chain. But, you may ask, if computation is done off chain, do we even need Ethereum's general-purpose execution capability? Not all of it, but some on-chain computation remains: verifying a SNARK is itself a computation, and it still has to be done on chain. So on-chain computation has not been eliminated; it has been reduced to a small verification step whose cost does not grow with the size of the contract execution.

This is where QED enters the picture. QED has proposed a new opcode, OP_CHECKGROTH16VERIFY. Note that QED does not attempt to change Dogecoin drastically or to enable general-purpose on-chain computation; the opcode adds precisely the one capability needed, verification of Groth16 SNARKs. So on Dogecoin, any smart contract executed off chain can have its execution verified on chain. Adding an opcode is a consensus change, so it takes effect only once the network's nodes adopt it.

Conclusion: a New Era of Smart Contracts on Dogecoin

With QED's new opcode and the Nexus zkVM, Dogecoin will be able to run many of the serious smart contract applications people envision. Or, more in the spirit of Dogecoin: the design space of not-so-serious applications has massively increased.
