Blockchains are machines designed to ensure trustless agreement without central authority. The most successful blockchains to date have either employed a proof-of-work strategy (Nakamoto consensus) or a proof-of-stake strategy. Miners on a PoW blockchain compete to expend energy to discover a random block header over the current transactions as an arbitrary hash (and thus win a prize). This is explicitly wasted energy, a sort of conspicuous consumption to secure the network. Validators on a PoS chain are chosen by weight, statistically favoring already-large actors. This effect works against decentralization of the chain, and thus diminishes its security budget.
While PoS strategies have been proposed as a way of curbing the perceived wastefulness of PoW strategies, the due question becomes whether a proof-of-work strategy can be useful while maintaining security guarantees. The answer is yes: Zero Knowledge Proof of Work (ZKPoW), in which miners compete to produce blocks containing zero-knowledge proofs to verify the submitted transactions and gain the associated block reward. How does Nockchain, as the first ZKPoW blockchain, implement this consensus in practice?
The primary actors on Nockchain are miners and users. Users submit transactions to a pool to be included in a subsequent block. At the same time, miners compete in a Nakamoto consensus to locate the next valid block by solving a proof puzzle. When a valid block has been discovered, miners quickly verify it and move on to competing for the next block with remaining and newly submitted transactions.
So far, the only real difference from classic PoW is the “proof puzzle”. What does that mean? Nockchain is built on the Nock instruction set architecture (ISA), a minimalist programming language which flexibly allows general-purpose computation but is surprisingly simple and amenable to mathematical proof strategies. The proof puzzle is a construction over Nock ISA execution traces.
The ZK-PoW Proof Puzzle
The short version: Consider a balanced binary tree with leaves to length 64; call this the “subject”. We use random numbers drawn from the Goldilocks field to completely fill the subject. If these satisfy the target difficulty, then we've found a block. We submit the new block to the chain and the block reward is dispatched by the consensus algorithm to our miner's address.
The long version:
- Given the Tip5 hash of the previous block and a random nonce as cryptographic hashes, we deterministically generate a cascade of field elements to fill the subject. (The Goldilocks field elements are integers from 0 to p-1, where p = 2⁶⁴ – 2³² + 1. They are determined from the hash and the nonce.)
- We check that the subject is valid (i.e. each leaf contains an atom, or unsigned integer rather than a pair of values).
- We generate a zero-knowledge proof of the subject and formula.
- We calculate the hash of the ZKP and check whether it satisfies (is equal to or lesser than) the target difficulty.
- If this is true, then we have produced a valid block and we submit it to the chain.
- If it is not true, then we generate a new random nonce and try again.
- If a new heaviest block arrives while we are calculating, then we use its header as an input to the puzzle and we mine on that instead as a new subject.
The target difficulty changes every two block-weeks to maintain approximately ten-minute block times as more mining proofpower comes online.
The critical property of Nockchain's ZKPoW consensus algorithm is that there is one and only one valid computational transcript for each puzzle instance, preventing miners from gaining unfair advantages through alternative solution paths. The chain is protected against selfish mining by incentivizing honest proofpower from genesis (part of the Nockchain's security budget), while the proof system itself prevents some attack vectors possible in hash-based PoW systems.
ZKPoW mining incentives coupled with NockApp applications also provide incentives for computation based on the Nock ISA to become faster and more commoditized over time.