Spectre: A ZK Coprocessor to Extend Sygma's Security
The blockchain interoperability landscape is diverse and multifaceted. Cross-chain application users expect consistent security, speed, and reasonable fees for transactions dealing with inherently different assets, amounts, and market implications.
Consider two scenarios: a gamer transferring their character NFT and a crypto whale liquidating a large stake. These examples, while targeting the same domains (source and destination chains), have so far been restricted to bridges that operate under a uniform security model with identical fees and latency. While this one-size-fits-all approach does technically get the job done, it often leads to dissatisfaction for at least one of the users and, in the worst case, for both.
A more elegant solution is possible. Enter tailored security, a set of solutions that meet the unique demands of each transaction. This approach empowers developers to make optimal security choices based on their context. By leveraging a multi-layered framework that combines Proof of Authority, Optimistic Execution, and ZK proofs, Sygma offers unparalleled flexibility.
Introducing Spectre
To address diverse needs, we created Spectre, a new interchain transport solution powered by zero-knowledge proofs of consensus.
Designed to strengthen connections between Ethereum-like domains, Spectre is particularly suited for applications where Multi-party Computation (MPC) falls short. This addition represents a key milestone in Sygma's ongoing effort to bring leading trust minimization and operational transparency to web3 developers.
The coprocessor model: verifying Ethereum consensus
Spectre implements a blockchain coprocessor to offload intensive computations from a constrained onchain execution layer to a more expansive offchain environment. Its purpose is to produce succinct proofs of Gasper consensus that can be efficiently verified on a destination chain.
This model stands in contrast to the prevailing approach where a committee of relayers posts a signature (generated via MPC) stating that the majority of them have detected a certain onchain event.
The difference may appear subtle at first, so it's crucial to note that neither the threshold signature nor its generation process is concerned with specific consensus rules—they merely confirm the signer's assertions. In contrast, the coprocessor proofs are tailored to the exact computations being verified. Therefore, no valid proof can exist for a computation that halts, for instance, due to fraudulent inputs.
Spectre’s coprocessor proofs are cryptographic arguments of knowledge, that is, SNARKs (Succinct, Non-Interactive Arguments of Knowledge). A critical aspect of Spectre is that it does not rely on trusted intermediaries and makes no probabilistic economic assumptions.
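The contrast drawn above between relayer attestations and coprocessor proofs can be modelled in a few lines. This is an added illustration, not code from Spectre or Sygma. HMAC stands in for the MPC threshold signature, and the supermajority-plus-Merkle-inclusion rule is an assumed simplification of a consensus check, evaluated directly here rather than inside a SNARK circuit; all keys, events and names are constructed.

```python
import hashlib
import hmac

def h(a: bytes, b: bytes) -> bytes:
    return hashlib.sha256(a + b).digest()

def fold_branch(leaf: bytes, branch: list, index: int) -> bytes:
    """Recompute a Merkle root from a leaf and its sibling path."""
    node = leaf
    for depth, sibling in enumerate(branch):
        node = h(sibling, node) if (index >> depth) & 1 else h(node, sibling)
    return node

# Model A: relayer committee. HMAC is a stand-in for a threshold signature.
RELAYER_KEYS = {f"relayer{i}": bytes([i + 1]) * 32 for i in range(5)}  # constructed keys
THRESHOLD = 3  # assumed 3-of-5 policy

def attest(relayer: str, claim: bytes) -> bytes:
    return hmac.new(RELAYER_KEYS[relayer], claim, hashlib.sha256).digest()

def accept_attested(claim: bytes, sigs: dict) -> bool:
    """Destination accepts any claim that enough relayers signed; no rule is evaluated."""
    good = sum(1 for r, s in sigs.items()
               if r in RELAYER_KEYS and hmac.compare_digest(attest(r, claim), s))
    return good >= THRESHOLD

# Model B: the statement a consensus proof would be bound to (simplified rule).
def consensus_statement(root: bytes, leaf: bytes, branch: list, index: int,
                        participation: list) -> bool:
    supermajority = 3 * sum(participation) >= 2 * len(participation)
    return supermajority and fold_branch(leaf, branch, index) == root

def demo() -> dict:
    leaves = [hashlib.sha256(f"event-{i}".encode()).digest() for i in range(4)]  # constructed
    n01, n23 = h(leaves[0], leaves[1]), h(leaves[2], leaves[3])
    root = h(n01, n23)
    branch = [leaves[3], n01]            # sibling path for leaf index 2
    forged = hashlib.sha256(b"event-that-never-happened").digest()
    quorum = {r: attest(r, forged) for r in ("relayer0", "relayer1", "relayer2")}
    votes = [1, 1, 1, 1, 0, 1]           # 5 of 6 committee members participated
    return {
        "attested_forged": accept_attested(forged, quorum),
        "proved_real": consensus_statement(root, leaves[2], branch, 2, votes),
        "proved_forged": consensus_statement(root, forged, branch, 2, votes),
        "proved_low_quorum": consensus_statement(root, leaves[2], branch, 2, [1, 0, 0, 1, 0, 1]),
    }

if __name__ == "__main__":
    print(demo())
```

In Model A a signing quorum is sufficient on its own, so a claim about an event that never happened is accepted; in Model B the same forged leaf cannot satisfy the statement, which is the property a proof system then enforces succinctly.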
Technical details
Spectre consists of three main components:
- Spectre Prover
- Light-client Circuits
- Verifier Contracts
Spectre Prover is powered by the Halo2 proving stack. Universally recognized for its highly expressive Plonkish front-end and modular cryptographic back-end, Halo2 has been adopted by projects like Scroll, Axiom, Zcash, and plenty more. We employ the Privacy & Scaling Explorations fork, equipped with a KZG-based cryptographic compiler tailored for efficient verification in the EVM.
Newer and potentially more performant systems exist, such as Polygon’s Plonky2 and Polyhedra’s deVirgo (closed-source), but their implementations are not nearly as battle-tested as Halo2. Even when compared to older solutions such as Circom and Rapidsnark (used in Telepathy), the total value secured by Halo2 significantly surpasses them and continues to grow.
Spectre Light-client Circuits are implemented with the halo2-lib circuit development framework, the latest-iteration ZK toolkit from the developers behind the circom-pairing library and the Axiom coprocessor. This library contains a number of non-trivial optimization tricks, while its readable SDK prevents most soundness bugs and improves auditability. Our team has contributed a number of features back to the halo2-lib repository, including some of the foundational cryptographic primitives powering Ethereum consensus, such as pairing, BLS signatures, and hashing to curve.
Benchmarks (32-core 3.1GHz, 256G RAM)
Spectre Verifier Contracts for consensus proofs are auto-generated via the privacy-scaling-explorations/snark-verifier tool. Supplemental contract logic has been introduced exclusively to manage intermediary states during proof verifications.
It's worth noting that Spectre circuits fulfill a role similar to existing light-client-based ZK bridges for Ethereum, as they are all inherently equivalent. However, Spectre sets itself apart as the first production-grade PLONK-based ZK bridge, thanks to its foundation on the Halo2 stack. In this, Spectre embodies ChainSafe's vision of security through implementation diversity.
Using PLONK in Spectre enables greater flexibility, particularly in fine-tuning the hardware requirements for the prover. Moreover, Halo2 was designed specifically with various proof aggregation and recursion strategies in mind. This allows provers with limited resources to participate, an essential aspect of the permissionless future that Sygma envisions.
Prover is open-sourced and live on Testnet!
We’re thrilled to share that Spectre Prover and its circuits and smart contracts are now fully open-sourced and can be found at ChainSafe/Spectre. Additionally, we’ve deployed it on the Sepolia and Holesky testnets.
Designed to be permissionless and cost-effective, the Spectre Prover is contribution-friendly and accessible. Basic instructions for running it are available in our GitHub repository, and we are in the process of preparing comprehensive documentation.
Future work
As Spectre approaches Mainnet, the immediate roadmap includes an external audit and a trusted setup ceremony, both of which are currently in progress. The continuation of Spectre is two-pronged: first, we plan to extend to more ecosystems such as Polkadot and Cosmos; second, we aim to further the security of Ethereum routes by incorporating verification of the full Casper consensus.
Alongside these developments, another critical area of focus is innovating around Sygma’s incentivization model. Our objective is to promote the adoption of more secure, albeit costlier, transports like Spectre while simultaneously pushing for permissionless proving.
As we advance with our new developments, it's an exciting time for Sygma, Polkadot bridging, and the blockchain interoperability space as a whole. Our journey is marked by continuous innovation, yet our commitment to our core values – trust minimization, transparency, and usability – remains unwavering. Join us to explore the boundaries of the interconnected decentralized web.
About Sygma
Sygma is a cross-consensus interoperability protocol, enabling general message passing, asset transfers, non-fungible tokens, and decentralized finance. Evolved from the humble beginnings of ChainBridge, it provides native interoperability between the Ethereum and Polkadot ecosystems.
Check out our documentation or GitHub to get started.