Welcome to the 1,252 newly Not Boring people who have joined us since our last Monday post! If you haven’t subscribed, join 176,385 smart, curious folks by subscribing here:
Happy Tuesday! This post is coming to you a a day late because it’s the longest I’ve essay I’ve ever written about the most complex subject I’ve ever written about.
There have been many times in Not Boring’s brief history when I’ve realized just how lucky I am to get to write for an audience of smart, curious nerds like you. It takes a special kind of nerd to read multi-thousand word deep dives on topics ranging from blockchains to robots week after week. One of those times that stands out in my memory was in June 2021, when Jill Gunter and I wrote a piece on Zero-Knowledge Proofs called, creatively, Zero Knowledge.
Zero-Knowledge Proofs are wonky. For the first thirty or so years of their lives, they existed only deep in the research labs of academic cryptographers. They involve math that I couldn’t begin to understand, let alone explain, and when we wrote that piece, their use cases were still almost purely speculative. Despite that, and despite the fact that there were only 56,891 of us here at that time, Zero Knowledge has been viewed 113k times and was our most popular piece of the month by a landslide.
In the piece, we gave an overview of Zero-Knowledge Proofs, and predicted that you’d be hearing a lot more about them over the next five years. Fast-forward 17 months, and the zero-knowledge zeitgeist is upon us. Starkware, zkSync, Aztec, Espresso, ImmutableX, Polygon’s zkEVM, and Aleo are either live on mainnet or in various stages of testnets. If they hit their timelines, Zero Knowledge Proofs could be one of the breakout technologies of 2023.
Today, we’re going to go deep on one of the most promising companies in the zero-knowledge space: Aleo. Aleo is a L1 blockchain that uses zero-knowledge proofs to let developers build private-by-default applications. Its developers view zk-powered blockchains as the third wave. First, there was Bitcoin. Then, there was Ethereum. Now, there’s Aleo.
This essay is a Sponsored Deep Dive. While the piece is sponsored, these are all my real and genuine views – there’s no perfect blockchain; it’s all about making the right trade-offs to serve the target audience and use cases. I expect to write about other L1s and L2s, including zk Rollups, in the future. I am a maximalist minimalist.
You can read more about how I choose which companies to do deep dives on, and how I write them here.
Please, please for the love of God note that this is not investment advice. Aleo doesn’t have a token live, but it will at some point. When that time comes: please do not look back at this piece as investment advice. I am a terrible trader. This is a sponsored piece. a16z, where I’m an advisor, is an investor in Aleo. I have no idea where Aleo Credits will be priced when trading starts. I’m just fascinated by the technology and the potential applications of zero-knowledge proofs.
K? Let’s get to it.
Aleo: Can You Keep A Secret?
Imagine a Bizarro Internet that’s exactly like the internet you use today except for one detail: everything you do, send, or store on this Bizarro Internet is totally public.
When you buy a new pair of underwear on Amazon, your purchase is posted to a website that anyone with the desire and some basic skills can search.
Your balance at Bank of America is right there, too, for anyone to see.
You saddle up to the online poker table only to realize that you can see everyone’s cards… and they can see yours. This game sucks.
You message your wife and tell her you’ll be up for dinner soon and, of course, anyone who wants to see that you messaged your wife can.
Before you forget, you schedule a doctor’s appointment to get that thing checked out, and fill out an intake form online and, you guessed it, now anyone can peep that form in all its gory detail.
This Bizarro Internet would be practically unusable for anything besides public forums and showing off things that you don’t mind if other people see.
This Bizarro Internet is web3 as it stands today.
For most of the applications built on web3 to date, that level of transparency is fine, and even novel and good. If you own a CryptoPunk, you want people to know that you own a CryptoPunk. If you’re trading on a DEX, you’re mostly fine with people knowing what you bought and when. If you’re casting on Farcaster, you want that to be public anyway.
But that’s a bit circular. The web3 products built to date are almost definitionally the ones for which privacy isn’t a big deal. Zoom out to the broader internet, and you’ll find privacy at the core of every product that touches money or personal information.
If web3 is going to grow beyond these early experiments, and if decentralized networks are going to come to replace more centralized services, adding in a bit of privacy would be helpful.
That’s where Zero-Knowledge Proofs (ZKPs) come in.
A zero-knowledge proof is a type of cryptographic protocol that allows one party (the Prover) to prove to another party (the Verifier) that they know a certain piece of information, without revealing any information about the actual content of that information.
ZKPs are a way to prove that you know something, own something, or have done something without revealing any information about that something. They’re a valuable primacy primitive that were too theoretical and expensive for practical use until very recently.
As people survey the crypto wreckage, zero-knowledge proofs are a bright spot. Good bubbles leave infrastructure in their wake for the next wave to build upon, and ZKPs seem to be a treasure in the bubble’s rubble.
Zero-knowledge proofs are both a generally useful tool, and a tool tailor-made to help avoid the kind of fraud perpetrated by FTX.
Under the charmingly awkward title Having a safe CEX, Vitalik sketched out some ideas around a 2015 concept from Dan Boneh’s team at Stanford called Proof of Solvency, a way for centralized exchanges to prove that they have the funds to pay back their depositors without revealing any sensitive or proprietary information.
At the core of the proposed architecture sit zkSNARKs (short for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), a specific type of ZKP. This is how Vitalik introduced ZK-SNARKs:
ZK-SNARKs are a powerful technology. ZK-SNARKs may be to cryptography what transformers are to AI: a general-purpose technology that is so powerful that it will completely steamroll a whole bunch of application-specific techniques for a whole bunch of problems that were developed in the decades prior.
One more time for those in the back: “ZK-SNARKs may be to cryptography what transformers are to AI.”
That’s a big statement. If you’ve been living under a rock, there’s something of an AI renaissance underfoot. At the heart of all of the insane progress being made is a new architecture: transformers. (Anton explains here)
For blockchains specifically, ZKPs have two useful applications: scalability and privacy.
Together, those features mean that ZKPs let blockchains approach the performance of centralized services, and exceed their security and privacy, while maintaining the benefits of decentralization.
There are no free lunches, of course, and that comes with a trade-off. Here, the biggest trade-off is the cost of privacy. It’s historically been more expensive to generate a ZKP than to just run the computation natively, as ZKPs require more complex and computationally expensive mathematical operations, and because they rely on more specialized hardware.
By building a private-by-default L1, Aleo is making the bet that there’s enough demand from developers who are willing to pay a higher cost to build privacy into their applications, until they can shrink the cost. The team is working to grow demand by “commoditizing its complement,” specifically hardware optimized to solve zero-knowledge proofs quickly and cheaply.
ZKPs are simultaneously incredibly complex to understand at a technical level (like, way beyond my abilities) and simple to understand at the usefulness level. They mean faster blockchains and applications that are open and private. As a testament to their flexibility, zero-knowledge proofs are invoked as a solution to both too little transparency (i.e. FTX → Proof of Solvency) and too much transparency (i.e. the fact that, without them, everyone knows your full on-chain balance and transaction history).
Zero-knowledge proofs will play a major role in the future of crypto, and potentially, in the future of the internet. They were really hard to figure out, but now that they have been, they provide solutions that are strictly superior to the alternatives. How, exactly, they’ll be implemented is still up for debate.
One approach is to build zkRollups on top of existing L1 blockchains, like Ethereum. Leading players like Matter Labs (zkSync), Starkware, and Aztec are taking this approach.
Another is to start from scratch and build new L1s with scaling and privacy baked in at the base layer. That’s what Aleo is doing.
Aleo was initially conceived as an L2 on Ethereum, but ZKPs on Ethereum are larger – they have to consume the full state of the application – and Ethereum doesn’t support SNARK-friendly primitives – hash functions and elliptic curves – so the team rewrote the plan and decided to build its own L1 in order to deliver cheaper ZKPs.
Aleo is taking the most radical approach to building a zero-knowledge-based blockchain from the ground up. Instead of building an EVM-compatible chain on which developers can build apps in the familiar Solidity programming language, it created its own virtual machine, snarkVM, and programming language, Leo. Instead of relying on existing consensus mechanisms like Proof of Work (PoW) or Proof of Stake (PoS), it uses a combo of both, with a useful tweak on PoW called Proof of Succinct Work. The result should be ZKPs that are far cheaper on Aleo than they could be on top of Ethereum.
The bet it’s making is that developers will be willing to learn new tricks in order to acquire scaling and privacy superpowers.
It’s a bet that requires you to believe that not only will ZKPs be a nice feature, but that they’re foundational to a third way to build blockchains:
Wave 1: Bitcoin
Wave 2: Ethereum
Wave 3: Aleo
Understanding why Aleo is making that bet is a great way to explore the details and implications of zero-knowledge proof technology. So today, we’ll go deep on zero-knowledge, Aleo, and the future of the internet:
Zero-Knowledge Refresher
Zero Knowledge, Many Applications
From Berkeley to Blockchain
DIZK & Zexe
Aleo: Private by Default
How Aleo Works
Commoditize Your Complements: AleoBFT & ZPrize
The Zero-Knowledge Landscape
Aleonomics
Risks & Regulation
The Decade of Zero Knowledge
Now it’s time to melt our brains a little bit by diving back into zero-knowledge proofs, just in case you’ve gotten a little rusty since Jill and I wrote about them twenty months ago.
Zero-Knowledge Refresher
Zero-knowledge proofs are a fancy bit of cryptography that allows one party (the Prover) to prove to another party (the Verifier) that it knows something, without revealing any information about that thing. They let someone prove that they know a secret without giving up any information about that secret.
Those secrets can take many forms, from passwords to positions on a Battleship board to dollars in a bank account. In Zero Knowledge, Jill and I used a toy example: me proving that I have enough money to lease an apartment without giving the real estate agent my bank records and financial history.
Not Boring x Jill Carlson, Zero Knowledge
That ZKP box in the image is doing a lot of work. What’s going on in there?
There are a bunch of different ways to explain how ZKPs work without going into the “moon math.” In Zero Knowledge, we used the “Color Blind Friend” example.
My color blind friend and I are looking at balls on a table that are identical except that one is red and the other green. He is not sure that he believes me when I tell him they are two different colors. We decide to establish that they are, in fact, different colors by playing a game:
I give him the two balls to hide behind his back.
He takes one ball out and shows it to me.
Then he puts this ball back behind his back, withdraws his hand again, shows me a ball and asks, “Did I switch the balls?”
If we repeat this game enough times, and if I answer correctly every time, then I will demonstrate to him that the balls are almost certainly two different colors. Importantly, here, I have proven this to him without revealing any other information. Perhaps frustratingly for him, he still doesn’t know which ball is red and which ball is green.
Instead of our colorblind friend and two balls, we can use a “3-coloring puzzle.” The goal is to color the nodes on this graph with three different colors such that no adjacent nodes have the same color.
Like this:
Now for the ZKP. The Prover, the one who did the 3-coloring, puts bowls on top of each of the nodes, while the Verifier is out of the room.
The Verifier comes back in the room and picks an edge, any edge. The Prover needs to pick up the two bowls on top of the nodes on that edge.
So far, so good. The two adjacent balls are different colors. Now, we repeat this a bunch of times, over and over, with the Verifier stepping out and the Prover rearranging the balls each time. Imagine doing this millions of times (the Prover and Verifier move very quickly.) Each time, the Verifier picks an edge and lifts up the bowls, and voila: two different colors.
This game reveals two key properties of zero-knowledge proofs:
Soundness: if the Prover is cheating, the Verifier should be able to catch them. If the Prover didn’t really know the 3-coloring solution, then during at least one of the rounds, the Verifier will choose an edge and find two balls of the same color.
Zero-Knowledgeness: the Verifier shouldn’t learn anything about the 3-coloring, the full puzzle, which we achieve by running the game millions of times. From Mina, “anything that Verifier might have learned in one round is not relevant in the subsequent rounds, since whatever Verifier viewed can be simulated by just picking two random, but differently-colored balls in each round.”
When you actually run a ZKP, there aren’t little people running around putting balls behind their backs or putting bowls on balls, it’s all happening with complex math, elliptic curves, circuits, and specialized hardware that’s all beyond my comprehension. For a wordcel like me, these little games are useful in helping understand ZKPs enough to get the concepts, even though it would take years of studying to understand them well enough to create myself.
Anyway, ZKPs let you do a bunch of things that are really useful, on blockchains or in everyday life. They’re a cryptographic technology that can be applied beyond crypto.
In the apartment leasing example, I essentially hook up my bank account to a ZKP system, and it creates a proof based on the number in there that lets the agent know I’m in the right financial range without learning how much I’m actually worth.
Or I might log in to a website by creating a proof on my local device that I know the password, and sending that proof in place of the password to the site I’m trying to log into. No blockchain required, security enhanced. As a16z crypto GP Ali Yahya, who invested in Aleo, put it, “In security, it’s typically easier to attack than it is to defend. ZKPs have the opposite dynamic: they make it easier to defend than attack.”
Truly understanding ZKPs takes huge brains and years of study. For now, we have a lot to cover in this piece, so if you want to go deeper but still accessible, read Zero Knowledge. If you want to go really, really deep on ZKPs, a16z crypto has you covered with the Zero Knowledge Canon. And if you get all excited about ZKPs reading this, you can stay up to date with developments by listening to the Zero Knowledge Podcast. For our purposes, you’re all set.
Now we can move to the question on everyone’s mind: the use cases.
Zero Knowledge, Many Applications
Does your brain hurt yet? My brain hurts a little. So why do all of that? What do ZKPs allow you to do that you couldn’t do otherwise? What are the use cases?
I had this section later in the piece in an earlier draft, but Dan rightly suggested bringing it up top because privacy isn’t an obviously valuable value proposition.
Sure, privacy is a nice-to-have, and sure, people say they want more privacy online, and sure, regulations like GDPR and CCPA are meant to give consumers more privacy, but when it really comes down to it, are people willing to do anything differently to protect their privacy? Even simply clicking out of those GDPR-mandated popups is annoying.
To believe that ZKPs are useful, you need to believe that privacy is useful. And to believe that privacy is useful, I think, you need to re-frame the way you view privacy from “Doing the same things I do now but with more hassle so maybe Zuck knows less about me” to “Woah, there are actually a bunch of things that I can’t do now that only work with better privacy primitives.”
The goal of this section is to help with that re-framing.
Zero-knowledge proofs are useful in a wide range of applications, from obvious ones like finance to less intuitive ones like machine learning, identity, AI, voting, and gaming. And they’re critical to the future of web3. The more I dig in, the more I believe that the only way web3 scales to billions of users and “real-world” applications is by using ZKPs to turn the Bizarro Internet right side up.
Let’s go over a few of the potential applications, starting with web3 and then branching out into the wider web.
Decentralized Finance (“DeFi”)
Privacy is critical to traditional finance.
Your Chase account is private. Payments from businesses to their vendors are private. Hedge funds go to great lengths to keep details of their trades private. Switzerland is one of the richest countries in the world largely because it’s so skilled at keeping finance private.
There are a number of issues holding Decentralized Finance back – it can be scary, risky, unintuitive, and overcollateralized – but one of the biggest is the simple fact that DeFi is not private.
Anyone who knows your wallet address knows how much you hold. Payments from one wallet to another – person-to-person, business-to-business, and everything in between – are public and live permanently on-chain. Your trades on DEXes are easily front-run. DeFi’s full transparency is both a feature and a bug.
It’s a bug in that full transparency makes normal people and businesses uncomfortable. It’s going to be hard to get people to begin receiving their paycheck directly into their crypto wallet, let alone keep their full net worth in their crypto wallets, when anyone can see how much they make and how much they’re worth.
And as cool as it would be to pay for everything you need by connecting your wallet, most people don’t want their transaction history to live on the internet, for all to see. But in order to pay for things, invest in things, and borrow money, people need to prove that they actually have, can send, or can borrow as much as they need to have, send or borrow.
Going through traditional financial institutions is one way to fix this, and traditional financial institutions are pretty good, honestly. But if you believe that DeFi can build a better financial system, then you need a way to match, and even exceed, traditional financial institutions on privacy. Enter ZKPs.
ZKPs allow people to prove that they have as much money as they need to have for a particular thing without revealing how much money they have in total, and fully private ZKPs, like on Aleo, allow people to complete transactions without sharing any details of those transactions, including that they happened at all. Using ZKPs, I can shop online, send money to a friend, trade on a DEX, or take out a loan without announcing those things to the world.
That’s important for individual participation in DeFi, broadly defined, but it’s even more important for businesses. Businesses need to keep their supplier and customer relationships private, and can’t make all of their transactions public. To the extent that businesses and individuals see value in DeFi – from borrowing to sending programmed payments with stablecoins – they’ll prefer solutions that keep their specifics private.
The need for privacy will become more acute as crypto entrepreneurs work to bring “real-world assets” online and connect the traditional and decentralized financial systems. As one example, on-chain securitization seems to make a lot more sense when you can cryptographically prove things about a basket of loans without exposing all of the details of the underlying loans.
There are a number of other reasons that certain parts of DeFi work better when people have the option to keep their private information private. Proof of Solvency, which we discussed above, is one very timely application. The Zexe paper covers private DEXes and private stablecoins as two more examples. But it should be self-evident that the financial corners of the Bizarro Internet will remain Bizarro and small until privacy-preserving tools are more widespread, so we can move on.
Gaming
Recall that game of Poker at the Bizarro Internet Casino. Everyone can see everyone else’s cards. There’s no point in playing.
Creepy Image Courtesy of Stable Diffusion
ZKPs would allow you to play on-chain poker by holding everyone accountable off-chain, including the house. Online gambling is a ~$50+ billion market, and anyone who’s ever played has had the feeling at some point that they weren’t being dealt fair cards. ZKPs could fix that.
Beyond gambling, there are simple games like Battleship in which privacy is required that don’t make sense in today’s web3 but could with ZKPs.
One step further, as richer games come on-chain, ZKPs could power MMORPGs and other games that require players’ locations to be hidden from each other, a feature known as “fog of war.” Megapopular “incomplete information” games like StarCraft and EVE Online fall into this category.
More interestingly, widespread and cheap ZKPs can enable entirely new types of games on-chain. The most popular fully on-chain game to date, Dark Forest (inspired by the book), uses zkSNARKs to hide players’ locations from each other. This excellent MIT Technology Review piece on Dark Forest goes in-depth on how the game’s creator leveraged ZK and blockchain technology to build a game that he otherwise wouldn’t have been able to.
Dark Forest via DFWiki via MIT Technology Review
The first paragraph in the blog post announcing Dark Forest in August 2020 was all about ZK:
Applied zero-knowledge (ZK) cryptography on Ethereum has advanced by leaps and bounds in the last eighteen months. New tools like iden3’s SnarkJS have for the first time enabled efficient, in-browser ZK proving and verification. These recent advancements in applied zkSNARK technology have allowed us to build Dark Forest: a fully decentralized and persistent RTS (real-time strategy) game.
Dark Forest was built on top of Ethereum with older generation zkSNARKs and hardware. As Aleo and others bring down the cost and increase the accessibility of zkSNARKs, there will likely be many more creative experiments building games that could only be built with them.
Federated Learning
OK, OK, that’s just crypto stuff though. What if I don’t care about DeFi or bringing games on-chain?
One of the most fascinating ideas for the application of ZKPs to something “real-world useful” comes from Federated Learning.
Federated Learning is a machine learning technique that allows multiple devices, such as smartphones or IoT sensors, to train a shared model without sharing their data with a central server. It allows for the collection of a large, decentralized dataset without compromising the privacy of the individual data sources.
While there are many potential approaches to Federated Learning (see Nicole Ruiz’s The Future is Federated (Learning) here), ZKPs are a promising solution.
One of the most exciting applications of ZKPs in Federated Learning is in healthcare research. Currently, healthcare data is siloed across the institutions that run trials and experiments, and patients’ Electronic Healthcare Records (EHRs) are siloed with their providers. There’s no easy way for researchers to access all of that rich data without violating HIPAA, which means that we’re undoubtedly missing out on discoveries that could save lives.
With ZKPs, people could opt-in to share their data for large-scale research studies, or healthcare organizations could opt-in to share patient or study participants’ data with each other, with all of the identifying information stripped away and anonymized. The model would essentially reach out to all of the different endpoints and ask questions of the data, get a proof of the information they’re requesting without getting the information itself, and train on a much larger and richer dataset than would otherwise be possible.
That’s just one example, and it’s early, but it’s easy to imagine many more examples in which you might want to contribute your data in exchange for payment or access to the output of a model without giving up any of your actual information.
Identity
Speaking of personal information, ZKPs can be used in creating more identity products that allow people to verify information about themselves without doxxing themselves.
For example, you could imagine a Decentralized Identity (DID) solution that would allow people to submit their driver’s license, passport, background check, credit score, and other sensitive information using ZKPs to confirm that certain things are true without revealing any information about themselves.
This might be useful in a web3 context, like passing KYC checks without revealing all of your personal information, but might also be useful beyond web3, like proving that you are a citizen of a country without revealing anything else about yourself. Think about registering for a visa or buying a SIM card in a foreign country. You need to upload your passport every time! There’s gotta be a safer way. Keeping all of this information in one DID or online passport, securely, would make transacting online and abroad a much smoother and safer experience.
Separately, companies like Worldcoin are using ZKPs to let people prove that they’re human without giving up any of their information. When Worldcoin launched, there was a lot of hand-wringing about its approach – scanning peoples’ irises to mint their unique identity – and worries that it was building up a collection of Irises that it would use to… take over the world or something. In this case, ZKPs ensure that Worldcoin can verify that each person has only registered once without touching or storing any of their personal information, including iris scans.
Voting
Speaking of government-issued documents, election integrity is a hot button issue, let’s hit it!
Zero-knowledge proofs could be used to improve the voting process in a three ways:
Online Voting. ZKPs could enable secure online voting by allowing people to cast their vote without worrying about revealing their identity or having their vote leaked, while giving governments proof that they are who they say they are, have only voted once, and more.
Verification. ZKPs could be used to verify the authenticity of votes without revealing the vote itself or the identity of the voter. Might be useful if any sitting President were to baselessly challenge the results of a democratic election, as one random example.
Anonymity. ZKPs could allow voters to cast their ballots without revealing their identities to anyone. This could help to prevent vote buying and other forms of electoral corruption, and could also provide greater assurances of privacy for voters. Of course, the nations in which corruption is most likely are probably least likely to adopt this type of system, but more democratic nations could adopt the technology first.
In this case, the challenge with adoption will be institutional more than it is technological now that the tools are available. It’s likely that these techniques will be adopted and battle tested outside of governments – say in DAO voting – long before governments adopt them.
Artificial Intelligence
Finally, I’d be remiss if I didn’t speculate a little bit about AI here. This one is somewhat related to the Federated Learning example, but I want to address some different points.
Deep Fake Detection. In The Dawn of Mediocre Computing, Venkatesh Rao called crypto and AI yin and yang, writing, “AIs can be used to generate “deep fakes” while cryptographic techniques can be used to reliably authenticate things against such fakery.” I think he’s talking about ZKPs. As it gets easier and easier to fake images and even videos, the need for ways to prove that an image is authentic is becoming more acute. One approach to help here might be to create cameras that cryptographically sign images. If the image is altered, the signature disappears.
Data Integrity. A similar approach could be applied beyond images to any document or dataset online. ZKPs can be used to prove that a certain version of the document hasn’t been tampered with, or that the dataset consists of the data it says it does, without revealing the contents of the dataset itself, which may be proprietary.
Code Validation. Many of the models powering AI – like GPT-3 – are proprietary, very expensive to train, and very valuable. It makes sense that OpenAI wouldn’t want to give anyone access to their model, but at the same time, we’re putting a lot of trust in OpenAI. ZKPs might allow OpenAI and others to prove that the model does certain things without sharing the full source code.
Separately, to the extent that running AI models on-chain is useful – and I think that decentralized governance of models will be, at least – ZKPs make it practical for the first time. Given Aleo’s structure, for example, a model could run off-chain for however long it needs to run, and then send proofs of the outputs down to the chain. Running a large model on Ethereum or another traditional L1 wouldn’t be possible.
Certain of the applications we’ve covered could be done without ZKPs, using some other method. I wrote about how Evervault helps companies deal with PII, for example. Footprint is building one-click KYC using different cryptography, for another. And there are multiple approaches to federated learning being pursued, as a third.
On the other hand, those are just a handful of the use cases I and people I talked to could come up with. If the history of open systems has taught us anything, they’re just scratching the surface. If the goal is to flip the model of the internet to one in which people opt-in with their data, social media products seem like a good target for further exploration, but there are many others.
When I asked Ali for his thoughts on potential applications, he made a broader point:
The kinds of things we can build on blockchains is more limited than we think because everything has to be fully public, and it’s hard to imagine the extent to which that’s true,” he told me. We’ll be surprised, the same way we were surprised by what could be done with smart contracts initially.
Beyond the specific use cases we’ve discussed, zero-knowledge proofs’ biggest proponents believe that they hold the potential to rewire the internet, to build privacy into everything we do online and put people in control of their data. We’re really only twenty or so years into the life of the consumer internet, and it’s clear that there are, uhhhh, areas for improvement.
Baking privacy into the infrastructure of the internet doesn’t mean living in a Dark Forest in which no one knows anything about anyone else; it means letting people choose what to share and what to keep private, like we do offline.
The most useful way I’ve found to think about crypto done right is that it gives digital assets physical properties with digital superpowers. Bitcoin behaves like gold, but can be stored and transferred more easily. NFTs can behave like unique goods with lower storage costs, programmability, and composability. I think ZKPs can do the same thing for information, locking it in a secure filing cabinet at home without the dead trees and with seamless connection to the broader internet, as-needed.
If zero-knowledge proofs can become cheap and ubiquitous enough, they hold the potential to bake privacy into everything we do online, flipping the data sharing paradigm from “opt-out-with-a-lot-of-headache” to “opt-in simply.” As even more information comes online, and as it becomes harder to tell what to trust, ZKPs could help fix problems we can’t quite imagine today.
That’s the vision of the world that attracted Howard Wu to ZKPs.
From Berkeley to Blockchain
Howard Wu’s story begins like many crypto entrepreneurs’ stories begin: with youthful entrepreneurship and Bitcoin mining.
Howard first scratched his entrepreneurial itch in high school, when he made his first money online by setting up an eBay store to sell custom PCs. When he read an article that mentioned Bitcoin in 2011, he discovered another way to monetize his custom rig skills and started mining. That was a good time to mine Bitcoin: “At $0.10, I was breakeven. If the price went back to $0.30, it would be super profitable,” he recalled. Spoiler: the price did indeed break $0.30.
Source: CoinMarketCap
I couldn’t find a price chart that goes back to when Howard started mining. CoinMarketCap’s begins in April 2013, at which point Bitcoin was already trading at $134, or 1,340x higher than Howard’s breakeven price. By that point, though, something else had started happening that captured Howard’s attention more than the price: other coins started popping up.
Litecoin, Namecoin, Peercoin, Ripple, Dogecoin, Gridcoin, Primecoin, NXT. By 2013, each of these coins existed, each with its own unique twist on how to use a blockchain to do something new. Howard started reading the whitepapers, studying the protocols, and learning about concepts like consensus and decentralization. Then a freshman at UC Berkeley, studying computer science and applied mathematics, Howard decided to focus his research on the emerging crypto space, working with a professor there to write papers on Proof of Stake and Proof of Lapsed Time.
Howard started his foray into programmable blockchains as an Ethereum developer, learning Solidity and contributing cryptographic libraries to the ecosystem. Soon, though, after stumbling on a mention of ZKPs in a professor’s bio, Howard found a new love.
From that point forward, looking back, everything he did built towards what Aleo would become.
At Berkeley, where he also helped start what is now one of the top college blockchain clubs, Howard began to work with Professor Alessandro Chiesa, who would go on to co-invent Zerocash and co-found Zcash and StarkWare. The two teamed up on libsnark, the first popular library for zkSNARKs (in C++). Among the first public repositories that Howard created on Github, back in 2017, were a zcash wallet and a libsnark tutorial, cementing his status as a zkOG.
github.com/howardwu
After school, Howard spent a year at Google working on distributed systems, but was soon drawn back to Berkeley, where he pursued his masters in Electrical Engineering and Computer Sciences, focused on zero-knowledge proofs.
That experience, combined with natural ability, cemented Howard’s status as, in Kora Management’s Daniel Jacobs’ words, “One of the leading lights of ZKs and a few standard deviations from normal, in a good way.”
The proof is in the papers. At Berkeley, alongside Chiesa and others, he worked on two papers that would prove foundational for the zero-knowledge space, and for Aleo: DIZK and Zexe.
DIZK & Zexe
DIZK and Zexe were two huge steps towards Aleo, even though Aleo wasn’t even a twinkle in Howard’s eye at that point.
Simply put, DIZK created a system to distribute ZKP generation across machines to scale and speed up computations possible with SNARKs, while Zexe took DIZK a step further, enabling full privacy and increased scalability.
DIZK & Zexe Papers
Let’s dig into each.
Before DIZK, zkSNARKs were already in use in the wild in systems like Zcash, but proving was a monolithic process running on a single machine, and was limited by the memory of the machines on which provers ran. If you think of a zkSNARK like a circuit, pre-DIZK systems “could only support statements of up to 10-20 million gates, at a cost of more than 1 ms per gate.” While 10 million gates sounds like a lot, evidently, it isn’t, and the number of gates limited both the types of applications that could be run with zkSNARKs and the speed with which they could be run. The speed, 1 ms per gate, meant that to run a computation using 10 million gates would take nearly three hours. It was too limited and slow for practical use beyond smaller programs, like sending Zcash.
distributes the execution of a zkSNARK across a compute cluster, thus enabling it to leverage the aggregated cluster’s memory and computation resources. This allows DIZK to support circuits with billions of gates (100× larger than prior art) at a cost of 10 µs per gate (100× faster than prior art).
While the authors conceded that DIZK still had serious limitations – “its overhead is still prohibitive for many practical applications” – they were encouraged by the pace of progress in the space, writing that “the recent progress on zkSNARKs has been nothing short of spectacular, which makes us optimistic that future advancements will address these challenges.”
That’s worth pausing on for a second. Recall Joe Weisenthal’s observation that bubbles “often leave behind productive infrastructure in their wake.” In the case of crypto, advances in zkSNARKs, and ZKPs more generally, are an example of that productive infrastructure. A technology understood to be useful but largely limited to the confines of academic cryptographic research for nearly forty years, ZKPs have attracted more bright minds and dollars in the past five years than in the previous three decades. Jill and I wrote a whole section in our piece, titled “The Upside of Hype,” explaining this phenomenon.
But as we’re learning again, when the hype fades, it’s important to have real use cases to show for the work. To that end, the paper went through two examples of practical applications made possible by DIZK: proving the authenticity of edited photos and the integrity of machine learning models. As advances in AI have made deep fakes trivial, and have brought us to rely increasingly on machine learning models, those use cases are massively more important today than they were just four years ago.
DIZK represented an orders-of-magnitude improvement in scalability, but there were still a couple of issues:
It wasn’t scalable enough to run many of the applications we take for granted.
It didn’t provide full privacy.
Zexe: Enabling Decentralized Private Computation, published in 2020, addressed those issues, and related issues with blockchains more generally. We’re going deep here, but it’s important, so stick with me. Zexe provides solutions to the scalability and privacy problems inherent in previous blockchains, including prior ZKP work.
Scalability. In the paper, they call it “Succinctness,” writing, “a transaction can be validated in time that is independent of the cost of the offline computation whose correctness it attests to.”
Explaining this concept on the Zero Knowledge Podcast, Howard said that when people talk about scalability, they’re typically talking about transactions per second (TPS), but what Zexe cared most about was the size of applications that can run on the protocol, or application runtime. “On Ethereum, with 10 second block times and gas, applications can only run for so long,” he said. “Zexe gets around it by performing application runtimes off-chain and just verifying proofs on-chain.”
Instead of re-executing transactions, which could be all different sizes based on the application running, verifiers check the output and the proof and know that the transaction was correct.
This improves scalability because it allows miners to spend less time checking every execution, and because every execution takes the same time to check. (This is why Aleo doesn’t need gas like Ethereum does – I’ll explain in a bit, don’t worry.) It also means the ability to fit far more transactions into a single block and applications that can run far longer than a typical on-chain application while maintaining the ability to ensure the validity of the outputs.
As Alex put it to me, “It’s using math to put a gun to your head off-chain.”
Privacy. Before Zexe, the options were no privacy (Bitcoin, Ethereum, etc…) or data privacy (Zcash), but no option provided function privacy. What does that mean?
There are two layers of privacy: data privacy and function privacy.
Data privacy means that only the people involved in a transaction should know the specifics of the transaction, like the amount being sent in a transaction or the addresses involved. But with data privacy, people do know that a transaction has occurred with a specific token or that a particular application has been used.
Function privacy means that the application or token used also is not known to the public. This is pretty much the way the regular internet works. If I wire someone money using Chase, the public obviously doesn’t know that I sent that person money or how much I sent, but they also don’t know that there was a wire sent in USD from a Chase account. That’s the type of privacy that Zexe enables.
Zexe was a breakthrough in the practicality and usefulness of using zero-knowledge proofs in blockchains, but it was still an academic exercise.
Meanwhile, Howard had co-founded a venture capital firm focused on privacy-preserving technologies, Dekrypt Capital, alongside Jonathan Allen, Jack Baumruk, and Ronen Kirsch. Dekrypt funded projects like Matter Labs, the company behind the ZK L2 zkSync, and O (1) Labs, creators of the Mina Protocol.
At Dekrypt, Howard tried to fund teams to build based on Zexe, as he explained on the Zero Knowledge Podcast: “In my role as a VC, we tried finding teams to commercialize Zexe and one of the challenges we found is that finding good pairs of people is very difficult for this technology.”
The challenge was, you needed both someone on the business side who could create the business model and develop the ecosystem and one of a handful of people in the world who understood Zexe well enough to not only build with it, but also build a set of tools to allow any developer to build with it.
Turns out, even though he wasn’t planning on building it himself, Howard was the perfect person to build a Zexe-based protocol on the developer side, and after a push from his team at Dekrypt, he decided to do it.
Enter: Aleo.
Aleo: The Private-by-Default Blockchain
One way to categorize blockchains is on two axes: privacy and programmability.
When Howard surveyed the landscape, he saw compelling blockchains in each category…
Low Privacy, Low Programmability: Bitcoin
High Privacy, Low Programmability: Zcash
Low Privacy, High Programmability: Ethereum
… except one: High Privacy, High Programmability. That was Aleo’s opportunity. The ability to have applications that were both private and programmable is why he began researching Zexe in the first place.
Why did Howard care about private and programmable blockchains? To fix the internet.
The question he asked, as he told the Zero Knowledge Podcast, was: “How can you provide users with experiences that are truly private while providing service providers with the right information to serve them well?”
The way the internet works today, for the most part, is that we exchange our personal data for free services, and services in turn use that data to convince advertisers to pay them to run ads. “If you’re not paying for the product, you are the product,” and all that. Howard describes that model as “incentive-incompatible” and thinks that there are far more clever models we can tap into.
The challenge is, the internet, again for the most part, is pretty great. And people love free stuff a lot more than they love paying for stuff. But Howard noticed that freedom on the internet was decreasing alongside quality and user experience. If you think about your experience on Twitter or Facebook or even Google, it’s hard to disagree with him. Correlation is not causation, but teens were happier before social media, when the internet sucked less and it was harder for a million people to yell at you for wrongthink or even just for looking the way you look.
But Howard also didn’t think that the blockchain industry was doing much to fix the problem, opining that crypto companies were building “solutions in search of problems.”
Instead, he said, he started from the user experience and worked backwards. What if you could separate data that should be private from data that should be public? What if you could allow services to get the data they need, but only with permission from users? What if you could change the business model of the web?
To Howard, the ability to do all of those things required a new architecture, integrated with the existing internet. He wanted to build an internet on which services live on the client side (i.e. with the user) and instead of sending all your data to a centralized service, services would send transparent algorithms to you that you would run on your device, using the data you grant access to.
This architecture would benefit both sides:
Users are no longer forced to give up all of their data to use internet services.
Providers don’t need to manage the risk and reporting requirements of storing user data.
In other words, instead of being open-by-default, applications built on this architecture would be “private-by-default.”
That model isn’t really possible given how the internet was built and has evolved, so in 2019, he put together a small team of four co-founders – himself, Raymond Chu, Collin Chin, and Michael Beller – and started building Aleo.
Building a new L1 from the ground up is a really hard thing to do, so initially, the team looked into a bunch of different options, starting with building an L2 on top of Ethereum. As they dug in, however, they realized that they wouldn’t be able to build full privacy on top of a blockchain that wasn’t built for zero-knowledge proofs.
“You’re bounded by the L1 you’re based on,” Howard told me when I asked about the decision. “Ethereum doesn’t use hash functions that are SNARK and ZK-friendly, and in order to emulate them in a SNARK is slow. You pay a 10-100x cost factor to be compatible.”
Specifically, as Alex described it to me, implementing Zexe on Ethereum is both impossible and impractical.
Impossible. Zexe uses a record model, which treats transactions as the atomic unit and doesn’t require the storage of all transaction history for each account. Ethereum uses an account model, which treats each address as the atomic unit and does require the storage of all transaction history for each account. (There are more details, ask ChatGPT if you’re curious.) The challenge is, Ethereum’s account model doesn’t reconcile with Zexe’s record model, and without the record model, you can’t really have privacy without using a mixer like Tornado Cash does. (Fun fact: this is why Aztec, Starkware, and zkSync point to the L3 layer for privacy.)
Impractical. Because of the lack of SNARK-friendly hash functions, elliptic curves, and other primitives on Ethereum, the cost to verify a proof on-chain can be very high. Because costs are high, it only makes sense to do verification and settlement at longer intervals. So while zkRollups and zkEVMs can scale Ethereum at the execution level, the scaling benefits are less pronounced when taking settlement into account. The Aleo team wanted to scale both execution and settlement, so Ethereum was out. (Jumping ahead, on Aleo, transactions settle every block, so every 15 seconds.)
Alas, Aleo would need to build everything from scratch, and the more they took on themselves, the more they needed the other half of the team Howard and Dekrypt identified: the business person who could explain all of the complexity to a broader community, align incentives, and develop an ecosystem.
He found someone who believed in the same things he did, for very different reasons.
Privacy for Liberty
Alex Pruden’s journey to crypto was more circuitous than Howard’s.
Alex isn’t the type of person you think about when you think “crypto bro.” He’s more badass than you are. He’s definitely more badass, and smarter, than I am. I highly recommend watching him share his story here:
After West Point, Alex served as a lieutenant in the U.S. Army, first in Afghanistan, and then as a Special Operator in Iraq, Turkey, Kuwait, and Syria. A series of experiences in the Army, first running a crop diversification program in Afghanistan and then working with Iraqis and Syrian Rebels as a Green Beret, showed him first-hand the value of decentralized, trustless systems.
Specifically, he recalls a story of a Syrian doctor who one day found his bank account frozen as a “suspected Rebel sympathizer” and gathered his family to flee to Turkey. On his way out of the country, at a checkpoint, he had to give up his and his family’s passports to Syrian soldiers, and finally crossed the border illegally (because he gave up his documents). Once in Turkey, his family moved into a refugee camp, where the doctor realized that he had no access to money, no identity, and therefore no way to rebuild his life for his family. Multiply his story by millions, and that’s the situation Alex saw in the Middle East.
When Alex returned home and reflected on his experience, he traced many of the issues he saw back to the lack of economic opportunity and trusted institutions in the region. Around that time, he read the Bitcoin Whitepaper and found a potential solution to very real problems.
What if Dr. Hussein and the millions like him had bitcoin instead of a bank account in Syria? What if they had their identity documents saved to a public blockchain instead of carrying them in their pocket? Well, they could have crossed the border and started all over again, without having to rely on the charity of others to make ends meet and to get them through that terrible situation they were already facing.
And Liberty is not something that’s just for the people of Syria who were suffering in the refugee crisis. It is the most fundamentally American political value that I can think of.
When he left the Army in 2017 and attended Stanford GSB for his MBA, he learned everything he could about crypto, studying cryptography, economics, and computer science, and helped found the Stanford Blockchain Club. While there, he interned at Coinbase as the first business intern under COO Emilie Choi, and after school, he joined a16z crypto as a Deal Partner.
Given his experience in corrupt, war-torn countries, countries in which a lack of privacy meant a lack of liberty, it’s no surprise that Alex was drawn to one particular area in crypto more than others: zero-knowledge proofs.
As he dug in, he asked his Stanford cryptography professor, Dan Boneh (the same legend from the Proof of Solvency paper) who he should meet in the ZK space. Boneh told him he had to meet Howard. They met, hit it off, and stayed in touch.
When Alex found out that Howard was starting Aleo, he called him and told him that he wanted to invest. Howard pitched a16z, and according to Alex, the team loved it but ultimately passed because it was too early. After the decision, Alex called Howard to let him know that they were passing, but asked if he might be willing to hire him at Aleo. He was.
Aleo was the project he’d been looking for, and Alex, in turn, was the other part of the team that Howard had been looking for. He joined Aleo as Chief Strategy Officer in November 2020, was promoted to COO in April 2021, and was recently promoted to CEO in August of this year. (And a16z made up for lost time when they led Aleo’s $22.5 million Series A in April 2021.)
Understanding Alex and Howard’s backgrounds is important to understanding what they’re building, and why. It’s also important to understanding why they’re building the way they are, all the way from the ground up, to build the most private programmable blockchain on the market.
How Aleo Works
Aleo wants to fill that empty quadrant as a High Privacy, High Programmability L1 blockchain.
So how’s it going to pull it off? Glad you asked.
Aleo is a decentralized platform that uses its blockchain to verify and store proofs, which are effectively Zexe transactions.
It uses a Bitcoin-like architecture, with a ledger and a record or UTXO (unspent transaction output) model in which inputs specify which address an asset is coming from and outputs specify the address to which an asset is being sent, with a value representing the amount of the asset being sent. Its consensus algorithm is Proof of Work-like, with some key differences. That’s largely where the comparisons end, and where a bunch of new stuff Aleo created comes in.
There are three pieces of Aleo that are different than traditional blockchains that are worth understanding (with links, in case you want to go deeper):
A typical programmable blockchain, like Ethereum, works by executing programs on a virtual machine (“VM”) on-chain that must be run by every node in the network. If you’ve heard of the “EVM” or “EVM-compatible,” that refers to Ethereum’s virtual machine.
One of Aleo’s biggest differences is that zkCloud splits it into two parts: snarkVM is a virtual machine that runs applications off-chain, and sends shielded transactions to the Aleo blockchain, snarkOS. In crypto-speak, it separates execution (snarkVM) from state (snarkOS).
Remember that graphic from the Zexe section? No? OK, I’ll repost it, slightly updated:
There’s one important difference between Zexe and Aleo here. Zexe enables both data privacy and function privacy, whereas Aleo has data privacy but no function privacy. On Aleo, you can’t see a program’s inputs and outputs or the sender and receiver of credits, but you can see which program was interacted with. While Howard was one of the people who came up with a way to guarantee function privacy in the first place, the team felt that focusing on data privacy was the right trade-off to make with Aleo because removing function privacy improves performance while still giving developers the tools to protect privacy.
The idea is similar, though: perform computations off-chain, generate a proof, and send the proof on-chain. In his blog post, Alex likened the relationship between snarkVM and snarkOS to “objects casting shadows: When you see a shadow, you know that something created that shadow, but it is hard to make out details or identify precisely what it is.”
Programs that run off-chain in snarkVM can run for any amount of time. You could, if you were so inclined, run a program that calculates pi to trillions of digits over the course of months as long as a shielded transaction is submitted to snarkOS at the end.
Importantly, this architecture provides a few more key benefits:
Privacy: since only the proofs are on-chain, it’s impossible for anyone (anyone without a currently-infeasible quantum computer, at least) to see transaction details.
Higher Throughput: nodes only verify proofs instead of running programs.
Maintained Security: ZKPs cryptographically guarantee that the program was run correctly or not, removing trust assumptions present with cryptoeconomic guarantees of other L1s and L2s.
This architecture lets Aleo come pretty damn close to cracking the scalability trilemma – it allows Aleo to be decentralized, scalable, and secure – with privacy added in for good measure.
Vitalik Buterin, Why Sharding Is Great, Modified by Me
Of course, there are no free lunches. As mentioned earlier, running private applications is more expensive than running public applications. More crucially for Aleo’s early prospects, building a blockchain on which it expects a lot of developers – all of whom are not as deep in cryptography as Howard – to build private applications required Aleo to create its own programming language.
Programming Language: Leo
Aleo’s goal is for regular web developers to be able to write private applications without having to reason about low-level cryptography.
The challenge was: that was impossible with the languages out there. The most popular languages in crypto, Solidity and Rust, don’t work perfectly for ZKPs, and existing zero-knowledge languages are all math-based. To use them, Howard explained, “you need to know so much advanced math.” As he described it, for Zexe and early work on Aleo, he and the team essentially “wired circuits by hand, in code.”
Essentially, and I am certainly paraphrasing from the blog post here because I am not a zero-knowledge programmer, to construct a zero-knowledge proof, you need a proof system (in Aleo’s case, a SNARK, and more specifically a MARLIN SNARK) and a ZK circuit. Like circuits in your computer with NAND gates that take 0s and 1s as inputs and outputs, ZK circuits use addition and multiplication gates that take numbers between 0 and p as inputs and outputs. Creating a ZK circuit means manually putting all of those gates together – which is what Howard meant by “wiring circuits by hand, in code.”
Writing private applications that way would be something like writing computer applications in 0s and 1s, and layering on a bunch of zero-knowledge knowledge on top. Not practical. There’s a reason software engineers don’t do that anymore – other engineers build languages that abstract away all of that low-level code and let modern engineers write in something that looks a lot more like normal human language. Unfortunately, because we’re “still so early” in ZKPs, nothing like that existed.
(Side note: Starkware, a zk L2, ran into the same issue and created its own programming language, Cairo, in response.)
So again, Aleo decided to build from scratch, or close to it. They surveyed the landscape of domain-specific languages (DSLs), and landed on ZoKrates (pronounced like Socrates), which they forked. They changed the syntax and “developed it to a place where it’s almost unrecognizable.”
Leo is built to look and feel much more like JavaScript, the world’s most popular programming language, than Assembly, any low-level programming language that’s closer to the metal like the circuit-programming horror show we just talked about. If ZKPs are going to infiltrate the fabric of the internet, making it super easy for non-ZK-native developers to incorporate ZKPs is a necessity.
Under the hood, the language is complex, abstracting away circuit-programming, zero-knowledge knowledge, and other low-level concepts, so that above the hood, it’s easier for developers to build private applications.
It takes familiar-looking code like this…
Intro to Leo Programming
and…
constructs the proof circuit that represents the computation you want to run, populates the input wires with the values you want, runs the circuit, generates proving/verifying keys, and then combines all the relevant data into a ZKP.
More simply, it takes the code and produces a proof that you ran your computation correctly, which can be sent down from snarkVM to snarkOS for nodes to verify.
Beyond the language, Aleo also developed a bunch of other tools to make life easy (easier at least?) for developers, including a testing framework and package manager. They bundled it all up in Aleo Studio, the “first IDE (integrated developer environment) for Zero Knowledge proofs.”
Aleo Studio, the First IDE for Zero Knowledge Proofs
Creating a new programming language is a big bet. It’s a bet that the convenience afforded to developers who take the time to learn it and the powers they can get from writing applications that leverage ZKPs is enough to overcome the inertia of existing languages. We’ll come back to this point when we talk about risks.
As a strategy nerd who appreciates good token economics, the piece of Aleo’s model that fascinates me the most is its consensus algorithm: AleoBFT.
Ehhhh… you know what? Let’s just give this idea its own section.
Commoditize Your Complements: AleoBFT & ZPrize
In the annals of Tech Strategy Blog History, one of the all-timers is Joel Spolsky’s 2002 classic, Strategy Letter V. If the name is unfamiliar, the concept he named in it might not be: Commoditize Your Complement.
In the letter, Spolsky explains the seemingly bizarre decision of large, public tech companies to spend a lot of time, money, and resources supporting open source software, which they do not own and from which they do not make any money.
The decision makes more sense when viewed through the lens of microeconomics, specifically the concept of substitutes and complements.
Substitutes are products that can replace each other if the other is unavailable or becomes too expensive. Pepsi is a substitute for Coke. Tea is a substitute for coffee. If you run a business, you want your substitutes to be as unavailable and expensive as possible.
Complements, on the other hand, are products that are typically consumed together. Cars and gasoline are a classic example. Spolsky points out that Netscape open sourced its browser because browsers were a complement to its moneymaker, servers. If you run a business, you want your complements to be as abundant and cheap as possible.
Here’s the money section from Spolsky:
Once again: demand for a product increases when the price of its complements decreases. In general, a company’s strategic interest is going to be to get the price of their complements as low as possible. The lowest theoretically sustainable price would be the “commodity price” — the price that arises when you have a bunch of competitors offering indistinguishable goods.
So:
Smart companies try to commoditize their products’ complements.
If you can do this, demand for your product will increase and you will be able to charge more and make more.
Aside from the useful strategy lesson, why did I just spend 293 words discussing a 2002 blog post?
Because Aleo is running the Commoditize Your Complements playbook on zkSNARK proving to such an extent that it built the strategy into its consensus mechanism. Here’s what I mean.
Roughly, Aleo is more successful the more companies use zkSNARKs in their applications. Because generating proofs is difficult, Aleo’s design allows applications to outsource proof generation to third-party “proving services” who use specialized hardware and software to compute zkSNARKs more quickly, cheaply, and efficiently than an application developer could on some basic CPUs.
Right now, one of the biggest limiting factors to that future is that, even for proving services, “creating a zero-knowledge proof of correct application execution can be *much* more expensive than just directly running the application.” zkSNARK proving is not yet a commodity.
In order for zero-knowledge proofs to become commonplace, and for Aleo to succeed, zkSNARK proving hardware, software, and knowledge need to be commoditized. And Aleo both designed its consensus mechanism and sponsored the ZPrize competition to commoditize proving.
Let’s take a step back and a dive down into the details.
Traditional PoW mining, like Bitcoin, is relatively simplistic, and the hardware is commoditized. Miners grind SHA-256 functions on ASICs and try to plant themselves next to sources of cheap energy to maximize profits. There aren’t many creative ways to gain advantages.
On Aleo, proving requires grinding zkSNARKs, which is a richer design space with more opportunities for sophisticated provers to gain huge advantages. Alex told me that on Aleo’s Testnet 2, “One prover was running something special that no one else had access to and thus they ended up dominating, which is bad for all kinds of reasons including community perception and most importantly, security of the underlying protocol.” Aleo is also different than Bitcoin in that it accepts multiple valid solutions per block, and therefore distributes rewards to more provers instead of a “winner-take-all” dynamic, but the existence of one prover who crushes everyone else disincentivizes prover participation, decreases decentralization, and keeps costs higher.
So Aleo has done two things to commoditize its zkSNARK proving complement: AleoBFT and ZPrize.
AleoBFT
AleoBFT combines Proof of Stake (PoS) and a specific type of Proof of Work (PoW) called Proof of Succinct Work (itself a subset of Proof of Necessary Work).
We’re going to get in the weeds in this section, but what you need to know is that AleoBFT is designed to do three things: secure the protocol, ensure that there are enough skilled provers to serve applications’ zkSNARK needs, and incentivize more efficient and cheaper proving.
In the company’s November blog post, Introducing Provers in Aleo Testnet 3, Pratyush Mishra wrote that solving the problem of “incentivizing the development of better architectures for proving” is “one of the key motivations behind the design of Aleo’s new consensus algorithm, AleoBFT.” AleoBFT (BFT stands for Byzantine Fault Tolerance):
is a hybrid architecture that leverages proof-of-stake to achieve instant finality for block confirmation, and leverages a proof-of-work-type “coinbase puzzle” that rewards the development of faster techniques for proof generation.
(Side note, because this confused me too: “coinbase puzzle” has nothing to do with the company Coinbase. Both are named after the coinbase transaction, the first transaction in a block. TIL.)
The details on the PoS piece of AleoBFT are still forthcoming, but the team has said that it will be based on DiemBFT, which you can learn more about in this Messari report. Reading between the lines – Aleo wrote that provers do not produce blocks in AleoBFT – my guess is that:
Provers generate proofs for a given block and earn pro rata portions of the coinbase reward (a subset of the total block reward) based on how many above-target proofs they submit.
Validators stake Aleo credits to propose blocks made up of those proofs, and receive a portion of the total block reward for validating.
Verifiers check that the proofs within the block are correct (without learning knowledge of the proof’s contents) and receive a portion of the block reward.
Ali Yahya, who also studied cryptography under Dan Boneh, walked me through why the combination of game theoretical (PoS) and cryptographic (PoSW) approaches makes sense. “Agreeing on transactions to be included, you can’t do cryptographically, so you need to use a game theoretical approach. Once you have the transactions you want to execute in order, everything else is something you should do cryptographically.” In other words, use cryptography wherever possible, and game theory where you can’t use cryptography.
On Testnet 3, the current and final Testnet before Aleo goes to Mainnet, Aleo is focused on the cryptographic provers piece. That’s also the most relevant for our discussion here.
The prover piece of AleoBFT is based on Aleo’s original consensus algorithm, Proof of Succinct Work (PoSW). The most important thing to understand about PoSW, especially as Ethereum and new chains eschew Proof of Work for environmental reasons, is that the “work” in Proof of Succinct Work is actually useful, unlike grinding SHA-256. In fact, PoSW is based off of Proof of Necessary Work, an idea proposed by Assimakis Katis (an Aleo advisor from the beginning) and Joe Bonneau (another former Boneh student) in 2020 “in which proof generation is an integral part of the proof-of-work used in Nakamoto consensus, effectively producing proofs using energy that would otherwise be wasted.” If you need to spend energy to secure the blockchain, spend it on proofs.
The work is necessary in two ways, directly and indirectly:
Directly. Generating zkSNARKs is useful for letting people prove something without revealing any information about that thing.
Indirectly. By incentivizing generating zkSNARKs, Aleo hopes to accelerate the development of better architectures for proving.
On the Zero Knowledge Podcast, Howard said that “the goal is to incentivize miners to develop hardware acceleration for SNARKs to make these types of computations a commodity and commonplace.” One way to do that is to make sure that miners always have something to prove.
“If market demand says there are a lot of programs, and people want to pay a lot of transaction fees to run their programs, I will target my hardware for those types of programs,” Howard explained. “If suddenly there’s a drop in activity, there’s still a blockchain where I can mine a block and get rewards."
Interestingly, given the nature of commoditization, Aleo’s efforts here also help other ZK protocols. Howard pointed out that coinbase rewards on Aleo could also be useful for companies like Matter Labs and Aztec, whose rollup validators are designed to be performant for computing ZKPs. At periods of low traffic for rollups, those validators could switch over and use their hardware to generate zkSNARKs on Aleo.
The ZKP industry is still so young and small that it’s still advantageous for participants to work together to grow the pie than to fight over the size of each of their slices. To that end, the companies teamed up on the second leg of the commoditize your complement master plan: ZPrize.
ZPrize
When Howard and Alex saw that one Testnet 2 prover dominated everyone else, they realized that they needed to do more to spread knowledge and accelerate commoditization, so they came up with an idea: a competition, modeled on the DARPA Grand Challenge, called ZPrize. They announced it in May.
The competition had three goals:
ZPrize Website
Along with 32 partners, including ZK protocols like Polygon, Mina, Aztec, and Espresso, they raised over $8 million in prize money for whoever could come up with the best solutions to challenges like “Accelerating MSM Operations on GPU/FPGA” and “Proof-of-Succinct-Work Acceleration (GPU).”
ZPrize Website
Importantly, in order to qualify for prizes, “all winning submissions will become open source libraries for the benefit of all.” Commoditize your complement.
Much of the potential for optimization remains in hardware acceleration. Many people forget that the modern encryption techniques of the modern web only became practical after they were implemented natively in CPUs.
In order for zero-knowledge proofs to underpin the next generation of the web, and in order for Aleo, Matter Labs, Aztec, Espresso, and the like to reach their potential, they need to be baked into the hardware itself.
ZPrize recently announced the results from the inaugural competition, and TL;DR, it worked. The average improvement across categories was 5.3x above baseline, with a range of 2.3x to 11.3x.
ZPrize Results from Aleo Team
Every category with submissions saw improvements, some dramatic. The two most immediately relevant to Aleo – Proof-of-Succinct-Work Acceleration (GPU) and Fast Verifier for Marlin Proof System – saw the biggest improvements, at 6.7x and 11.3x respectively. The Marlin improvements have already been integrated into snarkVM, and the team is currently integrating the PoSW work, meaning that applications, provers, and verifiers on Aleo are already directly benefiting from the competition.
Side note: MARLIN, named after the fast and agile fish, is the type of SNARK that Aleo uses. It’s optimized for speed and efficiency. Specifically, MARLIN allows for a system in which application developers don’t need to run a trusted setup for their apps. Aleo’s trusted setup, which took place in November 2021 with 2,241 contributors, is universal, meaning that applications don’t need to run their own. The use of MARLIN is part of the plan to bring down the cost and developer overhead of using ZKPs.
Trusted setup ceremonies are very cool, but very complex, and would dramatically increase the overhead for launching new applications on Aleo. Give this amazing 2017 Radiolab episode a listen to understand what goes into trusted setups, and ask yourself, “Would making developers go through this increase or decrease the number of apps built on Aleo?”
In case you didn’t listen, the answer is no. Anyway, back to the main attraction.
Combined, AleoBFT and ZPrize are Aleo’s attempts to commoditize zkSNARK proving, and therefore to increase demand for zkSNARKs.
Commoditization is an interesting strategy in that it benefits anyone for whom the commoditized good or service in question is a complement. That so many zero-knowledge protocols teamed up in pursuit of that goal speaks to the nascency of the industry, the breadth of opportunities, and the collegiality in what looks, on the surface, like a crowded field.
The Zero-Knowledge Landscape
There are a few different ways to slice and dice the zk landscape. A big one is whether the willing zk chain will be built as a rollup built on the Ethereum Virtual Machine (EVM) or as a standalone L1. Will it be scaling-focused or privacy-focused or both? Will it cater to DeFi or attempt to be more general purpose?
I’m not here to pick winners. Some of my smartest friends work at Espresso (Jill Gunter, who contributed all the good stuff in Zero Knowledge) and Aztec (Jon Wu, who wrote Terra: To the Moon & Back for Not Boring and did a much better job debating crypto on Cartoon Avatars than I did). It’s hard to not be impressed with Polygon’s momentum (and its crypto-world-famous BD team). I’m really excited about what Matter Labs is cooking up on the scaling side with zkSync. ETH is my largest crypto position by a wide margin.
The truth is, it’s unlikely, and even undesirable, that there will be a single winner. There will likely be a handful of dominant architectures, just like there are a handful of dominant architectures in traditional compute – CPU, ARM, GPU, FPGA, ASIC, and one day, quantum.
Understanding Aleo’s potential, then, is less about figuring out whether it will “win” and eat all zero-knowledge compute or all blockchain applications, and more about where it sits in the landscape of Zero-Knowledge protocols.
The team at Kora put together a useful categorization of many of the players in the space, which I’ve updated here:
One really interesting thing to note is that, despite all of the ink I’ve spilled on zero-knowledge proofs’ privacy-preserving properties, the largest category of ZK protocols is the “Layer-2 Scaling, No Privacy” category. The most well-known ZK projects like StarkNet, zkSync, ImmutableX, and Polygon Hermez, Miden, and Zero all fit into this category. Aleo’s approach is to focus on privacy, and get scalability as an added (but very important) bonus.
To be clear, there are a lot of different ways I could have categorized these. Some are programmable, and others aren’t. Some Defi-Specific protocols, like Zcash, are just focused on sending money, others address the wider universe of DeFi applications. Many of the L2s are DeFi-specific. And things can and will evolve – protocols that are scaling-focused today may try to use ZKPs for privacy over time.
No matter how you slice it, though, it’s clear that Aleo stands alone in its approach. It’s the only project building a general purpose L1 for scaling and privacy, with its own language and VM.
That comes with trade-offs.
On the one hand, while the future will be multi-chain and there will certainly be bridges between Aleo and Ethereum, it’s a bold choice to fight the gravity of the Ethereum ecosystem. Many of the most popular protocols and applications are written to the EVM. When Electric Capital released its 2021 Developer Report, Ethereum stood head and shoulders above all other chains by number of developers, and according to Artemis’ developer dashboard, Ethereum still has 2x the Weekly Active Devs as the next chain.
Electric Capital Developer Report (2021)
Aleo is also making a bet that enough people, and therefore enough developers, care about privacy that they’re willing to pay more for that privacy and go through the headache, however mild, of learning a new language. It’s not surprising that early developers and users have gravitated towards projects built on top of a familiar chain (Ethereum), with a familiar language (Solidity), and a clear value proposition (scalability).
On the other hand, if Aleo is right, if privacy is fundamental to the future of web3, or at least if there are enough applications that require privacy and programmability to build a robust ecosystem, and if full privacy can only be achieved on a new L1 with a new language, it owns a wide open piece of the market.
Even if you assume that all DeFi goes to DeFi-specific L1s and L2s, which is a very conservative assumption, there are still a number of use cases for which full privacy and programmability are necessary. Looking at the use cases from earlier, federated machine learning, AI, identity, voting, and certain segments of gaming all seem to be use cases that require privacy.
The fact that Aleo designed Leo to feel like JavaScript, the language that the most non-web3 developers use, also hints at bigger ambitions in connecting web2 and web3. For applications that aren’t fully crypto, but that want to incorporate ZKPs into their products to shield themselves from needing to store users’ private data, or that want to tap into certain features of crypto without risking exposing proprietary or user data, Aleo seems to be a compelling option.
As Howard told me at the end of our last conversation, he wants Aleo to pass the “Mom Test.” In other words, “My mother doesn’t use BlockFi, Uniswap, or Compound. We’ll pass the Mom Test when an app that uses the Aleo stack in some way reaches a general audience. That will be a wonderful sign that we’ve gone beyond DeFi and entered the real territory of the web.”
Whether the initial demand for Aleo comes from DeFi apps like private stablecoins or private DEXes, from wild new use cases like federated machine learning and AI data sovereignty, from games that don’t work unless the state of play is private, or from mainstream web apps, I think there are enough potential pathways that there will be significant demand for the zkSNARK proving that Aleo’s selling.
The question then becomes, how does Aleo capture value?
Aleonomics
Here’s how Aleo Credits work.
Aleo Credits are used in two main ways:
Secure the network. Validators stake Aleo Credits to propose blocks and secure the network, and receive Aleo Credits as a reward for validation. This is standard for PoS blockchains.
Purchase zero-knowledge compute. Applications that need zkSNARK-proving use Aleo credits to pay provers to generate the proofs.
This second piece is what makes Aleo Credits unique and interesting. Aleo expects significantly increased demand for the computations underlying zero knowledge proofs as their cost comes down and their accessibility improves. As discussed, it also wants to be the place that offers the most efficient and cheapest private zkSNARK computing power. Aleo Credits are the way to access that computing power. Whether an application is built fully on Aleo or just needs zero-knowledge compute for a piece of what it does, it will need to purchase Aleo Credits to purchase that compute.
Because of that, Aleo Credits will be valuable to developers who want to use zero-knowledge computing power, and like any commodity, their value will be based on the demand for and price of zero-knowledge compute.
One other unique feature to note is that there’s no concept of “gas” on Aleo because, while off-chain computations can be any size and take any amount of time, the proofs they generate are equally sized. That means that people will always know ahead of time what they’ll need to pay to do a transaction on Aleo. And again, that will be roughly tied to the actual value of ZK compute.
As for specific numbers, Aleo is releasing updated economics based on the adoption of AleoBFT soon, but the rough outline will be that stakers and provers share the coinbase rewards for the first ten years, with the prover share decreasing linearly over time until the proving ecosystem is sufficiently bootstrapped. At that point, provers will earn money for generating proofs for applications and stakers will earn rewards for securing the network. The goal of the economic model is to ensure the security, decentralization, and longevity of the network.
I think Aleo’s approach is novel and smart, and I love the idea that Aleo Credits are supported for something as demonstrably valuable as ZK compute. That said, this is never investment advice. Aleo’s system is designed for developers and the creation of zero-knowledge products, not for aping. And if you’re taking cues on where ZK compute should be priced from me, you need to re-examine your life :)
If you want to go deeper, you can read more about Aleo’s Token Economics here and look out for announcements from the team as they finalize details pre-Mainnet launch.
While I don’t think that Aleo will suck up all zkSNARK compute, Aleo certainly has the potential for some pretty killer network effects beyond those of a traditional blockchain.
It has the same potential for Two-Sided Platform Network Effects that a typical blockchain does – more developers attract more users attract more developers attract more users and so on – with the added potential for Two-Sided Marketplace Network Effects from the dynamic between provers offering SNARK-proving services and applications that need those services. More developers attract more users attract more provers who bring down the cost of SNARK Work which attracts more developers who attract more users, and so on.
If the goal is to commoditize SNARK-proving, though, then it would suggest that the Two-Sided Marketplace Network Effect has a shot clock on it. It needs to leverage its advantage in SNARK-proving – that 11.3x improvement in Marlin Verification that’s already implemented in snarkVM is a good example – as quickly and bigly as possible before competitors match those gains in order to create the Two-Sided Platform Network Effect that should sustain the ecosystem in the long run.
With so much noise – if not direct competition – in the ZK space, Aleo needs to get to market with the best private, programmable product as quickly as possible to get the flywheel spinning.
So where is Aleo on that path today?
Where Aleo is Today
Aleo launched Testnet 1 in 2020, Testnet 2 in 2021, and Testnet 3 in August. It flipped the credit switch half-on in November, incentivizing Testnet 3 by giving provers a way to earn credits that will convert 5:1 into Aleo Credits when Mainnet goes live. It expects to go live on Mainnet in the next two quarters, once they’re convinced that everything is stable based on Testnet 3.
When I asked Alex what metrics they look at to gauge the success and stability of Testnet 3, he highlighted two main ones:
The number of nodes on the network securing the blockchain
The number of provers, a proxy for the capability to process transactions at scale.
On both counts, Testnet 3, driven by improvements in AleoBFT and proving hardware, has been a huge leap up from Testnet 2.
Nodes. There are currently at least 14,610 nodes on the Aleo network right now, with the actual number closer to 20-30k as two large proving pools coming online in the last few days. For comparison, they had 10,000 nodes during Testnet 2, when the coinbase puzzles that needed to be solved were significantly easier, and therefore more accessible.
Provers. About 1,000 provers participated in Testnet 2. When Alex emailed me on December 1st, after they launched the incentivized testnet, he wrote that they “have been *crushed* w/ demand. Over 10k provers on the network right now, so at least it still seems like there is healthy interest in ZK!” At the time of writing, less than two weeks later, that number has more than doubled.
Increased prover participation and improved efficiency have translated into speed. Based on this community-built dashboard, there are 157 million proof-per-second being generated on the network.
Haruka’s Aleo Explorer
That number jumped 33% from 118 million between Saturday and today, and Alex tells me that that’s a 10,000-20,000x stepup from what they saw on Testnet 2. He credits demand from big mining pools that used to focus on ETH before The Merge for part of the increase:
It seems that the network is ready. Then, the question becomes, what applications are developers going to build on Aleo to take advantage of all of that proving capacity? We covered the potential applications above, but who’s actually building on Aleo today?
In March, Aleo announced a partnership with Forte, a platform that partners with gaming companies like Zynga to introduce blockchain-based digital property rights – NFTs and game tokens – to their games. The announcement focused on Aleo’s scaling capabilities, but as discussed, privacy might also be useful to Forte’s partners who want to build incomplete information games, like MMORPGs with fog of war features.
More natively, Howard keeps a running list of applications built on Aleo in his Awesome Aleo GitHub repo. The list includes four VC-backed companies – SpruceID (Decentralized Identity), Pine Street Labs (custody), Demox (wallet), and Nucleo (multi-sig wallet). There are also games like Battleship and Boloney that play with the potential of private games on blockchains.
Awesome Aleo
Awesome Aleo also has categories like Machine Learning and Oracles that read simply, “Help me fill in!”
Awesome Aleo
While this list doesn’t capture companies and developers that Aleo is in conversation with, it’s a useful guidepoint for where the ecosystem is today. The tech is built, it’s working, provers are joining the network in droves, the cost of SNARK-proving is coming down, and the speed is coming up. Now, Aleo needs to turn its attention towards attracting developers who will attract users.
Marketing itself is not Aleo’s natural muscle. It’s a product built by engineers for engineers.
But it’s working on strengthening the marketing muscle. This newsletter is one small piece of the puzzle, of letting people know that Aleo exists and has some powerful toys to play with. But the bigger part is that Aleo itself is turning on the outreach jets.
As Daniel Jacobs explained, “Howard is a stud (technical term) and spends his time like a traveling salesman, but instead of snake oil in a briefcase, he has a laptop in a backpack and does live coding and hackathons. The feedback has been that many people who are most excited are those with web2 backgrounds who expect a programming language that works.”
At this point, the make or break for Aleo will be its ability to attract developers, whether web2 or web3-native. It’s one of a few risks that will be critical to overcome.
Risks & Regulation
If you’ve been in crypto for more than a day, you understand that risk is a part of the game. I can’t yell that loudly enough. But the point of this piece isn’t to analyze Aleo as an investable asset, but as a technology and a platform.
Many months into researching ZKPs and Aleo specifically, I’m convinced that it has enormous potential. As a strategy nerd, I’m a huge fan of Aleo’s approach to bringing down the cost of ZK compute. And Howard’s credentials in the space speak for themselves. I’m rooting for Aleo.
That said, there are also risks, which I would break down into three categories:
Privacy. Do people care about privacy?
Competition. If they care about privacy, how will Aleo stand out in a noisy competitive environment?
Regulation. If Aleo stands out, will regulators put a damper on natural market demand?
Let’s take each in turn.
Privacy
The obvious question looming over Aleo, and the privacy-focused segment of the ZK space, is whether people actually care about privacy.
Certainly, people pay lip service to caring about privacy. We get all up in arms when our data leaks. We don’t love the fact that “when we’re not paying for the product, we are the product.” But … do we actually care enough to do anything about it? Facebook and TikTok’s MAU numbers would suggest that we don’t.
I actually think that those revealed preferences are misleading.
For one, privacy is having a moment. Meta itself, who has more data on what people care about than anyone else in the world, is focusing its WhatsApp messaging (no pun intended) on privacy:
That may be in part due to the fact that its smaller rival, Signal, whose cumulative downloads grew from 10 million in 2019 to 125 million in 2021, with countries like Egypt, Iran, Saudi Arabia, and the UAE leading the way.
More importantly, though, is the fact that to date, privacy has been a trade-off. If you want to use the internet, you need to give up some privacy. If you want to apply for a mortgage, you need to give up some privacy. The choice hasn’t been “Do I want to use the internet with or without privacy?” but “Do I want to use the internet or not?”
ZKPs have the potential to kill that trade-off by making privacy simple.
If Aleo is successful, and as it brings down the cost of privacy, the question we ask might become, “Would I prefer this app that lets me control my data or that similar app that doesn’t let me control my data?” At that point, the answer would be obvious.
Framing it that way actually makes me more bullish on privacy, and it’s up to Aleo to give developers the tools to bake privacy in as seamlessly and cheaply as possible.
Competition
There are around 40 protocols in crypto that use ZKPs to some extent or another, as we covered above. While Aleo stands alone as the only fully programmable, fully private general purpose L1, that’s only half the battle.
At this early stage, the more important half of the battle is educating developers on that nuance enough that they’re willing to learn a new language and a new way of thinking about developing apps. They’ll also need to convince them to either leave the comforts of the Ethereum ecosystem or to jump into crypto in the first place, depending on their starting point.
To those in the space already, the nuance is apparent, and it seems as if they’d rather team up to improve and evangelize the technology. Plus, there’s a belief among builders and investors in zero-knowledge that the technology will infiltrate all corners of the internet, web2 and web3, and from that perspective, we might look back at 40 protocols as a laughably small number.
The risk, then, isn’t that ZK competition will hinder Aleo. It just faces the same risks that any new platform faces in attracting developers to build on their thing instead of on the other things. In Aleo’s case, that means convincing developers that zero-knowledge is mature and affordable enough, and that it’s language and programming environment makes everything easy enough, to build in its ecosystem. From there, with (potentially safer zero-knowledge) bridges, they can connect with the rest of the crypto ecosystem, or with the rest of the web.
Other L1s have convinced developers with a combination of education and incentives, deploying multi-hundred-million-dollar ecosystem funds to make the decision a little easier. It will be interesting to watch how aggressive Aleo gets there, or whether it focuses incentives on provers and lets the tech and SNARK-proving capacity speak for themselves.
Regulation
That brings us to the third, and most existential, risk: regulation.
In August, Dutch authorities arrested developer Alexey Pertsev on suspicion of his involvement in Tornado Cash, a cryptocurrency tumbler or mixer, two days after the US Treasury Department froze Tornado Cash and the Office of Foreign Assets Control (OFAC) sanctioned it because it was allegedly used by North Korean hackers. Tornado Cash lets users perform transactions anonymously using zkSNARKs.
The sanction of a privacy-preserving protocol that uses zkSNARKs is obviously a worrying development for Aleo.
When I spoke to Howard and Alex about that concern, they flipped the concern on its head, and pointed out that a lack of privacy in web3 protocols like Ethereum actually risks the neutrality of the protocol. Protocols, they believe, should be neutral.
TCP/IP, the protocol on which the internet runs, is private and neutral thanks to encryption and TLS (Transport Layer Security). No one can read the packets that are sent from one place to another. If my device forwards a packet that ends up in Iran, no federal agent knocks on my door.
On non-private blockchains, on the other hand, it’s relatively easy to look at what the providers – infrastructure providers, nodes, and indexers – touch and put pressure on them, which threatens the neutrality of the base layer.
Howard and Alex believe that the important thing is that protocols on the internet are inherently neutral. Privacy, to them, isn’t about helping bad actors evade sanctions, but ensuring that the base layer stays neutral. Whatever is built on top of the protocols is the most natural and effective place for regulation, as those applications can be sensitive to geography and local regulation in a way that base layer protocols can’t be. This mimics the compliance regime that has enabled the internet’s success: regulate the applications, not the base layer, just as my bank might be sanctioned for sending money to Iran, but the internet itself won’t be.
Plus, developers on Aleo can build what was lacking on Tornado Cash: risk mitigation controls that will allow compliance with laws as they currently exist (and maybe, optimistically, even inspire more effective regulations). While the base layer is private, most activity will take place through applications, where on and off ramps can serve as important places to ensure compliance, as they do in the broader crypto ecosystem today (and zk-based KYC compliance, where applications can confirm things like KYC and sanctions clearance without compromising user data, would be a privacy improvement over many current KYC options).
In this environment, the tricky part is getting regulators to listen to, appreciate the potential of this infrastructure, with the internet itself serving as an important analogy. It seems likely that people will do both wonderful and terrible things on Aleo, as they do wonderful and terrible things on the internet. As with developers, Aleo’s biggest challenge on the regulatory front will be education.
Personally, I think it’s a real risk, the biggest that Aleo faces, and that the best defense is a good offense. Specifically, Aleo will need to show regulators the value of the positive use cases by attracting developers to build applications with clear consumer benefits. Here, I think that uses like healthcare studies, voting, AI data integrity, and user data privacy will be particularly valuable.
At the same time, developers in the industry and policymakers can work together to develop risk mitigation and compliance frameworks that meet policy goals while protecting privacy and letting innovation flourish. Some may say-ay-ay-ay I’m a dreamer, but if that happens, we may get more privacy and better compliance.
Ultimately, the zero-knowledge cat is out of the bag, and like any technology, they’re not inherently good or evil. It will be up to the Aleo team, and the larger zero-knowledge ecosystem, to shepard the technology in such a way that the positives far outweigh the negatives.
The Zero Knowledge Decade
Before writing this piece, I’d heard and read enough about zero-knowledge proofs to believe that they would play a key role in scaling web3 in the coming years. After writing this piece, I’m convinced that within a decade, and maybe much sooner, ZKPs will be baked into the vast majority of crypto applications and transactions.
I think this statement will be true based on ZKPs’ scaling advantages alone. Handling execution off-chain – whether in an L2 rollup or snarkVM – and sending small, uniform proofs on-chain is simply faster and less block-congesting than doing everything on-chain. You can be a ZK Maxi if you only believe in scaling. Aleo’s efforts to incentivize faster, cheaper, and more efficient zkSNARK proving will only widen the gap and pull forward the zero-knowledge future.
The bet that Aleo is making, however, is that if it can make zkSNARK proving fast, cheap, and efficient enough, developers can put users back in control of their data and introduce private-by-default applications to the internet without trading off performance or cost. Put another way, if you could build more scalable applications that also let users control their data and offload the headache of handling their PII for the same cost and effort, why wouldn’t you?
Not Boring is a newsletter about tech strategy, and strategy can be boiled down to a series of trade-offs. While I’m nowhere near smart enough to understand the inner-workings of ZKPs, I think the thing that keeps drawing me back to them is that they eliminate trade-offs.
In the context of web3, ZKPs help crack the Scalability Trilemma, assuming proving is commoditized enough to allow for decentralization.
More broadly, ZKPs have the potential to eliminate a major trade-off inherent in living, working, and transacting online: the convenience, speed, reach, and scale of the internet in exchange for our privacy.
I’ve written a couple times in this essay that there are no free lunches, and that’s mostly true, but the point of technological advances is to eliminate trade-offs. The people who spend years toiling away in the lab or the garage pay for all of our lunches once in a while.
The airplane eliminated the trade-off between remaining geographically tied down or spending weeks or months to travel far away. Mobile phones eliminated the trade-off between staying connected and staying by a landline. Fossil fuels eliminated all sorts of trade-offs between the amount of work people put in and what they could get out. Renewable energy eliminates the trade-off between getting all those things and harming the environment. Advances in semiconductors eliminated the trade-off between having a computer that was powerful and capable of running demanding applications or a computer that was lightweight and portable. The list goes on, and you get the point.
Technological advances are the main reason that constant dollar GDP per capita has increased as much as 26x in western countries over the past two centuries. If lunches aren’t free, they’re certainly more affordable than they used to be.
It’s healthy to be skeptical whenever someone offers you a free lunch, especially in crypto and especially recently, but these breakthroughs do happen.
Now that the technology works, thanks in part to Howard’s work, the focus shifts to commercialization. Proof generation needs to be cheap and accessible enough that developers don’t think twice about building them into their applications. That’s what Aleo is focused on.
By vertically integrating a private-by-default L1, Aleo is taking as much of the complex work on itself in order to make ZKPs relatively easy to use for application developers and their users. By commoditizing zkSNARK-proving through AleoBFT and ZPrize, Aleo is improving the efficiency and cost of using ZKPs. By creating the Leo programming language and Aleo Studio, Aleo is attempting to make ZKPs accessible to any developer who knows or can learn JavaScript. By sponsoring this half-book, Aleo wants to let people know that ZKPs are ready for prime time.
Over the next couple of years, I expect that we’ll see developers who really need privacy to make their products work – the ones building for all of the use cases we discussed earlier – start building on Aleo. Over time, I think more and more developers beyond those obvious applications will begin to see that they can deliver privacy and scale, cheaply and simply. By the end of the decade, as people far more creative than me get their hands on these new primitives, I wouldn’t be surprised if private-by-default became the new default for any application.
After 40 years in the lab, zero-knowledge proofs are ready for the internet. Aleo is working to make sure that the internet is ready for zero-knowledge proofs.
Thanks as always to Dan for editing, to Alex, Howard, Daniel, Drew, and Ali for input on the piece, and to Jill for introducing me to the wonderful world of ZKPs.
That’s all for today! See you Friday for the most optimistic Weekly Dose yet, and on Monday for my last essay of 2022!
Great introduction to ZKPs! I think your points about the interest and demand for privacy are very important as to why this tech even matters. I especially liked the framing of this: The choice hasn’t been “Do I want to use the internet with or without privacy?” but “Do I want to use the internet or not?”..."if you could build more scalable applications that also let users control their data and offload the headache of handling their PII for the same cost and effort, why wouldn’t you?"
Aleo: Can You Keep a Secret?
You're the man, Packy. Another great piece!
Great introduction to ZKPs! I think your points about the interest and demand for privacy are very important as to why this tech even matters. I especially liked the framing of this: The choice hasn’t been “Do I want to use the internet with or without privacy?” but “Do I want to use the internet or not?”..."if you could build more scalable applications that also let users control their data and offload the headache of handling their PII for the same cost and effort, why wouldn’t you?"