Preston Evans Profile
Preston Evans

@prestonevans__

Followers
1,833
Following
252
Media
3
Statuses
182
Pinned Tweet
@prestonevans__
Preston Evans
1 year
Today, I’m incredibly excited to reveal what we’re building at Sovereign Labs - a next gen toolkit for building zk-rollups called the Sovereign SDK. You can find all the details in the linked blog post, but I’ll summarize some of the key points here.
@sovereign_labs
Sovereign
1 year
Today, we announce Sovereign, the Internet of Rollups. Sovereign is an ecosystem of interoperable and scalable rollups that can run on any blockchain. Why are we building this? 🧵
@prestonevans__
Preston Evans
1 year
I’ll be talking with @ercwl about how sovereign rollups can add new features to Bitcoin at @TheBitcoinConf today. Find us on the Open Source Stage at 1:30!
@prestonevans__
Preston Evans
6 months
We think we've invented a way to make merkle trees 10x faster! If you're interested in implementing this design, Sovereign would be more than happy to provide guidance and support. Get in touch!
@sovereign_labs
Sovereign
6 months
Building state commitments is the biggest bottleneck for most blockchains today. Here at Sovereign, we’ve been working on a new design that should speed up state merklization by a factor of 10 or more. Why is this such a big deal? Creating a state commitment allows for
@prestonevans__
Preston Evans
2 years
@pwuille @EliBenSasson I have an implementation (not based on this technique) which runs today and can prove an ECDSA signature in <10mins on CPU (should be a few seconds on GPU). Proof size is a few KB. Happy to share details via DM, but not quite ready to announce publicly yet.
@prestonevans__
Preston Evans
7 years
A new solution to decentralized random number generation:
@prestonevans__
Preston Evans
1 month
NOMT lets blockchains scale without giving up light client verification. It’s free, permissively licensed, and FAST. Fantastic work by @rphmeier and the Thrum team.
@rphmeier
asynchronous rob
1 month
Today, I'm happy to introduce NOMT: The Nearly Optimal Merkle Trie Database. State access and state merklization are the main bottlenecks in blockchain scaling at the moment. NOMT has been created to solve this problem. We push modern SSDs to their limit and make running
@prestonevans__
Preston Evans
2 years
@pwuille @EliBenSasson Since this was an unexpectedly popular tweet, I want to add a very strong disclaimer that this is not solo work! Don’t want to name my collaborators yet to avoid leaking Alpha, but they deserve all of the credit. Will hopefully QT with attribution soon.
@prestonevans__
Preston Evans
1 year
@aeyakovenko @nickwh8te Yeah, of course. You don't use zk to speed up execution, you do it to increase *scalability* (meaning, the volume of transactions that can be processed without increasing hardware reqs). The point is that adding zk doesn't add a new bottleneck.
@prestonevans__
Preston Evans
1 year
@nickwh8te @aeyakovenko No need for ORUs! You can build zk-rollups which are proven asynchronously. Finalize at the speed of the DA layer, and prove (in parallel) after the fact! That way you still get trustless bridges and light-clients.
@prestonevans__
Preston Evans
1 year
@nickwh8te @aeyakovenko And, at the risk of leaking alpha, I should add that you can *prove* computations in parallel even if the execution is sequential. So even if your prover performance is bad you can just throw hardware at it.
@prestonevans__
Preston Evans
1 year
6/n The other barrier to developing zk-rollups is protocol engineering complexity. To date, rollups have mostly been developed in a one-off fashion - meaning that work done to develop one rollup can’t be easily reused in other contexts
@prestonevans__
Preston Evans
3 years
5. We've learned a lot since Bitcoin Core was first released. Initial results from Zcash Zebra suggest that a new approach to the networking and signature verification stack of Bitcoin and related currencies can be *very* fruitful.
@prestonevans__
Preston Evans
1 year
7/n To address these problems, the team at Sovereign Labs is building a generalized rollup node which is compatible with any existing blockchain. Using this software, developers will be able to re-use rollup logic across Celestia, Ethereum, EigenLayr, and even Bitcoin.
@prestonevans__
Preston Evans
1 year
3/n Zk-rollups completely eliminate this bottleneck. Thanks to the succinctness property of zero-knowledge proofs, a cell-phone can easily validate the work of an entire data-center.
@prestonevans__
Preston Evans
3 years
While the world is going crazy, Bitcoin just keeps getting better. Today, I’m excited to announce Bitcoin Warp, the most ambitious Bitcoin client yet. Completely free and open source, built by Bitcoiners, for Bitcoiners. Check it out at .
@prestonevans__
Preston Evans
1 year
9/n We’re also working on new proving techniques which will allow unprecedented parallelism in proof creation, and new bridging techniques specifically designed for zk-rollups, which will allow low latency message passing without trusted third parties.
@prestonevans__
Preston Evans
1 year
4/n But, despite their advantages, zk-rollups are a long way from achieving their potential. Today, there are only a few zk-rollups under development - and almost all of those will be completely centralized at launch.
@prestonevans__
Preston Evans
1 year
10/10 In other words, we expect the Sovereign SDK both to be the easiest way to build rollups, and to raise the bar for performance and interoperability. And best of all, it’s completely free and open source. Come build with us!
@prestonevans__
Preston Evans
1 year
2/n While a modern consensus algorithm can easily process tens of megabytes of data per second, a client running on commodity hardware can’t validate transactions nearly that fast. So, if they value decentralization, blockchains are forced to artificially cap their throughput.
@prestonevans__
Preston Evans
1 year
1/n Over the past 18 months, I’ve become increasingly convinced that zk-rollups are the endgame of blockchain scalability.  With the technology available today, it’s much easier to scale data throughput than it is to scale execution.
@prestonevans__
Preston Evans
1 year
5/n One problem is the complexity of developing zero-knowledge programs. Until quite recently, building zero-knowledge circuitry was difficult even for experts - and completely inaccessible to outsiders.
@prestonevans__
Preston Evans
1 year
8/n Our SDK will integrate with state-of-the-art cryptographic compilers to generate zero-knowledge proofs from regular Rust code. So, as a developer, you can write your blockchain’s state machine using tools that are already familiar.
@prestonevans__
Preston Evans
3 years
The more I read about Avalanche, the less I'm convinced that any of its proponents understand it. In most systems, letting more people participate in staking improves security. In Avalanche, these sorts of proposals *hurt* security. A thread 🧵
@das_connor
Connor Daly 🔺
3 years
For those gasping at the 2000 AVAX prerequisite, fear not. That number will change in the future when on-chain governance goes live. Personally, I'd like to see that number at around the 1000 USD equivalent.
@prestonevans__
Preston Evans
2 years
@jon_charb @arjunbhuptani @buchmanster @CelestiaOrg Yep! Sovereign Rollups with trust-minimized are much more like traditional dApps in this sense. They either need governance to manage upgrades in a way that’s legible on-chain or they have to deploy a new instance for each upgrade and have users migrate over gradually.
@prestonevans__
Preston Evans
1 year
@ercwl @colludingnode @nickwh8te @_prestwich No. See or or Eclipses are practical and very difficult (impossible?) to defend against.
@prestonevans__
Preston Evans
1 year
@aeyakovenko @shumochu @sreeramkannan @nickwh8te @toghrulmaharram Users with very low latency requirements can (and will) run full nodes. Since proving is async, zk doesn't impact their perceived latency at all. But prover latencies are surprisingly low, even for complex proof systems like zkEVMs. Should be acceptable for ~all individuals.
@prestonevans__
Preston Evans
3 years
Finally, Avalanche in particular is not nearly as secure as people seem to think! This is just one of several significant drawbacks to Avalanche. If you're curious, I've tried to give a more thorough rundown of Ava's problems here
@prestonevans__
Preston Evans
2 years
@mattysino Hats off to Coinbase for the quick patch, but offering $250k for a critical vulnerability like this is unbelievably shortsighted. @brian_armstrong @zosegal
@prestonevans__
Preston Evans
1 year
@CannnGurel We call it sovereign if end-users are able to adjudicate finality for themselves rather than having to defer to the SC. With this defn, there is still a meaningful distinction between a sov rollup and a standard SC rollup - but we're open to suggestions for better terms!
@prestonevans__
Preston Evans
3 months
@PossibltyResult Nope, a light client is sufficient! In fact, Sovereign SDK already supports running a rollup full node from a trust-minimized light client on other base layers.
@prestonevans__
Preston Evans
1 year
@seunlanlege @cemozer_ @hdevalence @EthereumDenver In the context of an L1, you can't zk-prove fork choice because the validator set could just double-sign. But, you can prove the rollup's fork choice *in terms of the DA Layer's fork choice* because that's purely deterministic. If latest Eth block is X, rollup state is Y.
@prestonevans__
Preston Evans
3 years
In light of recent events, we've decided to host another copy of the whitepaper alongside our client.
@prestonevans__
Preston Evans
2 years
@aeyakovenko @pwuille @EliBenSasson Our system is stark-based, so we'll generate the execution trace on CPU and then run the rest of proving (FFTs, etc) on GPU. More details soon™️
@prestonevans__
Preston Evans
2 years
@DrNo_21M @bradmillscan @rot13maxi @pwuille @EliBenSasson @z_prize This thing depends on some software written by others that isn't publicly licensed yet - so I can't make any promises about that stuff. Our piece will be freely available under MIT/Apache though.
@prestonevans__
Preston Evans
1 year
@ercwl @colludingnode @nickwh8te @_prestwich And the worst attack is way worse than you think! If a node doesn’t see a fraud proof, it’s not just vulnerable to double spends - it becomes convinced of the validity of an arbitrary state root controlled by the attacker. You can make it believe *literally* anything.
@prestonevans__
Preston Evans
1 year
@colludingnode @ercwl @nickwh8te @_prestwich If your sequencer set gives safe pre-confirmations of tx *results*, isn't it just a sparkling L1? That's a fully stateful set of bonded entities that we trust to maintain the safety and liveness of the network - in other words, a validator set.
@prestonevans__
Preston Evans
1 year
@seunlanlege @cemozer_ @hdevalence @EthereumDenver To be clear, we are *not* claiming finality faster than the underlying L1! We're just claiming finality (for full nodes) at the speed data finalizes on the L1 - because again, the rollup is just a deterministic function of that data. Proving happens async to aid light clients
@prestonevans__
Preston Evans
2 years
@MarediaShehzan IMO, the most compelling argument is that it’s (very) difficult to transition to a multi-client world. At some point, adoption is split 50-50 between Core and alts, and a divergence at that time could be very damaging. Also, see @pwuille here:
@prestonevans__
Preston Evans
7 years
Thank you to @balajis and @earndotcom for their support on this project!
@prestonevans__
Preston Evans
6 months
@_jhunsaker @sovereign_labs 1. Is correct - Ethereum compatibility is not a goal of this design (although some aspects could be adapted) 2. SSDs can be great at random writes, as long as they're aligned properly and written in large enough batches!
@prestonevans__
Preston Evans
2 years
Can confirm that this both exists and is very out of date 🙂 I don’t have much time to work on this anymore, but Zebra (the upstream version) is a fantastic codebase and Bitcoiners should build on it. Happy to help anyone get started!
@prestonevans__
Preston Evans
1 year
@cronokirby @SuccinctLabs I can't speak to their design, but knowing which recent block hash to use seems trivial - just compare all (alleged) recent block hashes and pick the one with the (SNARK of) the most work. This has the same assumption as traditional bootstrap (one honest peer).
@prestonevans__
Preston Evans
1 year
@norswap @sreeramkannan @sovereign_labs This is exactly the defn we had in mind. The bridge *is* a light client, and it gets full security (up to its choice of rule set). Important to note that we don't currently plan on a "default" or enshrined L1 bridge, so different ones could have different upgrade paths
@prestonevans__
Preston Evans
3 years
7. Vires in Numeris. That's why we started developing Bitcoin Warp, the most ambitious Bitcoin client yet. Follow our progress at . If you want to contribute to a healthy Bitcoin ecosystem, reach out! My DMs are always open to Bitcoiners. Fin.
@prestonevans__
Preston Evans
10 months
@cemozer_ @ino_at_boba @JoshCStein @esadyusufatik @0xOrkun @andreas_tzionis You bet! There are a bunch of issues on Github labeled "small" or "good first issue" that should be good for getting started. We're also more than happy to help support you as you get up to speed with Codebase - come find us on Discord!
@prestonevans__
Preston Evans
3 years
In that case, the network would expand to 10,000 validators, and the attacker would control 200 of them. Since 200 is a lot more than 100 (= √10000), Avalanche would suddenly be vulnerable. But wait... the attacker didn't buy any more stake. So what the heck happened?
@prestonevans__
Preston Evans
2 years
@hdevalence @gakonst I think you can still do late binding if you know *which* storage slots will be used. The node can just verify the witness for the first tx that touches a particular slot, and then it can ignore witnesses and late-bind the value for the remaining accesses.
@prestonevans__
Preston Evans
3 years
This brings us back to the original premise. Relaxing validator requirements in Ava is a *really* bad idea. Why? Well, imagine that an attacker owns a small fraction (say, 2%) of all the $AVAX in circulation, and that running a validator takes 1/1000 of the $AVAX supply.
@prestonevans__
Preston Evans
3 years
That means that the attacker can control 20 nodes. Since that's less than 31 (= √1000) the attacker isn't powerful enough to break Ava. So far so good. Now, imagine that Ava cut its staking requirements by a factor of ten (which is roughly what the original tweet proposed).
@prestonevans__
Preston Evans
28 days
@JTremback @aidan0x The big difference is that neither side of the fork experiences a reduction in security. This makes it much easier to fork without massive centralization
@prestonevans__
Preston Evans
1 year
@cemozer_ @devloper_xyz @brandonhgomes @RiscZero @sovereign_labs This actually isn't quite right! We proved smart contract deployments and executions as well (though only relatively small ones). We did prove signatures separately though. IIRC Risc0 is adding in-circuit support for signature checks, but it's not available yet.
@prestonevans__
Preston Evans
3 years
6. Bitcoin Core isn't designed to be easy to build on. A new client can use library-first design, making it trivial for new projects to extract and build on any functionality they desire. Again, see Zcash Zebra.
@prestonevans__
Preston Evans
6 months
@IanSNorden @sovereign_labs Yeah, that is confusing :) The `version` is a disk-only concept. You can see that it doesn't appear in the data that is actually hashed here: and here:
@prestonevans__
Preston Evans
3 years
There are three key takeaways here: First, don't relax the staking requirements on Ava. The staking requirement is a vital security parameter, and it needs to be as high as possible. (P.S. That means Ava *can't* be both safe and decentralized! cc: @SarahJamieLewis )
@prestonevans__
Preston Evans
1 year
@seunlanlege @cemozer_ @hdevalence @EthereumDenver Nope! The consensus layer *defines* the rollup's state transition, but is not (necessarily) aware of that fact. The CL picks a set of rollup transactions, and the rollup state is a pure function of those transactions - whether or not the SC has verified the proof.
@prestonevans__
Preston Evans
4 years
Edward @Snowden is an American hero. He... - Exposed illegal surveillance on an incredible scale - Exhausted every other option before turning whistleblower - Took action despite the personal cost History will look kindly on the one who pardons him @realDonaldTrump
@prestonevans__
Preston Evans
4 years
Quanta Mag's new piece on Godel is great. It's also wrong in an interesting way.
@prestonevans__
Preston Evans
28 days
@aidan0x @JTremback Yeah, this is pretty much it. You could bake an automatic fork choice rule into the bridge (for example, using token weighted governance) - but much of the time the best path will just be to fork the rollup, make a new bridge (with no assets), and let users migrate gradually.
@prestonevans__
Preston Evans
6 months
@IanSNorden @sovereign_labs Great point. Terminology is very confusing in this space, but our current "jmt" implementation is actually not order dependent except at the disk layer - so it can be constructed in parallel as well.
@prestonevans__
Preston Evans
2 years
@kevinsekniqi @jon_charb @luigidemeo @hn_avax @ufukaltinok I’ll be looking forward to it 🙂 As I said, I’ll be happy to update the thread at that point.
@prestonevans__
Preston Evans
2 years
@jadler0 I think this leaves out a key distinction. In PoS, you *personally* have to be online (or getting info from a trusted node) for safety. In PoW, you merely need a reasonable fraction of people to be online at any given time to create the Nakamoto incentive.
@prestonevans__
Preston Evans
3 years
Whereas most Proof-of-Stake consensus algorithms can tolerate a constant fraction of malicious stakers (typically 33%), Ava's security properties only hold when less than √n nodes are malicious. When more than √n nodes are malicious, Ava quickly loses liveness.
@prestonevans__
Preston Evans
2 years
@glozow I spent quite a long time building an alt client! But several prominent community members discouraged me from continuing, so I eventually moved on. All of the old code is still around though. I’d be more than happy to hand it off to someone.
@prestonevans__
Preston Evans
6 months
@oconnor663 @zooko Ah, I didn't know that these pieces were baked into the compression state instead of the padding for BLAKE3. That's a cool optimization! I assumed it was just a padding scheme... Looks like there is such a scheme here; . (h/t @fd_ripatel for the paper)
@prestonevans__
Preston Evans
6 months
@norswap @sovereign_labs We just need to guarantee that our writes are always SSD page-sized and aligned. If a particular filesystem won't add any metadata or mess with the alignment, then that should be fine to use - although using the filesystem might still amplify reads/writes due to inodes
@prestonevans__
Preston Evans
3 years
2. As Bitcoin continues to accrue value, a single supply chain poses an unacceptable risk. Some of the earliest secure operating systems were breached not by attacking the running instances, but by breaking into the authors' offices and modifying the source.
@prestonevans__
Preston Evans
3 years
@balajis This is exactly right. Bitcoin Core is 3x faster and much more secure than the next best client. That needs to change. That's why we're building , a free and open source client in Rust. Contributors welcome!
@prestonevans__
Preston Evans
3 years
@benediktbuenz @pwuille It might be worth noting that the 2^80 here isn’t an apples to apples comparison with 2^80 mining work, since generating key pairs is fairly expensive (~10ms per key pair with OpenSSL on my M1 mac). Still, it’s probably good that vanilla P2PKH is phasing out.
@prestonevans__
Preston Evans
3 years
Now in most modern systems (think ETH 2.0), a loss of liveness isn't a huge deal. When liveness begins to fail, the faulty nodes get their stake slashed and the system returns to normal. But Ava doesn't have slashing. When it loses liveness, it has no way to recover.
@prestonevans__
Preston Evans
7 years
@phildaian @balajis @FEhrsam @VitalikButerin @hudsonjameson @jcp @el33th4xor Thanks again for the feedback! This is why we have peer review. I’ve added a section to the paper which I hope will address your concerns. Please feel free to point out anything else I’ve overlooked!
@prestonevans__
Preston Evans
2 years
@kate_sills @danrobinson Unless the two subtries are identical, only one of hash(x, y) will match the next root. If the two subtries are identical, then hash(x, y) will match the sibling provided in the proof! So the verifier can detect that with a simple equality check and know that the value exists 2x
@prestonevans__
Preston Evans
3 years
The Bitcoin Core devs have done a great job. So why do we need another Bitcoin client? A thread 👇
@prestonevans__
Preston Evans
2 years
@hdevalence Yeah, consensus changes can improve latency but not throughput.
@prestonevans__
Preston Evans
1 year
@colludingnode @ercwl @nickwh8te @_prestwich This is true, but… Eclipses are much more dangerous for rollups (POS consensus makes eclipsing useless - can’t even double spend) Eclipsing full nodes is much harder (bc they connect to more peers) Eclipsing full nodes only allows double spending, not state forgery
@prestonevans__
Preston Evans
6 years
@BenedictEvans 4/n: This appears to be a fundamental limitation of data-based computing systems. Adults don't typically notice this problem with our own visual systems because we get to 'train' on high-def, 3-D image data all the time. However, we do see 'bias' problems in young children.
@prestonevans__
Preston Evans
1 year
@colludingnode @ercwl @nickwh8te @_prestwich Yep. All of which makes eclipse attacks on L1s (esp POS) basically impossible in practice. Sadly, the same is not true for rollups
@prestonevans__
Preston Evans
2 years
@kate_sills @danrobinson You're both right? This is what I was alluding to here. Either the verifier has a path in mind (in which case he decides without ambiguity) and Dan is right or he doesn't - in which case he can recompute it from the proof.
@prestonevans__
Preston Evans
2 years
@kate_sills Thinking about this more, this is an interesting special case. In general, even if the verifier doesn't have the key, they can recompute it using the proof for the reason Dan mentioned. Here, they can also efficiently detect that the value is present with both different keys!
@prestonevans__
Preston Evans
3 years
Second, blockchain users aren't distributed systems experts. That's ok, but we should stop acting like they are. (P.S. That means that on-chain governance is a bad idea! cc: @VladZamfir )
@prestonevans__
Preston Evans
3 years
@bitmaster177 @balajis Yes, we will almost certainly take pieces of it. There are some technical differences between our approach and theirs, in part because the Rust language has evolved a lot since 2014, but there is still a good bit of overlap.
@prestonevans__
Preston Evans
2 years
@RiscZero @cemozer_ @sunnya97 I’m flattered, but would like to humbly submit @hdevalence for your consideration. GOAT’d builder and true cypherpunk
@prestonevans__
Preston Evans
2 years
@kate_sills @AlexCoventry4 Glad it was interesting! TBC, you don't typically use trial and error in practice. Usually, the verifier already has the key and just wants a proof of the value. But it's still cool :)
@prestonevans__
Preston Evans
6 months
@_jhunsaker @sovereign_labs 3. Is correct. Archival storage is a non-goal of this particular design (although this can be added with a well-designed WAL)
@prestonevans__
Preston Evans
1 year
@colludingnode @ercwl @nickwh8te @_prestwich …And get the private keys of 2/3 of the old validator set to create a convincing fork
@prestonevans__
Preston Evans
4 years
@ja_akinyele This explainer from Coindesk is pretty good, but starts with a very basic introduction. I’d skip the “Ok, I Already Knew all of That. What is Yield Farming” section.
@prestonevans__
Preston Evans
3 years
4. The Bitcoin Core codebase is highly complex and operates under constant pressure to avoid bugs. This makes contributing to Core very difficult. A clean codebase will make it easier for new contributors to enter the space.
@prestonevans__
Preston Evans
3 years
@pete_rizzo_ @ErikVoorhees To be clear, I agree that hard forks should be avoided if possible. I’m just not sure that it’s possible to avoid them altogether.
@prestonevans__
Preston Evans
1 year
@0xkaiserkarel @seunlanlege @hdevalence @EthereumDenver You can actually run state transitions over a dirty ledger! (See i.e. the Celestia whitepaper or ). Intuitively, the state transition func just ignores malformed transactions. So you don't need consensus among the sequencers!
@prestonevans__
Preston Evans
3 years
1. Bitcoin Core is a single point of failure. No matter how good the devs, there will always be bugs. This isn't theoretical. A critical bug in Bitcoin Core v0.16 made nodes vulnerable to DOS attacks.
@prestonevans__
Preston Evans
2 years
@veorq There might be a way to exploit this. DM’d you details.
@prestonevans__
Preston Evans
2 years
@kevinsekniqi @jon_charb @luigidemeo @hn_avax @ufukaltinok Happy to add a caveat to the old thread if the protocol has been updated! But the security proof in the latest Avalanche paper on your website does *not* hold against a sqrt(n) adversary.
@prestonevans__
Preston Evans
2 years
@dystopiabreaker @nickwh8te Yep! Interesting note: I believe this result applies to all possible subsampling protocols, not just the current implementation of Avalanche. So (IIUC) the only way for them to fix it would be to switch to a protocol with all-to-all communication.
@prestonevans__
Preston Evans
4 years
6527287b880706d237c9e5e567d74e459472b8563833be903e407c5e005c7050 @Jameson_Evans
@prestonevans__
Preston Evans
3 years
What happened was that **Ava made a counterintuitive assumption.** Specifically, it assumed that the ratio of honest to dishonest stakers would grow *quadratically* as the number of validators increased. When we subverted that assumption, the whole system blew up.
@prestonevans__
Preston Evans
1 year
@0xkaiserkarel @nikkolasg1 @seunlanlege @hdevalence @EthereumDenver Nope, sequencers can't fork the rollup! They have a window of time where they're allowed to post transactions onto DA. If a tx is posted on DA in that time, then it's included. Otherwise, it's not. They *don't* get to choose a prev block to build on - just which txs to include
@prestonevans__
Preston Evans
2 years
@kate_sills @danrobinson You can reconstruct the directions with constant overhead! Just try H(x, y) and H(y, x) - only one will match the next root unless x and y are the same. If x and y are the same, then you know that (if either proof verifies) the value is present in the same slot of both subtries