Shumo Chu

Shumo Chu

NEBRA: The Shared Settlement Layer for the Future Internet

(Edited from my original Post on X. Thank Grace Deng for the valuable feedback.)

Design Philosophy

A Blockchain Protocol is to Solve A Problem

A successful blockchain protocol is to solve a far fetching problem in the blockchain space. For example:

  • Celestia/Avail: improving the Data Availability bandwidth of Ethereum, which is the dominating cost for L2 transaction fees (before 4844).
  • Eigenlayer: using restaking to help many protocol builders to build their protocol without bootstrapping their own consensus (Note: there are pretty serious risk concerns).
  • Flashbot: mitigating the existential crisis of Ethereum MEV after the the POW -> POS transition (a.k.a. the merge).

When the protocol you are building is solving a far fetching problem in the space, the protocol level product market fit follows. It might take several years to realize your value proposition, however, as long as you are solving the right problem and are working towards the right direction, you should believe the right results will come eventually.

Minimality is Power

One principle that these successful protocols share in common, and what I keep reminding myself everyday, is minimality. Miniality means to be extremely focused and tries to reduce the surface area of the protocol that you are building. To demonstrate the power of minimality, let's compare alternative L1s such as Near, Avalanche, versus dedicated DA layers such as Celestia:

The origin of Celestia is called LazyLedger. The name indicates that it tries to do less things instead of more. In particular, it tries to decouple the data availability part of the consensus from the transaction ordering part of consensus. By doing so and staying focused on its core mission (data availability), Celestia team built a high performance data availability protocol that works together with existing consensus protocol (i.e. modularity).

Since a consensus protocol offers both data availability and transaction ordering, there is no surprise that an alt-L1 can offer DA as well. In fact, Near protocol offers a DA solution with very little protocol changes.

The entire DA market is still early and it is hard to predicate what the market chooses. However, I think a dedicated DA protocol has both technical advantages and non-technical advantages:

  • Technically, thanks to its smaller protocol surface area, a dedicated DA layer can be:
    • More efficient:, since the protocol is designed for this single purpose
    • More secure, since smaller protocol surface area can directly translate to smaller attack surface
  • In terms of go-to-market and building brand image, the project and the team could be more mission driven, so the message the project delivers to the developers and the end users are much clearer. The clarity of the message can go a long way, especially in building a trust relation with the protocol users. One can call this "legitimacy" as well.

NEBRA: the Shared Settlement Layer that scales Ethereum

When we started NEBRA Labs, we asked ourselves:

What is the biggest unsolved problem in the blockchain space?

Breaking-down Blockchain Protocols

Before answering the question, it could be helpful to breakdown a blockchain protocol (i.e. consensus) to the following parts:

  1. Data Availability: the ledger needs to publish the data to be agreed on.
  2. Execution: the ledger executes the transactions based on the state data.
  3. Ordering: the ledger needs to agree on a deterministic order of the transactions.
  4. Settlement: the ledger confirms the finality of the transactions.

The figure below shows various projects who work on scaling and modularize different verticals of Ethereum. As you can see, before NEBRA, no one works on enhancing settlement part, since a common myth is that you have to change Ethereum L1 to improve the settlement capabilities.

modular

Figure 1: Breaking down a consensus protocol

What is a good settlement protocol?

We think a good settlement layer needs to provide the following 5 properties:

  • Security: The settlement layer needs to provide a strong security guarantee, where this security guarantee needs to be both strong in the following aspects:
    1. Economic security: the cost of attacking the settlement layer needs to be extremely high, in order to be able to settle high value financial transactions.
    2. Decentralization: A decentralized settlement layer is more robust to attacks and hacks, and more censorship resistant. Decentralization means a large validator set, client diversity so that the protocol is resilient to software implementation bugs, and a robust social layer for decentralized governance. One great strength of proof based settlement is to unconditionally inherent security guarantee from the base layer.
  • Verifiability: The settlement layer needs to provide easily accessible verifiability of every settlement, i.e. either through traditional lights client or ZK light clients.
  • Scalability: This settlement layer should ideally scale linearly with the computation resources it consumes.
  • Liveness: The settlement layer needs to provide a strong liveness guarantee.
  • Privacy: This settlement layer needs to support settlement of computation over private state (a.k.a ZK), so that people can build privacy preserving applications.

The case for proof based settlement layer

In NEBRA, we take an opinionated view of what a shared settlement layer should be. We think that cryptographic proof (a.k.a. zero-knowledge proof) based settlement would eventually be the only form of settlement.

First, thanks to the asymmetry of prover cost and verifier cost: for example, zero-knowledge proof systems allowe linear prover cost and sub-linear (usually logarithmic or constant) verifier cost. As well as the ability to use recursive snark to aggregate a astronomical number of proofs in a single proof. Proof based settlement is the only solution can scale computation linearly with the resource it consumes. And due to the sublinear verifier cost, this scaling property would not hurt the verifiability, i.e., we can still have a huge number of low-cost verifiers to keep the entire blockchain system decentralized.

scale-factor

Figure 2: scale factor of settlement: 60x a single proof per EVM Block, 600x by aggregating 10 proofs, 2400x by aggregating 40 proofs.

Second, proof based settlement could power privacy-preserving applications, which is the next phase of paradigm shift from pure public blockchains. As blockchains become a fundamental part of people's daily lives, privacy will become the next big problems to be solved on public blockchains. In fact, there are many privacy preserving applications being built today, from privacy preserving L2 like Aztec, to privacy preserving identity solutions like Worldcoin. Being able to support these privacy-preserving applications is very crucial for blockchain technology getting real world adoptions.

However, a big problem prevents us from directly using Ethereum as an efficient settlement layer is the proof verification capabilities. The table below shows the cost of verifying different kinds of zero-knowledge proofs on Ethereum today:

gas-cost

Figure 3: proof verification cost on Ethereum

The root reason for this huge cost is for its decentralization, a single computation on Ethereum needs to be repeated 1 million time (since Ethereum has more than 1,000,000 validators). This incredible level of decentralization is where the strong security guarantee comes from.

At NEBRA, we want to extend the security guarantee from the Ethereum base layer without any compromise of security. As a result, we leverage recursive zkSNARK to aggregate multiple proofs into a single proof. As a result, the proof verification cost is getting amortized among all the proofs.

nebra

In NEBRA UPA 1.0, we already scaled Ethereum's proof settlement capabilities by 10x (source: NEBRA Docs). We expect further improvement on the future versions.

Promising usecases that are enabled by NEBRA

Last, we would like to foresee 4 kinds of "killer applications" that can be built on NEBRA. This is by no means an exclusive list: the only limitation is our imagination.

Privacy preserving applications for the masses. NEBRA can dramatically reduce the cost of privacy preserving transactions: on Ethereum L1, NEBRA UPA reduces proof verification cost from 25 dollar to 2.5 dollars, on Ethereum L2s such as Optimism, NEBRA UPA reduces proof verification cost 1 dollar to 10 cents. This makes possibile of mass adoption of privacy preserving applications, for example, privacy preserving DeFi, ZK-based DID solutions, private voting, and hidden information games such as zkHoldem.

High performance provable gaming engines. Provable games (some people call them autonomous worlds) excite many people in crypto space. However, the provable gaming performance is limited by the computational power on the client side. By using NEBRA UPA, provable game engines can divide the computation to be proven to smaller proofs and then use NEBRA to settle them. This could greatly improve the capabilities of provable game engines.

Proof based oracles and attestation protocols. Oracles/attestations provide programmable accesses to both onchain and offchain data and activities. Zero-knowledge proof based oracles and attestation protocols will not only reduce the trust assumpitons, it could make the protocols themselves more composable and easier to integrate with. NEBRA can help proof based oracles and attestation protocols both in terms of cost and composability. For example, NEBRA can allow composition of proofs from different verticals such as zkML, zkDID and zk storage proofs to power new usecases.

Proof based interoperability solutions. Finally, by settling validity proofs from different zkRollups, NEBRA can provide trust-less interoperability to ZK based L2s and L3s. The basic idea is to do batched settlement of validity proofs from different L2s/L3s and provide a trust-worthy finalized state-root to different parties. Together with messaging passing bridges and sequencing solutions, NEBRA can bring either asynchronous composability or atomic composability to L2s/L3s.

Further Read

  1. Vitalik's thoughts on L3s
  2. Scailing Crypto Apps Not Infra
  3. LazyLedger paper