Proof of Consensus

To communicate information between two blockchains without a trusted intermediary, we can simply verify the consensus of the source chain in the execution environment of the destination chain. This is the exact principle that Light Client nodes use to keep track of the state of a blockchain in a compute and storage-efficient manner. For example, running an on-chain Light Client for Ethereum on Gnosis chain would allow for keeping track of Ethereum block headers on Gnosis (and vice-versa) without any additional trust assumptions, aside from trusting the security of the consensus of each participating chain (in our case, the sync committee). Once an on-chain Light Client can keep track of block headers of another chain, anyone can supply state proofs to prove any information (balances, storage, transactions, events) about the source chain in the context of the destination chain. With this, building cross-chain applications, such as an arbitrary message bridge or token bridge becomes simple. Historically, this approach has been difficult because on-chain computation is quite expensive. From a gas perspective, it’s not feasible to run these on-chain Light Clients. For example, Ethereum validators in Ethereum POS consensus use BLS signatures and the EVM does not have a precompile for the BLS12-381 curve used in these signatures. This renders a naive Solidity implementation of such a Light Client prohibitively expensive. Recent advances in zero-knowledge proof systems, which allow for succinctly verifiable computation, make this approach feasible today. Similar to how zkSNARKs are powering zkEVM teams to scale execution, verifiable compute can also scale verification of consensus. In particular, “proof of consensus”, is the idea of using zero-knowledge succinct proofs to generate a validity proof of the state of a chain according to its consensus protocol. This validity proof can be used to power a gas-efficient Light Client, which facilitates trust-minimized interoperability. We note that we don’t actually use the zero-knowledge property of “zero-knowledge proofs”, we are using the succinctness property for scaling. For more information about how the zero-knowledge circuits work, read this blog post.