RISC Zero
Verifiable Games

On-chain $~~~$ 👉 $ZK$ 👈 $~~~$ Off-chain

Event Materials ↗️

Why RISC Zero?

• Verifiable Computation: outsource-able
• Highly Scalable: low-cost verification
• Tunable Privacy: robust & universal*

Notes:

• you can verify that a computation of a specific program ran exactly as it should, even if done by untrusted executor!
• Prover that runs program & produces receipt reveals as little as nothing to everything about execution to verifier.
• Verification is significantly cheaper than running computation yourself... at the cost of prover doing significantly more work to run the zkVM
• * Privacy is from everyone outside the prover, if you are the prover, no one but you has secret data.

What problems can ZK address for games?

See Zypher's supporting content for more.

Notes:

• ZK coprocessor - run verifiable program logic in zkVM by 3rd party or yourself to untrusting parties

• Added security and fairness and privacy that zero-knowledge proofs can provide, as they involve complex decision-making and competitive interactions.

• Commonly turn based, but can simply be tick based (STF analogy -> blocks)

• Privacy is optional, fully transparent games with ZKPs can provided added guarantees around many things other than that (if carefully designed)

  • cheating specifically in being able to go around rules of game logic, especially in cases with hidden player data/logic. (Don't trust. verify!)

• Private:

  • moves of known players
  • cards in your hand / hidden from all deck shuffle
  • hidden ID / anonymous interactions in multiplayer
  • Enabling incomplete information games (e.g. “fog of war” mechanics)

• Can prove final score without revealing anything about the game that resulted in it! Proof of Exploit CTF.

• Off-chain: CFT game where you prove you got a flag without revealing it (because that needs to remain secret) no 3rd party to check, use a proof!

RISC Zero Track Objective

Develop games using RISC Zero to ensure privacy and fairness.

Notes:

Developers are encouraged to implement game designs that can verify player actions without disclosing specific game data. This approach allows for the exploration of new gaming models that operate off-chain but utilize on-chain verification to ensure transparency and fairness.

RISC Zero 101

Read Getting Started and/or watch the playlist.

Notes:

• deeper understanding as exercise for views of this presentation.
• very happy to answer questions on our discord!

RISC Zero On-chain

Read about Blockchain Integration and watch the Foundry Template playlist.

Notes:

• TODO diagram how the proof works in game context (seq. diagrams with actors IDed (player, execution, prover))

✨ Inspiration

⚠️ -- Do not copy 🍝 -- 🙏

Notes:

Plagiarism, missing attribution and violating licenses will disqualify you! Building on them to something significantly enhancements may be considered - please let us know what you are planning :grin:

ZK Checkmate Demo

Join in following the Hands-on instructions ↗️

Notes:

• See the recording there to follow along for an overview.
• I encourage you to experiment yourself!

Bevy (R0 v1.0.1)

• Serious Rust game engine
• Great base to start hackin' 🤠
• Start with shared core logic

Notes:

• Core logic can be used in the host & the guest for Bevy games
• Design guest to be minimal as proofs are costly!

zkSnake (R0 v0.20)

zkSnake Source ↗️

Notes:

• Winner of RISC Zero Coprocessor Bounty at ETHDenver 2024 and did well in community quadratic voting too!
• Idea: take it further and make a bevy app in wasm w/ webGPU with shared core logic identical on web & "re-player" zkVM

3D ZK Games?!

🎮 Play the Demo 🎮

• Real-time Multiplayer Games Track featured demo!
• Rendered web game + wallet connect
• Demo tooling to generate browser example

🎨 ZK Game Design Patterns

• Prove transcript of game for verifiable high scores
• Prove state update based on complex game logic
• Prove validity of player moves while concealing
• Play & prove latter (snake game)
• Proof for each hidden move, perhaps in a tx on chain
• Able to run only core game logic in zkVM - GUI and other non-security/privacy/fairness aspects can live outside the proven core logic (diagram)
• Randomness
  • cannot do within guest - only fake & deterministic random for replay of moves perhaps (who gets to know seed? Choose? VRF maybe?)

🎇 What is special about RISC Zero? (1)

• Developer productivity (@ hackathons & beyond)
    Top 1000 crates.io tested nightly,
    benchmarks and more: reports.risczero.com
• Hard in zkDSL, easy in zkVM:
    Loops & branching
    Design 🡺 Implementation 🡺 Auditing

Notes:

• Lots of ZKP options, why use R0?
  • zkDSL could be more performant, but time to market is very high, small set of humans can implement them at all.
  • Why use us over other zkVMs? First, arguably best devex, v1.0 release stability and prover performance milestones!

🎇 What is special about RISC Zero? (2)

• Proof continuation
    Unbounded guest programs
• Proof composition
    "Proof-ception"
    Hybrid Client side {🕵️privacy} & server {🦾power}
• Execution separate from proof generation

Notes:

• Proof-ception = efficient verification of proofs within a guest.
  • Privacy for small client side proofs and the bulk of proof computational overhead outsourced to an untrusted prover.
  • Reuse of existing proofs included in new proof using their journal
  • Batching/compression of many proofs
  • Proof transposition for compatibility of specific verifiers.
• Execution is near zero overhead, proving is high overhead.
  • Realtime exec & prove in parallel / after / remote is possible
• What killer features does R0 provide?

🎇 What is special about RISC Zero? (3)

⛓️ EVM Support

• RISC Zero Foundry template
    Write unbounded programs that are low cost to verify on any EVM chain
• Ethereum contracts, proof systems, and more
    View call proofs with STEEL
    ZK Rollups & RollApps
    ... Help us define more!

Notes:

• Zeth could run existing solidity games off chain, optionally unbounded computation per block (gasless). Zeth deep dive
• mention: 256 view call limit - could you do inclusion proof checkpoints? contract state is simply recursive proof of minimal thing needed (maybe block header / hash?) updated by anyone to use for deep archival view calls? prove "this state was in block X that is a child of recent block {younger than 256}"

🎇 What is special about RISC Zero? (4)

✨Zypher Support

poker0 ↗️

A poker game leveraging RISC Zero and PLONK for off-chain proof of game processes, with on-chain validation, built on the Z4 engine.

Notes:

Take heed: This perhaps is a rather complex starting point from without any experience with RISC Zero or PLONK, we suggest experimenting with the more basic RISC Zero examples first to get a feel for things first!

🤿 Before you dive deep...

• You must match versions of cargo risczero and your Cargo.toml deps
    Some examples / templates may not be the version you need!
    Bonsai (proving service) is 0.21, updating mid-July 2024 to 1.0
• Keep guest minimal - extra cycles are expensive
    ...But this is a hackathon, don't stress too much!
• When experimenting, always use DEV_MODE!
    Execution only with mocked proving (fast!)
• Bonsai API key priority & support
    Apply: bonsai.xyz/
• 🧠 You are designing a cryptographic system, not just a game!
• Discord #💻|support-forum channel for help
    Join: discord.gg/risczero

Further Reading & Resources

Nuke 🌄's Book ↗️

• 🗃️ More details and research links
• 🪧 These slides (fuzzy-searchable!)
• 👷 ZK Chess Checkmate Workshop (+videos)