Home

Awesome

Miden Virtual Machine

LICENSE Test Build RUST_VERSION Crates.io

A STARK-based virtual machine.

WARNING: This project is in an alpha stage. It has not been audited and may contain bugs and security flaws. This implementation is NOT ready for production use.

WARNING: For no_std, only the wasm32-unknown-unknown and wasm32-wasip1 targets are officially supported.

Overview

Miden VM is a zero-knowledge virtual machine written in Rust. For any program executed on Miden VM, a STARK-based proof of execution is automatically generated. This proof can then be used by anyone to verify that the program was executed correctly without the need for re-executing the program or even knowing the contents of the program.

Status and features

Miden VM is currently on release v0.11. In this release, most of the core features of the VM have been stabilized, and most of the STARK proof generation has been implemented. While we expect to keep making changes to the VM internals, the external interfaces should remain relatively stable, and we will do our best to minimize the amount of breaking changes going forward.

The next version of the VM is being developed in the next branch. There is also a documentation for the latest features and changes in the next branch documentation next branch.

Feature highlights

Miden VM is a fully-featured virtual machine. Despite being optimized for zero-knowledge proof generation, it provides all the features one would expect from a regular VM. To highlight a few:

Planned features

In the coming months we plan to finalize the design of the VM and implement support for the following features:

Compilation to WebAssembly.

Miden VM is written in pure Rust and can be compiled to WebAssembly. Rust's std standard library is enabled as feature by default for most crates. For WASM targets, one can compile with default features disabled by using --no-default-features flag.

Concurrent proof generation

When compiled with concurrent feature enabled, the prover will generate STARK proofs using multiple threads. For benefits of concurrent proof generation check out benchmarks below.

Internally, we use rayon for parallel computations. To control the number of threads used to generate a STARK proof, you can use RAYON_NUM_THREADS environment variable.

Project structure

The project is organized into several crates like so:

CrateDescription
coreContains components defining Miden VM instruction set, program structure, and a set of utility functions used by other crates.
assemblyContains Miden assembler. The assembler is used to compile Miden assembly source code into Miden VM programs.
processorContains Miden VM processor. The processor is used to execute Miden programs and to generate program execution traces. These traces are then used by the Miden prover to generate proofs of correct program execution.
airContains algebraic intermediate representation (AIR) of Miden VM processor logic. This AIR is used by the VM during proof generation and verification processes.
proverContains Miden VM prover. The prover is used to generate STARK proofs attesting to correct execution of Miden VM programs. Internally, the prover uses Miden processor to execute programs.
verifierContains a light-weight verifier which can be used to verify proofs of program execution generated by Miden VM.
midenAggregates functionality exposed by Miden VM processor, prover, and verifier in a single place, and also provide a CLI interface for Miden VM.
stdlibContains Miden standard library. The goal of Miden standard library is to provide highly-optimized and battle-tested implementations of commonly-used primitives.
test-utilsContains utilities for testing execution of Miden VM programs.

Performance

The benchmarks below should be viewed only as a rough guide for expected future performance. The reasons for this are twofold:

  1. Not all constraints have been implemented yet, and we expect that there will be some slowdown once constraint evaluation is completed.
  2. Many optimizations have not been applied yet, and we expect that there will be some speedup once we dedicate some time to performance optimizations.

Overall, we don't expect the benchmarks to change significantly, but there will definitely be some deviation from the below numbers in the future.

A few general notes on performance:

Single-core prover performance

When executed on a single CPU core, the current version of Miden VM operates at around 20 - 25 KHz. In the benchmarks below, the VM executes a Fibonacci calculator program on Apple M1 Pro CPU in a single thread. The generated proofs have a target security level of 96 bits.

VM cyclesExecution timeProving timeRAM consumedProof size
2<sup>10</sup>1 ms60 ms20 MB46 KB
2<sup>12</sup>2 ms180 ms52 MB56 KB
2<sup>14</sup>8 ms680 ms240 MB65 KB
2<sup>16</sup>28 ms2.7 sec950 MB75 KB
2<sup>18</sup>81 ms11.4 sec3.7 GB87 KB
2<sup>20</sup>310 ms47.5 sec14 GB100 KB

As can be seen from the above, proving time roughly doubles with every doubling in the number of cycles, but proof size grows much slower.

We can also generate proofs at a higher security level. The cost of doing so is roughly doubling of proving time and roughly 40% increase in proof size. In the benchmarks below, the same Fibonacci calculator program was executed on Apple M1 Pro CPU at 128-bit target security level:

VM cyclesExecution timeProving timeRAM consumedProof size
2<sup>10</sup>1 ms120 ms30 MB61 KB
2<sup>12</sup>2 ms460 ms106 MB77 KB
2<sup>14</sup>8 ms1.4 sec500 MB90 KB
2<sup>16</sup>27 ms4.9 sec2.0 GB103 KB
2<sup>18</sup>81 ms20.1 sec8.0 GB121 KB
2<sup>20</sup>310 ms90.3 sec20.0 GB138 KB

Multi-core prover performance

STARK proof generation is massively parallelizable. Thus, by taking advantage of multiple CPU cores we can dramatically reduce proof generation time. For example, when executed on an 8-core CPU (Apple M1 Pro), the current version of Miden VM operates at around 140 KHz. And when executed on a 64-core CPU (Amazon Graviton 3), the VM operates at around 250 KHz.

In the benchmarks below, the VM executes the same Fibonacci calculator program for 2<sup>20</sup> cycles at 96-bit target security level:

MachineExecution timeProving timeExecution %Implied Frequency
Apple M1 Pro (16 threads)310 ms7.0 sec4.2%140 KHz
Apple M2 Max (16 threads)280 ms5.8 sec4.5%170 KHz
AMD Ryzen 9 5950X (16 threads)270 ms10.0 sec2.6%100 KHz
Amazon Graviton 3 (64 threads)330 ms3.6 sec8.5%265 KHz

Recursive proofs

Proofs in the above benchmarks are generated using BLAKE3 hash function. While this hash function is very fast, it is not very efficient to execute in Miden VM. Thus, proofs generated using BLAKE3 are not well-suited for recursive proof verification. To support efficient recursive proofs, we need to use an arithmetization-friendly hash function. Miden VM natively supports Rescue Prime Optimized (RPO), which is one such hash function. One of the downsides of arithmetization-friendly hash functions is that they are considerably slower than regular hash functions.

In the benchmarks below we execute the same Fibonacci calculator program for 2<sup>20</sup> cycles at 96-bit target security level using RPO hash function instead of BLAKE3:

MachineExecution timeProving timeProving time (HW)
Apple M1 Pro (16 threads)310 ms94.3 sec42.0 sec
Apple M2 Max (16 threads)280 ms75.1 sec20.9 sec
AMD Ryzen 9 5950X (16 threads)270 ms59.3 sec
Amazon Graviton 3 (64 threads)330 ms21.7 sec14.9 sec

In the above, proof generation on some platforms can be hardware-accelerated. Specifically:

References

Proofs of execution generated by Miden VM are based on STARKs. A STARK is a novel proof-of-computation scheme that allows you to create an efficiently verifiable proof that a computation was executed correctly. The scheme was developed by Eli Ben-Sasson, Michael Riabzev et al. at Technion - Israel Institute of Technology. STARKs do not require an initial trusted setup, and rely on very few cryptographic assumptions.

Here are some resources to learn more about STARKs:

Vitalik Buterin's blog series on zk-STARKs:

Alan Szepieniec's STARK tutorials:

StarkWare's STARK Math blog series:

StarkWare's STARK tutorial:

License

This project is MIT licensed.