Proofs

Nockchain is an L1 zero-knowledge proof blockchain. This means that the data posted to the blockchain consists of blocks of proofs over transactions. At a high level, transactions are submitted and broadcast to the chain. Miners check pending transactions for consistency against the blockchain state. They then collect pending transactions into candidate blocks and compete to solve a proof puzzle which meets the target difficulty for the current difficulty epoch. If they receive a message of a successful proof puzzle solution, they check it; if it is correct, they broadcast it and the block height is incremented by one.

A transaction can contain transfers of $NOCK between addresses, onchain data storage (and payment), and app rollup data. More specifically, this traces Nockchain's technical roadmap:

1. At the beginning, during what we call "dumbnet", Nockchain transactions correspond to transfers of Nocks and simple Bitcoin-like multisigs and atomic swaps. Thus each block simply encodes some amount of monetary transactions.

2. At the next stage, Nockchain is outfitted with a namespace for addressing data. This starts with posted blobs, or generic data. (You can think of these as "files", but they are more generally nouns, including bit arrays.)

3. Nockchain's final mature form is a system for posting proofs of offchain verifiable computations. We have referred to this model as "lightweight trustless settlement of heavyweight verifiable computation." Verifiability is not supplied via public replication, but instead by means of private proofs which are reproducible and verifiable by those who need to. Proofs are produced offchain, but verification takes place onchain. Running a light node should be straightforward.

This is why when we talk about the mining power available on the network, we refer to "proofpower" rather than "hashpower". Proofpower means the available commoditized verifiable computation based on zero-knowledge proving. We call the compute power "commoditized" because the heavyweight computation does not need to be done on the distributed consensus blockchain; only a proof of it needs to be posted. You can trustlessly use state which has been verified correct without necessitating the entire history.

$NOCKs pay primarily for space in Nockchain’s namespace and for onchain data storage and temporary data availability. Nockchain is not intended to support heavyweight onchain execution of computation. This focus makes Nockchain a high-throughput chain for posting verifiable proofs and storing data.

Proof of Useful Work

This interview with Zorp founder Logan Allen discusses how Nockchain's ZKPoW satisfies the longstanding dream of real "proof of useful work".

Arithmetization

This video by Zorp mathematician Brian Klatt explains how Nock ISA nouns are converted into an arithmetized representation for use in proofs:

Proof Puzzles

A miner competes to solve a proof puzzle and validate a candidate block bundling transactions, thereby winning the block reward.

The proof puzzle begins from a block header and a nonce, both cryptographic hashes, and a length that must be a power of 2 (and is fixed at 64 for Nockchain). These elements (the header and nonce) act as a seed to generate a cascade of random field elements that fill the subject. The subject is a balanced binary tree with leaves to the specified length. (Thus the requirement for a power of 2 ensures that the tree balances.)

The system generates a sequence of random field elements and arranges them into the leaves of the balanced tree as the subject. (A field element is an integer between 0 and p – 1, where p = 2⁶⁴ – 2³² + 1; see Goldilocks Field.) The formula has the same shape as the product. The formula is based on expanding [6 [3 0 hed] [0 0] [0 hed]], where hed scans through every axis of the subject to assert that each leaf is an atom (opcode 3) or a crash ([0 0]).The proof of work puzzle follows this logic:

1. The header and nonce determine the subject seed.

2. The length of the subject is fixed at 64.

3. A search takes place by varying the nonce and generating a new subject.

4. If this checks out (the target difficulty is what the hash needs to meet to be a valid PoW for a block), then you've found a block; submit the new block to the chain.

5. If it fails, vary the nonce and try again.

6. If a new block comes in, then use its header as the input to the puzzle and mine on that instead (new subject).

The proof puzzle is encoded in eight.hoon at ll. 892–930.

Goldilocks Field

The Goldilocks field used in Nock ZKVM proofs consists of values drawn from 0 to p – 1, where

p = 2⁶⁴ – 2³² + 1

is a prime number. This field is particularly apt ("Goldilocks") for hardware, being 64 bits wide. (Contrast this with other fields like the 256-bit field used in KZG Commitments.)